Class Note
Summary of the important notes from COMP5349
Week 1: Intro to Cloud Computing
What is Cloud Computing
Informal: Renting/sharing IT resources (hardware, software, datacenters) over the internet with flexible metering and charging.
Formal (NIST): A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources.
Non-Cloud Scenarios: Traditional IT leasing (e.g., renting physical servers, ISP space).
Typical Cloud Architecture
Bottom Layer: Hardware (servers, networking, storage) and data centers.
Virtualization Layer: Physical servers are divided into virtual machines.
Service Models: Built on top of the virtualization layer.
Service Specification and Pricing
Cloud Service Model
IaaS (Infrastructure as a Service)
Consumer uses "fundamental computing resources" such as processing power, storage, networking components or middleware. User controls OS, applications, but not underlying infrastructure.
Similar to traditional computers (CPU, memory)
pay-as-you-go (billed hourly or per second)
AWS EC2, Google Compute Engine
PaaS (Platform as a Service)
Consumer uses a hosting environment for their applications. User controls applications and hosting environment, but not OS, hardware.
Between IaaS and SaaS
can be pay-as-you-go or subscription
Google App Engine, Azure
SaaS (Software as a Service)
User consumes application, no control over underlying infrastructure.
Based on application features (user accounts, storage)
subscription-based
Gmail, Office 365, Salesforce
Other Services (e.g., Storage): More complex specification and pricing, involving static and dynamic parts: actual storage size, number of queries, consistency, and other quality requirements.
Service Delivery: All those XaaS models are delivered through the Internet, with a web interface.
Introduction to Amazon Web Services
Web service: any piece of software that makes itself available over the internet and uses a standardized format, such as Extensible Markup Language (XML) or JavaScript Object Notation (JSON), for the request and the response of an application programming interface (API) interaction. Web services are accessible via the internet by using typical web protocols (such as HTTP) and are used by machines or by humans through a UI.
AWS: a platform of web services that offers solutions for computing, storing, and networking, at different layers of abstraction.
AWS Global Infrastructure: supported by global datacenters, providing high availability, scalability, and security, with high-quality global network performance.
AWS Regions: Geographical areas; data replication is user-controlled; inter-region communication goes via the AWS backbone (e.g., eu-west-1 for London).
AWS Availability Zones: Fully isolated data centers within a region, interconnected via high-speed private networks. AWS recommends replicating data and resources across Availability Zones for resiliency.
AWS Sample Applications
E-commerce Website:
Basic Setup: VM web server (EC2) + cloud DB (RDS)
Enhanced Setup: CDN (static content), load balancing (distribute customer requests), cross-datacenter DB replication (high availability, reduce response time)
Batching Processing Infrastructure
Cost-effective solution: With the AWS pay-as-you-go model, you pay only for active usage (minimum 60-second billing).

Cost of AWS
Free Tier: Limited free services for new accounts for the first 12 months.
Education Credits: For lab exercises.
Billing Models: Based on usage time, traffic, storage, etc., linearly related to actual usage.
Interacting with AWS Services
Management Console
Simple infrastructure setup/testing
AWS Console
CLI
Automation/scripting tasks
AWS CLI
SDK
Application integration
AWS SDK (Python, Java)
Infrastructure as Code (IaC)
Automated deployments
CloudFormation, Terraform
Identity & Access Management (IAM)
Key Components
IAM Users: A person or application that can authenticate with an AWS account.
IAM Groups: Collections of users with shared permissions.
IAM Roles: Useful mechanism to grant a set of permissions for making AWS service requests.
IAM Policies: The document that defines which resources can be accessed and the level of access to each resource.
IAM user authentication:
Programmatic access: Access key ID, Secret access key
AWS Management Console access: 12-digit Account ID or alias, IAM user name, IAM password
Best Practices:
Least Privilege Principle: Grant minimal necessary permissions.
Multi-Factor Authentication (MFA): Enhances account security.
The scope of IAM service configurations is global. Settings apply across all AWS Regions.
IAM Policies: a document that defines permissions
Identity-based policies: Attach a policy to any IAM entity, specify actions that may (not) be performed by the entity
Resource-based policies: Attached to a resource (such as an S3 bucket)
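To make the policy mechanics concrete, here is an added Python example (not AWS or course code) that evaluates an identity-based policy document the way AWS documents it: an explicit Deny wins, otherwise an Allow is required, otherwise the request is implicitly denied. The policy, bucket name and ARNs are constructed sample values; `find_broad_allows` flags the kind of wildcard statement the least privilege principle rules out.

```python
"""Toy evaluator for identity-based IAM policy documents.

Added example (not AWS or course code). It applies AWS's documented evaluation
order: an explicit Deny in any matching statement wins, otherwise an Allow is
required, otherwise the request is implicitly denied.
"""
import fnmatch
import json

# Constructed sample policy: read-only access to one bucket, plus an explicit
# Deny on deleting objects anywhere (the bucket name is a placeholder).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Effect": "Deny",
      "Action": "s3:DeleteObject",
      "Resource": "*"
    }
  ]
}
""")

# Constructed counter-example: the kind of statement least privilege rules out.
BROAD_POLICY = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def _as_list(value):
    """IAM accepts either a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    # IAM Action/Resource support '*' and '?' wildcards; fnmatch does the same.
    return any(fnmatch.fnmatchcase(candidate, p) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one (action, resource) request."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins
        allowed = True
    return "Allow" if allowed else "Deny"   # no Allow hit: implicit deny


def find_broad_allows(policy):
    """Indexes of Allow statements with a bare '*' Action or Resource."""
    return [i for i, stmt in enumerate(policy["Statement"])
            if stmt["Effect"] == "Allow"
            and ("*" in _as_list(stmt["Action"]) or "*" in _as_list(stmt["Resource"]))]
```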
Week 2: Cloud Storage
Cloud Storage Types
Storage as SaaS: Extends local hard drives or file systems, user-friendly with cloud features like sharing, collaboration, and versioning. Examples: Google Drive, OneDrive, Dropbox, iCloud.
Storage as IaaS/PaaS: Provided as independent infrastructure, more cost-effective but with fewer UI features, requiring some learning. Examples: AWS S3, Azure Storage, Google Cloud Storage.
AWS Data Storage Services

AWS S3: A distributed object store
Store type:
File Store: Data as files, managed in folder hierarchies, filenames locally unique.
Object Store: Data as objects (often files), managed by globally unique identifiers (Keys), includes metadata (access control, type, size, creation date, etc.), and content itself. A folder is a 0-byte object
Difference: Flat structure (only Bucket and Object), no directory hierarchy (pseudo-directories are implemented through key prefixes).
S3 Core Concepts:
Bucket: Container for objects, to organize and manage objects, globally unique name.
Object: Data unit in S3, typically a file, with a globally unique Key and metadata.
Key: Unique identifier for an object, includes Bucket name and filename (can mimic folder structure).
URLs: two styles, path-style s3.<region>.amazonaws.com/<bucket> and virtual hosted-style <bucket>.s3.<region>.amazonaws.com.
S3 Characteristics:
Distributed object storage, data redundancy, and high durability. Provides fault tolerance and continuous access to data.
Upload and retrieval via HTTPS and APIs.
Complex cost structure involving storage, requests, data transfer, storage classes, etc.
Provides a pseudo-directory structure to simulate the organization of a file system. The directory name is the prefix of the object Key. E.g., for graphics-bucket/photos/2022/catpiano.jpg, the AWS S3 console shows "photos/2022" as a directory.
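The two URL styles and the prefix-based pseudo-directories above, as an added Python example (not AWS or course code): `parse_s3_url` recovers bucket and key from either style, and `list_pseudo_directory` reproduces how a prefix plus delimiter listing turns a flat key space into "folders". Bucket names, keys and the region are constructed sample values.

```python
"""Parse the two S3 URL styles and emulate a delimiter ("directory") listing.

Added example, not AWS or course code. Bucket names, keys and the region are
constructed sample values.
"""
import re
from urllib.parse import unquote, urlparse

_VIRTUAL_HOSTED = re.compile(
    r"(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com")
_PATH_STYLE = re.compile(r"s3(?:[.-](?P<region>[a-z0-9-]+))?\.amazonaws\.com")


def parse_s3_url(url):
    """Return (bucket, key) for a path-style or virtual hosted-style URL."""
    parsed = urlparse(url)
    path = unquote(parsed.path.lstrip("/"))
    hosted = _VIRTUAL_HOSTED.fullmatch(parsed.netloc)
    if hosted:
        # <bucket>.s3.<region>.amazonaws.com/<key>
        return hosted["bucket"], path
    if _PATH_STYLE.fullmatch(parsed.netloc):
        # s3.<region>.amazonaws.com/<bucket>/<key>: first path segment is the bucket
        bucket, _, key = path.partition("/")
        return bucket, key
    raise ValueError(f"not an S3 URL: {url}")


def list_pseudo_directory(keys, prefix="", delimiter="/"):
    """Emulate a prefix+delimiter listing over a flat key space.

    Returns (objects, common_prefixes): keys directly under `prefix`, and the
    "subdirectories", i.e. the first delimiter-terminated segment after the
    prefix, de-duplicated, which is how the console derives its folder view.
    """
    objects, common = [], set()
    for key in sorted(keys):
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if delimiter in rest:
            common.add(prefix + rest.split(delimiter, 1)[0] + delimiter)
        else:
            objects.append(key)
    return objects, sorted(common)


# Constructed sample key space; "photos/2022/" is the 0-byte object the console
# creates when you click "Create folder".
SAMPLE_KEYS = [
    "photos/2022/",
    "photos/2022/catpiano.jpg",
    "photos/2022/dog.jpg",
    "photos/2023/a.jpg",
    "photos/index.html",
    "readme.txt",
]
```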
Common Scenarios for S3:
Backup and Storage
Application Hosting
Media Hosting
Software Delivery
Data Store for Computation and Analytics (e.g., with EMR)
Static Website Hosting
S3 Pricing
Pay for what you use, including GBs stored per month, data transferred OUT to other Regions, and PUT, COPY, POST, LIST, and GET requests.
No need to pay for: Transfers IN to Amazon S3, and transfers OUT from Amazon S3 to Amazon CloudFront or Amazon EC2 in the same Region.
Cost depends on: Storage class type, amount of storage (the number and size of objects), requests (the number and type of requests), and data transfer (data transferred out of the Amazon S3 Region).
S3 Storage
General purpose (S3 Standard)
frequently accessed data
high availability and low latency, higher cost
Intelligent tiering (S3 Intelligent-Tiering)
Access data with unclear patterns
Automatically optimizes cost by moving data between tiers based on access patterns, monitoring fee applies
Infrequent access (S3 One Zone-IA, S3 Standard-IA)
Less frequently accessed data
Lower storage cost but higher retrieval cost, with a minimum storage duration of 30 days. (One Zone-IA data is stored in a single Availability Zone)
Archive (S3 Glacier Instant Retrieval, S3 Glacier Flexible Retrieval, S3 Glacier Deep Archive)
Long-term archival of cold data
Extremely low cost, but longer retrieval times, with a minimum storage duration of 90 days
S3 Lifecycle: a set of rules that define (1) transition actions, which move objects to another storage class, and (2) expiration actions, which define when objects expire.
S3 Versioning
Purpose: Protects against accidental overwrites and deletions, allows restoring previous versions.
Versioning Enabled Behavior:
Uploading an object with the same key creates a new version, each with a unique version ID.
Deleting an object adds a new object version with a Delete Marker, the object is still retrievable by version ID.
Requests for an object key return the most recent version. If the most recent version is a delete marker, the request is not successful. Requests for an object with its version ID will successfully return that version of the object.
Permanently delete an object by using delete with the version ID.
Consistency Model: Read-After-Write Consistency.
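The versioning behaviour above, as an added Python simulation (not AWS or course code): every PUT adds a version, a plain DELETE adds a delete marker that hides the object from key-only GETs, older versions stay retrievable by version ID, and only a DELETE with a version ID is permanent. Version IDs are a constructed counter rather than S3's opaque strings; `undelete` shows that removing the marker is what restores the object.

```python
"""Simulation of a versioning-enabled S3 bucket.

Added example, not AWS or course code. Version IDs are a constructed counter
instead of S3's opaque strings; the rules (new version per PUT, delete marker
on a plain DELETE, permanent delete only with a version ID) follow the notes.
"""
import itertools


class VersionedBucket:
    def __init__(self):
        self._versions = {}              # key -> list of versions, oldest first
        self._ids = itertools.count(1)   # stand-in for S3's opaque version IDs

    def _append(self, key, body, delete_marker):
        vid = f"v{next(self._ids)}"
        self._versions.setdefault(key, []).append(
            {"version_id": vid, "body": body, "delete_marker": delete_marker})
        return vid

    def put(self, key, body):
        """A PUT on an existing key never overwrites; it adds a new current version."""
        return self._append(key, body, False)

    def delete(self, key, version_id=None):
        """Plain DELETE adds a delete marker; DELETE with a version ID removes it for good."""
        if version_id is None:
            return self._append(key, None, True)
        self._versions[key] = [v for v in self._versions.get(key, [])
                               if v["version_id"] != version_id]
        return version_id

    def get(self, key, version_id=None):
        """Return the body, or None where S3 would answer 404."""
        versions = self._versions.get(key, [])
        if version_id is None:
            # Key-only GET returns the current version unless that is a delete marker.
            if not versions or versions[-1]["delete_marker"]:
                return None
            return versions[-1]["body"]
        for v in versions:
            if v["version_id"] == version_id and not v["delete_marker"]:
                return v["body"]
        return None

    def list_versions(self, key):
        """(version_id, is_delete_marker) for every version, oldest first."""
        return [(v["version_id"], v["delete_marker"]) for v in self._versions.get(key, [])]

    def undelete(self, key):
        """Recover from an accidental delete by removing the current delete marker."""
        versions = self._versions.get(key, [])
        if versions and versions[-1]["delete_marker"]:
            self.delete(key, versions[-1]["version_id"])
            return True
        return False


def demo():
    """Constructed walk-through: two uploads, an accidental delete, then recovery."""
    bucket = VersionedBucket()
    v1 = bucket.put("photos/2022/catpiano.jpg", b"first upload")
    v2 = bucket.put("photos/2022/catpiano.jpg", b"second upload")
    marker = bucket.delete("photos/2022/catpiano.jpg")
    return bucket, v1, v2, marker
```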
S3 Replication:
Purpose: Automatically copies objects from source to destination bucket(s) for disaster recovery, compliance, and latency reduction.
Replication Types: Same Region Replication (SRR) and Cross-Region Replication (CRR).
Versioning Requirement: Versioning must be enabled on both source and destination buckets.
Delete Operations and Replication:
By default, if you make a DELETE request without specifying an object version ID, Amazon S3 adds a delete marker. Delete Markers are not replicated, potentially causing inconsistency between the source and destination.
Delete Marker Replication can be enabled to maintain consistency.
Deleting a specific version only deletes it in the source bucket; manual deletion is needed in the destination for consistency.
Week 3: Virtualization & EC2
Virtualization Overview
Virtualization: run multiple virtual machines on a single physical machine, with each virtual machine sharing the resources of that one physical computer across multiple environments. Broadly, virtualization includes virtual memory, storage, network, virtual reality.
Early virtualization examples:
Virtual Memory: Provides the CPU with more addressable memory than is physically present on the board
Mainframe Virtualization: IBM's early VM solution, similar to modern system VM
Hot Standby Router Protocol: Uses virtual IPs for gateway redundancy
Common features of virtualization
Emulation: A pre-existing IT resource is emulated (memory, mainframe, IP address, etc.)
Transparency: The consumers of the resources (CPU, mainframe users, network hosts) cannot distinguish between real and emulated resources
Benefits: Compared with directly using actual resources, virtualization brings various benefits (memory expansion, resource optimization, high availability, etc)
Server Virtualisation
Virtual Machine: a software-defined computer that runs on a physical computer with a separate operating system and computing resources. The physical computer is called the host machine and virtual machines are guest machines. Multiple virtual machines can run on a single physical machine. Virtual machines are abstracted from the computer hardware by a hypervisor.
Hypervisor: Software managing VMs, responsible for resource allocation, isolation, and management.
Types:
Type 1 (Bare-metal): Runs directly on the hardware; higher performance and often used in cloud computing environments (e.g., Xen, Hyper-V Type 1).
Type 2 (Hosted): Runs on top of an OS as an application and is suitable for individual users (e.g., VMware Workstation, VirtualBox).
Role: Provide the same environment as the physical one with minimal performance cost, while maintaining full control over system resources.
Xen Hypervisor Component
The Xen Hypervisor: Responsible for managing CPU, memory, and interrupts
The Control Domain (or Domain 0): handling I/O and interacting with the other Virtual Machines
Guest Domains/Virtual Machines: The VM allocated to users
Toolstack and Console: Admin interface for creating, destroying and configuring guest domains
Hyper-V Components
Hypervisor: Provides isolated execution environments called partitions, controls and arbitrates access to the underlying hardware.
Partition: The virtual machine running on a hypervisor
Root Partition: Similar to Xen's domain 0, which manages I/O and communicates with other partitions
Child Partition: All other guest VMs
VM Resource Management
CPU Management: Physical CPU cores are time-shared by virtual CPUs (vCPUs) in server virtualization. The dynamic scheduling of vCPUs on physical CPUs is managed by the hypervisor following a customized scheduling algorithm (e.g., the credit scheduler of Xen).
Memory Management: Each guest OS acquires a dedicated portion of the host machine's physical memory to ensure strong isolation. The guest operating system manages the mapping between its virtual memory and what it considers to be physical memory, while the actual mapping to host physical memory is controlled by the hypervisor, so address translation involves two levels of mapping (guest OS virtual memory → hypervisor-managed physical memory).
I/O Management: I/O refers to all input/output devices (disk, network, printer, monitor, mouse). Operating systems handle I/O efficiently by providing standard interfaces and loading the various drivers.
Disk: a partitioned device. Each VM can get a partition exposed as a virtual disk, and external disk drives can be mounted easily.
Network adapter: a shared device. The physical adapter can be time-shared by each VM. A virtual network adapter is presented to the VM.
Early I/O paths might involve the VM operating system's drivers, device emulators, and drivers in the hypervisor, and then the physical device drivers. Modern hypervisors (such as Xen) offload I/O processing to the control domain (Domain 0).
Amazon EC2
Amazon EC2: EC2 provides resizable compute capacity in the cloud. It provides VMs and starts servers in minutes, can automatically scale capacity up or down as needed, and lets you pay only for the capacity that you use.
EC2 instances: a virtual machine that runs on a physical host, sharing host resources (CPU, RAM, storage).
EC2 use cases: Complete control of computing resources (including operating system and processor type), optimizing compute costs (On-Demand Instances, Reserved Instances, and Spot Instances, Savings Plans), Ability to run any type of workload (Simple websites, Enterprise applications, Generative AI applications)
Steps for provisioning an EC2 instance
Select an AMI: AMI is a template that is used to create an EC2 instance, contains a Windows or Linux operating system, often also has some software pre-installed. Users can choose from the Quick Start AMI provided by AWS, their own AMI, AWS Marketplace or community AMI.
Benefits: Repeatability, Reusability, and Recoverability. Users can create an AMI from a configured instance as a restorable backup.
Select an instance type: Instance type determines Memory (RAM), Processing power (CPU), Disk space and disk type (Storage), Network performance. Users select an instance type based on their use (General purpose, Compute optimized, Memory optimized, Storage optimized, Accelerated computing)
Instance types offer family (Like t, m, c, r, x, z, f, g, p, d, h, i), generation (t3), and size (e.g. nano, micro, small, large, xlarge, 2xlarge)

Networking optimization: If you have interdependent instances, launch them into a cluster placement group. Enhanced networking types include the Elastic Network Adapter (ENA) (up to 100 Gbps) and the Intel 82599 Virtual Function interface (up to 10 Gbps).
Identify or create the key pair: It enables secure connections to the instance. A key pair consists of a public key that AWS stores, and a private key file that you store.
Specify network settings: Includes identifying the VPC and optionally the subnet (the deployment location), and deciding whether to assign a public IP address (making the instance internet-accessible).
Security group settings: a set of firewall rules that control traffic to the instance. It exists outside of the instance's guest OS. Users can specify the source (IP address or another security group), the port number and the protocol (TCP, UDP, ICMP).
Specify storage: configure the root volume and optionally attach additional storage volumes. For each volume, specify the size of the disk (in GB), the volume type (SSD, HDD), whether the volume is deleted when the instance is terminated, and encryption.

Amazon EBS: Network-attached persistent, block-level storage volumes. Data exists independently of the instance lifecycle and can be attached to any instance in the same availability zone, supporting snapshots and encryption. Suitable for Stand-alone database and general application data storage.
Instance Store: Non-persistent temporary block-level storage, where data is stored on the disk of the same physical server where the instance is running. Data is lost when the instance stops or terminates. Applicable to buffers, caches and temporary data.
Attach IAM role (optional): If the software on the EC2 instance needs to interact with other AWS services, an IAM role can be attached to grant the necessary permissions without hard-coding credentials in the instance.
User data script (optional): Users can provide scripts when starting an instance. These scripts run after the instance starts and are used to automate configuration tasks, such as software installation and configuration.
Add tags: a label that you can assign to an AWS resource. Consists of a key and an optional value. Potential benefits for filtering, automation, cost allocation, and access control.
EC2 instance lifecycle: includes Pending, Running, Stopping, Stopped, Starting, Rebooting, Terminating, and Terminated.
AWS Nitro System
Overview: AWS's in-house virtualization system, based on KVM, lightweight and high-performance.
Architecture: Hypervisor for CPU/Memory only, Nitro Cards for network, storage, management, and security virtualization.
Nitro Cards: Dedicated hardware for VPC, EBS, Instance Store, and management functions.
Benefits: Improved performance, reduced overhead, supports Bare Metal Instances.
Bare Metal Instances: Direct access to physical server resources, no hypervisor, but still utilizes Nitro Cards for cloud service integration.
Week 4: Cloud Database
Amazon EBS
AWS Data Storage Services

Block storage: Stored in fixed-size blocks. Only the blocks containing the changes need to be updated. Suitable for frequently updated files with fine-grained control.
Object storage: Requiring replacement of the entire file for each modification, unsuitable for frequent updates.
Amazon EBS: Block-level persistent storage attached to EC2 instances via a network. Supports dynamic expansion.
An EBS volume can only be attached to one instance at a time.
Not part of the EC2 instance; EBS volumes remain after the EC2 instance is terminated.
Volumes are automatically replicated within their Availability Zone.
Can be backed up automatically to S3 through snapshots.
Available in SSD and HDD types, with SSD providing faster I/O.
Features:
Snapshots: An EBS snapshot is a copy of a point in time and can be used to restore a new volume. Stored in S3, charged based on the amount of data stored.
Encryption: Encrypted Amazon EBS volumes at no additional cost
Elasticity: Can increase capacity or Change to different types
Price:
Volumes: Charged by the amount that is provisioned per month.
IOPS: General Purpose SSD is charged by the amount provisioned per month; Magnetic is charged by the number of requests to the volume; Provisioned IOPS SSD is charged by the amount provisioned in IOPS (multiplied by the percentage of days in the month).
Snapshots: Added cost of Amazon EBS snapshots to Amazon S3 is per GB month of data stored.
Data transfer: Inbound data transfer is free. Outbound data transfer across Regions incurs charges
Amazon VPC
Brief review of IP addresses:
IP address: a unique numerical label assigned to devices connected to a network
Classless Inter-Domain Routing (CIDR) block: specifies a range of IP addresses. The format is <IP address>/<number>. The address ranges of VPCs and subnets are defined through CIDR blocks.
Amazon VPC: a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network.
Gives you control over your virtual networking resources, including selection of IP address range, creation of subnets, configuration of route tables and network gateways
Customize the network configuration for your VPC
Use multiple layers of security
AWS physical infrastructure: Data centers ->Availability Zones -> Region -> AWS Cloud. AZs are connected with single-digit millisecond latency network

AWS account resource isolation: Each AWS account has a default VPC in each region.
Dedicated VPCs: Logically isolated from other VPCs, dedicated to your AWS account, belong to a single AWS Region, and can span multiple Availability Zones
Subnets: A range of IP addresses that divide a VPC. Belong to a single Availability Zone. Classified as public or private
CIDR blocks: Subnets are a subset of the VPC CIDR block. Subnet CIDR blocks cannot overlap
E.g. if the VPC is 10.0.0.0/22, the subnets can be 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24
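The CIDR rules above (subnets must sit inside the VPC block and must not overlap), as an added Python example that is not AWS or course code and uses only the standard library; it carves the notes' 10.0.0.0/22 into four /24 subnets, validates a plan, and finds which subnet allocated a given private address.

```python
"""VPC and subnet CIDR planning checks.

Added example (not AWS or course code) using only the Python standard library.
The VPC block 10.0.0.0/22 and its /24 subnets are the ones from the notes.
"""
import ipaddress
import itertools


def split_vpc(vpc_cidr, new_prefix):
    """Carve a VPC CIDR block into equal subnets of the requested prefix length."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(subnet) for subnet in vpc.subnets(new_prefix=new_prefix)]


def validate_subnets(vpc_cidr, subnet_cidrs):
    """Return problems: subnets outside the VPC block, or subnets that overlap each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(cidr) for cidr in subnet_cidrs]
    problems = []
    for subnet in subnets:
        if not subnet.subnet_of(vpc):
            problems.append(f"{subnet} is not inside VPC {vpc}")
    for a, b in itertools.combinations(subnets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems


def subnet_for_address(subnet_cidrs, address):
    """Which subnet allocated this private address? None if no subnet contains it."""
    ip = ipaddress.ip_address(address)
    for cidr in subnet_cidrs:
        if ip in ipaddress.ip_network(cidr):
            return cidr
    return None


# Constructed plan: the notes' VPC split into four /24 subnets.
VPC_CIDR = "10.0.0.0/22"
PLANNED_SUBNETS = split_vpc(VPC_CIDR, 24)
```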

Elastic Network Interfaces (ENIs): An ENI is a virtual network interface that can be attached to an EC2 instance. An EC2 instance can have multiple ENIs. ENIs contain network configuration information such as MAC addresses, IP addresses, and security groups. ENI traffic is handled by the VPC's Nitro Card.
IP addresses:
Private: Many AWS resources (e.g., EC2) are created within a subnet of a VPC. They get allocated a private IP address within the CIDR range of the associated subnet.
Public: Public IP addresses can be assigned through a subnet's auto IP assign property (changes when the instance is restarted), or an Elastic IP address
Security Groups: act as a firewall for virtual machines and other services.
Can associate with AWS resources (e.g. EC2) to control traffic by configuring rules to allow or deny traffic from specific protocols, ports and sources.
An EC2 instance can have more than one security group, and a security group can be associated with multiple EC2 instances.
Default security groups deny all inbound traffic and allow all outbound traffic.
Can specify allow rules, but not deny rules. All rules are evaluated before the decision to allow traffic.
The IP address range, CIDR block or the security group itself can be used as the source or target of traffic.
Cloud Database Options
Cloud-Hosted Databases:
Self-Managed: Install and manage database servers on EC2 instances (e.g., MariaDB).
Fully Managed: Use services like AWS RDS, based on existing database engines, without self-installation and management.
Cloud-Native Databases:
Developed by cloud providers, with built-in cloud features like high scalability, elasticity, and high availability.
Supports multiple data models (relational and non-relational).
Database considerations: Scalability (throughput, scale), Storage requirements, Data characteristics (data model, data access patterns, latency), Durability(data durability, availability, recoverability, regulatory obligations)
AWS Database Services:
Relational Databases: RDS (supports MySQL, PostgreSQL, MariaDB, etc.).
Non-Relational Databases: DynamoDB (key-value store), Neptune (graph database), ElastiCache (in-memory database).
Relational Databases vs. Non-Relational Databases:

Database capacity planning:
Analyze current storage capacity.
Predict capacity requirements.
Determine if horizontal scaling, vertical scaling, or a combination is needed.
Amazon RDS
Overview: a managed relational database service to deploy and scale relational databases. Supports multiple database engines. Uses Amazon Elastic Block Store (Amazon EBS) volumes for database and log storage
Benefits:
Lower administrative burden: don't need to provision infrastructure or install and maintain database software.
Highly scalable: scale up or down the compute and memory resources
Available and durable: configure automated backups, database snapshots, and automatic host replacement
Secure and compliant: isolate your database in your own virtual network.
RDS Architecture:
Runs database engines on EC2 instances, using EBS volumes for data storage.
RDS instances are isolated database environments that can contain multiple user-created databases.
Typically places EC2 instances in public subnets and RDS instances in private subnets. Requires configuration of security group rules to allow EC2 instances to connect to the specified port of the RDS instance.
High Availability and Scalability:
Multi-AZ Deployment: Uses synchronous replication of the RDS instance in a different Availability Zone, ensuring data is written to both the primary and standby instances simultaneously. Provides automatic failover to the standby instance in case of primary instance failure. Focus on high availability and persistence.
Read Replicas: Provides asynchronous replication for handling read-intensive database workloads, which can divert read queries to read-only replicas and relieve the pressure on the primary instance. It can also be used for disaster recovery. The main focus is on read expansion and offload read queries.
Aurora database clusters: includes one or more database instances and a cluster volume that manages the data for those database instances
Aurora cluster volume: a virtual database storage volume that spans multiple Availability Zones, and each Availability Zone has a copy of the DB cluster data.
Amazon RDS security best practices: Run in VPC, manage permissions using IAM policies, control connections with security groups, use SSL/TLS connections to specific engines, encrypt static data with KMS, and control database access by leveraging the security features of the database engine itself.
Amazon Aurora
Overview: a relational database service that attempts to provide SQL in a distributed environment, built on modified MySQL/PostgreSQL. Aims to provide high scalability, high performance, and high availability. Used through RDS, but has cloud-native database characteristics.
Key Design: disaggregation of compute and storage architecture
DB Layer: Runs the modified MySQL/PostgreSQL, and the user interaction method is the same as that of the standard database. It contains one write node (Primary) and up to 15 read nodes (Replicas). But the actual data is not stored on the instance that runs the DB engine. The latest updates are reflected in the memory of all available DB instances.
Storage Layer: A group of EC2 instances, distributed in different AZs, local SSD (Instance Store) is used for data persistence and replication. Replicated 6 times to 3 Availability Zones.
Consistency mechanism:
Write Arbitration (W=4) : Among the 6 copies, 4 are required to confirm the successful write.
Read arbitration (R=3): At least 3 copies respond to the read request.
Disaster Recovery capability: Can tolerate a single AZ failure plus one additional node loss, ensuring read and write availability.
Aurora Advantages:
Better scalability, supporting a larger volume of data.
Higher durability ensures data availability even when an entire Availability Zone is lost.
Amazon Aurora: log as database
Write request: in a conventional database, a write must append to the write-ahead log (WAL) and update the actual data file.
Aurora Approach: The Log is the Database. During a write operation, only redo logs are sent across the network by the Primary instance. Replica instances receive the redo logs to update their memory. Storage nodes receive the redo logs and materialize database pages from them independently and asynchronously. The Primary instance waits for 4 out of 6 acknowledgements to consider the write successful.
I/O traffic optimization: Most storage processing (persistence, organization, completion, merging, writing to S3, garbage collection, verification) is carried out asynchronously in the background to minimize the latency of foreground write requests.
Log Sequence Number(LSN): Each log record has a monotonically increasing LSN, generated by the Primary instance, which is used to track the log order and ensure transaction consistency.
VCL (Volume Complete LSN), CPL (Consistency Point LSN), VDL (Volume Durable LSN) : These LSN are used to coordinate the states of the database layer and the storage layer during crash recovery to ensure data consistency. VCL is the highest LSN at which the storage service guarantees the availability of all previous log records. CPL is the transaction consistency point LSN marked by the database layer, and VDL is the highest CPL less than or equal to VCL, serving as the truncation point for recovery.
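The VCL/CPL/VDL definitions above, worked through as an added Python toy model (not Aurora or course code): six storage nodes each hold a set of received LSNs, a record counts as durable once a write quorum of 4 holds it, VCL is the highest LSN with no durability gap below it, VDL is the highest CPL not above VCL, and recovery truncates everything above VDL. The node logs and CPLs are a constructed crash scenario.

```python
"""Crash recovery with VCL, CPL and VDL, Aurora style.

Added example; a constructed toy model of the notes' definitions, not Aurora
code. Six storage nodes each hold a set of received LSNs; a record is durable
once a write quorum of 4 holds it.
"""

N_COPIES = 6
WRITE_QUORUM = 4   # 4 of 6 acknowledgements make a write durable


def volume_complete_lsn(node_logs, quorum=WRITE_QUORUM):
    """VCL: the highest LSN such that every record up to it is held by a write quorum.

    node_logs: one set of received LSNs per storage node. A gap at one node is
    fine while `quorum` other nodes hold the record; a gap at a quorum stops VCL.
    """
    vcl = 0
    while sum(1 for log in node_logs if (vcl + 1) in log) >= quorum:
        vcl += 1
    return vcl


def volume_durable_lsn(vcl, cpls):
    """VDL: the highest consistency point LSN that is <= VCL (0 if there is none)."""
    return max((cpl for cpl in cpls if cpl <= vcl), default=0)


def recover(node_logs, cpls, quorum=WRITE_QUORUM):
    """Return (vcl, vdl, truncated_lsns) for a crash recovery.

    Everything above VDL is truncated, even records that are durable, because
    they may belong to a transaction whose consistency point never became
    durable, and replaying them would expose a partially applied transaction.
    """
    vcl = volume_complete_lsn(node_logs, quorum)
    vdl = volume_durable_lsn(vcl, cpls)
    every_lsn = set().union(*node_logs)
    truncated = sorted(lsn for lsn in every_lsn if lsn > vdl)
    return vcl, vdl, truncated


# Constructed crash scenario: the primary sent LSN 1..10 before failing. LSN 8
# reached only three nodes, so the volume is complete only up to LSN 7.
NODE_LOGS = [
    {1, 2, 3, 4, 5, 6, 7, 8, 9, 10},
    {1, 2, 3, 4, 5, 6, 7, 8},
    {1, 2, 3, 4, 5, 6, 7, 9, 10},    # never received LSN 8
    {1, 2, 3, 4, 5, 6, 7},
    {1, 2, 3, 4, 5, 6, 7, 8, 9},
    {1, 2, 3, 4, 5, 6},
]
CPLS = [3, 6, 9]   # each transaction's final log record is marked as a CPL
```

In this scenario LSN 7 is durable on five nodes yet still discarded, because the last durable consistency point is LSN 6.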
RDS MySQL vs. RDS Aurora with MySQL: The main difference lies in the underlying storage architecture. RDS MySQL uses EBS volumes attached to EC2 instances, while RDS Aurora with MySQL uses distributed storage nodes, providing better scalability and persistence, even in single-instance deployments.
Week 5: Cloud Networking
VPC Routing
Route Tables: Essential for controlling network traffic flow. Route tables contain a set of rules (routes) that determine where network traffic from a subnet or gateway is directed. Each subnet within a VPC can only be associated with one route table at a time.
Route Rules: Each route rule specifies a destination CIDR block and a target (e.g., local, Internet Gateway (IGW), VPN Gateway, NAT Gateway).
Main Route Table: Each VPC has a default main route table containing a local route rule allowing instances within the VPC to communicate. When creating a new subnet, if no routing table is specified, it will be automatically associated with the main routing table.
Custom Route Tables: You can create custom route tables and associate them with one or more subnets to control subnet traffic.
Internet Gateway: The IGW allows instances in a VPC to connect to the internet. Each VPC can only be associated with one IGW.
Two Key Functions:
Network Address Translation (NAT): Translates private IP addresses in your VPC to public IP addresses, enabling instances to connect to the internet.

Route Table Target: Provides a target in the VPC route tables for internet-routable traffic.

Connecting private subnets to the internet: NAT

Two types of NAT gateways
Public NAT Gateway: Is created within a public subnet, allowing instances in a private subnet to connect to the Internet (outgoing only). Is assigned an elastic IP address. Has redundancy within the Availability Zone. Private subnets in different AZs should have their own NAT gateway
Private NAT Gateway: Allows instances in private subnets to connect to other VPCs or an on-premises network
Internet gateway vs. NAT gateway
IGW: a virtual gateway that allows instances with public IPs to access the internet. Allows two-way traffic. One per VPC.
NAT Gateway: A managed Network Address Translation (NAT) service that allows instances with no public IPs to access the internet. Allows one-way (outgoing) traffic. One per AZ (recommended).
VPC Security
Security layers of defense

Route Tables: Control network traffic at the subnet level.
Network ACLs (Network Access Control Lists): Control inbound and outbound traffic at the subnet level, providing stateless packet filtering.
Network ACLs are stateless. You must explicitly allow both inbound and outbound traffic.
Rules are evaluated in number order, starting with the lowest number.
Can specify both allow and deny rules.
Security Groups: Control inbound and outbound traffic at the EC2 instance level, providing stateful packet filtering.
Security groups are stateful. Return traffic is automatically allowed, regardless of any rule
All rules are allow-rules
Security groups are associated with EC2 instances and can specify which IP addresses, protocols, and ports are allowed to access the instance.
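The stateless-versus-stateful distinction above, as an added Python model (not AWS or course code). It evaluates a constructed SSH session against a network ACL (lowest-numbered matching rule decides, allow and deny both possible, the reply needs its own outbound rule) and against a security group (allow rules only, the reply passes because the connection was tracked); addresses are from the 203.0.113.0/24 documentation range.

```python
"""Stateless network ACL vs stateful security group evaluation.

Added example, not AWS or course code: a constructed model of the rules in the
notes. Addresses are from the 203.0.113.0/24 documentation range.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", relative to the instance/subnet
    protocol: str    # "tcp", "udp" or "icmp"
    port: int        # destination port
    remote: str      # the other end's IP address


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order for NACLs; unused by security groups
    direction: str
    protocol: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # security groups only ever carry "allow"

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and self.protocol in (pkt.protocol, "all")
                and self.port_from <= pkt.port <= self.port_to
                and ipaddress.ip_address(pkt.remote) in ipaddress.ip_network(self.cidr))


def nacl_allows(rules, pkt):
    """Network ACL: the lowest-numbered matching rule decides; no match means deny.

    Stateless: each direction is judged alone, so the reply needs its own rule."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful: a reply to a connection that was allowed in passes without any rule."""

    def __init__(self, rules):
        self.rules = rules
        self._allowed = set()   # connection tracking, keyed by the original packet

    def allows(self, pkt, reply_to=None):
        if reply_to is not None and reply_to in self._allowed:
            return True
        if any(r.matches(pkt) for r in self.rules):    # allow rules only, no deny
            self._allowed.add(pkt)
            return True
        return False


# Constructed scenario: SSH from 203.0.113.10 to an instance; the reply goes back
# to the client's ephemeral port 51000.
SSH_REQUEST = Packet("inbound", "tcp", 22, "203.0.113.10")
SSH_REPLY = Packet("outbound", "tcp", 51000, "203.0.113.10")

# NACL that forgets the outbound ephemeral-port rule: the reply is dropped.
NACL_NO_EPHEMERAL = [Rule(100, "inbound", "tcp", 22, 22, "203.0.113.0/24")]
NACL_WITH_EPHEMERAL = NACL_NO_EPHEMERAL + [
    Rule(100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0")]
# A deny numbered below the allow wins; the same deny numbered above it does not.
NACL_BLOCK_FIRST = ([Rule(90, "inbound", "tcp", 22, 22, "203.0.113.10/32", "deny")]
                    + NACL_WITH_EPHEMERAL)
NACL_BLOCK_LAST = (NACL_WITH_EPHEMERAL
                   + [Rule(110, "inbound", "tcp", 22, 22, "203.0.113.10/32", "deny")])

# Security group with an inbound SSH rule and deliberately no outbound rule, so
# only the stateful reply path can let the response out.
SG_SSH_ONLY = SecurityGroup([Rule(0, "inbound", "tcp", 22, 22, "203.0.113.0/24")])


def nacl_session_ok(rules):
    return nacl_allows(rules, SSH_REQUEST) and nacl_allows(rules, SSH_REPLY)


def sg_session_ok(sg):
    return sg.allows(SSH_REQUEST) and sg.allows(SSH_REPLY, reply_to=SSH_REQUEST)
```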

Bastion Host: A bastion host is an EC2 instance located in a public subnet, used to securely access instances in private subnets.
The security group of a bastion host usually only allows SSH access from a specific IP address range.
The security group of a private instance can be configured to allow SSH traffic from the bastion host security group.
The administrator first connects to the bastion host over SSH, and then connects from the bastion host to the private instance over SSH.
Connecting to managed AWS services
Connection from the public subnet: EC2 instances located in the public subnet can access AWS-hosted services (such as Amazon S3) through the Internet gateway via their public IP addresses. The traffic will pass through the Internet.
Connection from a private subnet: For an EC2 instance located in a private subnet to access AWS managed services, it typically needs to connect to the Internet through a NAT gateway and then access the services. This type of traffic needs to leave the AWS network, which may result in additional latency and costs.
VPC Endpoints: Allow instances within a VPC to privately access other AWS services without traversing the internet. Helps improve security and performance, as well as reducing potential networking costs.
Interface Endpoint: Use PrivateLink to provide private access to AWS services. Create Elastic Network Interfaces (ENIs) in your subnet and route traffic to the service.

Gateway Endpoint: Supports S3 and DynamoDB only, and routes traffic to the service by modifying route tables. A list of route prefixes for the service, with the endpoint as target, needs to be added to the VPC route table.

EC2 attached ENI vs. VPC Endpoint ENI
Both are backed by Nitro hardware
EC2-attached ENIs: Backed by Nitro hardware. Handles VPC networking, security groups, monitoring, and encryption offloaded from the host CPU.
ENIs for interface VPC endpoints: Also backed by Nitro hardware. These ENIs are not attached to an EC2 instance, but AWS still provisions them on Nitro-backed hypervisors running in AWS-managed infrastructure. These are "invisible" service instances, purpose-built to act as entry points to AWS services via PrivateLink.
Gateways vs. VPC Endpoints

AWS Internal and External Traffic
Internal Traffic: AWS internal traffic uses private IP addresses for routing, relying on a Mapping Service to map VM IP addresses to physical host IP addresses.
External Traffic: AWS external traffic goes through Blackfoot edge devices, which perform Network Address Translation (NAT) to convert private IP addresses to public IP addresses.
Week 6: Cloud Security
AWS shared responsibility model
AWS responsibility: Security of the cloud
Physical security of data centers (Controlled, need-based access)
Hardware and software infrastructure (Storage decommissioning, host operating system (OS) access logging, and auditing)
Network infrastructure (Intrusion detection)
Virtualization infrastructure (Instance isolation)
Customer responsibility: Security in the cloud
Amazon EC2 instance operating system: Including patching, maintenance
Applications: Passwords, role-based access, etc.
Security group configuration
OS or host-based firewalls: Including intrusion detection or prevention systems
Network configurations
Account management: Login and permission settings for each user
Service characteristics and security responsibility
IaaS (e.g. EC2): The customer configures networking, storage settings, and access controls, and is responsible for managing more aspects of security.
PaaS (e.g. RDS): The customer focuses on managing code or data. AWS handles the operating system, database patching, firewall configuration, and disaster recovery.
SaaS (e.g., AWS Shield): Fully managed by AWS.
Identity and Access Management
Identity: Each entity (such as a user, administrator, or system) needs an identity
Authentication: The process of verifying that identity. Includes programmatic access (Access key ID, Secret access key) or via the AWS Management Console (12-digit Account ID or alias, IAM user name & password). Could use multi-factor authentication (MFA) prompts for an authentication code.
Access management: Ensuring that entities can perform only the tasks they need to perform.
Authorization: The process of checking what access an entity should have
IAM Components:
Users: Account users and IAM users. They use credentials to authenticate.
Groups: A collection of IAM users that are granted identical authorization. Convenient for batch authorization (such as the development group, the administrator group)
Benefit: Simplified multi-user permission management; a user inherits group permissions by being added to the group. Users can belong to multiple groups. Group policies and user policies can be used in combination, but the stricter rule wins: a deny in the user policy overrides an allow granted by the group policy.
Roles: Can be assumed by a user or services. Mechanism to grant temporary access for making AWS service requests (e.g., EC2 access S3).
Provides temporary security credentials. A role is not uniquely associated with one person; it is assumable by a person, application, or service, and is often used to delegate access. Use cases include giving AWS resources access to AWS services, providing access to externally authenticated users, providing access to third parties, and switching roles to access resources in any AWS account.
Policies: Defines which resources can be accessed and the level of access to each resource.
Identity-based Policies: Attached to IAM users, groups, or roles.
Resource-based Policies: Attached to AWS resources (e.g., S3 buckets).
Policy Documents: Formatted in JSON. The policy defines which resources and operations are allowed or denied. Follow the principle of least privilege.
Evaluation Logic: Explicit Deny > Explicit Allow > Implicit Deny. Default Implicit Deny
Document structure:

e.g.

Groups and Roles in non-cloud setting vs. AWS:
In a non-cloud setting, the "group" concept is mainly used in OS identity management, and the "role" concept is mainly used in application identity management. Both represent a collection of permissions that can be granted to different users. A user can be assigned to multiple groups or roles.
In AWS, an IAM group is similar to the group concept in OS and the role concept in the application. IAM roles are used to handle cloud-specific authorization scenarios. E.g., Allow AWS resources to use AWS services, Provide access to externally authenticated users, Provide access to third parties, Provide cross-account access
Attribute Based Access Control
ABAC: Uses Tags (key-value pairs) for flexible permission management. Tags can be applied to both IAM resources and AWS resources.
More flexible, highly scalable
Policies can use conditional statements to check resource and principal tags.
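An added example (not AWS's own evaluator) serving both the policy document structure and evaluation logic above and the ABAC tag conditions: a simplified model of an identity-based policy document, the order Explicit Deny > Explicit Allow > Implicit Deny across several policies (e.g. a group policy plus a user policy), and a StringEquals condition comparing a resource tag with a principal tag. The bucket name, tags and policies are constructed.

```python
import fnmatch

# Added example, not AWS's own evaluator: a simplified model of an IAM
# policy document and the order Explicit Deny > Explicit Allow > Implicit
# Deny, with an ABAC condition on tags. Bucket, tags, policies are constructed.

POLICY = {  # identity-based policy: Version plus a list of Statements
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*",
         # ABAC: only objects whose team tag equals the caller's team tag
         "Condition": {"StringEquals":
                       {"aws:ResourceTag/team": "${aws:PrincipalTag/team}"}}},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _tag(key, prefix, tags):
    return tags.get(key[len(prefix):]) if key.startswith(prefix) else None

def _condition_holds(cond, principal_tags, resource_tags):
    """StringEquals on aws:ResourceTag/* and aws:PrincipalTag/* keys only."""
    for key, expected in cond.get("StringEquals", {}).items():
        actual = (_tag(key, "aws:ResourceTag/", resource_tags)
                  or _tag(key, "aws:PrincipalTag/", principal_tags))
        if expected.startswith("${aws:PrincipalTag/") and expected.endswith("}"):
            expected = principal_tags.get(expected[len("${aws:PrincipalTag/"):-1])
        if actual is None or actual != expected:
            return False
    return True

def evaluate(policies, action, resource, principal_tags=None, resource_tags=None):
    """Explicit deny anywhere wins, otherwise an allow, otherwise implicit deny."""
    principal_tags, resource_tags = principal_tags or {}, resource_tags or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            if (not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"]))
                    or not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"]))
                    or not _condition_holds(st.get("Condition", {}), principal_tags, resource_tags)):
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"
            decision = "Allow"
    return decision
```

A request that matches no statement gets the default implicit deny; a request whose tags do not match gets the same, and an explicit deny in any policy overrides an allow in another.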

Federating users
Identity provider (IdP): responsible for user authentication.
Service provider (SP): responsible for controlling access to its resources.
Use case: users from external identity sources (such as enterprise AD or Google) access AWS services.
AWS services that support identity federation:
AWS Identity and Access Management (IAM)
AWS IAM Identity Center (successor to AWS Single Sign-On): Centralized identity management across AWS accounts.
AWS Security Token Service (AWS STS): generates temporary credentials.
Amazon Cognito: Authentication and authorization for web and mobile apps.

Identity federation to AWS with an identity broker
The user signs in with existing credentials for their IdP
Identity broker acts as an intermediary between IdP and SP
AWS STS generates temporary credentials dynamically
Identity broker passes temporary credentials to application
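An added simulation of the four broker steps above; it is not AWS STS or any real identity broker. The IdP user directory, the group-to-role mapping (with a placeholder account id), the signing key and the FakeSTS class are all constructed, and FakeSTS stands in for the real service by minting expiring, integrity-protected credentials.

```python
import hashlib, hmac, json, secrets

# Added simulation of the four federation steps above; it is not AWS STS or
# any real broker. The IdP directory, the role mapping (with a placeholder
# account id) and the signing key are constructed.

IDP_USERS = {"alice": {"salt": "s1", "pw": hashlib.sha256(b"s1correct horse").hexdigest(),
                       "group": "Developers"}}   # salted hash, constructed
GROUP_TO_ROLE = {"Developers": "arn:aws:iam::123456789012:role/DevReadOnly"}

class IdP:
    """Step 1: authenticates the user with their existing credentials."""
    def authenticate(self, user, password):
        rec = IDP_USERS.get(user)
        if rec is None:
            return None
        digest = hashlib.sha256((rec["salt"] + password).encode()).hexdigest()
        return rec["group"] if hmac.compare_digest(digest, rec["pw"]) else None

class FakeSTS:
    """Step 3: mints temporary credentials that expire and are integrity-protected."""
    def __init__(self, signing_key, ttl=3600):
        self.key, self.ttl = signing_key, ttl
    def _sign(self, body):
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()
    def assume_role(self, role_arn, session_name, now):
        creds = {"RoleArn": role_arn, "SessionName": session_name,
                 "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),
                 "Expiration": now + self.ttl}
        creds["SessionToken"] = self._sign(creds)
        return creds
    def validate(self, creds, now):
        """The service provider accepts only unexpired, untampered credentials."""
        body = {k: v for k, v in creds.items() if k != "SessionToken"}
        return hmac.compare_digest(self._sign(body), creds["SessionToken"]) and now < creds["Expiration"]

class IdentityBroker:
    """Step 2: the intermediary between the IdP and the service provider."""
    def __init__(self, idp, sts):
        self.idp, self.sts = idp, sts
    def federate(self, user, password, now):
        group = self.idp.authenticate(user, password)
        if group is None or group not in GROUP_TO_ROLE:
            return None   # not authenticated, or no role mapped: nothing is issued
        # Step 4: the temporary credentials go to the application, never the IdP password
        return self.sts.assume_role(GROUP_TO_ROLE[group], f"{user}@idp", now)
```

The application never sees the user's IdP password, only credentials that stop validating once the TTL passes or any field is altered.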
