AWS Developer Associate Exam Notes
For more information on AWS, visit aws.amazon.com
Description
Notes and information that were collected while studying and prepping for the AWS Developer Associate Exam.
Topic | Answer |
---|---|
Exam Time: | 80 Minutes |
No. Questions: | 60 Questions |
Question Types: | Scenario and Multiple Choice |
Passing Score: | ~ 70% |
Validity Period: | 2 years |
Renewal Exam: | 1/2 price off |
Prerequisite Assumptions Note:
This study guide builds upon the AWS Solutions Architect Study Guide under the Notes section. You should reference that study guide and use this study guide for the additional information required for the AWS Developer Associate Exam.
General
Amazon Web Services SDKs:
- Android, iOS, JavaScript (Browser)
- Java
- .NET
- Node.js
- PHP
- Python
- Ruby
- Go
- C++
Default Regions:
- US-EAST-1
- Java has a default region
- Some languages such as Node.js do not have a default region
Service Limits:
Each service has the default limits defined, to see the official AWS documentation on service limits, check here
Networking:
Lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking, IP ranges, creation of subnets and configuration of route tables and network gateways.
- This topic is covered in AWS Solutions Architect Study Guide
- Virtual data center in the cloud
- Allowed up to 5 VPCs in each AWS region by default
- All subnets in default VPC have an Internet gateway attached
- Multiple IGW's can be created, but only a single IGW can be attached to a VPC
- Each EC2 instance has both a public and private IP address
- If you delete the default VPC, the only way to get it back is to submit a support ticket
- By default when you create a VPC, a default main routing table automatically gets created as well.
- Subnets are always mapped to a single AZ
- Subnets can not be mapped to multiple AZs
- /16 is the largest CIDR block available when provisioning an IP space for a VPC
- Amazon uses 3 of the available IP addresses in a newly created subnet
- x.x.x.0 - Always subnet network address and is never usable
- x.x.x.1 - Reserved by AWS for the VPC router
- x.x.x.2 - Reserved by AWS for subnet DNS
- x.x.x.3 - Reserved by AWS for future use
- x.x.x.255 - Always subnet broadcast address and is never usable.
- 169.254.169.253 - Amazon DNS
- By default all traffic between subnets is allowed
- By default not all subnets have access to the Internet. Either an Internet Gateway or NAT gateway is required for private subnets
- You can only have 1 Internet gateway per VPC
- A security group can stretch across different AZ's
- You can also create a Hardware Virtual Private Network (VPN) connection between your corporate data center and your VPC and leverage the AWS cloud as an extension of your corporate data center
- Network Address Translation (NAT) Instances:
- When creating a NAT instance, disable Source/Destination checks on the instance or you could encounter issues
- NAT instances must be in a public subnet
- There must be a route out of the private subnet to the NAT instance in order for it to work
- The amount of traffic that a NAT instance supports depends on the size of the NAT instance
- If you are experiencing any sort of bottleneck issues with a NAT instance, then increase the instance size
- HA can be achieved by using Auto-scaling groups, or multiple subnets in different AZ's with a scripted fail-over procedure
- NAT instances are always behind a security group
- Network Address Translation (NAT) Gateway:
- NAT Gateways scale automatically up to 10Gbps
- There is no need to patch NAT gateways as the AMI is handled by AWS
- NAT gateways are automatically assigned a public IP address
- When a new NAT gateway has been created, remember to update your route table
- No need to assign a security group, NAT gateways are not associated with security groups
- Preferred in the Enterprise
- No need to disable Source/Destination checks
- Network Access Control Lists (NACLS):
- Numbered list of rules that are evaluated in order, starting at the lowest numbered rule, to determine what traffic is allowed in or out of the subnets associated with the NACL
- The highest rule number is 32766
- Start with rules starting at 100 so you can insert rules if needed
- Default NACL will allow ALL traffic in and out by default
- You must assign a NACL to each subnet, if a subnet is not associated with a NACL, it will allow no traffic in or out
- NACL rules are stateless: an allowed inbound connection does not automatically create a matching outbound rule (unlike security groups)
- You can only assign a single NACL to a single subnet
- VPC Peering:
- Connection between two VPCs that enables you to route traffic between them using private IP addresses via a direct network route
- Instances in either VPC can communicate with each other as if they are within the same network
- You can create VPC peering connections between your own VPCs or with a VPC in another account within a SINGLE REGION
- AWS uses existing infrastructure of a VPC to create a VPC peering connection. It is not a gateway nor a VPN, and does not rely on separate hardware
- There is NO single point of failure for communication nor any bandwidth bottleneck
- There is no transitive peering between VPC peers (Can't go through 1 VPC to get to another)
- Hub and spoke configuration model (1 to 1)
- Be mindful of IPs in each VPC, if multiple VPCs have the same IP blocks, they will not be able to communicate
- You can peer VPC's with other AWS accounts as well as with other VPCs in the same account
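The reserved addresses listed above can be checked programmatically. This is an added example, not part of the original notes: given a subnet CIDR it returns the usable address count and the reserved addresses, generalizing the x.x.x.255 case to the last address of any prefix length, and it applies the AWS-documented prefix range for VPC subnets (/16 largest, /28 smallest), the /28 bound being an AWS fact not stated in these notes.

```python
"""Added example (not from the original notes): which addresses in an AWS
subnet are usable by instances, applying the reservations described above."""
import ipaddress

# Offsets from the network address that are never usable in an AWS subnet:
# the network address itself plus the three addresses AWS reserves.
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "subnet DNS",
    3: "reserved for future use",
}


def subnet_usable_addresses(cidr: str):
    """Return (usable_count, reserved) for an AWS VPC subnet CIDR.

    reserved maps each unusable IP (as a string) to the reason it is unusable.
    Raises ValueError for host bits set in the CIDR, for IPv6, and for
    prefixes outside the VPC subnet range (/16 to /28, per AWS documentation).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError("only IPv4 subnets are handled here")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC subnets must be between /16 and /28")

    first = int(net.network_address)
    reserved = {
        str(ipaddress.ip_address(first + offset)): reason
        for offset, reason in RESERVED_OFFSETS.items()
    }
    # The last address of the block is the broadcast address (x.x.x.255 for a /24).
    reserved[str(net.broadcast_address)] = "broadcast address"
    return net.num_addresses - len(reserved), reserved


if __name__ == "__main__":
    count, reserved = subnet_usable_addresses("10.0.1.0/24")  # constructed sample
    print(f"usable: {count}")
    for ip, reason in reserved.items():
        print(f"  {ip:<12} {reason}")
```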
Resource or Operation | Default Limit | Comments |
---|---|---|
VPCs per region: | 5 | The limit for Internet gateways per region is directly correlated to this one. Increasing this limit will increase the limit on Internet gateways per region by the same amount. |
Subnets per VPC: | 200 | |
Internet gateways per region: | 5 | This limit is directly correlated with the limit on VPCs per region. You cannot increase this limit individually; the only way to increase this limit is to increase the limit on VPCs per region. Only one Internet gateway can be attached to a VPC at a time. |
Customer gateways per region: | 50 | |
VPN connections per region: | 50 | |
VPN connections per VPC (per virtual private gateway): | 10 | |
Route tables per VPC: | 5 | Including the main route table. You can associate one route table to one or more subnets in a VPC. |
Routes per route table (non-propagated routes): | 50 | This is the limit for the number of non-propagated entries per route table. You can submit a request for an increase of up to a maximum of 100; however, network performance may be impacted. |
BGP advertised routes per route table (propagated routes): | 5 | You can have up to 100 propagated routes per route table; however, the total number of propagated and non-propagated entries per route table cannot exceed 100. For example, if you have 50 non-propagated entries (the default limit for this type of entry), you can only have 50 propagated entries. This limit cannot be increased. If you require more than 100 prefixes, advertise a default route. |
Elastic IP addresses per region for each AWS account: | 5 | This is the limit for the number of VPC Elastic IP addresses you can allocate within a region. This is a separate limit from the Amazon EC2 Elastic IP address limit. |
Security groups per VPC: | 500 | |
Inbound or outbound rules per security group: | 50 | You can have 50 inbound and 50 outbound rules per security group (giving a total of 100 combined inbound and outbound rules). If you need to increase or decrease this limit, you can contact AWS Support — a limit change applies to both inbound and outbound rules. However, the multiple of the limit for inbound or outbound rules per security group and the limit for security groups per network interface cannot exceed 250. For example, if you want to increase the limit to 100, we decrease your number of security groups per network interface to 2. |
Security groups per network interface: | 5 | If you need to increase or decrease this limit, you can contact AWS Support. The maximum is 16. The multiple of the limit for security groups per network interface and the limit for rules per security group cannot exceed 250. For example, if you want 10 security groups per network interface, we decrease your number of rules per security group to 25. |
Network interfaces per instance: | N/A | This limit varies by instance type. For more information, see Private IP Addresses Per ENI Per Instance Type. |
Network interfaces per region: | 350 | This limit is the greater of either the default limit (350) or your On-Demand instance limit multiplied by 5. The default limit for On-Demand instances is 20. If your On-Demand instance limit is below 70, the default limit of 350 applies. You can increase the number of network interfaces per region by contacting AWS Support, or by increasing your On-Demand instance limit. |
Network ACLs per VPC: | 200 | You can associate one network ACL to one or more subnets in a VPC. This limit is not the same as the number of rules per network ACL. |
Rules per network ACL: | 20 | This is the one-way limit for a single network ACL, where the limit for ingress rules is 20, and the limit for egress rules is 20. This limit can be increased upon request up to a maximum of 40; however, network performance may be impacted due to the increased workload to process the additional rules. |
Active VPC peering connections per VPC: | 50 | If you need to increase this limit, contact AWS Support. The maximum limit is 125 peering connections per VPC. The number of entries per route table should be increased accordingly; however, network performance may be impacted. |
Outstanding VPC peering connection requests: | 25 | This is the limit for the number of outstanding VPC peering connection requests that you've requested from your account. |
Expiry time for an unaccepted VPC peering connection request: | 1 week (168 hrs) | |
VPC endpoints per region: | 20 | The maximum limit is 255 endpoints per VPC, regardless of your endpoint limit per region. |
Flow logs per single ENI, single subnet, or single VPC in a region: | 2 | You can effectively have 6 flow logs per network interface if you create 2 flow logs for the subnet, and 2 flow logs for the VPC in which your network interface resides. This limit cannot be increased. |
NAT gateways per Availability Zone: | 5 | A NAT gateway in the pending, active, or deleting state counts against your limit. |
For additional information about VPC Limits, see Limits in Amazon VPC
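The NACL points in the networking section above (lowest-numbered rule wins, start numbering at 100 so rules can be inserted in front, stateless evaluation) are easy to get wrong in practice. This is an added example, not part of the original notes: a small model of NACL evaluation over constructed rules, showing that an inbound HTTPS allow is useless until the outbound side also allows replies to the clients' ephemeral ports. The CIDRs and rule numbers are constructed sample values.

```python
"""Added example (not from the original notes): model how a network ACL
evaluates numbered rules and why 'stateless' needs explicit reply rules."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated lowest number first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def evaluate_nacl(rules, protocol, address, port):
    """Return the action of the first matching rule, lowest number first.

    The trailing '*' rule AWS appends to every NACL is modelled as an implicit
    deny: traffic that matches no numbered rule is denied.
    """
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"


# Constructed sample: a web subnet that admits HTTPS from anywhere except one
# blocked range. Rule 90 slots in front of rule 100 because numbering started at 100.
INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(90, "tcp", "198.51.100.0/24", 0, 65535, "deny"),
]
# Outbound that only allows port 443: a common mistake on a stateless ACL,
# because replies go to the client's ephemeral port, not to port 443.
OUTBOUND_WRONG = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
# Corrected outbound: also allow replies to the ephemeral port range.
OUTBOUND_FIXED = OUTBOUND_WRONG + [NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]


def https_session_allowed(inbound, outbound, client_ip, client_port):
    """True only if the request gets in AND the reply can get back out.

    Each direction is evaluated independently, which is what stateless means;
    a security group would have allowed the reply automatically.
    """
    request_ok = evaluate_nacl(inbound, "tcp", client_ip, 443) == "allow"
    reply_ok = evaluate_nacl(outbound, "tcp", client_ip, client_port) == "allow"
    return request_ok and reply_ok


if __name__ == "__main__":
    client = "203.0.113.5"  # constructed client address
    print("wrong outbound:", https_session_allowed(INBOUND, OUTBOUND_WRONG, client, 50000))
    print("fixed outbound:", https_session_allowed(INBOUND, OUTBOUND_FIXED, client, 50000))
    print("blocked range :", evaluate_nacl(INBOUND, "tcp", "198.51.100.7", 443))
```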
Compute:
Elastic Compute Cloud - Backbone of AWS, provides re-sizable compute capacity in the cloud. Reduces the time required to obtain and boot new server instances to minutes allowing you to quickly scale capacity, both up and down, as your computing requirements change.
- This topic is covered in AWS Solutions Architect Study Guide
- Once an Instance has been launched with instance store storage, you can not attach additional instance store volumes after the instance is launched, only EBS volumes
- When using an instance store volume, you can not stop the instance (the option to do so will not be available, as the instance moves to another host and would cause complete data loss)
- When using ephemeral storage, an underlying host failure will result in data loss
- You can reboot both instance types (w/ephemeral and EBS volumes) and will not lose data, but again, an ephemeral volume based instance can NOT be stopped
- By default, root volumes of both kinds are deleted on termination, however you can tell AWS to keep the root device volume of a new instance during launch
- You can poll an instance's meta-data by using curl http://169.254.169.254/latest/meta-data/
- You can get an instance's IP address by using curl http://169.254.169.254/latest/meta-data/public-ipv4
- No such thing as user-data, remember it's always meta-data, not user-data
- Can not encrypt root volumes, but you can encrypt any additional volumes that are added and attached to an EC2 instance.
- You can have up to 10 tags per EC2 instance
- AWS does not recommend ever putting RAID 5's on EBS
- When configuring a launch configuration for an auto-scaling group, the Health Check Grace Period is the period of time to ignore health checks while instances or auto-scaled instances are added and booting.
- Termination protection is turned off by default, you must turn it on
- Roles:
- You can only assign an EC2 role to an instance on create. You can not assign a role after the instance has been created and/or is running
- You can change the permissions on a role post creation, but can NOT assign a new role to an existing instance
- Role permissions can be changed, but not swapped
- Roles are more secure than storing your access key and secret key on individual EC2 instances
- Roles are easier to manage; you can assign a role, and change permissions on that role at any time, which takes effect immediately
- Roles can only be assigned when that EC2 instance is being provisioned
- Roles are universal, you can use them in any region
- Instance sizing:
- T2 - Lowest Cost General Purpose - Web/Small DBs
- M4 - General Purpose - App Servers
- M3 - General Purpose - App servers
- C4 - Compute Optimized - CPU Intensive Apps/DBs
- C3 - Compute Optimized - CPU Intensive Apps/DBs
- R3 - Memory Optimized - Memory Intensive Apps/DBs
- G2 - Graphics / General Purpose - Video Encoding/Machine Learning/3D App Streaming
- I2 - High Speed Storage - NoSQL DBs, Data Warehousing
- D2 - Dense Storage - Fileservers/Data Warehousing/Hadoop
- D - Density
- I - IOPS
- R - RAM
- T - Cheap General Purpose
- M - Main General Purpose
- C - Compute
- G - Graphics
- Storage Types:
- Instance Store (Ephemeral):
- Also referred to as ephemeral storage and is not persistent
- Instances using instance store storage can not be stopped. If they are, data loss would result
- If there is an issue with the underlying host and your instance needs to be moved, or is lost, Data is also lost
- Instance store volumes cannot be detached and reattached to other instances; they exist only for the life of that instance
- Best used for scratch storage, storage that can be lost at any time with no bad ramifications, such as a cache store
- EBS (Elastic Block Storage):
- Elastic Block Storage is persistent storage that can be used to procure storage to EC2 instances.
- You can NOT mount 1 EBS volume to multiple EC2 instances; instead you must use EFS
- Default action for EBS volumes is for the root EBS volume to be deleted when the instance is terminated
- By default, ROOT volumes will be deleted on termination, however with EBS volumes only, you can tell AWS to keep the root device volume
- EBS backed instances can be stopped, you will NOT lose any data
- EBS volumes can be detached and reattached to other EC2 instances
- 3 types of EBS volumes can be provisioned and attached to an EC2 instance:
- General Purpose SSD (GP2):
- General Purpose up to 10K IOPS
- 99.999% availability
- Ratio of 3 IOPS per GB with up to 10K IOPS and ability to burst
- Up to 3K IOPS for short periods for volumes under 1GB
- Provisioned IOPS SSD (IO1):
- Designed for I/O intensive applications such as large relational or No-SQL DBs.
- Use if need more than 10K IOPS
- Magnetic (Standard)
- Lowest cost per GB
- Ideal for workloads where data is accessed infrequently and apps where the lowest cost storage is important.
- Ideal for fileservers
- Encryption:
- Root Volumes cannot be encrypted by default, you need a 3rd party utility
- Other volumes added to an instance can be encrypted.
- AMIs:
- AMIs are simply snapshots of a root volume and are stored in S3
- AMIs are regional. You can only launch an AMI from the region in which it was stored
- You can copy AMIs to other regions using the console, CLI or Amazon EC2 API
- Provides information required to launch a VM in the cloud
- Template for the root volume for the instance (OS, Apps, etc)
- Permissions that control which AWS accounts can use the AMI to launch instances
- When you create an AMI, by default it's marked private. You have to manually change the permissions to make the image public or share images with individual accounts
- Block device mapping that specifies volumes to attach to the instance when it's launched
- Hardware Virtual Machine (HVM) AMIs available
- Paravirtual (PV) AMIs available
- You can select an AMI based on:
- Region
- OS
- Architecture (32 vs. 64 bit)
- Launch Permissions
- Storage for the root device (Instance Store Vs. EBS)
- Security Groups:
- Act like virtual firewalls for the associated EC2 instance
- If you edit a security group, it takes effect immediately.
- You can not set any deny rules in security groups, you can only set allow rules
- There is an implicit deny any any at the end of the security group rules
- You don't need outbound rules for any inbound request. Rules are stateful meaning that any request allowed in, is automatically allowed out
- You can have any number of EC2 instances associated with a security group
- Snapshots:
- You can take a snapshot of a volume; this will store that volume's snapshot on S3
- Snapshots are point in time copies of volumes
- The first snapshot will be a full snapshot of the volume and can take a little time to create
- Snapshots are incremental, which means that only the blocks that have changed since your last snapshot are moved to S3
- Snapshots of encrypted volumes are encrypted automatically
- Volumes restored from encrypted snapshots are encrypted automatically
- You can share snapshots but only if they are not encrypted
- Snapshots can be shared with other AWS accounts or made public in the marketplace, again as long as they are NOT encrypted
- If you are making a snapshot of a root volume, you should stop the instance before taking the snapshot
- RAID Volumes:
- If you take a snapshot, the snapshot excludes data held in cache by applications or the OS. This tends not to be an issue on a single volume; however, with multiple volumes in a RAID array it can cause a problem due to the interdependencies of the array
- Take an application consistent snapshot
- Stop the application from writing to disk
- Flush all caches to the disk
- Snapshot of RAID array --> 3 Methods:
- Freeze the file system
- Unmount the RAID Array
- Shutdown the EC2 instance --> Take Snapshot --> Turn it back on
- Placement Groups:
- A logical group of instances in a single AZ
- Using placement groups enables applications to participate in a low latency, 10Gbps network
- Placement groups are recommended for applications that benefit from low network latency, high network throughput or both
- A placement group can't span multiple AZ's so it is a SPoF.
- The name you specify for a placement group must be unique within your AWS account
- Only certain types of instances can be launched in a placement group: Compute Optimized, GPU, Memory Optimized, and Storage Optimized.
- AWS recommends that you use the same instance family and same instance size within the placement group.
- You can't merge placement groups
- You can't move an existing instance into a placement group
- You can create an AMI from your existing instance and then launch a new instance from the AMI into a placement group
- Pricing Models:
- On Demand:
- Pay fixed rate by the hour with no commitment
- Users that want the low cost and flexibility of EC2
- Apps with short term, spiky or unpredictable workloads that cannot be interrupted
- Apps being developed or tested on EC2 for the first time
- Reserved:
- Provide capacity reservation and offer significant discount on the hourly charge for an instance (1-3 year terms)
- Applications have steady state, or predictable usage
- Apps that require reserved capacity
- Users able to make upfront payments to reduce their total computing costs even further.
- Spot:
- Bid whatever price you want for instance capacity by the hour
- When your bid price is greater than or equal to the spot price, your instance will boot
- When the spot price is greater than your bid price, your instance will terminate with an hour's notice.
- Applications have flexible start and end times
- Apps that are only feasible at very low compute prices
- Users with urgent computing needs for large amounts of additional capacity
- If the spot instance is terminated by Amazon EC2, you will not be charged for a partial hour of usage
- If you terminate the instance yourself you WILL be charged for any partial hours of usage.
Developer Associate Specific Topics
- Install the AWSCLI tools or use the Amazon AMI to have access to the Amazon Command line tools
- Create a user in IAM, download the access key/secret access key
- Use the aws configure command to configure the CLI tools to interface with your amazon account using the IAM user access key/secret access key, and default region (Default output format can be left blank)
- Configured credentials can be found in ~/.aws/credentials
- Region and other configuration parameters can be found in ~/.aws/config
- Common CLI commands
- aws configure: Use to configure the command line tools to access your amazon account
- aws s3 ls - List all buckets that are associated with your AWS account
- aws s3 mb s3://helloworldtestbucket - Create a new S3 bucket, in this case named helloworldtestbucket
- SDKs
- PHP:
- From the instance that you want to install the SDK install composer (curl -sS https://getcomposer.org/installer | php)
- Install the SDK using composer in the web directory which is usually /var/www/html (php composer.phar require aws/aws-sdk-php)
Resource or Operation | Default Limit |
---|---|
Elastic IP addresses for EC2-Classic: | 5 |
Security groups for EC2-Classic per instance: | 500 |
Rules per security group for EC2-Classic: | 100 |
Key pairs: | 5000 |
On-Demand instances: | Varies based on instance type |
Spot Instances: | Varies based on instance type |
Reserved Instances: | 20 instance reservations per Availability Zone, per month |
Dedicated Hosts: | Up to 2 Dedicated Hosts per instance family, per region can be allocated |
AMI Copies: | Destination regions are limited to 50 concurrent AMI copies at a time, with no more than 25 of those coming from a single source region. |
Throttle on the emails that can be sent: | Throttle applied |
Tags per EC2 instance: | 10 |
EBS (Elastic Block Storage) Limits
Resource or Operation | Default Limit |
---|---|
Number of EBS volumes: | 5000 |
Number of EBS snapshots: | 10,000 |
Total volume storage of General Purpose SSD (gp2) volumes: | 20 TiB |
Total volume storage of Provisioned IOPS SSD (io1) volumes: | 20 TiB |
Total volume storage of Throughput Optimized HDD (st1): | 20 TiB |
Total volume storage of Cold HDD (sc1): | 20 TiB |
Total volume storage of Magnetic volumes: | 20 TiB |
Total provisioned IOPS: | 40,000 |
For additional information about EC2 Limits, see Limits in Amazon EC2
Elastic Load Balancing offers two types of load balancers that both feature high availability, automatic scaling, and robust security. These include the Classic Load Balancer that routes traffic based on either application or network level information, and the Application Load Balancer that routes traffic based on advanced application level information that includes the content of the request.
- This topic is covered in AWS Solutions Architect Study Guide
- When configuring ELB health checks, bear in mind that you may want to create a file like healthcheck.html or point the ping path of the health check to the main index file in your application
- Remember the health check interval is how often a health check will occur
- Your Healthy/Unhealthy thresholds are how many times either will check before marking the origin either healthy or unhealthy
- Health Check Interval: 10 seconds
- Unhealthy Threshold: 2
- Healthy Threshold: 3
- This means that if the health check fails twice in a row, the source will be marked as unhealthy. This is 2 checks @ 10 seconds per check, so basically after 20 seconds the origin will be marked unhealthy
- Likewise, if the healthy threshold is 3, then it takes 3 x the health check interval of 10 seconds, i.e. 30 seconds. After 30 seconds with 3 consecutive successful checks, the origin will be marked as healthy.
- Enable Cross-Zone Load Balancing will distribute load across all back-end instances, even if they exist in different AZ's
- ELBs are NEVER given public IP Addresses, only a public DNS name
- ELBs can be In Service or Out of Service depending on health check results
- Charged by the hour and on a per GB basis of usage
- Must be configured with at least one listener
- A listener must be configured with a protocol and a port for the front end (client to ELB connection), as well as a protocol and port for the back end (ELB to instances connection)
- ELBs support HTTP, HTTPS, TCP, and SSL (Secure TCP)
- ELBs support all ports (1-65535)
- ELBs do not support multiple SSL certificates
- Classic ELBs support the following ports:
- 25 (SMTP)
- 80 (HTTP)
- 443 (HTTPS)
- 465 (SMTPS)
- 587 (SMTPS)
- 1024-65535
- HTTP Error Codes:
- 200 - The request has succeeded
- 3xx - Redirection
- 4xx - Client Error (404 not found)
- 5xx - Server Error
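The health check arithmetic above (interval x threshold, with consecutive results required) can be walked through with a small simulation. This is an added example, not part of the original notes: it replays a constructed sequence of check outcomes against the interval and thresholds given above and reports when the target changes state.

```python
"""Added example (not from the original notes): simulate ELB health check
thresholds to see when a target is marked unhealthy or healthy again."""


def health_check_timeline(results, interval=10, unhealthy_threshold=2,
                          healthy_threshold=3, initial="healthy"):
    """Replay a sequence of health check outcomes (True = check passed).

    Returns a list of (elapsed_seconds, new_state) transitions. A target needs
    `unhealthy_threshold` consecutive failures to be taken out of service and
    `healthy_threshold` consecutive passes to be put back; any opposite result
    resets the streak, which is why a flapping target never transitions.
    Defaults are the interval and thresholds from the notes above.
    """
    state = initial
    streak = 0
    transitions = []
    for n, passed in enumerate(results, start=1):
        elapsed = n * interval
        if state == "healthy":
            streak = 0 if passed else streak + 1
            if streak >= unhealthy_threshold:
                state, streak = "unhealthy", 0
                transitions.append((elapsed, state))
        else:
            streak = streak + 1 if passed else 0
            if streak >= healthy_threshold:
                state, streak = "healthy", 0
                transitions.append((elapsed, state))
    return transitions


if __name__ == "__main__":
    # Constructed sample: two failures, then three passes.
    for elapsed, state in health_check_timeline([False, False, True, True, True]):
        print(f"after {elapsed}s: {state}")
```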
Application Load Balancer Limit | Default Limit |
---|---|
Load balancers per region: | 20 |
Target groups per region: | 50 |
Listeners per load balancer: | 10 |
Targets per load balancer: | 1000 |
Subnets per Availability Zone per load balancer: | 1 |
Security groups per load balancer: | 5 |
Rules per load balancer (excluding defaults): | 10 |
No. of times a target can be registered per LB: | 100 |
Load balancers per target group: | 1 |
Targets per target group: | 1000 |
Classic Load Balancer Limit | Default Limit |
---|---|
Load balancers per region: | 20 |
Listeners per load balancer: | 100 |
Subnets per Availability Zone per load balancer: | 1 |
Security groups per load balancer: | 5 |
This limit includes both your Application load balancers and your Classic load balancers. This limit can be increased upon request.
AWS Elastic Beanstalk is an easy-to-use service for deploying and scaling web applications and services developed with Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker on familiar servers such as Apache, Nginx, Passenger, and IIS.
Developer Associate Specific Topics
- Elastic Beanstalk is free, however any resources that are used in conjunction with the service are subject to normal pricing
- Predefined Configuration:
- IIS
- Node.js
- PHP
- Python
- Ruby
- Tomcat
- Docker
- Pre-configured Docker
- GlassFish
Resource or Operation | Default Limit |
---|---|
Applications: | 1000 |
Application Versions: | 1000 |
Environments: | 500 |