diff --git a/content/post/aws-series-automation.md b/content/post/aws-series-automation.md new file mode 100644 index 00000000..66e48bd8 --- /dev/null +++ b/content/post/aws-series-automation.md @@ -0,0 +1,34 @@ +--- +title: "Aws Series Automation" +type: "post" +date: 2024-01-03T14:40:26+07:00 +description: "In this topic you will learn about automation in AWS Infrastructure" +keywords: ["aws", "solution architecture", "aws solution architect associate"] +categories: ["systemdesign", "aws"] +tags: ["aws"] +image: "https://gist.github.com/assets/31009750/d03115b2-879f-465f-8804-cde93a12ec14" +--- + +Automation Benefit: + +- Time +- Consistency +- Security + +![image](https://gist.github.com/assets/31009750/267cc128-3803-4531-8a3e-50113d03e520) + +## CloudFormation + +- Allows you to provision resources quickly and consistently, and manage them throughout their lifecycles, by treating infrastructure as code. + +![image](https://gist.github.com/assets/31009750/5e2d1287-5267-4464-a2c8-6cdff59ed4d9) + +![image](https://gist.github.com/assets/31009750/919cb061-c905-4e0d-94de-748ce880addb) + +## Elastic Beanstalk + +- Easy-to-use all in one service for deploying and scaling web applications and services developed with a variety of supported languages + +## System Manager + +- Gives you the ability to easily patch, update, manage and configure your EC2 instances along with on-premise architecture. diff --git a/content/post/aws-series-caching.md b/content/post/aws-series-caching.md new file mode 100644 index 00000000..1c52102c --- /dev/null +++ b/content/post/aws-series-caching.md 
@@ -0,0 +1,53 @@ +--- +title: "Aws Series Caching" +type: "post" +date: 2024-01-03T15:20:47+07:00 +description: "In this topic you will learn about caching in AWS architecture" +keywords: ["aws", "solution architecture", "aws solution architect associate"] +categories: ["systemdesign", "aws"] +tags: ["aws"] +image: "https://gist.github.com/assets/31009750/c20c75e0-9149-403e-bdc8-fb4e9ee704ae" +--- + +What can we cache: + +1. External: data that's going to be returned to our users +2. Internal: eg, we can speed up our databases, the less we talk to the database, the better. + +Caching solutions + +![image](https://gist.github.com/assets/31009750/b53bc9b3-76e9-4fe7-bade-2b0a184ab0ce) + +## Global Caching with CloudFront + +- CDN service, help to reduce latency and provide high transfer speed using AWS edge locations. +- Https is default +- Global distribution +- Can be used to front AWS endpoint along with non-AWS applications +- Expiring content with TTL configuration + +![image](https://gist.github.com/assets/31009750/ce2b3617-6394-4152-aaf6-98cf5041a5ed) + +![image](https://gist.github.com/assets/31009750/dcc4df84-d0ff-4ef0-8618-efba250aecfe) + +## Elastic Cache + +- A managed version of two opensource: memcached and redis +- And for RDS + +![image](https://gist.github.com/assets/31009750/00d97912-7e0d-4470-ae12-1eb97bc9af2e) + +## DAX + +- DynamoDB Accelerator +- In Memory Cache: ml to nano +- Live inside VPC +- You can control size of node, TTL, + +## IP Caching with Global Accelerators + +- A service that send user's traffic to the global AWS Infrastructure via accelerators. Anycast IP. + +![image](https://gist.github.com/assets/31009750/7d004c3d-b89c-41bd-a14c-0932a8841d56) +![image](https://gist.github.com/assets/31009750/245a1583-ef36-491f-a983-70969f1a749d) +![image](https://gist.github.com/assets/31009750/ab226cb7-8720-4bfe-a0ce-4da7a7ebf9c3) 
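Review bot: the bullet `- Https is default` under Global Caching with CloudFront overstates the default; a new distribution's viewer protocol policy accepts both HTTP and HTTPS, so the line should say HTTPS can be enforced (Redirect HTTP to HTTPS or HTTPS Only) rather than that it is on by default. `## Elastic Cache` should be `ElastiCache`, and `- And for RDS` under it is a dangling fragment; spell out what is meant (a cache in front of RDS). In the DAX section `In Memory Cache: ml to nano` reads as a typo; write out the units and latency figures intended. Global Accelerator does not cache content, so `## IP Caching with Global Accelerators` is a misleading heading for a section whose own bullet describes routing user traffic over anycast IPs.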
diff --git a/content/post/aws-series-governance.md b/content/post/aws-series-governance.md new file mode 100644 index 00000000..5898b877 --- /dev/null +++ b/content/post/aws-series-governance.md 
@@ -0,0 +1,144 @@ +--- +title: "Aws Series Governance" +type: "post" +date: 2024-01-03T23:05:24+07:00 +description: "In this topic you will learn how to use AWS Organization" +keywords: ["aws", "solution architecture", "aws solution architect associate"] +categories: ["systemdesign", "aws"] +tags: ["aws"] +image: "/common/no-image.png" +--- + +## Account Types + +- Management Account is the primary account that hosts and manage organization (payer account) +- Member Account is all AWS accounts that belong to the organization + +## Features + +- Consolidated Billing +- Usage Discounts +- Shared Savings + +## Main concepts + +- Multi Account +- Tag Enforcement +- Organization Unit(ou): group of accounts +- Service Controler Policies(SCP): JSON policies that get applied to OUs or accounts to restrict actions that are or are not allowed +- Management Account: SCP do affect the management account like they do all member accounts. +- Account Best Practices: create a centralized logging account for organization CloudTrail logs. Also, levelrage cross-account roles for accessing member accounts. + +![image](https://gist.github.com/assets/31009750/c53f9497-0b96-4d81-bc3c-ff7b0e21ce37) + +**Example of SCP** + +![image](https://gist.github.com/assets/31009750/a0ccc820-1cd7-4040-83b0-c33d3ae34d01) + +## Sharing resources using AWS RAM + +> AWS RAM(Resource Access Manager) + +- A Free service that allows you to share resources with other accounts inside or outside your organization. It is actually shared not duplicating + +> What could be shared? + +- Transit gateways +- VPC subnets +- License Manager +- Route 53 Resolver(Rules and Endpoints) +- Dedicated Hosts +- ... + +> Ownership and Participants + +- Ownership: create and manage VPC resources that get shared. Can not delete or modify resourced deployed by participant accounts. +- Participants: able to provision services in the shared VPC subnets. Can not modify or delete the shared resources. 
+ +## Setting up cross account role access + +> Cross-account role access gives you the ability to setup temporately credentials that can be revoked as needed + +![image](https://gist.github.com/assets/31009750/dee02994-6901-4759-8efa-13383a4b9ba5) +![image](https://gist.github.com/assets/31009750/28c9eb37-f43c-4444-aecf-8c34a32b32cf) +![image](https://gist.github.com/assets/31009750/4508d18a-f7d0-47c4-a101-3bb28a1d9190) +![image](https://gist.github.com/assets/31009750/50f8b8c7-6296-4be7-8290-e4bcbc33aeac) +![image](https://gist.github.com/assets/31009750/406c79bd-c32d-4e6a-a9db-8882b0e4366f) + +## AWS config + +- An inventory management and control tool +- Allow to show configuration history +- Ability to create rules to make sure resources conform to your requirements +- Capable of receiving alerts via SNS +- Configured per Region +- Results can be aggregated across regions and AWS accounts + +![image](https://gist.github.com/assets/31009750/1e9f9e04-f320-4bf9-bfec-e44046b1a06a) + +![image](https://gist.github.com/assets/31009750/9ec989ee-47d8-4fb1-859d-4f39844f56c3) + +![image](https://gist.github.com/assets/31009750/73345dad-9d46-44d6-8a61-8824512aa81a) + +Examples + +![image](https://gist.github.com/assets/31009750/97ce2750-3366-4418-88d6-8612f79fd084) + +## AWS Directory Service + +- A fully managed version of Active Directory + +![image](https://gist.github.com/assets/31009750/8454b091-4766-496e-8de1-373a3929ba43) + +There 2 types: + +- Managed Microsoft AD +- AD Connector + +## AWS Cost Explorer + +![image](https://gist.github.com/assets/31009750/e0f99f2f-a60b-4944-90b0-d0335a9dc11f) + +## AWS Budgets + +- The best way to let users know they are getting close to overspending + +![image](https://gist.github.com/assets/31009750/ce32dcc2-8048-4681-b809-5feafdd74d64) + +## Optimize AWS CUR + +> Cost and Usage Report + +![image](https://gist.github.com/assets/31009750/bcf51104-1b18-4253-a17f-fe2b6615af29) + +## AWS Trusted Advisor + 
+![image](https://gist.github.com/assets/31009750/4789f89f-a6f2-493c-a648-0da9fc238bdb) + +## AWS Control Tower and GuardRails + +- Automated multi-account governance, guardrails, account orchestration + +![image](https://gist.github.com/assets/31009750/7f169cda-e705-4585-971a-94b961db3387) + +## Manage software license in AWS using AWS License Manager + +![image](https://gist.github.com/assets/31009750/f7e76ff0-2ac1-4e9e-8764-ec626c48273d) + +## AWS Health and Personal Health Dashboard + +![image](https://gist.github.com/assets/31009750/ac5d293a-ab83-48d0-9a7a-75d195bd5420) + +## AWS Service Catalog and AWS Proton + +### Catalog + +![image](https://gist.github.com/assets/31009750/ddf05823-f889-4614-bb20-6079b4ad4a64) + +### AWS Proton + +![image](https://gist.github.com/assets/31009750/5fb94f79-f00a-4d6d-97d1-f679f94ebb8e) + +## AWS Well Architected Framework + +![image](https://gist.github.com/assets/31009750/de394b33-e5c1-425f-bcdb-54b42edb04a2) diff --git a/content/post/aws-series-security.md b/content/post/aws-series-security.md new file mode 100644 index 00000000..8f6cc847 --- /dev/null +++ b/content/post/aws-series-security.md 
@@ -0,0 +1,264 @@ +--- +title: "Aws Series Security" +type: "post" +date: 2024-01-03T10:12:10+07:00 +description: "In this topic you will learn how to protect your infrastructure on AWS" +keywords: ["aws", "solution architecture", "aws solution architect associate"] +categories: ["systemdesign", "aws"] +tags: ["aws"] +image: "https://gist.github.com/assets/31009750/8e399333-fb60-4510-b61d-f0d253d560e7" +--- + +## DDos Attack + +### SYN Floods Attack + +> SYN Flood use TCP 3-Way Handshake to attack the servers + +> Some concepts + +- SYN(Synchronize Sequence Number) +- ACK(Acknowledgement) + +[TCP 3-Way Handshake Process](https://www.geeksforgeeks.org/tcp-3-way-handshake-process/) + +![image](https://gist.github.com/assets/31009750/8503776e-e14b-43e1-b53c-b87949dfb45a) +![image](https://gist.github.com/assets/31009750/8b3ec0c5-b515-4c44-8bb6-799d2e759b16) + +> How SYN floods attack work? + +- Uses the built-in patience of the TCP stacks to overwhelm a server by sending a large number of SYN packets and then ignoring the SYN-ACKs returned by the server. This causes the server to use up resources waiting for a set of amount time for the anticipated ACK that should come from a legitimate client. +- There are so many concurrent TCP connections that a web or application server can have open, so if an attacker sends enough SYN packets to a server, it can easily eat through the allowed number of TCP connections. + +### Amplification Attack + +- Amplicafication/Reflection attacks can include things such as NTP, SSDP, DNS, Chargen, SNMP attacks,... +- This is where an attacker may send a third-party server(such as an NTP server) a request using a spoofed IP address. Then the server will response to that request with a greater payload than the initial request(28-54 times larger than the request) to the spoofed IP address. 
+- Attackers can cordinate this use multiple NTP servers a second to send legitimate NTP traffic to the target + +![image](https://gist.github.com/assets/31009750/67fc1dcc-ae49-4ef8-ad14-3c3e3fb559bf) + +- [Example About Amplication Attack](https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/) + +### Layer 7 Attack + +- A typically layer 7 attack occurs when a web server receives flood of GET or POST requests, usually from a botnet or a large number of compromised computer. + +![image](https://gist.github.com/assets/31009750/77f21b0b-caec-4587-9b6c-7a9c0a4013d1) + +## CloudTrail + +You can identity which users and accounts called AWS, the source IP address from which the calls were made, and when the calls occurred. Basically, it logs all your API calls and store in S3. + +![image](https://gist.github.com/assets/31009750/2d334e9b-0a34-458b-93c3-034c445aa850) + +## AWS Shield + +- Free DDos Protection +- Protect all customers on ELB, CloudFront, Route53 +- Protect againts SYN/UDP floods, reflection attacks, and other Layer3/Layer4 attacks + +### AWS Shiled Advanced + +- Always on, flow-based monitoring +- 24/7 access to DDos response Team(DRT) to help and mitigate application-layer +- Protect your AWS bill against higher fees due to ELB, CloudFront, Route53 usage spikes during a DDos attack +- Costs 3,000 USD per month. + +![image](https://gist.github.com/assets/31009750/48e719e9-d9dc-4ad3-96ac-1cb50cc19b5c) + +> Shield Protection against Layer3/Layer4 attacks + +## Filtering Traffic with WAF + +> WAF: web application firewall to monitor: http/https requests that are forward to Amazon CloudFront or an Application Load Balancer. It also let you control access to your content. 
+ +- You can configure: ip addresses, query string parameters to be allowed +- It will return error 403 if the requests are not allowed +- Operate at Layer 7 + +WAFs allow you: + +- Allow/Block all requests except the ones you specify +- Count the requests that match properties you specify + +Conditions: + +- Ip addressess, +- Country +- Values in headers +- Presense of SQL code(SQL Injection) +- Presense of scripts(Cross Site Scripting) +- Strings that appear in requests(specific strings/regex) + +## Guard your network with GuardDuty + +- Threat Detection service that uses machine learning to continous monitor malicious behavior from: unusual API calls, calls from malicious ip, attempt to disable CloudTrail logging, unauthorized deployments +- Alerts appear in GuardDuty console and CloudWatch Events +- Receives feeds from third party Proofpoint, as well as AWS Security about known malicious domain or IP addresses, etc +- Monitor CloudTrail logs, VPC Flow logs, DNS logs +- Machine learning and anomaly detection +- 7days-14days to set baseline, once active you will find GuardDuty console, and in CloudWatch Events + +## AWS Firewall Manager + +- Security management service in a single pane of glass. 
Allow you to centrally set up and manage firewall rules across multiple AWS accounts and applications in AWS Organizations +- You can create WAF rules for your ALB, API Gateways, Amazon CloudFront, or Shield Protection for your ALB, Elastic IPs + +## Monitoring S3 Buckets wih Macie + +### Personal Identifiable Information + +- Personal Data used to establish an individual's identity +- This data could be exploited by criminals, used in identity theft and financial fraud +- Home address, email address, Social Security Number +- Passport number, driver license number + +> Macie uses machine learning and pattern matching to discover sensitive data in S3 + +- Alerts you about unencrypted buckets +- Alerts you about public buckets +- Alerts you about buckets shared with AWS accounts outside of those defined in your AWS Organizations. +- Great for frameworks like HIPAA and GDPR +- It looks for PI, PII and financial data + +### Security Operating system using Amazon Inspector + +- Used to perform vulnerability scans on both EC2 instances and VPCs: host assessments and network assessments. + +## Manage Encryption Keys with KMS and CloudHSM + +### KMS + +- KMS: key management service to create and control encryption key to encrypt your data. Integrated with EBS, S3, RDS. +- Centralized control +- Shared tenancy +- Automatic key rotation +- Automatic key generation + +### CMK + +- A customer master key(CMK) is a logical presentation or master key. Includes: metadata, description, key state. +- To start using KMS you start with request of creating a CMK. + +### HSM + +- A hardware security module is a physical computing device that safeguards and manage digital keys, perform encryption/decryption functions. +- A HSM contains one or more secure cryptoprocessor chips. 
+- Dedicated HSM +- Full control of users, groups, keys +- No automatic key rotation + +## Storing Your Secrets in Secret Mananger + +> A service that securely stores, encrypts, rotate your database credentials and other secrets + +- Encryption in transit and at-rest using KMS +- Automatically rotates credentials +- Apply fine-grained access control using IAM policies +- Costs money but is highly scalable +- Your appplication makes an API call to Secrets Manager to receive the secret programmatically + +> What can be stored: + +- RDS credentials +- Credentials for non-RDS databases +- Any other types of secrets: ssh keys, API keys + +> If you enable rotation, SM immediately rotates the secret once to test the configuration + +## Storing your secrets in Parameter Store + +- AWS Systems Manager to store configuration data: passwords, database strings, AMI IDs, license. Your values can be stored as plain text or encrypted data +- Parameter is free +- Limit number of params: 10,000 +- No Key Rotation + +## Temporately shared S3 object with presigned URLs + +- When you wanna share private files in your S3 buckets, thinks about presigned URLs + +## IAM Policy Documents + +### Amazon Resource Names(ARNs) + +- Uniquely Identify a resource in Amazon + +![image](https://gist.github.com/assets/31009750/c0273391-6c5c-493e-a5fd-d90665e4ebca) + +- IAM : global, so there is no region +- S3 : global namespace, so there is no region + +### IAM Policy + +- JSON document defines policies +- Identity policy +- Resource policy +- No effect until attached + +### Policy Document + +- A list of statements + +![image](https://gist.github.com/assets/31009750/210dfab7-b6f2-422d-8e50-d903142f75e7) + +![image](https://gist.github.com/assets/31009750/a9caf348-ca38-4735-b5fb-c6bf9aa829c6) + +- Not explicit allowed <==> Implicitly defined +- Explicit Deny > everything +- Only attached policies have effect +- AWS joins all applicable policies + +### Permission Boundaries + 
+![image](https://gist.github.com/assets/31009750/4407a4e5-bb2e-4039-bd08-70b686ffa479) + +## AWS Certificate Mananger + +- Allow to create,manage,deploy public or private SSL certificates +- Free SSL +- Automated Renewals and Deployment +- Easier to setup +- Supported services: ELB, CloudFront, API Gateway + +## Audit Manager + +- Continually audit your AWS usage to make sure you stay compliant with industry standards: PCI compliance, GDPR, ... +- Compliance with HIPAA, GDPR, continous auditing and automate auditing reports + +## Downloading Compliance Documents from AWS Artifact + +- Single source to get compliance-related information: compliance reports: HIPAA, GDPR, ... + +## Authentication Access with Cognito + +- Provide authentication, authorization, and user management for web and mobile apps in a single service without the need for custom code. It supports user login via SNS accounts(social network service account: google, facebook, apple) + +There main two components of Cognito: + +- User pools: directories of users that provide sign-up/sign-in options for your application users. +- Identity pools: allow you to give your users access to other AWS services + +![image](https://gist.github.com/assets/31009750/0bc74ab6-0f64-4762-b160-cb4a5996c77f) + +![image](https://gist.github.com/assets/31009750/745e20d8-9f12-425c-b6b7-2dc11e5d8342) + +## AWS Network Firewall + +- Physical firewall protected your VPCs +- Works with AWS Firewall Manager +- Filter Internet traffic with ACL +- Filter Outbound traffic: url/domain name, ipaddress +- Layer 4 Firewall + +## Other services + +### Amazon Detective + +- Triage Security Findings: resources, ip addresses, aws accounts +- Threat Hunting +- Analyze root course of event across multiple AWS services. 
+ +### Security Hub + +- Single place to view all your security alerts service: GuardDuty(Threat Detection service AI), Amazon Inspector(automate security assessments), Amazon Detective(Root cause detective) and AWS Firewall Manager across multiple AWS security services and accounts diff --git a/content/post/aws-series-serverless-computing.md b/content/post/aws-series-serverless-computing.md index 85b36f72..5d46f41c 100644 --- a/content/post/aws-series-serverless-computing.md +++ b/content/post/aws-series-serverless-computing.md 
@@ -39,3 +39,211 @@ image: "https://gist.github.com/assets/31009750/6ec743dc-da52-49ca-b3fa-b7d06ece ![image](https://gist.github.com/assets/31009750/49b202ec-4f9a-48a9-87fd-739efe2feb1d) ![image](https://gist.github.com/assets/31009750/e754c0d1-09f6-46ab-b5d3-74b6e49b29d4) + +## Serverless Application Repository + +- Serverless Apps: allow user to easily find, deploy, or even publish their own serverless applications. +- Ability to privately share applications within orgs or publicity for the world +- AWS SAM template: upload load your application code and a manifest file. +- Deeply integrated with AWS Lambda service. Appears with console. + +### SAM + +> Serverless Application Model + +```yml +AWSTemplateFormatVersion: 2010-09-09 +Transform: AWS::Serverless-2016-10-31 +Resources: + getAllItemsFunction: + Type: AWS::Serverless::Function + Properties: + Handler: src/get-all-items.getAllItemsHandler + Runtime: nodejs12.x + Events: + Api: + Type: HttpApi + Properties: + Path: / + Method: GET + Connectors: + MyConn: + Properties: + Destination: + Id: SampleTable + Permissions: + - Read + SampleTable: + Type: AWS::Serverless::SimpleTable +``` + +### Publish and Deploy + +#### Publish + +- Makes them available for others to find and deploy +- Define apps with AWS SAM template +- Set to private by default +- Must explicit share if desired + +#### Deploy + +- Find and deploy published applications +- Browse public apps without needing an AWS account +- Browse within AWS Lambda console +- Be careful of trusting all applications + +## Running container in Amazon ECS or Amazon EKS + +### Problems with Containers + +![image](https://gist.github.com/assets/31009750/de720c02-35c3-49ce-9ec3-847e89ff12ca) + +### ECS or EKS + +#### ECS + +- Proprietary AWS Specific container management solution +- Best use when you're all in on AWS +- You're looking for something simple to orchestrate containers + +#### EKS + +- AWS managed version of opensource Kubernetes container management 
solution +- Best used when you're all in on AWS +- Significantly more work to configure and integrate with AWS + +Both of them are greate for long running applications. + +### AWS Fargate + +- AWF Fargate is a serverless compute engine for docker containers +- AWS owns and manages the infrastructure +- Require use of ECS or EKS +- Support both Linux and Windows Container + +#### EC2 vs Fargate + +**EC2** + +- You are responsible for underlying operating system +- EC2 pricing model +- Long-running containers +- Multiple containers can share same host +- Capable of mouting EFS file systems for persistent, shared storage + +**Fargate** + +- No operating system access +- Pay based on resources allocated and time ran +- Short-running tasks +- Isolated environment per container +- Capable of mounting EFS file systems for persistent, shared storage + +#### Fargate vs Lambda + +**Fargate** + +- Select Fargate when you have more consistent workloads. +- Allow Docker use across the organization and a great level of control by developers + +**Lambda** + +- Great for unpredictable or inconsistent workloads +- Perfect for applications that can be expressed as a single function + +## Amazon EventBridge + +- Amazon EventBridge(formerly CloudWatch Events) is a serverless event bus +- It allows you to pass events from a source to an endpoint. It's the glue that holds your serverless application together + +### Main concepts + +- Events: a recorded changed in an AWS environment, SaaS partner, or one of your own configured applications/services. This also included scheduled events +- Rules: criteria used to match incoming events and send them to the appropriate targets. Based on either event patterns or schedules +- Event bus: A router that receives events and delivers them to targets(destinations). Every account has a default bus, and you can create other custom buses. + +#### Rule Triggers + +- Event Pattern: Define an event source and event pattern that trigger your rule. 
Eg: EC terminated. +- Scheduled: Set up a recurring schedule for trigger your rule. Eg: Rate-based(1hour), Cron-based(0 12 \* _ ? _) + +### Event Bridge Architecture + +![image](https://gist.github.com/assets/31009750/04f5d25a-2057-4acf-857c-8ad6dd780eda) + +## Amazon ECR + +> Amazon Elastic Container Registry + +- AWS-managed container image registry +- Private container image repositories with permissions via IAM +- Supported formats: OCI images, Docker images, OCI artifact +- Lifecycle policies: rules for expering and removing unused/older images +- Scan on push repository settings +- Sharing: Cross region, cross account, configured per repository and per region +- Cache rules: pull through cache rules allow for caching public repos privately +- Tags: prevent image tags from being overwritten, configured per repository this setting +- Integrations: your own container infrastructure, Amazon EC2, Amazon EKS clusters, Amazon Linux can be used locally + +## Amazon EKS Distro + +- Amazon EKS Distro(Amazon EKS-D) is Kubernetes distribution based on and used by Amazon EKS +- Amazon EKS is fully managed by you +- Where: anywhere +- Self-managed Kubernetes deployments + +## Amazon EKS, ECS anywhere outside AWS + +### EKS Anywhere + +- On-premises EKS : on-premises way to manage K8s clusters with same practice use EKS, based on EKS distro, full lifecycle management of multiple K8s clusters, required enterprise subscriptions + +### ECS anywhere + +- Management of container-based apps on-premises +- No need to install and operate local container orchestration software +- No ELB support for inbound traffic + +Requirements: + +- SSM Agent +- ECS Agent +- Docker +- Must register external instances as SSM Managed Instances +- Can install scripts using ECS console +- Execute scripts on-premises VMs or bare-metal servers +- Deploy containers using the EXTERNAL lauch type + +![image](https://gist.github.com/assets/31009750/4460ef27-ace9-40ba-8f06-115fcf499318) + +## Amazon Aurora 
Serverless + +- On-Demand and Auto-scaling +- Aurora Capacity Unit(ACUs): measurement on how your clusters scale +- Set a minimum and maximum ACUs for scaling requirements. v1 can be set 0, but from v2 only to minimum +- Allocated(quickly) by AWS-managed warm pools +- Each ACU: 2 Gib memory + matching CPU, networking capability +- Same data resiliency as Aurora provisioned: six copies of data across 3 AZs +- Multi-AZ deployments for establing highly available clusters + +![image](https://gist.github.com/assets/31009750/38efc98c-f1e1-49cd-8d61-40d09c83ad75) + +## X-Ray for Amazon App-Insight + +- App-Insight: insights about request/response +- Downstream: view calls to downstream AWS resources and other microservices/apis/databases +- Traces +- Multiple options:tracing headers, send tracedata, run X-Ray deamon +- header contain: X-Amzn-Trace-Id +- AWS X-Ray deamon, software listen UDP at port 2000. Collects raw segment data and sends it to AWS X-Ray API + +![image](https://gist.github.com/assets/31009750/56ff3d88-58ee-4999-aa65-a37ddc532e5c) + +## AWS Appsync for GraphQL Interfaces + +- Robust, scalable GraphQL interfaces for application developers +- Combine data from multiple resoures: DynamoDB, Lambda +- Easy interact via GraphQL +- GraphQL: data language that enables app to fetch data from servers +- Seamless integration with: React, ReactNative, IOS and Android
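Review bot: the heading `## System Manager` in aws-series-automation.md misnames the service; it is AWS Systems Manager, and the bullet under it should say "on-premises servers" rather than "on-premise architecture". The "Automation Benefit" list names Security as a benefit without saying why; one sentence tying it to the Consistency bullet (templated, repeatable provisioning leaves less room for drift and hand-made misconfiguration) would make the claim useful. Every image in this file, and the front-matter `image:` field, points at a gist.github.com user-asset URL with the alt text `image`; copying them into the site's own assets and giving descriptive alt text would keep the posts intact if those uploads disappear.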
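Review bot: the bullet `- Management Account: SCP do affect the management account like they do all member accounts.` in aws-series-governance.md states the opposite of how SCPs behave; SCPs never restrict principals in the management account, only member accounts. Rewrite it to "SCPs do not affect the management account, only member accounts" so the notes do not teach the wrong guardrail. Minor: `Service Controler Policies` should be `Service Control Policies`, `Organization Unit(ou)` should be `Organizational Unit (OU)`, `levelrage` should be `leverage`, and `temporately credentials` should be `temporary credentials`.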
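Review bot: the bullet `- Not explicit allowed <==> Implicitly defined` under Policy Document in aws-series-security.md should read "Not explicitly allowed => implicitly denied"; as written it drops the deny-by-default rule that the next bullet (`Explicit Deny > everything`) builds on. The AWS Network Firewall section contradicts itself: `- Physical firewall protected your VPCs` describes a managed service as hardware, and `- Layer 4 Firewall` sits beside `- Filter Outbound traffic: url/domain name`, which is Layer 7 inspection; say it is a managed, stateful firewall with both L3/L4 rules and domain filtering. The WAF section should list API Gateway as a protected endpoint, since the Firewall Manager section a few headings later names `API Gateways` as a WAF target. In the KMS section `logical presentation or master key` should be `logical representation of a master key`. Typos: `DDos` -> `DDoS`, `Shiled`, `Presense`, `Mananger`, `Temporately`, `appplication`.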
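Review bot: the SAM template in aws-series-serverless-computing.md declares `Runtime: nodejs12.x`, a runtime Lambda deprecated in 2023; new functions cannot be created with it, so readers copying the snippet will get a deployment error, and deprecated runtimes no longer receive security patches. Use a currently supported Node.js runtime. In Rule Triggers, `Cron-based(0 12 \* _ ? _)` has been mangled by Markdown escaping; put the expression in backticks as `cron(0 12 * * ? *)`, and `Eg: EC terminated` presumably means an EC2 instance being terminated. In Amazon EKS Distro, `- Amazon EKS is fully managed by you` contradicts EKS being the AWS-managed service; the bullet presumably refers to EKS-D, the self-managed distribution named in the bullets around it. The Deploy bullet `Be careful of trusting all applications` deserves one sentence of justification: an application from the public repository is third-party code deployed with whatever IAM permissions its SAM template requests, so the template should be reviewed before deploying.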