Welcome back to day four of the AWS Certified Solutions Architect Associate 2022 bootcamp. This is a completely free, full AWS course. So again, welcome back to the AWS Certified Solutions Architect Associate 2022 free boot camp from Go Cloud Careers. This is something we do at Go Cloud Architects and Go Cloud Careers to help you build your absolute best career. That's why we do these boot camps: we run them live and we run them free, because we really want to help you build your best career. We'll begin in a few minutes. First, for the people that celebrate it, happy Good Friday, everyone, and happy Easter for those people that celebrate Easter. Now, there are other Easters, so for the Greek people, who celebrate their Easter later, you know, happy Easter for that. And happy Passover, which begins tonight. Happy other holidays.

So I'm really excited to have you back here today. Today we are on day three of the AWS Certified Solutions Architect Associate course. If you can, start it out by saying you're here by typing "cloud hired", and also tell us where you're at. We love knowing that. Now, a couple of things that I want to let you know. Along with this course, we have a full set of labs for you to do. I focus more on the architectural considerations, how things work and why things work. But if you desire to be a cloud admin or a cloud engineer, you've got to get your hands dirty, so we've got a set of labs for you to do. Again, it's completely free. Download them; the link is in the description below. We've got a full lab course where we walk you through how to do these things. So get hired.

Now, I've got to tell you some other good news. We extended our sale until the end of the weekend. Here's why. I got about 30 emails this morning that said, "I really want this course, I watched all your people get cloud hired, but I can't do it for another day or two, can you extend it?" So I asked Chris on the back end, and he extended the coupon for a couple more days. So throughout the weekend you can still get our cloud architect class, you can pre-order our cloud engineering class, and you can get our interview training program if you're trying to interview, or if you're already working in tech and you want to move up the tech ranks, become an engineering manager, go from a regular architect to a distinguished architect, or move into management or leadership positions. We've got the Tech Interview Mastery program. So now's your time, 30% off. Let's get you all cloud hired, cloud promoted, and building the best career. We just want to help you all get cloud hired. So we extended the sale.

And I wanted to tell you, guess what, brand new news: we launched a brand new cloud engineering program. And this is where I get to get real geeky. We had some really incredible people help us put this program together. Since cloud architects are system designers, we've been getting people cloud hired every day as cloud architects, and we love it. But now we're going to train cloud engineers. Cloud engineers need a completely different set of skills: they'll have to know how to build things, they'll need to know how to code and configure, they'll need to be experts in Linux, and they'll need to know Terraform. And they're going to be experts on building their own cloud. So the cloud engineering program: if you want to be a cloud engineer, you're going to get cloud hired as a cloud engineer, and you're going to love it. You'll be ready on that first day of the job. Not just hired, but you'll be good, you'll be strong, and you'll be getting promoted through your career. And now we've got a cloud architect program for you and a cloud engineering program, and guess what, a cloud Linux engineer program is coming soon too. Here's why: everything is Linux; all the world's most important computers are on Linux. And we don't just teach Linux; we took somebody that used to work at Red Hat and hired them to teach Linux. That way we get the best. Now, the person that we hired to teach our Linux was someone that I coached many years ago, who went on to Red Hat, became an architect at Red Hat, and knows a million times more than I'll ever know about Linux. That's why we hired him. We've also got Terraform. So it's going to be really great: the cloud Linux engineer, cloud architect, and cloud engineer programs are all coming.

And today I'm very proud to announce that we've created a program for the military, a program to take people from the military and get them their first six-figure jobs in the civilian world. So it's a program that will address the military-to-civilian leadership changes and the needs of those of us that come from a tactical background, where we've had lots of stress in our lives; we address that. And we teach all the skills to get you hired, paid well, and promoted. There's no veteran that we feel should get less than a six-figure job upon leaving the military, and we've got a program to help you achieve just that, and we're real proud of it. So now you know what we are doing.

Now, today we're here for day four of the AWS Certified Solutions Architect Associate 2020 bootcamp, and we're excited. There's a companion ebook that goes along with this, a complete and total book that'll help you with this exam and also help with the AWS Certified Solutions Architect Professional once you've completed the AWS Certified Solutions Architect Associate 2022 program. And guess what? It's completely free, and the link is in the description below. So as you can see, all we do is try and help you get cloud hired. On Cloud Monday, we'll come back and answer any cloud architect career questions or cloud engineer questions you have. And then on Thursday next week we have our famous "how to get your first cloud job" webinar, which is completely free, to help you get cloud hired. So without further ado, we will get to the content.

So let's see who we've got over here in the room. I see we've got some people in Nigeria, California, New Zealand, Lovingness, Atlanta, California. Marla's over there. Lana, Marla's incredible. "The ebook is your best friend." Yes, I completely believe you. Tatta, my good friend from Cloud Heroes Africa, welcome here. I haven't spoken to Simone in a day or two, but I know you're part of that wonderful, wonderful community, and I love being part of that as well. So welcome, welcome, welcome. And if you're from the word friend group as well, we're thrilled to have you here as well. So today we're going to talk about getting cloud hired. I spent lots of time in Philadelphia, and I spent lots of time with Felix and Marla. I'm thrilled to see Mofaz over there in Nigeria; we've got to get you hired as well. And we've got to get Philomena hired in Georgia, and Kate Talley in Alabama. So yeah, fantastic, fantastic. Kevin's over there in Cameroon. We love people in Cameroon, we love people all over the world. We do a lot of work in Cameroon, and we love it. We do a lot of work in Nigeria too, and South Africa; we do a lot of work all over the world. So Angela, I get a load depending upon which country you're from. Happy everyone. Beto, one of my wonderful students over there in Houston, cloud hired. So we're super thrilled, we're super excited. We're going to get through the content today, and you know, we may have to go for some more tomorrow, because there's a lot of content to cover, but we're having fun. I hope I'm having fun, I hope you're having fun. Sony, we are super excited to be working with you, and we think you're going to have an incredible time. So I can't wait to work with you, I can't wait to see you in class. I love when people come to class and they're on Zoom, and I can look at them and we can talk; it really changes everything. So excited to work with you. LM, you're here, and you've got a friendly ghost with you. I love that. There used to be a cartoon when I was younger called Casper the Friendly Ghost.

So we're going to get back to the AWS Certified Solutions Architect Associate 2022 course,
which is a free, full AWS course. In this section we're going to talk about security. Now, please understand, we're talking about AWS security, because this is an AWS certification exam. Know that the way we do security in reality versus what we're teaching here may be very different. So when the time comes, I will actually go through the differences between certification training versus what you actually do in the real job, and you'll see the differences, because you need to know both. We'll talk about it. So under the security section, we're going to have a lot of fun. We're going to talk about a lot of stuff: we're going to talk about who's responsible for what part of your virtual private data center. We will talk about something called the principle of least privilege, which I like to call need to know. We'll talk about industry compliance. We'll talk about authentication, authorization and accounting. We'll talk about multiple account strategies. We'll talk about network ACLs, security groups, and basic cloud-native firewalls like the WAF; we'll probably tell you what you can do instead of the WAF for your customers when security matters. We'll talk about intrusion detection and prevention, DDoS attacks, service catalogs, and the Systems Manager Parameter Store. So we're going to get into a whole lot of AWS Certified Solutions Architect Associate content and AWS Certified Solutions Architect Professional content.

So the first thing that we're going to discuss is who is responsible. And let me tell you, this causes problems all over the world when it comes to cloud architecture and security. This shared security model may be the biggest cause of 50% of the problems. Here's why. With regard to your cloud providers, they all have a shared security model: you and the cloud provider share security responsibilities. And it's not necessarily the most cleanly defined thing. So the cloud provider, like AWS, will maintain the security of their cloud; you maintain the security of your virtual private data center. Now, if the cloud provider doesn't secure the cloud properly, here's what's going to happen: somebody's going to hack into the cloud, and they'll get into your virtual private data center. So keep that in the back of your mind. The cloud is always, always, always more risky than the data center, and here's why. In the data center we've got some attack vectors: internet, internal users, etc. We know what they are. On the cloud we have those identical attack vectors; none of them changed. They're the same internet, the same users, the same hackers; we deal with them both in the data center and in the cloud. But on the cloud, if the cloud provider gets hacked, we get hacked, and the cloud is a bigger, higher value target. Because if you hack AWS, you've got access to millions of customers. If you hack mycatcindy.com, guess what, you get access to my cat Cindy. So on the cloud we have more risk. Now, the cloud providers will tell you they're more secure because they have more modern infrastructure. But here's the key: you can lock down your data center far more securely than you can the cloud. And for organizations that need really deep security, some of them will do certain things in the data center because of it. But in this certification course we're teaching you how to do security on the cloud, and for certification purposes, and for business purposes, we're going to say that the cloud is essentially equally secure as the data center, because for the most part it is. But under the shared responsibility model, and here's where it gets challenging, the cloud provider manages the security of their cloud and you manage your VPC. But there's a lot of overlap, and it's kind of ugly. So keep that in the back of your mind.

So what does that mean? It means the cloud provider is securing their network, and you have no control over it. So if they don't do a good job, you're in trouble, versus in the data center, where you control it. But let's assume the cloud provider builds the perfect network. Let's assume they have the perfect routing, the perfect firewalls, the perfect intrusion detection and intrusion prevention systems, the best access lists and security groups; they've optimized their servers, they've hardened their systems. Let's pretend they're perfect and just make that assumption. Nobody's perfect, but there's that. And now you know the things we manage: we manage the users and the user accounts, we manage patching our operating systems, we manage the firewalls in and out of our systems, the IDS/IPS systems on our systems; we configure whatever AWS security options we can use, or we can go to the marketplace and get robust enterprise security options like Palo Alto or Cisco. And we also must manage the physical device that connects to the cloud. So here's the thing: if you've got a data center and it connects to the cloud over a wire or a direct connection like this, and somebody could just walk into your data center, guess what, they're in. So this morning somebody asked me, "Hey Mike, do you think I can go visit a data center and somebody will explain it?" I'm like, well, no, because once you're in the data center, you've just violated their security; they can't let you in. So it's kind of one of those things. So data centers need to be locked down and secure.

So what's it really look like? It's going to look like this.
In this particular situation, here's what you can see. The cloud provider, in this case AWS, manages their physical servers, their storage, their own physical databases, and their own networking. They're dealing with the hardware: the physical network cards, the GPUs, the CPUs, the RAM, the routers, the switches, and the fiber connections. That's the stuff that's there. They're managing the hardware, the physical load balancers; they're managing the regions, they're managing their data centers and availability zones, they're managing their content delivery network or edge locations, they're managing their other points of presence that come in for edge computing, such as Local Zones; they're managing all of that. But what are you managing? Well, that's where it gets tricky. You are managing the customer data. You're managing your firewall, your operating system tuning; you're managing the client-side encryption, you're managing the server-side encryption, the traffic protection. So you're basically managing the stuff in your virtual data center, and they're managing the physical data center. So for the most part, you have to maintain almost as much as you did before. So now you know the shared responsibility model: you're responsible for your VPC, or your virtual private data center, or whatever I want to call it; they are responsible for the physical infrastructure. So now you know. Make sure you do your part. And if you do your part and they do their part, we should all be in pretty good shape. Keep that in the back of your mind. Now we're
going to talk about the principle of least privilege. This is a very common security thing. It matters whether you're in the US, it matters whether you're in the UK, India, everywhere in the world. And guess what, it matters in the military too; the military calls it need to know, and I think that's a much more appropriate term. What does it mean? If you don't need access to the information, you don't have it. Why? If you don't have access to unnecessary information, you can't hurt the business. So need to know is the better term for the principle of least privilege. And what is it all about? It's about giving people access to only the information that they need to do the job and nothing more. And here's why. Let's say you give access to information, and then the person goes and works for your competitor; they can give critical information to your competitors about your intellectual property. So in organizations, the executives and the leadership know the most, and as people get less trusted, they learn less and less and less. So different people need access to different things. If you're in help desk, you might not need access to rich people's systems; you might just use good access. Likewise, a systems designer like me, or a cloud architect like me, doesn't necessarily need access to half of these systems. I need access to the executive telling me what they need. When I bring in my cloud engineering team to do a proof of concept, they're going to need the major access, and I'm going to get it for them when they need it. But once that's not needed, we're going to revoke it. So principle of least privilege, need to know: if you need access, you've got access; if you don't need access, that access is cut off. So the principle of least privilege, otherwise known as need to know. I use need to know; it works out much better. It's a military term, I understand it; it's kind of the same thing. So when you log into a Linux system, you don't log in as root, for that reason: you can break things. Not logging in as root is you protecting yourself from doing something silly. This is basically making sure that other people can't damage the integrity of our system. So give people only what they need. The second they don't need it, take it away, and you'll be in good shape.

So visually, what's it look like? The principle of least privilege is going to be used with something called authentication, authorization and accounting, and I'll talk much more about that later. But really, what it's based on is this: here we've got this blue person on the top, and they're an administrator. They need access, so they get access. They go through, they get authenticated and authorized to do whatever they need, good to go, and they're given the information. Now we've got this user that's requesting access to something they don't need: blocked. Why is it blocked? There's no reason to do this. So you will see this multiple times on your exam; they will call it the principle of least privilege, but I'm going to tell you it's need to know. And if you remember, if you don't need to know the information, don't give it to the person, you will be in good shape. So I like to keep things simple. Need to know means principle of least privilege.

So whenever we're dealing with tech and we're dealing with industries, there's always some kind of crazy regulation. Regulation is designed to make things cleaner, more legitimate, more efficient; whether it works or not, that's neither here nor there. But there are a lot of industry compliance standards. In medicine we have HIPAA, which is basically about who can learn what information about whom in healthcare. If you want to deal with the US government, there's something called FedRAMP. If you're dealing with payment cards, there's PCI DSS. If you're dealing with the International Standards Organization, we're dealing with things like the standards ISO 9001, 27001, 27017, 27018. Anyway, there's a list of the security industry compliance standards; there are GDPR regulations in Europe; there are a million of them. Here's the key. AWS, like most good cloud providers, supports the critical industry regulatory compliance, and guess what, so does Azure, so does Google, so do all your main players. So realize that if you're dealing with an environment that requires industry compliance, you can do it on the cloud providers, because they got themselves certified to do so.
Now, the next thing we're going to talk about is a term I absolutely hate. It's called Identity and Access Management. And what does that mean? Nothing to me. So I'm going to define identity and access management under what we used to call it, before we created fancy inflation in technical terms. We used to call it triple A, which meant Authentication, Authorization and Accounting, and identity and access management is 100% authentication, authorization and accounting. So what is it? Authentication: who are you? So let's see who's got a blue wrench that I can see from the chat box. Leo Parados has a blue wrench. So here's how it goes. Leo wants to enter the system. When he logged in today, Leo entered a username and password and identified himself as Leo. Because he was allowed in as Leo, he's logged in as Leo; he's got a blue wrench because he's got an account named Leo. Now then, when Leo goes to type something, like he did over there when he said "vote on next boot camp", which I'm very grateful for, when Leo goes to type something, is he allowed to type? That's referred to as authorization. And then afterwards, if I want to see what Leo did, here's what I can do: I can see the logs of what he did. So identity and access management is determining who you are, what you're allowed to do, and then keeping track of it. And that's all IAM, or identity and access management, is: who are you, what are you allowed to do, and then logging or keeping track of it. And once you think of it that way, you get rid of the silly terms like identity and access management, you'll understand it, you'll be successful. So if you're dealing with customers, you're dealing with executives, and you tell them "identity and access management", they're going to laugh. But if you say, look, we need something critical to determine who your users are, what they're allowed to do, and then keep track of what they've done, guess what, now you're talking something that executives understand. So if you're an architect, like a cloud architect, we recommend using the term authentication, authorization and accounting, and describe it to them: authentication, who are you? Authorization, what are you allowed to do? And accounting, what have you done? So, you know, learn it here now.

When we're dealing with these identity and access management, or AAA, things, everywhere there's the concept of users and roles. And here's the thing, and I'll give you a little bit different take on this. AWS calls a user a person: I'm a user, Chris is a user. Now, there's a concept of one system accessing another system. So let's say you've got a web server that needs to access a database. There needs to be something in between them. Traditionally, in the compute world, when you go from one system to another system, that's called a service account. If you were in the Google Cloud, it would be called a service account. And if you went to Red Hat Linux and you wanted one system to talk to another, it would be called a service account. But with AWS, in most cases, at least for the associate level, an IAM user is a person, like Abigail, or Lille, or Philomena, or Sharon, or at least those over there; I get them. Now, by comparison, a role is a system attaching to another system, for the most part. Now, there are cross-account roles and other things, but for the most part, an IAM user is a human, and an IAM role is a system accessing another system. And if you see a test question that says, "What is the equivalent of an IAM role in Google?", it's a service account, as it is for the rest of the world. So AWS made up the term IAM role. So if you've got an EC2 instance, or a virtual machine, accessing something, now you're talking about an IAM role, or a service account; I don't care what term you use.

So let's walk through it again. Authentication: the user signs in. Then guess what? I sign in with my username and password; my username is Mike, my password is Cindy. Obviously it's not; I wouldn't talk about it, and I would have no password with any variation of something like that. But let's just say my username is Mike and my password is Cindy. So I sign on with this. Now, I may have the system send me a message asking for a one-time password, which would be two-factor authentication. But we could just enter the name Mike and the password Cindy, which would be totally stupid, and we don't have any passwords like that anywhere. But let's do that. So then we've got a user that authenticates to the system with his username and password. And then guess what happens? The user tries to delete a file. And then we look: is the user allowed to delete a file or access that resource? If so, yes; if not, block.

So I like to put this in terms of people. So I'm going to pick somebody that I know. So Abigail comes to Florida with her cat Noni, and she comes to Florida and she wants to visit me. Now, I know Abigail; she's one of my students. She's a great blockchain engineer, a great blockchain architect, and her cloud architecture is great in many ways; so many good things to say about Abigail. So because I know Abigail and I trust Abigail, here's what I do. I say, Abigail, I want you to come to Palm Beach. When she gets to my house, she knocks on the door. I give her a handshake, my wife gives her a hug, and she gives her keys to the house and keys to my car, and my wife says, "Welcome Abigail, welcome Noni the cat. You're here. Here's Mike's Mercedes, you have the keys while you're here. Here's my Toyota, you have the keys while you're here. I bought all your favorite foods for the refrigerator; just keep track of things and lock the door when you leave." So in her case, I knew Abigail, so what did I do? I gave her effectively privileged access to everything. Now, 24 hours later, there's a knock on my door, and the knock is from somebody that says, "Mike, I want your cloud class," and I say, okay, I don't know who you are; how did you find me? And they say, "I saw you on the internet. I flew over here from Thailand last night, and I'm at your door, because I want to talk to you now." You know, I'd be so honored; I'd love to talk to this person. But I'm not giving this person the keys to my house. I'll say to the person, I'm so honored you're here. Now let's go out to lunch, I'll buy you lunch, and we can talk about your goals. And so why would I do that? Because I wouldn't give somebody that I don't know privileged entry to my home. So for that, I just wanted to make sure you understood it. So that's what we're talking about with the principle of least privilege, need to know: know who you're giving access to; you're giving access to what's appropriate for the person to be successful, and no more, no más, any way you want to say it, no more.

So now let's talk a little bit about IAM users. An IAM user is an identity, a person, who has the permission to interact with the resource, okay. Now, who creates this? Basically, you need administrative access. Anybody that uses the system is called a principal, and you need administrator access. Now, with administrator access, I can make an account for Child, make an account for Leo, make an account for Chris, make an account for Abigail, or whatever I need. Now, a user can be created: I can create a user account on the management console, of course, or the CLI, or I can push it via an API through the software development kit. Now, this is really important to remember: IAM users are permanent until you delete them. So you hire someone, they're a super user, they need to access everything, you give them access to everything, then they go to your competition; you cut that access off instantly, instantly. And in a good organization, the second they've determined that you're not working there anymore, or you've determined you're not working there anymore, within minutes all your system accounts are locked down; you can't leave the system with your access to your information. It's all locked, lock and more locks. So keep that in the back of your mind.

So let's talk a little bit more and give you a graphical interface. So here we've got a user that wants to access a virtual machine, some object storage, or your database. They log in with their user account; if they have permission, they get access, and if they don't have permission, they don't. That simple. That simple. That's simple.
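The authentication, authorization and accounting flow and the need-to-know idea described above, as an added example written for this page (it is not code from the bootcamp or its labs): a toy user store for authentication, an evaluator for IAM-style JSON policy documents with the explicit-deny-wins and default-deny rules that AWS applies, and an audit log for accounting. The usernames, the throwaway password from the talk, the two policies and the example-bucket resource names are all constructed for illustration and are not real AWS identities or ARNs.

```python
"""Toy authentication / authorization / accounting (AAA) flow with an
IAM-style JSON policy.  Added example, not from the bootcamp: the users,
passwords, policies and resource names below are all constructed for
illustration and are not real AWS identities or ARNs."""
import fnmatch
import hashlib
import hmac
import json
import os


# --- Authentication: who are you? ---------------------------------------
# Constructed user store.  Passwords are kept as salted SHA-256 hashes;
# "Cindy" is the throwaway demo password used in the talk.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def _make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt)}


USERS = {
    "mike": _make_user("Cindy"),   # administrator (constructed)
    "leo": _make_user("Cindy"),    # help-desk user (constructed)
}


def authenticate(username: str, password: str) -> bool:
    """Return True only if the username exists and the password matches."""
    record = USERS.get(username)
    if record is None:
        return False
    candidate = _hash_password(password, record["salt"])
    # constant-time comparison so a wrong guess does not leak timing info
    return hmac.compare_digest(candidate, record["hash"])


# --- Authorization: what are you allowed to do? -------------------------
# Constructed policies in the shape of an AWS IAM policy document.
# Need to know: the help-desk policy allows only reading one bucket;
# anything it does not mention falls through to the default deny.
POLICIES = {
    "mike": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"}
      ]}"""),
    "leo": json.loads("""{
      "Version": "2012-10-17",
      "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"}
      ]}"""),
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM-style "*" wildcards in Action and Resource
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def authorize(username: str, action: str, resource: str) -> bool:
    """IAM-style evaluation: explicit Deny wins, then Allow, else deny."""
    policy = POLICIES.get(username, {"Statement": []})
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False          # explicit deny short-circuits
            allowed = True
    return allowed                    # default deny if nothing matched


# --- Accounting: what did you do? ---------------------------------------
AUDIT_LOG: list = []


def request(username: str, password: str, action: str, resource: str) -> str:
    """Run the full AAA flow and record the outcome in the audit log."""
    if not authenticate(username, password):
        outcome = "AUTH_FAILED"
    elif authorize(username, action, resource):
        outcome = "ALLOWED"
    else:
        outcome = "DENIED"
    AUDIT_LOG.append({"user": username, "action": action,
                      "resource": resource, "outcome": outcome})
    return outcome


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/chart.pdf"
    print(request("mike", "Cindy", "s3:DeleteObject", obj))   # ALLOWED
    print(request("leo", "Cindy", "s3:GetObject", obj))       # ALLOWED
    print(request("leo", "Cindy", "s3:DeleteObject", obj))    # DENIED
    print(request("leo", "wrong", "s3:GetObject", obj))       # AUTH_FAILED
    print(json.dumps(AUDIT_LOG, indent=2))
```

The help-desk user gets the same login step as the administrator; the difference is entirely in the policy, and the audit log records denied and failed attempts as well as allowed ones, which is what lets you see afterwards what someone tried to do.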
So we're gonna get into some Iam user concepts next. And it's going to be some cool and some
fun stuff. But let me do this. We've gone for about 20 minutes, because of about 20
minutes or so. Then what do you call it? Let's ask some questions. So seal is the principle
of least privilege and exam question. I would assume it would be until proven otherwise.
But more importantly, it's a critical thing for your job. Question, any, what's your advice
for temporary allowing a team to use root in order to get the project work started,
never do that. And then tune to control. So I'm going to give my users access to whatever
they need, I'm not going to give anybody root I'm going to give administrator privileges
which are slightly different than root. Or maybe power user privileges. And we'll talk
about that. But a power user can do everything other than create Iam accounts. So generally
speaking, I don't use root for anything. And the root of your account should never be given
to anyone, anywhere, anytime, because they can completely delete your account. And you
could have an organization that's got everything on a cloud, and somebody with root account
can literally take the whole thing down. So it's never recommended to log into root. There's
times where you have to superuser root and Red Hat. But if I still do sudo minus, I still
would do a sudo instead of a superuser whenever possible. And never never never give root
access to anybody other than you if you're the owner of the account.
Liz Nan should you know the compliance regulations? Well, no. But when you work with it, you do
so for example, I design healthcare architectures. I know the HIPAA requirements. Why? Because
it's critical to my world. Now HIPAA talks about who can access what information so HIPAA
says that if some provider has a business relationship with another provider, then they
can talk to each other. Now what does that mean? It means that if I'm dealing with my
patient from an internal medicine perspective, and I want to send my patient to a cardiologist
for a cardiology consult, I can send that patient to the cardiologist, I send my chart
to the cardiologist. And the cardiologist will see the patient, evaluate the patient
then sent me a letter, Michael Gibbs, thank you for the opportunity to consult on your
patient. Your patient, Jeff, is a really nice man. Upon evaluation, Jeff had EKG changes
and lead to most specifically, he had a q wave, which is indicative of a previous heart
attack. Now that cardiologist sends me back that letter, he's allowed to because he and
I are involved in my patients care. Now, if that cardiologist said, says to his wife,
Hey, I saw an interesting case today and shows that patient chart, well that cardiologist
gets sued loses their medical license and is done. Because the cardiologist is allowed
to share it with me, because I'm involved in the patient's care, but they can't share
it with anybody outside of the patient's care. Now, if they send the patient for cardiac
rehab, again, they can send it to that person because guess what, they will need to know
that information. So that's what that meant. You only need to know that when you're working
on individual architectures, you will need another standards to make sure they're compliant.
Differences between a user and a principal we're gonna get into that in a minute. See,
so where are the accounts stored? Now, here's the thing.
It's always going to be in a database-like structure, stored in the AWS environment,
and they won't tell you what their back end is. So what do people really
do? Nobody uses AWS IAM, nobody uses Azure IAM; they use Active Directory for their enterprise.
And they federate their Active Directory into the AWS or the Azure IAM, or the Google IAM.
So most likely, you'll be setting up an Active Directory server in your enterprise.
There's typically an Active Directory server that's responsible for the domain, the users
and the users' permissions. And then the cloud would just connect to that. Otherwise, it'd
be crazy. We'd be manually entering usernames and passwords all day long. Another one:
so you won't have a problem with that and then crashing; go to the next one. Will I
be discussing policies? Yes, JSON files, I'll briefly talk about it. But I'm not a software
engineer. So I don't write JSON policies. I'm an architect, not an engineer. So Brian,
I don't make JSON or anything. But the cloud engineers do need to know how to do this.
Is there a way to integrate on-premise Active Directory? Yes, absolutely.
It's called AD Connector. And it's what 99% of all organizations do. Absolutely. You connect
with SAML 2.0, and they typically cover it on the professional exam; we'll probably touch
upon it here a little bit as well. Good question. Okay, so we'll get back to the content. But
before we do if you can give me all our hashtag cloud hired, because everything we do is about
getting people caught hired, we hope you're enjoying day four of the AWS Certified Solutions
Architect Associate, full free AWS course. So while we're going through the course, and
we're having lots of great time, remember, there's a free book to download. The link
is in the description below. And if you give me a call hired in the cloud architect, I'll
be all kinds of happy. Oh, actually, while we're at it, you know,
I'm really bad about asking for this, because I don't know how to be master YouTube. But
I truly do. If you're enjoying our content, if you could leave a like, if you can subscribe,
if you're not a member, tell others about our channel, we want to get the world cloud
hired. And we'd love some of your help in getting the world to know about what we do.
So please like comment and share helps us with the algorithms and things like
that. So let's talk about some key IAM concepts now. Now we're going to talk about a principal
versus a user, so I totally get it here. A principal is an IAM entity that has access
to resources in the cloud. So anybody or anything: it can be a root user, an IAM user or a role.
So the person that owns the account, anybody that can use it as access, or a system accessing
another system. So let's talk about the root users. So if Tom Orpheus is there, vasilias
is what the root user is; the Greek people know that, and for the non-Greek people, think of the
root user as a king, or the queen, when we're dealing with
the root user. This is when we first create the account. This is the El Primo user.
This is the king, the queen and everywhere in between. Root has access to everything.
And you can't lock it down. So if root access wants to delete your entire cloud systems,
guess what, they can do it. So do not use your root user unless you need to. Take your root
user credentials, pop them on something like an encrypted thing, stick them in a safe,
put the safe in another safe, get three armed Navy SEALs outside to protect those root users
like your life depends on it. Never, never, never, ever give it up. That's how strongly you've
got to protect it. So don't use it for daily things. Now, the passwords on your root account,
they're not going to be like Cindy the cat, they're going to be like one 742
equals 69432, hashtag bang bang bang, dollar sign dollar sign, greater-than sign, and so on.
That's what the password for this is. And once you get past a password like that,
you should have multi-factor authentication on this. And definitely don't use it as a
service account to connect one system to another system. This is that critical: lock it down like
your life depends on it. Because guess what, if you're designing a system for a hospital,
people will die. If the root user gets out and somebody damages the system, people will
die. So protect the root user like somebody's life depends on it, because in some industries,
they will. And that's why we have to be really serious with our architectures. Imagine somebody
breaks into a hospital, and they change two milligrams of IV morphine for a chest pain
patient to 20 milligrams of IV morphine; that patient is going to stop breathing in five
minutes, versus having their pain relief. So when we're dealing with mission-critical systems,
military systems, healthcare systems, it's a matter of life and death; when we're dealing
with banking, a matter of minutes of downtime can be billions of dollars. So in
these highly important environments, security matters. And it's critical to get it right.
So now you know about the principal versus a user and the root user. So here's the way I
see it. Here's your root user. The vasilias or the vasilissa in Greek, the king
or the queen, the king, queen, anywhere in between, I don't care what you choose,
but that's the key: this person is in charge. And that's why they're wearing the crown.
And they can do anything they want. So use it when you need it. Keep it locked up the
rest of the time. Now a little bit more about IAM, identity and access management, which
I like to call authentication, authorization and accounting, and then I understand what it
is. I'm not big on complicated terms. I'm big on practicality, as are your executives, so
your identity and access management will determine who can access the system and what they're allowed
to do. So you've got a couple of ways you could do this. So here's the ridiculous way.
I got a user for challenge a challenge independent user, I make a user for Leo, I make user for
credits and make use it for Mike I make a user for Cindy the cat. I make a user for
Abigail's cat named noni, beautiful, beautiful, beautiful cat. And if you guys ever want a
cat calendar, let me know in the chatbox head cat calendar, and I'll get you some beautiful
cat photos. But that's neither here to there. And we're just sort of having fun with it.
But if you want to count calendar, but cat calendar in the chatbox, I got some cat friends
that are professional photographers that What have they got calendar, so gotta keep that
in the back of your mind. So you got two ways you do it. So I could go to this group right
now. And I could if I wanted to, I could create a username and account for Sharon j, then
a different one for Carl and a different one for medicine, and a different one for bebida.
And a different one for Philomena and a different one for Robert and different one for say gun
and Edie over there in Cameroon. I give him another one and Philomena over there in Atlanta,
I give her something else you see this would be a disaster, a total disaster. And yet,
I think we need to make a cat calendar actually. So there is neither here nor there. But that's
something going on. But when it comes from an identity and access management, you can
create a user, or what could I do? I could create a user group called Blue Wrenches.
And I could give the Blue Wrenches a set of permissions, and Leo, and Abigail and Chow
and Chris and me, we would all have the same permissions, because we're all Blue Wrenches.
Wow, that's so simple. Create a Blue Wrench group and just add the users to it. And that's
what people do. So what typically happens is you create a user group for your finance
team. Then you create a user group for your accounting team and you create a user group
for your HR. Then you create a user group for your programmers, you create a user group
for your network engineers, you create a new user group for Cloud Architect, the new user
group here cloud engineers because they all need access to different things. And that
way, you're doing this because imagine a company with 200,000 users going, like, here we go:
Mikey gets this, Jesse gets this, he gets this, Noni gets this. I mean, it's ridiculous.
Now the reality is, what you're gonna do is you're gonna be setting this all up in Microsoft
Active Directory and federating it to AWS, but no matter what, understand, just like in Active
Directory, just like in RADIUS servers, we have the concept of users and groups. You
could, if you wanted to, literally make a policy for every single person, to make a difference.
Or you can make a policy for a job or role, and it's called role-based access control.
So finance gets access to this account and gets access to this, and it's the simplest, simplest,
simplest thing to do. And letting you know, that's what 99% of organizations do, because
they're not crazy, and they need to make it as simple as possible. So let's look a little
bit more the way this works. So how does it work? Well, you create a group, give permission
to that group, and then you just add the user. So: group, Blue Wrench; permissions, type in
the Blue Wrench chat box, delete inappropriate comments made by bots that are showing inappropriate
things. And then I add the users to the group, and my Blue Wrenches are doing a great job.
So love my Blue Wrenches out there. And super, super appreciative and grateful for all the
awesome Blue Wrenches that we have. But now you know why. So let's get a little deeper.
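The group-based setup described above, as an added example that is not code from the course or from AWS: a small Python model of users, groups and IAM-style JSON policy documents, evaluated with IAM's own decision order (a matching explicit Deny always wins, otherwise some Allow must match, otherwise the request is implicitly denied). The group names, user names, actions and resource ARNs are constructed sample data, and `add_user_to_group` is the whole onboarding step for a new hire, which is the point of putting the policies on the group rather than the person.

```python
"""Group-based (role-based) access control, evaluated the way IAM decides.

Added example, not code from the course or from AWS. Policies are written in
the IAM JSON policy document format; evaluation follows IAM's order for
identity-based policies: explicit Deny > Allow > implicit Deny.
All names and ARNs below are constructed sample data.
"""
import fnmatch
import json

# Constructed policy documents, stored as JSON just as they would be in IAM.
POLICIES = {
    "FinanceReportsRead": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::finance-reports",
                         "arn:aws:s3:::finance-reports/*"],
        }],
    }),
    "CloudEngineerAccess": json.dumps({
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:*",
             "Resource": "arn:aws:s3:::finance-reports/*"},
        ],
    }),
    "NoDeletes": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                       "Resource": "*"}],
    }),
}

# Groups carry the policies; users only carry group membership.
GROUPS = {
    "finance": ["FinanceReportsRead", "NoDeletes"],
    "cloud-engineers": ["CloudEngineerAccess", "NoDeletes"],
}
USERS = {"leo": ["finance"], "abigail": ["cloud-engineers"], "cindy": []}


def add_user_to_group(user, group):
    """Onboarding: no per-user policy, just a group membership."""
    USERS.setdefault(user, []).append(group)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, fold=False):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # Action names are case-insensitive in IAM (fold=True); resource ARNs are not.
    if fold:
        value = value.lower()
        patterns = [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(user, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request.

    Simplification: only Effect/Action/Resource are handled (no NotAction,
    Condition elements, or resource-based policies).
    """
    decision = "ImplicitDeny"
    for group in USERS.get(user, []):
        for name in GROUPS[group]:
            for stmt in json.loads(POLICIES[name])["Statement"]:
                if not (_matches(stmt["Action"], action, fold=True)
                        and _matches(stmt["Resource"], resource)):
                    continue
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"   # a matching Deny always wins
                decision = "Allow"          # keep scanning in case a Deny follows
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::finance-reports/q1.csv"
    for who, act in [("leo", "s3:GetObject"), ("leo", "s3:DeleteObject"),
                     ("abigail", "s3:DeleteObject"), ("cindy", "s3:GetObject")]:
        print(who, act, "->", evaluate(who, act, obj))
```

Note that the engineer in `cloud-engineers` is allowed `s3:*` on the bucket and still cannot delete: the group-level `NoDeletes` statement wins over the broader Allow, which is exactly the guard rail you get for free by attaching policies to groups instead of to 200,000 individual users.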
So if an IAM user is a human, and a role in AWS is a system, until we start getting
into federation or things where things are complicated, we have to remember that roles
are different. Now, there's going to be a couple of kinds of roles. There's going to
be a service role, which is how you connect one system to another, your application server
to DynamoDB, or an SQS queue; that's a service role. A cross-account role is: hi, I'm Go
Cloud Careers, and we've just found another company and we love them, and I have access
to their system, we give them some access to our system; that's a cross-account role.
And the next thing that becomes relevant is identity federation. So here, we've got my AWS
cloud, and I am an enterprise. In my data center, I've got a beautiful Active Directory
server with all 200,000 employees. So I just connect my AWS account to my Active Directory
server, and AWS inherits all those great things from my Active Directory server, and all of
my IAM is done. Or better yet, you can connect to an identity provider, connect to Google,
log in with your Gmail account, for example: single sign-on. So once we get into that,
we're talking about roles. So IAM users are people, like me, like Cindy
the cat, like Noni the cat, like Abigail. But a role would be when my server connects
to another server, or if I log into my Active Directory server and then it comes back;
it's also considered a role, not a user, at that point. So keep that in the back of your mind,
and IAM roles really enhance security. Because here's the thing: if you've got a server,
and you've got another server, and they need to talk to each other, what people used to
do was put a username and password on the server. Okay,
so let's think about this. Got an application server with a password to the database server;
you hack into the application server, you've got what you need to hack into the database server.
No good, no good, no good. So we don't want to do that. So by doing this, by using
a role, we don't need to store credentials on the server. So what happens is the AWS service
is providing a temporary token. So system one wants to do something. So it goes and
gets a token; the token is a one-time password that's effective for a period of time, and
it can access the next system. And by doing that, good security, and tokens expire. So
got a token on this server connecting to this server, they're all happy. You hack into this
server, the token expires 15 minutes later; what can you do in the server? Only 15 minutes,
nothing longer. So that's why we're doing roles. So a role can be used for a system
to access another system. A role can also be assumed by an application. So you've got
an application and you do something; it assumes a role and then connects to another system.
Now when we're dealing with IAM roles versus users, we're using short-term credentials, and IAM
roles leverage the AWS Security Token Service, otherwise known as STS. And these are temporary
credentials. And the default time to expire is 16 minutes. But you can set it all the
way down to 15 minutes, or up to 36 hours. So think about this. You've got a token that's good
for 15 minutes; somebody gets access to the token, the maximum time they can hurt
you is 15 minutes. If they get access to the token at 14 minutes, and the token resets
in one more minute, they have access for one minute now. If you change it to 36 hours,
now somebody compromises your system on minute one of the 36 hours, they've got 35 more hours
of damage they can do to you. So look at it this way. The more frequent the tokens, the
less scalability, but the more security; the less frequent the tokens, the greater the
scalability and the lower security. So the more often you do it, the less scalability,
the greater security. So it's up to you; these are architecture things, and the architects
need to decide based upon the business requirements. Let's talk more about IAM roles. And
while we're discussing IAM roles, let's have a little bit of fun with it. When discussing
IAM roles, they're typically used to grant permissions for applications running on virtual machines,
like an EC2 instance. IAM roles are used by people when connecting to external systems.
IAM roles are pretty much used to grant permissions to an IAM user in the same account as the
role, for example, and they're also used to grant permissions to IAM users in different accounts.
Now, you know a lot about roles. Let's talk about the AWS Security Token Service. So the
AWS Security Token Service is really designed to provide trusted users with one time security
credential. So you know, one time passwords, things that expire. And you can specify the
expiration level, as I mentioned, between 15 minutes and 36 hours, but the default is
one hour. So what happens is, once these credentials expire, that's it, they're no longer recognized.
And that's what we love them. So temporary credentials are dynamic, and they're going
to be generated every time you make a request. So let's briefly talk about cross-account
roles. Now cross-account roles are roles that enable you access into another AWS account.
So Mike's cat Cindy has an account, Abigail's cat Noni has an account, and they've both got little
websites of the cats doing all kinds of cool cat stuff. So now that we know that those
are what we're dealing with, in these particular situations, Noni and Cindy, so, you know,
if Cindy wants to access Noni's thing, Cindy's gonna need a cross-account role to get into
Noni's virtual private cloud. And if Noni wants to get into Cindy's thing, she needs
a cross-account role that's got access to the permissions that she needs to be able
to do her job. So you can set up access to an account
that you don't know, for example. Here are some best practices when dealing with cross-account
roles. Connecting to other organizations, well okay, that gets pretty scary. So, you know,
as soon as you've got connectivity, your connectivity should limit access to things
by who has access to what routes and what resources; systems should be firewalled off,
etc., as appropriate. But also, we just need to lock our systems down, because if
Noni the cat wants to get into Cindy the cat's system, maybe Noni the cat's got
some mischievous ideas; maybe she wants to steal Cindy's food, or Cindy's rat or mouse,
or Cindy's birds or things. So, you know, Cindy wants to invite her friend Noni into
the house. And there's that. Actually, you know, Chris right now has got a cat named
Sunny, who's also a beautiful cat. So, you know, now we're gonna give access to Chris's
cat, Sunny, to the VPC; we've got another cross-account role. But see, Sunny the
cat doesn't like other cats. So Sunny the cat, who's the most beautiful Maine Coon
orange cat you've ever seen in your life, gets access to different permissions than Noni the
cat. And that way, everybody's happy. So whether you're dealing with cats, whether you're dealing
with people, or you're dealing with companies, it's the same issue: give access to what you
need, and nothing, nothing, nothing, nothing else. So let's look at some more cross-account
role examples over here. So I can show you what it looks like if I can find this part
of my computer screen bear with me a little bit. Got too many windows open too many monitors
on my screen. So in this particular environment, here you can see we've got a company A, B,
and C. And the cross account roles are being able to get into a single account and access
information and things like that. And that's really why we love cross account roles because
they enable you to connect to other systems that are already on the cloud, like in a VPC
peering environment. So let's talk a little bit more about how it works over here. Basically,
you create a role for the external user. Now the external user, like Noni the cat, connects
to the Token Service, the Security Token Service, and gets the token. And then when Noni the
cat wants to get into Cindy the cat's VPC, she provides her token, and Cindy the cat
says, welcome Noni, now let's share our cat kibble together. And then the same thing happens
with Sunny the cat. But that's what we're doing. We're creating accounts across systems
that enable systems to talk to other systems. So now let's talk about service accounts
or service roles. So normally speaking, an IAM role to connect to another system, I
would call a service account. Because I typically don't use AWS's manufactured marketing
made-up terms; I typically use the industry terms, and the industry has called it
a service account for as many decades as I can remember. So I call it a service account.
But you know, what is a service account? It's when you have access to one thing. So that's
all we're talking about with an EC2 service role: from there, we will need an EC2
role or an EC2 service role. For example, if we want an EC2 instance, like a virtual
machine, to post a message in an SQS queue, if we want to access something in an S3 bucket,
if we want to access one of the AWS relational databases instead of creating our own database
system, we are going to need an AWS service role. And here's what it looks
like. We've got our system over here, in blue, our virtual machine, an EC2 instance.
And it wants to connect to this proprietary, awesome NoSQL database, DynamoDB. So what
happens? The system has an EC2 role; it goes to the Security Token Service, the Security
Token Service gives it a token, and then EC2 provides that token and gets access to
DynamoDB. And it can write its things down. Okay, now we're gonna get into the concept
of identity federations. And that stuff gets pretty, pretty ugly. But we need to cover
it. It's very important. So let's do this. Let's open it up for about five minutes of
questions. Since I know we haven't gone on that long. Let's try to answer some questions
and make sure that everybody's solid. Before we go on to the next question. I've been able
to see what's been coming in in the chat box. Okay, so a federated user is different than
an IAM user. Technically speaking, an IAM user is somebody in AWS. So here's what happens.
I could, if I desired, create all my user accounts in AWS. I could do that. But then I've got
to do it here. By comparison, if I connected my AWS environment to an Active
Directory server that has all of us, for whatever reason, AWS says, if you authenticate to Active
Directory and you come back, it becomes a role. So a federated user is not exactly the
same as an IAM user. The difference is, an IAM user is internal to the AWS internal
management system. And what we're dealing with here, which is connecting
to an identity provider, it becomes a role and not a user, because it's external. So
it's more like the cross-account role, even though it's not exactly a cross-account role,
because of those reasons. But the reality is, they do the same thing. So I could set
up a user group called Cloud heroes, Africa, which is a group that I'm very passionate
about. And I know you're a part of, and I work with, as well as my team, Chris Fernando,
and so many wonderful people that you see on this call. So you know, there's that and
we could do that. And I could connect Cloud Heroes Africa, which is a group of
people that I know and love so much, directly to my Active Directory server that
would have all my users. And what could happen too is you could connect to my Active Directory
server, and then I could authenticate you for your own Cloud Heroes Africa program
if I chose to. And that's what federated IAM is: a federated domain is reaching out to
an identity provider, Instagram, Google, Facebook, LinkedIn, or an Active Directory server. Great
question there. So, does AWS use Microsoft AD
for IAM? AWS is their own company. So they make their own proprietary thing. Now for their
internal users, I'm sure they're using a directory for their employees, most likely. Now I will
say this: most enterprises use Microsoft AD and not the AWS function for it; they actually
federate to it. Nearly all of them are going to use single sign-on. So for the most part,
I don't know, or have ever worked with, anybody that would use AWS IAM, and here's the reason
why. They're going to all federate with Active Directory. Who would use AWS IAM? My cat Cindy.
She's making a website, and she's only got a few people. Who will use AWS IAM?
Somebody that's got a small number of employees, nothing to worry about. Who uses Active Directory?
Everybody, every enterprise. And why do they do it? Because it's easy to manage. So it's
all about choosing the right tool for the right use case. Good question here. Philomena:
how do you keep each user or group accountable? Okay, so Philomena, tomorrow I would like
you to go to Coronado Island and walk onto a Navy SEAL base where they're doing training,
drive up to that front gate. And when you get there you'll see a bunch of Marines or SEALs with
machine guns, and you're not getting into that camp. So IAM does the same thing. Who
are you? Okay, you are Philomena. Now you're gonna go try and log into the server; you're
not allowed to, you're just gonna be blocked and denied. So it's kind of the same way as
if you tried to walk into a private party, and there were security guards at the door;
you walk in the door and they take you out that door. That's exactly what's going to happen.
You're going to try and log into something, and you're going to not only not be let in,
you may have an alarm go off, and they may even send security, depending upon how tight
it is. Does this federation imply inheritance of credential information from one system to another for
authentication, effectively? Yes, exactly. That's the whole point. You've got your Active Directory
on the server. This is Cindy the cat can access this, and Cindy the cat's allowed
access to that, based upon the information in the Active Directory server. Exactly, Liz,
and fantastic. Let's see, another question: how is the scalability affected by the token lifetime, the time
to live? Well, think about it this way. If you're sending a token every two minutes,
you're placing work on the systems; if you're replacing tokens every two days or every day
and a half, it's less work. So always, the more frequent the updates, the lower the scalability;
the less frequent the updates, the more scalability. The more frequent the updates, the more dynamic
the environment is; the less frequent the updates, the more stable it is. It's up to
you, based upon the business needs. Same question. Jonathan: tokens don't create any
lag, so it's not relevant at all. If the token expires between the tests, the
system is not allowed on, because the token will be rejected. So that's what happens if
a hacker gets access to the token. And that's why we're using these tokens, because once
that token has expired, it is worthless. That's the whole reason. All users are technically
principals in AWS, but the principal user, or most effective user, is the
root user. Okay, so good news. We got through that, because now we got to get into some
ugliness. But before we do that, please vote on the next bootcamp. Do you want it to be
a Google professional cloud architect? Or do you want an AWS? Or do you want an Azure
Solution Architect course, I don't care. They're all the same cloud one cloud to work on them
all. I just want you all happy. So you know, kind of do that.
And also, before we go back to this, you can give me a hashtag cloud hired and a hashtag
cloud architect. You know, for me, it's why I wake up. It's why I live, why I breathe,
why I sleep: to get you all cloud hired. So you can give me a cloud hired, cloud
architect in the chat box, I'd be all kinds of happy. And if you want me to talk about
Azure, we'll talk about Azure. I love Azure, you I'm gonna talk about Google. We'll talk
about Google. I love Google. We're cloud architects, we work on all clouds. I just want to get
in cloud hired as a cloud architect, cloud engineer. And actually, instead of just doing
cloud architecture, if you want to be a cloud engineer, type hashtag cloud engineer, you
want to an architect, take passionate cloud architect, you want to be a Linux engineer,
talk hashtag Linux engineer. Let us know the goal of your dreams and we're gonna get you
there. We know your career will get you there. Get you caught hard cook mode. So vote on
our news boot camp, give me some of these things that make me happy if you don't mind
liking, commenting, subscribing, telling others telling friends. That's why we do what we
do. So we just want to get you to your goals. However we do that is totally fine. I don't
care. I just want you all cloud hired. So let's get back to the content over here. So
now we're getting into some deep deep, deep weeds here for a few minutes and we're going
to talk about identity federations. Apologies, it's a little ugly, but it's great stuff.
So identity federations allow management of identities in a single place, aka Microsoft
Active Directory, beautiful system. What are the key components of an identity federation?
Let me tell you right now. An identity, or a user; so a user, and an identity store where
you store your identities, like Microsoft AD or Facebook, etc. Next, an identity broker;
we need an identity broker. What's that? That's going to be an application that's going to
check the identity store and provide temporary tokens. So what do we need? A user, an identity
store where the information is stored, and a broker that's going to do the checking. So
now you know. Now here, this is the ugliest workflow, but I'm going to talk you through
it just so you know. Step one,
the user is going to log into the identity broker using their corporate credentials. What
will then happen is the identity provider is going to authenticate the user against
an LDAP-based identity store, for example. And then what will happen is your identity
provider is going to generate a SAML (Security Assertion Markup Language) token, the 2.0
version is what we're talking about, and it's gonna have all the required information, and it's
going to submit this security assertion to the identity broker. And then
what'll happen is the identity broker is next going to make a call
to AssumeRoleWithSAML, and it's going to basically use the Security Token Service API.
And it's going to push the SAML assertion and the role ARN (Amazon Resource Name). And then
what's going to happen is, assuming everything works, the API responds, and if successful,
AWS is going to provide the temporary token and credentials. And then when the temporary
credentials are there, the client will perform the operation and access. So it's really an
ugly process where the user's got to log into the identity broker, the identity provider
then authenticates that, then a token is there. It sounds kind of complicated, but that's
exactly what you're doing. So next, with regards to these federations, you know, why are we
using them? Well, it's really just about enhancing scalability, because do you really think that
a company with 300,000 users can enter a username, password, and permissions
for everybody? Of course not, it'd be insane. So we're doing this to increase scalability.
And what's going on is establishing a trust relationship between our AWS account and the
identity provider. And realistically speaking, we've got two ways we can connect to the identity
provider: we can use something called OpenID Connect or SAML 2.0, which is what
we're going to use, now making things complicated. Now, who are these identity providers that
we can connect to? Google's one, Amazon's another big one, Facebook's one, Twitter's
one, LinkedIn. And we're just pulling the information off of that.
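The AssumeRoleWithSAML workflow just described, together with the earlier point about STS credential lifetimes and the exposure window a leaked token gives an attacker, as one added example (not code from the course, from AWS or from any SAML library). A toy identity provider signs an assertion (HMAC here; real SAML 2.0 uses XML signatures), a toy token service stands in for STS: it verifies the assertion, checks that the asserted directory group is trusted for the requested role, and mints temporary credentials whose lifetime is clamped to the 15 minute to 36 hour range the lecture quotes, defaulting to one hour. The resource then honours the credential only until it expires. The signing keys, role ARNs, group names and timestamps are all constructed sample values.

```python
"""Federated sign-in with short-lived credentials, step by step.

Added example, not code from the course, AWS or any SAML library. A toy IdP
signs an assertion (HMAC; real SAML uses XML signatures) and a toy token
service plays STS AssumeRoleWithSAML. Lifetimes use the figures quoted in the
lecture. Keys, ARNs, group names and timestamps are constructed values.
"""
import hashlib
import hmac
import json
import secrets

MIN_SECONDS = 15 * 60        # shortest lifetime the lecture quotes
MAX_SECONDS = 36 * 3600      # longest lifetime the lecture quotes
DEFAULT_SECONDS = 3600       # default: one hour

# Assumption: this IdP key was exchanged when the trust relationship was set up.
IDP_KEY = b"constructed-idp-signing-key"

# Constructed trust mapping: which directory group may assume which role.
ROLE_FOR_GROUP = {
    "cloud-engineers": "arn:aws:iam::123456789012:role/CloudEngineer",
    "finance": "arn:aws:iam::123456789012:role/FinanceReadOnly",
}


def _sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def idp_issue_assertion(user, group, now, validity=300):
    """Steps 1-3: after the corporate login (assumed already checked), the IdP
    emits a signed assertion with a short validity window of its own."""
    body = json.dumps({"sub": user, "group": group, "iat": now,
                       "exp": now + validity}, sort_keys=True)
    return {"body": body, "sig": _sign(IDP_KEY, body.encode())}


class TokenService:
    """Stand-in for STS: issues and later verifies temporary credentials."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # only this service can mint tokens

    def assume_role_with_saml(self, assertion, role_arn, now,
                              duration=DEFAULT_SECONDS):
        """Steps 4-5: broker submits assertion + role ARN, gets credentials back."""
        body = assertion["body"]
        if not hmac.compare_digest(_sign(IDP_KEY, body.encode()), assertion["sig"]):
            raise PermissionError("assertion signature invalid")
        claims = json.loads(body)
        if now >= claims["exp"]:
            raise PermissionError("assertion expired")
        if ROLE_FOR_GROUP.get(claims["group"]) != role_arn:
            raise PermissionError("group not trusted for this role")
        duration = max(MIN_SECONDS, min(MAX_SECONDS, duration))   # clamp lifetime
        cred = {"access_key": "ASIA" + secrets.token_hex(8).upper(),
                "role": role_arn, "sub": claims["sub"], "exp": now + duration}
        cred["token"] = _sign(self._key, json.dumps(cred, sort_keys=True).encode())
        return cred

    def verify(self, cred, now):
        """Step 6: the resource accepts the credential only if it is untampered
        and not yet expired. No revocation list is needed; time does the job."""
        unsigned = {k: v for k, v in cred.items() if k != "token"}
        expected = _sign(self._key, json.dumps(unsigned, sort_keys=True).encode())
        if not hmac.compare_digest(expected, cred["token"]):
            return False
        return now < cred["exp"]


def exposure_window(cred, leak_time):
    """Seconds an attacker who obtains the credential at leak_time can use it."""
    return max(0, cred["exp"] - leak_time)
```

The `exposure_window` helper is the lecture's arithmetic made explicit: a credential leaked at minute 14 of a 15-minute session is worth one minute, one leaked at minute one of a 36-hour session is worth 35 hours. One caveat for the real service: the bounds depend on which STS call you make. Role sessions from the AssumeRole family run from 15 minutes up to the role's configured maximum session duration (at most 12 hours), while the 36-hour ceiling applies to GetSessionToken credentials for an IAM user.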
So let's try to give you a little bit more on
this. AWS IAM functions are connected based upon the identity provider. And that's what
we're doing. Users are going to request authentication; that will be passed from AWS to the identity
provider, the identity provider will provide the right information, and the users will get
access. Now you understand, and this is going to be the way you're gonna deal with it for 90%
of all global enterprises. Now, as we're dealing with all these identities and sign ons, you
know, we're starting to deal with users and user complexity. So in a really secure environment,
I worked in one, you log into one system, a minute later, you log into another system,
a minute later, you log into another system, a minute later, you log into another system.
And I remember on some days logging into 20 different systems to be able to do my job.
Now, I want you to think about that. If I have to remember 20 different passwords every
single day of the week. And I'm not allowed to use a password called Cindy like a cat.
And my passwords are all 18 characters. They include special characters, numbers, letters,
etc. That's what's reality in today's world 30 character passwords with crazy numbers.
So if I'm dealing with that, how do I remember my 20 password? I don't you know what I do?
I take sticky notes with passwords, and I put them on my desk so I can see them and
remind myself and everybody that passes my desk, you know what they do? They have access
to all my username and password. So because of this, because of the high security environment,
it goes so cuckoo, that we teach our people to create ways to break through our security.
That's what we're typically doing. So, you know, kind of keep that in the back of your
mind. So what's the solution to this? Well, single sign on. If we come up with a single
sign on solution, guess what? Our users won't be so angry at us, they're not going to do
crazy things to work around our system. So single sign in is an honor as an authentication
method lets you authenticate once and then be authenticated to multiple systems at the
same time. So AWS as a single sign on service that allows you to sign on one place and access
your resources everywhere. Single Sign On is usually used in a federated environment.
Single Sign On is beautiful. It's going to integrate with Microsoft Active Directory
as your Active Directory, Salesforce or other main directory services, and enables your
users to authenticate to the identity provider and then they don't need any more logins to
get anything else. And that we're super, super excited about. So when the user signs in,
they're authenticated against an identity provider, their group will be determined the
privileges will be an I love federated Access Map identity federation single sign on. For
those reasons, it keeps your user from doing crazy things to get past your crazy security.
So, basically speaking, we've got our nice on premise Active Directory server, which
we federate or connect to the AWS service. And now we log on to our Active Directory
server, we access our object storage bucket, S3, or our proprietary NoSQL database, DynamoDB,
should we be using it, or our virtual machines, otherwise known as our EC2 instances, and that's
gonna work and it's gonna be perfect. Now understand, a lot of the stuff that we're
covering now is more for the Certified Solution Architect Professional. But here's the thing.
It's information you need to know for your job. So we will never deliver courses based
upon delivering the minimum for certification. Everything we do is based upon giving you
skills that are marketable, valuable skills. Understand I'm going a little deeper than
you need to know here. From an architecture perspective, let's talk about another way
to do identity federation, and we're talking about Amazon Cognito.
Here, what is Amazon Cognito? It's going to be a service that's going to provide authentication,
authorization and user management for web and mobile apps. Okay, it's a means to connect
your apps to identity providers, and Cognito enables organizations to synchronize their
identity management and data across multiple devices, which we love. So you know,
we're kind of in one of these positions. So with Cognito, users can sign in directly with a
username and password, or with a third party identity, such as Facebook or Google. How's it gonna
work? You've got a user, they authenticate against the Cognito app, then they get a token,
and they use the token for access to the AWS resources. Nothing overly complicated. So
it's gonna look something like this. Got your user, they authenticate to the system,
they get tokens, and the token gives them a one time password. So it's super secure. So
when we're dealing with single sign on, we're dealing with one time passwords, their
tokens. So if anybody compromises the password, guess
what? It doesn't matter, because they can't use it again. So that's how we're making the
single sign on and federation things work intelligently. So when we're dealing with
Cognito, we're dealing with the concept of user pools and identity pools. Here's a user
pool. It's a secure directory within Cognito that enables you to manage your users. That's
all it is. And upon successful authentication with Cognito, a set of temporary tokens,
typically JSON Web Tokens, is issued. Now we'll also talk about identity federation with
Amazon Cognito identity pools. Amazon Cognito identity pools provide temporary AWS
credentials. Cognito identity pools work with authenticated and unauthenticated users; we
can deal with guests or authenticated users. Now how does this Cognito user pool flow
work? Well, it's kind of ugly, just like anything else. So we'll describe it in its ugliness.
We got the user, they log into the identity provider. You log in and guess what, you get
authenticated, and you get a session key for the user. Then the user basically uses the
session key. And what's going to happen is the application will call an API,
most specifically the Amazon Cognito GetId API, to get an identifier
for the user. Cognito will validate the session key from the identity
provider, and if the session key is valid, the GetId API will return an identifier
back to the user. The user will send that unique identity back to Cognito, Cognito will
validate their session token against the identity provider, and if it is valid, they'll
get a token, an STS token. And then Cognito returns the token to the application, and the
application or the user can access services. So that's how Cognito works.
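Here is an added example, not from the bootcamp and not AWS's own code, of the checks an application should run on the JSON Web Token a Cognito user pool hands back before it trusts the session: signature first, then expiry, issuer, audience and token_use. Real Cognito tokens are signed with RS256 and verified against the user pool's published JWKS; to keep this runnable offline with only the Python standard library, the demo signs with HS256 and a shared secret, which is an assumption for the demo only. The issuer URL and app client id are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders (not a real user pool or app client).
# Cognito issuers have the form https://cognito-idp.<region>.amazonaws.com/<user pool id>.
DEMO_ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"
DEMO_AUDIENCE = "example-app-client-id"
DEMO_SECRET = b"demo-hs256-shared-secret"   # stands in for Cognito's RS256 key pair


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWT (header.payload.signature); HS256 for the demo only."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes = DEMO_SECRET,
                      issuer: str = DEMO_ISSUER, audience: str = DEMO_AUDIENCE,
                      now=None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError.

    Order matters: the algorithm is pinned and the signature is verified before
    any claim is trusted, so a client-supplied header cannot downgrade the
    check (for example "alg": "none").
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")            # temporary: it stops working
    if claims.get("iss") != issuer:
        raise ValueError("issued by another user pool")
    if claims.get("aud") != audience:
        raise ValueError("issued to another app client")
    if claims.get("token_use") != "id":
        raise ValueError("not an id token")          # access tokens carry token_use=access
    return claims


if __name__ == "__main__":
    tok = mint_token({"sub": "user-123", "iss": DEMO_ISSUER, "aud": DEMO_AUDIENCE,
                      "token_use": "id", "exp": time.time() + 3600})
    print("valid token for subject:", validate_id_token(tok)["sub"])
```

The expiry check is the point the talk makes about temporary credentials: a stolen token is only useful until exp, and the relying party enforces that on every request rather than trusting the session forever.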
Let's briefly talk about the AWS Directory Service. Now, normally, I said we use Windows
Active Directory servers, right? Well, if you don't have your own directory service,
AWS gives you the option to basically make a directory service. Now guess what? Here's
how you could do this. You could just set up a virtual machine and make it your own
Active Directory server, or you can use AWS Directory Service. And what do you think AWS
Directory Service is? Nothing more than high availability Windows Active Directory servers
that are fully managed for you. So in either case, you're still using Active Directory.
This is more akin to Azure AD, where you're getting Active Directory servers that are part
of Azure. Well, the AWS Directory Service is Microsoft Active Directory servers hosted by
AWS on the AWS cloud. So if organizations have Microsoft dependent workloads and need
Microsoft authentication, they have the AWS Directory
Service. Okay, so now when it comes to authentication, you know, we've got a couple of options. So
how do you want to log in? Well, there's a couple of ways and each way has its strengths
and weaknesses. Let's talk about the least secure way: username and password. Username
cat, password Cindy, clearly not optimal. So there's very few things that I have in
life that only have a password, and if they do, they're going to be like 60 characters long.
Because that's the only way you can do it in today's world. So username, password, login,
you get a password, but no, that's not the greatest. Now, what if you wanted to get a little better?
Well, we can use an access key. An access key is a combination of a 20 character key
ID and a 40 character secret. Wow. That's going to be used to connect to the
API. That's secure, because you've got 60 characters. Now, when it really matters, you can actually
use an access key and a session token. Loving this. Here's what goes on here. When IAM
authentication needs to occur under an assumed role, a token can be provided, and
the token is given alongside the access key. So now you've got your 20 character key ID
and your 40 character secret, and you add a token at the same time. Now nobody's breaking
you that easily. So this is what we love. So now you know those we can use for authentication.
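As an added example (not from the bootcamp, and not AWS's SDK code), this shows how the 20 character key ID, the 40 character secret and an optional session token are actually used on an API call: the secret is never transmitted, it only derives a per-day signing key that signs the request (AWS Signature Version 4), and a session token from an assumed role rides along in the x-amz-security-token header and is itself signed. The key ID and secret are AWS's documented placeholder values, not live credentials; the session token is a constructed placeholder, and the query string is assumed to be already canonical (sorted and URL-encoded).

```python
import datetime
import hashlib
import hmac

# Constructed credentials: AWS's documented placeholder key pair, not live keys.
DEMO_KEY_ID = "AKIAIOSFODNN7EXAMPLE"                       # 20 characters
DEMO_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"   # 40 characters
DEMO_SESSION_TOKEN = "FwoGZXIvYXdzEXAMPLESESSIONTOKEN"      # constructed placeholder
DEMO_WHEN = datetime.datetime(2012, 2, 15, 0, 0, 0)         # fixed clock for the demo


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def derive_signing_key(secret: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the long-lived secret is only ever used as an HMAC key."""
    k_date = _hmac(("AWS4" + secret).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method, host, path, canonical_query, headers, body: bytes,
                 key_id, secret, region, service, when: datetime.datetime,
                 session_token=None) -> dict:
    """Return the request headers with a SigV4 Authorization header added.

    The secret never appears in the output; only a signature derived from it does.
    """
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    hdrs = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    if session_token:                       # temporary credentials from STS carry a token
        hdrs["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(hdrs))
    canonical_headers = "".join(f"{k}:{hdrs[k]}\n" for k in sorted(hdrs))
    canonical_request = "\n".join([method, path, canonical_query, canonical_headers,
                                   signed_headers, hashlib.sha256(body).hexdigest()])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(derive_signing_key(secret, date_stamp, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    hdrs["authorization"] = (f"AWS4-HMAC-SHA256 Credential={key_id}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


if __name__ == "__main__":
    signed = sign_request("GET", "iam.amazonaws.com", "/", "Action=ListUsers&Version=2010-05-08",
                          {"Content-Type": "application/x-www-form-urlencoded; charset=utf-8"},
                          b"", DEMO_KEY_ID, DEMO_SECRET, "us-east-1", "iam", DEMO_WHEN,
                          DEMO_SESSION_TOKEN)
    for name, value in signed.items():
        print(f"{name}: {value}")
```

Because the date, region and service are folded into the signing key, a leaked signature is only good for that day, that endpoint and that exact request; that is the property the talk is pointing at when it says the extra token means nobody is breaking you that easily.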
Let's talk authorization. Authorization is what are you allowed to do? Let's go back to
the cat and the people. Abigail comes to my house, she knocks on my door, I give
her keys to the house and the car and say go wherever you want. She's authorized. Chris
comes to my house, I do the same thing. Leo comes to my house, I do the same thing. Now
Joey knocks on my front door, but I don't know who Joey is, so I say you stay there. Identify
yourself. As I look through the window: provide an identification. Hold on Joey, while
I do a criminal background check on you. Oh wait, your criminal background check
came up positive, you're not allowed in, go away. Or you have one and then I'll remediate
you, I don't care, whatever the case is. That's authorization. So what's going to happen is,
we're going to write an identity and access management policy. And I'm not going to say
we will; we will come up with the architecture as security architects, and the cloud engineers
or your security people will be writing this policy. And they're going to be writing the
policy in JavaScript Object Notation, JSON, format. So you want to see what
it's gonna look like? I'll show you. Basically speaking, you're going to create a policy,
and there's going to be an effect, which is basically, do you want to allow it or deny it.
And then you're gonna have to tell it what you are allowing or denying, which is the service.
And then you're going to identify the resource by the Amazon Resource Name, the ARN, which
are these ugly names like arn:aws:... if you've got something, so that's what
you're dealing with. And then in there, there's going to be an action: what do you want to
happen? And of course, you can add some conditional attributes, if you desire. So think about
it this way. What are you allowed to do, what service you're giving access to, with the
exact resources. That gets you pretty darn granular. It goes back to the same thing, authorization.
I want to go to S3, guess what, I'm allowed. Now I want to go to the management console.
Nope, not allowed, block block block. Why? Because I don't have the need to go there.
I am not authorized. So it's like showing up at a military base without the identification,
you're not getting in. So let's talk a little bit about creating
some IAM policies. And then we'll take a break for some questions. So with regards to creation
of policies, there's a couple of ways you can do it. What is a policy? It's just who
does what. So there's a few ways you can do this. Well, you can take a managed policy
from AWS, which I love, or you can make your own. So let's now think about this. AWS does
have some extremely well made ones. Jose Castillo says Microsoft with Active Directory. And
these are common use cases: an administrator and a power user. And generally speaking, what's
the difference between a power user and an administrator? Administrators can create user
accounts. And generally power users can do everything other than that. So keep that in mind.
So that'll be an example. So when you're dealing with AWS, there'll be managed policies, a policy
for this role, this role, this role, this role, this role and this role. And you know
what? These are good policies for the average enterprise, just like all cloud services are
for the average enterprise. So if you need one, you can take an AWS
managed policy, and I'm going to tell you in like 95% of use cases, it's going to be
perfect. But what if it's not? What if it's not perfect,
or if you want to do something different? Guess what? No big deal. So good. Let's look
at this. So here's what we then do. So we can create our own.
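To make the Effect, Action, Resource and Condition pieces concrete, here is an added example, not from the bootcamp and not AWS's policy engine, of a customer managed policy in the JSON shape described above, together with a small evaluator that applies the rule IAM uses: an explicit Deny beats any Allow, and a request with no matching Allow is implicitly denied. Only the StringEquals, StringNotEquals, IpAddress and NotIpAddress condition operators are modelled, and the bucket name and office CIDR are constructed placeholders.

```python
import fnmatch
import ipaddress

# Constructed sample policy: bucket name and CIDR (RFC 5737 TEST-NET-3) are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Effect + Action + Resource: read one reporting bucket and its objects
            "Sid": "ReadReports",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"],
        },
        {   # Condition: explicit Deny for any S3 call that is not from the office range
            "Sid": "OfficeOnly",
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
        },
    ],
}

SUPPORTED_OPERATORS = ("StringEquals", "StringNotEquals", "IpAddress", "NotIpAddress")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _ip_in(addr, cidrs):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in _as_list(cidrs))


def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context (a dict of keys)."""
    for op, pairs in condition.items():
        if op not in SUPPORTED_OPERATORS:
            raise ValueError(f"operator {op} is not modelled in this example")
        negated = op in ("StringNotEquals", "NotIpAddress")
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if have is None:
                if negated:          # IAM: a missing key satisfies a negated operator
                    continue
                return False         # ...but fails a positive one
            matched = have in _as_list(wanted) if op.startswith("String") else _ip_in(have, wanted)
            if matched == negated:   # positive op needs a match, negated op needs none
                return False
    return True


def evaluate(policy, action, resource, ctx=None):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st["Resource"])):
            continue
        if "Condition" in st and not _condition_holds(st["Condition"], ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"            # an explicit Deny ends the evaluation
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    for src in ("203.0.113.7", "198.51.100.9"):
        print(src, evaluate(SAMPLE_POLICY, "s3:GetObject",
                            "arn:aws:s3:::example-reports/q1.csv", {"aws:SourceIp": src}))
```

The last test case below is the edge case worth remembering when you write your own policies: if the request context has no aws:SourceIp at all, NotIpAddress is satisfied, so the Deny fires. That is why negated operators in a Deny are a stronger fence than positive operators in an Allow.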
We could write our own policy any way we want, if we need something custom. So let's talk
a little more about IAM policies. We can get standalone policies created by AWS, permissions
for most use cases, designed by people that know how to do it. Common use cases, based
on job role. They have basically two major identifiers: administrators who can do anything, and power
users who can do anything but don't get access to IAM or Organizations. That's just one. But
we can make it whatever we want, if we need something different. We can use a managed policy,
and there's a couple ways to do it. We can sign into the IAM console with administrator
privileges, and in the navigation pane choose the managed policy to use, and that's
it. How about a customer managed policy? Well, we got to create our own. So how do
you do this? Well, a couple of ways. We can take one of those AWS managed policies, we
can tweak it, and now let's add our own. So we can copy one and start. And if you're not
a great JSON programmer, this is what I recommend you do. Or there's the policy generator, and
I'll show you what the policy generator looks like in a second. You can go to this page
called the policy generator, and for the most part, it's going to ask you a bunch of questions,
what kind of policy is this, and it's going to automate something for you. And you know,
it's basically going to work. Or you can create one from scratch. What do you mean, create
one from scratch? If you've got good JSON programming skills, and you know the proper
grammar and syntax, just make it yourself. And you know, if that's your key, create it
yourself: tell it what you want to allow or deny, and what resources and what
conditions, and you'll be done with it. And that's totally, totally appropriate. But you've
got to have some coding skills to do that. So keep that in the back of your mind. So
we get through the IAM stuff, and then when we're done with that, we're actually
going to talk about security, which I'm looking forward to, because I don't consider IAM security;
it's another career. So now you know what we're talking about here. We can create our own, obviously;
they look something like that. How else can we further secure stuff? Multi factor authentication.
So I go out there to Abigail. She comes over to my house with her cat, a beautiful cat that
looks a lot like my cat. They'd be great friends. She's knocking on the door,
right? And I'm not home. So what if, for example, I've got a security camera, and the security
camera sends her a challenge? You look like Abigail, but I'm not sure. Could you provide
your temporary authentication token? And then up it goes, she gives the temporary authentication
token. And guess what? The door opens up automatically for her. Cindy the cat comes in, rubs over
to her feet, says hello. Cindy the cat then walks the other cat to her tuna bowl and
her shrimp bowl and her scallop bowl, and the two of them have a party together. Multi factor
authentication. Let's face it, multi factor authentication is really critical in
today's world. You sign on to the management console, you get a challenge, which is a one
time password, you provide the one time password, Bob's your uncle, you get access to the system
and everything is just beautiful, beautiful, beautiful. So we've spent an hour and 20 minutes
on what's most likely the ugliest content in the entire week. So woohoo, we kind of
covered that. Let's ask some questions. Let's make sure everybody's up, and then we're gonna
get through the fun stuff. Seem, although SSO alleviates the need to use
multiple names, doesn't it become easier for a hacker with one credential? Well, it would
seem so, but what's going on here is we're going to be using temporary credentials that
are going to expire. And that's how we're going to get to the same level of security.
And here's the dirty little secret of security. When you make security too complicated,
your users find ways to create backdoors. And I gotta tell you, in my 25 year career,
I have seen more passwords on sticky notes on people's desktops. I have seen people that
have gone to extremes to violate the security when it's too tight. So it's about using the right
security, that is minimally intrusive to the user, that provides the maximum protection.
That's the key to the architecture, to make it work. Cognito is generally
used for mobile devices? Great question. Absolutely. Multifactor authentication can
be compromised. Look, here's the thing. Identity and Access Management is not primary security.
It's your last line of defense. Your primary security is covered by your IDS, IPS, your
firewalls, your IDS/IPS systems, your access lists, your security groups, your host based
firewalls, your endpoint protection. That's your security. Multi factor authentication,
by the time we're using it, it's too late. I'm already knocking on your door here, I'm
here to attack you. That's what IAM is. All the other stuff that I'm talking about keeps
people from getting to the door in the first place. So the key is, you know, we want
real security; IAM is just a small component of security. Now,
this is so critical that I will tell you there are hacks every single day on the AWS cloud.
And most of them are related to misconfigured S3 buckets. Now, I know some people in Israel
that find a new vulnerability in how they can hack into AWS or Azure every day of the
week. They can, but 16% of all cloud hacking attempts that occur are due to misconfigured
S3 buckets, and that's the biggest problem we're dealing with. Christian, go to the
next one. Danica, thanks so much, you clicked the like button so many times the
like button doesn't have a thumb anymore. Thank you so much. And while we're at it,
if any of you are here and you're having a good time, if you can like, comment or subscribe,
it signals the algorithms that we're doing this good work to help other people in the
world, and it will show this free training to more people so they can build their best
career. So please get us some likes, comments and shares, make a post about it, tell your
friends. It's all free. We just want to help people. And thank you so much, Danica. Are
there default policies defined? Well, you determine what you're going to assign
to every user. You determine that, and if you don't, anything that happens automatically
or by default is never good enough for anything, so you'd make those determinations.
Christian, go to the next one. You're more than welcome to
CNN. Thank you so much for participating. Okay,
Well, now we get out of that IAM ugly stuff and we get into some security stuff. And maybe
if you guys desire, we'll teach you how to put it together at the end of the class.
So the next thing we're going to talk about, which is one of my favorite things in the
world, are firewalls. What is a firewall? So when it comes to enterprise security, or security
in general, there's a lot of tools that we can use. But the firewall keeps unwanted traffic
out of our systems. I like to view a firewall as, let's say we had a castle, and we
had a 100 metre wall around the castle. And it's just a big giant wall that makes it hard
to get over. That's the firewall. Here's what firewalls do. They allow our outbound traffic
out to the internet, they allow the return traffic in, and they block all other traffic. So
firewalls are used for perimeter protection. They filter traffic, they are stateful, and
they watch what's going on. By the way, modern firewalls, real firewalls, the kind that you
should be using in your architectures, the kinds that are designed by, what do you call it,
Cisco, Palo Alto and Fortinet, those firewalls are adaptive in nature. Let's say
you've got this firewall, which is the equivalent of a 300 foot wall around
your building. And let's say on top of this 300 foot wall, you took some British SAS commandos,
and you took some Navy SEALs, and you took some Israeli commandos, and you stuck them
on top of that 300 foot wall and gave them sniper rifles. That's the equivalent of an
intrusion detection, intrusion prevention system. And modern firewalls will do that. They'll
block all the attacks, and if an attack happens, it's like having a bunch of SEALs on top of
the firewall to stop the attack in real time by resetting TCP connections, etc. That
is a next generation firewall. And that is what you should be using to secure your systems.
Okay, now we're going to talk about the AWS firewall, which doesn't do any of that good
stuff. But it's the one that's on your certification exam. So we will tell you this for the certification
exam. And then before we end the day, we will teach you how to secure your systems the right
way, the way your customers will expect. But this is a certification course; we've got
to teach you some of the certification things. So the thing that we're going to talk about
next is AWS WAF, which is a web application firewall that monitors for common web
exploits. And basically, it monitors HTTP and HTTPS requests, and that's it. And it looks
for exploits. And you can put it on a CloudFront distribution, an API Gateway
REST API and a load balancer. And basically, what happens is WAF will block connections at
the edge locations before they get on your network. And it can control access
to content that users specify. But remember, this is an AWS proprietary managed firewall,
which means if you're going to go multi cloud, you don't want to use this, because you're
gonna want the same firewall policies on multiple clouds. So this is something that we need
to talk about. WAF is the AWS cloud native firewall on the AWS environment. If you are
protecting my cat Cindy's website, this is a beautiful, beautiful service. If you're
dealing with global enterprise customers, they will expect a firewall from the marketplace:
a Palo Alto one, a Cisco one, a Fortinet one, a Check Point one, something major and industrial
grade. So kind of keep that in the back of your mind. But while we're talking about WAF, how does
it work? Basically, you enable it on the application resource, you create a policy: filter this
versus this, filter this. The WAF will analyze the traffic based upon the policy, and only
permitted traffic gets through. And if a new attack occurs, guess what, you create some new rules
to stop it. And it can integrate with CloudWatch to give you some system information. But remember,
this is an AWS firewall, and enterprises typically use more robust solutions. So here's what
it would look like with AWS, assuming you're using their stuff: you basically
put your WAF on CloudFront, your load balancers, your gateways, you set some policy, and that's
it. It's a basic thing. No, I've never used WAF in an architecture, because I use enterprise
grade firewalls and IDS/IPS systems, but understand this is the AWS cloud native way to do it.
And this is what's going to be on your security certification. This is what's going to
be on your AWS certification. So understand WAF is the AWS firewall. So what does it
look like more holistically? It's really going to look like this.
It's really going to look like this: you're going to have your internet gateway. On your load
balancer, you're going to place, at a minimum, you know, what do you call it, a firewall.
And that's going to be backed up by a network ACL and a security group. And hopefully
you're doing something on the instance itself; that'll provide generic protection, and it'll
work really well. There's nothing wrong with this architecture if you're using a single
cloud. But if you're using multi cloud, we can't be using proprietary firewalls that
don't work the same everywhere; we have to use the same kind of firewall in all environments,
and everything is multi cloud. So this isn't going to be a common architecture you're
going to be deploying anywhere other than an exam. So next, let's talk about distributed
denial of service attacks, and how do we deal with them? So first, what is a distributed
denial of service attack? Here's what it looks like. Let's say we got a bad guy
or girl over here, we call him the attacker. The attacker has a server. Now the attacker gets
really smart, and the attacker says, compromise all these servers. And what happens? The attacker
creates an army of infected servers. And then the attacker launches this army of infected
servers at a single system. So imagine this, let's say we've got it where it says web application.
Let's say this is a beautiful web server, and it can serve 5000 requests per minute.
And it's doing great. Then the attacker decides to launch 100,000 requests per second
on a server that can handle 5000. So what happens is as follows: requests, requests, requests,
requests. The server gets busy responding to requests, the server can't meet the needs,
and the server crashes or the server doesn't respond. Or the attacker fills up a buffer,
a buffer overflow, and then kind of compromises the server. But this is bad. So what's going on? What
is a distributed denial of service attack? It's when you use systems on the internet to overwhelm
a system or a service. So how do you prevent it? Well,
a lot of ways. Let's talk about how you do it. Well, first,
the firewall blocks all unwanted traffic from getting into your systems, so you're not getting
a DDoS attack there. Now, we're typically going to use a content delivery network. I will
talk about CloudFront when we get into content delivery networks, and on the content delivery
network we can put some DDoS protection. And why do we love the DDoS protection on
content delivery networks? Here's what you get: a request goes to the content delivery
network instead of the web server, the content delivery network looks at that request and says bad
request, don't even send it. So just by doing that, we get 100,000 requests per minute for
web pages, and the content delivery network drops all of them. So the content delivery network
chops it all. Then, at the edge of our network, guess what, we put a firewall. The firewall
blocks all incoming traffic. Then, with a modern firewall, guess what we do? We have
an intrusion detection, intrusion prevention system. And what's the cool stuff about this?
It's like having Navy SEALs out there getting rid of anybody that bypassed
the content delivery network and then bypassed the firewall. Now we've got the IDS/IPS system.
So you can see this as layers. And then we keep traffic out of the subnet with an access
list. We're then going to keep traffic out of the server with the security group. You
see what it is, it's layers here. Then on the server, the servers themselves are hardened: we're
going to put another firewall on that server, like a host based firewall, host based IDS/IPS,
intrusion detection and prevention on there, we're going to disable unnecessary services,
close down IP ports, we're going to put some anti malware protection on the server. I
mean, we're gonna have to harden the server as well. So you know, maybe we
encrypt the storage on the server. So you can see this is what goes into preventing
DDoS attacks. Now, adding a DDoS prevention service on the content delivery network is
excellent, and we strongly recommend it. If you use CloudFront, we've got a content delivery
network, we've got a DDoS service called Shield. If you're using Akamai's content delivery
network, guess what, they have their own. If you're using Azure's, they have their own. Using
Google's content delivery network, they have their own. If you're using Cloudflare's content
delivery network, they also have their own DDoS protection. Here's what it is: they don't
send illegitimate requests to the web servers. Now, AWS does have some very good DDoS protection,
it's excellent. Their Shield and Shield Advanced are very good. And they really do belong in
a good security architecture, in production. It's excellent. CloudFront
has a strong, solid, robust content delivery network, and the DDoS protection on it is excellent.
There are two versions of AWS Shield: Shield Standard and Shield Advanced. Excellent and real,
real, real relevant in today's world. So those are the things that make me excited, when it's
actually relevant. So how does it work? Shield Standard comes free when you're using the
AWS firewall, if you're using that. So you might want to stick your firewall on the CDN with
Shield and then use a real firewall to protect your enterprise, like those from the marketplace,
something from like Cisco, etc. But Shield protects against common DDoS attacks.
According to AWS, they say 96%. I wouldn't believe it. Vendors always claim really exciting
rates, which look good on paper until the attacks change. So they say 96%, whatever;
the point is, it's relatively good. Shield Standard protects against SYN and UDP flood attacks,
reflection attacks, HTTP slow read attacks, so your main ones. But they get blocked
based upon policy, so whatever you configure is there. Now let's talk about Shield Advanced.
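To show the kind of decision an edge layer makes when it drops a flood before it reaches a web server sized for a fixed request rate, here is an added example that is not part of the bootcamp and is not how Shield or any CDN works internally: a per-source sliding window counter run over constructed access-log lines, flagging sources that exceed a request budget. The log lines, addresses (RFC 5737 test ranges) and the budget of 20 requests per second are all constructed for the demo.

```python
import collections
import datetime
import re

# Common Log Format prefix: client ip, ident, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def build_sample_log():
    """Constructed access-log lines: one ordinary client and one flooding source."""
    stamp = "15/Feb/2012:10:00:%02d +0000"
    lines = [f'203.0.113.5 - - [{stamp % i}] "GET /index.html HTTP/1.1" 200'
             for i in range(3)]
    # 60 requests squeezed into two seconds from a single source
    lines += [f'198.51.100.77 - - [{stamp % (i % 2)}] "GET /search?q={i} HTTP/1.1" 200'
              for i in range(60)]
    return lines


def parse_line(line):
    """Return (source_ip, unix_time) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    when = datetime.datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), when.timestamp()


def detect_floods(lines, window_s=1.0, max_per_window=20):
    """Return {source_ip: peak requests inside any window_s-second window} for
    every source that exceeded max_per_window.  One deque of timestamps per
    source gives a sliding window in O(1) amortised per request."""
    events = [e for e in map(parse_line, lines) if e]
    recent = collections.defaultdict(collections.deque)
    peak = {}
    for ip, ts in sorted(events, key=lambda e: e[1]):   # replay in time order
        window = recent[ip]
        window.append(ts)
        while ts - window[0] >= window_s:               # expire old requests
            window.popleft()
        if len(window) > max_per_window:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


if __name__ == "__main__":
    for ip, count in detect_floods(build_sample_log()).items():
        print(f"flood from {ip}: peak {count} requests in one second")
```

The budget is the knob that matters: set it from the origin's measured capacity (the 5000 requests the example web server can serve) divided over expected clients, and apply it at the CDN or firewall so the origin never sees the excess, which is the whole point of putting the protection at the edge.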
Now here's where we're starting to get to something. Shield Advanced is not free. It's a couple
thousand dollars a month. And it provides protection for load balancers, virtual machines,
CloudFront, Route 53. And here's where you're starting to get into some intelligent attack
mitigation. So it's adaptive in nature: it looks for patterns of behavior that are not normal
and enforces against them. Again, if you bought a firewall from Palo Alto, it would do all of
this automatically. But as far as AWS goes, using Shield, it gets adaptive when you start using
services such as Shield Advanced, and Shield Advanced basically will deploy ACLs or whatever
it needs to do. And it's looking for layer three, four and seven attacks. And if you actually
spend the money for Shield Advanced, you've got a 24 by 7, so 24 hours a day, seven days a
week, DDoS Response Team, assuming the customer's on business or enterprise support. So now
you know about Shield. Now
we're going to talk about some AWS security services. And we'll just talk about it. The
next service we're going to talk about is GuardDuty. GuardDuty is an automated service
to monitor your AWS account and analyze your CloudTrail logs, DNS logs and VPC flow logs. And
here's the thing, it's going to look for patterns of behavior, and it'll send you messages
if it sees things it doesn't like. Now, here's the key. If you were using a next generation
firewall, you would already know that and not need this. So if you're getting an industrial
grade firewall from the marketplace, things like GuardDuty become not that important,
because you're already getting this information from your security devices. Let's talk about
the next Amazon security thing. So this is Amazon Inspector. And this is an automated
security service that helps improve the security and compliance of your systems. It
effectively assesses your applications for exposure and deviations from best practices.
And after performing an assessment, guess what, it sends you a detailed list. But it's an automated
assessment, which means take the results with a grain of salt: half are going to be great,
half are going to be garbage, because automated is never good enough. But automated gives
you something, so it's a start. Next, we'll talk about Amazon Macie, which is a fully managed
data security and data privacy service. And what's going on here is it's using machine
learning and pattern matching heuristics to protect your sensitive data. And what it's
going to do is provide an inventory of your S3 buckets, encrypted and unencrypted, and then
it'll put a machine learning algorithm on it to help you tell the difference. So two last components
we'll talk about in security. We will talk about the Service Catalog and the Systems Manager
Parameter Store. So what is the Service Catalog? It's a great idea. The Service Catalog
is this. Many years ago, when I was a little network engineer, before I became a network
architect, I remember the systems were slow. So I ran around with a protocol analyzer,
which we used to call a sniffer. I'd stick the sniffer on the network, and I would see,
okay, this user is going to this illicit website downloading inappropriate photos, this user
is downloading music, this user put in this server, this user put a video game server
on their desktop and poked a hole through the firewall, this user did this. And as you can
see, you've got some problems going on here: you've got systems on your network
that are not secure and are an attack vector. So AWS has something called
the Service Catalog. And it's a beautiful arrangement. It basically lets you control
what your people put on the systems. It enables you to create a list of approved services,
machine images, servers, software, database and application architectures. And then when your
systems admins, your cloud admins, want to go build something, they go to the Service
Catalog, and they choose from the things that they're allowed to have. How cool is that?
Choose from the menu of what you're allowed and nothing else. So how does it work? Well,
you've got a user, they put their information in the Service Catalog, and you come up with
an infrastructure as code script to launch it. Personally, infrastructure as code should
be Terraform, not AWS CloudFormation. And here's the reason why. There's no point in
anybody learning an AWS proprietary service, and guess what, everybody else is using Terraform,
which works on all clouds. And since 87% of people are multi cloud, CloudFormation
is a waste of your time. Don't learn it, learn Terraform instead. So kind of keep that in
the back of your mind. And the people that need to learn Terraform are the cloud engineers
and the DevOps engineers, not cloud architects, because we don't configure. They're different careers,
and we all need different skills. So going with this system manager parameter store,
What is this? It's a place to secure your sensitive stuff. So what do I mean by that? Things like database connection strings and passwords: if this information is compromised, it can have some massive security consequences. So kind of keep that in the back of your mind. Systems Manager Parameter Store is a really great environment. What does it enable you to do? It enables you to store configuration and secrets: database connection strings, passwords, etc. For extremely sensitive information you want the value encrypted, and Parameter Store does that with a SecureString parameter whose encryption key lives in KMS. So this stuff separates the code from the password: the application asks Parameter Store for the secret at runtime instead of having it baked into the code, and it gives you a means to audit who accessed what, etc. So here's what we're going to do. Does everybody see how all these pieces and parts fit together? Do you need me to walk you through a demo for about 15 minutes of how we put systems together and how we make them secure? If you do, let me know in the chat box. If not, I'm going to keep going straight with the certification training.
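An added example from the editor, not code from the bootcamp or its labs, showing the "separate the code from the password" idea above in Python with the boto3 call shape for Parameter Store. The parameter names, values and the FakeSSMClient are constructed so the block runs offline; in real use you would inject boto3.client("ssm") instead, and the caller also needs kms:Decrypt on the key protecting the SecureString.

```python
# Added example, not code from the bootcamp: read database settings from AWS
# Systems Manager Parameter Store at runtime instead of baking them into code.
# boto3.client("ssm") is the real client; to run offline this block injects a
# client object and ships a constructed FakeSSMClient that mimics the response
# shape and NextToken pagination of get_parameters_by_path().
from typing import Any, Dict, List

# Constructed sample data: one application's parameter hierarchy. Values are
# invented for the example.
SAMPLE_PARAMS: Dict[str, Dict[str, str]] = {
    "/prod/orders/db/host": {"Type": "String", "Value": "orders.db.example.internal"},
    "/prod/orders/db/port": {"Type": "String", "Value": "5432"},
    "/prod/orders/db/name": {"Type": "String", "Value": "orders"},
    "/prod/orders/db/user": {"Type": "String", "Value": "orders_app"},
    "/prod/orders/db/password": {"Type": "SecureString", "Value": "example-only-pw"},
    "/prod/billing/db/host": {"Type": "String", "Value": "billing.db.example.internal"},
}


class FakeSSMClient:
    """Stand-in for boto3's SSM client (constructed for this example).

    Like the real service it pages results, and it only returns a SecureString
    in the clear when WithDecryption=True (the real API additionally needs the
    caller to hold kms:Decrypt on the key that protects the parameter)."""

    def __init__(self, params: Dict[str, Dict[str, str]], page_size: int = 2) -> None:
        self._params = params
        self._page_size = page_size
        self.calls: List[bool] = []  # WithDecryption flag of every call, for inspection

    def get_parameters_by_path(self, Path: str, Recursive: bool = False,
                               WithDecryption: bool = False,
                               NextToken: str = "") -> Dict[str, Any]:
        self.calls.append(WithDecryption)
        prefix = Path.rstrip("/") + "/"
        names = sorted(n for n in self._params if n.startswith(prefix))
        if not Recursive:  # non-recursive: only direct children of Path
            names = [n for n in names if "/" not in n[len(prefix):]]
        start = int(NextToken) if NextToken else 0
        page = names[start:start + self._page_size]
        out = []
        for name in page:
            p = self._params[name]
            value = p["Value"]
            if p["Type"] == "SecureString" and not WithDecryption:
                value = "<kms-ciphertext>"  # real SSM hands back the KMS ciphertext
            out.append({"Name": name, "Type": p["Type"], "Value": value})
        result: Dict[str, Any] = {"Parameters": out}
        if start + self._page_size < len(names):
            result["NextToken"] = str(start + self._page_size)
        return result


def load_config(ssm: Any, path: str) -> Dict[str, str]:
    """Return {short_name: value} for every parameter under `path`.

    Follows NextToken pagination and asks for decryption, which is the part
    people forget: without WithDecryption=True a SecureString comes back as
    ciphertext and the connection string silently breaks."""
    base = path.rstrip("/")
    config: Dict[str, str] = {}
    kwargs: Dict[str, Any] = {"Path": base, "Recursive": True, "WithDecryption": True}
    while True:
        resp = ssm.get_parameters_by_path(**kwargs)
        for p in resp["Parameters"]:
            config[p["Name"][len(base) + 1:]] = p["Value"]
        if "NextToken" not in resp:
            return config
        kwargs["NextToken"] = resp["NextToken"]


def connection_url(cfg: Dict[str, str]) -> str:
    """Build the DSN from fetched values; the secret never lives in source."""
    return "postgresql://{user}:{password}@{host}:{port}/{name}".format(**cfg)


if __name__ == "__main__":
    client = FakeSSMClient(SAMPLE_PARAMS)  # in production: boto3.client("ssm")
    cfg = load_config(client, "/prod/orders/db")
    print(sorted(cfg))  # never print cfg itself: it contains the password
```

The least-privilege version of this is an IAM policy that allows ssm:GetParametersByPath only on the /prod/orders/ path and kms:Decrypt only on that team's key, so the orders service cannot read /prod/billing/ even though it sits in the same account.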
So what I'm going to do is as follows (excuse me for the coughing): I'm going to do about 10 minutes of questions, then I'm going to do 15 minutes on showing you how all the pieces and parts tie together, and then we'll get back to the content. So first, let's answer the questions, then I'll walk you through it, and then we'll get on to the next topic, which is AWS applications and services, which is a pretty extensive section at that.

"From a certification point of view, do we need to know how to configure policies, roles, Cognito, or just know their usage?" So I'll tell you one thing: if you knew the concepts and could never configure anything, you could walk in and pass the certification exam like nothing. Now, you will get a couple of extra questions right if you do know how to configure things, but you're not going to be asked to configure roles or Cognito in the Certified Solutions Architect Associate, because most of that stuff is from the Certified Solutions Architect Professional that I included
just to make sure you would know it.

"On-premises identity provider leading to AWS Single Sign-On": yes, that is federation. If you're using federated identity, you log into your Active Directory server, you get a temporary token, and you go access all your systems with that temporary token. Absolutely. You can grant access to users from other organizations, and then it becomes a federated identity or a cross-account role, etc. Absolutely.

WAF is a layer seven kind of thing; it's typically layer seven. "How does the CDN detect an attack if the request looks like any other valid request?" Because it's very easy: when you get a SYN, a half-open SYN or an incomplete request, it's very easy to look at the patterns of behavior on the CDN. That's how I'd describe it. When we talk about these things, we're talking about patterns of behavior. So I'll give you my life. It's Friday; let's pretend it was Monday, and let's just say I was still working at Cisco as an architect. I'd go give a speech in DC, I'd go to California and give a speech, then the next day I'd go to England and give a speech, go to Dubai, and the next day stop in India and spend the weekend, because I want to go to Mysore and practice yoga, then fly from India to Sydney, spend a day or two giving presentations in Australia, etc. Then go to Brisbane, go to Melbourne, then stop at Cairo, then go to Cape Town, and then go back to Palm Beach. That's kind of the way my life would be. So when I go do this, my credit card company just lets me do it. Now, if you tried to do that, and you didn't have a job like I had where we go from country to country and place to place, you'd leave your house, you'd go to your first place, you'd buy something, and you might get a call from your credit card company: wait, did you mean to do this? So what happens is the credit card companies are trained to look for patterns of behavior. It's called heuristics. Our intrusion detection and intrusion prevention systems do the same thing: they look for patterns of what normal looks like, and when the requests don't look like regular customers, something is different about the request, or we're getting a lot of requests that don't look normal, they stop it. Just like when you would try and go to three countries in a week, chances are your credit card company would call you and say, did you mean to do this? Same kind of thing. Great question. You're going to be a great architect.
"Is it possible to use next-generation firewalls?" Yes, and we all do. None of us use WAF, unless it doesn't matter; we all use industrial-grade firewalls. Where do we get them? From the AWS Marketplace, from the Azure Marketplace, from the Google marketplace, from the Oracle marketplace. Guess what? If we've got two clouds and we have one firewall here and another firewall there with different policies, that's not going to work. We go get the same next-generation firewalls from the marketplace, the AWS Marketplace, the Azure Marketplace, and they run on virtual machines. We use network load balancers to do that, and I'll show you how to do it in a few minutes. Great question. "How is DDoS prevented?"
Well, you know, lots of ways. You've got a million requests coming from a million systems. If you drop all million requests at the content delivery network, there's nothing there. Then if they try to get through the firewall and they can't, they're blocked over there. Now, hopefully you've got an access control list protecting the subnet, so it can't get through; hopefully you then have a security group, so it can't get through. Now, hopefully your server has an IDS/IPS, antivirus and a firewall on it, and has been locked down, so if they bypass all those, they still can't do anything, and you're still up and running. How about auto scaling? Auto scaling is great here. So we block everything we can at the content delivery network, but some gets through; we block 98% of it at the firewall, but 2% gets through; our IDS/IPS blocks most of what's left; the network access control list blocks another 99% of the attack; the security group blocks another 90%; and whatever is left over from that now hits the server, which has a host-based firewall and a host-based IDS/IPS, which stops the rest of it. And then if something gets past that and starts to overwhelm it, auto scaling is going to add capacity by adding 30 servers. And at some point, if you set your growth and your servers right in your Auto Scaling group, you'll out-scale the servers that are attacking you. That's how we prevent DDoS attacks.

"Every user is a privileged user?" They have user privileges; the question is what privileges you give them.
Zscaler is an extremely good solution. It is an end-to-end solution. It's a web application firewall, but it's next-generation, it's adaptive, it's got your intrusion detection. It is a real end-to-end, enterprise-grade security solution. That's fantastic. It provides exactly what I'm going to show you how to do next, in a newer, more innovative way.

"Are federated identity and SSO the same thing?" No. Federated identity management is as follows: I connect through an external identity provider and I get access to this system. Single sign-on is: sign on once and get access to everything. Now, in most cases we do single sign-on and identity federation at the same time, but they're different. Great question. Okay, so let's play with this for about 10 minutes.
I'm going to walk you through how the pieces and parts work together, because I'm teaching all these AWS services, and the reality is I probably use none of them, except for a few. So I want you to at least understand what we're talking about. So let's take this particular environment. The way we protect our systems is with a firewall at the perimeter of our network. So let's say we wanted a next-generation firewall. In the data center, our firewalls are high-availability devices; they're physical devices, we plug them in, we can run two next to each other, they can run a heartbeat, and we can determine which one is active. In the cloud, are you allowed to go into the cloud data center, rack up your firewalls, zip, zip, zip, then plug them in and cable them up? Of course you can't. So in the cloud, when we go to the AWS Marketplace, the Azure Marketplace, the Google marketplace, the Oracle marketplace, we get a virtual machine with firewall software. So here's typically what it's going to look like.

Now, there's a rule when it comes to availability and performance: two is one and one is none. So we need more than one firewall. So what do we do? We take two firewalls. Let's say we go to the AWS Marketplace and we buy two Palo Alto next-generation firewalls, okay. Now, how do we manage the availability if one of the firewalls goes bad? We use a network load balancer in front of them (AWS also has a Gateway Load Balancer built specifically for putting virtual appliances like these inline). Now we've got firewalls that are next-generation, that should stop attacks and be adaptive in nature. But you know what? Not me. I'm paranoid. So even though I've got some intrusion detection and intrusion prevention here, I'm going to do even more. I'm going to use another network load balancer and a second set of IDS/IPS systems. And why? Because maybe a different intrusion detection and intrusion prevention system catches some things that the Palo Alto or the Cisco one didn't. Okay, so now I'm dealing with an industry-grade next-generation firewall, the way you would secure something that matters, and I've even got a second set of IDS/IPS systems to block attacks when they occur. Now, that's still not secure enough. Let's say I have an access control list that protects the subnet. Now, we're talking about AWS, so we'll call it a network ACL, but it's just an ACL, the kind that Cisco has had for 30 years. And we'll put a security group over here, which is going to protect the server. Well, that's not enough. On the server we should probably put a host-based firewall. Extra one: we should probably put a host-based IDS/IPS. Have you guys ever done a netstat on your computer? You notice your computer's listening on like 18 million ports. Guess what, you've got to disable all those unnecessary ports. So we'll just call it harden: disable unnecessary ports, patch, you know, all that stuff has to go on here.

This is the intro to security. This is intro, junior-level security. This is minimum, minimum security knowledge to work as an architect. And guess what, as a cloud engineer, you should know this is what it is too. It should scare you if all you see is WAF and Shield; it does terrify me. Now, it's not that WAF and Shield aren't good. But think about this: how do you have two clouds and run a security policy by securing AWS with its native stuff one way and then doing Google Cloud its own way, and they're both different, and they work? It's a disaster. But you get a Check Point, Cisco, Palo Alto or Fortinet, the same firewall with more features and more robust security, and it works in all clouds, ding, ding, ding, that is your solution. And this is how you can design it. And that's why it's so much different than what we'd be talking about if we were talking about, for example, the cloud-native versions, which are nowhere near this robust. So there's that. So let's get back into the content.
Yeah, so if you're going to deal with enterprise architectures and multi-cloud, you need vendor-interoperable services, not proprietary services. So it was like yesterday, when we said, hey, for multi-cloud use MongoDB over DynamoDB, don't use Amazon Aurora, use MySQL, Postgres, MariaDB, etc., Oracle or Microsoft. And really, it's not because any of the services are not good. In multi-cloud we need interoperability. If I speak Greek and Abigail speaks English, it's not going to be the best combination. If Abigail speaks Greek and I speak Greek, we're speaking the same language; it's beautiful. If Abigail speaks English and I speak Greek and I have to translate, not everything translates exactly perfectly. So that's the problem. We want everything perfectly translated. So I hope you understand why we're doing what we're doing.

So now we're going to get into the AWS proprietary applications and services. Again, in multi-cloud a lot of these services become unusable. But they're good services; there's nothing wrong with them, they're excellent services. I just want you to know what they are; they'll be on your exam. And then you have to learn the difference between certification training and career training, which is why we have our career development program for the cloud architects and our cloud engineering program, because certification and the job are about 90% different in both of these careers. So in this section we're going to talk about a lot of things: Simple Queue Service, Simple Notification Service, a workflow service, map and reduce, streaming data with Kinesis, container management, and many, many more things. So we're going to begin with an exceptionally good service called Amazon Simple Queue Service (SQS).
Now, unfortunately, I can't use this in any of my designs, because it's AWS proprietary and I use Apache Kafka. But Amazon Simple Queue Service is an excellent queuing service, and it enables you to decouple your architecture. So if you see a test question, "why are we using Amazon Simple Queue Service?", it is to decouple our application architectures. And it is an exceptional service if you're only on AWS. But if you're going to be on AWS, Google and Azure, use Apache Kafka, because it's vendor-neutral, interoperable, and it works everywhere. But we're talking about the AWS proprietary queue service, which is a great queuing service; it's just proprietary.

So what is SQS? It is a message queuing service that provides temporary storage of messages. It gives you a place to park messages before they're lost. So think about it. You've got messages coming in really fast from your web server, they're hitting your application server, and now you've got to send messages to the database. If the database is busy, the message is dropped. What if you could put the messages in a swimming pool and then take each message out of the swimming pool as necessary? That's your queuing system, whether it's Apache Kafka or AWS Simple Queue Service; that's why we're using those. So queuing enhances application availability by providing a means to keep messages from being lost. We can keep messages in there for up to 14 days, so we're not going to lose them. The queuing system is amazing, because we can look at the depth of the queue, the number of messages sitting in it, and say: add compute capacity, scale out, auto scale. Now, normally we auto scale based upon CPU usage. But if we can auto scale based upon messages, we are perfectly in tune. So I love the AWS SQS service. And don't get me wrong, if I'm on an AWS-only environment, I'm going to use this, because it's really great. It's just that how many customers want to do single cloud? Everybody wants to do multi-cloud. And for those reasons I can't use the proprietary things. But it's awesome. It really is.

So here's the way this works. We've got a user; let's say the user comes in through the web server, hits the app server, and has to hit the database, which in this case is Amazon DynamoDB. Yet another database, very proprietary, but a beautiful database. So the messages come in from the web server to the app server, and they get parked in SQS. And they sit in SQS until DynamoDB is ready for them. So: big improvement in scalability and performance. Let's talk about standard queues. So AWS, normally speaking, is really fast; here's how the standard queue works: a message comes in and goes out as fast as possible. That means they can come out in a different order than they came in, and a message can occasionally be delivered more than once, so your consumer has to tolerate that. Now, there are times that you need messages to be delivered in order, and you can do that as well: you can set this up as what's called a FIFO queue, first in, first out, but you don't necessarily have to.
So keep that in the back of your mind. So when you set up a first-in, first-out queue, meaning message one comes in before message two, three, four, realize it will lower the throughput of the queuing system, because the queue has to preserve order and a FIFO queue has a hard per-queue throughput limit that a standard queue doesn't. But if you need messages to be delivered in order, you can enable a FIFO, or first in, first out, queue. Now, we can also create a dead-letter queue, which is one of my favorite things. Here's what the dead-letter queue is: if a message can't be processed successfully after a set number of attempts, it's moved there instead of being thrown away or retried forever, so we can keep it and look at it.

So how does SQS work? Very simply, the message is sent from the producing system to the queue; the message sits in the queue and waits to be picked up. If the destination is busy, it hangs around in the queue for a week or two, or as long as the retention period allows. When the server is ready, it pulls the message from the queue to be processed. So it's going to look like this: we've got our sender, we're sending our messages into the queue. Cool, cool, cool. The messages leave the queue and get sent to the receiver, and once the receiver has processed them it deletes them from the queue, so they're not there anymore. Simple, simple, simple, simple and elegant. So when do you use this simple queuing system? Well, you're going to use a queue any time you want to increase capacity and promote application scalability through decoupling. If you want to make sure you don't lose orders or messages, I strongly recommend using a queue. It's great for cost optimization, truthfully, because it enables you to right-size your applications instead of oversizing them for peaks; it helps smooth out your system. But also, with SQS, and we do love this, if you can look at the message queue depth and trigger auto scaling, then you are in a position to add capacity exactly as you need it.
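An added example from the editor, not code from the bootcamp and not the AWS implementation: a small in-memory model of the SQS receive/delete cycle, so the decoupling, visibility timeout, dead-letter and queue-depth scaling behaviour just described can be traced with code. The queue names, message bodies, timings and the backlog-per-worker scaling rule are constructed for the example; the semantics (hide on receive, delete to acknowledge, redrive after maxReceiveCount) are the documented SQS ones.

```python
# Added example, not the bootcamp's code and not AWS's implementation: a small
# in-memory model of the SQS receive/delete cycle. It follows the documented
# semantics: a received message is hidden for the visibility timeout, stays in
# the queue until the consumer deletes it, and is moved to the dead-letter
# queue once it has been received maxReceiveCount times without being deleted.
# Times are a simulated clock in seconds; names and bodies are constructed.
import itertools
import math
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Message:
    message_id: str
    body: str
    receive_count: int = 0
    invisible_until: float = 0.0


@dataclass
class Queue:
    name: str
    visibility_timeout: float = 30.0
    max_receive_count: Optional[int] = None       # None: no redrive policy
    dead_letter: Optional["Queue"] = None
    messages: List[Message] = field(default_factory=list)
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def send(self, body: str) -> str:
        msg = Message(f"{self.name}-{next(self._ids)}", body)
        self.messages.append(msg)
        return msg.message_id

    def receive(self, now: float) -> Optional[Message]:
        """Hand out the first visible message and hide it for the timeout.
        A message that has exhausted maxReceiveCount is redriven instead."""
        for msg in list(self.messages):
            if msg.invisible_until > now:
                continue                     # in flight with another consumer
            if (self.max_receive_count is not None
                    and msg.receive_count >= self.max_receive_count):
                self.messages.remove(msg)    # poison message: park it in the DLQ
                if self.dead_letter is not None:
                    self.dead_letter.messages.append(msg)
                continue
            msg.receive_count += 1
            msg.invisible_until = now + self.visibility_timeout
            return msg
        return None

    def delete(self, message_id: str) -> None:
        """The consumer's acknowledgement; without it the message comes back."""
        self.messages = [m for m in self.messages if m.message_id != message_id]

    def visible(self, now: float) -> int:
        """ApproximateNumberOfMessagesVisible, the metric you scale on."""
        return sum(1 for m in self.messages if m.invisible_until <= now)


def desired_workers(visible: int, backlog_per_worker: int,
                    minimum: int = 1, maximum: int = 100) -> int:
    """Queue-depth scaling: target a fixed backlog per worker instead of CPU."""
    return max(minimum, min(maximum, math.ceil(visible / backlog_per_worker)))


def poison_message_scenario() -> dict:
    """One good order and one malformed order; the consumer crashes on the
    malformed one (so never deletes it); maxReceiveCount=2 sends it to the DLQ."""
    dlq = Queue("orders-dlq")
    q = Queue("orders", visibility_timeout=30, max_receive_count=2, dead_letter=dlq)
    good = q.send("order 1001")
    poison = q.send("order 1002 <malformed>")
    first, second = q.receive(now=0), q.receive(now=0)
    q.delete(first.message_id)                 # 1001 processed fine
    hidden = q.visible(now=10)                 # 1002 still invisible: 0
    retry = q.receive(now=31)                  # timeout expired: 1002 again
    after = q.receive(now=62)                  # third attempt -> redriven
    return {
        "good": good, "poison": poison,
        "second_id": second.message_id, "hidden_at_10": hidden,
        "retry_id": retry.message_id, "third_receive": after,
        "main_queue": [m.message_id for m in q.messages],
        "dlq": [m.message_id for m in dlq.messages],
    }


if __name__ == "__main__":
    print(poison_message_scenario())
    print(desired_workers(visible=250, backlog_per_worker=100))
```

The point of the scenario: a consumer that dies mid-message loses nothing, because the message reappears after the visibility timeout; and a message that keeps failing does not poison the queue forever, because the redrive policy parks it in the dead-letter queue for a human to inspect.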
Now let's talk about my new favorite thing, called Amazon SNS, Simple Notification Service. Well, not my new favorite thing, but this is one of those things that I actually do like. Lots of times we need to be notified of what's going on in our system, and Amazon provides us a very simple, elegant solution called Simple Notification Service. And this is a great way to decouple messages. We can use it for fan-out: we can have a message that goes into the Simple Notification Service, and it takes the message and sends it to a queue and sends the systems administrator an email. So this is great. So how does Simple Notification Service work? Like an email list; let's call it publisher/subscriber. So here's what happens: you subscribe to a topic and the publisher publishes to it; you subscribe to an email list and you get the messages. Same thing with Simple Notification Service. So simple, simple. We can use it to send an SMS message or an email, or push a message to multiple devices. So we're dealing with a publisher, who publishes, and subscribers, who subscribe; think of a mailing list. So here's what we're talking about with regards to the concept. We can have a publisher send a message; the message can go to a queue, and to a Lambda function, and be sent as an email, or any kind of notification we want, all at the same time. So: take a message, send it to some messaging system, beautiful, beautiful, beautiful.

So let's talk a little bit more about Amazon SNS; let's talk about the platform functionality. It is a high-availability platform that runs across multiple availability zones. Yes, we can use SNS to trigger a Lambda function if we chose to, etc. So it can be used to fan out messages. It allows the creation of filter policies, so a subscriber only receives the notifications that it's interested in. And SNS can encrypt your messages at rest with a KMS key to prevent unauthorized access. Let's talk about some common SNS use cases: application and system alerts, hey, every time the CPU of a system goes over 80%, notify all the systems administrators; or take a message, send it to SQS and a Lambda function at the same time; or push a message to someone, maybe a retailer selling houses pushes a message that a new house went on sale. These are the things we do with Simple Notification Service.
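An added example from the editor, not code from the bootcamp and not the AWS implementation: a Python evaluator for the core of the SNS subscription filter-policy grammar, used to fan one published message out to exactly the subscribers whose policy matches, which is the filter-policy and fan-out behaviour described above. The topic, subscription endpoints, policies and message attributes are constructed for the house-listing use case; the matching rules (exact string, prefix, anything-but, numeric ranges, exists) follow the SNS documentation.

```python
# Added example, not the bootcamp's code and not AWS's implementation: an
# evaluator for the core of the SNS subscription filter-policy grammar, used to
# fan one published message out to the subscriptions whose policy matches.
# Semantics follow the SNS documentation: a policy maps attribute names to a
# list of alternatives; a message matches when every attribute named in the
# policy is present (unless the policy says {"exists": false}) and satisfies at
# least one alternative. Supported alternatives: exact string, number,
# {"prefix": ...}, {"anything-but": ...}, {"numeric": [op, n, ...]},
# {"exists": bool}. Subscriptions and messages below are constructed.
from typing import Any, Dict, List, Optional, Tuple

_NUM_OPS = {
    "=": lambda a, b: a == b, ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
}


def _numeric(value: Any, conds: List[Any]) -> bool:
    """conds is a flat list like [">=", 0, "<", 100]; every pair must hold."""
    try:
        v = float(value)
    except (TypeError, ValueError):
        return False
    return all(_NUM_OPS[op](v, float(bound)) for op, bound in zip(conds[::2], conds[1::2]))


def _alternative(value: Any, alt: Any) -> bool:
    """Does one message attribute value satisfy one policy alternative?"""
    if isinstance(alt, str):
        return value == alt
    if isinstance(alt, (int, float)):
        return _numeric(value, ["=", alt])
    if "prefix" in alt:
        return isinstance(value, str) and value.startswith(alt["prefix"])
    if "anything-but" in alt:
        banned = alt["anything-but"]
        return value not in (banned if isinstance(banned, list) else [banned])
    if "numeric" in alt:
        return _numeric(value, alt["numeric"])
    if "exists" in alt:
        return alt["exists"] is True       # only reached when the attribute exists
    raise ValueError(f"unsupported filter alternative: {alt!r}")


def matches(policy: Optional[Dict[str, List[Any]]], attributes: Dict[str, Any]) -> bool:
    """True if the message attributes satisfy the subscription's filter policy."""
    if not policy:                         # no policy: the subscription gets everything
        return True
    for name, alternatives in policy.items():
        if name not in attributes:
            # an absent attribute only matches an explicit {"exists": false}
            if any(isinstance(a, dict) and a.get("exists") is False for a in alternatives):
                continue
            return False
        raw = attributes[name]
        values = raw if isinstance(raw, list) else [raw]   # String.Array attributes
        if not any(_alternative(v, a) for v in values for a in alternatives):
            return False
    return True


def fan_out(subscriptions: List[Tuple[str, Optional[Dict[str, List[Any]]]]],
            attributes: Dict[str, Any]) -> List[str]:
    """Return the endpoints SNS would deliver this message to, in subscription order."""
    return [endpoint for endpoint, policy in subscriptions if matches(policy, attributes)]


# Constructed topic: a property-listing feed with several subscribers.
SUBSCRIPTIONS: List[Tuple[str, Optional[Dict[str, List[Any]]]]] = [
    ("sqs:listings-index", None),                                   # everything
    ("email:agent@example.com", {"city": ["Palm Beach", "Miami"],
                                 "price": [{"numeric": ["<=", 500000]}]}),
    ("lambda:premium-alert", {"price": [{"numeric": [">", 1000000]}]}),
    ("sms:+15550100", {"status": [{"anything-but": ["withdrawn"]}],
                       "kind": [{"prefix": "res"}]}),
    ("lambda:first-listing", {"previous_price": [{"exists": False}]}),
]

NEW_LISTING = {"city": "Palm Beach", "price": 450000, "status": "new", "kind": "residential"}
WITHDRAWN = {"city": "Orlando", "price": 1250000, "status": "withdrawn",
             "kind": "residential", "previous_price": 1300000}

if __name__ == "__main__":
    print(fan_out(SUBSCRIPTIONS, NEW_LISTING))
    print(fan_out(SUBSCRIPTIONS, WITHDRAWN))
```

Filtering happens on message attributes, not on the body, which is why the publisher has to set attributes deliberately; a subscriber whose policy names an attribute the publisher never sends receives nothing at all.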
The next service is Amazon Simple Workflow Service, SWF. This is a workflow management service. So look at it this way: let's say you've got multiple tasks, task one, task two, task three, task four, task five. It would be really good if we could automate moving from task to task and take people out of it. And that's what Amazon Simple Workflow Service does. We love it. It's really, really cool. So SWF is a workflow management service. It enables the coordination of different tasks across a distributed application. It enables you to create a workflow of step-by-step tasks. And the orchestration plumbing, tracking which step is done and what runs next, is already built for you; you write the workers that do each step. So I'll give you an example. Let's say I had a video processing pipeline where the steps are: I upload a video, and then it needs to be web-optimized, so maybe take it from uncompressed video and render it out as H.265; and then maybe I want it sent to a transcription service to add some captions; and then I want it put in an S3 bucket, and I want an email that says, Mike, your new video of your cat is ready for download. So I could create a workflow that, once I upload it, kicks off a Lambda function that sends it to the optimization step, and once that's done, sends it to Amazon Transcribe for transcription, and once that's done, kicks off a new Lambda function to send it someplace else. That's what we're talking about, and we love that. So Simple Workflow Service is great.

Now, the next thing we're going to talk about is map and reduce. So when we're dealing with data lakes and big data environments, here's what we're really talking about, as a rule: we're taking the data out of a relational database, taking the data out of a data warehouse, taking the data out of a NoSQL database, landing it in object storage, and harmonizing it. And normally what people do is use Apache Spark to do this. Most of the big data people, I'll tell you, will write a custom Apache Spark job to do this, a PySpark script. Now, AWS Elastic MapReduce, EMR, is a managed Hadoop and Spark cluster: for the most part, it means you don't have to build and run the Spark cluster yourself. You still write or bring the Spark job, and it's still going to take some tuning. So your big data people will choose to run their own thing, or use this AWS service to map and reduce it. Really, what it's about architecturally looks like this: you take your information from one thing, you map it and you reduce it so it can go somewhere else. It's all about harmonizing, converting Greek to Greek, so to speak.
Let's discuss Amazon Kinesis. Now, this is generally more of a Certified Solutions Architect Professional thing, but guess what, I want you to get cloud hired, I want you to have the skills to be employable. So we're going to talk about Amazon Kinesis. Now, as a rule, I don't have any use for Kinesis, even though it is one of the greatest services in the world, because it's AWS proprietary and my customers use Apache Kafka. But in your certification exam you will need to know about Amazon Kinesis. And Amazon Kinesis is an excellent service for streaming data. It's just AWS proprietary. So if you're going to use multiple clouds, this is one of those services that's not so great. If you're going to use a single cloud, this is a beautiful service.

So Kinesis is a service for collecting, processing and analyzing streaming data, just like Kafka. Kinesis can collect and analyze your streaming data in real time, just like Apache Kafka. Kinesis can collect your data from your video, your audio, your application logs, your clickstreams, your IoT devices, just like Apache Kafka. And unlike a traditional environment, where you collect, store and then analyze, with Kinesis or Kafka we can do it in real time. So we love it. That's the difference. Traditionally, you store your information in a data warehouse, and you take historical information over a long period of time and analyze it to make your business decisions. Not here; in this particular environment we've got something very special: we can use Kinesis to analyze the data as it arrives.

Now, when we use Kinesis, there are four kinds of Kinesis: Kinesis Video Streams, Kinesis Data Streams, Kinesis Data Firehose and Kinesis Data Analytics, and they all have different use cases. Let's talk about Kinesis Video Streams. It's really for video; it enables Kinesis to collect video from multiple sources. It enables the ingestion, the storing and the indexing of multiple streams, and it enables video obtained by Kinesis to be sent for media processing and machine learning. We love it. So it's going to look like video coming in, coming in, coming in, and it's going to be streamed over for video and media processing. Let's talk about the data streams. Kinesis Data Streams is a highly scalable platform for real-time data. It can capture real-time data and send it to a real-time analytics application within 70 milliseconds. It can capture gigabytes of data per second from hundreds of thousands of sources. So why are we doing this with Kinesis Data Streams? I'm going to show you right now. We're taking these data streams into Kinesis so we can analyze them with a business intelligence tool like Power BI or Tableau or something like that, and actually see what's going on in real time. So, wow, sales are doing this; let me affect pricing this way or that way.
So that's why we do these things. Let's talk about some key concepts with Kinesis. We've got a data producer and a data consumer. The data producer is an application that emits data records as they are generated onto the Kinesis data stream, and data producers assign a partition key to each record. A data consumer is basically someone or something, a distributed Kinesis application or an AWS service, retrieving the data from all shards in the stream. Now, what is the data stream? A data stream is a logical grouping of shards, and shards are the measure of your throughput: each shard gives you a fixed slice of write and read capacity, and you add shards to scale. So what is Kinesis Data Streams used for? Well, large event data collection, real-time analytics, gaming data, mobile data, etc.
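An added example from the editor, not code from the bootcamp, showing what the partition key a producer assigns actually does: Kinesis MD5-hashes it to a 128-bit integer and routes the record to the shard whose HashKeyRange contains that value, which is why shards are the measure of throughput and why one hot partition key pins all its records to a single shard no matter how many shards the stream has. The stream is modelled locally (no AWS calls) and the sensor IDs are constructed.

```python
# Added example, not the bootcamp's code: how a Kinesis Data Streams producer's
# partition key selects a shard. Kinesis MD5-hashes the partition key to a
# 128-bit integer and routes the record to the shard whose HashKeyRange contains
# it; a stream created with N shards divides that space evenly. The stream here
# is modelled locally (no AWS calls), and the sample keys are constructed.
import hashlib
from collections import Counter
from typing import Iterable, List, Optional, Tuple

HASH_SPACE = 2 ** 128


def shard_ranges(shard_count: int) -> List[Tuple[int, int]]:
    """Inclusive (start, end) hash key ranges, split evenly like CreateStream does."""
    if shard_count < 1:
        raise ValueError("a stream needs at least one shard")
    size = HASH_SPACE // shard_count
    ranges = []
    for i in range(shard_count):
        start = i * size
        end = HASH_SPACE - 1 if i == shard_count - 1 else (i + 1) * size - 1
        ranges.append((start, end))
    return ranges


def hash_key(partition_key: str) -> int:
    """The implicit hash key: MD5 of the UTF-8 partition key as a big-endian int."""
    return int.from_bytes(hashlib.md5(partition_key.encode("utf-8")).digest(), "big")


def shard_for(partition_key: str, ranges: List[Tuple[int, int]],
              explicit_hash_key: Optional[int] = None) -> int:
    """Index of the shard that receives this record. An ExplicitHashKey, when
    given, overrides the hash of the partition key (used to target a shard)."""
    hk = explicit_hash_key if explicit_hash_key is not None else hash_key(partition_key)
    for index, (start, end) in enumerate(ranges):
        if start <= hk <= end:
            return index
    raise ValueError("hash key outside the stream's ranges")


def distribution(partition_keys: Iterable[str], shard_count: int) -> Counter:
    """How many records land on each shard; shows a hot key concentrating load."""
    ranges = shard_ranges(shard_count)
    return Counter(shard_for(key, ranges) for key in partition_keys)


if __name__ == "__main__":
    # Many device IDs as keys: load spreads across the four shards.
    print(distribution((f"sensor-{i}" for i in range(10000)), 4))
    # One device ID for every record: one hot shard that hits the per-shard
    # write limit no matter how many shards you add to the stream.
    print(distribution(["sensor-7"] * 10000, 4))
```

The practical rule that falls out of this: pick a partition key with high cardinality (device ID, session ID), not a constant or a low-cardinality field like region, or adding shards buys you nothing.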
Great. So now the next thing we want to talk about is Kinesis Data Firehose. Kinesis Data Firehose is a managed service to deliver streaming data into something like S3 or Redshift. So that's the last way we can do it: we can take our data through Kinesis Data Firehose and store it somewhere. So let's go through these: Kinesis Video Streams for video, Kinesis Data Streams to analyze real-time data, Kinesis Data Firehose to store it somewhere. And now let's talk about Kinesis Data Analytics. Kinesis Data Analytics is a managed service to transform and analyze streaming data in real time. It's based on Apache Flink for processing, it auto scales, and it will meet your needs. But here's the key: the data on Kinesis streams that's being aggregated and collected can be queried with standard SQL queries. Bear with me one second.
I have an idea; I don't know if my team can do it, so bear with me. So let's talk about the last thing, Kinesis Data Analytics. Basically, in this particular situation it's going to look like this: we're taking our data in real time, running it through Kinesis Data Analytics, and looking at it in a tool like Power BI in order to make a really, really great end-to-end solution. So that's what we're doing. Kinesis is all about getting information out of streaming data.

So now let's talk about something else. We're going to talk about something extremely proprietary, which I'm going to recommend you don't use; then we're going to talk about something more interoperable, which you could use; and then I'm going to give you another way where you don't have any of these things to worry about. So in the cloud we're going to be dealing with containers and virtual machines; that's all of our compute, for the most part. Virtual machines, we know how that works. Now containers, there are three ways we can do it. There's Amazon Elastic Container Service, which is a proprietary container management platform; there is Amazon Elastic Kubernetes Service, which we'll talk about, which is AWS-managed Kubernetes; and then the third thing is you build and manage your own Kubernetes cluster in every way you want, and it becomes a really great environment. So kind of keep that in the back of your mind. So we'll start
with the Amazon proprietary management platform. The proprietary management platform is as follows. We can use Amazon Elastic Container Service, which is basically a service that manages your containers. Realistically speaking, the container management system manages your containers, and therefore you don't have to build a container orchestration layer yourself. So Elastic Container Service is going to look like this: you'll have your server, you'll have your operating system, and your containers. So basically, we'll create a virtual machine, and on the virtual machine you'll put all your containers, and they'll be managed by Elastic Container Service. Or there's a serverless environment we can put our containers on, called Fargate, which we'll get to last. But Elastic Container Service is an Amazon proprietary container management service, and guess what, I don't recommend you use it. It's proprietary in every way. So we'll talk about something that's going to work much better in a minute. But I want you to understand what this is.

Elastic Container Service is a fully managed container orchestration service with four nines of availability, so relatively decent availability. And it's going to be deployed in your VPC, which means you can use network ACLs and security groups to lock your system down. And you can put your containers on a virtual machine like an EC2 instance, or on Fargate. So what's that going to look like? Without Fargate, you're going to see this: you're going to have your container management service, and this will be used to orchestrate the containers, so it's kind of like the conductor of the situation. So you'll then build your containers, put your containers on a virtual machine, isolate the applications in separate containers, and manage them. That is the standard way to do it. Basically speaking, you put it on a virtual machine; this is what we do in our data center. In our data center we have a container management cluster, usually Kubernetes, or something like OpenStack underneath; but whatever. Let's say the AWS proprietary Elastic Container Service does this, and it can do it in a serverless manner, so there's nothing for you to patch. Now you've got a choice: you put those containers on a virtual machine, or you stick them in this serverless environment. Like we showed you, you use Elastic Container Service to manage the cluster, you stick your stuff on Fargate, which is a place to host your containers, and you are done. And life is so easy. So now you know about Elastic Container Service. We're going to go into the more vendor-neutral, interoperable services. But let
me see if I can stop for 10 minutes. Also, here's what I want to do. If you guys are
with me, I'm thinking that it's Easter weekend, and nobody's really going to want to come
in on the Saturday to do this. I know that we can finish up today by about four to 430
If we keep going so we're gonna run until 4pm. So you guys can get all your great club
training and not only get your club training, so you can get caught hired. But you'll have
the whole weekend off. And you can go through the course of the second time if you want
to learn some stuff. So bear with me stay a little late. We'll make it a great thing.
We'll get out of here before the end of the day and you have your weekend free. So you've
got some questions, let's answer them and then we'll get back to the content. We've
been making lots of great strides today. Can SQS trigger a lambda function? Absolutely.
You're thinking like a Kata. Like the cloud people I'm loving that good job soldier
if you got some question Since please feel free to ask them. The only question
that I saw that recently came up that wasn't related to tech is how much different is our
cloud architect and engineering program completely, because the Cloud Architect job in the cloud
engineering job, couldn't be further separate apart. So we trained for the job we want.
And we'll be able to do that on Monday afternoon for much, much, much more detailed, but let
me tell you, when we train somebody for a job, we train them for that job. And here's
the reason why pilots don't become pilots by learning to be flight attendants. nurses
don't doctors don't become nurses. Doctors don't go to nursing school to learn medicine,
because it's a different job. So when our programs are different, they are based on
getting you hired, paid the most and promoted and having the best, fastest career progression.
So keep that in the back of your mind. So vote on the next bootcamp, you went Azure,
or do you want Google? I care because we give you what you need to get cloud hired. So tell
us what you want. We aim to please. So if there are no more questions, I'm gonna get
back to the content. Oh, one more thing. I forgot to tell you, my team decided to take
the sale, why ask them and extend it all weekend. So if you want to become a cloud engineer,
now's your time want to become a cloud architect, now's your time. If you've been training for
a year, and you need help with the interviews, now's your time for the tech interview Mastery
program. And if you've been working in tech, and you want to move up into management, you
want to leadership position, or something like that. We've got our tech inner, we got
a tech career accelerator program. And guess what? They're all 30% off except for the military
course, which right now is 50% off because it's brand new. If there's no more questions,
we're gonna get back to them. But if you give me a hashtag cloud hired and a hashtag cloud
engineer or a cloud architect, based upon your desired career, we'll be there.
There is one question on the difference between a Lambda function and microservices. So a Lambda function is just the ability to do something very basic: send an email, notify you that a bucket's there. So a Lambda function is trivial, trivial, trivial. Microservices is basically Kubernetes, where instead of having a big monolithic application, we've chopped the application into many, many services inside of containers that are self-healing. So that's more of what we're talking about. Lambdas are simple functions, little mini things, versus microservices, which are a whole way to design an application. But good question.

So getting back to the content here. Now let's talk about another container management platform, a good one, the Amazon Elastic Kubernetes Service. Now we're getting some really, really great stuff. And now we've got Amazon that's got a normal de facto standard, managed Kubernetes service, and everybody uses Kubernetes. Kubernetes is OpenStack. Kubernetes is the de facto standard for container management. And here we've got the AWS Kubernetes management service, which is a full management service. So now, what we're doing is as follows here: we've got a professional vendor-interoperable orchestration system. So if we've got a Kubernetes container in our data center, we can just move that Kubernetes container in here. If we're dealing with multiple clouds, Amazon has their Kubernetes, and Google has their own, and Azure has their Kubernetes. It's still Kubernetes. So realistically speaking, I'm going to tell you how I would do it: I would still not be using this either. But guess what? This Amazon Elastic Kubernetes fully managed service is excellent. It's vendor interoperable, it's industry standard. And here's the two ways you can use it; you can do it as the following. We can set it up in either containers, or serverless. So let's imagine we use the Amazon ECS. We set up a virtual machine like we have on the right side of this screen, we can put all our containers in the virtual machine; this is identical, effectively speaking, to what we'd have in the data center. Or we can host them in the serverless environment called Fargate. I host my stuff on virtual machines. And here's the reason why: if it doesn't work well with AWS, I take my virtual machine and move it to Azure or Google, and five minutes later, everything's up and running. So that's the way I do it. But I like to give my customers the most options out there. So I'm not going to be using Fargate, I'm going to be using virtual machines. But there's a time and a place to go serverless. But understand this: when you are serverless and you bring customers to serverless, it is very hard for them to leave. So the cloud providers are kind of like the cable company, you join them, they give you 30 to 40% off in your first year, like a drug dealer would do. And then after a year, they raise your rate when you're stuck on them. And if you're using serverless, you can't leave without spending lots of money. So you put your stuff on Fargate, fully managed as a container, you have less ability to get in and get off as easily as you could if you put your systems on a virtual machine. So when should you use this? If you want a fully managed Kubernetes service, this is brilliant. It is industry standard, and it's interoperable and great. Well, another way to do this: take a virtual machine, install the Kubernetes service, have that running in your data center, and take clouds and have them orchestrate together. Guess what? Perfectly interoperable too. So make your own Kubernetes service, or use the Amazon Elastic Kubernetes Service. Both of these are great. Both of these are interoperable. They work. They're enterprise friendly. What's not? Elastic Container Service, you know why? It's not interoperable, so your Kubernetes containers aren't going to work there. So kind of keep that in mind. If you're going to design things and you want interoperability, use industry standards, and the Elastic Kubernetes Service is awesome.
The next service we're going to talk about is the Amazon Elastic Beanstalk. I'm gonna give you a secret. Whenever you do anything that's automatic, it's never good. So design your systems yourself. But if you're not skilled and you don't know, and you're brand new, the reality is you shouldn't be touching the cloud. But if you were going to, Amazon has something called Elastic Beanstalk. And for the most part, this is a service for provisioning, deploying and scaling your applications. Basically, you upload your code, and automatically AWS designs your architecture, load balancers, and puts it together for you from your code. So just know what it is. But, you know, if you want somebody to build your car based on average, you know, there's that. So Elastic Beanstalk is a technically driven, semi-automated way to do it: you upload your code in Go, Java, .NET, Node.js, PHP, Python, or Ruby, and it does its thing in the back end; it'll be using CloudWatch to monitor your logs. So you know, it's simple and elegant. It really is. But after being an engineer and an architect for 25 years, we're going to tell you automagic is not something you want. You know, we used to call it automagic because we liked that it automagically does it; the only problem is, it doesn't. And when it does, automagically isn't ever what you wanted. So the user uploads their code, and it deploys their stuff. And theoretically, it's all gonna work, and auto scaling, auto everything, but I don't do auto anything. I'm an architect, I design systems, and my systems are based upon what makes the customer's business better, not some arbitrary tech. So there's no point in an architect's life for using something like this, because what are we doing? We're designing technology to solve customer problems. And if you're a cloud engineer, you should know so much about that technology and still want to use this, because you're going to do it the way you want to deploy, what you want, how you want it. You want it deployed with perfection, so take the time to care, to do some manual intervention.

Now let's talk about CloudWatch. I love CloudWatch. CloudWatch is logging or monitoring. So CloudWatch provides lots of metrics for you to monitor your stuff. Everything we deal with has logs. CloudWatch can work with some built-in metrics or custom metrics. Here's the thing with CloudWatch: it's giving you logs, it's giving you information. So it enables you to collect, monitor, act and analyze information. CloudWatch is great. Now, when it comes to CloudWatch, we have built-in metrics and custom metrics. Now the built-in CloudWatch metrics are pretty terrible. They're CPU utilization, disk read/write in terms of IOPS, and network utilization. And that is it. So if we want real information, memory performance, API performance, or anything else, then we're gonna have to get CloudWatch custom metrics; we're gonna have to set those up. And what is CloudWatch? It's really a notification system that lets customers know when something's happened. That's more your CloudWatch Events, which is also often called EventBridge. And CloudWatch Events are awesome. CloudWatch Events enable you to do the following: look at something that happens and auto scale, kick off a Lambda function, an SNS notification, or, guess what, even fix something. You can have a CloudWatch event that something happened in S3, and you can kick off a Lambda function to remediate it. So this is really, really, really, really awesome.

So when you set up CloudWatch, there's two versions: there's basic monitoring, and there's detailed monitoring. With basic monitoring, data is available every five minutes at no charge. Now, here's the thing: if you've done monitoring, and you look at your data every five minutes, you can have a peak of 100% and a low of 0%, that over time averages to 50%. And you'll miss things because it's too infrequent. Detailed monitoring you can do, which gives you data every minute, but you've got to pay extra for it. So it's like anything else in the cloud: you want the good stuff, the real stuff we use in the data center, then you're gonna pay for it. And if you want the average stuff, you pay less, or it's free. So when we're dealing with CloudWatch Events, you know, what we're really talking about is as follows: CloudWatch Events deliver near real-time streams of events. So basically, as soon as something happens, you can get told about it. So, kind of like, something happens, you know. So what is CloudWatch? CloudWatch is giving you notifications, etc., etc., etc. I'm gonna get to CloudTrail, but I'm going to just quickly answer Sonny's thing: using Elastic Beanstalk to automatically create and design things is going to create and design things that don't work. Now, that's very different than, for example, if we take our environment, and we deal with the DevOps team and they create infrastructure as code for exactly what we have, replicated. And then we could use that infrastructure as code to redeploy it in another cloud, but we're going to be using Terraform for that, and not something like an Elastic Beanstalk to design its own and hope it works. We're not going to hope it works. We're going to create a real architecture that's going to match the architecture that we designed. And our DevOps engineers will do it with Terraform, across all clouds, because the same code will work. But it was a great question, Sonny. And that's why I brought it up there.

Now, CloudWatch is logging, logging. Remember, this is a test question: CloudWatch, monitoring; CloudWatch, logging; CloudWatch logging, CloudWatch logging, CloudWatch logging. Gotcha. Now let's think. Let's go from CloudWatch logging to auditing. So on your test, you will hear of CloudWatch, which is logging, and CloudTrail, which is auditing. So CloudTrail is auditing, CloudTrail is auditing, and I don't want you getting those two questions wrong, or three or more. So now you know that CloudWatch is for logging and CloudTrail is for auditing. So now we're going to talk about CloudTrail. CloudTrail is an AWS service that helps with auditing. It provides an audit log that assists with risk management, compliance, really useful in regulated industries, for example, like medical or financial. CloudTrail is awesome. It's going to track what changes are made to an AWS account, by user, role or service. CloudTrail is enabled as soon as you enable your account. But in order to use it, you have to start to create a trail, which you do in the cloud console, the CLI or the API. And CloudTrail will record events. And these events are visible in the CloudTrail console under Event history. CloudTrail is something you're going to use a lot of, so great service, great service, great service. The event history will let you view events that have occurred in the last 90 days. Additionally, CloudTrail can be configured to store logs in S3 for long-term storage. Guess what else it will do: we can create a CloudTrail that applies to one region, which is just a single region, which is going to store your information and your logs in a single bucket. That's your default. Or, for comprehensive auditing, we create a trail that applies to all regions. And this is going to provide the most comprehensive logging and auditing; it's going to provide a record of all events that have occurred in the organization structure. And now what's cool about this: when you see a problem, you'll be able to see what's going on here, here, here and here. And that's how you're gonna get to the solution. So visually, what's it going to look like? I'll show you right now. CloudTrail, you get logs from all this stuff, who did what, when, how, where and why. And you're storing it in your object storage, so you can go back there for future use. So pretty cool stuff. We love CloudTrail, we love CloudWatch, you've got to do monitoring.

Now we're going to talk about AWS Config, another AWS service, guess what this one's for. So this is a service that enables the assessment, auditing and evaluation of configuration. It provides an opportunity to see what changes were made, by whom, in your environment. So Config tracks changes, I love this. Changes made are dealt with by Config, which can send Simple Notification Service alerts. So you get an email, a text message, a push message when somebody does something. Now, why is this important? Okay. Joey comes in. Joey makes a change. The change Joey makes makes our systems hackable, because his change opens this, this, this and this. As soon as Joey makes those changes, because we're using SNS, we systems admins get a notification that says, "Here's the change." "No way. Oh, look at Joey's change." We go, "Oh, no." And we get in there, we call Joey and we say, "Joey, do me a favor, stop touching the tech." And we go in and we fix Joey's mistakes instantly, and then we don't get hacked. So AWS Config is amazing. It provides a means to help with change management, identify things that somebody did. So you know, it's not that different than CloudTrail, which gives you audit logs. But this is more real time. You get to see it when it's occurring and how it's occurring, as opposed to finding out in CloudTrail a month later that something happened. So how does it work? Like this: somebody makes a configuration change, the Config agent notes the change and records it in a format, and then Config goes to check the change. Does it meet the organization's policies? If so, great. If not, emergency, bad problem, bad problem, sound off the fire alarm, notify the systems admins that changes have occurred and they're not good changes. So that's what we're really talking about with Config, and it's a great service. I mean, it is a really, really great service. So configuration change, Config tells everybody, and life is good. As they say in some parts of the world, Bob's your uncle.
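The "Joey opens a port, Config checks it against policy, the admins get told" flow, written out as an added example (not code from the bootcamp or from AWS). The restricted-port list, the security-group id and the timestamp are constructed; the evaluation logic is plain Python so it runs offline, and `lambda_handler` shows how it would report back to Config.

```python
"""Added example (not code from the bootcamp or from AWS): the check an AWS
Config custom rule could run when a change like Joey's lands on a security
group. The rule logic is plain Python so it runs offline; lambda_handler at
the bottom shows the wiring to Config's put_evaluations call. Port list,
group id and timestamps are constructed for illustration.
"""
import json

# Hypothetical organisation policy: these ports must never be open to the world.
RESTRICTED_PORTS = {22, 3389, 3306, 5432}
WORLD = {"0.0.0.0/0", "::/0"}


def rule_open_to_world(rule):
    """True if one ingress rule admits the whole internet on a restricted port."""
    cidrs = [r.get("cidrIp") for r in rule.get("ipRanges", [])]
    cidrs += [r.get("cidrIpv6") for r in rule.get("ipv6Ranges", [])]
    if not any(c in WORLD for c in cidrs):
        return False
    lo, hi = rule.get("fromPort"), rule.get("toPort")
    if lo is None or hi is None:          # ipProtocol "-1": all ports, all traffic
        return True
    return any(lo <= port <= hi for port in RESTRICTED_PORTS)


def evaluate_security_group(item):
    """Return (compliance_type, annotation) for one Config configurationItem."""
    if item.get("resourceType") != "AWS::EC2::SecurityGroup":
        return "NOT_APPLICABLE", "rule only evaluates security groups"
    permissions = item.get("configuration", {}).get("ipPermissions", [])
    offending = [r for r in permissions if rule_open_to_world(r)]
    if not offending:
        return "COMPLIANT", "no world-open ingress on restricted ports"
    spans = ", ".join(
        f"{r.get('fromPort', 'all')}-{r.get('toPort', 'all')}" for r in offending)
    return "NON_COMPLIANT", f"world-open ingress on restricted ports: {spans}"


def lambda_handler(event, context):
    """Entry point when Config invokes the rule on a configuration change."""
    invoking = json.loads(event["invokingEvent"])
    item = invoking["configurationItem"]
    compliance, note = evaluate_security_group(item)
    import boto3  # imported here so the evaluation logic above runs without AWS
    boto3.client("config").put_evaluations(
        Evaluations=[{
            "ComplianceResourceType": item["resourceType"],
            "ComplianceResourceId": item["resourceId"],
            "ComplianceType": compliance,
            "Annotation": note,
            "OrderingTimestamp": item["configurationItemCaptureTime"],
        }],
        ResultToken=event["resultToken"],
    )
    return compliance


# Constructed sample: Joey opened SSH to the world on the web tier's group.
JOEY_CHANGE = {
    "resourceType": "AWS::EC2::SecurityGroup",
    "resourceId": "sg-0123456789abcdef0",
    "configurationItemCaptureTime": "2022-04-15T18:00:00.000Z",
    "configuration": {
        "groupName": "web",
        "ipPermissions": [
            {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
            {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
             "ipRanges": [{"cidrIp": "0.0.0.0/0"}], "ipv6Ranges": []},
        ],
    },
}


def fixed_copy(item):
    """The same group after the admins narrow SSH to the corporate range."""
    fixed = json.loads(json.dumps(item))
    fixed["configuration"]["ipPermissions"][1]["ipRanges"] = [{"cidrIp": "10.0.0.0/8"}]
    return fixed


if __name__ == "__main__":
    print(evaluate_security_group(JOEY_CHANGE))
    print(evaluate_security_group(fixed_copy(JOEY_CHANGE)))
```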
Okay, now we're gonna get into the AWS content delivery network, CloudFront. And guess what? CloudFront is awesome. And it's going to be fun talking about it. But we've covered the logging services, the monitoring services, etc. So if there are three to five minutes of questions, we can answer them, and then we'll go back to the training. Chris, did I miss any questions in those last five minutes when I went through those services? I don't think so. Oh, yeah. One, just thank you. I think you got this one. Did you get this one? Yes, I covered the difference. So CloudTrail basically covers long-term logs. Config basically gives you closer to real-time configurations. AWS Config can be used for security monitoring, along with 40 or 50 other tools, for a comprehensive program? Absolutely. In SQS, if you have no dead letter queue, does the failed message become like a zombie? Yes. But if you've got a dead letter queue, which is what he's asking for, is when you're using a queuing system. If you know, if the queuing system has a two-week delivery, and it doesn't get drained out of the queue, the message is going to be lost. And what we can do is set up a dead letter queue, and a dead letter queue comes from the post office days. And here's what a dead letter queue is. The postman or postwoman goes to deliver messages and they can't, they pop them into this box. And then they try and figure out how to deliver them as a secondary case. That's what a dead letter queue is. And yes, making a dead letter queue when you're dealing with queuing systems is a very smart thing to do, so you don't lose messages. Absolutely. Great question. And that was it so far? Okay.

Then content delivery networks. Whoops, because this is really important stuff now, and content delivery networks, let me tell you, are one of the most important things. And I will tell you that they are almost exclusively described incorrectly. In fact, even if you read the AWS documentation, they don't tell you about the content delivery network at all; they only tell you about their caching servers, which is only half of the content delivery network. So we're gonna explain it all, so you're a real architect, a real engineer, you know how to do it in real life, not just what you've heard in certification. So we're going to talk about AWS CloudFront, which is the Amazon branded content delivery network. And what is a content delivery network? You'll hear people say it's a geographically distributed set of servers to provide fast content delivery. And yes, it's that, but what's that missing? The network. So really, the content delivery networks are about optimization and networking and performance. So content delivery networks will reduce your bandwidth cost, or reduce your server loads. And they will improve your speed and performance. Content delivery networks do a world of good for your internet security. And here's why: the request comes to the content delivery network, if it's a bad request, the content delivery network says, go away, you're not real. So totally protecting the web server. So content delivery networks: website scalability, network scalability, performance improvements, decreased inter-regional charges, and higher availability, so it's great in every way. So imagine this: you've got a web server, it's down for 30 seconds, but the information is cached on the content delivery network, some users are still getting service. So content delivery networks are awesome. And when we're talking about AWS, we're talking about CloudFront, because that's their branded content delivery network. So CloudFront can really help boost your website hosting performance. And it's got a network and a set of caching servers. But the network is really the critical thing. And we're going to show you how this works. So how does it work? So right now, here I am in my house, I'm home, it's a Friday, and I go to a website, www.gocloudcareers.com. And I go to this website. Now the first time I go to this website, guess what? I go to my regional location. It's not there. So the CloudFront content delivery network says, okay, Mike, and it sends it up the private network to the source. And the web server answers. The web server for www.gocloudcareers.com sends the information to the regional cache across the content delivery network, then sends it to the Miami CloudFront location, then gives it to me. Now 10 minutes later, my cat Cindy decided she's going on the internet; my cat Cindy's a genius. She's an expert at troubleshooting code by unplugging servers and chewing through ethernet cables and powering off those switches with her paws. And she decides to go to www.gocloudcareers.com because my cat wants to become a cloud architect. So she goes to www.gocloudcareers.com. Now, because I went there before Cindy the cat went to my website, she got it immediately. Now, my wife decides she's going to give up practicing cardiology, and she's going to be a cloud engineer. So she goes to the www.gocloudcareers.com webpage, where I went to, where Cindy went to. And as soon as she gets there, it's here on the cache. So the only time the web server answered was for me; when Cindy went there, when my wife Lisa went there, it didn't go back again. So kind of keep that in mind. So the way these content delivery networks work is as follows.
Let's say we've got a statically hosted Go Cloud Careers page. My first request, guess what, it hits the content delivery network, and it's not there. So it goes through the content delivery network to the source, which is my VPC or whatever, or the S3 bucket. The S3 bucket then provides the information to the CloudFront content delivery network and sends it to me. So the next user that wants to request something goes to CloudFront, and CloudFront says, I already have it, here you go. So this back end was only seen one time for everybody in that region, until the cache dies out. So you know, this is really cool. So when we talk about CloudFront, or content delivery networks, we're talking about caching, to make the website more scalable. We're talking about caching, which offloads the servers; by taking frequent requests to the cache, the servers are less busy. So for frequently accessed content, it helps if the content is not as dynamic and changed. The cache doesn't help because if I'm requesting different information than Cindy versus Lisa, guess what? None of us have the information stored in the cache. So keep that in the back of your mind. Now, when we're dealing with AWS, CloudFront integrates with pretty much everything. Why? Because it's a great content delivery network, and we do so many web applications on the web. So whether we're dealing with S3, EC2, load balancers or Route 53, we can stick CloudFront there. CloudFront is often used to front-end static websites or object storage like S3, but it can also be a front end to a virtual machine based website, or something that uses load balancers as part of the architecture. So let me show you what it looks like. Realistically speaking, we've got the user, they access CloudFront, they can either pull static content from an S3 bucket, or they can get dynamic content from a load balancer that's front-ending some virtual machines. That's pretty much it.

So let's talk about some key CloudFront concepts. We're dealing with concepts, there's three things we need to talk about: distributions, origins, and cache control. So when you set up CloudFront, you're setting up a distribution. And a distribution is going to be identified by a DNS name. And remember, when we looked at Amazon, it was an ugly name like abcdefg1234.cloudfront.net. And that's not a pretty name. So what you can do is you can leave that as the URL for your website, but I wouldn't; you can create a CNAME record, cindythecat maps to abcdefghijk1234.com, and now you go to cindythecat versus that ridiculous thing, and you find the website. So now that you know, and I showed you that yesterday, when we were looking at the, what's the word I'm looking for? I showed you that yesterday. So let's talk about the CloudFront origin. Yesterday, we did that when I did an nslookup of amazon.com. So let's talk about the Amazon CloudFront origin. When you set up CloudFront, you set up an origin. So the origin is the location where your content is coming from: an S3 bucket, an EC2 instance or virtual machine, your load balancer, etc. And the origin is going to point to the DNS name of the location. So let's talk about CloudFront cache control. So CloudFront is about caching, right. So let's think about this. If I cache my website, www.gocloudcareers.com, and it's cached out there and the cache is for a month, every single time somebody hits the cache, the information will be there for 30 days after it's first populated. Now, if it's there for 30 days, and I change my website, guess what, for up to 30 days, people are going to get access to the old information. So with the cache, we've got two options. How long do we keep information in the cache, which is called Time To Live. So let's think about the Time To Live alternatives for a minute. If we've got an incredibly long time to live, like a month, the data that's being served in the content delivery network can be stale for up to 30 days. If the cache changes every five minutes, then it's gonna get new content every five minutes. But five minutes later, every request for information won't be on the cache, and my web servers are going to work. So what we need to do as architects is find the intersection of the most scalability that we need, by the length of how long it can be cached, combined with how frequently we change the content, so we don't have stale content. So you, as an architect or an engineer, will need to know the needs of the business to say whether the content should be there for a month, for example, or a minute, and relatively soon. I'm exaggerating the concept, but you really need to know exactly how long your content should be there. So when you do this, you have to let it know what you need. So when you set up CloudFront, you're basically setting up your web servers, you're putting your content on, then you're creating your CloudFront distribution, and AWS will assign a name for the distribution.
And then you either accept the ugly thing, or you go back to the CNAME record. So let's look at it in real time, let's put all the things together. So we've got the user, the user wants to go to www.gocloudcareers.com. And we're using the AWS content delivery network. So we've got the user in the top right corner here; the user goes to www.gocloudcareers.com. So the user goes to the edge location, it's not there. So the edge location goes to the regional cache, guess what, it's not there, so the edge location sends it to the source. Now, the source, the EC2 instance and the S3 bucket, they then send all the information back to the regional cache, back to the edge location, and back to me, and I'm all happy because I got to find Go Cloud Careers. Now, Jonathan comes, and he's also in Florida. And he goes to that same edge location. He requests that Go Cloud Careers website, and it sends it instantly. Now Ray is interested, he goes to the Go Cloud Careers website, hits that same edge location, he gets it, and all's good. Now, we've got Chris, who doesn't live near Miami, he lives near Tampa, the major city near him. So Chris goes to the Tampa edge location. And guess what, there's nobody there. So his request goes from the edge location to the regional cache, it goes to the source, bumps back to the regional cache, back to the edge location, and back to Chris. Now Chris is doing great. Now somebody else is in the Tampa area, they go to the same website, they get sent here. Now, we set the cache for three hours, it's been six hours since any of us requested this; the next user on the top wants to have the cache. This time, when he or she goes to www.gocloudcareers.com, it hits the edge location, it's not there, it hits the regional cache, goes to the servers, back to the regional cache, back to the edge location, back to the users. And poof, everybody is working. So that's the interplay. Now, here's the other secret that you need to know.
The internet has no guarantees; the internet doesn't have to deliver your traffic. So while everybody talks about this concept, here's the thing: when the user in the upper left hand corner goes to that edge location, if it's not in the edge location, it's going to ride a private AWS-owned network back to the source. So we're taking our traffic from the ugly, slow public internet into the AWS private network on the way to our servers. So we get acceleration in every case: acceleration of the private network, acceleration from caching. And that's why it's called the content delivery network, not content delivery caching servers, because that network piece is the most critical piece of it. It's also the piece that AWS doesn't talk about on their website, or in their certifications. It's the network that makes this so good: getting off the internet onto a private network. So if we're using CloudFront, what about private content? Well, we can deal with that too. How does this work? Normally you use CloudFront for a public website. But what if you've got a paid website, subscribers, private applications, and you want to make it private? Well, you can do two, there's three ways you can do this: you can set up an origin access identity, and you'll definitely see that on the Certified Solutions Architect Professional, and most likely the Associate. And basically, you can restrict access to a certain set of people; you can sign your URLs, etc., etc., etc., or you can use a signed cookie. But these are the ways you can give private content. So going back to CloudFront, look at the content delivery network, so it can really boost your performance through content caching, and through the private routing efficiency of the private network. CloudFront maintains connections to the source, persistent connections, so there's not going to be a need to start a new session with the server every time, further reducing the load. At the time of writing, there are 217 points of presence where CloudFront is used. So a lot of this, a lot of this, we'll talk a little bit more about CloudFront: you can put WAF, or web application firewall, or DDoS protection, as we described in Shield; Shield Standard is included at no cost. Because CloudFront is a content delivery network and only forwards good, legitimate requests to the servers, and it drops everything else, it's going to really help with DDoS protection, because you can't launch an attack by sending bad messages through a content delivery network that just dropped all the bad messages. And the good news is CloudFront can also provide encryption in transit; by doing so, it takes the load off of the server, can enforce an SSL or TLS protocol, and it supports server name identification and custom SSL/TLS certificates. So that's CloudFront.
Now, getting into a few more things before we're done for the day. But CloudFront
is a pretty big topic. I want to give it five minutes to see if anybody needs anything,
and then we're going to go straight back to the content. If there's any questions for
me from the CloudFront, let me know. Ruth: does CloudFront also use the edge location?
Absolutely. That's where the user connects to, the edge location. Great question, Ruth.
Jonathan: does CloudFront only refresh content when the user requests it? Yes. When you request
it, it's requested. Although with some of these content delivery networks, you can pre-request
that ahead of time, and that is possible. Is CloudFront proprietary? Yes, it's an AWS
proprietary content delivery network. And the reality is all content delivery networks
are owned by somebody and somewhat proprietary. So you know, you might have an AWS content
delivery network and an Azure content delivery network at the same time. Yeah, you know,
I got to tell you this. So when I teach live classes, it's easy because I can look at the
expressions on my students' faces. If I feel like they're overloaded, I can back
off and we can talk about a cat for five minutes and answer some questions. And doing that not
being able to see anybody's faces, not knowing who's tired, not knowing who's fully overloaded,
not knowing who needs a break, yes, this makes it really challenging. So for all of those
guys that are out there, that's why I keep that chat window; please communicate with me, I want
to give you the best experience. It's very easy for us. It's very easy for the student,
but very challenging for the presenter. But we love doing this. I want everybody in the
world getting hired, I want to help you get there. So uncomfortable, comfortable. We're
just thrilled to be with you. My gosh, all these days such awesome and usable content.
Thank you so much, Mike and Chris and the Blue Crew for delivering such great presentations.
Yes, the Blue Crew and Chris. Is there a way to clear the cache? There is absolutely a
way to clear the cache. Just like anything else, there is a time and a place to kill
the cache. And if you ever wanted to do it, what you do, there's a command, I'm going
to put the command in the chatbox. Last time I checked, it was create-invalidation. And
I just posted it there, the single command that clears out the cache. Will, so to your good
question, we covered that on the first day. So go back and look at that. But I'll also give
you the answer right now. An edge location is where a user accesses a content delivery
network. A Local Zone, by comparison, is where we do edge computing. So the reason
we do edge computing is our data centers are fast, fast, fast, fast, good performance.
The cloud is far away, so it's slow, slow, slow, slow, slow in terms of latency. The
point of an edge, of a Local Zone, is you can stick it someplace in between you and the cloud
provider that's far away, so you can get closer to traditional data center-like performance
and still be using cloud computing. So that's what a Local Zone is: it gets your
computing closer to the user, so it performs closer to that traditional network and data
center environment and less like a cloud, because the cloud doesn't perform as well.
It scales better, it's more agile, and it makes sense. But we can do greater things
at higher performance in the data center, and economically, especially with regards to
latency. But a bit of security use on CloudFront. Truthfully, on CloudFront, the only security
I would be using is Shield, and then behind CloudFront I would be using next generation firewalls,
IDS/IPS systems, access control lists, security groups, endpoint protection, anti-malware
protection, host-based firewalls, host-based IDS/IPS systems, encrypted storage, get really
good Identity and Access Management profiles. And we're just beginning to touch security
over that roof. Good question. Now here's the scariness. When you're
dealing with an outsourced provider, they manage everything they do, which doesn't
necessarily mean it's gonna be good or not, which means you may have to clear the cache.
But it's a very solid question. Cloud providers generally manage most of their stuff.
Can you tie Route 53 to CloudFront? I sure can. So whenever you create a CloudFront distribution,
you will get a really, really, really, really ugly name. So for example, let's see if I
have the ability to do this. And I don't know if it's going to work on your screen. Let me
see if I have the ability to do this up in Preferences.
Don't know if I can do this? If I can, what I'll actually do is as follows. I will... Nope,
I can't do that. So I can't share that screen. Let me go find another slide where I'll show
you what it actually looks like. I'm going to cancel my way out of this because that's
not going to work out well. So let me go find a slide that I showed you yesterday. And
here's what's going to happen. We're on slide 454, Chris, so you can remind me when we want
to go back to it. We'll show you what it's going to look like. Bear
with me, I'm gonna go find it. I took a picture of an nslookup from my computer, if I can find it. Bear with me a minute. Okay,
here we go. So what you're going to see is as follows. The second you create a content
delivery network, what you're going to see is, you know, this is going to be your CloudFront
distribution: delta three alpha golf four hotel uniform kilo kilo hotel six two
yankee november dot cloudfront.net. That is actually the name that you're going to get from your
CloudFront distribution; it's going to be something ugly like that. So what you really
need to do is as follows: you're going to take a CNAME record, which AWS, which Amazon
did, that maps amazon.com to cloudfront.net. And we've got to get to the thing that
up and running put there, because that's not accurate at all, at all. And I want to make
sure that we solve this issue. So the edge locations are not the backbone. The backbone
of the network are routers and switches inside of the organization; they're running interior
gateway protocols such as OSPF, or Intermediate System to Intermediate System. As a general
rule, what they're going to be doing is they're also going to be running some RSVP signaling,
and they're going to be running some tag switching or label switching. That's going to be the
backbone, and it's going to have a bunch of explicit MPLS tunnels. Now outside of the
backbone, we have other entities, and that's what the edge locations are. It's not going
to be part of that organization's major backbone; that's going to be specific systems in their
network that can be running multiple, multiple, multiple 100 Gig links to each other. And
that's where the routing and switching people like me are going to be designing their backbone.
Their backbone is this. This is a content delivery network which is separated from their
backbone, that connects to their backbone, but is not their backbone, to enable users on this.
Their backbone is very isolated from this, and if it's not, every time they have an internet
hiccup, they'll have an Amazon outage. So totally, totally, totally different. It's
not where the backbone ends at all. It's part of another part of the network that
gets attached back. So I wanted to make sure we kept that kind of clear. Backbone is very
specific. It is the heart of the network, the internal network, not the external network.
So yeah, sure, if you have a website and you want to do web caching, you're going to use
CloudFront. When are you going to use a NAT gateway? Use a NAT gateway anytime you want
to translate a private address to a public address for egress-only internet access, meaning
go out to the internet and bring your traffic back. API gateways are just ways to integrate
into certain systems, and you can use that as kind of the front end of a microservice-based
architecture. But most things aren't microservice-based architectures, so you're not going to
be using as many. So keep that in the back of your mind. But good questions.
Good question. Were there any others I needed to get to? That's it. Okay, then we'll go
back to slide 454. Bear with me while I find that slide, and we're gonna get back to the
content. I did have a question come in, I think,
from up and running. Yeah. And yes, the connection from the edge
is going in. But that's still different than the backbone. The backbone is the core of
a system's network. And typically, what we have is we have a core, which is our internal
major stuff; we have a distribution layer, which connects to the core and aggregates
the access layer; and then we have the access layer of the system where it's fed into the
network. And that's what we're talking about with CloudFront. It's an access layer, not
a core. So that's why it's not part of the backbone. It's not even part of the distribution
layer. It's part of the access layer, a user access layer. And it's a very,
very big fan thing. And there's extremely different routing on the service provider
side. So that's what I was trying to say: they're not even there at all. They're totally
separate networks, and they're probably running different routing, and they've got a lot of
firewalling in between them, and they've probably even got a separate autonomous system.
It's definitely not the backbone. But I know why you were thinking that. I
have a lot of network engineers, and network architects, and people that really have a networking
background, and because most of the cloud architects I deal with need a networking
background, we've got to be very precise on our networking. And that's why I was being
extra careful here. I wasn't trying to be difficult. So now let's talk about Amazon
Lambda. When we're talking about Lambda, we're talking about a serverless service for basic
stuff. Basically, you upload mini code, and it happens, and there's no operating
system to manage, etc. But this is for mini, mini,
mini, mini, mini, mini, mini stuff, mini things. So it's a C#, Go, Java, Node.js, Python
thing, but a very, very simple, simple thing. Very basic stuff. And you know, Lambda is
stateless. And what I mean by stateless is it's not paying attention to anything
at all. So once something happens, it's done, meaning it doesn't maintain it. So if you
want to do a Lambda function, another Lambda function, another Lambda function, you need
a workflow to synchronize them. So keep that in the back of your mind: Lambda itself is stateless.
If an S3 bucket becomes public, and you kick off a Lambda function and seal it off, that's
what we're dealing with. But you know, once the function is performed, it's completed.
Now, Lambda is really, really useful. So get a system event log, do something about it,
remediate a security thing, patch an operating system. So Lambda functions are brilliant.
They're highly, highly useful in a variety of situations. And every cloud has one; Azure
calls it a function. Basically, it's a little mini code in response to something. And that's
one of the things that makes the cloud so transformational, is we can do these little
mini things. So we can set Lambda to work off in response to some event in a VPC, like
if somebody put a file in a bucket. Think about this. Let's say I've got an application
where I've got a user who uploads something into a bucket, which is something I do. A Lambda
function can say, hey, send it to video processing. And another Lambda function could say, hey,
send it to transcription. Another Lambda function could be, hey, send it to the end. So hope
that makes sense. So when we look at Lambda functions, and they are truthfully very cool,
and they cover them in much more depth in the Professional exam, what we're dealing
with here, in this particular example, let's say I uploaded my video to S3, I could
have a Lambda function that sends it in and does so much work for me. So that's kind of what
we're talking about as Lambda. Now, if Lambda is working inside of AWS on the AWS network,
inside of our VPC, what if we wanted to run literally many little Lambda functions before
they get to us, before they're even on our systems? We could do that too. And that's
called Lambda@Edge. And Lambda@Edge enables you to make Lambda functions where, do you
think? Close to the user, at the edge location. So that's all that is. Now, I previously told
you that these little mini Lambda functions are cool. Awesome, right? But I said they
weren't stateful, and they couldn't remember. So going back to my video thing, I upload
a thing, I need to send it here, I need to send it here, I need to send it here. And
I told you we could do that with Lambda functions. We can, but we need to schedule those Lambda
functions. Do this first; after this occurs, do this; if this occurs, do this; and after
this occurs, do that. So if we want to add some application logic, we use something
called Step Functions, and Step Functions let us sequence Lambda functions. So step
one, step two, step three is declared, and this is really brilliant. So if Lambda functions
are cool, and every cloud has their function thing, and we can now sequence them in step
one, step two, step three, just think about how brilliant that really
is. So loving it, loving it, loving it. So keep that in the back of your mind. So with
Step Functions, we can enable multi-step work, so workflows. So what's it going to look
like? We design the steps, right? And create the individual Lambda functions. We configure
the workflow: step one, step two, step three, step four. We connect the workflow components,
and then we execute the steps under normal use, and guess what? We've got it running.
And then all of a sudden, we determine that our workflow could be optimized, so we optimize.
So same thing, it's always a state of optimization. In fact, in architecture and engineering,
I'll bring you to the Air Force OODA loop. So the Air Force has a concept called an OODA
loop: observe, orient, decide, act. Well, when you're setting up a step function or a website,
a new database, observe it, see what's going on, make a decision, and act, make it better.
So you know, every day, learn something new; every day work on making your system better,
harder, more secure, more available. You should always be thinking about how we make things
better. And that's what Step Functions are for. So, visually: step one, Lambda function,
step two, and step three, step four, Step Functions.
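What that step one, step two, step three sequencing looks like in practice, as an added example that is not from the bootcamp slides: the upload-to-S3 video workflow described above, written as an AWS Step Functions state machine in Amazon States Language. The region, the account ID (123456789012 is a placeholder) and the three function names are assumptions; each Task state invokes one Lambda function in order, the Choice state covers the "if this occurs, do this" branch, and the Fail state ends the workflow when a step does not complete.

```json
{
  "Comment": "Added example (not from the bootcamp): video upload workflow. ARNs are placeholders.",
  "StartAt": "VideoProcessing",
  "States": {
    "VideoProcessing": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:video-processing",
      "ResultPath": "$.processing",
      "Retry": [
        {
          "ErrorEquals": ["States.TaskFailed"],
          "IntervalSeconds": 5,
          "MaxAttempts": 2,
          "BackoffRate": 2.0
        }
      ],
      "Catch": [
        {
          "ErrorEquals": ["States.ALL"],
          "ResultPath": "$.error",
          "Next": "WorkflowFailed"
        }
      ],
      "Next": "ProcessingSucceeded?"
    },
    "ProcessingSucceeded?": {
      "Type": "Choice",
      "Choices": [
        {
          "Variable": "$.processing.status",
          "StringEquals": "ok",
          "Next": "Transcription"
        }
      ],
      "Default": "WorkflowFailed"
    },
    "Transcription": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:transcription",
      "ResultPath": "$.transcription",
      "Next": "Publish"
    },
    "Publish": {
      "Type": "Task",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:publish",
      "End": true
    },
    "WorkflowFailed": {
      "Type": "Fail",
      "Error": "VideoWorkflowFailed",
      "Cause": "A step in the video workflow did not complete"
    }
  }
}
```

The state machine itself holds the position between steps, which is exactly what a stateless Lambda function cannot do on its own; the Retry and Catch blocks are where the "observe, decide, act" loop lands when a step fails.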
Okay, so let's talk about Rekognition. Amazon Rekognition is a way to analyze videos using
machine learning. It can identify individuals in the video, people you want, or people you
don't want. It can look at people's facial expressions, maybe somebody's doing this in
the video, and you know what I mean, about smiling. So maybe it's got somebody's content.
I actually saw, I interviewed someone, and in the back, while I was interviewing,
there were bombs all over the room. Now granted, if we're producing a video, it'd be cool if
we could look for content like that and remove it, or not have it in there. What if I want
to search for a person? I can do that. Look at logs or logos, make sure they're consistent.
I can do that with Rekognition. So, nice, beautiful pattern matching thing. And that's what we're
talking about with Rekognition. So. Okay, now the next thing I'm going to tell you is something
called CloudFormation, which should be something you should never ever think about or use,
ever. And I'm gonna give you the reason why. This is 100% AWS proprietary coding. On AWS,
87% of customers are not AWS proprietary. So this is trash, trash, trash, trash, trash.
Replace this with Terraform, which works on all clouds. So your DevOps engineers that are
using Terraform, or even your cloud engineers that are using Terraform, they use Terraform
and they can build it in AWS, and if it doesn't work out with AWS, because we haven't got any
cloud provider, then they can go anywhere, anytime. So never limit yourself. Don't handicap yourself.
Don't chop off both of your legs and say, hey, guess what,
I'm using a proprietary service. Use the vendor-neutral, interoperable, use Terraform. So,
CloudFormation is a means to use infrastructure as code in a proprietary manner on the AWS
cloud. You make a simple text file via supported programming languages, and from there you
create it in either JSON format or YAML. Template... wait, don't the other ones use something
else, like go live? But either way, here, your code is stored on S3, and the code can be used
by a CloudFormation template from the CLI or the API. And it's going to provision your
system. Like I said, it works great, but it's only AWS proprietary, and nobody is crazy
enough to just use the one cloud. So scrap this, toss this AWS CloudFormation template away,
trash, trash, trash, replace it with Terraform. And you now can work everywhere, anytime,
which raises your value as a cloud architect, I'm sorry, as a cloud engineer, or a DevOps
engineer, to be able to work in the good stuff. So let's now talk about the Certificate Manager,
another important service. So when you're dealing with web stuff, you want to deal with
HTTPS, or secure sockets, and TLS certificates. So when you have to go to a website that's
SSL based, you have to be able to verify the authenticity of the website, and they need
to verify you, and this happens via SSL/TLS certificates. So the AWS Certificate Manager
is a great place to get an ID certificate for your AWS resources. It's quick, it's efficient,
it's awesome. And, you know, the Certificate Manager gives you free public certificates.
But you can also get private certificates for your internal stuff as well. So great
store. Here's how it works. Here's what you do. You go to the Certificate Manager, and
you request your certificates, and they give them to you. Great service, that's all you
need to know. Now, when you're dealing with the AWS Certificate Manager, there's two options.
There's the Certificate Manager: you want an SSL/TLS certificate, perfect. You want
to deploy it in your load balancers, your CloudFront distribution, your API gateways,
whatever, you've got it completely from the AWS Certificate Manager. Now, what if you wanted
a private certificate, an internal certificate? You wanted to create some organizational hierarchy,
for example, you want to issue certificates for certain users, or their computers and
appliances, or applications or services. Now we can get a private certificate, which we
have to pay for. But that's okay. But we can't use a private certificate on the internet.
Just keep that in the back of your mind. I'm going to talk about three more proprietary
Amazon security services. There is Amazon GuardDuty, which can help monitor your AWS
accounts. It'll analyze your CloudTrail logs, your DNS logs, or VPC flow logs, and it's gonna
look for patterns of behavior that are compromised, and it will tell you, so you can fix it.
Again, you're gonna get a lot of this stuff out of good, strong next generation firewalls.
There's also another Amazon security service called Inspector, which is an automated security
assessment that theoretically can improve your security and compliance of your systems.
Basically, what it does is it automatically assesses your applications for exposure, vulnerabilities,
deviations from best practices. And after performing the initial audit, it'll give you
its findings. So keep that in the back of your mind. And lastly, Amazon Macie is another
fully managed data security and privacy service. What it does is it will look at your S3 buckets,
and it's going to look for encrypted and unencrypted and public things. And it'll apply some
machine learning and pattern matching techniques to identify if you have any kind of sensitive
data, personally identifying information, that is open and available for the world. So we're
going to, I'm going to stop and take a few minutes of questions. Then we'll talk about
cost management, and a couple of minutes of high availability.
And then from there on in, we will talk about passing the exam, and you'll have a great weekend,
everyone. So let's bring in some questions for a few minutes. See if there's anything
else. We can use Lambda to do some optimization and tuning and some self-healing. So if I
understand your question, I think, I think I understand your question, and the answer
is yes. Any other questions? Because I'm happy to
answer them before we go on to the next topic. So I see there's a CloudFormation versus Elastic
Beanstalk. They're very similar, but not exactly. Elastic Beanstalk is basically you just upload
some code, and it's going to theoretically design and architect it perfectly for them.
CloudFormation is when you know exactly what you want, and your DevOps engineer creates
it as infrastructure as code. Now, truth be told, CloudFormation is a million times better
than Elastic Beanstalk. But the key is CloudFormation is AWS proprietary, and Terraform is not.
So 99% of organizations don't use CloudFormation. They use Terraform instead, for that reason;
it gives them much more flexibility and opportunities. Great question. That helps me. See what else
we have. So this is saying CloudFormation is infrastructure as a service, Beanstalk is
managed app service. That's what it says. I don't know if that's what it is. Because
it could be CloudFront, CloudFormation, cloud anything. So in general, we never use,
as architects, we never use any kind of acronym, because right now you and I think it's cystic
fibrosis, you think it's CloudFront, it could be CloudFormation, and I can give you at
least 15 more BS. I can give you what I actually think it is. But I'm not sure what he's actually
trying to mean. He could mean Bachelor of Science, he could mean BS in the way I'm actually
interpreting it. But I also know he means basic service. I still don't know. So it's
really hard for me to work with acronyms and try and understand them. A long time ago,
I learned a very valuable lesson not to use them. And here's how I learned them, up and
running. About 20 years ago, I received a call at three o'clock in the morning. And
one of the engineers on the team said, Mike, I'm having trouble with all these PVCs. And
I said, give a lidocaine bolus at one and a half milligrams per kilogram, and then start
a drip. And he said, what do you mean? I said, you've got too many premature ventricular
contractions. I don't want to deal with the V-tach. So give a lidocaine bolus and start
a lidocaine drip. And that's what happens. I wish I understood you, up and running, because
you seem really smart. You've done a lot of great things, to say. I just don't understand.
Oh, okay. So CloudFormation: infrastructure as code? Yep. Beanstalk? Managed application service.
Absolutely. Completely agree. Yes. Yes. Yes. Is AWS spoken similar to Patrick? Logic? Yes,
exactly. Same concept. All these clouds are the same. They just name the things differently.
Probably identical. Okay, so do me a favor, vote on your next bootcamp: Google Professional
Cloud Architect, Azure Solution Architect Expert, you will be in charge. We're gonna
do it. We're gonna do it all free. It'll be live and it'll be fun. So following your next boot
camp, we can't wait to see you. I see some zeros. I love them all. They're
camp, we can't wait to see you. I see some zeros. I love them all. They're
all the same to me. But I'll do whichever one you like. Paris cloud I worked on was
the frame relay cloud, the ISDN cloud, the ATM called the VPLS called the BGP called,
I've been dealing with pilots clouds, clouds, clouds cloud. Okay, so you know, here's the
thing. Nic V, this is a really great question. So what is a point of presence? A point of
presence is generally when you take a bunch of internet service providers in there Wan
and they all run cross connects. So you take a building in the building you put NTT you
put Telefonica from Spain, Singapore Telecom, Vodafone, orange, a titsa, lot. Verizon 18
T, you bring them all with these 100 Gig connections all into a building. And then what do we do
in this building? AT and T and Verizon run out fiber optic 100 Gig cable between them.
We run 100 Gig cable between us and MTG etc, etc. That's the point of presence. Now, Nick
be if you're going to make a content delivery network, where would the smartest place to
look? Put your content delivery network be in an internet Point of Presence? So when
you're dealing with people that actually nibble things intelligently and call things like
Azure who don't make up names, Azure calls their Edge locations, points of presence,
because that's what it really, really is. But AWS never calls anything what it really
is. They add the word elastic, they make a fence in your marketing terms. So they came
up with the term edge location, but really, it's just a point of presence. Excellent.
McBee Excellent. Excellent, excellent question. Really good one. So we're gonna get to the
next content soon. But if you can give me a hashtag Claude hired and a hashtag with
a query like Cloud engineer, DevOps engineer or Cloud Architect with a hashtag give us
that in the chatbox and we'll get back to the content. Okay, so now we're going to talk
about cost control. Now, when we do this, we're going to be talking about a lot of proprietary services
that can help you optimize cost according to the AWS way of doing it. Now, this does
not include negotiation; this does not include other cool things that you can do if you
really know business and you're capable. This includes the stuff on cost management that's
part of your certification exam, and I want you to pass it, but don't use these things
in real life. And what we're going to talk about first is the change in cost structures.
Now, moving to the cloud has a very profound effect on an organization's technology cost,
a huge, huge, huge effect on an organization's technology cost. In many cases, going to
the cloud will be a lower total cost of ownership, in many cases, but not always. The cloud can
be more expensive under some use cases. One thing is for sure, I'm going to tell
you this right now: when you go to the cloud, that changes your cost structure from a capital
expense to an operational expense. Now, other certification courses are going to say this
is great. Well, not really. Going to the cloud goes from a buying decision to a renting
decision. And is it cheaper or smarter for you to buy a house? Or cheaper or smarter
for you to rent a house? Well, the answer is, it depends. And going to the cloud can
be the best thing financially or the worst thing financially, based upon use cases and
patterns. But just shifting from an OpEx, or operational expense, to a capital expense is
not necessarily a good thing or a bad thing. It's just a thing. And you need to know that.
And the organization's weighted average cost of capital and use patterns will determine
that. So don't just say, hey, it's good to go to the cloud. If you do, your replacement
will thank you for the really nice job that they got. Because as architects, we need to
know the business. So when it comes to cost management, let's talk about the traditional
environment and why it's a very capital-intensive product. In the traditional data
center, you've got to buy your physical servers, your routers, your switches, your firewalls,
your load balancers, your IDS/IPS systems, your racks, power distribution units, your
generators or backup generators, your transformers, your battery backup, your generators, then
you need a million and one air conditioners, redundant air conditioners, and real estate.
So building a data center is capitally intense, expensive. But remember, I could go right
now and buy a refurbished server that has two E5-2680 v3s, 256 gigs of RAM, and
three SSD drives. And I can buy that for 1800 bucks once, or I can run that in the
cloud for 1800 bucks per month, every month, for years. So it's not that the cloud is cheaper.
Now, if on the network I have to hire 10 CCIEs at $250,000 each, and I need 100 people
to maintain things, and I need to buy all these routers, switches and electricity, then paying
10 times more for service in the cloud might still be cheaper. And that's the analysis, that's
the business case that the architect needs to do. It is not straightforward
at all. But one thing that is straightforward is in the data center, we've got to buy
a lot of stuff; on the cloud, we don't have to. Now on the cloud, we pay 10 times more
to use this stuff than we would have to buy the stuff in that data center. So usually
it works out, and it's still usually cheaper in the cloud, because of the management, the
overhead, etc. So in the data center, we don't have a lot
of OpEx, but here's what our CapEx is: electric bills and WAN connections and our
huge staff to do it. But most of our costs in the data center are equipment, or capital
expenses. Now when we go to the cloud, we're not buying anything for the most part, other
than the routers that connect to it, which means low capital overhead. But on the cloud,
we pay out the nose to use it. So, extremely high ongoing expenses. Think about it. If
you're a landlord, and you buy a house, and it costs you $2,000 for the house, you can't
rent it out for 2000. You've got to rent it out for like 3000. So if AWS buys the server for
50,000, they're gonna be renting it out and getting a few 100,000 for the server in order
to make it work. But they manage almost everything for you, and you need less stuff. So the trade-off
is usually still cheaper on the cloud. So how do you manage cost on the cloud? Plan
it. So first step, provision only the resources you need, so don't do it. And the datacenter
we got to build for Christmas or peak in the cloud. We can plan for average and we can
auto scale. Keep that in mind the next thing you Want to do is monitor your systems constantly.
Here's why. If your systems are running at 10% utilization, you can use smaller systems
and save some money. If your systems are running at 80%, you need to go up to a bigger system
or add more systems. And you won't know that. Now if you monitor your systems, and you know
what you're using, then you can properly size your resources. So that stuff to size your
resources based on exactly what you need after monitoring. Base your systems on aggregate
or average use is not peak usage. I use auto scaling. decouple your application architecture.
So use the queues when you can, it enables you to use these smaller systems. Now use
the right platform. And here's what I mean. If you know you need 10 web servers at all
time, don't use on demand. Use reserved instances as your you know your capacity by him with
a commitment. If you need the server for three years, buy it for three years, it'll give
you like 40% off. If you've got batch workflow stuff to do, and it doesn't, it's not critical.
Use Spot Instances, they're really cheap. Use on mantra system for things that you're
not sure until you're sure. So we've got lots and lots of lots of cool stuff we can do here.
And I wanted to keep that for you there. You know your best is on average, going to be
a combination of on demand reserved spot. So purchase what you need and only what you
need. Remember, this is the cloud not the datacenter. So we can grow quickly, we don't
have to over buy. Now, when you use managed services and serverless, two things occur,
it generally gets a little cheaper. But you're also vendor locked in, you're like a prisoner
of the college your handcuffs are on you can't leave. So I don't use managed services whenever
possible. Because I don't like being locked into a vendor. I want to be able to negotiate
with two vendors of my customer and say, Guess what? Amazon and AWS, you know, AWS, you're
overcharging me, I'm going to make a press release to go to Azure. Oh, no, don't do that.
That's what AWS is, say you can insure this was press release, how about a 48% discount.
So when you have two clouds, you can negotiate against each other because the press release
to going another cloud can cause billions of dollars, but you're on AWS and you want
to leave your hands are tied, it's going to cost you a fortune. So according to the class,
use managed services and serverless use so with extreme care, because you may be locking
yourself in step five, you know, in the normal and network, you pay for the network, you
don't pay to use it, put on the cloud, you pay to use it. So figure out a way to manage
your inter regional transport costs, use CloudFront to serve content locally. Maybe replicate
your static s3 buckets across the region. So you're not constantly pulling data, you
know. And then think about your networking connections to the cloud. You know, if you're
using a little, the it's much cheaper, for example, to use a VPN, but if he hasn't a
lot of data, it might be cheaper to use a private line or a direct connection. Because
when you're dealing with AWS, they don't just pay you for the connections, they actually
pay to use them too. So you know, it's not like normal networking.
And what do I mean by that? So you understand: let's say I get a 10 gig link to Chris's house, over where he's at in Florida, to me. Let's say for this 10 Gig link I pay $5,000 a month. Now on this dedicated link, I can send 10 gigs 24 hours a day, seven days a week, and I don't pay any additional money. Now, when we go to AWS, I still get that same $10,000 connection from me to AWS. But something changes. Now AWS, in addition to my paying the 10 grand for the connection, charges me each day; they charge me for a port, maybe, have it there. And then AWS actually charges me to use my connection. So as you can see, when you're dealing with the cloud providers, you know, it can get really expensive really fast. So be careful with your networking. Now, one of the things that I like to tell my students is, whenever they're doing labs, create a budget. Here's what it is. You say, I'm willing to spend $15. When you get to a certain threshold, it'll send you a message that says, hey, you spent $10, do you want to continue? So I usually recommend using a budget when you're setting it up, for these reasons. So kind of keep that in the back of your mind. There's also an AWS service called Trusted Advisor. And basically, what is Trusted Advisor? It scans your infrastructure and makes recommendations. So here's the thing: automated anything is never good. So kind of keep that in mind. So now we're going to talk about building high availability architectures. And this is going to be an interesting conversation.
So when we talk about this high availability architecture system, which we're going to do, we're gonna have to get into that. So I'm gonna get into that next. So before we do that, are there any other questions before we get to this next topic? Because it's a big topic, so if there's any questions, great; if not,
I'm gonna remind you, please make sure you download the completely free AWS Certified book. Soothing relaxations. We are straightforward. Our 30% off applies to everything, every payment on a payment plan or a single payment plan, and everything we do. We are 100% straightforward, honest and ethical in what we do. If we say 30% off, it can't just be on a single payment; it must be all payments, because otherwise it wouldn't be fair to you. It wouldn't be a real 30% off; it wouldn't be ethical. And that's not us.

Great question. There's two things: it applies to all payments. What is my advice on cloud security versus cloud architects? Well, let me tell you, I don't think you can be a cloud architect without knowing security. So at least when I train my cloud architects, every one of my cloud architects has the security skills of a security architect. They have the networking skills of a junior network engineer or a network engineer, and they all have the cloud architect skills to be successful. When my students take the CISSP certification, which a lot of them do, they would be called security architects, which I have in my program; they call me up and they say, Mike, I was told by everybody the CISSP was a real exam. It's basic. And they say, oh my God, I learned more in your first two classes than in this entire CISSP curriculum. So the key is, security is critical to the architect, and we teach extreme security in all of our programs. Cloud security architect, cloud architect: one focuses on security, one focuses on end-to-end design. As an architect forever, security is so critical to me that I always focus on it. Pick which one you enjoy more. Either case, you're good. We get the next content: 30% off on all of our programs, payment plans, regular plans. You want to be a cloud architect and get your first cloud architect job? We have the Cloud Architect career development. Whether it be a cloud engineer, we've got the cloud engineer program. Want to be a leader, and take on a leadership role and move up into a senior role? We've got the tech career accelerator program. Want to master and get hired in an interview? We've got the tech interview mastery program, all 30% off. So join us.

Okay, so now we're gonna get into high availability. And this is where I have a lot of cognitive dissonance. Because when I tell you the ways that AWS recommends you build a high availability architecture, it makes me cringe inside, because I would never do it, because it's all really, really, really bad advice. So I'm going to tell you what you shouldn't do, and I'm going to tell you what to do to pass your exams. What should you do in real life? Never, ever place all your eggs in one basket. So if you're going to back up your data in a company, don't store your backups in the same building that you're in; in case the building gets a flood or burns down, you lose everything. Never design a network with a single service provider; nobody would do it for 30 years, you'd be crazy. So when we build networks and we have WAN connections, we always use two to three service providers. Because if a service provider goes down, we go down. Okay, keep that in the back of your mind. So the concept of designing a system on a single cloud, I'm going to tell you right now, is insane. I don't ever recommend you do it. I've told people forever not to do it. Azure says don't do it. Google says don't do it. And AWS is the only company in the world that says, here, you can place all your eggs in one basket, trust us, trust us, trust us. So if it matters to you, do multi-cloud or hybrid cloud, or hybrid cloud multi-cloud, not a single cloud. If you build your systems on a single cloud, you will pass the exam, but you're replaceable, thank you, when you get hacked. So again, I don't recommend this. So now we're going to talk about the AWS proprietary stuff in the AWS environment, etc., etc., etc. And then I'll give it to you. So we'll talk about high availability architectures. Somebody is asking me about the CCIE versus the AWS Certified Solution Architect Professional. Well, when I did my CCIE, and my number is 7417, back when it was a two-day exam, I read over 100,000 pages. The Certified Solution Architect Professional we can squish down into 450 pages, so it's not even two pages compared to what a CCIE is. So, up and running, that'll help you understand that this is nothing compared to a CCIE.
So, now going back to the tech here. Now that I've told you never to do a single cloud under any circumstances whatsoever, now I'm going to tell you the stuff you need to know for the exam. So, according to AWS, we'll talk about availability. Now, availability refers to the system being there when you need it. So we've got 99% availability, which is two nines; we have 99.9%, which is three nines; 99.99%, which is four nines. This is where the world starts to think about high availability; I don't consider this high availability yet. Then we get into five nines. Now, this is where I consider high availability. This means 99.999% of the time the systems are up and working. Now, most people, like I said, consider four nines or 99.99% to be good. But imagine you're a hospital: 99.99% of the time means 52 minutes of downtime per year. If your systems are down for 52 minutes in a hospital, somebody's going to die. So this is obviously not good. Now, how about a bank? How about a bank being down for an hour? Well, millions or billions of dollars can be lost in a bank in an hour if the systems go down at the wrong time. So what is high availability? It's different based upon the business. And if it really matters, use two clouds, or a data center and a cloud, or two clouds. But we're talking about the AWS recommended ways as part of their certification exam. So here, we're gonna do this. So when we talk about high availability, this is what I want you to understand: when we're dealing with 99% availability, this is three and a half days of downtime per year. When you're dealing with 99.9%, this is about the best you can hope for in your home internet connection, nine hours of downtime per year. Now when we start to build for higher availability, four nines gives you 52 minutes of downtime per year. Now I'm going to tell you, no cloud provider delivered four nines last year, not a single one, no matter how many availability zones or regions; none of the cloud providers were able to do this. Why? Because the single cloud is a single point of failure. Now, five nines availability is 99.999%, which is five minutes and 15 seconds of downtime per year; you've got to understand that. So when we're talking about critical systems and critical mobility, you shouldn't be using a single cloud.

So what goes into building a high performance, high availability system? Redundant power. Remember, AWS tried to tell us their global network outage was caused by a power failure? Well, here's the thing: in a real data center, for real, you've got two power companies, multiple transformers, multiple generators, multiple backup generators, and multiple backup batteries. So I've never seen a data center power outage in 25 years, except for AWS. Then, air conditioners: we need redundant air conditioners. Networking connections: we need lots of them. Routers: on routers, we not only need redundant routers; inside the routers, we need multiple control modules, multiple line cards, multiple power supplies. Same thing for our switches. Our servers plugged into multiple outlets. Load balancers, DNS redundancy, storage, redundant databases: everything, we need at least two of. One is none, two is one, and three is greater than two, so always more than one. Now, according to AWS, they have redundant power, even though they had a power outage; I'm sure they have redundant power, I don't know why they had an outage. AWS will maintain redundant cooling, of course they will, because if an air conditioner goes down, guess what? Oh, their systems go down. Now, AWS is going to have multiple redundant connections on their backbone. Realistically speaking, they probably have ten 100 Gig connections between every switch, and that's still not enough. They're gonna have redundant routers, redundant switches, line cards, power supplies. Now according to AWS, if you want a high availability system, 99.99%, spread your things across two data centers, otherwise known as multiple availability zones. And according to AWS, that'll get you the 99.99% availability. Now, mind you, AWS couldn't do it last year, Azure couldn't do it last year, and Google couldn't do it last year. So if you think you can do it on a single cloud, you can't. But you know, for your certification exam, to get the 99.99%, use two availability zones. Now, AWS will tell you that if you did two regions, with two availability zones per region, then you'd be at 99.999%, or five nines. Okay, that means five minutes and 15 seconds of downtime per year. Has AWS been able to deliver that? Of course they can't. And here's why. When you have a single cloud, you have a single network backbone, and if any part of that backbone goes, you lose the entire cloud. If the cloud provider gets hacked, which is probably far more likely than a power outage, the whole cloud can go down. Now, if something gets involved in the orchestration or the control plane of the cloud, the whole cloud goes down. So clearly, putting all your eggs in one basket is insanity, and I don't recommend it. But now, you know, for high availability in each of those clouds, according to the certification exam, multi-AZ gets you to 99.99%, or four nines; multi-region and multi availability zone gets you to five nines, 99.999%. Keep that in the back of your mind. So what else?
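As an added example (mine, not part of the bootcamp transcript or AWS material): the downtime figures quoted above, and the multi-AZ / multi-region reasoning, follow from simple availability arithmetic. The script below converts an availability percentage into downtime per year and composes redundant components; it also models the lecture's objection, redundant AZs sitting behind one shared backbone. The independence assumption and the sample backbone and AZ figures are mine for illustration, not published SLAs.

```python
"""Availability arithmetic for the "nines" discussed in the lecture.

Added example, not from the bootcamp. Converts an availability percentage
into downtime per year and composes the availability of redundant components
under the assumption that they fail independently.
"""
from typing import Iterable

MINUTES_PER_YEAR = 365 * 24 * 60  # 525,600 minutes in a non-leap year


def downtime_minutes_per_year(availability_pct: float) -> float:
    """Minutes of downtime per year implied by an availability percentage."""
    if not 0.0 <= availability_pct <= 100.0:
        raise ValueError("availability must be a percentage between 0 and 100")
    return MINUTES_PER_YEAR * (1.0 - availability_pct / 100.0)


def describe_downtime(availability_pct: float) -> str:
    """Human-readable downtime per year, e.g. '52.56 minutes' or '3.65 days'."""
    minutes = downtime_minutes_per_year(availability_pct)
    if minutes >= 24 * 60:
        return f"{minutes / (24 * 60):.2f} days"
    if minutes >= 60:
        return f"{minutes / 60:.2f} hours"
    return f"{minutes:.2f} minutes"


def parallel_availability(component_pcts: Iterable[float]) -> float:
    """Availability of redundant copies (two AZs, two regions, two firewalls):
    the system is down only when every copy is down at once.
    Assumes independent failures, which a shared backbone or control plane
    (the lecture's single-cloud concern) violates."""
    unavailable = 1.0
    for pct in component_pcts:
        unavailable *= 1.0 - pct / 100.0
    return 100.0 * (1.0 - unavailable)


def series_availability(component_pcts: Iterable[float]) -> float:
    """Availability of components that must all be up at the same time
    (one network backbone in front of every AZ): probabilities multiply,
    so the weakest shared component caps the whole system."""
    up = 1.0
    for pct in component_pcts:
        up *= pct / 100.0
    return 100.0 * up


def single_cloud_availability(backbone_pct: float, az_pcts: Iterable[float]) -> float:
    """Model of the lecture's point: redundant AZs behind one shared backbone.
    The AZs are in parallel with each other but in series with the backbone,
    so no number of AZs can push availability above the backbone's own."""
    return series_availability([backbone_pct, parallel_availability(az_pcts)])


if __name__ == "__main__":
    for pct in (99.0, 99.9, 99.99, 99.999):
        print(f"{pct:>7}% availability -> {describe_downtime(pct)} of downtime per year")
    # Constructed figures for illustration only, not published SLAs.
    print(f"two independent AZs at 99.9% each -> {parallel_availability([99.9, 99.9]):.4f}%")
    print(f"same two AZs behind a 99.95% backbone -> "
          f"{single_cloud_availability(99.95, [99.9, 99.9]):.4f}%")
```

Two independent 99.9% AZs compute to 99.9999% on paper, but put them behind a single 99.95% backbone and the result drops to just under 99.95%: the shared component, not the number of zones, sets the ceiling, which is the arithmetic behind the single-point-of-failure argument above.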
Well, you're going to build a high availability system in the cloud. What about your network connections? So you're not going to have an AT&T connection to AWS and another AT&T connection to AWS; that's insanity. You're going to have an AT&T direct connection and a Verizon direct connection, because they have to be across different service providers. Because otherwise, when AT&T has a problem, you'll be cut off if you use AT&T for both. So then the routers that connect to the cloud: guess what, multiple power modules. Why? Because when the power supply goes down, you know what, you're going down. Multiple brains, or control modules. Why? Because when one goes bad, you know what, your system is going down. And ideally, spread your connections across multiple line cards too, so if a card goes bad, you're fine. So realistically speaking, this is how you build high availability. So kind of keep that in the back of your mind. And we can talk about multi-cloud a little bit. So according to AWS, they would consider this to be a high availability connection. And this could work. You know, we've got lots of organizations that connect to the cloud via direct connection and use a VPN for backup; that can work for customers that don't have any critical systems. But more realistically, what I'm dealing with, I'm dealing with this: I'm going to need another direct connection, or multiple direct connections to go to one environment, and another direct connection that goes to another environment. And this is really what I'm going to use. And I'm going to use this to connect to AWS, and I'm going to use a similar solution, just like this, to connect to a second cloud for my customers, because I'll never do a single cloud, ever. Even when people ask me to do it, I'm like, well, I want to let you know, if you want me to do this, most likely you will be hacked, or you will go down, and when you're down, people will die. Are you sure you want me to do that? And because I deal with a lot of medical institutions and banks, once I tell them that, now they're like, no, thank you, Michael.

Now, want to know what goes into high availability security? Right, if you get hacked, are your systems up? Nope. So use the principle of least privilege. Use next generation firewalls, not cloud native servers. Disable unnecessary services. Use your intrusion detection and prevention system. Patch your systems with security updates. Limit the blast radius of problems using something called AWS Organizations. Keep unwanted traffic out of your subnet with an access list. Keep unwanted traffic out of your servers with security groups. Use a next generation firewall, use Shield for DDoS protection, IDS/IPS systems, physical security: make sure that nobody can plug into the devices that are connecting to your routers; lock the building. Heck, hire some Navy SEALs if you have to, to guard it; do whatever you need to based upon your security requirements. When you need a password, use a password, but make it a secure password. And guess what, you're good. And when you've got good known configurations, have your DevOps engineers template them in Terraform, so you can deploy them the right way every single time. Now, what about your data? Back it up, back it up, back it up. Now here's the option. If you back up your data in your same building, and the building gets a fire, you lose everything. So when it comes to backing up, here's what you should do: back up images of every server you have, back up all your data and your databases, and send it to a secure location. If you're all on the AWS cloud, send it to Google. Put it somewhere else, just so you've got a disaster recovery environment. Remember, one is none, two is one, and three is far greater than two. So add some auto scaling to your infrastructure. Why? If they get overloaded, guess what? If they're overloaded and we do this, we are in a great situation. So keep that in the back of your mind. So auto scaling, decoupling, etc. Use DNS instead of an IP address, because it's easier to use. Use load balancers; they're one of my favorite devices. Why do I love load balancers? Well, they improve performance and they decrease single points of failure. So load balancers are good. What else? Logging. Why are we going to log? Because the logs will tell us if something's gonna go wrong before it goes wrong. We're going to look for system alerts. We're going to look for security breaches. We're going to monitor performance and usage so we can be proactive. It goes back to that Air Force OODA loop: observe, orient, decide, act. That's what we're monitoring, logging, etc.
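To give the "keep unwanted traffic out of your servers with security groups" point above something concrete, here is an added example (mine, not the bootcamp's or AWS's code). It audits security-group inbound rules in the shape the EC2 describe-security-groups API returns them and flags anything open to the whole internet on ports other than 80 and 443. The two sample groups, their IDs and the allowed-port policy are constructed assumptions for illustration.

```python
"""Audit security-group inbound rules for world-open access.

Added example, not from the bootcamp. The rule shape mirrors the
'IpPermissions' entries returned by the EC2 describe-security-groups API;
the two sample groups and the policy (only 80/443 may be open to 0.0.0.0/0
or ::/0) are constructed assumptions for illustration.
"""
from typing import Any, Dict, List, Tuple

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
# Policy assumption: the only ports a public-facing server may expose to everyone.
PUBLIC_PORTS_ALLOWED = {80, 443}

# Constructed sample data in the EC2 API's shape (not real group IDs).
SAMPLE_GROUPS: List[Dict[str, Any]] = [
    {
        "GroupId": "sg-web-example",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
        ],
    },
    {
        "GroupId": "sg-db-example",
        "IpPermissions": [
            # Database port exposed to the whole IPv4 internet.
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": ANY_IPV4}], "Ipv6Ranges": []},
            # "-1" means every protocol and port; the API omits FromPort/ToPort.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_IPV6}]},
        ],
    },
]

Finding = Tuple[str, str, int, int]  # (group id, protocol, from port, to port)


def is_world_open(perm: Dict[str, Any]) -> bool:
    """True if the rule's source includes every IPv4 or every IPv6 address."""
    v4 = any(r.get("CidrIp") == ANY_IPV4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_IPV6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_world_open_violations(groups: List[Dict[str, Any]]) -> List[Finding]:
    """Return every world-open inbound rule that reaches a port outside policy."""
    findings: List[Finding] = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            if not is_world_open(perm):
                continue
            proto = perm.get("IpProtocol")
            if proto == "-1":
                findings.append((group["GroupId"], proto, 0, 65535))
                continue
            if proto not in ("tcp", "udp"):
                # ICMP and other protocols carry no port range the policy allows.
                findings.append((group["GroupId"], proto, -1, -1))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            allowed_inside = sum(1 for p in PUBLIC_PORTS_ALLOWED if lo <= p <= hi)
            # Violation if the range contains any port not on the allow list.
            if (hi - lo + 1) > allowed_inside:
                findings.append((group["GroupId"], proto, lo, hi))
    return findings


if __name__ == "__main__":
    for gid, proto, lo, hi in find_world_open_violations(SAMPLE_GROUPS):
        print(f"{gid}: {proto} {lo}-{hi} is reachable from the whole internet")
```

Fed live data, `boto3.client("ec2").describe_security_groups()["SecurityGroups"]` returns the same shape, so the function runs unchanged against an account. It complements the access-list point above: the network ACL guards the subnet edge, this check guards the instance edge, and a rule that passes both still only reaches the ports you have deliberately chosen to expose.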
Now here's the key: we're going to talk about change management. There is no high availability system that doesn't include change management. Here's what change management is. Let me see some of the people that are in the group. Okay? We got Martin, which is more like Marcin, and I always get his name wrong. He's an incredible guy over there in the Netherlands, super smart architect, wonderful person and technology professional. We're thrilled you're here, Marcin, and I'm sorry if I've got your name wrong, pronounced wrong. So if Marcin wants to make a change on the Go Cloud Careers system, and he's part of our family, he should send an email that says, hey, Go Cloud Careers people, guess what, I'm going to make this change. Does it affect you? And HR: no, good job. Does it affect you in finance? No, great job. Does it affect you here? No, great job. So keep that in the back of your mind. And that's what we're talking about as change management. So, you know, we're really going through things. So I'm going to talk about passing the exam for a minute, and then I'm going to go back and answer questions. So passing the exams, here's what I'm going to say. These exams are as follows. They are the most silly exams I've seen in my 25 years of certification. The questions can cover a wide variety of meaningless topics on and off of the AWS curriculum. The questions are not difficult, but understanding the way they're poorly written is a challenge. They're super wordy. There may not be a good real answer. There may be some answers on the way you do it in the data center versus the Cisco way, etc., etc. So my recommendation is as follows. Get a practice test, learn the way AWS asks questions, practice, practice tests. And when you're done with it, forget about the certification and focus on learning your career. Because this isn't too related to anything we do. But we still have to pass it, because we need the certification for the following: the certification gets us an interview. It won't get us hired, but it gets us an interview. But if we can get to the hiring manager, and then we build the skills and learn the skills to get hired, that's how you're getting hired. So we teach the skills to get hired around here. So keep that in the back of your mind. So the night before, get some sleep, read the book that goes along with this presentation, look at all the diagrams, read the AWS white papers and look at their services. Get a practice test, get a practice test, get a practice test. How many? Sharma, for review and prep, has some excellent practice tests. They are 15 to $20, not a big deal, and they're not super expensive. Andrew Brown of ExamPro has a completely free AWS Certified Solution Architect Associate course; he and I are friends. And sometimes his course is free. And I think for 20 bucks, it's got a great practice test. Take that with mine. His is all about passing the exams, and mine's a little bit more about how to actually work. So go take the exam, go pass the exam, and be solid, solid, solid, solid, solid; you'll be good to go. Now, on the day of the exam, get there early, in person or not; trust me, the tech won't work. You can run into ID problems. Don't forget your ID. So give yourself time, so you are relaxed and not stressed. So we have reached the point where I am going to answer some questions. We've had a fun, exciting week. If you've had some fun, if you can give me a like, a comment or subscribe, so we know that you're there. And now I will start answering people's questions. And I absolutely love answering questions. So let me know what kind of questions I can answer. Thank you, Marcin. And please hit the like button, show some appreciation for us working really hard. And why do I really care about it? So we can spread the word to others and other people can see it; we work hard to help the people in the developing world.

Zim can it: how do you keep tabs on all the services running in AWS when working with a client? Well, Zim, I don't, because I'm an architect, and I design the system. So I design that system. Once I'm done with the design, I never go back to it. So I don't have to keep track of all the systems running in the AWS environment, because I asked for it as part of the design. I baseline it with my cloud engineers, I design an architecture, I present it, I sell it, and I'm done. Now if I was working in a maintenance role like SysOps,
what will happen is there are actually really good network and systems management tools, not the best tools, but systems management tools. And they will monitor; like Zabbix is one, but there's other tools. They will monitor your systems in a data center, the cloud and three different clouds, and they're gonna be able to help you keep track of what's going on. But here's the thing, Zim can it: when I actually design an architecture, it usually includes a massive, not only diagram, but a document that's massive for the engineering team. The document, for the executive team, lists and explains everything that's running. So there's never a time as part of a good architecture where people don't know. But Zim can it, let me explain. There's basically three roles that we're dealing with: we're dealing with the architect that designs the system, the engineer that builds the system. And once the engineer is done building it, they're kind of done; it gets handed over to a maintenance team called SysOps, and that's a manager. So kind of keep that in the back of your mind. And that'll determine what you need to know based upon the tools you need for your job. Great question, Zim can it. Chris, if you want to bring in the next one. Marcin, I'm so good. I'm so happy and thankful if I got it right.

We even so to please: did you say 99.999% high availability is a result of two availability zones and two regions? Yeah, according to AWS, you can get high availability, 99.999%, by using two regions and using two availability zones in each region. Now, having said that, they didn't do it last year; they didn't get the four nines last year. Azure didn't get the four nines, and Google didn't get the four nines. And getting the five nines on a single cloud, I'm going to tell you, it's pretty much impossible. But you know, Amazon says they can do it by using two availability zones and two regions.
Chris: do you think there's a correlation between decoupling and auto scaling? I'm not sure; that's how I interpreted it. So if it's correlation between decoupling and auto scaling, there is none. I mean, decoupling is this: take two things and separate them. So have a sniper and a spotter, two people on the same team; have an architect and an engineer, two people on the same team; that's decoupling. Auto scaling is this: have your systems run, and all of a sudden they're very busy, so go add more of them. So they're kind of different. Now the only way you can relate these two is as follows. You could use something like an SQS queue, which is part of decoupling the organization, and the SQS queue could say, hey, wait, we've got a lot of messages, enable auto scaling. But you know, that's a use case of an SQS queue. It has nothing to do with decoupling and auto scaling. But it's really a great question there, Cecil.

Calpe Soni, as an architect, you know, you need to be really crisp and clean on documentation, as well as presentation, sales, all of it. And of course, we cover that in our cloud architect training program. We cover presentations and sales and documentation, RFIs, RFPs, RFQs, how to negotiate, how to present to the CEO, CSO, relevancy, you know, whether you're dealing with analytical leaders versus intuitive leaders like me versus functional leaders, whether you're dealing with auditory or kinesthetic, how to read the room. Yeah, all that stuff's in there, Calpe Soni. I mean, this is a $50,000 program that we basically charge $700 for. And we're only doing it because we're basically charging what it costs us to do it, and we're doing it to help the world get hired. See, I felt really bad. I sold a certification that was out there, and I knew none of those people were getting hired; I even interviewed 1000 AWS Certified people that couldn't get hired. And I knew why after speaking to them. So our cloud architect training program and our cloud engineer training program give the people the skills, all the skills they need, so they're gonna get hired at the end of the program and be good at their job. And of course, we cover it heavily, heavily, heavily.
That's exactly it: once the design is done, we work on somebody else's; we go to another customer. Exactly the job. Good news is, you get to meet lots and lots of executives along the way, which means you build a super Rolodex, if you ever want to be a CTO or CIO. Definitely. Drew, good question. So, Chris, you bring the next one. So, no, realistically speaking, as a cloud architect, all we're going to do is go design it, and we're going to have another team that's going to build it, and that's going to be an engineering team, in 99% of all cases. Now there are one or 2% of the cases where they try to have the architect build it, but let me tell you, that is a disaster waiting to happen. Because as soon as the architect gets involved in building, they lose all function of what's going on in the design: disastrous architecture. They have big outages and they get fired. So here's the thing, up and running: architects design and engineers build. Chris, go to the next one.

Mike, in the earlier slide putting security together, you showed network load balancers outside the firewall; why not put load balancers inside the firewall? So Brian, I'm going to ask you this. In a datacenter, we can have two firewalls in the rack, and it's all good. But in AWS, we can't add them. So when we go to the marketplace, we're getting a virtual machine. Now, the whole point of the load balancer, Brian, is if we've got two virtual firewalls and firewall one dies, if we don't have a load balancer, we lose all our security. So by using a load balancer, that must be outside the firewall, we can send it to firewall one, firewall two, or firewall three, and maybe we need the performance of more than one firewall. So it has to be out there, where we also need a second one for redundancy. But in any case, we can't send it to the firewall; we don't want to send it to a firewall that dies and then have it go to the load balancer. We have to use the load balancer to front end the virtual firewall. So if a firewall fails, when a load balancer runs its health check and it sees that the firewall failed, it redirects everything to the other firewall, so it must be on the outside. Now on the inside, a load balancer on the inside of the firewall: we're gonna have more load balancers. Like, we'll have a load balancer for the web servers, but that'll be inside. But in this case, it has to be outside. Okay, let's see if there's any more questions.
Actually, let me get to the one question, Zim can it; that's a very good question.

Okay, Zim can it. So the skills for a solution architect are network and data center knowledge, sales skills, documentation skills, presentation skills, ROI modeling skills, business acumen skills, leadership skills and sales skills. We cloud architects do not code. And if you learn coding, it's kind of like a doctor saying, hey, guess what? I learned yoga. Now I am a yoga instructor. I love yoga, and I can practice medicine, but nobody's gonna go to me for medicine because I said I know yoga. And you know, it's like a doctor saying, I'm a photographer. So when you are an architect and you learn scripting and programming, you take your focus off of architecture, and you learn someone else's career, which means when you're really good at someone else's career, you can't get hired for your career, you can't get paid in your career, you can't feel it in your career. Because if I want an airplane pilot, I hire an airplane pilot that's an expert pilot, not a programmer. And an architect doesn't touch technology, ever. They design it. So having hands-on technology skills makes you a worse architect. You need better digital transformation skills, better business acumen, better leadership, better skills. So you want to be an Olympic martial artist? Study martial arts; don't hang around and be a competitive swimmer; be a martial artist. Want to be a doctor? Go to medical school. Want to be a lawyer? Go to law school. But don't go to yoga instructor school to be a lawyer, and don't learn how to code if you want to be a system designer; learn system design. Now, if you want to be a cloud engineer, a cloud engineer does do coding. So if you want to be a cloud engineer, you've got to get great with the management console, the command line; you're gonna need to know Python, bash scripting, PowerShell scripting, Terraform, if you're an engineer. So, and that's what we teach for our engineers. So then, Zim can it, it's a matter of having the skills for your job, mastering your job and being the best in the world at your job. It does you, you know, no benefit to not learn the skills of your job and learn the skills for somebody else's job, because when you're focused on somebody else's job, you're not becoming good at your job; you're becoming good at somebody else's job, and there's no point to that.
So it'll just hurt your career. Okay, so I want you to think about this.
I practice medicine, so today I'm practicing medicine. I am the architect of my patient's
care. So a patient comes into my office and they say, I have chest pains. What do I do?
I say, you go to the ER, and I write admission orders. I say to the
ER: IV of normal saline, nitroglycerin titrated to a BP of 110 systolic, run three sets
of cardiac enzymes and a 12-lead EKG. I don't have to teach the nurses how
to do their job. They went to nursing school to learn how to do their job. So the doctor
makes the plan and the nurses carry it out. If I build an architecture and I tell my engineers,
I need this many load balancers, this much storage, this much security, they know how
to do it, because that's their job. So I don't know why this seems like a very challenging
concept for people to understand. But let's get out of technology. A building architect?
Would they do the same thing we do? As architects, they design a building. Now, does the building
architect need to tell the cement worker how to lay cement? Does the building architect
need to tell the landscaper how to plant grass? Does the building architect need to
teach the construction worker how to use a hammer? Of course they don't. Of course they
don't. So it's a totally different job. And no, we don't need to teach people how to do
their jobs. They design it. So you know, if you had an architect designing a building,
the architect designing the building might speak to some structural engineers and contractors
along the way, and say, if I design it this way, will it work? Can you build it? Will
it work? So there is that. And truth be told, when I design an architecture,
I do it in collaboration with the engineers. And here's the reason why: the engineers are
the deeply technical people of the bunch. So when I design an architecture, the
reason an architect needs to have such good leadership skills is the following. A bank
says, Mike, I want an architecture, and I design the architecture. Now then they say, Mike,
I want to test it with a proof of concept. Now I'm an architect. Architects don't know
how to touch anything. They don't know how to configure anything, they don't know how
to code anything. That's not what they do. Their skill is design; it's a very different
skill. Design is how it works; building is how to build. They're like opposite skills,
they couldn't be in the same universe. So, as architects, there's a proof of
concept, I'm gonna bring in 50 cloud engineers, I gotta manage them and lead them. They know
their job, I don't know their job, kind of like if I got a traffic ticket and I wanted
to go to a lawyer. I don't know what the lawyer is going to do. Because I'm not a lawyer,
I don't need to know what the lawyer is going to do. Because the lawyer is trained in this.
So there's a huge miscommunication in tech that assumes that we need to teach
people how to do their jobs. We hire the right people; we don't teach people how to do their
jobs at all. We hire the pros, but when we're dealing with architecture, it's always
going to be a collaboration. So that's really the key. I'm not going to go to a nurse and
say, here's how you do your job; they don't need direction. I'm not going to go to a lawyer
that's going to help me with a ticket and say, I'm going to teach you how to practice
law, even though I'm not a lawyer. And I'm not going to be an architect and try and tell
somebody how to do their job, because I don't know their job as well as them. I'm going to
collaborate with them in the design. I'm going to collaborate and ask them while I'm designing,
is this going to work? But that's it. No, I don't need to know how or what they
do. But you know what? When I stay in a hotel, the room magically gets cleaned. And I don't
know how they do it so well. I don't need to know how they do it so well. You know
what, if I go to a restaurant, I don't need to know how the chef made the meal, I just
need to know what I ordered. So in practicality, that's the key. If you've got a doctor and
a nurse collaborating on the patient's care, or an architect and an engineer collaborating
on the best design, it's all the same. I don't need to tell somebody how to do their job.
And if I think I'm going to tell them how to do their job, you know what's
gonna happen? I will be fired that day. And here's the reason why: people do not like to
be micromanaged. And cloud engineers are extremely educated, professional people with a great
skill. And if I sat over their shoulder trying to tell them how to do their job, which I
don't even know how to do because it's their job, the only thing that would happen is they'd
say, Mike, no, thank you. Now we've got to remember this: as an architect, when we
work with cloud engineers, and they help us do a proof of concept and designs, they don't
work for us, they work for their own engineering managers. So when I call a team of 50 cloud
engineers, I gotta not only do this, I gotta call my manager and all their managers and say,
hey, can I borrow your people? And then, since the people don't work for me, I gotta
encourage them to work. And let me tell you, if I try to tell someone how to do their job,
they won't be doing anything, anything, anything for me. So we don't ever need to give direction
to other people on how to do the job. The only time we give directions is if we hire a junior
person; we've got to train them. But we're never going to be telling people how to do
their jobs in other careers. And that's why we don't need to know other careers, and if
you're an expert at somebody else's career, you know what? You're not an expert
at your career. And that's why doctors don't go to law school. And that's why airplane
pilots don't become flight attendants.

Sean asked a great question: what does a security architect do compared to a solutions
architect? Well, Sean, very simple. As a solutions architect or a cloud architect, we ask
our customer about their business. We ask them about their business goals, their business
pain points, their business challenges. And then we design an end-to-end solution to solve
them. That's what we do as a cloud architect. Now, as a cloud architect, Sean, when I'm
designing an end-to-end solution, I'm just one person. And one person never designs an
architecture. So, Sean, I've got a big architecture; here's what I'm going to do. I'm going
to hire a cloud network architect, a cloud security architect, a cloud IAM architect,
three cloud engineers, two DevOps engineers, four network engineers, etc. And together,
the cloud architect will focus on the end-to-end and they will be the coordinator of
the smart people. The cloud security architect, or the security architect, is only focusing
on the firewalls, the security policy, the VPN design, the demilitarized zone, the access
control lists and filtering, what routes are filtered; they're only concerned about security,
where the architect is concerned about the end-to-end and the business. So you notice, I didn't
say IAM under security architect, Sean. The reason I didn't is there's another kind
of architect called an IAM architect that focuses exclusively on IAM systems like Active
Directory, etc. So when I do something, I build an architecture team; the architect
is the coordinator of everything. And we get together with security architects to design
our security, network architects to do our networking, big data architects to do our
big data, etc., etc. That's what we do. Great question.
Okay, so this is a great question for a data scientist. When you're dealing with life sciences,
do you use tools for predicting? Well, yeah, there are tools that you could use. But they're
the same tools you could use on and off of AWS. So typically speaking, for something
like this, we're typically dealing with an Ubuntu Linux system with a bunch of GPUs in
it that are using TensorFlow or PyTorch or something like that, that are machine learning
tools and libraries that people use. And I'm not a data scientist. So AWS also has certain
tools that you could use that are pre-made tools for doing these things as well. Now,
realistically speaking, if you're not going to create and code your own tools, and you
really wanted to do machine learning on the cloud, I'd encourage you to think about this.
Who is the world's greatest algorithm maker? Google. Who has the number one search engine
algorithm in the world? Google. Who owns the number two search engine algorithm in
the world? Google. So if I was going to do a machine learning thing, and I wasn't going
to code it myself, do it in my data center, I wanted to use pre-made libraries, I would
be using Google, because their whole business is algorithms. So yes, there are tools
you could use, but there'd probably be much better tools on Google.
Hey, Mike. Okay, so you have a certification as an architect and you
work in systems support; what things are necessary to acquire a Solution Architect position?
I'm going to tell you right now, and I can't go much longer, but I'm going to tell you
right now. So when you are an engineer, and you're working in support, and that's typically
an engineering role, the perception of you is that you're a techie, techie, techie. And
that, you know, that's it. So the thing that we have to do to be an architect is we have
to change your brand. We have to change you from a technical person to a leadership brand.
And that's the first thing, so we have to go through your resume and your certifications.
If you have too many certifications, because you've got too much techie-ness, we're gonna
have to remove the unnecessary certifications and get the right certifications in there. Now,
Colin, if you've got any of this engineering stuff out there that says worked in EBS,
S3, EC2, all this that shows you as a techie, and that needs to come off of your resume
instantly. Now, we can talk about setting up server virtualization, containers, designing
and building clouds, working with firewall architectures, designing DMZs, but we got to
get out of tech into the transformation. So when you're trying to be an architect, you're
a transformation specialist, not an engineer, not a technical professional. Those are other
wonderful jobs, but in this case you want to be seen as a business leader. So what has
to happen is, first, you have to go from learning how to do to learning how to design.
That's the technical change. The next thing is the brand: you will need a massive resume
makeover and a massive LinkedIn makeover. And Colin, we've done it for lots of our students
as part of our career development program; we'd love to do that and help you with it.
But those are really, really critical things for you to do. Next, you must
learn the business acumen. You need to be able to look at a balance sheet, a financial
statement; you need to be able to calculate a return on investment, a capital model; you
need to be able to show customers the value of the solution is greater than its cost.
You will need presentation skills, and they need to be expert, and you will need them for
the interviews; you need presentation skills training. You will need to be relevant to
the CEO versus the CTO versus the CIO versus the CFO, so you're gonna need CXO relevancy training.
Again, we train all of this. You're gonna need leadership training, because you're gonna
be leading a team of 50 really smart cloud engineers that don't work for you, and you've
got to make them motivated to work for you. Because let me tell you, as an architect, our strength
is how good we are with the engineers, because the engineers are the smartest people out
there. And they make our world, so we help them as engineers, and they work with me.
So kind of keep to that. So then presentation skills, and we have to teach you how to sell,
and selling a $100 million architecture is a different skill than selling a $50,000 car,
for example. So we have to teach those high-end sales skills. And then we need to teach
business writing. And after that, guess what? You will be golden. And if you'd like to train
with us, we teach all of that in our career development program. But if not, now you
know what you need to do, and you can get cloud hired as an architect. But all these
careers are great; it's a matter of matching the one for you. For those people that are really techies,
the cloud engineer job is the best job in the world. For people that like to talk
and meet people and get to know people and transform, the architect job is the best in the world.
But it's what makes you happy. That's all that really matters.
So at this point, and yes, I am actually fairly tired. It's
been a really, really, really long week. But I work hard to keep the energy up. And here's
the reason: I've been a student too. I know what it's like to learn. It is not easy learning
this stuff. And I want you all cloud hired. So I'll be sleeping half of the weekend with
my beautiful cat Cindy, she'll be on my chest, and I'll be sleeping within a few minutes.
But cloud hired, everybody. Let's get you cloud hired. Look, I love working with this
community. You guys are all amazing. Be proud of yourself for sitting together all week.
I mean, it's been a long week; you guys are special. I mean, truly amazing. So you know,
you are here for me and I'm here for you. So go out there and get yourself cloud hired.
Vote on the next boot camp, because guess what, you want to know Azure, Google, I don't
care. We'll teach you. We'll make sure you learn it for real. And you'll know how to
be hired. Cloud hired, I'm loving it. If you can all give me a hashtag cloud hired and a
hashtag either cloud architect, cloud engineer, cloud admin, cloud DevOps, whatever job you
love, please let me know, so we can make programs and content to get you the world's best job.
So thank you so much. Nina. Qur'an. Thank you so much. Kata nines. I love that. Thank
you. You're more than welcome. Nick, be cloud hired, cloud architect. Sharon J, thank you
so much. And yes, thank you for my team. Have a great weekend. Gilbert, cloud hired. Brian,
cloud hired. Mr. G, cloud hired. I love that. Martin, thank you much for this free great
boot camp. Thank you so much, Martin. Thanks, Chris. And Blue Crew. Thanks, GCA family.
If possible, use this opportunity to extend that 30% discount. Please take advantage of
that if you want to get hired. We really want to help you. Lm cloud cloud. I love it,
all these cloud architects and cloud hires, but maybe DevOps, whatever you like. Sam can Id
just be happy. Abigail Marx is in North Carolina and up and running. Good to see you up and
running. You're really techie. You're a smart guy. And I loved having you here at Cloud
Nine. Cloud architect with Faza, thanks, as always, I'm thrilled you're here. And yes,
thanks, Blue Crew. Thank you so much there, and we can't wait to meet you, Calvin, in class.
Leo, cloud hired, and Brian, cloud hired, in Philadelphia where I know my old stomping
grounds. Gilbert, wonderful thing. Yeah. Danica Kado, love, and so many people so far. AJ. Oh,
wow. So good to see you. Robert. So good to see a class. Good to see you. Cloud architects,
soothing relaxations, and Robert over there in the desert, good seeing you. If you
see Isaac, my wife's favorite IAM architect, please tell him I said hello, Robert. Ah,
lovely weekend. I'll say hi to Cindy. Absolutely. Cindy is beautiful. Do we have any photos of
Cindy? Jonathan Crow, cloud hired everybody. Love motivation, absolutely love it. So,
have a wonderful weekend, everyone. Can't wait to see you on Monday; I'll be here to answer any
cloud career questions you want, from two to four. Like I said, we have 30% off right
now; take advantage of it. We've got a companion ebook that goes along with this. So please
get it. Happy Passover. Happy Easter. Happy Good Friday. Love spending the week with you
all. You're all amazing. You inspire me every day with your effort and your will and your
goals to go do some great things, and I'm here to help you. So get yourselves cloud hired.
Take care and have a great week.