Start with this:

  • How to scale RDS?

Vertical scaling – Increase the instance size
Horizontal Scaling – Add read replicas

  • What’s the difference between security groups and NACL?

Security Group:
  Operates at the instance level (first layer of defense)
  Supports allow rules only
  Is stateful: return traffic is automatically allowed, regardless of any rules
  We evaluate all rules before deciding whether to allow traffic
  Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on

Network ACL:
  Operates at the subnet level (second layer of defense)
  Supports allow rules and deny rules
  Is stateless: return traffic must be explicitly allowed by rules
  We process rules in number order when deciding whether to allow traffic
  Automatically applies to all instances in the subnets it’s associated with (backup layer of defense, so you don’t have to rely on someone specifying the security group)
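The stateful/stateless and rule-ordering differences above are easiest to see by simulating both decisions on the same packets. The following is an added example written for these notes, not AWS code: it models a bastion-style rule set (SSH from a hypothetical corporate range, using the documentation prefix 203.0.113.0/24) and shows why a NACL needs an outbound allow for ephemeral reply ports while a security group does not, and why a lower-numbered NACL allow shadows a higher-numbered deny.

```python
"""Simulate how a security group (stateful, allow rules only, every rule
considered) and a network ACL (stateless, numbered allow/deny rules, first
match wins) decide the same traffic. Constructed example, not AWS code."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CORP_NET = "203.0.113.0/24"      # hypothetical corporate range (TEST-NET-3, reserved for docs)
EPHEMERAL = (1024, 65535)        # client-side reply ports a stateless NACL must allow


@dataclass(frozen=True)
class Packet:
    remote_ip: str   # the other end: source for inbound, destination for outbound
    port: int        # destination port of this packet
    proto: str = "tcp"


@dataclass(frozen=True)
class SgRule:        # security groups carry allow rules only
    proto: str
    port_from: int
    port_to: int
    cidr: str


@dataclass(frozen=True)
class NaclRule:      # NACL rules are numbered and can allow or deny
    number: int
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"


def _matches(rule, pkt: Packet) -> bool:
    return (rule.proto in ("all", pkt.proto)
            and rule.port_from <= pkt.port <= rule.port_to
            and ip_address(pkt.remote_ip) in ip_network(rule.cidr))


def sg_allows(rules: list[SgRule], pkt: Packet, reply_to_tracked_flow: bool = False) -> bool:
    """Stateful: a reply to a tracked flow passes regardless of the rules;
    otherwise any one matching allow rule is enough (rules are not ordered)."""
    if reply_to_tracked_flow:
        return True
    return any(_matches(r, pkt) for r in rules)


def nacl_allows(rules: list[NaclRule], pkt: Packet) -> bool:
    """Stateless: rules are checked in ascending number order, the first
    match decides, and no match falls through to the implicit deny ('*')."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt):
            return r.action == "allow"
    return False


# Constructed bastion-style rule sets: SSH (22/tcp) from the corporate range only.
SG_INBOUND = [SgRule("tcp", 22, 22, CORP_NET)]
NACL_INBOUND = [NaclRule(100, "tcp", 22, 22, CORP_NET, "allow")]
# An outbound NACL that forgets the reply ports, and the corrected one.
NACL_OUTBOUND_BROKEN = [NaclRule(100, "tcp", 22, 22, CORP_NET, "allow")]
NACL_OUTBOUND_FIXED = [NaclRule(100, "tcp", *EPHEMERAL, CORP_NET, "allow")]


def ssh_session_works(nacl_outbound: list[NaclRule]) -> bool:
    """An SSH handshake needs the SYN in to port 22 and the SYN-ACK back out
    to the client's ephemeral port; a NACL checks both directions separately."""
    syn_in = Packet("203.0.113.10", 22)
    syn_ack_out = Packet("203.0.113.10", 40000)   # client chose ephemeral port 40000
    return nacl_allows(NACL_INBOUND, syn_in) and nacl_allows(nacl_outbound, syn_ack_out)


def rule_order_matters() -> bool:
    """A lower-numbered allow shadows a higher-numbered deny for the same traffic."""
    rules = [NaclRule(200, "tcp", 22, 22, "198.51.100.0/24", "deny"),
             NaclRule(100, "tcp", 22, 22, "0.0.0.0/0", "allow")]
    return nacl_allows(rules, Packet("198.51.100.7", 22))
```

The practical consequence for a defender: a NACL deny for a bad range must carry a lower number than any broad allow, and every NACL that allows an inbound service needs a matching outbound allow for the ephemeral port range, or the service silently fails. The security group needs neither because it tracks the flow.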

  • Tell us about well-architected architecture?

Serverless Micro Services or ECS/EC2 Standard…

The AWS Well-Architected Framework includes strategies to help you compare your workload against AWS best practices and obtain guidance to produce stable and efficient systems, so you can focus on functional requirements. Its pillars include:

Performance Efficiency
Cost Optimization
Operational Excellence

  • Difference between public and private subnets?

The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can’t. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet.

  • What is an IAM role?
    An IAM role is an IAM entity that defines a set of permissions for making AWS service requests. IAM roles are not associated with a specific user or group. Instead, trusted entities assume roles, such as IAM users, applications, or AWS services such as EC2.
  • What problems do IAM roles solve?
    IAM roles allow you to delegate access with defined permissions to trusted entities without having to share long-term access keys. You can use IAM roles to delegate access to IAM users managed within your account, to IAM users under a different AWS account, or to an AWS service such as EC2.
  • What is the difference between a Group and a Role?

We group users, and apply roles, i.e. what they can do.

  • What is an AWS policy?

A policy document that contains permissions to add to the specified users or groups. AWS Identity and Access Management (IAM) requires that policies be in JSON format. However, for templates formatted in YAML, you can create an IAM policy in either JSON or YAML format.

  • What’s the difference between Managed & Inline policy?

Using IAM, you apply permissions to IAM users, groups, and roles (which we refer to as principal entities) by creating policies. You can create two types of IAM (identity-based) policies:

  • Managed policies – Standalone policies that you can attach to multiple users, groups, and roles in your AWS account. Managed policies apply only to identities (users, groups, and roles) – not resources. You can use two types of managed policies:
    • AWS managed policies – Managed policies that are created and managed by AWS. If you are new to using policies, we recommend that you start by using AWS managed policies.
    • Customer managed policies – Managed policies that you create and manage in your AWS account. Using customer managed policies, you have more precise control over your policies than when using AWS managed policies.
  • Inline policies – Policies that you create and manage, and that are embedded directly into a single user, group, or role. Resource-based policies are another form of inline policy. Resource-based policies are not discussed here. For more information about resource-based policies, see Identity-Based (IAM) Permissions and Resource-Based Permissions.
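To make the JSON policy document and the managed/inline distinction concrete, here is an added example (written for these notes, not AWS's own evaluation engine): a minimal evaluator that applies the core identity-based decision order, explicit Deny wins, then any Allow, otherwise implicit deny, to a reusable read-only managed policy plus an inline policy embedded in one role. The bucket name and ARNs are constructed; Condition, NotAction, NotResource and resource-based policies are deliberately out of scope.

```python
"""Minimal evaluator for identity-based IAM policy documents (JSON):
an explicit Deny in any attached policy wins, otherwise any Allow grants,
otherwise the request is implicitly denied. Managed and inline policies
attached to the same principal are evaluated together. Constructed example;
Condition, NotAction, NotResource and resource-based policies are not handled."""
from __future__ import annotations
import json
from fnmatch import fnmatchcase


def _as_list(value) -> list:
    # IAM allows a single string (or a single statement object) where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value)


def _glob(pattern: str, value: str, case_insensitive: bool) -> bool:
    # IAM wildcards are '*' and '?'; action names are case-insensitive, ARNs are not.
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatchcase(value, pattern)


def _statement_matches(stmt: dict, action: str, resource: str) -> bool:
    return (any(_glob(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_glob(r, resource, False) for r in _as_list(stmt.get("Resource", []))))


def is_allowed(policy_docs: list[str], action: str, resource: str) -> bool:
    """policy_docs: the JSON policy documents attached to one principal."""
    allowed = False
    for doc in policy_docs:
        for stmt in _as_list(json.loads(doc)["Statement"]):
            if not _statement_matches(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return False            # explicit deny always wins
            allowed = True
    return allowed                       # no matching statement: implicit deny


# Constructed policies. A read-only managed policy, reusable across identities ...
READ_ONLY_MANAGED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]}]})

# ... and an inline policy embedded in one role to carve out a secret prefix.
DENY_SECRETS_INLINE = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Deny",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/secrets/*"}})

ROLE_POLICIES = [READ_ONLY_MANAGED, DENY_SECRETS_INLINE]
```

The design point: the managed policy can be attached to many roles unchanged, while the inline Deny lives and dies with the single role it is embedded in; because Deny is evaluated across all attached documents, the carve-out holds no matter how broad the managed Allow is.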

Application Load Balancer (Layer 7)

Application Load Balancer is best suited for load balancing of HTTP and HTTPS traffic and provides advanced request routing targeted at the delivery of modern application architectures, including microservices and containers.

Network Load Balancer (Layer 4)

Network Load Balancer is best suited for load balancing of TCP traffic where extreme performance is required. Operating at the connection level (Layer 4), Network Load Balancer routes traffic to targets within Amazon Virtual Private Cloud (Amazon VPC) and is capable of handling millions of requests per second while maintaining ultra-low latencies. Network Load Balancer is also optimized to handle sudden and volatile traffic patterns.

Classic Load Balancer (Layer 5)

Classic Load Balancer provides basic load balancing across multiple Amazon EC2 instances and operates at both the request level and connection level. Classic Load Balancer is intended for applications that were built within the EC2-Classic network.

Comparison of Elastic Load Balancing Products

You can select the appropriate load balancer based on your application needs. If you need flexible application management, we recommend that you use an Application Load Balancer. If extreme performance and static IP is needed for your application, we recommend that you use a Network Load Balancer. If you have an existing application that was built within the EC2-Classic network, then you should use a Classic Load Balancer.

Feature comparison (Application Load Balancer / Network Load Balancer / Classic Load Balancer):

Platforms: VPC / VPC / EC2-Classic, VPC
Health checks
CloudWatch metrics
Zonal fail-over
Connection draining (deregistration delay)
Load Balancing to multiple ports on the same instance
IP addresses as targets
Load balancer deletion protection
Path-Based Routing
Host-Based Routing
Native HTTP/2
Configurable idle connection timeout
Cross-zone load balancing
SSL offloading
Server Name Indication (SNI)
Sticky sessions
Back-end server encryption
Static IP
Elastic IP address
Preserve Source IP address

What is a VPC?

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

  • Can a VPC of any size be created?

IPv4 and IPv6 Characteristics and Restrictions

IPv4:
  The format is 32-bit, 4 groups of 4 numerical digits.
  Default and required for all VPCs; cannot be removed.
  The VPC CIDR block size can be from /16 to /28.
  The subnet CIDR block size can be from /16 to /28.
  You can choose the private IPv4 CIDR block for your VPC.
  There is a distinction between private and public IP addresses. To enable communication with the Internet, a public IPv4 address is mapped to the primary private IPv4 address through network address translation (NAT).

IPv6:
  The format is 128-bit, 8 groups of 4 hexadecimal digits.
  Opt-in only.
  The VPC CIDR block size is fixed at /56.
  The subnet CIDR block size is fixed at /64.
  We choose the IPv6 CIDR block for your VPC from Amazon’s pool of IPv6 addresses. You cannot select your own range.
  No distinction between public and private IP addresses. IPv6 addresses are public.

What is an Internet gateway AWS?

Internet Gateways. An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.
  • What is NAT in AWS?
NAT Instances. You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.
  • What is a NAT gateway?
NAT Gateways. You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the Internet from initiating a connection with those instances.
  • What is route table in AWS?
Route Tables. A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet.
  • What is a CIDR block?
Classless inter-domain routing (CIDR) is a set of Internet protocol (IP) standards that is used to create unique identifiers for networks and individual devices. The IP addresses allow particular information packets to be sent to specific computers. … That system is known as CIDR notation.
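The VPC sizing limits, the route-table question, and the public/private subnet distinction all come down to CIDR arithmetic. Below is an added example for these notes (not AWS code) that checks an IPv4 VPC or subnet CIDR against the /16 to /28 range given above, confirms a subnet lies inside its VPC, counts the usable addresses after AWS's five reserved ones, and performs longest-prefix-match lookup on a public route table (default route to an Internet gateway) and a private one (default route to a NAT gateway). The 10.0.0.0/16 block and the igw-EXAMPLE / nat-EXAMPLE target ids are constructed placeholders.

```python
"""CIDR checks for VPC and subnet sizing, plus longest-prefix-match route
lookup for a public and a private subnet. Constructed example using the
IPv4 limits on the page (/16 to /28); not AWS code."""
from __future__ import annotations
from ipaddress import IPv4Network, ip_address, ip_network

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # /16 is the largest block, /28 the smallest
RESERVED_PER_SUBNET = 5                   # AWS reserves the first four and the last address


def valid_vpc_cidr(cidr: str) -> bool:
    """An IPv4 VPC CIDR must be a proper network between /16 and /28."""
    try:
        net = ip_network(cidr)    # strict: rejects host bits set, e.g. 10.0.0.1/16
    except ValueError:
        return False
    return isinstance(net, IPv4Network) and VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def valid_subnet_cidr(vpc_cidr: str, subnet_cidr: str) -> bool:
    """A subnet must itself be /16../28 and lie entirely inside the VPC block."""
    if not (valid_vpc_cidr(vpc_cidr) and valid_vpc_cidr(subnet_cidr)):
        return False
    return ip_network(subnet_cidr).subnet_of(ip_network(vpc_cidr))


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an instance can actually take in the subnet."""
    return ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def lookup_route(route_table: dict[str, str], dst: str) -> str:
    """The most specific (longest prefix) matching route wins; the 'local'
    route covers the VPC itself. No match means the packet is dropped."""
    best_len, best_target = -1, "no-route"
    for cidr, target in route_table.items():
        net = ip_network(cidr)
        if ip_address(dst) in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, target
    return best_target


# Constructed route tables; target ids are placeholders, not real resources.
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}   # public subnet
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-EXAMPLE"}  # private subnet
```

What makes a subnet "public" is exactly the 0.0.0.0/0 route to the Internet gateway; the private table sends the same default traffic to the NAT gateway in the public subnet, so instances there can reach out but nothing on the Internet can route to them directly.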
  • What is a bastion host?

A bastion host is a computer that is fully exposed to attack. The system is on the public side of the DMZ, unprotected by a firewall or filtering router. Frequently the roles of these systems are critical to the network security system.

Access to the bastion host is ideally restricted to a specific IP range, typically from your organization’s corporate network. The benefit of using a bastion host in this regard is that access to any of the internal hosts is isolated to one means of access: through either a single bastion host or a group. For further isolation, the bastion host generally resides in a separate VPC.

  • What is Amazon CloudWatch?

Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, and set alarms. Amazon CloudWatch can monitor AWS resources such as Amazon EC2 instances, Amazon DynamoDB tables, and Amazon RDS DB instances, as well as custom metrics generated by your applications and services, and any log files your applications generate. You can use Amazon CloudWatch to gain system-wide visibility into resource utilization, application performance, and operational health. You can use these insights to react and keep your application running smoothly.

  • What is AWS CloudTrail?
AWS CloudTrail is a web service that records activity made on your account and delivers log files to your Amazon S3 bucket.

  • What are the benefits of CloudTrail?

CloudTrail provides visibility into user activity by recording actions taken on your account. CloudTrail records important information about each action, including who made the request, the services used, the actions performed, and parameters for the action, and the response elements returned by the AWS service. This information helps you to track changes made to your AWS resources and to troubleshoot operational issues. CloudTrail makes it easier to ensure compliance with internal policies and regulatory standards. For more details, refer to the AWS compliance white paper “Security at scale: Logging in AWS”.
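The "who, which service, which action, which parameters" fields CloudTrail records are what detection logic runs over. As an added example for these notes (not AWS code), the script below reads a CloudTrail-style delivery file (a JSON object with a "Records" list) and flags two things a defender watches for: any activity by the root account, and a security group ingress rule opened to 0.0.0.0/0 or ::/0. The three records, the account id 111122223333 and the sg-EXAMPLE group id are constructed for the example.

```python
"""Scan CloudTrail records (JSON, as delivered to S3 in a {"Records": [...]}
file) and flag root account use and security group ingress opened to the
whole Internet. The records below are constructed for this example."""
from __future__ import annotations
import json

SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "awsRegion": "us-east-1",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "203.0.113.5", "requestParameters": {"userName": "temp-admin"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice",
                      "userName": "alice"},
     "sourceIPAddress": "203.0.113.6",
     "requestParameters": {"groupId": "sg-EXAMPLE", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-01-01T10:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/bob",
                      "userName": "bob"},
     "sourceIPAddress": "203.0.113.7", "requestParameters": None},
]})

ANYWHERE = ("0.0.0.0/0", "::/0")


def who(rec: dict) -> str:
    return rec.get("userIdentity", {}).get("arn", "unknown")


def open_ingress_ports(rec: dict) -> list[tuple[str, int, int]]:
    """Return (protocol, fromPort, toPort) for ingress rules opened to the world."""
    if rec.get("eventName") != "AuthorizeSecurityGroupIngress":
        return []
    params = rec.get("requestParameters") or {}
    found = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        ranges = [r.get("cidrIp") for r in perm.get("ipRanges", {}).get("items", [])]
        ranges += [r.get("cidrIpv6") for r in perm.get("ipv6Ranges", {}).get("items", [])]
        if any(c in ANYWHERE for c in ranges):
            found.append((perm.get("ipProtocol"), perm.get("fromPort"), perm.get("toPort")))
    return found


def findings(trail_json: str) -> list[dict]:
    """One finding per matched rule, carrying the who/what/when/where fields."""
    out = []
    for rec in json.loads(trail_json)["Records"]:
        base = {"time": rec["eventTime"], "who": who(rec),
                "source_ip": rec.get("sourceIPAddress"), "event": rec["eventName"]}
        if rec.get("userIdentity", {}).get("type") == "Root":
            out.append({**base, "rule": "root-account-activity"})
        for proto, lo, hi in open_ingress_ports(rec):
            out.append({**base, "rule": "sg-open-to-world", "detail": f"{proto} {lo}-{hi}"})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_TRAIL):
        print(f)
```

Both rules rely only on fields CloudTrail always populates (userIdentity, eventName, requestParameters), which is why the trail is the right place to catch them; the same structure extends to other high-value events such as policy changes or trail deletion.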

  • EC2 & AutoScaling?
  • What is a VPC End point?

A VPC endpoint enables you to create a private connection between your VPC and another AWS service without requiring access over the Internet, through a NAT device, a VPN connection, or AWS Direct Connect. Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and AWS services without imposing availability risks or bandwidth constraints on your network traffic.

Important – Currently, AWS only supports connections with Amazon S3 and DynamoDB.