Amazon AWS Certified Solutions Architect - Associate SAA-C02 Practice Test Questions and Answers, Amazon AWS Certified Solutions Architect - Associate SAA-C02 Exam Dumps - PrepAway
EC2 Storage - EBS & EFS
6. EBS Operation: Volume Encryption
Alright, finally, let's talk about the last operation: how do you encrypt an EBS volume? When you create an encrypted EBS volume, right away you get the following: data at rest is encrypted inside the volume. All the data in flight between the instance and the volume is encrypted. All the snapshots will be encrypted. And all volumes created from the snapshots are encrypted. So there's encryption all over the place.
And the encryption and decryption mechanisms are handled transparently for you, so you have nothing to do. It's all handled by EC2 and EBS behind the scenes. So encryption overall is something you should use because it has a very minimal impact on latency, almost nothing, and it leverages keys from KMS. So AES-256 is something that you should know. And when you copy an unencrypted snapshot, you can enable encryption. So let's talk about a very important thing: how do you encrypt unencrypted EBS volumes? To encrypt an unencrypted EBS volume, which is a very tough thing to say, you create an EBS snapshot of the volume. Then you encrypt the EBS snapshot using the copy function. Then you create a new EBS volume from the snapshot, and that volume will also be encrypted. And now you can attach the encrypted volume to the original instance. So let's go take a look at how we do this in the console.
So, if we look at our volumes, this is the one we created previously. The encrypted flag says it is not encrypted. So this volume is not encrypted. And maybe we wanted to encrypt it. So we right-click, and we create a snapshot. But we've already done that. So we go to the snapshots, and here is our snapshot. Our snapshot, as we can see, is not encrypted. Because we took a snapshot of a non-encrypted EBS volume, we get a non-encrypted snapshot. Now, if I right-click on it and want to create a volume from it, as you can see, the volume will also not be encrypted. So it's not what we want. So, as I said in the lecture, what I need to do is right-click and copy. By copying the snapshot, I can click here and encrypt the snapshot. I can put any region I want, but I can stay within the same region, which I will do, and I will say, "Okay, encrypt the snapshot using the default AWS EBS master key." Copy. And here we go. Now the snapshot is being copied. And if I refresh now, we can see that we have a copied snapshot right here. So the snapshot has been created.
Now, if we look at the bottom right of the snapshot, it says encrypted. And then we get some KMS information about how it's been encrypted, which is quite neat. So let me just wait for the encrypted copy to happen. And now that it's completed, I right-click and create a volume from it. And here we go. Now the encryption setting says encrypted. And so if we were to create a volume of 5GB, and maybe eu-west-1b just to keep the same AZ, click on "create volume," and go to that volume now in the EBS Volumes view. So I'll just wait a little bit. Here we go. Here it is. Now we can see that this new volume in eu-west-1b is immediately available and encrypted for us. So this is pretty cool. This is the method for encrypting EBS volumes. I know it's very manual, so you could automate this if you wanted to, but it's super important for you to see it once. Okay. I hope you enjoyed it. I will see you at the next lecture.
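The lecture notes that the console procedure could be automated. The script below is an added example, not part of the original course: it performs the snapshot, encrypted copy and new-volume steps with the AWS CLI and deletes the intermediate unencrypted snapshot, which the console walkthrough leaves behind. The function name, argument order and volume IDs are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the lecture): the console steps as one function.
# Assumes AWS CLI v2 with credentials allowed to snapshot, copy and create volumes.

# encrypt_ebs_volume REGION VOLUME_ID [KMS_KEY_ID]
# Prints the ID of an encrypted volume holding the same data, in the same AZ.
# Without KMS_KEY_ID the account's default EBS key is used, as in the lecture.
encrypt_ebs_volume() {
    local region vol kms info encrypted az snap enc_snap new_vol
    region="$1"; vol="$2"; kms="${3:-}"

    # Read the source volume's Encrypted flag and availability zone.
    info="$(aws ec2 describe-volumes --region "$region" --volume-ids "$vol" \
        --query 'Volumes[0].[Encrypted,AvailabilityZone]' --output text)" || return 1
    # Text output is "False<TAB>eu-west-1b"; split it on whitespace.
    set -- $info
    encrypted="$1"; az="$2"
    if [ "$encrypted" = "True" ]; then
        echo "$vol"          # already encrypted, nothing to do
        return 0
    fi

    # Step 1: snapshot the unencrypted volume (this snapshot is unencrypted too).
    snap="$(aws ec2 create-snapshot --region "$region" --volume-id "$vol" \
        --description "temporary pre-encryption snapshot of $vol" \
        --query SnapshotId --output text)" || return 1
    aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$snap" || return 1

    # Step 2: copy the snapshot with encryption enabled.
    set -- --region "$region" --source-region "$region" \
           --source-snapshot-id "$snap" --encrypted
    if [ -n "$kms" ]; then set -- "$@" --kms-key-id "$kms"; fi
    enc_snap="$(aws ec2 copy-snapshot "$@" --query SnapshotId --output text)" || return 1
    aws ec2 wait snapshot-completed --region "$region" --snapshot-ids "$enc_snap" || return 1

    # The intermediate snapshot still holds the data unencrypted; remove it.
    aws ec2 delete-snapshot --region "$region" --snapshot-id "$snap" >/dev/null || return 1

    # Step 3: create the new volume from the encrypted snapshot, in the same AZ.
    new_vol="$(aws ec2 create-volume --region "$region" --snapshot-id "$enc_snap" \
        --availability-zone "$az" --query VolumeId --output text)" || return 1
    aws ec2 wait volume-available --region "$region" --volume-ids "$new_vol" || return 1

    # Confirm the result before anyone attaches it.
    encrypted="$(aws ec2 describe-volumes --region "$region" --volume-ids "$new_vol" \
        --query 'Volumes[0].Encrypted' --output text)" || return 1
    if [ "$encrypted" != "True" ]; then
        echo "volume $new_vol is not encrypted" >&2
        return 1
    fi
    echo "$new_vol"
}

# Step 4 (attaching the new volume to the original instance) is left to the
# operator, because the old volume has to be detached first.
# Run as: bash encrypt-volume.sh REGION VOLUME_ID [KMS_KEY_ID]
if [ "$#" -ge 2 ]; then
    encrypt_ebs_volume "$@"
fi
```

The old unencrypted volume is not touched by this script; delete it once the encrypted volume is attached and verified.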
7. EBS vs Instance Store
So let's talk about the difference between an EBS volume and an instance store. Basically, some instances do not come with root EBS volumes. They just come with something called an "instance store." And instance store is equivalent to ephemeral storage. So what's the difference between instance store and EBS volumes? Well, an instance store is something that is physically attached to your hardware, whereas EBS is a network drive.
And so imagine the big racks inside Amazon's data centers: some of these machines, some of these EC2 instances we get, will have a physically attached disk, and that will be an instance store. And the idea is, why would we even use this? Well, because there is no network, you're going to get better I/O performance. It's a good fit if you want scratch space, a buffer, a cache, or a place to store temporary content. And if you wanted to, for example, reboot your instance, that's fine. The data will survive your reboot. But why would you not use an instance store? Well, on stop or termination, your entire instance store data is lost. So it's not very good. Furthermore, unlike EBS volumes, you cannot resize the instance store on the fly. And if there are any backups you need to do, you can't just right-click on backup. You need to do this yourself. So instance stores do have a big use case for caching or whatever, but they're not for every kind of use case.
So if in an exam they ask you, "Should we use an EBS volume or an instance store?", consider whether you are okay with losing your data or whether your data is ephemeral. If not, why not use EBS? I just want to reiterate what I already told you, but it's very important that I make sure you understand this perfectly. So the instance store is a physical disk attached to the physical server where your EC2 instance is. And it has very high IOPS because it's physically attached. Okay? EBS volumes are network-based, so there is networking between your instances and the volumes, and therefore limited IOPS. But with the EC2 instance store, it's really, really high IOPS. Here's the example from the documentation. If you consider, for example, an i3.8xlarge, we're talking about 7200 write IOPS and 11651 (6.55 million) read IOPS. So this is huge. And obviously, you can go even higher, to 2 million, 3 million IOPS on the reads, and 4 million on the writes. So when you're in the exam and you think about having high IOPS, maybe hundreds of thousands of IOPS, you have to think local EC2 instance store. EBS cannot achieve such IOPS for you.
Okay? They're limited to 640 IOPS, and that's for io1. However, the disks can hold up to 7.5 terabytes. That can change over time. So maybe as AWS adds more instances, they will be bigger, and they can be striped to reach all the way to 30 terabytes. That number can change over time. But once you set up a disk in the local instance store, it cannot change its size. It's also block storage, so you can have a file system on it just like EBS. So, from your perspective, it's still a file system. It's still just a disk. OK. The difference is that it's a physical disk, not a network disk.
And so, as I said, it cannot be increased in size. Once you provision your local EC2 instance store, you cannot resize it over time or add new ones, whereas for EBS, you could change its size over time. And finally, I've told you this already, but I'll say it again: there's a risk of data loss if your hardware fails. That is, if you stop your instance and lose it, you will have lost the physical disk attached to it as well as your data. So make sure you don't store very sensitive data on your instance store as long as it's not replicated, okay? Make sure that if you use an instance store, you're going to replicate your data across other instance stores in other instances to have some kind of redundancy, OK? So if I wanted to go ahead and launch an instance from there, I'd choose Amazon Linux 2.
I'll select this, and in terms of the instance type, I will choose something that has an instance store. So, as we can see, for example, c5d.large will have an instance store. So I will click on this. Click on "Configure Instance Details." Click on "Add Storage." And as you can see now, we have a root volume right here, which is still an EBS volume, but the volume type we have here is called ephemeral0. So it's an instance store. It's going to be named ephemeral, and we have a 50-gigabyte instance store that we can use. And the really cool thing is that it will have high performance for this 50 GB. So we could place some cache data, for example, there. So this is what I want to show you. I'm not going to go ahead and create that instance because it's pointless and I'll waste money on it. However, to create an instance-store-backed EC2 instance, you must select one of the instance types that support it. So I hope you liked it, I hope you enjoyed it, and I will see you in the next lecture.
8. EBS RAID configurations
Okay, here are a few more things you should know about EBS. So EBS has the RAID option, and RAID is traditionally used with disks in your own data center. But EBS is a bit special because it already has some sort of redundant storage. It's already been replicated in your AZ. But if you wanted to increase your IOPS to, say, 1000 IOPS, how would you do that? Or what if you wanted to mirror your EBS volumes because you didn't trust Amazon to make your storage redundant? What if you wanted to mount volumes in parallel using RAID settings? That's something you can do. And RAID is possible as long as your operating system supports it. So that means Linux or Windows, and you have many RAID options out there. There's RAID 0 and RAID 1, and these are the ones that they will ask you about at the exam. But there's also RAID 5, which is not recommended for EBS (see the documentation for why), and RAID 6, which is also not recommended for EBS. RAID 10 as well. But we're not talking about it. So in this lecture, we're just going to focus on an introduction to RAID 0 and RAID 1 for EBS.
Okay? So what is RAID 0? You need to know about it. It is a way to increase performance. So if you need to make a mind map, zero means performance. We have our EC2 instance, and it has one logical volume. But that volume is a bit special because it is backed by two or more EBS volumes. So we have EBS volumes one and two in this example. As a result, when you make a write, it will either go to EBS volume one or EBS volume two. So when you write data, for example blocks A, B, C, D, as you can see, they are distributed between the two volumes. You combine these two volumes into a single logical RAID 0 stripe, and the result is the sum of the disk space and the I/O. So if your EBS volume one is 50 GB and your EBS volume two is 50 GB, you get 100 GB. The idea, though, is that if one of these disks fails, you lose all your data; your whole logical volume is gone. So when you have this, you increase performance, but you are also risking more. You are increasing your chances of having faults. Use cases for this would be an application that requires a high number of IOPS but does not require fault tolerance.
Or maybe a database that already has replication built in can leverage a bit of fault tolerance as well. So using this mechanism, we can have a disk with a lot of IOPS. We can go all the way to 1000 IOPS if you want by using ten volumes with 100 IOPS each. So here's an example: if you have two final gigabytes of Amazon EBS io1 volume and each of them has 4000 provisioned IOPS, that will create a 1000 GB RAID 0 array with an available bandwidth of 80 IOPS and 1000 megabytes of throughput. And so that's the cool thing here. We get to see how things work, and we get to see that, yes, if we do have two EBS volumes in RAID 0 mode, then you're going to sum up the size, the disk space, and the I/O. Now, similarly, there's RAID 1, and this one is to increase fault tolerance. So remember: 0 for performance and 1 for fault tolerance.
And so the diagram is kind of similar. We have an EC2 instance, and it has one logical volume exposed to it. But this time we have EBS volumes one and two, and we are going to write to both at the same time. So any time we write block A on volume one, it will also go to volume two. The same thing happens for B and C, and so on. So your EC2 instance will be writing to both volumes at the same time. And so this is RAID 1, and it's called mirroring. You mirror a volume to another, so volume one and volume two have the exact same data. The idea is that if one of these volumes fails, our logical volume is still working because we have a copy of the data somewhere else. So we have to send the data to two EBS volumes at a time. That means that we have to use two times the network throughput. This is something to really keep in mind, because if you use RAID 1, you're going to need an EC2 instance that has more network throughput to handle the writes to two EBS volumes at a time. Use cases for this will be an application that needs to increase volume fault tolerance and you don't trust AWS, or an application where you need to service disks.
So for example, if you have 250 gigabytes of Amazon EBS io1 volumes with 4000 provisioned IOPS each, that will create just one 5000 GB RAID 1 array, and it will have the exact same IOPS, 4000 IOPS, and will have 500 megabytes of throughput. So the only thing that you've added here is fault tolerance. You haven't added any performance to it. So you must remember these two numbers, zero and one. And it's not something you can do in the AWS console; you have to do it on the operating system, on Linux or Windows. So we have to go through some configuration. Now in the documentation, there is a way to do it, and you can just walk through it on your own for practice. But for the SysOps exam, they don't expect you to know how to do it. They just expect you to know that you can use EBS volumes in a RAID 0 or RAID 1 setting, and how they work. So I hope you enjoyed it, I hope you liked it, and I will see you in the next lecture.
9. EFS Overview
Okay, so now let's talk about EFS. EFS is a service you need to know at a high level going into the exam, but it is very interesting from an architectural standpoint and has a really amazing set of features, so what is EFS? It stands for Elastic File System, and it is a managed NFS, or network file system, that can be mounted on many different instances across many different availability zones.
As previously stated, it works with multi-AZ, which is a significant difference between EFS and EBS. EBS was locked into a single availability zone, whereas EFS is going to be mountable across multiple availability zones, and as such, it's highly available, scalable, but also extremely expensive. It's about three times the cost of a gp2 drive, but you only pay for what you use. So if you don't store that much data, it will be cheaper to use EFS than EBS, based on how well you manage your data sets and the size of your EFS drive. So here's your EFS, and this is a network file system, and you attach a security group to it to manage incoming connections, and you have different EC2 instances across multiple AZs. So us-east-1a, us-east-1b, and us-east-1c will all be mounting the same NFS and the same EFS onto their file systems, and they will all access the same files.
Okay? So EBS was something that was linked to one EC2 instance at a time, and so the data was not shared between multiple EC2 instances, but in this case with EFS, it's a network file system, and as such all the instances have access to the same files on your EFS drive. So use cases for this are content management, web serving, data sharing, or a WordPress website. Now you need to know it uses the standard NFSv4.1 protocol, so it is a standard way to mount a network drive, and to control access to the EFS file system, you need to use security groups. So this is network security. EFS will only work with Linux-based AMIs, not Windows. So this is something that's extremely important: Windows instances cannot mount an EFS onto their file system.
To encrypt the EFS at rest, you can use KMS keys, and again, as I said, EFS is going to be used only for POSIX file systems. So basically, Linux has a standard file API, and the file system will scale automatically; there is no capacity planning, so that makes it a very easy offering to use. Now, let's talk about some configurations that you have for EFS and what's important to understand going into the exam. The first one is around scale. EFS is designed to support thousands of concurrent NFS clients on thousands of EC2 instances mounting the same NFS drive at the same time, and it is also massively scalable. We're talking about throughputs of 10GB or more per second.
The way AWS advertises EFS is that it can grow to be a petabyte-scale network file system automatically. So it is truly significant. Next, in terms of performance mode, you have two ways of setting it, and you set it at creation time. We have General Purpose, which is the default, for latency-sensitive use cases. So we have a web server or CMS, et cetera. This is going to be the default one for EFS, but there is also Max I/O. And this is going to give you more throughput. It's going to be more highly parallel, but it's going to have a higher latency. As a result, if you have a large data workload in media processing, this is an excellent choice. So big files, huge files, can be accessed with a bit more latency. So you need to be able to choose between General Purpose, usually for anything web-related, and Max I/O, which can be anything processing-related. And then, extremely important: you have to remember that there are different storage tiers for EFS.
You have a lifecycle management feature that enables you to move files from one tier to another after a set number of days. So the standard storage tier is for frequently accessed files. Files are going to be frequently requested from the file system, and they're going to remain in this standard storage tier. But in case you have some files that are infrequently accessed, you have the infrequent access storage tier on EFS, called EFS-IA, and it can come up in the exam. And the idea is that because the files will be accessed less frequently, it will cost less to store them. However, if you do need to retrieve these files for any reason, you will be charged a retrieval fee, a small fee. Okay? And so again, you need to remember that maybe some files are going to be better off in the standard storage tier and some files will be better off in the infrequent access storage tier. And that's it for EFS. I hope you like this, and I will see you in the next lecture.
10. EFS Hands On
So let's go and create our first EFS network file system. So let's type EFS, and we are in the EFS console. So let's create a file system, and as we can see, we have a very simple dialog, and you can click on Create and it will just go ahead and create it, but we want to go through the options, so we'll click on Customize to look at all the options for our elastic file system.
So the name is optional, so we'll leave it empty. We can enable automated backups to just have a backup of our network file system, which is nice. And we have a lifecycle management tab. So here we can use something called the EFS Infrequent Access storage class, and the idea is to say, "Okay, if a file has not been accessed in 30 days, it looks like it's a file that is infrequently accessed, therefore move it to the EFS Infrequent Access storage class in order to save some cost." And that makes sense.
So you can say seven days, 14 days, or 30, 60, or 90 days. OK, so we'll just leave it as a default of 30 days. Then we get different performance modes. So we have General Purpose and Max I/O. General Purpose, as the name indicates, is ideal for latency-sensitive use cases such as web serving environments and content management systems. So if you have a WordPress, for example, this would be a great use case, and Max I/O scales to a higher level of aggregate throughput and operations per second with a bit more latency.
This is better for a big data or file processing type of use case. So we'll just leave it at General Purpose for now. The throughput mode can be "bursting," which means that the throughput will scale with the file system size, allowing for short bursts, or "provisioned," which means that the throughput will be fixed for your EFS file system. Perhaps because you are aware that you have a small EFS file system but require high throughput. Then you can provision however many megabytes per second you want, up to 1024 MiB/s. We'll just leave it as is as well. We can enable encryption at rest for our EFS file system and scroll down. Now let's click on "next." Very important now are the network access settings. So we are operating in our VPC, and we can mount across multiple different availability zones. EFS is a network file system, and we can have it across different AZs, as I will demonstrate to you in a second. And so for each AZ, you should define a security group. And so right now, I'm going to go ahead and create the security group we need.
So let's go into the EC2 console, and I will go into the Security Groups tab on the left-hand side and create a security group. I'll call this one my EFS demo, and for now there are no inbound rules, so I will go ahead and create the security group. Okay, so the EFS security group is made. So now we'll use my EFS demo in this dialogue. I'll delete all of these security groups and select my EFS demo, for which I'll most likely have to refresh this page. So let me do this right now. I'll refresh this page, very quickly scroll down, click on next, and here we go. So I'll use my EFS demo as the security group for each different attachment point right now. So my EFS demo for each of them, including the last one. Good. In a second, we'll see how that security group affects things. Then I will click on "next." File system policy is optional, and this is out of scope. So I will just go ahead and skip this. And finally, we can review everything, so we can review and create. Everything looks good here. We have encryption, we are in our VPC, we have IA enabled, we have three availability zones that are going to work with our EFS file system, and they all have the same security group that we just created.
And I will just go ahead and click on "Create." So now my file system is being created, and while it is doing so, I can go ahead and create two simple instances that will access that EFS file system. So, as you can see, the file system is created, and if we look at the size, we can see that we're using 6. We'll only pay in EFS for what we're using. So we're using 6GB. So this is what we're going to pay for. And we can also get some information about the size in EFS Infrequent Access, so how many files have been moved into that much lower price tier in EFS. Okay, so everything looks good right here. Now let's go ahead and create our EC2 instances. So I'll select the Amazon Linux 2 AMI and click "launch an instance." I switched to t2.micro to stay in the free tier. And then I will choose one instance and launch it in EU West 2B, for example, as my first AZ. If you scroll down, you can see that there is a file system option, and you can add your EFS file system here, but we'll not do that.
I want to show you how it's mounted. So don't click here; we'll click on "Add storage." We can keep the storage as is and add tags later. This is fine. I'll go ahead and create a new security group for my instance, and I'll call it EC2 to EFS because this is my EC2 instance that's going to access my EFS network file system. We'll allow SSH, then review and launch, and yes, with this key pair, launch my instance. So now this instance is launching, and I'm going to launch a similar one, but in a different availability zone. So I right-click, "Launch more like this," and then I'll edit the instance details and change the availability zone from EUWest to A. Review and launch, launch, and launch again. So, here we go. Now, we have two instances that have been launched in two different availability zones. So this one and that one. And we want them to be able to access our EFS network file system. So I'm going to SSH into each of these instances.
So this first one is right here. I'm going to launch my SSH command. So ssh with my .pem key, and ec2-user at my IP. I'm in my first host, and I'm going to launch a similar command using this IP for my second EC2 instance. So here we go: ec2-user at the IP. OK, so I've done SSH into both instances, and they're in two different availability zones. Next, I need to install EFS on these instances. So the easiest way is to go back to the EFS console, and on the top right, there is Attach. And this gives you some information about how you can attach EFS to your instances. So, as you can see, we can mount via DNS or mount via IP. We'll use mount via DNS, and we'll use the EFS mount helper. To use this thing, we have to go into the user guide in the documentation and install a small package onto our EC2 instances called the Amazon EFS utilities package. So, on Amazon Linux 2, we click on installing the amazon-efs-utils package. And as you can see, we can scroll down and run this sudo yum install command. So let's go ahead and run this yum install command on both my instances. And this is going to install the necessary packages to use this EFS mount helper. Okay, so this was very quick. Now we return to EFS.
We need to create the EFS directory. Doing so is extremely simple. We're going to run mkdir efs. So now, if we look into both of our instances, they both have an efs folder. Next, I'm going to run this command right here to mount the EFS drive using TLS. So there will be in-flight encryption, and I will mount it into this efs directory. So let me copy this command right here and paste it. Press Enter. And as you can see, there is a timeout because we need to modify the security group settings. So let's get this command started. And I'm going to go into my EC2 console, and we need to modify one security group. So, if we recall correctly, we attached this security group to our EFS network file system: my EFS demo. And currently my EFS demo, in terms of inbound rules, does not allow anything. What needs to happen is that my EFS demo allows inbound traffic from EC2 to EFS. So very simply, let's edit the inbound rules, add a rule, and we'll look for NFS, and the source of it is going to be the EC2 to EFS security group. And so we allow EC2 instances into EFS, we save this rule, and now that this rule has been added, we should be able to go back to the instance, try this command again, and then it should succeed. And it has succeeded.
I can apply the very same command in here on the right-hand side, and it has succeeded as well. OK, good. So what did happen? Well, let's go into the efs directory. So I just changed directories into the efs directory, and currently we can see there are no files. But what if I create a helloworld.txt file here? Because I lack sufficient permission, I will run sudo touch helloworld.txt. That should do it. Now, if I look into the files, I have a helloworld.txt file here, and if I look now on the right-hand side and list the files in efs, we can see the same helloworld.txt file has been created. So, if I run sudo nano helloworld.txt, I simply edit and say hello world from the first instance and save the file. So, if we look at the content of this file, helloworld.txt, we can see that it says hello world from the first instance. If we look at the content of the same file on the right-hand side instance, we can see that it also contains hello world from the first instance. As a result, the file system mounted on the left and right sides is the same. It is a shared network file system, and that is the whole power of EFS.
And that's it. It's very simple. So when you're done with this, you can go ahead and delete the EFS file system, obviously, and you could go ahead and terminate these two EC2 instances if you needed to. So you click on these two instances, "action," and then "terminate," and you'll be good to go. So that's it for me. I hope you liked it, and I will see you in the next lecture.
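The mount timeout in the hands-on came from the EFS security group having no inbound NFS rule for the instances' security group. The script below is an added example, not part of the original course: it adds that rule idempotently with the AWS CLI, refuses to proceed if NFS is already open to 0.0.0.0/0, and wraps the TLS mount from the lecture. Function names, security group IDs and the file system ID are placeholders assumed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the lecture). Assumes AWS CLI v2; all IDs are placeholders.

# efs_allow_clients REGION EFS_SG CLIENT_SG
# Makes sure EFS_SG accepts NFS (tcp/2049) from members of CLIENT_SG.
# Prints "present" if the rule already existed, "added" if it was created.
# Returns 2 without changing anything if NFS is open to 0.0.0.0/0.
# Only rules scoped exactly to port 2049 are inspected.
efs_allow_clients() {
    local region efs_sg client_sg cidrs allowed item
    region="$1"; efs_sg="$2"; client_sg="$3"

    # CIDR sources on the NFS port: a world-open rule defeats the purpose
    # of restricting access to one security group.
    cidrs="$(aws ec2 describe-security-groups --region "$region" --group-ids "$efs_sg" \
        --query 'SecurityGroups[0].IpPermissions[?FromPort==`2049`].IpRanges[].CidrIp' \
        --output text)" || return 1
    for item in $cidrs; do
        if [ "$item" = "0.0.0.0/0" ]; then
            echo "NFS on $efs_sg is open to 0.0.0.0/0; remove that rule first" >&2
            return 2
        fi
    done

    # Security groups already allowed on the NFS port.
    allowed="$(aws ec2 describe-security-groups --region "$region" --group-ids "$efs_sg" \
        --query 'SecurityGroups[0].IpPermissions[?FromPort==`2049`].UserIdGroupPairs[].GroupId' \
        --output text)" || return 1
    for item in $allowed; do
        if [ "$item" = "$client_sg" ]; then
            echo "present"
            return 0
        fi
    done

    # The rule the lecture adds in the console: type NFS, source = client group.
    aws ec2 authorize-security-group-ingress --region "$region" --group-id "$efs_sg" \
        --protocol tcp --port 2049 --source-group "$client_sg" >/dev/null || return 1
    echo "added"
}

# efs_mount_tls FS_ID DIR
# The mount from the lecture, with encryption in flight. Run on the instance;
# needs the mount helper: sudo yum install -y amazon-efs-utils
efs_mount_tls() {
    sudo mkdir -p "$2" && sudo mount -t efs -o tls "$1":/ "$2"
}

# Run as: bash efs-access.sh REGION EFS_SG CLIENT_SG
if [ "$#" -eq 3 ]; then
    efs_allow_clients "$@"
fi
```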