TeachToJava: AWS cloud concepts

Here’s a concise summary of AWS Cloud Architecture concepts from an interview point of view—tailored for technical roles like Cloud Architect, DevOps Engineer, or Backend Developer:

✅ 1. Core AWS Services to Know

Category	Key AWS Services	Purpose
Compute	EC2, Lambda, ECS, EKS, App Runner	Run applications
Storage	S3, EBS, EFS, FSx	Object/block/file storage
Database	RDS, Aurora, DynamoDB, Redshift	Relational and NoSQL
Networking	VPC, ALB/NLB, Route 53, API Gateway	Private network, DNS, Load Balancing
IAM & Security	IAM, KMS, Secrets Manager, Cognito	Identity, secrets, encryption
Monitoring	CloudWatch, CloudTrail, X-Ray	Logs, metrics, auditing
Messaging	SQS, SNS, EventBridge, Kinesis	Messaging/event streaming

✅ 2. Design Principles

Be ready to discuss and apply:

Principle	Example
Scalability	Use Auto Scaling, Lambda for on-demand scaling
Fault Tolerance	Multi-AZ RDS, ELB, Route 53 failover
Security	Least privilege with IAM, VPC isolation
Cost Optimization	Use S3 for storage, Spot Instances for batch jobs
Automation	Use CloudFormation or Terraform for IaC

✅ 3. Architecture Patterns

Explain how you design using:

🟦 Microservices

Containerized with ECS/EKS
Decoupled via API Gateway + Lambda or REST APIs
Communication via EventBridge/SQS

🟦 Serverless

Lambda for compute
API Gateway + Lambda + DynamoDB
S3 for storage, SNS for notifications

🟦 3-Tier Architecture

Web Layer: S3 + CloudFront
App Layer: ECS/EC2/Lambda
DB Layer: RDS/Aurora

✅ 4. Security Best Practices

Use IAM roles not long-lived credentials
Store secrets in Secrets Manager/SSM
Use VPC, NACLs, and Security Groups
Enable encryption at rest (S3, RDS) and in transit (TLS)

✅ 5. High Availability & Resilience

Use Multi-AZ for RDS, ECS
Use Auto Scaling Groups for EC2
Design for failure (e.g., fallback logic)

✅ 6. Cost Awareness

Monitor via AWS Cost Explorer
Use S3 Lifecycle policies and Intelligent-Tiering
Right-size EC2 instances and leverage Spot Instances

✅ 7. CI/CD and DevOps

Use CodePipeline, CodeBuild, CodeDeploy
Automate deployments with CloudFormation or Terraform
Store configs/secrets securely using SSM Parameter Store

✅ 1. How would you design a high-availability web app on AWS?

🔹 Architecture:

Frontend: Host static assets (HTML/CSS/JS) in Amazon S3, served via CloudFront for global distribution.
Backend: Use Amazon ECS (Fargate) or Auto Scaling Group with EC2 in Multi-AZ for fault tolerance.
Load Balancer: Use Application Load Balancer (ALB) across multiple Availability Zones (AZs).
Database: Use Amazon RDS (Multi-AZ) or Aurora for high availability and automated failover.
Storage: Store user uploads or logs in S3.
DNS: Use Amazon Route 53 with health checks and failover routing.

🔹 Key Concepts:

Redundant resources across AZs
Auto scaling and self-healing
Health checks and monitoring (CloudWatch)
Database backups & replication

✅ 2. How do you secure a Lambda function that accesses S3 and RDS?

🔹 IAM-Based Access Control:

Assign a dedicated IAM role to the Lambda function with:
- s3:GetObject, s3:PutObject permissions for specific S3 bucket
- RDS access via Secrets Manager (for DB credentials)

🔹 Secure Environment:

Use VPC: Place Lambda in a private subnet to connect to RDS in VPC.
Restrict outbound internet via NAT Gateway, if needed.

🔹 Secrets Handling:

Store DB credentials in AWS Secrets Manager or SSM Parameter Store with encryption.
Grant the Lambda role access to decrypt secrets.

🔹 Encryption:

Enable S3 bucket encryption (SSE).
Use SSL for RDS connections.

✅ 3. How do you handle blue-green deployment on ECS?

🔹 Blue-Green Strategy with ECS (Fargate or EC2):

Use AWS CodeDeploy with ECS and Application Load Balancer (ALB).
Register both blue (current) and green (new) task sets under the same service.
CodeDeploy shifts traffic from blue to green in a controlled manner.

🔹 Steps:

Green version is deployed alongside blue.
Health checks validate the green version.
If healthy, traffic is rerouted via ALB listener rules.
If failure occurs, rollback to blue.

🔹 Tools:

CodePipeline + CodeDeploy for automation
CloudWatch alarms for rollback triggers

✅ 4. What's your approach for a multi-region architecture?

🔹 Goals:

Global availability
Regional failover
Lower latency for users

🔹 Strategy:

Frontend: Use CloudFront to serve static content from edge locations.
Backend: Deploy app stacks in multiple AWS regions (e.g., us-east-1 and eu-west-1).
Database:
- Read Replicas in other regions (for RDS)
- Or use Amazon Aurora Global Database
- Or DynamoDB Global Tables for NoSQL
DNS Routing: Use Route 53 latency-based routing or failover routing.
Data Sync:
- Use S3 Cross-Region Replication
- EventBridge + Lambda for syncing data/events

🔹 Considerations:

Handle data consistency
Use infrastructure as code (CloudFormation/Terraform) across regions
Monitor each region with CloudWatch dashboards

✅ General AWS Architecture

1. What is the difference between scalability and elasticity in AWS?

Scalability means the ability to handle increasing workload by adding resources (either vertical or horizontal).
Elasticity means the automatic provisioning and de-provisioning of resources based on current demand (e.g., AWS Lambda auto-scales per invocation).

2. How do you design for fault tolerance in AWS?

Use multi-AZ deployments (RDS, ALB, EC2 ASG).
Replicate data (e.g., S3 replication, cross-region).
Use Auto Scaling for redundancy.
Implement health checks, retries, and graceful failover (e.g., Route 53 failover routing).

3. Explain the Well-Architected Framework's 5 pillars.

Operational Excellence – Monitor, automate, and evolve procedures.
Security – Apply least privilege, enable traceability, encrypt data.
Reliability – Recover quickly from failures, test recovery.
Performance Efficiency – Use the right resource types and scaling strategies.
Cost Optimization – Avoid overprovisioning, use spot instances, monitor usage.

4. What is a VPC and why is it important?

A Virtual Private Cloud (VPC) is an isolated network within AWS.
It lets you control networking (IP ranges, subnets, route tables), security (NACLs, security groups), and connectivity (VPN, Direct Connect).
Essential for securing and segmenting your AWS environment.

5. How do you secure a web application on AWS end to end?

Use HTTPS with ACM.
Place app behind WAF and ALB.
Authenticate with Cognito or OAuth.
Encrypt data using KMS and S3/RDS encryption.
Apply IAM with least privilege, restrict S3 access, and use private subnets for backend resources.

✅ VPC & Networking

6. What's the difference between Security Groups and NACLs?

Security Groups: Stateful, instance-level firewall.
NACLs: Stateless, subnet-level firewall.
Use security groups for primary control; NACLs for coarse subnet rules.

7. How do you connect your on-premise data center to AWS?

VPN Connection: Encrypted IPsec tunnel over the internet.
AWS Direct Connect: Dedicated high-speed line for low-latency, secure data transfer.

✅ Compute

8. Difference between EC2, ECS, EKS, and Lambda?

Service	Description
EC2	Virtual servers you manage
ECS	AWS container orchestration
EKS	Managed Kubernetes
Lambda	Serverless function execution without managing servers

9. When would you choose Lambda over ECS or EC2?

Choose Lambda for event-driven, stateless, short-lived functions (like API triggers).
Choose ECS/EC2 for long-running apps, custom networking, or stateful services.

10. How do you handle session state in a stateless EC2 or Lambda setup?

Use ElastiCache (Redis), DynamoDB, or S3 to store session state.
Never store session state on the compute instance itself.

✅ Storage & Database

11. When would you use DynamoDB over RDS?

Use DynamoDB when you need:
- High throughput and low latency
- NoSQL schema flexibility
- Serverless scaling
Use RDS for complex relationships, joins, and strong ACID transactions.

12. How do you design a backup strategy for databases in AWS?

Enable automated backups and snapshots in RDS.
Use Point-In-Time Recovery (PITR) for DynamoDB.
Schedule cross-region backups using AWS Backup or Lambda automation.

✅ Security

13. What is the principle of least privilege in IAM?

Users and services should only get the minimum permissions needed to perform their job.
Prevents lateral movement and security breaches.

14. What are resource-based vs identity-based policies?

Identity-based: Attached to IAM users, roles, or groups.
Resource-based: Attached directly to resources (e.g., S3 bucket policy, Lambda function policy).

✅ Automation & DevOps

15. How do you automate deployments in AWS?

Use:
- CloudFormation or Terraform for infrastructure as code.
- CodePipeline, CodeBuild, CodeDeploy for CI/CD.
- GitHub Actions, Jenkins, or GitLab CI can also integrate with AWS.

16. How do you troubleshoot a failing Lambda function in production?

Check CloudWatch Logs for stack traces.
Use AWS X-Ray for distributed tracing.
Validate IAM permissions and environment variables.
Check timeout, memory limits, or input payload issues.

✅ High Availability & Disaster Recovery

17. How would you implement DR (Disaster Recovery) for an RDS database?

Use:
- Multi-AZ for automatic failover.
- Snapshots for backup/restore.
- Cross-region read replicas for regional disaster recovery.

18. What are different Route 53 routing policies?

Simple: Single IP or record.
Weighted: Distribute traffic by percentage.
Latency-based: Route to region with lowest latency.
Failover: Active-passive setup.
Geolocation: Based on user’s location.
Multivalue: Return multiple records for load balancing.

19. What is an active-active vs active-passive multi-region architecture?

Active-active: All regions serve traffic simultaneously; requires data sync.
Active-passive: One region serves all traffic; another is on standby for failover.

✅ ECS / Deployment

20. How do you handle blue-green deployment on ECS?

Use AWS CodeDeploy with ECS and ALB:
1. Deploy new version (green) alongside old (blue).
2. Register new tasks in ALB target group.
3. Shift traffic after health checks.
4. Roll back if issues arise.

Friday, August 1, 2025

AWS cloud concepts