Notes on: Linux Academy: AWS CSAA: 11) Advanced DNS, CSN and Failover Networking

Just a place to put some notes on the “AWS Certified Solutions Architect - Associate (New!)” course from https://linuxacademy.com

Things to Know


Route 53 Essentials:

- Route 53 is a domain management service (DNS hosting solution) provided by AWS
- Key features include:
+ Domain Registration
-- Register domain names
+ Domain Name System (DNS) service
-- Translates friendly domain names into IP addresses
-- Amazon Route 53 responds to DNS queries using a global network of authoritative DNS servers, which reduces latency
+ Health Checking
-- Amazon Route 53 sends automated requests over the internet to your application to verify that it’s reachable, available, and functional

- Route 53 can manage external DNS for domain routing (routing to the proper AWS resources such as a CloudFront distribution, ELB, EC2 instance, or RDS server)
- Route 53 is commonly used with an ELB to direct traffic from the domain to the ELB (and thus have traffic evenly distributed among servers running your applications)
- Route 53 can also be used to manage internal DNS for custom internal hostnames within a VPC as long as the VPC is configured for it
- Latency, GEO, basic, and failover routing policies allow for region-to-region fault tolerant architecture design
- You can easily configure for failover to S3 (if website bucket hosting is enabled) or CloudFront

Route 53 Hosted Zones:

- A Hosted Zone stores DNS records for your domain
- Basically, it contains the rules (record sets) that tell Route 53 what to do with a DNS request

- There are both public and private hosted zones:
-- A public hosted zone is a container that holds information about how you want to route traffic on the Internet for a domain and its subdomains
-- A private hosted zone is a container that holds information about how you want to route traffic for a domain and its subdomains within one or more Amazon Virtual Private Clouds

- After you create a hosted zone for your domain, you can create resource record sets to tell the Domain Name System (DNS) how you want traffic to be routed for that domain
- Hosted zones come pre-populated with NS (name server) and SOA (start of authority) record sets

Route 53 Record Sets:

- Record sets are instructions that actually match domain names to IP addresses
- Record sets are comprised of various options, including:
-- Record type
-- Standard/alias
-- Routing policy
-- Evaluate target health

Common record types include:
- A: Used to point a domain to an IPv4 IP address
- AAAA: Used to point a domain to an IPv6 IP address
- CNAME: Used to point a host/name to another host/name
- MX: Used to route email (mail exchange)

Alias Record Sets:
- Instead of an IP address (standard record sets), an alias record set contains a pointer to an AWS specific resource, such as:
-- An elastic load balancer
-- CloudFront distribution
-- Elastic Beanstalk environment
-- Amazon S3 bucket that is configured as a static website

Routing Policy:
- Simple: Route all traffic to one endpoint
- Weighted: Route traffic to multiple endpoints (manual load balancing)
- Latency: Route traffic to an endpoint based on the users’ latency to various endpoints
- Failover: Route traffic to a “secondary” endpoint if the “primary” is unavailable
- Geolocation: Route traffic to an endpoint based on the geographical location of the user

Evaluate Health Check:
- Can monitor the health of your application and trigger an action

S3 for DNS Failover:

- By using a failover routing policy in a Route 53 DNS record set, an S3 bucket can be used as a failover endpoint
- This can provide an extremely reliable backup solution if your primary endpoint fails
- And even though S3 should only be used for static web hosting, it gives you the opportunity to provide your users with some type of information until the primary endpoint is working again
- An S3 bucket can also be used as a primary endpoint, if you just want to host a simple static site

Note: For a DNS record to use an S3 bucket as an endpoint, the bucket name MUST be the same as the domain name.
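To make the routing policies and the S3 failover concrete, here is an added example (not course material or AWS code) that simulates how Route 53 picks an answer under the simple, weighted, latency and failover policies, with health-check results supplied by the caller instead of by Route 53's health checkers. The record sets, IP addresses and health-check IDs are constructed for the example.

```python
import random

# Constructed record sets for one hosted zone (names, IPs and check IDs are made up).
RECORDS = [
    {"name": "www.example.com", "policy": "failover", "role": "PRIMARY",
     "value": "203.0.113.10", "health_check": "hc-primary"},
    {"name": "www.example.com", "policy": "failover", "role": "SECONDARY",
     "value": "s3-website.example.com", "health_check": None},
    {"name": "api.example.com", "policy": "weighted", "weight": 80,
     "value": "198.51.100.5", "health_check": "hc-onprem"},
    {"name": "api.example.com", "policy": "weighted", "weight": 20,
     "value": "203.0.113.20", "health_check": "hc-aws"},
    {"name": "edge.example.com", "policy": "latency", "region": "us-east-1",
     "value": "203.0.113.30", "health_check": "hc-use1"},
    {"name": "edge.example.com", "policy": "latency", "region": "eu-west-1",
     "value": "203.0.113.40", "health_check": "hc-euw1"},
]

def healthy(rec, health):
    # A record with no health check attached is always treated as healthy.
    return rec["health_check"] is None or health.get(rec["health_check"], False)

def resolve(name, records, health, latency_ms=None, rng=random):
    """Value Route 53 would answer for `name`; None when no record set exists."""
    rs = [r for r in records if r["name"] == name]
    if not rs:
        return None
    policy = rs[0]["policy"]
    if policy == "failover":
        # Active-passive: answer with the primary while its check passes,
        # otherwise with the secondary (here an S3 website endpoint).
        primary = next(r for r in rs if r["role"] == "PRIMARY")
        secondary = next(r for r in rs if r["role"] == "SECONDARY")
        return primary["value"] if healthy(primary, health) else secondary["value"]
    # Other policies drop unhealthy records; if every record is unhealthy,
    # Route 53 answers as if all of them were healthy.
    live = [r for r in rs if healthy(r, health)] or rs
    if policy == "weighted":
        # Each record is picked with probability weight / sum of weights.
        return rng.choices(live, weights=[r["weight"] for r in live])[0]["value"]
    if policy == "latency":
        # Healthy record in the region with the lowest measured latency wins.
        return min(live, key=lambda r: latency_ms[r["region"]])["value"]
    return live[0]["value"]  # simple routing: one endpoint

def weighted_share(name, value, records, health, trials=10000, seed=1):
    """Fraction of answers equal to `value`; checks the 80/20 split empirically."""
    rng = random.Random(seed)
    hits = sum(resolve(name, records, health, rng=rng) == value for _ in range(trials))
    return hits / trials
```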

CloudFront Essentials

- CloudFront is a global CDN which delivers content from an “origin” location (the source of the content) to an “edge” location (AWS CDN data center)
- An edge location allows the caching of static objects from the origin location
- An origin can be an:
-- S3 bucket
-- Elastic Load Balancer that distributes requests among origin EC2 instances
- CloudFront can integrate with Route 53 for “alternate” CNAMES
-- This allows you to create a URL such as http://cdn.mydomain.com that works with your distribution

CloudFront Benefits:
- Users experience lower latency and content load time
- Reduces load on your application's resources (origin services) - thus reducing cost

Updating Cached Files:
- Caching is done based off the object name
- In order to serve a new version of an object, either create a new object with a new name or create an “invalidation” on the CloudFront distribution based off the object name
- “Invalidations” have a cost, so if you have to invalidate a large CloudFront distribution then perhaps you should just create a new distribution and move DNS names
- Cached objects can also be set with a specific expiration time/date, or set to not cache at all

Signing URLs:
- Signed URLs allow access to “private content” by creating a temporary, one-time-use URL based off of the number of seconds you want it to be accessible
- Signed with an X.509 certificate

CloudFront Performance Considerations

- CloudFront performance can be affected by:

+ File size and type of file
+ Having to remake the request from the Edge location to the origin
-- Downloading the object from the origin takes time
-- As well as writing it to cache and responding to the end user request
-- The more requests that have to go to the origin, the higher the load is on your source - which can also cause latency and load performance issues

+ The edge location that the user’s request goes to is dependent upon a “DNS check” to determine the closest edge location - so slow DNS issues can cause performance issues

+ Query strings (request to the origin to serve a specific object) reduce cache “hits”
-- Query strings are often unique, so they reduce cache hits and also require extra “work” to forward the request to the origin location

- CloudFront performance can be increased by:
-- Longer cache periods increase performance (less frequent requests to the source)
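The caching rules in "Updating Cached Files" and the performance points above can be seen in a toy edge cache. This is an added example, not CloudFront's implementation: it keys on the object name (optionally plus the query string), treats an expiration of zero as "never stored", evicts by object name on invalidation, and counts how many requests fall back to the origin. The request trace is constructed.

```python
import time

class EdgeCache:
    """Toy edge location: caches origin objects by name with a TTL."""
    def __init__(self, ttl_seconds, key_on_query_string=False, clock=time.time):
        self.ttl = ttl_seconds
        self.key_on_qs = key_on_query_string
        self.clock = clock                   # injectable so tests control time
        self.store = {}                      # cache key -> (body, expires_at)
        self.hits = self.misses = 0

    def cache_key(self, path, query=""):
        # CloudFront keys on the object name; forwarding query strings makes
        # every distinct query string its own cache entry.
        return f"{path}?{query}" if self.key_on_qs and query else path

    def get(self, path, query="", origin_fetch=lambda p, q: f"body-of-{p}"):
        key, now = self.cache_key(path, query), self.clock()
        entry = self.store.get(key)
        if entry and entry[1] > now:
            self.hits += 1
            return entry[0]
        self.misses += 1                     # the request goes back to the origin
        body = origin_fetch(path, query)
        if self.ttl > 0:                     # expiration of zero: never stored
            self.store[key] = (body, now + self.ttl)
        return body

    def invalidate(self, path):
        # Invalidation is by object name and drops every variant of that path.
        for key in [k for k in self.store if k == path or k.startswith(path + "?")]:
            del self.store[key]

    def hit_ratio(self):
        total = self.hits + self.misses
        return self.hits / total if total else 0.0

def trace_hit_ratio(ttl_seconds, key_on_query_string, trace, clock=lambda: 0.0):
    """Hit ratio for a constructed request trace of (path, query) pairs."""
    cache = EdgeCache(ttl_seconds, key_on_query_string, clock)
    for path, query in trace:
        cache.get(path, query)
    return cache.hit_ratio()

# Constructed trace: the same object fetched ten times with a cache-busting
# query string, as a browser might send for "logo.png?v=N".
TRACE = [("/logo.png", f"v={i}") for i in range(10)]
```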

Quiz: DNS, CDN, and Failover Quiz

Q: You are migrating your existing web application from your on-premise data center to the AWS cloud. As part of testing your AWS infrastructure, you only want to have 20% of traffic to hit AWS resources and the other 80% to hit your on-premise resources. What record set routing policy should you choose to accomplish this?
A: Weighted
E: A weighted routing policy allows for "manual" load balancing between different endpoints.

T: An alias record set contains a pointer to an AWS-specific resource.
E: An alias record set contains a pointer to an AWS-specific resource and is used to direct traffic to ELBs, CF distributions, and S3 buckets.

T: CloudFront caching is based on the object's file name (not its type).

Q: If you want to point a domain name to an AWS elastic load balancer in Route 53, how would you need to configure the record set?
A: Alias with a type "A" record set
E: You will need to configure the record set as a type "A" alias. An alias allows you to point the domain to an AWS-specific endpoint, such as an ELB, Cloudfront distribution, or S3 bucket (as opposed to just an IPv4 IP address).

T: A public hosted zone should be used for routing Internet traffic for a domain, and a private hosted zone should be used for routing traffic within a VPC.

Q: What is a main benefit of using a CloudFront distribution?
A: Reduces load on your application's resources
E: Once an object is cached at an edge location, all other requests for that object will be handled by the edge location, not your application. This can significantly reduce the number of times your resources are hit.

Q: You have set up a CloudFront distribution but find that instead of each edge location serving up objects that should be cached, your application's origins are being hit for each request. What could be a possible cause of this behavior?
A: The cache expiration time is set to zero
E: If the cache expiration time is not set (or set to zero), then CF will not cache objects at the edge location. This will prompt the behavior where the edge location will have to request the same object from the origin for each request.

Q: Your CloudFront distribution is performing well, but you are still getting too many requests at the origin locations. What could be one way to increase CloudFront performance?
A: Increase the cache expiration time
E: If your cache expiration times are too short, you may have requests from the edge location to the origin occurring when they are not required. If you increase the cache expiration date, you should experience fewer hits to the origin.

Q: What is an absolute rule when using an S3 bucket for Route 53 DNS failover?
A: The S3 bucket must be the same as the domain name
E: To use an S3 bucket for Route 53 DNS failover, the bucket name must match the domain name.

T: A CloudFront origin is the source of the object, and an edge location is where the object is cached.

Architecture Diagrams

Image: Physical & Networking Layer - Networking

Image: Physical & Networking Layer - CloudFront