SAP-C02 Amazon AWS Certified Solutions Architect Professional – New Domain 5 – Continuous Improvement for Existing Solutions part 10
- Understanding AWS Certificate Manager
Hey everyone and welcome back. Now in today’s lecture, we are going to look into one of the new services called AWS Certificate Manager. Now, this is a very, very great feature which AWS has extended to the customers and it really makes life simple. So let’s look into the use case which will help us understand how the AWS Certificate Manager helps the clients to make their life simple. Now, in the earlier approach, whenever a client, let’s assume that I have a website and I need to use HTTPS. Now there are two ways in which I can use it. One is with the help of a self-signed certificate and the second would be a CA (certificate authority) signed certificate. So if you’re using a self-signed certificate, the browser will show you an error like this in red, that the site’s security certificate cannot be trusted.
However, if you use a genuine CA-signed certificate, then you will have a nice HTTPS-based browser URL that you will see. However, the problem is, the CA-signed certificates are generally paid ones. So let me show you the example. So I’m in the name comssl, and here you see there are various SSL certificates that I can purchase. Now one of the certificates, you see, it starts with the basic Comodo Essential. It starts with $10 per year, so $9.99 per year. However, if you go for the extended certificates, then you actually have to pay a much larger amount. So if you go into the Comodo Essential SSL Wildcard, so this is basically the wildcard certificate, it is actually $130 per year. So quite expensive.
And specifically for a very new organization, or for the people who want to have HTTPS on their personal website or on their personal blog, they must pay for the SSL certificate in most of the use cases. The second major problem is that it expires after one year. So after one year, if you do not renew your certificate, then you will have this red colour mark on your website. And this is a very, I would say, challenging thing because I have seen many of the big organizations, they have SSL certificates, genuine SSL certificates, but after one year, they forget to renew their SSL and the entire website breaks. So the entire website gets these warnings. And specifically when you talk about clients like Android or iOS, these clients will not work if you have that certificate.
They only work if you have the genuine certificates. So the entire website fails, or all the Android, the iOS, as well as the Windows applications, they throw an error. So for any users who are using those applications, the application will throw an error. And this is quite a pain because every one year, or maybe every five years, you have to renew the certificate. And if there are any vulnerabilities which are present, you again have to renew the certificate. So it’s quite a big pain. And this is the reason why AWS actually decided to launch the AWS Certificate Manager service. So if I just go to the Certificate Manager, so this Certificate Manager is responsible for provisioning, managing and deploying the SSL/TLS certificates. So if you’ll see over here in the first, you can provision the certificate. So you see, ACM manages the renewal of SSL/TLS certificates issued by Amazon for you.
So whenever you create your own certificate through an authority like Comodo SSL, it’s quite a pain because you have to do a lot of things, like they’ll call you for validation. So there are a lot of things involved. However, through ACM, life is much simpler. We’ll see that when we deploy our first certificate with the help of ACM. Along with that, whatever certificates that we get from the Certificate Manager, they are completely free. Like, you do not really have to pay anything for the certificates which are issued through the AWS Certificate Manager. So there are certain big advantages of ACM, and this is the reason why a lot of startups are now moving to ACM, which makes their life simpler. So let’s do one thing, we’ll conclude the lecture for the time being and in the next lecture we’ll look into how we can provision our first certificate with the help of AWS Certificate Manager. Thanks for watching.
- Provisioning first TLS certificate with ACM
Hey everyone and welcome back. So let’s do one thing in today’s lecture. We’ll be deploying our first SSL certificate with the help of the AWS Certificate Manager. So click on Get Started. And the first thing that you need to do in ACM is that you have to put your domain name. Now, I have one funny domain name which I have registered and integrated with Route 53. So I’ll copy this domain and I’ll just paste it over here. Perfect. And I’ll click on Next. Now, there are two types of validation that you can use. One is DNS validation and the second is email validation. So I prefer DNS validation. So let’s go ahead with the DNS validation and I’ll click on Review, and let me go ahead and click on Confirm and Request. Perfect. So now that the request is in progress, what it expects us to do is to add certain records within this specific domain. So I’ll just click on Export DNS configuration to a file, and if I open it up with Excel, there are certain records that it wants us to put.
So let’s try this out. Just maximize it so that it becomes much clearer. Perfect. So let’s copy this first field. I’ll copy it and I’ll go to my Route 53. I’ll create a new record set with the type CNAME and I’ll just put the details which are expected. Perfect. So this is the first field, the type is CNAME and it needs a certain value. So I’ll copy this value, I’ll paste it here and I’ll click on Create. Perfect. So now we have the CNAME which was asked of us entered in our Route 53 record set. So we can go ahead and click on Continue. So it is on the pending validation side and it will take a certain amount of time. And after a few seconds, ten to 15 seconds, you see that your certificate was issued successfully. So, if you see, this is one of the very easy approaches in which you can have the domain name validation. Now, there is the second approach that we have discussed, based on the email validation, that you can use.
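The manual step above (export the DNS configuration, create a CNAME in Route 53) can be scripted. The following is an added example, not code from the lecture: it parses an ACM export file and builds a Route 53 change batch, refusing records that are not CNAMEs, do not point at ACM's validation domain, or do not belong to the hosted zone being updated. It assumes the export uses the columns `Domain Name,Record Name,Record Type,Record Value`; the sample rows are constructed.

```python
"""Build a Route 53 change batch from an ACM DNS-validation export.

Added example (not from the lecture). Assumes the export uses the
columns 'Domain Name,Record Name,Record Type,Record Value'; the sample
rows below are constructed, not real validation records.
"""
import csv
import io
import json

# Constructed sample of the CSV that "Export DNS configuration to a file" gives.
SAMPLE_EXPORT = """Domain Name,Record Name,Record Type,Record Value
example.com,_0123abcd.example.com.,CNAME,_9876wxyz.acm-validations.aws.
www.example.com,_4567efgh.www.example.com.,CNAME,_5432tuvw.acm-validations.aws.
"""


def parse_acm_export(text):
    """Return the validation records as dicts, rejecting anything unexpected."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Record Type"] != "CNAME":
            raise ValueError(f"unexpected record type {row['Record Type']!r}")
        # ACM validation targets live under acm-validations.aws; anything else
        # means the file was edited or is not an ACM export.
        if not row["Record Value"].endswith(".acm-validations.aws."):
            raise ValueError(f"unexpected target {row['Record Value']!r}")
        records.append(row)
    return records


def build_change_batch(records, hosted_zone_name, ttl=300):
    """Turn validation records into a Route 53 ChangeResourceRecordSets batch.

    Only records inside hosted_zone_name are accepted, so a record meant for
    another zone cannot be pushed into this one by mistake.
    """
    zone = hosted_zone_name.rstrip(".") + "."
    changes = []
    for rec in records:
        name = rec["Record Name"]
        if not name.endswith("." + zone):
            raise ValueError(f"{name} is not inside zone {zone}")
        changes.append({
            "Action": "UPSERT",  # idempotent: safe to re-run the script
            "ResourceRecordSet": {
                "Name": name,
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": rec["Record Value"]}],
            },
        })
    return {"Comment": "ACM DNS validation", "Changes": changes}


if __name__ == "__main__":
    batch = build_change_batch(parse_acm_export(SAMPLE_EXPORT), "example.com")
    # Save as batch.json and apply with:
    # aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> --change-batch file://batch.json
    print(json.dumps(batch, indent=2))
```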
- Configuring ELB with HTTPS for SSL offloading
Hey everyone and welcome back. Now, in the earlier lecture we were discussing how we can create our own certificate with the help of the AWS Certificate Manager service. Now, I am sure you must have noted that I had to stop that lecture abruptly. Actually some people had come to my house and this is the reason I had to stop. And I thought I will not just re-record the entire thing again because the main lecture was recorded. So actually this is the reason why I actually decided to record the lectures in the morning at 03:00 to avoid all these disruptions. But it actually becomes quite difficult because it is winter in India and waking up at 03:00 is actually a big challenge. Anyways, so I’ll try to do that from tomorrow.
Anyways, so coming back to the topic, since we have a domain Munu.com which is created, the certificate for this domain is created. What we’ll do is we’ll look into how we can have a website based on HTTPS with the help of ACM. So in the ELB listeners part, specifically for the HTTP and HTTPS based listeners, if you look into the second use case, where a website uses ELB to offload the SSL decryption. So let me show you what I mean by this. So if I just open the domain, umu.com, it is based on HTTP. Okay? And now what we want is we want this to be HTTPS. And basically what we have is we have a load balancer, and the traffic, if you will see the record set of munmu.com, it is actually pointing to the ELB DNS name and this is the ELB DNS name.
So whenever I type this domain, the traffic goes to the ELB and the ELB will forward the request to the backend EC2 instance. Now, since I want HTTPS over here, we can try this out in ELB. So, one of the major advantages of AWS Certificate Manager is that it supports ELB directly. So let’s do one thing, let’s go to Listeners. I’ll click on Edit, I’ll add a listener, and this time I’ll create a port of HTTPS. Now, whenever I create a port of HTTPS, there are two options which are highlighted. One is the cipher and the second is the SSL certificate. So you must put an SSL certificate when you want the ELB to offload the encryption and decryption related functionality. So if I click here on Change, I’ll choose ACM. I can even upload my certificate and private key if I obtained it through a third-party CA.
However, I’ll just use ACM and it is asking me which certificate within ACM I want to use. And since I only have one certificate, I’ll select it and I’ll click on Save. So you see the SSL certificate part is automatically changed to using ACM and I’ll click on Save. Perfect. So now we have a new listener based on HTTPS. So now the Elastic Load Balancer is listening on port 443, and it is sending the traffic to port 80. So let’s look into what I mean. So now what we have done is we have an ELB. We have a certificate in the ELB which is from ACM. So from the client to the ELB, I have a secure connection. So you see, I have a secure connection from client to ELB. And from the ELB to the backend instance, I again have a plaintext HTTP connection.
So let’s try this out. I’ll just copy the domain, I’ll put HTTPS. Let’s try it out. Perfect. Now, you see, you have a perfectly secure HTTPS connection for this domain. And the certificate which is used here is the ACM certificate which got issued by Amazon for free. So this is how you can actually use the ACM certificate for your website. So go ahead and try this out because this is quite interesting. And if you’re using production environments, I will hundred percent recommend you go ahead and use ACM because this will actually make your life much, much simpler. So this is it about this lecture. I hope this has been informative for you and I look forward to seeing you in the next lecture.
- ELB – Cross Zone Load Balancing
Hey everyone and welcome back to the Knowledge Portal video series. Now, in the previous lecture, we looked in great detail at the Elastic Load Balancer nodes as well as the routing and the visibility aspect of them. Now, in today’s lecture, we will continue with the default configuration that we were speaking about. And thus today we will be speaking about cross-zone load balancing. So let’s look into what it is. Now, if you remember, earlier we spoke that if there is an ELB node which is launched in Availability Zone One, it can only send, or it can only route, traffic to the EC2 instance in the same Availability Zone. Same for AZ Two: this node can only route traffic to the instance within its Availability Zone.
So when we discuss the overall concept of a load balancer, specifically when it comes to round robin or a 50-50% configuration, ideally request one should come to the first instance, request two should come to the second instance. Again, if there is a request three, request three should come to the first instance and request four should come to the second instance. So this is something that we already looked at in the previous lecture. Now the problem is, in the default configuration, since the nodes are not able to send traffic across Availability Zones, if request one comes to this node, it gets sent to EC2 instance one. However, if request two comes to the same node, it will forward the request to the same EC2 instance.
So the basic property of a load balancer does not get fulfilled. And this is the reason why the default configuration is not much worthy. So this is the reason why cross-zone load balancing got introduced. What really happens in cross-zone load balancing is that the ELB node can route traffic across instances in multiple Availability Zones. So this ELB node in AZ One can send traffic to the EC2 instance in the same AZ. Along with that, it can send traffic to the EC2 instance in a different Availability Zone as well. So in this case, if the ELB node receives two requests, based on round robin or the 50-50% configuration, the first request the node will send to EC2 instance one, and the second request it will send to EC2 instance two, provided that cross-zone load balancing is enabled.
So let’s do one thing. If you remember, we had cross-zone load balancing disabled for our KP Labs demo load balancer. I will go ahead and I’ll enable the cross-zone load balancing. Let’s just quickly verify. Okay, I’ll just re-enable it again. Perfect. So now the cross-zone load balancing is enabled for the load balancer. So if you remember in the previous practical, when we used to send the request to one IP address corresponding to the node, it only used to route traffic to an EC2 instance in that node’s Availability Zone. So let’s do one thing. Let me do a curl. I’ll paste it now. So now if you see, it is actually sending to the EC2 instance which is present in a different Availability Zone. So if I do it one more time, now you see you are actually having proper load balancing.
I’ll do it one more time. Perfect. So now we know that the first node is doing proper load balancing. Let’s do a curl on the second node. So this ELB node used to only route traffic to a server which used to respond “This is server three”. Now let me paste it again. Oops, I’ll copy this and I’ll paste it here. Okay. This is server three. Let me do it once more. And now again, if you see, the ELB nodes are able to route traffic across the Availability Zones and now we are having proper load balancing which is really happening. So this is one of the ideal scenarios. Now the reason why we actually spent a lot of time on this is because I still remember a few months back there was a load balancer which was created and it had cross-zone load balancing disabled. Someone disabled it and due to that the system administrators were really, they were troubleshooting the server. They actually spent many hours trying to figure out what was wrong, only to figure out at the end that the cross-zone load balancing was disabled. So I hope you got the basic understanding about the default configuration as well as the need for cross-zone load balancing in an Elastic Load Balancer. So I hope this has been informative for you.
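The behaviour the curl loop above exposes can be reproduced offline. The following is an added example, not code from the lecture: it models each ELB node as a round-robin scheduler over the instances it is allowed to see (only its own AZ with cross-zone off, every registered instance with it on) and counts where a burst of requests to one node lands. The instance and AZ names are made up.

```python
"""Simulate ELB request routing with cross-zone load balancing off vs on.

Added example, not the lecture's own code. The model is the one the
lecture describes: an ELB node lives in one Availability Zone and
round-robins over the instances it can see. Names below are constructed.
"""
from collections import Counter
from itertools import cycle

# Constructed fleet: one instance in az-1, two in az-2.
INSTANCES = {"i-server1": "az-1", "i-server2": "az-2", "i-server3": "az-2"}


class ElbNode:
    """An ELB node in one AZ, doing round robin over its visible targets."""

    def __init__(self, az, instances, cross_zone):
        self.az = az
        # With cross-zone off, a node only sees instances in its own AZ.
        visible = [i for i, iaz in instances.items() if cross_zone or iaz == az]
        if not visible:
            # Failure mode of the model: a node whose AZ holds no instance
            # has nowhere to send requests while cross-zone is off.
            raise RuntimeError(f"node in {az} has no visible targets")
        self._rr = cycle(sorted(visible))

    def route(self):
        """Return the instance that receives the next request."""
        return next(self._rr)


def distribute(node_az, cross_zone, requests=6, instances=INSTANCES):
    """Send `requests` requests to one node (what the lecture's curls do)
    and return how many each instance received."""
    node = ElbNode(node_az, instances, cross_zone)
    return Counter(node.route() for _ in range(requests))


def is_balanced(counts, instances=INSTANCES):
    """True when every registered instance got the same share."""
    return set(counts) == set(instances) and len(set(counts.values())) == 1


if __name__ == "__main__":
    for enabled in (False, True):
        for az in ("az-1", "az-2"):
            c = distribute(az, enabled)
            print(f"cross-zone={enabled!s:5} node in {az}: {dict(c)} "
                  f"balanced={is_balanced(c)}")
```

With cross-zone off, the az-1 node sends every request to i-server1 and the az-2 node alternates between i-server2 and i-server3, which is the lopsided pattern the administrators in the story were chasing.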
- CloudWatch Events
Hey everyone and welcome back. In today’s video we’ll be discussing CloudWatch Events. Now, CloudWatch Events is a great feature which AWS has released and basically it allows us to respond to the changes that happen within your AWS environment in real time. Now, one example use case that I can share, in fact, this is something that we used to implement in one of the organizations that I have been working with. Let’s say that an EC2 instance gets terminated. Now, if that EC2 instance is connected to a central server, it can be Spacewalk, Satellite or any other central server, we want to deregister that instance from those central servers so that those servers will not try to monitor it and unnecessarily alert.
So whenever an EC2 instance used to get terminated, we used to receive a CloudWatch event which was associated with a Lambda function. The Lambda function in turn used to deregister that instance from all the central servers. Now, another example use case that I can share, again, we used to implement that in a production environment. Like we did not really have any Auto Scaling group, so we had an alarm where CloudWatch Events was used. So anytime an EC2 instance used to get stopped or used to get terminated, we used to receive an email as well as a Slack notification saying that a specific instance ID has been stopped or a specific instance ID has been terminated. Now again, there can be a huge number of use cases that you can achieve with the help of CloudWatch Events.
Let’s jump into the practical and see how exactly it looks. So currently I am in my CloudWatch console. So within CloudWatch you have the tab of Events and within this you have a sub-tab of Rules. So this is where you can create the rule. Let’s go to Events and let’s click on Get Started. Now, if you click on Get Started it takes you to step one of creating a rule. Now, while creating a rule, you have the option of service name and event type. So for service name, depending on what use cases you have, you can select the service name accordingly. Again, I’ll tell you one of the very common use cases which organizations use. So typically in dev environments, for organizations who have hundreds of EC2 instances, during the night the EC2 instances are running and it just increases the cost.
So what you can do is you can shut down all the EC2 instances in a specific environment during the night time, let’s say from 9:00 PM to 9:00 AM. And CloudWatch Events is the easiest way in which you can implement that. So if you click here, there are two options. One is the event pattern and the second is the schedule. So a schedule is like a cron. Now, typically what used to happen was cron was something where a dedicated instance was used. So let’s say you can specify a cron expression over here. Let’s say that the expression would be invoked at 9:00 PM in the night and it would call a target. So the target would be the Lambda function and that Lambda function would stop all the EC2 instances of a specific region.
Let’s assume that the region is only for the dev environment. So it will stop all the EC2 instances in the dev environment. Now again, there would be one more schedule during the morning at 9:00 AM. And again there would be a second Lambda function which would start the instances at 9:00 AM in the morning. So this is one of the use cases which a lot of organizations use. Anyways, for our demo use case, what you can do is you can go, let’s select EC2 over here, and here there are a lot of event types. You have EC2 state change notification, EBS volume notification and various others. So currently, if you would have seen the rules, I already have one rule created. So if you click on this rule you can see this is the event pattern. The source is EC2 and the state is running or stopped, and the target here is an SNS topic.
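The night-time shutdown Lambda described above, as an added example (not code from the lecture or from KP Labs): a handler that a scheduled rule invokes, which stops every running instance that carries a constructed `Environment=dev` tag rather than every instance in the region, so a rule attached to the wrong account or region cannot take production down. The handler takes an injectable EC2 client; `FakeEc2` is a constructed stand-in for `boto3.client("ec2")` so the logic runs offline.

```python
"""Scheduled CloudWatch Events target that stops running dev instances.

Added example, not the lecture's own code. Assumes a schedule rule such as
cron(0 21 * * ? *) invokes `handler`. In Lambda the client is boto3's EC2
client; FakeEc2 below is a constructed stand-in for running offline.
"""

DEV_FILTERS = [  # only running instances explicitly tagged as dev
    {"Name": "tag:Environment", "Values": ["dev"]},
    {"Name": "instance-state-name", "Values": ["running"]},
]


def find_running_dev_instances(ec2):
    """Return the IDs of running instances tagged Environment=dev.

    Uses the paginator so fleets with hundreds of instances are all seen.
    """
    ids = []
    for page in ec2.get_paginator("describe_instances").paginate(Filters=DEV_FILTERS):
        for reservation in page["Reservations"]:
            ids.extend(i["InstanceId"] for i in reservation["Instances"])
    return ids


def handler(event, context, ec2=None):
    """Lambda entry point: stop dev instances and report what was stopped."""
    if ec2 is None:
        import boto3  # real client only when running inside Lambda
        ec2 = boto3.client("ec2")
    ids = find_running_dev_instances(ec2)
    if ids:  # stop_instances rejects an empty list
        ec2.stop_instances(InstanceIds=ids)
    return {"stopped": ids}


class _FakePaginator:
    def __init__(self, fn):
        self._fn = fn

    def paginate(self, **kw):
        yield self._fn(**kw)  # single page is enough for the fake


class FakeEc2:
    """Constructed stand-in for boto3's EC2 client (tag and state filters only)."""

    def __init__(self, instances):
        self.instances = instances  # dicts with InstanceId, State, Tags
        self.stopped = []

    def get_paginator(self, name):
        return _FakePaginator(getattr(self, name))

    def describe_instances(self, Filters):
        wanted = {f["Name"]: set(f["Values"]) for f in Filters}
        out = []
        for inst in self.instances:
            tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
            if tags.get("Environment") in wanted["tag:Environment"] \
                    and inst["State"]["Name"] in wanted["instance-state-name"]:
                out.append(inst)
        return {"Reservations": [{"Instances": out}]}

    def stop_instances(self, InstanceIds):
        self.stopped.extend(InstanceIds)
        for inst in self.instances:
            if inst["InstanceId"] in InstanceIds:
                inst["State"]["Name"] = "stopping"
        return {"StoppingInstances": [{"InstanceId": i} for i in InstanceIds]}


def sample_fleet():
    """Constructed fleet: one running dev, one stopped dev, one running prod."""
    return [
        {"InstanceId": "i-dev1", "State": {"Name": "running"},
         "Tags": [{"Key": "Environment", "Value": "dev"}]},
        {"InstanceId": "i-dev2", "State": {"Name": "stopped"},
         "Tags": [{"Key": "Environment", "Value": "dev"}]},
        {"InstanceId": "i-prod1", "State": {"Name": "running"},
         "Tags": [{"Key": "Environment", "Value": "prod"}]},
    ]
```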
So what happens is that anytime an instance starts or an instance stops, then I would receive a notification in my email. So let’s look into how exactly that would work. Like so, I have one running instance over here. So let me go ahead and let me stop this instance. Great. So now the instance state is stopped and you would see the mail count change from 119 to 120. Now, within my mailbox this is the JSON event which appeared. Let’s do one thing. I’ll just copy this JSON event and I’ll just paste it in a website which does the JSON formatting so it becomes easier for us to read. Now, here the detail type, it says EC2 Instance State-change Notification. It gives you the account ID, quite useful if you have multiple accounts. It gives you the ARN. And here it gives you the precise instance ID which was changed. And the status here, it says the status is stopped.
So this is quite useful. Now again, this is one simple example. There can be n number of possibilities that you can achieve with the help of CloudWatch Events. One thing that I already shared is that you can stop all the EC2 instances at night in the dev environment and start them back in the morning. It helps save a huge amount of cost. Anyways, so let’s do one thing. Now that we have seen the demo, let’s do it practically so that we are aware of how to do that. So I’ll go ahead and I’ll create a rule. Now the rule will be created of type EC2. Now, we don’t want all the events, we just want the EC2 instance state change notification. And here you can specify any state or you can specify a custom state over here. Now, within the custom state you can specify when you want to receive a notification.
So it might happen that it’s better to receive a notification when an instance gets terminated in a production environment, specifically if you’re not running an Auto Scaling group, otherwise you will get a lot of spam there. So let’s do one thing. I’ll say running and we’ll have one more state as stopped. So these are the two states, and in the target there can be a lot of targets that you can associate. A Lambda function is again a great target and it allows you to have n number of possibilities here. Now, one of the important targets, specifically if you want to receive an email or SMS, is the SNS topic. So before we do that, we need to create an SNS topic here. Let’s go to Topics. And here I already have one topic created, but for the sake of the demo, we’ll create one more topic.
I’ll name it KPLabs-Events-Demo. Let’s go ahead and create a topic. Let’s go inside and we’ll create a new subscription. So the subscription protocol would be email and the endpoint, I’ll give the endpoint which is the instructors address at KP Labs. Once you are done, you can go ahead and create a subscription. Great. So once you have done that, you would typically receive an email asking for the confirmation. And if you see over here, this is the email. Now if everything seems to be perfect, you can go ahead and click on Confirm subscription. Great. So now the subscription has been confirmed. So from the targets this time we’ll just select SNS topic over here and we’ll select our KPLabs-Events-Demo. In case this does not appear, you might have to refresh your page there. We can go ahead and we can click on Configure details.
So just give it a name. I’ll say Kplabs demo and the state needs to be enabled. We can go ahead and we can create the rule. Great. So this rule is now enabled. So what I’ll be doing is, the first rule which we had used for the demo, I’ll just delete it, or let me just disable it so we don’t really get confused on this part. So now once you have done that, let’s go to the EC2 instance and I’ll start our EC2 instance here. So once the instance state changes from pending to running, you should typically receive a new email. And you have this new email over here. Now let’s do one thing. Let me just paste this in the JSON formatter so it becomes easier for us to read. And again it says the account ID, it tells you the source, it tells you the region, it gives you the ARN and here it gives you the exact instance ID. And what is the current state? The current state is running.
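The rule built in this demo (source EC2, state running or stopped, target SNS) can be checked offline against the kind of JSON that lands in the mailbox. The following is an added example, not code from the lecture: it implements the basic CloudWatch Events pattern rule (every key in the pattern must be present in the event, the event's value must be one of the listed literals, nested objects recurse), applies the demo's pattern to a constructed event, and produces the one-line alert text the email or Slack message would carry. Account, event and instance IDs are made up.

```python
"""Match a CloudWatch Events pattern against EC2 state-change events.

Added example, not the lecture's own code. Reimplements only the basic
pattern rule (exact values in a list, nested objects recurse); the
account, event id and instance id below are constructed.
"""
import json

# The rule built in the demo: EC2 state changes, only running and stopped.
DEMO_RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["EC2 Instance State-change Notification"],
    "detail": {"state": ["running", "stopped"]},
}

# Constructed event in the shape CloudWatch Events delivers to SNS.
SAMPLE_EVENT_JSON = """{
  "version": "0",
  "id": "11111111-2222-3333-4444-555555555555",
  "detail-type": "EC2 Instance State-change Notification",
  "source": "aws.ec2",
  "account": "123456789012",
  "time": "2024-01-01T21:00:00Z",
  "region": "us-east-1",
  "resources": ["arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123def456789a"],
  "detail": {"instance-id": "i-0abc123def456789a", "state": "stopped"}
}"""


def matches(pattern, event):
    """True if `event` satisfies every constraint in `pattern`."""
    for key, allowed in pattern.items():
        if key not in event:
            return False  # a key named in the pattern must exist
        if isinstance(allowed, dict):  # nested pattern: recurse
            if not isinstance(event[key], dict) or not matches(allowed, event[key]):
                return False
        elif event[key] not in allowed:
            return False  # value must be one of the listed literals
    return True


def notification_line(event):
    """One-line summary of the kind the demo's email/Slack alert carries."""
    d = event["detail"]
    return (f"[{event['account']}/{event['region']}] instance "
            f"{d['instance-id']} is now {d['state']}")


def route(pattern, raw_json):
    """Parse a delivered event; return the alert text, or None if the rule
    would not have fired for it."""
    event = json.loads(raw_json)
    return notification_line(event) if matches(pattern, event) else None


def with_state(raw_json, state):
    """Return a copy of a state-change event with a different state (for tests)."""
    event = json.loads(raw_json)
    event["detail"]["state"] = state
    return json.dumps(event)


if __name__ == "__main__":
    for state in ("stopped", "running", "terminated"):
        print(state, "->", route(DEMO_RULE_PATTERN, with_state(SAMPLE_EVENT_JSON, state)))
```

A terminated event returns None here, which is exactly the gap the lecture warns about for production: the demo pattern only lists running and stopped.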