Tuesday, June 17, 2025

EBS


Class 47: AWS EBS, June 17th

Elastic Block Store (EBS): EC2 and RDS are resources whose data is stored on EBS.

File Storage --> EFS, FSx

Object Storage --> S3

Block-level Storage --> EBS

Data is divided into equal-sized blocks and stored across multiple drives.
It has no structure of its own.
It can host an operating system.
It is bootable and mountable.
Ex: Elastic Block Store (EBS)
Basic Terminology
  • Booting is the process of starting up the entire system and loading the operating system.
  • Mounting is the process of attaching a file system to the directory structure of an already running operating system, making it accessible for use.
  • IOPS measures the number of read and write operations a storage system can perform per second. (With SSD disks, which we usually choose, IOPS and throughput are high.)
  • Throughput measures the amount of data transferred to and from a storage system per unit of time, typically expressed in megabytes per second (MB/s) or gigabytes per second (GB/s).
EBS Volume

  • An EBS volume is a durable, block-level storage device that you can attach to your instances.
  • After you attach a volume to an instance, you can use it as you would use a physical hard drive.
  • EBS volumes are persistent, meaning that the data stored on them remains intact even after the EC2 instance is stopped or terminated.
  • We can encrypt the volumes using AWS KMS.
  • Volume size can be between 1 GiB and 16382 GiB (1 GB = 0.9313 GiB).
  • 3 IOPS are allocated per 1 GiB. A maximum of 16000 IOPS can be allocated per volume.
  • Up to 33 GiB (gibibyte), 100 IOPS are allocated; after that, 3 IOPS are added per 1 GiB.
 For ex: 33 GiB - 100, 34 - 103, 35 - 105, 36 - 108, 37 - 111...

Volume Type:
SSD (Solid State Drive) --> General Purpose (gp1, gp2), Provisioned IOPS (io1, io2)
HDD (Hard Disk Drive) --> ST1, SC1
EBS types

EBS Architecture 

EBS volume mount and unmount (Linux & Windows)

Snapshots

Life cycle manager

Practical:

For an instance you can increase the volume size, but you cannot decrease a size that has already been assigned.

Step1: Create three instances.


A volume you create can be attached to instances in the same region; if the region is different, you cannot attach the volume.

To attach a volume to an instance in the same region but a different Availability Zone, create a snapshot of the volume (its backup); through the snapshot you can copy it to the other Availability Zone.
Step2:

Create Volume:

EC2 > Volumes > Create volume with 1 GB of space.

As shown below, three volumes are in use (the root volumes of our three EC2 instances), and the 1 GB volume we created shows as available; you can attach this volume to any of the instances.


Select the available volume > Actions > Attach volume. As shown below, we created two instances in the same Availability Zone, which is why those instances appear in the list.


Step3: Now attach the volume to a specific instance.

Select either instance1 or instance2; the device name is just a label, so you can pick any, then click Attach volume.

Now the volume state changes to in-use; we added the volume to the window1 instance.


Instance 1
Instance ID: i-05a32041621371409
Private IP: 10.0.1.60
Public IP: 18.133.155.176

Instance 2
Private IP: 10.0.1.57
Public IP: 18.171.238.132

Instance 3
Private IP: 10.0.1.72
Public IP: 35.178.189.221

Step4: On the Windows instance EC2AMAZ-A6QD5IG, right-click the new disk, click New Volume, and click Bring Online.

Step5: Click Next, Next, Next and then Create. The status goes from "completion in progress" to "completed".

A new D: drive is now added; create one sample folder and one file in it.

 


Step6: Now you can detach the volume from the server.
Select the 1 GB volume > Actions > Detach volume.
The D: drive volume is detached from the server and shows as available in the volume list.

Step7: You can now attach the same volume to a different instance, i.e. instance2.
Actions > Attach volume. As shown below, the volume is added to instance2 and the file came along with the volume on the D: drive.



Step8: Snapshot. A snapshot is a backup of a volume. If you make it public it can be used anywhere in AWS, but a snapshot belongs only to the region in which it was created.

Select the existing 1 GB volume and click Create snapshot; give any description, e.g. "snapshot_volume", and click Create snapshot.

The snapshot is created successfully; you can also use this snapshot to create a volume.

From the snapshot we can create a volume in another Availability Zone.
Change the Availability Zone to eu-west-2b: our instance1 and instance2 are in the same Availability Zone, while instance3 is in a different one (2b). Click Create volume.

Step9: As shown below, one volume was created from the snapshot in 2b; now you can attach the volume to instance3.

Step10: As shown below, on instance3 the volume created from the snapshot came with its data.

If you want to copy the snapshot to a different region, select the snapshot > Copy snapshot.
Step1: Select a different region, ap-south.

As shown below, the snapshot was copied to the Mumbai region; with it we can create a volume and attach it to an instance wherever required.

Public and private snapshots

Amazon Elastic Block Store (EBS) snapshots can be managed as either private or public, depending on how you want to share or restrict access to them.

By default, all EBS snapshots are private, meaning they can only be accessed by the AWS account that created them.

AWS provides the ability to share EBS snapshots with specific AWS accounts or to make them public so that any AWS user can access them.

1. Private EBS snapshots (default)

2. Public EBS snapshots

3. Sharing EBS snapshots

Summary of public vs private snapshots

Feature         | Private snapshot                          | Public snapshot
Access          | Only the owner account can access         | Accessible by anyone with an AWS account
Default setting | Yes                                       | No
Visibility      | Only to the account owner                 | Visible to all AWS users
Sharing         | Can be shared with specific AWS accounts  | Available to all AWS users globally
Use cases       | Backups, recovery, internal sharing       | Public AMIs, software distribution, public data sets


Considerations when making a snapshot public

Data security: Once a snapshot is public, anyone can access it, so it's crucial to ensure that it doesn't contain sensitive or personal information.

Costs: While sharing a snapshot does not incur additional costs, any data transfers or new volumes created from the snapshot will result in charges.

Public snapshot use cases: Public AMIs for software vendors, public datasets for research or analytics, or community-shared resources.
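Because anyone can read a public snapshot, the check a practitioner wants here is a way to list which of their own snapshots are public or shared. The following Python is an added example, not part of these notes: it classifies each snapshot's createVolumePermission attribute (a Group of "all" means public, a UserId means shared with that account) over constructed sample data, with an optional boto3 variant for a live account; the snapshot ids and account ids are made up.

```python
"""Audit EBS snapshot sharing and flag anything that is not private.

Added example, not from the original notes. Data shapes follow the EC2
DescribeSnapshots / DescribeSnapshotAttribute responses; the snapshot
ids and account ids below are constructed sample values.
"""

PUBLIC_GROUP = "all"   # {'Group': 'all'} in createVolumePermission == public


def classify_permissions(create_volume_permissions):
    """Map a CreateVolumePermissions list to (exposure, shared account ids)."""
    accounts, public = [], False
    for perm in create_volume_permissions:
        if perm.get("Group") == PUBLIC_GROUP:
            public = True
        elif "UserId" in perm:
            accounts.append(perm["UserId"])
    if public:
        return "public", accounts
    return ("shared" if accounts else "private"), accounts


def audit_snapshots(snapshots, attributes):
    """snapshots: DescribeSnapshots()['Snapshots'];
    attributes: {snapshot_id: its CreateVolumePermissions list}.
    Returns one finding per snapshot that is shared or public."""
    findings = []
    for snap in snapshots:
        sid = snap["SnapshotId"]
        exposure, accounts = classify_permissions(attributes.get(sid, []))
        if exposure != "private":
            findings.append({"snapshot_id": sid,
                             "encrypted": snap.get("Encrypted", False),
                             "exposure": exposure,
                             "shared_with": accounts})
    return findings


def audit_with_boto3(region_name):
    """Live variant: same audit over the account's own snapshots in one
    region (first result page only). Assumes boto3 and credentials."""
    import boto3  # imported lazily so the offline demo below needs no SDK
    ec2 = boto3.client("ec2", region_name=region_name)
    snapshots = ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"]
    attributes = {
        s["SnapshotId"]: ec2.describe_snapshot_attribute(
            SnapshotId=s["SnapshotId"], Attribute="createVolumePermission"
        )["CreateVolumePermissions"]
        for s in snapshots
    }
    return audit_snapshots(snapshots, attributes)


# Constructed sample data shaped like the API responses.
SAMPLE_SNAPSHOTS = [
    {"SnapshotId": "snap-0aaa111", "Encrypted": False, "Description": "snapshot_volume"},
    {"SnapshotId": "snap-0bbb222", "Encrypted": True, "Description": "db backup"},
    {"SnapshotId": "snap-0ccc333", "Encrypted": False, "Description": "public demo"},
]
SAMPLE_ATTRIBUTES = {
    "snap-0aaa111": [],                                               # private (default)
    "snap-0bbb222": [{"UserId": "111111111111"}],                     # shared with one account
    "snap-0ccc333": [{"Group": "all"}, {"UserId": "222222222222"}],   # public
}

if __name__ == "__main__":
    for f in audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES):
        print(f"{f['snapshot_id']}: {f['exposure']} "
              f"(encrypted={f['encrypted']}) shared_with={f['shared_with']}")
```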

Snapshot backups can also be taken automatically using Lifecycle Manager.


Elastic File System (EFS)

What is a file storage system?

A file storage service is a type of data storage system that allows users and applications to store, manage and access files in a hierarchical structure of directories and subdirectories.

This service is often used for storing unstructured data, such as documents, images, videos and other file types, and allows for easy access and sharing of files across different devices and users.

Typically it is not suitable for hosting the operating system.

File storage services are fundamental for many organizations, as they provide a convenient and organized way to manage and access files, whether on-premises or in the cloud.

For example, project-related files are commonly kept on shared drives. EBS does not offer that; in AWS we have Elastic File System for Linux and FSx for Windows.

Step1: Create two Linux instances in a public subnet.

Step2: EFS > Click Customize.
Now create the EFS: give it any name (ccit_efs), uncheck Enable automatic backups (which automatically backs up your files based on a lifecycle policy), and uncheck Enable encryption (which encrypts the files for security reasons).

Here choose Enhanced only; Bursting means it gives you additional IOPS/throughput based on your workload and performance. Click Next.
Network: choose your VPC and Availability Zones. Here we are creating mount targets; the mount targets are what we attach to the two instances we created, i.e. the files are shared between those two instances.

Policies are optional; do not select any, click Next.

Next click Create.
The file system is created successfully.
After creating the file system, we need to attach it to our instances.
Click Attach.
Below are the commands we use to mount the file system on the servers at these mount points:


sudo mount -t efs -o tls fs-039d118041cebdc3f:/ efs

sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-039d118041cebdc3f.efs.eu-west-2.amazonaws.com:/ efs

First you need to install this utility on the servers:
yum install amazon-efs-utils
server1:
[root@ip-10-0-1-62 ~]# yum install amazon-efs-utils
Is this ok [y/N]: y
Complete!
server2:
[root@ip-10-0-1-70 ~]# yum install amazon-efs-utils

Is this ok [y/N]: y
Complete!

Create one directory on each server:

[root@ip-10-0-1-62 ~]# mkdir ccit

[root@ip-10-0-1-70 ~]# mkdir ccit

Step 3: Here we give our folder name; run this command on our servers:

sudo mount -t efs -o tls fs-039d118041cebdc3f:/ ccit

Step4: We get an error because DNS hostnames are not enabled in the VPC:

[root@ip-10-0-1-62 ~]# sudo mount -t efs -o tls fs-039d118041cebdc3f:/ ccit

Failed to resolve "fs-039d118041cebdc3f.efs.eu-west-2.amazonaws.com" - check that your file system ID is correct, and ensure that the VPC has an EFS mount target for this file system ID.

See https://docs.aws.amazon.com/console/efs/mount-dns-name for more detail.

Attempting to lookup mount target ip address using botocore. Failed to import necessary dependency botocore, please install botocore first.

Step5: Enable the DNS hostnames checkbox (it was previously unchecked) and click Save. Then mount again:

[root@ip-10-0-1-62 ~]# mount -t efs -o tls fs-039d118041cebdc3f:/ ccit

[root@ip-10-0-1-70 ~]# mount -t efs -o tls fs-039d118041cebdc3f:/ ccit

Step6: I created a file with touch in ccit on server 2, and the file automatically appeared on server 1,

so the ccit mount is shared by both instances, i.e. it is a shared folder for both.

Server 2:

[root@ip-10-0-1-70 ~]# cd ccit

[root@ip-10-0-1-70 ccit]# touch hello.txt

Server 1:

[root@ip-10-0-1-62 ~]# cd ccit

[root@ip-10-0-1-62 ccit]# ls -lrt

total 4

-rw-r--r--. 1 root root 0 Jun 19 19:02 hello.txt

Server 1:

[root@ip-10-0-1-62 ccit]# cat hello.txt

Server1 changes

Server 2:

[root@ip-10-0-1-70 ccit]# cat hello.txt

Server1 changes

Server 2 

[root@ip-10-0-1-70 ccit]# vi hello.txt

[root@ip-10-0-1-70 ccit]# cat hello.txt

Server1 changes

Server2 changes

Server1 

[root@ip-10-0-1-62 ccit]# cat hello.txt

Server1 changes

Server2 changes

Web hosting on EFS using the second (nfs4) mount command

Server 1:

Step1: Install httpd, then mount EFS at the web root where the HTML page is created:

[root@ip-10-0-1-70 ccit]# sudo yum install -y httpd

[root@ip-10-0-1-70 ccit]#sudo systemctl start httpd

[root@ip-10-0-1-70 ccit]#sudo systemctl enable httpd

[root@ip-10-0-1-70 ccit]# sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-039d118041cebdc3f.efs.eu-west-2.amazonaws.com:/ /var/www/html/


Server 2:

[root@ip-10-0-1-70 ccit]#sudo yum install -y httpd

[root@ip-10-0-1-70 ccit]#sudo systemctl start httpd

[root@ip-10-0-1-70 ccit]#sudo systemctl enable httpd

[root@ip-10-0-1-70 ccit]# cd /var/www/html

[root@ip-10-0-1-70 html]# vi index.html

[root@ip-10-0-1-70 html]# cat index.html

<h1> welcome Server1 Efs</h1>

[root@ip-10-0-1-62 ccit]# sudo mount -t nfs4 -o nfsvers=4.1,rsize=1048576,wsize=1048576,hard,timeo=600,retrans=2,noresvport fs-039d118041cebdc3f.efs.eu-west-2.amazonaws.com:/ /var/www/html/

[root@ip-10-0-1-62 ccit]# cd /var/www/html

[root@ip-10-0-1-62 html]# ls

 index.html

[root@ip-10-0-1-62 html]# cat index.html

<h1> welcome Server1 Efs</h1>


Server 2: change index.html and add some text.
Step3:
[root@ip-10-0-1-70 html]# vi index.html
[root@ip-10-0-1-70 html]# cat index.html
<h1> welcome Server1 Efs, Server2 im changing</h1>

The changes are reflected in both index.html pages successfully.


--Thanks







Friday, June 13, 2025

VPC part4


Class 44: AWS VPC, June 13th

Hybrid Networking

What is VPN?

Software VPN

Hardware VPN

Direct Connect 

Software VPN Demo 

Hybrid Networking

  • Establishes communication between two different environments.
  • VPC Peering is the hybrid networking concept in AWS.
  • AWS takes complete responsibility for maintaining the peering.
  • We can create communication from an on-premises data center to the cloud, and cloud to cloud as well.
  • To create communication between on-premises and cloud we need the help of some explicit service like a VPN (Virtual Private Network).

VPN (Virtual Private Network)
A Virtual Private Network (VPN) is a technology that creates a secure, encrypted connection over a less secure network, such as the internet.
It is of two types:
 i. Software VPN
 ii. Hardware VPN
 i. Software VPN: on-prem -> cloud can connect; cloud -> on-prem cannot connect

  • We need to install software to establish the communication between the networks.
  • We should select a public subnet server and install the software VPN there, as well as on the on-premises system.
  • The public server works as a central location to maintain the traffic.
  • The communication is established over the internet using encrypted tunnels.
  • We can connect to private servers from around the world using a SW VPN (no location dependency).
  • It provides one-way communication only.
  • For example: OpenVPN, AnyConnect (free service), Cisco, AWS Client VPN.
 ii. Hardware VPN

  • Here a router setup (on-premises) is required to establish the communication (encrypted tunnel).
  • It is a fixed setup that works from the office environment only.
  • It is costlier than a software VPN setup.
  • The communication is established over the internet using encrypted tunnels.
  • It provides two-way communication.
  • For example: AWS Site-to-Site VPN (S2S).
Direct Connect (DC/DX)

  • Here AWS provides the service over physical cables; the internet is not required to set up the communication.
  • Not only EC2: IAM, S3 and all other AWS services can be reached without the internet.
  • It provides high data transfer rates as they are connected directly over the cables.
  • The problem with DC is that data transfer happens without encryption; we need the help of S2S VPN to send the data securely.
  • It provides two-way communication.

Software VPN
  • AWS Client VPN
  • 3rd-party providers: OpenVPN, Cisco, etc.
  • AnyConnect (free service)
Hardware VPN
  • AWS Site-to-Site VPN (S2S)

Practical: Software VPN
Step1: Create one instance in the private subnet of the VPC, and one more instance in the public subnet; that is where we set up the VPN.

Step2: Create one more instance for the VPN setup: Browse more AMIs and select the VPN AMI (the notes call it AnyConnect; the image launched is OpenVPN Access Server on Ubuntu, as the output below shows).

The VPN image is Ubuntu based; click Subscribe and do not change any security-related settings.

Select Create security group only and do not change it; it creates the protocol rules needed for the VPN. Make no other changes and click Launch instance.

Connect to the Ubuntu instance from the AWS console terminal only, not via SSH; if you want to connect with SSH, change the user from root to openvpnas:
ssh -i "AMAZON-LNX-KEY.pem" root@35.177.128.51 --> ssh -i "AMAZON-LNX-KEY.pem" openvpnas@35.177.128.51
The first prompt is the agreement; type yes, then press Enter to accept all the remaining defaults.


You can now continue configuring OpenVPN Access Server by
directing your Web browser to this URL:

https://35.177.128.51:943/admin

During normal operation, OpenVPN AS can be accessed via these URLs:
Admin  UI: https://35.177.128.51:943/admin
Client UI: https://35.177.128.51:943/
To login please use the "openvpn" account with "APkByt1I7gxT" password.

See the Release Notes for this release at:
   https://openvpn.net/vpn-server-resources/release-notes/


Step 3: Admin UI: log in with the "openvpn" account and the "APkByt1I7gxT" password

https://35.177.128.51:943/admin

and accept the agreement.
Step 3: Client UI: log in with the "openvpn" account and the "APkByt1I7gxT" password

Client UI: https://35.177.128.51:943/

Click Windows to install the VPN client locally.

Click Next and Install, click Agree, delete the existing connection, and supply the Ubuntu instance's public IP.

Click Next and give the user name "openvpn" and the "APkByt1I7gxT" password.

Enable the VPN and give the password; after some time the VPN connects.

Step4: Now we can reach the Windows machine from our local machine using RDP to its private IP:
10.0.1.43

The private cloud is reachable from the on-prem local machine; in real projects this is typically used for database access.

 -- VPN Concept completed 

Organizations

Introduction
Create Organization
Add and remove accounts 
Service control policies (SCPs)
AWS SSO-Identity Centre 

AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage.

AWS Organizations includes account management and consolidated billing capabilities that enable you to better meet the budgetary, security and compliance needs of your business.

Introduction

  • An organization helps you maintain all your AWS accounts under one account called the management account.
  • The management account is the parent container for all the added accounts (member accounts).
  • You create a policy (service control policy, SCP) to restrict resource access and apply it to all or selected member accounts in the organization.
  • An organization has one management account along with zero or more member accounts.
  • An account can be a member of only one organization at a time.
  • The management account admin has the ultimate privileges to invite new members and remove existing members from the organization.
  • The management account is responsible for the payments of all member accounts in the organization.
  • We can divide and manage the member accounts in different categories called organizational units (OUs).
  • Free-tier features apply with conditions; instead, AWS gives credits to the organization, which can be shared with the member accounts.
  • The management account can create new member accounts; only an email address is needed to create the account, as the management account takes care of billing.

  • No pending bill should remain on a member account if it wants to leave the organization.


Key points about SCPs:

  • SCPs apply to accounts, not to individual IAM users or roles.
  • SCPs set the maximum available permissions for all IAM users and roles in an account.
  • If an action is denied by an SCP, no IAM policy can override it.
  • SCPs are enforced only on member accounts, not on the management account.
  • AWS Organizations is an account management service.
  • Centralized billing and access management.
  • Access to services and regions can be restricted through service control policies (SCPs).
  • Eligible for credits/discounts from AWS, which can be shared with the member accounts.
  • Members can be divided into organizational units (OUs) to maintain security more flexibly.
  • The management account has the ultimate privileges to add/remove member accounts and set the SCPs.

Practical
 AWS Organizations > Creating an organization > click Create organization

Step1: Below is my management account (vakatisubbu); we add one more AWS account.
Step2: Invite another account to the organization by giving its AWS account ID and clicking Send invite; the notification is sent to the invited person in AWS Organizations.

Step3: After the invite is sent, the invited person accepts the request on the screen below.

Step4: The acceptance shows up in your organization as Accepted.

Step5: As shown below, the member account is added successfully; now my management account is responsible for the member account, and if the member account does not pay any bills, those bills must be paid by the management account.
Step6: We can create policies that restrict the member from leaving the organization.
AWS Organizations > Policies > click Enable service control policies.

Step7: By default we have FullAWSAccess; instead, create your own policy.
Give the policy any name: Org-block.
Under All services choose Organizations and select the LeaveOrganization action.
Click Add resource and then click Create policy.
After creating the policy, attach it to the member.

Step8: Now the member is unable to leave the organization and gets a permission denied error.

Step9: Using a service control policy you can limit what a member can do; for example, you may want to block S3 buckets.

Step10: If you create an organizational unit, all members in it get the same policy; create the unit and move the account into it.
Step11: Give any name (Group-unit) and click Create organizational unit.
Step12: Select the member, Actions > Move, select Group-unit and move the account.

Step13: The member is added to the unit.

Step14: The S3 policy we created earlier can be attached to the Group-unit (OU) rather than to individual members; here we have only one member.
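To make the SCP rules above concrete, the following Python is an added example (not from these notes): a simplified evaluator that decides whether an action is allowed once the Org-block SCP from Step7 and the S3 block from Step9 sit above an administrator-style IAM policy. The policy documents, the root/OU/account layout and the evaluation rules (explicit deny wins, an Allow must match at every SCP level, the management account is exempt) are my assumptions of how this page's setup would look; Resource, Condition and NotAction are not modelled.

```python
"""Effective permission = SCP ceiling AND IAM policy.

Added example, not from the original notes. Models the page's Org-block
SCP (deny organizations:LeaveOrganization) and the S3 block from Step9
next to an IAM policy that allows everything. Simplified evaluator:
explicit Deny wins, otherwise an Allow must match; Resource, Condition
and NotAction are not modelled.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_decision(policy, action):
    """'deny', 'allow' or 'implicit_deny' for one policy document."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if any(fnmatchcase(action, p) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "deny"            # explicit deny cannot be overridden
            allowed = True
    return "allow" if allowed else "implicit_deny"


def level_allows(policies, action):
    """One SCP level (root, OU or account): any explicit Deny blocks the
    action; otherwise at least one SCP attached at that level must Allow it.
    This is why detaching FullAWSAccess while adding a deny-only SCP
    blocks everything at that level."""
    decisions = [policy_decision(p, action) for p in policies]
    return "deny" not in decisions and "allow" in decisions


def is_allowed(action, iam_policy, scp_levels=(), is_management_account=False):
    """SCPs are skipped for the management account; a member account must
    pass every level from root down to the account, then its IAM policy."""
    if not is_management_account and not all(
            level_allows(level, action) for level in scp_levels):
        return False
    return policy_decision(iam_policy, action) == "allow"


# AWS-managed default SCP attached everywhere when SCPs are enabled.
FULL_AWS_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# The page's Org-block policy (Step7): members cannot leave the organization.
ORG_BLOCK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "organizations:LeaveOrganization", "Resource": "*"}]}

# The S3 block from Step9, attached to the Group-unit OU (Step14).
S3_BLOCK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "s3:*", "Resource": "*"}]}

# Administrator-style IAM policy inside the member account.
ADMIN_IAM = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# root -> Group-unit OU -> member account, as in the practical above.
MEMBER_SCP_LEVELS = [[FULL_AWS_ACCESS],
                     [FULL_AWS_ACCESS, S3_BLOCK],
                     [FULL_AWS_ACCESS, ORG_BLOCK]]

if __name__ == "__main__":
    for act in ("ec2:DescribeInstances", "s3:PutObject",
                "organizations:LeaveOrganization"):
        print(f"{act}: member={is_allowed(act, ADMIN_IAM, MEMBER_SCP_LEVELS)} "
              f"management={is_allowed(act, ADMIN_IAM, MEMBER_SCP_LEVELS, True)}")
```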
Identity Center: it is used for single sign-on.
It is a service that makes it easy to centrally manage access to multiple AWS accounts.

Click Enable.

Step1: Click Create permission set > give the name "permssion-set", select Custom permission set, and choose EC2, S3 and IAM.

Step2: Add the policy and click Create; this policy needs to be assigned to a user.

Step3: Create a user now: give any dummy email ID, click Next, Groups (0), click Next, click Add user.
Step4:

One more thing: disable MFA under Users > Settings > Multi-factor authentication > Configuration, select Never and click Save changes.

Step5: With the URL, user name and password, the login succeeds.

Step6: The screenshot above shows nothing because we have not given any permission to the user; for that, click the user we created and then Assign account.

Step7: For ccit-ssouser, select the member account and the permission set, then click Assign.

Click Assign; now the user can access the member permission set.

Step8:
 Now you see that the nprabhu AWS account permissions are given to ccit-sso (the identity user);
 the identity user can use the nprabhu member account policies.

Step9: Logged in as the identity user, a bucket was created and an image uploaded successfully.
In the rprabhu member account the bucket is created and the object uploaded successfully.

Step10: As shown below, 3 permissions are given to the ccit-ssouser identity user (this is single sign-on).
Step11: Actions > Remove the member and delete the identity user.

Step12: To finish, delete the Identity Center configuration.

Step13: Now the Identity Center configuration for the organization is deleted successfully; click Confirm.

After confirming, you get a message like the one below:
The AWS IAM Identity Center configuration in the Europe (London) region has been successfully deleted. You can enable it again in this or any other supported region

Note: Identity Center is enabled for the AWS account in only one region; it is not possible in multiple regions.


--Thanks