Common AWS Architecture Patterns
Compute
High availability and elastic scalability for web servers
=> Use Amazon EC2 Auto Scaling and an Application Load Balancer across multiple AZs
Low-latency connections over UDP to a pool of instances running a gaming application
=> Use a Network Load Balancer with a UDP listener
Clients need to whitelist static IP addresses for a highly available load balanced application in an AWS Region
=> Use an NLB and assign a static (Elastic) IP address in each AZ
Application on EC2 in an Auto Scaling group requires disaster recovery across Regions
=> Create an ASG in a second Region with the capacity set to 0. Take snapshots and copy them across Regions (Lambda or DLM)
Application on EC2 must scale in larger increments if a big increase in traffic occurs, compared to small increases in traffic
=> Use Auto Scaling with a Step Scaling policy and configure a larger capacity increase
Need to scale EC2 instances behind an ALB based on the number of requests completed by each instance
=> Configure a target tracking policy using the ALBRequestCountPerTarget metric
Need to run a large batch computing job at the lowest cost. Must be managed. Nodes can pick up where others left off in case of interruption
=> Use a managed AWS Batch job and use EC2 Spot instances
A tightly coupled High Performance Computing (HPC) workload requires low-latency between nodes and optimum network performance
=> Launch EC2 instances in a single AZ in a cluster placement group and use an Elastic Fabric Adapter (EFA)
LOB application (Line of Business) receives weekly burst of traffic and must scale for short periods – need the most cost-effective solution
=> Use reserved instances for minimum required workload and then use Spot instances for the bursts in traffic
Application must start up quickly when launched by the ASG but requires application dependencies and code to be installed
=> Create an AMI that includes the application dependencies and code
Application runs on EC2 behind an ALB. Once authenticated, users should not need to reauthenticate if an instance fails
=> Enable sticky sessions for the target group, or alternatively use a session store such as DynamoDB
Databases
Relational database running on MySQL must be migrated to AWS and must be highly available
=> Use Amazon RDS MySQL and configure a Multi-AZ standby node for HA
Amazon RDS DB has high query traffic that is causing performance degradation
=> Create a Read Replica and configure the application to use the reader endpoint for database queries
Amazon RDS DB is approaching its storage capacity limits and/or is suffering from high write latency
=> Scale up the DB instance to an instance type that has more storage / CPU
Amazon RDS database is unencrypted and a cross-Region read replica must be created with encryption
=> Encrypt a snapshot of the main DB and create a new encrypted DB instance from the encrypted snapshot. Create an encrypted cross-Region read replica
Amazon Aurora DB deployed and requires a Cross-Region replica
=> Deploy an Aurora MySQL Replica in the second Region
Amazon Aurora deployed and app in another Region requires read-only access with low latency – synchronization latency must also be minimized
=> Use Aurora Global Database and configure the app in the second Region to use the reader endpoint
Application and DB migrated to Aurora and requires the ability to write to the DB across multiple nodes
=> Use Aurora Multi-Master for an in-region multi-master database
Application requires a session-state data store that provides low-latency
=> Use either Amazon ElastiCache or DynamoDB
Multi-threaded in-memory datastore required for unstructured data
=> Use Amazon ElastiCache Memcached
In-memory datastore required that offers microsecond performance for unstructured data
=> Use Amazon DynamoDB Accelerator (DAX)
In-memory datastore required that supports data persistence and high availability
=> Use Amazon ElastiCache Redis
Serverless database required that supports a NoSQL key-value store workload
=> Use Amazon DynamoDB
Serverless database required that supports MySQL or PostgreSQL
=> Use Amazon Aurora Serverless
Relational database required for a workload with an unknown usage pattern (usage expected to be low and variable)
=> Use Amazon Aurora Serverless
Application requires a key-value database that can be written to from multiple AWS Regions
=> Use DynamoDB Global Tables
Deployment and Management
Global company needs to centrally manage creation of infrastructure services to accounts in AWS Organizations
=> Define infrastructure in CloudFormation templates, create Service Catalog products and portfolios in central account and share using Organizations
Company is concerned about malicious attacks on RDP and SSH ports for remote access to EC2
=> Deploy the Systems Manager agent and use Session Manager, so no inbound RDP or SSH ports need to be open
The development team requires a method of deploying applications using CloudFormation. Developers typically use JavaScript and TypeScript
=> Define resources in JavaScript and TypeScript and use the AWS Cloud Development Kit (CDK) to create CloudFormation templates
Need to automate the process of updating an application when code is updated
=> Create a CodePipeline that sources code from CodeCommit and use CodeBuild and CodeDeploy
Need to safely deploy updates to EC2 through a CodePipeline. Resources defined in CloudFormation templates and app code stored in S3
=> Use CodeBuild to automate testing, use CloudFormation change sets to evaluate changes, and use CodeDeploy to deploy using a blue/green deployment pattern
Company currently uses Chef cookbooks to manage infrastructure and is moving to the cloud. Need to minimize migration complexity
=> Use AWS OpsWorks for Chef Automate
Security
Need to enable custom domain name and encryption in transit for an application running behind an Application Load Balancer
=> Use Amazon Route 53 to create an Alias record pointing to the ALB’s DNS name and attach an SSL/TLS certificate issued by AWS Certificate Manager (ACM) to the ALB listener
Company records customer information in CSV files in an Amazon S3 bucket and must not store PII data
=> Use Amazon Macie to scan the S3 bucket for any PII data
For compliance reasons all S3 buckets must have encryption enabled and any non-compliant buckets must be auto remediated
=> Use AWS Config to check the encryption status of the buckets and use auto remediation to enable encryption as required
EC2 instances must be checked against CIS benchmarks every 7 days
=> Install the Amazon Inspector agent and configure a host assessment every 7 days
Website running on EC2 instances behind an ALB must be protected against well-known web exploits
=> Create a Web ACL in AWS WAF to protect against web exploits and attach to the ALB
Need to block access to an application running on an ALB from connections originating in a specific list of countries
=> Create a Web ACL in AWS WAF with a geographic match and block traffic that matches the list of countries
Monitoring, Logging and Auditing
Need to stream logs from Amazon EC2 instances in an Auto Scaling Group
=> Install the unified CloudWatch Agent and collect log files in Amazon CloudWatch
Need to collect metrics from EC2 instances with a 1 second granularity
=> Create a high-resolution custom metric (1-second granularity)
The application logs from on-premises servers must be processed by AWS Lambda in real time
=> Install the unified CloudWatch Agent on the servers and use a subscription filter in CloudWatch to connect to a Lambda function
CloudWatch Logs entries must be transformed with Lambda and then loaded into Amazon S3
=> Configure a Kinesis Data Firehose destination, transform the records with Lambda, and then load them into an S3 bucket
CloudWatch Logs entries must be analyzed and stored centrally in a security account
=> Use cross-account sharing and configure a Kinesis Data Stream in the security account to collect the log files then use Lambda to analyze and store
Access auditing must be enabled and records must be stored for a minimum of 5 years. Any attempts to modify the log files must be identified
=> Create a trail in CloudTrail that stores the data in an S3 bucket and enable log file integrity validation
API activity must be captured from multiple accounts and stored in a central security account
=> Use CloudTrail in each account to record API activity and use cross-account access to a security account to store the log files in a central S3 bucket
Need to trace and debug application with distributed components
=> Use AWS X-Ray to trace and debug the application
Analytics
Athena is being used to analyze a large volume of data based on date ranges. Performance must be optimized
=> Store data using Apache Hive partitioning with a partition key based on the date. Use the Apache Parquet or ORC storage formats
Lambda is processing streaming data from API Gateway and is generating a TooManyRequestsException as volume increases
=> Stream the data into a Kinesis Data Stream from API Gateway and process in batches
Lambda function is processing streaming data that must be analyzed with SQL
=> Load data into a Kinesis Data Stream and then analyze with Kinesis Data Analytics
Security logs generated by AWS WAF must be sent to a third-party auditing application
=> Send the logs to Kinesis Data Firehose and configure the auditing application as an HTTP endpoint destination
Real-time streaming data must be stored for future analysis
=> Ingest data into a Kinesis Data Stream and then use Firehose to load to a data store for later analysis
Company runs several production databases and must run complex queries across a consolidated data set for business forecasting
=> Load the data from the OLTP databases into a Redshift data warehouse for OLAP
Migration and Transfer
Company is migrating Linux and Windows VMs in VMware to the cloud. Need to determine performance requirements for right-sizing
=> Install the Application Discovery Service discovery connector in VMware vCenter to gather data
Company has a mixture of VMware VMs and physical servers to migrate to AWS. Need to identify dependencies for grouping applications for migration
=> Install the Application Discovery Service discovery connector in VMware vCenter and the discovery agent on physical servers
Need to migrate an Oracle data warehouse to AWS
=> Migrate using AWS DMS and SCT to a Redshift data warehouse
Snowball Edge used to transfer millions of small files using a shell script. Transfer times are very slow
=> Perform multiple copy operations at one time by running each command from a separate terminal, in separate instances of the Snowball client
Need to minimize downtime for servers that must be migrated to AWS
=> Use AWS SMS and perform a final synchronization before cutting over in a short outage window
Need to migrate 50 TB of data and the company only has a 1 Gbps internet link. The requirement is urgent
=> Use AWS Snowball to transfer the data
Containers and PaaS
Company plans to deploy Docker containers on AWS at the lowest cost
=> Use Amazon ECS with a cluster of Spot instances and enable Spot instance draining
Company plans to migrate Docker containers to AWS and does not want to manage operating systems
=> Migrate to Amazon ECS using the Fargate launch type
Fargate task is launched in a private subnet and fails with error “CannotPullContainer”
=> Disable auto-assignment of public IP addresses and configure a NAT gateway
Application will be deployed on Amazon ECS and must scale based on memory
=> Use ECS service auto scaling based on the memory utilization metric
Application will run on Amazon ECS tasks across multiple hosts and needs access to an Amazon S3 bucket
=> Use a task execution IAM role to provide permissions to the S3 bucket
Company requires standard Docker container automation and management service to be used across multiple environments
=> Deploy Amazon EKS
Company needs to move many simple web apps running on PHP, Java, and Ruby to AWS. Utilization is very low
=> Deploy to single-instance Elastic Beanstalk environments
Business critical application running on Elastic Beanstalk must be updated. Require zero downtime and quick and complete rollback
=> Update using an immutable update with a new ASG and swap traffic
A development application running on Elastic Beanstalk needs a cost-effective and quick update. Downtime is acceptable
=> Use an all-at-once update
Need a managed environment for running a simple web application. App processes incoming data which can take several minutes per task
=> Use an Elastic Beanstalk environment with a web server tier for the app front end and a decoupled worker tier for the long-running process
Serverless
Application includes EC2 and RDS. Spikes in traffic causing writes to be dropped by RDS
=> Decouple EC2 and RDS database with an SQS queue; use Lambda to process records in the queue
Migrate a decoupled on-premises web app. Users upload files, and a processing tier processes them and stores them in an NFS file system. Must scale dynamically
=> Migrate to EC2 instances, SQS and EFS. Use Auto Scaling and scale the processing tier based on the SQS queue length
Lambda function execution time has increased significantly as the number of records in the data to process has increased
=> Optimize execution time by increasing memory available to the function which will proportionally increase CPU
API Gateway forwards streaming data to AWS Lambda to process and TooManyRequestsException is experienced
=> Send the data to a Kinesis Data Stream and then configure Lambda to process in batches
Migrating app with highly variable load to AWS. Must be decoupled and orders must be processed in the order they are received
=> Implement an Amazon SQS FIFO queue to preserve the record order
Company needs to process large volumes of media files with Lambda, which takes over 2 hours. Need to optimize time and automate the whole process
=> Configure a Lambda function to write jobs to a queue. Configure the queue as input to Step Functions, which will coordinate multiple functions to process in parallel
Objects uploaded to an S3 bucket must be processed by AWS Lambda
=> Create an event source notification to notify Lambda function to process new objects
Company requires API events that involve the root user account to be captured in a third-party ticketing system
=> Create a CloudTrail trail and an EventBridge rule that matches API events involving the root user, put the events on an SQS queue, and process the queue with Lambda
Legacy application uses many batch scripts that process data and pass on to next script. Complex and difficult to maintain
=> Migrate scripts to AWS Lambda functions and use AWS Step Functions to coordinate components
Lambda processes objects created in bucket. Large volumes of objects can be uploaded. Must ensure function does not affect other critical functions
=> Configure reserved concurrency to set the maximum limit for the function. Monitor critical functions’ CloudWatch alarms for the Throttles Lambda metric
EC2 instance processes images using JavaScript code and stores in S3. Load is highly variable. Need a more cost-effective solution
=> Replace EC2 with AWS Lambda function
Solutions Architect needs to update Lambda function code using canary strategy; traffic should be routed based on weights
=> Create an Alias for the Lambda function and configure weights to Lambda versions
App uses an API Gateway regional REST API. The app has just gone global and performance has suffered
=> Convert API to an edge-optimized API to optimize for the global user base
App uses API Gateway and Lambda. During busy periods many requests fail multiple times before succeeding. No errors reported in Lambda
=> The throttle limit may be configured with a value that is too low. Increase the throttle limit
Need to ensure only authorized IAM users can access REST API on API Gateway
=> Set authorization to AWS_IAM for the API Gateway method. Grant execute-api:Invoke permissions in an IAM policy attached to the authorized users