Architecture Services

Amazon SQS

  • ideal for solutions that must be durable and loosely coupled
  • pull-based (use SNS for pushing messages, especially broadcasting to multiple services)
  • Standard vs. FIFO: FIFO is very rigorous whereas Standard is best-effort. The trade-off is that Standard has unlimited throughput of transactions per sec. 
  • Short polling vs. Long polling = time to wait before polling again
    • ​Short polling is the default. When you poll the SQS, it doesn’t wait for messages to be available in the queue to respond. It checks a subset of servers for messages and may respond that nothing is available yet.
    • Long polling waits for a message to be in the queue before responding, so it uses fewer total requests and reduces cost.
  • batching adds efficiency
  • SQS doesn’t prioritize items in the queue. If you need to prioritize use multiple queues, one for each priority type
  • Max message size is 256kb (otherwise use S3 to log events), and max retention time of 14 days
  • When a reader picks a message from the queue, the message stays in the queue but is invisible until the job is processed. If the visibility timeout occurs (job is not processed in time), then the message reappears in the queue for another reader to take.
  • To use industry standards with Apache ActiveMQ, use an Amazon MQ instead of SQS (this is similar to using EKS instead of ECS, the industry-standard version of containers rather than the Amazon proprietary version)

Amazon SNS

  • fully managed messaging service for pushing async notifications, especially used for broadcasting to multiple services

Amazon Kinesis

  • for use cases that require ingestion of real-time data (e.g. IoT senor data)
  • Kinesis data stream is made up of shards, which are made up of data records, which each have a sequence #. Then you map devices to partition keys which group data by shard.

Amazon API Gateway

  • Throttling limits: you can configure a server-side throttling limit, a per-method throttling limit, a per-client throttling limit, and an account-level throttling limit.
  • API Caching for a STAGE by specifying a TTL = time-to-live (by default 300 seconds).

Amazon CloudFront

  • CloudFront distributes files from an origin. The origin can be an S3 bucket, EC2 instance, ELB, Route 53, or external.
  • CloudFront+S3
    • S3 can host a static website but not over HTTPS. For HTTPS use CloudFront+S3 instead. 
    • To prevent users accessing S3 content directly, create an origin access identity (OAI) which is a special CloudFront user and change S3 bucket permissions so that only the OAI can access. This is specific to CloudFront+S3.
  • Lambda@Edge is a feature of CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency
  • Field-level encryption is a feature that applies extra encryption at edge locations to ensure sensitive data provided by the user (e.g. PII) is secured end-to-end
  • Can be configured to load an error page (“content not found”) for operationally simple error handling
  • Not just for static content, CloudFront is used for streaming content too
  • Geo restriction (whitelist/blacklist access to content by country, e.g. due to copyright restrictions) 
  • Set the price class to US, Canada, Europe, etc. to determine where the content will be cached
  • To only allow specific IP addresses to access content, CloudFront can use signed URLs or signed cookies which include an expiration timestamp, and the range of IP addresses of users who can access the content.

AWS Global Accelerator

  • increases availability and performance
  • can be expensive
  • runs over AWS global network 
  • directs traffic to optimal endpoints across multiple regions
  • By default, provides you with 2 static IP addresses that are anycast from the AWS edge network. You can migrate existing IPv4 (/24) IPs rather than creating new.

AWS STS (Security Token Service)

  • request temporary limited-privilege credentials for IAM users, or for users that you authenticate such as federated users from an on-prem directory
  • Federation: STS can be used Federation (typically with Azure AD). It uses SAML 2.0 for authentication to grant temporary access based on the AD creds
  • Single Sign-On: STS can be used to develop a custom identity broker for SSO to a service such as the AWS management console:
    1. Verify that the user is authenticated on the local IDP (AD)
    2. Call STS AssumeRole or GetFederationToken API to get temp credentials
    3. Pass the temp creds to AWS federation endpoint to request a sign-in token
    4. Construct a URL to the service that includes the token which can be provided to the user

Amazon ECS

  • Container management service for Docker containers
  • Highly scalable / high performance, lets you run applications on an EC2 cluster 
  • ECS Launch Types
    1. Fargate Launch Type is serverless, managed by AWS
    2. EC2 Launch Type gives you direct access to the instances, but you have to manage them
  • ECS uses the ECS Service Auto Scaling (aka Application Auto Scaling) service to scale tasks using a scaling policy that you configure.  
  • ECS is about tasks. You pay for the running time of tasks. For example, you can’t add container instances to an IAM group, you associate tasks with IAM roles/groups.