Services comparison
Development
CDK vs CloudFormation
source: Rapid and flexible Infrastructure as Code using the AWS CDK with AWS Solutions Constructs
A CloudFormation template is YAML; it is not type-safe, so you can make errors and only find out at the very end whether it worked. With the CDK, you define the same resources as constructs in a programming language.
CDK VS SAM
- SAM:
  - Serverless focused
  - Write your template declaratively in JSON or YAML
  - Great for quickly getting started with Lambda
- CDK:
  - All AWS services
  - Write infra in a programming language: JavaScript/TypeScript, Python, Java, and .NET
  - Leverages CloudFormation
Network
VPC Security Group vs EC2 Security Group
TL;DR - Your EC2 instance is assigned to a VPC, so the VPC-SG security group becomes the outermost security layer and the EC2-SG security group comes next.
A Virtual Private Cloud (VPC) Security Group (SG) and an Elastic Compute Cloud (EC2) Security Group are both types of security groups that are used to control inbound and outbound traffic to resources in the AWS environment.
A VPC Security Group is associated with a VPC and is used to control the traffic to resources such as instances, subnets, and network interfaces within that VPC. It acts as a virtual firewall for the VPC and can be used to control traffic to and from the Internet, as well as traffic between different resources within the VPC.
An EC2 Security Group, on the other hand, is associated with an EC2 instance and is used to control the traffic to that specific instance. It acts as a virtual firewall for the instance and can be used to control traffic to and from the Internet, as well as traffic between different instances within the VPC.
In summary, a VPC Security Group controls the traffic to resources within a VPC, while an EC2 Security Group controls the traffic to a specific EC2 instance.
ALB vs API Gateway
Yes, API Gateway can replace what a Load Balancer would usually provide, with a simpler interface and many more features on top of it. The downside is that it doesn’t come cheap.
Despite the similarities, there are some key differences between ALB and API Gateway that could influence your decision over which one to adopt.
- Load Balancers (ALB): Traditionally used for load distribution in horizontally scaled infrastructure clusters to handle high demand. They also decouple clients and services, following good cloud architecture practices.
- API Gateway: Manages and balances network traffic in a distinct way, directing requests to specific resources based on the requested endpoints. It plays a crucial role in microservices architectures and is capable of routing requests to the appropriate backend services.
- Scaling: API Gateway, when integrated with AWS Lambda, seamlessly handles network scaling and request spikes, automatically adjusting to match demand without manual configuration. This can be crucial for avoiding throttling of client requests and maintaining performance.
- Additional Features: API Gateway offers features such as authentication, authorization, API token issuance, SDK generation, and IAM integration, simplifying access control and ensuring compliance with business requirements.
The following table summarizes some of the key differences between ALB and API Gateway:
| Feature | API Gateway | ALB |
| --- | --- | --- |
| Protocols supported | HTTP/2 (HTTP API, REST API), WebSockets | HTTP/2, WebSockets, gRPC |
| HTTPS | Out-of-the-box support | SSL certificate configuration required for SSL termination |
| A/B testing support | Support through defining separate routes | Load balancing based on % of traffic |
| Load balancing strategy | Round robin | Round robin or least connections strategies |
| AWS service integration | Amazon EC2, Amazon ECS, AWS Lambda, Amazon S3, Amazon Kinesis | Amazon EC2, Amazon ECS, AWS Lambda |
| Sticky session support | No out-of-the-box support | Direct support |
| REST API management support | Integrated REST API management platform | Requires additional coding to support |
References:
- Can API Gateway act as Load Balancer
- API Gateway vs ALB
- Battle of the Serverless API Routers: ALB vs. API Gateway - Feature Comparison
Which to Use?
The choice between API Gateway and ALB depends on factors like traffic levels, features required, and cost considerations. ALB is cost-effective for low-traffic or undifferentiated applications, while API Gateway is suitable for complex security measures and fine-grained access control that could save development teams hours of maintenance in the long run. The limitations include a 29-second timeout for API Gateway, while ALB can scale to handle very high request volumes.
That said, we’d be remiss if we didn’t point out that, sometimes, the answer to the question of ALB versus API Gateway is “both”! An HTTP API in API Gateway can itself redirect to an ALB, which then load-balances requests across back-end resources such as EC2 instances or Docker containers. Such an architecture is ideal if you want to add load balancing capabilities to the powerful REST API management capabilities of API Gateway.
Kinesis
Kinesis Data Firehose vs Kinesis Data Streams
- Kinesis Data Streams provides support for real-time processing of streaming data. It provides ordering of records, as well as the ability to read and/or replay records in the same order to multiple downstream Amazon Kinesis Applications. [Output is data processing tool (Consumer)]
- Kinesis Data Firehose is used to load streaming data into data stores ( S3, Redshift, Elasticsearch Service, and Splunk) [Output is datastore]
- Kinesis Data Firehose also natively integrates with Amazon Kinesis Data Analytics which provides you with an efficient way to analyze and transform streaming data using Apache Flink and SQL applications.
Kinesis Data Streams vs SQS
With Kinesis Data Streams, you need to manually provision shards when the load increases, or you need to use CloudWatch alarms to set up auto scaling for the shards.
Kinesis Agent vs Kinesis Producer Library
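The shard-provisioning point above, as an added example that is not part of the original notes: a sizing helper based on the per-shard limits of Kinesis Data Streams (1 MiB/s or 1,000 records/s of writes and 2 MiB/s of reads per shard), plus a decision function that mimics the high/low CloudWatch alarms you would put on IncomingBytes and IncomingRecords. The function names, watermarks and the "shared consumers divide the read budget" assumption are mine.

```python
import math

# Per-shard service limits of Kinesis Data Streams:
# writes: 1 MiB/s and 1,000 records/s per shard; reads: 2 MiB/s per shard (shared-throughput consumers).
SHARD_WRITE_BYTES_PER_SEC = 1024 * 1024
SHARD_WRITE_RECORDS_PER_SEC = 1000
SHARD_READ_BYTES_PER_SEC = 2 * 1024 * 1024


def required_shards(write_bytes_per_sec, records_per_sec, read_bytes_per_sec, consumers=1):
    """Smallest shard count that satisfies write bytes, record rate and aggregate read demand.

    Assumption: shared-throughput consumers all read the full stream, so total read demand
    is read_bytes_per_sec * consumers (enhanced fan-out consumers would not share the budget)."""
    by_write_bytes = math.ceil(write_bytes_per_sec / SHARD_WRITE_BYTES_PER_SEC)
    by_records = math.ceil(records_per_sec / SHARD_WRITE_RECORDS_PER_SEC)
    by_reads = math.ceil(read_bytes_per_sec * consumers / SHARD_READ_BYTES_PER_SEC)
    return max(1, by_write_bytes, by_records, by_reads)


def scaling_decision(current_shards, incoming_bytes_per_min, incoming_records_per_min,
                     high_watermark=0.8, low_watermark=0.3):
    """Mimic a pair of CloudWatch alarms on the 1-minute sums of IncomingBytes / IncomingRecords.

    Utilisation is the worse of the byte and record dimensions against the current write capacity.
    Returns "scale_out", "scale_in" or "hold"; a single shard is never scaled in."""
    write_cap_bytes = current_shards * SHARD_WRITE_BYTES_PER_SEC * 60
    write_cap_records = current_shards * SHARD_WRITE_RECORDS_PER_SEC * 60
    utilisation = max(incoming_bytes_per_min / write_cap_bytes,
                      incoming_records_per_min / write_cap_records)
    if utilisation >= high_watermark:
        return "scale_out"
    if utilisation <= low_watermark and current_shards > 1:
        return "scale_in"
    return "hold"
```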
Kinesis Agent is a stand-alone Java software application that offers an easy way to collect and send data to Kinesis Data Streams. The agent continuously monitors a set of files and sends new data to your stream. The agent handles file rotation, checkpointing, and retry upon failures. It delivers all of your data in a reliable, timely, and simple manner. It also emits Amazon CloudWatch metrics to help you better monitor and troubleshoot the streaming process.
The KPL is an easy-to-use, highly configurable library that helps you write to a Kinesis data stream. It acts as an intermediary between your producer application code and the Kinesis Data Streams API actions.
CloudFront
Signed URLs (CloudFront) vs Signed Cookies (CloudFront) vs Presigned URLs (S3)
There is an excellent post that you should check: CloudFront Signed URLs / Cookies and S3 Presigned URLs
S3 and CloudFront signed URLs
As a rule of thumb, if the content is stored in S3 then opt for S3 signed URLs as they provide the greatest flexibility.
If you need to serve a lot of files and want to take advantage of the request multiplexing of HTTP/2, tunnel S3 signed URLs through CloudFront.
Security
WAF VS AWS Shield Advanced
TL;DR
- AWS WAF
  - Provides protection on the application layer (layer 7), while AWS Shield protects the infrastructure layers (layers 3/4) of the OSI model.
  - Targets common web exploits such as cross-site scripting, SQL injection, and brute-force HTTP flood attacks.
- AWS Shield Advanced
  - Protects against DDoS attacks.
AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards web applications running on AWS. It also provides protection against common and most frequently occurring infrastructure (layer 3 and 4) attacks like SYN/UDP floods, reflection attacks, and others to support high availability of your applications on AWS.
AWS Shield Standard cannot protect your AWS bill from usage spikes due to DDoS attacks. Only with AWS Shield Advanced do you get DDoS cost protection for scaling, a feature that protects your AWS bill from usage spikes on your AWS Shield
AWS WAF is included in an AWS Shield Advanced subscription, so AWS Shield itself is not a WAF, but with the Advanced subscription you get WAF at no extra charge.
AWS WAF
AWS WAF is a web application firewall that helps protect web applications from attacks by allowing you to configure rules that allow, block, or monitor (count) web requests based on conditions that you define. These conditions include IP addresses, HTTP headers, HTTP body, URI strings, SQL injection and cross-site scripting.
You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.
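The allow/block/count rule model described above, as an added example that is not code from the original notes: a small generator for the rule objects that the WAFv2 API accepts (the shape used by the `--rules` argument of `aws wafv2 create-web-acl`), covering a rate-based rule for HTTP floods and SQLi/XSS match rules, rolled out in Count mode first so the CloudWatch metrics can be reviewed for false positives before switching to Block. Function names, rule names, the 2000-requests-per-5-minutes limit and the metric names are my own choices.

```python
import json


def visibility(metric_name):
    """CloudWatch metric plus sampled requests: required on every rule and what you review before enforcing."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


def rate_limit_rule(priority, limit_per_5min, mode="Count"):
    """Rate-based rule for HTTP floods: Limit is requests per 5-minute window from a single source IP."""
    return {
        "Name": "rate-limit-per-ip",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit_per_5min, "AggregateKeyType": "IP"}},
        "Action": {mode: {}},
        "VisibilityConfig": visibility("rateLimitPerIp"),
    }


def injection_rule(priority, kind, mode="Count"):
    """SQLi or XSS inspection of query string and body, after URL and HTML-entity decoding."""
    statement_key = {"sqli": "SqliMatchStatement", "xss": "XssMatchStatement"}[kind]
    transforms = [{"Priority": 0, "Type": "URL_DECODE"}, {"Priority": 1, "Type": "HTML_ENTITY_DECODE"}]
    parts = [{"QueryString": {}}, {"Body": {}}]
    return {
        "Name": f"match-{kind}",
        "Priority": priority,
        "Statement": {"OrStatement": {"Statements": [
            {statement_key: {"FieldToMatch": part, "TextTransformations": transforms}} for part in parts]}},
        "Action": {mode: {}},
        "VisibilityConfig": visibility(f"{kind}Rule"),
    }


def web_acl_rules(enforce=False):
    """Full rule list. enforce=False gives Count-only rules for a monitoring phase; True switches to Block."""
    mode = "Block" if enforce else "Count"
    return [rate_limit_rule(0, 2000, mode), injection_rule(1, "sqli", mode), injection_rule(2, "xss", mode)]


def rules_json(enforce=False):
    """Serialised rule list, e.g. for `aws wafv2 create-web-acl --rules file://rules.json`."""
    return json.dumps(web_acl_rules(enforce), indent=2)
```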
Monitor
AWS Health Dashboard
As of Feb 28, 2022, AWS combined the AWS Service Health Dashboard and the Personal Health Dashboard into the AWS Health Dashboard. (Ref)
Source: New – AWS Personal Health Dashboard – Status You Can Relate To
AWS Health notifies you about service events, planned changes, and account notifications to help you manage and take actions. Sign into your AWS Health Dashboard to view account-specific Health information or receive Health event updates using Amazon EventBridge. You can also access AWS Health programmatically using AWS Health API, available with AWS Premium Support.
You can select the following types of targets when using Amazon EventBridge (Amazon CloudWatch Events) as a part of your AWS Health workflow:
- AWS Lambda functions
- Kinesis streams
- Amazon SQS queues
- Built-in targets (CloudWatch alarm actions)
- Amazon SNS topics
The AWS Health API provides programmatic access to the AWS Health information that appears in the AWS Personal Health Dashboard. You can use the API operations to get information about events that might affect your AWS services and resources.
You must have a Business or Enterprise Support plan from AWS Support to use the AWS Health API. If you call the AWS Health API from an AWS account that doesn't have a Business or Enterprise Support plan, you receive a SubscriptionRequiredException error.
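The EventBridge route for AWS Health events described above, as an added example that is not from the original notes or from AWS: an event pattern that selects Health events for chosen services and categories, a matcher implementing the subset of EventBridge semantics the pattern uses (exact-value lists and nested objects), and a helper that pulls affected resource ids out of a matched event. The sample event is constructed; its `detail` keys follow the AWS Health event schema as I know it, and all values are placeholders.

```python
# Constructed sample of an AWS Health event as delivered through EventBridge.
# Values (ARN, instance id) are placeholders, not real identifiers.
SAMPLE_EVENT = {
    "source": "aws.health",
    "detail-type": "AWS Health Event",
    "region": "us-east-1",
    "detail": {
        "eventArn": "arn:aws:health:us-east-1::event/EC2/AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED/placeholder",
        "service": "EC2",
        "eventTypeCode": "AWS_EC2_INSTANCE_RETIREMENT_SCHEDULED",
        "eventTypeCategory": "scheduledChange",
        "affectedEntities": [{"entityValue": "i-0123456789abcdef0"}],
    },
}


def health_pattern(services, categories=("issue", "scheduledChange")):
    """EventBridge event pattern: Health events for the given services and event categories only."""
    return {
        "source": ["aws.health"],
        "detail-type": ["AWS Health Event"],
        "detail": {"service": list(services), "eventTypeCategory": list(categories)},
    }


def matches(pattern, event):
    """Subset of EventBridge matching used by health_pattern(): every pattern key must be present
    in the event; a dict value is a nested pattern, a list value is the set of allowed literals."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif actual not in expected:
            return False
    return True


def affected_entities(event):
    """Resource identifiers named by a matched event, for the ticket or runbook the target creates."""
    return [e["entityValue"] for e in event["detail"].get("affectedEntities", [])]
```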
Management & Governance
AWS SSO vs AWS Cognito
- Amazon Cognito is an identity management solution for developers building B2C or B2B apps for their customers, which makes it a customer-targeted IAM and user directory solution.
- It also provides certain security features, such as advanced security features, integration with WAF, and customization of the login page, which can give your web application an edge.
- AWS SSO is focused on SSO for employees accessing AWS and business apps, initially with Microsoft AD as the underlying employee directory.
Billing Alerts vs AWS Budgets
Source: Control Your AWS Costs
Billing Alerts are very limited compared to Budgets. Most notably, a billing alarm represents only the amount you have already been charged. In contrast, a budget can alert you based on forecasted charges, which gives you a heads-up to figure out what's happening before you get hit with an excess bill.
The other key difference is that Budgets allow you to create filtered alarms, only for the regions and services of interest. Filtering by region is not possible with billing alerts. Budgets also support linked accounts, which again is not possible with billing alerts.
Finally, budgets are far easier to use, set up and manage than billing alerts.
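The three differences above (actual vs forecasted charges, region filtering, linked accounts), as an added example that is not part of the original notes: the same "warn me about unexpected spend" intent expressed as a classic CloudWatch billing alarm and as an AWS Budgets definition, in the request shapes of `put-metric-alarm` and `create-budget`. Names, thresholds, the region, the account id and the e-mail address are constructed placeholders.

```python
def billing_alarm(threshold_usd, sns_topic_arn):
    """CloudWatch billing alarm: evaluates EstimatedCharges, i.e. charges already incurred,
    for the whole account; there is no per-region dimension to filter on.
    The metric is published about every six hours, hence the 21600-second period."""
    return {
        "AlarmName": "estimated-charges-over-threshold",
        "Namespace": "AWS/Billing",
        "MetricName": "EstimatedCharges",
        "Dimensions": [{"Name": "Currency", "Value": "USD"}],
        "Statistic": "Maximum",
        "Period": 21600,
        "EvaluationPeriods": 1,
        "Threshold": float(threshold_usd),
        "ComparisonOperator": "GreaterThanThreshold",
        "AlarmActions": [sns_topic_arn],
    }


def monthly_cost_budget(limit_usd, regions, linked_accounts, email, forecast_pct=80.0):
    """AWS Budgets definition: scoped to chosen regions and linked accounts, and notifying when the
    FORECASTED month-end cost passes forecast_pct of the limit, i.e. before the spend happens."""
    budget = {
        "BudgetName": "monthly-cost-filtered",
        "BudgetType": "COST",
        "TimeUnit": "MONTHLY",
        "BudgetLimit": {"Amount": str(limit_usd), "Unit": "USD"},
        "CostFilters": {"Region": list(regions), "LinkedAccount": list(linked_accounts)},
    }
    notifications = [{
        "Notification": {
            "NotificationType": "FORECASTED",
            "ComparisonOperator": "GREATER_THAN",
            "Threshold": float(forecast_pct),
            "ThresholdType": "PERCENTAGE",
        },
        "Subscribers": [{"SubscriptionType": "EMAIL", "Address": email}],
    }]
    # Pass "Budget" to --budget and "NotificationsWithSubscribers" to --notifications-with-subscribers.
    return {"Budget": budget, "NotificationsWithSubscribers": notifications}
```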