How to pass AWS Solutions Architect Professional Exam?

Talha Ocakçı
9 min read · Sep 8, 2018


First things first: passing the exam does not mean you are a solutions architect. Second, the real target is to be a solutions architect, not a plain certificate holder. So a certificate may be required, but it is not sufficient for a real job.

If we agree on that, we can talk about the details of both the exam and the AWS environment, and how the AWS certification exam evaluates you. By the way, I prepared for the associate exam with this course. I highly recommend it.

AWS simply evaluates whether you can reproduce, on virtual machines in a cloud environment, a network structure that would otherwise be built with real machines, cables, routers, etc. It also evaluates your ability to protect that network from internal mistakes and external attacks while minimizing costs, avoiding repeated manual operations and automating tasks.

How do the AWS Solutions Architect Associate and Professional exams evaluate you?

The Associate exam simply evaluates your familiarity with:

  1. Network terms such as CIDR, subnets, routers, gateways, load balancers, firewalls, etc., and how to combine them to architect a secure and scalable network.
  2. The responsibilities of AWS customers and of AWS itself.
  3. Usage of AWS-specific services.

Learning the first two items is useful for on-prem networks and all cloud providers alike. The second and third items are AWS-specific: they may differ on other cloud providers and may not exist at all for on-prem networks. While learning the AWS-specific services, I learnt many things related to software programming, so I think paying attention to the internal details of these services will open your eyes. For instance, I enjoyed reading about the DynamoDB billing algorithm, some algorithms in Kinesis, the usage of Elastic Network Interfaces, IAM role usage and much more.

The Professional exam evaluates whether you have actually used what you demonstrated you know in the Associate exam. It also asks many questions about connecting on-prem and cloud networks. Many questions ask you to select 2 or 3 possibly correct options out of 5 or 6; you need to select the options with the minimum cost, minimum effort or maximum security.

Creating a secure network and serving your application

The most important AWS items are VPC and EC2, since they are the backbone of any type of application. We build everything on top of them. You must be comfortable with these topics:

  • Serving your applications inside a virtual private cloud (VPC). You need to set up several subnets for your application servers, DB servers, etc., make them communicate with each other via route tables, and prevent connections from other VPC subnets or from outside with security groups or network access control lists.
  • Protecting your network from external attacks: when to use security groups, when to use IAM roles or users, and when to use network access control lists. Managing inbound and outbound connections and stateful/stateless rules is important.
  • Connecting your VPC to the internet with an Internet Gateway or NAT instances. You need to know when to prefer an IGW over NAT instances, and why. You also need to know when and why NAT instances may become a bottleneck.
  • Using enhanced networking with a placement group to minimize latency between application servers.
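The stateful/stateless distinction above is what the exam probes with scenario questions. As an added example (not code from the post), the small Python simulation below models a security group and a NACL filtering one HTTPS request and its reply; the rule sets and the client's ephemeral port are constructed for illustration:

```python
"""Stateful security group vs. stateless NACL, as a small simulation.

Added example, not code from the original post. A client on the internet opens
a TCP connection to a web server in a subnet. A security group is stateful: if
the inbound request is allowed, the reply is allowed automatically. A NACL is
stateless: the reply to the client's ephemeral port needs its own outbound rule,
and rules are evaluated in number order with an implicit deny at the end. Port
ranges and rule sets below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str          # "inbound" or "outbound"
    port_from: int
    port_to: int
    action: str = "allow"   # NACL rules may also be "deny"; SG rules only allow

    def matches(self, direction: str, port: int) -> bool:
        return self.direction == direction and self.port_from <= port <= self.port_to


def security_group_allows(rules, direction, port):
    """Stateful filter: any matching rule permits the packet."""
    return any(r.matches(direction, port) for r in rules)


def nacl_allows(rules, direction, port):
    """Stateless filter: the first matching rule (in rule-number order) decides;
    no match means the implicit deny."""
    for r in rules:
        if r.matches(direction, port):
            return r.action == "allow"
    return False


def tcp_exchange_passes(sg_rules, nacl_rules, dst_port=443, ephemeral_port=51234):
    """Both the request (inbound to dst_port) and the reply (outbound to the
    client's ephemeral port) must get through the SG and the NACL."""
    sg_request = security_group_allows(sg_rules, "inbound", dst_port)
    sg_reply = sg_request            # stateful: the reply rides on the tracked connection
    nacl_request = nacl_allows(nacl_rules, "inbound", dst_port)
    nacl_reply = nacl_allows(nacl_rules, "outbound", ephemeral_port)
    return sg_request and sg_reply and nacl_request and nacl_reply


# Constructed rule sets: the SG opens HTTPS; the first NACL forgets the reply path.
WEB_SG = [Rule("inbound", 443, 443)]
NACL_MISSING_EPHEMERAL = [Rule("inbound", 443, 443)]
NACL_CORRECT = [Rule("inbound", 443, 443), Rule("outbound", 1024, 65535)]
```

With `NACL_MISSING_EPHEMERAL` the request reaches the server but the reply is dropped, which is the classic "it works with the security group but not with the NACL" scenario.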

Autoscaling the application servers for higher availability and fault tolerance

One of the most important reasons for using cloud platforms is being able to provision new virtual machines on demand and use them as a cluster for horizontal scaling.

AWS uses auto scaling groups and EC2 instances (spot, reserved and on-demand) for horizontal scalability.

The certification exam evaluates whether you can:

  • Recognize spikes in CPU and RAM usage with CloudWatch.
  • Create auto scaling groups with several EC2 instances using Amazon Machine Images, and distribute the common configuration to new EC2 instances.
  • Scale down when the CPU or RAM load on the virtual machines decreases, to minimize costs.
  • Ignore CPU bursts and prevent unnecessary scale-up operations. This is crucial: some DDoS attacks may cause several scale-up operations that inflate your costs. You need to make sure a scale-up is really necessary by using warm-up thresholds.
  • Use the correct type of load balancer and configure it for multi-AZ (availability zone) load distribution.
  • Use Route 53 to distribute load across multiple regions for high availability. You also need to be able to select the correct routing strategy, such as latency-based or weighted routing.
  • Minimize costs with reserved instances, spot instances or regular instances.
  • Know TLS and SSL termination. Decide whether you need to terminate SSL on the load balancer or on the ECS machines, and know the differences between the two.
  • Use Elastic Network Interfaces (ENIs) to keep a constant IP address across different EC2 instances in order to deal with EC2 failures.

Managing data with EBS, EFS

Each EC2 instance may get its data from different sources. EBS (Elastic Block Store) and EFS (Elastic File System) can be thought of as the hard disks of the virtual machines. Data is stored as blocks.

The certification exam evaluates whether you can:

  • Select the correct EBS type for EC2 instances. Choosing between instance store and EBS is a trade-off between cost, availability, resizability, behavior when the EC2 instance is terminated, etc. You need to be able to select the correct one according to the scenario.
  • Calculate the required IOPS and select the correctly optimized version of EBS.
  • Create a backup strategy for EBS volumes, selecting the EBS type that minimizes costs while keeping the data available after a server restart.

Using S3 for object storage

S3 (Simple Storage Service) is different from EBS and EFS. S3 stores data as objects; that is, each file is an object in S3. You need to know how to:

  • Use S3 for object storage.
  • Protect S3 buckets and objects with bucket policies.
  • Choose between IAM roles and bucket policies for different scenarios.
  • Back up or delete S3 objects with lifecycle rules, archiving them automatically to Glacier to minimize costs.
  • Use S3 for serving a static website.
  • Minimize costs by not using redundant storage for objects that do not need it.
  • Connect S3 and CloudFront for cross-region access to files. How do you authorize the connections between S3 buckets, EC2 instances and CloudFront distributions without exposing these AWS resources to the outside world?

Using DynamoDB and RDS

DynamoDB is the NoSQL solution, used for key-value pairs. Values are mostly JSON objects.

RDS is the managed service for storing relational data. Simply put, an RDBMS such as Aurora (a MySQL fork) or Oracle is installed on a virtual machine, and most operations such as automatic backups and configuration management are done by AWS.

You may simply create an EC2 instance and install MongoDB or MySQL yourself, but it requires some experience to optimize the configuration. If you are not experienced enough, using DynamoDB or RDS might be the solution. But consider the higher prices: as a solutions architect you need to lower the costs, don't forget!

You need to know the following to pass the exam:

  • Provision DynamoDB capacity according to the data retrieval and update operations. How to minimize DynamoDB costs by caching data. How to design the table structure so that items are fetched only by ID, since DynamoDB does not have complex query capabilities.
  • Create a cluster of DynamoDB or RDS instances and balance the load with load balancers.
  • Use read replicas with RDS for fast data retrieval. While using them, you need to know that read replicas increase availability and decrease data retrieval times, but may introduce replication lag while synchronizing data.

Distributing data with CloudFront

CloudFront is Amazon's CDN (content delivery network). It replicates and caches your dynamic or static content in the regions from which it is accessed frequently, for quicker delivery times.

You need to know how to:

  • Add, edit and remove content to/from CloudFront.
  • Cache content by query parameters, headers and cookies.
  • Adjust the cache times.
  • Connect an S3 object with a CloudFront distribution.
  • Use an Origin Access Identity when the origin is an S3 object.
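To tie together the bucket-policy items from the S3 section and the Origin Access Identity point above, here is an added Python example (not code from the post) that evaluates a constructed bucket policy the way AWS does: explicit deny first, then allow, otherwise implicit deny. The bucket name and OAI id are placeholders:

```python
"""S3 bucket policy evaluation for a CloudFront Origin Access Identity (OAI).

Added example, not code from the original post. AWS evaluation order: an
explicit Deny always wins, otherwise some statement must Allow, otherwise the
request is implicitly denied. Bucket name and OAI id are placeholders; only the
Bool condition operator is modelled, which is all this policy uses."""
import fnmatch

BUCKET = "example-static-site"  # placeholder
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAIID"  # placeholder
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowOAIRead", "Effect": "Allow", "Principal": {"AWS": OAI_ARN},
         "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
OBJECT_ARN = f"arn:aws:s3:::{BUCKET}/index.html"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller):
    if principal == "*":  # anonymous / everyone
        return True
    return caller in _as_list(principal.get("AWS", []))


def _condition_matches(condition, ctx):
    for key, expected in condition.get("Bool", {}).items():
        if str(ctx.get(key, "")).lower() != str(expected).lower():
            return False
    return True


def evaluate(policy, caller, action, resource, ctx):
    """Return "Allow" or "Deny" for one request against the bucket policy."""
    allowed = False
    for stmt in policy["Statement"]:
        matches = (_principal_matches(stmt["Principal"], caller)
                   and any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                   and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                   and _condition_matches(stmt.get("Condition", {}), ctx))
        if matches and stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins immediately
        allowed = allowed or matches
    return "Allow" if allowed else "Deny"  # nothing allowed: implicit deny
```

Because no statement allows the `*` principal, a direct anonymous read of the object is denied while the same object served through the CloudFront OAI is allowed, and the deny statement still blocks the OAI itself over plain HTTP.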

Connecting AWS with on-premise network

This is possibly the most important topic when you work with clients who have existing network infrastructure on on-premises machines. You will probably need to migrate the infrastructure to AWS gradually, or maybe you will never be able to migrate some parts at all. That is why you need to connect the existing infrastructure with the AWS environment.

This is really a hard task for software developers with no network maintenance experience. At least, it was really hard for me.

You need a really deep understanding of Direct Connect, in addition to VPC and bastion hosts.

Please read this for an introduction: https://aws.amazon.com/tr/blogs/apn/amazon-vpc-for-on-premises-network-engineers-part-one/

Route53 and managing DNS records

Route53 is the DNS management service of AWS, used for the DNS records of your system. It is simply used for routing traffic to your environment according to those DNS records. That is why you need to know A records and ALIAS records, where to use each of them, and their pricing in AWS.

When you need to manage the environment above the region level, you will deal with Route53 records.

For instance, when the EC2 instances in a region fail completely, you need to reroute traffic to another AWS region. This is done with a combination of Route53 health checks and DNS failover.

Tracking the environment

Tracking user activities in your AWS account with CloudTrail

Tracking who is doing what in your AWS environment is very important. For instance, when an EC2 instance is terminated by an AWS user, you need to figure out who was responsible and then take precautions so that it cannot happen again. You can find the responsible person with CloudTrail and then act accordingly: for instance, first enable termination protection on the EC2 instances, then allow only trusted people to terminate them by creating IAM roles with the required permissions and assigning those roles to the trusted people.

AWS tests this ability with several use cases in the certification exam.

Watching system metrics

CloudWatch is a service for watching system metrics and setting up alerts based on them. You can watch CPU, RAM and network usage easily.

For instance, you may set up an alarm when CPU usage is above 90% and notify an auto scaling group to scale up, or you may just inform a user by dropping a message to SNS (Simple Notification Service).
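The CPU > 90% alarm here and the "ignore CPU bursts, avoid unnecessary scale-ups" point from the autoscaling section can be explored with the following added Python example (not code from the post). It models an M-of-N alarm evaluation and a scaling cooldown over a constructed CPU series; the scaling rule it applies is a simplification of a simple scaling policy:

```python
"""Alarm evaluation that ignores short CPU bursts.

Added example, not code from the original post. It models how a CloudWatch
alarm only enters ALARM after M of N consecutive datapoints breach the
threshold, and how a scaling cooldown spaces out scale-out activities. The CPU
series is constructed: one single-period spike followed by sustained load.
"Fire whenever in ALARM and the cooldown has elapsed" is a simplification of a
simple scaling policy."""


def alarm_states(cpu_series, threshold=90.0, evaluation_periods=3, datapoints_to_alarm=3):
    """Alarm state after each period, using an M-of-N sliding window
    (the idea behind CloudWatch's EvaluationPeriods / DatapointsToAlarm)."""
    flags = [cpu > threshold for cpu in cpu_series]
    states = []
    for i in range(len(flags)):
        window = flags[max(0, i - evaluation_periods + 1): i + 1]
        states.append("ALARM" if sum(window) >= datapoints_to_alarm else "OK")
    return states


def scale_out_periods(states, cooldown_periods=3):
    """Periods in which a scale-out activity would start: whenever the alarm is
    in ALARM and the previous activity's cooldown has elapsed."""
    fired, next_allowed = [], 0
    for i, state in enumerate(states):
        if state == "ALARM" and i >= next_allowed:
            fired.append(i)
            next_allowed = i + cooldown_periods
    return fired


# Constructed CPU utilisation per period (%): a burst at period 1, real load from period 4.
CPU_SAMPLES = [30, 95, 30, 30, 95, 96, 97, 98, 99, 95, 30]


def compare_policies():
    """Scale-out periods for a naive 1-of-1 alarm versus a 3-of-3 alarm."""
    naive = scale_out_periods(alarm_states(CPU_SAMPLES, evaluation_periods=1, datapoints_to_alarm=1))
    smoothed = scale_out_periods(alarm_states(CPU_SAMPLES))
    return naive, smoothed


if __name__ == "__main__":
    naive, smoothed = compare_policies()
    print("1-of-1 alarm scale-outs at periods:", naive)    # the burst at period 1 triggers one
    print("3-of-3 alarm scale-outs at periods:", smoothed) # the burst is ignored
```

The naive alarm launches instances for the one-period burst and fires three times overall, while the 3-of-3 alarm ignores the burst and scales out twice for the genuine sustained load.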

Also, we may tag resources for managing permissions and for tracking costs. For instance, we may track the cost of some EC2 instances and load balancers with custom tags, or track production, test and development costs separately by using tags.

Automating tasks

Creating your infrastructure automatically is a must for reducing operational costs. When you define every item and its relations as metadata, reconstructing the environment becomes quick and easy. In AWS we use CloudFormation for this.

There will be more than 5 questions about CloudFormation, so allocate some serious time to learning how to use it.

Using other AWS services

AWS has lots of other services. Let me just summarize the ones you will probably encounter in the exam. The most important one is Kinesis, since data streaming and analytics are so important in modern applications.

The second one is SWF (Simple Workflow Service). SWF is used for coordinating and scaling background jobs that depend on each other, including steps that need human intervention.

The other ones are SNS (Simple Notification Service) and SQS (Simple Queue Service).

Cost management and consolidated billing

As solutions architects, our primary concerns are security and low cost. To reduce costs we may consolidate our accounts. For instance, you may consolidate the costs of different departments of your company so that, by joining the usage volumes together, you get the extra discounts that come with higher volume. That is why you need to know how to set up consolidated billing across accounts.

Also, you need to track the usage of each EC2 instance with CloudWatch and change the instance type if you do not fully use the capacity of the machine.

Lambda functions

Amazon promotes serverless architectures, so the certification exam allocates about 5 questions to Lambda functions, their pricing, and connecting Lambda functions with SQS or Kinesis.


Talha Ocakçı

I may be explaining some things wrongly in my writings. I am definitely explaining them wrongly.