Tag Archives: Amazon Web Services

AWS Service Catalog


An AWS service that does not get much attention is Service Catalog. It lets organizations create and manage catalogs of IT services that are approved for use on AWS, centrally manage the services they commonly deploy, and maintain appropriate governance and compliance over how those services are launched.

The idea is that your end users (IT staff) can quickly deploy the IT services you have approved, and that they will do so within the constraints you have set.

Benefits include:

  • Standardization – you can place restrictions on the types and configurations of AWS resources launched
  • Self-service discovery and launch – permit users to browse listings of services and applications available to them, and to launch them as provisioned products
  • Fine-grained access control – portfolios are shared with IAM users, groups and roles, and those principals are what determine who can see and launch the products in a catalog
  • Extensibility and version control – products can be added to various portfolios from a single copy, and versioning updates all copies

AWS Service Catalog terminology:

  • Products – an IT service that you want to make available for deployment on AWS. It can consist of AWS resources such as EC2 instances, storage volumes, databases, monitoring configurations, and networking components. You create products through the import of CloudFormation templates.
  • Portfolios – a collection of products along with configuration information.
  • Versioning – Service Catalog allows you to manage multiple versions of products in your catalog.
  • Constraints – rules that control how a product in a portfolio may be deployed. A template constraint restricts the parameter values a user can supply at launch (for example, the allowed instance types). A launch constraint names the IAM role that Service Catalog assumes to provision the product, so end users need permission only to use Service Catalog, not to create the underlying resources themselves; this is the mechanism that makes least-privilege self-service possible.
  • Stack – as mentioned above, the building block for a product is a CloudFormation stack; a provisioned product is a stack created from the product's template.
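The following CloudFormation template ties the terms above together: a portfolio, a product imported from a CloudFormation template, an association granting an IAM group access, a launch constraint with a scoped role, and a template constraint that limits instance sizes. It is an added example, not code from the original post or from AWS; the template URL, account ID, group name and the assumption that the product template declares an `InstanceType` parameter are all hypothetical.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Hypothetical Service Catalog portfolio with one product, a launch
  constraint (the role Service Catalog assumes) and a template constraint
  (allowed parameter values). Names, URL and account ID are assumptions.

Resources:
  Portfolio:
    Type: AWS::ServiceCatalog::Portfolio
    Properties:
      DisplayName: Approved Web Tier
      ProviderName: Platform Team
      Description: Standard web server builds approved for production

  # A product is a versioned CloudFormation template; v1.0 is the first
  # provisioning artifact. The S3 URL below is an assumption.
  WebServerProduct:
    Type: AWS::ServiceCatalog::CloudFormationProduct
    Properties:
      Name: Hardened Web Server
      Owner: Platform Team
      Description: Single EC2 web server in an approved configuration
      ProvisioningArtifactParameters:
        - Name: v1.0
          Description: Initial approved version
          Info:
            LoadTemplateFromURL: https://s3.amazonaws.com/example-catalog-templates/web-server-v1.yaml

  ProductInPortfolio:
    Type: AWS::ServiceCatalog::PortfolioProductAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref WebServerProduct

  # Who may browse and launch the portfolio's products (assumed group ARN).
  EndUserAccess:
    Type: AWS::ServiceCatalog::PortfolioPrincipalAssociation
    Properties:
      PortfolioId: !Ref Portfolio
      PrincipalARN: arn:aws:iam::123456789012:group/catalog-end-users
      PrincipalType: IAM

  # Role Service Catalog assumes to create the product's resources, so the
  # end user needs no EC2 or CloudFormation permissions of their own.
  LaunchRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: servicecatalog.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: LaunchWebServer
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - cloudformation:*
                  - ec2:RunInstances
                  - ec2:TerminateInstances
                  - ec2:Describe*
                  - ec2:CreateTags
                Resource: '*'

  LaunchConstraint:
    Type: AWS::ServiceCatalog::LaunchRoleConstraint
    DependsOn: ProductInPortfolio
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref WebServerProduct
      RoleArn: !GetAtt LaunchRole.Arn
      Description: Provision with the platform team's role, not the user's credentials

  # Template constraint: the product template is assumed to declare an
  # InstanceType parameter; only the listed sizes pass validation at launch.
  InstanceSizeConstraint:
    Type: AWS::ServiceCatalog::LaunchTemplateConstraint
    DependsOn: ProductInPortfolio
    Properties:
      PortfolioId: !Ref Portfolio
      ProductId: !Ref WebServerProduct
      Description: Restrict instance sizes
      Rules: |
        {"AllowedInstanceTypes": {"Assertions": [{
          "Assert": {"Fn::Contains": [["t3.micro", "t3.small", "t3.medium"],
                                      {"Ref": "InstanceType"}]},
          "AssertDescription": "Only t3.micro, t3.small or t3.medium are approved"}]}}
```

The two constraints do different jobs: the launch constraint is what keeps the end user's own IAM permissions minimal (they need `servicecatalog:*` style rights, not `ec2:RunInstances`), while the template constraint is enforced before the stack is created, so a user cannot pass a parameter value the platform team did not approve. The launch role's policy above is still broader than it needs to be for a real product; scope its resources down once you know exactly what the product template creates.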

Some AWS Virtual Private Cloud (VPC) Components to Review for Sol. Arch.


Here are some key VPC components I would like you to review for the Solutions Architect – Associate certification (2018 edition).

VPC Endpoint

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

There are two types of VPC endpoints – interface and gateway VPC endpoints. The interface type (powered by AWS PrivateLink) is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service. The gateway type is a target for a specified route in your route table, used for traffic destined to a supported AWS service.

Examples of services supported by the interface endpoint type are:

  • EC2 API
  • EC2 Systems Manager
  • Kinesis Data Streams
  • AWS Key Management Service
  • AWS Service Catalog
  • Elastic Load Balancing API
  • Endpoint services hosted by other AWS accounts

Examples of services supported by the gateway endpoint type are:

  • S3
  • DynamoDB

Keep in mind that by default, IAM users do not have permission to work with endpoints. You can create an IAM policy that grants users the permissions to create, modify, describe, and delete endpoints. Separately from that, each endpoint carries its own endpoint policy that controls which API actions and resources can be reached through it; the default policy allows full access, so tighten it when the endpoint should only reach specific resources.
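The template below shows both endpoint types side by side, with the security controls a practitioner would want on each: an endpoint policy on the S3 gateway endpoint that allows only one bucket, and a security group on the KMS interface endpoint that admits only HTTPS from inside the VPC. This is an added example, not code from the original post or from AWS; the VPC, subnet and route table IDs, the VPC CIDR and the bucket name are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Hypothetical gateway endpoint for S3 (with a restrictive endpoint policy)
  and interface endpoint for KMS. IDs, CIDR and bucket name are assumptions.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
  PrivateRouteTableId:
    Type: String
  ApprovedBucket:
    Type: String
    Default: example-approved-data-bucket   # assumed bucket name

Resources:
  # Gateway endpoint: a target in the route table, so it is attached to
  # route tables rather than subnets. The endpoint policy limits it to one
  # bucket, so the endpoint cannot be used to push data to arbitrary S3
  # buckets in other accounts.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref PrivateRouteTableId
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:ListBucket
            Resource:
              - !Sub arn:aws:s3:::${ApprovedBucket}
              - !Sub arn:aws:s3:::${ApprovedBucket}/*

  # Interface endpoint: an ENI with a private IP in each subnet, so it is
  # guarded by a security group like any other ENI. Only HTTPS from the
  # (assumed) VPC CIDR is allowed in.
  KmsEndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS to the KMS interface endpoint from the VPC
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.0.0/16   # assumed VPC CIDR

  KmsEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      ServiceName: !Sub com.amazonaws.${AWS::Region}.kms
      VpcEndpointType: Interface
      SubnetIds: !Ref PrivateSubnetIds
      SecurityGroupIds:
        - !Ref KmsEndpointSecurityGroup
      # Private DNS makes kms.<region>.amazonaws.com resolve to the
      # endpoint's private IPs, so SDKs need no configuration change.
      PrivateDnsEnabled: true
```

The endpoint policy is only half of the control: it restricts what leaves the VPC through this endpoint, but it does not stop someone with credentials from reaching the bucket from elsewhere. Pair it with a bucket policy that denies requests unless `aws:SourceVpce` matches the endpoint ID, so the bucket is reachable only from inside the VPC.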

VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Each record describes a flow (source and destination address and port, protocol, packet and byte counts, and whether the traffic was accepted or rejected), not packet contents. Flow log data is published to Amazon CloudWatch Logs (newer versions of the feature can also deliver it to Amazon S3). After you have created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

Flow logs can help you with a number of tasks; for example, to troubleshoot why specific traffic is not reaching an instance, which in turn helps you diagnose overly restrictive security group rules. You can also use flow logs as a security tool to monitor the traffic that is reaching your instance. Two caveats worth remembering: flow logs are delivered with a delay of several minutes rather than in real time, and some traffic is never captured, including traffic to the Amazon DNS server, the instance metadata service (169.254.169.254), DHCP, and the reserved IP address of the VPC router.

There is no additional charge for using flow logs; however, standard CloudWatch Logs charges apply.
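The following template creates a VPC-wide flow log that sends REJECT records to CloudWatch Logs, together with the log group and the delivery role the service assumes. It is an added example, not code from the original post or from AWS; the VPC ID and the 90-day retention period are assumptions.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  Hypothetical VPC flow log delivering REJECT records to CloudWatch Logs.
  The VPC ID and retention period are assumptions.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id

Resources:
  FlowLogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Sub /vpc/flow-logs/${VpcId}
      RetentionInDays: 90   # assumed; match your retention requirement

  # Role the flow logs service assumes to write records. The write actions
  # are scoped to this one log group rather than "*".
  FlowLogRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: vpc-flow-logs.amazonaws.com
            Action: sts:AssumeRole
      Policies:
        - PolicyName: WriteFlowLogs
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - logs:CreateLogStream
                  - logs:PutLogEvents
                  - logs:DescribeLogStreams
                Resource: !GetAtt FlowLogGroup.Arn
              - Effect: Allow
                Action: logs:DescribeLogGroups
                Resource: '*'

  VpcFlowLog:
    Type: AWS::EC2::FlowLog
    Properties:
      ResourceType: VPC
      ResourceId: !Ref VpcId
      # ALL would also record accepted flows; REJECT alone is cheaper and is
      # what you want when hunting for blocked connections and scans.
      TrafficType: REJECT
      LogDestinationType: cloud-watch-logs
      LogGroupName: !Ref FlowLogGroup
      DeliverLogsPermissionArn: !GetAtt FlowLogRole.Arn
```

Capturing at the VPC level covers every network interface in the VPC, including interfaces created later; use `ResourceType: Subnet` or `NetworkInterface` when you want a narrower scope. Switch `TrafficType` to `ALL` when you need to investigate traffic that was allowed, since a compromised instance's outbound connections will show up as ACCEPT, not REJECT.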