AWS - Part 2
DNS(Domain Name System)
Responsible for translating human-friendly hostnames to IP addresses.
Terminologies
- Domain Registrar - A company that registers domain names on behalf of individuals or organizations. Eg. GoDaddy, Namecheap, etc.
- DNS Record - A record that contains information about a domain name, such as its IP address.
- Name Server - A server that stores information about a domain name, such as its IP address.
- Top Level Domain/Root Level Domain - The highest level of the domain name hierarchy, such as .com, .org, or .net.
- Second Level Domain - The portion of a domain name that appears immediately to the left of the top-level domain (TLD), such as “google” in google.com or “amazon” in amazon.com
Q. What is the difference between authoritative and non-authoritative name servers? A. Authoritative name servers store and provide the original DNS records for a domain, while non-authoritative name servers retrieve and cache DNS information from authoritative servers — for example, if you own thirtyone.blog and manage its DNS with Namecheap, Namecheap’s nameservers are authoritative, whereas Google DNS (8.8.8.8) or your ISP’s DNS are non-authoritative because they simply fetch the records from Namecheap.
Amazon Route 53
Highly available, scalable, fully managed DNS service. DNS servers typically listen on port 53, hence the name Route 53.
Features
- Health Checks
- 100% availability SLA
To create a DNS record you configure the domain name, TTL, record type (A, AAAA, etc.) and value. Common record types:
- A - Maps hostname to IPv4
- AAAA - Maps hostname to IPv6
- CNAME - Maps a hostname to another hostname
CNAME vs ALIAS
- CNAME - Points a hostname to any other hostname, but only works for non-root (subdomain) records.
- ALIAS - Route 53 specific; points a hostname to an AWS resource and works for both root and non-root domains. Targets can be ELB, API Gateway, S3 websites, VPC interface endpoints, CloudFront distributions, etc.
Routing Policies
Defines how Route 53 responds to DNS queries. The following routing policies are supported:
- Simple – Routes traffic to a single resource with no special routing logic. Multiple values can be configured, in which case one of them is chosen at random. No health checks.
- Weighted – Distributes traffic across multiple resources based on assigned weights.
- Failover – Routes traffic to a primary resource and automatically switches to a secondary resource if the primary becomes unhealthy.
- Latency Based – Routes users to the resource with the lowest network latency for better performance.
- Geolocation – Routes traffic based on the user’s geographic location.
- Multi-Value – Returns multiple healthy IP addresses for a domain to provide basic load balancing and high availability. Health check in place.
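To make the differences between these policies concrete, here is an added toy resolver (not code from the original notes or from AWS) that applies each policy to a constructed record set; the `Record` fields and the `draw` parameter are assumptions that stand in for Route 53's record configuration and its random weighted selection:

```python
# Added example (not from the original notes): a toy resolver that applies each
# Route 53 routing policy to a constructed record set. `draw` (in [0, 1)) stands
# in for the random number Route 53 uses for weighted selection, so results repeat.
from dataclasses import dataclass

@dataclass
class Record:
    value: str                          # IP address (or alias target)
    healthy: bool = True                # outcome of the record's health check
    weight: int = 0                     # weighted policy
    latency_ms: int = 0                 # latency policy: latency to this region
    role: str = "primary"               # failover policy: "primary" or "secondary"
    countries: frozenset = frozenset()  # geolocation; empty set = default record

def resolve(policy: str, records: list, draw: float = 0.0, country: str = None) -> list:
    """Return the values Route 53 would answer with under the given policy."""
    healthy = [r for r in records if r.healthy]
    if policy == "simple":           # no health checks: every value is returned
        return [r.value for r in records]
    if policy == "weighted":         # chance proportional to weight; weight 0 never wins
        total = sum(r.weight for r in healthy)
        if total == 0:
            return [r.value for r in healthy]
        target, acc = draw * total, 0
        for r in healthy:
            acc += r.weight
            if target < acc:
                return [r.value]
    if policy == "failover":         # primary while healthy, otherwise the secondary
        primary = [r for r in healthy if r.role == "primary"]
        return [r.value for r in (primary or [r for r in records if r.role == "secondary"])]
    if policy == "latency":          # lowest measured latency among healthy records
        return [min(healthy, key=lambda r: r.latency_ms).value]
    if policy == "geolocation":      # country match, else the default (empty set) record
        match = [r for r in records if country in r.countries]
        return [r.value for r in (match or [r for r in records if not r.countries])]
    if policy == "multivalue":       # up to 8 healthy values, health checked per record
        return [r.value for r in healthy][:8]
    raise ValueError(f"unknown policy: {policy}")
```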
Domain Registrar vs DNS Service
Domain Registrar – A company where you buy and register your domain name (e.g., Namecheap, GoDaddy, Google Domains). DNS Service Provider – A service that manages the DNS records (A, CNAME, MX, etc.) for your domain and routes traffic (e.g., AWS Route 53, Cloudflare, Namecheap DNS).
Beanstalk
Elastic Beanstalk is a PaaS — like Heroku or Google Cloud Run, you just deploy your code and it handles the servers, scaling, and load balancing for you. The difference is it’s built on real AWS infrastructure (EC2, load balancers, auto scaling groups), so if you ever need to fine-tune or override something under the hood, you still can.
S3
Highly scalable, secure and durable object storage service.
Use Cases
Backup and Storage, Disaster Recovery, Archive, Hybrid Cloud Storage, Application Hosting, Media Hosting, Software Delivery, Static Website
Buckets
- S3 stores objects in buckets.
- Multipart Upload in S3 -> Technique for uploading large files by breaking them into smaller independent parts. The parts are then uploaded in parallel.
- Objects (files) have a key
  - The key is the full path, e.g.
    - s3://my-bucket/my-file.txt
    - s3://my-bucket/my-folder/another-folder/file.txt
  - key = prefix + object name
- Object values are the content of the body
S3 Security
- IAM Policies around users
- Encryption of objects is possible using encryption keys:
- SSE-S3 - Server-Side Encryption with Amazon S3-Managed Keys
- SSE-KMS - Server-Side Encryption with AWS KMS-Managed Keys
- SSE-C - Server-Side Encryption with Customer-Provided Keys
- Client-Side Encryption - Encryption performed by the client before uploading the object to S3 (distinct from SSE-C, where S3 performs the encryption with the customer-provided key).
Note: AWS KMS (Key Management Service)
Fully managed service to create, manage, and control encryption keys.
Static Website Hosting
S3 can be used to host static websites. Lets you serve static files (HTML, CSS, JS, images) directly from a bucket — no servers needed.
S3 Versioning
- Versions files at the bucket level
- Easy to roll back to previous versions
- Protects against accidental deletes (restore a previous version)
AWS S3 - Replication (CRR and SRR)
- Cross-Region Replication (CRR) - Replicates objects across different AWS regions. Use Case - Lower latency, disaster recovery, data redundancy.
- Same-Region Replication (SRR) - Replicates objects within the same AWS region. Use Case - Data redundancy, disaster recovery.
Replication is asynchronous.
S3 Storage Classes
- Amazon S3 Standard - Provides high durability and availability with moderate performance.
- Amazon S3 Standard-Infrequent Access (S3 Standard-IA) - Provides lower cost and moderate performance for less frequently accessed data.
- Amazon S3 One Zone-Infrequent Access (S3 One Zone-IA) - Provides lower cost and moderate performance for less frequently accessed data within a single Availability Zone.
- Amazon S3 Glacier - Provides low cost and low performance for long-term archival data.
- Amazon S3 Glacier Deep Archive - Provides lowest cost and lowest performance for long-term archival data.
- Intelligent-Tiering - Automatically moves data between storage tiers based on access patterns.
- S3 Express One Zone - Provides high performance and low latency for frequently accessed data.
Lifecycle Management
- Automates transitions between storage classes and deletes objects based on rules.
Amazon S3 Analytics
- Provides insights into object-level data access patterns and usage.
S3 Storage Lens
S3 Storage Lens provides insights into your storage usage and costs, helping you optimize your storage configuration and reduce costs.
S3 Analytics vs S3 Storage Lens
S3 Analytics → Helps optimize storage class transitions (e.g., when to move objects to Standard-IA or Glacier). Works at bucket/prefix level. Focused on lifecycle cost optimization. S3 Storage Lens → Provides org-wide visibility into storage usage, activity, cost efficiency, and best practices. Gives aggregated metrics, dashboards, and recommendations across accounts.
S3 Requester Pays
- Allows the requester to pay for the data transfer instead of the bucket owner.
S3 - Event Notifications
S3 provides the ability to push notifications to Amazon Simple Notification Service (SNS), Amazon Simple Queue Service (SQS), or AWS Lambda when certain events occur. Events can be object creation, object deletion, object access, or object versioning.
S3 Access Logs
S3 Access Logs provide detailed information about the requests made to your Amazon S3 bucket. These logs can help you monitor and troubleshoot access to your data, identify potential security issues, and optimize your storage costs. Logs are stored in a separate bucket with a name that follows the pattern awslogs-{account-id}-{region}.
Pre Signed URLs
Pre-signed URLs let you grant time-limited, secure access to specific S3 objects without exposing AWS credentials. They inherit the permissions of the IAM role/user that generated them and automatically expire after a defined time.
Commonly used for secure file uploads/downloads (GET, PUT, POST) from browsers, mobile apps, or third-party systems—without routing the file through your backend.
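The following added example (not code from the original notes or from AWS) shows how a SigV4 query-string presigned GET URL is built and how the service-side check enforces the expiry and rejects any change to the key or lifetime; the access key, secret, bucket and object key are constructed placeholders:

```python
# Added example (not from the original notes): a minimal SigV4 query-string
# presigned GET URL for an S3 object, plus the check the service performs when
# the URL is used. Credentials, bucket and key are constructed placeholders.
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit

ACCESS_KEY = "AKIAEXAMPLE0000000"             # constructed placeholder
SECRET_KEY = "example-secret/NOT-A-REAL-KEY"  # constructed placeholder
REGION, SERVICE = "us-east-1", "s3"
_Q = lambda s: quote(s, safe="-_.~")          # SigV4 query-string encoding

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signature(host: str, key: str, q: dict) -> str:
    # canonical request -> string to sign -> HMAC with the derived AWS4 signing key
    canon_qs = "&".join(f"{_Q(k)}={_Q(v)}" for k, v in sorted(q.items()))
    canonical = "\n".join(["GET", "/" + quote(key, safe="/-_.~"), canon_qs,
                           f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    date = q["X-Amz-Date"][:8]
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", q["X-Amz-Date"], scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hmac(("AWS4" + SECRET_KEY).encode(), date)   # date -> region -> service
    for part in (REGION, SERVICE, "aws4_request"):
        k = _hmac(k, part)
    return hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(bucket: str, key: str, now: datetime, expires: int = 900) -> str:
    """Client side: embed credential scope, timestamp and lifetime, then sign."""
    host = f"{bucket}.s3.{REGION}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    q = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Date": amz_date,
         "X-Amz-Credential": f"{ACCESS_KEY}/{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request",
         "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    q["X-Amz-Signature"] = _signature(host, key, q)
    return f"https://{host}/{quote(key, safe='/-_.~')}?" + "&".join(
        f"{k}={_Q(v)}" for k, v in q.items())

def verify_get(url: str, now: datetime) -> str:
    """Service side: enforce X-Amz-Expires, then recompute and compare the signature."""
    u = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    sig = q.pop("X-Amz-Signature", "")
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > signed_at + timedelta(seconds=int(q["X-Amz-Expires"])):
        return "expired"
    expected = _signature(u.netloc, unquote(u.path[1:]), q)
    return "ok" if hmac.compare_digest(sig, expected) else "bad signature"
```

Because the expiry and the object key are part of the signed canonical request, the holder of a URL cannot extend its lifetime or point it at a different object without the signing secret.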
S3 Glacier Vault Lock
S3 Glacier Vault Lock lets you enforce WORM (Write Once, Read Many) policies to prevent data deletion or modification for a fixed retention period. It’s commonly used for regulatory compliance (e.g., financial or healthcare data) where retention rules must be enforced and cannot be changed once locked.
S3 - Access Points
S3 Access Points provide a way to access objects in an S3 bucket from a different AWS account or region. They allow you to create a virtual endpoint that can be used to access objects in the bucket, without having to specify the bucket name or region in the request.
AWS CloudFront
CDN provided by AWS that offers high-performance content delivery and caching at the edge. Improves the user experience.
Q. What is edge location? A. Edge locations are physical locations where AWS CloudFront caches content. They are strategically placed around the world to minimize latency and improve performance for users.
Q. What is AWS network? How is it different from public network? A. AWS network is a global infrastructure that provides secure and reliable connectivity between AWS services and resources. It includes a vast network of interconnected data centers and edge locations, which enable fast and efficient data transfer across the globe. It is different from a public network as it is managed and secured by AWS, providing a more reliable and secure environment for AWS services and resources.
CloudFront vs S3 as CDN
S3 → Object storage service. Can host static files, but not a true CDN. Content is served from a single AWS region. CloudFront → Global CDN. Caches content at edge locations worldwide, reducing latency and improving performance.
CloudFront - ALB or EC2 as an origin
CloudFront can be configured to use either an Application Load Balancer (ALB) or an EC2 instance as an origin. This allows you to serve dynamic content from your own servers while still benefiting from CloudFront’s global edge network.
Geo-restriction
CloudFront supports geo-restriction, which allows you to restrict access to your content based on the user’s location. You can specify which countries or regions are allowed to access your content, and which are blocked. This can be useful for compliance or security reasons.
Cache Invalidations
CloudFront supports cache invalidations, which allows you to remove cached content from the edge locations. You can invalidate individual objects or entire paths, and CloudFront will automatically update the cache accordingly. You can set TTL on objects as well.
AWS Global Accelerator
AWS Global Accelerator improves application availability and performance by routing user traffic over the AWS global backbone network, via static Anycast IPs, to the nearest healthy regional endpoint (ALB, NLB, EC2, or EIP).
Unicast IP vs Anycast IP
Unicast IP → One IP address maps to one specific server/location. Traffic goes to a single destination. (Most common IP type.) Anycast IP → The same IP address is advertised from multiple locations, and traffic is routed to the nearest or best available location based on network routing.