- Okay Cloud Academy ninjas, let's review some of the key points we have to keep in mind around implementation and deployment. So subnets. If a subnet has an internet gateway and a route to that internet gateway, then it's a public subnet. If a subnet doesn't have an internet gateway, or more importantly a route to that gateway, then it's a private subnet. If a subnet only routes traffic to the virtual private gateway, or the VPG, then it's a VPN-only subnet. Now route tables are the rules for where traffic is allowed to go. And a route table enables EC2 instances within different subnets to talk to each other. Now let's make sure we're clear on IP addressing and the VPC. So public IP addresses are owned and assigned by AWS. And they can be automatically assigned to instances launched within the VPC. Now an EIP or an elastic IP address, is also an AWS-owned public IP address. But it's one that you can allocate to your account. And by default, we're allowed five IP addresses per region, which corresponds to the number of VPCs we're allowed to stand up per region. And the EIPs are free if we're using them. But we do pay if we have an EIP allocated that is not being used. Sounds confusing, I know. But this is just to prevent people from reserving a whole lot of elastic IP addresses. So basically, you're only charged for them if you don't use them. A few things to keep in mind about the VPC. So the minimum subnet size you can have in a VPC is a /28 side up. And the maximum size you can have in a VPC is /16. And you can't change the CIDR block of a VPC once it's been created. And you're gonna need to have two public subnets and two private subnets if you have a High Availability design that's using two availability zones, right? So if you get a question about how many subnets you need, you're gonna need two public and two private, so four subnets in total. Now network ACLs or NACLS, are associated to a VPC subnet to control traffic flow. And by creating an IGW and a route to that IGW, you're creating a public subnet. Now you can only have one internet gateway for each VPC. When you create a VPC, all subnets can communicate with each other by default. Now if you're setting up a net gateway, remember you need to disable the source and destination checks on the NAT instance, to enable traffic flow. Now an elastic IP address remains associated with an instance when an instance is stopped. In an EC2 classic network, the elastic IP address will be dissociated from the instance on a stop or start event, but not in a VPC. A stop and start of an EBS-backed EC2 instance always changes the underlying host computer. Can't guarantee it but generally a stop and start of an EBS-backed EC2 instance changes the underlying host. Now if you attach an EIP to an instance that is associated to a different subnet, then that instance will be dual-homed. 

Reserved instances enable cost savings if you need to run instances full time. For example, regular applications that run nine to five Monday to Friday, or perhaps to best respond to website traffic. With reserved instances, you can change an instance type within the same instance family and you can change the Availability Zone. But that's generally all. On-demand instances, on the other hand, enable flexibility to handle spikes in traffic; so if you've got a retail site or a marketing campaign that may suit on-demand. Now spot instances are a really cost effective way to provide computing on-demand, when we're not time constrained. So if it's not an urgent requirement that could tolerate an interruption, say batch processing or number crunching, well spot instances will suit that use case. Now dedicated instances insure your application will not be run on hardware used by any other client. But of course dedicated instances can cost you way more. Now the instance type itself defines the virtual hardware. And it's the AMI that determines the initial software state. The instance type and the AMI, those are the two things you need when you start up a new instance. If you do have multiple security groups, then the rules for all of those groups will be aggregated as far as the instance is concerned. Now if you enable enhanced networking, that enables more packets to travel per second, it enables a lower latency, and it provides less jitter. Now if you're using SSL, an SSL certificate must specify the name of the website it's been used for in either the subject name or listed as a value in the SAN extension of the certificate. If you don't do that, the connecting clients will see an error. 

Now a VPN is a private connection between network resources using an IPSEC tunnel. An IPSEC encrypts the traffic passed between the network points. And to set up a VPN, you need a few things. First, you need a VPG or a virtual private gateway on the AWS side of a network. We also need a CGW or a customer gateway. And that is generally a physical device or a software appliance on the customer side of a network. And a VPN needs to be initiated from the customer side. So by default we get two VPN tunnels with an IPSEC connection. Which adds another layer of durability to your networking. Now IPSEC encrypts the transport but it doesn't increase the resilience of your connection. So to do that, we use Direct Connect, which is a dedicated connection between your network and AWS, i.e. traffic sent over Direct Connect does not rely on the internet, right? So it's more resilient and less prone to traffic fluctuations. Okay, a few things to keep in mind with the services. So the Simple Workflow Service is an important one to remember. And that enables coordinated tasks across distributed components. And Simple Workflow Service is really useful for coordinating tasks say at auto-processing application. Now an SWF workflow is a collection of activities performed by Simple Workflow Service actors, right? So an SWF actor can be a worker, a workflow starter or a decider. And each workflow runs in a domain. And you can have multiple domains per account, per your account, but workflows from domains can't interact with each other. Now remember that Simple Notification Service is an asynchronous push notification service. Different from Simple Queue Service, which is a queuing service. So Simple Notification Service enables a publisher to send notifications to an individual or groups of subscribers. And Simple Notification Service can use HTTP, HTTPS, SMS, email, email-JSON or even Amazon SQS or Lambda as a protocol. So the key elements to remember for Simple Notification Service are a publisher and a subscriber and a topic. The Simple Queue Service visibility timeout window is a period of time where simple queue service prevents other applications or services from accessing or receiving a message, as another component has already accessed that message. Now the default message visibility timeout is 30 seconds. And the maximum time you can set for a visibility timeout is 12 hours. So by default the order in Simple Queue Service messages cannot be set. However Simple Queue Service now supports first-in first-out ordering, which is FIFO, which enables you to set message ordering when it's enabled. So by default, Simple Queue Service messages are retained for 14 days. Now if you need to store messages for longer, cull them out and store them on Amazon S3. Now Simple Queue Service Long Polling is another very important feature. And that allows an application to poll the Simple Queue Service queue with a weight factor, which you can set to be between one and 20 seconds. So if there's no message in there, Simple Queue Service holds the requests, rather than returning an empty response. So Long Polling reduces queue request CPU cycles. So if you get a question about how to reduce the number of cycles and polling, increasing your Long Polling value may help. Okay, so those are few things to keep in mind for our exam preparation. Let's get into the next domain.