Training Review: Advanced Architecting on AWS

The Advanced Architecting on AWS course is a 3 day course provided by AWS training partners. I took the course in mid-April with ExitCertified.

This is not an exam preparation course and while there may be a lot of overlap between the topics covered and what you need to know for the AWS Certified Solutions Architect - Professional certification exam, the training isn't structured around the exam. The Exam Readiness: AWS Certified Solutions Architect - Professional serves that role, but is more a general overview of the topics the exam covers and example questions than a deep dive.

The course is pricey at around $2000 (USD), but discounts are available to Amazon Partner Network members, and some of the training providers may have other discounts available (e.g. for referrals). This review is to help you determine whether this is a worthwhile investment of your time and money on the path to the AWS Certified Solutions Architect - Professional certification.

Challenges of a Virtual Classroom

I originally signed up for the virtual classroom option expecting that it would be a nice change of pace from going into the office (it also saved some money). Then the world changed, and it would have been really nice to leave home for 3 days to attend a classroom course.

We had five students taking the course, and our instructor Mike encouraged us to ask questions, but we were a fairly quiet group. We had all been sent a webcam and headset in advance of the course, but after the first morning I turned the camera off (as did everyone else) because I found being on camera made me very self-conscious.

Spending 7 hours on a video call seemed more exhausting than a normal workday, and I was really glad when we came to a lab so that I could do something rather than just listen.

Course Content

The slide deck for the course is provided by AWS, so the structure of the course will be generally the same across different AWS training partners and instructors, but how they present it and what they talk about for each slide will vary.

I'm hoping this level of detail will be more useful than the high level overview that AWS provides.

Day 1:

• Architecting on AWS - Review: This section covered topics you were expected to already know to be attending this course, which unfortunately made it rather tedious if were already familiar with the content.

Our instructor decided to cover this after we'd introduced ourselves because there was a varying range of experience levels amongst the students.

• AWS account management: Mostly this covered why you would have multiple accounts and how you can manage them with AWS Organizations. I was familiar with some of this, but wasn't aware that you can enforce tag policies across an organization.

• Advanced Network Architectures: This was one of the most useful and in-depth sections covering a variety of different networking options, and connectivity to AWS. Honestly, not coming from a networking background, some of this went a bit over my head.

• Lab 1: Multi-VPC Connectivity over VPN: Connectivity to on-premise has always been something that's been set-up by the networking team, so I appreciated the opportunity to configure both sides of a VPN connection to AWS.

All the labs used the Qwiklabs platform, which provisions a temporary account for each student. These generally work pretty well, although you're usually following a set of instructions (click here, type this there) rather than figuring things out for yourself.

Day 2:

• Deployment management on AWS: Fairly high overview of infrastructure and deployment tools in AWS, covering services like Elastic Beanstalk and OpsWorks much more than CloudFormation. ECS and EKS for containers got very brief mentions.

At every AWS project I've worked on we've used Infrastructure as Code tools like CloudFormation or Terraform, but I've never really used either Elastic Beanstalk or OpsWorks. For as much as they're promoted by AWS in their training materials, I wonder how many people use them (especially for larger AWS deployments)?

• Exercise - Build a Hybrid Architecture: This is in the slides for the course, but we skipped over it. You are supposed to diagram a hybrid architecture for a company moving some of their services to AWS but keeping others on premise. I think this would have been a useful exercise (and similar to some of the questions in the certification exam), but I can see how it would have been more difficult to do in a virtual classroom.

• Data:

  • Designing Large Data Stores on AWS: Mostly covered S3, but also how you might combine data in S3 with other services to store metadata. Also discussed the two Elasticache services (Memcached and Redis) and how they scale and handle failover.
  • Lab 2: Failover with Route 53 and RDS Read Replication: Two Elastic Beanstalk environments, one pointing at RDS Master instance and the other at a read-replica, set up Route 53 with a healthcheck and failover and then kill the primary environment and promote the read-replica.
  • Moving Large Datastores into AWS: This section covered Snowball, S3 Transfer Acceleration, DataSync, and the various forms of Storage Gateway.
  • Migrating databases into AWS: Basically a pitch for using the Database Migration Service. Also a discussion about replacing an RDBMS with DynamoDB and some of the design considerations - in particular understanding how data is accessed.
  • Big Data Architectures on AWS: An overview of some of the services that can handle large datasets, including DynamoDB, Kinesis and EMR.

• Designing for large-scale applications: How to handle spikes in traffic by offloading web traffic (CloudFront/S3), Caching and Auto-Scaling (of various different kinds). This did include an interesting overview of the pros and cons of using the T3 instance types.

Day 3:

• Lab 3: Blue-green deployment using Elastic Beanstalk and Elasticache: This was leftover from the previous day, and was a simple example of deploying a new version of an application (to add caching) in beanstalk as a separate and then switching between them to do a blue-green deployment and verify that it no longer called the database as frequently.

• Exercise 2: All-in, Multi-region architecture: Another skipped exercise, this time considering data migration, replication and failover.

• Building Resilient Architectures: This covered various forms of DDoS attacks and the AWS mitigations against them like AWS Shield, and how to design applications to be resilient. Also, and overview of WAF, but unfortunately not much discussion of the different rulesets available.

One interesting thing this brought up was how to ensure that traffic doesn't bypass your WAF if you are using it in front of a CloudFront distribution. You need to restrict your application's Load Balancer security group to access from CloudFront; there's no simple way to do this, but the following lab shows the somewhat clunky way you can automate this.

• Lab 4: CloudFront and WAF rules: Configure a selection of different WAF rules to block SQL injection and other attacks. Lock down access to a security group to ensure it can only be accessed by CloudFront - this ran a script that pulled a list of CloudFront IP addresses and updated the security groups for a web server - it actually had to set-up two separate security groups because there were two many rules for a single security group.

• High Availability, SQL Server, Sharepoint and MongoDB: It felt like this section was intended to show you how painful it is to run certain applications in a highly available manner (and perhaps convince you to use Aurora instead, or at least use RDS). That's not to say it's more difficult to run them in the Cloud than on-premise, just that HA is inherently complicated.

• Encryption and Data Security: This covered how KMS works and contrasted it to using CloudHSM. The general advice given was to use KMS if you're allowed to, but CloudHSM is there if you have regulatory requirements that cannot be met by KMS. Also, a section on S3 covering encryption options and data security using Object Lock.

I wasn't aware that with SSE-C (server-side encryption with customer keys), you can't even retrieve the object if you don't have the key.

• Lab 5: Using AWS KMS Envelope Encryption: A slightly odd way to end the course, manually using KMS keys to encrypt/decrypt data using OpenSSL.

Was it worth it?

I found the course worthwhile, but a lot of it was a review of things I already knew. The new information was in small chunks scattered throughout the course.

In some ways this was a confidence boost because it means that I'm hopefully close to being ready to take the certification, but I won't really know until I take the practice test.

Because of the Coronavirus, AWS has extended the expiration of my associate certification for another 6 months. That takes the pressure off to take the exam, but I'd still like to try and take the test soon - which potentially means taking the test remotely.