
Certification

Having taken some certifications over the years, I've decided to put them here for reference. I'm not a big fan of certifications, but they are a good way to structure my learning and ensure I cover the fundamentals.

Cloud Microservice

Services:

  • Data Service - a data source within the system (not limited to a DB)
  • Business Service - an abstraction built on data services. Also known as a Domain-Based Service: the service is aligned with a business domain.
  • Edge Service - responsible for serving data to users and external systems
  • The Platform - the all-encompassing infrastructure for all service operations; it includes network, identity, database, storage, etc.

Patterns:

  • Strangler Pattern - split a monolithic application into microservices. Gradually replace functions in the monolith with microservices.
  • Sidecar Pattern - deploy a helper container alongside the main application container to handle cross-cutting concerns such as logging, monitoring, and security.
  • Gateway Pattern - a single entry point for all clients. It provides a unified API for multiple microservices. Split into the edge pattern (one gateway per client type) and the aggregator pattern (one main gateway serving multiple clients).

Microsoft Certified: Azure DevOps Engineer Expert (AZ-400)

A practical hands-on exam that tests your ability to design and implement DevOps solutions on Azure. It is a challenging exam that requires a good understanding of Azure DevOps and DevOps practices. Most learning resources can be obtained from Microsoft Learn.

Additional Notes: Azure DevOps

AWS Certified AI Practitioner (AIF-C01)

Very useful to understand the AI services provided by AWS and how to use them in real world scenarios.

Notes: AI Fundamentals
Linked notes to AWS Certified AI Practitioner.
Practically learned:
  • Machine Learning and Terminology
  • Prompt Engineering
  • AWS AI Services

Learning Prompt Engineering with Google

Input Prompt framework:

Task - describe your task, specifying a persona and format preference.
  1. Give a persona (optional)
  2. Define the task
  3. Define the output/format
Context - specify goals, constraints, and requirements. Context has the potential to be the longest piece of a prompt. One of the most powerful and reliable ways to provide an AI tool with context is to give the model specific reference materials to use.
  • Persona
  • I would like...
  • Use this template...
Tip: avoid gender bias, e.g. firefighter, not fireman.
Reference - add examples (zero/single/few shot) that the gen AI tool can use to inform its output. Use:
  • A transitional phrase, i.e. "use this template"
  • Markdown tags
  • XML
Evaluate - evaluate the output to identify opportunities for improvement.
Iterate - iterate on your initial prompt to attain those improvements.
Example:

          I want to surprise my friend with a birthday meal. <- why (task)
          Can you suggest a gourmet chef <- task
          I want a list of vegetarian food menu items. <- task/context
          She prefers Italian food, and she is allergic to nuts. <- context
          She is a vegetarian. <- context
          She is a fan of pasta. <- context/reference
          I want Asian cuisine like Dim Sum. <- reference
          I know Ching Chong restaurant is good at serving Dim Sum. <- reference

I want a gourmet chef suggestion for a list of vegetarian food menu items to bring my Chinese friend to for a surprise dinner. She prefers Asian food. Could you suggest a menu list? I would prefer to bring her to a dim sum restaurant similar to Ching Chong restaurant located in Los Angeles.

I am tight on budget, so list me 2 menus and no appetizer.


Output expectation / control:
  1. Revisit the prompting framework - add personas, context
  2. Break the prompt into shorter sentences - chain of thought
  3. Introduce constraints
  4. Tweak your phrasing / switch to an analogous task
For image generation the following are important:
  • Subject
  • Format
  • Size
  • Color
  • Aesthetics

Example: use an LLM to generate the prompt for image generation, i.e. to create a poster. Then use that prompt to generate the image; remember to set a format. E.g.

        Generate a poster for a music concert <- task
        The image should be photorealistic <- format
        The poster should display a sense of excitement and energy <- aesthetics
        The color scheme should be vibrant and eye-catching <- color
        The poster should be in portrait orientation <- format
        The poster should include the following text: "Live in Concert: The Rocking Band" <- context
        The poster should be 24 inches by 36 inches in size <- size

Add all the images or URLs required.
Reasons to reset the conversation:
  • Protecting privacy: removes potentially sensitive information from previous interactions.
  • Avoiding bias: prevents the tool from carrying forward assumptions or stereotypes from earlier prompts.
  • Reducing confusion: ensures the tool focuses solely on the current task and context.
  • Troubleshooting: refreshes the tool when it seems stuck or is producing unexpected results.
Risk - Mitigation
Bias
  • Diversify
  • Audit by challenging assumptions
Hallucination
  • Fact check
  • Use clear, detailed explanations
Inconsistency and relevance (example of a vague phrase: "Think outside the box")
  • Provide references
  • Provide context
  • Use few-shot examples
  • Break down complex tasks
Responsibility
  • Consider the use of AI
  • Get approval for using AI
  • Security and implications
  • Evaluate generated content
  • Disclose the use of AI

AWS Solution Architect Associate

  • CLI -> create an access key
  • Role -> trusted entity types: AWS Service, AWS Account, Web Identity, SAML 2.0 Federation
  • Security Tools
    • IAM Credential Reports (all users, their various credentials and when each was last used)
    • IAM Access Advisor (which services were accessed and which were not, to right-size permissions)
  • Guidelines
    • Don't use root access except to create the account
    • One physical user = one IAM user
    • Assign users to groups & assign permissions to groups
    • Create strong passwords
    • Enforce MFA - virtual device, universal (U2F) key, hardware fob
    • Create & use roles for giving permissions to AWS services
    • Use access keys for programmatic access (CLI, SDK)
    • Audit the account's permissions using IAM Credential Reports
    • Never share IAM users & access keys
  • IAM Roles & IAM Policies (JSON), e.g.:

            {
                "Version": "2012-10-17",
                "Id": "s3-access",
                "Statement": [
                    {
                        "Sid": "10202",
                        "Effect": "Allow",                       // or "Deny"
                        "Principal": {
                            "AWS": ["arn:aws:..."],              // IAM user/role ARNs
                            "CanonicalUser": "123",
                            "Federated": []
                        },
                        "Action": ["s3:GetObject"],              // action(s) the statement covers
                        "Resource": "arn:aws:s3:::mybucket/*"    // or "NotResource"
                    }
                ]
            }
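The credential report guideline above in practice, as an added example that is not part of the original notes: a Python audit over a constructed IAM credential report. The column names match the real report's header; the rows, the function name `audit_credential_report`, `STALE_AFTER` and the 90-day threshold are assumptions. It flags any root usage, console users without MFA, and active access keys that are stale or were never used.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: real credential-report column names, invented rows.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111111111111:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-01T09:00:00+00:00,not_supported,false,true,2024-05-01T09:00:00+00:00,false,N/A
alice,arn:aws:iam::111111111111:user/alice,2021-03-04T00:00:00+00:00,true,2024-05-02T10:00:00+00:00,2024-01-10T00:00:00+00:00,true,true,2024-05-02T10:00:00+00:00,false,N/A
ci-bot,arn:aws:iam::111111111111:user/ci-bot,2021-03-04T00:00:00+00:00,false,no_information,N/A,false,true,2023-06-01T00:00:00+00:00,true,N/A
"""

NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed clock so results are reproducible
STALE_AFTER = timedelta(days=90)                  # assumed key-rotation policy


def _when(value):
    """Parse a report timestamp; N/A, no_information and not_supported give None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW):
    """Return (user, finding) pairs for rows that break the IAM guidelines."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        keys = [n for n in ("1", "2") if row[f"access_key_{n}_active"] == "true"]
        if user == "<root_account>":
            # Root is for account creation only: any use, missing MFA or keys is a finding.
            if _when(row["password_last_used"]):
                findings.append((user, "root credentials used"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            findings += [(user, f"root has active access key {n}") for n in keys]
            continue
        # Console users must have MFA enforced.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console access without MFA"))
        # Programmatic keys: flag active keys never used or unused for STALE_AFTER.
        for n in keys:
            last = _when(row[f"access_key_{n}_last_used_date"])
            if last is None or now - last > STALE_AFTER:
                findings.append((user, f"access key {n} stale or never used"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

With a real report, feed the CSV body returned by `aws iam get-credential-report` (base64-decoded) in place of the constructed sample.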
  • EC2 purchasing options:
    • On-Demand
    • Reserved Instances & Convertible Reserved Instances
    • Savings Plans - commit to a minimum usage; convertible across instance types; charged even if not used (used to be Capacity Reserved)
    • Spot Instance
    • Dedicated Host
    • Dedicated Instance
  • A Spot request can only be terminated (cancelled) while it is Open/Active/Disabled
  • Spot can include x5, c5 instance types too
  • Spot Fleet - a set of Spot instances + optional On-Demand; allocation strategies:
    • Lowest Price
    • Diversified
    • Capacity Optimized
    • Price Capacity Optimized
  • Elastic IP -> 1 public IP, max 5
  • Elastic Network Interface (ENI) -> 1 private IP, bound to one AZ, has a MAC address
  • Placement groups:
    • Cluster - same AZ
    • Spread - different region or AZ, max 7 instances per AZ
    • Partition - up to 7 partitions; partitions do not share racks & can be in the same AZ or not
  • Hibernate - only if EBS encryption is enabled; saves the RAM state. Only storage is charged.
  • Instance Store - ephemeral, physical and very high IOPS; emptied on stop.
  • Root volumes are deleted on terminate by default.
  • EBS - it's a network drive.
  • To move a volume to a new AZ, use a snapshot
  • To hibernate at instance stop, the volume must be encrypted. It stores all RAM into EBS.
  • Snapshot Archive is cheaper (72%) but a restore takes 24-72 hours
  • Recycle Bin - 1 day to 1 year retention
  • Fast Snapshot Restore - $$$$
  • Types:
    only gp (General Purpose SSD) & io (Provisioned IOPS) can be used as a root volume
    • gp3 - can increase IOPS to 16k, throughput 1000 MB/s
    • gp2 - 3 IOPS per GB, max 16k IOPS (reached at 5334 GB)
    • io1 - 4 GB-16 TB, max PIOPS 64k
    • io2 - max 256k IOPS at 1000:1 IOPS per GB; supports EBS Multi-Attach
    • st1 - 125 GB-16 TB of throughput-optimized HDD
    • sc1 - cold HDD for infrequent access, 250 IOPS
  • Multi-Attach is only within the same AZ, max 16 EC2 instances, and needs a cluster-aware file system (Linux)
  • Encryption:
    • Data is encrypted 1) at rest, 2) in snapshots and 3) in flight between instance and volume
    • To encrypt unencrypted data -> snapshot -> copy (with encryption) -> create a new EBS volume
  • AMI - a snapshot template of the instance, including its EBS storage.
  • Region specific, but can be copied over via console/command line.
  • EFS - $$$, about 3x the gp price
  • Encryption at rest using KMS.
  • Uses NFS v4.1 and Linux-based AMIs.
  • Can be Multi-AZ or One Zone. One Zone is only for IA
  • Can be accessed by Lambda, EC2 and SageMaker
  • Throughput modes:
    • Provisioned
    • Elastic
    • Bursting
  • Storage tiers:
    • Standard
    • Infrequent Access (IA)
    • Archive
    • Lifecycle Policy - Standard to IA
  • Allow access from EC2 by security group, not by IP
  • Load balancer types:
    • Application Load Balancer - routing rules based on hostname, path, header or query string. Adds X-Forwarded-For/Port/Proto. Target group can be by IP, instance or Lambda.
    • Network Load Balancer - 1 EIP, TCP/UDP; an NLB can have an ALB as a target
    • Gateway Load Balancer - target group is a 3rd-party appliance. GENEVE protocol, port 6081.
  • Multi-AZ, but scoped to a Region
  • Accessed via DNS, except the Network LB, which has a static IP
  • Can have health checks
  • Sticky Sessions
    • GLB only: no sticky sessions
    • AWSALB and AWSALBAPP are for the application-based cookie
    • AWSALB and AWSALBTG are for the duration-based cookie
  • Cross-Zone Load Balancing - when enabled, requests are spread evenly across all instances in all AZs rather than per AZ.
  • Server Name Indication (SNI) - allows multiple TLS certificates on one web server/ALB.
  • Connection Draining - allows EC2 to finish in-flight requests before shutdown. Time based; 0 disables it.
  • Auto Scaling Group - the Launch Template defines AMI, instance type, EBS volume, security group, SSH key pair, IAM role, VPC, LB
  • Specify Min, Max and Initial (desired) capacity
  • Can use CloudWatch as the alarm source
  • Health checks can be both EC2 and ELB based; a failed health check terminates the EC2 instance.
  • Scaling strategies: Scheduled, Predictive (AI), Dynamic (resource based); default is a 30 second cooldown.
  • Able to integrate with CloudWatch (with custom metrics) to trigger an alarm, and configure scaling to run based on the alarm.
  • RDS storage autoscaling: scales if free storage < 10% for 5 minutes and 6 hours have passed since the last storage modification.
  • RDS - 1 master, multiple replicas
  • Supported engines: PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, DB2, Aurora
  • Multi-AZ support does not require a connection string change (only read replicas require one)
  • Replicas
    • Up to 15 read replicas
    • Free if in the same AZ
    • Sync replication for Multi-AZ
    • Async (eventually consistent) for the same AZ
  • Aurora
    • Auto Multi-AZ & Multi-Region
    • Regional cluster with 1 writer endpoint and 1 reader endpoint
    • Only needs 4 copies up to write, 3 copies up to read.
    • Machine learning via SageMaker and Comprehend
    • Can have custom endpoints (a reader endpoint) pointing to specific instances.
    • Can use serverless - Aurora fleet
    • Global Aurora - Cross-Region or Global DB (1 primary region, up to 5 secondary regions, up to 16 read replicas per region)
  • RDS Proxy - DB connection pool; must be private (VPC only)!
  • ElastiCache
    • Redis AUTH - IAM, password/token, or SSL
    • Memcached - supports SASL-based authentication
    • Redis supports sorted sets (ordering guaranteed).
    • Patterns
      • Lazy Loading
      • Write-through (add/update DB)
      • Session Store (TTL)
  • RDS Custom - only Oracle and SQL Server; can SSH in to patch.
  • Security
    • Data encrypted at rest, but KMS must be defined at creation.
    • If the master is not encrypted, the replica is not either
    • To encrypt an unencrypted DB, go the snapshot route
    • IAM authentication, except Oracle and SQL Server, but those can SSH
    • Audit logs can be sent to CloudWatch
    • Security Groups control network access.
  • Automated backups every 5 minutes (Aurora backups cannot be disabled)
  • Backup retention is 1 to 35 days.
  • Backup snapshots only restore to a new DB, and only MySQL/Aurora support restore from S3. Aurora uses Percona XtraBackup for it.
  • Cloning feature only available for Aurora.
  • Route 53 record types:
    • A - maps hostname to IPv4
    • A (alias) - like CNAME but has native health checks; can be set at the zone apex, but no custom TTL
    • AAAA - maps hostname to IPv6
    • CNAME - maps hostname to hostname
    • NS - name servers for the hosted zone
  • Routing policies:
    • Weighted
    • Simple - multiple A values, returned at random
    • Latency - closest region, but you need to set the region yourself
    • Failover - one primary, one secondary
    • Geolocation - like latency, but you specify the country. Set a default record to have a default.
    • Geoproximity - weighted regions (bias)
    • IP-based routing - uses CIDR blocks
    • Multivalue - like simple but with health checks
  • Health checks
    • Calculated Health Check - up to 256 child checks combined with OR/AND; 30 second interval; healthy when over 18% of checkers see 2xx or 3xx
    • Private hosted zone - health checks have to go through CloudWatch alarms
  • Cannot route based on path
  • Different from ALB: load balanced by region via DNS, and health checks are subject to TTL
  • S3 bucket names are globally unique, but buckets are region based
  • Naming: lowercase letters + numbers + dashes (-) only; no -s3alias suffix and no --
  • Key consists of prefix (path) + object name
  • Max 5MB per PUT; big uploads go via multipart upload
  • Security
    • User based (IAM)
    • Resource based - Bucket Policy / Object ACL / Bucket ACL
    • Can be encrypted
    • S3 Block Public Access takes precedence over both IAM and resource-based controls, so it has to be considered before a bucket policy can take effect
  • Supports serving S3 as a static website
  • Versioning
    • When disabled, all objects have version = null. Important when turning versioning on and off.
    • Suspending versioning does not delete previous versions
    • A delete with versioning on only adds a DELETE MARKER
    • Deleting a specific version (with versions shown) is a permanent delete
  • Replication
    • Same Region Replication
    • Cross Region Replication
    • Only new objects are replicated, but S3 Batch Replication can do old ones
    • Able to replicate DELETE MARKERS, but it needs to be enabled. NOTE: deletions of specific versions are not replicated.
    • No chaining - does not support bucket 1 TO bucket 2 TO bucket 3
  • Storage classes:
    • Standard - stored in 3 or more zones
    • Infrequent Access
    • Intelligent Tiering
    • One Zone IA
    • Glacier Storage
      • Instant Retrieval - like IA, min 90 days
      • Flexible Retrieval - takes 1 - 5 min (expedited), 3 - 5 hours (standard), 5 - 12 hours (bulk)
      • Deep Archive - 12 - 48 hours
  • Possible to make the requester pay for S3.
  • S3 Lifecycle
    • Use Storage Class Analysis - a tool for Standard and Standard IA that produces a report within 24-48 hours
    • Move non-current versions, and can set them to permanent delete too.
    • Can delete incomplete multipart uploads
    • Rules can be scoped by tags.
    • Can add delete on expiry.
  • Event notifications support EventBridge, Lambda functions, SQS, SNS
  • Transfer - Transfer Acceleration, multipart upload, S3 byte-range fetches, batch via S3 Select
  • S3 Storage Lens - analyze objects, discover anomalies, cost efficiency. Split by:
    • Organization
    • Account
    • Region
    • Bucket
  • Encryption: (the bucket policy runs before encryption, so the header can be checked.)
    • SSE-KMS - cheaper for customer-managed keys with bucket keys
    • DSSE-KMS - 2 x faster
    • SSE-C - HTTPS with a customer-provided key but still via KMS, x-amz-server-side-encryption headers
    • Client-side encryption
  • Other features include:
    • CORS
    • MFA Delete
    • Access logs
    • Presigned URL - up to 12 hours, can even delete or upload
    • Object Lock
      • Compliance (fixed)
      • Governance (some users can change it)
      • Retention Period (can extend indefinitely)
      • Legal Hold (with the s3:PutObjectLegalHold permission, one can change it)
    • Access Point: good for S3 Object Lambda functions
  • CloudFront - always us-east-1 (server side)
  • Underlies API Gateway
  • Can use geographic restrictions
  • To allow only CloudFront to reach EC2, you need to allow all edge location IPs
  • 3 price classes
    • All
    • Price Class 200 - all except South America and Australia
    • US and Europe only
  • Global Accelerator - uses anycast to the nearest edge
  • Has 1 static IP
  • Can do health checks
  • For Elastic IP, EC2, ALB and NLB
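The S3 Versioning notes above, modelled as an added example that is not code from the original page and does not call the S3 API: an in-memory `VersionedBucket` class (an assumed name) that reproduces the null version id, delete markers and version-specific permanent deletes, and a `demo()` that turns versioning on, deletes, restores and then suspends.

```python
import itertools

NULL = "null"  # the version id S3 assigns while versioning is off or suspended


class VersionedBucket:
    def __init__(self):
        self.versioning = "off"  # "off" | "enabled" | "suspended"
        self._ids = itertools.count(1)
        self._versions = {}      # key -> [(version_id, body)], body None = delete marker

    def _new_id(self, stack):
        if self.versioning == "enabled":
            return f"v{next(self._ids)}"
        # Off or suspended: the single null version is overwritten in place.
        stack[:] = [v for v in stack if v[0] != NULL]
        return NULL

    def put(self, key, body):
        stack = self._versions.setdefault(key, [])
        stack.append((self._new_id(stack), body))
        return stack[-1][0]

    def get(self, key):
        # Current body, or None when the key is absent or hidden by a delete marker.
        stack = self._versions.get(key)
        return stack[-1][1] if stack else None

    def delete(self, key, version_id=None):
        stack = self._versions.get(key)
        if not stack:
            return
        if version_id is not None:
            stack[:] = [v for v in stack if v[0] != version_id]  # permanent
        elif self.versioning == "off":
            stack.clear()  # no history exists to protect the object
        else:
            stack.append((self._new_id(stack), None))  # marker only, data kept

    def list_versions(self, key):
        return [vid for vid, _ in self._versions.get(key, [])]


def demo():
    b = VersionedBucket()
    b.put("report.csv", "v0")            # versioning off -> stored as "null"
    b.versioning = "enabled"
    b.put("report.csv", "v1")
    b.put("report.csv", "v2")
    b.delete("report.csv")               # simple delete: adds a marker only
    hidden = b.get("report.csv")
    b.delete("report.csv", b.list_versions("report.csv")[-1])  # remove marker
    restored = b.get("report.csv")
    b.versioning = "suspended"
    b.put("report.csv", "v3")            # overwrites the null version, keeps v1/v2
    return hidden, restored, b.list_versions("report.csv")
```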

AWS Certified Cloud Practitioner

  • Spot Instances
  • On Demand
  • Reserved Instances (1 yr / 3 yr)
  • Convertible Reserved Instances (only 1 Availability Zone)
  • Savings Plan (min usage of RI)
  • Dedicated Hosts (license)
Responsibility for patch management, configuration management, and awareness and training
Cloud Adoption Framework perspectives:
  • Business Perspective
  • People Perspective
  • Governance Perspective
  • Platform Perspective
  • Security and Operations Perspective
Migration strategies:
  • Rehosting
  • Replatforming
  • Retire
  • Repurchase
  • Refactoring and Retaining / Rearchitecting
Well-Architected pillars: Operational Excellence → Security → Reliability → Performance Efficiency → Cost Optimisation → Sustainability
Cloud advantages:
  • Trade fixed expenses for variable expenses
  • Benefit from massive economies of scale
  • Stop guessing capacity
  • Increase speed & agility
  • Stop spending money running & maintaining data centers
  • Go global in minutes