Chandradeo Arya's Tech Blog

The Power of Career Compounding: Lessons from 25 Years in Finance by Saurabh Jhalaria

Chandradeo Arya — Fri, 07 Nov 2025 18:30:00 GMT

About the speaker

Saurabh Jhalaria is a prominent finance leader and an Aditya Birla Scholar from IIM Bangalore (Class of 2000). He is a founding member of the InCred Group, where he currently serves as the Chief Investment Officer (CIO) for Alternative Credit and heads the SME lending business. A CFA charterholder, he is recognized for his expertise in credit strategies and his active role as an angel investor in the Indian startup ecosystem.

Prior to InCred, Jhalaria spent over 13 years at Deutsche Bank, reaching the position of Managing Director. During his tenure in Singapore and Hong Kong, he led private financing and performing credit for India and Southeast Asia. He began his career at ICICI Securities after graduating from St. Xavier’s College, Kolkata, and has since become a key figure in evolving India’s non-banking financial landscape.

Summary of the talk

💡

A talk delivered at the Aditya Birla Scholars Reunion, November 2025

In finance, we talk a lot about terminal value and the compounding of capital. However, we often overlook how these same principles apply to our professional lives. If you want to build a career that doesn't just grow linearly but scales exponentially, you must understand how to let your skills, relationships, and experiences compound.

1. The Role of Mentorship in Navigating Transitions

One of the most vital ingredients for compounding is having a mentor. A mentor isn't just someone who gives you technical advice; they provide a perspective that you cannot see from where you are standing.

In my own career, having a mentor for the last 25 years has been transformative. Every three or four years, when I felt the itch to change my role or felt I had hit a plateau, my mentor helped me see the road from "A to B". They help you answer the critical question: "What comes after this?". When you are in the middle of a role, you are focused on the task; a mentor is someone who has already watched the full "movie" of a career and can tell you how the current scene fits into the long-term plot.

2. Own the Outcome, Not Just the Task

To truly compound, you must move away from a "clerical" mindset—the idea of "I did my work and I went home". High-growth careers are built by people who own the outcome.

Early in my career, I constantly looked at my boss and asked: "What is my boss doing that I am currently unable to do?". Whether it was a technical gap or a soft skill, I realized that if I couldn't serve the needs of the person above me, I couldn't eventually take their role. Compounding only works if you are internally motivated to move out of your "box" and understand the broader organizational goals. If you restrict yourself to your job description, you stop learning, and the moment you stop learning, you stop compounding.

3. Learn on the Job and Beyond

I remember my time in Hong Kong, which was then the biggest market in Asia. Every evening, I would sit down and chart out option pricing or structural launches, trying to understand the "why" behind the market moves.

The idea is not just to have technical events or certificates but to ensure that every day on the job adds to your knowledge base. If you stay in the same job or company for a long time, the only way to keep the compounding effect alive is to go deeper and broader into the business than what is required of you.

4. The Leap into Entrepreneurship

Nine years ago, I decided to leave a stable banking career to help build InCred. The goal was to build something larger and more autonomous.

Entrepreneurship is a different way of compounding. It forces you to pick up additional skills rapidly and provides a level of autonomy that a traditional job might not. Looking back at the last several years—navigating the India growth story, the 2017-2018 cycles, and the COVID-19 crisis—I’ve realized that careers aren't a straight line. There will be years where you feel you are not moving, but those are often the years where the "base" for future compounding is being built.

5. Integrity: The Non-Negotiable

Finally, we must talk about the "non-compromisables." In finance, and especially in leadership, your reputation is your terminal value.

Mistakes will happen. When a client or a firm looks at a mistake, they ask: "Is this irreversible? Is this a mistake of character or a mistake of judgment?". You can recover from a volumetric or a technical error, but an "integrity gap" is impossible to fix. It is very difficult to be a person of high integrity professionally if you are not an honest person personally. In the long run, the market identifies leaders not just by their intelligence, but by their fundamental character.

Closing Thoughts

As you look at your own career, don't just think about the next two years. Think about the skills you are compounding for the next twenty. Find a mentor, own your outcomes, stay curious, and never compromise on your integrity. That is how you turn a job into a legacy.

The Four Dimensions of Great Leadership: Beyond Academic Excellence by Shilpa Rangaswamy

Chandradeo Arya — Fri, 07 Nov 2025 18:30:00 GMT

About the speaker

Shilpa Rangaswamy is an Aditya Birla Scholar from the IIM Bangalore class of 2008 and a prominent consultant at Egon Zehnder. Based in Mumbai, she specializes in executive search, board advisory, and leadership development, with a particular focus on the Financial Services and Private Capital practices. She is also a core member of the firm’s Family Business Advisory, where she helps organizations navigate succession and leadership transitions.

Prior to her career in leadership advisory, Shilpa was a consultant at McKinsey & Company, serving major banks and conglomerates across India and Southeast Asia. She began her professional journey as a software engineer at Tata Consultancy Services after earning her engineering degree from Mumbai University. Today, she is recognized for her commitment to driving diversity in leadership and helping firms build resilient executive teams.

Summary of the talk

💡

A talk delivered at the Aditya Birla Scholars Reunion, November 2025

In my work at Egon Zehnder, I spend a significant amount of time with senior leaders—from rising executives to chairmen as old as 78. Whether I am coaching them through career choices or advising boards on CEO successions, one question remains central: What makes a great leader great?.

While academic excellence and professional "hunger" are baseline requirements for a group like the Aditya Birla Scholars, they eventually become "hygiene factors". Once you reach a certain level, everyone is smart and everyone is ambitious. To differentiate yourself, you must look at four specific traits that determine how much further you can go.

1. Curiosity: The "Child-Like" Wonder

The first trait is curiosity—a child-like willingness to never stop asking, "I wonder why?" or "What if?". Curiosity is not just about the world around you; it is about self-evolution.

I know very successful leaders who make it a point to speak to three people outside their industry every month just to gain a fresh perspective. They aren't afraid to ask basic questions like, "Why is it done this way?". This trait allows a leader to pivot—for example, moving from a lifelong career in banking to a leadership role in tech. If you stop being curious, you stop growing.

2. Insight: Connecting the Dots

Insight is fundamentally different from intelligence. Intelligence is numerical and memory-based; it’s the ability to read and remember information. Insight, however, is the ability to look at disparate data points and see a pattern that others miss.

Great leaders can sense a shift in the market quarters before it actually manifests in the numbers. When you ask them how they knew, they can explain the "why" by connecting experiences across different sectors. They don't just see the data; they see the story the data is trying to tell.

3. Determination: The Response to Failure

When boards interview CEO candidates, one of the most standard questions is: "Tell us about your most miserable failure". This is a test of determination.

Determination is not just about working hard; it is your ability to face a challenge and not just survive it, but be excited by it. When you are asked to run a business that is in "terrible shape," is your reaction to find an exit, or is it to say, "This is going to be interesting, and I will be much better for it on the other side"?. Your ability to "hold the line" during a crisis is what marks you as a leader.

4. Engagement: The Most Underrated Trait

Engagement is perhaps the most underrated quality in leadership. In our early careers, we often look down on the "soft skills" of people management. However, when we do CEO searches, nine times out of ten, the person who gets the job is the one people want to work for.

Leadership is ultimately about how you make people feel. Ten years from now, people won't remember your spreadsheets; they will remember how you treated the person sitting next to you. How you treat the person serving you coffee or a junior team member says more about your leadership potential than your technical output.

Navigating the "What Next?"

As you navigate your career, you will face moments of doubt—periods where the "energy factor" dips or you feel boxed in. During these times, comparison is often the biggest driver of anxiety. You see a peer become a partner at a top firm and wonder if you are falling behind.

My advice is to return to the core: Are you still curious? Are you still gaining insights? If you can't answer those questions with conviction, it may be time for a change. But remember, frequent job-hopping without delivery is a red flag. Boards look for leaders who have stayed long enough to see the results of their decisions.

Closing Thoughts

Great leadership isn't about being "Sampann" (perfectly complete). It’s about the constant practice of these four dimensions. Listen to your heart, stay curious, and focus on how you engage with the world around you. That is what determines how far the "roller coaster" of a professional career will take you

Exploration & Discovery: Career paths when the future is uncertain by Arijit Sarkar

Chandradeo Arya — Fri, 07 Nov 2025 18:30:00 GMT

About the speaker

Arijit Sarkar is an Aditya Birla Scholar (class of 2010) and an accomplished investment professional currently serving as a Director of Credit at Trifecta Capital. With over 13 years of experience, he has held diverse roles as an investor, entrepreneur, and senior business leader across sectors such as fintech, healthcare, and retail. His investment portfolio includes prominent companies like BharatPe, Vedantu, and Infra.Market, where he focuses on leveraging technology to create non-linear value.

Sarkar’s career history includes serving as a Strategy Consultant at McKinsey & Company, where he advised large financial institutions on growth and capital management. He also founded the fintech startup Tavaga and served as the CEO of Sugha Vazhvu, a sustainable primary healthcare business. Academically, he holds a degree from IIT Bombay (2006) and an MBA from IIM Bangalore (2012).

Summary of the talk

💡

A talk delivered at the Aditya Birla Scholars Reunion, November 2025

Life and careers rarely move in a straight line. While we often hear about the power of compounding within a single organization, my journey has been almost the opposite—one defined by exploration, pivoting between sectors, and navigating the friction of an uncertain future.

1. Beyond the Academic Pedigree

Coming from a background like the Aditya Birla Scholars, we often rely on our academic credentials—IITs, IIMs, and prestigious scholarships. Early in my journey, I followed the traditional technical path, influenced by a family of PhDs and scientists. I thought my future was in mathematical finance because I understood the "math" of it.

However, as I progressed, I realized that technical skills are just the baseline. The real world of business—the non-technical side—was just starting to open up during my undergraduate days with the arrival of consulting firms and investment banks. I had to learn that understanding a financial problem is not the same as understanding a business.

2. The Power of the "Privilege Trap" and Networks

We often talk about the "privilege trap"—having access to elite institutions gives you the flexibility to take risks that others cannot. I am a beneficiary of the network this scholarship provides.

When I was 22, I took a leap of faith and moved to Chennai—a city where I had no friends—to work with a small incubator focused on social justice and microfinance. I didn't fully understand that world at the time, but the network of high-quality mentors I met there allowed me to see how larger businesses are built from the ground up. Your network is not just for finding jobs; it is the safety net that gives you the confidence to explore when the market is in flux.

3. Transitioning from "Mathematical" to "Human"

My career moved from the mathematical rigor of finance to the "human" complexity of consulting and entrepreneurship. In consulting at McKinsey, I began to see how institutions actually breathe—how banks operate, how collections work, and how strategy is executed on the ground.

Later, starting my own venture taught me a level of accountability and satisfaction that you simply cannot get by analyzing cases from the outside. Even if a product doesn't scale exactly as planned, the learning you gain from building something of your own is a form of compounding that stays with you forever.

4. Evaluating the Startup Path

Now, as an investor, I look at the startup ecosystem differently. When the future is uncertain, many wonder if they should join a startup or start one. My advice is to rationalize the decision, but don't let the "math" make it for you.

When we invest, we look for founders who have a high "comfort with ambiguity". We look for people who can see what is possible without being bogged down by the limitations of the present. If you are in your 20s, the risk of failure is at its lowest. This is the best time to leverage your network and try something that conflicts with the "traditional" path.

Closing Thoughts

Don't be afraid if your career doesn't look like a straight line. Whether you are compounding within a firm or exploring through startups, what matters is whether you are learning and staying flexible. The advantage of being part of this elite community is that you have the privilege to earn, learn, and lead in any direction you choose.

Inside the AWS Community with Jason: A Candid Conversation in Bengaluru

Chandradeo Arya — Sat, 24 May 2025 18:30:00 GMT

Inside the AWS Community with Jason: A Candid Conversation in Bengaluru

Recently, at AWS Community Day Bengaluru, I had the pleasure of sitting down with Jason, the Community Head for the AWS Community Builders program. Jason’s journey from a self-taught tech enthusiast to a leader at AWS is as inspiring as the vibrant developer community he oversees.

We talked about everything from his unconventional career path to the incredible "India scale" of the AWS community. Here is the full podcast.

https://www.youtube.com/watch?v=lbcgmwTVxY4

Chandra: Jason, most welcome to the podcast! Let’s start with your career at AWS. How did it all begin for you?

Jason: Thank you, Chandra! I just celebrated my fifth anniversary with AWS. I was actually hired right at the start of the pandemic, in March 2020. I remember interviewing for the role while I was on vacation in Mexico with my family—which was pretty funny looking back. Starting a new job when the whole world was shutting down was definitely a strange experience.

Chandra: Did you apply specifically for the community program, or did your journey start elsewhere?

Jason: I actually wasn't part of the AWS community before this. I’m not a technical builder and I had never used AWS. My background is in marketing and communications. When I saw a job listing for a community program within the marketing department, it felt like the perfect fit for my skill set.

Chandra: That’s interesting! A lot of people are curious about your background. How did you get into this space?

Jason: I studied applied communications in school—things like public relations, writing, and organizational dynamics. But I never had a "traditional" communications job. For years, I was self-employed; I ran technology blog sites, was a YouTuber long before it was mainstream, and was a Microsoft MVP for 15 years for my contributions to their technical community.

Eventually, my freelance work for Microsoft transitioned into a role at HTC, where I worked on their Android phone community. From there, I moved to AT&T Business to manage a community of small business owners, and finally, I landed here at AWS.

Chandra: AWS is known for its incredible community. From your lens, what makes the program so special?

Jason: When I joined, I was amazed by the passion. I didn't know much about user groups back then, but my job was to tap into that energy and build a new type of community from scratch. We launched the AWS Community Builders program in beta in June 2020—just 60 days after I started. At Amazon, we have a leadership principle called "Bias for Action," so we just figured out the best way to get it out the door.

Chandra: You’re quite a celebrity here! People are lining up for selfies. Did you expect this kind of reception in India?

Jason: I had a hunch! At events like re:Invent, I take a lot of pictures, but I knew coming to India would be on another level.

Chandra: What is the most unique thing you’ve noticed about the developer community here?

Jason: It’s what I call "India scale". Everything is just bigger here. For example, when we opened Community Builder applications this year, we had about 4,700 total—and 2,000 of those were from India alone. This Community Day in Bengaluru feels like a professional AWS summit; the energy and the population of young developers are just incredible.

Chandra: You actually chose to attend this Community Day over the AWS Summit that happened two weeks ago. Why was that?

Jason: Two reasons. At a Summit, my job is mostly standing in a booth and shaking hands. But at a Community Day, I get to speak, present, and really get to the heart of the community. I had heard how amazing the Indian community events were, and I wanted to experience it firsthand.

Chandra: We’ve seen great growth in India, but what about regions where the community is smaller, like Saudi Arabia? Do you have plans for those areas?

Jason: It’s not always easy growing in new regions, but our strategy is to leverage existing members. We encourage our builders in places like Saudi Arabia to share the application and grow the base. User groups are the most important part of this; if we can get a user group started in a city, the community grows from there, eventually producing Community Builders and AWS Heroes.

Chandra: You also mentioned "Cloud Clubs" in your presentation. Can you tell us more about that?

Jason: Cloud Clubs is a newer initiative, launched around late 2023 or early 2024. It’s essentially a user group specifically for students at colleges and universities. It’s led by students, for students, to get them interested in AWS early on. We’re already seeing Cloud Club captains transition into becoming Community Builders.

Chandra: How many countries have you visited to build these communities?

Jason: Honestly, not that many yet! Last year was my first big international push—I went to Thailand and Malaysia. Malaysia was actually the first Community Day I ever attended. This year, India is my first stop, followed by Singapore, Indonesia, and Argentina. I’m trying to hit as many places as possible.

Chandra: For someone in a small city wanting to start a local user group, what is your advice?

Jason: We encourage people to partner with existing groups first. However, if you’re in a city where it’s not realistic for people to travel to the nearest group, we absolutely encourage you to start your own. Even in a "small" city of a million people—which I know is small by "India scale"—if there are people who want to learn, we want to help them connect.

Chandra: Finally, how has your actual stay in India been so far?

Jason: It had a rough start! I arrived at 4:00 AM after a long flight, and then the airline lost my bag. But now I’m well-rested, I have new clothes, and I’m looking forward to doing some "photo walking" around the city this weekend.

And the food has been great! Last night I had corn and cheese samosas from a food cart—I asked for the least spicy thing they had, and it was still pretty spicy for me, but delicious. I also had a sweet Lassi and some Gulab Jamun, which I’ve had before from my neighbors back home. I love Indian food!

Chandra: Jason, it’s been a pleasure. I hope your stay is memorable, and we look forward to seeing you back in India soon.

Jason: Thank you for having me! It’s been a great event.

MySQL to PostgreSQL: A Hands-On AWS DMS Migration Guide with AWS RDS Aurora

Chandradeo Arya — Wed, 22 Jan 2025 18:30:00 GMT

Database migration

Databases are important part of any applications. But due to various reasons like cost, compliance, application compatibility etc. database migrations are required. In this blog we will discuss importance of doing database migration in the right way and using AWS DMS for this purpose with a hands-on example.

Why a live database migration is challenge

During Live migrations it is required to keep the database operational during the transition, which risks data inconsistency, extended downtime, and increased manual effort. Database migration is challenge due to various reasons like:

Data Type Differences: Handling discrepancies between different data types like MySQL and PostgreSQL has certain difference in schema and conventions.
Schema Conversion: Adapting schema definitions and constraints to match PostgreSQL requirements.
Downtime: Potential service disruption if the database is live and critical.
Manual Effort: Increased risk of human error and additional time in manual configuration.
Data Integrity: Ensuring consistency and accuracy during data transformation and transfer.

Different ways to perform database migration

There are different ways to perform database migration. All of these approach have their own pros and cons.

One of the most popular approach is using SQL Dumps. Here we Use mysqldump to export data and import into PostgreSQL but this is manual and error prone. Similarly, various ETL tools like Talend or Apache NiFi can be used and there are various specialized utilities like pgloader for automated schema and data conversion as well.

But all these approaches have significant risks of data loss, downtime and human error. This is where AWS DMS comes in picture.

What is AWS DMS?

AWS DMS is a managed service from AWS that facilitates database migration to AWS. It supports both homogeneous (same database engine) and heterogeneous (different database engines) migrations.

When to Use AWS DMS

Migrating on-premises databases to the cloud.
Modernizing or consolidating databases across different environments.
Enabling continuous data replication during live migrations with minimal downtime.

Benefits of AWS DMS

Cost-Efficient: Reduces overhead with a managed solution.
Minimal Downtime: Supports continuous data replication, ensuring business continuity.
Simplified Management: Automates replication and offers robust monitoring tools.
Flexibility: Adapts to various migration scenarios, whether homogeneous or heterogeneous.

How to setup DMS

Migrating databases between different engines or environments can be challenging. As discussed earlier, out of various approaches AWS DMS provides the most robust way to perform this task. Let’s setup a DMS service using terraform.

Automating AWS DMS Cluster Deployment with Terraform

AWS Database Migration Service (DMS) setup with Terraform makes the process very highly automated and reproducible. In this lab, we’ll create a full Terraform configuration that provisions a DMS replication instance, configures source and target endpoints, defines a replication task for migrating an entire schema, and sets up the necessary IAM roles for seamless operation.

1. AWS Provider Setup

Terraform starts by configuring the AWS provider. This tells Terraform where to deploy your resources. Adjust the region as needed:

provider "aws" {
  region = "us-east-1"  # Adjust region as needed
}

2. Creating the DMS Replication Instance

The replication instance is the core compute resource for DMS. It handles the data migration process. Here’s the complete resource configuration:

resource "aws_dms_replication_instance" "dms_instance" {
  replication_instance_id   = "dms-instance"
  replication_instance_class = "dms.t3.medium"  # We are using Smallest available instance class for DMS to control cost.
  allocated_storage         = 50 # This is also smallest possible value
  publicly_accessible       = true # You can keep it false in prod env
}

In this code we are creating dms-instance and uses the dms.t3.medium class. We are allocatting 50 GB of storage.

3. Configuring DMS Endpoints

Endpoints specify where data is coming from (source) and where it is going (target). This example uses an Aurora MySQL database as the source and an Aurora PostgreSQL database as the target.

Source Endpoint – Aurora MySQL

resource "aws_dms_endpoint" "source_mysql" {
  endpoint_id   = "source-mysql-endpoint"
  endpoint_type = "source"
  engine_name   = "mysql"

  username      = "admin"
  password      = "SUPERSECRET"
  server_name   = "rds-mysql-url.us-east-1.rds.amazonaws.com"
  port          = 3306
  database_name = "sample_db"
}

Target Endpoint – Aurora PostgreSQL

resource "aws_dms_endpoint" "target_postgres" {
  endpoint_id   = "target-postgres-endpoint"
  endpoint_type = "target"
  engine_name   = "postgres"

  username      = "master"
  password      = "SUPERSECRET"
  server_name   = "rds-postgres-url.us-east-1.rds.amazonaws.com"
  port          = 5432
  database_name = "sample_db"
}

Here we are setting the source and target. We specify the PostgreSQL connection details ensuring that DMS knows where to load the data.

4. Defining the DMS Replication Task

The replication task orchestrates the data migration. This task defines what to migrate, the migration type, and includes detailed settings to control the behavior during the migration.

resource "aws_dms_replication_task" "dms_task" {
  replication_task_id      = "mysql-to-postgres-migration"
  replication_instance_arn = aws_dms_replication_instance.dms_instance.replication_instance_arn
  source_endpoint_arn      = aws_dms_endpoint.source_mysql.endpoint_arn
  target_endpoint_arn      = aws_dms_endpoint.target_postgres.endpoint_arn

  migration_type = "full-load"  # Use "full-load-and-cdc" for ongoing changes

  table_mappings = <"rules": [
    {
      "rule-type": "selection",
      "rule-id": "1",
      "rule-name": "IncludeAllTables",
      "object-locator": {
        "schema-name": "sample_db",
        "table-name": "%"
      },
      "rule-action": "include"
    }
  ]
}
EOF

  replication_task_settings = <"TargetMetadata": {
      "TargetSchema": "",
      "SupportLobs": true,
      "FullLobMode": false,
      "LobChunkSize": 64,
      "LimitedSizeLobMode": true,
      "LobMaxSize": 32,
      "InlineLobMaxSize": 0,
      "LoadMaxFileSize": 0,
      "ParallelLoadThreads": 0,
      "ParallelLoadBufferSize": 0,
      "BatchApplyEnabled": false,
      "TaskRecoveryTableEnabled": false
  },
  "FullLoadSettings": {
      "TargetTablePrepMode": "DO_NOTHING",
      "CreatePkAfterFullLoad": false,
      "StopTaskCachedChangesApplied": false,
      "StopTaskCachedChangesNotApplied": false,
      "BatchApplyEnabled": false,
      "BatchApplyPreserveTransaction": false,
      "BatchApplyTimeoutMin": 0,
      "BatchApplySkipErrorTables": false
  },
  "Logging": {
      "EnableLogging": true
  }
}
EOF
}

Important details:

Task Identification: The replication_task_id uniquely labels the task.
Migration Type: It uses full-load to migrate the entire schema and data at once.
Table Mappings: The JSON mapping rule ensures that all tables in the CompanyDB schema are included.
Task Settings: These JSON blocks provide detailed configurations like LOB handling and logging options, ensuring that the task behaves as expected.

5. Configuring IAM Roles for DMS

AWS DMS requires specific IAM roles to interact with your VPC and CloudWatch logs. Two roles are created—one for VPC management and another for CloudWatch logging.

IAM Role for VPC Management

resource "aws_iam_role" "dms_vpc_role" {
  name = "dms-vpc-role"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "dms.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "dms_vpc_role_attach" {
  role       = aws_iam_role.dms_vpc_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole"
}

Here, we are granting the DMS service permission to assume the role.

IAM Role for CloudWatch Logs

Here we are handling the logging permissions. Policy Attachment ensures DMS can write logs to CloudWatch for monitoring and troubleshooting.

resource "aws_iam_role" "dms_cloudwatch_logs_role" {
  name = "dms-cloudwatch-logs-role"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Service": "dms.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  })
}

resource "aws_iam_role_policy_attachment" "dms_cloudwatch_logs_role_attach" {
  role       = aws_iam_role.dms_cloudwatch_logs_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonDMSCloudWatchLogsRole"
}

Creating the DMS cluster

Let’s apply the terraform configuration and observe the changes.

terraform apply

Observe the created DMS service

If everything is correct then it should start creating the DMS replication instance.

Pre-migration

Pre-migration assessment is important process to analyze the source database to identify compatibility issues, estimate migration effort, and plan the migration strategy.

Why is it important?

Detects schema and data type mismatches.
Estimates required changes and risks.
Helps choose the right tools and migration path.
Reduces surprises during migration.

Once you hit create migration assessment, it will start the process and give you the migration assessment result.

Reviewing migration results

After migration, AWS DMS can store detailed logs and migration reports in an S3 bucket. When you are reviewing them you can focus on these points:

Verify which tables and rows were migrated.
Identify any skipped or failed records.
Troubleshoot issues using detailed error logs.
Ensure data consistency between source and target.

This is how a sample report looks like

Finally, let’s start migration

Now comes the exciting part—starting the migration!

With everything configured and validated, kicking off the DMS task sets your data in motion. Watch as your tables begin flowing from MySQL to PostgreSQL, live and in real time. It’s the moment where planning turns into action, all with minimal downtime and full control via DMS.

Once this task is over, then your database has successfully migrated from Mysql to Postgres Sql. You can celebrate now! Yeyyy!

Beginners guide to learn and build Generative AI applications on AWS Bedrock

Chandradeo Arya — Tue, 16 Jan 2024 18:30:00 GMT

Intro and hype of GenAI

Generative AI (GenAI) a new field of artificial intelligence has taken the world on revolution with OpenAI Chatgpt being launch almost an year back. Using this we can create entirely new things, from text and images to code and music. It has the potential to transform many industries and our daily lives.

What future holds:

The Future of GenAI is very promising. With every predictions that GenAI models are going to become more sophisticated, affordable and accessible. We can expect even more creative applications, automation of complex tasks, and a deeper understanding of the world around us.

GenAI is going to increase enhanced creativity, increase efficiency, personalize experiences and propel speed of new discoveries.

Amazon Bedrock

Amazon Bedrock is a powerful platform that makes GenAI more accessible and user-friendly. AWS is bringing its decade long cloud leadership and experience in making GenAI available for developers and users.

Why Amazon Bedrock matters:

Amazon Bedrock is going to significantly effect the GenAI ecosystem due to following reaons:

Lower Barrier to Entry: Bedrock provides access to powerful generative models from various AI providers through a single platform. This eliminates the need for extensive technical knowledge. learning curve and huge cost investment. Pay-per-use model will make it more easily accessible.
Simplified Development: Bedrock offers pre-built tools and playgrounds for experimentation and fine-tuning models. Being part of AWS cloud it has deep integrations with various core AWS services like Opensearch, S3, IAM, KMS etc which will make development faster and simpler.
Focus on Innovation: Bedrock will abstract the infrastructure and technical complexities so that application developers can just focus on innovation rather than going into research which is different area of expertise.

Amazon Bedrock for Beginners: A Hands-on Guide for developers

This guide gets you started with Amazon Bedrock, a powerful tool for building generative AI applications. I'll break down the key concepts and present you a path forward to start your learning journey. The whole learning journey has been broken down in multiple modules.

Prerequisites:

This guide is focused on developer. I assume you should have basic understanding of GenAI ecosystem, prompting and AWS cloud. If not then these modules are also important to learn.

Getting Started (Optional):

Module 1: Introduction module covers the core ideas of generative AI and Amazon Bedrock if you are totally unaware of GenAI and its impact.
Module 2: Intro to AWS (optional) module is essential guides you through setting up an AWS account if you don't already have one. You should also learn basic AWS cloud services before going to use Amazon Bedrock.
Module 3: Prompt Engineering (optional) teaches you how to craft effective prompts, which are starting points for AI generation. It is optional but important to get quality response from the models.

Hands-on with Amazon Bedrock:

Once you have learnt the above concepts or modules then you are ready to dive into learning Amazon Bedrock with following lessons.

Module 4: In this module you should dive into learning Amazon Bedrock's playgrounds and demos. Here, you'll experiment with pre-built models for text, chat, and image generation. You'll also learn to fine-tune these models for specific tasks.

Deep Dive into Amazon Bedrock:

Module 5: Building Your App goes under the hood of Amazon Bedrock. You'll learn best practices for designing and building cost-effective and secure generative AI applications.

Building a Knowledge Base:

Module 6: Knowledge Base teaches you how to build a knowledge base, which is a collection of information your AI can access. You'll also learn how to secure this data.

Building Generative AI Agents:

Module 7: Building Agents walks you through creating secure and scalable generative AI applications. You'll learn to design and integrate the key components of these applications, called agents.

Building GenAI apps with Amazon Bedrock:

Building Generative AI Applications with Python:

Module 8: Building Applications shows you how to leverage foundational models for various applications. You'll build simple generative AI chatbots, image generators, and more using Python.

Wrapping Up:

Module 9: Putting it All Together discusses the ethical considerations of generative AI and how to stay updated on the latest developments in Amazon Bedrock. You'll also learn how to troubleshoot common issues.

Using AWS Organizations and AWS Nuke to create disposable low-cost cloud experience

Chandradeo Arya — Mon, 13 Nov 2023 18:30:00 GMT

Every beginner in AWS

Most AWS users in beginning miss to keep track of services they create. It’s very easy to forget the services creating via console in different regions. AWS is definitely a sea of services.

I myself have lost over 5000 in three occasions in total. With one alone being 4,000$ because I left a P5d.large Nvidia H100 GPU running which I created for an experiment.

Using AWS billings and alarms are some of the easiest way to keep track of AWS expenses. I also encourage using AWS organizations for centralised billing to utilise AWS accounts as disposals resources for all experiments and testing purposes.

I’ve written other blogs on using AWS billing and alarms and using AWS organizations effectively. In this article we will explore using AWS Nuke a powerful tool for destroying AWS resources.

I’m writing this blog as step by step lab instruction so that you can easily follow it just by running the given commands in sequence.

Objective of the lab:

Understand the purpose and functionalities of AWS Nuke.
Set up AWS Nuke for safe experimentation.
Write configurations to target specific resources for deletion.
Execute a dry run to simulate resource deletion.

Prerequisites

To finish this lab you should have:

An AWS account with access credentials. Preferably with some resources created.
Basic understanding of AWS resources.
Familiarity with the command line interface (CLI).

Use cases:

Destroying the disposable AWS accounts created for testing and experiments.
Destroying inter-dependable AWS resources which are otherwise hard to be deleted.
Finding all resources known or unknown in all regions and deleting them.

Steps:

Step1: Setting Up the Lab Environment (Optional)

If you have an AWS account with some resources which you don’t need then you can try this on same account or you must create a new AWS account for testing AWS Nuke.

Important Note: AWS Nuke is a destructive tool, so use it with caution even in a non-production environment.

Step 2: Install AWS CLI

If you running this command from your local machine or non-Amazon Linus EC2 server then you must install AWS CLI.

Running this command installs AWS CLI on Linux.

curl "" -o "awscliv2.zip"

sudo apt install unzip

unzip awscliv2.zip

sudo ./aws/install

For further guidance in setting up CLI and configuring it with credentials follow this link. https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html

You must ensure that using are using credentials of administrator level AWS user or root can be used as well (not preferred).

Step 3: Installing AWS Nuke

For macOS

brew install aws-nuke

For Linux machines

# Download and extract 
wget -c  -O - | tar -xz -C $HOME/bin

#Run
aws-nuke-v2.25.0-linux-amd64

You can find the latest version from release

Step 4: Configuring AWS Nuke basic configuration

AWS Nuke offers various configuration options. Explore the configuration file (~/.aws-nuke/config.yml) to customize behavior.

This is a minimal configuration

regions: # List of regions to execute
- eu-west-1
- us-east-1

account-blocklist:
- "999999999999" # production

accounts:
  "000000000000": {} # aws-nuke-example

Step 5: Adding target and excludes

aws-nuke provides option to target or exclude particular resources from deletion. There are multiple ways to configure this.

Using target to delete certain resources

---
regions:
  - "eu-west-1"
account-blocklist:
- 987654321

resource-types:
  # only nuke these three resources
  targets:
  - S3Object
  - S3Bucket
  - IAMRole

accounts:
  98769876: {}

Using excludes to delete all but specified resources.

---
regions:
  - "eu-west-1"
account-blocklist:
- 987654321

resource-types:
  # don't nuke IAM users
  excludes:
  - IAMUser

accounts:
  98769876: {}

Step 6: Using resources filtering

aws-nuke provides option to avoid deleting the current user for example or for resources like S3 Buckets which have a globally shared namespace and might be hard to recreate. Currently the filtering is based on the resource identifier.

For example we can delete all resources but certain IAMUser and IAMUserPolicyAttachment

---
regions:
  - "eu-west-1"

account-blocklist:
- 1234567890

accounts:
  0987654321:
    filters:
      IAMUser:
      - "admin"
      IAMUserPolicyAttachment:
      - "admin -> AdministratorAccess"
      IAMUserAccessKey:
      - "admin -> AKSDAFRETERSDF"
      - "admin -> AFGDSGRTEWSFEY"

aws-nuke supports using multiple types of filters like exact filter, contains, regex, date based etc.

Example configuration file.

version: 0.34.0  # Replace with the installed version

resources:
  - type: EC2
    filters:
      - Name: tag:Name=chandra-ec2
  - type: S3Bucket
    filters:
      - Name: name  # Matches bucket names containing "test"
        values:
          - application-data-store-12345364

Explanation of the configuration file

version: Specifies the AWS Nuke version used.
resources: This section defines the resources to target.
- The first entry targets EC2 instances with the tag Name: My-Test-Instance.
- The second entry targets S3 buckets containing "test" in their names.

Filters:

Filters allow for more granular targeting within a resource type.
In the first entry, we use a tag filter to target a specific EC2 instance.
The second entry uses a name filter with a value to target buckets containing application-data-store-12345364.

Step 7: Executing a dry run

AWS Nuke is very distructive so it provides option to perform a dry run to see which resources would be deleted.

Run the following command with flag --dry-run in the config path.

aws-nuke --dry-run -c nuke-config.yml

This command simulates the deletion process based on your configuration. It will display a list of resources slated for deletion without actually deleting them.

Step 8: Review and Deletion (ACTUAL & DISTRUCTIVE)

This step involves actual resource deletion. Here we just remove the --dry-run flag and run only when we are confident in the targeted resources.

Important: This will permanently delete the targeted resources. Use this step with extreme caution!

Result

Easily removed AWS resources giving me peace of mind with no surprise bills anymore.

Founders first moves to start building on AWS: situation and solution

Chandradeo Arya — Sun, 29 Jan 2023 11:23:36 GMT

Move #1 : Deciding Budgets and over-utilisation alarms

Situation:

Budget is always a constraint for startups
With founders wearing multiple hats, it’s easy to lose the track of cost. Common resources are unattached EBS volumes, Elastic IPs, Bastion hosts, Instances for ML model trainings etc.
You wake up with surprise bills
AWS provides billing predictions which helps to plan runway

Solution

AWS Billing provides budget planning and tracking features
You can create billing alarms to track unused resources and outlier costs
Alerts can be created on forecasted costs or actual costs

AWS recommends following two approaches:

Proactive approach: AWS Instance Scheduler This approach involves using tags to resources like EC2/RDS instances and then create schedule to start or stop.

Reactive approach: AWS Budgets - This is the most basic and must do approach which involves creating email alerts when monthly AWS spend exceeds the budget threshold.

Move #2 : Deciding Infrastructure as Code (IAC)

Infrastructure as Code enables programmatic provisioning and management of cloud resources. It help to improve the efficiency, reliability, and scalability of your infrastructure, while also reducing costs and increasing flexibility.

Situation

As startup grows services grow and scale increases. It becomes difficult to track resources and configurations.
With increasing user demands need to deploy additional server in a different availability zones or region increases which is difficult to replicate in absence of IAC.
Once the “Too small to be be notices” phase ends for a company attackers can create security nightmares. Implementing security policies and best practices are consistently applied across the infrastructure is difficult in absence of IAC.
As startup budget is always a constraint. IAC reduces time-consuming and error-prone manual tasks and brings automation and hence cost saving.

Solutions:

AWS CloudFormation: AWS CloudFormation is a good choice for organizations already using AWS, but it only supports AWS. This is a free tool and low learning curve. This is specially useful for startups to experiment faster.
Terraform: Terraform is a good choice for organizations looking to support multiple cloud providers. But that has steeper compared to other Cloudformation and its complexity is higher as well.

Generally speaking for startup cloudformation is easier option to start with because of easiness to adopt, low learning curve and simplicity.

Move #3 :Choosing managed AWS services

AWS managed services can help organizations achieve greater scalability, reliability, security, and cost-effectiveness. Managed services are always updated to the latest cloud technologies and best practices in the industry.

Situation

Self managed services have high cost and require more efforts in maintenance. So, to reduce cost and human efforts you should always use the correct AWS managed services.
As a startup you should ways focus on your niche and innovate around that. Managing cloud is just a side hassle to be always avoided.
As a startup you can never scale to match the level of experts of the domain like AWS and its engineers. So best idea is to just use the innovation at scale.
Managed services have built-in features such as automated backups, disaster recovery, and security controls. You just need to plug and play.

Solution

Just use the right managed services.

Here is a table comparing self-managed solution with an AWS managed service.

Use case	Don’t	Do
User authentication and management	Building own solution using library	Just use Amazon Cognito
Orchestration of containers	Using Docker swarm or Kubeadm etc	Just use ECS or EKS. For most general startups they are good.
Self-hosting MySQL or MongoDB	Launching mysql or MongoDB on EC2 or on-premise	Just use AWS Amazon DocumentDB or RDS.
CICD	Launching Jenkins on EC2	Just use AWS CICD tools like Codebuild, codepipeline etc. It has native support for Jenkins as well.

Top 6 AWS certification exam passing technique

Chandradeo Arya — Thu, 10 Mar 2022 19:40:19 GMT

Cracking AWS certification exams requires knowledge and experience. But at the same time being smart and hacky with choosing the right approach to solve the question to equally important. This becomes more relevant for professional exams which are tough and questions are lengthy.

In this blog we are going to look at five such technique which give you edge in the exam. All techniques are discussed with examples and alerts or warning for all questions.

Question technique 1

An application uses an Application Load Balancer, an Auto Scaling Group and currently, 10 EC2 instances. To ensure cost efficacy you have been asked to ensure that when average CPU utilisation is below 20% instances are terminated and added when average CPU is above 70%.

Alert1 - As it can be seen this is a pretty average type of question in term of its length and difficulty. All questions have some unnecessary information so we should start with identifying the keywords in it which actually matter. Click toggle button below to find the idetified keywords.

Question highlights

An application uses an Application Load Balancer, an Auto Scaling Group and currently, 10 EC2 instances. To ensure cost efficacy you have been asked to ensure that when average CPU utilisation is below 15% instances are terminated and added when average CPU is above 65%.

Which option should you suggest?

Implement a Scheduled Scaling Policy to add instances during periods of heavy CPU usage and remove them when CPU usage is below 20%
Run a script on each EC2 instance to report the CPU load back to the auto scaling service which can make decisions based on target rules
Implement Target Tracking Scaling Policies at 20% and 70%, use an IAM Role to provide the policies with permissions to add and remove EC2 instances
Use CloudWatch to monitor average CPU levels and create simple scaling policies within the Auto Scaling Group

Answer highlights

Implement a Scheduled Scaling Policy to add instances during periods of heavy CPU usage and remove them when CPU usage is below 20%

not the case of scheduled scaling policy. Eliminated.
Run a script on each EC2 instance to report the CPU load back to the auto scaling service which can make decisions based on target rules

This is not the case of scheduled scaling policy and secondly we hardly use script based solution in AWS.
Implement Target Tracking Scaling Policies at 20% and 70%, use an IAM Role to provide the policies with permissions to add and remove EC2 instances

This talks about target tracking while questions seems to be needing simple scaling and it talks about IAM Role which we don’t use for autoscaling.
Use CloudWatch to monitor average CPU levels and create simple scaling policies within the Auto Scaling Group

Only option which fits well after elimination.

Trick1 - Eliminate absurd answers.

Start with identifing the keywords in the question and the answer and eliminate one or two answers quickly.

Question technique 2

A professional baseball league has chosen to use AWS DynamoDB for its backend data storage. Many of the data requirements involve high-speed processing of images caputured using a flying drone. All these data including position and images are stored in DynamoDB. Users of the analytics applications using this database complain of slow load times for the positioning data including images. Currently the data and related informations are stored within DynamoDB.

Which option represents the best fix for this type of problem?

Alert2- Just think why it mentions DynamoDB as backend data storage. It also mentions storing image in the database. Why would someone use DynamoDB to storage images.

Question highlights

A professional baseball league has chosen to use AWS DynamoDB for its backend data storage. Many of the data requirements involve high-speed processing of images caputured using a flying drone. All these data including position and images are stored in DynamoDB. Users of the analytics applications using this database complain of slow load times for the positioning data including images. Currently the data and related informations are stored within DynamoDB.

Which option represents the best fix for this type of problem?

Which options do you suggest

Which option represents the best fix for this type of problem? (choose one)

Change from DynamoDB to Aurora running in a VPC and use multiple replicas to scale read capability for the analytics application.
Copy the drone images to S3, replace the database stored images with a link to the S3 location.
Change from DynamoDB to Aurora running in a VPC and use multiple replicas to scale read capability for the analytics application.
Modify the DynamoDB table to use on-demand pricing to cope with the incoming demand, use an SQS queue to buffer writes to cope with peak load.

Answer highlights

Change from DynamoDB to Aurora running in a VPC and use multiple replicas to scale read capability for the analytics application.

Analytics application is based on nosql database. We can’t change the whole database and application.
Copy the drone images to S3, replace the database stored images with a link to the S3 location.

As it can be seen the main issue storing the captured image data in DynamoDB itself. DynamoDB has limits on per items storage and that loading will take time. Changing this to point to image location on S3 seems a good option as with minimal changes in the application to show the images from the coming link will solve the issue.
Adjust the RCU and WCU on the DynamoDB tables to 10,000 each to cope with the load on the database.

There is no limit to increasing the RCU and WCU. What if larger images keep getting stored in the database.
Modify the DynamoDB table to use on-demand pricing to cope with the incoming demand, use an SQS queue to buffer writes to cope with peak load.

Similar to the last option, there is no limit to increasing demand of the application. Main issue is storing the image.

Trick2- Find anti-patterns.

Some questions give application level information which are not written obviously. Like this question mentions storing image in the DynamoDB itself. DynamoDB is not good for storing binary data. So trick is to find anti-patterns that the application might be using.

Question technique 3

A non-profit organization elastic **website runs on EC2 instances provisioned and terminated by an Auto Scaling Group. Authors connect to the system publish a post with attached images which can receive millions of views a day. With the introduction of the auto scaling group to allow the site to scale a regular bug is that posts have broken links instead of images.

Which of the following options is a potential fix? (choose one)

Motivation - This question is actually interesting because it doesn't give you a heads as to what is the root cause of the problem. It is very open ended and they give you little information about its implementation.This means to get additional information to about the question we will have to use the answers. It also mentions that ec2 instances termination of older instances by auto scaling group. This means problem is likely to be related to this change. This could be causing the broken links in the broken images. Good thing with this question is the its answers are very short so easier and quicker to evaluate.

Question highlights

A non-profit organization elastic website runs on EC2 instances provisioned and terminated by an Auto Scaling Group. Authors connect to the system publish a post with attached images which can receive millions of views a day. With the introduction of the auto scaling group to allow the site to scale a regular bug is that posts have broken links instead of images.

Which options do you suggest

Implement CloudFront to cache images to avoid the broken links
Change the EC2 volumes on all instances in the ASG from ST1 to GP2, adjust the ASG to use GP2 for any newly provisioned instances
Implement EFS and configure all Instances to mount it via a Mount Target
Use EBS Snapshots to restore any missing images on a case by case basis

Answer highlight

Implement CloudFront to cache images to avoid the broken links

Can’t decide to use CloudFront without actually knowing the backend source of images.

Change the EC2 volumes on all instances in the ASG from ST1 to GP2, adjust the ASG to use GP2 for any newly provisioned instances

ST1 to GP2 only changes the performance. Not the actual problem.

Implement EFS and configure all Instances to mount it via a Mount Target

This is the only good option after elimination of rest three. This is a shared file system to all instances with images stored in it permanently. So this will work like a charm.

Use EBS Snapshots to restore any missing images on a case by case basis

Elastic solutions need to be automated. Not case by casis.

Trick3 - Get clue from answers for open ended questions

This question required you need to read between the lines and understand the reasons why images could be broken because the storage of the instnace is vanishing as instances get terminated by ASG. This type of questions which require reviews and analysis are very common in the professional level. Even in associate level certifications have some questions like this.

Question technique 4

You are auditing a serverless application for a live aution system. The application uses API Gateway, S3 and Lambda to provide the frontend serverless compute and DynamoDB for backend data storage. During yearly auction registration periods the system is expected to have 10000x the load vs other times of the year. The DynamoDB tables use provisioned capacity of 50 RCU/WCU.

Which architecture changes could you suggest to reduce the impact of the extra load? (choose two)

Motivation- This is a clasic example of burst problem that for a certain period of time large amount of requests come which vanish later. If we look closely we find that frontend and backend part of the application is serverless which means it will scale automatically so this can’t be a concern for us to scale. API gateway, S3 and lambda are serverless services. But if we look at DynamoDB it is not. So, we may have to focus on this. Last part mentioning 50 RCU/WCU also gives us clue that this detail is useful to us. So answer mostly lies in DynamoDB.

Question highlights

You are auditing a serverless application for a live aution system. The application uses API Gateway, S3 and Lambda to provide the frontend serverless compute and DynamoDB for backend data storage. During yearly auction registration periods the system is expected to have 10000x the load vs other times of the year. The DynamoDB tables use provisioned capacity of 50 RCU/WCU.

Which architecture changes could you suggest to reduce the impact of the extra load? (choose two)

Which options do you suggest

Launch 100 DynamoDB databases during the peak period to spread the 10000x load
Backup the data from DynamoDB and restore the snapshot into an Aurora Serverless cluster, configure for public access and modify the application code
Change from provisioned to on-demand capacity
Add an SQS queue, modify the application so it writes to the queue and use a backend Lambda to parse auction registration records from the queue and add to the database over time
Increase the RCU and WCU on the table from 50 to 500,000 for the brief peak periods and return afterwards

Answer highlights

Launch 100 DynamoDB databases during the peak period to spread the 10000x load

Straight no.
Backup the data from DynamoDB and restore the snapshot into an Aurora Serverless cluster, configure for public access and modify the application code

Straight no. Can’t replatform.
Change from provisioned to on-demand capacity

Yes. Let AWS handle the scaling. It may be very costly but this solution will work. So it is a potential solution. Since we have to select two this can be one of that. If we were to select cheapest one, then we could avoid this. But that’s not the case here.
Add an SQS queue, modify the application so it writes to the queue and use a backend Lambda to parse auction registration records from the queue and add to the database over time.

Decoupled solution are great. This soultion will work at low cost as well and handle the peak volume using SQS queue. So, it is a great solution.
Increase the RCU and WCU on the table from 50 to 500,000 for the brief peak periods and return afterwards

Nope. We need automated solution and there is no limit to load increase. What if load increases even higher.
Trick4- Focus on non-serverless services for performance. Go for decoupled solutions.

Question technique 5

You are auditing the AWS environment for an enterprise application. It runs from EC2 instances provisioned via an ASG connected to an application load balancer. A SysAdmin team manages the AWS and EC2 environment, and development teams connect to EC2 when they perform application maintenance. You're adding SSL capability and need to ensure the Development team, who have Root access to the EC2 instances can't access the SSL Certificate for the application.

Which solution should you suggest? (choose one)

Motivation -

Question highlights

You are auditing the AWS environment for an enterprise application. It runs from EC2 instances provisioned via an ASG connected to an application load balancer. A SysAdmin team manages the AWS and EC2 environment, and development teams connect to EC2 when they perform application maintenance. You're adding SSL capability and need to ensure the Development team, who have Root access to the EC2 instances can't access the SSL Certificate for the application.

Which solution should you suggest? (choose one)

Which options do you suggest

Store the SSL Certificate on S3, copy onto the EC2 instances at boot, load and remove afterwards
Store the SSL certificate on the EC2 instances and set the permissions to allow access onto from the SysAdmins IAM group
Generate a certificate within ACM, configure it on the ALB and set the EC2 instances to use the HTTPS protocol for ALB -> Instance connections
Import the certificate into ACM, configure it on the ALB and set the EC2 instances to use the HTTP protocol for ALB-> Instance Connections

Answer highlights

Store the SSL Certificate on S3, copy onto the EC2 instances at boot, load and remove afterwards

Once certificate is loaded on the instance root user will still have access to it.

Store the SSL certificate on the EC2 instances and set the permissions to allow access onto from the SysAdmins IAM group

Any user with root permission could remove this still.
Generate a certificate within ACM, configure it on the ALB and set the EC2 instances to use the HTTPS protocol for ALB -> Instance connections

If you set certificate on ALB then ALB→ instance connection will become http not https without setting another certificate on ec2 again.
Import the certificate into ACM, configure it on the ALB and set the EC2 instances to use the HTTP protocol for ALB-> Instance Connections

Works well. Set the certificate on ALB and that make the application level access to the end users https and we can leave the ALB→instance connection http.

Trick5- Focus on wording difference in similar answers.

In this case last two options were very similar which is good because they have higher chances of being a valid answer and it is easy to find the keyword difference between them. And just focusing on that part will answer the question.

In this case first option of the last two options are the same because ACM supports both options → generating and importing certificates. Just focusing on the second part of the answers shows the difference.

Question technique 6

A software gaming company has produced an online racing game which has become an overnight craze. Due to the overwhelming success of the gaming application you need to implement security controls within the environment. The application uses EC2 instances, provisioned by an ASG, connected to an application load balancer. You need to implement a system using AWS tools and services which can conduct an analysis of EC2 instances checking for vulnerabilities. And a tool which can check the AWS account, products and services for compliance against best practice standards over time.

Which AWS products should you suggest? (choose two)

Motivation - Essentially this question revolves around security. It talks about vulnerabilities scan and compliance. Most likely everything about ALB, ASG are just useless information. Also it asks for AWS products recommendations so we just need to find a suitable service which meets the requirement.

Question highlight

A software gaming company has produced an online racing game which has become an overnight craze. Due to the overwhelming success of the gaming application you need to implement security controls within the environment. The application uses EC2 instances, provisioned by an ASG, connected to an application load balancer. You need to implement a system using AWS tools and services which can conduct an analysis of EC2 instances checking for vulnerabilities. And a tool which can check the AWS account, products and services for compliance against best practice standards over time.

Which AWS products should you suggest? (choose two)

Which options do you suggest

CloudTrail
AWS Config
Inspector
WAF & Shield

Answer highlights

CloudTrail

Used for access logging. Nothing to do with vulnerabilities scan.

AWS Config

Great to check mismatch from compliance standards.

Inspector

Great to do vulnerability scan on ec2.

WAF & Shield

Used for application security. Nothing to do with AWS account or ec2 instances.

Trick6- Ignore the garbage

Some questions have large amount of unncessary information. Finding this comes with experience. For example in this last two requirements actually matter. Rest whole paragraph is useless.

AWS Kinesis optimal shards and cost estimation

Chandradeo Arya — Sun, 23 Jan 2022 08:23:39 GMT

Amazon Kinesis makes it easy to collect, process, and analyze real-time, streaming data at any scale at the most optimal costs. It supports real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for various applications.

Calculation of optimal number of shards is important for improving the efficiency and lower the cost of the data stream.

We are going to use a simpler producer and consumer process using the code base present in this repo Kinesis shard estimation

Producer

Generates random characters, and then put the generated random characters into the stream as records.

Consumer

Gets batches of records and then seeks through the records for the search pattern and shows on terminal.

Now, install boto python package for interaction with AWS. pip install boto and start the long running tasks.

Long running tasks

nohup python producer.py test --shard_count 1 --poster_count 50 --poster_time 34560 --quiet &

nohup python worker.py test --sleep_interval 0.1 --worker_time 34560 > 01consumer.out 2> 01worker.err < /dev/null &

With this setup done we will start getting the results from consumer where it will find the patterns in the data.

+-> shard_worker:0 Got 25 Worker Records
+--> egg location: [797, 1893] <--+
+--> egg location: [1113] <--+

With this basic understanding and hands on we will look at a real world example and perform shard and cost estimation.

Shard estimation

Question

20 stock exchange servers are generating 10 records of 250kb of data each second. 3 trading servers are consuming 50000kb of such data each second. Estimate no. of shards required for this requirements in AWS Kinesis.

Solution

AWS has defined the below formula to calculate the number of shards

Number_of_shards = max(incoming_write_bandwidth_in_KiB/1024, outgoing_read_bandwidth_in_KiB/2048)

In our case,

incoming_write_bandwidth_in_KiB =

avg.data size in kb * records per second
                                = 250 * 20* 10 = 50000

outgoing_read_bandwidth_in_KiB =

incoming_write_bandwidth_in_KiB * consumers
                                =  50000 * 3 = 150000

So, No.of.Shards

= max (50000/1024,150000/2048)
                 = max (48.8 , 73.2)
                 = 73.2

and hence 74 shards.

Cost estimation

Total number of shards = 74 Hours in a month = 730

74 shards x 730 hours in a month = 54,020.00 Shard hours per month

54,020.00 Shard hours per month x 0.015 USD = 810.30 USD

Shard hours per month cost: 810.30 USD

There can be additional cost based on Extended data retention or Enhanced fan-out etc. if being used.

Enable Cluster Autoscaler in EKS with easy steps

Chandradeo Arya — Wed, 17 Nov 2021 20:03:09 GMT

Kubernetes offers human intervention free function to scale up or down the resources to meet the changing demands. Cloud Autoscaler is an EKS supported feature to enable on any existing cluster.

Prerequisites

An existing Amazon EKS cluster
Access to Kubeconfig file
Kubectl and AWS Cli

Right now the applied IAM roles in your cluster and nodes would be looking like this. We will be adding new IAM policy in our IAM role on the nodes.

Configuring Cluster Autoscaler

Create a policy with following content. You can name it as ClusterAutoscalerPolicy.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Attach this policy to the IAM Worker Node Role which is already in use.

Deploy the Cluster Autoscaler with the following command.

kubectl apply -f https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/aws/examples/cluster-autoscaler-autodiscover.yaml

Add an annotation to the deployment with the following command.

kubectl -n kube-system annotate deployment.apps/cluster-autoscaler cluster-autoscaler.kubernetes.io/safe-to-evict="false"

Edit the Cluster Autoscaler deployment with the following command.
```
kubectl -n kube-system edit deployment.apps/cluster-autoscaler
```
This command will open the yaml file for your editting. Replace value with your own cluster name, and add the following command option --skip-nodes-with-system-pods=false to the command section under containers under spec. Save and exit the file by pressing :wq. The changes will be applied.
Find an appropriate version of your cluster autoscaler in the link. The version number should start with version number of the cluster Kubernetes version. For example, if you have selected the Kubernetes version 1.17, you should find something like 1.17.x.

Then, in the following command, set the Cluster Autoscaler image tag as that version you have found in the previous step.

kubectl -n kube-system set image deployment.apps/cluster-autoscaler cluster-autoscaler=us.gcr.io/k8s-artifacts-prod/autoscaling/cluster-autoscaler:

Conclusion

The Kubernetes Cluster Autoscaler is an easy to use function to prevent downtime when pods fail or are rescheduled onto other nodes by adjusting the number of nodes. This is typically already installed as a Deployment in an EKS cluster. Basic familiarity can save extensive human resources.

Dynamic Volume Provisionining in AWS EKS using EBS

Chandradeo Arya — Wed, 29 Sep 2021 07:10:03 GMT

Pods in Kubernetes need to store data which gets lost if kubelet restarts the pod or pods are intentionally deleted or recreated.

Empty Dir volume or Host path volume use the local disk of the node to mount the volume. Cloud volumes like AWS EBS mount the disk in the same manner but with different implementation.

In this tutorial we will learn the concept of Persistent Volume and Persistent Volume Claim and its implementation on AWS EKS using EBS.

Persistent volume (PV)

As we saw that Empty Dir or Host path are tightly coupled with pods as they use the local disk of the node to mount the volume. It is a piece of storage in the cluster that has been provisioned by an administrator or dynamically provisioned using Storage Classes.

Important things to remember is:

It is a resource in the cluster just like a node is a cluster resource.
PVs are volume plugins like Volumes, but have a lifecycle independent of any individual Pod that uses the PV.
PV is used in the same manner as emptyDir or hostPath but not provisioned by pods.
It removes provisioning burden from developers to admin.

Persistent volume claim (PVC)

Cluster administrator creates the volumes as we saw previously and now pods can access them through PVC. It's a level of abstraction between the volume and its storage mechanism. Once PVC is created requirements of your application only matters eg. space, type, permission.

We can also give different level of access permission in PVC.

ReadWriteOnce - where only one node is allowed access to the volume.
ReadOnlyMany - where one is allowed full access and other nodes are allowed read-only permission
ReadWriteMany - for volumes that can be shared among many nodes and all of them have full access to it

Dynamic Volume Provisionining in AWS EKS using EBS

Create a StorageClass with the following settings.

$ cat storage-class.yaml
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: aws-standard
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
provisioner: kubernetes.io/aws-ebs
parameters:
  type: gp2
  fsType: ext4

Create StorageClass with kubectl apply command.

$ kubectl apply -f storage-class.yaml
storageclass.storage.k8s.io/aws-standard created

Explain the default storageclass

$ kubectl get storageclass
NAME                     PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
aws-standard (default)   kubernetes.io/aws-ebs   Delete          Immediate              false                  37s
gp2 (default)            kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  112m

Create a persistentvolumeclaim with the following settings and show that new volume is created on aws management console.

$ cat pvc.yaml
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: pv-claim
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 3Gi
  storageClassName: aws-standard

$ kubectl apply -f pvc.yaml
persistentvolumeclaim/pvc created

List the pv and pvc and explain the connections.

$ kubectl get pv
NAME                                       CAPACITY   ACCESS MODES   RECLAIM POLICY   STATUS   CLAIM                     STORAGECLASS   REASON   AGE
pvc-250719ae-36b8-441a-ad04-f6f69c1a11f0   3Gi        RWO            Delete           Bound    default/pv-claim   aws-standard            18s
$ kubectl get pvc
NAME              STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
pv-claim   Bound    pvc-250719ae-36b8-441a-ad04-f6f69c1a11f0   3Gi        RWO            aws-standard   2m30s

Create a pod with the following settings.

$ cat dynamic-storage-aws.yaml
apiVersion: v1
kind: Pod
metadata:
  name: test-eks-dynamic-storage
  labels:
    app : web-nginx
spec:
  containers:
  - image: nginx:latest
    ports:
    - containerPort: 80
    name: test-aws
    volumeMounts:
    - mountPath: /usr/share/nginx/html
      name: aws-pd
  volumes:
  - name: aws-pd
    persistentVolumeClaim:
      claimName: pv-claim

$ kubectl apply -f dynamic-storage-aws.yaml
pod/test-eks-dynamic-storage created

Enter the pod and see that ebs is mounted to /usr/share/nginx/html path. As it can be seen EBS has been mounted to the path and once we are done we can delete this.

$ kubectl exec -it test-aws -- bash
root@test-eks-dynamic-storage:/# df -kh
Filesystem      Size  Used Avail Use% Mounted on
overlay         8.0G  4.3G  3.7G  54% /
tmpfs            64M     0   64M   0% /dev
tmpfs           2.0G     0  2.0G   0% /sys/fs/cgroup
/dev/xvda1      8.0G  4.3G  3.7G  54% /etc/hosts
shm              64M     0   64M   0% /dev/shm
/dev/xvdbq      2.9G  9.0M  2.9G   1% /usr/share/nginx/html
tmpfs           2.0G   12K  2.0G   1% /run/secrets/kubernetes.io/serviceaccount
tmpfs           2.0G     0  2.0G   0% /proc/acpi
tmpfs           2.0G     0  2.0G   0% /proc/scsi
tmpfs           2.0G     0  2.0G   0% /sys/firmware
root@test-eks-dynamic-storage:/#

Delete the storageclass that we created once done.

$ kubectl get storageclass
NAME                     PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
aws-standard (default)   kubernetes.io/aws-ebs   Delete          Immediate              false                  16m
gp2 (default)            kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   false                  39m
$ kubectl delete storageclass gp2
storageclass.storage.k8s.io "gp2" deleted
$ kubectl get storageclass
NAME                     PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
aws-standard (default)   kubernetes.io/aws-ebs   Delete          Immediate           false                  16m

Delete the pod as well once done

$ kubectl delete -f dynamic-storage-aws.yaml 
pod "test-eks-dynamic-storage" deleted

Conclusion

As we saw Kubernetes volume provides an easy solution to solve the problem of ephemeral nature of storage in the container and secondly allows sharing files between containers.