AWS Cloud Architecture & Engineering
CORE CLOUD BOUNDARIES & COMPUTING
Meet Your Instructor
Niran Maharjan
Senior DevOps & Cloud Engineer
- 6+ Years of Production Systems Operations: Built, migrated, and scaled systems across public cloud and hybrid environments.
- Core Competence Area: Network Systems, Telecommunication infrastructures, and advanced Systems Automation.
- Primary Engineering Stack: Amazon Web Services, GitOps, CI/CD automated release pipelines, & Terraform Infrastructure as Code.
"Cloud is not magic. It's software controlling physical machinery."
We are going to learn structural system design, not console shortcuts.
What is Cloud Computing?
The absolute abstraction of physical infrastructure hardware over the network.
Instead of acquiring, cooling, and maintaining physical server rooms on-premise, cloud technology lets companies access compute, storage, and networking pools exactly when needed.
- Zero Upfront Investment: Replace massive capital expenditures (CapEx) with agile, usage-based operational expenses (OpEx).
- Aggregated Utility Scaling: Massively optimized unit rates powered by AWS global economies of scale.
- Instant Variable Capacity: Stop guessing system loads. Run exactly what you need.
⚡ On-Demand Allocation
Deploy complex networks and systems instantly with API commands or configuration scripts.
🛡️ Natively Resilient
Failovers across distant geographic datacenters are built straight into the core infrastructure layer.
Types of Cloud Services (IaaS, PaaS, SaaS)
The management boundary shifts depending on the system delivery model:
Infrastructure as a Service
You get raw, fundamental infrastructure building blocks: virtual networks, compute instances, and raw storage volumes.
AWS Standard: Amazon EC2, Amazon VPC.
Platform as a Service
AWS handles operating system patching, runtime system updates, and hypervisor scaling. You only write and upload application code files.
AWS Standard: Elastic Beanstalk, AWS Lambda.
Software as a Service
Completely managed software execution stack. You operate strictly as an end-user configuring software settings.
AWS Standard: Amazon Rekognition, Amazon SES.
Public vs. Private vs. Hybrid Cloud
🏛️ Public Cloud Boundary
All underlying infrastructure assets are owned, cooled, and managed entirely by the third-party provider (AWS) and reached over standard networks.
🔒 Private Cloud Isolation
Infrastructure operations run entirely inside proprietary enterprise perimeters (local server racks). Expensive capital overhead.
⚡ Hybrid Cloud Bridging
Connects local private servers to high-capacity public cloud infrastructure over an encrypted VPN or dedicated physical fiber lines.
The Core Hybrid Use Case:
Secure legacy transactional databases remain on physical hard drives within local private offices, while fast web servers scale globally in seconds on AWS.
Benefits of Cloud Infrastructure
System Architecture Benefits of AWS:
- High Availability (HA): Deploy identical machines in multiple isolated datacenters to survive catastrophic structural disasters.
- Extreme Elasticity: Scaling rules automatically add compute capacity when user demand spikes and remove it when demand drops.
- Rapid Agility: Get your applications in front of global markets in minutes rather than spending months procuring server racks.
| Criteria | On-Premise Racks | AWS Cloud Engine |
|---|---|---|
| Provision Time | 4-12 Weeks | Seconds |
| Financial Model | High CapEx | Low OpEx |
| Physical Space | Limits Capacity | Infinite Utility |
Introducing Amazon Web Services
The Pioneer & Market Leader of Public Cloud.
Originally launched in 2006 with SQS, AWS has spent nearly two decades refining hyper-scale systems operation globally.
- Global Dominance: Leads the public cloud space with over 31% of the infrastructure market share.
- Breadth of Catalog: Offers more than 200 fully featured, independent, production-grade cloud systems.
- Gartner Position: Rated the clear global Leader in Cloud Platform Services for 13+ consecutive years.
$90B+
Annual Revenue Run Rate (2024+)
AWS Global Infrastructure & Regions
The 4 Cornerstones of Region Selection:
- Legal Compliance & Sovereignty: Local regulatory rules regarding where data is physically stored.
- User Proximity: Minimize packet transit delays (networking latency) for your customers.
- Service Availability: Not all cutting-edge AWS systems are live in every region immediately.
- Price Optimizations: Computational power rates vary globally due to local electricity and fiber overheads.
Your data NEVER leaves your selected region without explicit configuration permission.
AWS Availability Zones (AZs)
Regions are divided into independent, physical fault-domains:
- Structural Composition: Every Availability Zone is composed of one or more isolated physical datacenters.
- Disaster Isolation: Placed miles apart on distinct utility grids to survive fires, floods, and power outages.
- High-Speed Interconnect: Linked via private redundant dark-fiber networks with ultra-low latency.
Introduction to Amazon VPC
Your logically isolated, custom private network inside AWS.
The VPC is your structural perimeter inside public hardware resources. You have absolute control over address configurations.
- IP Address Selection: Define custom private IPv4/IPv6 CIDR blocks (e.g., 10.0.0.0/16).
- Routing Customization: Define custom route tables to dictate traffic flow directly.
- Subnet Division: Divide the network block into isolated public and private areas.
Why we build VPCs:
"Every database, EC2 server, and compute thread must live in a subnet. You can't provision servers until you have structurally designed and established your network private space."
Public vs. Private Subnets
🌐 Public Subnet (Interactive Routing)
Attached directly to an Internet Gateway (IGW) route. Instances launched here receive public IPs. Perfect for load balancers and edge proxies.
🔒 Private Subnet (Absolute Isolation)
Has no direct route to the internet. Uses an outbound-only NAT Gateway so instances can still download security patches. Perfect for database backends.
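The VPC layout described in the last two sections, carved out in code as an added example (not from the bootcamp repo). It splits the 10.0.0.0/16 block into /24 subnets, attaches a route table to each, and classifies a subnet as public only when its default route targets an Internet Gateway; the gateway IDs are placeholders, and the on-prem CIDR check is an assumption about a hybrid setup.

```python
import ipaddress

# Constructed example layout; the gateway IDs are placeholders, not real resources.
VPC_CIDR = "10.0.0.0/16"
IGW_ID = "igw-PLACEHOLDER"
NAT_ID = "nat-PLACEHOLDER"


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> list:
    """Split the VPC block into the first `count` subnets of length /new_prefix."""
    net = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in list(net.subnets(new_prefix=new_prefix))[:count]]


def classify(route_table: dict) -> str:
    """'public' only when the default route targets an Internet Gateway.
    A default route to a NAT Gateway is outbound-only, so the subnet stays 'private'."""
    target = route_table.get("0.0.0.0/0", "")
    return "public" if target.startswith("igw-") else "private"


def build_layout() -> dict:
    """Two public subnets (load balancers) and two private ones (databases)."""
    subnets = carve_subnets(VPC_CIDR, 24, 4)
    # Every VPC route table carries a 'local' route for the VPC CIDR.
    public_rt = {VPC_CIDR: "local", "0.0.0.0/0": IGW_ID}
    private_rt = {VPC_CIDR: "local", "0.0.0.0/0": NAT_ID}
    return {subnets[0]: public_rt, subnets[1]: public_rt,
            subnets[2]: private_rt, subnets[3]: private_rt}


def public_subnets(layout: dict) -> list:
    """List the subnets reachable from the internet; a database must never sit here."""
    return [cidr for cidr, rt in layout.items() if classify(rt) == "public"]


def overlaps_on_prem(vpc_cidr: str, on_prem_cidr: str) -> bool:
    """Hybrid links (VPN/fiber) need non-overlapping address space on both sides."""
    return ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(on_prem_cidr))
```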
Security Groups: Stateful Perimeters
The bouncers protecting our EC2 instances:
- Host-Level Firewalls: Control inbound and outbound traffic explicitly at the instance network interface level.
- Stateful Processing: If an inbound request is authorized and allowed in, the response is automatically allowed out.
- Absolute Deny-By-Default: No outside network can send packets to your machines unless a rule explicitly allows it.
★ SAMPLE INBOUND POLICY SHEET
| Port | Protocol | Source CIDR |
|---|---|---|
| 22 | TCP (SSH) | Your-IP/32 |
| 80 | TCP (HTTP) | 0.0.0.0/0 |
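A simplified model of the stateful, deny-by-default behaviour and of the sample policy sheet above, added here as an example rather than course code. Real security groups track full flow tuples; this version keys on (address, port, protocol) only, and 203.0.113.10 stands in for "Your-IP".

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    port: int
    protocol: str
    source_cidr: str


@dataclass
class SecurityGroup:
    """Simplified model: inbound is deny-by-default, and replies to an admitted
    connection are allowed out without needing an outbound rule."""
    inbound: list
    _conntrack: set = field(default_factory=set)

    def allow_inbound(self, src_ip: str, port: int, protocol: str) -> bool:
        for r in self.inbound:
            if (r.port == port and r.protocol == protocol
                    and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.source_cidr)):
                self._conntrack.add((src_ip, port, protocol))  # remember the admitted flow
                return True
        return False  # no matching rule: implicit deny

    def allow_outbound_reply(self, dst_ip: str, port: int, protocol: str) -> bool:
        # Stateful: only flows that were admitted inbound may send a reply back out.
        return (dst_ip, port, protocol) in self._conntrack


def world_open_admin_ports(sg: SecurityGroup, admin_ports=(22, 3389)) -> list:
    """Flag management ports (SSH, RDP) whose source is the entire internet."""
    return [r for r in sg.inbound
            if r.port in admin_ports and ipaddress.ip_network(r.source_cidr).prefixlen == 0]


def sample_sg() -> SecurityGroup:
    """Constructed sample mirroring the policy sheet; 203.0.113.10 is a documentation address."""
    return SecurityGroup(inbound=[Rule(22, "tcp", "203.0.113.10/32"),
                                  Rule(80, "tcp", "0.0.0.0/0")])
```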
AWS Identity & Access Management (IAM)
Decides who, and what, can call which AWS API endpoints.
- Global Access Plane: Changes, users, and credentials propagate globally across AWS in seconds automatically.
- Users & Groups: Create direct user profiles for your team members and put them into secure permission categories.
- IAM Roles: Essential for software applications and EC2 machines to call AWS APIs securely without hardcoded keys.
🛡️ Least Privilege Principle
Every user, machine, and code function starts with absolute zero permissions. You must explicitly assign only the absolute baseline permissions required to complete an operation. Never use or share root account credentials!
IAM Policy Document Anatomy
A typical AWS identity JSON document contains:
- Version: The policy language specification version (always use "2012-10-17").
- Effect: Explicitly state "Allow" or "Deny".
- Action: The matching AWS API action path to authorize.
- Resource: The exact ARN targeted by this statement rule.
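The four fields above assembled into a policy document and checked against the least-privilege rule, as an added example (not the bootcamp's own code). The bucket name is a placeholder; the linter covers Version, Effect, Action and Resource only and ignores NotAction or Condition.

```python
import json

REQUIRED_VERSION = "2012-10-17"


def make_statement(effect: str, actions: list, resources: list) -> dict:
    return {"Effect": effect, "Action": actions, "Resource": resources}


def lint_policy(policy: dict) -> list:
    """Return findings; an empty list means the document is well-formed
    and no Allow statement grants a wildcard action or resource."""
    findings = []
    if policy.get("Version") != REQUIRED_VERSION:
        findings.append(f"Version must be {REQUIRED_VERSION}")
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for i, st in enumerate(statements):
        effect = st.get("Effect")
        if effect not in ("Allow", "Deny"):
            findings.append(f"Statement {i}: Effect must be Allow or Deny")
        actions = st.get("Action", [])
        resources = st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if not actions or not resources:
            findings.append(f"Statement {i}: Action and Resource are required")
        if effect == "Allow":
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"Statement {i}: wildcard Action violates least privilege")
            if "*" in resources:
                findings.append(f"Statement {i}: Resource '*' violates least privilege")
    return findings


# Constructed example: read-only access to one bucket (placeholder name).
LEAST_PRIVILEGE_POLICY = {
    "Version": REQUIRED_VERSION,
    "Statement": [
        make_statement("Allow", ["s3:GetObject"], ["arn:aws:s3:::example-bucket/*"]),
        make_statement("Allow", ["s3:ListBucket"], ["arn:aws:s3:::example-bucket"]),
    ],
}

# The over-broad version that the linter rejects.
ADMIN_EVERYTHING_POLICY = {
    "Version": REQUIRED_VERSION,
    "Statement": [make_statement("Allow", ["*"], ["*"])],
}

if __name__ == "__main__":
    print(json.dumps(LEAST_PRIVILEGE_POLICY, indent=2))
    print(lint_policy(ADMIN_EVERYTHING_POLICY))
```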
Hands-On Lab
Let's construct our network boundary from scratch:
- https://github.com/techaxis-bootcamp/aws-bootcamp
Laptops Open!
Navigate to your AWS Management Console dashboard to initiate the session.