#AWS
23 posts
-
CloudFront CDN in Practice (4) — Image Resizing and Video Transcoding (Media Serving)
Resize images on demand and cache them in CloudFront (Lambda@Edge, S3 Object Lambda); transcode video with MediaConvert and deliver HLS/DASH via CloudFront. The difference in processing weight between the two transforms, plus caching and private-video protection
-
CloudFront CDN in Practice (3) — Private Content, Edge Logic, Security, Monitoring
Protect private content with Signed URLs/cookies, run edge logic with CloudFront Functions vs Lambda@Edge, harden security with a custom domain (ACM), S3 OAC, and WAF, and monitor with cache hit ratio, CloudWatch, and logs plus cost optimization — advanced CloudFront operations
-
CloudFront CDN in Practice (2) — Putting a Spring Boot + Kotlin Origin Behind CloudFront (Terraform)
Put a Spring Boot + Kotlin app as the origin and CloudFront in front. Set Cache-Control/ETag in Kotlin, split /api/* (no cache) and /static/* (cached) behaviors, build it in Terraform, verify hit/miss via X-Cache, and run an invalidation
-
CloudFront CDN in Practice (1) — How a CDN and CloudFront Work
From why a CDN matters to CloudFront's building blocks (Distribution, Origin, Behavior, edge caches), how caching works (cache key, Cache-Control, TTL, hit/miss), and invalidation vs versioning — the CDN fundamentals to know before putting a Spring Boot origin behind it
-
AWS VPC Edge Routing Guide Part 5: Four Standard Patterns — From Decision Tree to First Sketch
After Parts 0–4 unpack the decision trees, the blank canvas still feels paralyzing because trees give you candidates and forks but never the starting point, ordering, or interdependencies. This closing post pins down the four standard patterns that 90% of real workloads converge on (Serverless API / Container Web / Global Latency-sensitive / Hybrid Enterprise), maps each pattern's defaults onto Parts 0–4's decision trees, and recasts the trees as the tool you reach for when you need to deviate from the pattern — not as the starting point itself.
-
AWS VPC Edge Routing Guide Part 4: DNS Decisions and Route 53 — Hosted Zones, the Six Routing Policies, Alias vs CNAME, and Health Checks
The decision that always comes before the entry points in Parts 1, 2, and 3 — DNS. Route 53's Public vs Private Hosted Zones, the decisive difference between A / CNAME / Alias records, the six Routing Policies (Simple / Weighted / Latency / Geolocation / Geoproximity / Multi-value / Failover), the three kinds of Health Check, and the decision boundary among Route 53, Global Accelerator, and CloudFront. The DNS layer in the series; the synthesis closes in Part 5.
-
AWS VPC Edge Routing Guide Part 3: How Packets Actually Flow Inside a VPC — IGW, NAT Gateway, Route Tables, Security Group vs NACL
The four components (IGW, NAT GW, Route Table, SG vs NACL) that decide where packets go inside a VPC and where they get blocked. The real difference between Public and Private subnets, NAT Gateway mechanics, Route Table evaluation order, the decisive split between stateful and stateless firewalls, and the common anti-patterns. The final post in the AWS VPC Edge Routing Guide series.
-
AWS VPC Edge Routing Guide Part 2: Connecting a VPC to Other VPCs, AWS Services, and On-Prem — A Decision Tree for VPC Endpoint, PrivateLink, Peering, Transit Gateway, and Direct Connect
There are six ways to connect a VPC to another VPC, an AWS-managed service, or on-premises. Which decision problem each one solves, where they split on cost, scalability, and transitivity, and the common anti-patterns. A practical guide that ends in a single decision tree. Part 2 of the AWS VPC Edge Routing Guide series.
-
AWS VPC Edge Routing Guide Part 1: Picking the Right Entry Point — A Decision Tree for ALB, NLB, API Gateway, CloudFront, and Global Accelerator
There are five candidates for fronting a VPC on AWS. Which OSI layer each one operates at, the decision variables that separate them, and the common anti-patterns. A practical guide that ends in a single decision tree. Part 1 of the AWS network service blocks series.
-
AWS VPC Edge Routing Guide Part 0: Network and AWS Fundamentals — OSI, VPC, CIDR, ENI, Reverse Proxies, and the Core AWS Services You Need Before the Series
A primer that lands before the decision-tree posts. OSI 7-layer and L4/L7, VPC / Subnet / CIDR / AZ, ENI / EIP / Source NAT, HTTPS / TLS / mTLS / auth jargon, reverse proxies, and a one-page taxonomy of core AWS services — every concept the rest of the series leans on, gathered into one post.
-
Understanding AWS Credential Federation — How IAM, STS, and OIDC Actually Fit Together
A foundational guide for engineers who followed a GitHub Actions OIDC tutorial but still aren't sure what STS really is, why it has no console page, what 'federation' actually means, or why the trust policy's sub condition matters so much. Covers IAM/STS/OIDC mechanics in depth, plus SAML, IAM Identity Center, and EKS IRSA as variants of the same pattern.
-
AWS Private EC2 Operations Guide Part 5: Cost Analysis and Optimization — NAT, ALB, EC2, and Data Transfer
Pull the monthly bill of the environment Parts 1–4 produced apart, line by line, and find where to cut. Real numbers for NAT Gateway, ALB, EC2, and data transfer; the levers that matter (S3 Gateway Endpoint, Graviton, Savings Plans); and budget templates for side-project, startup, and enterprise tiers.
-
AWS Private EC2 Operations Guide Part 4: Deploying to Private EC2 from GitHub Actions — OIDC, SSM Run Command, CodeDeploy
Build a deployment pipeline that needs neither port 22 nor an AWS access key on the path. OIDC federation removes static credentials, S3 acts as the artifact hub, and either SSM Run Command (simple) or CodeDeploy (zero-downtime) lands the code on the instance.
-
AWS Private EC2 Operations Guide Part 3: Connecting Without Bastion via SSM Session Manager — IAM Role, VPC Endpoint, and Port Forwarding
How to land a shell on a Private EC2 without ever opening port 22. The mechanics of SSM Session Manager (the agent polls AWS), the three prerequisites (Agent / IAM / network path), the cost trade-off between NAT Gateway and VPC Endpoints, and the port-forwarding pattern that securely reaches RDS without a VPN.
-
AWS Private EC2 Operations Guide Part 2: Building VPC Infrastructure with Terraform — VPC/Subnet/Route Table/SG/ALB/EC2 in a Single main.tf
Turn the Part 1 architecture into real code. We build a 10.0.0.0/16 VPC, 2-AZ Public/Private subnets, IGW/NAT Gateway, the SG-references-SG pattern, and ALB + EC2 — all in one main.tf that comes up with a single terraform apply.
-
AWS Private EC2 Operations Guide Part 1: Why Private Subnet? — The ALB + NAT Gateway Standard Architecture and Sizing-Based Decision Criteria
We unpack the 'why' behind the standard pattern of placing EC2 in a Private Subnet wrapped by ALB and NAT Gateway. Public IPv4 vs Elastic IP, sizing recommendations, HA basics, and the concrete risks of putting PII-handling servers in a Public Subnet. Part 1 of a Bastion-less AWS EC2 operations series.
-
Terraform Fundamentals: A Complete Guide
A comprehensive guide covering IaC fundamentals, Terraform core concepts, workflow, count/for_each, dependencies and lifecycle, dynamic blocks, state management (import, moved, remote_state), and modules: everything in one post for developers getting started with infrastructure as code
-
Building a GitOps Pipeline with ArgoCD on EKS
A guide to installing ArgoCD on EKS and building a complete GitOps CI/CD pipeline with GitHub Actions
-
Production-Level EKS Cluster Setup Guide
A practical guide to building production-grade EKS clusters from eksctl to Terraform, including networking setup
-
AWS Database Selection Guide: EC2+Docker vs RDS vs Aurora
How to choose between running a DB directly on EC2 with Docker, RDS, Aurora, and Aurora Serverless v2 — a detailed comparison based on cost, performance, and operational burden
-
Complete Guide to AWS CLI Setup and Resource Queries
A comprehensive guide to AWS CLI authentication methods (CloudShell, IAM Identity Center, access keys) and resource query commands for major services
-
AWS Bastion Host Setup Guide
A complete guide to configuring SSH access to Private EC2 instances through a Bastion Host
-
AWS EC2 Guide
A complete guide from EC2 instance basics to production operations