ACP cloud computing engineer exam knowledge points



Table of contents

  1. ECS
  2. Security group
  3. Scaling group
  4. SLB
  5. VPC
  6. OSS
  7. RDS
  8. CDN
  9. DNS
  10. DTS
  11. Cloud security
  12. Cloud monitoring

1. ECS instance

  1. ECS components: an ECS instance is made up of CPU, memory, disk (ECS has no notion of a physical hard disk), network configuration, and an operating system.
  2. ECS usage restrictions: ① installing virtualization software or nested virtualization is not supported; ② sound card applications are not supported; ③ directly attaching external hardware devices is not supported.
  3. ECS states: divided into intermediate states and stable states. ① Intermediate states: starting, stopping, preparing; ② stable states: running, stopped, expired.
  4. ECS instances come in many families. The general-purpose family is the main one; the others are compute-optimized, memory-optimized, big data, local SSD, high clock speed, GPU compute, burstable, and shared. They differ in CPU, memory, network configuration, and image.
  5. General-purpose instances are suitable for: high packet-rate network scenarios such as video danmaku (live comments) and telecom service forwarding; enterprise applications of all types and sizes; websites and application servers; game servers; small and medium database systems, caches, and search clusters; data analysis and computing; compute clusters and memory-intensive data processing.
  6. Burstable instances: a family that uses CPU credits to guarantee compute performance, suited to workloads whose CPU usage is usually low but occasionally spikes. A burstable instance keeps accruing CPU credits after it is created; when its baseline performance cannot meet the load, it consumes more credits to raise compute performance seamlessly, without affecting the environment and applications deployed on it. Put bluntly, it is an instance billed according to CPU usage.
  7. Shared instances: shared instances use an unbound CPU scheduling mode. Each vCPU is randomly assigned to any idle CPU hyperthread, and the vCPUs of different instances compete for physical CPU resources, so compute performance fluctuates and is unstable under high load. There is an availability SLA but no performance SLA. Compared with enterprise-class instances, shared instances favour resource utilization by sharing resource performance, so they cannot guarantee stable compute performance, but they cost less. Put bluntly, this is not so much an instance as a pool of CPU resources allocated on demand.
  8. Shared instance uses: small and medium websites and web applications; development environments, build servers, code repositories, microservices, test and staging environments; lightweight databases and caches, lightweight enterprise applications, and comprehensive application services. They should not be used to run a database service.
  9. ECS launch template: a launch template persists ECS instance configuration and can be used to create instances quickly. It holds the configuration used to create an instance and can store any setting except passwords, including key pairs, RAM roles, instance types, and network settings.
  10. ECS deployment set: a deployment set is a strategy for controlling how ECS instances are distributed, letting you design for disaster tolerance and availability when creating instances. Deployment sets spread the ECS instances of a workload across different physical servers to give the workload high availability and underlying disaster recovery capability. When you create an ECS instance in a deployment set, the instances are started in a distributed manner within the specified region according to the deployment policy you set in advance.
  11. Limitations of ECS deployment sets:
    ① Deployment sets cannot be merged with each other.
    ② Preemptible instances cannot be created in a deployment set.
    ③ Dedicated hosts cannot be created in a deployment set.
    ④ When creating ECS instances in a deployment set, at most 7 ECS instances can be created in one availability zone.
  12. ECS system resource monitoring: what does the ECS system resource monitoring dashboard page show? CPU usage, disk I/O, and network bandwidth.
  13. Connecting to ECS, Linux instance: ① from a Windows local computer: Workbench, VNC, PuTTY and other client tools; ② from a Linux local computer: Workbench, VNC, or the ssh command.
  14. Connecting to ECS, Windows instance: ① from a Windows local computer: Workbench, VNC, Remote Desktop; ② from a Linux local computer: Workbench, VNC, rdesktop and other client tools.
  15. Connecting to ECS via API (required exam point): the ECS API supports HTTP or HTTPS and allows the GET and POST methods. When you call ECS over HTTP, results are returned mainly in two formats, XML and JSON; the default is XML (I have met at least two practice questions about the default return format).
  16. API general knowledge (minor exam point): the ECS API service endpoint is ecs.aliyuncs.com, not ecs.aliyun-api.com.
  17. Unique identifier: for every ECS API call, whether or not the request succeeds, the system returns a unique identifier, the RequestId return parameter.
  18. Remote connection exam question: the Remote Desktop tool built into Windows can only connect to Windows systems. If the ECS instance runs CentOS and your computer runs Windows, Remote Desktop cannot connect to it; you must use the Alibaba Cloud console, PuTTY, Xshell, SecureCRT or similar tools.
  19. Remote connection exam question: Alibaba Cloud offers several ways to log in to ECS, such as VNC and Workbench. VNC login is suited to: ① the instance boots slowly because of startup self-checks or similar, and you want to watch the self-check progress; ② the instance's operating system firewall was enabled by mistake; ③ the server has crashed or is consuming high CPU and bandwidth.
  20. Operating system, Linux instance setting conflict: after installing CentOS on ECS (and in Linux systems generally), do not enable the NetworkManager service; it conflicts with Alibaba Cloud's internal network services and causes network abnormalities.
  21. Operating system, SELinux: Security-Enhanced Linux (SELinux) is a Linux kernel module and a security subsystem of Linux. Its main function is to minimize the resources a service process can access (the principle of least privilege). Enabling SELinux has a large impact on the ECS monitoring function.
  22. Disk, replacing disks: when an instance replaces its system disk or expands a data disk, the instance must be stopped, which briefly interrupts your workload; after the system disk is expanded, the ECS IP address does not change.
  23. Disk, replacing the system disk: this reassigns a new system disk to the ECS instance. The system disk ID changes (so snapshots of the old system disk cannot be used on the new one) and the old system disk is released. The cloud disk type of the system disk, the instance IP address, and the elastic network interface MAC address stay the same. If you chose the wrong operating system when creating the instance, or need another operating system, you can change it by replacing the system disk.
  24. Disk, risks of replacing the system disk: ① you must redeploy the workload's runtime environment on the new system disk, which may interrupt the workload for a long time; ② historical system disk snapshots cannot be used to roll back the new system disk; ③ snapshots you created manually are not released, and custom images can still be created from them; if the old system disk had automatic snapshots set to be released with the disk, those automatic snapshots are deleted automatically; ④ if the system is Linux both before and after the replacement, a data disk is attached to the instance, and its partitions are mounted automatically at boot, then after the replacement the data disk partition mount information held in the old system disk is lost.
  25. Disk, detaching the system disk: Alibaba Cloud ECS supports detaching the system disk. When files are damaged and the instance cannot start, you can detach the system disk, attach it as a data disk to another ECS instance for repair, and after the repair attach it back as the system disk of the source instance.
  26. Obscure fact: you can detach the system disk of one ECS instance and use it as a data disk on another ECS instance in the same region.
  27. Disk, local disk: a local disk is a hard disk physically attached to the host machine on which the ECS instance runs. Local disks suit workloads with extremely high storage I/O performance requirements and a need for cost-effective mass storage.
  28. Disadvantages of local disks: ① a local disk belongs to a single physical machine, so data reliability depends on that machine and there is a single point of failure; put bluntly, data on a local disk can be lost when the physical host of the instance suffers a hardware failure, so do not keep business data that must be retained long-term on a local disk; ② local disks do not support attachment by the user, creation from snapshots, resizing, re-initialization, or snapshot rollback; ③ once a local disk is attached, apart from upgrading bandwidth the instance cannot change its configuration or replace its operating system, and the disk cannot be detached from the instance; the local disk is released only when the ECS instance is released.
  29. Disk, a pitfall of local disks: because a local disk (or local SSD) is a physical disk in an Alibaba Cloud data centre dedicated to the user, an ECS instance purchased with a local disk cannot be upgraded or downgraded in configuration; only bandwidth can be upgraded.
  30. Disk, attaching a data disk: a data disk bought together with the instance is attached automatically. A data disk bought separately must be attached to an instance before it can be formatted. A data disk attached to ECS must be formatted before it is mounted; it can be partitioned before mounting, so a data disk may have multiple partitions. Partitioning with third-party tools rather than the disk management tools that ship with Windows or Linux is likely to cause problems.
  31. Disk, detaching a data disk: a pay-as-you-go data disk can be detached from an ECS instance. Alibaba Cloud ECS does not support detaching local disks used as data disks.
  32. Disk, releasing a cloud disk: to manually release a pay-as-you-go data disk, or to turn "release with instance" on or off, the cloud disk must be in the unattached (pending attachment) state. If automatic snapshots are set to be released with the cloud disk, they are released with it; manual snapshots are not affected by releasing the disk.
  34. Storage Capacity Unit (SCU): an SCU package can be used to offset pay-as-you-go bills for multiple storage products such as cloud disks, OSS, NAS, and snapshots. SCUs are billed as a subscription and support all prepaid payment methods.
  35. Regions: ① the private networks of ECS, RDS, and OSS in different regions are not interconnected; ② ECS instances in different regions cannot be placed behind a cross-region load balancer; ③ resource prices may differ between regions.
  36. Migrating to the cloud: to move a local server to the cloud, you can deploy and configure an ECS instance on Alibaba Cloud, copy the server quickly by imaging, and deploy the local applications on the ECS instance (when a local server is imaged directly, incompatibilities between the local system and the Alibaba Cloud system can cause the local image to fail to run on ECS).
  37. SMC: Server Migration Center (SMC) is a migration platform developed by Alibaba Cloud. SMC can migrate one or many migration sources to Alibaba Cloud; sources include IDC servers, virtual machines, cloud hosts on other cloud platforms, and other types of servers.
  38. SMC advantages: ① supports multi-platform, multi-environment migration; ② does not depend on the source server's underlying environment; ③ supports migration without downtime; ④ simple, lightweight and flexible configuration; ⑤ migration is safe and stable, with a high success rate.
  39. SMC migration process: SMC consists of a client and a console. First, import the source server's information into the console through the client, which connects the source server to your Alibaba Cloud account. Then create and start a migration task for the source server in the console to migrate it to Alibaba Cloud.
  40. ECS for dynamic web pages: if a user's website contains dynamic content, ECS is needed for the dynamic deployment, and RDS is needed to store the dynamic data.
  41. ECS private IP: to change the private IP of an ECS instance, the instance must be stopped.
  42. ECS and EIP: an EIP is a kind of NAT IP that lives on Alibaba Cloud's public network gateway and is mapped by NAT to the private network interface of the bound ECS instance. A VPC-type ECS instance bound to an EIP can therefore use that IP directly for public network communication, but you will not see the address on the instance's network interface.
  43. Prerequisites for binding an EIP to ECS: ① the ECS instance is in a stable state such as running or stopped; ② the ECS instance and the EIP are in the same region; ③ no public IP is bound to the instance's primary network interface, and the instance is in a VPC (private network).
  44. ECS and security groups: each ECS instance can join up to 5 security groups; beyond 5, no more can be added. Adding an ECS instance to a security group is independent of the instance's status and bandwidth.
  45. Image, copying an image: suitable for deploying ECS instances across regions and backing up data across regions. After copying, you get an image with the same configuration but a different ID in the target region.
  46. Image, shared image: used to deploy ECS instances across accounts. After creating a custom image, you can share it with other Alibaba Cloud accounts; those accounts can use your shared custom image to quickly create ECS instances running the same image environment.
  47. Shared image restrictions: ① sharing an image across regions is not supported; to share across regions, copy the image to the target region first and then share it; ② you can only share your own custom images; images shared to you by other users cannot be shared again.
  48. Snapshots: when the automatic snapshot policy is enabled, the names of automatic snapshots begin with auto. Manually created snapshots must not begin with auto.
  49. Snapshot rollback requirements: ① a snapshot has been created for the cloud disk, and no snapshot of that disk is currently being created; ② after the system disk is replaced, historical system disk snapshots cannot be used to roll back the new system disk (a pitfall, and a flaw); ③ when the cloud disk is part of a dynamically extended volume or a RAID array, you must stop all I/O in advance before rolling the disk back with a snapshot; ④ the cloud disk must be attached to an ECS instance, and that instance must be stopped.
  50. Differences between snapshots and images: ① images can be used directly to create ECS instances, snapshots cannot; ② snapshots can only be used to recover the disk data of the current ECS instance, whereas an image can be used by the current instance and other instances to replace the system disk or create a new ECS instance; ③ a snapshot can be a backup of the system disk or a data disk of an instance, whereas an image must contain the data of the instance's system disk.
  51. Causes of passive snapshot deletion: when the system disk is replaced, manually created snapshots are not released and can still be used to create custom images; if the old system disk had automatic snapshots set to be released with the disk, those automatic snapshots are deleted automatically.
  52. Uncommon exam question: in Alibaba Cloud ECS, whether or not an API call succeeds, the system returns a unique identifier, the RequestId return parameter, to the user.
  53. Common question: the difference between ECS monitoring and Cloud Monitor. Question: which of the following can be used to monitor the operating data of your ECS instance so that you can analyze it and judge the status of your workload? (2 correct answers) ① Monitor CPU utilization and inbound/outbound network traffic on the instance details page of the ECS console; ② monitor the instance's running status and set alarm rules for custom monitoring through the Cloud Monitor console; ③ set monitoring alarms through the ECS console; ④ monitor ECS CPU utilization through Cloud Shield. Answer: first exclude ④, because Cloud Shield cannot monitor ECS asset status; the error-prone options are ① and ③. This is a very detailed question that requires fairly deep console experience. Currently, monitoring alarms can only be set in the Cloud Monitor console; the resource monitoring on the ECS page is view-only, and you cannot set alarm thresholds or rules there.
  54. Practice (exam point), ECS and web: premise: if the content a user's web application or website provides requires authorization to view, then an ECS product is needed to deploy the authorization application and provide the authorization service.
  55. Practice (exam point), ECS and web: customer Xiao Wang plans to build a static website and wants customers to access it quickly using Alibaba Cloud's multi-line BGP capability. Statement: Xiao Wang can achieve this using only Alibaba Cloud Object Storage OSS. The answer: false. Because it is a static website, it can be hosted directly on OSS, which serves it directly; a dynamic website would need the project deployed on ECS to provide the service.
  56. Practice (exam point), ECS and web: Alibaba Cloud Object Storage OSS provides rich file upload and download interfaces, and users can easily manage large storage spaces through the API. To build a large image-sharing site where many users upload and share pictures through the web, which Alibaba Cloud product should be used together with OSS? Answer: ECS. Because users share through the web, this scenario, like dynamic content and authorization, needs application support, so ECS is required to deploy the application.
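Points 15 and 17 above say that an ECS API call returns XML by default or JSON, and that every response, successful or not, carries a RequestId. The parser below is an added example (not code from the notes or from Alibaba Cloud) that accepts either format and always surfaces the RequestId, so a client can log it for every call; the response bodies and the error code are constructed placeholders.

```python
import json
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample responses for illustration only; the RequestId values and the
# error code are placeholders, not real API output.
SAMPLE_XML_OK = """<?xml version="1.0" encoding="UTF-8"?>
<DescribeInstancesResponse>
  <RequestId>REQUESTID-EXAMPLE-0001</RequestId>
  <TotalCount>1</TotalCount>
</DescribeInstancesResponse>"""

SAMPLE_JSON_ERROR = """{
  "RequestId": "REQUESTID-EXAMPLE-0002",
  "Code": "ExampleErrorCode",
  "Message": "constructed error message for illustration"
}"""


@dataclass
class ParsedResponse:
    format: str       # "xml" or "json"
    request_id: str   # present on every ECS response, success or failure
    ok: bool          # False when the body carries an error Code
    code: str         # error code, empty on success
    message: str      # error message, empty on success


def parse_ecs_response(body: str) -> ParsedResponse:
    """Detect XML vs JSON from the first non-blank character and extract the
    RequestId plus any error fields. Raises ValueError when the body has no
    RequestId, because a response without one should be treated as malformed."""
    text = body.lstrip()
    if text.startswith("<"):
        # xml.etree does not resolve external entities, but for bodies from an
        # untrusted network path the defusedxml package is the safer parser.
        root = ET.fromstring(text)
        fields = {child.tag: (child.text or "") for child in root}
        fmt = "xml"
    elif text.startswith("{"):
        fields = json.loads(text)
        fmt = "json"
    else:
        raise ValueError("unrecognised response body")

    request_id = fields.get("RequestId")
    if not request_id:
        raise ValueError("response without RequestId")
    code = fields.get("Code")
    return ParsedResponse(
        format=fmt,
        request_id=str(request_id),
        ok=code is None,
        code="" if code is None else str(code),
        message=str(fields.get("Message", "")),
    )


def has_request_id(body: str) -> bool:
    """Convenience check: True only when the body parses and carries a RequestId."""
    try:
        parse_ecs_response(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for body in (SAMPLE_XML_OK, SAMPLE_JSON_ERROR):
        print(parse_ecs_response(body))
```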

2. Security Group

  1. Creating security group rules: the required fields are authorization object, authorization policy, and port range.
  2. Security group: a security group is a virtual firewall with stateful inspection and packet filtering. By default, instances in the same basic security group can reach each other over all protocols and ports. To allow network isolation between instances within a basic security group, Alibaba Cloud extended the security group connectivity policies so that intra-group isolation can be configured.
    When setting intra-group network isolation, note the following:
    ① Isolation is set only within the specified basic security group and does not change the default connectivity policy; other existing and newly created basic security groups, as well as enterprise security groups, keep the default policy.
    ② Intra-group isolation is between network interfaces, not between ECS instances. If an instance has multiple elastic network interfaces bound, you must enable intra-group isolation on the security group of each interface.
    ③ Intra-group isolation has the lowest priority: after it is enabled, isolation between instances in the group is guaranteed only when the security group contains no custom rules.
    Instances in a security group can still reach each other in the following cases:
    when an instance belongs to several security groups at once and one or more of them has not enabled intra-group isolation;
    when intra-group isolation is enabled but an ACL also allows instances in the group to reach each other.
    This is a very obscure question.
  3. Security group rules: in the rule settings, the inbound and outbound pages have the same fields: authorization policy (allow or deny), weight, protocol type, port range, and authorization object. There is no such thing as an "internal network rule" or an "external network rule"; under a VPC, all security group rules are ultimately intranet rules. A very unanswerable question offers two options: A. add an intranet rule to this cloud server instance's security group denying inbound TCP access on port 3389; B. add an internet rule to this cloud server instance's security group denying inbound TCP access on port 3389. This is a trap: there are no internal or external network rules. Strictly speaking, whichever you choose is wrong, but the expected answer is A.
  4. ECS and security groups: each ECS instance can join up to 5 security groups; beyond 5, no more can be added. Adding an ECS instance to a security group is independent of the instance's status and bandwidth.
  5. SSH key pair: an Alibaba Cloud SSH key pair is a secure and convenient login authentication method consisting of a public key and a private key; it supports Linux instances only.
  6. Using an SSH key pair: the key pair is generated by an encryption algorithm; the default is RSA 2048-bit. To log in to a Linux instance with an SSH key pair, first create the key pair, then specify it when creating the instance or bind it to the instance afterwards, and finally connect to the instance with the private key. After the key pair is created: ① Alibaba Cloud keeps the public key part; on the Linux instance, the public key is placed in the ~/.ssh/authorized_keys file; ② you must download and keep the private key safe (once the key pair is bound to the ECS instance, you cannot log in to the instance without the private key). The private key is in unencrypted PEM (Privacy-Enhanced Mail) encoded PKCS#8 format.
  7. Priority vs weight: both are set as numbers, but for priority the smaller the number the higher the priority (1 is the highest), whereas for weight the larger the number the greater the weight. This is common sense, but very easy to confuse in the exam.
  8. Security group policy precedence: if two security group rules are otherwise identical and differ only in authorization policy, the deny rule takes effect and the allow rule does not. This differs from the SLB forwarding strategy: when multiple SLB scheduled tasks expire at the same time, the most recently created task is executed first.
  9. Error-prone question: a true/false question states that operational adjustments to a security group have no impact on the continuity of the user's services. Analysis: whose service is "the user's service"? A customer who buys Alibaba Cloud, or an end customer who uses the services of an enterprise built on Alibaba Cloud? Within a security group you can only allow or deny protocols and ports in the inbound and outbound directions, and changing the rules carelessly will certainly interrupt the instance's external connections. Yet the Alibaba Cloud documentation literally says that operational adjustments to a security group have no impact on user service continuity. The question seems to be written from the perspective of an Alibaba Cloud employee, for whom "users" are the enterprises that use Alibaba Cloud: from that angle, if a user changes a security group, requests to the ECS instance may fail, but the services running on the ECS instance keep operating. Isn't that an irresponsible thing to say?
  10. Question: when buying ECS you must configure a security group, which is a very important ECS feature. What is the main way security groups are used? A. as a whitelist; B. as a blacklist; C. blacklist restrictions on inbound and outbound rules; D. restrictions on inbound intranet traffic. The main settings in a security group allow or deny protocols and ports in the inbound and outbound directions. If you worked by denial there would be countless ports to configure, so security groups are mainly used to set the allowed ports and IPs; their main usage is as a whitelist.
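Points 7, 8 and 10 above describe how rules are resolved: a smaller priority number wins, a deny rule beats an otherwise identical allow rule, and the group is used as a whitelist. The evaluator below is an added example (not code from the notes or from Alibaba Cloud) that applies those semantics to a constructed rule set and then audits it for admin ports left open to the whole internet; the CIDRs and the no-match-means-deny default are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ADMIN_PORTS = {22, 3389}  # SSH and RDP: the first ports an audit looks at


@dataclass(frozen=True)
class Rule:
    policy: str                  # authorization policy: "allow" or "deny"
    priority: int                # 1 is the highest priority; larger numbers are lower
    protocol: str                # "tcp", "udp", "icmp" or "all"
    port_range: Tuple[int, int]  # inclusive; ignored for icmp and all
    source: str                  # authorization object, written as a CIDR


def rule_matches(rule: Rule, protocol: str, port: int, src_ip: str) -> bool:
    if rule.protocol not in ("all", protocol):
        return False
    if rule.protocol in ("tcp", "udp"):
        low, high = rule.port_range
        if not low <= port <= high:
            return False
    return ip_address(src_ip) in ip_network(rule.source, strict=False)


def evaluate_inbound(rules: List[Rule], protocol: str, port: int,
                     src_ip: str) -> Tuple[str, Optional[Rule]]:
    """Decide allow/deny for one inbound packet.

    Matching rules are ordered by priority number (smallest first); when two
    share a priority and differ only in policy, deny is placed first and wins.
    Traffic matching no rule is denied, the whitelist behaviour the notes
    describe (an assumption of this example).
    """
    matching = [r for r in rules if rule_matches(r, protocol, port, src_ip)]
    if not matching:
        return "deny", None
    matching.sort(key=lambda r: (r.priority, 0 if r.policy == "deny" else 1))
    return matching[0].policy, matching[0]


def audit_rules(rules: List[Rule]) -> List[str]:
    """Report admin ports that an internet source can actually reach, i.e. an
    allow rule from 0.0.0.0/0 that no equal-or-higher-priority deny overrides."""
    findings = []
    probe_ip = "198.51.100.1"  # constructed address standing in for "the internet"
    for rule in rules:
        if rule.policy != "allow" or rule.protocol not in ("tcp", "all"):
            continue
        if ip_network(rule.source, strict=False).prefixlen != 0:
            continue
        low, high = rule.port_range if rule.protocol == "tcp" else (1, 65535)
        for port in sorted(ADMIN_PORTS):
            if low <= port <= high:
                policy, _ = evaluate_inbound(rules, "tcp", port, probe_ip)
                if policy == "allow":
                    findings.append(
                        f"tcp/{port} open to {rule.source} (priority {rule.priority})")
    return findings


# Constructed rule set for the demonstration.
SAMPLE_RULES = [
    Rule("allow", 1, "tcp", (22, 22), "203.0.113.0/24"),    # SSH from one office range
    Rule("allow", 1, "tcp", (80, 80), "0.0.0.0/0"),          # public web
    Rule("allow", 1, "tcp", (3389, 3389), "0.0.0.0/0"),      # RDP opened to everyone ...
    Rule("deny", 1, "tcp", (3389, 3389), "0.0.0.0/0"),       # ... identical deny: deny wins
    Rule("allow", 1, "tcp", (8080, 8080), "0.0.0.0/0"),      # priority 1 allow ...
    Rule("deny", 10, "tcp", (8080, 8080), "0.0.0.0/0"),      # ... beats this priority 10 deny
]

if __name__ == "__main__":
    for proto, port, src in [("tcp", 3389, "198.51.100.7"), ("tcp", 8080, "198.51.100.7"),
                             ("tcp", 22, "203.0.113.5"), ("tcp", 22, "198.51.100.7")]:
        print(proto, port, src, "->", evaluate_inbound(SAMPLE_RULES, proto, port, src)[0])
    print("audit:", audit_rules(SAMPLE_RULES))
```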

3. Auto Scaling (elastic scaling)

  1. Creating a scaling group: when creating a scaling group, you set the scaling configuration, scaling activities, and scaling rules. A scaling trigger task is not required to create a scaling group.
  2. Deleting a scaling group: there are two modes, forced and non-forced deletion. Non-forced deletion requires: ① no scaling activity in progress in the group; ② the group's current instance count is 0.
  3. Scaling group: defines the minimum and maximum number of instances.
  4. Scaling rules: define how many instances are added or removed during scale-out and scale-in.
  5. Scaling modes: Cloud Monitor alarm tasks (generally, automatic scaling on CPU/memory usage thresholds when demand is uncertain), fixed-count mode (manually set a fixed number of instances in the group), scheduled tasks, and health mode (keep all instances in the group healthy). Hence the question: a video company uses SLB to distribute traffic across 20 instances; the Spring Festival is approaching and, from experience, traffic will double. Which scaling mode is most appropriate? The question states that the user can accurately predict future traffic, so raising the instance count to a fixed 40 satisfies the application; the dynamic Cloud Monitor alarm mode is not necessary, or at least not required.
  6. Manually created ECS instances: if a manually created ECS instance in the scaling group is not managed by the group, it is only removed from the group during scale-in and is neither stopped nor released; only when the instance is not in protected state and has been handed over to the group will a manually created instance be stopped or released during scale-in.
  7. How do you release an ECS instance that is running the application without affecting customers? In Auto Scaling scale-in, stopping or releasing an instance that is running the application will affect customer use. To handle a released instance properly, you must process the tasks running on the machine before it is released: store a script containing the processing logic in the image used to create the instances, and set it to run automatically when the instance's operating system shuts down.
  8. Auto Scaling - Instance Standby State: You can turn an ECS instance that is not in use temporarily into a standby state. The load balancing weight of the ECS instance in standby state will be reset to zero. Auto scaling does not check the health status of ECS instances in standby state, nor does it release ECS instances.
  9. Auto Scaling - Standby state function: ① The load balancing weight of the ECS instance is set to zero. ② The ECS instance stays in standby until you manually move it out of standby. ③ Auto Scaling no longer manages the life cycle of the ECS instance; you manage it. ④ When scaling activities occur in the scaling group, ECS instances in standby are not removed. ⑤ When the ECS instance is stopped or restarted, its health check status is not updated. ⑥ You must remove the ECS instance from the scaling group before releasing it. ⑦ If you delete the scaling group, the ECS instance automatically leaves standby and is released together with the scaling group. To put it simply, once an ECS instance is put into standby it is no longer given work, and apart from the user killing it directly, Auto Scaling has nothing more to do with it.
  10. Auto Scaling - Protection status: You can put ECS instances that you do not want removed from the scaling group into protection status. The load balancing weight of a protected ECS instance is not affected. Auto Scaling neither checks the health status of protected ECS instances nor releases them. To put it simply, an instance with protection turned on keeps working, but you can do whatever you want with it; Auto Scaling will not touch it.
  11. Auto Scaling - Effects of protection status: ① If the scaling group of the ECS instance is configured with load balancing, the load balancing weight of the ECS instance is not affected. ② The ECS instance stays in protection status until you move it out. ③ If a change in the number of ECS instances in the scaling group or a monitoring task triggers an automatic scaling activity, protected ECS instances are not removed; you must move the ECS instance out of the scaling group yourself before releasing it. ④ When the ECS instance is stopped or restarted, its health check status is not updated.
  12. Auto Scaling - Stopped state: If the instance recycling mode of the scaling group is the shutdown (stop) recycling mode, you can manually set the service status of an ECS instance to Stopped. When a scale-out activity occurs, Auto Scaling gives priority to starting the stopped ECS instances. To put it bluntly, a stopped instance is like a concubine who fell out of favour and was banished to the cold palace by the emperor; when the palace needs people again, she is the first to be called back.
  13. Prerequisites for using the Auto Scaling stopped state: ① The network type of the scaling group is VPC. ② The instance recycling mode of the scaling group is the shutdown recycling mode. ③ The instance was automatically created by the scaling group.
  14. Auto Scaling - Instances managed by the scaling group: If a manually added instance is managed by the scaling group and protection status is not turned on, the manual instance is stopped or released together with the automatic instances during a scale-in activity; if the manual instance is not managed by the scaling group, it is only removed from the scaling group during a scale-in activity. To put it bluntly, it is like saying "I have no time to look after you any more, so I will leave you with Old Wang next door": once Old Wang is in charge, whether you get killed or chopped into pieces is up to him.
  15. Scaling rules: A scaling rule defines a specific scale-out or scale-in operation, such as adding or removing N ECS instances.
  16. Scaling configuration: A scaling configuration defines the configuration of the ECS instances that Auto Scaling creates.
  17. Using scaling configuration features for automated deployment: To provide more elastic and flexible scaling, scaling configurations support tags, key pairs, instance RAM roles and instance user data.
  18. Scaling configuration image: the image the scaling configuration uses to create instances. Custom images, shared images and public images are supported; Alibaba Cloud Marketplace images are not supported.
  19. Scaling activity: After a scaling rule is triggered successfully, a scaling activity is generated. A scaling activity describes the change of ECS instances in a scaling group. Features: ① A scaling activity cannot be interrupted. For example, if a scaling activity that creates 20 ECS instances is in progress and the fifth instance is being created, you cannot forcibly terminate it. ② When an ECS instance fails to join the scaling group during a scaling activity, only the transaction at the ECS instance level is kept consistent, not the transaction at the scaling activity level; that is, only the failed ECS instance is rolled back, not the whole scaling activity. ③ Because Auto Scaling relies on Alibaba Cloud RAM (Resource Access Management) to create ECS instances through the ECS OpenAPI, a rolled-back ECS instance is still charged for the time before it is released.
  20. Scaling (trigger) task: a task that triggers scaling rules, such as a scheduled task or a CloudMonitor alarm task.
  21. Priority of multiple trigger tasks that start at the same time: If several scheduled tasks in a scaling group are due at the same time, the most recently created scheduled task starts first, and the remaining scheduled tasks retry after the cooldown time.
  22. Health check: The health check task periodically checks the health of the scaling group and its ECS instances. If an unhealthy ECS instance is found (for example, the ECS instance is not in the Running state), a request to remove that ECS instance is triggered.
  23. Cooldown time: The cooldown time is the lock period after a scaling activity in the same scaling group completes. Features: ① During the cooldown time the scaling group rejects only scaling requests from CloudMonitor alarm tasks; other trigger types (manually executing a scaling rule, scheduled tasks, and so on) bypass the cooldown and perform scaling activities immediately. ② The cooldown time of the whole scaling group starts after the last ECS instance of a scaling activity is successfully added to or removed from the scaling group.
  24. The cooldown time can be bypassed by disabling and re-enabling the scaling group: a scaling activity puts the group into cooldown; if the user disables the scaling group and then enables it again, the cooldown that was in progress expires, and a scaling activity can be performed immediately after re-enabling.
  25. Relationship between the scaling group and ECS: ① The scaling group and its ECS instances must be in the same region. ② During a scaling activity, ECS instances are created automatically and RDS and SLB are configured automatically (according to the scaling configuration and rules, after the specified number of ECS instances with the specified configuration are created, the private IPs of the new ECS instances are automatically added to the RDS whitelist and the new instances are automatically added to the SLB specified by the scaling group). ③ ECS instances in the scaling group must be in the Running state; if one is not running, it is automatically released and a new ECS instance is created. ④ ECS instances automatically created by a scaling group can only be pay-as-you-go or preemptible (spot) instances, and stopped ECS instances are not charged. ⑤ If the account is in arrears, all automatically created and stopped ECS instances in the scaling group are automatically released. ⑥ An ECS instance can be added to only one scaling group. ⑦ Protection mode can be turned on for manually added ECS instances so that scaling rules neither release nor stop them. In addition, if a manually added ECS instance is not managed by the scaling group, it is only removed from the scaling group and is neither released nor stopped.
  26. Auto Scaling limitations: ① Only the number of ECS instances can be increased or decreased; the configuration of a single ECS instance cannot be automatically upgraded or downgraded. ② Applications deployed on ECS instances in a scaling group must be stateless and horizontally scalable. ③ ECS instances in a scaling group may be released automatically, so they are not suitable for storing session records, application data, logs or similar information.
  27. Scaling group and SLB/RDS: ① The same scaling group can be bound to multiple SLB instances (up to 20; only SLB instances that have listeners configured, health checks enabled, and are in the same region as the scaling group can be used) and to RDS instances. ② ECS instances automatically created during a scaling activity are automatically added to the RDS whitelist and to the SLB backend server group.
  28. Basic operations of Auto Scaling: The prerequisites for creating a scaling group are: 1. the RAM roles related to the Auto Scaling service are set up; 2. a security group is created (the security group must be in the same region as the scaling group). After the scaling group is created, neither its region nor its network type can be changed, and the scaling configuration can only create ECS instances of the scaling group's network type (a classic-network scaling group creates only classic-network ECS instances).
  29. Scaling group status: inactive, active, deleting.
  30. Expected number of instances (expected number): After you set the expected number, the scaling group automatically keeps the number of ECS instances at that value without manual intervention. If it is left empty, the scaling group is initially created with only the minimum number of instances set on the scaling group. The expected number has the lowest priority, so manual operations, health checks, minimum-instance checks and so on change the expected number.
  31. Purpose of the expected number: ① When a scaling activity fails, the expected number drives a second adjustment, avoiding manual retries. ② While a scaling activity is executing, another scaling activity cannot normally be executed; with the expected number, a scaling activity can be executed concurrently with the running one.
  32. Scaling configuration test points (instance removal policies): ① Instance corresponding to the earliest scaling configuration: select the instances whose scaling configuration or launch template was added earliest. Manually added instances are not associated with any scaling configuration or launch template, so they are not selected first; if all associated instances have been removed and more must be removed, manually added instances are removed at random. (The "scaling configuration" here generally means the source of instance configuration information in the group, that is, the scaling configuration or the launch template.) ② Earliest created instance: select the instance with the earliest creation time. ③ Latest created instance: select the instance with the latest creation time.
  33. Instance recycling mode - shutdown recycling: ① During scale-in, automatically created ECS instances enter the Stopped state. When an ECS instance is in the stopped, no-charge state, its vCPU, memory and fixed public IP are reclaimed, so vCPU, memory and fixed public bandwidth are no longer charged, but resources such as cloud disks and elastic public IPs are retained and still charged. These stopped ECS instances form a stopped instance pool. ② During scale-out, ECS instances in the stopped instance pool are started first. When the stopped pool is not enough to meet demand, new ECS instances continue to be created automatically. However, there is no guarantee that stopped instances will start successfully; if an instance in the stopped, no-charge state cannot enter the Running state because of inventory or other reasons, the scaling group releases it and creates a new ECS instance to ensure that the scale-out result meets expectations.
  34. Lifecycle hook: To put it bluntly, after a scaling task starts and before the scaling activity completes, the ECS instance that is about to be put into the scaling group is "hung" in a waiting area for a period of time. During that time the user can do more complex setup, such as installing some software or preparing an environment. If the user does nothing, the ECS instance is put into the scaling group automatically when the time is up.
  35. Lifecycle hook notification methods: MNS topic, MNS queue, OOS template. (This is tested in the exam!!)
  36. OOS: Operation Orchestration Service (OOS) is Alibaba Cloud's automated operation and maintenance service, which manages and executes tasks automatically. You define the tasks, their order, and their inputs and outputs in a template, then execute the template to complete a set of O&M operations. An OOS template is a collection of O&M operations. Public templates let you complete common O&M operations in one click without worrying about the implementation; custom templates are also supported.
  37. Using OOS templates to respond to lifecycle hook notifications: The lifecycle hook notification directly triggers the O&M action, with no need to parse the notification content manually. Process: ① The ECS instance is held by the lifecycle hook and enters the pending state. ② Auto Scaling automatically sends the notification, which triggers execution of the O&M operations defined in the OOS template. ③ When the O&M operation succeeds, the pending state ends and the scaling activity continues: on scale-out the ECS instance is added to the scaling group, on scale-in it is removed from the scaling group.
  38. Exam question linking OOS to lifecycle hooks: (Multiple choice) A user built an ECS+SLB+RDS application architecture in the cloud and uses Auto Scaling to scale the ECS resources. Because of business needs, the user now needs to enable ApsaraDB for Redis as a cache for hot data to ensure high-speed access. However, scaling groups cannot be associated with Redis instances, so the user has to manually add ECS instances to, and remove them from, the Redis instance's access whitelist, which is time-consuming, labour-intensive and inefficient. If you were an Alibaba Cloud product manager, you would recommend that the user use ___ to automatically add ECS instances to and remove them from the Redis whitelist. (Number of correct answers: 2) A. Auto Scaling lifecycle hook B. OOS template C. MNS D. Launch template Answer: AB
  39. Elastic self-healing: Auto Scaling provides a health check function that automatically monitors the health of ECS instances in the scaling group, so that the number of healthy ECS instances does not fall below the minimum you set. When an ECS instance is detected to be unhealthy, Auto Scaling automatically releases it and creates a new ECS instance, and automatically adds the new instance to the backend server group of the load balancer and to the access whitelist of the RDS instance.
  40. Elastic self-healing and error-prone questions: Question options often test what elastic self-healing is, and the descriptions of self-healing sound amazing. For example: ① If the status of an ECS instance in the scaling group is not Running, Alibaba Cloud Auto Scaling first restarts the ECS instance automatically; if the restart succeeds the instance stays in the scaling group, and if it fails the instance is restored to its initial state with the specified image and stays in the scaling group. ② If the status of an ECS instance in the scaling group is not Running, Auto Scaling first restarts it automatically; if the restart succeeds the instance stays in the scaling group, and if it fails the instance is removed from the scaling group and a new ECS instance is created and added to the scaling group. ③ If the status of an ECS instance in the scaling group is not Running, Auto Scaling starts a fault check and repair process and repairs the ECS instance automatically. All three are wrong. They are a fine vision for Alibaba Cloud, but Alibaba has not achieved it yet, so we have no choice but to judge all three as wrong explanations of elastic self-healing: Auto Scaling simply releases the unhealthy instance and creates a new one.
  41. Auto Scaling alarm trigger conditions: ① ECS metrics: CPU utilization, inbound and outbound traffic of the internal and public networks, system disk read/write BPS/IOPS. ② CloudMonitor metrics: CPU utilization, CPU idle rate, memory usage %, average system load, TCP connections, number of packets sent by the internal/public network card. CloudMonitor offers the most trigger conditions; the average system load in particular feels very advanced.
  42. Exam question: When using Alibaba Cloud Auto Scaling, if an RDS instance is specified in the scaling group, the scaling group automatically adds the private IP of each ECS instance added to the group to the access whitelist of that RDS instance. Which of the following statements is wrong? A. If the ECS instance cannot be added to the RDS access whitelist, the ECS instance is rolled back and released. B. The specified RDS instance must be in the Running state. C. The number of IP addresses in the access whitelist of the specified RDS instance must not have reached the upper limit. D. After the scaling group is created successfully, it does not take effect immediately; only after the scaling group is enabled can it accept triggers from scaling rules and perform scaling activities.
    Answer: A. Analysis: ① First a knowledge point: the RDS whitelist has an upper limit on the number of entries. ② This is a trap question. Option A looks fine at first glance, but ECS instances in a scaling group are divided into manually added and automatically created ones: automatically created instances are released by Auto Scaling, while manually added ones are only removed from the group.
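The lifecycle-hook whitelist automation from item 38 and the "rolled back and released" rule from item 42, as an added example that is not part of the original notes or of Alibaba Cloud's code: a small Python model of a hook handler that, on scale-out, adds the instance's private IP to a database access whitelist before completing the hook, and on scale-in revokes the IP before the instance disappears. The JSON notification fields (instance_id, private_ip, transition, auto_created), the in-memory Whitelist class and its WHITELIST_LIMIT are constructed assumptions; the CONTINUE/ABANDON result names follow the lifecycle-hook convention, but nothing here calls a real API.

```python
"""Added example: lifecycle hook handler that keeps a DB whitelist in sync."""
import json
from dataclasses import dataclass, field

WHITELIST_LIMIT = 5   # assumed cap for the demo; real RDS whitelists have an upper limit too


class WhitelistFull(Exception):
    pass


@dataclass
class Whitelist:
    """In-memory stand-in for an RDS/Redis IP access whitelist (constructed)."""
    entries: set = field(default_factory=set)

    def add(self, ip):
        if ip in self.entries:
            return
        if len(self.entries) >= WHITELIST_LIMIT:
            raise WhitelistFull(ip)
        self.entries.add(ip)

    def remove(self, ip):
        self.entries.discard(ip)


def hook_message(instance_id, private_ip, transition, auto_created):
    """Build a notification in the constructed JSON shape this demo assumes."""
    return json.dumps({"instance_id": instance_id, "private_ip": private_ip,
                       "transition": transition, "auto_created": auto_created})


@dataclass
class ScalingGroup:
    whitelist: Whitelist
    members: dict = field(default_factory=dict)   # instance_id -> private_ip
    released: list = field(default_factory=list)  # instance ids Auto Scaling released
    log: list = field(default_factory=list)

    def handle_hook(self, message):
        """Process one lifecycle hook notification and return the hook result:
        CONTINUE lets the scaling activity proceed, ABANDON aborts it for this instance."""
        m = json.loads(message)
        iid, ip, transition, auto = m["instance_id"], m["private_ip"], m["transition"], m["auto_created"]
        if transition == "SCALE_OUT":
            try:
                self.whitelist.add(ip)        # grant DB access before the instance serves traffic
            except WhitelistFull:
                # Item 42 option A: an auto-created instance that cannot be whitelisted
                # is rolled back and released; a manually added one is only removed.
                if auto:
                    self.released.append(iid)
                self.log.append((iid, transition, "ABANDON: whitelist full"))
                return "ABANDON"
            self.members[iid] = ip
        elif transition == "SCALE_IN":
            # Revoke access *before* the instance goes away, so the private IP
            # cannot be reused by a new instance that still enjoys DB access.
            self.whitelist.remove(ip)
            self.members.pop(iid, None)
            if auto:
                self.released.append(iid)
        else:
            self.log.append((iid, transition, "ABANDON: unknown transition"))
            return "ABANDON"
        self.log.append((iid, transition, "CONTINUE"))
        return "CONTINUE"


def run_demo():
    """Two instances scale out, then one scales in (constructed notifications)."""
    group = ScalingGroup(Whitelist())
    notifications = [
        hook_message("i-a1", "192.168.0.11", "SCALE_OUT", True),
        hook_message("i-a2", "192.168.0.12", "SCALE_OUT", True),
        hook_message("i-a1", "192.168.0.11", "SCALE_IN", True),
    ]
    results = [group.handle_hook(n) for n in notifications]
    return group, results


if __name__ == "__main__":
    group, results = run_demo()
    print(results, sorted(group.whitelist.entries), group.released)
```

The security point is the SCALE_IN branch: revoking the IP before the instance is released means a recycled private IP can never be handed to a new, unrelated instance that still has database access, and the limit check turns "whitelist full" into an explicit ABANDON instead of a silently unreachable database.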
  43. Exam question: Which of the following image types are supported in the scaling configuration of Alibaba Cloud Auto Scaling? (Number of correct answers: 3) A. Custom image B. Public image C. Shared image D. Cloud Marketplace image
    Answer: ABC (D is the one that is not supported). Analysis: In order to verify this question, I operated the cloud console. After creating the scaling group, there was indeed no Cloud Marketplace image in the scaling configuration! This question can only be said to be too obscure.

4. SLB load balancing

  1. SLB: An Alibaba Cloud network product, divided into public network and private network SLB. Server Load Balancer (SLB) distributes traffic on demand: by distributing traffic to different backend servers it expands the service capacity of the application system, eliminates single points of failure and improves application availability. SLB is often said to carry elastic scaling in its connotation.
  2. Composition of SLB: load balancing instance, listeners and backend servers. SLB is used only with ECS; it has nothing to do with RDS, CDN or OSS.
  3. SLB charges, three items: ① Instance fee: creating a load balancer creates an instance, and as long as the instance is not released it is charged every hour, even if the SLB is not used. ② Traffic fee: the load balancer forwards traffic to the backend servers, so whether the SLB is public or private network, traffic fees are charged as soon as business traffic is forwarded to the backend ECS instances. ③ Bandwidth fee: a public network SLB receives requests over the Internet, so all public network access consumes the carrier's bandwidth and is charged for it.
  4. SLB charging test question (very interesting): Alibaba Cloud's Server Load Balancer (SLB) provides traffic distribution for multiple ECS instances and has the advantages of high availability, low cost, security and reliability. Regarding low cost, which of the following statements are correct? (2 correct answers) A. Both public and private network instances support billing by traffic and by bandwidth. B. There is no need to buy expensive load balancing equipment up front. C. Operation and maintenance investment is greatly reduced. D. Only traffic fees are charged, that is, you pay for the traffic actually used and do not pay rent for the load balancer. Answer: At first glance option C does not seem to fit and option D looks more like the right one. However, "no need to pay rent for the load balancer" in option D is the catch: if you think about it carefully, the SLB instance itself is billed by the hour whether it is used or not. Therefore D is the wrong option, but option D fooled me several times.
  5. SLB specification types: ① Classic Load Balancer CLB (the original SLB): supports TCP, UDP, HTTP and HTTPS, with strong layer 4 processing capability and basic layer 7 capability. ② Application Load Balancer ALB: specialised for layer 7, with much higher business processing performance, for example HTTPS offloading; the QPS (queries per second) of a single instance can reach 1 million. ALB also provides advanced content-based routing, such as forwarding, redirection and rewriting based on HTTP headers, cookies and query strings. It is the official cloud-native Ingress gateway of Alibaba Cloud.
  6. Load balancing instance types: shared instances and guaranteed-performance instances. The three key indicators of a guaranteed-performance instance are: ① maximum connections ② new connections per second (CPS) ③ queries per second (QPS).
  7. SLB network types: SLB distributes traffic to multiple cloud servers and provides two kinds of instances, public network and private network. Unlike ECS, which is assigned both a private IP and a public IP, a public network SLB is assigned only a public IP: it is accessed from the Internet and has no private IP.
  8. SLB private network types: A private network SLB is accessed only from inside the private network, and that private network can be either a VPC or the classic network. So classic network load balancing does exist.
  9. SLB and EIP: An EIP is a public IP that can be bought independently without being bound to any product. A private network load balancer can be bound to only one EIP.
  10. Relationship between SLB and ECS: ① The SLB product is deployed on a dedicated instance, called a load balancing instance. ② Whether public or private network, the SLB and the backend ECS instances communicate over the intranet. ③ Load balancing does not support cross-region deployment; make sure the ECS instances and the load balancing instance are in the same region. ④ Load balancing itself does not restrict which operating system the backend ECS instances run, as long as the application deployed on the ECS instances is the same and data consistency is ensured. ⑤ You can add or remove backend ECS instances of a load balancing instance at any time, and you can also switch traffic distribution between different ECS instances.
  11. Question on the relationship between SLB and ECS: An online education website uses an SLB+ECS combination in the cloud. The website wants to save visitor/user access information (source IP, visited page URL, dwell time) as a basis for marketing analysis. Where should the data be saved? Answer: There is an error-prone option, "Each ECS in the scaling group saves the user access information it processed itself; the data on these ECS instances can be accessed and analysed at any time, and this method is the most efficient, stable and economical." At first glance nothing is wrong with it, but recall the scaling group knowledge: "Since instances in a scaling group may be released according to scaling rules and scaling activities, instances in a scaling group should not save important data or data that needs to be kept for a long time." So the biggest drawback of this option is that it is unstable, and it is not the answer.
  12. Backend servers and EIP: ① If the backend ECS instances only handle requests from the load balancer, you do not need to buy public network bandwidth (ECS public IP, elastic public IP, NAT gateway, and so on). ② If the backend ECS instances need to provide services to the outside directly, or need to access the Internet, you need to configure or buy the corresponding ECS public IP, elastic public IP, NAT gateway or similar service.
  13. Backend ECS accessing the SLB through a public IP: This is tied to SLB's forwarding principle. A backend ECS instance is already bound to the specified SLB over the intranet as a real server, so even if that ECS instance buys an EIP, it can no longer act as a logically independent client of the SLB it sits behind.
  14. Disaster recovery deployment of SLB backend ECS: split the backend ECS instances into primary and standby. The primary ECS instances are deployed for low latency, that is, in the same zone as the SLB instance; the standby ECS instances are deployed for high availability, in a different zone from the SLB. Best of all, put each standby ECS instance in a different zone.
  15. Performance difference between SLB (CLB) and ALB: ① The QPS of a single CLB instance is 50,000, while a single ALB instance reaches 1 million. ② CLB is oriented to layer 4 forwarding and its layer 7 forwarding capability is limited; ALB is oriented to HTTP/HTTPS/QUIC, so it can be said to serve only layer 7 traffic. ③ ALB is a cloud-native product.
  16. Load balancing applicable objects: The backend servers of SLB can only be Alibaba Cloud ECS instances. It cannot balance load to on-premises IDC servers or to ECS-like instances of other cloud vendors.
  17. SLB billing modes: SLB provides pay-by-bandwidth and pay-by-traffic instances. 1. For a pay-by-traffic instance, the peak bandwidth is only a reference value and an upper bound; it is not a service commitment. 2. For a pay-by-bandwidth instance, the peak bandwidth is a service commitment; the inbound (into the cloud) peak bandwidth equals the outbound (out of the cloud) peak bandwidth, and users pay only for the outbound bandwidth. 3. When resource contention occurs, the peak bandwidth of pay-by-bandwidth instances is guaranteed, while that of pay-by-traffic instances may be limited.
  18. SLB architecture: Layer 4 load balancing is implemented with LVS (Linux Virtual Server) + keepalived; layer 7 load balancing is implemented with Tengine (a web server project initiated by Taobao, based on Nginx and optimised for high-traffic websites).
  19. The three-layer structure of an LVS cluster: load scheduler, server resource pool, and shared storage.
  20. Exam question on the architecture: Judge the statement: the load balancing cluster is implemented with LVS and Tengine. A layer 4 listener (TCP/UDP) reaches the backend server directly after passing through LVS, while a layer 7 listener (HTTP/HTTPS) passes through LVS and then Tengine before reaching the backend server, so layer 7 performance is not as good as layer 4. Answer: Correct. Since layer 7 traffic must pass through the layer 4 LVS and then be forwarded again by the layer 7 Tengine, layer 7 has one more hop than layer 4, and layer 4 load balancing performs better than layer 7.
  21. SLB scheduling algorithms: Besides session persistence (layer 4 based on the source IP, layer 7 based on a cookie), SLB supports weighted least connections, weighted round robin and round robin, and also the consistent hash (CH) scheduling algorithm. Attention! Big one! Layer 7 listeners do not support consistent hashing! This is flagged with an exclamation mark in the Alibaba documentation!
  22. Weight test question: If, in the weight settings of the four backend servers of an SLB, the weight of one ECS instance is set to 100, what effect does this have on load forwarding? Analyse in three aspects: ① The weights do not have to add up to 100; you can set every ECS instance to 100, and the final share is computed from the proportions. ② The question does not say the other three ECS instances are set to 0, so when requests arrive SLB still distributes them to each server according to its weight. ③ If there are four servers and only one weight is set while the others are empty, there is nothing to compare against; this is equivalent to no weights being set, so SLB cannot compute what proportion of requests each server should get, and the question cannot be answered.
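As an added example, not code from the original notes or from Alibaba Cloud, the two scheduling behaviours items 21 and 22 describe for a layer 4 listener, in Python: smooth weighted round robin (the Nginx/Tengine variant), which shows that weights are relative shares rather than percentages and that weight 0 receives nothing, and a source-IP consistent hash ring, which shows why the same client keeps landing on the same backend and why removing one backend only moves that backend's clients. The backend names, weights, client IPs, SHA-1 hashing and the number of virtual nodes are all assumptions for the demonstration.

```python
"""Added example: weighted round robin and source-IP consistent hashing."""
import bisect
import hashlib


def weighted_round_robin(backends, n_requests):
    """Smooth weighted round robin: backends is {name: weight}; weights are
    relative shares (they need not add up to 100) and weight 0 gets no traffic."""
    total = sum(backends.values())
    if total <= 0:
        raise ValueError("at least one backend needs a positive weight")
    current = dict.fromkeys(backends, 0)
    order = []
    for _ in range(n_requests):
        for name, weight in backends.items():
            current[name] += weight
        chosen = max(current, key=current.get)   # zero-weight backends never win
        current[chosen] -= total
        order.append(chosen)
    return order


def distribution(backends, n_requests):
    """How many of n_requests each backend receives under weighted round robin."""
    counts = dict.fromkeys(backends, 0)
    for name in weighted_round_robin(backends, n_requests):
        counts[name] += 1
    return counts


class ConsistentHashRing:
    """Hash ring with virtual nodes, as a layer 4 listener might use for a
    source-IP consistent hash: a client IP always maps to the same backend."""

    def __init__(self, backends, replicas=100):
        self.replicas = replicas
        self._positions = []   # sorted ring positions
        self._owner = {}       # position -> backend name
        for b in backends:
            self.add(b)

    @staticmethod
    def _hash(key):
        return int(hashlib.sha1(key.encode()).hexdigest(), 16)

    def add(self, backend):
        for i in range(self.replicas):
            pos = self._hash(f"{backend}#{i}")
            self._owner[pos] = backend
            bisect.insort(self._positions, pos)

    def remove(self, backend):
        self._positions = [p for p in self._positions if self._owner[p] != backend]
        self._owner = {p: b for p, b in self._owner.items() if b != backend}

    def pick(self, client_ip):
        if not self._positions:
            raise ValueError("no backends on the ring")
        idx = bisect.bisect(self._positions, self._hash(client_ip)) % len(self._positions)
        return self._owner[self._positions[idx]]


def remap_after_removal(clients, backends, removed):
    """Returns (clients whose backend changed, clients that were on the removed
    backend). With consistent hashing the two numbers are equal: nobody else moves."""
    ring = ConsistentHashRing(backends)
    before = {c: ring.pick(c) for c in clients}
    ring.remove(removed)
    after = {c: ring.pick(c) for c in clients}
    moved = sum(1 for c in clients if before[c] != after[c])
    orphaned = sum(1 for c in clients if before[c] == removed)
    return moved, orphaned


def sample_clients(n):
    """Constructed client IPs for the demonstration."""
    return [f"198.51.{i // 256}.{i % 256}" for i in range(n)]


if __name__ == "__main__":
    print(distribution({"ecs-a": 100, "ecs-b": 50, "ecs-c": 50, "ecs-d": 0}, 200))
    print(remap_after_removal(sample_clients(1000), ["ecs-a", "ecs-b", "ecs-c", "ecs-d"], "ecs-b"))
```

With weights 100/50/50/0 over 200 requests the split is exactly 100/50/50/0, which is the point of item 22 ①: a weight of 100 does not mean "all of the traffic", it means "twice as much as a weight of 50". The ring demo is why consistent hashing matters for layer 4 session persistence: pulling one backend out of rotation only re-homes the clients that were on it.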
  23. Listeners: A listener checks connection requests and distributes the request traffic to backend servers according to the forwarding policy defined by the scheduling algorithm. SLB provides layer 4 (TCP/UDP) and layer 7 (HTTP/HTTPS) listeners; choose the listener protocol according to the application scenario.
  24. Scenarios for TCP listeners: file transfer, sending or receiving e-mail, remote login.
  25. Scenarios for UDP listeners: scenarios that emphasise real-time performance over reliability, such as video chat and real-time financial market pushes.
  26. Scenarios for HTTP listeners: applications that need to recognise the data content, such as web applications and small mobile games.
  27. Scenarios for HTTPS listeners: applications that require encrypted transmission.
  28. Forwarding policies: SLB supports forwarding policies based on domain name or URL path, so that requests for different domain names or URL paths are forwarded to different backend server groups, making reasonable use of server resources. Only layer 7 listeners (HTTP/HTTPS) support forwarding policies.
  29. Listener and forwarding test question: An e-commerce website uses Alibaba Cloud SLB instances combined with backend ECS instances. When a user sends a product query request, the product description and product pictures are returned. If you want the image requests to be forwarded to dedicated image servers and the text requests to dedicated text servers, which SLB service is suitable for this scenario? A. Layer 7 service B. Layer 4 service (TCP) C. Layer 4 service (UDP) D. Network access protocol exchange Answer: A. Analysis: the user sends the product query request to the website over HTTP, so of course it is forwarded by HTTP/HTTPS, and only a layer 7 listener can route by URL path.
  30. Troubleshooting abnormal layer 4 (TCP/UDP) health checks on SLB: 1. wrong health check parameters 2. listener port problems 3. security software on the backend blocking the probes 4. backend server load too high
  31. Log function: The SLB access log collects detailed information on every request sent to the load balancer, including request time, client IP address, latency, request path and server response. As the public network entry point, the load balancer carries a large number of requests; through the access logs you can analyse client behaviour, understand the geographical distribution of clients and troubleshoot problems. So for the question "While using load balancing, access is found to be very slow for a certain period of time. How do you quickly locate the abnormal backend server?" the answer, in the words of the help document, is: when client access is delayed for a certain period, combine Alibaba Cloud Log Service and run the dashboard inspection to analyse the load balancer's response times and quickly locate the abnormal backend server.
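The "quickly locate the abnormal backend server" question from item 31, worked as an added example that is not part of the original notes or of Alibaba Cloud's Log Service: a Python script that parses access log lines, restricts them to the slow time window, aggregates response time and 5xx rate per upstream address, and names the suspects. The log lines are constructed, and the field names (time, client_ip, request_uri, status, upstream_addr, upstream_response_time) are borrowed from the Tengine/Nginx log variables as an assumption about the real log format.

```python
"""Added example: locate the slow backend behind an SLB from access logs."""
import json
import statistics
from collections import defaultdict

# Constructed sample: three backends; 10.0.0.12 is the unhealthy one.
# One deliberately malformed line shows that the parser must not crash on it.
SAMPLE_LOG = """\
{"time":"2024-05-01T10:00:01Z","client_ip":"198.51.100.7","request_uri":"/item/1","status":200,"upstream_addr":"10.0.0.11:80","upstream_response_time":0.012}
{"time":"2024-05-01T10:00:02Z","client_ip":"198.51.100.8","request_uri":"/item/2","status":200,"upstream_addr":"10.0.0.12:80","upstream_response_time":2.4}
{"time":"2024-05-01T10:00:03Z","client_ip":"198.51.100.9","request_uri":"/item/3","status":200,"upstream_addr":"10.0.0.13:80","upstream_response_time":0.02}
{"time":"2024-05-01T10:00:04Z","client_ip":"198.51.100.7","request_uri":"/img/1.png","status":200,"upstream_addr":"10.0.0.11:80","upstream_response_time":0.015}
{"time":"2024-05-01T10:00:05Z","client_ip":"198.51.100.8","request_uri":"/item/4","status":502,"upstream_addr":"10.0.0.12:80","upstream_response_time":"-"}
this line was truncated by the collector and is not valid JSON
{"time":"2024-05-01T10:00:06Z","client_ip":"198.51.100.9","request_uri":"/item/5","status":200,"upstream_addr":"10.0.0.13:80","upstream_response_time":0.018}
{"time":"2024-05-01T10:00:07Z","client_ip":"198.51.100.7","request_uri":"/item/6","status":200,"upstream_addr":"10.0.0.11:80","upstream_response_time":0.011}
{"time":"2024-05-01T10:00:08Z","client_ip":"198.51.100.8","request_uri":"/item/7","status":200,"upstream_addr":"10.0.0.12:80","upstream_response_time":3.1}
"""


def parse_log(text):
    """Parse newline-delimited JSON log lines; skip lines that are not valid JSON."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or foreign line must not abort the whole analysis
        rt = rec.get("upstream_response_time")
        # Tengine logs "-" when no upstream answered (e.g. a 502); keep that as None
        rec["upstream_response_time"] = None if rt in (None, "-") else float(rt)
        rec["status"] = int(rec.get("status", 0))
        records.append(rec)
    return records


def in_window(records, start, end):
    """Keep records whose ISO-8601 UTC timestamp lies in [start, end]
    (string order equals time order because every timestamp has the same layout)."""
    return [r for r in records if start <= r["time"] <= end]


def backend_stats(records):
    """Per upstream address: request count, average/max response time, 5xx rate."""
    requests, errors, latencies = defaultdict(int), defaultdict(int), defaultdict(list)
    for r in records:
        b = r.get("upstream_addr") or "-"
        requests[b] += 1
        if r["upstream_response_time"] is not None:
            latencies[b].append(r["upstream_response_time"])
        if r["status"] >= 500:
            errors[b] += 1
    return {
        b: {
            "requests": requests[b],
            "avg_rt": round(statistics.mean(latencies[b]), 3) if latencies[b] else None,
            "max_rt": max(latencies[b]) if latencies[b] else None,
            "error_rate": round(errors[b] / requests[b], 2),
        }
        for b in requests
    }


def suspects(stats, rt_threshold=1.0, error_threshold=0.2):
    """Backends whose average response time or 5xx rate exceeds the thresholds."""
    return sorted(
        b for b, s in stats.items()
        if (s["avg_rt"] is not None and s["avg_rt"] > rt_threshold) or s["error_rate"] > error_threshold
    )


if __name__ == "__main__":
    stats = backend_stats(parse_log(SAMPLE_LOG))
    for backend, s in stats.items():
        print(backend, s)
    print("suspects:", suspects(stats))
```

Two details matter in practice: the parser skips a malformed line instead of aborting, because a log collector under load does truncate lines, and the 5xx rate is tracked separately from latency, because a backend that fails fast (the 502 with no upstream time) would otherwise look healthy on averages alone.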
  32. Listeners and health checks: Layer 4 services (TCP/UDP) use port checks (① TCP: send a SYN packet and see whether the backend returns SYN+ACK; ② UDP: send a UDP packet and see whether an ICMP error message comes back). Layer 7 (HTTP/HTTPS) checks the status code returned by the server (the health check sends an HTTP HEAD request). The layer 7 mechanism: the SLB instance sends an HTTP request to the default health check page configured on the application server at the intranet IP of the backend ECS instance, and judges the health from the returned status code.
  33. Health check time window: health check interval (how often a health check is performed) response timeout (time to wait for the server to return a health check) check threshold (number of consecutive successes or failures in health checks). Health check failure time window = response timeout time × unhealthy threshold + check interval × (unhealthy threshold - 1).
  34. Health check time question: ① If the ECS response timeout is 5s, the health check interval is 2s, and the check threshold is 3 times, how many seconds does it take to remove the ECS after an abnormality in the backend ECS is discovered? Answer: 3 checks, each response timeout is 5 seconds, which is 15 seconds. There are 2 check intervals between the 3 checks. The check interval is 2 seconds, which is 4 seconds, which adds up to 19 seconds. ② (Continued from ①) When the ECS is removed and a new ECS is added, assuming that the response time of a healthy ECS is 1 second, the time for SLB to determine the health of the new ECS is 1 second, repeated 3 times, with 2 intervals in between. , 2 seconds each time, attack for 7 seconds.
  35. Side effects of the health check time window: If the target ECS is abnormal and is in the health check failure time window, and the health check has not reached the number of check failure determinations (the default is three), the corresponding request will still be distributed to the ECS, which will lead to Frontend access request failed.
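The timing rules in items 33 to 35, replayed in code. This is an added example written for these notes, not Alibaba Cloud code; the field names are my own, and the model assumes a failed probe costs the full timeout while a successful probe costs its response time, with probes spaced by the interval.

```python
"""Added example (not Alibaba Cloud code): replay SLB health-check probes against the
timing rules in items 33-35 and report when a backend flips state.
Field names below are my own; map them to the console/API parameter names yourself."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class HealthCheckConfig:
    interval_s: float          # seconds between two consecutive probes
    timeout_s: float           # how long a probe waits for the backend to answer
    unhealthy_threshold: int   # consecutive failures before the backend is removed
    healthy_threshold: int     # consecutive successes before it is added back


def failure_window_s(cfg: HealthCheckConfig) -> float:
    """Item 33: timeout x unhealthy_threshold + interval x (unhealthy_threshold - 1)."""
    return cfg.timeout_s * cfg.unhealthy_threshold + cfg.interval_s * (cfg.unhealthy_threshold - 1)


def recovery_window_s(cfg: HealthCheckConfig, response_time_s: float) -> float:
    """Item 34 (2): same shape, but a healthy probe costs its response time, not the timeout."""
    return response_time_s * cfg.healthy_threshold + cfg.interval_s * (cfg.healthy_threshold - 1)


def simulate(cfg: HealthCheckConfig, probes: List[Optional[float]],
             initial_state: str = "healthy") -> List[Tuple[float, str]]:
    """Replay probe outcomes and return (elapsed_seconds, new_state) for every state change.

    Each entry in `probes` is the backend's response time in seconds, or None for no answer.
    The clock starts when the first probe is sent: a probe that times out costs timeout_s,
    a successful probe costs its response time, and consecutive probes are interval_s apart.
    A single success resets the failure counter (and vice versa), which is why a flapping
    backend can stay in rotation far longer than failure_window_s() suggests (item 35).
    """
    state = initial_state
    fails = oks = 0
    elapsed = 0.0
    changes: List[Tuple[float, str]] = []
    for i, rt in enumerate(probes):
        if i:
            elapsed += cfg.interval_s
        if rt is None or rt > cfg.timeout_s:
            elapsed += cfg.timeout_s      # waited the full timeout, counted as a failure
            fails, oks = fails + 1, 0
        else:
            elapsed += rt
            oks, fails = oks + 1, 0
        if state == "healthy" and fails >= cfg.unhealthy_threshold:
            state, fails = "unhealthy", 0
            changes.append((elapsed, state))
        elif state == "unhealthy" and oks >= cfg.healthy_threshold:
            state, oks = "healthy", 0
            changes.append((elapsed, state))
    return changes


if __name__ == "__main__":
    cfg = HealthCheckConfig(interval_s=2, timeout_s=5, unhealthy_threshold=3, healthy_threshold=3)
    print("failure window:", failure_window_s(cfg))        # 19.0 (item 34, question 1)
    print("recovery window:", recovery_window_s(cfg, 1))   # 7.0  (item 34, question 2)
    print(simulate(cfg, [None, None, None]))                # [(19.0, 'unhealthy')]
    # two failures, one slow-but-successful reply, then three failures: removal only at 35.5 s
    print(simulate(cfg, [None, None, 0.5, None, None, None]))
```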
  36. Turn off health checks: Only Layer 7 HTTP and HTTPS listening supports turning off health checks. Layer 4 UDP and TCP listening cannot turn off health checks.
  37. Status codes - HTTP status codes: 2XX means the request succeeded, 3XX means further action is required, 4XX means a problem on the visitor's side (bad request, wrong password, or being blacklisted by the website), and 5XX means an error on the website server.
  38. Status codes - 4XX: 400 Bad Request, the client's request has a syntax error and the server cannot understand it; 401 Unauthorized, the request requires user authentication; 402 Payment Required, reserved for future use; 403 Forbidden, the server understands the request but refuses to execute it; 404 Not Found, the server cannot find the requested resource (web page). As a memory aid: 403 is the password error and 404 is the wrong-URL error.
  39. Status codes - 5XX: 502 Bad Gateway; 504 Gateway Timeout.
  40. Session persistence (test point): in SLB, layer 7 (HTTP/HTTPS) session persistence is cookie based. SLB's layer 7 session persistence offers two modes: cookie insertion (SLB inserts the cookie) and cookie rewriting (SLB rewrites a cookie set by the backend).
  41. Load balancing certificate hosting: you can directly use a certificate from the SSL Certificate Service, or upload the required third-party-signed server certificate and CA certificate to the load balancer. After uploading, there is no need to configure the certificate on the backend servers. ① Server certificate: upload the certificate content and the private key. ② CA certificate: upload only the certificate content.
  42. Mounting multiple HTTPS websites on one load balancer: background: several HTTPS certificates have been uploaded, and requests for the different HTTPS sites must go to their respective backend server groups. ① Add an HTTPS listener: in the SLB console, select the instance, add a listener, choose the HTTPS protocol, the listening port and the server certificate, then create forwarding and set up a separate virtual server group for each HTTPS site; ② (optional) add a redirect: set up an HTTP listener and forward it to the HTTPS address; ③ configure forwarding rules so that requests for different domain names go to different server groups (instance - listeners - add forwarding policy - fill in the domain name and select the server group); ④ configure extended domain names on the new HTTPS listener, adding each additional HTTPS domain name, so that multiple certificates can be carried on a single SSL IP address.
  43. HTTPS mutual (two-way) authentication: the server SSL certificate and the client CA certificate must both be hosted on SLB.
  44. SLB blacklist and whitelist: behavior when no IP has been added to the whitelist or blacklist: ① whitelist enabled with no IP in the access policy group: the listener forwards all requests; ② blacklist enabled with no IP in the access policy group: the listener forwards all requests. In short, as long as no IP is added to either the whitelist or the blacklist, everything is forwarded.
  45. Real IP (many pitfalls): ① because of the way listeners forward, layer 4 naturally sees the user's real IP, while layer 7 must read it from the HTTP header; ② when using an Alibaba Cloud SLB instance for a layer 7 (HTTP) service, since the request is forwarded by replacing the IP address in the HTTP header, the access IP seen by the backend ECS instance is the IP address of the SLB instance, not the real IP of the actual visitor. (This sentence is correct.)
  46. Practice (test point): why do IPs starting with 100 or 10 frequently access the SLB backend ECS? Besides forwarding external access requests to the backend ECS instances through the system's internal IP addresses, the load balancing system also performs health checks and availability monitoring on the ECS instances, and these accesses originate from the load balancing system. The load balancing system's address segment is 100.64.0.0/10 (an address range reserved by Alibaba Cloud; it cannot be assigned to other users, so there is no security risk), which is why many IP addresses starting with 100 access the ECS instances. To ensure the availability of your external services, make sure access rules for the above addresses are configured. If your business is highly sensitive to load, high-frequency health checks may affect normal business access; you can reduce the impact by lowering the health check frequency, increasing the health check interval, and changing layer 7 checks to layer 4 checks according to your business situation. But in order to ensure the continued availability of the business
  47. Practice (test point): why is a Transfer-Encoding: chunked field added to the header of the HTTP request? After resolving the domain name to the service address of a layer 7 load balancer and accessing the domain name from the local host, a Transfer-Encoding: chunked field was found in the HTTP header; when accessing the backend server directly from the local host, the field was absent.
    Because layer 7 load balancing is implemented on the Tengine reverse proxy. The Transfer-Encoding field indicates how the web server encodes the response message body; Transfer-Encoding: chunked means the web server transmits the response body in chunks.
  48. Practice (test point): why do backend instances in SLB have the same weight, yet access is unbalanced in practice? Answer: if session persistence is enabled at the same time, the requests reaching each backend server will not be exactly equal, so access imbalance can occur.
  49. Practice (Test Point): How to redirect HTTP access to HTTPS? Set up port forwarding by creating a new listener.
  50. Practice (Test Point): Which of the following parameters represents the unique identifier of an SLB instance? LoadBalancerId!
  51. Practice (test point): When using Alibaba Cloud Load Balancing SLB, the back-end server can set up a primary and secondary server group. When the host is working normally, the traffic will go directly to the host; when the host goes down, the traffic will go to the standby server. Regarding the protocols supported by the active and standby server groups, the following statement is correct: only four-layer protocols (TCP/UDP) are supported.
  52. Practice (test point): when SLB distributes load to multiple ECS instances, how is the user's real IP obtained? Answer: ① a layer 7 service obtains the visitor's real IP from the HTTP header; ② at layer 4 (UDP is a transport layer protocol), the connection is based on the real source IP and source port, so the user's real IP is available without any setup.
  53. To sum up, which functions or configurations are available only at layer 4 or only at layer 7? ① Consistent hashing: layer 4 only; ② turning off health checks: layer 7 only; ③ forwarding performance: layer 4 is better than layer 7; ④ forwarding policies: configurable at layer 7, fixed at layer 4; ⑤ active/standby server groups: layer 4 only; ⑥ the user's real IP: obtained naturally at layer 4, requires reading the HTTP header at layer 7.

5. VPC private network

  1. VPC - Network types: divided into public network and private network. The public network is the Internet; the private network is a LAN. Alibaba Cloud divides private networks into classic networks and VPCs (private networks).
  2. IP: The IP of a classic network is created and assigned by the system and cannot be changed; while the IP of a VPC can be customized by the user.
  3. VPC—Composition: Each VPC consists of a router, at least one private network segment, and at least one switch.
  4. VPC—with cloud products: ECS, RDS, SLB. Cloud resources cannot be deployed directly in a VPC and must belong to a switch (subnet) within the VPC. You can create cloud resources in the switch. All Alibaba Cloud's cloud products support VPC. This question is wrong.
  5. VPC—Isolation mechanism: ECS instances in different VPCs are naturally isolated because they have different tunnel IDs and are on different routing planes.
  6. VPC—Common sense: VPC is a Layer 2 isolated network environment, and the switches in VPC are Layer 3 switches.
  7. VPC - Default VPC: when creating an Alibaba Cloud product instance, you can select the system's default VPC and switch; these two items determine the default network location of the instance within the zone of the private network. Only one default VPC per region is created automatically by the Alibaba Cloud system, and it does not count against the user's VPC quota.
  8. Internal connection - connection between switches within a VPC: ① switches within the same VPC are connected by default; ② if you want several switches in the VPC not to reach each other, you can rely on security group policies. ECS instances added to the same security group must first be in the same region, and only instances in the same VPC can be added; so you can create different security groups and assign the ECS instances under different switches to different groups. First set a security group rule allowing access from the whole VPC segment, then add a rule denying access from the other switches' segments (the latter has higher priority than the former).
  9. External connection—VPC is connected to the public network (Internet): EIP, load balancing, NAT gateway, fixed public network IP.
  10. External connection—connection between two VPCs (same/different regions): cloud enterprise network, VPN gateway
  11. External connection—VPC and local IDC connection: high-speed channel, cloud enterprise network, intelligent access gateway, VPN gateway.
  12. External connection - Cloud Enterprise Network is awesome: Cloud Enterprise Network (high-speed channel) is very powerful; it interconnects VPCs in the same account and region, the same account across regions, different accounts in the same region, and even different accounts across regions.
  13. Cross-network connection - classic network and VPC interconnection: VPC itself has the ClassicLink function to achieve this without relying on any other products.
  14. Cross-network connection—migrating classic network to VPC: In the Cloud Console—Instance Management, after finding the target ECS instance in the instance list, click More > Network and Security Group > Schedule migration to a private network.
  15. Router: The router (VRouter) is the hub of the private network. As an important functional component in the private network, it can connect various switches in the VPC and is also a gateway device connecting the VPC and other networks. After each private network is successfully created, the system will automatically create a router. Each router is associated with a routing table.
  16. Switch: a switch (VSwitch) is the basic network device that makes up a private network and is used to connect different cloud resources. After you create a VPC, you can divide it into one or more subnets by creating switches. Different switches in the same VPC can communicate with each other over the intranet. You can deploy applications on switches in different zones to improve application availability.
  17. Switch network segment: after creating a VPC, users can divide it into one or more subnets by creating switches. When setting a switch's IPv4 segment, users need to know the restrictions, including but not limited to: the switch segment must be a subset of the VPC segment; the switch segment must not conflict with the segments it needs to communicate with; and the switch segment must not be larger than or equal to the destination segment of any route in the routing table of the VPC it belongs to.
  18. Routing table: after a VPC is created, the system automatically creates a default routing table and adds system routes to it to manage VPC traffic. You cannot create or delete system routes, but you can create custom routes to send traffic for a specified destination segment to a specified next hop.
  19. Custom routing table: you cannot create or delete the system routing table, but you can unbind a switch from it, create a custom routing table within the VPC, and bind that custom routing table to the switch to control the subnet's routing for more flexible network management.
  20. Switch - relationship between the components and the switch: the subnet is bound to the switch, the routing table is bound to the switch, and the network ACL is bound to the switch. A security group is a logical grouping of ECS instances and has nothing to do with the switch.
  21. Switch - switch and routing table: Each switch can only be bound to one routing table and must be bound to one routing table. A switch's (subnet's) routing policy is governed by its associated routing table.
  22. Switch - Alternative knowledge about switches: Before deleting the switch, you must delete the ECS connected to the switch.
  23. Switch - VPC and switch: Different switches under the same VPC can communicate with each other within the intranet by default.
  24. Switch - exam question: "For ECS instances in the same VPC to communicate over the intranet, two conditions must be met: (1) they are under the same switch; (2) they are in the same security group, or in two security groups whose rules allow mutual access." Answer: this question is confusing. (1) and (2) are both correct in themselves, but (1) has an extension: different switches under the same VPC interoperate by default. Therefore the statement is wrong.
  25. Switch - CIDR: Classless Inter-Domain Routing (CIDR) is a technique developed to help mitigate IP address exhaustion and routing table growth. The basic idea of CIDR is to abandon the classful structure of IP addresses and aggregate multiple address blocks into a larger network that can hold more hosts.
  26. Switch - CIDRBlock: when creating a new switch, the CIDRBlock is globally unique and cannot be changed after creation, so the CIDRBlock of a new switch cannot conflict with the CIDRBlock of an existing switch.
  27. Routing - VPC and router: when a user creates a VPC, the system creates a router in the VPC by default, and the router comes with a default routing table. Routers cannot be created or deleted by users; each VPC has only one router, which is deleted automatically when the VPC is deleted.
  28. Routing - VPC and routing table: when a user creates a VPC, the system creates a router in the VPC by default, and the router comes with a default routing table. The default routing table cannot be created or deleted, but users can create their own custom routing tables. Each VPC can have up to 10 routing tables, including the system routing table.
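The switch segment restrictions of items 17, 25 and 26, turned into a pre-creation check. This is an added example written for these notes, not Alibaba Cloud's own validation; it uses Python's ipaddress module and assumes "larger than or equal to a route destination" means the switch block contains that destination.

```python
"""Added example (my own check, not Alibaba Cloud code): validate a proposed VSwitch CIDR
block against the restrictions in items 17, 25 and 26."""
import ipaddress
from typing import Iterable, List


def vswitch_cidr_problems(vpc_cidr: str, proposed: str,
                          existing_vswitch_cidrs: Iterable[str] = (),
                          route_destinations: Iterable[str] = ()) -> List[str]:
    """Return the reasons the proposed block is not allowed; an empty list means it passes.

    Checks, in the order the items state them:
      1. the block must be a subset of the VPC block;
      2. it must not overlap an existing VSwitch block (CIDRBlock is fixed after creation);
      3. it must not be equal to or larger than the destination of any custom route in the
         VPC routing table (otherwise local delivery and the route would conflict).
    """
    try:
        net = ipaddress.ip_network(proposed)       # strict=True rejects "192.168.1.5/24"
    except ValueError as err:
        return [f"invalid CIDR block: {err}"]
    vpc = ipaddress.ip_network(vpc_cidr)
    problems: List[str] = []
    if not net.subnet_of(vpc):
        problems.append(f"{net} is not inside the VPC block {vpc}")
    for other in existing_vswitch_cidrs:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"{net} overlaps existing VSwitch {other}")
    for dest in route_destinations:
        if ipaddress.ip_network(dest).subnet_of(net):   # destination equal to or inside the block
            problems.append(f"{net} covers route destination {dest}")
    return problems


if __name__ == "__main__":
    # Constructed layout: one VPC, one existing switch, a custom route to a VPN peer and a default route.
    VPC, SWITCHES, ROUTES = "192.168.0.0/16", ["192.168.0.0/24"], ["192.168.3.0/26", "0.0.0.0/0"]
    for candidate in ["192.168.1.0/24", "192.168.0.0/23", "192.168.3.0/24", "10.0.0.0/24", "192.168.1.5/24"]:
        print(candidate, "->", vswitch_cidr_problems(VPC, candidate, SWITCHES, ROUTES) or "OK")
```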
  29. ACL: Network ACL (Network Access Control List) is the network access control function in the private network VPC. You can customize network ACL rules and bind the network ACL to the switch to control access to the traffic of ECS instances in the switch.
  30. The difference between ACL and security group:
    ① ACL: runs at the switch level; stateless: return traffic must be explicitly allowed by the rules; the switch an ECS instance belongs to can be bound to only one network ACL.
    ② Security group: runs at the instance level; stateful: return traffic is automatically allowed and is not affected by any rule; one ECS instance can join multiple security groups.
  31. Network ACL features in VPC: ① network ACL rules only filter the traffic of ECS instances in the bound switch (including traffic forwarded by SLB to those ECS instances). ② Network ACL rules are stateless: after allowing a request with an inbound rule, you must also set the corresponding outbound rule, otherwise the request may not be answered. ③ When a network ACL has no rules, all inbound and outbound access is denied, which is the opposite of the load balancing behavior, where an empty whitelist or blacklist forwards everything by default. ④ A network ACL is bound to the switch and does not filter traffic between ECS instances in the same switch (the ACL acts at the switch boundary and ignores traffic between components inside the switch).
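A small packet-filter model of the two behaviors in items 30 and 31, plus the priority trick from item 8. This is an added example written for these notes, not Alibaba Cloud code; the rule and flow-table model is my own simplification, and the addresses and ports are constructed.

```python
"""Added example (my own model, not Alibaba Cloud code): why a stateless network ACL needs
an outbound rule for reply traffic while a stateful security group does not (items 30-31),
and how a higher-priority deny rule beats a broad allow in a security group (item 8)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "in" = arriving at the protected instance/switch, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    direction: str
    remote_cidr: str      # peer address: source for "in" rules, destination for "out" rules
    ports: range          # destination port of the packet
    action: str           # "accept" or "drop"
    priority: int = 100   # lower value wins, like security group priority 1-100


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are evaluated in priority order; the first whose direction, peer CIDR and
    destination port match decides. Nothing matched means the implicit default: drop."""
    peer = ipaddress.ip_address(pkt.src if pkt.direction == "in" else pkt.dst)
    for r in sorted(rules, key=lambda r: r.priority):
        if (r.direction == pkt.direction and peer in ipaddress.ip_network(r.remote_cidr)
                and pkt.dport in r.ports):
            return r
    return None


class NetworkAcl:
    """Stateless, bound to a switch: every packet, replies included, must match an explicit rule."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules

    def allows(self, pkt: Packet) -> bool:
        r = first_match(self.rules, pkt)
        return r is not None and r.action == "accept"


class SecurityGroup:
    """Stateful, bound to instances: an accepted packet creates a flow entry, and the
    reply flow is allowed automatically without consulting the rules."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple[str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:   # reply to a tracked flow
            return True
        r = first_match(self.rules, pkt)
        ok = r is not None and r.action == "accept"
        if ok:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ok


def web_exchange(filt, client: str = "10.0.1.5") -> Tuple[bool, bool]:
    """Constructed traffic: a client on switch A talks to port 80 on 10.0.2.10 (switch B)
    and the server replies to the client's ephemeral port. Returns (request_ok, reply_ok)."""
    request = Packet(client, 50123, "10.0.2.10", 80, "in")
    reply = Packet("10.0.2.10", 80, client, 50123, "out")
    return filt.allows(request), filt.allows(reply)


ALLOW_HTTP_IN = Rule("in", "10.0.0.0/16", range(80, 81), "accept")
ALLOW_EPHEMERAL_OUT = Rule("out", "10.0.0.0/16", range(1024, 65536), "accept")

if __name__ == "__main__":
    print(web_exchange(NetworkAcl([ALLOW_HTTP_IN])))                      # (True, False): reply dropped
    print(web_exchange(NetworkAcl([ALLOW_HTTP_IN, ALLOW_EPHEMERAL_OUT])))  # (True, True)
    print(web_exchange(SecurityGroup([ALLOW_HTTP_IN])))                    # (True, True): stateful
    # item 8: allow the whole VPC at priority 10, deny the other switch's segment at priority 1
    sg = SecurityGroup([Rule("in", "10.0.0.0/16", range(80, 81), "accept", 10),
                        Rule("in", "10.0.3.0/24", range(80, 81), "drop", 1)])
    print(web_exchange(sg, client="10.0.3.7"))                             # (False, False)
```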
  32. Basics of Internet Protocol: The foundation that can connect tens of millions of computers together in the Internet is the TCP/IP protocol. In the Internet, TCP/IP is a general term for various protocols. TCP, UDP, IP, FTP, HTTP, ICMP, SMTP, etc. all belong to the protocols within the TCP/IP family.
  33. Elastic IP (EIP): a public IP resource that can be purchased and held independently. It can be bound to a VPC-type ECS instance, a VPC-type SLB instance, a VPC-type secondary elastic network interface, a NAT gateway, or a high-availability virtual IP. It cannot be bound to RDS.
  34. Elastic network card: ENI (Elastic Network Interface) is a virtual network card that can be bound to a private network VPC type ECS instance.
  35. Network interface attributes: ① primary and secondary network interfaces: the primary network interface is created together with the instance, shares the instance's life cycle, and cannot be unbound from the instance; ② zone: the switch an elastic network interface belongs to and the instance it is bound to must be in the same zone; ③ a network interface can be bound to one or more elastic public IPs.
  36. NAT Gateway: NAT Gateway is an enterprise-level public network gateway that provides NAT proxy (SNAT and DNAT) functions, has 10 Gbps level forwarding capabilities and cross-availability zone disaster recovery capabilities.
  37. NAT gateway and EIP: as a gateway device, the NAT gateway must be bound to a public IP to work. A NAT gateway can be bound to multiple EIPs (up to 20); when one EIP is attacked, ECS instances can use the other EIPs to reach the public network, keeping the business running as far as possible.
  38. NAT gateway and VPC: the same VPC supports multiple enhanced NAT gateways. You can forward traffic to different destinations through different NAT gateways and apply different security protection to each, deploying public network access at a finer granularity.
  39. NAT gateway functions: ① SNAT: provides public network access for ECS instances in the VPC that have no public IP. The SNAT function of the NAT gateway has a protective property: a connection can only be established when an ECS instance in the VPC actively initiates it, and the outside cannot actively reach the ECS instances in the VPC. SNAT hides the ports of the ECS instances from the outside, protecting them from external intrusion and attacks. ② DNAT: maps an EIP bound to the NAT gateway to an ECS instance in the VPC so that the instance can provide services to the public network.
  40. VPN: VPN gateway is an Internet-based network connection service that uses encrypted channels to achieve safe and reliable connections between enterprise data centers, enterprise office networks, or Internet terminals and Alibaba Cloud Private Network (VPC). VPN gateway provides IPsec-VPN connections and SSL-VPN connections.
  41. IPsec-VPN: route-based IPsec-VPN can connect a local data center to a VPC, or connect different VPCs, and suits large-scale site-to-site connections. IPsec-VPN supports the IKEv1 and IKEv2 protocols, so any device supporting these two protocols can interconnect with the Alibaba Cloud VPN gateway, for example Huawei, H3C, Shanshi, Sangfor, Cisco ASA, Juniper, SonicWall, Nokia, IBM and Ixia.
  42. SSL-VPN: SSL-VPN is based on the OpenVPN architecture. You can use the SSL-VPN function to remotely access applications and services deployed in a VPC from a client. After the deployment is completed, you only need to load the certificate in the client to initiate a connection to achieve remote access.
  43. VPN scenarios: ① a local data center and a VPC can be quickly connected through IPsec-VPN to build a hybrid cloud; ② two VPCs can be quickly connected through IPsec-VPN to share cloud resources; ③ a single mobile client can connect to a VPC through an SSL-VPN tunnel for remote office work; ④ IPsec-VPN and SSL-VPN can be combined to extend the network topology: after a client connects, it can reach not only the VPC but also the office network connected to it.
  44. VPN applicable restrictions: First of all, there are limits on the number of VPNs under one account, including the number of IPsec-VPN and SSL-VPN under each VPN.
  45. VPN billing: Currently only annual and monthly subscriptions are supported.
  46. Cloud Enterprise Network: unlike a VPN, which reaches the VPC over the public network through a gateway, the Cloud Enterprise Network is a global private network built by Alibaba Cloud; VPCs and local IDCs around the world that join it can be connected at high speed.
  47. Composition of the Cloud Enterprise Network: ① the CEN instance is the basic resource for creating and managing an integrated network; after creating one, attach the network instances that need to be interconnected, then purchase a bandwidth package and set the cross-region bandwidth to interconnect network resources globally; ② network instances attached to the CEN are fully interconnected; network instances include VPCs, virtual border routers (VBR) and cloud connect networks (CCN); ③ network instances in the same region can communicate without a bandwidth package; to interconnect network instances across regions, you must purchase a bandwidth package for the areas the regions belong to and set the cross-region bandwidth.
  48. Purpose of Cloud Enterprise Network: It can quickly build a global network of hybrid cloud and distributed business systems to achieve global network interconnection. You can load the network instances to be interconnected into the created CEN instance to achieve network interconnection.
  49. Cloud enterprise network advantages: ① One network connects the world; ② Low latency, high speed; ③ Nearest access and shortest link interoperability
  50. True or False question: When creating a cloud product instance in the Alibaba Cloud private network VPC created by the user, the switch where the cloud product instance is located must be specified, otherwise the cloud product instance of the VPC cannot be created.
    Answer: First of all, I think it is right, but the simulation question bank said it is wrong. I think even the default switch created by the system is still a switch. When you create a cloud product, you must specify it as the default switch. In particular, there is an ACP exam question about "switch, which is the basic network device that makes up the VPC network. It can connect different cloud product instances. When creating a cloud product instance in the VPC network, you must specify the switch where the cloud product instance is located. The following is about Which statement about the switch is wrong?" It's already been said in the question, so are all the questions wrong?

6. OSS object storage

  1. Atomicity of OSS: Object operations are atomic on OSS. The operation either succeeds or fails, and there will be no Object with an intermediate state. OSS ensures that the Object read by the user once the upload is completed is complete, and OSS will not return to the user an Object that has been partially uploaded successfully.
  2. Strong consistency of OSS: Object operations are also strongly consistent in OSS. Once the user receives a successful upload (PUT) response, the uploaded Object is immediately readable and its redundant copies have already been written; there is no intermediate state in which the write has succeeded but the data cannot yet be read. The same holds for deletion: once the user successfully deletes the specified Object, it immediately ceases to exist.
  3. OSS compliance retention policy: Object Storage OSS supports the WORM feature, allowing users to save and use data in an "undeletable, non-tamperable" manner, complying with the compliance requirements of the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA). OSS provides strong compliance policies, and users can set time-based compliance retention policies for storage space (Bucket).
  4. OSS charges are divided into four parts: storage, traffic, number of visits, and data processing. There is a big pitfall. Intranet access traffic is free, but the number of visits costs money regardless of the internal or external network.
  5. "Private" OSS file sharing: files stored in OSS can be shared and downloaded. In a Bucket's "private" mode, the externally shared URL is time limited; once the time limit is exceeded, the shared link becomes invalid.
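What "time limited" means in practice for a private bucket: the shared URL carries an absolute Expires value and a signature that covers it, so the expiry cannot be edited away. This is an added example written for these notes, not Alibaba's SDK; it follows the OSS signature V1 query-string scheme as I understand it (HMAC-SHA1 over VERB, Content-MD5, Content-Type, Expires and the resource path), so check the exact string-to-sign format against the current OSS documentation, and all keys and names below are constructed.

```python
"""Added example, not Alibaba's SDK: build and verify a time-limited download URL for a
private bucket, following the OSS signature V1 query-string scheme as I understand it
(GET, empty Content-MD5/Content-Type, HMAC-SHA1 over the string-to-sign). Verify the exact
string-to-sign format against the current OSS docs. All keys below are constructed."""
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse


def string_to_sign(verb: str, bucket: str, key: str, expires: int) -> str:
    # VERB \n Content-MD5 \n Content-Type \n Expires \n CanonicalizedResource
    return f"{verb}\n\n\n{expires}\n/{bucket}/{key}"


def sign(access_key_secret: str, sts: str) -> str:
    digest = hmac.new(access_key_secret.encode(), sts.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def presign_get(access_key_id: str, access_key_secret: str, bucket: str, endpoint: str,
                key: str, expires_in: int = 3600, now: Optional[int] = None) -> str:
    """Share a private object for `expires_in` seconds; Expires is an absolute Unix time."""
    expires = (int(time.time()) if now is None else now) + expires_in
    query = urlencode({"OSSAccessKeyId": access_key_id, "Expires": expires,
                       "Signature": sign(access_key_secret, string_to_sign("GET", bucket, key, expires))})
    return f"https://{bucket}.{endpoint}/{quote(key)}?{query}"


def verify_get_url(url: str, access_key_secret: str, now: Optional[int] = None) -> bool:
    """What the service side must do: refuse once Expires has passed, then recompute the
    signature over the *requested* bucket/key/Expires and compare in constant time, so a
    link edited to point at another object or to a later Expires fails."""
    parts = urlparse(url)
    bucket = parts.netloc.split(".", 1)[0]
    key = unquote(parts.path.lstrip("/"))
    q = parse_qs(parts.query)
    try:
        expires, sig = int(q["Expires"][0]), q["Signature"][0]
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if current >= expires:
        return False
    expected = sign(access_key_secret, string_to_sign("GET", bucket, key, expires))
    return hmac.compare_digest(expected, sig)


SECRET = "constructed-secret-not-a-real-key"   # placeholder; never hard-code real secrets

if __name__ == "__main__":
    url = presign_get("AKID-EXAMPLE", SECRET, "demo-bucket", "oss-cn-hangzhou.aliyuncs.com",
                      "reports/q1.pdf", expires_in=600, now=1_700_000_000)
    print(url)
    print(verify_get_url(url, SECRET, now=1_700_000_100))                              # True: within 10 min
    print(verify_get_url(url, SECRET, now=1_700_000_700))                              # False: expired
    print(verify_get_url(url.replace("q1.pdf", "q2.pdf"), SECRET, now=1_700_000_100))  # False: other object
```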
  6. Object specifications: The maximum limit of a single Object in OSS is 48.8TB
  7. An Object consists of: meta information, user data, and a name. This follows from the KV structure adopted by OSS, so the name is the KEY, not an ID. Therefore, when a multiple-choice question asks for the component elements of an Object, select meta (meta information), data (user data) and key (name), and do not include ID.
  8. Bucket naming: The Bucket name in OSS must be globally unique and cannot be changed once created. In the ACP test, the Bucket naming rules are tested, and the naming rules can only include lowercase letters, numbers, and dashes.
  9. Delete Bucket: Before deleting the storage space, please make sure that all files (Object), fragments (Part) and Livechannel stored in it have been deleted.
  10. Practice: Object headers are set through the CopyObject API in OSS; that is, the headers are modified by copying the Object.
  11. Commonly used OSS tools include: ① Graphical tool: ossbrowser ② Command line tool: ossutil ③ FTP tool: ossftp ④ File organization tool: ossfs
  12. OSS principle: Object Storage Service (OSS) is a massive, secure, low-cost, highly reliable cloud storage service. The core function of the object storage gateway is to convert between a traditional file storage protocol and the HTTP protocol used by OSS.
  13. OSS file upload: ① The size of the file uploaded by the console does not exceed 5G and can be uploaded in the OSS console ② It can be uploaded using the OSS API
  14. OSS API uploads: simple upload; form upload (suitable for browser-side upload, sharing OSS performance pressure); multipart upload; append upload (a very handy one).
  15. OSS simple upload: refers to uploading a single file (Object) using the PutObject method in the OSS API. Simple upload is suitable for scenarios where the upload can be completed with one HTTP request interaction, such as the upload of small files (less than 5 GB).
  16. OSS form upload: refers to using the PostObject request in the OSS API to complete the upload of Objects. The uploaded Object cannot exceed 5GB. Form upload is very suitable for embedding in HTML web pages to upload objects. The more common scenario is website applications;
  17. OSS multipart upload (Multipart Upload) and breakpoint resume function: you can divide the file to be uploaded into multiple data blocks (also called Parts in OSS) and upload them separately. After the upload is completed, you can call the OSS interface to combine these Parts. into an Object to achieve the effect of resumed uploading. It is suitable for when using the simple upload (PutObject) function to upload larger files to OSS. If a network error occurs during the uploading process, the upload will fail and the process will be repeated. The attempt must be uploaded from the beginning of the file. In this case, you can use multipart upload to achieve the effect of resuming the upload after a break.
  18. OSS append upload: refers to using the AppendObject in the OSS API to directly append content after the uploaded Appendable Object type file. The previously mentioned upload methods, such as simple upload, form upload, breakpoint resume upload, etc., create Object They are all of Normal type. The content of this Object is fixed after the upload is completed and can only be read and cannot be modified. If the object content changes, you can only re-upload the object with the same name to overwrite the previous content. This is also a major difference between the use of OSS and ordinary file systems. Because of this characteristic, it is very inconvenient in many application scenarios, such as video surveillance and live video fields, where video data is continuously generated in real time. If you use other upload methods, you can only divide the video stream into small pieces according to certain rules and then continuously upload new objects. In order to simplify the development cost in this scenario, OSS provides the append upload (Append Object) method to directly append content after an Object. The type of Object operated in this way is Appendable Object, while the type of Object uploaded in other ways is Normal Object. Each additional uploaded data is immediately readable.
  19. OSS API operations (a compulsory topic that appears often): ① Operation targets: Bucket, Object, Multipart Upload, cross-region replication, Live Channel (the ingest/playback channel for audio and video). ② Common API operations on Buckets and Objects: PutObject (upload) / PutBucket (create a bucket), GetXX (retrieve), CopyXX (copy), DeleteXX (delete), HeadXX (returns only the metadata of an Object, not its content), PostObject (upload an Object through an HTML form), PutObjectACL (change an Object's access permissions), SelectObject (query the content of an Object).
  20. Exam questions on OSS upload:
    ① Besides uploading files through the PutObject API, which other upload mode does OSS provide?
    A. Put Bucket B. Head Object C. Multipart Upload D. Get Object. Answer: C, Multipart Upload.
    ② Which API must a user call to simulate creating a folder in OSS? A. PutObject B. Multipart Upload C. CopyObject D. GetObject. Answer: A, PutObject (a folder is simulated by putting a zero-byte Object whose name ends with a slash).
  21. Data disaster recovery, zone-redundant storage (same city): OSS uses a multi-availability-zone (AZ) mechanism that stores user data across three availability zones in the same region, so the data remains accessible when one zone becomes unavailable. Zone-redundant storage provides data-center-level disaster recovery: when a network or power failure, or a disaster, takes a data center out of service, OSS keeps serving with strong consistency. The failover is invisible to users, service is not interrupted and no data is lost, which meets the requirement of critical business systems for a recovery time objective (RTO) and recovery point objective (RPO) of 0.
  22. Data disaster recovery, cross-region replication: Cross-Region Replication automatically and asynchronously (in near real time) replicates files (Objects) between Buckets in different OSS data centers (regions). Create, update and delete operations on the source Bucket are replayed on the target Bucket in the other region, so the copy is kept in sync in near real time rather than synchronously.
  23. Data disaster recovery, cross-region replication scenarios: OSS cross-region disaster recovery and cross-region active-active deployments, for users with very high requirements for data safety and availability who want every write explicitly mirrored to a data center in another region, so that when a major disaster (earthquake, tsunami, etc.) damages one OSS data center, the copy in the other data center can be brought into service.
  24. IMG service: IMG is the image processing service of OSS. After uploading images to OSS, users can process them at any time, from any place and device, through a simple RESTful interface: ① add processing parameters to the image URL, ② call image processing through the OSS SDK, ③ define image styles to apply the same processing to different images. The image must first be uploaded to a Bucket, so processing always operates on an image in a Bucket. The processed result is returned directly to the requester rather than being written back into OSS.
  25. OSS custom domain binding (a frequent exam topic): the OSS domain binding (CNAME) function binds a custom domain name to a Bucket, whose default access address is (Bucket name).${region}.aliyuncs.com, a third-level domain. The bound domain must have an ICP filing with the Ministry of Industry and Information Technology (for Buckets in mainland China regions); whether the filing was done through Alibaba Cloud does not matter.
  26. OSS and ECS reverse proxy (exam topic): the IP address behind an Alibaba Cloud OSS Bucket's access address changes. To reach a Bucket through a fixed IP address, configure a reverse proxy for OSS on an ECS instance and access the Bucket through that instance.
  27. ECS reverse proxy question: Alibaba Cloud OSS exposes a RESTful API that end users reach through the default OSS domain name or a bound custom domain name. For security reasons an enterprise restricts its employees and business systems on the egress firewall to a fixed set of public IP addresses, but the IP address of the OSS Bucket changes, so the firewall policy would need constant updating. It is recommended that they use ______ to solve this problem. Answer: a reverse proxy for OSS configured on ECS (the firewall then only needs to allow the ECS instance's fixed public IP).
  28. Channel: a Channel is a namespace in IMG and the management entity for billing, permission control, logging and other advanced functions. The IMG name is globally unique within the image processing service and cannot be changed. A user can create up to 10 Channels; there is no limit on the number or total size of Objects stored in a Channel, only on the size of each Object (20 MB at most), so the statement that a Channel's capacity is unlimited is correct. A Channel currently corresponds one-to-one to an OSS Bucket, i.e. a user can only create a Channel with the same name as one of their own Buckets.
  29. OSS data redundancy: ① OSS stores redundant copies of every Object on multiple devices in multiple facilities within the same region, so data remains durable and available when hardware fails. With three-copy storage the copies sit in different availability zones of one region, or on different devices within one zone; they never span regions (cross-region protection is the separate replication feature in item 22). ② The redundancy is based on erasure coding: data is cut into fragments, extra redundant fragments are computed from them, and the fragments are spread over different disks, storage nodes or locations. The mathematical relationship among the fragments lets the system check them for correctness and recompute a fragment that has been lost.
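Item 29 ② above, made concrete as an added Python example written for these notes (not OSS code): the smallest erasure code there is, k data fragments plus one XOR parity fragment, which can rebuild any single lost fragment, whether a data fragment or the parity itself. OSS uses a stronger code with several parity fragments; the sample data and fragment count here are constructed.

```python
def xor_blocks(blocks):
    """XOR equal-length byte strings together."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def ec_encode(data, k):
    """Split data into k data fragments plus one parity fragment (single-parity erasure code).
    Returns (fragments, original_length); the length is needed to strip padding on decode."""
    frag_len = (len(data) + k - 1) // k
    padded = data + b"\x00" * (frag_len * k - len(data))
    fragments = [padded[i * frag_len:(i + 1) * frag_len] for i in range(k)]
    fragments.append(xor_blocks(fragments))   # parity = XOR of all data fragments
    return fragments, len(data)


def ec_decode(fragments, k, original_length):
    """Rebuild data from k+1 fragments of which at most one is None (lost / failed device)."""
    lost = [i for i, f in enumerate(fragments) if f is None]
    if len(lost) > 1:
        raise ValueError("single-parity code recovers at most one lost fragment")
    fragments = list(fragments)
    if lost:
        i = lost[0]
        # XOR of every surviving fragment (data and parity) reproduces the missing one
        fragments[i] = xor_blocks([f for j, f in enumerate(fragments) if j != i])
    return b"".join(fragments[:k])[:original_length]


if __name__ == "__main__":
    frags, n = ec_encode(b"OSS keeps durability with erasure coding", 3)   # constructed data
    frags[1] = None                            # simulate a failed disk holding fragment 1
    print(ec_decode(frags, 3, n))
```

The storage overhead is (k+1)/k instead of the 3x of plain three-copy replication, which is why erasure coding is used for durability at scale; the price is that losing two fragments at once is unrecoverable with a single parity, hence real systems add more parity fragments.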
  30. OSS access control: ① ACL read/write permissions ② RAM account read/write permissions ③ anti-hotlinking whitelist/blacklist ④ Bucket policy ⑤ STS temporary authorization
  31. OSS STS temporary authorization: OSS supports temporary access through Alibaba Cloud STS (Security Token Service). With STS you issue third-party applications or sub-users (users whose identities you manage) an access credential with a validity period and permissions of your choosing, instead of handing out a long-lived AccessKey.
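Item 31 above, as an added Python example written for these notes (not Alibaba Cloud SDK code): a credential that expires and carries a scoped policy, evaluated with the deny-overrides logic of RAM-style policy documents. The policy, the resource ARNs, the 900 to 3600 second duration window and the evaluator are constructed for the illustration; a real STS token is additionally limited by the role's own permissions, which is not modelled here.

```python
import fnmatch
import time


def issue_sts_credential(policy, duration_seconds, now=None):
    """Model of an AssumeRole result: a short-lived token bound to a scoped policy."""
    now = time.time() if now is None else now
    if not 900 <= duration_seconds <= 3600:   # window assumed for this example
        raise ValueError("duration must be within 900..3600 seconds")
    return {"policy": policy, "expiration": now + duration_seconds}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(credential, action, resource, now=None):
    """Deny-overrides evaluation: an expired token, an explicit Deny,
    or the absence of a matching Allow all refuse the request."""
    now = time.time() if now is None else now
    if now >= credential["expiration"]:
        return False, "token expired"
    allowed = False
    for stmt in credential["policy"]["Statement"]:
        if _matches(_as_list(stmt["Action"]), action) and _matches(_as_list(stmt["Resource"]), resource):
            if stmt["Effect"] == "Deny":
                return False, "explicit deny"
            allowed = True
    return (True, "allow") if allowed else (False, "implicit deny")


# Constructed policy: a mobile client may only write into its own prefix of one bucket,
# and may never change the ACL of what it uploads.
UPLOAD_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["oss:PutObject"],
         "Resource": ["acs:oss:*:*:app-uploads/user-42/*"]},
        {"Effect": "Deny", "Action": "oss:PutObjectAcl",
         "Resource": "acs:oss:*:*:app-uploads/*"},
    ],
}

OWN_PHOTO = "acs:oss:cn-hangzhou:123456789:app-uploads/user-42/photo.jpg"   # constructed ARN
OTHER_USER = "acs:oss:cn-hangzhou:123456789:app-uploads/user-7/x.jpg"


def demo(now=1_700_000_000):
    cred = issue_sts_credential(UPLOAD_ONLY_POLICY, 900, now)
    return [
        is_allowed(cred, "oss:PutObject", OWN_PHOTO, now),          # allow
        is_allowed(cred, "oss:GetObject", OWN_PHOTO, now),          # no Allow statement
        is_allowed(cred, "oss:PutObject", OTHER_USER, now),         # wrong prefix
        is_allowed(cred, "oss:PutObjectAcl", OWN_PHOTO, now),       # explicit Deny
        is_allowed(cred, "oss:PutObject", OWN_PHOTO, now + 901),    # token has expired
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The practitioner's check when writing such a policy is the third case: the resource pattern must include the per-user prefix, otherwise a leaked token from one client lets it overwrite another user's objects for as long as the token lives.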
  32. ACL control in OSS: an Object ACL is an Object-level access control with four possible values: private, public-read, public-read-write and default. default, the initial value, means the Object follows the Bucket's read/write permissions, i.e. the Object has whatever permissions the Bucket has; this is called inheriting from the Bucket.
  33. Anti-hotlinking: by configuring a Referer whitelist and choosing whether an empty Referer is allowed, the anti-hotlinking function limits access to the resources in your Bucket to the domain names on the whitelist. OSS evaluates the Referer field of the HTTP or HTTPS request header. In these notes OSS differs from CDN in that only a whitelist is configured.
  34. When anti-hotlinking is triggered: ① the Referer check is performed only when an Object is accessed anonymously or through a signed URL. ② A request whose header carries an Authorization field does not trigger the check; this is a frequent distractor in exam questions and is always the wrong option.
  35. Anti-hotlinking question: for which operations does OSS perform anti-hotlinking verification? A. Accessing an object with an Authorization field in the request header B. Accessing an object through a signed URL C. Accessing an object anonymously D. Accessing an object through a whitelist. Answer: B and C. Analysis: a signed URL sounds unrelated to hotlinking, but it is one of the two cases that trigger the check. Option A is deceptive because Authorization sounds like it belongs with verification, yet a request carrying that header is not checked at all. Remember this question.
  36. OSS versioning (side topic): to protect data stored in OSS against accidental deletion, OSS offers Bucket versioning. Once versioning is enabled, overwrites and deletions are kept as historical versions, and an Object that was overwritten or deleted by mistake can be restored to any historical version. Versioning applies to every Object in the Bucket; once enabled it cannot be disabled, only suspended, and every version has a unique version ID. In a versioned Bucket you can upload, list, download, delete and restore Objects, and you can suspend versioning to stop accumulating new versions of the same Object; after suspension, historical versions can still be downloaded, copied or deleted by specifying their versionId. Every version is billed, and lifecycle rules can delete expired versions automatically. In effect the feature behaves more like a Bucket-level or Object-level snapshot than what the name "versioning" suggests.
  37. Versioning restrictions: a Bucket with versioning enabled does not support retention (compliance) policies, mirroring back-to-origin or static website hosting, and a Bucket that already has a retention policy, mirroring back-to-origin or static website hosting configured cannot enable versioning.
  38. Exercise (side topic): for security reasons, when a file is opened in the browser address bar through the OSS default domain name (oss.aliyuncs.com), e.g. http://bucketname.oss.aliyuncs.com/a.jpg, browser-renderable and security-sensitive file types (txt, html, htm, image, video and audio formats, etc.) are forced to open as a "Save as" download. How should OSS be configured so that such files open directly in the browser? A. Modify the ACL in the OSS security management menu to allow direct browser access (SMS verification required). B. Bind a user-defined domain name (a third-level domain is fine). C. Modify the file's HTTP headers under Object management in the OSS console. D. OSS does not provide this directly; custom development is needed. Answer: B. Analysis: with the OSS default domain name the browser is always forced to download the file, so you bind your own domain name to the Bucket (CNAME). After the binding succeeds, add a CNAME record at your DNS provider pointing the domain to the Bucket's external endpoint so that the domain can be used to access OSS.
  39. Exercise: customer Xiao Wang plans to build a static website and wants to give customers fast access using the multi-line BGP capability provided by Alibaba Cloud. Xiao Wang can achieve this with the Alibaba Cloud Object Storage OSS product alone. Answer: correct. A static website can be hosted directly on OSS, which serves it itself; a dynamic website would have to be deployed on ECS.
  40. Exercise (side topic): OSS is a pay-per-use service, and to keep a user's data on OSS from being hotlinked by others it supports anti-hotlinking based on the Referer field of the HTTP header. Which statements about OSS anti-hotlinking are correct? (three correct answers) A. Referer rules support the wildcards "*" and "?". B. When the whitelist is empty, OSS does not check whether the Referer field is empty. C. In the wildcard syntax, "?" stands for zero or more characters. D. When the whitelist is not empty and empty Referers are not allowed, only requests whose Referer is on the whitelist are accepted and all others are rejected. Answer: A, B, D. C is wrong: "*" stands for zero or more characters, while "?" stands for exactly one character.
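The rules in items 33 to 35 and 40 above combine into one decision procedure, shown here as an added Python example written for these notes rather than OSS code. The whitelist and the requests are constructed, and the choice to compare each pattern against the Referer's scheme and host is an assumption of this example, since the page does not say exactly how OSS matches a pattern against a full Referer URL.

```python
import re
from urllib.parse import urlsplit


def _pattern_to_regex(pattern):
    """'*' matches zero or more characters, '?' matches exactly one; everything else is literal."""
    out = ""
    for ch in pattern:
        out += ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
    return re.compile(f"^{out}$")


def check_hotlink(request, whitelist, allow_empty_referer):
    """Return (allowed, reason) for one request, given as a dict with a 'headers' dict.
    Anonymous requests and signed-URL requests are treated alike: both are checked.
    Matching is done against the Referer's scheme://host (an assumption of this example)."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if "authorization" in headers:
        return True, "Authorization header present: anti-hotlink check not triggered"
    if not whitelist:
        return True, "empty whitelist: Referer not checked"
    referer = headers.get("referer", "")
    if referer == "":
        if allow_empty_referer:
            return True, "empty Referer allowed"
        return False, "empty Referer rejected"
    parts = urlsplit(referer)
    origin = f"{parts.scheme}://{parts.netloc}"
    for pattern in whitelist:
        if _pattern_to_regex(pattern).match(origin):
            return True, f"Referer matches {pattern}"
    return False, "Referer not in whitelist"


WHITELIST = ["*.example.com", "https://cdn?.example.net"]   # constructed rules


def demo():
    requests = [                                                # constructed requests
        {"headers": {"Referer": "https://www.example.com/gallery"}},
        {"headers": {"Referer": "https://evil.example.org/"}},
        {"headers": {}},                                        # no Referer at all
        {"headers": {"Authorization": "OSS AccessKeyId:signature"}},
        {"headers": {"Referer": "https://cdn1.example.net/"}},  # '?' matches one character
        {"headers": {"Referer": "https://cdn12.example.net/"}}, # two characters: no match
    ]
    return [check_hotlink(r, WHITELIST, allow_empty_referer=False)[0] for r in requests]


if __name__ == "__main__":
    print(demo())
```

Two things the code makes visible that the exam text only states: an empty whitelist disables the check entirely, so a "temporarily cleared" whitelist is an open Bucket; and the Referer is supplied by the client, so this is a deterrent against casual embedding, not an authentication mechanism (see STS and signed URLs for that).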
  41. Exam vocabulary cues: when the words static, file, video or picture appear, the answer is OSS; when dynamic, transactional, interactive data or file-owner information appears, the answer is RDS.
  42. Exercise: Channel question (multiple choice): which statements about the OSS image processing API's Channel are correct? A. Each Channel supports up to 2 PB of storage. B. A user can create up to 10 Channels. C. There is no limit on the number and total size of Objects stored in a Channel. D. The IMG name is globally unique within the image processing service and cannot be modified. Answer: B, C, D.
  43. Exercise: a video-on-demand website or app usually covers the whole chain of video upload, storage, transcoding, distribution and playback. Upload and storage use OSS; transcoding uses the short-video SDK plus media processing; distribution uses CDN; playback uses the Alibaba Cloud player products.

7. RDS database

  1. RDS specifications: shared specification (entry level), general specification (entry level), dedicated specification (enterprise level), and dedicated host specification (exclusive physical machine).
  2. Database migration to the cloud: a database can be migrated with DTS; during the migration, data written to the on-premises database in real time is also synchronized to the cloud database.
  3. Data backtracking (point-in-time recovery): requires a primary/secondary architecture, creating a temporary instance and performing a clone operation.
  4. Data warehouse versus database: 1. Database: ① the data structures of a business database are designed to complete transactions, not to make queries and analysis convenient; ② most business databases are optimized for mixed reads and writes (viewing product information is a read, generating an order and completing payment are writes), so they support large read-only analytical queries (metrics, complex reports) poorly. 2. Data warehouse: ① data structures designed for analysis and querying; ② a read-optimized store: it need not write quickly, as long as complex queries over large volumes of data are fast enough.
  5. Database types: relational database management systems (RDBMS); NoSQL (not only SQL); OLAP (analytical engines for big data).
  6. Exam question, true or false: Alibaba Cloud's cloud database is perfectly compatible with Oracle's PL/SQL, data types, advanced functions and data dictionaries.
    Answer: false. The help documentation naturally emphasizes compatibility, but it is not complete; a number of Oracle features remain incompatible.
  7. Exam question: the database audit service is a professional, proactive, real-time audit product that monitors database security. It can audit _______ and other products on the Alibaba Cloud platform. Answer: RDS / NoSQL / MaxCompute.

8. CDN content distribution network

  1. CDN infrastructure:
    1. LVS for layer-4 load balancing: ① DR mode ② two LVS instances in active-active mutual backup ③ wrr (weighted round robin) scheduling algorithm
    2. Tengine for layer-7 load balancing: ① active health checks ② SPDY v3 support
    3. Swift for HTTP caching: high-performance cache; disk (SSD/SATA)
  2. What is CDN? CDN stands for Content Delivery Network. It is a virtual distributed network built on top of the carrier network that intelligently caches the origin site's content (both dynamic and static resources) on node servers around the world, so that users fetch content from a nearby node, access is faster and the load on the origin site is reduced.
  3. Beyond CDN: besides CDN there are two related products, full-site acceleration and security acceleration (SCDN). Full-site acceleration is an independent Alibaba Cloud product used mainly to accelerate dynamic pages and to separate dynamic from static content; it suits sites with a lot of dynamic content or a mix of dynamic and static content, especially sites with many requests for dynamic resources such as asp, jsp and php files. Security acceleration suits finance, government and enterprise, gaming and e-commerce customers who need acceleration and protection at the same time, against DDoS, CC attacks, crawlers and tampering.
  4. Cloud products paired with CDN: ECS, OSS, SLB, video live streaming, video on demand, cloud DNS resolution and others.
  5. CDN billing: ① basic service: by traffic or by peak bandwidth; ② value-added services: number of HTTP and HTTPS requests, number of QUIC requests, real-time log entries, image pornography detection and full-site acceleration.
  6. CDN network attributes: CDN is entirely a public-network product, so every connection between CDN and any cloud product goes over the public network and incurs fees. Even when the CDN node and the cloud product are in the same region, data that has to reach the CDN network passes through the public network.
  7. Question on CDN network attributes, true or false: between CDN and ECS instances in the same region, back-to-origin traffic is not charged. Answer: false.
  8. CDN business types: ① "Image and small file acceleration": portals, news, e-commerce, image or gaming sites whose content is mainly images and small files (images, html, css, js). ② "Large file download": client downloads, app stores and the like, where a single file is larger than 20 MB and may reach GB scale. ③ "Video on demand" and "Live streaming media": sites or apps whose business is mainly content distribution or comprehensive video distribution.
  9. Alibaba Cloud CDN advantages: ① 2,800+ nodes worldwide: 2,300+ in mainland China covering 31 provincial-level regions, many of them in provincial capitals and other first-tier cities, and 500+ overseas and in Hong Kong, Macao and Taiwan, covering more than 70 countries and regions. ② Every node is connected with 10G network cards; a single node has 40 TB to 1.5 PB of storage and a bandwidth load of 40 Gbps to 200 Gbps, with a total bandwidth reserve of 130 Tbps. ③ The wide deployment of high-performance nodes significantly improves transmission efficiency and responds better to sudden events. ④ Proven at the Double 11 traffic peak: with nationwide nodes, intelligent elastic scheduling and security protection it sustains QPS peaks above 100 million, letting hundreds of millions of buyers browse HD images and video and place orders smoothly.
  10. CDN cache nodes: cache nodes are divided into L1 and L2. L1 nodes sit in provinces and cities across the country; L2 nodes sit above them as regional nodes. When an L1 node holds the requested resource it returns it to the client directly. When it does not, it asks the L2 node; if the L2 node has it, the resource is synchronized to the L1 node and returned to the user, and if the L2 node does not have it either, the request goes back to the customer's origin site and the fetched resource is cached according to the configured caching policy.

11. CDN working principle:

① An end user (in Beijing) requests a resource under www.a.com and first sends a domain name resolution request to the local DNS (LDNS).
② LDNS checks its cache for an IP address record of www.a.com. If there is one it returns it to the end user directly; otherwise it queries the authoritative DNS.
③ The authoritative DNS for www.a.com returns a CNAME record pointing the domain to the CDN domain www.a.tbcdn.com.
④ The resolution request for that CNAME domain is sent to the Alibaba Cloud CDN DNS scheduling system, which assigns the best node IP address to the request.
⑤ LDNS obtains the resolved IP address returned by the scheduling DNS.
⑥ The user obtains the resolved IP address.
⑦ The user sends the access request for the resource to the obtained IP address.
12. CDN usage scenarios: static content acceleration, dynamic content acceleration and security acceleration. Alibaba Cloud CDN itself is only for static content acceleration; dynamic content acceleration needs Alibaba Cloud full-site acceleration, and security acceleration needs Alibaba Cloud Security Acceleration (SCDN).
13. CDN usage restrictions: ① Whether a domain name connected to Alibaba Cloud CDN needs an ICP filing depends on the acceleration region: if the acceleration region chosen when adding the domain is global or mainland China only, the domain must have a filing. ② Every domain connected to CDN undergoes a content review. Domains that Alibaba Cloud CDN currently refuses include: domains that cannot be accessed normally or whose content has no substance; private game servers; Legend-style or card games; P2P finance websites; lottery websites.
14. Disabling CDN: when CDN is disabled, the data cached on CDN nodes stays there, so after CDN is re-enabled not everything has to be fetched from the origin again; while CDN is disabled, requests bypass the CDN and go straight to the origin site.
15. CDN access control: ① Referer anti-hotlinking: configure a blacklist or whitelist to filter requests; ② IP blacklist/whitelist: identify and filter visitors by IP address, restricting who can access CDN resources; ③ User-Agent blacklist/whitelist: identify and filter visitors by User-Agent; ④ URL authentication: protect site resources from being downloaded and stolen by illegal sites. In short, CDN access control can act on Referer, IP, User-Agent and URL (a common test point).
16. Referer blacklist: by configuring a Referer blacklist or whitelist you identify and filter visitors, restricting who can access resources on CDN cache nodes and improving CDN security. The anti-hotlinking function relies on the Referer mechanism of the HTTP protocol: the Referer reveals where a request came from, and access is decided on that basis.
17. URL authentication: URL authentication mainly protects site resources from being downloaded and misappropriated by illegal sites. Referer blacklists and whitelists solve part of the hotlinking problem, but because the Referer header is set by the client and can be forged, Referer-based protection cannot fully protect site resources. URL authentication, where a request is served only if it carries a valid signature computed with a secret the client does not know, protects origin resources more securely and effectively.
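Items 16 and 17 contrast a forgeable Referer header with a signed URL. The following Python is an added example written for these notes, not Alibaba Cloud's implementation: it is modelled on the CDN type-A layout as I understand it (auth_key=timestamp-rand-uid-md5hash, where the hash covers path-timestamp-rand-uid-key), but the private key, the URLs, the 1800-second validity window and the exact string layout are assumptions to be checked against the current CDN documentation.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit, urlunsplit

VALIDITY_SECONDS = 1800    # server-side window, constructed (the CDN-side "validity" setting)


def _digest(path, ts, rand, uid, private_key):
    # sstring layout follows the type-A scheme: URI-timestamp-rand-uid-PrivateKey
    return hashlib.md5(f"{path}-{ts}-{rand}-{uid}-{private_key}".encode()).hexdigest()


def sign_url(url, private_key, uid="0", rand="0", now=None):
    """Issuer side: timestamp is the issue time; the edge enforces the validity window."""
    ts = int(time.time() if now is None else now)
    parts = urlsplit(url)
    auth_key = f"{ts}-{rand}-{uid}-{_digest(parts.path, ts, rand, uid, private_key)}"
    query = f"{parts.query}&auth_key={auth_key}" if parts.query else f"auth_key={auth_key}"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))


def verify_url(url, private_key, now=None, validity=VALIDITY_SECONDS):
    """Edge side: returns (ok, reason). The Referer header is not consulted at all."""
    now = int(time.time() if now is None else now)
    parts = urlsplit(url)
    auth_key = parse_qs(parts.query).get("auth_key", [""])[0]
    fields = auth_key.split("-")
    if len(fields) != 4 or not fields[0].isdigit():
        return False, "missing or malformed auth_key"
    ts, rand, uid, digest = int(fields[0]), fields[1], fields[2], fields[3]
    if now > ts + validity:
        return False, "signature expired"
    expected = _digest(parts.path, ts, rand, uid, private_key)
    if not hmac.compare_digest(expected, digest):    # constant-time comparison
        return False, "bad signature"
    return True, "ok"


PRIVATE_KEY = "constructed-private-key"   # never leaves the issuer and the CDN configuration


def demo(now=1_700_000_000):
    signed = sign_url("https://cdn.example.com/video/ep1.mp4", PRIVATE_KEY, rand="a1b2", now=now)
    tampered = signed.replace("ep1.mp4", "ep2.mp4")            # same auth_key, different path
    return [
        verify_url(signed, PRIVATE_KEY, now=now + 100),         # fresh and intact
        verify_url(signed, PRIVATE_KEY, now=now + 1900),        # past the 1800 s window
        verify_url(tampered, PRIVATE_KEY, now=now + 100),       # path changed: hash mismatch
        verify_url(signed, "wrong-key", now=now + 100),         # edge configured with another key
        verify_url("https://cdn.example.com/video/ep1.mp4", PRIVATE_KEY, now=now + 100),
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two practitioner notes: `rand` should be a fresh random value per issued URL, otherwise two URLs for the same path and second are identical; and a signed URL is still a bearer token for its validity window, so keep the window as short as the player or downloader tolerates.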
18. URL authentication, Referer and IP blacklist: ① when a question mentions illegal downloading for profit, choose URL authentication and Referer, with URL authentication being the stronger of the two; ② when a fixed IP address is hotlinking, use the IP blacklist.
19. OSS/ECS permissions versus CDN permissions: once CDN is enabled, anti-hotlinking or IP blacklists configured on OSS/ECS protect only the origin; the copies cached on CDN nodes can still be downloaded and stolen. So after enabling CDN, configure CDN access control first, cutting off the resources at the layer the user actually reaches.
20. CDN resource optimization functions: ① page optimization: compresses the page and removes useless blank lines, carriage returns and similar, effectively reducing page size; ② intelligent compression: compresses many content formats, effectively reducing the amount of data transmitted; ③ parameter filtering: after receiving a request, decides whether the URL's query parameters are kept when the request is sent back to the origin.
21. Accelerated domain name: the domain name you want to accelerate through CDN. A domain name is the address of a group of servers and may serve a website, mail, FTP and so on; in the Alibaba Cloud CDN documentation "accelerated domain name" simply means such a domain. Each accelerated domain name is limited to 10 IP origin sites by default.
22. Refresh and prefetch (preheating): ① Refresh: after a URL refresh or directory refresh request is submitted, the cached content on CDN nodes is forcibly expired; the next request for the resource makes the CDN fetch it from the origin site, return it and cache it again. Refreshing lowers the cache hit rate. ② Prefetch: after a URL prefetch request is submitted, the corresponding resource is actively pulled from the origin and cached on CDN nodes, so the first user request is served from the node cache without going back to the origin. Prefetching raises the cache hit rate. Refresh comes in three forms: ① directory refresh, ② URL refresh, ③ regular-expression refresh; prefetch is offered only by URL.
23. Prefetch scenarios: prefetch popular resources before a business peak, or prefetch accelerated domains with low traffic, to improve the cache hit rate.
24. CDN refresh question: which statement about updating cached data in Alibaba Cloud CDN is wrong? A. Cache refresh forcibly marks resources cached on distribution nodes as expired; when a user requests the resource again, the node fetches it from the origin and caches the updated copy. B. When content under the domain is updated, you can submit a refresh request from the console or through the API to refresh actively. C. When content is updated, if you do not refresh actively you can only wait for the cached file to expire before the latest file is pulled from the origin. D. Alibaba Cloud CDN supports real-time updates: with the right configuration, users get automatic refresh without submitting a request. Answer: D. CDN refresh is always active; automatic refresh cannot be configured. The point of the help documentation is that CDN does not refresh cached content on its own: a refresh happens only when you submit a request.
25. P2P node: a Peer-to-Peer network node is the user-shared-bandwidth acceleration model common in the CDN industry. Users share the idle uplink bandwidth of their home connection through personal computers, routers and other devices and become micro CDN distribution nodes, letting other customers get nearby acceleration for downloads, live streaming, games and similar scenarios.
26. P2P node role: CDN plus P2P multi-node scheduling. A single request can be served by CDN and several P2P sources at the same time, improving service availability through resource redundancy.
27. PCDN: a P2P Content Delivery Network (P2P CDN, PCDN) is a low-cost, high-quality content delivery service built on P2P technology by harvesting the massive fragmented idle resources at the edge of carrier networks. Customers integrate the PCDN SDK and obtain delivery quality equal to (or slightly better than) CDN at significantly lower cost. PCDN suits video on demand, live streaming and large file downloads. Initially the service is only offered to customers above 50 Gbps.
28. Channel service (PCDN): records which files exist and which endpoints hold them, and returns the nearest endpoint addresses for downloading.
29. Origin site: the server that actually runs your business. The origin type can be an OSS domain name, an IP address, an origin domain name or a Function Compute domain name.
30. Back-to-origin: when a CDN node does not have the requested resource cached, or the cached copy has expired, it fetches the resource from the origin site and returns it to the client. For example, when you access a URL and the CDN node it resolves to has no cached copy, your request is forwarded to the origin site, which returns the resource for that URL.
31. Back-to-origin rate: measured in two ways, by request count and by traffic. ① Back-to-origin request ratio: the share of all edge-node requests that had no cache, an expired (cacheable) cache, or were uncacheable; lower is better. ② Back-to-origin traffic ratio: back-to-origin traffic is the traffic generated by the size of the fetched files plus the requests themselves, so the ratio = back-to-origin traffic / (back-to-origin traffic + traffic delivered to users); lower is better.
32. Back-to-origin HOST in CDN: the back-to-origin HOST is the site domain name that the CDN node presents to the origin (the Host header) when fetching content. When one origin serves several services, the HOST carried in the back-to-origin request distinguishes them.
33. The difference between CDN-origin site and return-to-origin HOST: ①Origin site: The origin site determines the specific IP address requested when returning to the origin. ②Back-to-origin HOST: The back-to-origin HOST determines the specific site on the IP address that the back-to-origin request accesses.
34. Back-to-origin HOST application: ① The origin site is www.a.com, and the back-to-origin HOST is www.b.com. Then the actual back-to-origin request is to resolve to www.b.com, that is, the site www on the corresponding host. a.com ②The origin site is 1.1.1.1, and the return HOST is www.b.com. Then the actual return source is the site on the host 1.1.1.1 corresponding to www.b.com. In a word, the actual address of the return source is the address of the HOST.
35. Cache hit rate: refers to the ratio of the number of times that the node has cached the data to be accessed to the total number of accesses when an end user accesses an acceleration node. The higher the cache hit rate, the better the performance.
36. Separation of activity and static: An e-commerce platform includes many online systems and links, such as user registration, login, product browsing, shopping settlement, etc. Due to the mix of dynamic and static resources on the site, unstable access to the network across operators, and network congestion caused by sudden traffic, problems such as online payment, second bar, slow response time during promotions, and unstable service often occur. If you were an Alibaba Cloud product manager, would you recommend users to activate Alibaba Cloud services to solve the problem? Choose CDN acceleration because one of the keywords is confusion of dynamic and static resources, which is the benchmark function of CDN to solve the separation of dynamic and static resources.
37. CNAME: CNAME stands for canonical name. A CNAME record lets several names map to the same host, typically one that offers both WWW and MAIL service. For example, a computer named "r0WSPFSx58" has an A record and provides both WWW and MAIL; to make access convenient, two aliases (CNAMEs), WWW and MAIL, can point at it. The same method applies when several domain names must point at one server IP: create an A record for one domain name pointing at the IP, and make the other domain names CNAMEs to that A-record domain name. When the server IP later changes, you change only the A record; every aliased domain name follows automatically (all of this is configured at the DNS provider).
38. CNAME usage: when you connect to CDN and add an acceleration domain name in the Alibaba Cloud console, CDN assigns you a CNAME domain name of the form *.kunlun.com. At your DNS provider, add a CNAME record pointing the acceleration domain name at that *.kunlun.com name. Once the record takes effect, resolution of the domain name is handed over to the CDN service and all requests for it are steered to CDN nodes, producing the acceleration effect.
39. SSL: SSL (Secure Sockets Layer) is a security layer built on top of TCP that helps Internet applications protect the integrity and confidentiality of data in transit. After standardization it was renamed TLS (Transport Layer Security), so many documents write the two together as SSL/TLS. The SSL protocol versions themselves are deprecated; current deployments use TLS 1.2 or 1.3.
40. CDN HTTPS acceleration: enabling HTTPS in the Alibaba Cloud CDN console encrypts requests between the client and the CDN node. The protocol the CDN node uses to fetch from the origin follows the origin's configuration, so it is recommended that the origin also configure and enable HTTPS to obtain full-link encryption. If only the CDN side enables HTTPS and the origin does not, the client-to-CDN leg is encrypted but the CDN-to-origin leg is not, so full-link HTTPS is not achieved.
41. HTTPS certificate format: both CDN and SLB accept only PEM-format certificate files; a certificate in another format (for example PFX or DER) must be converted to PEM before upload.
42. Common website performance metrics: ① PV (page view) is the number of times a page is viewed; each time a web page is opened the site's PV increases by one. ② TPS is transactions per second; a DML operation, for example, increases TPS. ③ QPS is queries per second; a SELECT, for example, increases QPS.
43. Blank page after CDN acceleration. Solution: ① open the origin site in Chrome, press F12 to open the developer tools, click Network and check whether Content-Length is 0; ② if it is 0, check whether the origin returns a Transfer-Encoding: chunked header. CDN does not support this header; remove it so that the origin returns a fixed Content-Length (memorize this).
44. Practice: the Alibaba Cloud CDN team recently found abnormal business access on some domain names, causing bandwidth bursts and high bills. Solution: ① Analysis: the domain name may be under attack or its traffic stolen, producing sudden high bandwidth or traffic and a bill above daily consumption. ② Measures: to keep the service running and avoid high bills, enable the protection function (CDN has WAF protection) or manage traffic accordingly (advanced settings provide a bandwidth peak cap). ③ Measures: if the business is at risk of attack, activate SCDN, which has stronger overall security protection.
45. Side question: Which domain names can be added in CDN domain name management? Answer: Function Compute domain name, OSS domain name, IP address, origin site domain name.
46. Side question: What are CDN's data service-level indicators? Answer: data persistence, data reliability, data portability, data privacy, data right to know, data auditability.
47. Error-prone question: Company B wants to build a pure web network disk on Alibaba Cloud to store and share internal files for its 3,000 employees. Employees must upload and download files online and view file lists; employees can be authorized to share viewing and downloading; storage capacity is 10 TB. Which Alibaba Cloud products should Company B choose to keep the network disk scalable? Answer: the web application runs on ECS; file upload and storage use OSS; employee information, download links and file metadata are dynamic data best handled by RDS. Since only employees of one company are involved and users are not geographically distributed, CDN, whose strengths are regional distribution and fast access, does not apply here.
48. Error-prone question: neither refresh nor warm-up offers a whole-site option. Yet an exam question (possibly not a real one) asks: How many methods does Alibaba Cloud CDN provide to refresh the cache? (3 correct answers) Options: A. Whole-site refresh B. Directory refresh C. URL refresh D. URL warm-up. The proposition is unclear: if limited to refresh, only B and C qualify, since D is warm-up, not refresh. Setting the proposition aside, neither the Alibaba Cloud help documentation nor the CDN console offers whole-site refresh, so of the two errors (bad proposition, bad option) the option error weighs more, leaving B, C and D. I strongly suspect this question is wrong.
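Items 33 and 34 say the origin decides the address and the back-to-origin HOST decides the site. The following added example (not from the original notes or from Alibaba Cloud) makes that concrete with a constructed origin: one loopback listener serving two virtual hosts, and a client that always connects to the same IP but varies the Host header. The site names www.a.com and www.b.com are the ones used in item 34; the port is chosen by the OS.

```python
"""Origin IP versus back-to-origin HOST, demonstrated with a local virtual-host origin."""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed origin content: one host (one IP) serving two sites, selected by Host header.
SITES = {
    "www.a.com": b"site www.a.com",
    "www.b.com": b"site www.b.com",
}


class VirtualHostHandler(BaseHTTPRequestHandler):
    """Dispatches on the Host header, as a shared origin does for several services."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0].lower()
        body = SITES.get(host)
        if body is None:
            self.send_response(404)
            body = b"no such site on this host"
        else:
            self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_origin(ip="127.0.0.1"):
    """Start the constructed origin on an ephemeral port; returns (server, port)."""
    server = ThreadingHTTPServer((ip, 0), VirtualHostHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def back_to_origin(origin_ip, port, back_to_origin_host, path="/"):
    """Connect to the origin's IP (origin site) but present back_to_origin_host as Host.

    Returns (status, body). The address never changes; only the Host header does.
    """
    conn = HTTPConnection(origin_ip, port, timeout=5)
    conn.request("GET", path, headers={"Host": back_to_origin_host})
    resp = conn.getresponse()
    status, body = resp.status, resp.read().decode()
    conn.close()
    return status, body


if __name__ == "__main__":
    server, port = start_origin()
    try:
        for host in ("www.a.com", "www.b.com", "www.c.com"):
            print(host, "->", back_to_origin("127.0.0.1", port, host))
    finally:
        server.shutdown()
```

The same IP answers with a different site for each Host value, and a HOST the origin does not know yields a 404: exactly the misconfiguration you see when the back-to-origin HOST in the CDN console does not match any site configured on the origin.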
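Item 43 tells you to look for Content-Length: 0 together with Transfer-Encoding: chunked on the origin. The added example below (mine, not part of the original notes) parses a raw HTTP response, reports which of the two conditions applies, and rewrites a chunked response into one with a fixed Content-Length, which is what the origin must send before CDN can serve it. The sample response is constructed inline; chunk extensions and trailers are dropped.

```python
"""Diagnose a chunked origin response (item 43) and rewrite it with Content-Length."""


def split_head(raw: bytes):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def is_chunked(headers):
    return any(n == b"transfer-encoding" and b"chunked" in v.lower() for n, v in headers)


def content_length(headers):
    for n, v in headers:
        if n == b"content-length":
            return int(v)
    return None


def dechunk(body: bytes) -> bytes:
    """Decode a chunked body: hex size line, data, CRLF, ... , 0-size last chunk."""
    out = bytearray()
    pos = 0
    while True:
        line_end = body.index(b"\r\n", pos)
        size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            break  # last chunk; any trailer headers after it are discarded
        out += body[pos:pos + size]
        pos += size + 2  # skip the chunk data and its trailing CRLF
    return bytes(out)


def diagnose(raw: bytes) -> str:
    """Return 'chunked', 'empty' (Content-Length: 0) or 'ok' for a raw response."""
    _, headers, _ = split_head(raw)
    if is_chunked(headers):
        return "chunked"
    if content_length(headers) == 0:
        return "empty"
    return "ok"


def rewrite_for_cdn(raw: bytes) -> bytes:
    """Replace Transfer-Encoding: chunked with an accurate Content-Length."""
    status_line, headers, body = split_head(raw)
    if not is_chunked(headers):
        return raw
    plain = dechunk(body)
    kept = [(n, v) for n, v in headers if n not in (b"transfer-encoding", b"content-length")]
    kept.append((b"content-length", str(len(plain)).encode()))
    head = b"\r\n".join([status_line] + [n.title() + b": " + v for n, v in kept])
    return head + b"\r\n\r\n" + plain


# Constructed sample: what a chunked origin response looks like on the wire.
SAMPLE_CHUNKED = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\n<html\r\n6\r\n>hello\r\n7\r\n</html>\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print(diagnose(SAMPLE_CHUNKED))
    print(rewrite_for_cdn(SAMPLE_CHUNKED).decode())
```

In practice you would fix this at the origin (disable chunked output in the application or web server) rather than in a proxy, but the rewrite shows why the header is removable: once the full body is known, its length can be stated up front.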

9. DNS resolution

  1. Alibaba Cloud DNS (云解析 DNS): a secure, fast, stable and scalable authoritative DNS service. It helps enterprises and developers translate easy-to-manage, recognizable domain names into the numeric IP addresses computers use to communicate, thereby routing user requests to the corresponding website or application server.
  2. DNS record types: Alibaba Cloud DNS supports A, CNAME, MX, TXT, SRV, AAAA, NS and CAA records. ① A record: IPv4 record, maps a domain name to an IPv4 address; ② AAAA record: IPv6 record, maps a domain name to an IPv6 address; ③ CNAME: alias record, points a domain name at another domain name; ④ MX: mail exchange record, points a domain name at a mail server address.
  3. Common DNS terms:
    ① TTL: Time To Live. This value tells the local DNS server how long, at most, it may cache the resolution result. When the cache time expires, the local DNS server drops the cached record; if a user then requests the domain name, the recursive/iterative query is performed again.
    ② URL forwarding: Alibaba Cloud DNS supports explicit and implicit URL forwarding, which sends users who access the current domain name to another address specified by the customer.
    ③ Request volume statistics: Alibaba Cloud DNS provides summaries of resolution request data for a domain name or subdomain, with report download.
    ④ Secondary DNS: Alibaba Cloud DNS can be configured as a secondary DNS; when the customer updates records on the primary DNS, the corresponding records in Alibaba Cloud DNS are updated automatically by zone transfer.
    ⑤ Global Traffic Manager (GTM): provides nearest-node access to application services and high-concurrency load balancing, and can switch traffic based on health checks, so that same-city multi-active and remote disaster recovery setups can be built quickly and flexibly.
  4. Alibaba Cloud DNS applications: ① Website hosting: use an A record to point the website domain name at the web server's address so that users can open the site. ② High-traffic services: when several servers serve the same business, weighted round-robin resolution distributes traffic among them to spread the load. ③ Cross-carrier and cross-region access: when users are spread across carriers or regions, intelligent resolution returns results appropriate to each user's location or network. ④ CDN acceleration: point a CNAME record at the alias provided by the CDN provider to improve page response and download speed.
  5. DNS server hierarchy: root DNS servers, top-level domain (TLD) servers, authoritative name servers, and local (recursive) DNS servers.
  6. Domain name hierarchy: top-level domain (com) - main domain (aliyun.com) - subdomain / second-level domain (example.aliyun.com) - third-level domain (www.example.aliyun.com).
  7. Recursive query: on receiving a user's request, the DNS server must return a definitive answer. If it does not hold the record locally, it queries other servers on the user's behalf and hands the final result back to the user.
  8. Iterative query: on receiving a user's request, the DNS server does not answer directly but refers the user to another DNS server; the user then queries that server, and so on, until the answer is returned.
  9. DNS cache: stores resolution data close to the requesting client. DNS data can be cached at any point; the aim is to shorten the recursive query process so users get answers faster.
  10. Intelligent resolution: traditional DNS does not consider where the visitor comes from and returns one of the configured IP addresses at random. Intelligent DNS resolution identifies the visitor's source and returns a different IP address for each kind of visitor, so that visitors reach the address the user intended, which reduces resolution delay and speeds up site access.
  11. Intelligent resolution example: the domain name www.dns-example.com has three servers, on Unicom, Mobile and Telecom IPs respectively. ① Traditional DNS does not identify the visitor's source: it returns all three addresses 1.1.1.1, 2.2.2.2 and 3.3.3.3 to the visitor's LocalDNS, which picks one at random or by preference and returns it to the visitor, possibly causing cross-carrier access. ② Alibaba Cloud DNS identifies the source: Mobile visitors get 2.2.2.2, Telecom visitors get 3.3.3.3, and all other visitors get 1.1.1.1.
  12. How intelligent resolution works: Alibaba Cloud DNS identifies the visitor's source from the egress IP of the visitor's LocalDNS. Caveat: a visitor using a public recursive resolver rather than the carrier's LocalDNS is located by the resolver's address, not their own, so the line chosen may not match the visitor's actual network.
  13. Intelligent resolution for search-engine crawlers: ① crawler visits consume server traffic and bandwidth; pointing the search-engine line at a dedicated server address controls the crawl path. ② To take a site offline temporarily while protecting SEO indexing and ranking, configure a dedicated address on the search-engine line so that crawlers can still fetch the site normally while it is closed to others, reducing the impact on SEO results and ranking.
  14. DNS round robin: SLB instances created in multiple regions can be coordinated through DNS to form a highly reliable region-level disaster recovery setup.
  15. DNS monitoring: nodes across the country simulate users issuing DNS queries for the domain name every 5 minutes, monitoring the availability and query response time of the local carrier's DNS.
  16. DNS monitoring restrictions: ① subdomains added to DNS monitoring may only be A or CNAME records; ② only domain names whose DNS is hosted on Alibaba Cloud DNS are supported; ③ wildcard domain names cannot be added to monitoring.
  17. Secondary DNS: a disaster recovery backup service offered by Alibaba Cloud DNS to users of self-built or third-party DNS. When secondary DNS is enabled for a domain name, the DNS currently in use is the primary and Alibaba Cloud DNS becomes the secondary; zone transfer between primary and secondary follows the RFC standard protocols. If the primary DNS fails or its service is interrupted, the secondary DNS keeps serving resolution, so your business keeps running stably worldwide. Secondary DNS is available to Alibaba Cloud DNS Enterprise Ultimate Edition users.
  18. Alibaba Cloud DNS logs: two kinds of log query are offered, the operation log and the resolution log.
  19. Alibaba Cloud DNS operation log: in the console, the domain name list shows domain management operations: operation time, domain name and action. Actions include adding domain names, deleting domain names and retrieving domain names.
  20. Alibaba Cloud DNS resolution log: in the console you can view the operation log of resolution records: operation time, action and operator IP. Actions include adding, deleting and modifying resolution records.
  21. HTTPDNS: designed to solve the problem of Internet applications failing to reach websites or services because the local DNS tampers with (hijacks) resolution results; the application queries the DNS service over HTTP instead of relying on the carrier's LocalDNS.
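Items 4④ and 37 of the CDN section describe CNAME aliases that follow an A record, and items 10 to 12 above describe line-based intelligent resolution keyed on the LocalDNS egress IP. The added example below (my own, not from the original notes) is a toy authoritative resolver that does both over a constructed zone: it follows a CNAME chain with a hop limit, then picks the A record whose line matches the visitor's LocalDNS, falling back to the default line. The zone, the line prefix table and the 10.x/8.8.8.8 LocalDNS addresses are invented for the demo; the site name and the three server IPs are the ones from item 11.

```python
"""Toy authoritative resolver: CNAME following plus line-based (intelligent) resolution."""
import ipaddress

# Constructed line table: which carrier a LocalDNS egress IP belongs to (prefixes are invented).
LINES = {
    "mobile": [ipaddress.ip_network("10.1.0.0/16")],
    "telecom": [ipaddress.ip_network("10.2.0.0/16")],
}

# Constructed zone: name -> list of (type, line, value). Line "default" serves every other source.
ZONE = {
    "www.dns-example.com.": [
        ("A", "default", "1.1.1.1"),
        ("A", "mobile", "2.2.2.2"),
        ("A", "telecom", "3.3.3.3"),
    ],
    "cdn.dns-example.com.": [("CNAME", "default", "www.dns-example.com.")],
    "loop1.dns-example.com.": [("CNAME", "default", "loop2.dns-example.com.")],
    "loop2.dns-example.com.": [("CNAME", "default", "loop1.dns-example.com.")],
}


def fqdn(name: str) -> str:
    return name.lower() if name.endswith(".") else name.lower() + "."


def line_of(localdns_ip: str) -> str:
    """Classify the visitor by the egress IP of their LocalDNS (item 12)."""
    ip = ipaddress.ip_address(localdns_ip)
    for line, nets in LINES.items():
        if any(ip in net for net in nets):
            return line
    return "default"


def resolve_traditional(name: str):
    """Traditional DNS (item 11 ①): hand every A record to the LocalDNS."""
    return [v for t, _, v in ZONE.get(fqdn(name), []) if t == "A"]


def resolve(name: str, localdns_ip: str, max_cname: int = 8):
    """Intelligent resolution (item 11 ②).

    Returns (cname_chain, answers). Follows CNAMEs up to max_cname hops, then
    returns the A records on the visitor's line, or the default line if none.
    """
    line = line_of(localdns_ip)
    chain = []
    name = fqdn(name)
    for _ in range(max_cname + 1):
        records = ZONE.get(name)
        if not records:
            return chain, []  # NXDOMAIN in the toy zone
        cnames = [v for t, _, v in records if t == "CNAME"]
        if cnames:
            chain.append(name)
            name = fqdn(cnames[0])
            continue
        on_line = [v for t, l, v in records if t == "A" and l == line]
        default = [v for t, l, v in records if t == "A" and l == "default"]
        return chain, on_line or default
    raise ValueError("CNAME chain too long or looped: " + " -> ".join(chain))


def update_a(name: str, line: str, new_ip: str) -> None:
    """Change one A record; every CNAME pointing at the name follows automatically (item 37)."""
    records = ZONE[fqdn(name)]
    for i, (t, l, _) in enumerate(records):
        if t == "A" and l == line:
            records[i] = (t, l, new_ip)
            return
    records.append(("A", line, new_ip))


if __name__ == "__main__":
    print(resolve_traditional("www.dns-example.com"))
    for src in ("10.1.5.5", "10.2.9.9", "8.8.8.8"):
        print(src, line_of(src), resolve("cdn.dns-example.com", src))
```

The 8.8.8.8 case is the caveat from item 12: a visitor on the Mobile network who uses a public resolver is classified as "default" and gets 1.1.1.1, because the authoritative server only sees the resolver's address.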

10. DTS data migration

  1. Alibaba Cloud DTS (Data Transmission Service): a data migration tool supporting data exchange among RDBMS, NoSQL, OLAP and other data sources. DTS is widely used for database migration to the cloud, expansion of local databases to the cloud, database consolidation and database aggregation. For cloud migration, ① the migration is zero-downtime: the local database keeps serving normally during migration, and after it completes the business is switched directly from local to cloud RDS; ② DTS provides a migration rollback solution: if an exception occurs after the business is switched to the cloud database, the business can be switched back to the local database within seconds. For expansion of a local database to the cloud, DTS provides end-to-end real-time synchronization with millisecond-level latency; with the synchronization function you can implement remote disaster recovery, geo-redundant active-active deployments, real-time data warehouses and read/write splitting.
  2. DTS advantages: ① Rich and diverse: DTS supports migration between many homogeneous or heterogeneous data sources, such as Oracle to MySQL or Oracle to PPAS. For heterogeneous sources it converts structural object definitions, for example turning Oracle synonyms into the corresponding PPAS synonym definitions. ② High performance: real-time synchronization reduces concurrency granularity to the transaction level (a finer grain than the table, i.e. the record level) and can synchronize updates to the same table concurrently, greatly improving throughput. ③ Safe and reliable: DTS runs on a service cluster; if any node goes down or fails, the control center moves all of its tasks to other nodes within seconds, so link stability is high.
  3. Data migration: moves data between homogeneous or heterogeneous data sources. Suited to migration to the cloud, cross-instance migration within Alibaba Cloud, and database splitting and expansion.
  4. Data migration types: structure migration, full data migration and incremental data migration. ① Structure migration: DTS migrates the structure definitions of the selected objects (tables, views, triggers, stored procedures, etc.) from source to target, with support for heterogeneous databases. ② Full data migration: DTS migrates all existing data of the selected objects to the target. If a task is configured with only structure and full migration, data written to the source during the migration is not migrated. ③ Incremental data migration: DTS first takes a static snapshot of the source, migrates the snapshot to the target, and then replays the source's incremental changes to the target in real time. Because the incremental phase keeps synchronizing, the task does not end by itself and must be stopped manually.
  5. Data migration restrictions (MySQL as an example): ① do not perform DDL that changes database or table structure while the link is being created; ② incremental migration requires binlog to be enabled; ③ when the source is a self-built database, do not perform a primary/standby switch during migration; ④ the server hosting the database must have enough egress bandwidth and CPU.
  6. Data integration: an extension of data migration that periodically migrates structure and existing data from source to target according to a scheduling policy, helping you build a more flexible data warehouse (for example a T+1 periodic warehouse).
  7. Data synchronization: real-time synchronization between data sources. Suited to remote data relocation, remote disaster recovery, local disaster recovery, cross-border synchronization, query and report offloading, cloud BI and real-time data warehouses.
  8. Data synchronization features: ① synchronization objects can be selected at database, table or column granularity; ② objects can be added to or removed from a running synchronization job at any time; ③ a complete monitoring system provides alarms on job status and synchronization latency, with a user-defined latency threshold; ④ ETL features: three-level name mapping of database, table and column lets source and target objects with different names be synchronized, and data filtering lets you set SQL conditions on the tables to choose which rows are synchronized.
  9. Data synchronization restrictions: so that DTS can read the source's table information and connect to both ends, neither the source nor the target database may be undergoing an upgrade, specification change, network switch or cross-zone migration while a synchronization job is configured or modified; both must be in a normal running state.
  10. Data subscription (incremental data consumption): obtain real-time incremental data from self-built MySQL, RDS MySQL, PolarDB MySQL, DRDS and Oracle and consume it as the business requires. Suited to cache refresh, asynchronous business decoupling, real-time synchronization of heterogeneous data sources and complex real-time ETL.
  11. Data subscription types: subscription objects are selected at database or table granularity. DTS divides source incremental data into structure changes (DDL) and data changes (DML). ① DDL: subscribes to creation, deletion and modification of all objects in the whole instance; the subscription client must filter for what it needs. ② DML: subscribes to incremental updates of the selected objects, namely INSERT, DELETE and UPDATE.
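Item 4 describes the full-then-incremental sequence: snapshot, copy, then replay changes made while the copy ran. The added example below (my own toy, not DTS code) models a source with an append-only change log in the role of the binlog, records the log position at snapshot time, and replays only the entries after that position. A naive copy that forgets the position is shown alongside so the difference is visible. The table, rows and change sequence are constructed for the demo.

```python
"""Toy full + incremental migration with a log position captured at snapshot time."""
from copy import deepcopy


class Source:
    """A table plus an append-only change log (stand-in for the binlog in item 5 ②)."""

    def __init__(self):
        self.rows = {}   # primary key -> row dict
        self.log = []    # (op, key, full row or None), in commit order

    def insert(self, key, row):
        self.rows[key] = dict(row)
        self.log.append(("INSERT", key, dict(row)))

    def update(self, key, **changes):
        self.rows[key].update(changes)
        self.log.append(("UPDATE", key, dict(self.rows[key])))

    def delete(self, key):
        del self.rows[key]
        self.log.append(("DELETE", key, None))

    def snapshot(self):
        """Consistent snapshot plus the log position it corresponds to."""
        return deepcopy(self.rows), len(self.log)


def apply_change(target: dict, change) -> None:
    """Apply one log entry. INSERT/UPDATE are full-row upserts, so replays are idempotent."""
    op, key, row = change
    if op == "DELETE":
        target.pop(key, None)
    else:
        target[key] = dict(row)


def migrate_full_and_incremental(source: Source, target: dict, writes_during_copy=()):
    """Full migration from a snapshot, then replay of everything logged after the snapshot."""
    snap, pos = source.snapshot()
    for write in writes_during_copy:   # the business keeps writing: zero-downtime migration
        write(source)
    target.update(snap)                # full data migration
    for change in source.log[pos:]:    # incremental data migration
        apply_change(target, change)
    return pos, len(source.log)


def migrate_full_only(source: Source, target: dict, writes_during_copy=()):
    """Item 4 ②: structure + full only; writes during the copy never reach the target."""
    snap, _ = source.snapshot()
    for write in writes_during_copy:
        write(source)
    target.update(snap)


def in_sync(source: Source, target: dict) -> bool:
    return source.rows == target


def constructed_source() -> Source:
    src = Source()
    src.insert(1, {"name": "alice", "balance": 10})
    src.insert(2, {"name": "bob", "balance": 20})
    return src


# Writes that happen while the full copy is running (constructed).
WRITES_DURING_COPY = (
    lambda s: s.insert(3, {"name": "carol", "balance": 30}),
    lambda s: s.update(1, balance=15),
    lambda s: s.delete(2),
)

if __name__ == "__main__":
    src, tgt = constructed_source(), {}
    print(migrate_full_and_incremental(src, tgt, WRITES_DURING_COPY), in_sync(src, tgt))
    src, tgt = constructed_source(), {}
    migrate_full_only(src, tgt, WRITES_DURING_COPY)
    print(in_sync(src, tgt))
```

Recording the position before the snapshot is what makes the replay safe: a change logged after the position but already contained in the snapshot is simply re-applied as an upsert, which is why the toy writes full rows rather than deltas.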

11. Cloud security

  1. DDoS thresholds: Alibaba Cloud's DDoS protection lets you set cleaning thresholds for traffic to an ECS instance in the console: ① traffic (bandwidth) per second, ② packets per second, ③ HTTP requests per second. All are per-second thresholds.
  2. Anti-DDoS Basic features: ① BGP backbone line protection; ② precise protection; ③ no installation or maintenance required.
  3. Anti-DDoS Basic overview: Alibaba Cloud Cloud Shield provides cloud products with free protection against volumetric attacks up to 5 Gbit/s in total by default. So if the ECS or cloud product hosting a website suffers three 2G attacks, the 6G total already exceeds the free service.
  4. DDoS attack types include, but are not limited to: malformed packets; transport-layer floods (SYN Flood, ACK Flood, UDP Flood, ICMP Flood, RST Flood, etc.); web application DDoS; DNS DDoS; connection-type DDoS.
  5. Practice (exam question): Which attack types can Cloud Shield's DDoS protection defend against? (multiple choice) ACK, SYN, ICMP, UDP flood. Answer: all of them; they are all transport-layer DDoS attacks.
  6. DDoS high-defense (Anti-DDoS Pro): supports daily billing, provides accurate traffic tables and attack details, allows flexible adjustment of protection thresholds, and can be upgraded to higher protection at any time without interrupting the business.
  7. DDoS high-defense traffic diversion: two diversion methods, DNS and direct IP pointing, protect website domain names and business ports respectively.
  8. Scope of Anti-DDoS Basic and high-defense: Anti-DDoS Basic serves Alibaba Cloud products only, is free to activate and provides 5G of protection in total; DDoS high-defense, however, can protect both Alibaba Cloud and non-Alibaba Cloud hosts.
  9. Protection objects of DDoS protection: provided for ECS, SLB, EIP, NAT Gateway and VPC. Not provided for OSS or RDS.
  10. Traffic cleaning: once Anti-DDoS Basic is enabled, Cloud Shield monitors traffic into the ECS instance in real time. When it detects very large or abnormal traffic, including DDoS attacks, it redirects the suspicious traffic from its original network path to a scrubbing product without affecting normal business, identifies and strips the malicious traffic, and injects the remaining legitimate traffic back into the original path to be forwarded to the target ECS instance. This process is traffic cleaning.
  11. Traffic cleaning methods: filtering attack packets, rate-limiting traffic, rate-limiting packets, and so on.
  12. Alibaba Cloud security products that provide DDoS protection for ECS: Security Center, DDoS high-defense and Anti-DDoS Basic.
  13. Difference between Server Guard and Security Manager: ① Alibaba Cloud Server Guard is a host security hardening product proven stable on millions of hosts. It supports automated real-time intrusion detection (port checks, remote login alerts, password brute-force detection, webshell detection), virus scanning, intelligent vulnerability repair, one-click baseline checks, web page anti-tampering and more, and is a unified management platform for building a host security defense line. ② Alibaba Cloud Security Manager is a comprehensive security technology and consulting service delivered by Alibaba Cloud security experts, based on Alibaba Cloud's years of security best practice, that builds and continuously optimizes a cloud security defense system for customers and protects their business. It comes in three editions, Enterprise, Escort and Server Security, i.e. three service categories, including hands-on server hosting. In short, Server Guard is software and Security Manager is a human service.
  14. Server Guard test points: The question states that Server Guard provides password brute force cracking for WEB application systems, which is wrong.
  15. Cloud Security Center: The Cloud Security Center is a unified security management system that identifies, analyzes and warns security threats in real time. It provides security alerts, virus defense, vulnerability detection and other security capabilities through anti-ransomware, anti-virus, anti-tampering, compliance inspection and other security capabilities. Comprehensive security services such as repair, baseline inspection, asset fingerprinting, and attack analysis. Server Guard is the host version of Security Center and has the same functions. Simply put, it consists of four parts: system vulnerabilities, virus detection, account management, and asset management. Does not contain DDOS attacks.
  16. Cloud Security Center alarm method: Supports sending alarm notifications to you through SMS, email, site messages and DingTalk robots
  17. Cloud Security Center whitelist: In the Cloud Security Center, some legitimate programs and normal behaviors will be identified as security threats or alarm events. For this scenario, the Cloud Security Center provides a whitelist function. After it is turned on, the Cloud Security Center will no longer prompt This alert.
  18. To realize the functions of the Cloud Security Center, you need to install the Agent plug-in on the ECS that needs to provide protection functions (to manually install the agent in non-Alibaba Cloud products, you must run the Server Guard Agent plug-in installation program with administrator rights) before it can be accessed by the Security Center. Monitoring displays any vulnerabilities, alarms, and asset fingerprints of the asset. ECSs that do not install or uninstall the Agent will not be protected by the Security Center, but the Cloud Security Center does not provide unbinding ECS ​​services, so even after uninstalling the Agent, the ECS will appear offline in the server list of the Security Center.
  19. Installation of Cloud Security on a non-Alibaba Cloud host: After the user installs the Cloud Security Center (Server Knight) client on a non-Alibaba Cloud server (server other than Alibaba Cloud), the non-Alibaba Cloud server needs to enter the installation verification key to associate with your Alibaba Cloud account
  20. Situational awareness: Situational awareness includes abnormal login detection, website backdoor detection, website backdoor detection, abnormal process behavior, sensitive file tampering, abnormal network connections, Linux software vulnerabilities, Windows system vulnerabilities, Web-CMS vulnerabilities, emergency vulnerabilities, and Web vulnerabilities Scanning, host baseline, cloud product baseline, asset fingerprint, AK and account password leakage, large data screen, log retrieval, full log analysis.
  21. WAF: Web Application Firewall (WAF for short) provides one-stop security protection for website or App business. WAF can effectively identify the malicious characteristics of Web business traffic. After cleaning and filtering the traffic, it returns normal and safe traffic to the server, avoiding problems such as abnormal server performance caused by malicious intrusions into the website server, and ensuring the business security and data of the website. Safety.
  22. Cloud Firewall: Alibaba Cloud Cloud Firewall is the industry's first SaaS-based firewall for a cloud platform. It manages north-south and east-west traffic uniformly and provides traffic monitoring, precise access control, real-time intrusion prevention and other functions.
  23. Cloud Firewall control modules: ① North-south traffic control module: mainly used for access control from the Internet to hosts, supporting layer 4 to layer 7 access control; ② East-west traffic control module: mainly used to control traffic between hosts by means of security groups, achieving layer 4 access control.
  24. ActionTrail helps you monitor and record the activities of your Alibaba Cloud account, including access to and use of cloud products and services through the Alibaba Cloud console, OpenAPI and developer tools; all of it is tracked and recorded. You can create a trail that saves the operation logs to a designated storage space, so that the logs are kept permanently and can be used for behavior analysis, security analysis, resource change tracking, behavior compliance auditing and similar operations.
  25. Key Management Service (KMS) provides secure key hosting and cryptographic operations. KMS has built-in security practices such as key rotation and, through first-party integration, lets other cloud products encrypt and protect the user data they manage. With KMS you can focus on business functions such as data encryption and decryption and electronic signature verification without spending a lot of cost to ensure the confidentiality, integrity and availability of keys.
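The key-rotation practice mentioned above is easier to reason about with a concrete model. The following is an added example written for these notes, not KMS code and not its API: a local key ring in which only the newest key version encrypts, every retained version can still decrypt, and the version number travels in the ciphertext header. The `KeyRing` class, its method names and the stream cipher built from HMAC-SHA256 (a stand-in for the AES-GCM a real KMS would use) are all assumptions made to keep the example in the Python standard library.

```python
import hashlib
import hmac
import os
import struct


class KeyRing:
    """One logical key with numbered versions (assumed model, not the KMS API).

    Only the current version encrypts; every retained version can decrypt,
    and the version number is written into the ciphertext header so a
    decrypting party knows which version to use after a rotation.
    """

    def __init__(self):
        self._versions = {}   # version number -> 32 bytes of key material
        self._current = 0
        self.rotate()

    @property
    def current_version(self):
        return self._current

    def rotate(self):
        """Generate a new version and make it current; older versions stay."""
        self._current += 1
        self._versions[self._current] = os.urandom(32)
        return self._current

    def retire(self, version):
        """Drop a version: ciphertext still bound to it becomes undecryptable."""
        if version == self._current:
            raise ValueError("cannot retire the current version")
        del self._versions[version]

    @staticmethod
    def _subkeys(key):
        # Separate encryption and MAC keys derived from the version's material.
        enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        mac = hmac.new(key, b"mac", hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _keystream(enc_key, nonce, length):
        # Stand-in stream cipher: HMAC-SHA256 over nonce||counter. A real KMS
        # would use AES-GCM; this keeps the example to the standard library.
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def encrypt(self, plaintext):
        version = self._current
        enc_key, mac_key = self._subkeys(self._versions[version])
        nonce = os.urandom(16)
        header = struct.pack(">I", version) + nonce          # 4-byte version + 16-byte nonce
        stream = self._keystream(enc_key, nonce, len(plaintext))
        body = bytes(p ^ s for p, s in zip(plaintext, stream))
        tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()  # integrity tag
        return header + body + tag

    def decrypt(self, blob):
        version = struct.unpack(">I", blob[:4])[0]
        material = self._versions.get(version)
        if material is None:
            raise ValueError("key version %d is not available" % version)
        enc_key, mac_key = self._subkeys(material)
        header, body, tag = blob[:20], blob[20:-32], blob[-32:]
        expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("ciphertext failed integrity check")
        stream = self._keystream(enc_key, blob[4:20], len(body))
        return bytes(b ^ s for b, s in zip(body, stream))

    def reencrypt(self, blob):
        """Move a ciphertext to the current version (the step taken after rotation)."""
        return self.encrypt(self.decrypt(blob))

    @staticmethod
    def version_of(blob):
        return struct.unpack(">I", blob[:4])[0]


def rotation_demo():
    """Walk through rotate -> decrypt old -> re-encrypt -> retire the old version."""
    ring = KeyRing()
    old = ring.encrypt(b"customer record")
    ring.rotate()
    readable_after_rotation = ring.decrypt(old) == b"customer record"
    fresh = ring.reencrypt(old)
    ring.retire(1)
    try:
        ring.decrypt(old)
        old_after_retire = "decrypted"
    except ValueError:
        old_after_retire = "unreadable"
    return {
        "old_version": ring.version_of(old),
        "fresh_version": ring.version_of(fresh),
        "readable_after_rotation": readable_after_rotation,
        "old_after_retire": old_after_retire,
        "fresh_after_retire": ring.decrypt(fresh),
    }


if __name__ == "__main__":
    print(rotation_demo())
```

The point the demo makes is that rotation alone does not invalidate old ciphertext; data encrypted under a retired version must be re-encrypted before that version is removed, otherwise it is lost.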
  26. Encryption Service: the keys of the Cloud Shield Encryption Service must be authenticated through the identity card (USB key) method, because all key management depends on the identity card. If the user loses the identity card, Alibaba Cloud cannot recover it. The Encryption Service is similar to a bank USB shield: the user holds a physical encrypted identity card in the form of a USB flash drive.
  27. CA certificate: in electronic contracts, a CA certificate is used to confirm authenticity and identity. A CA is an authoritative, trusted third-party organization, the "certification authority". A CA certificate is a "document" issued by a CA to prove one's identity, much like an ID card or driver's license.
  28. RAM service: Resource Access Management (RAM) is a service provided by Alibaba Cloud for managing user identities and resource access permissions. RAM lets you create and manage multiple identities under one Alibaba Cloud account and assign different permissions to a single identity or a group of identities, so that different users have different resource access permissions, for example when assigning employee accounts and setting the access permissions of each account. RAM users can be granted usage permissions for the various cloud products.
  29. Prophet Plan: the Prophet Plan is a platform that helps enterprises set up a private emergency response center. After an enterprise joins the Prophet (security crowdsourced testing) platform, it can independently publish bounty plans that encourage the security experts on the Prophet platform to test its websites or business systems and submit the vulnerabilities they find.
  30. Purpose of the Prophet Plan: enterprises need a channel for collecting vulnerabilities. Through enterprise bounties, the Prophet Plan gathers real-name verified experts and provides enterprises with the vulnerability title and details, vulnerability level, vulnerability status and the identity of the submitter. Vulnerabilities are not disclosed without the consent and authorization of the enterprise. However, the Plan does not provide vulnerability patching methods; the enterprise is the party responsible for patching, and the Prophet Plan assists it in patching the vulnerabilities within its capabilities.
  31. Content safety: on the Internet, any content involving pornography, gambling or drugs, or that endangers national security or misleads the public, is illegal or non-compliant content. The state and the industry, however, generally do not speak of auditing content; instead they use a vague term, Internet content security. Alibaba Cloud Green Network is likewise a product that provides this so-called Internet content security.
  32. Resource usage of Content Security: Content Security is provided as an API service and does not occupy the CPU resources of the user's ECS.
  33. Risk identification: risk identification has many special-scenario products: ① Registration risk identification mainly targets the large numbers of fake users that appear in an enterprise's new-user acquisition, marketing and similar activities; ② Login risk identification mainly targets high-value assets (balances, bank cards, points, credit limits, etc.) to prevent hacker groups from stealing accounts by malicious means, causing financial loss and even safety issues for account owners. Alibaba Cloud builds a multi-dimensional identification strategy and model from geographic location, risk network, device environment, abnormal behavior and other signals, so that the risk of account theft can be identified quickly and accurately; ③ Marketing risk identification mainly targets the "wool harvesting" (bonus hunting) risk created when enterprises use subsidies, discounts and the like to acquire users. Alibaba Cloud risk identification combines big data and artificial intelligence with the many years of activity-fraud prevention and control experience of Taobao, Alipay and others, and can identify activity-fraud behavior and users effectively, quickly and accurately; ④ Device risk identification mainly targets malicious users who use emulators and multi-instance software in an enterprise's mobile App business scenarios; ⑤ Business risk intelligence mainly targets the problems caused to the platforms of Internet, financial and other enterprises by users who employ false information for malicious fraud, cheating, fake transactions and the like; ⑥ Email profiling mainly targets the batch registration, ticket fraud, wool harvesting and similar risks that arise when gray-market operators make extensive use of cheap, batch-generated mailboxes; ⑦ Address scoring mainly targets the waste of human resources and the risk of financial loss caused to e-commerce, logistics, banking and other companies by malicious users who use invalid addresses in large numbers.
  34. (Partial exam question) Ways to log in to the security large screen: ① Direct access: click Direct Access to enter the large-screen page; ② Login-free configuration: click Login-free configuration to create a login-free address for the large screen, so that you can open the security large screen page directly through that link without logging in to the Cloud Security Center console.
  35. Eye of Horus: Eye of Horus provides a visual interface showing a panorama of your cloud assets, the network topology and the security posture. It displays the security posture of your assets comprehensively from three dimensions: security score, security products and cloud products. Eye of Horus is not a sub-product of the security large screen; it is an independent product.
  36. Important common sense: password brute-force attacks mainly target the SSH and RDP (Remote Desktop) protocols.
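The defender's side of point 36 is recognising a brute-force attempt in the host's own logs, which is what Security Center's abnormal login detection does at scale. The following added example (written for these notes; not Security Center code) applies a sliding-window threshold to the `Failed password` lines that OpenSSH's sshd writes to the system auth log. The sample lines are constructed (TEST-NET addresses), and the threshold of 5 failures in 60 seconds is an assumed tuning value, not an Alibaba Cloud default.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the format sshd writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Mar 10 08:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar 10 08:00:03 web01 sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Mar 10 08:00:04 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar 10 08:00:06 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 10 08:00:07 web01 sshd[2209]: Failed password for invalid user oracle from 203.0.113.7 port 51242 ssh2
Mar 10 08:00:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51244 ssh2
Mar 10 08:05:00 web01 sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 08:05:12 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (unknown account names).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, user, source_ip) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # syslog timestamps carry no year; deltas within one file are still correct
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Return {source_ip: details} for sources with >= threshold failures in the window.

    threshold and window_seconds are assumed tuning values. The user set is
    kept because many different names from one source is the signature of a
    dictionary or spraying attempt rather than a user mistyping a password.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> account names that were tried
    alerts = {}
    for ts, user, ip in parse_failures(text):
        window = recent[ip]
        window.append(ts)
        users[ip].add(user)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in alerts:
            alerts[ip] = {
                "failures": len(window),
                "users": sorted(users[ip]),
                "first": window[0],
                "last": ts,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

A single failed login from a known user (the `198.51.100.9` lines) stays below the threshold, while the source cycling through `admin`, `test`, `root` and `oracle` trips it on the fifth attempt; the same structure applies to RDP by swapping in the Windows logon-failure event as the input.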
  37. Which Cloud Shield services are free: Cloud Security Center, Content Security and DDoS Basic Protection all provide free editions.
  38. Security products that can be used for non-Alibaba Cloud servers: DDoS Advanced Defense (not Basic Protection!), Cloud Security, Cloud Monitor, Server Guard and WAF.
  39. ISV responsibilities: the security of cloud computing services requires the joint participation of the cloud service provider (such as Alibaba Cloud), ISVs (Independent Software Vendors) and users; an omission by any party can create security risks. ISVs of cloud computing services need to (2 correct answers): A. develop a complete business process; B. develop good development and testing specifications and have a complete software delivery and acceptance process; C. have unified operating specifications when deploying cloud computing applications, with a traceable operation process; D. give different roles in the application system different permissions and prohibit the sharing of accounts and passwords.
    Answer: CD. Just remember it. What an ISV needs to provide for cloud security: ① unified operating specifications when deploying cloud computing applications, with a traceable process; ② different permissions for different roles in the application system, with account and password sharing prohibited.

12. Cloud monitoring

  1. Cloud Monitor products are provided for Alibaba Cloud hosts and for non-Alibaba Cloud hosts (install the Cloud Monitor plug-in): ① Cloud product monitoring: view the running status of specified resources and the usage of each indicator in the target cloud product, and set alarm rules for monitoring items; ② Host monitoring: monitor basic indicators of ECS such as CPU usage, memory usage and disk usage to ensure the host works normally; ③ Site monitoring: currently offers monitoring settings only for the HTTP (HTTPS), ICMP, TCP, UDP, DNS, SMTP, POP3 and FTP protocols; it probes the availability, response time and packet loss rate of your site so that you fully understand the site's availability and can handle abnormalities promptly.
  2. Cloud Monitor notification methods: currently the Cloud Monitor alarm service supports phone calls, text messages, Wangwang, email and DingTalk robots. Wangwang only supports alarm message push on the PC side. If you have installed the Alibaba Cloud App, you can also receive alarm notifications through it (this changes too quickly to keep up with, but it is something you need for the exam).
  3. Easily confused terms: situational awareness in Cloud Security Center refers to collecting security intelligence from a large number of front-end users and distributing newly appeared malicious IPs and the latest vulnerabilities to users across the whole network in time. In Cloud Monitor, site monitoring or custom monitoring with thresholds on access traffic, bandwidth and the like lets you learn of sudden traffic on your website in time.
  4. Monitoring indicators: fixed basic knowledge of hardware. Operating-system-level monitoring indicators include CPU usage, total memory, load average, disk I/O read/write, disk usage, number of TCP connections, total number of processes, etc. Note that memory usage is not part of operating-system-level monitoring.
  5. Viewing and downloading Cloud Monitor data: monitoring data can be viewed through the Cloud Monitor console and OpenAPI; currently Cloud Monitor data cannot be downloaded.
  6. Custom monitoring: users can monitor the business metrics they care about and report the collected monitoring data to Cloud Monitor, which organizes the data and sets alarms. There is no upper limit on the number of custom monitoring items, and by the nature of the product, custom monitoring can serve non-Alibaba Cloud servers.
  7. Connecting a self-built alarm system: a user who wants to build their own alarm system on top of Cloud Monitor's existing alarm notifications needs to call the data query interface provided by Cloud Monitor, query it periodically, and then write their own code to decide whether the indicators are abnormal. Because this is troublesome, building your own alarm system is not recommended.
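Points 6 and 7 both come down to the same piece of logic: once metric samples have been pulled from a query interface (or reported by custom monitoring), code has to decide whether a value is abnormal and when to raise or clear an alarm. The following added example (written for these notes; not Cloud Monitor code and not its API) implements that decision for a series of polled samples, requiring several consecutive breaching periods before alarming so that a single spike does not page anyone, clearing the alarm when the value recovers, and reporting a missing data point instead of silently treating it as normal. The `AlarmRule` fields, the `timestamp` keys and the sample values are all constructed assumptions.

```python
from dataclasses import dataclass
import operator

COMPARISONS = {">": operator.gt, ">=": operator.ge, "<": operator.lt, "<=": operator.le}


@dataclass
class AlarmRule:
    """Assumed rule shape: metric name, comparison, threshold, consecutive periods."""
    metric: str          # key of the metric in each polled sample
    comparison: str      # one of COMPARISONS
    threshold: float
    times: int = 3       # consecutive breaching periods required before alarming


@dataclass
class RuleState:
    breaches: int = 0    # current run of consecutive breaches
    alarming: bool = False


class AlarmEvaluator:
    """Feeds polled samples through the rules and emits state transitions only."""

    def __init__(self, rules):
        self.rules = list(rules)
        self._states = [RuleState() for _ in self.rules]

    def feed(self, sample):
        """Evaluate one polled sample; return a list of (event, metric, timestamp)."""
        events = []
        ts = sample["timestamp"]
        for rule, state in zip(self.rules, self._states):
            value = sample.get(rule.metric)
            if value is None:
                # A missing data point is reported, never treated as "normal".
                events.append(("NODATA", rule.metric, ts))
                continue
            if COMPARISONS[rule.comparison](value, rule.threshold):
                state.breaches += 1
                if state.breaches >= rule.times and not state.alarming:
                    state.alarming = True
                    events.append(("ALARM", rule.metric, ts))
            else:
                state.breaches = 0
                if state.alarming:
                    state.alarming = False
                    events.append(("OK", rule.metric, ts))
        return events


def evaluate_series(rules, samples):
    """Run a whole series of samples through one evaluator and collect its events."""
    evaluator = AlarmEvaluator(rules)
    events = []
    for sample in samples:
        events.extend(evaluator.feed(sample))
    return events


# Constructed samples standing in for the results of periodic queries (one per minute).
SAMPLE_METRICS = [
    {"timestamp": 0,   "cpu_utilization": 50, "memory_utilization": 61},
    {"timestamp": 60,  "cpu_utilization": 85, "memory_utilization": 62},
    {"timestamp": 120, "cpu_utilization": 90, "memory_utilization": 63},
    {"timestamp": 180, "cpu_utilization": 95, "memory_utilization": 64},  # third breach -> ALARM
    {"timestamp": 240, "cpu_utilization": 70, "memory_utilization": 64},  # back below -> OK
    {"timestamp": 300, "cpu_utilization": 88, "memory_utilization": 65},  # single breach, no alarm
    {"timestamp": 360, "memory_utilization": 65},                         # CPU point missing -> NODATA
]

DEFAULT_RULES = [
    AlarmRule("cpu_utilization", ">", 80, times=3),
    AlarmRule("memory_utilization", ">=", 90, times=2),
]


if __name__ == "__main__":
    for event in evaluate_series(DEFAULT_RULES, SAMPLE_METRICS):
        print(event)
```

Emitting transitions rather than re-evaluating "is it above the threshold" on every poll is what keeps a home-grown system from sending the same notification every minute; the consecutive-period count and the NODATA handling are the two details most often forgotten, which is part of why point 7 advises against building this yourself.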
  8. Alarm contact groups and contacts in Cloud Monitor: ① when an alarm contact group contains only one alarm contact, deletion is not allowed; ② deleting an alarm contact group does not delete the alarm contacts in that group; ③ deleting an alarm contact automatically removes that contact from its alarm contact groups.
  9. Cloud Monitor contacts, test question: an employee responsible for operating and maintaining a company's Alibaba Cloud products has resigned. Which operation should be performed so that the resigned employee no longer receives alarm notifications from Cloud Monitor? Answer: a contact group in Cloud Monitor contains contacts, whose notification methods include email, phone and DingTalk. Deleting a contact requires no verification; it can be deleted directly.

Origin blog.csdn.net/m0_57207884/article/details/130687543