# Infrastructure

300 posts

AWS Certified Solutions Architect - Associate (SAA-C03) #5 Domain 1-4 Secure Architectures — WAF, Shield, Cognito, Secrets Manager
6 min read

The final post of the SAA-C03 security domain. It covers application-layer protection and credential management: WAF web ACLs and rules (SQLi, XSS, rate, geo), the difference between Shield Standard and Advanced, the role distinction between Cognito User Pool (authentication) and Identity Pool (temporary AWS credentials), and a comparison of Secrets Manager and Parameter Store.

Certified Kubernetes Administrator (CKA) #3 Cluster Architecture 2: Node (kubelet/kube-proxy/CRI), the Pod Networking Model
12 min read

The third post in the Certified Kubernetes Administrator (CKA) series. Once the control plane makes a decision, the actual containers run on the nodes. We lay out the roles of the three node components — kubelet, kube-proxy, and the container runtime — and the CRI interface, then look from an operations angle at the Kubernetes Pod networking model where every Pod communicates without NAT, and at where the CNI plugin fits in.

AWS Certified Solutions Architect - Associate (SAA-C03) #4 Domain 1-3 Secure Architectures — VPC Security
6 min read

The third post of the SAA-C03 security domain. It covers network-boundary security: the difference between security groups and network ACLs (stateful vs. stateless) and how rules are evaluated, the two kinds of VPC Endpoint (Gateway, Interface) and how to choose between them, the structure for exposing a service privately with PrivateLink, bastion hosts and Systems Manager Session Manager, and VPC Flow Logs.

Certified Kubernetes Administrator (CKA) #2 Cluster Architecture 1: Control plane (apiserver/etcd/scheduler/controller-manager)
12 min read

The second post in the Certified Kubernetes Administrator (CKA) series. We look at how a cluster actually runs, starting from the control plane. We cover what kube-apiserver (the gateway for all communication), etcd (the cluster state store), kube-scheduler (the Pod placement decision), and kube-controller-manager (the reconciliation loop) each do, how the control plane runs as static Pods, and what happens to the cluster when a component dies — all from an operator's point of view.

AWS Certified Solutions Architect - Associate (SAA-C03) #3 Domain 1-2 Secure Architectures — KMS and Encryption
7 min read

The second post of the SAA-C03 security domain. It covers KMS key types (AWS managed, customer managed, customer provided), how envelope encryption works, the difference between at-rest and in-transit encryption, the encryption options for S3, EBS, and RDS and how to encrypt resources that already exist, key policies and cross-account key sharing, and the difference from CloudHSM.

Certified Kubernetes Administrator (CKA) #1: The Exam Environment — alias and dry-run, vim/yq setup, time management
8 min read

The opening post of the Certified Kubernetes Administrator (CKA) series. We lay out the structure of the 2-hour hands-on exam, the weight of the five domains (Troubleshooting at 30% is the crux), the passing line, and the testing environment — then drill the setup (alias, dry-run, vim/yq, etcdctl, systemctl) that decides how your exam time runs. This 27-part series targets a CKA pass, wrapping up with a hands-on mock exam in #27.

AWS Certified Cloud Practitioner (CLF-C02) #10: Full-Scale Mock Exam — 50 Questions with Explanations
19 min read

The final post of the CLF-C02 series. Fifty questions sized to match the real exam domain weights (24/30/34/12%). Domain 1 (Cloud Concepts) 12 questions, Domain 2 (Security) 15 questions, Domain 3 (Cloud Technology) 17 questions, Domain 4 (Billing) 6 questions. The real exam is 65 questions in 90 minutes; this mock is scored over 50 questions, target 60–75 minutes, and 36+ correct (72%) puts you in safe passing territory. Each question is followed by the answer and an explanation.

AWS Certified Solutions Architect - Associate (SAA-C03) #2 Domain 1-1 Secure Architectures — IAM in Depth
8 min read

The first post of the SAA-C03 security domain. After a quick review of the four IAM components (User/Group/Role/Policy), it covers the policy evaluation logic (explicit Deny wins), the difference between trust policies and permission policies, temporary credentials and AssumeRole via STS, cross-account access, and permission boundaries and SCPs at the SAA level. On the exam, the security domain carries the largest weight at 30%, and IAM is its core.

K8s Practice #6: Operations Checklist — Upgrades / Backup, Recovery / Cost / Security
13 min read

The last post in the K8s Practice series. Bringing up a cluster and operating it safely for a year are different kinds of work. This post organizes the EKS upgrade cycle, node group replacement pattern, RDS automated backup and PITR, cost management with Karpenter and Spot, and regular security checks with kube-bench and Trivy. It also includes a retrospective of the 6-post K8s Practice series and the full 26-post K8s track.

AWS Certified Cloud Practitioner (CLF-C02) #9 Exam Tips and Common Mistake Patterns
10 min read

A condensed read-once-more piece for the moments right before you walk into the CLF-C02 exam. Time management for 65 questions in 90 minutes; common pitfall question shapes like multiple-response and double negatives; pairs of services people confuse (S3 vs EBS, CloudTrail vs Config, ALB vs NLB, and so on); four techniques for narrowing down answers; and a final 30-minute pre-exam checklist. The next post, #10, is the full-scale mock exam.

AWS Certified Solutions Architect - Associate (SAA-C03) #1 Exam Introduction — Exam Structure and Study Roadmap
8 min read

The opening post of the AWS Certified Solutions Architect - Associate (SAA-C03) series. It covers the structure of 65 questions, 130 minutes, and a 720 passing score; the weight and meaning of the four domains (Security 30%, Resilience 26%, High Performance 24%, Cost 20%); how it differs from Cloud Practitioner; and a study strategy that turns the intuition built on the hands-on [AWS track](/en/posts/aws-basics-1) and [CLF-C02](/en/posts/aws-clf-1-exam-introduction) into design-oriented exam answers. This 16-part series targets an SAA-C03 pass, wrapping up with a full-scale mock exam in #16.

K8s Practice #5: Monitoring & Alerting — Prometheus / CloudWatch / Alertmanager
11 min read

The `myshop-api` built in [#4](/en/posts/k8s-practice-4) now has code-to-deploy automation, but operations do not work unless you can see what it is doing. This post organizes the EKS cluster observability stack. We install Prometheus + Grafana + Alertmanager at once with kube-prometheus-stack, combine that with CloudWatch via Container Insights and Fluent Bit, standardize myshop-api metrics and alerts via ServiceMonitor / PrometheusRule, and organize the on-call flow with the 4 golden signals rule set and Slack / PagerDuty routing.