My AWS Rocks!

Security at Depth - AI

Fri, 27 Feb 2026 00:00:00 +0000

AWS Skill Builder is an online learning center where you can learn from AWS experts and build cloud skills online. With access to 600+ free courses, certification exam prep, and training that allows you to build practical skills there’s something for everyone.

AWS Skill Builder - Security Compliance and Governance for AI Solutions

Data Security at all levels

Sat, 11 Oct 2025 00:00:00 +0000

In most organisations data is the primary source of value. Wether that data is the source code to the next big breakthrough, a list of opportunities and sales tactics, or a more traditional data set such as a back catalogue of music, how it is managed is critical to modern businesses and losing that data brings major consequences.

This post in a series on security at all layers focuses on the security of data. I'll look at how data can be protect in three states; At Rest (Store), In Transit (Move), and In Use (Access), and in three ways; Encryption, Permissions, Resiliency.

Network Security at all levels

Sat, 19 Jul 2025 00:00:00 +0000

In this, the second of a multi-part series on securing your workloads, I'll look more broadly and why, where, and how, you should be securing your network. I'll look at both the principles and AWS services that help you reduce the risk of network based breaches. The introduction to the Security at all levels gives an overview of what I believe security in depth means and why we should all follow the principles.

Security at all Layers

Fri, 16 May 2025 00:00:00 +0000

Security in depth, defence in depth, layered security, zero trust; all terms that get spoken but often not fully understood. Mainly because much of these security principles have evolved over time and depending on the lens applied a different term has emerged.

In this, the first of a series focused on security, I'll try and unpack what security in depth means (at least for me) and why you should be considering a layered security approach. I will try and keep these posts a mix of technical and non-technical details, and where possible utilise real world examples to highlight my thoughts. Future post will focus on the implementation of security from different perspectives such as application, data, and infrastructure.

Cost Savings and Sustainability; Byproducts of Well-Architected

Sun, 13 Oct 2024 00:00:00 +0000

In this post I will look at why I find it hard to understand why people have to focus specifically on cost-optimisation and sustainability initiatives rather than them being part of everyday design and build activities.

I am not implying these two items are not relevant, I am also not saying they shouldn't be in the Well-Architected Framework.

What I am saying is that, if you do the first 4 pillars (Operational Excellence, Security, Reliability, Performance Efficiency) well, then most of the benefits should have already been achieved and there should not be a need to perform "Cost Optimizations" or "Sustainability Audits" of your AWS estate. There might be some tweaks and improvements but the base level of "Well-Architected" for those pillars should have been achieved.

Wait! IP4 has a cost?

Sun, 11 Aug 2024 00:00:00 +0000

Caveat: I started this post in April because lots of people were shocked at the cost appearing on their bill. I got half way and though it wasn't worth publishing as the chatter would die down. However 4 months later I am still seeing people ask what can they do about IPv4 costs so thought I'd finish it off.

So you will know, or should know, that the 1st February 2024 saw AWS introduce charges for all public IPv4 addresses in use within an AWS account.

Don't get trapped by the elephant in the room!

Sat, 27 Jul 2024 00:00:00 +0000

I was part of a webinar with Jeff Barr where he was discussing creating your own luck. One of the elements he talked about was doing something quickly and more frequently can often be better than waiting to ensure you are doing the right thing. He talked about the OODA model which I discuss later, but it got me thinking about how often in technology we so often get caught up in the detail, or even worse, the wrong detail and we end up not doing anything.

My bill is how much‽

Thu, 21 Dec 2023 00:00:00 +0000

One of the most common post by newcomers to AWS seems to be bill shock or unexpected charges.

Some of this is from using a service with out knowing the costs or forgetting to shut something down and incurring costs for longer than planned.

Some however is where accounts have been compromised and resources used by someone else.

So what can you do to prevent this?

This article will look at ways of securing your account and managing your costs. It is a high level article and doesn't go into every service mentioned in detail, however it should give you enough to protect yourself and point you to further resources.

AWS Golden Jacket; Is it worth the race?

Thu, 17 Aug 2023 00:00:00 +0000

So, I've just completed my AWS Machine Learning Specialty certification. This now brings my total active certifications to 12, the "full suite" of achievable certification. In doing so I'm now eligible for the elusive "golden jacket" awarded by AWS to holders of all certifications.

I've had a few people ask my about my certification journey and as often as the how did I do it, is they why did I do it.

AWS Well-Architected - Why so many get it wrong

Fri, 07 Jul 2023 00:00:00 +0000

This blog follows on from my speaking session as a Community Builder at the AWS Summit in London (June 7th 2024).

I looked at why so many people miss understand the Well Architected Framework, and as a result perform poorly in Well-Architected Reviews.

While this post will not cover everything I talked about it should give you an idea of the content and act as a reminder if you were at the event.

How to excel at operational excellence.

Thu, 06 Jul 2023 00:00:00 +0000

Following on from my talk at the London AWS summit in June, I thought I'd write a series on how to perform well in each pillar. In this first post I'll look at the operational excellence pillar and provide some things you need to consider to perfom well from an operations perspective

Firstly, let's take a look at the design principles as outlined in the pillar

Perform operations as code
Make frequent, small, reversible changes
Refine operations procedures frequently
Anticipate failure
Learn from all operational failures

For me the first 3 can be summarised as treat everything you need for operations the same as any other part of your application. Put everything as code, even if scripting cli commands, and follow a software lifecycle where you are makeing small changes that are refined over time. I treat this as part of the "shift left" mindset.

You put what in a public subnet‽

Tue, 04 Apr 2023 00:00:00 +0000

Its great seeing peoples designs for modern solutions and especially serverless. What is more impressive is, where VPC services are in use, they are splitting them out into separate tiers and subnets.

😕

But why do so many people put things in public subnets that don't need to be?

In this article I'll look at what I think should be in public subnets and why you try not to put anything in a public subnet you don't need to.

Troubleshooting with VPC Flow Logs

Thu, 05 Jan 2023 00:00:00 +0000

So you built your secure VPC, but things are not working as expected.
Or maybe something changed on the infrastructure and now things are not working.

And as any network engineer knows, every application fault is always due to the network! So how do we prove traffic is getting to our systems and it's not the network?

The answer is VPC Flow Logs.

There is great guidance on Flow Logs in the AWS VPC documentation so I will try not to cover that. What I will try and do is clarify some areas and explain how we can then use them to understand what is going on in our network. Specifically how we can use the AWS CloudWatch Logs console to find out what is happening in our VPC and give us some pointers on what might be wrong.

How to use NACLs and Security Groups

Tue, 06 Dec 2022 00:00:00 +0000

Following up from my last post (here) on what Network Access Control Lists (NACLs) and Security Groups (SGs) are, I will now take a look at where and how I think you should use them to ensure you have a secure network.

I'll use a basic scenario of a VPC (10.0.0.0/16) split into two public subnets, with access to the internet (10.0.0.0/24 and 10.0.1.0/24), and two private subnets, with no route the the internet (10.0.10.0/24 and 10.0.1.0/24). The application is running on 2 EC2 behind an application load balancer to discuss the options.

Network Access Control Lists vs Security Groups

Sat, 22 Oct 2022 00:00:00 +0000

Both are used to protect networks and resources, but there is often confusion about the difference between Network Access Control Lists (NACLs) and Security Groups, and when each should be used.

This post, aims to demystify the two concepts.

The differences that we will cover are:

Stateful vs Stateless
Inbound vs Outbound
Allow vs Deny
Rule Order

Future post will then look at how to use this knowledge to apply both NACLs and Security Groups, and how to troubleshoot connectivity issues when NACLs and Security Groups are in place.

Are you 'The One'

Wed, 28 Sep 2022 00:00:00 +0000

AWS Certified Global Community Challenge

In June I was asked to participate in creating a challenge as part of a series of challenges for the AWS Certified Global Community.

The idea of the challenges was to provide example of code that had been broken by hackers with the goal of remediating the issues to return the system back to a fully functioning state.

By completing the challenges, individuals not only gained points for the community leaderboard, but also were able to learn new skills and real like usage of code.

Why use a Transit Gateway

Tue, 05 Jul 2022 00:00:00 +0000

You may see in my designs and discussions that I always use an AWS Transit Gateway for connections outside of the VPC.

While there are use cases where this does not make sense, which I'll describe, for the majority of organisations' use cases I believe that using Transit Gateways is the preferable solution.

Cost 💰

Firstly lets address the cost implications of using an AWS Transit Gateway over VPC Peering, as many will use this to justify using peering because they see it directly on their bill.

What it's like as an AWS Certification Subject Matter Expert (SME)

Tue, 28 Jun 2022 00:00:00 +0000

So you may have seen some of the AWS Certification SME badges on peoples profiles and asked what is an SME?, how do I become one?, and why should I become one?

The goal of this post is to give you some insight into the programme, how and why you should apply, and what I've gained from participating.

What is an SME?

So the first real question is what is an AWS Certification Subject Matter Expert (SME)?

Creating a Well-Architected VPC

Wed, 20 Apr 2022 00:00:00 +0000

So this is the first in my posts walking through how to deploy a solution in AWS. Hopefully you find it useful as VPCs are the foundation for private and secure networking in AWS and an area many struggle. This guide is designed to ensure that your VPC deployments can be Well-Architected and provide a base level of network security but is only one option for VPC layout. While it will meet a vast majority of workloads you might want to review the structure and reduce, or increase, the number of subnets as well as other components.

Cheat Sheet or Quick Reference?

Sat, 02 Apr 2022 00:00:00 +0000

Cheat Sheet, Quick Reference, Key Facts, Quick Start Guide, the list of names for similar types of reference documents are as varied as the topics they cover. So why do Cheat Sheets seem to be the most popular name and format?

In this post I'll give my view on the use of cheat sheets, and the term in general, and why I think they've become popular. I'll also explain why I hate them (cheat sheets) and the misuse of term.

Useful AWS Training Resources

Fri, 24 Dec 2021 00:00:00 +0000

One thing I think is important in technology is to never stop learning. For me change in technology is like a river, it never stops flowing, and at times such as re:invent it can feel like a flood. Things are changing so rapidly if you don't keep up to date you will drown in all the announcements and changes.

Hopefully you have all heard about the skillbuilder.aws website that has over two and a half thousand digital courses in 16 languages. What you may not know is that there is a raft of other training material out there either direct from AWS or others that can help with your learning journey.

How to Well-Architect network connectivity to AWS services.

Sun, 05 Dec 2021 00:00:00 +0000

With so many possible paths which do you take?

So a few weeks ago I was asked what my strategy was for accessing internal AWS resources such as S3, DynamoDB etc. where it is possible to access over VPC endpoints as well as the internet. My first point of reference for them was the great map by Corey Quinn, Chief Cloud Economist at The Duckbill Group which looks at the costs for moving data around AWS.

Setting up your AWS account

Sun, 24 Oct 2021 00:00:00 +0000

So you want to get your own AWS account and get started with hands on deployments. What should you do?

Firstly take a look at the AWS Getting Started Guide. In particular follow at least the first 3 steps of the setting up your environment. This will go through account creation, securing your root account and creating an admin account for you to use on a daily basis.

How to Setup Your Development Environment for AWS | Introduction

Learn how to setup your development environment for AWS. This tutorial includes setting up and securing your account, installing the AWS CLI, and getting started with Cloud9.

Amazon Web Services, Inc.

The are a few addition items I would recommend doing in addition to the steps provided by AWS.

AWS Community Builders

Fri, 01 Oct 2021 00:00:00 +0000

Over the summer I saw a few of my connections on LinkedIn announce that they were selected by AWS as a Community Builder. It was one of a few programs I have heard about from AWS that focus on building content and knowledge within the AWS community.

As you can guess by this blog, one of the things I'm keen on is sharing knowledge. I believe that we all benefit when people share knowledge. Looking into the program interested me for two reasons.

4x or 1x Certified - Does it matter?

Mon, 20 Sep 2021 00:00:00 +0000

I often see in peoples LinkedIn headline is stats around how many certifications they hold such as 6x AWS | 4x AZURE | 2x GCP . The question is what does this actually show? Does someone with 7 certificates have more knowledge than someone with 4? What about those without any certifications?

Numbers don't always add up.

The problem with just comparing the numbers mathematically is that not all certifications are equal. 4x does not always equal 4x!

Career Routes

Mon, 03 May 2021 00:00:00 +0000

There is always a huge debate on which certificates and skills are required for which role, or which certification someone should do next. So I thought I'd pitch in with my view on the matter. Please note the following is based on planning at the beginning of your cloud career. If you are changing roles later in your career the order and certifications could change drastically.

For me there are three categories of AWS roles; Architect, Engineer and Specialist. Bear in mind roles will always have overlaps and depending on the company there will be nuances. In addition, as you move up from an entry level role to a lead role it is normally expected that your depth in knowledge increases.

CloudFormation 101

Thu, 01 Apr 2021 00:00:00 +0000

In this post we will look at the basics of CloudFormation, what you need to know and how to get started in writing templates.

So you may be asking why I am writing a post about template basics when I have said I'll try not repeat information available on AWS.

Two reasons. Primarily to demystify the template and secondly to provide pointers to resources you might find useful as you improve your CloudFormation knowledge.

Security 101

Mon, 15 Mar 2021 00:00:00 +0000

Following on from the foundational architecture post I thought I'd give a dive into security of the AWS cloud. For me this is the most important element to understand before even creating an AWS account as if you get this wrong it can be costly in more ways than one. There are a few items that need to be looked at when considering security. These include, but are not limited to:

How to use the AWS Well-Architected Framework

Mon, 01 Mar 2021 00:00:00 +0000

This is the final part in a three part series on the AWS Well-Architected Framework. It is based on my presentation at the AWS Thames Valley user group "How to design well when there is no rule book". In this part we will look at how to use the Well-Architected Framework and also some resources to help you further understand the framework and review process.

Firstly I think we should look at how not to use the framework and review as often I see people getting dishearten or resenting the review because it is used in the wrong way.

Why use the AWS Well-Architected Framework

Mon, 15 Feb 2021 00:00:00 +0000

This is the second in a three part series on the AWS Well-Architected Framework. It is based on my presentation at the AWS Thames Valley user group "How to design well when there is no rule book". In the first part of this series I looked at what the Well-Architected Framework is. In this part we will look at why you should use the Well-Architected Framework.

I split the what of the framework into 3 categories; Cloud Roadmap, Design Principle; Cloud Assessment. For the reasons as to why use the framework I am also splitting it into 3 area; Promote discussion, Plan for Progress, and AWS best practices.

What is the AWS Well-Architected Framework

Mon, 01 Feb 2021 00:00:00 +0000

This is the first in a three part series on the AWS Well-Architected Framework. It is based on my presentation at the AWS Thames Valley user group "How to design well when there is no rule book". This first part looks at what the Well-Architected Framework is.

On the AWS website they describe the framework as:

The AWS Well-Architected Framework describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud. By answering a set of foundational questions, you learn how well your architecture aligns with cloud best practices and are provided guidance for making improvements.

About Me - Robin

Mon, 25 Jan 2021 00:00:00 +0000

I have been working in technology for over 20 years, and with AWS technologies since about 2010. My main focus has been on traditional infrastructure and networking but have a strong security mindset. Up until recently I had little DevOps experience but something I have concentrated on over the last 2 years.

Currently I am working for Accenture as part of the Accenture Amazon Business Group (AABG) as a senior technical architect and lead of the UK&I Well Architeced practice.

AWS Foundational Architecture

Mon, 18 Jan 2021 00:00:00 +0000

When building a house, the most important thing to get right is the foundations. With out a good foundation everything that is built on top will have issues and, worse case, completely fail. Building IT solutions is no different. We have to ensure the basic foundations are in place in order to build good solutions for the business we are working for.

Often I see organizations trying to implement the foundations once they have built the first few systems or they realize that "this cloud craze is real". Many times it is after a proof of concept has suddenly become a production system. What ever the reason for the delay it always causes rework, at a cost to the business, and can cause friction or resentment from engineers who implemented the first solutions.

My GitHub

Mon, 04 Jan 2021 00:00:00 +0000

As well as my personal GIT repository, I also have a GIT Organization for code related to this blog and my YouTube videos.

At present I have two public repositories available, blog-code and templates.

myawsrocks

myawsrocks has 2 repositories available. Follow their code on GitHub.

GitHub

‌As the name suggests, the blog-code repository contains all the code ‌that I use in examples and walkthroughs, either on this site or YouTube.

Each folder in the repository relates to a single blog/video and contains all the code that I refer to. In each folder is a README.md file that gives s brief outline of the project as well as links to this site and/or the YouTube video.

AWS Basics

Fri, 01 Jan 2021 00:00:00 +0000

Lets discuss some of the basics you need to begin to rock your AWS solutions.

Firstly everything has to be via code! Doing things via the console is not the way to go long term. As soon as you can look at using the Command Line Interface (CLI). Even using the CLI will start to give you a better understanding of how AWS works under the hood and allow you to design and build better solutions. See the links at the bottom on how to install the CLI.

Search

Fri, 01 Jan 2021 00:00:00 +0000

Why CloudFormation

Fri, 01 Jan 2021 00:00:00 +0000

People have asked why I use CloudFormation (CFN) and not other tools such as Terraform or AWS Cloud Development Kit (CDK). There are several reasons for this.

Firstly, I'm not a developer. I come from an infrastructure background and although understand scripting and programming constructs it's not my expertise. This means no matter what tool I had to learn it was all relatively new to me.

Secondly, when I started my Infrastructure as Code (IaC) journey Terraform had been out for less than a year. I was also working with AWS engineers who only dealt in CFN templates and the boot-camp I attended at re:invent 2015 all focused on CFN.

About this site

Wed, 01 Jan 2020 00:00:00 +0000

Why another blog about AWS?

I took a while before deciding to create this blog and I am sure many people will be asking why create yet another AWS blog. I thought the same but looking at most the blogs out there many were focused on either complicated implementations or regurgitating AWS documentation. My hope is that this site and content will be useful for those looking to advance their understanding of AWS and improve their deployments.

Mon, 01 Jan 0001 00:00:00 +0000

About Me

Huabing Zhao is a software architect, an Istio Member and an ONAP PTL. He has a solid experience in the information and telecommunication technology industry for more than 17 years.

Throughout his career, he has built a number of large-scale, cross-country software systems, most of them are still running in production.

He loves open source and has been contributing to various open source projects, he is a member of Istio, previous PTL of ONAP, the author of the Hugo clean-white theme and the open source project Aeraki Mesh.

Mon, 01 Jan 0001 00:00:00 +0000

Go 语言学习笔记

Envoy 学习笔记

Mon, 01 Jan 0001 00:00:00 +0000

Posts Archive

Mon, 01 Jan 0001 00:00:00 +0000