AWS X-Ray

  • AWS X-Ray analyzes and debugs distributed applications in production, such as those built using a microservices architecture. With X-Ray, you can identify performance bottlenecks, edge case errors, and other hard-to-detect issues.
  • Concepts
    • A segment provides the name of the compute resources running your application logic, details about the request sent by your application, and details about the work done.
    • A segment can break down the data about the work done into subsegments. A subsegment can contain additional details about a call to an AWS service, an external HTTP API, or an SQL database.
      • For services that don’t send their own segments, like Amazon DynamoDB, X-Ray uses subsegments to generate inferred segments and downstream nodes on the service map. This lets you see all of your downstream dependencies, even if they don’t support tracing, or are external.
      • Subsegments represent your application’s view of a downstream call as a client. If the downstream service is also instrumented (like an AWS SDK client), the segment that it sends replaces the inferred segment generated from the upstream client’s subsegment.
    • X-Ray uses the data that your application sends to generate a service graph. Each AWS resource that sends data to X-Ray appears as a service in the graph.
    • A service graph is a JSON document that contains information about the services and resources that make up your application. The X-Ray console uses the service graph to generate a visualization or service map. Service graph data is retained for 30 days.
    • Edges connect the services that work together to serve requests. Edges connect clients to your application, and your application to the downstream services and resources that it uses.
    • A trace ID tracks the path of a request through your application. A trace collects all the segments generated by a single request.
      • That request is typically an HTTP GET or POST request that travels through a load balancer, hits your application code, and generates downstream calls to other AWS services or external web APIs.
    • To ensure efficient tracing and provide a representative sample of the requests that your application serves, the X-Ray SDK applies a sampling algorithm to determine which requests get traced.
      • By default, the X-Ray SDK records the first request each second, and five percent of any additional requests.
    • For advanced tracing, you can drill down to traces for individual requests, or use filter expressions to find traces related to specific paths or users.
    • Groups are a collection of traces that are defined by a filter expression. Groups are identified by their name or an Amazon Resource Name, and contain a filter expression.
    • Annotations are simple key-value pairs that are indexed for use with filter expressions. Use annotations to record data that you want to use to group traces.
      • A segment can contain multiple annotations.
      • System-defined annotations include data added to the segment by AWS services, whereas user-defined annotations are metadata added to a segment by a developer.
    • Metadata are key-value pairs with values of any type, including objects and lists, that are not indexed. Use metadata to record data you want to store in the trace but don’t need to use for searching traces.
    • When an exception, error or fault occurs while your application is serving an instrumented request, the X-Ray SDK records details about the error, including the stack trace, if available.
  • Features
    • AWS X-Ray can be used with applications running on Amazon EC2, Amazon ECS, AWS Lambda, and AWS Elastic Beanstalk. You just integrate the X-Ray SDK with your application and install the X-Ray agent.
    • AWS X-Ray provides an end-to-end, cross-service, application-centric view of requests flowing through your application by aggregating the data gathered from individual services in your application into a single unit called a trace.
    • The X-Ray SDK captures metadata for requests made to MySQL and PostgreSQL databases (self-hosted, Amazon RDS, Amazon Aurora), and Amazon DynamoDB. It also captures metadata for requests made to Amazon SQS and Amazon SNS.
    • You can set the trace sampling rate that is best suited for your production applications or applications in development. X-Ray continually traces requests made to your application and stores a sampling of the requests for your analysis.
    • AWS X-Ray creates a map of services used by your application with trace data. This provides a view of connections between services in your application and aggregated data for each service, including average latency and failure rates. You can create dependency trees, perform cross-availability zone or region call detections, and more.
    • AWS X-Ray lets you add annotations to data emitted from specific components or services in your application.
  • How X-Ray Works
    • AWS X-Ray receives data from services as segments. X-Ray then groups segments that have a common request into traces. X-Ray processes the traces to generate a service graph that provides a visual representation of your application.
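
The default sampling rule from the Concepts list above, as an added sketch (not the X-Ray SDK's own code): a one-per-second reservoir plus a 5% fixed rate, run over a constructed burst to show how few requests actually leave a trace. `DefaultSampler` and the helper names are hypothetical.

```python
import random


class DefaultSampler:
    """First request each second, then a fixed rate for the rest."""

    def __init__(self, reservoir=1, rate=0.05, rand=random.random):
        self.reservoir = reservoir   # requests always traced per second
        self.rate = rate             # share of additional requests traced
        self.rand = rand             # injectable so tests are deterministic
        self._second = None
        self._used = 0

    def should_trace(self, now):
        second = int(now)
        if second != self._second:   # new one-second window: refill reservoir
            self._second = second
            self._used = 0
        if self._used < self.reservoir:
            self._used += 1
            return True
        return self.rand() < self.rate


def traced_requests(timestamps, sampler):
    """Return the timestamps of the requests that would be recorded."""
    return [ts for ts in timestamps if sampler.should_trace(ts)]


def constructed_burst(seconds=3, per_second=200):
    """Constructed input: evenly spaced request arrival times."""
    return [s + i / per_second for s in range(seconds) for i in range(per_second)]


def coverage(seed=7):
    """(traced, total) for the constructed burst with a seeded RNG."""
    rng = random.Random(seed)
    burst = constructed_burst()
    traced = traced_requests(burst, DefaultSampler(rand=rng.random))
    return len(traced), len(burst)


if __name__ == "__main__":
    traced, total = coverage()
    print(f"{traced} of {total} requests traced")
```

Because most requests in a burst are not recorded, a missing trace does not mean a request never happened; access logs remain the complete record.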

AWS X-Ray Diagram

  • X-Ray SDK
    • The X-Ray SDK provides:
      • Interceptors to add to your code to trace incoming HTTP requests
      • Client handlers to instrument AWS SDK clients that your application uses to call other AWS services
      • An HTTP client to use to instrument calls to other internal and external HTTP web services
    • AWS X-Ray supports tracing for applications that are written in Node.js, Java, and .NET.
    • Instead of sending trace data directly to X-Ray, the SDK sends JSON segment documents to an X-Ray daemon process listening for UDP traffic.
    • The X-Ray daemon buffers segments in a queue and uploads them to X-Ray in batches.
  • AWS Service Integration and Service Graph
    • You can easily integrate AWS services with AWS X-Ray. Service integration can include adding tracing headers to incoming requests, sending trace data to X-Ray, or running the X-Ray daemon.
    • X-Ray uses trace data from the AWS resources that power your cloud applications to generate a detailed service graph.
    • You can use the service graph to identify bottlenecks, latency spikes, and other issues to solve to improve the performance of your applications.
    • There are four types of X-Ray integration:
      • Active instrumentation – Samples and instruments incoming requests.
      • Passive instrumentation – Instruments requests that have been sampled by another service.
      • Request tracing – Adds a tracing header to all incoming requests and propagates it downstream.
      • Tooling – Runs the X-Ray daemon to receive segments from the X-Ray SDK.
    • The following services provide X-Ray integration:
      • AWS Lambda – Active and passive instrumentation of incoming requests on all runtimes. AWS Lambda adds two nodes to your service map, one for the AWS Lambda service, and one for the function.
      • Amazon API Gateway – Active and passive instrumentation. API Gateway uses sampling rules to determine which requests to record, and adds a node for the gateway stage to your service map.
      • Elastic Load Balancing – Request tracing on application load balancers. The application load balancer adds the trace ID to the request header before sending it to a target group.
      • AWS Elastic Beanstalk – Tooling.
  • Pricing
    • You pay based on the number of traces recorded, retrieved, and scanned. A trace represents a request to your application and may include multiple data points, such as for calls to other services and database access.
    • The maximum size of a trace is 500 KB.
    • Trace data is retained for 30 days from the time it is recorded at no additional cost.

 


 

Validate Your Knowledge

Question 1

A newly hired developer has been instructed to debug an application. She tried to access the X-Ray console to view service maps and segments but her current access is insufficient. Which of the following is the MOST appropriate managed policy that should be granted to the developer?

  1. AWSXrayReadOnlyAccess
  2. AWSXRayDaemonWriteAccess
  3. AWSXrayFullAccess
  4. AmazonS3ReadOnlyAccess

Correct Answer: 1

You can use AWS Identity and Access Management (IAM) to grant X-Ray permissions to users and compute resources in your account. IAM controls access to the X-Ray service at the API level to enforce permissions uniformly, regardless of which client (console, AWS SDK, AWS CLI) your users employ. To use the X-Ray console to view service maps and segments, you only need read permissions. To enable console access, add the AWSXrayReadOnlyAccess managed policy to your IAM user.

For local development and testing, create an IAM user with read and write permissions. Generate access keys for the user and store them in the standard AWS SDK location. You can use these credentials with the X-Ray daemon, the AWS CLI, and the AWS SDK.

To deploy your instrumented app to AWS, create an IAM role with write permissions and assign it to the resources running your application. AWSXRayDaemonWriteAccess includes permission to upload traces, and some read permissions as well to support the use of sampling rules.

The read and write policies do not include permission to configure encryption key settings and sampling rules. Use AWSXrayFullAccess to access these settings, or add configuration APIs in a custom policy. For encryption and decryption with a customer managed key that you create, you also need permission to use the key.

Hence, the AWSXrayReadOnlyAccess managed policy is the most appropriate one to grant to the developer in order for her to access the X-Ray console. This also abides by the standard security advice of granting least privilege, or granting only the permissions required to perform a task.

AWSXRayDaemonWriteAccess is incorrect because this policy is more suitable if you want to grant permission to upload traces to X-Ray.

AWSXrayFullAccess is incorrect because although this can provide the required access to the developer, it does not abide by the standard security advice of granting least privilege. Hence, this is not the most appropriate policy to use.

AmazonS3ReadOnlyAccess is incorrect because this policy just provides the instance permission to download the X-Ray daemon from Amazon S3.
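
The read / upload / configuration split described above can be checked mechanically. The following is an added example, not AWS tooling: it lists which tiers of X-Ray actions a policy document grants beyond what a principal needs. The action list is a subset of real X-Ray API actions, the sample policies are constructed, and the function names are hypothetical; Deny, NotAction and Condition handling are left out.

```python
from fnmatch import fnmatchcase

# A subset of X-Ray API actions, grouped by the three tiers the explanation
# above describes. This is NOT the full content of any AWS managed policy.
XRAY_ACTIONS = {
    "read": ["xray:GetServiceGraph", "xray:GetTraceSummaries",
             "xray:BatchGetTraces", "xray:GetSamplingRules",
             "xray:GetSamplingTargets"],
    "upload": ["xray:PutTraceSegments", "xray:PutTelemetryRecords"],
    "config": ["xray:PutEncryptionConfig", "xray:CreateSamplingRule",
               "xray:UpdateSamplingRule", "xray:DeleteSamplingRule"],
}

# Constructed sample policies (hypothetical, for illustration only).
CONSOLE_VIEWER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["xray:Get*", "xray:BatchGet*"], "Resource": "*"}]}
DAEMON_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "xray:PutTraceSegments", "xray:PutTelemetryRecords", "xray:GetSampling*"]}]}
WILDCARD = {"Version": "2012-10-17", "Statement":
            {"Effect": "Allow", "Action": "xray:*", "Resource": "*"}}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def granted_tiers(policy):
    """Map tier -> sorted X-Ray actions that the policy's Allow statements match."""
    granted = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny, NotAction and Condition are out of scope here
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        for tier, actions in XRAY_ACTIONS.items():
            for action in actions:
                # IAM action names are case-insensitive and allow * and ?
                if any(fnmatchcase(action.lower(), p) for p in patterns):
                    granted.setdefault(tier, set()).add(action)
    return {tier: sorted(actions) for tier, actions in granted.items()}


def excess_tiers(policy, needed):
    """Tiers the policy grants beyond what the principal's task needs."""
    return {t: a for t, a in granted_tiers(policy).items() if t not in needed}
```

For the developer in this question, `excess_tiers(policy, {"read"})` should come back empty; a policy shaped like `WILDCARD` reports both the upload and configuration tiers as excess.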

References:
https://docs.aws.amazon.com/xray/latest/devguide/xray-permissions.html
https://docs.aws.amazon.com/xray/latest/devguide/security.html

Question 2

In the next financial year, your company decided to develop a totally new version of their legacy application which will be using Node.js and GraphQL. The new architecture should provide them an end-to-end view of requests as they travel through their application, and show a map of the application’s underlying components. The application will be hosted in an Auto Scaling group of Linux EC2 instances and it must be instrumented so it can send the trace data to the AWS X-Ray service.

Which of the following options is the MOST suitable way to satisfy this requirement?

  1. Include the xray-daemon.config configuration file in the AMI.
  2. Enable active tracing on Amazon Inspector.
  3. Refactor your application to send segment documents directly to X-Ray by using the PutTraceSegments API.
  4. Use a user data script to install the X-Ray daemon.

Correct Answer: 4

The AWS X-Ray SDK does not send trace data directly to AWS X-Ray. To avoid calling the service every time your application serves a request, the SDK sends the trace data to a daemon, which collects segments for multiple requests and uploads them in batches. Use a script to run the daemon alongside your application.

To properly instrument your application hosted in an EC2 instance, you have to install the X-Ray daemon by using a user data script. This will install and run the daemon automatically when you launch the instance. To use the daemon on Amazon EC2, create a new instance profile role or add the managed policy to an existing one. This will grant the daemon permission to upload trace data to X-Ray.

The AWS X-Ray daemon is a software application that listens for traffic on UDP port 2000, gathers raw segment data, and relays it to the AWS X-Ray API. The daemon works in conjunction with the AWS X-Ray SDKs and must be running so that data sent by the SDKs can reach the X-Ray service.

Hence, the most suitable way to instrument your application is to use a user data script to install the X-Ray daemon.

Including the xray-daemon.config configuration file in the AMI is incorrect because this configuration file is only applicable in Elastic Beanstalk. You have to install the X-Ray daemon via a user data script.

Enabling active tracing on Amazon Inspector is incorrect because active tracing is only applicable in Lambda. Moreover, Amazon Inspector is just an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. This service is not suitable for use in integrating your applications with AWS X-Ray.

Refactoring your application to send segment documents directly to X-Ray by using the PutTraceSegments API is incorrect because although this solution will work, it entails a lot of manual effort to perform. You don’t need to do this because you can just install the X-Ray daemon on the instance to automate this process.
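
What the SDK hands to the daemon on UDP port 2000 is a small header line followed by a JSON segment document. The following added example (not code from the X-Ray SDK or daemon) builds such a datagram and applies the checks a stand-in receiver can make; the header line and ID formats follow the X-Ray segment document format, while the function names and sample values are hypothetical.

```python
import json
import os
import re
import socket
import time

DAEMON_ADDR = ("127.0.0.1", 2000)   # the daemon's UDP port, as stated above
HEADER = {"format": "json", "version": 1}
TRACE_ID_RE = re.compile(r"^1-[0-9a-f]{8}-[0-9a-f]{24}$")
SEGMENT_ID_RE = re.compile(r"^[0-9a-f]{16}$")


def new_trace_id(now=None):
    """Version 1, epoch seconds in hex, then 96 random bits in hex."""
    epoch = int(time.time() if now is None else now)
    return "1-%08x-%s" % (epoch, os.urandom(12).hex())


def build_segment(name, trace_id, start, end, annotations=None, metadata=None):
    segment = {"name": name, "id": os.urandom(8).hex(), "trace_id": trace_id,
               "start_time": start, "end_time": end}
    if annotations:
        segment["annotations"] = annotations   # indexed, scalar values only
    if metadata:
        segment["metadata"] = metadata         # not indexed, any JSON value
    return segment


def to_datagram(segment):
    return (json.dumps(HEADER) + "\n" + json.dumps(segment)).encode("utf-8")


def parse_datagram(data):
    """Validate a datagram the way a stand-in receiver could; ValueError if bad."""
    header, sep, body = data.decode("utf-8").partition("\n")
    if not sep or json.loads(header) != HEADER:
        raise ValueError("missing or unknown header line")
    segment = json.loads(body)
    if not isinstance(segment, dict):
        raise ValueError("segment document must be a JSON object")
    if not TRACE_ID_RE.match(str(segment.get("trace_id", ""))):
        raise ValueError("bad trace_id")
    if not SEGMENT_ID_RE.match(str(segment.get("id", ""))):
        raise ValueError("bad segment id")
    for key, value in segment.get("annotations", {}).items():
        if not isinstance(value, (str, int, float, bool)):
            raise ValueError("annotation %r is not a scalar" % key)
    return segment


def send_to_daemon(segment, addr=DAEMON_ADDR):
    """Fire-and-forget UDP send to a locally running daemon."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(to_datagram(segment), addr)
```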

References:
https://docs.aws.amazon.com/xray/latest/devguide/xray-daemon-ec2.html
https://docs.aws.amazon.com/xray/latest/devguide/xray-daemon.html#xray-daemon-permissions


Sources:
https://aws.amazon.com/xray/features/
https://aws.amazon.com/xray/pricing/
https://docs.aws.amazon.com/xray/latest/devguide/aws-xray.html
https://aws.amazon.com/xray/faqs/
