AWS Certified Advanced Networking Official Study Guide - Sidhartha Chauhan - E-Book

Sidhartha Chauhan

Description

The official study guide for the AWS certification specialty exam. The AWS Certified Advanced Networking Official Study Guide - Specialty Exam helps to ensure your preparation for the AWS Certified Advanced Networking - Specialty Exam. Expert review of AWS fundamentals aligns with the exam objectives, and detailed explanations of key exam topics merge with real-world scenarios to help you build the robust knowledge base you need to succeed on the exam, and in the field as an AWS Certified Networking specialist. Coverage includes the design, implementation, and deployment of cloud-based solutions; core AWS services implementation and knowledge of architectural best practices; AWS service architecture design and maintenance; networking automation; and more. You also get one year of free access to Sybex's online interactive learning environment and study tools, which features flashcards, a glossary, chapter tests, practice exams, and a test bank to help you track your progress and gauge your readiness as exam day grows near.

The AWS credential validates your skills surrounding AWS and hybrid IT network architectures at scale. The exam assumes existing competency with advanced networking tasks, and assesses your ability to apply deep technical knowledge to the design and implementation of AWS services. This book provides comprehensive review and extensive opportunities for practice, so you can polish your skills and approach exam day with confidence.

* Study key exam essentials with expert insight
* Understand how AWS skills translate to real-world solutions
* Test your knowledge with challenging review questions
* Access online study tools, chapter tests, practice exams, and more

Technical expertise in cloud computing, using AWS, is in high demand, and the AWS certification shows employers that you have the knowledge and skills needed to deliver practical, forward-looking cloud-based solutions. The AWS Certified Advanced Networking Official Study Guide - Specialty Exam helps you learn what you need to take this next big step for your career.


Page count: 859

Publication year: 2018




AWS® Certified Advanced Networking

Official Study Guide Specialty Exam

Sidhartha Chauhan, James Devine, Alan Halachmi, Matt Lehwess, Nick Matthews, Steve Morad, Steve Seymour

Senior Acquisitions Editor: Kenyon Brown

Project Editor: Gary Schwartz

Copy Editor: Kezia Endsley

Editorial Manager: Pete Gaughan and Mary Beth Wakefield

Production Manager: Kathleen Wisor

Executive Editor: Jim Minatel

Book Designers: Judy Fung and Bill Gibson

Proofreader: Nancy Carrasco

Indexer: Johnna VanHoose Dinse

Project Coordinator, Cover: Brent Savage

Cover Designer: Wiley

Cover Image: ©Jeremy Woodhouse/Getty Images, Inc.

Copyright © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved. Published by John Wiley & Sons, Inc., Indianapolis, Indiana

Published simultaneously in Canada

ISBN: 978-1-119-43983-7

ISBN: 978-1-119-43988-2 (ebk.)

ISBN: 978-1-119-43990-5 (ebk.)

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750–8400, fax (978) 646–8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748–6011, fax (201) 748–6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762–2974, outside the U.S. at (317) 572–3993 or fax (317) 572–4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Control Number: 2017962409

TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a registered trademark of Amazon Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

To those who designed and built what we explain herein.

Acknowledgments

The authors would like to thank a few people who helped us develop and write this AWS Certified Advanced Networking – Specialty Official Study Guide.

First, thanks to all of our families for supporting us in our seemingly endless efforts to produce this book. We know the hours away from home were only possible because of you. The readers of this book owe you a debt of gratitude, as well.

A huge thanks to our colleagues, Dave Cuthbert and Dave Walker, who guest authored the chapters on automation and risk and compliance, respectively. Many thanks to James Hamilton for the Foreword and to Mark Ryland and Camil Samaha for their cover-to-cover contributions.

When we wrote this book, many of the features and services described were only on the drawing board. Thanks to the product and engineering teams for taking the time to provide us with insight into new and exciting capabilities. Our readers thank you, too!

Of course, we must thank all of the supporting team members who helped shepherd us to the finish line: Nathan Bower and Victoria Steidel, our thoughtful technical editors, who reviewed and edited all of the content; Mary Kay Sondecker, who answered our call for project help; and Sharon Saternus, our project manager, who had the task of herding cats – the authors.

About the Authors

Sidhartha Chauhan, Solutions Architect, Amazon Web Services

Sid works with enterprise customers to design highly scalable cloud architectures. He has a special inclination toward computer networking technologies and holds a master’s degree in computer networking from North Carolina State University, along with various leading industry certifications. Before joining Amazon, Sid worked with a large telecommunications organization designing large-scale Local Area Network (LAN)/Wide Area Network (WAN) networks. In his free time, Sid plays guitar for an award-winning New York City-based Indian band called “Rhythm Tolee.” He also enjoys photography and fitness.

James Devine, Solutions Architect, Amazon Web Services

Using AWS to help design solutions for nonprofit customers who are making a difference in the world is what keeps James motivated. He holds a bachelor’s degree in computer science from Allegheny College and a master’s degree in computer science from the Stevens Institute of Technology. Prior to joining AWS, James was a senior infrastructure engineer at MITRE Corporation, a nonprofit government contractor, where he used his skills in infrastructure to help various government organizations solve some of their toughest problems and realize the value of cloud computing.

Alan Halachmi, Senior Manager, Solutions Architecture, Amazon Web Services

Alan leads a team of specialist solutions architects supporting public sector customers. These specialists provide deep expertise in domains such as Geospatial Information Systems (GIS), High Performance Computing (HPC), and machine learning. Alan supports public sector organizations across the globe in the areas of networking and security. He holds a Certified Information Systems Security Professional (CISSP®) certification as well as a half-dozen AWS certifications. He participated in the development of the Solutions Architect – Associate, Solutions Architect – Professional, and Advanced Networking – Specialty exams. Additionally, Alan has authored multiple AWS whitepapers that focus on the intersection of networking and security. Prior to joining Amazon, he worked in various leadership positions focused on homeland protection and identity systems at both established and startup companies in the private sector. Alan holds a bachelor’s degree in network communication and information security from Duke University. In his free time, Alan enjoys family and tinkering with new toys.

Matt Lehwess, Principal Solutions Architect, Amazon Web Services

Matt has spent many years working as a network engineer in the network service provider space, building large-scale WAN networks in the Asia Pacific region and North America, as well as deploying data center technologies and their related network infrastructure. As a result, he is most at home working with Amazon VPC, AWS Direct Connect, and Amazon’s other infrastructure-focused products and services. Matt is also a public speaker for AWS, and he enjoys spending time helping customers solve large-scale problems using the AWS Cloud platform. Outside of work, Matt is an avid rock climber, both indoor and outdoor, and a keen surfer. When he misses the waves of his hometown back in Australia, a trip to Santa Cruz, California from his home in San Francisco soon alleviates any homesick feelings.

Nick Matthews, Senior Solutions Architect, Amazon Web Services

Nick Matthews leads the networking segment of the AWS partner support organization. He helps AWS partners create new networking solutions and make traditional networking products work on AWS. He enjoys assisting AWS customers in architecting their networks for scalability and security. Nick also speaks at industry events on networking and security best practices. Before joining Amazon, Nick spent 10 years at Cisco working on Voice over IP (VoIP), Software-Defined Networking (SDN), and routing (Cisco Certified Internetwork Expert [CCIE] #23560). He founded the Network Programmability Users Group (npug.net) to help users with SDN and programming network equipment. In his free time, he enjoys eating, drinking, and playing beach volleyball.

Steve Morad, Senior Manager, Solutions Builders, Amazon Web Services

Steve Morad holds a BA in computer science from Wheaton College (IL), and an MBA from Virginia Tech. He started his career by graduating from college and running off to join the circus. Since then, he gained systems administration, development, and architecture experience in the entertainment, financial services, and technology industries. Steve spent five years as a principal solutions architect supporting customers of all sizes and maturity levels, with a sub-specialty in AWS networking and security. He helped develop the Solutions Architect Associate, Developer Associate, SysOps Associate, Solutions Architect Professional, DevOps Professional, and Network Specialty exams. Steve is also an AWS public speaker and has developed network-related technical articles, whitepapers, and reference implementations. Steve is currently a senior manager of solutions builders at AWS. Outside of work, Steve enjoys helping coach soccer goalies and watching his kids perform in various musical ensembles.

Steve Seymour, Principal Solutions Architect, Amazon Web Services

Steve is a principal solutions architect and networking specialist within the AWS team covering Europe, the Middle East, and Africa. He uses his networking expertise to help customers of all sizes—from fast growing startups to the world’s largest enterprises—use AWS networking technologies to meet and exceed their business requirements. Steve has more than 15 years of experience working with enterprise infrastructure, data center implementations, and migration projects with complex IP communications requirements. He is passionate about applying this experience to a broad range of industries to support customer success on AWS. Steve enjoys the outdoors, regularly coaches canoeing, and goes geocaching whenever traveling.

Contents

Acknowledgments

About the Authors

Foreword

Introduction

What Does this Book Cover?

Interactive Online Learning Environment and Test Bank

Exam Objectives

Objective Map

Assessment Test

Answers to Assessment Test

Chapter 1 Introduction to Advanced Networking

AWS Global Infrastructure

Amazon Virtual Private Cloud

AWS Networking Services

Summary

Resources to Review

Exam Essentials

Exercise

Review Questions

Chapter 2 Amazon Virtual Private Cloud (Amazon VPC) and Networking Fundamentals

Introduction to Amazon Virtual Private Cloud (Amazon VPC)

Subnets

Route Tables

IP Addressing

Security Groups

Network Access Control Lists (ACLs)

Internet Gateways

Network Address Translation (NAT) Instances and NAT Gateways

Egress-Only Internet Gateways (EIGWs)

Virtual Private Gateways (VGWs), Customer Gateways, and Virtual Private Networks (VPNs)

VPC Endpoints

VPC Peering

Placement Groups

Elastic Network Interfaces

Dynamic Host Configuration Protocol (DHCP) Option Sets

Amazon Domain Name Service (DNS) Server

VPC Flow Logs

Summary

Resources to Review

Exam Essentials

Exercises

Review Questions

Chapter 3 Advanced Amazon Virtual Private Cloud (Amazon VPC)

VPC Endpoints

VPC Endpoint Overview

Gateway VPC Endpoints

Interface VPC Endpoints

Transitive Routing

IP Addressing Features

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 4 Virtual Private Networks

Introduction to Virtual Private Networks

Site-to-Site VPN

Client-to-Site VPN

Design Patterns

Summary

Resources to Review

Exercises

Review Questions

Chapter 5 AWS Direct Connect

What Is AWS Direct Connect?

Physical Connectivity

Logical Connectivity

Resilient Connectivity

Billing

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 6 Domain Name System and Load Balancing

Introduction to Domain Name System and Load Balancing

Domain Name System

Amazon EC2 DNS Service

Amazon Route 53

Elastic Load Balancing

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 7 Amazon CloudFront

Introduction to Amazon CloudFront

Content Delivery Network Overview

The AWS CDN: Amazon CloudFront

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 8 Network Security

Governance

Data Flow Security

AWS Security Services

Detection and Response

Summary

Resources to Review

Exam Essentials

Exercises

Review Questions

Chapter 9 Network Performance

Network Performance Basics

Amazon Elastic Compute Cloud (Amazon EC2) Instance Networking Features

Optimizing Performance

Example Applications

Performance Testing

Summary

Resources to Review

Exam Essentials

Exercises

Review Questions

Chapter 10 Automation

Introduction to Network Automation

Infrastructure as Code

Network Monitoring Tools

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 11 Service Requirements

Introduction to Service Requirements

The Elastic Network Interface

AWS Cloud Services and Their Network Requirements

Amazon EMR

Amazon Relational Database Service (Amazon RDS)

AWS Database Migration Service (AWS DMS)

Amazon Redshift

AWS Glue

AWS Elastic Beanstalk

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 12 Hybrid Architectures

Introduction to Hybrid Architectures

Application Architectures

Access VPC Endpoints and Customer-Hosted Endpoints over AWS Direct Connect

Use of Transitive Routing in Hybrid IT

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 13 Network Troubleshooting

Introduction to Network Troubleshooting

Methodology for Troubleshooting

Network Troubleshooting Tools

Troubleshooting Common Scenarios

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 14 Billing

Billing Overview

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 15 Risk and Compliance

It All Begins with Threat Modeling

Ownership Model and the Role of Network Management

Controlling Access to AWS

Encryption Options

Network Activity Monitoring

Malicious Activity Detection

Penetration Testing and Vulnerability Assessment

Summary

Exam Essentials

Resources to Review

Exercises

Review Questions

Chapter 16 Scenarios and Reference Architectures

Introduction to Scenarios and Reference Architectures

Hybrid Networking Scenario

Multi-Location Resiliency

Summary

Resources to Review

Exam Essentials

Exercises

Review Questions

Appendix Answers to Review Questions

Chapter 1: Introduction to Advanced Networking

Chapter 2: Amazon Virtual Private Cloud (Amazon VPC) and Networking Fundamentals

Chapter 3: Advanced Amazon Virtual Private Cloud (Amazon VPC)

Chapter 4: Virtual Private Networks

Chapter 5: AWS Direct Connect

Chapter 6: Domain Name System and Load Balancing

Chapter 7: Amazon CloudFront

Chapter 8: Network Security

Chapter 9: Network Performance

Chapter 10: Automation

Chapter 11: Service Requirements

Chapter 12: Hybrid Architectures

Chapter 13: Network Troubleshooting

Chapter 14: Billing

Chapter 15: Risk and Compliance

Chapter 16: Scenarios and Reference Architectures

Advert

EULA

List of Tables

Chapter 2

TABLE 2.1

TABLE 2.2

TABLE 2.3

TABLE 2.4

TABLE 2.5

TABLE 2.6

TABLE 2.7

Chapter 3

TABLE 3.1

Chapter 6

TABLE 6.1

TABLE 6.2

Chapter 9

TABLE 9.1

TABLE 9.2

TABLE 9.3

Chapter 13

TABLE 13.1

List of Illustrations

Chapter 1

FIGURE 1.1

AWS global infrastructure

FIGURE 1.2

Overview of the AWS service locations

Chapter 2

FIGURE 2.1

VPC, subnets, and a route table

FIGURE 2.2

Subnet identifier

FIGURE 2.3

Public, private, and VPC-only subnets

FIGURE 2.4

48-bit MAC to 64-bit modified EUI-64

FIGURE 2.5

VPC, subnet, route table, and Internet gateway

FIGURE 2.6

Egress-Only Internet gateway

FIGURE 2.7

VPC with a VPN connection to a customer network

FIGURE 2.8

Route table for a VPC endpoint

FIGURE 2.9

VPC peering connections do not support transitive routing

Chapter 3

FIGURE 3.1

Amazon S3 endpoint

FIGURE 3.2

A proxy fleet is configured to access an Amazon S3 endpoint over AWS VPN.

FIGURE 3.3

An Amazon Kinesis endpoint interface is created using AWS PrivateLink.

FIGURE 3.4

An endpoint service is created from the service provider VPC to the service consumer VPC. An interface endpoint is created in the service consumer VPC.

FIGURE 3.5

A shared service uses a Network Load Balancer and AWS PrivateLink to provide endpoint services into spoke VPCs.

FIGURE 3.6

An example of adding a CIDR range to an existing VPC. New subnets can use the new CIDR addresses.

Chapter 4

FIGURE 4.1

VPN termination at VGW

FIGURE 4.2

VGW HA endpoints

FIGURE 4.3

Avoiding asymmetric routing by using BGP parameters

FIGURE 4.4

AWS VPN CloudHub functionality

FIGURE 4.5

Graphical representation of VPN metrics in the Amazon CloudWatch dashboard

FIGURE 4.6

VPN termination in an Amazon EC2 instance

FIGURE 4.7

High availability when terminating VPN on an Amazon EC2 instance

FIGURE 4.8

High availability when terminating VPN on an Amazon EC2 instance—automated failover

FIGURE 4.9

AWS Marketplace

FIGURE 4.10

Vertical scaling with load balancing—single Availability Zone

FIGURE 4.11

Vertical scaling with load balancing—multiple Availability Zones

FIGURE 4.12

Horizontal Scaling based on VPC Subnets

FIGURE 4.13

Horizontal Scaling based on destination prefix

FIGURE 4.14

Customer gateway

FIGURE 4.15

Customer gateway high availability

FIGURE 4.16

Client-to-site VPN

FIGURE 4.17

Transitive routing

FIGURE 4.18

Enabling transitive routing in AWS

Chapter 5

FIGURE 5.1

Physical components of AWS Direct Connect

FIGURE 5.2

Direct Connect Gateway

FIGURE 5.3

Single connection with VPN backup

FIGURE 5.4

Dual connections: single location—VPN backup

FIGURE 5.5

Single connections: dual locations—VPN Backup

FIGURE 5.6

VPN over Direct Connect public VIF

FIGURE 5.7

Transit VPC with detached VGW

Chapter 6

FIGURE 6.1

FQDN components

FIGURE 6.2

NAT at the VPC Internet gateway

FIGURE 6.3

Amazon EC2 DNS instance acting as resolver and forwarder

FIGURE 6.4

Amazon EC2 DNS instances with segregated resolver and forwarder

FIGURE 6.5

Amazon Route 53 traffic flow—an example traffic policy

FIGURE 6.6

Amazon Route 53 health checking

FIGURE 6.7

Classic Load Balancer

FIGURE 6.8

Application Load Balancer

FIGURE 6.9

Network Load Balancer

FIGURE 6.10

ELB sandwich

Chapter 7

FIGURE 7.1

Configuring your Amazon CloudFront distribution

FIGURE 7.2

Amazon CloudFront content delivery

FIGURE 7.3

Amazon CloudFront content delivery

FIGURE 7.4

Streaming distributions, web, and RTMP

Chapter 8

FIGURE 8.1

Templates and stacks

FIGURE 8.2

AWS Service Catalog workflow

FIGURE 8.3

Shuffle sharding

FIGURE 8.4

Web ACLs, rules, and conditions

FIGURE 8.5

VPN over Public VIF

FIGURE 8.6

VPN over Private Virtual Interface

FIGURE 8.7

Shared responsibility model

FIGURE 8.8

SSH login attempts overview

FIGURE 8.9

Network traffic analysis overview

FIGURE 8.10

IP reputation overview

Chapter 10

FIGURE 10.1

Minimal VPC with a single public subnet

FIGURE 10.2

The stack state in the AWS Management Console when the stack has been rolled back

FIGURE 10.3

The stack events showing the route failed to create because it could not reference the Internet gateway

FIGURE 10.4

Parameters for the single public subnet template with the Availability Zone drop-down menu

FIGURE 10.5

Creating a change set for an existing stack

FIGURE 10.6

Examining the changes that would result by narrowing the CIDR range

FIGURE 10.7

A VPC with a private subnet connected to an on-premises network via a VPN.

FIGURE 10.8

AWS CodePipeline continuous deployment example

FIGURE 10.9

Amazon CloudWatch graph showing standard VPN metrics

FIGURE 10.10

Amazon CloudWatch custom metrics showing packet loss to three different hosts

FIGURE 10.11

Amazon CloudWatch dashboard for a VPN connection

FIGURE 10.12

Creating an alarm for a custom packet loss metric

FIGURE 10.13

The format of the received alarm over SMS (left) and email (right)

Chapter 12

FIGURE 12.1

Hybrid web application using AWS Load Balancing

FIGURE 12.2

Hybrid web application using DNS and AWS load balancing

FIGURE 12.3

Hybrid Active Directory setup

FIGURE 12.4

Quality of Service implementation

FIGURE 12.5

AWS CodeDeploy endpoint access over public VIF

FIGURE 12.6

Using AWS Direct Connect and VPN for Amazon WorkSpaces connectivity

FIGURE 12.7

Accessing Amazon S3 over AWS Direct Connect private VIF

FIGURE 12.8

VPN to VGW over AWS Direct Connect public VIF

FIGURE 12.9

VPN to Amazon EC2 instance over AWS Direct Connect private VIF

FIGURE 12.10

Isolating routing domains using VRF

FIGURE 12.11

VPN to Amazon EC2 over AWS Direct Connect public VIF

FIGURE 12.12

Transit VPC architecture

FIGURE 12.13

VPC peering vs. transit VPC for spoke-to-spoke communication

FIGURE 12.14

Transit VPC vs. AWS Direct Connect Gateway for hybrid traffic

FIGURE 12.15

Transit VPC vs. AWS Direct Connect Gateway for hybrid traffic

FIGURE 12.16

Detached VGW vs. on-premises initiated VPN

FIGURE 12.17

Global transit VPC

FIGURE 12.18

Global transit VPC with regional transit hub

Chapter 14

FIGURE 14.1

Scenario 1

FIGURE 14.2

Scenario 2

FIGURE 14.3

Scenario 3

FIGURE 14.4

Scenario 4

FIGURE 14.5

Scenario 5

FIGURE 14.6

Scenario 6

Chapter 15

FIGURE 15.1

Policy evaluation decision flow

FIGURE 15.2

Rotated plot of Amazon VPC flow logs: time/destination port/activity

Chapter 16

FIGURE 16.1

Current application network design

FIGURE 16.2

Web and application server network design

FIGURE 16.3

Regional availability

FIGURE 16.4

Multi-regional resiliency

FIGURE 16.5

Multi-region disaster planning


Table of Exercises

EXERCISE 1.1 Review Network Service Documentation

EXERCISE 2.1 Create a Custom VPC

EXERCISE 2.2 Create Two Subnets for Your Custom VPC

EXERCISE 2.3 Connect Your Custom VPC to the Internet and Establish Routing

EXERCISE 2.4 Launch a Public Amazon EC2 Instance and Test the Connection to the Internet

EXERCISE 2.5 Launch a Private Amazon EC2 Instance and Test the Connection to the Internet

EXERCISE 3.1 Create a Gateway VPC Endpoint for Amazon S3

EXERCISE 3.2 Create a VPC Endpoint Service

EXERCISE 3.3 Create a VPC Endpoint

EXERCISE 3.4 Working with Transitive Routing

EXERCISE 3.5 Add IPv4 CIDR Ranges to a VPC

EXERCISE 4.1 Create a VPN Connection Using the AWS-Managed VPN Option

EXERCISE 4.2 Create a VPN Connection Using an Amazon EC2 Instance as the VPN Termination Endpoint

EXERCISE 4.3 Connect Two Remote Networks Using a Detached VGW and VPN Connections Leveraging AWS VPN CloudHub

EXERCISE 4.4 Create a VPN Overlay to Allow Connections Between Two VPCs via a Transit Point

EXERCISE 5.1 Create a Public VIF

EXERCISE 5.2 Create a Private VIF

EXERCISE 5.3 Add IPv6 to a Private VIF

EXERCISE 5.4 Create a Private Hosted VIF

EXERCISE 5.5 Create a LAG

EXERCISE 6.1 Register a New Domain Name with Amazon Route 53

EXERCISE 6.2 Configuring Elastic Load Balancing

EXERCISE 6.3 Create an Alias A Record with a Simple Routing Policy

EXERCISE 6.4 Create a Weighted Routing Policy

EXERCISE 6.5 Deploy a Set of HAProxy Instances in an ELB Sandwich Configuration

EXERCISE 7.1 Create an Amazon CloudFront Web Distribution

EXERCISE 7.2 Create an Amazon CloudFront RTMP Distribution

EXERCISE 7.3 Add an Alternate Domain Name to Your Amazon CloudFront Distribution

EXERCISE 7.4 Configure Amazon CloudFront to Require HTTPS Between Viewers and Amazon CloudFront

EXERCISE 7.5 Delete a CloudFront Distribution

EXERCISE 8.1 Create a Static Amazon S3 Website

EXERCISE 8.2 Set Up an Amazon CloudFront Distribution

EXERCISE 8.3 Use an Amazon CloudFront Origin Access Identity

EXERCISE 8.4 Configure Amazon CloudFront to Block Requests

EXERCISE 8.5 Deploy AWS WAF to Block a Specific IP Address

EXERCISE 9.1 Test Performance Across Availability Zones

EXERCISE 9.2 Inside a Placement Group

EXERCISE 9.3 Jumbo Frames

EXERCISE 9.4 Performance Between Regions

EXERCISE 9.5 Use Amazon CloudWatch Metrics

EXERCISE 10.1 Create a Template

EXERCISE 10.2 Update a Stack

EXERCISE 10.3 Parameterize Templates

EXERCISE 10.4 Rollbacks

EXERCISE 10.5 Version Control

EXERCISE 10.6 Pipeline Integration

EXERCISE 10.7 Monitor Network Health

EXERCISE 11.1 Set Up Amazon WorkSpaces

EXERCISE 11.2 Set Up Amazon RDS

EXERCISE 11.3 Create an AWS Elastic Beanstalk Application

EXERCISE 11.4 Create an Amazon EMR Cluster

EXERCISE 11.5 Create an Amazon Redshift Cluster

EXERCISE 12.1 Set Up a Hybrid Three-Tier Web Application Using Network Load Balancer

EXERCISE 12.2 Access Amazon S3 over AWS Direct Connect

EXERCISE 12.3 Set Up Encryption over AWS Direct Connect

EXERCISE 12.4 Create a Transit VPC Global Infrastructure

EXERCISE 13.1 Set Up Flow Logs

EXERCISE 13.2 Test Instance-to-Instance Connectivity with ping

EXERCISE 13.3 Inspect Amazon VPC Flow Logs

EXERCISE 13.4 Using traceroute

EXERCISE 13.5 Use AWS Trusted Advisor to Troubleshoot Service Limits

EXERCISE 14.1 Create a Billing Alarm

EXERCISE 14.2 Configure a Budget

EXERCISE 14.3 Enable Cost and Usage Report

EXERCISE 15.1 Use Amazon Inspector

EXERCISE 15.2 Use AWS Artifact

EXERCISE 15.3 Use AWS Trusted Advisor

EXERCISE 15.4 Enable AWS CloudTrail Encryption and Log File Validation

EXERCISE 15.5 Enable AWS Config

EXERCISE 16.1 Enterprise Shared Services

EXERCISE 16.2 Network Security

Foreword

Cloud computing is fundamentally disrupting most aspects of the information technology business. Users no longer buy hardware, storage, or databases. Instead, they rent what they need in a consumption-based model—by the gigabyte per day or hour for storage, by the hour, minute, or even millisecond for compute. For example, as of this writing, users of Amazon Web Service’s Lambda event-driven functional compute service pay $0.0000002 per request, and $0.000000208 per 100 milliseconds of compute time for functions when using 128 MB of RAM, but only after first using up one million requests and 3,200,000 compute-seconds that are provided free of charge each month.

A critical part of this disruption is the radical changes happening in the networking market. For years, networking was the last bastion of the mainframe computing model: vertically integrated, incredibly complex, very slow to evolve, and with ridiculously high margins. Networking has been completely different from the server world, where competition has emerged at every level: the component level, the finished server level, the operating system level, and of course the application stack, which has literally thousands of competitors. Networking has been like a step backwards in time, where one company produced everything from the core ASIC, to the finished router, through to the control software and protocol stack.

FIGURE 1 Comparison of networking equipment and general-purpose servers

What’s changing in the networking world is that there is now a variety of competitors emerging for all components in a networking device, and cloud computing providers have the scale to be able to justify investing in a very well-staffed network engineering team. There now is another way and, consequently, networking costs are falling fast while bandwidth is escalating and latency is improving.

Building networks using custom-designed routers running custom control software and protocol stacks is a substantial undertaking, and only the largest operators have the scale to justify the investment. Those that can support the research and development effort of going to a fully-customized hardware and software networking stack are rewarded with far lower costs and much higher availability. The biggest availability improvements come from focusing the complexity on exactly what is needed to support a single homogeneous but massive world-wide networking plant rather than having to support simultaneously a hodge-podge of diverse networks implemented by generations of networking engineers over decades at enterprises throughout the world.

How does the rest of the world take advantage of this first level of disruption at the physical network level? Primarily at the next level. The second level of change and disruption is loosely described as “software defined networking” or SDN. At this level, a cooperating set of components (networking devices, Hypervisors, network coprocessors on hosts, and so forth) conspire to create networking constructs—CIDR ranges and subnets, IP addresses, LANs, routes, and so on—dynamically and under software control as exposed through APIs. In this area, Amazon Virtual Private Cloud technology is one of the largest and most mature SDN technologies in the industry, but there are many other interesting and important developments and initiatives in this area.

The third level of change and disruption is a further development of the first two, and it is just now beginning to show its presence in AWS. Let’s step back. If you want to define networking behavior in software and you’re dealing with cloud-scale systems, then you’re going to need to dynamically re-write packets in parallel flows at massive scale. Take something as apparently simple as outbound traffic from a private network to the Internet that flows through a network address translation/port address translation (NAT/PAT) gateway. Historically, the NAT/PAT use case was limited to a single networking device because there is a shared state (the port/address mapping table) that all flows need to access constantly. The only way to support large numbers of high-speed connections is to scale up the device, and then availability becomes a challenge—if that single device goes down, all connectivity is lost.

Suppose that we build a distributed state machine—hundreds of cooperating hosts that have a shared state table for NAT/PAT, but one that can operate on the multiple network flows in parallel. That’s exactly what AWS has done with its NAT Gateway service, as I discussed on my blog at the time. And, more recently, AWS launched the Network Load Balancing service, which is in many ways the mirror image of the NAT Gateway service. In those services and many more under development, we take advantage of the scale of the AWS cloud to build highly-available, massively-parallel networking engines on Amazon Elastic Compute Cloud (Amazon EC2) itself with customized hardware assist. These engines appear to both sides of the connection as a single IP address—like a giant switch or router. In between the “inner” and “outer” single IP addresses could be dozens or hundreds of powerful hosts pumping packets at their maximum per-host rate, potentially rewriting those packets at line rate, all the while participating in a distributed state machine that has the high availability and massive scalability of parallel and distributed cloud architecture.

Using these and a range of other new technologies, AWS is able to provide a set of powerful networking and security features, dynamically defined by software, supported by hardware assist and delivered very inexpensively. The beneficiaries are every kind of IT consumer, all the way from national governments and large enterprises, to start-ups, non-profits, and small businesses.

I’ve mostly been talking about the guts of our cloud networking system: How it’s built and what’s inside. But the most important thing is not how (which can and will change dynamically under the hood as we constantly iterate and advance our technology) but the what; that is, what you as an IT professional can do with the features that these advanced technologies expose.

In this book, AWS experts will take you through that what. In the following chapters, you’ll begin with the basics and then advance through the most sophisticated networking features that the AWS cloud has to offer. When you complete this study guide, you will have the fundamental knowledge required to succeed on the AWS Certified Advanced Networking – Specialty certification.

The best thing about networking in the cloud is that networking is no longer a static, expensive, and labor-intensive domain managed only by experts and evolved only at great expense in labor and hardware. Networking is now an integral part of developing, deploying, and managing powerful and highly-secure software using modern secure dev/ops approaches. Networking is now open to builders. Now go build!

James Hamilton

Vice President and Distinguished Engineer

Amazon Web Services

Introduction

There’s a lot to know if you want to provide highly available, scalable, performant, and flexible architectures. This study guide is designed to help you develop appropriate networking solutions using AWS and to provide you with the knowledge required to achieve the AWS Certified Advanced Networking – Specialty certification.

This study guide covers relevant topics on the exam, with additional context to help further your understanding. By referencing the exam blueprint, this study guide provides a comprehensive view of the knowledge required to pass the exam. While Chapter 2, Amazon Virtual Private Cloud (Amazon VPC) and Networking Fundamentals, provides a review of key networking fundamentals for Amazon Virtual Private Cloud (Amazon VPC), this study guide does not include many of the concepts covered by the prerequisite exams. It is also expected that you have hands-on experience architecting and implementing network solutions.

This study guide begins with an introduction to AWS networking, which is then followed by chapters on the topics covered in the exam. Chapters include specific information on services or topics, followed by an Exam Essentials section that contains key information needed for your exam preparation.

Each chapter includes an Exercise section with activities designed to help reinforce the topic of the chapter with hands-on learning. Each chapter then contains Review Questions to assess your knowledge. Note that the actual exam questions will require you to combine multiple concepts to determine the correct answer. The Review Questions in this study guide focus specifically on the topics and concepts of a given chapter.

The guide also contains a self-assessment exam with 25 questions. Two practice exams with 50 questions each are also included to help you gauge your readiness to take the exam, as well as flashcards to help you learn and retain key facts needed to prepare for the exam.

What Does this Book Cover?

This book covers topics that you need to know to prepare for the Amazon Web Services (AWS) Certified Advanced Networking – Specialty exam:

Chapter 1: Introduction to Advanced Networking This chapter provides an overview of the AWS Global Infrastructure, Amazon Virtual Private Cloud, and other AWS networking services. The chapter provides a baseline understanding of concepts like AWS Regions and Availability Zones. It also characterizes where various network capabilities reside within the overall AWS infrastructure.

Chapter 2: Amazon Virtual Private Cloud (Amazon VPC) and Networking Fundamentals This chapter reviews the basics of Amazon VPC and the components within it. The content covers the foundational knowledge required for operating both IPv4 and IPv6 in an Amazon VPC. Subsequent chapters build on the information provided in this chapter.

Chapter 3: Advanced Amazon Virtual Private Cloud (Amazon VPC) In this chapter, you will learn advanced Amazon VPC concepts such as AWS PrivateLink, VPC endpoints, and transitive routing. There is a review of a few of the ways to connect services privately in different VPCs. In addition, there are some advanced IP address features, such as reclaiming elastic IP addresses.

Chapter 4: Virtual Private Networks This chapter is intended to provide you with an understanding of how to design Virtual Private Networks (VPNs) on AWS. We go into detail on the various options available for VPN termination in AWS. We evaluate the options in terms of ease of VPN creation and management, high availability, scalability, and additional features. We sum up the chapter by talking about various design patterns around VPN use in AWS, including transitive routing.

Chapter 5: AWS Direct Connect In this chapter, we will expand on the elements involved in deploying AWS Direct Connect, beginning with Physical Connectivity at Direct Connect Locations, the provisioning process, and finally covering the logical configuration of Virtual Interfaces. Both hosted connections and dedicated connections are covered along with Public and Private Virtual Interfaces including integration with Direct Connect Gateway.

Chapter 6: Domain Name System and Load Balancing This chapter begins with an overview of Domain Name System and Amazon EC2 DNS. It then describes Amazon Route 53, including domain registration and routing policies. This chapter then dives into Elastic Load Balancing and each of the three types of Load Balancers: CLB, ALB, and NLB.

Chapter 7: Amazon CloudFront This chapter describes the Amazon CloudFront service, its components, and how Amazon CloudFront distributions can be used to serve static, dynamic, and streaming objects.

Chapter 8: Network Security This chapter focuses on the network security capabilities provided by or enabled through AWS services. You will learn about the spectrum of network security options available from the edge of the network through to individual Amazon EC2 instances. This chapter also discusses new AWS offerings that leverage Artificial Intelligence and Machine Learning to protect information regarding your network infrastructure.

Chapter 9: Network Performance This chapter discusses network performance. There is a brief review of the components of network performance, how they are implemented in AWS, and how to configure your applications for better network performance. The chapter also reviews some example use cases where network performance is important for applications.

Chapter 10: Automation This chapter describes how to automate the deployment and configuration of networks on AWS. You’ll start by learning how to maintain the network infrastructure as code by creating AWS CloudFormation templates and stacks, and how to use AWS CodePipeline to enable the continuous deployment of this infrastructure at scale. The chapter finishes by covering Amazon CloudWatch to monitor the health and performance of your network and how to create alarms that alert you when an issue arises.

Chapter 11: Service Requirements This chapter discusses AWS services that can be launched within a VPC. It maps the service requirements of each service to the corresponding network requirements. Knowledge of network requirements for each service will help you design and assess appropriate network architectures on the exam.

Chapter 12: Hybrid Architectures This chapter explains how to design hybrid architectures using the technologies and AWS Cloud services. We go into detail on how AWS Direct Connect and Virtual Private Networks (VPNs) can be leveraged to enable common hybrid IT application architectures. We also dive deep into the transit VPC architecture, discussing the various design elements of the architecture and the various use cases where it can be leveraged.

Chapter 13: Network Troubleshooting This chapter begins with a discussion of both traditional and AWS-provided network troubleshooting tools. It then addresses common troubleshooting scenarios and the steps to take in each scenario.

Chapter 14: Billing In this chapter, we will cover the elements involved in AWS billing as it relates to Networking. The content considers factors such as data processing fees, data transfer fees, and hourly service charges in relation to Amazon EC2, VPN, AWS Direct Connect, and Elastic Load Balancing. The chapter also discusses data transfer specifically between Availability Zones and AWS Regions.

Chapter 15: Risk and Compliance In this chapter, you will learn about a range of risk and compliance considerations when leveraging the cloud. The chapter begins with a review of threat modeling, access control, and encryption. The chapter then discusses network monitoring and malicious activity detection. Finally, you will learn about executing penetration and vulnerability assessment on your AWS workloads.

Chapter 16: Scenarios and Reference Architectures This chapter covers scenarios and reference architectures for combining different AWS network components to meet common customer requirements. These scenarios include implementing networks that span multiple regions and locations, connecting to enterprise shared services, and creating hybrid networks.

Interactive Online Learning Environment and Test Bank

The authors have worked hard to provide you with some really great tools to help you with your certification process. The interactive online learning environment that accompanies the AWS Certified Advanced Networking – Specialty Official Study Guide provides a test bank with study tools to help you prepare for the certification exam. This will help you increase your chances of passing it the first time! The test bank includes the following:

Sample Tests All of the questions in this book, including the 25-question Assessment Test at the end of this introductory section and the Review Questions at the end of each chapter, are provided online. In addition, there are two Practice Exams online with 50 questions each. Use these questions to test your knowledge of the study guide material. The online test bank runs on multiple devices.

Flashcards The online test banks include 100 Flashcards specifically written to quiz your knowledge of AWS operations. After completing all of the exercises, Review Questions, Practice Exams, and Flashcards, you should be more than ready to take the exam. The flashcard questions are provided in a digital flashcard format (a question followed by a single correct answer). You can use the Flashcards to reinforce your learning and provide last-minute test prep before the exam.

Glossary A Glossary of key terms from this book is available as a fully-searchable PDF.

Go to http://www.wiley.com/go/sybextestprep to register and gain access to this interactive online learning environment and test bank with study tools.

Exam Objectives

The AWS Certified Advanced Networking – Specialty Exam is intended for people who have experience designing and implementing scalable network infrastructures. Exam concepts that you should understand for this exam include the following:

Designing, developing, and deploying cloud-based solutions using AWS

Implementing core AWS services according to basic architectural best practices

Designing and maintaining network architecture for all AWS services

Leveraging tools to automate AWS networking tasks

In general, certification candidates should understand the following:

AWS networking nuances and how they relate to the integration of AWS services

Advanced networking architectures and interconnectivity options (for example, IP VPN, and MPLS/VPLS)

Networking technologies within the OSI model and how they affect implementation decisions

Development of automation scripts and tools

Design, implementation, and optimization of the following:

Routing architectures

Multi-region solutions for a global enterprise

Highly-available connectivity solutions

CIDR and subnetting (IPv4 and IPv6)

IPv6 transition challenges

Generic solutions for network security features, including WAF, IDS, IPS, DDoS protection, and Economic Denial of Service/Sustainability (EDoS)

Professional experience using AWS technology

Experience implementing AWS security best practices

Knowledge of AWS storage options and their underlying consistency models

The exam covers six different domains, with each domain broken down into objectives and subobjectives.

Objective Map

The following table lists each domain and its weighting in the exam, along with the chapters in the book where that domain’s objectives and subobjectives are covered.

Domain (Percentage of Exam): Chapters

Domain 1.0: Design and implement hybrid IT network architectures at scale (23%): Chapters 1, 3, 4, 5, 12, 16
    1.1 Implement connectivity for hybrid IT: Chapters 4, 12
    1.2 Given a scenario, derive an appropriate hybrid IT architecture connectivity solution: Chapters 3, 4, 12, 16
    1.3 Explain the process to extend connectivity using AWS Direct Connect: Chapter 5
    1.4 Evaluate design alternatives that leverage AWS Direct Connect: Chapters 1, 4, 5, 12
    1.5 Define routing policies for hybrid IT architectures: Chapters 3, 4, 5, 12

Domain 2.0: Design and implement AWS networks (29%): Chapters 1, 2, 3, 6, 7, 8, 9, 10, 13, 14, 16
    2.1 Apply AWS networking concepts: Chapters 1, 2, 3, 10, 13
    2.2 Given customer requirements, define network architectures on AWS: Chapters 8, 10, 16
    2.3 Propose optimized designs based on the evaluation of an existing implementation: Chapters 10, 16
    2.4 Determine network requirements for a specialized workload: Chapters 6, 7, 9
    2.5 Derive an appropriate architecture based on customer and application requirements: Chapters 3, 6, 7, 8, 9, 10
    2.6 Evaluate and optimize cost allocations given a network design and application data flow: Chapter 14

Domain 3.0: Automate AWS tasks (8%): Chapters 8, 10
    3.1 Evaluate automation alternatives within AWS for network deployments: Chapter 10
    3.2 Evaluate tool-based alternatives within AWS for network operations and management: Chapters 8, 10

Domain 4.0: Configure network integration with application services (15%): Chapters 1, 2, 6, 7, 11, 12
    4.1 Leverage the capabilities of Amazon Route 53: Chapters 1, 6
    4.2 Evaluate DNS solutions in a hybrid IT architecture: Chapters 6, 12
    4.3 Determine the appropriate configuration of DHCP within AWS: Chapter 2
    4.4 Given a scenario, determine an appropriate load balancing strategy within the AWS ecosystem: Chapters 1, 6
    4.5 Determine a content distribution strategy to optimize for performance: Chapters 1, 6, 7
    4.6 Reconcile AWS service requirements with network requirements: Chapter 11

Domain 5.0: Design and implement for security and compliance (12%): Chapters 1, 3, 4, 5, 8, 12, 15
    5.1 Evaluate design requirements for alignment with security and compliance objectives: Chapters 3, 8, 15
    5.2 Evaluate monitoring strategies in support of security and compliance objectives: Chapters 8, 15
    5.3 Evaluate AWS security features for managing network traffic: Chapters 1, 8, 15
    5.4 Utilize encryption technologies to secure network communications: Chapters 4, 5, 8, 12, 15

Domain 6.0: Manage, optimize, and troubleshoot the network (13%): Chapter 13
    6.1 Given a scenario, troubleshoot and resolve a network issue: Chapter 13

Assessment Test

Which Virtual Private Network (VPN) protocols are supported under the AWS managed VPN connection option?

A. Internet Protocol Security (IPsec)
B. Generic Routing Encapsulation (GRE)
C. Dynamic Multipoint VPN (DMVPN)
D. Layer 2 Tunneling Protocol (L2TP)

How will you vertically-scale Virtual Private Network (VPN) throughput in a Virtual Private Cloud (VPC) when terminating the VPN on Amazon Elastic Compute Cloud (Amazon EC2) with minimal downtime?

A. Attach multiple elastic network interfaces to the existing Amazon EC2 instance responsible for VPN termination.
B. Stop the Amazon EC2 instance and change the instance type to a larger instance type. Start the instance.
C. Take a snapshot of the instance. Launch a new, larger instance using this snapshot, and move the Elastic IP address from the existing instance to the new instance.
D. Launch a new Amazon EC2 instance of a larger instance type. Move the Amazon Elastic Block Store (Amazon EBS) disk from the existing instance to the new instance.

Which of the following is required to create a 1 Gbps AWS Direct Connect connection?

A. Open Shortest Path First (OSPF)
B. 802.1Q Virtual Local Area Network (VLAN)
C. Bidirectional Forwarding Detection (BFD)
D. Single-mode fiber

The Letter of Authorization – Connecting Facility Assignment (LOA-CFA) document downloaded via the AWS Management Console provides the AWS Direct Connect location provider with which of the following?

A. The cross-connect port detail for the AWS end of the connection
B. The cross-connect port detail for the customer end of the connection
C. The cross-connect’s assigned AWS Region
D. The billing address for the cross-connect

You have a three-tier web application. You have to move this application to AWS. As a first step, you decide to move the web layer to AWS while keeping the application and database layer on-premises. During initial phases of this migration, the web layer will have servers both in AWS and on-premises. How will you architect this setup? (Choose two.)

A. Set up an AWS Direct Connect private Virtual Interface (VIF).
B. Use Network Load Balancer to distribute traffic to the web layer on-premises and in the Virtual Private Cloud (VPC).
C. Set up an AWS Direct Connect public VIF.
D. Set up an IP Security (IPsec) Virtual Private Network (VPN) from on-premises to AWS, terminating at the Virtual Private Gateway (VGW).
E. Use Classic Load Balancer to distribute traffic to the web layer on-premises and in the VPC.

You have set up a transit Virtual Private Cloud (VPC) architecture. You are connected to the hub VPC using AWS Direct Connect and a detached Virtual Private Gateway (VGW). You want all hybrid IT traffic to the production spoke VPC to pass through the transit hub VPC. You also want on-premises traffic to the test VPC to bypass the transit VPC, reaching the test spoke VPC directly. How will you architect this solution, considering least latency and maximum security?

A. Set up an AWS Direct Connect private Virtual Interface (VIF) to an AWS Direct Connect Gateway. Attach the VGW of the test VPC to the AWS Direct Connect Gateway.
B. Assign public IP addresses to the Amazon Elastic Compute Cloud (Amazon EC2) instance in the test VPC, and access these resources using the public IP addresses over AWS Direct Connect public VIF.
C. Set up a VPN from a detached VGW to an Amazon EC2 instance in the test VPC.
D. Set up a VPN from the detached VGW to the VGW of the test VPC.

You have created a Virtual Private Cloud (VPC) with an IPv4 CIDR of 10.0.0.0/27. What is the maximum number of IPv4 subnets that you can create?

A. 1
B. 2
C. 3
D. 4

You create a new Virtual Private Cloud (VPC) in us-east-1 and provision three subnets inside this VPC. Which of the following statements is true?

A. By default, these subnets will not be able to communicate with each other; you will need to create routes.
B. All subnets are public by default.
C. All subnets will have a route to one another.
D. Each subnet will have identical Classless Inter-Domain Routing (CIDR) blocks.

Your networking group has decided to migrate all of the 192.168.0.0/16 Virtual Private Cloud (VPC) instances to 10.0.0.0/16. Which of the following is a valid option?

A. Add a new 10.0.0.0/16 Classless Inter-Domain Routing (CIDR) range to the 192.168.0.0/16 VPC. Change the existing addresses of instances to the 10.0.0.0/16 space.
B. Change the initial VPC CIDR range to the 10.0.0.0/16 CIDR.
C. Create a new 10.0.0.0/16 VPC. Use VPC peering to migrate workloads to the new VPC.
D. Use Network Address Translation (NAT) in the 192.168.0.0/16 space to the 10.0.0.0/16 space using NAT Gateways.

What do Amazon CloudFront Origin Access Identities (OAIs) do?

A. Increase the performance of Amazon CloudFront by preloading video streams.
B. Allow the use of Network Load Balancer as an origin server.
C. Restrict access to Amazon Elastic Compute Cloud (Amazon EC2) web instances.
D. Restrict access to an Amazon Simple Storage Service (Amazon S3) bucket to only special Amazon CloudFront users.

Which types of distributions are required to support Amazon CloudFront Real-Time Messaging Protocol (RTMP) media streaming? (Choose two.)

A. An RTMP distribution for the media files
B. A web distribution for the media player
C. A web distribution for the media files
D. An RTMP distribution for media files and the media player
E. Amazon CloudFront does not support RTMP streaming.

Voice calls to international numbers from inside your company must go through an open-source Session Border Controller (SBC) installed on a custom Linux Amazon Machine Image (AMI) in your Virtual Private Cloud (VPC) public subnet. The SBC handles the real-time media and voice signaling. International calls often have garbled voice, and it is difficult to understand what people are saying. What may increase the quality of international voice calls?

A. Place the SBC in a placement group to reduce latency.
B. Add additional network interfaces to the instance.
C. Use an Application Load Balancer to distribute load to multiple SBCs.
D. Enable enhanced networking on the instance.

Your big data team is trying to determine why their proof of concept is running slowly. For the demo, they are trying to ingest 100 TB of data from Amazon Simple Storage Service (Amazon S3) on their c4.8xl instance. They have already enabled enhanced networking. What should they do to increase Amazon S3 ingest rates?

A. Run the demo on premises, and access Amazon S3 from AWS Direct Connect to reduce latency.
B. Split the data ingest on more than one instance, such as two c4.4xl instances.
C. Place the instance in a placement group, and use an Amazon S3 endpoint.
D. Place a Network Load Balancer between the instance and Amazon S3 for more efficient load balancing and better performance.

An AWS CloudFormation change set can be used for which of the following purposes? (Choose two.)

A. Checking if an existing resource has been altered outside of AWS CloudFormation.
B. Examining the differences between the current stack and a new template.
C. Specifying which changes are to be applied to a stack from a new template by editing the change set.
D. Rolling back a previous update to an existing stack.
E. Executing a stack update after changes are approved in a continuous delivery pipeline.

You have created an AWS CloudFormation stack to manage network resources in an account with the intent of allowing unprivileged users to make changes to the stack. When a user attempts to make a change and update the stack, however, the user gets a permission denied error when a resource is updated. What might be the cause?

A. The stack does not have a stack policy attached to it that allows updates.
B. The user does not have permission to invoke the CloudFormation:UpdateStack Application Programming Interface (API).
C. The template does not have a stack policy attached to it that allows updates.
D. The stack does not have an AWS Identity and Access Management (IAM) service role attached to it that allows updates.

You are trying to resolve host names from an instance in VPC A for instances that reside in VPC B. The two VPCs are peered within the same region. What action must be taken to enable this?

A. Disable DNS host names by setting the enableDnsHostnames value to false in VPC B, the peered VPC.
B. Enable the value for Allow DNS Resolution from Peer VPC for the VPC peering connection.
C. Build an IP Security (IPsec) tunnel from an instance in VPC A to the VGW of VPC B to allow DNS resolution between the VPCs.
D. Build your own DNS resolver in VPC B, and point VPC A’s instances to this resolver.

When using Amazon Route 53, the EDNS0 extension is used when you want to do which of the following?

A. Adjust the Time To Live (TTL) of Domain Name System (DNS) records.
B. Increase the accuracy of geolocation routing by adding optional extensions to the DNS protocol.
C. Increase the accuracy of geolocation routing by removing unneeded extensions to the DNS protocol.
D. Create a geolocation resource record set in a private hosted zone.

What happens when you associate an Amazon CloudFront distribution with an AWS Lambda@Edge function?

A. AWS Lambda is deployed in your Virtual Private Cloud (VPC).
B. AWS Lambda@Edge will create an Amazon Simple Notification Service (Amazon SNS) topic for email notification.
C. Amazon CloudFront intercepts requests and responses at Amazon CloudFront Regional Edge Caches.
D. Amazon CloudFront intercepts requests and responses at Amazon CloudFront edge locations.