AWS Certified Advanced Networking - Specialty Exam Guide E-Book

AWS Certified Advanced Networking - Specialty Exam Guide

Copyright © 2019 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Commissioning Editor: Vijin BorichaAcquisition Editor: Heramb BhavsarContent Development Editor: Abhishek JadhavTechnical Editor: Prachi SawantCopy Editor:Safis EditingProject Coordinator: Jagdish PrabhuProofreader: Safis EditingIndexer: Tejal Daruwale SoniGraphics: Jisha ChirayilProduction Coordinator: Jayalaxmi Raja

First published:  May 2019

Production reference: 1240519

Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK.

ISBN 978-1-78995-231-5

www.packtpub.com

Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

Why subscribe?

Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

Improve your learning with Skill Plans built especially for you

Get a free eBook or video every month

Mapt is fully searchable

Copy and paste, print, and bookmark content

Packt.com

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

Contributors

About the author

Marko Sluga has had the opportunity to work in computing at a very exciting time and has been privileged enough to witness the rise of cloud computing in the last 20 years. Beginning his career as a service technician, he excelled at solving difficult problems. He worked his way up the IT food chain to work on servers, operating systems, virtualization, and the cloud. In the past, Marko has architected numerous cloud computing solutions, and today works as a cloud technology consultant and an Authorized Amazon Instructor. He is AWS-certified, holding the Architect, SysOps, and Developer Associate AWS certifications, the DevOps and Architect Professional AWS certification, and the Security, Advanced Networking, and Big Data Specialty AWS certifications.

About the reviewer

Zubin Ghafari is an AWS cloud certified professional and a consultant in cloud engineering and architecture. He currently holds over 8 AWS certifications at the Associate, Professional, and Specialty levels. With a passion for consulting and the cloud, Zubin enjoys spending his time experimenting and developing customized solutions for the AWS Cloud Computing platform. He has immense gratitude for his peers at Slalom who have supported him in his career.

Packt is searching for authors like you

If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

Table of Contents

Title Page

Copyright and Credits

AWS Certified Advanced Networking - Specialty Exam Guide

About Packt

Why subscribe?

Packt.com

Contributors

About the author

About the reviewer

Packt is searching for authors like you

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Get in touch

Reviews

Section 1: Introduction

Overview of AWS Certified Advanced Networking - Specialty Certification

Technical requirements

The exam blueprint

The exam requirements

The exam structure

Scoring

Knowledge domains

Taking the exam

Summary

Section 2: Managing Networks in AWS

Networking with the Virtual Private Cloud

Technical requirements

Introduction to the VPC

VPC networks

Private and public subnets

Public, elastic, and private IPs

Working with VPCs

Creating a VPC

Configuring DHCP options

VPC networking components

ENI

Routing, NAT, and internet access

Connecting public subnets to the internet

Connecting private subnets to the internet

VPC endpoints and PrivateLink

Gateway endpoint

Interface endpoint – powered by AWS PrivateLink

Configuring an endpoint 

VPC peering

Limitations of VPC peering

Best practices

Network and VPC sizing 

High availability

Routing

VPC peering recommendations

VPC limitations

Summary

Questions

Further reading

VPC Network Security

Technical requirements

An overview of network security

Understanding network security vulnerabilities

Network layer attacks

Service layer attacks

Exploiting vulnerabilities

Application layer attacks

Security in the OSI model

Layer 2

Layer 3

Layer 4

Layer 7

WAN to LAN access patterns

Controlling port-based traffic

Controlling access to applications

Securing the VPC

Security groups

NACLs

Controlling access

VPC Flow Logs

VPC Flow Log examples

Securing EC2 instance operating systems

EC2 network adapter characteristics

Controlling traffic to and from EC2 instances

Controlling access with the OS firewall

Advanced EC2 operating system security

Delivering advanced network security in AWS

Threats to modern applications

AWS WAF concepts

DDoS mitigation

Packet security

Advanced network security patterns

Summary

Questions

Further reading

Connecting On-Premises and AWS

Technical requirements

An overview of on-premises connectivity

Connecting VPCs and private networks

Connectivity across networks

Public IPv4 and IPv6 traffic patterns

IPv4

IPv6

Public routing and BGP

VPN with the virtual private gateway

Working with VPN

The VGW service limits

Securing VPNs

Connecting with Direct Connect

Working with Direct Connect

Direct Connect requirements

Securing Direct Connect

Designing highly available and secure WAN links

Reliability

Routing

Encryption

Summary

Questions

Further reading

Section 3: Managing and Securing Network-Attached Platform Services in AWS

Managing and Securing Servers with ELB

Technical requirements

Introduction to ELB

Types of ELB

Classic Load Balancer (CLB)

Application Load Balancer (ALB)

Network Load Balancing (NLB)

Working with the ELB

Cross-zone load balancing

Securing traffic on the ELB

Security controls on the ELB

Security of the traffic contents with encryption

Protection against DoS attacks

Summary

Questions

Further reading

Managing and Securing Content Distribution with CloudFront

Technical requirements

Introducing CloudFront

Working with CloudFront

Securing content delivery

Encryption

DDoS mitigation

Summary

Questions

Further reading

Managing and Securing the Route 53 Domain Name System

Technical requirements

Introduction to Route 53

DNS resource record types

Routing policies

Simple routing

Multi-value response

Latency-based routing

Failover routing

Weighted routing

Geo-location routing

Geo-proximity routing

Health checking

Registering a domain name

Best practices

Summary

Questions

Further reading

Managing and Securing API Gateway

Technical requirements

Introduction to API Gateway

How API Gateway works

Pricing

Securing API Gateway

Authentication and authorization

Cognito and IAM

Resource policies

Lambda authorizers

Usage plans

Encryption

DoS mitigation and enhanced security

Summary

Questions

Further reading

Section 4: Monitoring and Operating the AWS Networks

Monitoring and Troubleshooting Networks in AWS

Technical requirements

Introducing CloudWatch

How CloudWatch works

Metrics, logs, and alarms

Metrics

Logs

Alarms

Monitoring types – standard and detailed

Creating a CloudWatch alarm

AWS CloudTrail

Working with VPC Flow Logs

Flow logs recommendations and limitations

Monitoring network components

Monitoring ELB

Monitoring CloudFront

Monitoring the API gateway

Monitoring Route 53

Troubleshooting

EC2 instance not accessible

ELB not responding or responding with 503

CloudFront connectivity issues

Route 53 issues

 Summary

Questions

Further reading

Section 5: Network automation in AWS

Network Automation with CloudFormation

Technical requirements

Introduction to CloudFormation

IaC versus the traditional approach

Benefits of IaC

CloudFormation basic elements

Templates

Template sections

Template policies

CreationPolicy

DeletionPolicy

UpdatePolicy and UpdateReplacePolicy

DependsOn

Stacks

Change sets

How CloudFormation works

Creating network services with CloudFormation

The VPC

Public subnets

Private subnets

Network access control lists

Trying out the template

Best practices

Summary

Questions

Further reading

Section 6: The Exam

Exam Tips and Tricks

Technical requirements

Introduction to the exam

Domain 1 – Design and implement hybrid IT network architectures at scale

Domain 2 – Design and implement AWS networks

Domain 3 – Automate AWS tasks

Domain 4 – Configure network integration with application services

Domain 5 – Design and implement for security and compliance

Domain 6 – Manage, optimize, and troubleshoot the network

Summary

Further reading

Mock Tests

Mock Test 1

Mock Test 2

Assessments

Chapter 2 – Networking with the Virtual Private Cloud

Chapter 3 – VPC Network Security

Chapter 4 – Connecting On-Premises and AWS

Chapter 5 – Managing and Securing Servers with ELB

Chapter 6 – Managing and Securing Content Distribution with CloudFront

Chapter 7 – Managing and Securing the Route 53 Domain Name System

Chapter 8 –  Managing and Securing API Gateways

Chapter 9 – Monitoring and Troubleshooting Networks in AWS

Chapter 10 – Network Automation with CloudFormation

Mock test 1

Mock test 2

Other Books You May Enjoy

Leave a review - let other readers know what you think

Preface

Before we begin, let me thank you for choosing this book as your guide to the AWS Certified Advanced Networking - Specialty exam.  The intention of this book is to provide you with a tool that will help you to gauge your AWS and general networking knowledge in order to determine your confidence level for passing the AWS Certified Advanced Networking - Specialty exam.

The goal of the book is to focus exclusively on the networking components of AWS. We will be discussing the networking services and their features in great detail and a lot of depth. This does, however, come with a caveat—I will be assuming the reader has previous experience of working as a networking engineer and is familiar with AWS services and concepts. This assumption will come at the expense of explaining basic networking concepts such as how the OSI model works, how the IP protocol operates, how we calculate IP addresses, and so on.

Furthermore, the assumption implies that the reader is familiar with AWS and the services AWS provides to run applications. The assumption will mean that some AWS services mentioned in this book will need to be read up on outside of the context of this book. If you cannot determine how comfortable you are with AWS services, I recommend picking up a copy of AWS Certified SysOps Administrator - Associate Guide or the AWS Certified Solutions Architect - Associate Guide, both available from Packt Publishing, because both of these books are great tools to get you started with AWS.

Who this book is for

If you are a system administrator or a network engineer interested in getting certified with an advanced cloud networking certification, then this book is for you. Prior experience of cloud administration and networking is necessary.

What this book covers

Chapter 1, Overview of AWS Certified Advanced Networking – Specialty Certification, outlines the AWS Certified Advanced Networking – Specialty exam and highlights the critical aspects, knowledge areas, and services covered in the official blueprint published by Amazon.

Chapter 2, Networking with VPC, describes how you can create a Virtual Private Cloud (VPC) and start building a secure network with a number of components of AWS networking services.

Chapter 3, VPC Network Security, describes how you can secure a VPC with a number of security features of the VPC and other AWS security services.

Chapter 4, Connecting On-Premise and AWS, provides an overview of the connectivity services available in AWS and the security features and controls provided for these AWS features.

Chapter 5, Managing and Securing Servers with ELB, describes the way to secure the ELB and elaborates on the critical aspects of the ELB service.

Chapter 6, Managing and Securing Content Distribution with CloudFront, provides an overview of some of the critical features of CloudFront to help you manage and secure it.

Chapter 7, Managing and Securing the Route 53 Domain Name System, introduces you to the Route 53 service and describes various components of the service.

Chapter 8, Managing and Securing the API Gateway, takes a look at how to maintain security and the highest possible uptime of the content being delivered through the API gateway.

Chapter 9, Monitoring and Troubleshooting Networks in AWS, describes how you can use  CloudWatch, CloudTrail, and the VPC Flow Logs Services to collect and track network state and metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.

Chapter 10, Network Automation with CloudFormation, provides an overview of the CloudFormation service as it relates to network services.

Chapter 11, Exam Tips and Tricks, provides elaborate guidance on how to prepare for the exam, and provides tips and tricks on the topics covered in the book.

Chapter 12, Mock Tests, consists of two mock tests for readers to test their knowledge. It tries to cover all the topics from the exam and challenges your understanding of the topics. Each mock test contains 60 questions. You should try to complete a mock test in 90 minutes.

To get the most out of this book

The knowledge that is required by readers in order to benefit from this book is as follows:

A basic understanding of general cloud computing terminology and environments

A basic understanding of networking, the OSI layers, and the IP stack

A basic understanding of network function devices, such as routers, firewalls, load balancers, and content delivery networks

A basic understanding of virtualization and server operating systems

A basic understanding of user and security management

A basic understanding of storage concepts (for example, object storage, block storage, and file storage)

A basic understanding of database services

A basic understanding of messaging in applications

A basic understanding of serverless computing

A basic understanding of automation and orchestration

In addition, a more in-depth understanding of the following topics will be beneficial:

Designing applications for high availability and resilience

Operating system scripting languages

Database structures

The JSON data format

Programming languages and application design

Download the example code files

You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

Log in or register at

www.packt.com

.

Select the

SUPPORT

tab.

Click on

Code Downloads & Errata

.

Enter the name of the book in the

Search

box and follow the onscreen instructions.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR/7-Zip for Windows

Zipeg/iZip/UnRarX for Mac

7-Zip/PeaZip for Linux

The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/AWS-Certified-Advanced-Networking-Specialty-Exam-Guide. In case there's an update to the code, it will be updated on the existing GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789952315_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "To perform this, we can add WaitCondition toCreationPolicy."

A block of code is set as follows:

{ "Transform" : { "Name" : "AWS::Include", "Parameters" : { "Location" : "s3://cftemplatebucket/simple-network-stack.json" } }

Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Open the CloudFormation console and click on Create stack."

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Reviews

Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

For more information about Packt, please visit packt.com.

Section 1: Introduction

Amazon publishes an official blueprint for each certification exam. The blueprint elaborates the scope of the exam, prerequisites to attend the exam, and the knowledge required to successfully complete the exam. This section outlines the AWS Certified Advanced Networking – Specialty exam and highlights the critical aspects, knowledge area, and services covered in the blueprint.

In this section, we will cover the following chapter:

Chapter 1

, 

Overview of AWS Certified Advanced Networking - Specialty Certification

Overview of AWS Certified Advanced Networking - Specialty Certification

In this chapter, we will be taking a look at the characteristics and structure of the AWS Certified Advanced Networking – Specialty certification exam. This chapter is intended to provide a baseline understanding of the approach to taking the exam and the type and depth of knowledge you will need to be able to successfully pass the exam. 

The following topics will be covered in this chapter:

The exam blueprint

The exam requirements

The exam structure

Scoring

Knowledge domains

Taking the exam

Technical requirements

There are no special technical requirements to follow through and understand in regards to this chapter; however, familiarity with general networking concepts will help you get a better grasp of the concepts that will be discussed. The chapters that follow will require deeper knowledge of different aspects of networking, from IP to the OSI layer to security. Additionally, topics covering network connectivity with AWS will require that you have a broad understanding of WAN connectivity types and routing protocols, especially the Border Gateway Protocol (BGP) routing mechanism.

The exam blueprint

The exam blueprint outlines that the following skills will be tested:

An understanding of the AWS network concepts

An understanding of hybrid IT network architectures

An understanding of network automation tools provided in AWS

The ability to configure network services and integrate them with applications

The ability to design and implement network security

The ability to optimize and troubleshoot networking issues

The exam requirements

AWS outlines several different requirements as prerequisites so that you're able to pass the exam. These include both the understanding of the networking components and services within AWS, as well as general networking concepts. Alongside theoretical knowledge, practical experience on large-scale network deployments is a big bonus.

The ideal exam candidate should be able to identify that they have the following list of skills:

A minimum of five years experience using AWS services with a focus on networking

A detailed understanding of the OSI model

The understanding and ability to implement AWS security best practices

The understanding of the AWS storage options and their features

The understanding of and the ability to integrate AWS networking components 

The understanding of global enterprise networking requirements

The understanding of network high availability

Deep understanding of the TCP/IP stack and IPv4 and IPv6 protocols

Can demonstrate the ability to automate networks and deploy at scale

Experience with advanced LAN networking architectures and WAN options

Experience with routing architectures and IPv6 network transitions

Experience with network security features such as WAF, IDS, IPS, and DDoS protection

The exam structure

The exam was designed in a multiple choice, multiple answer question format. There are approximately 65 questions in the exam, and you will have 170 minutes to complete them. The questions in the exam are content heavy, so this time should be used wisely. The exam is available in English, Japanese, and Simplified Chinese, and you can also sign up for an online practice exam before taking the exam with a registered exam proctor. The registration fee for the actual exam is $300 USD, and that of the practice exam is $40 USD. The exam questions come in three different formats:

Multiple choice

: You will need to select the option that provides the best answer to the question or select an answer that completes a statement. The question may come in the form of a graphic, where you will be able to point and click on the answer.

Multiple response

: You will need to select more than one option that best answers the question or completes a statement. Multiple response questions are limited to a maximum of four correct answers.

Sample directions

: You will read a statement or question and must select only the answer(s) that represent the most correct or logical response.

Scoring

When scoring the exam, the score for each of the questions is given only for fully correct answers. This means that the question will be deemed as correctly answered only when the correct answer or all of the correct answers are selected. A single incorrect answer in a multiple-response question invalidates the entire question.

The exam pass/fail grade is independent of the number of correct answers, and is calculated based on the score that's achieved out of 1,000. Each question carries a different number of points since each question is considered to be of a different level of difficulty. This means that even if you were to answer 70% of the questions correctly, you can get scored at 60% or lower if all the questions that were answered correctly carried a lower score. I encourage you to answer all the questions during the exam, as even a few unanswered questions can affect the scoring dramatically.

Historically, the community has determined that the passing scores of different AWS exams has been set to between 650 and 750 points out of a possible 1,000. The benefit of this variable passing score is that the more difficult the exam, the lower the passing score will usually be, although depending on being able to pass the exam due to a low threshold is not recommended. Once the exam is released, the metrics that are received from the exam takers are taken into account and the passing score of a particular AWS exam is adjusted periodically. This implies that the actual passing score at the time when you attempt the exam might not reflect the definition set out in this chapter. Because of this, I recommend that each exam taker has the confidence that they can answer at least 80% or more mock questions correctly before attempting the real thing.

Knowledge domains

The questions in the exam are broken down into knowledge domains. Each knowledge domain will have a defined percentage of questions in the exam. However, the exam blueprint specifies that the knowledge domains might not match the number of questions exactly, and the percentages are posted for orientation purposes only.

The following knowledge domains are defined for the AWS Certified Advanced Networking – Specialty exam:

Domain 1: Design and implement hybrid IT network architectures at scale – 23%

: The questions focus on assessing the exam taker's ability to demonstrate the understanding of external network connectivity options and their characteristics. Expect questions on Direct Connect, VPNs, IPSec, bandwith, BGP routing, and prioritizing traffic.

Domain 2: Design and implement AWS networks – 29%

: This domain represents the core of the exam and will assess the exam taker's ability to understand and design AWS network concepts. Expect questions on VPCs, subnets, gateways, routing, and NAT.

Domain 3: Automate AWS tasks – 8%

: Automation is a big part of AWS, and domain 3 will assess the exam taker's ability to use CloudFormation to automate the deployment and management of networks and their topologies at scale. Expect questions on CloudFormation, with a focus on networking.

Domain 4: Configure network integration with application services 

–

15%

: This domain assesses the exam taker's ability to implement and integrate networking components with applications running in AWS. Teams in the cloud will have to understand each other's components and responsibilities, meaning that network engineers will now be required to understand both the application and the services the application depends on to correctly and efficiently configure the network. Questions will require a general understanding of AWS services and their relationship to the network.

Domain 5: Design and implement for security and compliance – 12%

: This domain focuses on security. Questions will assess whether the exam taker is able to design and configure networks in a secure and compliant manner and apply AWS best practices to the network configuration. Expect questions on NACLs, security groups, DDoS prevention, WAF, CloudFront, and the API gateway.

Domain 6: Manage, optimize, and troubleshoot the network – 13

%: The last domain focuses on testing and assessing the exam taker's ability and understanding of management, optimization, and the troubleshooting tools that are available and practiced in AWS. Expect questions on network service configuration techniques and procedures, as well as tools for optimizing and troubleshooting networks, such as flow logs. 

Taking the exam

The first step to being prepared for this exam is, of course, the level of practical experience you have on AWS. No book can replace your day-to-day hands-on experience, and your years spent working, troubleshooting, and learning about networking technologies. The goal of this book is to provide the next step and allow you to focus on passing the exam with a well-structured approach that will enable you to rapidly prepare yourself for a pass.

Once you have acquired the relevant knowledge that's covered in the knowledge domains, you will need to assess your confidence level at passing the exam. I personally recommend that my readers and students need to achieve a confidence level of 80% or higher before taking the exam, as this is a good indicator that they can pass the exam, no matter the passing score that AWS sets for that day. To determine your confidence level, you will need to run through some practice questions. The final two chapters of this book provide you with a total of 130 original questions that simulate the types of questions and content you might find in the real exam. The ability to answer 80% or more of the mock exam questions correctly should assure you that you will be able to pass the exam. In case you require additional assurance, I would also recommend that you take the practice exam, as the questions in the practice exam will be very close to the ones in the full exam.

Summary

In this chapter, we have taken a short look at the blueprint, requirement, structure, and knowledge domains of the AWS Certified Advanced Networking – Specialty exam. We have also discussed the scoring of the exam and determined that the best strategy for passing the exam is having high confidence in passing by being able to answer mock questions correctly at a very high rate.

In the next chapter, we will be taking a look at the core networking component of AWS, the Virtual Private Cloud(VPC). The VPC gives us the ability to build a private, layer 2, isolated networking layer for our applications in the cloud.

Section 2: Managing Networks in AWS

Virtual Private Cloud (VPC) forms the basic building blocks of networking on the AWS cloud. It enables the user to create a private network on AWS infrastructure. This section describes how you can create a VPC and start building a secure network with a number of components of AWS Networking Services. We will also see how you can secure a VPC with a number of security features of the VPC and other AWS Security Services. One of the requirements for a lot of modern businesses is the need to connect existing infrastructure with the AWS data centers and services. In this section, we will get an overview of the connectivity services available and the security features and controls provided for these AWS features.

We will cover the following chapters in this section:

Chapter 2

,

Networking with the Virtual Private Cloud

Chapter 3

,

VPC Network Security

Chapter 4

,

Connecting On-Premises and AWS

Networking with the Virtual Private Cloud

In AWS, the core networking component is the Virtual Private Cloud (VPC). It serves as a private, layer 2 isolated networking layer that allows us to build applications in the cloud. VPCs can be connected to each other, on-premise locations, and AWS services, and give us a lot of flexibility when it comes to choosing built-in and custom security solutions.

This chapter will walk you through all you need to know about VPCs. First, you'll install and configure a basic VPC. Then, you'll learn about its networking components and even set some of them up. Finally, you'll engage with some best practices to ensure that you not only know everything about VPCs, but also learn how to use them in the best possible manner.

The following topics will be covered in this chapter:

Introduction to the VPC

Working with VPCs

VPC networking components

Best practices

Technical requirements

You need a solid understanding of IT networking terminology, including the ability to identify and manage resources, including, but not limited to, local area networks (LANs), routing, network address translation (NAT), the OSI layers, Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6), and the differences between these two protocols. The exam will also require that you have the ability to calculate IP address ranges and their characteristics, which falls under a basic prerequisite knowledge of networking and will not be covered in this book. You should also have experience with AWS. Familiarity with the most frequently used AWS services, such as EC2, S3, RDS, and DynamoDB, is also required. At least one year of hands-on experience in configuring AWS services and their networks is recommended.

Introduction to the VPC

The VPC service provides us with the ability to provision logically isolated networks in AWS. With VPC, we are able to design, create, and manage all aspects of networking in the AWS Cloud. When creating a VPC, we start by creating a range of IPv4 and/or IPv6 addresses that we can then split into subnets. We also have the ability to configure all aspects of routing and control how and where we attach network gateways. The VPC is the main environment that provides logical network isolation and grouping of resources, such as Elastic Compute Cloud (EC2) or Elastic Container Service (ECS) instances, and other AWS services that we want to connect to via private IP ranges.

VPC networks

When creating a VPC, we always specify a network range for the VPC. This range is limited to sizes between /28 and /16 according to the Classless Inter-Domain Routing (CIDR)definition of network addressing. Each VPC network can then be further subdivided into subnets. Addressing in VPC defaults to IPv4, but IPv6 and dual stacks can be run in a VPC if required. When running IPv6 or dual stacks, we need to be aware of the implications of the protocol and its effects on how traffic will pass through to the internet and back.

When creating a network, we need to be aware of the approximate number of addresses we will be consuming in each VPC and each subnet. This is important as the provisioning process in VPC is irreversible – when we provision a network, we cannot change it. We should try and make sure that we have designed the VPC with ample space for our application to run and possibly grow with time.

We should also consider that there will be some services running in the VPC that are reserved by AWS; for example, an IP address will be consumed for the internet gateway (IGW), the DHCP service, the NAT gateway, and the reserved addresses that AWS keeps unused for future services.

Private and public subnets

AWS defines two types of subnets that can be created within a VPC network – public and private. By design, the only difference that makes a subnet public rather than private is that instances running in a public network will be able to access the internet by default and also be made public by attaching a public or Elastic IPs to them. The public subnet would also be identified easily as it will have an IGW attached to it and aroute for all addresses pointing to the IGW.

We can think of a public subnet as a sort of DMZ in classical network terms. The subnet is hidden from public view via a router (the IGW) with 1:1 DNAT rules attached that map the public or Elastic IPs to the IPs of our instances running in the subnet. 

Private networks are completely cut off from any access to the internet by default, but can communicate with any instances running in all subnets that exist in the VPC. We can also control the traffic between all subnets through the VPC's network access control lists (NACLs) and define rules that will prevent certain subnets from communicating from each other. Private subnets are also able to connect to other networks via a NAT gateway that will allow outbound traffic, as well as through a VPN Gateway or Direct Connect connection that will allow the private subnets to communicate without on-premise systems. 

This holds true for IPv4, but when we're using IPv6, there is no such concept as NAT due to the fact that all IPv6 addresses are global unicast addresses. This means that the only way to allow an IPv6 subnet to communicate with the internet is to attach an IGW to the subnet. All IPv6 addresses in a subnet with an IGW attached are inherently able to access the internet and instantly become accessible from the internet. But what if we want to keep our instances private and still communicate with the internet? For this purpose, AWS has introduced a so-called egress-only gateway that can be used to allow instances with IPv6 addresses to communicate with the internet, but does not allow any traffic into the subnet since ingress traffic is automatically blocked. This is an easy way of making an IPv6 subnet private.

Public, elastic, and private IPs

When we use IPv4 networks and have created some resources in a VPC subnet, we will need to make them available on the internet. As we've already mentioned, we can attach an IGW to the subnet and make it public. Once we have spun up some instances in the subnet, we can either attach a public IP address or an Elastic IP address.

Public IPs are sourced from one or more AWS-controlled public IP address pools and are attached to the instance randomly whenever an instance is started. When an instance using a public IP address fails and is recreated or shut down and restarted, it will not maintain the same public IP address.

This is probably the biggest advantage of Elastic IPs. An Elastic IP address is associated with your account and is persistent. This means that you have the ability to assign the Elastic IP to your instance to retain the address when it is shut down and restarted, or you can attach the same Elastic IP the failed instance was using to an instance that was recreated.

A public or Elastic IP attachment means that a virtual 1:1 DNAT connection between the public or Elastic IP is established with the instance's private IP. When the user inspects the IP address within the instance with operating system tools, they will not be seeing the public or Elastic IP. However, we do have an option to see the public or Elastic IP address from the instance itself by looking at the instance metadata. The instance metadata is available on an APIPA address of 169.254.169.254. We can see the contents of the metadata by browsing or issuing a command to inspect the address and retrieve information about our instance that would normally be invisible in the operating system. For example, when searching for the public IP, we can browse to the following URL: http://169.254.169.254/latest/meta-data/public-ipv4.

The following diagram represents a fully redundant VPC deployment with two private subnets and two public subnets. The following numbers correspond to what is labelled in the diagram:

The VPC is deployed within an AWS region.

The VPC network address range is designated as

10.0.0.0/20

.

Two public subnets are created with IP ranges

10.0.1.0/24

and

10.0.2.0/24

.

Two private subnets are created with IP ranges

10.0.3.0/24

and

10.0.4.0/24

.

All traffic between any subnets in the VPC is allowed by default as the local route points to the VPC address range of

10.0.0.0/20

. Any additional subnets that are created in this network will also be accessible to all subnets.

The public subnets have a connection to the internet gateway.

Any EC2 instances with public or Elastic IPs assigned are accessible on the public subnet.

Any private EC2 instances in the private subnet can reach the NAT gateway.