The latest edition of the official study guide for the AWS Advanced Networking certification specialty exam. The newly revised second edition of the AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam delivers an expert review of Amazon Web Services networking fundamentals as they relate to the ANS-C01 exam. You'll find detailed explanations of critical exam topics combined with real-world scenarios that will help you build the robust knowledge base you need for the test, and to succeed in the field as an AWS Certified Networking specialist. Learn about the design, implementation, and deployment of AWS cloud-based networking solutions, core services implementation, AWS service architecture design and maintenance (including architectural best practices), monitoring, hybrid networks, security, compliance, governance, and network automation. The book also offers one year of free access to Sybex's online interactive learning environment and expert study tools, featuring flashcards, a glossary of useful terms, chapter tests, practice exams, and a test bank to help you keep track of your progress and measure your exam readiness. The coveted AWS Advanced Networking credential proves your skills with Amazon Web Services and hybrid IT network architectures at scale. It assesses your ability to apply deep technical knowledge to the design and implementation of AWS networking services. This book provides you with comprehensive review and practice opportunities so you can succeed on the challenging ANS-C01 exam the first time around.
It also offers:
* Coverage of all relevant exam domains and competencies
* Explanations of how to apply the AWS skills discussed within to the real world in the context of an AWS Certified Networking-related career
* Complimentary access to the practical Sybex online learning environment, complete with practice exams, flashcards, a glossary, and test bank
AWS certification proves to potential employers that you have the knowledge and practical skills you need to deliver forward-looking, resilient, cloud-based solutions. The AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam, 2nd Edition, is your ticket to the next big step in your career.
Page count: 986
Year of publication: 2023
Cover
Table of Contents
Title Page
Copyright
Dedication
Acknowledgments
About the Author
About the Technical Editor
Introduction
Interactive Online Learning Environment and Test Bank
AWS Certified Advanced Networking - Specialty (ANS-C01) Study Guide Exam Objectives
Objective Map
How to Contact the Publisher
Assessment Test
Answers to Assessment Test
PART I: Network Design
Chapter 1: Edge Networking
Content Distribution Networking
CloudFront
Global Accelerator
Elastic Load Balancers
API Gateway
CloudFront Design Considerations
Summary
Exam Essentials
Exercises
Written Lab
Review Questions
Chapter 2: Domain Name Services
DNS and Route 53
DNS Logging and Monitoring
Route 53 Advanced Features and Policies
Route 53 Service Integrations
Route 53 Application Recovery Controller
Hybrid Route 53
Multi-account Route 53
Multi-Region Route 53
Using Route 53 Public Hosted Zones
Using Route 53 Private Hosted Zones
Using Route 53 Resolver Endpoints in Hybrid and AWS Architectures
Using Route 53 for Global Traffic Management
Domain Registration
Summary
Exam Essentials
Exercises
Review Questions
Chapter 3: Hybrid and Multi-account DNS
Implementing Hybrid and Multi-account DNS Architectures
Route 53 Hosted Zones
Traffic Management
Domain Delegation and Forwarding
Configuring Records in Route 53
Configuring DNSSEC
Multi-account Route 53
DNS Endpoints
Configuring Route 53 Monitoring and Logging
Summary
Exam Essentials
Written Labs
Review Questions
Chapter 4: Load Balancing
Elastic Load Balancing
ELB Connectivity Patterns
Autoscaling
AWS Service Integrations
ELB Configuration Options
Target Groups
Encryption and Authentication
Summary
Exam Essentials
Exercises
Written Labs
Review Questions
Chapter 5: Logging and Monitoring
CloudWatch
Transit Gateway Network Manager
VPC Reachability Analyzer
Access Logs
X-Ray
Flow Logs
Baseline Network Performance
Inspector
Application Insights
Config
Summary
Exam Essentials
Written Labs
Review Questions
PART II: Network Implementation
Chapter 6: Hybrid Networking
Hybrid Connectivity
OSI Layer 1
OSI Layer 2
Encapsulation and Encryption
Routing Fundamentals
The BGP Routing Protocol
Direct Connect
Site-to-Site VPN
AWS Account Resource Sharing
Summary
Exam Essentials
Exercises
Written Labs
Review Questions
Chapter 7: Connecting On-Premises Networks
On-Premises Network Connectivity
VPNs
Layer 1 and Types of Hardware to Use
Transit Gateway
PrivateLink
Resource Access Manager
Testing and Validating Connectivity Between Environments
Summary
Exam Essentials
Written Labs
Review Questions
Chapter 8: Inter-VPC and Multi-account Networking
Networking Services of VPCs
Hub-and-Spoke VPC Architectures
Wide-Area Networking
Expanding AWS Networking Connectivity
Authentication and Authorization
Summary
Exam Essentials
Exercises
Review Questions
Chapter 9: Hybrid Network Routing and Connectivity
Industry-Standard Routing Protocols Used in AWS Hybrid Networks
Optimizing Routing
Connectivity Methods for AWS and Hybrid Networks
AWS Networking Limits and Quotas
Available Private and Public Access Methods for Custom Services
Available Inter-Regional and Intra-Regional Communication Patterns
Summary
Exam Essentials
Written Lab
Exercises
Review Questions
PART III: Network Management and Operations
Chapter 10: Network Automation
Network Automation
Infrastructure as Code
Integrating Network Automation Using Infrastructure as Code
Summary
Exam Essentials
Exercises
Review Questions
Chapter 11: Monitor, Analyze, and Optimize Network Traffic
Monitoring, Analyzing, and Optimizing AWS Networks
Monitor and Analyze Network Traffic to Troubleshoot and Optimize Connectivity Patterns
Analyzing Logging Output to Assess Network Performance and Troubleshoot Connectivity
Optimize AWS Networks for Performance, Reliability, and Cost-Effectiveness
Optimizing Network Throughput
Summary
Exam Essentials
Written Labs
Exercises
Review Questions
PART IV: Network Security, Compliance, and Governance
Chapter 12: Security, Compliance and Governance
Security, Compliance, and Governance
Threat Models
Common Security Threats
Securing Application Flows
Network Architectures That Meet Security and Compliance Requirements
Securing Inbound Traffic Flows
Securing Outbound Traffic Flows
Securing Inter-VPC Traffic
Implementing an AWS Network Architecture to Meet Security and Compliance Requirements
Develop a Threat Model and Identify Mitigation Strategies
Compliance Testing
Automating Security Incident Reporting and Alerting
Summary
Exam Essentials
Exercises
Written Labs
Review Questions
Chapter 13: Network Monitoring and Logging
Network Monitoring and Logging Services in AWS
Alerting Mechanisms
Log Creation with Different AWS Services
Log Delivery Mechanisms
Mechanisms to Audit Network Security Configurations
Traffic Mirroring and Flow Logs
CloudWatch
Correlating and Analyzing Information Across Single or Multiple AWS Log Sources
Summary
Exam Essentials
Exercises
Review Questions
Chapter 14: Confidentiality and Encryption
Confidentiality and Encryption
Network Encryption Options Available on AWS
VPN Connectivity Over Direct Connect
Encryption Methods for Data in Transit
Network Encryption and the AWS Shared Responsibility Model
Security Methods for DNS Communications
Implementing Network Encryption Methods to Meet Application Compliance Requirements
Implementing Encryption Solutions to Secure Data in Transit
Certificate Management Using a Certificate Authority
Summary
Exam Essentials
Exercises
Review Questions
Appendix: Answers to Review Questions
Chapter 1: Edge Networking
Chapter 2: Domain Name Services
Chapter 3: Hybrid and Multi-account DNS
Chapter 4: Load Balancing
Chapter 5: Logging and Monitoring
Chapter 6: Hybrid Networking
Chapter 7: Connecting On-Premises Networks
Chapter 8: Inter-VPC and Multi-account Networking
Chapter 9: Hybrid Network Routing and Connectivity
Chapter 10: Network Automation
Chapter 11: Monitor, Analyze, and Optimize Network Traffic
Chapter 12: Security, Compliance and Governance
Chapter 13: Network Monitoring and Logging
Chapter 14: Confidentiality and Encryption
Index
End User License Agreement
Chapter 1
TABLE 1.1 AWS ELB Product Comparisons: ELB Types
TABLE 1.2 AWS ELB Product Comparisons: Layer 7
TABLE 1.3 AWS ELB Product Comparisons: Characteristics
TABLE 1.4 AWS ELB Security
TABLE 1.5 AWS ELB Kubernetes Controller
TABLE 1.6 AWS ELB Logging and Monitoring
Chapter 8
TABLE 8.1 Standard vs. Enterprise
Chapter 9
TABLE 9.1 BGP Limits
TABLE 9.2 Amazon Route 53
TABLE 9.3 AWS Transit Gateways
TABLE 9.4 AWS App Mesh
Chapter 14
TABLE 14.1 IPSec TLS Comparison
Chapter 1
FIGURE 1.1 AWS global CloudFront network
FIGURE 1.2 AWS CloudFront edge distributions
FIGURE 1.3 AWS CloudFront regional edge nodes
FIGURE 1.4 Caching data at CloudFront edge locations
FIGURE 1.5 Origin Shield
FIGURE 1.6 Lambda@edge
FIGURE 1.7 Geo-restriction
FIGURE 1.8 Geolocation
FIGURE 1.9 Global Accelerator high-level architecture
FIGURE 1.10 Global Accelerator speed comparison test
FIGURE 1.11 Cross-zone load balancing
FIGURE 1.12 ALB features
FIGURE 1.13 Gateway load balancer features
FIGURE 1.14 Gateway load balancer VPC interconnections
FIGURE 1.15 NLB features
FIGURE 1.16 Edge API gateways
FIGURE 1.17 Regional API gateways
FIGURE 1.18 API Gateway deployed in a VPC
FIGURE 1.19 Private API gateways
Chapter 2
FIGURE 2.1 URL format
FIGURE 2.2 DNS server hierarchy
FIGURE 2.3 DNS resolution process
FIGURE 2.4 Sample resource record
FIGURE 2.5 DNSSEC key creation
FIGURE 2.6 DNSSEC KSK generation
FIGURE 2.7 DNS Resolver
FIGURE 2.8 Route 53 health checks
FIGURE 2.9 Route 53 health check configuration
FIGURE 2.10 Route 53 health check notification
FIGURE 2.11 Route 53 routing policies
FIGURE 2.12 Route 53 simple routing policy
FIGURE 2.13 Route 53 Multivalue response
FIGURE 2.14 Route 53 latency-based routing policy
FIGURE 2.15 Route 53 failover routing policy
FIGURE 2.16 Route 53 round-robin routing policy
FIGURE 2.17 Route 53 weighted routing policy
FIGURE 2.18 Route 53 geolocation routing policy
FIGURE 2.19 Route 53 geo-proximity routing policy
FIGURE 2.20 Hybrid DNS architecture
FIGURE 2.21 Multi-account DNS
FIGURE 2.22 Multi-account forward requests
FIGURE 2.23 Resolver endpoints
FIGURE 2.24 Route 53 regional failover
FIGURE 2.25 Domain lookup
FIGURE 2.26 Domain choice
FIGURE 2.27 Route 53 domain registration contact information
Chapter 3
FIGURE 3.1 Route 53 hosted zones
FIGURE 3.2 Route 53 private hosted zones
FIGURE 3.3 Route 53 public hosted zones
FIGURE 3.4 Traffic policy editor
FIGURE 3.5 Traffic policy creation step 1
FIGURE 3.6 Traffic policy creation step 2
FIGURE 3.7 Traffic latency-based routing
FIGURE 3.8 Geolocation routing
FIGURE 3.9 Weighted-based routing
FIGURE 3.10 Failover-based routing
FIGURE 3.11 Multivalue-based routing
FIGURE 3.12 Health check configuration step 1
FIGURE 3.13 Health check configuration step 2
FIGURE 3.14 Resolver forwarding rules
FIGURE 3.15 Route 53 record types
FIGURE 3.16 A record
FIGURE 3.17 AAAA record
FIGURE 3.18 CNAME record
FIGURE 3.19 MX record
FIGURE 3.20 Start of Authority record
FIGURE 3.21 TXT record
FIGURE 3.22 PTR record
FIGURE 3.23 Alias record
FIGURE 3.24 SRV record
FIGURE 3.25 SPF record
FIGURE 3.26 NAPTR record
FIGURE 3.27 CAA record
FIGURE 3.28 Inbound/outbound endpoint configuration
FIGURE 3.29 Outbound resolver endpoints
FIGURE 3.30 Outbound endpoint configuration
FIGURE 3.31 Inbound resolver endpoints
FIGURE 3.32 Inbound endpoint configuration
FIGURE 3.33 CloudTrail event history
FIGURE 3.34 Route 53 query logging configuration
Chapter 4
FIGURE 4.1 Gateway load balancing
FIGURE 4.2 Internal load balancing
FIGURE 4.3 External load balancing
FIGURE 4.4 Autoscaling
FIGURE 4.5 Global Accelerator
FIGURE 4.6 Certificate Manager integration with ALB
FIGURE 4.7 Cross-zone load balancing
FIGURE 4.8 Sticky feature configuration
FIGURE 4.9 Deregistration delay
FIGURE 4.10 ELB deletion protection
FIGURE 4.11 ELB deletion protection warning
FIGURE 4.12 Health check configuration
FIGURE 4.13 SSL/TLS offload
FIGURE 4.14 SSL/TLS passthrough
Chapter 5
FIGURE 5.1 CloudWatch metrics
FIGURE 5.2 CloudWatch metric groups
FIGURE 5.3 Enabling detailed monitoring
FIGURE 5.4 CloudWatch log groups
FIGURE 5.5 CloudWatch alarms configuration screen
FIGURE 5.6 CloudWatch Metric Insights
FIGURE 5.7 Network Reachability Analyzer configuration screen
FIGURE 5.8 Network Reachability Analyzer trace results
FIGURE 5.9 Network load balancer CloudWatch logs
FIGURE 5.10 CloudTrail logs
FIGURE 5.11 X-Ray workflow map
FIGURE 5.12 Creating a VPC Flow Log
FIGURE 5.13 Config dashboard
FIGURE 5.14 Config query editor
Chapter 6
FIGURE 6.1 OSI model
FIGURE 6.2 Small form-factor pluggable interfaces
FIGURE 6.3 Ethernet MAC address
FIGURE 6.4 Ethernet MAC address format
FIGURE 6.5 802.1Q VLAN identifiers
FIGURE 6.6 VxLAN tunnel with endpoints
FIGURE 6.7 GRE header
FIGURE 6.8 IPSec transport mode header
FIGURE 6.9 IPSec tunnel mode header
FIGURE 6.10 BGP ASs
FIGURE 6.11 BGP peering table
FIGURE 6.12 Direct Connect private VIF
FIGURE 6.13 Direct Connect public VIF
FIGURE 6.14 VPN backup
FIGURE 6.15 Hardware high availability connections
FIGURE 6.16 Direct Connect configuration wizard
FIGURE 6.17 Direct Connect configuration dialog
FIGURE 6.18 Direct Connect review and create dialog
FIGURE 6.19 Virtual interface creation
FIGURE 6.20 LAG creation
FIGURE 6.21 Direct Connect gateway
FIGURE 6.22 Virtual private gateway
FIGURE 6.23 Site-to-site VPN
Chapter 7
FIGURE 7.1 Dual tunnel site-to-site VPN
FIGURE 7.2 Accelerated site-to-site VPN
FIGURE 7.3 Layer 2 switch
FIGURE 7.4 Basic routing
FIGURE 7.5 Gateways
FIGURE 7.6 Software-defined networking
FIGURE 7.7 Windows ping
FIGURE 7.8 Windows traceroute
Chapter 8
FIGURE 8.1 VPC peer connection
FIGURE 8.2 Nontransitive peering
FIGURE 8.3 Meshed VPC peering
FIGURE 8.4 Shared resource VPC
FIGURE 8.5 PrivateLink VPC endpoint partner configuration
FIGURE 8.6 PrivateLink VPC endpoint AWS Services configuration
FIGURE 8.7 Hub-and-spoke VPC networks
FIGURE 8.8 AWS Transit Gateway service
FIGURE 8.9 SD-WAN basic architecture
FIGURE 8.10 AWS organizations
FIGURE 8.11 AWS Directory Service configuration screen
Chapter 9
FIGURE 9.1 Edit VPC route
FIGURE 9.2 Route table configuration
FIGURE 9.3 Enabling route propagation
FIGURE 9.4 Service quota dashboard
FIGURE 9.5 Service request
FIGURE 9.6 Quota history tracking
Chapter 10
FIGURE 10.1 Cloud Development Kit workflow
FIGURE 10.2 CloudFormation workflow
FIGURE 10.3 CloudFormation designer
FIGURE 10.4 EventBridge scheduler
FIGURE 10.5 EventBridge target
FIGURE 10.6 EventBridge create schedule
FIGURE 10.7 S3 bucket listing
FIGURE 10.8 S3 bucket object listing
Chapter 11
FIGURE 11.1 Unicast data flow
FIGURE 11.2 Multicast data flow
FIGURE 11.3 Configuring Transit Gateway multicast
FIGURE 11.4 Edge caching
FIGURE 11.5 DynamoDB Accelerator
Chapter 12
FIGURE 12.1 Monolithic architecture
FIGURE 12.2 Microservices architecture
FIGURE 12.3 Serverless architecture
FIGURE 12.4 Containerized architecture
FIGURE 12.5 Edge architecture
FIGURE 12.6 Network Firewall traffic flow
FIGURE 12.7 AWS Shield DDoS protection
FIGURE 12.8 AWS VPC security group inbound
FIGURE 12.9 AWS VPC security group outbound
FIGURE 12.10 AWS VPC NACL inbound
FIGURE 12.11 AWS VPC NACL outbound
FIGURE 12.12 NACL subnet associations
FIGURE 12.13 Untrusted VPC
FIGURE 12.14 Perimeter VPC
FIGURE 12.15 Three-tier architecture
FIGURE 12.16 Hub-and-spoke architecture
Chapter 13
FIGURE 13.1 VPC Flow Logging
FIGURE 13.2 Creating a VPC Flow Log
FIGURE 13.3 Creating a VPC Flow Log
FIGURE 13.4 Created VPC Flow Log
FIGURE 13.5 Flow Log tab
FIGURE 13.6 Flow Log data
FIGURE 13.7 VPC security group inbound
FIGURE 13.8 VPC Traffic Mirroring
Chapter 14
FIGURE 14.1 IPSec VPN
FIGURE 14.2 IPSec handshake
FIGURE 14.3 TLS handshake
FIGURE 14.4 CloudFront edge TLS encryption
FIGURE 14.5 Encrypted load balancing
FIGURE 14.6 Bastion host
FIGURE 14.7 RDS encryption
FIGURE 14.8 S3 encryption
Second Edition
Todd Montgomery
Copyright © 2024 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada and the United Kingdom.
ISBNs: 9781394171859 (paperback), 9781394171873 (ePDF), 9781394171866 (ePub)
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permission.
Trademarks: WILEY, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. AWS is a registered trademark of Amazon Technologies, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic formats. For more information about Wiley products, visit our website at www.wiley.com.
Library of Congress Control Number: 2023945280
Cover image: © Jeremy Woodhouse/Getty Images, Inc. Cover design: Wiley
This book is dedicated to My Nguyen for all her support and patience.
First off, I would like to acknowledge and thank you, the readers of this book. You are the reason for all the long hours of research and writing to complete this rather large undertaking. I truly want to give back to the tech community, and this is my contribution to the networking community that I have spent my life in. I hope that by allowing me to transfer some of my knowledge to you, you can be more successful in your career and, of course, pass the AWS Advanced Networking exam. If you become a better networking engineer because of something you picked up reading this book, then I will feel satisfied.
To my wonderful daughter, who is now in college at Georgia State University, I want to thank you for the support and giving me encouragement when yet another weekend was consumed writing this book. My Nguyen was so understanding and supportive, it just never stops amazing me. She understood the sacrifices made and our missed time together as I hid out in libraries around the city pounding out text to complete yet another chapter. She is an amazing woman and helped me across the finish line of completing this book. Thank you, My!
There is the whole team at Wiley that I want to acknowledge and thank for all the support and assistance they gave me through this project. Thank you, Ken Brown, for helping me through every project I undertake with Wiley; you have helped me so much over the years and I really appreciate everything you do. Kelly Talbot was the force behind the scenes as the development editor who tried to keep me out of the ditch as much as possible. Kelly, thank you for all the hours you dedicated to making this book as professional and accurate as we possibly could; I know it was not easy. I want to thank the managing editor, Pete Gaughan, for all his hard work. As always, there is a team of Wiley professionals in offices coast to coast who work behind the scenes to edit and produce quality books. To all the hidden Wiley professionals, thank you for all the great work you do!
—Todd Montgomery
Todd Montgomery has been in the networking industry for more than 40 years. Todd holds many AWS, CompTIA, Cisco, and Juniper certifications. Todd has spent most of his career in the field working on-site in data centers throughout North America and around the world. He has worked on the most advanced networks of equipment manufacturers, systems integrators, and end users in the data center and cloud computing environments of the private sector, service providers, and the government sector. Todd currently works as a data center network automation engineer in Austin, Texas. He is involved in network implementation and support of emerging data center technologies and AWS public cloud services. Todd lives in Austin, Texas, and in his free time enjoys auto racing, traveling, general aviation, and Austin's live music venues. He can be reached at [email protected].
Doug Holland is a software engineer and architect at SnapLogic and previously spent 13 years at Microsoft Corporation. He holds a master's degree in software engineering from the University of Oxford. Before joining Microsoft, he was awarded the Microsoft MVP and Intel Black Belt Developer awards.
There is a lot to know to really understand advanced networking in general and specifically how to configure and manage all the networking services AWS offers us in its cloud. As I was researching and performing deep dives into all the topics I needed to cover for the exam, I kept thinking that this could really be a massive book that would take years to put together and still not cover everything with as much detail as I wanted. However, that is the business we are in; it's very complex, and the technologies, protocols, and service offerings change all the time. Maybe that's why we find networking so interesting. I have been a hands-on networking engineer for my whole career, have worked on some of the largest networks in the world, and have helped bring many new networking technologies to the global market. I have also taken more than 50 networking certification exams over the last 30 or so years. The AWS Advanced Networking Specialty Exam ranks as one of the most difficult tests I have ever taken. I came from the enterprise networking world and spent many years working with many AWS cloud services and still found it to be a difficult exam. This exam is very different from a networking vendor's certification test track. I cannot stress this enough: you must learn networking from a cloud perspective and know the material in the exam blueprint at a deep and detailed level. This is not an associate-level certification; it goes very deep into networking, and you must know the material well if you expect to pass the exam.
Every effort has been made to include as much detail as possible in the guide. However, I strongly suggest that you also read the FAQ, developer guides, and white papers that AWS has posted on the services covered in the exam. As is often said, the more, the better. Many of the services covered in this book are chargeable in AWS; however, I urge you to get as much console time as you can to better understand the topics. You do not have to enable everything; just “take a look” in the console to get a better understanding of the services.
The exam goes way beyond just identifying the services and their basic functions. There will be detailed scenario questions that really make you think. Read the questions carefully and take the time to really understand what is being asked before you select the best answer. There may be several answers that look plausible, but read each one closely and select the most appropriate answer from the options given. Remember, one word in the question or answer can change everything.
Studying the material in the AWS Certified Advanced Networking Study Guide Specialty (ANS-C01) Exam Second Edition is an important part of preparing for the AWS Certified Advanced Networking - Specialty (ANS-C01) exam, but we provide additional tools to help you prepare. The online test bank will help you understand the types of questions that will appear on the certification exam.
The Sample Tests in the test bank include all the questions in each chapter as well as the questions from the assessment test that appears after this introduction. In addition, there are two practice exams with 50 questions each. You can use these tests to evaluate your understanding and identify areas that may require additional study.
The flashcards in the test bank will push the limits of what you should know for the certification exam. There are 100 questions provided in digital format. Each flashcard has one question and one correct answer.
The online glossary is a searchable list of key terms introduced in this exam guide that you should know for the AWS Certified Advanced Networking - Specialty (ANS-C01) exam.
To start using these to study for the AWS Certified Advanced Networking - Specialty (ANS-C01) exam, go to www.wiley.com/go/sybextestprep, register your book to receive your unique PIN, and then once you have the PIN, return to www.wiley.com/go/sybextestprep; find your book and click register or log in and follow the link to register a new account or add this book to an existing account.
Like all exams, the Advanced Networking certification from AWS is updated periodically and may eventually be retired or replaced. At some point after AWS is no longer offering this exam, the old editions of our books and online tools will be retired. If you have purchased this book after the exam was retired or are attempting to register in the Sybex online learning environment after the exam was retired, please know that we make no guarantees that this exam's online tools will be available once the exam is no longer available.
This table provides the extent, by percentage, that each section is represented on the actual examination.
Section | % of Examination
Domain 1: Network Design | 30%
Domain 2: Network Implementation | 26%
Domain 3: Network Management and Operations | 20%
Domain 4: Network Security, Compliance, and Governance | 24%
Total | 100%
Exam objectives are subject to change at any time without prior notice and at AWS's sole discretion. Please visit the AWS Certified Advanced Networking - Specialty (ANS-C01) website at https://aws.amazon.com/certification/certified-advanced-networking-specialty for up-to-date information on the certification and details on taking the exam. It is important to be familiar with the current exam objectives that can be downloaded here: https://d1.awsstatic.com/training-and-certification/docs-advnetworking-spec/AWS-Certified-Advanced-Networking-Specialty_Exam-Guide.pdf.
Objective | Chapter
Domain 1: Network Design
1.1: Design a solution that incorporates edge network services to optimize user performance and traffic management for global architectures. | 1
1.2: Design DNS solutions that meet public, private, and hybrid requirements. | 2
1.3: Design solutions that integrate load balancing to meet high availability, scalability, and security requirements. | 4
1.4: Define logging and monitoring requirements across AWS and hybrid networks. | 5
1.5: Design a routing strategy and connectivity architecture between on-premises networks and the AWS cloud. | 6
1.6: Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS regions, and VPCs to support different connectivity patterns. | 6
Domain 2: Network Implementation
2.1: Implement routing and connectivity between on-premises networks and the AWS cloud. | 7
2.2: Implement routing and connectivity across multiple AWS accounts, regions, and VPCs to support different connectivity patterns. | 8
2.3: Implement complex hybrid and multi-account DNS architectures. | 3
2.4: Automate and configure network infrastructure. | 10
Domain 3: Network Management and Operations
3.1: Maintain routing and connectivity on AWS and hybrid networks. | 9
3.2: Monitor and analyze network traffic to troubleshoot and optimize connectivity patterns. | 11
3.3: Optimize AWS networks for performance, reliability, and cost-effectiveness. | 11
Domain 4: Network Security, Compliance, and Governance
4.1: Implement and maintain network features to meet security and compliance needs and requirements. | 12
4.2: Validate and audit security by using network monitoring and logging services. | 13
4.3: Implement and maintain confidentiality of data and communications of the network. | 14
If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but even with our best efforts an error may occur.
To submit your possible errata, please email it to our Customer Service Team at [email protected] with the subject line “Possible Book Errata Submission.”
1. You have deployed AWS Lambda@Edge to run code that is triggered by CloudFront events. You want the function's logic to act only when a specific header is present in the request. Which action should you take?
A. Modify your CloudFront distribution to forward the specific header to the origin
B. Modify your CloudFront distribution to add a custom header and prepend the value of true
C. Modify CloudFront to whitelist the specific header
D. Code the Lambda function to check for the presence of the specific header in the request
E. Implement the AWS WAF service to create a rule that allows requests with the specific header
2. You are deploying the AWS Elastic Load Balancer service to distribute inbound traffic across multiple EC2 instances. You want to verify that the load balancer is routing traffic to instances in multiple availability zones. Which action can you take to accomplish this?
A. Modify the load balancer to use the cross-zone algorithm
B. Create a load balancer all-at-once routing policy
C. Launch the backend EC2 instances in multiple availability zones and register them with the load balancer
D. Use the weighted routing policy on the load balancer
E. Enable Route 53 latency-based routing to route traffic to instances in multiple availability zones
3. You are the senior cloud networking engineer for an international e-commerce company. You manage a global network of web servers that are hosted in six different AWS regions. The current task is to configure Route 53 to route each user to the web servers in the region that has the lowest latency for that user. Which routing policy would you use to accomplish this?
A. Simple routing
B. Failover routing
C. Geolocation routing
D. Geoproximity routing with traffic biasing
E. Latency routing
4. You manage the public hosted zone for your domain tipofthehat.com and want to configure Route 53 to route traffic for the www.tipofthehat.com subdomain to a new EC2 instance you are deploying in us-east-1. Which option is the correct configuration?
A. Create an NS record for the www.tipofthehat.com subdomain that points to the name servers for the public hosted zone
B. Create an A record for the www.tipofthehat.com subdomain that points to the public IP address of the EC2 instance
C. Create an MX record for the www.tipofthehat.com subdomain that points to the mail servers for the public hosted zone
D. Create a TXT record for the www.tipofthehat.com subdomain that contains the public IP address of the EC2 instance
E. Create a CNAME record for the www.tipofthehat.com subdomain that points to the public IP address of the EC2 instance
5. Your company has a pool of EC2 instances running web applications. You plan to use the AWS Network Load Balancer service to distribute traffic across the EC2 instances. You must architect the network to ensure that the load balancer is able to handle spikes in traffic and that it is highly available. Which configuration should you use?
A. Deploy a single network load balancer with a single subnet
B. Configure a single network load balancer with multiple subnets in the same availability zone
C. Use a single network load balancer with multiple subnets in different availability zones
D. Deploy a multi-AZ network load balancer with a single subnet in each availability zone
E. Deploy a multi-AZ network load balancer with multiple subnets in each availability zone
6. You are a cloud networking engineer for a large financial services company. The firm has a fleet of EC2 instances that are all running a web application. You plan on using CloudWatch to monitor the network performance of the EC2 instances and to generate CloudWatch alarms if the network performance drops below a threshold that you configure. Which metric would be the best to monitor for the network performance of the EC2 instances?
A. NetworkIn
B. NetworkOut
C. PercentPacketLoss
D. PacketsReceived
E. PacketsSent
7. Your company has a VPC that contains a fleet of EC2 instances running a web application. You are planning to configure CloudTrail to log all API calls made against the EC2 instances. You also want to use VPC Flow Logs to capture information about the network traffic that is flowing to and from the EC2 instances. Which one of the following options will enable you to capture the source and destination IP addresses, the ports, and the protocols of the network traffic and relate them to the API calls?
A. Configure CloudTrail to log all API calls to the EC2 instances and configure VPC Flow Logs to export the logs to CloudWatch Logs
B. Configure CloudTrail to log all API calls to the EC2 instances and configure VPC Flow Logs to export the logs to Amazon S3
C. Configure CloudTrail to log all API calls to the EC2 instances and configure VPC Flow Logs to export the logs to a Lambda function
D. Configure CloudTrail to log all API calls to the EC2 instances and configure VPC Flow Logs to export the logs to a CloudWatch Logs Insights query
8. You are setting up AWS GuardDuty for a large construction company in Austin, Texas. The company has multiple accounts and VPCs. You need to ensure that all findings are sent to a central security operations center (SOC) account for correlation, analysis, and a unified response. Which option would best fit this requirement?
A. Enable GuardDuty in each account and configure it to send findings to the SOC account using Amazon SNS
B. Enable GuardDuty in the SOC account and monitor all the accounts using cross-account access
C. Enable GuardDuty in each account and configure it to send findings to the SOC account using Amazon SQS
D. Enable GuardDuty in the SOC account and configure it to assume an IAM role in each monitored account
E. Enable GuardDuty in each account and configure it to send findings to the SOC account using AWS Lambda
9. Your company has a default VPC running in the ap-northeast-2 Seoul region that hosts a fleet of EC2 instances running a web application. You want to use AWS Direct Connect to connect the VPC to your on-premises data center in Goyang. You must establish a connection that is highly available. Which of the following offers the highest level of availability?
A. Establish a single Direct Connect connection with a single 10 Gbps port
B. Establish a single Direct Connect connection with two 10 Gbps ports
C. Establish two Direct Connect connections, each with a single 10 Gbps port
D. Establish two Direct Connect connections, each with two 10 Gbps ports
10. You are a senior networking engineer at a large bank that has a VPC that contains a fleet of EC2 instances running a web application. You also have data center servers that need to be able to communicate with the EC2 instances. You want to use AWS Transit Gateway to connect your VPC to your data center. You must ensure that the connection is highly available and that you can scale the network as needed. Which of the following will meet this requirement?
A. Create a single Transit Gateway attachment with a single 10 Gbps BGP session
B. Create a single Transit Gateway attachment with two 10 Gbps BGP sessions
C. Create two Transit Gateway attachments, each with a single 10 Gbps BGP session
D. Create two Transit Gateway attachments, each with two 10 Gbps BGP sessions
11. You work for a construction company that has a VPC that contains a fleet of EC2 instances running a web application in the eu-west-2 London region. You want to use the AWS Reachability Analyzer to verify that the EC2 instances are reachable from the Internet. You need to be able to trace the path the network traffic takes from the Internet to the EC2 instances. Which option should you use to configure AWS Reachability Analyzer?
A. Configure AWS Reachability Analyzer to analyze the path from a specific IP address on the Internet to the EC2 instances
B. Configure AWS Reachability Analyzer to analyze the path from a specific CIDR block on the Internet to the EC2 instances
C. Configure AWS Reachability Analyzer to analyze the path from a specific EC2 instance to the Internet
D. Configure AWS Reachability Analyzer to analyze the path from a specific VPC to the Internet
12. Your company has two VPCs, one for production and one for development. You want to allow the EC2 instances in the production VPC to communicate with the EC2 instances in the development VPC. Your CIO has asked you to do this without using a VPN or Direct Connect. Which option should you use?
A. Create a VPC peering connection between the production VPC and the development VPC
B. Create a VPN connection between the production VPC and the development VPC
C. Create a Direct Connect connection between the production VPC and the development VPC
D. Create a bastion host in the production VPC and allow the EC2 instances in the development VPC to connect to the bastion host
13. Your company has a microservices architecture that is deployed on AWS. You have been asked to use AWS App Mesh to control the traffic between the microservices. You must ensure that the traffic is routed in a way that minimizes latency and maximizes availability. Which of the following options should you use to configure App Mesh?
A. Create a virtual service for each microservice and use a service mesh router to route the traffic between the virtual services
B. Create a virtual service for each of the microservices and use a service mesh router to route the traffic between the microservices
C. Create a virtual service for each microservice and use a service mesh proxy to route the traffic between the microservices
D. Create a single virtual service for all the microservices and use a service mesh proxy to route the traffic between the microservices
14. Your company has a VPC that runs six EC2 instances hosting a custom web application. You want to use CloudFormation to create a new subnet in the VPC and then launch a new EC2 instance in the subnet. Which of the following options best fits this requirement?
A. Create the new subnet in the VPC using the AWS CLI. Then, deploy the new EC2 instance to the subnet using the AWS CLI
B. Create the subnet in the VPC using the AWS Management Console. Then, deploy the new EC2 instance to the subnet using the AWS Management Console
C. Create the new subnet and deploy the new EC2 instance using a CloudFormation template
D. Create the new subnet using the AWS CLI and deploy the new EC2 instance using a CloudFormation template
15. The research organization that you work for has deployed a cluster of EC2 instances that are running a high-performance computing application. You want to implement the AWS Elastic Fabric Adapter (EFA) interface to increase the performance of the application. Which option would provide the best performance improvement?
A. Create a single Elastic Fabric Adapter interface and attach it to all the cluster EC2 instances
B. Create multiple Elastic Fabric Adapter interfaces and attach one EFA to each EC2 instance in the cluster
C. Create a single Elastic Fabric Adapter interface and attach it to a subset of the cluster EC2 instances
D. Create multiple Elastic Fabric Adapter interfaces and attach one EFA to a subset of the EC2 instances in the cluster
16. You are the senior network engineer for a large shipping company. The company's production VPC hosts a fleet of EC2 instances running a custom web application. You are planning on configuring Traffic Mirroring to capture all ingress and egress traffic from the EC2 instances and storing the captured traffic in a CloudWatch Logs log group. What is the best way to configure VPC Traffic Mirroring?
A. Create a VPC traffic mirror session that mirrors all the traffic to a network interface in the VPC. Then, enable a CloudWatch Logs subscription for the network interface
B. Configure a VPC traffic mirror session that mirrors all the traffic to a CloudWatch Logs log group
C. Set up a VPC traffic mirror session that mirrors all the traffic to an AWS S3 bucket. Next, configure a CloudWatch Logs subscription for the S3 bucket
D. Configure a VPC traffic mirror session that mirrors all the traffic into a Kinesis Data Firehose stream. Then, create a CloudWatch Logs subscription for the Kinesis Data Firehose stream
17. You work as the senior cloud network engineer for a data analytics company. The company's eu-west-1 Ireland test VPC hosts six large EC2 instances that are all running an AI application. You want to use AWS Elastic Network Interfaces (ENIs) to give each of the EC2 instances a dedicated network interface. Which option should you use to create dedicated network interfaces for each EC2 instance?
A. Create a single ENI and attach it to all the EC2 instances in the VPC
B. Create multiple ENIs and attach one ENI to each EC2 instance in the VPC
C. Create a single ENI and attach it to a subset of the EC2 instances in the VPC
D. Create multiple ENIs and attach one ENI to a subset of the EC2 instances in the VPC
18. You are a network engineer for a large university. It has a website that is hosted in the AWS us-west-1 California region. You are concerned about the website being targeted by a DDoS attack and are planning on using the AWS Shield service to protect your website. Which of the following provides the best protection against a DDoS attack?
A. Enable AWS Shield Standard
B. Enable AWS Shield Advanced
C. Enable AWS Shield Standard and AWS Shield Advanced
D. Enable AWS Shield Advanced and configure custom DDoS protection rules
19. Your company has a fleet of EC2 instances running a critical web application. You are planning on using AWS Firewall Manager to create a centralized firewall policy for all of the EC2 instances. Which option allows you to create a centralized firewall policy?
A. Create a firewall policy in each VPC that the EC2 instances are in
B. Create a firewall policy in a single VPC and attach it to all the EC2 instances
C. Create a firewall policy in AWS Firewall Manager and attach it to all the EC2 instances
D. Create a firewall policy in AWS Firewall Manager and attach it to the VPCs that the EC2 instances are in
20. You are a network engineer for a chain of retail stores in eastern Canada. The company has deployed a fleet of EC2 instances running a secure web application. You plan to use AWS Certificate Manager (ACM) to create a certificate to secure the web application. Which option allows you to create a certificate that will be trusted by all major browsers?
A. Create a self-signed certificate
B. Create a certificate that is signed by a third-party certificate authority
C. Create a certificate that is signed by AWS Certificate Manager
D. Create a certificate that is signed by Amazon Trust Services
1. D. A Lambda@Edge function is invoked for every CloudFront event of the type it is associated with (viewer request, origin request, origin response, or viewer response); CloudFront cannot be told to invoke it only when a header is present. The only way to make the behavior conditional on a header is inside the function: inspect the request's headers, continue processing when the header is present, and otherwise return the response you define (for example a 403 generated at the edge). The other options do not change when the function is invoked. Forwarding or whitelisting a header in the cache policy or origin request policy only controls whether CloudFront passes that header to the origin and includes it in the cache key. Adding a custom origin header sets a fixed value on every request to the origin. AWS WAF can allow or block requests based on a header, but it does so before the request reaches the distribution and does not affect how the Lambda function is triggered.
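The check described in the answer above, as an added example (not code from the book): a Lambda@Edge viewer-request handler in Python that lets a request continue only when a specific header carries a value, and otherwise answers with a 403 at the edge. The header name x-edge-token, the response body, and the make_event helper are assumptions for the example; the event shape (Records[0].cf.request with lowercase header keys mapping to lists of key/value dicts) is the one CloudFront delivers.

```python
"""Added example: Lambda@Edge viewer-request handler that requires a header.

Not from the book. The header name and response text are assumptions.
Lambda@Edge functions must be created in us-east-1 and cannot use environment
variables, so the configuration lives in module-level constants.
"""

REQUIRED_HEADER = "x-edge-token"  # assumed name; CloudFront lowercases header keys


def header_present(request, name):
    """Return True when the CloudFront request carries `name` with a non-empty value.

    CloudFront stores headers as request["headers"][lowercase-name] = [{"key":..., "value":...}, ...].
    """
    values = request.get("headers", {}).get(name.lower(), [])
    return any((h.get("value") or "").strip() for h in values)


def lambda_handler(event, context):
    """Viewer-request trigger.

    Returning the request object tells CloudFront to continue (cache lookup / origin);
    returning a response object ends processing at the edge.
    """
    request = event["Records"][0]["cf"]["request"]
    if header_present(request, REQUIRED_HEADER):
        return request
    # Header absent or empty: refuse at the edge so the origin never sees the request.
    return {
        "status": "403",
        "statusDescription": "Forbidden",
        "headers": {
            "content-type": [{"key": "Content-Type", "value": "text/plain"}],
            "cache-control": [{"key": "Cache-Control", "value": "no-store"}],
        },
        "body": "missing required header",
    }


def make_event(headers):
    """Build a minimal viewer-request event (constructed test input, not a real capture)."""
    return {
        "Records": [{
            "cf": {
                "config": {"eventType": "viewer-request"},
                "request": {
                    "uri": "/index.html",
                    "method": "GET",
                    "querystring": "",
                    "headers": headers,
                },
            }
        }]
    }


if __name__ == "__main__":
    with_header = make_event({"x-edge-token": [{"key": "X-Edge-Token", "value": "abc"}]})
    without_header = make_event({"host": [{"key": "Host", "value": "example.com"}]})
    print(lambda_handler(with_header, None)["uri"])         # /index.html
    print(lambda_handler(without_header, None)["status"])   # 403
```

Because the decision is made on the viewer-request event, a request without the header is rejected before any cache lookup; if you only need the header at the origin, an origin-request trigger would do the same check after the cache, so cached objects would still be served without it.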
2. C. A load balancer can only send traffic to targets that are registered with it, so the way to have it route to instances in several availability zones is to launch the backend EC2 instances in multiple availability zones, enable those zones on the load balancer, and register the instances (or have an Auto Scaling group register them). Once this is done the load balancer distributes incoming traffic across the registered, healthy instances in all enabled zones. The other options do not put instances into additional zones. Cross-zone load balancing and routing policies only change how traffic is spread across targets that are already registered. Route 53 latency-based routing selects between DNS records based on measured latency and has no effect on how the load balancer chooses among its targets.
3. E. Latency routing is the policy designed for this requirement. You create one latency record per region, each pointing at that region's web servers; Route 53 maintains latency measurements between AWS regions and end-user networks and answers each query with the record for the region that had the lowest measured latency for the resolver making the request. Geoproximity routing with a bias routes on geographic distance between the user and the resource, and the bias only enlarges or shrinks the area that is routed to a given region; distance is not the same as network latency, so it does not guarantee the lowest-latency region. Geolocation routing sends users to resources based on a continent, country, or state mapping that you define, again without measuring latency. Simple routing returns the values in a single record and does not consider the user's location at all. Failover routing sends traffic to a backup resource when the primary fails a health check and is not a latency mechanism. Latency records can be combined with health checks so that an unhealthy region is skipped.
4. B. An A record maps a name to an IPv4 address, which is exactly what is needed: an A record for www.tipofthehat.com whose value is the instance's public IPv4 address. Because a plain public IP changes when the instance is stopped and started, associate an Elastic IP with the instance before creating the record. A CNAME record maps a name to another domain name; its value cannot be an IP address, so option E is not a valid record. An NS record delegates a subdomain to a different set of name servers and does not route traffic to an address. MX records specify the mail servers for a domain, and TXT records hold arbitrary text (used for things like domain verification and SPF); neither is consulted when a browser resolves www.tipofthehat.com.
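As an added example (not code from the book) of the distinction the answer above turns on, the function below builds the ChangeBatch that the Route 53 change_resource_record_sets API expects and refuses the two mistakes in the wrong options: a CNAME whose value is an IP address, and a CNAME at the zone apex. The zone name, record name and 203.0.113.10 address are assumed sample values; nothing here contacts AWS.

```python
"""Added example: build and validate a Route 53 change batch.

Not from the book. The zone, names and IP address used below are assumptions.
"""
import ipaddress


def _is_ipv4(value):
    """True when `value` parses as an IPv4 address."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def build_change_batch(zone_name, record_name, record_type, value, ttl=300):
    """Return a ChangeBatch dict for change_resource_record_sets.

    Validates that the record type matches the kind of value supplied:
      - A records must carry an IPv4 address
      - CNAME records must carry a hostname, never an IP, and never at the apex
    """
    zone = zone_name.rstrip(".").lower()
    name = record_name.rstrip(".").lower()
    if name != zone and not name.endswith("." + zone):
        raise ValueError(f"{name} is not inside zone {zone}")
    if record_type == "A" and not _is_ipv4(value):
        raise ValueError("A record value must be an IPv4 address")
    if record_type == "CNAME":
        if _is_ipv4(value):
            raise ValueError("CNAME must point at a hostname, not an IP address")
        if name == zone:
            raise ValueError("CNAME is not allowed at the zone apex")
    return {
        "Comment": f"{record_type} record for {name}",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name + ".",          # Route 53 names are fully qualified
                "Type": record_type,
                "TTL": ttl,
                "ResourceRecords": [{"Value": value}],
            },
        }],
    }


def record_type_for_target(target):
    """Pick the record type a caller should use for a given target value."""
    return "A" if _is_ipv4(target) else "CNAME"


if __name__ == "__main__":
    batch = build_change_batch("tipofthehat.com", "www.tipofthehat.com", "A", "203.0.113.10")
    print(batch["Changes"][0]["ResourceRecordSet"])
    # With boto3 you would then call, using your own hosted zone ID (assumed placeholder):
    # boto3.client("route53").change_resource_record_sets(HostedZoneId="Z0000000000000", ChangeBatch=batch)
```

If the target were an AWS resource with its own DNS name (a load balancer, for example), the right choice would be a Route 53 alias record rather than an A record with a literal address, but for a single EC2 instance with an Elastic IP the A record is the correct and simplest option.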
5. D. A Network Load Balancer is a single regional load balancer. When you create it you enable it in one subnet per availability zone, and the service places a load balancer node in each enabled zone; an NLB does not accept more than one subnet in the same availability zone, so option E is not a configuration you can actually create. Enabling the NLB in subnets in two or more availability zones is what provides high availability: if one zone fails, the nodes in the remaining zones keep serving traffic, and each node scales independently to absorb spikes. Option C describes the same deployment as option D in different words; D states the one-subnet-per-zone arrangement explicitly and is the best answer. A single subnet in a single zone (A) has no zone redundancy; if that zone is impaired the load balancer is unreachable. Multiple subnets in the same zone (B) would not add zone redundancy even if the NLB allowed it. Note also that the NLB's own zones and the zones of the registered targets are independent: to survive a zone failure, the targets must also be spread across zones (and cross-zone load balancing can be enabled if you want each node to reach targets in every zone).
6. C. Of the listed metrics, a packet-loss percentage is the one that directly indicates a network performance problem. Byte and packet counters only tell you how much traffic moved; a lower-than-usual value could mean less load rather than a degraded network, and they say nothing about packets that never arrived. A rising packet-loss percentage, on the other hand, indicates congestion, a faulty device or link, a driver or software fault, or an instance exceeding its network allowances, and is the right quantity to alarm on. NetworkIn and NetworkOut measure the bytes received and sent by the instance, and the packet counters measure the number of packets received and sent; none of them accounts for lost packets. In practice, note that the standard EC2 CloudWatch metrics are NetworkIn, NetworkOut, NetworkPacketsIn, and NetworkPacketsOut; loss and allowance-related counters for an instance are exposed by the ENA driver and must be published through the CloudWatch agent, or measured with a network monitoring service, before you can alarm on them.
7. A. CloudTrail and VPC Flow Logs capture two different halves of the picture, and CloudWatch Logs is the destination that lets you query them side by side. CloudTrail records the management API calls made against EC2 resources (for example RunInstances or AuthorizeSecurityGroupIngress): the identity that made the call, the time, the caller's sourceIPAddress, and the request parameters. It does not see the data-plane traffic to the instances and has no port or protocol fields. VPC Flow Logs capture that traffic: for each network interface they record source and destination IP addresses, source and destination ports, the protocol, byte and packet counts, and whether the traffic was accepted or rejected by security groups and network ACLs. Publishing the flow logs to CloudWatch Logs (with CloudTrail also delivering to CloudWatch Logs) puts both in one place where CloudWatch Logs Insights can query them and you can correlate by caller IP and time; for example, an API call that opened a security group rule followed by newly accepted flows to that port.
Amazon S3 (B) is also a supported flow log destination, and is cheaper for long retention, but querying it requires a separate tool such as Athena, so it is the less direct choice for interactive correlation. A Lambda function (C) is not a flow log destination; the supported destinations are CloudWatch Logs, Amazon S3, and Kinesis Data Firehose (a Lambda function could process records after the fact, but that is a processing pipeline, not a log store). CloudWatch Logs Insights (D) is the query feature of CloudWatch Logs, not a place logs can be exported to, so option D describes something that cannot be configured.
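The correlation the answer above describes, as an added example (not code from the book): a parser for default-format VPC Flow Log records and a function that picks out the flows whose source address matches a CloudTrail event's sourceIPAddress and that started after the API call. The flow log lines, the CloudTrail event, the account, interface and security group IDs, and all IP addresses are constructed sample data.

```python
"""Added example: correlate VPC Flow Log records with a CloudTrail event.

Not from the book. All log lines and identifiers below are constructed samples.
Flow log default format (version 2):
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
"""
import json
from datetime import datetime, timezone

FLOW_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
               "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: a rejected SSH attempt, then an accepted SSH flow after the
# security group was opened, an unrelated HTTPS flow, and a NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51200 22 6 3 180 1699999800 1699999860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 51234 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.44 10.0.1.25 44000 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000120 1700000180 - NODATA
"""

# Constructed sample CloudTrail record: note it carries the caller's IP but no ports/protocol.
SAMPLE_TRAIL_EVENT = json.dumps({
    "eventTime": "2023-11-14T22:12:00Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "sourceIPAddress": "198.51.100.7",
    "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-admin"},
    "requestParameters": {"groupId": "sg-0123456789abcdef0"},
})


def parse_flow_record(line):
    """Parse one default-format flow log line into a dict with typed numeric fields."""
    parts = line.split()
    if len(parts) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FLOW_FIELDS, parts))
    for field in INT_FIELDS:
        # NODATA / SKIPDATA records use '-' placeholders for most fields.
        rec[field] = int(rec[field]) if rec[field] != "-" else None
    return rec


def parse_flow_log(text):
    """Parse a block of flow log lines, skipping blank lines."""
    return [parse_flow_record(line) for line in text.splitlines() if line.strip()]


def sample_trail_event():
    """Return the constructed CloudTrail event as a dict."""
    return json.loads(SAMPLE_TRAIL_EVENT)


def trail_event_epoch(event):
    """CloudTrail eventTime is ISO 8601 UTC; flow log start/end are Unix seconds."""
    return int(datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def flows_after_event(event, records):
    """Flow records from the API caller's IP that started at or after the API call."""
    t0 = trail_event_epoch(event)
    return [r for r in records
            if r["log_status"] == "OK"
            and r["srcaddr"] == event["sourceIPAddress"]
            and r["start"] >= t0]


def describe(rec):
    """One-line summary of a flow record for an analyst."""
    return (f"{rec['srcaddr']}:{rec['srcport']} -> {rec['dstaddr']}:{rec['dstport']} "
            f"proto {rec['protocol']} {rec['action']}")


if __name__ == "__main__":
    event = sample_trail_event()
    for rec in flows_after_event(event, parse_flow_log(SAMPLE_FLOW_LOG)):
        print(event["eventName"], "by", event["sourceIPAddress"], "then", describe(rec))
```

The same join is what a CloudWatch Logs Insights query does once both log groups are in CloudWatch Logs; doing it in code makes the point that the ports and protocol come only from the flow log side, while the identity and the action come only from CloudTrail.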
8. B. GuardDuty has a built-in administrator/member model for exactly this purpose. You designate one account (here the SOC account) as the GuardDuty administrator, most simply by making it the delegated administrator through AWS Organizations, and the other accounts become members, either automatically across the organization or by invitation. Findings from every member account are then visible and manageable in the administrator account, with GuardDuty still enabled in each member (the administrator can enable it on their behalf). SNS, SQS, and Lambda are not mechanisms for aggregating findings across accounts; they are targets you might wire to EventBridge in the administrator account for notification or automated response after the findings are already centralized. Assuming an IAM role in each account is not required, because the administrator/member relationship is handled by the service itself.
9. C. AWS Direct Connect provides a dedicated network connection between your on-premises network and AWS. Two separate Direct Connect connections, each with its own 10 Gbps port, give the highest availability of the listed options: if one connection or its router fails, the other continues to carry traffic. For maximum resilience the two connections should terminate at different Direct Connect locations and on different customer devices. A single connection with a single port (A) has no redundancy. A single connection with two ports (B) still shares the same connection, location, and router, so a failure there takes both ports down; in both A and B a connection failure means losing connectivity to AWS. Two connections with two ports each (D) adds bandwidth at a higher cost but does not improve availability over option C.
10. D. AWS Transit Gateway is a central hub that your VPCs and on-premises networks attach to. Each attachment to the data center (for example a Direct Connect transit virtual interface through a Direct Connect gateway, or a Site-to-Site VPN attachment) exchanges routes with your routers over BGP. Two attachments, each with two BGP sessions, meets both requirements: the redundant attachments and sessions mean the loss of any one path does not break connectivity, and Transit Gateway can use equal-cost multipath across the redundant paths so bandwidth can be scaled by adding more. A single attachment with a single BGP session (A) has no redundancy. A single attachment with two BGP sessions (B) protects against a session failure but not against the failure of the attachment itself, and does not let you scale beyond that one path. Two attachments with a single session each (C) is better but still leaves each attachment with a single point of failure.
11. A. Reachability Analyzer analyzes the network path between two resources in your AWS network and, when the destination is reachable, lists every hop (internet gateway, route table, network ACL, security group, network interface) the traffic traverses; when it is not reachable, it reports the component that blocks it. The source and destination must be AWS resources such as an internet gateway, a network interface, an instance, a transit gateway, or a VPN gateway. An arbitrary Internet CIDR block cannot be a path source, so option B is not a configuration the service accepts. To trace traffic from the Internet to the instances, set the source to the VPC's internet gateway and the destination to an instance (or its network interface), and optionally supply a specific source IP address, destination port, and protocol to model a particular client; that is what option A describes. Options C and D analyze the outbound direction (from the instance or VPC toward the Internet), which does not answer whether the instances are reachable from outside. Note that Reachability Analyzer evaluates configuration only; it sends no packets, so it will not detect an application that is down on an otherwise reachable instance.