Resources#
TODO#
- take notes
- revision
- whizlabs
- mocks (by topic)
- mock 1 (udemy)
- mock 2,3,4 (whizlabs)
- examtopic
- udemy quiz + exercise
Revision#
The numbers in parentheses throughout these notes are page numbers of the Udemy course PDF: AWS Certified Networking Specialty Slides v1.1.
Summary#
- DNS (151)
- Advanced Networking (188)
- VPC Endpoint (292, 298)
- Site-to-site VPN (347, 401, 407)
- VPN Tunnels and Routing (348, 352)
- DX Gateway with VGW (532)
- DX with TGW (547)
- DX Billing (624)
- DX (630)
- Troubleshooting in DX (626)
- Gateway Load Balancer (816)
Q & A#
- ALB (677)
- DX (625)
Good to know#
- SG (46)
- BYOIP (90)
- VPC Traffic Mirroring (105)
- DHCP Option Sets (124)
- TGW (251)
- AWS Site-to-Site VPN (403)
- Network Load Balancer (656)
Comparisons#
- private, public and EIP (33)
- IPv4, IPv6 (36)
- NACL, SG (48)
- NAT Gateway, Instance (64)
- VPC Peering vs Transit Gateway
- Cloudfront function vs lambda@edge (703)
- AWS global accelerator vs Cloudfront (711)
Exam Essential#
- VPC Fundamentals (67)
- Advanced VPC (190)
- VPC Peering Endpoint (301)
- AWs Site-to-Site VPN (402)
- Direct Connect (632)
- Firewall (806)
- Gateway Load Balancer (817)
Revision by topic#
Playlists#
- global accelerator
- api gateway
- client vpn
- cloudformation
- cloudfront
- cloudwatch
- cloudhsm
- cognito
- config
- dx
- edge computing
- elb
- firehose
- guardduty
- inspector
- lambda
- organization
- route53
- s3
- sqs
- ssm
- vpc
- vpn
- waf
- workspace
References#
- accelerator - custom routing
- alb - limit requests to cloudfront only
- aurora - regional failover
- aws organization - SCP
- cloudfront - origin types
- cloudfront - signed url vs signed cookies
- cloudfront - troubleshooting
- cloudfront - will forward the response when first byte arrives from the origin
- cloudhsm - auto ha
- cloudtrail - 5 trails for region
- cloudtrail - log encryption with KMS
- cloudtrail - use integrity validation to check the log was modified, delete or change
- cloudwatch - namespace valid characters
- cloudwatch - no need to config sns to provide data every minute
- cloudwatch - skip metrics
- config - managed rules
- config - renaming the delivery channel
- config - requirements
- config - type of triggers
- config - viewing configuration compliance
- costs model
- costs model 2
- dhcp - cannot modify and one vpc one dhcp options
- dx - dx in public regions can access any other public region
- dx - faq
- dx - lag requirement 1
- dx - lag requirement 2
- dx - public vif
- dx - public vif connectivity
- dx - quotas
- dx - requirements for virtual interfaces
- dx - vif
- dx - virtual Interfaces to Direct Connect connections or LAG bundles
- dx - vpn as backup
- ec2 - http proxy
- ec2 - network performance
- ec2 - retrieve instance metadata
- eip - hostname will be changed once eip attached
- eip - public ip change every time stop and start the instance
- eip - public ip will be released once eip attached
- eip - reverse dns record for mailserver
- eni - limitation
- flow log
- local zone - alb limitation
- local zone - supported service
- ms ad - limitation - not compatible with exchange and skype
- ms ad - requirements
- nacl - default rule# in nacl
- nat - an egress-only internet gateway is needed for outbound IPv6-to-IPv6 communication (a NAT gateway is for IPv4)
- nat - only supports tcp, udp and icmp
- nat - pricing
- nat - fragmented TCP/ICMP packets are dropped by a NAT gateway (IP fragmentation is only supported for UDP), so a TCP connection that relies on fragmentation fails
- placement group - can add / move / remove instance from group
- placement group - can launch with diff instance type but not recommended
- placement group - can span vpcs
- placement group - cannot merge placement group
- placement group - stop and start is fine but may have insufficient capacity error without capacity reservation
- quicksight - private connection with rds
- redshift - private connectivity with enhanced vpc routing
- route53 - a/p failover
- route53 - aws services which support alias records
- route53 - can attach private hosted zone with overlapping namespace in same vpc
- route53 - dns resolution b/w on-premise and aws with ad
- route53 - dns server with custom domain (white-label name servers and reusable delegation set)
- route53 - health check rules
- route53 - system rules when forwarding less specific domain
- simple ad - requirement
- sns
- tgw - peering
- tgw - quotas
- tgw - route table priority
- vpc - aws cidr tier
- vpc - aws does not support broadcast in vpc
- vpc - ipv4 subnet cidr prefix
- vpc - ipv6 subnet cidr prefix
- vpc - jumbo frame packet drop as Don't Fragment flag is set but the network does not support higher MTU
- vpc - multicast support
- vpc - reserved address in cidr
- vpc - route table quota
- vpc - route table troubleshoot
- vpc - usage of enableDnsHostnames and enableDnsSupport
- vpce - service endpoint support ipv4 over tcp only
- vpce - tagging is supported
- vpce - use prefix list in security group
- vpn - ipv6 support on tgw but not vgw
- vpn - static route a/p mode (priority)
- vpn - troubleshooting
- vpn - why cannot overlap the cidr
- vpn - ipsec encryption algorithms
- waf - config count action to test (monitor mode)
- waf - rule statement list
- workspaces - requirements
- appliance in shared vpc
- cloudhub
- multiple vpcs with a single customer gateway
- multi-vpc network infrastructure
- route table options
- shared vpc
- transit vpc
- Virtual Private Cloud Connectivity Options
- vpc peering with cidr overlap
- vpc with subnet overlapping
VPC Fundamentals (17)#
What is TCP/IP?#
Answer
What is OSI? (306)#
Answer
Answer
2^(32-28) = 16 addresses in a /28 (11 usable once the 5 AWS-reserved addresses are removed)
Can we override the main route table in VPC? (26)#
Answer
yes: associate a custom route table with the subnet; the main route table only applies to subnets without an explicit association
Which IPs are reserved for a vpc? (29)#
Answer
5 per subnet: the network address, +1 (VPC router), +2 (reserved for DNS), +3 (future use) and the last address (broadcast, unused)
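The two facts above (2^(32-prefix) addresses, five of them reserved by AWS, resolver at VPC base + 2) are easy to get wrong when sizing subnets, so here is an added example that computes them, written for these notes rather than taken from the course. It only assumes the standard library and the AWS rule that IPv4 subnets are between /16 and /28.

```python
import ipaddress

# Amazon-provided DNS is also reachable at this link-local address from any VPC.
VPC_DNS_LINK_LOCAL = "169.254.169.253"

# The addresses AWS reserves in every IPv4 subnet, as offsets from the subnet base.
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "reserved for DNS (the resolver itself lives at VPC base + 2)",
    3: "reserved for future use",
}
LAST_ADDRESS_REASON = "last address (would be broadcast; VPCs do not support broadcast)"


def subnet_reserved(cidr: str) -> dict:
    """Return total/usable counts and the reserved addresses for an AWS IPv4 subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 subnets only")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS IPv4 subnet CIDRs must be between /16 and /28")
    base = int(net.network_address)
    reserved = {str(ipaddress.ip_address(base + off)): why
                for off, why in RESERVED_OFFSETS.items()}
    reserved[str(net.broadcast_address)] = LAST_ADDRESS_REASON
    return {
        "total": net.num_addresses,                  # 2^(32 - prefix length)
        "usable": net.num_addresses - len(reserved),  # always 5 fewer than total
        "reserved": reserved,
    }


def vpc_dns_resolver(vpc_cidr: str) -> str:
    """The Amazon-provided resolver: base of the VPC's primary CIDR plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(ipaddress.ip_address(int(net.network_address) + 2))


if __name__ == "__main__":
    print(subnet_reserved("10.0.1.0/28"))
    print(vpc_dns_resolver("10.0.0.0/16"), VPC_DNS_LINK_LOCAL)
```

Note that the +2 reservation exists in every subnet, but the resolver you point clients at is the one derived from the VPC's primary CIDR (or the link-local address), not each subnet's.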
What is the default behaviour of SG (inbound and outbound)? (46)#
Answer
How is the NAT gateway charged? (59)#
Answer
Can we apply SG on a NAT gateway? (59)#
Answer
no: security groups cannot be attached to a NAT gateway; control its traffic with the NACL of its subnet and with the security groups of the instances behind it
What is the port range NAT gateway needs for outbound connection? (59)#
Answer
1024-65535 (the NAT gateway's source ports for outbound connections; the subnet NACL must allow return traffic to this range)
Why don’t we need cross-AZ failover in NAT ? (62)#
Answer
a NAT gateway lives in one AZ; if that AZ fails, the application subnets in it fail too, so the resilient design is one NAT gateway per AZ with each private subnet routing to the gateway in its own AZ (a single shared gateway would also be a cross-AZ single point of failure)
What is the most important setting to setup NAT with EC2? (63)#
Answer
disable the source and destination check
Advanced VPC (72)#
What is the limitation of adding a secondary CIDR? (79)#
Answer
How many private, public and elastic ip and sg can one ENI have? (81, 85)#
Answer
What is the use case of dual home setup with multiple ENIs? (84)#
Answer
What are the prerequisites of BYOIP? (89, 90)#
Answer
What type of Flow Logs can we capture from a VPC? (92)#
Answer
Where does the Flow Logs Action field come from? (97)#
Answer
the security group / NACL decision: ACCEPT means the packet was permitted by both, REJECT means it was denied by one of them (the field does not say which)
What type of record cannot be captured in a flow log? (98)#
Answer
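Since the ACTION field is the SG/NACL verdict, REJECT records are the first thing to look at when hunting scans or misconfigured rules. The following is an added example (not from the course) that parses the default version-2 flow log format and summarises rejects per source; the log lines are constructed for the example and the "two distinct rejected ports = scan" heuristic is an assumption, not an AWS rule.

```python
from collections import Counter

# Field order of the default (version 2) VPC flow log format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records (not real traffic): an SSH/RDP probe from one source
# that the security group rejects, an accepted internal HTTPS flow, a NODATA
# interval (no traffic on the ENI) and a single rejected SSH attempt from elsewhere.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 54321 22 6 12 1440 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 54322 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 49152 443 6 20 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40000 22 6 3 180 1700000000 1700000060 REJECT OK
"""


def parse_record(line: str):
    """Parse one default-format record; return None for NODATA/SKIPDATA intervals."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":     # NODATA / SKIPDATA carry '-' in the traffic fields
        return None
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    return rec


def rejected_by_source(log_text: str) -> Counter:
    """Count REJECT records per (srcaddr, dstport)."""
    counts = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts


def noisy_sources(log_text: str, threshold: int = 2):
    """Sources rejected on at least `threshold` distinct destination ports (a simple scan heuristic)."""
    ports = {}
    for src, dport in rejected_by_source(log_text):
        ports.setdefault(src, set()).add(dport)
    return sorted(src for src, p in ports.items() if len(p) >= threshold)


if __name__ == "__main__":
    print(rejected_by_source(SAMPLE_LOG))
    print(noisy_sources(SAMPLE_LOG))
```

Skipping records whose log-status is not OK matters: NODATA and SKIPDATA lines have '-' in the numeric fields and would otherwise break the integer conversion, and counting them as traffic would skew the totals.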
What can be the source & target of a VPC Traffic Mirror? (102, 105)#
Answer
What port does the VPC Traffic Mirror require? (105)#
Answer
UDP 4789 (VXLAN) must be allowed inbound on the mirror target
How to set a custom domain / dns on an EC2 instance? (113)#
Answer
create a DHCP options set with the domain-name and domain-name-servers you want and associate it with the VPC; options sets cannot be edited, so replace the set (one active set per VPC)
VPC DNS and DHCP#
What does enableDNSSupport do? (117)#
Answer
enables the Amazon-provided DNS resolver for the VPC (VPC CIDR base + 2, also 169.254.169.253)
What does enableDNSHostname do? (117)#
Answer
assigns DNS hostnames to instances (public hostnames for those with public IPs); requires enableDnsSupport to be true as well
How to resolve the hostname in VPC peering and TGW? (132)#
Answer
enable DNS resolution on both sides of the peering connection, and DNS support on the TGW VPC attachment, so the peer's public hostnames resolve to private IPs; private hosted zones must additionally be associated with the other VPC
How to resolve the hostname in Hybrid cloud (AWS to on-premise, on-premise to AWS) (old & new way)? (132-150)#
Answer
old:
new:
VPC Network Performance and Optimization#
Formula of throughput (154)#
What is Jumbo frame? (154)#
Answer
a frame larger than the 1500-byte default MTU: 9001 between instances in a VPC and over DX private VIFs, 8500 through a Transit Gateway
What is Path MTU Discovery? (155)#
Answer
finds the largest MTU a path supports: the sender sets the Don't Fragment bit and shrinks its packets when a hop returns ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4); block that ICMP in an SG/NACL and oversized packets are silently dropped
What are the advantages of using placement group - cluster (162)#
Answer
low latency and higher per-flow bandwidth (up to 10 Gbps single flow) for instances packed into one AZ; the trade-off is a higher chance of insufficient-capacity errors
What is the bandwidth limitation between VPC, EC2 instances, VPN and DX (179-183)?#
Answer
VPC Peering#
What is the limitation of VPC Peering? (207)#
Answer
non-transitive: a peer cannot use the other VPC's IGW, NAT, VPN/DX, other peering connections or gateway endpoints; CIDRs must not overlap
TGW#
What is the difference between vgw and tgw? (211)#
Answer
a VGW attaches to one VPC and is non-transitive (on-premises cannot reach an IGW, NAT, peered VPC or gateway endpoint through it); a TGW is a regional hub that attaches VPCs, VPNs and DX gateways, routes transitively between them and has its own route tables
what attachments does TGW support? (211)#
Answer
VPC, Site-to-Site VPN, Direct Connect gateway (transit VIF), TGW peering and Connect (GRE) attachments
What is the special route in TGW? (230)#
Answer
each attachment is associated with one TGW route table and can propagate its routes into others, so per-attachment route tables give segmentation (e.g. shared-services VPC reachable by all, isolated VPCs not reachable by each other); a blackhole route drops traffic explicitly
VPC Endpoint#
How many types of VPC endpoint? What is the difference between them? (258)#
Answer
three: gateway endpoints (S3 and DynamoDB only; a prefix-list route in the subnet route table, no ENI, no charge), interface endpoints (PrivateLink: an ENI with a private IP in your subnet, most AWS services plus partner/own services, hourly and per-GB charge, secured with security groups and endpoint policies), and Gateway Load Balancer endpoints (route traffic to an appliance fleet behind a GWLB)
Can on-premises network access to the gateway endpoint with VPN/DX? (273)#
Answer
no: gateway endpoints are only reachable from inside the VPC (the route is a prefix list in the VPC route table); use an interface endpoint for S3/DynamoDB access from VPN or DX
What kind of source can be used in a private link? (281)#
Answer
a Network Load Balancer or a Gateway Load Balancer in the provider VPC; an ALB can sit behind the NLB as a target
How to use hostname in interface endpoint? (288)#
Answer
enable private dns
How to use the interface endpoint without private DNS? (290)#
Answer
use the endpoint's own DNS name, which includes the Region (vpce-<id>-<suffix>.<service>.<region>.vpce.amazonaws.com, or the zonal variant), instead of the service's default public hostname
When should we use a private link? When should we use VPC Peering (297)#
Answer
AWS Site-to-Site VPN#
What port does IPsec need? (309)#
Answer
UDP 500 (IKE) plus ESP (IP protocol 50) for the encrypted payload; UDP 4500 when NAT-T is in use
Range of public and private ASN (313)#
Answer
public: assigned by a registry (1-64495 in the 16-bit space); private: 64512-65534 (16-bit) and 4200000000-4294967294 (32-bit). AWS uses 64512 as the default Amazon-side ASN for a VGW/TGW
4 common BGP Param for routing (319)#
Answer
What type of VPN does AWS support Site-to-Site VPN? (327)#
Answer
ipsec
What routing method does AWS support in Site-to-Site VPN? (329)#
Answer
bgp / static
What port is required in VPN for NAT-T? (335)#
Answer
udp/4500
VPN Tunnels and Routing#
How to set Active/Active tunnel (351)#
Answer
What is DPD? Port to send messages? default timeout? timeout action? (354)#
Answer
Dead Peer Detection: IKE keepalive messages over the IKE ports (UDP 500, or 4500 with NAT-T) that detect a dead tunnel peer. Default timeout 30 s (three missed replies). Timeout actions: clear (tear the tunnel down, default), restart (AWS re-initiates IKE), none
How to prevent a tunnel from terminating due to inactivity (355)#
Answer
keep traffic flowing, e.g. have an on-premises host ping an instance in the VPC every 5 seconds, and disable any idle-timeout setting on the customer gateway device
How to monitor the tunnel status? (357)#
Answer
CloudWatch metrics per VPN connection and tunnel (TunnelState, TunnelDataIn, TunnelDataOut); alarm when TunnelState drops below 1
DX#
What is the fibre mode of DX? (450)#
Answer
single-mode fibre
what is the data link requirement of DX (450)#
Answer
1000BASE-LX (1 Gbps), 10GBASE-LR (10 Gbps) or 100GBASE-LR4 (100 Gbps) transceivers; auto-negotiation disabled; 802.1Q VLAN tagging across the whole connection
What are the requirements for a customer router? (450)#
Answer
BGP with MD5 authentication (optionally BFD); one VLAN and one BGP session per VIF; a public or private ASN
What is the port of BGP? (457)#
Answer
179/tcp
What is BFD? How to enable it? (458)#
Answer
Bidirectional Forwarding Detection: a fast liveness check for the BGP session. Asynchronous BFD is enabled on the AWS side by default; the customer enables it on their router so that a failed link is detected in under a second instead of waiting for the BGP hold timer
How long does it take for failover with and without BFD? (458, 597, 598)#
Answer
with BFD: 300 ms interval × 3 missed packets ≈ 1 s; without BFD: BGP keepalive 30 s × 3 = 90 s hold time. DPD detects a dead IPsec peer (VPN); BFD shortens BGP failure detection (DX, or BGP over VPN)
How can a user whitelist the ips range from AWS? (459)#
Answer
allow the AWS ranges published in ip-ranges.json (filter by service and region, e.g. AMAZON, EC2, S3) and refresh the list when the file changes
How many VIF can a hosted connection have? (465)#
Answer
1
What Ip type does DX support? (498)#
Answer
ipv4 and ipv6
How many route prefixes can the public vif advertise? (503)#
Answer
1000
How many route prefixes can a private vif advertise? (507)#
Answer
100
What is the limitation of vif and vgw location? (507)#
Answer
in the same region
What service cannot access inside a VPC with DX? (510)#
Answer
NAT gateway (and NAT + IGW), peered VPCs, gateway endpoints (S3/DynamoDB) and the VPC DNS resolver (needs a Route 53 Resolver inbound endpoint)
What is the usage of DX gateway? (517)#
Answer
attach a private or transit VIF to VGWs/TGWs in any Region (and across accounts); the DX gateway is a global resource
How many vif can a DX connection have? (526)#
Answer
50 (public + private VIFs) per dedicated connection
How many transit vif can a DX connection have? (547)#
Answer
1(transit)
How many DX gateways can a vif have? (530)#
Answer
1
How many vif can a DX gateway connect to? (530)#
Answer
30
How many vgw can a DX gateway have? (526,547)#
Answer
10
How many tgw can a Dx gateway have? (538)#
Answer
3
What is the charge for using Dx gateway? (533)#
Answer
none: the DX gateway itself is free; you pay port-hours for the connection and data transfer out
How many routes can be advised per TGW through the DX gateway? (539)#
Answer
100 (bgp)
What is ECMP? (251, 556) - BGP only#
Answer
Equal-Cost Multi-Path: when the same prefix is learned with an equal BGP path over several DX connections, AWS balances flows across them (per-flow hashing, so a single flow still gets at most one link's bandwidth)
how to setup Active-Active with public vif and public ASN (554, 558)#
Answer
how to setup Active-Active with private vif and public ASN (558)#
Answer
no
how to setup Active-Passive with public vif and public ASN (561)#
Answer
advertise the more specific prefixes over the active VIF and the summary prefix over the passive one (longest prefix match wins); alternatively AS-path prepend on the passive side
how to constrain the adviser routes to on-premises with public vif (567)#
Answer
tag the routes advertised from on-premises with the AWS scope communities so AWS only propagates them within the local Region (7224:9100), the continent (7224:9200) or globally (7224:9300)
how to filter the adviser routes from aws in on-premises with public vif (567)#
Answer
filter on the communities AWS attaches to its routes, which say where a prefix originates: 7224:8100 for the local Region, 7224:8200 for the same continent, no community for global prefixes
what is the routing policy with private vif (577, 582)#
Answer
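The three questions above (more specific prefix for active/passive, communities, private-VIF routing policy) all come down to the order in which BGP tie-breakers are applied. The following is an added simulation for these notes, not course material or any AWS code: it models AWS choosing among prefixes learned over several private VIFs using longest prefix match first, then the local-preference communities (7224:7100/7200/7300, which are the real AWS community values), then AS-path length. The numeric local-preference values 50/100/150 are an assumption of the simulation.

```python
import ipaddress
from dataclasses import dataclass

# Local-preference communities a customer may tag routes with on a private/transit
# VIF (values from the AWS Direct Connect routing documentation). The numbers they
# map to here are an assumption for the simulation; only their order matters.
LOCAL_PREF = {"7224:7100": 50, "7224:7200": 100, "7224:7300": 150}
DEFAULT_LOCAL_PREF = 100


@dataclass(frozen=True)
class Advert:
    vif: str                    # virtual interface the prefix was learned on
    prefix: str                 # advertised prefix, e.g. "10.10.0.0/16"
    as_path: tuple              # AS path as seen by AWS; prepending makes it longer
    communities: frozenset = frozenset()

    def local_pref(self) -> int:
        return max((LOCAL_PREF[c] for c in self.communities if c in LOCAL_PREF),
                   default=DEFAULT_LOCAL_PREF)


def select_paths(adverts, destination: str):
    """Return the VIF(s) traffic to `destination` is sent over, applying in order:
    1. longest prefix match across every VIF, 2. highest local preference,
    3. shortest AS path. Several survivors with the same prefix are ECMP-balanced."""
    dst = ipaddress.ip_address(destination)
    cands = [a for a in adverts if dst in ipaddress.ip_network(a.prefix)]
    if not cands:
        return []
    longest = max(ipaddress.ip_network(a.prefix).prefixlen for a in cands)
    cands = [a for a in cands if ipaddress.ip_network(a.prefix).prefixlen == longest]
    best_lp = max(a.local_pref() for a in cands)
    cands = [a for a in cands if a.local_pref() == best_lp]
    shortest = min(len(a.as_path) for a in cands)
    cands = [a for a in cands if len(a.as_path) == shortest]
    return sorted({a.vif for a in cands})


if __name__ == "__main__":
    # Active/passive by prefix length: vif-b's two /17s win over vif-a's /16
    # even though vif-a is tagged with the high-preference community.
    adverts = [
        Advert("vif-a", "10.10.0.0/16", (65000,), frozenset({"7224:7300"})),
        Advert("vif-b", "10.10.0.0/17", (65000,)),
        Advert("vif-b", "10.10.128.0/17", (65000,)),
    ]
    print(select_paths(adverts, "10.10.5.5"))
```

The lesson the simulation makes concrete: a more specific prefix on the passive link silently overrides every preference you set on the active one, so an active/passive design must advertise identical prefixes on both links and steer with communities or prepends, or deliberately split prefixes.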
What is LAG? (584)#
Answer
Link Aggregation Group: bundles several dedicated connections into one logical connection (LACP) for more bandwidth and link-level redundancy
How many DX connections can a LAG have? (584)#
Answer
up to 4 connections of 1 or 10 Gbps, or up to 2 of 100 Gbps
What is the bandwidth requirement of a LAG? (584)#
Answer
all member connections must have the same bandwidth and terminate on the same AWS Direct Connect endpoint (same location)
What is the operation connection attribute in LAG? (589)#
Answer
minimum links: the number of member connections that must be up for AWS to treat the LAG as operational (default 0)
how to increase the resiliency of DX? (3 methods) (590)#
Answer
how to encrypt DX traffic? (2 methods) (601)#
Answer
When will the Dx connection be charged? (Hosted and Dedicated connection) (621)#
Answer
What will be charged in Dx? (615)#
Answer
Who will be charged for the DTO fee? (622)#
Answer
the owner of the resource that sends the traffic out (the account owning the VPC/VGW/TGW), even when the DX connection belongs to another account
ELB#
What layer do ALB, CLB, NLB and GLB belong to? (639)#
Answer
ALB: layer 7; NLB: layer 4; GLB: layer 3 (gateway) and layer 4 (load balancing); CLB: layers 4 and 7
What protocols do ALB, CLB, NLB and GLB support? (641)#
Answer
ALB: HTTP, HTTPS (with gRPC and WebSocket over them); NLB: TCP, UDP, TLS; GLB: IP (any protocol, GENEVE-encapsulated to the appliances); CLB: TCP, SSL, HTTP, HTTPS
Why does NLB have less latency than ALB? (652)#
Answer
NLB works at layer 4: it forwards on IP, port and protocol without terminating the connection or parsing HTTP, so no request-level inspection adds latency
What kind of target can be used in the ALB and NLB target group? (653)#
Answer
What kind of protocol is supported in the health check? (653)#
Answer
ALB: HTTP/HTTPS; NLB: TCP, HTTP or HTTPS; CLB: TCP, HTTP, HTTPS, SSL
What are the connection idle timeouts of ALB, NLB, CLB? (657)#
Answer
What routing algorithm supported by ALB, NLB, CLB (659)#
Answer
How to keep the client ip in ALB, NLB (671, 672)#
Answer
ALB and CLB (HTTP listeners): X-Forwarded-For header; NLB: client IP preserved by default for instance targets (configurable for IP targets), or Proxy Protocol v2; CLB (TCP listeners): Proxy Protocol v1
How to keep the client on the same instance for a period of time? (661)#
Answer
sticky session
What is Cross-Zone Load Balancing? (663)#
Answer
each load balancer node distributes to targets in every AZ instead of only its own; always on for ALB, off by default for NLB and GLB (on NLB it adds cross-AZ data charges), configurable on CLB
What is SNI and which ELB does it support? (667)#
Answer
Server Name Indication: the client sends the hostname in the TLS ClientHello so one listener can serve several certificates; supported by ALB and NLB (TLS listener), not by CLB
What is Connection Draining (670)#
Answer
deregistration delay: when an instance is deregistered or scaled in by an Auto Scaling group, the load balancer stops sending it new requests but lets in-flight ones finish (default 300 s) before removing it
Cloudfront#
What services / source can be Cloudfront’s origin? (683)#
Answer
Why public access is needed in cloudfront’s origin (683)#
Answer
CloudFront fetches from the origin over the public internet, so the origin must be reachable from CloudFront's address ranges; lock it down with OAC/OAI for S3, and a secret custom header or the CloudFront managed prefix list for an ALB
What is the origin group (687)#
Answer
How to change custom header / behaviour in Cloudfront? (698)#
Answer
run code at the edge: CloudFront Functions (viewer request/response, lightweight JavaScript) or Lambda@Edge (viewer and origin request/response, full Lambda)
How to restrict the content to specific geolocation? (696)#
Answer
What is AWs global accelerator? What does it work (709)#
Answer
two static anycast IPs announced from AWS edge locations; clients enter at the nearest edge and traffic rides the AWS backbone to the endpoint (ALB, NLB, EC2, EIP) in the best Region
What is the difference between AWS global accelerator and cloudfront? (711)#
Answer
CloudFront caches and only supports HTTP/HTTPS; Global Accelerator works at the transport layer (TCP/UDP), does not cache, and suits VoIP, MQTT, gaming or any non-HTTP service that needs static IPs and fast failover
Route53#
What is the longest and shortest TTL in route53 (721)#
Answer
What are the alias targets in route53 (724)#
Answer
How to bind an RDS DB instance in route53 (748)#
Answer
cname
Routing Policies in Route53? (725)#
Answer
How does Route53 perform the health check in a private VPC? (732)#
Answer
Route 53 health checkers run on the internet and cannot reach private IPs; create a CloudWatch alarm on a metric from the private resource and a health check of type "CloudWatch alarm" that follows the alarm state
How to setup hybrid DNS (754)#
Answer
Route 53 Resolver endpoints: an outbound endpoint with forwarding rules sends queries for on-premises domains to the on-premises DNS; an inbound endpoint gives on-premises DNS servers an IP in the VPC to which they forward queries for AWS-hosted names (private hosted zones, endpoint hostnames)
How does AWS ensure the HA in route53? (807)#
Answer
Network firewall#
At what layer do SG, NACL, Network Firewall, WAF and Shield operate?#
Answer
At what level in the VPC do SG and NACL apply? (766)#
Answer
When should we use NACL instead of SG? (768, 769)#
Answer
to deny explicitly: SGs are allow-only (and stateful), while NACLs are stateless and can hold DENY rules for specific IPs/ports at the subnet boundary
When should we use WAF instead of NACL? (770)#
Answer
Which of SG, NACL, Network Firewall and Shield are stateful and which stateless? (773)#
Answer
How can a SYN cookie mitigate a DDoS SYN flood?#
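A SYN flood exhausts the server's table of half-open connections; a SYN cookie removes that table by encoding the connection's state into the server's initial sequence number and only committing resources when a valid ACK comes back. The following is an added, simplified implementation written for these notes (it is not the Linux kernel scheme and not anything from the course): it packs a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash into the 32-bit ISN, and later validates the ACK statelessly. The secret, the 64-second epoch and the MSS table are assumptions of the example.

```python
import hashlib
import hmac
import time

# Server-side secret for the cookie MAC (constructed for the example; rotate it in practice).
SECRET = b"constructed-secret-rotate-me"
# Only a few MSS values fit in 3 bits, so the cookie stores an index into this table.
MSS_TABLE = (536, 1220, 1440, 1460)
EPOCH_SECONDS = 64


def _epoch(now: float) -> int:
    return int(now) // EPOCH_SECONDS


def _mac24(src, dst, sport, dport, epoch, secret) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple and the time epoch."""
    msg = f"{src}|{dst}|{sport}|{dport}|{epoch}".encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(src, dst, sport, dport, client_isn, mss, now=None, secret=SECRET) -> int:
    """Server ISN for the SYN-ACK, computed without allocating any half-open state.
    Layout (32 bits): 5-bit epoch counter | 3-bit MSS index | 24-bit (hash + client ISN)."""
    now = time.time() if now is None else now
    epoch = _epoch(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    tail = (_mac24(src, dst, sport, dport, epoch, secret) + client_isn) & 0xFFFFFF
    return ((epoch & 0x1F) << 27) | (mss_idx << 24) | tail


def check_syn_cookie(src, dst, sport, dport, client_isn, ack, now=None, secret=SECRET):
    """Validate the handshake's final ACK. Returns the MSS to use, or None unless the ACK
    carries a cookie minted for this exact 4-tuple within the current or previous epoch."""
    now = time.time() if now is None else now
    cookie = (ack - 1) & 0xFFFFFFFF          # the ACK acknowledges ISN + 1
    counter, mss_idx, tail = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = _epoch(now)
    for epoch in (current, current - 1):     # tolerate one epoch boundary crossing
        if (epoch & 0x1F) != counter:
            continue
        expected = (_mac24(src, dst, sport, dport, epoch, secret) + client_isn) & 0xFFFFFF
        if hmac.compare_digest(expected.to_bytes(3, "big"), tail.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    isn = make_syn_cookie("203.0.113.5", "10.0.1.25", 40000, 443, 0x12345678, 1460)
    print(hex(isn), check_syn_cookie("203.0.113.5", "10.0.1.25", 40000, 443, 0x12345678, isn + 1))
```

The defensive property is that a flood of SYNs costs the server one HMAC each and no memory, while a spoofed source can never produce the matching ACK because it never sees the SYN-ACK. The price is that TCP options other than the MSS are lost, which is why real stacks only switch cookies on once the backlog fills.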
Gateway Load balancer#
what is the use case of gateway load balancer (813)#
Answer
inline virtual appliances (firewalls, IDS/IPS) registered as IP or EC2 targets; traffic enters through a GWLB endpoint and is forwarded to the appliances over GENEVE
what port does gateway load balancer need for GENEVE (817)#
Answer
GENEVE UDP 6081
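An appliance behind a GWLB receives the original packet inside a GENEVE header on UDP 6081 and must send it back with the same header and options. The following is an added example for these notes (not course material or AWS code) that builds and parses such a packet. The GWLB option class 0x0108 and option types 1 (ENI ID), 2 (attachment ID) and 3 (flow cookie) are taken from the AWS Gateway Load Balancer documentation; the inner IPv4 header and option values are constructed.

```python
import struct

GENEVE_UDP_PORT = 6081
ETHERTYPE_IPV4 = 0x0800
# Option class and types GWLB adds to every encapsulated packet (per AWS docs);
# an appliance must echo them back unchanged so GWLB can map the reply to the flow.
AWS_GWLB_OPTION_CLASS = 0x0108
AWS_GWLB_OPTION_TYPES = {1: "gwlb_eni_id", 2: "attachment_id", 3: "flow_cookie"}


def build_geneve(inner: bytes, options, vni: int = 0, proto: int = ETHERTYPE_IPV4) -> bytes:
    """Encapsulate `inner` in a GENEVE header carrying (class, type, data) options."""
    opts = b""
    for cls, typ, data in options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opts += struct.pack("!HBB", cls, typ, len(data) // 4) + data   # length in 4-byte words
    first = (0 << 6) | (len(opts) // 4)            # Ver=0 | Opt Len in 4-byte words
    return struct.pack("!BBH", first, 0, proto) + vni.to_bytes(3, "big") + b"\x00" + opts + inner


def parse_geneve(pkt: bytes) -> dict:
    """Parse a GENEVE packet, extract the GWLB options, reject unknown critical options."""
    if len(pkt) < 8:
        raise ValueError("short GENEVE header")
    first, flags, proto = struct.unpack("!BBH", pkt[:4])
    if first >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = 8 + (first & 0x3F) * 4
    if len(pkt) < end:
        raise ValueError("truncated options")
    out = {"vni": int.from_bytes(pkt[4:7], "big"), "protocol": proto,
           "oam": bool(flags & 0x80), "has_critical": bool(flags & 0x40),
           "gwlb": {}, "other_options": [], "payload": pkt[end:]}
    off = 8
    while off < end:
        cls, typ, length = struct.unpack("!HBB", pkt[off:off + 4])
        data_len = (length & 0x1F) * 4
        if off + 4 + data_len > end:
            raise ValueError("option runs past the header")
        data = pkt[off + 4: off + 4 + data_len]
        if cls == AWS_GWLB_OPTION_CLASS and (typ & 0x7F) in AWS_GWLB_OPTION_TYPES:
            out["gwlb"][AWS_GWLB_OPTION_TYPES[typ & 0x7F]] = int.from_bytes(data, "big")
        elif typ & 0x80:          # critical option we do not understand: drop the packet
            raise ValueError(f"unknown critical option class=0x{cls:04x} type={typ & 0x7F}")
        else:
            out["other_options"].append((cls, typ, data))
        off += 4 + data_len
    return out


# Constructed sample: a bare 20-byte IPv4 header as the inner packet, wrapped as GWLB would.
INNER = bytes.fromhex("4500001400010000401100000a0001190a000228")
GWLB_OPTIONS = [
    (AWS_GWLB_OPTION_CLASS, 1, (0x0123456789ABCDEF).to_bytes(8, "big")),  # GWLB ENI ID
    (AWS_GWLB_OPTION_CLASS, 2, (0xFEDCBA9876543210).to_bytes(8, "big")),  # attachment ID
    (AWS_GWLB_OPTION_CLASS, 3, (0xDEADBEEF).to_bytes(4, "big")),          # flow cookie
]
SAMPLE = build_geneve(INNER, GWLB_OPTIONS)

if __name__ == "__main__":
    print(parse_geneve(SAMPLE))
```

Two behaviours matter for an appliance: the flow cookie identifies the flow for both directions, so the reply must carry exactly the options it received, and an option marked critical that the appliance does not understand must cause the packet to be dropped rather than forwarded.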
Other#
Centralised VPC Interface endpoint 295#
access s3 with endpoint#
use a private link to access a web server (NLB/EC2)#
VPC peering connections (125)#
VPC peering allows using Security group (301)#
how many ip can BYOIP bring in (90)#
How many VPC CIDRs can a VPC have? (72)#
VPC DNS resolver: VPC CIDR base + 2, or 169.254.169.253 (117)#
Why is edge location safe? (711)#
What must be enabled to use route53 in vpc?#
Demo (266)
Hand-on Labs#
https://www.whizlabs.com/learn/course/aws-advanced-networking-speciality/195
EC2#
- 30
CloudFront#
- 1
- 2
- 10
ALB#
- 3
- 4
- 5
WAF#
- 11
- 12
ACL#
- 18
- 29
VPN#
- 21
Endpoint#
- 23
- 24
- 25
Flow Log#
- 26
Container#
- 28
VPCs Connectivities#
Solution / Situation | same region | cross account | cross region |
---|---|---|---|
VPC Peering | OK | OK | OK |
TGW Peering | OK | OK | OK |
TGW (attach VPC) | OK | OK | NO |
AWS Managed VPN | OK | OK | OK |
EC2 Based VPN | OK | OK | OK |
PrivateLink exposes a single service (an NLB or GWLB in the provider VPC) rather than a whole network, so it also works when CIDRs overlap; it can span accounts and Regions.
Scope#
Resource | Attached to / lives in |
---|---|
VGW | one VPC (regional) |
TGW | a Region; attaches many VPCs |
NLB | VPC (one or more subnets/AZs) |
ALB | VPC (two or more subnets/AZs) |
Route53 private hosted zone | the VPC(s) it is associated with |
NAT gateway | one subnet (one AZ) |
Common Pattern#
- Routing (582)
Site-to-Site Connection routing#
- Static - Active/ Active Tunnels (349)
- Static - Active/ Passive Tunnels (350)
- Dynamic - Active/ Active Tunnels (351)
TGW#
- Centralised NAT gateway (241)
- Centralised NAT instance (243)
- Centralised NAT instance + VPN (244)
- Centralised VPC interface endpoint + VPN (245)
- Hybrid VPN (247)
- Hybrid DX (248)
VPC Peering#
Failed cases#
Page | Title |
---|---|
207 | CIDR overlap or transitive routing |
208 | from DX or VPN |
209 | to IGW |
Site-to-site VPN / DX with VGW#
Use cases#
Page | Title |
---|---|
335 | Site-to-site Connection with NAT-Traversal |
361 | Single Site-to-site Connection with VGW |
363 | Multiple Site-to-site Connection with VGW |
365 | Redundant VPN connections for HA |
Failed cases#
Page | Title |
---|---|
340 | Site-to-site VPN to IGW |
341 | Site-to-site VPN to NAT |
343 | Site-to-site VPN to VPC Peering |
344 | Site-to-site VPN to VPC Gateway endpoint |
Successful cases#
Page | Title |
---|---|
342 | Site-to-site VPN to NAT Instance |
345 | Site-to-site VPN to VPC Interface endpoint |
345 | Site-to-site VPN to on-premise NAT to Internet |
Site-to-site VPN with TGW#
Page | Title |
---|---|
362 | Multiple Site-to-site Connection with TGW |
VPN CloudHub#
- 369
EC2 Based VPN#
Page | Title |
---|---|
375 | Single instance |
376 | HA |
378 | Horizontal scaling - VPN EC2 per subnet |
379 | Horizontal scaling - Split traffic |
Transit VPC#
Page | Title |
---|---|
391 | Transit VPC |
398 | global regions with single Transit Hub |
398 | global regions with multiple Transit Hub (GRE) |
549 | Direct Connect and Transit VPC |
DX#
Use cases#
Page | Title |
---|---|
591 | VPN as a backup |
592 | Dual Devices |
593 | Dual locations |
594 | Dual locations with DX connection backup |
602 | VPN over DX |
Failed cases#
Page | Title |
---|---|
530 | DX Gateway with multiple customer sites |
542 | DX Gateway with multiple TGWs |
Successful cases#
Page | Title |
---|---|
546 | DX Gateway with multiple customer sites |
Network Firewall#
Use cases#
- Centralised: single firewall subnet / vpc. connect with tgw (791)
- Distributed: firewall subnet per vpc (790)
Limitation#
Peering#
VPC Peering: 125
Routing#
Resource | Limit |
---|---|
Private VIFs | 100 |
Public VIFs | 1000 |
MTU (159)#
Resource | Limit |
---|---|
VPC | 9001 |
VPC Peering | 9001 within a Region, 1500 inter-Region |
DX | 9001 |
TGW (to DX) | 8500 |
TGW (to VPN) | 1500 |
VPC Endpoint | 1500 |
NAT | 1500 |
IGW | 1500 |
VPN | 1500 |
Bandwidth#
VPC (180)#
Resource | Limit |
---|---|
VPC Peer | no |
IGW | no |
NAT | 5-45 Gbps |
TGW | depends |
VGW | 1.25Gbps |
VGW (to DX) | depends on DX |
TGW#
- 1 VPN can have 2 tunnels
Resource | Limit per resource |
---|---|
VPC | 50Gbps |
DX | 50Gbps |
TGW | 50Gbps |
VPN tunnel | 1.25Gbps |
VPN Tunnel#
1.25Gbps
EC2#
EC2 network performance rules:
- per-flow limit vs aggregate limit
- destination matters: traffic leaving via an IGW, DX or to another Region gets only part of the instance bandwidth
Situation | Limit |
---|---|
w/i the region | 100% |
to other regions | 50% |
igw | 50% |
dx | 50% |
(the 50% applies to instances with at least 32 vCPUs; smaller instances are capped at 5 Gbps for IGW, DX and inter-Region traffic)
Single Flow#
Situation | Limit |
---|---|
w/i placement group | 10Gbps |
other | 5Gbps |
Aggregated#
Situation | Limit |
---|---|
w enhanced networking | 100Gbps |
w/o enhanced networking | 25Gbps |
Network Driver | Limit |
---|---|
Intel 82599VF | 10Gbps |
ENA | 100Gbps |
EFA | 100Gbps |