AWS Certified Advanced Networking - Specialty

Resources #

• Exam Landing Page
• Sample Questions
• Exam Guide
• udemy course
• udemy mock exam
• whizlabs test & hand-on labs

TODO #

• take notes
• revision
• whizlabs
• mocks (by topic)
• mock 1 (udemy)
• mock 2,3,4 (whizlabs)
• examtopic
• udemy quiz + exercise

Revision #

The numbers below are the page no of the udemy course’s pdf: AWS Certified Networking Specialty Slides v1.1.

Summary #

• DNS (151)
• Advanced Networking (188)
• VPC Endpoint (292, 298)
• Site-to-site VPN (347, 401, 407)
• VPN Tunnels and Routing (348, 352)
• DX Gateway with VGW (532)
• DX with TGW (547)
• DX Billing (624)
• DX (630)
• Troubleshooting in DX (626)
• Gateway Load Balancer (816)

Q & A #

• ALB (677)
• DX (625)

Good to know #

• SG (46)
• BYOIP (90)
• VPC Traffic Mirroring (105)
• DHCP Option Sets (124)
• TGW (251)
• AWS Site-to-Site VPN (403)
• Network Load Balancer (656)

Comparisons #

• private, public and EIP (33)
• IPv4, IPv6 (36)
• NACL, SG (48)
• NAT Gateway, Instance (64)
• VPC Peering vs Transit Gateway
• Cloudfront function vs lambda@edge (703)
• AWS global accelerator vs Cloudfront (711)

Exam Essential #

• VPC Fundamentals (67)
• Advanced VPC (190)
• VPC Peering Endpoint (301)
• AWs Site-to-Site VPN (402)
• Direct Connect (632)
• Firewall (806)
• Gateway Load Balancer (817)

Revision by topic #

Playlists #

• global accelerator
• api gateway
• client vpn
• cloudformation
• cloudfront
• cloudwatch
• cloudhsm
• cognito
• config
• dx
• edge computing
• elb
• firehose
• guarduty
• inspector
• lambda
• organization
• route53
• s3
• sqs
• ssm
• vpc
• vpn
• waf
• workspace

References #

• accelerator - custom routing
• accelerator - custom routing
• alb - limit request to clondfront only
• aurora - regional failover
• aws organization - SCP
• cloudfront - origin types
• cloudfront - signed url vs signed cookies
• cloudfront - troubleshooting
• cloudfront - will forward the response when first byte arrives from the origin
• cloudhsm - auto ha
• cloudtrail - 5 trails for region
• cloudtrail - log encryption with KMS
• cloudtrail - use integrity validation to check the log was modified, delete or change
• cloudwatch - namespace valid characters
• cloudwatch - no need to config sns to provide data every minute
• cloudwatch - skip metrics
• config - managed rules
• config - renaming the delivery channel
• config - requirements
• config - type of triggers
• config - viewing configuration compliance
• costs model
• costs model 2
• dhcp - cannot modify and one vpc one dhcp options
• dx - dx in public regions can access any other public region
• dx - faq
• dx - lag requirement 1
• dx - lag requirement 2
• dx - public vif
• dx - public vif connectivity
• dx - quotas
• dx - requirements for virtual interfaces
• dx - vif
• dx - virtual Interfaces to Direct Connect connections or LAG bundles
• dx - vpn as backup
• ec2 - http proxy
• ec2 - network performance
• ec2 - retrieve instance metadata
• eip - hostname will be changed once eip attached
• eip - public ip change every time stop and start the instance
• eip - public ip will be released once eip attached
• eip - reverse dns record for mailserver
• eni - limitation
• flow log
• local zone - alb limitation
• local zone - supported service
• ms ad - limitation - not compatible with exchange and skype
• ms ad - requirements
• nacl - default rule# in nacl
• nat - need egress-only-internet-gateway for ipv6 to ipv6 commnuication
• nat - only support tcp udp and icmp
• nat - pricing
• nat - tcp connectin fail as tcp does not support ip fragmentation
• placement group - can add / move / remove instance from group
• placement group - can launch with diff instance type but not recommended
• placement group - can span vpcs
• placement group - cannot merge placement group
• placement group - stop and start is fine but may have insufficient capacity error without capacity reservation
• quicksight - private connection with rds
• redishift - private connectivity with enhanced vpc routing
• route53 - a/p failover
• route53 - aws services which support alias records
• route53 - can attach private hosted zone with overlapping namespace in same vpc
• route53 - dns resolution b/w on-premise and aws with ad
• route53 - dns server with custom domain (white-labe and reusable delegation set)
• route53 - health check rules
• route53 - system rules when forwarding less specific domain
• simple ad - requirement
• sns
• tgw - peering
• tgw - quotas
• tgw - route table priority
• vpc - aws cidr tier
• vpc - aws does not support broadcast in vpc
• vpc - ipv4 subnet cidr prefix
• vpc - ipv6 subnet cidr prefix
• vpc - jumbo frame packet drop as Don't Fragment flag is set but the network does not support higher MTU
• vpc - multicast support
• vpc - reserved address in cidr
• vpc - route table qutoa
• vpc - route table troubleshoot
• vpc - usage of enableDnsHostnames and enableDnsSupport
• vpce - service endpoint support ipv4 over tcp only
• vpce - tagging is suported
• vpce - use prefix list in security group
• vpn - ipv6 support on tgw but not vgw
• vpn - static route a/p mode (priority)
• vpn - troubleshooting
• vpn - why cannot overlap the cidr
• vpn -ipsec encryption algorithms
• waf - config count action to test (monitor mode)
• waf - rule statement list
• workspaces - requirements
• appliance in shared vpc
• cloudhub
• mult vpc with single customer gateway
• multi-vpc network infrastructure
• route table options
• shared vpc
• transit vpc
• Virtual Private Cloud Connectivity Options
• vpc peering with cidr overlap
• vpc with subnet overlapping

VPC Fundamentals (17) #

What is TCP/IP? #

What is OSI? (306) #

Can we override the main route table in VPC? (26) #

Which IPs are reserved for a vpc? (29) #

What is the default behaviour of SG (inbound and outbound)? (46) #

How is the NAT gateway charged? (59) #

Can we apply SG on a NAT gateway? (59) #

What is the port range NAT gateway needs for outbound connection? (59) #

Why don’t we need cross-AZ failover in NAT ? (62) #

What is the most important setting to setup NAT with EC2? (63) #

Advanced VPC (72) #

What is the limitation of adding a secondary CIDR? (79) #

How many private, public and elastic ip and sg can one ENI have? (81, 85) #

What is the use case of dual home setup with multiple ENIs? (84) #

What are the prerequisites of BYOIP? (89, 90) #

What type of Flow Logs can we capture from a VPC? (92) #

Where does the Flow Logs Action field come from? (97) #

What type of record cannot be captured in a flow log? (98) #

What can be the source & target of a VPC Traffic Mirror? (102, 105) #

What port does the VPC Traffic Mirror require? (105) #

How to set a custom domain / dns on an EC2 instance? (113) #

VPC DNS and DHCP #

What does enableDNSSupport do? (117) #

What does enableDNSHostname do? (117) #

How to resolve the hostname in VPC peering and TGW? (132) #

How to resolve the hostname in Hybrid cloud (AWS to on-premise, on-premise to AWS) (old & new way)? (132-150) #

VPC Network Performance and Optimization #

Formula of throughput (154) #

What is Jumbo frame? (154) #

What is Path MTU Discovery? (155) #

What are the advantages of using placement group - cluster (162) #

What is the bandwidth limitation between VPC, EC2 instances, VPN and DX (179-183)? #

VPC Peering #

What is the limitation of VPC Peering? (207) #

TGW #

What is the difference between vgw and tgw? (211) #

what attachments does TGW support? (211) #

What is the special route in TGW? (230) #

VPC Endpoint #

How many types of VPC endpoint? What is the difference between them? (258) #

Can on-premises network access to the gateway endpoint with VPN/DX? (273) #

What kind of source can be used in a private link? (281) #

How to use hostname in interface endpoint? (288) #

How to use the interface endpoint without private DNS? (290) #

When should we use a private link? When should we use VPC Peering (297) #

AWS Site-to-Site VPN #

What port does IPsec need? (309) #

Range of public and private ASN (313) #

4 common BGP Param for routing (319) #

What type of VPN does AWS support Site-to-Site VPN? (327) #

What routing method does AWS support in Site-to-Site VPN? (329) #

What port is required in VPN for NAT-T? (335) #

VPN Tunnels and Routing #

How to set Active/Active tunnel (351) #

What is DPD? Port to send messages? default timeout? timeout action? (354) #

How to prevent a tunnel from terminating due to inactivity (355) #

How to monitor the tunnel status? (357) #

DX #

What is the fibre mode of DX? (450) #

what is the data link requirement of DX (450) #

What are the requirements for a customer router? (450) #

What is the port of BGP? (457) #

What is BFD? How to enable it? (458) #

How long does it take for failover with and without BFD? (458, 597, 598) #

How can a user whitelist the ips range from AWS? (459) #

How many VIF can a hosted connection have? (465) #

What Ip type does DX support? (498) #

How many route prefixes can the public vif advertise? (503) #

How many route prefixes can a private vif advertise? (507) #

What is the limitation of vif and vgw location? (507) #

What service cannot access inside a VPC with DX? (510) #

What is the usage of DX gateway? (517) #

How many vif can a DX connection have? (526) #

How many transit vif can a DX connection have? (547) #

How many DX gateways can a vif have? (530) #

How many vif can a DX gateway connect to? (530) #

How many vgw can a DX gateway have? (526,547) #

How many tgw can a Dx gateway have? (538) #

What is the charge for using Dx gateway? (533) #

How many routes can be advised per TGW through the DX gateway? (539) #

what is ECMP (251, 556) - only support BGP #

how to setup Active-Active with public vif and public ASN (554, 558) #

how to setup Active-Active with private vif and public ASN (558) #

how to setup Active-Passive with public vif and public ASN (561) #

how to setup Active-Passive with public vif and public ASN (561) #

how to constrain the adviser routes to on-premises with public vif (567) #

how to filter the adviser routes from aws in on-premises with public vif (567) #

what is the routing policy with private vif (577, 582) #

What is LAG? (584) #

How many DX connections can a LAG have? (584) #

What is the bandwidth requirement of a LAG? (584) #

What is the operation connection attribute in LAG? (589) #

how to increase the resiliency of DX? (3 methods) (590) #

how to encrypt DX traffic? (2 methods) (601) #

When will the Dx connection be charged? (Hosted and Dedicated connection) (621) #

What will be charged in Dx? (615) #

Who will be charged for the DTO fee? (622) #

ELB #

What Layer ALB, CLB, NLB, GLB belong to? (639) #

What protocol does ALB, CLB, NLB, GLB support? (641) #

Why does NLB have less latency than ALB? (652) #

What kind of target can be used in the ALB and NLB target group? (653) #

What kind of protocol is supported in the health check? (653) #

What are the connection idle timeouts of ALB, NLB, CLB? (657) #

What routing algorithm supported by ALB, NLB, CLB (659) #

How to keep the client ip in ALB, NLB (671, 672) #

How to keep the client on the same instance for a period of time? (661) #

What is Cross-Zone Load Balancing? (663) #

What is SNI and which ELB does it support? (667) #

What is Connection Draining (670) #

Cloudfront #

What services / source can be Cloudfront’s origin? (683) #

Why public access is needed in cloudfront’s origin (683) #

What is the origin group (687) #

How to change custom header / behaviour in Cloudfront? (698) #

How to restrict the content to specific geolocation? (696) #

What is AWs global accelerator? What does it work (709) #

What is the difference between AWS global accelerator and cloudfront? (711) #

Route53 #

What is the longest and shortest TTL in route53 (721) #

What are the alias targets in route53 (724) #

How to bind an RDS DB instance in route53 (748) #

Routing Policies in Route53? (725) #

How does Route53 perform the health check in a private VPC? (732) #

How to setup hybrid DNS (754) #

How does AWS ensure the HA in route53? (807) #

Network firewall #

What layer SG, NACL, network firewall, WAF, shield? #

What is the VPC level in SG and NACL? (766) #

When should we use nacl instead of sg? (768, 769) #

When should we use WAF instead of lacl ? (770) #

Stateless and stateful of sg, nacl, network firewall, shield? (773) #

How can a SYN cookie prevent DDos in packet flooding? #

Gateway Load balancer #

what is the use case of gateway load balancer (813) #

what port does gateway load balancer need for GENEVE (817) #

Other #

Centralised VPC Interface endpoint 295 #

access s3 with endpoint #

use a private link to access a web server (NLB/EC2) #

VPC peering connections (125) #

VPC peering allows using Security group (301) #

how many ip can BYOIP bring in (90) #

How many VPC CIDRs can a VPC have? (72) #

dns of vpc .2 169.254.169.253 (117) #

Why is edge location safe? (711) #

What must be enabled to use route53 in vpc? #

Demo (266)

Hand-on Labs #

https://www.whizlabs.com/learn/course/aws-advanced-networking-speciality/195

EC2 #

• 30

CloudFront #

• 1
• 2
• 10

ALB #

• 3
• 4
• 5

WAF #

• 11
• 12

ACL #

• 18
• 29

VPN #

• 21

Endpoint #

• 23
• 24
• 25

Flow Log #

• 26

Container #

• 28

VPCs Connectivities #

• Transit gateway peering attachments
• What is VPC peering?
• Transit Gateway vs VPC peering

Private Link is something like tgw peer but for specific service only. It can cross regions and accounts.

Scope #

Common Pattern #

• Routing (582)

Site-to-Site Connection routing #

• Static - Active/ Active Tunnels (349)
• Static - Active/ Passive Tunnels (350)
• Dynamic - Active/ Active Tunnels (351)

TGW #

• Centralised NAT gateway (241)
• Centralised NAT instance (243)
• Centralised NAT instance + VPN (244)
• Centralised VPC interface endpoint + VPN (245)
• Hybrid VPN (247)
• Hybrid DX (248)

VPC Peering #

Failed cases #

Site-to-site VPN / DX with VGW #

Use cases #

Failed cases #

Successful cases #

Site-to-site VPN with TGW #

VPN CloudHub #

• 369

EC2 Based VPN #

Transit VPC #

DX #

Use cases #

Failed cases #

Successful cases #

Network Firewall #

Use cases #

• Centralised: single firewall subnet / vpc. connect with tgw (791)
• Distributed: firewall subnet per vpc (790)

Limitation #

VPC Limit

Peering #

VPC Peering: 125

Routing #

MTU (159) #

Bandwidth #

• Quotas for your TGW
• Aggregated throughput limit for VGW
• NAT gateways

VPC (180) #

TGW #

• 1 VPN can have 2 tunnels

VPN Tunnel #

1.25Gbps

EC2 #

• 100G networking in AWS, a network performance deep dive

EC2 network performance rules:

• single flow limit
• within regions and other

Single Flow #

Aggregated #

• General Purpose Network Performance