Amazon AWS Certified Advanced Networking Specialty – Exam Preparation Section

  • January 16, 2023

1. Important Pointers for Exams – Part 01

Hey everyone, and welcome back. In today’s video, we will be discussing some of the important pointers that you must remember before you sit for the exam. We will be focusing more on the routing as well as the Direct Connect perspective, so let’s look into some of the important things that you should be remembering.

Now, the first pointer is that you should know the path selection. You should know the priority on which your routing path would be selected. The first priority always goes to the local routes towards the VPC. This cannot be overridden by any specific routes. So let’s assume that you have a local route of 192.168.10.0/24, and then you have a very specific route of 192.168.10.5/32. However, if this very specific route is not the local route towards the VPC, it cannot override the first priority. So local routes to the VPC are always the first priority. All right? Now, the second priority is that the most specific IP prefixes are preferred. Again, we’ll take the same example: 192.168.10.5/32 is a very specific IP prefix, so it will always be preferred over 192.168.10.0/24.

So this is also a pointer that you need to remember. Third is that the static routes that you put are always preferred over the dynamic ones, because AWS assumes that if you have put a static route, you have a good reason for it. After that, the fourth priority is the dynamic routes which it receives via BGP. The fifth priority is routes that it learns via the static VPN, and the last priority is the BGP routes from the VPN, based on the shorter AS path. So these are the remaining BGP routes that are not included in any of the above. So this is the path selection.

Now, the second thing that you need to remember is the concept of Direct Connect and VIF. This is very important to remember. Say you have a single AWS account, and within that AWS account you have a Direct Connect connection. It can be represented with dxcon-, whatever the ID is, and the port speed. If it is through AWS, it can be 1 Gbps or 10 Gbps.
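The path selection order described above can be written as a small route picker. This is an added example, not code from the video or from AWS; the route table, the target names and the `dx-bgp` label (which assumes the fourth priority refers to BGP routes learned over Direct Connect) are constructed for illustration.

```python
import ipaddress

# Rank of each route origin, in the order the pointers above list them
# (lower wins). "dx-bgp" assumes the fourth priority means BGP routes
# learned over Direct Connect, since VPN BGP routes are listed last.
ORIGIN_RANK = {"static": 0, "dx-bgp": 1, "vpn-static": 2, "vpn-bgp": 3}


def select_route(routes, destination):
    """Return the route chosen for `destination`, or None if nothing matches."""
    ip = ipaddress.ip_address(destination)
    matching = [r for r in routes if ip in ipaddress.ip_network(r["prefix"])]
    if not matching:
        return None
    # Priority 1: the VPC local route always wins.
    local = [r for r in matching if r["origin"] == "local"]
    if local:
        return local[0]
    # Priority 2: longest prefix. Priorities 3-6: origin rank, then the
    # shorter AS path between BGP routes of the same origin.
    return min(matching, key=lambda r: (
        -ipaddress.ip_network(r["prefix"]).prefixlen,
        ORIGIN_RANK[r["origin"]],
        r.get("as_path_len", 0),
    ))


# Constructed route table; every target name is a placeholder.
ROUTES = [
    {"prefix": "192.168.10.0/24", "origin": "local", "target": "local"},
    {"prefix": "192.168.10.5/32", "origin": "static", "target": "eni-example"},
    {"prefix": "10.0.0.0/8", "origin": "static", "target": "pcx-example"},
    {"prefix": "10.1.0.0/16", "origin": "dx-bgp", "target": "vgw-dx"},
    {"prefix": "10.1.0.0/16", "origin": "vpn-bgp", "target": "vgw-vpn",
     "as_path_len": 2},
    {"prefix": "172.16.0.0/12", "origin": "vpn-static", "target": "vgw-vpn-static"},
    {"prefix": "172.16.0.0/12", "origin": "vpn-bgp", "target": "vgw-vpn-a",
     "as_path_len": 3},
    {"prefix": "172.20.0.0/16", "origin": "vpn-bgp", "target": "vgw-vpn-long",
     "as_path_len": 4},
    {"prefix": "172.20.0.0/16", "origin": "vpn-bgp", "target": "vgw-vpn-short",
     "as_path_len": 1},
]

if __name__ == "__main__":
    for dst in ("192.168.10.5", "10.1.2.3", "10.9.9.9", "172.16.5.5", "172.20.1.1"):
        print(dst, "->", select_route(ROUTES, dst)["target"])
```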

Now, once you have the Direct Connect connection, you can create multiple virtual interfaces. In fact, you are not limited to just two. You can create up to 50 virtual interfaces. The virtual interfaces that you create are associated with a VLAN. So this is VLAN 101, for which you can have a virtual interface. Then you can have one more VLAN for which you can have one more virtual interface. The virtual interface IDs look like dxvif-xxx, and this is something that I’m sure you already know.

Now, the next important part is the hosted virtual interface. This is quite important for the exams. Let’s assume that you have your AWS account in which you have a Direct Connect connection. It is not always the case that you want the VIF only in the account with which the Direct Connect connection is associated. You might want the VIF in a completely different account that you have for the production environment.

In order to achieve that, you can use a hosted VIF. What hosted VIF basically means is that whenever you go through the VIF creation process, you can specify the account ID where you want the VIF to be associated. When you specify that account ID, the VIF will be associated with that account, provided the connection is accepted. So if you look here, you have a Direct Connect connection associated with the first account; however, the VIF is associated with the second account. This is what is called the hosted virtual interface. Now, the next thing that you need to remember is what happens if you go with DX via a partner.

If you’re going with DX via a partner, you have two accounts: one is the partner’s and the second is your AWS account. The partner has already interconnected with the Direct Connect of AWS. This process is very similar to the hosted VIF: since the connection is already established to the partner, you get a hosted connection which you have to accept from your console. Within this hosted connection you have this VLAN. You cannot really select this VLAN. It is given to you by the partner, you do not really have control over it, and the port speed is 50 Mbps. You can definitely have a virtual interface here as well. How many virtual interfaces you can have depends on how many hosted connections you have. So if you have one more hosted connection, you can go ahead with one more virtual interface as well.

Remember, if you just have a single hosted connection, you can have only one virtual interface; you cannot have multiple virtual interfaces. So if you want one public and one private virtual interface, you need to have two hosted connections. We already know that for hosted connections you have to click on accept connection, and your connections will be accepted.

The next important thing that you need to remember is the Direct Connect billing. DX billing occurs on two specific entities: one is port hours and the second is data transfer out. Along with that, there is a very important point about a hosted VIF in account two. Let me actually give you an example of this. We’ll go back to the earlier slide. If you have a hosted VIF in account two, then account two will be paying for the data transfer charges. This is very important to understand. Before this virtual interface can be associated, you have to click on accept connection in account two. Once you click on accept connection, this hosted virtual interface is associated with account two, and account two has to pay for the data transfer charges. This is one very important point that you must remember for the exam. So this is it about the Direct Connect billing. The next thing that we’ll be discussing is the dual Direct Connect architectures.

So be ready for a few questions related to the dual Direct Connect architecture. We have already discussed that we can have multiple Direct Connect connections. In such a scenario you need to have multiple virtual interfaces as well. If you have multiple virtual interfaces, they can work as active-active or as active-passive. Active-active can be achieved with the help of multipath. So you can have BGP multipath, and the virtual gateway will follow the same approach. If you want active-passive, then from the customer side you need to have a local preference priority and you also need to have AS prepending, so that the virtual gateway will work on the shortest path and send the traffic only to the active virtual interface side.

So this is one important aspect that you need to remember. The last and very important point is Direct Connect and security. Remember that the traffic which flows over Direct Connect is not encrypted. Direct Connect is not an encrypted tunnel. It’s like a leased line, a dedicated line towards AWS, which does not guarantee encryption. So if you need complete encryption, you can set up IPsec tunnels on top of the Direct Connect connections to make sure that the traffic is encrypted.

2. Important Pointers for Exams – Part 02

Hey everyone, and welcome to the second video of important pointers for exams. So let’s get started. The primary focus of the pointers that we will be discussing today is the virtual private cloud, which is VPC. VPC includes various basic options: you have subnets, you have route tables, you have the Internet gateways and NAT gateways. These are quite basic things that we learn in the Associate Level certification itself. Along with that, you also have the DHCP option sets, the network ACLs, the virtual private networks, which are the VPNs, and the VPC endpoints. You have things like placement groups, VPC flow logs, as well as AWS DNS. So let’s go ahead and understand more about these.

The first thing that we need to understand is the basics of the DHCP option sets. Do remember that I have assumed here that you already know how to create a VPC, because this is something which is already covered in the Associate Level certification. So for the advanced networking, this is like a prerequisite. All right, so let’s start with DHCP option sets. DHCP, as we have already discussed, is one of the standard protocols used for supplying network configuration information to the hosts within an IP network. DHCP is something which is even part of your wireless devices. So whenever you connect to your WiFi, you get a specific IP address.

You can also get specific information related to the DNS server. All of that comes from the DHCP server within your wireless device. Now, as far as the VPC is concerned, AWS automatically creates certain DHCP options. There are two of them: one is the domain name servers and the other is the domain name. These are the two default ones which are automatically created. In fact, let me show you this. Within your DHCP option sets, if you click on create a DHCP option set, you see that there are multiple DHCP options present. You have domain name and domain name servers. You can even supply the NTP servers, the NetBIOS name servers and the node type as well. Among these, two are the default ones which get created. So if you look at the default DHCP option set here, you will see that there are two options which are configured.

One is the domain name, which is ec2.internal, and the second is the domain name servers, which is the Amazon-provided DNS. Here you should remember that every VPC must have a DHCP option set associated with it, and each VPC can have at most one DHCP option set associated with it.

Now, the second thing is the IGW and the NAT gateway. The IGW, also referred to as the Internet gateway, is basically a component in AWS which allows communication between the VPC resources and the Internet. This is a managed service offering from AWS. The Internet gateway is completely managed, it is scaled horizontally and it is highly available. The IGW by itself does not really have any bandwidth constraints.

As opposed to that, NAT gateways are generally used for private subnets. Earlier we used to have NAT instances, which were basically EC2 instances with NATting enabled. AWS later went ahead and released the NAT gateway as well, which is a managed offering by AWS. Both the NAT instance and the NAT gateway allow outbound communication from the EC2 instances within your private subnet towards the Internet. Do remember that NAT instances are not highly available by default, because they are based on EC2. So you have to create multiple NAT instances in different availability zones if you want to achieve high availability. Also, depending upon the EC2 instance type that you select, you might hit a bandwidth constraint. Even for the NAT gateway, a lot of organizations have one NAT gateway per private subnet. So let’s say that you have two private subnets; then each private subnet will have an individual NAT gateway. In such cases you can have much higher bandwidth. All right? So that’s the third point: it is recommended to launch an individual NAT gateway for an individual private subnet. Do remember that this applies if you have a high amount of outgoing traffic. If you have a small network, then a single NAT gateway for multiple private subnets should suffice.

Now, when you talk about the VPC subnet, a subnet is basically a subsegment of the VPC CIDR for isolation of resources. There are three terminologies that you should remember: one is the public subnet, then the private subnet, and the third is the VPN-only subnet.

The public subnet, as expected, has the Internet gateway attached, and every EC2 instance which is launched in the public subnet must have either a public IP or an Elastic IP attached to be able to connect to the Internet. So if you launch an EC2 instance in a public subnet and that instance does not have a public or Elastic IP, then it will not be able to communicate with the Internet. Then you have the private subnet. The private subnet has a NAT gateway attached to it, so there are no direct inbound connections to the EC2 instances in private subnets. The third thing is the VPN-only subnet.

If a subnet does not have a route towards the IGW or a NAT gateway, but has its traffic routed to a virtual gateway, then it is referred to as the VPN-only subnet.

Now, the fourth important point that you should remember here is the VPC endpoints. VPC endpoints allow the establishment of a private connection between your VPC resources, like an EC2 instance, and an AWS service or VPC through PrivateLink, without an IGW, NAT, VPN or even a Direct Connect connection. We have already seen the theoretical as well as the practical aspects of VPC endpoints. Let’s say that you have an S3 bucket and you want to transfer a huge amount of data to that S3 bucket. Typically that used to happen via the Internet, so either an IGW or a NAT gateway used to get involved. But when you have a VPC endpoint you don’t really need the IGW or a NAT gateway; just the VPC endpoint is good enough to connect to the supported AWS services. Endpoints only support services within the local region. From the exam perspective you should understand the design patterns for accessing VPC endpoints. There are two major VPC endpoint types that you should remember.

One is the interface endpoints and the second is the gateway endpoints. For the interface endpoints, we can figure out from the name itself that this kind of endpoint has a specific interface. It is an elastic network interface. So basically this endpoint provides the ENI, the elastic network interface, which serves as the entry point for the traffic destined for the AWS services. Do remember that interface endpoints can be accessed over Direct Connect but not over VPN or VPC peering. As opposed to that, you also have gateway endpoints. Gateway endpoints make use of route tables to route the traffic which is destined for the AWS services. So here you do not really have an elastic network interface. There are two supported services: one is DynamoDB and the second is AWS S3.

Do remember that gateway endpoints cannot be directly accessed by requests which originate outside of your VPC. If you want to do that, then you need to set up some kind of proxy routing there. Along with that, you have AWS service endpoints, which are generally powered by PrivateLink. Here we define a set of attributes and we also associate the service with a network load balancer. So the network load balancer acts as the entry point here. Make sure that you go through the practical if service endpoints are something that you have doubts about. Along with that, you should have a basic understanding of how you can secure your VPC endpoints. We can add policies associated with the VPC endpoints to restrict the traffic there. During overall troubleshooting, if you are using VPC endpoints, then whatever VPC endpoint policies you have should also be checked.

Now, the next important point that you should remember is VPC peering. VPC peering allows two VPCs to communicate with each other. So whatever resources are present within the VPCs can communicate with each other when you have VPC peering enabled. VPC peering does not support transitive routing. This is one important point that you should remember. Along with that, VPC peering now supports inter-region VPCs. This third point was not supported earlier, but AWS has now enabled inter-region VPC peering. You should also remember that peers within the same region can share security group and DNS information.

The next point that you should remember is the difference between a security group and a network ACL. Do remember that the security group is stateful, whereas the network ACLs are stateless. So you should understand what stateful and stateless mean.

Along with that, the traffic between instances in the same subnet is not evaluated by the network ACL. Within the network ACL, rule ordering is important. So you should know how to write rules within the network ACL as well as how the rule ordering plays an important role.

Now, the next important part here is the elastic network interface. This is also referred to as the ENI. An ENI is basically a virtual interface which can be attached to an EC2 instance. Whatever security groups you create and attach to the EC2 instance are actually associated with the ENI, which is in turn associated with that specific EC2 instance.

Multiple ENIs can be attached to an EC2 instance at a point of time, and thus it also allows the functionality of multi-homing. ENIs are portable, so the private IP address can be reserved. All right? So you can attach an ENI to one EC2 instance, and later you can detach that ENI and associate it with a different EC2 instance. In that case, whatever IP address was associated with the ENI will remain the same. As far as the Elastic IP address is concerned, do remember that it is possible to reclaim an accidentally released Elastic IP only if other customers have not claimed it. So let’s say that you have an EIP and you have accidentally released it; you can reclaim it provided no other customer has claimed it. Along with that, you should understand what VPC flow logs are and also the format associated with the VPC flow log.

You should know what each and every VPC flow log field is. So let’s say that this is a sample VPC flow log. You should know what each of these fields is. Here, the first field is the version, the second is the account ID. Then you have the interface, the source, the destination, the source port, the destination port, the protocol, and so on. So you should be able to tell what each of these fields is within a specific VPC flow log.

Along with that, you should also know about the AWS DNS. Basically, it provides resolution for the internal EC2 instances as well as external DNS resolution. It is accessible at the VPC CIDR plus-two address. This is something that we already know. So let’s say you have a CIDR of 10.77.0.0/16; then the DNS would be 10.77.0.2. So it is the plus-two address here.
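To make the flow log field order mentioned above concrete, here is an added example (not from the video) that parses records in the default version 2 format and lists which destination ports each source had rejected. The sample records, account ID, interface ID and addresses are constructed.

```python
# Field order of the default (version 2) VPC flow log record.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IANA protocol numbers


def parse_flow_record(line):
    """Split one space-separated record into a dict with typed values."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    record = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        # NODATA and SKIPDATA records carry "-" in place of traffic fields.
        record[name] = None if record[name] == "-" else int(record[name])
    proto = record["protocol"]
    record["protocol_name"] = (None if proto is None
                               else PROTOCOL_NAMES.get(proto, str(proto)))
    return record


def rejected_by_source(lines):
    """Map each source address to the sorted destination ports it was refused on."""
    rejected = {}
    for line in lines:
        record = parse_flow_record(line)
        if record["log_status"] != "OK" or record["action"] != "REJECT":
            continue
        rejected.setdefault(record["srcaddr"], set()).add(record["dstport"])
    return {src: sorted(ports) for src, ports in rejected.items()}


# Constructed sample records (documentation address ranges, fake account ID).
SAMPLE = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.12 10.77.1.20 49761 22 6 20 4249 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.12 10.77.1.20 49762 3389 6 1 40 1418530010 1418530070 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.77.1.20 10.77.2.15 53124 443 6 12 5300 1418530010 1418530070 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1431280876 1431280934 - NODATA",
]

if __name__ == "__main__":
    print(rejected_by_source(SAMPLE))
```

Because a security group is stateful and a network ACL is stateless, a REJECT on the return leg of an otherwise accepted flow usually points at the network ACL rather than the security group.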

Whenever you create a Route 53 hosted zone, it can be associated with the VPC. So you can have both public as well as private hosted zones there. You should also know about the egress-only Internet gateway, which is the one typically used for IPv6. AWS does not really provide NAT for IPv6. So the egress-only Internet gateway allows instances in a private subnet to initiate outbound traffic to the Internet, and it prevents resources on the Internet from directly initiating a connection with the EC2 instances.

3. Important Pointers for Exams – Part 03

Hey everyone, and welcome back. In today’s video, part three of important pointers for exams, our primary focus will be on certain architectural decisions which prove to be important while you are designing the VPC in AWS. Generally, whenever you create a VPC, you are free to select the IPv4 range that you intend. So you can have 10.77, 172.31, 192.168, et cetera. However, this is only for IPv4. For the IPv6 range, AWS will provide you a fixed /56 CIDR block and you cannot choose the range of IP addresses there. All right? The size of the IPv6 CIDR block for your subnet is fixed to /64. This is important. So let’s say that for IPv4 you have 172.31/16. For IPv6, you have a /56, which is a fixed CIDR block that you get from AWS, and from there you can create a /64 subnet block. All right? You cannot really modify these things. So let’s do one thing. Let’s quickly create a VPC so I can show you that. I’ll call it KPLabs-IPv6. Within the IPv4 block, let me put 10.77.0.0/16. All right.

Within the IPv6 setting, you see there are only two options. One is no IPv6 CIDR block, and the second is Amazon-provided IPv6 CIDR block. Let’s choose the Amazon-provided IPv6 CIDR block and do a create. Let’s open this up. Here you will see that you got an IPv6 CIDR with a range of /56. All right? This is something which is automatically done by AWS, and as a customer you don’t have any role there. Along with that, let’s create a subnet with IPv6. Here, if you decide to assign an IPv6 CIDR block, you see it comes in the range of /64. Again, this is something that you cannot change.

The next important part here is that an EC2 instance launched in a VPC where you have IPv6 enabled cannot have just an IPv6 address. So if you want an EC2 instance which has only an IPv6 address, that is not really possible directly. If you need an IPv6 address, then the EC2 instance will need to have both IPv4 and IPv6. This is mandatory. The third important part to remember is that even though you have a lot of IPv6 addresses, you are still limited by the IPv4 CIDR block that you assign.

So let’s say that you have a CIDR block for a subnet which only has 256 IP addresses. The maximum number of IPs that you can use for IPv6 is also limited there because, as we have discussed, you cannot launch an EC2 instance with just an IPv6 address; you need to have both IPv4 and IPv6. All right? Along with that, you can also have multiple CIDR ranges per VPC.

Now, a few more important aspects that you should know. The first is that you can have a maximum size of /16 for your CIDR, which will give you 65,536 IP addresses, and a minimum size of /28, which can have a maximum of 16 IP addresses. So this is one important part to remember: /16 and /28. Along with that, the first four IP addresses and the last IP address in every subnet are not available for us to use and cannot be assigned to an instance.

For example, for a subnet block of 10.0.0.0/24, the following five IP addresses will be reserved. The first one is the network address, which is .0. Then .1 is reserved by AWS for the VPC router. So whatever route tables you create within your subnet are typically accessed at this address. Then you have .2, which is reserved for AWS DNS, and .3, which is reserved for future use. And you have .255, which is for network broadcast. Again, broadcast is not really supported in AWS, so this address simply remains reserved.

Now, there are certain important considerations that you need to take into account while you are designing a CIDR. The IETF has specified exact IPv4 ranges for private networks, and this is very important. However, we can create a VPC with CIDRs which fall outside of the private IPv4 ranges. There are public IPv4 ranges which are assigned to various ISPs and organizations, and you can definitely use those for your VPC. There are no restrictions there.

But the problem is that if you are using a public IPv4 range for your VPC and you try to communicate with the Internet, and there is a conflict, that will be an issue for you. In one of the organizations that I have seen, they were not really using this private IPv4 block; they were using a public IPv4 block which was assigned to a different ISP altogether. So at a later stage they had a lot of communication issues. So, very important: do not use public IPv4 ranges. Even though VPC will allow you to do that, do not use them. These are the allowed ranges: you have 10.0.0.0 to 10.255.255.255, and the same with 172.16 as well as 192.168. This is clearly mentioned within the RFC. If you open up RFC 1918 and go a bit down, you see it is clearly mentioned which blocks of IP address space can be used for private internets. You should only use those, because the other blocks are the ones which are used for public addressing and could be assigned to an ISP or a different organization.
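The sizing, reserved-address and RFC 1918 pointers above can be checked before a VPC is created. This is an added example, not from the video; the function names are hypothetical, and the prefix lengths of the three private blocks come from RFC 1918 itself.

```python
import ipaddress

# The three private blocks defined in RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_cidr(cidr):
    """Return a list of problems with a proposed VPC IPv4 CIDR (empty if none)."""
    net = ipaddress.ip_network(cidr, strict=True)  # raises on stray host bits
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append("size must be between /16 and /28")
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append("outside the RFC 1918 private ranges")
    return problems


def reserved_addresses(subnet_cidr):
    """The five addresses in a subnet that cannot be assigned to an instance."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = net.network_address
    return {
        "network": str(base),
        "vpc_router": str(base + 1),
        "dns": str(base + 2),
        "future_use": str(base + 3),
        "broadcast": str(net.broadcast_address),
    }


def usable_addresses(subnet_cidr):
    """Addresses left for instances once the five reserved ones are removed."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - 5


if __name__ == "__main__":
    # Constructed inputs: one good plan, one public range, one edge case
    # that looks private but sits just past 172.16.0.0/12.
    for cidr in ("10.77.0.0/16", "198.51.100.0/24", "172.32.0.0/16"):
        print(cidr, check_vpc_cidr(cidr) or "ok")
    print(reserved_addresses("10.0.0.0/24"))
    print(usable_addresses("10.0.0.0/28"))
```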

Now, there are certain IPv6-specific pointers that you should know. You have something called a Global Unicast address and a link-local address. The link-local address is used for communication between the EC2 instance and the router. The link-local address can also be used for internal communication between multiple EC2 instances within the same network. We have already discussed the link-local address with a practical, so in case you want to revise it, you can do that. You also have the Global Unicast address; as we have discussed, it is a fixed /56 range provided by AWS, and for the subnets that customers create they can make use of a /64, which is not editable. For VPC DNS, we can access it at the plus-two address of the CIDR range, as we have already discussed. For example, 10.0.0.2.

However, this address changes depending upon the CIDR. So let’s say you have a different CIDR of 172.31 or 192.168; then the address would keep on changing, and if you have ten different VPCs there can be ten different addresses as well. So to automate, you can use the address 169.254.169.253, which is also that of the DNS server. So instead of the plus-two address you can make use of this address. Irrespective of your VPC CIDR, this address will remain the same, so that it becomes easier for you to automate things. Also do remember that you cannot have DNS hostnames for IPv6 similar to what you have for IPv4, which are automatically created by AWS DNS.

Now, talking about the firewall section, do remember that the security group is a stateful firewall and it attaches itself to the network interface associated with the EC2 instance. You also have the network ACL, which is a stateless firewall. You can also tier security groups. So let’s say that you have two security groups, SG_backend and SG_frontend.

There can be five EC2 instances which have the SG_backend security group and five EC2 instances which have the SG_frontend security group. Now, you have a MySQL server, and you want any EC2 instance which has the SG_backend security group attached to be able to connect to your MySQL instance. In such cases you can whitelist by security group. Generally we whitelist by CIDR range, but you can also whitelist by a security group. So let’s do one thing; let me in fact show you this. Let’s open up the security groups. Let me just take a random security group ID here. All right? So let’s create a security group. I’ll call it RDS Security Group. I’ll just select the default VPC, and within the rule I’ll say 3306. Here, if you see, you can put a CIDR range, you can put an IP, or you can even put a security group. So here I can put a security group, something like this. Let’s just give it a description. All right, so now the security group is created.

So I hope you understood what exactly that means. This again is a great way, and a lot of organizations use it because it is a much better approach. You should also know that the network ACLs are applied at the subnet level, and rules are ordered by rule number and evaluated accordingly. So here you have rule number 150, where you have port 2049 and you are denying it from a specific source. And then you have rule number 200, where you are allowing port range 1024-65535 from everyone. In this case, since the rule above has a lower rule number, it will always take priority irrespective of what rules are present further down. All right, so the rule number proves to be quite important here.
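The rule-number ordering described above, as an added example that is not from the video: rules are walked in ascending number, the first match decides, and anything unmatched falls through to the implicit deny. The source CIDR on rule 150 and the misordered table are constructed, and the sketch assumes every rule is an inbound TCP rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "allow" or "deny"
    source: str      # source CIDR
    port_from: int
    port_to: int


def evaluate(rules, src_ip, dst_port):
    """Return (action, rule_number) for a packet; '*' is the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        in_source = ip in ipaddress.ip_network(rule.source)
        if in_source and rule.port_from <= dst_port <= rule.port_to:
            return rule.action, rule.number
    return "deny", "*"


def shadowed(rules):
    """Find rules that can never match because a lower-numbered rule
    already covers their whole source range and port range."""
    ordered = sorted(rules, key=lambda r: r.number)
    hits = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.ip_network(later.source)
        for earlier in ordered[:i]:
            covers_source = later_net.subnet_of(ipaddress.ip_network(earlier.source))
            covers_ports = (earlier.port_from <= later.port_from
                            and later.port_to <= earlier.port_to)
            if covers_source and covers_ports:
                hits.append((later.number, earlier.number))
                break
    return hits


# The table from the slide; the denied source CIDR is a constructed value.
PAGE_RULES = [
    Rule(150, "deny", "10.77.5.0/24", 2049, 2049),
    Rule(200, "allow", "0.0.0.0/0", 1024, 65535),
]

# Constructed mistake: the broad allow has the lower number, so the deny
# on port 2049 is never reached.
MISORDERED = [
    Rule(100, "allow", "0.0.0.0/0", 1024, 65535),
    Rule(150, "deny", "10.77.5.0/24", 2049, 2049),
]

if __name__ == "__main__":
    print(evaluate(PAGE_RULES, "10.77.5.9", 2049))   # denied by rule 150
    print(evaluate(MISORDERED, "10.77.5.9", 2049))   # allowed by rule 100
    print(shadowed(MISORDERED))
```

Running `shadowed` over an exported rule list is a quick review step for a network ACL whose deny rules do not seem to take effect.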

We have already discussed that the CIDR plus-one IP is generally reserved for the AWS router. The AWS VPC router holds the configuration of whatever subnet route tables you create. All right? This is the reason why, whenever you create an EC2 instance and check its route, it goes to the .1 address, and the .1 address is that of the VPC router. Whatever route tables you create and associate with your subnet, this VPC router will have that specific configuration.

Now, speaking about the NAT gateway, do remember that NAT gateways are zone specific. So the availability of a NAT gateway is zone specific. Let’s say you have a NAT gateway here; it is associated with Availability Zone A.

Then you have another NAT gateway, which can be associated with Availability Zone B. All right, so do remember that the NAT gateway still requires an Internet gateway and an Elastic IP address to be present. The NAT gateway does not have unlimited bandwidth; it can automatically scale up to 45 Gbps. If you need more than this, then you need to have multiple NAT gateways, something that we have already discussed in the earlier video as well. Let’s say that there are two availability zones. You create a NAT gateway for AZ 1 and a NAT gateway for AZ 2. The first NAT gateway can scale up to 45 Gbps, and the next NAT gateway can also scale up to 45 Gbps. This is something that you can do in case you need higher bandwidth. This is not required as far as the Internet gateway is concerned, because it scales horizontally.

Now, in case you do not want the AWS NAT gateway, because the AWS NAT gateway allows only specific functionality, you can create your own custom NAT. That custom NAT can also have things like IDS and IPS, where you can define custom rules. If you have a custom NAT, then you will have to modify the routing table to point to its network interface. All right? Let me actually show you this as well. When you talk about the routing table, if you look into the routes, you can generally have multiple kinds of target. If I quickly show you here, you can also have a target of a network interface, and you can specify the network interface where your NAT is running. So here you specify a custom network interface. This can be an EC2 instance which is running a custom NAT solution with IDS and IPS functionality.

In case you are using a custom NAT, the routing architecture differs a little. Let’s say that you have an EC2 instance in a private subnet. First it will talk to the route table associated with that subnet. Here it sees that the target is the ENI, and this ENI is that of the custom NAT. So it connects to your custom NAT. The custom NAT is where all your filtering and all your IDS and IPS rules will be present. From the custom NAT it now looks into the route table associated with it, sees that the target is an Internet gateway, and sends the traffic towards the Internet gateway. So let’s say the private instance wants to communicate with google.com.

The first request goes to the route table; this is the plus-one IP address. From there it discovers that the target is the network interface. The second request goes to the network interface; this is the custom NAT, which can filter the traffic. It then looks at the destination, say google.com, and then looks into the route. The target here is the internet gateway, so the traffic goes to the internet gateway. This is one of the architectures that can be used. Now, you can also omit the first step. As we were discussing, for the destination you are specifying the plus-one address of the CIDR, and the plus-one address is that of the AWS VPC router. So instead of the plus-one address, you can directly put the IP address of the custom NAT.
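The two route-table lookups described above can be traced in a short simulation. This is an added example, not material from the course; the subnet names, CIDRs and the `eni-customnat` / `igw-example` IDs are constructed placeholders. It also flags the failure case where the custom NAT sits in a subnet whose route table points back at its own network interface.

```python
import ipaddress

# Constructed topology: names, CIDRs and IDs are placeholders for this example.
ROUTE_TABLES = {
    "private-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "eni-customnat")],
    "nat-subnet":     [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-example")],
}
# Subnet whose route table applies to traffic leaving each network interface.
ENI_SUBNET = {"eni-customnat": "nat-subnet"}


def lookup(table_name, dst_ip):
    """Return the target of the most specific route that covers dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(cidr), target)
               for cidr, target in ROUTE_TABLES[table_name]
               if dst in ipaddress.ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(start_subnet, dst_ip, eni_subnet=ENI_SUBNET, max_hops=4):
    """Follow route-table lookups until traffic leaves via a non-ENI target."""
    hops, subnet = [], start_subnet
    for _ in range(max_hops):
        target = lookup(subnet, dst_ip)
        hops.append((subnet, target))
        if target not in eni_subnet:
            return hops  # "local", an internet gateway, or None (no route)
        next_subnet = eni_subnet[target]
        if next_subnet == subnet:
            # The NAT's own route table sends traffic back to the NAT.
            hops.append((subnet, "LOOP"))
            return hops
        subnet = next_subnet
    return hops


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an internet host.
    for hop in trace("private-subnet", "203.0.113.10"):
        print(hop)
```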

Using the custom NAT's IP address directly is also possible if you want to omit the request going to the AWS route tables.

And the last important point for today's video is the S3 bucket policy for VPC endpoints. We have already discussed VPC endpoints, primarily the interface and gateway endpoints. For an S3 bucket, if you want to restrict access so that only requests coming from a specific VPC endpoint are allowed, that can be done. If you look at this S3 bucket policy, for all S3 actions the effect is Deny, with a condition that applies when the source VPC endpoint is not equal (StringNotEquals) to your VPC endpoint ID. That means any request that is not coming from that specific VPC endpoint will be blocked. So this is one of the ways in which you can block the access.
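The bucket policy described above, written out and checked against a few request contexts. This is an added example, not the policy shown in the video; the bucket name and endpoint IDs are constructed placeholders, and `is_denied` is a simplified evaluator for this one statement shape, not a full IAM policy engine.

```python
import json

# Placeholders constructed for this example; substitute your own values.
BUCKET = "example-bucket"
ALLOWED_VPCE = "vpce-0123456789abcdef0"


def build_policy(bucket, vpce_id):
    """Bucket policy as described: Deny all S3 actions unless via vpce_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpce",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
        }],
    }


def is_denied(policy, request_context):
    """Simplified evaluation of the Deny statement above only.

    A negated operator such as StringNotEquals also matches when the key is
    missing from the request, so traffic that uses no VPC endpoint at all
    (internet, console) is denied as well.
    """
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        wanted = stmt["Condition"]["StringNotEquals"]["aws:SourceVpce"]
        if request_context.get("aws:SourceVpce") != wanted:
            return True
    return False


# Constructed request contexts.
REQUESTS = {
    "via allowed endpoint": {"aws:SourceVpce": ALLOWED_VPCE},
    "via another endpoint": {"aws:SourceVpce": "vpce-0fedcba9876543210"},
    "from the internet or console": {},
}

if __name__ == "__main__":
    policy = build_policy(BUCKET, ALLOWED_VPCE)
    print(json.dumps(policy, indent=2))
    for name, ctx in REQUESTS.items():
        print(f"{name}: {'DENY' if is_denied(policy, ctx) else 'not denied'}")
```

"Not denied" here only means this Deny statement did not match; the caller still needs an Allow from an identity or bucket policy to read or write objects.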
