AWS Certified Advanced Networking Study Guide

Specialty (ANS-C01) Exam

Todd Montgomery

$107.95

Paperback

English
Sybex Inc.,U.S.
13 November 2023
The latest edition of the official study guide for the AWS Advanced Networking certification specialty exam

The newly revised second edition of the AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam delivers an expert review of Amazon Web Services Networking fundamentals as they relate to the ANS-C01 exam. You’ll find detailed explanations of critical exam topics combined with real-world scenarios that will help you build the robust knowledge base you need for the test—and to succeed in the field as an AWS Certified Networking specialist.

Learn about the design, implementation and deployment of AWS cloud-based Networking solutions, core services implementation, AWS service architecture design and maintenance (including architectural best practices), monitoring, Hybrid networks, security, compliance, governance, and network automation. The book also offers one year of free access to Sybex’s online interactive learning environment and expert study tools, featuring flashcards, a glossary of useful terms, chapter tests, practice exams, and a test bank to help you keep track of your progress and measure your exam readiness.

The coveted AWS Advanced Networking credential proves your skills with Amazon Web Services and hybrid IT network architectures at scale. It assesses your ability to apply deep technical knowledge to the design and implementation of AWS Networking services. This book provides you with comprehensive review and practice opportunities so you can succeed on the challenging ANS-C01 exam the first time around. It also offers:

- Coverage of all relevant exam domains and competencies
- Explanations of how to apply the AWS skills discussed within to the real world in the context of an AWS Certified Networking-related career
- Complimentary access to the practical Sybex online learning environment, complete with practice exams, flashcards, a glossary, and test bank

AWS certification proves to potential employers that you have the knowledge and practical skills you need to deliver forward-looking, resilient, cloud-based solutions. The AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam, 2nd Edition, is your ticket to the next big step in your career.
Imprint:   Sybex Inc.,U.S.
Country of Publication:   United States
Edition:   2nd edition
Dimensions:   Height: 234mm,  Width: 185mm,  Spine: 33mm
Weight:   998g
ISBN:   9781394171859
ISBN 10:   1394171854
Series:   Sybex Study Guide
Pages:   592
Audience:   Professional and scholarly, Undergraduate
Format:   Paperback
Publisher's Status:   Active
Introduction

Assessment Test

Part I Network Design

Chapter 1 Edge Networking: Content Distribution Networking; CloudFront; CloudFront Implementation; Caching and Object Retention; Invalidations; Protocol Support; CloudFront Encryption Using SSL/TLS and SNI; CloudFront Security; Billing; Lambda@Edge; Geo-restriction and Geolocation; Global Accelerator; Global Accelerator Architecture; Custom Routing Accelerator; AWS Global Accelerator Pricing; Elastic Load Balancers; Load Balancer Architectures; Listeners; Target Groups; Health Checking; Sticky Connections; Proxy Connections; Load Balancing Across Different Availability Zones; Connection Draining; AWS Load Balancer Offerings; Application Load Balancers; Gateway Load Balancers; Network Load Balancer; Classic Load Balancers; Configuring Elastic Load Balancers; API Gateway; REST API; HTTP API; WebSocket Protocol; API Gateway Configuration; API Gateway Caching; Endpoint Types; Security; Authentication and Authorization; CloudFront Design Considerations; Summary; Exam Essentials; Exercises; Written Lab; Written Lab 1.1: Create an HTTP API by Using the AWS Management Console; Review Questions

Chapter 2 Domain Name Services: DNS and Route 53; DNS Overview; Architecture; DNS Hierarchy; Zones; DNS Resolution Process; Resource Records; Timers; Delegations; DNSSEC Overview; DNS Logging and Monitoring; CloudTrail; CloudWatch; Artificial Intelligence and Machine Learning; Redshift; Route 53 Advanced Features and Policies; Alias Records; Resolvers; Route 53 Resolver DNS Firewall; Health Checks; Traffic Routing Policies; Simple Routing; Multivalue Responses; Latency-Based Routing; Failover Routing; Round-Robin Routing; Weighted Routing; Geolocation; Geo-proximity; Route 53 Service Integrations; VPC; CloudFront; Load Balancers; Route 53 Application Recovery Controller; Hybrid Route 53; Multi-account Route 53; Multi-Region Route 53; Using Route 53 Public Hosted Zones; Using Route 53 Private Hosted Zones; Using Route 53 Resolver Endpoints in Hybrid and AWS Architectures; Using Route 53 for Global Traffic Management; Route 53 Failover; Domain Registration; Required Information to Register a Domain; Privacy Protection; Route 53 Registration Information; Renewing Your Domain; Summary; Exam Essentials; Exercises; Review Questions

Chapter 3 Hybrid and Multi-account DNS: Implementing Hybrid and Multi-account DNS Architectures; Route 53 Hosted Zones; Private Hosted Zones; Public Hosted Zones; Traffic Management; Latency; Geolocation; Weighted; Failover; Multivalue; Health Checking; Domain Delegation and Forwarding; Delegating Domains; Forwarding Rules; Configuring Records in Route 53; A Record; AAAA Record; CNAME; MX Record; SOA Record; TXT Record; PTR Record; Alias Record; SRV Record; SPF Record; NAPTR Record; CAA Record; Configuring DNSSEC; Multi-account Route 53; DNS Endpoints; Outbound Endpoints; Inbound Endpoints; Configuring Route 53 Monitoring and Logging; CloudTrail API Logging; CloudWatch Logging; DNS Query Logging; Resolver Query Logging; Hosted Zone Monitoring; Resolver Endpoints Monitoring; Domain Registration Monitoring; Summary; Exam Essentials; Written Labs; Written Lab 3.1: Configure Logging for DNS Queries; Written Lab 3.2: View DNS Query Metrics for a Public Hosted Zone in the CloudWatch Console; Review Questions

Chapter 4 Load Balancing: Elastic Load Balancing; Network Load Balancing; Application Load Balancing; Gateway Load Balancing; Classic Load Balancing; Network Design; High Availability; Security; ELB Connectivity Patterns; Internal Load Balancers; External Load Balancers; Autoscaling; AWS Service Integrations; Config; Global Accelerator; CloudFront; Traffic Mirroring; VPC Endpoint Services (PrivateLink); Web Application Firewall; Route 53; Amazon Elastic Kubernetes Service; AWS Certificate Manager; ELB Configuration Options; Proxy Protocol; X-Forwarded-For Protocol; Cross-Zone Load Balancing; Session Affinity and Sticky Sessions; Target Groups; Routing; Target Types; IP Address Type; Protocol Version; Registered Targets; Routing Algorithms; Deregistration and Connection Draining; Deletion Protection; Health Checking; Slow Start; The GENEVE Protocol; Encryption and Authentication; SSL/TLS Offload; TLS Passthrough; Summary; Exam Essentials; Exercises; Written Labs; Written Lab 4.1: Create a Network Load Balancer; Written Lab 4.2: Use the Console to Enable Deletion Protection; Written Lab 4.3: Use the Console to Disable Deletion Protection; Written Lab 4.4: Enable Application-Based Stickiness; Review Questions

Chapter 5 Logging and Monitoring: CloudWatch; Metrics; Monitoring Categories; Agents; Logging; Alarms; Metric Insights; Dashboards; Transit Gateway Network Manager; VPC Reachability Analyzer; Access Logs; Elastic Load Balancing; Route 53 Logs; CloudFront Logs; CloudTrail Logs; X-Ray; X-Ray Traces; X-Ray Insights; Flow Logs; Baseline Network Performance; Inspector; Application Insights; Config; Summary; Exam Essentials; Written Labs; Written Lab 5.1: Enable CloudWatch Detailed Monitoring for an Instance That Has Already Been Enabled; Written Lab 5.2: Enable CloudWatch Logging from the Web Console; Written Lab 5.3: Enable CloudWatch Alarms from the Web Console; Written Lab 5.4: Create a VPC Reachability Analyzer from the Web Console; Review Questions

Part II Network Implementation

Chapter 6 Hybrid Networking: Hybrid Connectivity; OSI Layer 1; Optics; OSI Layer 2; VLANs; Link Aggregation; Jumbo Frames; Encapsulation and Encryption; Overlay and Underlay Networks; VXLAN; Generic Routing Encapsulation; IPSec; Geneve; Routing Fundamentals; Static Routing; Dynamic Routing; The BGP Routing Protocol; Direct Connect; Direct Connect Gateway; Virtual Private Gateway; Site-to-Site VPN; VPN CloudHub; AWS Account Resource Sharing; Summary; Exam Essentials; Exercises; Written Labs; Written Lab 6.1: Simulate Creating a Direct Connection; Written Lab 6.2: Simulate Creating a Site-to-Site VPN Connection; Review Questions

Chapter 7 Connecting On-Premises Networks: On-Premises Network Connectivity; VPNs; VPN Security; Accelerated Site-to-Site VPN Connections; Layer 1 and Types of Hardware to Use; Direct Connect; Direct Connect Locations; Letter of Authorization Documents; Layer 2 and Layer 3; Switching; Routing; Gateways; Software-Defined Networking; Transit Gateway; PrivateLink; Resource Access Manager; Testing and Validating Connectivity Between Environments; Route Analyzer; Reachability Analyzer; ICMP ping; traceroute; Summary; Exam Essentials; Written Labs; Written Lab 7.1: Create a VPN Attachment on a Transit Gateway Using the Console; Written Lab 7.2: Perform a traceroute; Written Lab 7.3: Use ping; Review Questions

Chapter 8 Inter-VPC and Multi-account Networking: Networking Services of VPCs; VPC Sharing; VPC Peering; Multi-account VPC Sharing; PrivateLink; Hub-and-Spoke VPC Architectures; Transit Gateway; Transit Gateway Connect; Transit VPCs; Wide-Area Networking; Software-Defined Wide Area Networking; Multi Protocol Label Switching; Expanding AWS Networking Connectivity; Organizations; Resource Access Manager; Authentication and Authorization; Security Association Markup Language; Active Directory; Summary; Exam Essentials; Exercises; Review Questions

Chapter 9 Hybrid Network Routing and Connectivity: Industry-Standard Routing Protocols Used in AWS Hybrid Networks; Optimizing Routing; Optimizing Dynamic Routing; Optimizing Static Routing; Route Priorities and Administrative Distance; Route Summarization; Route Propagation; Overlapping Routes; BGP Over Direct Connect; Connectivity Methods for AWS and Hybrid Networks; Direct Connect and Direct Connect Gateway; Direct Connect Virtual Interfaces; Site-to-Site VPN; App Mesh; AWS Networking Limits and Quotas; Available Private and Public Access Methods for Custom Services; PrivateLink; VPC Peering; Available Inter-Regional and Intra-Regional Communication Patterns; Summary; Exam Essentials; Written Lab; Written Lab 9.1: Enable Route Propagation in a VPC; Exercises; Review Questions

Part III Network Management and Operations

Chapter 10 Network Automation: Network Automation; Infrastructure as Code; AWS Cloud Development Kit; AWS CloudFormation; EventBridge; AWS Command-Line Interface; AWS Software Development Kit; Application Programming Interfaces; Integrating Network Automation Using Infrastructure as Code; Event-Driven Network Automation; Automating the Process of Optimizing Cloud Network Resources with IaC; Common Problems When Using Hard-Coded Instructions in IaC Templates; Creating and Managing Repeatable Network Configurations; Integrating Event-Driven Networking Functions; Integrating Hybrid Network Automation Options with AWS Native IaC; Eliminating Risk and Achieving Efficiency in a Cloud Networking Environment; Summary; Exam Essentials; Exercises; Review Questions

Chapter 11 Monitor, Analyze, and Optimize Network Traffic: Monitoring, Analyzing, and Optimizing AWS Networks; Monitor and Analyze Network Traffic to Troubleshoot and Optimize Connectivity Patterns; Network Performance Metrics and Reachability Constraints; Appropriate Logs and Metrics to Assess Network Performance and Reachability Issues; AWS Tools to Collect and Analyze Logs and Metrics; AWS Tools to Analyze Routing Patterns and Issues; Analyzing Logging Output to Assess Network Performance and Troubleshoot Connectivity; Network Topology Mapping; Analyzing Packets to Identify Issues; Using the Reachability Analyzer for Troubleshooting, Validating, and Automating Connectivity Issues; Optimize AWS Networks for Performance, Reliability, and Cost-Effectiveness; VPC Peering vs. Transit Gateways; Reducing Bandwidth Utilization with Multicast; Implementing Multicast Capability Within a VPC and On-Premises Environments; Optimizing Route 53; Frame Size Optimization Across Different Connection Types; Jumbo Frame Support Across Different Connection Types; Optimizing Network Throughput; Selecting a Network Interface for Best Performance; Select Network Connectivity Services That Meet Requirements; VPC Subnet Optimization; Updating and Optimizing Subnets to Prevent the Depletion of Available IP Addresses in a VPC; Updating and Optimizing Subnets for Autoscaling; Optimizing Network Performance and Availability Using Caching and Compression; Summary; Exam Essentials; Written Labs; Written Lab 11.1: Create a VPC Flow Log; Written Lab 11.2: Add a New Subnet to a VPC; Written Lab 11.3: Change the MTU on a Linux EC2 Interface; Exercises; Review Questions

Part IV Network Security, Compliance, and Governance

Chapter 12 Security, Compliance and Governance: Security, Compliance, and Governance; Threat Models; Common Security Threats; Securing Application Flows; Network Architectures That Meet Security and Compliance Requirements; Securing Inbound Traffic Flows; Web Application Firewall; Network Firewall; Shield; Security Groups; Network Access Control Lists; Securing Outbound Traffic Flows; Network Firewall; Proxies; Gateway Load Balancers; Route 53 Resolvers; Virtual Private Networks; VPC Endpoint Services: PrivateLink; Securing Inter-VPC Traffic; Network ACLs; VPC Endpoint Policies; Security Groups; Transit Gateway; VPC Peering; Implementing an AWS Network Architecture to Meet Security and Compliance Requirements; Untrusted Networks; Perimeter VPC; Three-Tier Architecture; Hub-and-Spoke Architecture; Develop a Threat Model and Identify Mitigation Strategies; Compliance Testing; Automating Security Incident Reporting and Alerting; Summary; Exam Essentials; Exercises; Written Labs; Written Lab 12.1: Download an Artifact Report; Written Lab 12.2: Request a Public SSL/TLS Certificate from the AWS Console; Written Lab 12.3: Review a Security Group Configuration from the AWS Console; Review Questions

Chapter 13 Network Monitoring and Logging: Network Monitoring and Logging Services in AWS; AWS CloudTrail; VPC Traffic Mirroring; VPC Flow Logs; Transit Gateway Logging; Alerting Mechanisms; CloudWatch Alarms; Simple Notification Service; Log Creation with Different AWS Services; Load Balancer Access Logs; CloudFront Access Logs; Log Delivery Mechanisms; Kinesis; Route 53; CloudWatch; Mechanisms to Audit Network Security Configurations; Security Groups; Firewall Manager; Trusted Advisor; Traffic Mirroring and Flow Logs; Creating and Analyzing VPC Flow Logs; Creating and Analyzing Network Traffic Mirroring; CloudWatch; Implementing Automated Alarms Using CloudWatch; Implementing Customized Metrics Using CloudWatch; Correlating and Analyzing Information Across Single or Multiple AWS Log Sources; Implementing Log Delivery Solutions; Implementing a Network Audit Strategy; Summary; Exam Essentials; Exercises; Review Questions

Chapter 14 Confidentiality and Encryption: Confidentiality and Encryption; Network Encryption Options Available on AWS; VPN Connectivity Over Direct Connect; Encryption Methods for Data in Transit; Network Encryption and the AWS Shared Responsibility Model; Security Methods for DNS Communications; Implementing Network Encryption Methods to Meet Application Compliance Requirements; IPSec; TLS; Implementing Encryption Solutions to Secure Data in Transit; CloudFront; Application Load Balancers and Network Load Balancers; Securing AWS Managed Databases; Securing Amazon S3 Buckets; Securing EC2 Instances; Transit Gateway; Certificate Management Using a Certificate Authority; AWS Certificate Manager and Private Certificate Authority; Summary; Exam Essentials; Exercises; Review Questions

Appendix Answers to Review Questions: Chapter 1: Edge Networking; Chapter 2: Domain Name Services; Chapter 3: Hybrid and Multi-account DNS; Chapter 4: Load Balancing; Chapter 5: Logging and Monitoring; Chapter 6: Hybrid Networking; Chapter 7: Connecting On-Premises Networks; Chapter 8: Inter-VPC and Multi-account Networking; Chapter 9: Hybrid Network Routing and Connectivity; Chapter 10: Network Automation; Chapter 11: Monitor, Analyze, and Optimize Network Traffic; Chapter 12: Security, Compliance and Governance; Chapter 13: Network Monitoring and Logging; Chapter 14: Confidentiality and Encryption

Index

ABOUT THE AUTHOR

TODD MONTGOMERY, AWS Certified Advanced Networking, AWS Certified Solutions Architect, AWS Certified Developer, is a Network Automation Engineer for a Fortune 500 company. He is involved with network design and implementation of emerging datacenter technologies, as well as software defined networking design plans, cloud design, and implementation.
