AWS Certified Advanced Networking - Specialty Exam Guide: Build your knowledge and technical expertise as an AWS-certified networking specialist
Ebook, 541 pages, 5 hours


About this ebook

Develop technical skills and expertise to automate AWS networking tasks

Key Features
  • A fast paced guide that will help you pass the exam with confidence
  • Learn advanced skill sets to build effective AWS networking solutions
  • Enhance your AWS skills with practice exercises and mock tests
Book Description

Amazon has recently introduced specialty certifications that validate a user's expertise in the area they want to build a career in. Since the cloud market now demands AWS networking skills, this has become the most wanted certification for strengthening one's industry portfolio. This book is an ideal companion for getting skilled with complex and creative networking solutions. Cloud practitioners or associate-level certified individuals interested in validating advanced skills in networking can opt for this practical guide.

This book includes topics that will help you design and implement AWS and hybrid IT network architectures, along with some network automation tasks. You will also delve deep into topics that will help you design and maintain network architecture for all AWS services. Like most of our certification guides, this book follows a unique approach of testing your learning with chapter-level practice exercises and certification-based mock tests. The exam mock tests will help you gauge whether you are ready to take the certification exam or not. This book will also be an advanced guide for networking professionals to enhance their networking skills and get certified.

By the end of this book, you will be fully equipped with AWS networking concepts and techniques and will have mastered core architectural best practices.

What you will learn
  • Formulate solution plans and provide guidance on AWS architecture best practices
  • Design and deploy scalable, highly available, and fault-tolerant systems on AWS
  • Identify the tools required to replicate an on-premises network in AWS
  • Analyze the access and egress of data to and from AWS
  • Select the appropriate AWS service based on data, compute, database, or security requirements
  • Estimate AWS costs and identify cost control mechanisms
Who this book is for

If you are a system administrator or a network engineer interested in getting certified with an advanced cloud networking certification, then this book is for you. Prior experience in cloud administration and networking is necessary.

Language: English
Publisher: Packt Publishing
Release date: May 27, 2019
ISBN: 9781789808438

    Book preview

    AWS Certified Advanced Networking - Specialty Exam Guide

    Build your knowledge and technical expertise as an AWS-certified networking specialist

    Marko Sluga

    BIRMINGHAM - MUMBAI

    AWS Certified Advanced Networking - Specialty Exam Guide

    Copyright © 2019 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    Commissioning Editor: Vijin Boricha

    Acquisition Editor: Heramb Bhavsar

    Content Development Editor: Abhishek Jadhav

    Technical Editor: Prachi Sawant

    Copy Editor: Safis Editing

    Project Coordinator: Jagdish Prabhu

    Proofreader: Safis Editing

    Indexer: Tejal Daruwale Soni

    Graphics: Jisha Chirayil

    Production Coordinator: Jayalaxmi Raja

    First published:  May 2019

    Production reference: 1240519

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham

    B3 2PB, UK.

    ISBN 978-1-78995-231-5

    www.packtpub.com

    mapt.io

    Mapt is an online digital library that gives you full access to over 5,000 books and videos, as well as industry leading tools to help you plan your personal development and advance your career. For more information, please visit our website.

    Why subscribe?

    Spend less time learning and more time coding with practical eBooks and Videos from over 4,000 industry professionals

    Improve your learning with Skill Plans built especially for you

    Get a free eBook or video every month

    Mapt is fully searchable

    Copy and paste, print, and bookmark content

    Packt.com

    Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.packt.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

    At www.packt.com, you can also read a collection of free technical articles, sign up for a range of free newsletters, and receive exclusive discounts and offers on Packt books and eBooks. 

    Contributors

    About the author

    Marko Sluga has had the opportunity to work in computing at a very exciting time and has been privileged enough to witness the rise of cloud computing in the last 20 years. Beginning his career as a service technician, he excelled at solving difficult problems. He worked his way up the IT food chain to work on servers, operating systems, virtualization, and the cloud. In the past, Marko has architected numerous cloud computing solutions, and today works as a cloud technology consultant and an Authorized Amazon Instructor. He is AWS-certified, holding the Architect, SysOps, and Developer Associate AWS certifications, the DevOps and Architect Professional AWS certification, and the Security, Advanced Networking, and Big Data Specialty AWS certifications.

    About the reviewer

    Zubin Ghafari is an AWS cloud certified professional and a consultant in cloud engineering and architecture. He currently holds over 8 AWS certifications at the Associate, Professional, and Specialty levels. With a passion for consulting and the cloud, Zubin enjoys spending his time experimenting and developing customized solutions for the AWS Cloud Computing platform. He has immense gratitude for his peers at Slalom who have supported him in his career.

    Packt is searching for authors like you

    If you're interested in becoming an author for Packt, please visit authors.packtpub.com and apply today. We have worked with thousands of developers and tech professionals, just like you, to help them share their insight with the global tech community. You can make a general application, apply for a specific hot topic that we are recruiting an author for, or submit your own idea.

    Table of Contents

    Title Page

    Copyright and Credits

    AWS Certified Advanced Networking - Specialty Exam Guide

    About Packt

    Why subscribe?

    Packt.com

    Contributors

    About the author

    About the reviewer

    Packt is searching for authors like you

    Preface

    Who this book is for

    What this book covers

    To get the most out of this book

    Download the example code files

    Download the color images

    Conventions used

    Get in touch

    Reviews

    Section 1: Introduction

    Overview of AWS Certified Advanced Networking - Specialty Certification

    Technical requirements

    The exam blueprint

    The exam requirements

    The exam structure

    Scoring

    Knowledge domains

    Taking the exam

    Summary

    Section 2: Managing Networks in AWS

    Networking with the Virtual Private Cloud

    Technical requirements

    Introduction to the VPC

    VPC networks

    Private and public subnets

    Public, elastic, and private IPs

    Working with VPCs

    Creating a VPC

    Configuring DHCP options

    VPC networking components

    ENI

    Routing, NAT, and internet access

    Connecting public subnets to the internet

    Connecting private subnets to the internet

    VPC endpoints and PrivateLink

    Gateway endpoint

    Interface endpoint – powered by AWS PrivateLink

    Configuring an endpoint 

    VPC peering

    Limitations of VPC peering

    Best practices

    Network and VPC sizing 

    High availability

    Routing

    VPC peering recommendations

    VPC limitations

    Summary

    Questions

    Further reading

    VPC Network Security

    Technical requirements

    An overview of network security

    Understanding network security vulnerabilities

    Network layer attacks

    Service layer attacks

    Exploiting vulnerabilities

    Application layer attacks

    Security in the OSI model

    Layer 2

    Layer 3

    Layer 4

    Layer 7

    WAN to LAN access patterns

    Controlling port-based traffic

    Controlling access to applications

    Securing the VPC

    Security groups

    NACLs

    Controlling access

    VPC Flow Logs

    VPC Flow Log examples

    Securing EC2 instance operating systems

    EC2 network adapter characteristics

    Controlling traffic to and from EC2 instances

    Controlling access with the OS firewall

    Advanced EC2 operating system security

    Delivering advanced network security in AWS

    Threats to modern applications

    AWS WAF concepts

    DDoS mitigation

    Packet security

    Advanced network security patterns

    Summary

    Questions

    Further reading

    Connecting On-Premises and AWS

    Technical requirements

    An overview of on-premises connectivity

    Connecting VPCs and private networks

    Connectivity across networks

    Public IPv4 and IPv6 traffic patterns

    IPv4

    IPv6

    Public routing and BGP

    VPN with the virtual private gateway

    Working with VPN

    The VGW service limits

    Securing VPNs

    Connecting with Direct Connect

    Working with Direct Connect

    Direct Connect requirements

    Securing Direct Connect

    Designing highly available and secure WAN links

    Reliability

    Routing

    Encryption

    Summary

    Questions

    Further reading

    Section 3: Managing and Securing Network-Attached Platform Services in AWS

    Managing and Securing Servers with ELB

    Technical requirements

    Introduction to ELB

    Types of ELB

    Classic Load Balancer (CLB)

    Application Load Balancer (ALB)

    Network Load Balancing (NLB)

    Working with the ELB

    Cross-zone load balancing

    Securing traffic on the ELB

    Security controls on the ELB

    Security of the traffic contents with encryption

    Protection against DoS attacks

    Summary

    Questions

    Further reading

    Managing and Securing Content Distribution with CloudFront

    Technical requirements

    Introducing CloudFront

    Working with CloudFront

    Securing content delivery

    Encryption

    DDoS mitigation

    Summary

    Questions

    Further reading

    Managing and Securing the Route 53 Domain Name System

    Technical requirements

    Introduction to Route 53

    DNS resource record types

    Routing policies

    Simple routing

    Multi-value response

    Latency-based routing

    Failover routing

    Weighted routing

    Geo-location routing

    Geo-proximity routing

    Health checking

    Registering a domain name

    Best practices

    Summary

    Questions

    Further reading

    Managing and Securing API Gateway

    Technical requirements

    Introduction to API Gateway

    How API Gateway works

    Pricing

    Securing API Gateway

    Authentication and authorization

    Cognito and IAM

    Resource policies

    Lambda authorizers

    Usage plans

    Encryption

    DoS mitigation and enhanced security

    Summary

    Questions

    Further reading

    Section 4: Monitoring and Operating the AWS Networks

    Monitoring and Troubleshooting Networks in AWS

    Technical requirements

    Introducing CloudWatch

    How CloudWatch works

    Metrics, logs, and alarms

    Metrics

    Logs

    Alarms

    Monitoring types – standard and detailed

    Creating a CloudWatch alarm

    AWS CloudTrail

    Working with VPC Flow Logs

    Flow logs recommendations and limitations

    Monitoring network components

    Monitoring ELB

    Monitoring CloudFront

    Monitoring the API gateway

    Monitoring Route 53

    Troubleshooting

    EC2 instance not accessible

    ELB not responding or responding with 503

    CloudFront connectivity issues

    Route 53 issues

     Summary

    Questions

    Further reading

    Section 5: Network automation in AWS

    Network Automation with CloudFormation

    Technical requirements

    Introduction to CloudFormation

    IaC versus the traditional approach

    Benefits of IaC

    CloudFormation basic elements

    Templates

    Template sections

    Template policies

    CreationPolicy

    DeletionPolicy

    UpdatePolicy and UpdateReplacePolicy

    DependsOn

    Stacks

    Change sets

    How CloudFormation works

    Creating network services with CloudFormation

    The VPC

    Public subnets

    Private subnets

    Network access control lists

    Trying out the template

    Best practices

    Summary

    Questions

    Further reading

    Section 6: The Exam

    Exam Tips and Tricks

    Technical requirements

    Introduction to the exam

    Domain 1 – Design and implement hybrid IT network architectures at scale

    Domain 2 – Design and implement AWS networks

    Domain 3 – Automate AWS tasks

    Domain 4 – Configure network integration with application services

    Domain 5 – Design and implement for security and compliance

    Domain 6 – Manage, optimize, and troubleshoot the network

    Summary

    Further reading

    Mock Tests

    Mock Test 1

    Mock Test 2

    Assessments

    Chapter 2 – Networking with the Virtual Private Cloud

    Chapter 3 – VPC Network Security

    Chapter 4 – Connecting On-Premises and AWS

    Chapter 5 – Managing and Securing Servers with ELB

    Chapter 6 – Managing and Securing Content Distribution with CloudFront

    Chapter 7 – Managing and Securing the Route 53 Domain Name System

    Chapter 8 –  Managing and Securing API Gateways

    Chapter 9 – Monitoring and Troubleshooting Networks in AWS

    Chapter 10 – Network Automation with CloudFormation

    Mock test 1

    Mock test 2

    Other Books You May Enjoy

    Leave a review - let other readers know what you think

    Preface

    Before we begin, let me thank you for choosing this book as your guide to the AWS Certified Advanced Networking - Specialty exam.  The intention of this book is to provide you with a tool that will help you to gauge your AWS and general networking knowledge in order to determine your confidence level for passing the AWS Certified Advanced Networking - Specialty exam.

    The goal of the book is to focus exclusively on the networking components of AWS. We will be discussing the networking services and their features in great detail and a lot of depth. This does, however, come with a caveat—I will be assuming the reader has previous experience of working as a networking engineer and is familiar with AWS services and concepts. This assumption will come at the expense of explaining basic networking concepts such as how the OSI model works, how the IP protocol operates, how we calculate IP addresses, and so on.

    Furthermore, the assumption implies that the reader is familiar with AWS and the services AWS provides to run applications. The assumption will mean that some AWS services mentioned in this book will need to be read up on outside of the context of this book. If you cannot determine how comfortable you are with AWS services, I recommend picking up a copy of AWS Certified SysOps Administrator - Associate Guide or the AWS Certified Solutions Architect - Associate Guide, both available from Packt Publishing, because both of these books are great tools to get you started with AWS.

    Who this book is for

    If you are a system administrator or a network engineer interested in getting certified with an advanced cloud networking certification, then this book is for you. Prior experience of cloud administration and networking is necessary.

    What this book covers

    Chapter 1, Overview of AWS Certified Advanced Networking – Specialty Certification, outlines the AWS Certified Advanced Networking – Specialty exam and highlights the critical aspects, knowledge areas, and services covered in the official blueprint published by Amazon.

    Chapter 2, Networking with VPC, describes how you can create a Virtual Private Cloud (VPC) and start building a secure network with a number of components of AWS networking services.

    Chapter 3, VPC Network Security, describes how you can secure a VPC with a number of security features of the VPC and other AWS security services.

    Chapter 4, Connecting On-Premise and AWS, provides an overview of the connectivity services available in AWS and the security features and controls provided for these AWS features.

    Chapter 5, Managing and Securing Servers with ELB, describes the way to secure the ELB and elaborates on the critical aspects of the ELB service.

    Chapter 6, Managing and Securing Content Distribution with CloudFront, provides an overview of some of the critical features of CloudFront to help you manage and secure it.

    Chapter 7, Managing and Securing the Route 53 Domain Name System, introduces you to the Route 53 service and describes various components of the service.

    Chapter 8, Managing and Securing the API Gateway, takes a look at how to maintain security and the highest possible uptime of the content being delivered through the API gateway.

    Chapter 9, Monitoring and Troubleshooting Networks in AWS, describes how you can use  CloudWatch, CloudTrail, and the VPC Flow Logs Services to collect and track network state and metrics, collect and monitor log files, set alarms, and automatically react to changes in your AWS resources.

    Chapter 10, Network Automation with CloudFormation, provides an overview of the CloudFormation service as it relates to network services.

    Chapter 11, Exam Tips and Tricks, provides elaborate guidance on how to prepare for the exam, and provides tips and tricks on the topics covered in the book.

    Chapter 12, Mock Tests, consists of two mock tests for readers to test their knowledge. It tries to cover all the topics from the exam and challenges your understanding of the topics. Each mock test contains 60 questions. You should try to complete a mock test in 90 minutes.

    To get the most out of this book

    The knowledge that is required by readers in order to benefit from this book is as follows:

    A basic understanding of general cloud computing terminology and environments

    A basic understanding of networking, the OSI layers, and the IP stack

    A basic understanding of network function devices, such as routers, firewalls, load balancers, and content delivery networks

    A basic understanding of virtualization and server operating systems

    A basic understanding of user and security management

    A basic understanding of storage concepts (for example, object storage, block storage, and file storage)

    A basic understanding of database services

    A basic understanding of messaging in applications

    A basic understanding of serverless computing

    A basic understanding of automation and orchestration

    In addition, a more in-depth understanding of the following topics will be beneficial:

    Designing applications for high availability and resilience

    Operating system scripting languages

    Database structures

    The JSON data format

    Programming languages and application design

    Download the example code files

    You can download the example code files for this book from your account at www.packt.com. If you purchased this book elsewhere, you can visit www.packt.com/support and register to have the files emailed directly to you.

    You can download the code files by following these steps:

    Log in or register at www.packt.com.

    Select the SUPPORT tab.

    Click on Code Downloads & Errata.

    Enter the name of the book in the Search box and follow the onscreen instructions.

    Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

    WinRAR/7-Zip for Windows

    Zipeg/iZip/UnRarX for Mac

    7-Zip/PeaZip for Linux

    The code bundle for the book is also hosted on GitHub at https://github.com/PacktPublishing/AWS-Certified-Advanced-Networking-Specialty-Exam-Guide. In case there's an update to the code, it will be updated on the existing GitHub repository.

    We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

    Download the color images

    We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: http://www.packtpub.com/sites/default/files/downloads/9781789952315_ColorImages.pdf.

    Conventions used

    There are a number of text conventions used throughout this book.

    CodeInText: Indicates code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: To perform this, we can add WaitCondition to CreationPolicy.

    A block of code is set as follows:

    {
      "Transform" : {
        "Name" : "AWS::Include",
        "Parameters" : {
          "Location" : "s3://cftemplatebucket/simple-network-stack.json"
        }
      }
    }

    Bold: Indicates a new term, an important word, or words that you see onscreen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: Open the CloudFormation console and click on Create stack.

    Warnings or important notes appear like this.

    Tips and tricks appear like this.

    Get in touch

    Feedback from our readers is always welcome.

    General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

    Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

    Piracy: If you come across any illegal copies of our works in any form on the Internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

    If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

    Reviews

    Please leave a review. Once you have read and used this book, why not leave a review on the site that you purchased it from? Potential readers can then see and use your unbiased opinion to make purchase decisions, we at Packt can understand what you think about our products, and our authors can see your feedback on their book. Thank you!

    For more information about Packt, please visit packt.com.

    Section 1: Introduction

    Amazon publishes an official blueprint for each certification exam. The blueprint elaborates the scope of the exam, prerequisites to attend the exam, and the knowledge required to successfully complete the exam. This section outlines the AWS Certified Advanced Networking – Specialty exam and highlights the critical aspects, knowledge area, and services covered in the blueprint.

    In this section, we will cover the following chapter:

    Chapter 1, Overview of AWS Certified Advanced Networking - Specialty Certification

    Overview of AWS Certified Advanced Networking - Specialty Certification

    In this chapter, we will be taking a look at the characteristics and structure of the AWS Certified Advanced Networking – Specialty certification exam. This chapter is intended to provide a baseline understanding of the approach to taking the exam and the type and depth of knowledge you will need to be able to successfully pass the exam. 

    The following topics will be covered in this chapter:

    The exam blueprint

    The exam requirements

    The exam structure

    Scoring

    Knowledge domains

    Taking the exam

    Technical requirements

    There are no special technical requirements to follow through and understand in regards to this chapter; however, familiarity with general networking concepts will help you get a better grasp of the concepts that will be discussed. The chapters that follow will require deeper knowledge of different aspects of networking, from IP to the OSI layer to security. Additionally, topics covering network connectivity with AWS will require that you have a broad understanding of WAN connectivity types and routing protocols, especially the Border Gateway Protocol (BGP) routing mechanism.

    The exam blueprint

    As with all the AWS certifications, the Certified Advanced Networking – Specialty certification will follow the AWS outlined blueprint. This blueprint will provide an overview of the objectives and requirements of the exam. According to the blueprint, for the AWS Certified Advanced Networking – Specialty exam, taking and passing the exam will prove the exam taker's experience and ability to design and implement network architectures of any scale within AWS and connect them to hybrid environments.

    The exam blueprint outlines that the following skills will be tested:

    An understanding of the AWS network concepts

    An understanding of hybrid IT network architectures

    An understanding of network automation tools provided in AWS

    The ability to configure network services and integrate them with applications

    The ability to design and implement network security

    The ability to optimize and troubleshoot networking issues

    The exam requirements

    AWS outlines several different requirements as prerequisites so that you're able to pass the exam. These include both the understanding of the networking components and services within AWS, as well as general networking concepts. Alongside theoretical knowledge, practical experience
