AWS Certified Advanced Networking Specialty Course Slides

SECTION 1

Let's Get Started!

© Digital Cloud Training | https://digitalcloud.training


The ANS-C00 / C01 Exam



The ANS-C00/C01 Exam

Level: Specialty
Length: 170 minutes
Format: 65 questions (ANS-C00)
Cost: $300 USD
Delivery Method: Testing center or online
Scoring:
• Scaled score between 100 – 1000
• Minimum passing score of 750



The ANS-C00/C01 Exam

Question format:
• Multiple-choice: Has one correct response and three
incorrect responses
• Multiple-response: Has two or more correct responses
out of five or more options



The ANS-C00/C01 Exam
AWS recommends that candidates have the following knowledge:
• Professional experience using AWS technology, AWS security best practices, AWS storage
options and their underlying consistency models, and AWS networking nuances and how
they relate to the integration of AWS services
• Knowledge of advanced networking architectures and interconnectivity options [e.g., IP
VPN, multiprotocol label switching (MPLS), virtual private LAN service (VPLS)]
• Familiarity with the development of automation scripts and tools. This should include the
design, implementation, and optimization of the following: Routing architectures
(including static and dynamic); multi-region solutions for a global enterprise; highly
available connectivity solutions (e.g., AWS Direct Connect, VPN)
• Knowledge of CIDR and sub-netting (IPv4 and IPv6); IPv6 transition challenges; and generic
solutions for network security features, including AWS WAF, intrusion detection systems
(IDS), intrusion prevention systems (IPS), DDoS protection, and economic denial of
service/sustainability (EDoS)



Mapping ANS-C00 to ANS-C01
There are 6 domains for the ANS-C00 exam vs 4 domains for the
ANS-C01

ANS-C00 Domain                                                            ANS-C01 Domain
Domain 1: Design and implement hybrid IT network architectures at scale   Domain 1: Network Design
Domain 2: Design and implement AWS networks                               Domain 1: Network Design
Domain 3: Automate AWS tasks                                              Domain 2: Network Implementation
Domain 4: Configure network integration with application services         Domain 2: Network Implementation
Domain 5: Design and implement for security and compliance                Domain 4: Network Security, Compliance, and Governance
Domain 6: Manage, optimize, and troubleshoot the network                  Domain 3: Network Management and Operation


Advice for ANS-C00 Students
Subjects you can avoid if taking the ANS-C00 exam (though some could come up):
• AWS Outposts
• Local Zones
• Accelerated S2S VPN
• Provider Independent IPs (PI) / BYOIP
• Route 53 Resolver - more coverage and DNSSEC
• AWS Network Firewall and DNS Firewall
• Centralized / shared services VPCs - lots more scenarios
• IGMP multicast domains
• Traffic mirroring
• IPv6 – more coverage
• Gateway Load Balancer
• SD-WAN scenarios with transit gateway, VXLAN, GRE with BGP, VRF, ECMP
• Amazon EKS + Kubernetes Autoscaler, Horizontal Pod Autoscaler
• Self-signed certificates with ACM
• AWS Organizations



SECTION 2

Getting Started - AWS Accounts



AWS Account Overview



AWS Account Overview

AWS Account: a unique email address is required
Account Root User: the Root user has full control over the account
AWS IAM: IAM can be used to create users, groups, roles and policies (User, Group, Role, Policy)
It's an IAM best practice to create individual users and to not use the Root account

AWS Account Overview

Authentication: IAM principals authenticate to IAM using the console, API, or CLI
Authorization: IAM principals can then create resources across AWS Regions
(e.g. EC2, RDS, S3 and ALB resources in us-west-1, us-east-1 and ap-southeast-2)
All AWS identities and resources are created within the AWS account
Create Your
AWS Free Tier Account



What you need…

Credit card for setting up the account and paying any bills
Unique email address for this account (check if you can use a dynamic alias with an existing email address)
AWS account name / alias
Phone to receive an SMS verification code
Configure Account
and Create a Billing Alarm



Account Configuration
• Configure Account Alias

• Enable access to billing for IAM users

• Update billing preferences

• Create a billing alarm

• Confirm SNS subscription



Install Tools
(AWS CLI, VS Code, CloudShell)



Install Tools
• Install the AWS Command Line Interface (CLI)

• Install Visual Studio Code

• Launch AWS CloudShell



SECTION 3

Networking Fundamentals



Networking in the Cloud



Clients and Servers

Cloud Computing: client devices are connected to servers via the Internet
Client devices require connectivity via wired, wireless or cellular networks
Cloud Networking: servers running in the cloud offer services which include the application, processing and data storage


Connecting to Services
The client application finds the server by IP address; a port is like a door into the server

Server         Port   Protocol
Web Server     80     HTTP
File Server    445    SMB (SMB/CIFS is used by Microsoft file servers and clients)
Email Server   25     SMTP

Server to Server Connectivity

Application Servers connect to the Database Server on port 3306 (protocol: MySQL)


Site to Site Connectivity

Several company offices each connect to the Cloud over a site-to-site link


Bandwidth and Latency



Bandwidth and Latency

Bandwidth is the rate of data transfer for a fixed period of time, measured in bits per second (e.g. 1.5 Gbps)
Bandwidth can be considered the width of the communication band
Latency is the amount of time it takes to send data from one point to another, measured in microseconds or milliseconds

Bandwidth and Latency

Within a data center (metres): latency in microseconds
Between data centers (miles/KMs): latency in milliseconds

Bandwidth and Latency

Greater distance = higher latency


IP Addressing Basics (IPv4)



IP Addressing Basics
User enters website address in browser; the DNS Server resolves the domain name to the IP address of the webserver, and the computer then connects to the Web Server at 192.168.0.1

Name                Type   Value
mycompany.local     A      192.168.0.1
emailserver.local   A      192.168.0.2
IP Addressing Basics
Each part of the address is a binary octet. An IPv4 address has a network ID and a host ID; the subnet mask is used to define which bits belong to the network ID and which to the host ID.

Address:      192      . 168      . 0        . 1
              11000000   10101000   00000000   00000001
Subnet mask:  255      . 255      . 255      . 0
              11111111   11111111   11111111   00000000
              <-------- Network ID ---------> <Host ID>

Bit values within an octet (most significant bit on the left, least significant bit on the right):
Bit:     1    1    1    1    1    1    1    1
Value:  128   64   32   16    8    4    2    1


IP Addressing Basics

A network and subnet mask can also be written in this format (CIDR notation):

Network       192.168.0.0
Subnet Mask   255.255.255.0    = 192.168.0.0/24


IP Addressing Basics

Classful examples (8 bits per octet). The network address (all host bits zero) and the broadcast address (all host bits one) are not usable by hosts, so usable hosts = total addresses - 2.

Class     Network       Mask (prefix)         First host    Last host        Usable hosts (total addresses)
Class A   10.0.0.0      255.0.0.0 (/8)        10.0.0.1      10.255.255.254   16,777,214 (16,777,216)
Class B   172.16.0.0    255.255.0.0 (/16)     172.16.0.1    172.16.255.254   65,534 (65,536)
Class C   192.168.0.0   255.255.255.0 (/24)   192.168.0.1   192.168.0.254    254 (256)


Private IP Addresses
• There are several ranges of addresses reserved for private usage as
defined in RFC 1918
• These are:
CIDR First Address Last Address
10.0.0.0/8 10.0.0.0 10.255.255.255
172.16.0.0/12 172.16.0.0 172.31.255.255
192.168.0.0/16 192.168.0.0 192.168.255.255

• Private addresses are NOT routable on the Internet

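As an added example (not part of the course slides), the following Python uses the standard library ipaddress module to do the octet, mask and CIDR arithmetic from the last few slides and to check a block against the RFC 1918 ranges. The function names are mine; the sample addresses are the ones on the slides. It deliberately does not use ipaddress's is_private, which also returns True for loopback, link-local and documentation ranges that are not RFC 1918 space.

```python
from __future__ import annotations

import ipaddress

# Added example, not course material. The three RFC 1918 ranges from the slide above.
RFC1918 = [ipaddress.IPv4Network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def octets_to_binary(addr: str) -> str:
    """Render a dotted-quad address as four 8-bit binary octets, most significant bit first."""
    return " ".join(f"{int(o):08b}" for o in str(ipaddress.IPv4Address(addr)).split("."))


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. ipaddress raises ValueError for non-contiguous masks such as 255.0.255.0."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def split_network_host(addr: str, mask: str) -> tuple[str, str]:
    """AND with the mask gives the network ID; AND with the inverted mask gives the host ID."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    network = ipaddress.IPv4Address(a & m)
    host = ipaddress.IPv4Address(a & (~m & 0xFFFFFFFF))
    return str(network), str(host)


def describe(cidr: str) -> dict:
    """Network, broadcast, first/last usable host and host counts for a CIDR block.

    strict=False accepts an address with host bits set (192.168.0.1/24) and normalises it.
    /31 and /32 have no separate network/broadcast address, so every address is usable.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    if net.prefixlen >= 31:
        first, last, usable = net.network_address, net.broadcast_address, net.num_addresses
    else:
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2
    return {
        "cidr": str(net),
        "mask": str(net.netmask),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "total_addresses": net.num_addresses,
        "usable_hosts": usable,
    }


def is_rfc1918(cidr: str) -> bool:
    """True only for blocks that lie entirely inside 10/8, 172.16/12 or 192.168/16."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


if __name__ == "__main__":
    print(octets_to_binary("192.168.0.1"), "/", octets_to_binary("255.255.255.0"))
    print(split_network_host("192.168.0.1", "255.255.255.0"))
    for c in ("10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/24", "172.32.0.0/16"):
        d = describe(c)
        print(c, d["first_host"], d["last_host"], d["usable_hosts"], "rfc1918" if is_rfc1918(c) else "public")
```

Note that 172.32.0.0/16 is not private even though it "looks like" the 172.16/12 range: the range ends at 172.31.255.255, which is exactly the kind of off-by-one the exam likes to test.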


The OSI Model



The OSI Model

Layer                PDU        Examples                   Function
Application Layer    Data       HTTP, FTP, SSH, DNS        Network services to end user applications
Presentation Layer   Data       SSL/TLS, HTML, MIME        Data representation and encryption
Session Layer        Data       RPC, NetBIOS               Interhost communication (sessions)
Transport Layer      Segments   TCP, UDP                   End-to-end connections and reliability
Network Layer        Packets    IP, IPsec, ICMP            Path determination (e.g. routing)
Data Link Layer      Frames     Ethernet, 802.11 MAC       Physical addressing (e.g. MAC and LLC)
Physical Layer       Bits       Coax, Fiber, Wireless      Media, signal, binary transmission

The OSI Model

OSI Model                                         TCP/IP Model
Application, Presentation and Session Layers      Application Layer
Transport Layer                                   Transport Layer
Network Layer                                     Internet Layer
Data Link and Physical Layers                     Network Access Layer


Routing and Switching



Routers and Switches

Two IP subnets connected by a router. Hosts within a subnet reach each other through the subnet's switch; traffic between the subnets goes through the router.

IP Subnet A: 192.168.0.0/24   hosts 192.168.0.2 - 192.168.0.6, router interface eth0 = 192.168.0.1
IP Subnet B: 10.0.0.0/24      hosts 10.0.0.2 - 10.0.0.6, router interface eth1 = 10.0.0.1

Router Route Table
Destination       Interface
192.168.0.0/24    eth0
10.0.0.0/24       eth1


Route Tables

Three routers in a chain:
Router 1: eth0 192.168.0.1 (network 192.168.0.0/24), eth1 192.168.1.1
Router 2: eth0 192.168.1.2, eth1 192.168.2.1
Router 3: eth0 192.168.2.2, eth1 192.168.3.1 (network 192.168.3.0/24), eth2 192.168.4.1 (network 192.168.4.0/24)

Route table of Router 2 (the middle router): directly connected networks point at an interface, remote networks point at the next hop router
Destination       Interface/Next Hop
192.168.1.0/24    eth0
192.168.0.0/24    via 192.168.1.1
192.168.2.0/24    eth1
192.168.3.0/24    via 192.168.2.2
192.168.4.0/24    via 192.168.2.2
Network Address Translation



Without Network Address Translation (NAT)

Company office: private IP addresses are used within the company office / data center (hosts 192.168.0.1 - 192.168.0.4 behind a switch, router inside address 192.168.0.200). Public IP addresses are used on the Internet (router outside address 54.200.168.152).
Private IP addresses are not routable on the Internet, so in this configuration computers with private addresses cannot communicate on the Internet.

Without Network Address Translation (NAT)

Outbound:   Src: 192.168.0.2    Dest: 54.23.86.101 (Web Server)
Return:     Src: 54.23.86.101   Dest: 192.168.0.2
The private source IP address cannot be routed on the Internet, so return traffic fails.

With Network Address Translation (NAT)

Outbound (after the Router + NAT):   Src: 54.200.168.152   Dest: 54.23.86.101
Return:                              Src: 54.23.86.101     Dest: 54.200.168.152
The source IP address is swapped for the public IP address on the way out; the NAT service takes care of translating back to the private IP address internally (Dest: 192.168.0.2).
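The packet flow on the three NAT slides, as an added example that is not part of the course: a small port-based source NAT (PAT) in Python. The class and field names are mine, and the addresses are the ones from the slides. It shows the mapping table the slide calls "the NAT service", and the security-relevant consequence that a packet arriving from the Internet with no matching mapping has nowhere to go and is dropped. That drop is a side effect of translation, not a firewall policy, and it does not protect anything the NAT device itself exposes.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields a source NAT looks at (constructed example, TCP/UDP only)."""
    src: str
    sport: int
    dst: str
    dport: int


class SourceNat:
    """Port-based source NAT as on the slide: one public IP in front of a private subnet.

    Outbound: the private source IP/port is swapped for the public IP and a fresh public
    port, and the mapping is remembered. Inbound: only packets matching a remembered
    mapping, from the peer that mapping was created for, are translated back; everything
    else is dropped because there is no inside destination to deliver it to.
    """

    def __init__(self, public_ip: str, inside_cidr: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.inside = ipaddress.IPv4Network(inside_cidr)
        self.next_port = first_port
        self.by_port: dict[int, tuple[str, int, str, int]] = {}   # public port -> inside flow
        self.by_flow: dict[tuple[str, int, str, int], int] = {}   # inside flow -> public port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the office; an existing flow keeps its mapping."""
        if ipaddress.IPv4Address(pkt.src) not in self.inside:
            raise ValueError(f"{pkt.src} is not on the inside network {self.inside}")
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.by_flow.get(flow)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Packet | None:
        """Translate a packet arriving from the Internet, or return None if it is dropped."""
        if pkt.dst != self.public_ip:
            return None                                  # not addressed to our public IP
        flow = self.by_port.get(pkt.dport)
        if flow is None:
            return None                                  # unsolicited: no mapping exists
        inside_src, inside_sport, outside_dst, outside_dport = flow
        if (pkt.src, pkt.sport) != (outside_dst, outside_dport):
            return None                                  # reply must come from the host we talked to
        return Packet(pkt.src, pkt.sport, inside_src, inside_sport)


if __name__ == "__main__":
    nat = SourceNat("54.200.168.152", "192.168.0.0/24")
    out = nat.outbound(Packet("192.168.0.2", 40000, "54.23.86.101", 80))
    print("outbound after NAT:", out)
    print("reply after NAT:   ", nat.inbound(Packet("54.23.86.101", 80, "54.200.168.152", out.sport)))
    print("unsolicited:       ", nat.inbound(Packet("198.51.100.9", 4444, "54.200.168.152", 3389)))
```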


Firewalls



Firewalls

Firewall Rules (the final DENY rule blocks anything not explicitly allowed)
POLICY   PROTOCOL   PORT   DESTINATION   SOURCE
ALLOW    HTTP       80     INTERNAL      ANY
ALLOW    HTTPS      443    INTERNAL      ANY
DENY     ANY        ANY    INTERNAL      ANY

Firewalls are placed between the Internet and the Web Servers and between each tier (Web Servers, Application Servers, Database Servers) across IP Subnet A and IP Subnet B


SECTION 4

Amazon VPC Fundamentals



Amazon VPC Overview



Amazon Virtual Private Cloud (VPC)

A VPC is a logically isolated portion of the AWS cloud within a region
Subnets are created within AZs (e.g. a public subnet in one Availability Zone and a private subnet in another)
You can launch EC2 instances into your VPC subnets
The VPC router takes care of routing within the VPC and outside of the VPC; the route table is used to configure the VPC router
An Internet Gateway is attached to a VPC and used to connect to the Internet

Main Route Table
Destination   Target
10.0.0.0/16   Local
0.0.0.0/0     igw-id


Amazon VPC

Each VPC has a different block of IP addresses (CIDR stands for Classless Interdomain Routing). You can create multiple VPCs within each region, and each subnet has a block of IP addresses from the VPC's CIDR block.

VPC CIDR 10.0.0.0/16                          VPC CIDR 10.1.0.0/16
Availability Zone    Availability Zone        Availability Zone    Availability Zone
Public subnet        Public subnet            Public subnet        Public subnet
10.0.0.0/24          10.0.1.0/24              10.1.0.0/24          10.1.2.0/24
Private subnet       Private subnet           Private subnet       Private subnet
10.0.2.0/24          10.0.3.0/24              10.1.3.0/24          10.1.4.0/24


Amazon VPC Components
VPC Component                                    What it is
Virtual Private Cloud (VPC)                      A logically isolated virtual network in the AWS cloud
Subnet                                           A segment of a VPC's IP address range where you can place groups of isolated resources
Internet Gateway / Egress-only Internet Gateway  The Amazon VPC side of a connection to the public Internet for IPv4 / IPv6
Router                                           Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets
Peering Connection                               Direct connection between two VPCs
VPC Endpoints                                    Private connection to public AWS services
NAT Instance                                     Enables Internet access for EC2 instances in private subnets (managed by you)
NAT Gateway                                      Enables Internet access for EC2 instances in private subnets (managed by AWS)
Virtual Private Gateway                          The Amazon VPC side of a Virtual Private Network (VPN) connection
Customer Gateway                                 Customer side of a VPN connection
AWS Direct Connect                               High speed, high bandwidth, private network connection from customer to AWS
Security Group                                   Instance-level firewall
Network ACL                                      Subnet-level firewall


Amazon VPC Core Knowledge
• A virtual private cloud (VPC) is a virtual network dedicated to your AWS
account

• Analogous to having your own data center inside AWS

• It is logically isolated from other virtual networks in the AWS Cloud

• Provides complete control over the virtual networking environment
including selection of IP ranges, creation of subnets, and configuration of
route tables and gateways

• You can launch your AWS resources, such as Amazon EC2 instances, into
your VPC


Amazon VPC Core Knowledge
• When you create a VPC, you must specify a range of IPv4
addresses for the VPC in the form of a Classless Inter-Domain
Routing (CIDR) block; for example, 10.0.0.0/16
• A VPC spans all the Availability Zones in the region
• You have full control over who has access to the AWS resources
inside your VPC
• By default you can create up to 5 VPCs per region
• A default VPC is created in each region with a subnet in each AZ



Defining VPC CIDR Blocks



Rules and Guidelines
• CIDR block size can be between /16 and /28
• The CIDR block must not overlap with any existing CIDR block
that's associated with the VPC
• You cannot increase or decrease the size of an existing CIDR
block
• The first four and the last IP address of each subnet are reserved and not available for use
• AWS recommend you use CIDR blocks from the RFC 1918 ranges:

RFC 1918 Range                                        Example CIDR Block
10.0.0.0 - 10.255.255.255 (10/8 prefix)               Your VPC must be /16 or smaller, for example 10.0.0.0/16
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)        Your VPC must be /16 or smaller, for example 172.31.0.0/16
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)     Your VPC can be smaller, for example 192.168.0.0/20


VPC CIDR Blocks and Subnets

VPC CIDR Block   10.0.0.0/16   (/16 Subnet Mask 255.255.0.0)

VPC subnets have a longer subnet mask than the CIDR block by using additional bits from the host portion:
Subnets   10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24   (/24 Subnet Mask 255.255.255.0)


Additional Considerations
• Ensure you have enough networks and hosts
• Bigger CIDR blocks are typically better (more
flexibility)
• Smaller subnets are OK for most use cases
• Consider deploying application tiers per subnet
• Split your HA resources across subnets in different
AZs
• VPC Peering requires non-overlapping CIDR blocks
• This is across all VPCs in all Regions / accounts you want
to connect
• Avoid overlapping CIDR blocks as much as possible!



Example VPC CIDR Block and Subnets

VPC CIDR Block 10.0.0.0/16 (/16 Subnet Mask 255.255.0.0)

Subnet Name   IPv4 CIDR block   Availability Zone   Route Table   Auto-assign Public IPv4
private-1a    10.0.0.0/24       us-east-1a          Private-RT    No
private-1b    10.0.1.0/24       us-east-1b          Private-RT    No
private-1c    10.0.2.0/24       us-east-1c          Private-RT    No
public-1a     10.0.3.0/24       us-east-1a          MAIN          Yes
public-1b     10.0.4.0/24       us-east-1b          MAIN          Yes
public-1c     10.0.5.0/24       us-east-1c          MAIN          Yes
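The subnet plan in the table above, produced and checked in code. This is an added example and not part of the course; the function names are mine, and the route-table and auto-assign conventions (public subnets on MAIN with public IPv4, private subnets on Private-RT) are taken from the table. The checker enforces the rules from the preceding slides: VPC CIDR between /16 and /28, every subnet inside the VPC block, no overlapping subnets, five reserved addresses per subnet, and HA resources spread across at least two AZs.

```python
from __future__ import annotations

import ipaddress

# Added example, not course material.
VPC_PREFIX_RANGE = (16, 28)     # a VPC CIDR block must be between /16 and /28
RESERVED_PER_SUBNET = 5         # the first four and the last address of every subnet are reserved


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Reject host bits set in the block (strict parsing) and sizes outside /16../28."""
    net = ipaddress.IPv4Network(cidr)          # strict=True: "10.0.0.1/16" raises ValueError
    lo, hi = VPC_PREFIX_RANGE
    if not lo <= net.prefixlen <= hi:
        raise ValueError(f"{cidr}: VPC CIDR must be between /{lo} and /{hi}")
    return net


def plan_subnets(vpc_cidr: str, azs: list[str], tiers: list[str], new_prefix: int = 24) -> list[dict]:
    """Carve the VPC into one subnet per (tier, AZ), tier by tier, in address order."""
    vpc = validate_vpc_cidr(vpc_cidr)
    blocks = vpc.subnets(new_prefix=new_prefix)   # generator: 10.0.0.0/24, 10.0.1.0/24, ...
    plan = []
    for tier in tiers:
        for az in azs:
            try:
                block = next(blocks)
            except StopIteration:
                raise ValueError(f"{vpc} has no room for another /{new_prefix} subnet") from None
            plan.append({
                "name": f"{tier}-{az[-2:]}",            # us-east-1a -> private-1a
                "cidr": str(block),
                "az": az,
                "route_table": "MAIN" if tier == "public" else "Private-RT",
                "auto_assign_public_ipv4": tier == "public",
                "usable_hosts": block.num_addresses - RESERVED_PER_SUBNET,
            })
    return plan


def check_plan(vpc_cidr: str, plan: list[dict]) -> list[str]:
    """Return the problems with a plan: a subnet outside the VPC CIDR, overlapping subnets,
    or a tier that is not spread across at least two AZs (no HA)."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    nets = [(s["name"], ipaddress.IPv4Network(s["cidr"])) for s in plan]
    problems = []
    for i, (name, net) in enumerate(nets):
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside the VPC CIDR {vpc}")
        for other_name, other in nets[i + 1:]:
            if net.overlaps(other):
                problems.append(f"{name} {net} overlaps {other_name} {other}")
    azs_per_tier: dict[str, set[str]] = {}
    for s in plan:
        azs_per_tier.setdefault(s["name"].split("-")[0], set()).add(s["az"])
    for tier, tier_azs in azs_per_tier.items():
        if len(tier_azs) < 2:
            problems.append(f"tier {tier} is only in {sorted(tier_azs)}; split HA resources across AZs")
    return problems


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"], ["private", "public"])
    for s in plan:
        print(s)
    print("problems:", check_plan("10.0.0.0/16", plan))
```

A /24 subnet therefore yields 251 usable addresses, not 254 as in a classic network: the VPC router, the DNS resolver and the reserved future-use address come out of the first four, on top of the network and broadcast addresses.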


Secondary CIDR Blocks
and Prefix Lists



Secondary CIDR Blocks
• You cannot increase/decrease the size of existing CIDR
blocks
• A local route is added to the VPC route tables for each
CIDR block added
• The secondary CIDR blocks must adhere to VPC rules for
allowed ranges
• Make sure the secondary CIDR block does not overlap with
existing CIDR blocks
• There are specific permitted/restricted CIDR block
associations depending on the primary VPC CIDR block
used
• Exam tip: you cannot associate RFC 1918 ranges if the
primary CIDR block is a non-RFC 1918 address range



Secondary CIDR Blocks
If the primary CIDR is from a non-RFC 1918 range, you cannot add secondary CIDRs from RFC 1918 ranges

Primary CIDR 22.240.0.0/16 (non-RFC 1918 address): public subnet 22.240.0.0/20, private subnet 22.240.48.0/20
Secondary CIDR 22.250.0.0/16 (non-RFC 1918 address): public subnet 22.250.0.0/20, private subnet 22.250.48.0/20 - this is a permitted association
Secondary CIDR 192.168.0.0/16 (RFC 1918 address): public subnet 192.168.0.0/20, private subnet 192.168.48.0/20 - this is a restricted association

Main Route Table
Destination      Target
22.240.0.0/16    Local
22.250.0.0/16    Local
0.0.0.0/0        igw-id


Secondary CIDR Blocks
If the primary CIDR is from an RFC 1918 range, you can add secondary CIDRs from the same RFC 1918 range and from non-RFC 1918 ranges

Primary CIDR 10.0.0.0/16 (RFC 1918 address): public subnet 10.0.0.0/20, private subnet 10.0.48.0/20
Secondary CIDR 22.250.0.0/16 (non-RFC 1918 address): public subnet 22.250.0.0/20, private subnet 22.250.48.0/20 - this is a permitted association
Secondary CIDR 10.1.0.0/16 (same RFC 1918 range): public subnet 10.1.0.0/20, private subnet 10.1.48.0/20 - this is a permitted association

Main Route Table
Destination      Target
10.0.0.0/16      Local
22.250.0.0/16    Local
10.1.0.0/16      Local
0.0.0.0/0        igw-id


Secondary CIDR Blocks

Primary CIDR 10.0.0.0/8
• Restricted associations: CIDR blocks from other RFC 1918 ranges (172.16.0.0/12 and 192.168.0.0/16); if your primary CIDR block is from the 10.0.0.0/15 range (10.0.0.0 to 10.1.255.255), you cannot add a CIDR block from the 10.0.0.0/16 range (10.0.0.0 to 10.0.255.255); CIDR blocks from the 198.19.0.0/16 range
• Permitted associations: any other CIDR block from the 10.0.0.0/8 range that's not restricted; any publicly routable IPv4 CIDR block (non-RFC 1918), or a CIDR block from the 100.64.0.0/10 range

Primary CIDR 172.16.0.0/12
• Restricted associations: CIDR blocks from other RFC 1918 ranges (10.0.0.0/8 and 192.168.0.0/16); CIDR blocks from the 172.31.0.0/16 range; CIDR blocks from the 198.19.0.0/16 range
• Permitted associations: any other CIDR block from the 172.16.0.0/12 range that's not restricted; any publicly routable IPv4 CIDR block (non-RFC 1918), or a CIDR block from the 100.64.0.0/10 range

Secondary CIDR Blocks

Primary CIDR 192.168.0.0/16
• Restricted associations: CIDR blocks from other RFC 1918 ranges (10.0.0.0/8 and 172.16.0.0/12); CIDR blocks from the 198.19.0.0/16 range
• Permitted associations: any other CIDR block from the 192.168.0.0/16 range; any publicly routable IPv4 CIDR block or a CIDR block from the 100.64.0.0/10 range

Primary CIDR 198.19.0.0/16
• Restricted associations: CIDR blocks from the RFC 1918 ranges
• Permitted associations: any publicly routable IPv4 CIDR block or a CIDR block from the 100.64.0.0/10 range

Primary CIDR: publicly routable CIDR block or a CIDR block from the 100.64.0.0/10 range
• Restricted associations: CIDR blocks from the RFC 1918 ranges; CIDR blocks from the 198.19.0.0/16 range
• Permitted associations: any other publicly routable IPv4 CIDR block, or a CIDR block from the 100.64.0.0/10 range
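The association table above, encoded as a check you can run before calling AssociateVpcCidrBlock. This is an added example, not course material; the function and constant names are mine. It first applies the general rules from the earlier slides (block size /16 to /28, no overlap with the primary or any existing secondary) and then the per-range restrictions. One assumption is labelled in the code: the table does not say whether a 198.19.0.0/16 primary may add another 198.19.0.0/16 block, so the check treats that as restricted.

```python
from __future__ import annotations

import ipaddress
from typing import Iterable

# Added example, not course material.
N = ipaddress.IPv4Network
TEN, R172, R192 = N("10.0.0.0/8"), N("172.16.0.0/12"), N("192.168.0.0/16")
RFC1918 = (TEN, R172, R192)
BENCH = N("198.19.0.0/16")              # restricted with RFC 1918 and public primaries
TEN_15, TEN_16 = N("10.0.0.0/15"), N("10.0.0.0/16")
R172_31 = N("172.31.0.0/16")


def rfc1918_range(net: N) -> N | None:
    """The RFC 1918 range the block lies inside, or None (public, 100.64.0.0/10, 198.19.0.0/16)."""
    return next((r for r in RFC1918 if net.subnet_of(r)), None)


def secondary_allowed(primary: str, candidate: str, existing: Iterable[str] = ()) -> tuple[bool, str]:
    """Apply the slide's association table to one candidate secondary CIDR block."""
    p, c = N(primary), N(candidate)
    if not 16 <= c.prefixlen <= 28:
        return False, "CIDR block size must be between /16 and /28"
    for other in (primary, *existing):
        if c.overlaps(N(other)):
            return False, f"overlaps existing block {other}"
    pr, cr = rfc1918_range(p), rfc1918_range(c)
    if pr is None:
        # primary is 198.19.0.0/16, publicly routable or 100.64.0.0/10
        if cr is not None:
            return False, "RFC 1918 blocks cannot be added to a non-RFC 1918 primary"
        if c.subnet_of(BENCH):
            # assumption: the slide lists 198.19.0.0/16 as restricted for public/100.64 primaries
            # and says nothing for a 198.19.0.0/16 primary; treat it as restricted there too
            return False, "198.19.0.0/16 is restricted"
        return True, "publicly routable or 100.64.0.0/10 block"
    if cr is None:
        if c.subnet_of(BENCH):
            return False, "198.19.0.0/16 is restricted"
        return True, "publicly routable or 100.64.0.0/10 block"
    if cr != pr:
        return False, f"{c} is from a different RFC 1918 range than the primary {p}"
    if pr == TEN and p.subnet_of(TEN_15) and c.subnet_of(TEN_16):
        return False, "a primary in 10.0.0.0/15 cannot add blocks from 10.0.0.0/16"
    if pr == R172 and c.subnet_of(R172_31):
        return False, "172.31.0.0/16 is restricted with a 172.16.0.0/12 primary"
    return True, "same RFC 1918 range as the primary"


if __name__ == "__main__":
    for primary, candidate in (("22.240.0.0/16", "22.250.0.0/16"), ("22.240.0.0/16", "192.168.0.0/16"),
                               ("10.0.0.0/16", "22.250.0.0/16"), ("10.0.0.0/16", "10.1.0.0/16"),
                               ("10.1.0.0/16", "10.0.0.0/16"), ("172.16.0.0/16", "172.31.0.0/16")):
        print(primary, "+", candidate, "->", secondary_allowed(primary, candidate))
```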


Prefix Lists
• Set of one or more CIDR blocks
• Simplifies configuration and maintenance
• Can be referenced in security group rules and
routes
• There are two types of prefix lists:
• Customer-managed prefix lists — Sets of IP address
ranges that you define and manage.
• AWS-managed prefix lists — Sets of IP address ranges
for AWS services. You cannot create, modify, share, or
delete an AWS-managed prefix list



Prefix Lists
• AWS-Managed Prefix lists:

Prefix list name                                  AWS service
com.amazonaws.region.dynamodb                     DynamoDB
com.amazonaws.region.s3                           Amazon S3
com.amazonaws.global.cloudfront.origin-facing     Amazon CloudFront

Prefix list entries (example):
18.34.0.0/19
18.34.232.0/21
3.5.0.0/19
52.216.0.0/15
Secondary CIDRs
and Prefix Lists



Public and Private Subnets



Public and Private Subnets

A public subnet has a route to an internet gateway (and optionally IPv6) and typically has "Enable auto-assign public IPv4 address" configured.
Private subnet instances do not have a public IP or a route to an internet gateway and must use a NAT gateway for internet access (NAT = Network Address Translation). The NAT gateway lives in the public subnet and has both a public IP and a private IP.

Public Subnet Route Table
Destination     Target
172.31.0.0/16   Local
0.0.0.0/0       igw-id

Private Subnet Route Table
Destination     Target
172.31.0.0/16   Local
0.0.0.0/0       nat-gateway-id


Create a Custom VPC with
Subnets



VPC CIDR Block and Subnets

VPC CIDR Block 10.0.0.0/16 (/16 Subnet Mask 255.255.0.0)

Subnet Name   IPv4 CIDR block   Availability Zone   Route Table   Auto-assign Public IPv4
private-1a    10.0.3.0/24       us-east-1a          Private-RT    No
private-1b    10.0.4.0/24       us-east-1b          Private-RT    No
public-1a     10.0.1.0/24       us-east-1a          MAIN          Yes
public-1b     10.0.2.0/24       us-east-1b          MAIN          Yes

The public subnets use the MAIN route table, which has a route to an Internet Gateway, and automatically assign IPv4 public addresses.


VPC Routing Deep Dive



VPC Routing Deep Dive

VPC CIDR 10.0.0.0/16
Public subnets:  10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20
Private subnets: 10.0.48.0/20, 10.0.64.0/20, 10.0.80.0/20

Main Route Table
Destination   Target
10.0.0.0/16   Local
0.0.0.0/0     igw-id

The main route table is implicitly associated with subnets that haven't been explicitly associated with a route table.

VPC Routing Deep Dive

A separate route table is created for the private subnets; the public subnets stay on the Main Route table (with the internet gateway route).

Private Route Table
Destination   Target
10.0.0.0/16   Local

VPC Routing Deep Dive

Each subnet can only be associated with one route table. The private subnets are explicitly associated with the private route table.
VPC Routing Deep Dive

Longest prefix wins, so traffic to 10.0.0.0/16 is routed locally; all other traffic goes out the IGW (public subnets) or is routed to the NAT Gateway (private subnets).

Main Route Table
Destination   Target
10.0.0.0/16   Local
0.0.0.0/0     igw-id

Private Route Table
Destination   Target
10.0.0.0/16   Local
0.0.0.0/0     nat-gw-id


VPC Routing Deep Dive

Longest prefix wins, so all 172.16.0.0/16 traffic goes via peer 1 except traffic to 172.16.0.15, which goes via peer 2.

Route table of the VPC with CIDR 10.0.0.0/16
Destination       Target
10.0.0.0/16       Local
172.16.0.0/16     vpc-peer-1    (peer VPC with CIDR 172.16.0.0/16, e.g. instance 172.16.0.30)
172.16.0.15/32    vpc-peer-2    (second peer VPC, also CIDR 172.16.0.0/16, instance 172.16.0.15)


VPC Routing Deep Dive

Static routes are preferred over propagated routes. Traffic to 172.16.0.20 gets routed to the EC2 instance in the peered VPC, not to the host with the same address in the data center, even though BGP propagated a route for the same prefix.

Route table of the VPC with CIDR 10.0.0.0/16
Destination       Target
10.0.0.0/16       Local
172.16.0.0/16     vpc-peer-1    (static route; peer VPC with CIDR 172.16.0.0/16, instance 172.16.0.20)
172.16.0.0/16     vgw-conn-1    (route learned and propagated by BGP from the CGW to the VGW; DC CIDR 172.16.0.0/16, host 172.16.0.20)


Gateway Route Tables

A gateway route table is associated with an Internet gateway or a virtual private gateway, so inbound traffic can be steered through a security appliance before it reaches the application subnet.

Application subnet (SN 10.0.1.0/24) route table: 0.0.0.0/0 points to the ENI ID of the security appliance

Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        eni-id-sec

Security subnet (SN 10.0.2.0/24) route table: all outbound traffic from the appliance is forwarded to the IGW

Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        igw-id

Gateway route table attached to the IGW: inbound traffic for the application subnet is sent to the appliance ENI

Destination      Target
10.0.0.0/16      Local
10.0.1.0/24      eni-id-sec
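The route selection behaviour described on the routing slides above (longest prefix first, then a static route over a propagated one with the same destination) is easy to get wrong when reading a table by eye. The following is an added example, not code from the course slides, that models those tables with the Python standard library; the target names (vpc-peer-1, vgw-conn-1, eni-id-sec) are the placeholders used on the slides, not real resource IDs.

```python
"""VPC route selection: longest prefix wins, then static beats propagated.

Added example, not from the course slides. Models the route tables in the
"VPC Routing Deep Dive" and "Gateway Route Tables" slides with the standard
library only; target IDs are the slide placeholders, not real resources.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    destination: str          # CIDR, e.g. "172.16.0.0/16"
    target: str               # local, igw-..., nat-..., pcx-..., vgw-..., eni-...
    propagated: bool = False  # True when learned via BGP from a VGW


def ranked(routes, dst_ip):
    """All routes matching dst_ip, in the order AWS would prefer them:
    longest prefix first, and for equal prefix length static before propagated."""
    ip = ip_address(dst_ip)
    candidates = [r for r in routes if ip in ip_network(r.destination)]
    candidates.sort(
        key=lambda r: (ip_network(r.destination).prefixlen, not r.propagated),
        reverse=True,
    )
    return candidates


def select_route(routes, dst_ip):
    """Return the Route a VPC route table uses for dst_ip, or None if nothing matches."""
    matches = ranked(routes, dst_ip)
    return matches[0] if matches else None


# Private subnet route table combining the peering and static-vs-propagated
# slides: two peers and a VGW all reaching 172.16.0.0/16.
PRIVATE_RT = [
    Route("10.0.0.0/16", "local"),
    Route("172.16.0.0/16", "vpc-peer-1"),
    Route("172.16.0.0/16", "vgw-conn-1", propagated=True),
    Route("172.16.0.15/32", "vpc-peer-2"),
]

# Gateway route table associated with the IGW: inbound traffic for the
# application subnet 10.0.1.0/24 is handed to the security appliance ENI.
IGW_RT = [
    Route("10.0.0.0/16", "local"),
    Route("10.0.1.0/24", "eni-id-sec"),
]


if __name__ == "__main__":
    for ip in ("172.16.0.20", "172.16.0.15", "10.0.5.5", "8.8.8.8"):
        chosen = select_route(PRIVATE_RT, ip)
        print(ip, "->", chosen.target if chosen else "no route (dropped)")
    for ip in ("10.0.1.10", "10.0.2.10"):
        print("ingress", ip, "->", select_route(IGW_RT, ip).target)
```

Use `ranked()` when debugging a table: it shows the losing candidates too, which is what you need to explain why a propagated VPN route is being shadowed by a static peering route.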


IPv4 and IPv6 Routing

Destination                 Target
10.0.0.0/16                 Local
2001:db8:1234:1a00::/56     Local
172.31.0.0/16               pcx-11223344556677889
0.0.0.0/0                   igw-12345678901234567
::/0                        eigw-aabbccddee1122334

IPv4 and IPv6 traffic within the VPC is routed locally. IPv4 traffic for the 172.31.0.0/16 network goes via a peering connection. IPv4 traffic that doesn't match a more specific route goes via the IGW; IPv6 traffic that doesn't match a more specific route goes via the egress-only Internet gateway (EIGW), which allows outbound-initiated connections only.


Launch Instances and Test VPC

Security Groups and Network ACLs
Security Groups and Network ACLs

Security groups apply at the instance (ENI) level and can be applied to instances in any subnet of the VPC; in the diagram, Security Group A and Security Group B each contain instances in both Availability Zones.

NACLs apply at the subnet level and only to traffic entering or exiting the subnet; traffic between two instances in the same subnet is not evaluated by the NACL. Each subnet is associated with exactly one NACL.
Security Group Rules

Security groups support allow rules only; there is no deny rule, and anything not explicitly allowed is dropped.

Separate rules are defined for inbound and outbound traffic. Security groups are stateful, so return traffic for an allowed connection is permitted automatically.

A source (or destination) can be an IP address or CIDR block, a security group ID, or a prefix list ID.
Security Groups Best Practice

Chain security groups by referencing the upstream security group ID as the source rather than CIDR ranges, so each tier accepts traffic only from the tier in front of it.

Public subnet(s)

Security group PublicALB (Internet-facing ALB)
  Inbound:  HTTP/80    Source: 0.0.0.0/0
  Outbound: HTTP/80    Destination: PublicEC2

Security group PublicEC2 (web front-end)
  Inbound:  HTTP/80    Source: PublicALB
  Outbound: HTTP/8080  Destination: PrivateALB

Private subnet(s)

Security group PrivateALB (internal ALB)
  Inbound:  HTTP/8080  Source: PublicEC2
  Outbound: HTTP/8080  Destination: PrivateEC2

Security group PrivateEC2 (application layer)
  Inbound:  HTTP/8080  Source: PrivateALB


Network ACLs

NACLs have separate inbound and outbound rule lists. Rules are numbered and processed in order from the lowest number; the first rule that matches the traffic is applied. Unlike security groups, NACLs support both allow and deny rules, and every NACL ends with a non-modifiable "*" rule that denies anything not matched. NACLs are stateless, so return traffic (including the client's ephemeral ports) must be allowed explicitly in the other direction.
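The interaction between the stateless NACL and the stateful security group is where most "my web server is unreachable" tickets come from. The following is an added example, not code from the course slides, that evaluates one HTTP request and its reply the way the VPC does: NACL inbound (ordered, first match, implicit deny), security group inbound (allow-only), then NACL outbound for the reply to the client's ephemeral port. Rule numbers, CIDRs, ports and the `sg-alb` group name are constructed for illustration.

```python
"""Stateless NACL versus stateful security group evaluation.

Added example, not from the course slides. Evaluates a TCP request from an
Internet client to a web server and the server's reply. All rule data below
is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # lower numbers are evaluated first
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    source: str      # CIDR, or a security group ID such as "sg-alb"


def nacl_decision(rules, proto, port, peer_ip):
    """First matching rule by ascending number wins; no match -> the '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        proto_ok = r.protocol in ("-1", proto)
        port_ok = r.protocol == "-1" or r.port_from <= port <= r.port_to
        if proto_ok and port_ok and ip_address(peer_ip) in ip_network(r.cidr):
            return r.action
    return "deny"


def sg_allows(rules, proto, port, src_ip, src_sg=None):
    """Security groups hold allow rules only; anything unmatched is dropped.
    A rule whose source is a security group ID matches traffic from any ENI
    in that group, whatever its IP address."""
    for r in rules:
        if r.protocol not in ("-1", proto) or not (r.port_from <= port <= r.port_to):
            continue
        if r.source.startswith("sg-"):
            if src_sg == r.source:
                return True
        elif ip_address(src_ip) in ip_network(r.source):
            return True
    return False


def web_request_allowed(nacl_in, nacl_out, sg_in, client_ip, client_port, server_port=80):
    """Full round trip. Returns (allowed, reason)."""
    if nacl_decision(nacl_in, "tcp", server_port, client_ip) != "allow":
        return False, "NACL inbound denied the request"
    if not sg_allows(sg_in, "tcp", server_port, client_ip):
        return False, "security group has no matching allow rule"
    # The security group is stateful, so the reply is allowed automatically.
    # The NACL is not: the reply to the client's ephemeral port is a fresh
    # outbound check against the outbound rule list.
    if nacl_decision(nacl_out, "tcp", client_port, client_ip) != "allow":
        return False, "NACL outbound dropped the reply (missing ephemeral port rule)"
    return True, "allowed"


# Constructed sample rules.
NACL_IN = [
    NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    NaclRule(90, "tcp", 80, 80, "203.0.113.0/24", "deny"),  # 90 is evaluated before 100
]
NACL_OUT_BROKEN = [NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
SG_WEB = [SgRule("tcp", 80, 80, "0.0.0.0/0")]

if __name__ == "__main__":
    print(web_request_allowed(NACL_IN, NACL_OUT_BROKEN, SG_WEB, "198.51.100.7", 51000))
    print(web_request_allowed(NACL_IN, NACL_OUT_FIXED, SG_WEB, "198.51.100.7", 51000))
    print(web_request_allowed(NACL_IN, NACL_OUT_FIXED, SG_WEB, "203.0.113.9", 51000))
```

Note that the deny rule numbered 90 takes effect only because its number is lower than the allow at 100; swap the numbers and the blocklist is silently ignored, which is exactly the kind of ordering mistake the exam likes to test.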
Configuration Management

AWS Config evaluates the configuration of resources against desired configurations and sends notifications with Amazon Simple Notification Service (SNS). CloudWatch Events (now Amazon EventBridge) alerts when changes occur, and Systems Manager Automation can perform automatic remediation.

Security groups, AWS managed rules:
• Check for unrestricted SSH
• Check for unrestricted common ports
• Check for unattached security groups

Network ACLs, AWS managed rules:
• Check for unrestricted SSH/RDP
• Check for unattached NACLs
Audit Security Group Changes

Event source: AWS CloudTrail records the AuthorizeSecurityGroupIngress API call and delivers it to the Amazon EventBridge default event bus.
Rule: an EventBridge rule matches the CloudTrail event.
Event target: Amazon SNS sends the notification.
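The EventBridge rule on the slide above matches every AuthorizeSecurityGroupIngress call, so the interesting work happens in the target, which has to decide whether the new rule is dangerous. The following is an added example, not code from the course slides: a minimal re-implementation of the EventBridge pattern matching used by such a rule, plus the check a Lambda target would run before publishing to SNS. The event below is constructed and trimmed to the fields used; the field names follow the CloudTrail record format for this API call, and the account ID and group ID are made up.

```python
"""Flag security group ingress rules that open admin ports to the world.

Added example, not from the course slides. The sample event is constructed;
its structure mirrors a CloudTrail AuthorizeSecurityGroupIngress record as
delivered to EventBridge.
"""
import json

# Equivalent of the EventBridge event pattern the rule on the slide would use.
RULE_PATTERN = {
    "source": ["aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["ec2.amazonaws.com"],
        "eventName": ["AuthorizeSecurityGroupIngress"],
    },
}

ADMIN_PORTS = {22, 3389}
ANY_CIDRS = {"0.0.0.0/0", "::/0"}


def matches_pattern(pattern, event):
    """EventBridge semantics for the subset used here: every key in the pattern
    must exist in the event; a list means 'value is one of these'; a dict recurses."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        if isinstance(expected, dict):
            if not isinstance(event[key], dict) or not matches_pattern(expected, event[key]):
                return False
        elif event[key] not in expected:
            return False
    return True


def risky_ingress(detail):
    """Return findings for rules that expose admin ports (or everything) to any address."""
    findings = []
    params = detail.get("requestParameters", {})
    group = params.get("groupId")
    for perm in params.get("ipPermissions", {}).get("items", []):
        proto = perm.get("ipProtocol")
        lo, hi = perm.get("fromPort"), perm.get("toPort")
        ranges = [r["cidrIp"] for r in perm.get("ipRanges", {}).get("items", [])]
        ranges += [r["cidrIpv6"] for r in perm.get("ipv6Ranges", {}).get("items", [])]
        open_ranges = [c for c in ranges if c in ANY_CIDRS]
        if not open_ranges:
            continue
        if proto == "-1":  # "all traffic" rules carry no port range in the record
            findings.append(f"{group}: all traffic open to {open_ranges}")
            continue
        exposed = sorted(p for p in ADMIN_PORTS
                         if lo is not None and hi is not None and lo <= p <= hi)
        if exposed:
            findings.append(f"{group}: {proto} {exposed} open to {open_ranges}")
    return findings


def handle(event):
    """What the rule target would do: ignore non-matching events, report risky ones."""
    if not matches_pattern(RULE_PATTERN, event):
        return []
    return risky_ingress(event["detail"])


def make_event(cidr, from_port, to_port, proto="tcp", group_id="sg-0123456789abcdef0"):
    """Build a constructed CloudTrail-shaped event for a single ingress rule."""
    key, ranges_key = ("cidrIpv6", "ipv6Ranges") if ":" in cidr else ("cidrIp", "ipRanges")
    perm = {"ipProtocol": proto, "fromPort": from_port, "toPort": to_port,
            "groups": {}, "ipRanges": {}, "ipv6Ranges": {}, "prefixListIds": {}}
    perm[ranges_key] = {"items": [{key: cidr}]}
    return {
        "source": "aws.ec2",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "ec2.amazonaws.com",
            "eventName": "AuthorizeSecurityGroupIngress",
            "requestParameters": {"groupId": group_id, "ipPermissions": {"items": [perm]}},
        },
    }


# Constructed sample: SSH opened to the world, as CloudTrail would record it.
SAMPLE_EVENT = json.loads("""{
  "source": "aws.ec2",
  "detail-type": "AWS API Call via CloudTrail",
  "detail": {
    "eventSource": "ec2.amazonaws.com",
    "eventName": "AuthorizeSecurityGroupIngress",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:user/example"},
    "requestParameters": {
      "groupId": "sg-0123456789abcdef0",
      "ipPermissions": {"items": [{
        "ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
        "groups": {}, "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]},
        "ipv6Ranges": {}, "prefixListIds": {}
      }]}
    }
  }
}""")

if __name__ == "__main__":
    print(handle(SAMPLE_EVENT))
```

Filtering on the content of `requestParameters` inside the EventBridge pattern itself is possible for simple cases, but the port-range arithmetic above is why teams usually let the rule match broadly and put the logic in the target.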


Configure Security Groups and NACLs

NAT Gateways and NAT Instances
NAT Gateways

The NAT gateway is created in a public subnet and given an Elastic IP. Instances in the private subnet have only private IPs; their outbound traffic is routed to the NAT gateway, which forwards it through the Internet gateway.

Main Route Table (public subnet)

Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        igw-id

Private Route Table (private subnet)

Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        nat-gateway-id

The NAT gateway ID must be specified in the private subnet route table.


NAT Instances

A NAT instance is an EC2 instance in the public subnet with an Elastic IP. It uses a special AMI with the string "amzn-ami-vpc-nat" in the name (these Amazon Linux AMIs are no longer maintained, so treat NAT instances as legacy). You must disable source/destination checks on the instance, otherwise EC2 drops packets that are not addressed to or from the instance's own IP.

Main Route Table (public subnet)

Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        igw-id

Private Route Table (private subnet)

Destination      Target
10.0.0.0/16      Local
0.0.0.0/0        nat-instance-id

The NAT instance ID must be specified in the private subnet route table.


NAT Instance vs NAT Gateway

NAT Instance: Managed by you (e.g. software updates)
NAT Gateway:  Managed by AWS

NAT Instance: Scale up (instance type) manually and use enhanced networking
NAT Gateway:  Elastic scalability up to 45 Gbps

NAT Instance: No high availability; scripted/auto-scaled HA possible using multiple NATs in multiple subnets
NAT Gateway:  Provides automatic high availability within an AZ and can be placed in multiple AZs

NAT Instance: Need to assign a security group
NAT Gateway:  No security groups (control access with the instances' security groups and the subnet NACL)

NAT Instance: Can use as a bastion host
NAT Gateway:  Cannot be accessed through SSH

NAT Instance: Use an Elastic IP address or a public IP address
NAT Gateway:  Choose the Elastic IP address to associate with the NAT gateway at creation

NAT Instance: Can implement port forwarding through manual customisation
NAT Gateway:  Does not support port forwarding


Create NAT Gateway
NAT Gateways

The same layout with a jump host (bastion host) EC2 instance added to the public subnet: the bastion has a public IP and is reached over the Internet gateway, while the private instance reaches the Internet only through the NAT gateway.

Main Route Table (public subnet)          Private Route Table (private subnet)
Destination      Target                    Destination      Target
10.0.0.0/16      Local                     10.0.0.0/16      Local
0.0.0.0/0        igw-id                    0.0.0.0/0        nat-gateway-id


AWS Local Zones
AWS Local Zones

Local Zones are close to large population centers and provide single-digit millisecond latency. VPCs are extended into Local Zones: in the diagram the VPC in the us-west-2 Region has subnets in two Availability Zones plus the us-west-2-lax-1 Local Zone, each with a public and a private subnet. Internet traffic for the Local Zone subnets enters and exits locally through the Internet gateway, on-premises connectivity is available through a Direct Connect gateway, and there is seamless connectivity to all AWS services within the parent Region (for example Amazon S3).


AWS Local Zones
• Places compute, storage, database and other select
services close to population, industry, and IT centers
• Pay only for the services you consume in the Local Zone
(increased rates)
• VPCs are extended into Local Zones, and you can use
Security Groups, Network ACLs etc.
• Local Zones have local internet ingress and egress
• You can also use AWS Direct Connect for private
networking
• Can access all AWS services in the AWS Region via the
AWS global network backbone



Exam Cram
Exam Cram: Amazon VPC Fundamentals
• A VPC is a logically isolated portion of the AWS cloud within a region
• The VPC router takes care of routing within the VPC and outside of the
VPC
• Subnets are created within Availability Zones (AZs)
• An Internet Gateway is attached to a VPC and used to connect to the
Internet
• The route table is used to configure the VPC router
• Each VPC has a different block of IP addresses (CIDR block)
• Each subnet has a block of IP addresses from the CIDR block
• You can create multiple VPCs within each region
• A VPC spans all the Availability Zones in the region
• By default, you can create up to 5 VPCs per region



Exam Cram: Amazon VPC Fundamentals

VPC Component: What it is

Virtual Private Cloud (VPC): A logically isolated virtual network in the AWS cloud
Subnet: A segment of a VPC's IP address range where you can place groups of isolated resources
Internet Gateway / Egress-only Internet Gateway: The Amazon VPC side of a connection to the public Internet for IPv4 / IPv6 (the egress-only Internet gateway is IPv6 outbound only)
Router: Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets
Peering Connection: Direct connection between two VPCs
VPC Endpoints: Private connection to public AWS services
NAT Instance: Enables Internet access for EC2 instances in private subnets (managed by you)
NAT Gateway: Enables Internet access for EC2 instances in private subnets (managed by AWS)
Virtual Private Gateway: The Amazon VPC side of a Virtual Private Network (VPN) connection
Customer Gateway: Customer side of a VPN connection
AWS Direct Connect: High speed, high bandwidth, private network connection from the customer to AWS
Security Group: Instance-level firewall
Network ACL: Subnet-level firewall


Exam Cram: Amazon VPC Fundamentals
CIDR block rules and guidelines:
• CIDR block size can be between /16 and /28
• The CIDR block must not overlap with any existing CIDR block
that's associated with the VPC
• You cannot increase or decrease the size of an existing CIDR
block
• The first four and the last IP address of each subnet are reserved by AWS and not available for use
• AWS recommends you use CIDR blocks from the RFC 1918 ranges


Exam Cram: Amazon VPC Fundamentals
Secondary CIDR blocks:
• You cannot increase/decrease the size of existing CIDR blocks
• A local route is added to the VPC route tables for each CIDR block
added
• The secondary CIDR blocks must adhere to VPC rules for allowed
ranges
• Make sure the secondary CIDR block does not overlap with
existing CIDR blocks
• There are specific permitted/restricted CIDR block associations
depending on the primary VPC CIDR block used
• Exam tip: you cannot associate RFC 1918 ranges if the primary
CIDR block is a non-RFC 1918 address range

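The CIDR rules on the two slides above (block size, overlap, reserved addresses, and the secondary-CIDR restriction in the exam tip) can be checked mechanically before you call the API. The following is an added example, not code from the course slides, written with the Python standard library; the CIDRs used in it are constructed.

```python
"""Validate VPC CIDR blocks against the rules summarised in the exam cram.

Added example, not from the course slides; standard library only. Checks
block size (/16 to /28), overlap with CIDRs already on the VPC, the five
reserved addresses per subnet, the RFC 1918 recommendation, and the rule
that a secondary CIDR cannot come from a different RFC 1918 range than the
primary (or from any RFC 1918 range when the primary is not RFC 1918).
IPv4 only; the sample CIDRs are constructed.
"""
from ipaddress import ip_network

RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def rfc1918_block(net):
    """Return the RFC 1918 range containing net, or None if it is not private space."""
    for block in RFC1918:
        if net.subnet_of(block):
            return block
    return None


def validate_cidr(candidate, existing=(), primary=None):
    """Return {"errors": [...], "warnings": [...]} for adding candidate to a VPC.

    existing: CIDRs already associated with the VPC.
    primary:  the VPC's primary CIDR when candidate is a secondary block.
    An empty errors list means AWS would accept the association.
    """
    errors, warnings = [], []
    try:
        net = ip_network(candidate, strict=True)  # rejects host bits, e.g. 10.0.0.1/16
    except ValueError as exc:
        return {"errors": [f"{candidate}: {exc}"], "warnings": []}
    if net.version != 4:
        return {"errors": [f"{net}: this checker handles IPv4 only"], "warnings": []}

    if not 16 <= net.prefixlen <= 28:
        errors.append(f"{net}: block size must be between /16 and /28")
    for other in existing:
        if net.overlaps(ip_network(other)):
            errors.append(f"{net} overlaps existing CIDR {other}")

    cand_block = rfc1918_block(net)
    if cand_block is None:
        warnings.append(f"{net}: not RFC 1918; allowed, but AWS recommends RFC 1918 space")
    if primary is not None and cand_block is not None:
        prim_block = rfc1918_block(ip_network(primary))
        if cand_block != prim_block:
            errors.append(f"{net}: RFC 1918 range differs from the primary CIDR {primary}")
        # Documented special case: a 172.16.0.0/12 primary cannot add 172.31.0.0/16.
        if prim_block == RFC1918[1] and net.subnet_of(ip_network("172.31.0.0/16")):
            errors.append(f"{net}: 172.31.0.0/16 is restricted when the primary is in 172.16.0.0/12")
    return {"errors": errors, "warnings": warnings}


def reserved_addresses(subnet):
    """The five addresses AWS reserves in every subnet."""
    hosts = list(ip_network(subnet))
    return {
        "network": str(hosts[0]),
        "vpc_router": str(hosts[1]),
        "dns": str(hosts[2]),
        "future_use": str(hosts[3]),
        "broadcast": str(hosts[-1]),
    }


def usable_hosts(subnet):
    """Addresses left for instances after the five reserved ones."""
    return ip_network(subnet).num_addresses - 5


if __name__ == "__main__":
    print(validate_cidr("172.16.0.0/16", existing=["10.0.0.0/16"], primary="10.0.0.0/16"))
    print(validate_cidr("10.0.0.0/16", existing=["198.19.0.0/16"], primary="198.19.0.0/16"))
    print(reserved_addresses("10.0.1.0/24"), usable_hosts("10.0.1.0/24"))
```

The second call in the usage block is the exam tip from the slide: with a non-RFC 1918 primary (198.19.0.0/16) the RFC 1918 secondary is rejected.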


Exam Cram: Amazon VPC Fundamentals
Prefix Lists:
• Set of one or more CIDR blocks
• Simplifies configuration and maintenance
• Can be referenced in security group rules and routes
• There are two types of prefix lists:
• Customer-managed prefix lists — Sets of IP address ranges that
you define and manage.
• AWS-managed prefix lists — Sets of IP address ranges for AWS
services. You cannot create, modify, share, or delete an AWS-
managed prefix list



Exam Cram: Amazon VPC Fundamentals
VPC routing:
• Main route table is implicitly associated with subnets that
haven’t been explicitly associated with a route table
• Each subnet can only be associated with one route table
• The longest prefix wins when making routing decisions
• Static routes are preferred over propagated routes
• A Gateway route table is attached to an IGW or VGW



Exam Cram: Amazon VPC Fundamentals
Security Groups:
• Security Groups apply at the instance (ENI) level
• Security Groups can be applied to instances in any subnet of the VPC
• Security groups support allow rules only and are stateful
• A source can be an IP address or CIDR block, a security group ID, or a prefix list ID
Network Access Control Lists:
• NACLs apply at the subnet level
• NACLs apply only to traffic entering / exiting the subnet and are stateless
• Rules are processed in order from the lowest number; the first match wins
• NACLs support both allow and deny rules and end with a "*" rule that denies anything not matched


Exam Cram: Amazon VPC Fundamentals
NAT Gateways:
• NAT gateways are used to enable internet access for EC2 instances in
private subnets
• The NAT gateway is created in the public subnet
• The NAT gateway ID must be specified in the private subnet route table
• AWS managed and highly available within an AZ
NAT Instances:
• An Amazon EC2 instance configured to enable NAT for instances in
private subnets
• Uses a special AMI with the string “amzn-ami-vpc-nat” in the name
• Must disable source/destination checks
• Customer managed and not highly available by default



Exam Cram: Amazon VPC Fundamentals
AWS Local Zones:
• Places compute, storage, database and other select services
close to population, industry, and IT centers
• Pay only for the services you consume in the Local Zone
(increased rates)
• VPCs are extended into Local Zones, and you can use Security
Groups, Network ACLs etc.
• Local Zones have local internet ingress and egress
• You can also use AWS Direct Connect for private networking
• Can access all AWS services in the AWS Region via the AWS
global network backbone



SECTION 5

Compute and Elastic Load Balancing

EC2 Networking
EC2 Network Interfaces

The primary network interface (eth0) has a private IP and optionally a public IP; in the diagram eth0 is in the public subnet with public IP 52.63.195.113 and eth1 is in the private subnet with private IP 172.31.15.89.

Additional ENIs can be attached from subnets within the same Availability Zone as the instance. You cannot attach ENIs from subnets in a different AZ.


EC2 Network Interfaces

Elastic Network Interface (ENI)
• Basic adapter type for when you don't have any high-performance requirements
• Can use with all instance types

Elastic Network Adapter (ENA)
• Enhanced networking performance
• Higher bandwidth and lower inter-instance latency
• Must choose a supported instance type

Elastic Fabric Adapter (EFA)
• Use with High Performance Computing (HPC), MPI and ML use cases
• Tightly coupled applications that bypass the operating system kernel for inter-instance communication
• Must choose a supported instance type (EFA is not available on every instance type)


MTU and Jumbo Frames
• MTU is the maximum transmission unit
• This is the maximum size, in bytes, of the largest
permissible packet
• The larger the MTU, the more data can be passed
in a single packet
• Ethernet v2 supports an MTU of 1500 bytes
• Some instance types support an MTU of 9001
which is known as jumbo frames
• Jumbo frames are enabled within a VPC by
default



MTU and Jumbo Frames
• Jumbo frames are not supported for the following use cases (an MTU of 1500 applies):
  • Traffic over an Internet gateway
  • Traffic over an inter-Region VPC peering connection
  • Traffic over VPN connections
  • Traffic outside of a given AWS Region for EC2-Classic (EC2-Classic has since been retired)
• Jumbo frames help achieve maximum throughput for instances in cluster placement groups


EC2 Placement Groups

• Cluster – packs instances close together inside an Availability Zone. This


strategy enables workloads to achieve the low-latency network performance
necessary for tightly-coupled node-to-node communication that is typical of
HPC applications

• Partition – spreads your instances across logical partitions such that groups
of instances in one partition do not share the underlying hardware with
groups of instances in different partitions. This strategy is typically used by
large distributed and replicated workloads, such as Hadoop, Cassandra, and
Kafka

• Spread – strictly places a small group of instances across distinct underlying


hardware to reduce correlated failures



Cluster Placement Group

All instances are packed close together inside a single Availability Zone within the VPC. Uses enhanced networking, with low network latency and high throughput for inter-instance traffic.


Partition Placement Group

Instances are divided into partitions (Partition 1, 2, 3 in the diagram); each partition is located on a separate AWS rack, so partitions do not share underlying hardware. Partitions can be in multiple Availability Zones, with up to 7 partitions per AZ.


Spread Placement Group

Each instance is located on a separate AWS rack, and a spread placement group can span multiple Availability Zones.


EC2 Placement Group Use Cases

Cluster:   tightly-coupled application that requires low-latency, high throughput network traffic between instances
Partition: distributed and replicated NoSQL database; requires separate hardware for node groups
Spread:    small number of critical instances that should be kept separate from each other


Working with ENIs

Public, Private and Elastic IP Addresses
Public, Private and Elastic IP Addresses

An EC2 instance with two ENIs in public subnets of the same Availability Zone: eth0 has private IP 172.31.15.89 and public IP 52.63.195.113; eth1 has private IP 172.31.55.108 and Elastic IP 54.66.202.9.

A public IP address is a dynamic address; an Elastic IP address is a static address.


Public, Private and Elastic IP Addresses

Both ENIs and EIPs can be remapped to a different instance: eth1 (172.31.55.108 with Elastic IP 54.66.202.9) is detached from the first instance and attached to a second instance in the same Availability Zone.


Public, Private and Elastic IP Addresses

EIPs can be remapped across Availability Zones: the Elastic IP 54.66.202.9 is disassociated from eth1 (172.31.55.108) on the instance in the first AZ and associated with an ENI on an instance in a second AZ. ENIs themselves stay in the AZ of their subnet.
Public, Private and Elastic IP addresses

Public IP address
• Lost when the instance is stopped
• Used in public subnets
• No charge
• Associated with a private IP address on the instance
• Cannot be moved between instances

Private IP address
• Retained when the instance is stopped
• Used in public and private subnets

Elastic IP address
• Static public IP address
• You are charged if not used
• Associated with a private IP address on the instance
• Can be moved between instances and Elastic Network Interfaces

Note: since February 2024 AWS charges for every public IPv4 address in use, whether dynamic or Elastic, so "no charge" for public IPs no longer holds.


NAT for Public Addresses
NAT for Public Addresses

The Internet gateway performs 1:1 NAT between the instance's private IP and its public or Elastic IP; the public address is never configured on the instance itself (eth0 only holds 172.31.32.63).

Outbound, as seen inside the VPC:   Src: 172.31.32.63   Dest: 54.23.86.101
Outbound, after the IGW:            Src: 3.104.75.244   Dest: 54.23.86.101
Return, from the Internet:          Src: 54.23.86.101   Dest: 3.104.75.244
Return, after the IGW:              Src: 54.23.86.101   Dest: 172.31.32.63
Working with EC2 IP addresses

Types of Elastic Load Balancer (ELB)
Types of Elastic Load Balancer (ELB)

Application Load Balancer
Load balancer protocol: HTTP, HTTPS; instance protocol: HTTP, HTTPS
• Operates at the request level
• Routes based on the content of the request (layer 7)
• Supports path-based routing, host-based routing, query string parameter-based routing, and source IP address-based routing
• Supports instances, IP addresses, Lambda functions and containers as targets

Network Load Balancer
Load balancer protocol: TCP, TLS, UDP, TCP_UDP; target protocol: TCP, TLS, UDP, TCP_UDP
• Operates at the connection level
• Routes connections based on IP protocol data (layer 4)
• Offers ultra high performance, low latency and TLS offloading at scale
• Can have a static IP / Elastic IP per subnet
• Supports UDP, and instances and IP addresses (including on-premises) as targets


Types of Elastic Load Balancer (ELB)

Classic Load Balancer (old generation; shouldn't be in the exam anymore)
Load balancer protocol: TCP, SSL, HTTP, HTTPS; instance protocol: TCP, SSL, HTTP, HTTPS
• Old generation; not recommended for new applications
• Performs routing at layer 4 and layer 7
• Was used for existing applications running in EC2-Classic (EC2-Classic has since been retired)

Gateway Load Balancer (new and starting to appear in the exam)
Load balancer protocol: all packets on all ports; appliance protocol: GENEVE
• Used in front of virtual appliances such as firewalls, IDS/IPS, and deep packet inspection systems
• Operates at layer 3: listens for all packets on all ports
• Forwards traffic to the target group specified in the listener rules
• Exchanges traffic with appliances using the GENEVE protocol on port 6081
• Consumers reach it through a Gateway Load Balancer endpoint (a VPC endpoint)


ELB Features

Feature                      ALB                          NLB
OSI layer                    7                            4
Target type                  IP, instance, Lambda, ECS    IP, instance, ALB
Protocol listeners           HTTP, HTTPS, gRPC            TCP, UDP, TLS
PrivateLink support          No                           Yes (TCP, TLS)
Static IP address            No                           Yes
HTTP header based routing    Yes                          No
Source IP preservation       X-Forwarded-For header       Native
SSL/TLS termination          Load balancer                Load balancer or target


ELB Use Cases
Application Load Balancer
• Web applications with L7 routing (HTTP/HTTPS)
• Microservices architectures (e.g. Docker containers)
• Lambda targets
Network Load Balancer
• TCP and UDP based applications
• Ultra-low latency
• Static IP addresses
• VPC endpoint services



ELB Use Cases
Gateway Load Balancer
• Load balance virtual appliances such as:
• Intrusion detection systems (IDS)
• Intrusion prevention systems (IPS)
• Next generation firewalls (NGFW)
• Web application firewalls (WAF)
• Distributed denial of service protection systems (DDoS)
• Integrate with Auto Scaling groups for elasticity
• Apply network monitoring and logging for analytics



Routing and Session Management
Application Load Balancer (ALB)

ALBs listen on HTTP/HTTPS. A rule is configured on the listener, and target groups (TG1, TG2, TG3) are used to route requests to registered targets, which can be EC2 instances, IP addresses, Lambda functions or containers spread across subnets.

Path-based routing: requests can be routed based on the path in the URL, for example
  https://example.com/specials
  https://example.com/orders

Host-based routing: requests can also be routed based on the Host field in the HTTP header, for example
  https://members.example.com/
Network Load Balancer (NLB)

NLBs listen on TCP, TLS, UDP or TCP_UDP, and requests are routed based on IP protocol data. NLB nodes can have Elastic IPs in each subnet (54.22.182.2, 54.239.28.85 and 54.12.10.212 in the diagram). Targets can be EC2 instances or IP addresses, and IP targets can be outside the VPC (e.g. on-premises). A separate listener on a unique port is required for each routing decision, for example https://example.com on port 443 to TG1 and https://example.com:8080 to TG2.
Storing Session State

Session data such as authentication details is stored in a DynamoDB table (ElastiCache is also a popular solution for storing session-state data). When the Elastic Load Balancer sends the user to a different instance in another Availability Zone, that instance retrieves the session data from the DynamoDB table, so the user does not need to re-authenticate.


Sticky Sessions

Session data such as authentication details is stored locally on the instance. The load balancer generates a cookie and the client is bound to that instance for the cookie lifetime. If the instance fails, the client is directed to another instance and the session state is lost; use sticky sessions together with a session state store for more resiliency.


ALB and NLB Access Control and SSL/TLS
Access Control with ALB and NLB

Connections to an ALB pass through the NACL of the load balancer's subnet, then the ALB's own security group, then the NACL and security group of the target subnet and instance. Connections to an NLB pass through the subnet NACLs and the target's security group; in these slides the NLB itself has no security group, so target security groups had to allow the client addresses (or the NLB node private IPs). Since August 2023 NLBs can also have security groups associated at creation, and target security groups can then reference the NLB security group instead of client CIDRs.


What's the Source IP Address the App sees?

ALB (and CLB): the instance sees the private IP of the load balancer's ENI (IP=B) as the source; the client IP (IP=A) is carried in the X-Forwarded-For header.
  Source   Protocol  Port
  IP=B     TCP       80

NLB with targets specified by instance ID: the client IP is preserved, the instance sees IP=A, and the target security group must allow the client addresses.
  Source   Protocol  Port
  IP=A     TCP       80

NLB with targets specified by IP address (TCP and TLS listeners): the instance sees the NLB node's private IP (IP=B) unless client IP preservation is enabled on the target group; for UDP and TCP_UDP the source is always the client IP=A.
  Source   Protocol  Port
  IP=B     TCP       80

When using an NLB behind a VPC endpoint service (PrivateLink) or AWS Global Accelerator, the source IPs are the private IPs of the NLB nodes; enable Proxy Protocol v2 on the target group if the application needs the original client address.
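Because the ALB hands the client address to the application in X-Forwarded-For, the application has to parse that header safely: the client can send its own X-Forwarded-For value, and the ALB appends the address it actually saw to the right of it. The following is an added example, not code from the course slides, showing the usual bug (trust the leftmost value) beside the correct right-to-left walk over trusted proxy ranges. The trusted ranges and addresses are constructed, and the ranges stand in for the subnets the ALB nodes are deployed in.

```python
"""Recovering the client IP behind an ALB without trusting spoofed headers.

Added example, not from the course slides. The ALB appends the connecting
client's address to X-Forwarded-For; anything the client itself sent sits to
the left. Read the header right to left and skip only hops you trust (your
ALB subnets, or CloudFront ranges if CloudFront sits in front of the ALB).
Ranges and addresses below are constructed.
"""
from ipaddress import ip_address, ip_network

# Subnets the ALB nodes live in; their ENI private IPs are the TCP peers the app sees.
TRUSTED_PROXY_RANGES = [ip_network("10.0.0.0/20"), ip_network("10.0.16.0/20")]


def _is_trusted(ip):
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_RANGES)


def naive_client_ip(xff_header):
    """The common bug: the leftmost value is whatever the client chose to send."""
    return xff_header.split(",")[0].strip()


def client_ip_from_xff(peer_ip, xff_header):
    """Return the client address, walking X-Forwarded-For from the right.

    peer_ip is the TCP peer address. If it is not a trusted proxy, the header
    cannot be trusted at all and the peer itself is the client. Otherwise the
    rightmost untrusted hop is the client; a hop that is not an IP address at
    all means the client injected garbage, and None is returned so the caller
    can reject the request rather than log a forged value.
    """
    if not _is_trusted(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue  # another proxy we operate; keep walking left
        try:
            ip_address(hop)
        except ValueError:
            return None
        return hop
    # Every hop was one of our proxies: the connection originated inside them.
    return peer_ip


if __name__ == "__main__":
    forged = "1.2.3.4, 198.51.100.7"   # client sent "1.2.3.4"; ALB appended 198.51.100.7
    print("naive  :", naive_client_ip(forged))
    print("correct:", client_ip_from_xff("10.0.1.25", forged))
```

For NLB instance targets (and IP targets with client IP preservation, or UDP) none of this is needed: the socket peer address already is the client, which is why NLB-fronted services can enforce client allowlists in security groups while ALB-fronted ones must do it from the header.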
SSL/TLS Termination

ALB, terminating TLS: the client connection is encrypted and terminated at the ALB using an ACM certificate or a certificate imported into ACM or IAM; the connection to the instance is unencrypted. With a layer 7 load balancer a new connection is always established to the instance.

ALB, re-encrypting: the client connection is encrypted and terminated at the ALB, and the ALB opens a second encrypted connection to the instance. The ALB does not validate the target's certificate, so a self-signed certificate can be used on the instance.


SSL/TLS Termination

NLB, TLS passthrough (TCP listener): a single encrypted connection runs end to end from the client to the instance; the certificate lives on the instance.

NLB, TLS termination (TLS listener): the client connection is terminated at the NLB with a certificate from ACM or imported into ACM or IAM, and a new connection (encrypted or not) is opened to the target. A certificate held in ACM or IAM must be used on the listener.


Create EC2 Auto Scaling Group for ELB HOL
Amazon EC2 Auto Scaling

An Auto Scaling group spans public subnets in two Availability Zones. Instances report metrics to Amazon CloudWatch; when a metric breaches an alarm (for example CPU > 80%), CloudWatch notifies Auto Scaling to scale and Auto Scaling launches an extra instance. If EC2 status checks fail for an instance, the ASG replaces the failed instance.


Create Application Load Balancer

Create Network Load Balancer

Gateway Load Balancer Deployments
Gateway Load Balancer Deployments

A VPC with an application subnet (10.0.1.0/24, EC2 instances) and an appliance subnet (10.0.2.0/24, IDS appliances behind a GWLB). Inbound traffic from the Internet gateway for the application subnet is routed via the Gateway Load Balancer endpoint (GWLBE), which is a target in the route tables, so it is inspected before reaching the instances.

Application subnet route table    Appliance subnet route table    IGW (gateway) route table
Destination    Target             Destination    Target           Destination    Target
10.0.0.0/16    Local              10.0.0.0/16    Local            10.0.0.0/16    Local
0.0.0.0/0      gwlbe-xxx          0.0.0.0/0      igw-xxx          10.0.1.0/24    gwlbe-xxx


Gateway Load Balancer Deployments
• Gateway Load Balancer works with Auto Scaling groups so you can scale virtual appliances
• Can be used with third-party virtual appliances such as:
  • Next generation firewalls (NGFW)
  • Web application firewalls (WAF)
  • Intrusion detection systems (IDS)
  • Intrusion prevention systems (IPS)
• Enables high availability by routing traffic only to healthy appliances
• Can use Gateway Load Balancer endpoints, which are powered by PrivateLink


Gateway Load Balancer Deployments
• When creating a target group choose the GENEVE protocol
• Target type can be instances or IP addresses


Gateway Load Balancer Monitoring
• CloudWatch Metrics – The AWS/GatewayELB namespace
includes several metrics
• VPC Flow Logs – Create a flow log for each network
interface for the GLB (one per subnet)
• CloudTrail Logs – Capture API actions related to the GLB



Amazon ECS
Amazon ECS

An Amazon ECS cluster is a logical grouping of tasks or services. An ECS task is created from a task definition and is a running Docker container; ECS services are used to maintain a desired count of tasks. With the EC2 launch type, tasks run on ECS container instances in an Auto Scaling group across Availability Zones. Docker images can be stored in Amazon Elastic Container Registry (ECR).

Task definition (bridge networking mode example):

{
  "containerDefinitions": [
    {
      "name": "wordpress",
      "links": ["mysql"],
      "image": "wordpress",
      "essential": true,
      "portMappings": [
        {
          "containerPort": 80,
          "hostPort": 80
        }
      ],
      "memory": 500,
      "cpu": 10
    }
  ]
}


Amazon ECS

Elastic Container Service (ECS)   Description
Cluster                           Logical grouping of EC2 instances
Container instance                EC2 instance running the ECS agent
Task Definition                   Blueprint that describes how a Docker container should launch
Task                              A running container using settings in a Task Definition
Service                           Defines long running tasks – can control task count with Auto Scaling and attach an ELB


Launch Types – EC2 and Fargate

EC2 Launch Type (ECS EC2 Cluster: ECS Service → ECS Container instances → Tasks):
• Registry: ECR, Docker Hub, Self-hosted
• You explicitly provision EC2 instances
• You’re responsible for managing EC2 instances
• Charged per running EC2 instance
• EFS and EBS integration
• You handle cluster optimization
• More granular control over infrastructure

Fargate Launch Type (ECS Fargate Cluster: ECS Service → Tasks):
• Registry: ECR, Docker Hub
• Fargate automatically provisions resources
• Fargate provisions and manages compute
• Charged for running tasks
• No EBS integration
• Fargate handles cluster optimization
• Limited control, infrastructure is automated

ECS and IAM Roles
ECS EC2 Cluster (EC2 launch type):
• IAM Instance Role (e.g. AmazonEC2ContainerServiceforEC2Role) – the container instance IAM role provides permissions to the host (the ECS Container instance)
• IAM Task Role – the ECS task IAM role provides permissions to the container (the Task)

NOTE: container instances have access to all of the permissions that are supplied to the container instance role through instance metadata


ECS and IAM Roles
ECS Fargate Cluster (Fargate launch type):
• IAM Task Role – with the Fargate launch type only IAM task roles can be applied


Auto Scaling for ECS
Two types of scaling:
1. Service auto scaling
2. Cluster auto scaling

• Service auto scaling automatically adjusts the desired task count up or down using the Application Auto Scaling service
• Service auto scaling supports target tracking, step, and scheduled scaling policies
• Cluster auto scaling uses a Capacity Provider to scale the number of EC2 cluster instances using EC2 Auto Scaling


ECS Networking modes
• awsvpc — The task is allocated its own elastic network
interface (ENI) and a primary private IPv4 address. This
gives the task the same networking properties as Amazon
EC2 instances
• bridge — The task utilizes Docker's built-in virtual
network which runs inside each Amazon EC2 instance
hosting the task
• host — The task bypasses Docker's built-in virtual
network and maps container ports directly to the ENI of
the Amazon EC2 instance hosting the task
• none — The task has no external network connectivity

Dynamic Port Mapping with ALB
Diagram callouts:
• Each task (nginx, Apache) is running a web service on port 80 (Container port: 80)
• A dynamic port is allocated on the host (Host ports: 32612, 32600, 32668, 32669)
• All connections to the web services come into the Application Load Balancer HTTP listener (port 80)
• The host and awsvpc network modes do not support dynamic host port mapping
• A NAT gateway in a public subnet is required for tasks in private subnets to access the internet
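
The port-mapping rules of the four network modes and the dynamic host port that bridge mode hands to the ALB, as an added example (not course material): it validates a task definition against its networkMode and simulates the host port each container ends up on. The sample task definition is constructed from the slide's WordPress container.

```python
"""Check ECS port mappings against the task's network mode and show which
host port a task ends up on.

Added example (not course material). Rules encoded from the slides: bridge mode
uses Docker's virtual network, so hostPort 0 (or omitted) gets an ephemeral
host port, which is what ALB dynamic port mapping relies on; host and awsvpc
modes map container ports directly onto an ENI, so the host port must equal
the container port (or be omitted) and no dynamic port is possible; none has no
external connectivity at all.
"""
from __future__ import annotations

import copy
from typing import Iterator

SUPPORTED_MODES = {"awsvpc", "bridge", "host", "none"}

# Constructed sample: the WordPress container from the slide's task definition,
# registered for dynamic port mapping (hostPort 0) in bridge mode.
SAMPLE_TASK_DEF = {
    "networkMode": "bridge",
    "containerDefinitions": [
        {
            "name": "wordpress",
            "image": "wordpress",
            "essential": True,
            "portMappings": [{"containerPort": 80, "hostPort": 0}],
            "memory": 500,
            "cpu": 10,
        }
    ],
}


def validate_port_mappings(task_def: dict) -> list[str]:
    """Return the problems found (an empty list means the mappings are valid)."""
    mode = task_def.get("networkMode", "bridge")  # ECS on EC2 defaults to bridge
    if mode not in SUPPORTED_MODES:
        return [f"unknown network mode {mode!r}"]
    problems: list[str] = []
    for cdef in task_def.get("containerDefinitions", []):
        name = cdef.get("name", "?")
        for pm in cdef.get("portMappings", []):
            cport, hport = pm.get("containerPort"), pm.get("hostPort")
            if mode == "none":
                problems.append(f"{name}: port {cport} mapped but networkMode is none")
            elif mode in ("awsvpc", "host") and hport not in (None, cport):
                # No dynamic host ports here: the container port is the host port.
                problems.append(
                    f"{name}: hostPort {hport} must equal containerPort {cport} in {mode} mode"
                )
            elif mode == "bridge" and hport is not None and not (0 <= hport <= 65535):
                problems.append(f"{name}: hostPort {hport} out of range")
    return problems


def assign_host_ports(task_def: dict, ephemeral: Iterator[int]) -> dict[str, int]:
    """Simulate the host port each container listens on when the task is placed.

    `ephemeral` stands in for the instance's ephemeral port range; ECS registers
    the port Docker picked with the ALB target group (e.g. 32612 on the slide).
    """
    mode = task_def.get("networkMode", "bridge")
    assigned: dict[str, int] = {}
    for cdef in task_def.get("containerDefinitions", []):
        for pm in cdef.get("portMappings", []):
            cport, hport = pm["containerPort"], pm.get("hostPort")
            if mode in ("awsvpc", "host"):
                assigned[cdef["name"]] = cport
            elif mode == "bridge":
                assigned[cdef["name"]] = hport if hport else next(ephemeral)
    return assigned


def with_mode(task_def: dict, mode: str, host_port) -> dict:
    """Copy the sample task definition with another networkMode and hostPort."""
    td = copy.deepcopy(task_def)
    td["networkMode"] = mode
    td["containerDefinitions"][0]["portMappings"][0]["hostPort"] = host_port
    return td


if __name__ == "__main__":
    print(validate_port_mappings(SAMPLE_TASK_DEF))                    # []
    print(assign_host_ports(SAMPLE_TASK_DEF, iter([32612, 32600])))   # {'wordpress': 32612}
    print(validate_port_mappings(with_mode(SAMPLE_TASK_DEF, "awsvpc", 0)))
```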


Amazon EKS

Amazon EKS
• Amazon Elastic Kubernetes Service (Amazon EKS) is a managed service
• Use when you need to standardize container orchestration across multiple
environments using a managed Kubernetes implementation
• Hybrid Deployment - manage Kubernetes clusters and applications across
hybrid environments (AWS + On-premises)
• Batch Processing - run sequential or parallel batch workloads on your EKS
cluster using the Kubernetes Jobs API. Plan, schedule and execute batch
workloads
• Machine Learning - use Kubeflow with EKS to model your machine learning
workflows and efficiently run distributed training jobs using the latest EC2
GPU-powered instances, including Inferentia
• Web Applications - build web applications that automatically scale up and
down and run in a highly available configuration across multiple Availability
Zones

Amazon EKS
Diagram callouts (Region > VPC > Availability Zones with public and private subnets):
• EKS Cluster – managed Kubernetes service; runs on EC2 / Fargate and also AWS Outposts
• EKS Control Plane
• Worker Nodes
• EKS supports load balancing with ALB, NLB, CLB
• Groups of containers are known as Pods in Kubernetes


Amazon EKS Auto Scaling
Cluster Auto Scaling:
• Vertical Pod Autoscaler - automatically adjusts the CPU and memory
reservations for your pods to help "right size" your applications
• Horizontal Pod Autoscaler - automatically scales the number of pods in a
deployment, replication controller, or replica set based on that
resource's CPU utilization
Workload Auto Scaling:
• Amazon EKS supports two autoscaling products:
• Kubernetes Cluster Autoscaler
• Karpenter open source autoscaling project
• The cluster autoscaler uses AWS scaling groups, while Karpenter works
directly with the Amazon EC2 fleet

Amazon EKS Pod Networking

• Amazon EKS supports native VPC networking with the Amazon VPC
Container Network Interface (CNI) plugin for Kubernetes
• This plugin assigns a private IPv4 or IPv6 address from your VPC to each
pod
• The VPC CNI plugin for Kubernetes is deployed with each of your
Amazon EC2 nodes in a Daemonset with the name aws-node
• The plugin consists of two components:
• L-IPAM daemon – Responsible for creating network interfaces and
attaching the network interfaces to Amazon EC2 instances, assigning
secondary IP addresses to network interfaces, and maintaining a
warm pool of IP addresses on each node for assignment to
Kubernetes pods when they are scheduled
• CNI plugin – Responsible for wiring the host network (for example,
configuring the network interfaces and virtual Ethernet pairs) and
adding the correct network interface to the pod namespace

Amazon EKS and Elastic Load Balancing

• Amazon EKS supports Network Load Balancers and Application Load Balancers
• The AWS Load Balancer Controller manages AWS Elastic Load Balancers for a Kubernetes cluster
• Install the AWS Load Balancer Controller using Helm V3 or later or by applying a Kubernetes manifest
• The controller provisions the following resources:
• An AWS Application Load Balancer (ALB) when you create a Kubernetes Ingress
• An AWS Network Load Balancer (NLB) when you create a Kubernetes service of type LoadBalancer
• In the past, the Kubernetes network load balancer was used for instance targets, but the AWS Load Balancer Controller was used for IP targets
• With the AWS Load Balancer Controller version 2.3.0 or later, you can create NLBs using either target type


Amazon API Gateway
Deployments

Amazon API Gateway Overview
Diagram callouts:
• Clients (mobile client, service, website) call a REST API over HTTPS
• Amazon API Gateway forwards requests to integrations: an AWS Lambda function, an EC2 instance in a private subnet, an Application Load Balancer in front of EC2 instances in a public subnet, any other AWS service, or any public endpoint
• Can import Swagger / Open API 3.0 definitions (YAML/JSON)

Amazon API Gateway API Types
Amazon API Gateway supports:
• REST APIs - support OIDC and OAuth 2.0 authorization, and
come with built-in support for CORS and automatic
deployments
• HTTP APIs - designed for low-latency, cost-effective
integrations with AWS services, including AWS Lambda, and
HTTP endpoints
• WebSocket APIs – deployed as a stateful frontend for an AWS
service (such as Lambda or DynamoDB) or for an HTTP
endpoint
• REST APIs and HTTP APIs support authorizers for AWS Lambda,
IAM, and Amazon Cognito
• WebSocket APIs support IAM authorization and Lambda
authorizers

Amazon API Gateway Deployment Types
• Edge-optimized endpoint – Amazon CloudFront in front of Amazon API Gateway (AWS Cloud). Key benefits: reduced latency for requests from around the world
• Regional endpoint – Amazon API Gateway in a Region, accessed by services in the same Region. Key benefits: reduced latency for requests that originate in the same Region; can also configure your own CDN and protect with WAF
• Private endpoint – Amazon API Gateway accessed from services in the same VPC. Key benefits: securely expose your REST APIs only to other services within your VPC or connect via Direct Connect


API Gateway Private REST APIs
• Private REST APIs can only be accessed from within a VPC using an interface VPC endpoint

Diagram: EC2 instances in the public and private subnets of the Customer VPC reach Amazon API Gateway (in the API Gateway Service VPC, integrated with a Lambda function) through an Endpoint Network Interface in the customer VPC


Private API Development Considerations
• You can convert an existing public API (Regional or edge-
optimized) to a private API
• You can convert a private API to a Regional API
• You cannot convert a private API to an edge-optimized API
• To grant access to your private API to VPCs and VPC endpoint,
you need to create a resource policy and attach it to the API
• Custom domain names are not supported for private APIs
• You can use a single VPC endpoint to access multiple private
APIs
• You can associate or disassociate a VPC endpoint to a REST API,
which gives a Route 53 alias DNS record and simplifies invoking
your private API
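
The resource policy a private API needs, and why a request that does not arrive through the expected interface endpoint is refused, as an added example (not the course's or AWS's code): a minimal evaluator for the documented Allow-then-Deny-unless-aws:SourceVpce pattern. The VPC endpoint id, account id and API id are placeholders.

```python
"""Evaluate an API Gateway resource policy that restricts a private REST API
to one interface VPC endpoint.

Added example (not the course's or AWS's code). The policy follows the
documented pattern for private APIs: Allow execute-api:Invoke to everyone,
then Deny whenever aws:SourceVpce is not the expected endpoint. Only the part
of IAM evaluation this pattern needs is implemented (Allow/Deny, wildcard
Action/Resource, StringEquals/StringNotEquals). All ids are placeholders.
"""
import fnmatch

RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:ap-southeast-2:111122223333:abcde12345/*",
        },
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:ap-southeast-2:111122223333:abcde12345/*",
            "Condition": {"StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
        },
    ],
}

# Constructed request ARN: stage "prod", GET on /orders.
API_ARN = "arn:aws:execute-api:ap-southeast-2:111122223333:abcde12345/prod/GET/orders"


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(condition: dict, context: dict) -> bool:
    """Every condition block must hold. A key missing from the request context
    never satisfies StringEquals but does satisfy StringNotEquals, which is
    how IAM treats negated operators (and why the Deny hits public callers)."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            actual = context.get(key)
            equal = actual is not None and actual in _as_list(expected)
            if operator == "StringEquals" and not equal:
                return False
            if operator == "StringNotEquals" and equal:
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Return 'Allow' or 'Deny': an explicit Deny wins, no matching Allow is an
    implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    invoke = "execute-api:Invoke"
    print(evaluate(RESOURCE_POLICY, invoke, API_ARN, {"aws:SourceVpce": "vpce-0123456789abcdef0"}))  # Allow
    print(evaluate(RESOURCE_POLICY, invoke, API_ARN, {"aws:SourceVpce": "vpce-0fedcba9876543210"}))  # Deny
    print(evaluate(RESOURCE_POLICY, invoke, API_ARN, {}))  # Deny: no endpoint in the context
```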

Amazon API Gateway – Structure of an API
Request path (Users → Published API → Endpoint):
• Method Request – HTTP method (ANY, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT); e.g. the execute-api ARN arn:aws:execute-api:ap-southeast-2:515148227241:fk49ji8iff/*/GET/
• Integration Request – map the request parameters of the method request to the format required by the backend; integration types: HTTP, HTTP_PROXY, LAMBDA, LAMBDA_PROXY, MOCK
• Endpoint – Lambda function, HTTP endpoint, EC2 instance, AWS service etc.
Response path:
• Integration Response – map the status codes, headers, and payload received from the backend into the format for the client (CONVERT or PASSTHROUGH)
• Method Response – HTTP status codes and response bodies returned to the client


API Gateway - Caching
• You can add caching to API calls by provisioning an Amazon API Gateway cache and specifying its size in gigabytes
• Caching allows you to cache the endpoint's response
• Caching can reduce the number of calls to the backend and improve the latency of requests to the API

Diagram (Users → MyAPI Production Stage → API Cache → Endpoint):
1. Check the cache first
2. If not in the cache (cache miss), go to the backend
Stage cache settings: CACHE: ENABLED, SIZE: 0.5GB, ENCRYPTION: ON, TTL: 900


API Gateway - Throttling
• API Gateway sets a limit on a steady-state rate and a burst of request submissions against all APIs in your account
• Limits:
• By default, API Gateway limits the steady-state request rate to 10,000 requests per second
• The maximum concurrent requests is 5,000 requests across all APIs within an AWS account
• If you go over 10,000 requests per second or 5,000 concurrent requests, you will receive a 429 Too Many Requests error response
• Upon catching such exceptions, the client can resubmit the failed requests in a rate-limited way, while complying with the API Gateway throttling limits
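
The throttling limits above and the client-side retry they call for, as an added example (not course code): a token-bucket model of the account-level limit (10,000 requests per second steady state, 5,000 burst) and a client that backs off with jitter on 429 instead of retrying immediately. The simulated clock and seeded random generator are constructed so the run is deterministic and offline.

```python
"""Simulate API Gateway account-level throttling and a client that handles 429.

Added example, not course code. API Gateway's throttling is documented as a
token bucket; the defaults below are the ones the slide quotes (10,000 rps
steady state, 5,000 burst). The client treats 429 Too Many Requests as a
signal to back off with exponential delay plus jitter. Time is a plain number
passed around by the caller, so nothing sleeps and the run is deterministic.
"""
import random


class TokenBucket:
    """Bucket refilled at `rate` tokens per second, capped at `burst` tokens."""

    def __init__(self, rate: float, burst: int, now: float = 0.0):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = now

    def try_consume(self, now: float) -> bool:
        # Refill in proportion to elapsed time, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ApiGateway:
    def __init__(self, rate: float = 10_000, burst: int = 5_000):
        self.bucket = TokenBucket(rate, burst)

    def invoke(self, now: float) -> int:
        """HTTP status: 200 when a token is available, 429 when throttled."""
        return 200 if self.bucket.try_consume(now) else 429


def burst_then_count(gw: ApiGateway, n: int, at: float = 0.0) -> dict:
    """Fire n requests at the same instant and count the outcomes."""
    codes = [gw.invoke(at) for _ in range(n)]
    return {"ok": codes.count(200), "throttled": codes.count(429)}


def invoke_with_backoff(gw: ApiGateway, now: float, max_attempts: int = 5,
                        base: float = 0.1, rng=None):
    """Retry on 429 with exponential backoff and full jitter.

    Returns (status, attempts_used, finish_time). A client that instead
    resubmits immediately just keeps draining an empty bucket.
    """
    rng = random.Random(0) if rng is None else rng
    for attempt in range(max_attempts):
        status = gw.invoke(now)
        if status != 429:
            return status, attempt + 1, now
        # Full jitter: wait a random time in [0, base * 2**attempt] seconds.
        now += rng.uniform(0, base * 2 ** attempt)
    return 429, max_attempts, now


if __name__ == "__main__":
    gw = ApiGateway()
    print(burst_then_count(gw, 6_000))          # {'ok': 5000, 'throttled': 1000}
    print(invoke_with_backoff(gw, 0.0))         # (200, 2, ...): one 429, then success after backing off
```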


Exam Cram

Exam Cram: Compute and Elastic Load Balancing
EC2 networking:
• Each EC2 instance has a primary elastic network interface (ENI)
• The primary network interface has a private IP and optionally a
public IP
• Additional ENIs can be attached from subnets within the same AZ
• You cannot attach ENIs from subnets in different AZs
• Elastic network interface (ENI) is a basic adapter for common use
cases
• Elastic network adapter (ENA) provides enhanced networking
and low inter-instance latency for supported instance types
• Elastic Fabric Adapter (EFA) for use with MPI and ML use cases –
think tightly coupled applications

Exam Cram: Compute and Elastic Load Balancing
MTU and jumbo frames:
• MTU is the maximum transmission unit
• This is the maximum size, in bytes, of the largest permissible
packet
• The larger the MTU, the more data can be passed in a single
packet
• Ethernet v2 supports an MTU of 1500 bytes
• Some instance types support an MTU of 9001 which is
known as jumbo frames
• Jumbo frames are enabled within a VPC by default

Exam Cram: Compute and Elastic Load Balancing
MTU and jumbo frames:
• Jumbo frames are not supported for the following use cases
(MTU of 1500 applies):
• Traffic over an internet gateway
• Traffic over an inter-region VPC peering connection
• Traffic over VPN connections
• Traffic outside of a given AWS Region for EC2-Classic
• Jumbo frames help achieve maximum throughput for instances in
cluster placement groups

Exam Cram: Compute and Elastic Load Balancing
EC2 placement groups:
• Cluster – packs instances close together inside an Availability
Zone. Use with tightly-coupled applications such as HPC
• Partition – spreads your instances across logical partitions.
Use with distributed and replicated workloads, such as
Hadoop, Cassandra, and Kafka
• Spread – strictly places a small group of instances across
distinct underlying hardware to reduce correlated failures

Exam Cram: Compute and Elastic Load Balancing
EC2 IP addresses:
• Public IP address is a dynamic public IP address and is lost
when the instance is stopped
• Private IP address is a dynamic private IP address from the
CIDR block and is lost when the instance is stopped
• Elastic IP address is a static public IP address and you’re
charged if it’s not used

Exam Cram: Compute and Elastic Load Balancing
Elastic Load Balancer (ELB) use cases:
• Use an Application Load Balancer for L7 routing
(HTTP/HTTPS) and microservices or Lambda targets
• Use a Network Load Balancer for ultra-low latency TCP and
UDP applications. Operates at L4 and can have a static public
IP address
• Use Gateway Load Balancer for load balancing to virtual
appliances such as IDS/IPS/NGFW/WAF

Exam Cram: Compute and Elastic Load Balancing
Identifying the source IP addresses of clients:
• With ALB the source address of connections shows as the private
IP of the ALB ENIs
• With ALB you can use the x-forwarded-for header to capture the
client IP
• With NLB the source address of connections depends on how
targets are specified:
• Instance specified by instance ID = IP address of client shown
• Instance specified by IP address – IP address of load balancer nodes
shown (if using TCP / TLS)
• Instance specified by IP address – IP address of client shown (if using
UDP or TCP_UDP)
• When using an NLB with a VPC Endpoint or AWS GA source IPs
are private IPs of NLB nodes
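
Reading the client IP from x-forwarded-for behind an ALB, as an added example (not course code): the ALB appends the address it accepted the connection from as the last element, so code that takes the first element can be fed a forged address by the client. ALB_SUBNETS and the request values are constructed assumptions.

```python
"""Recover the real client IP behind an Application Load Balancer without
trusting values a client can forge.

Added example, not course code. The ALB appends the IP it accepted the
connection from as the LAST element of X-Forwarded-For; anything the client
sent in that header itself sits to the left. So use the rightmost element, and
only when the TCP peer really is the load balancer. ALB_SUBNETS is an
assumption standing in for the subnets your ALB's ENIs live in.
"""
import ipaddress

# Constructed: the subnets whose addresses are the ALB's ENIs (the source
# address the targets see for every proxied connection).
ALB_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")]


def _is_valid_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _from_alb(peer_ip: str) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in ALB_SUBNETS)


def naive_client_ip(headers: dict, peer_ip: str) -> str:
    """The common mistake: take the first X-Forwarded-For element. A client
    that sends its own header chooses whatever address it likes."""
    first = headers.get("x-forwarded-for", "").split(",")[0].strip()
    return first or peer_ip


def client_ip(headers: dict, peer_ip: str) -> str:
    """peer_ip is the TCP source address the instance sees. Returns the
    address with the best evidence behind it."""
    if not _from_alb(peer_ip):
        # Connection did not come through the ALB (e.g. direct from inside the
        # VPC): the header proves nothing, so use the transport address.
        return peer_ip
    parts = [p.strip() for p in headers.get("x-forwarded-for", "").split(",") if p.strip()]
    if not parts or not _is_valid_ip(parts[-1]):
        return peer_ip  # header missing or malformed: fall back rather than guess
    return parts[-1]  # the element the ALB appended


# Constructed request as the target sees it: the client forged a leading
# value, the ALB appended the true source 198.51.100.77, and the TCP peer is
# the ALB ENI 10.0.1.25.
SPOOFED_REQUEST = {"x-forwarded-for": "203.0.113.9, 198.51.100.77"}
ALB_PEER = "10.0.1.25"

if __name__ == "__main__":
    print(naive_client_ip(SPOOFED_REQUEST, ALB_PEER))  # 203.0.113.9 (forged value)
    print(client_ip(SPOOFED_REQUEST, ALB_PEER))        # 198.51.100.77
```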

Exam Cram: Compute and Elastic Load Balancing
SSL/TLS termination for ELB:
• Application Load Balancer:
• ACM certificate or certificate imported into ACM or IAM can be
used
• A separate connection is made from the ELB to the instance
• You can use a self-signed certificate if you need encryption
between the ELB and instance
• Network Load Balancer:
• Single encrypted connection can be made using a public certificate
on the EC2 instance
• Alternatively, you can terminate on the ELB and use a separate
certificate for encrypting to the back-end instance

Exam Cram: Compute and Elastic Load Balancing
Amazon ECS scaling:
• Service auto scaling automatically adjusts the desired task count up or down using the
Application Auto Scaling service
• Service auto scaling supports target tracking, step, and scheduled scaling policies
• Cluster auto scaling uses a Capacity Provider to scale the number of EC2 cluster instances
using EC2 Auto Scaling
ECS networking modes:
• awsvpc — The task is allocated its own elastic network interface (ENI) and a primary
private IPv4 address
• bridge — The task utilizes Docker's built-in virtual network which runs inside each
Amazon EC2 instance hosting the task
• host — The task bypasses Docker's built-in virtual network and maps container ports
directly to the ENI of the Amazon EC2 instance hosting the task
• none — The task has no external network connectivity

Exam Cram: Compute and Elastic Load Balancing
Amazon EKS auto scaling:
Cluster Auto Scaling:
• Vertical Pod Autoscaler - automatically adjusts the CPU and memory reservations for
your pods to help "right size" your applications
• Horizontal Pod Autoscaler - automatically scales the number of pods in a deployment,
replication controller, or replica set based on that resource's CPU utilization
Workload Auto Scaling:
• Amazon EKS supports two autoscaling products:
• Kubernetes Cluster Autoscaler
• Karpenter open source autoscaling project
• The cluster autoscaler uses AWS scaling groups, while Karpenter works directly with the
Amazon EC2 fleet

Exam Cram: Compute and Elastic Load Balancing
Amazon EKS pod networking:
• Amazon EKS supports native VPC networking with the Amazon VPC Container Network
Interface (CNI) plugin for Kubernetes
• This plugin assigns a private IPv4 or IPv6 address from your VPC to each pod
• The VPC CNI plugin for Kubernetes is deployed with each of your Amazon EC2 nodes in a
Daemonset with the name aws-node
Amazon EKS pod load balancing:
• Amazon EKS supports Network Load Balancers and Application Load Balancers
• The AWS Load Balancer Controller manages AWS Elastic Load Balancers for a Kubernetes
cluster
• Install the AWS Load Balancer Controller using Helm V3 or later or by applying a
Kubernetes manifest

Exam Cram: Compute and Elastic Load Balancing
Amazon API Gateway:
• REST APIs - support OIDC and OAuth 2.0 authorization, and come with built-in support
for CORS and automatic deployments
• HTTP APIs - designed for low-latency, cost-effective integrations with AWS services,
including AWS Lambda, and HTTP endpoints
• WebSocket APIs – deployed as a stateful frontend for an AWS service (such as Lambda or
DynamoDB) or for an HTTP endpoint
• You can convert an existing public API (Regional or edge-optimized) to a private API
• You can convert a private API to a Regional API but you cannot convert a private API to an
edge-optimized API
• To grant access to your private API to VPCs and VPC endpoint, you need to create a
resource policy and attach it to the API
• Custom domain names are not supported for private APIs
• You can add caching to API calls by provisioning an Amazon API Gateway cache

SECTION 6

Advanced VPC, DNS, and Edge

AWS Organizations

AWS Organizations
• AWS Organizations allows you to consolidate multiple AWS accounts into an organization that you create and centrally manage
• Available in two feature sets:
• Consolidated Billing
• All features
• Includes root accounts and organizational units
• Policies are applied to root accounts or OUs
• Consolidated billing includes:
• Paying Account – independent and cannot access resources of other accounts
• Linked Accounts – all linked accounts are independent


AWS Organizations
Diagram callouts (AWS Organization with a Management Account and Production, Development and Test accounts):
• Enable AWS SSO using an on-prem directory
• Enable CloudTrail in the management account and apply to members
• Receive a consolidated bill
• Create accounts programmatically using the Organizations API
• You can group accounts into Organizational Units (OUs)
• Service Control Policies (SCPs) can control tagging and the available API actions


Create AWS Organization and
Add Account

Account Configuration
Diagram callouts (AWS Organization: Management Account and a Production account in the Production OU):
• Use the AWS Management Console to create an Organization
• Create a Service Control Policy (SCP) and attach it to the OU
• The OrganizationAccountAccessRole in the member account has full permissions in the account
• The role can be assumed by any user with the sts:AssumeRole permissions


VPC Peering

VPC Peering
Diagram callouts (VPC A 10.1.0.0/16, VPC B 10.2.0.0/16, VPC C 10.3.0.0/16, VPC D 10.4.0.0/16):
• VPC Peering enables routing using private IPv4 or IPv6 addresses
• CIDR blocks cannot overlap
• VPCs can be in different accounts and Regions
• VPC Peering connections are NOT transitive – full mesh required

VPC Peering
Management Account – VPC CIDR: 10.0.0.0/16, public subnet, EC2 Instance
Security group (VPCPEER-MGMT):
Protocol   Port   Source
ICMP       All    10.1.0.0/16
TCP        22     0.0.0.0/0
Route Table:
Destination   Target
10.1.0.0/16   peering-id

Production Account – VPC CIDR: 10.1.0.0/16, public subnet, EC2 Instance
Security group (VPCPEER-PROD):
Protocol   Port   Source
ICMP       All    10.0.0.0/16
TCP        22     0.0.0.0/0
Route Table:
Destination   Target
10.0.0.0/16   peering-id
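
The three peering constraints from these slides (no overlapping CIDRs, a route on both sides of every connection, and no transitive routing so a full mesh is needed), as an added example that is not course code: it plans the peerings for the four VPCs shown and demonstrates that an A-B-C chain does not let A reach C. The pcx- ids are constructed placeholders.

```python
"""Plan VPC peering: check for overlapping CIDRs, count the connections a full
mesh needs, and generate each VPC's route table entries.

Added example, not course code; the pcx- ids are constructed placeholders.
"""
import ipaddress
from itertools import combinations

# Constructed: the four VPCs on the slide.
VPCS = {
    "VPC A": "10.1.0.0/16",
    "VPC B": "10.2.0.0/16",
    "VPC C": "10.3.0.0/16",
    "VPC D": "10.4.0.0/16",
}


def overlapping_pairs(vpcs: dict) -> list:
    """Pairs whose CIDRs overlap; such VPCs cannot be peered."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vpcs.items()}
    return [(a, b) for a, b in combinations(nets, 2) if nets[a].overlaps(nets[b])]


def full_mesh_connections(n: int) -> int:
    """Peering is not transitive, so n VPCs need n(n-1)/2 connections."""
    return n * (n - 1) // 2


def full_mesh_pairs(vpcs: dict) -> list:
    return list(combinations(vpcs, 2))


def routes_for(vpcs: dict, peerings: list) -> dict:
    """Route table entries per VPC: the local route plus one route per peering,
    pointing the peer's CIDR at the peering connection (both sides need one)."""
    bad = overlapping_pairs({v: vpcs[v] for pair in peerings for v in pair})
    if bad:
        raise ValueError(f"cannot peer VPCs with overlapping CIDRs: {bad}")
    routes = {name: [(cidr, "local")] for name, cidr in vpcs.items()}
    for a, b in peerings:
        pcx = f"pcx-{a[-1].lower()}{b[-1].lower()}"  # placeholder peering connection id
        routes[a].append((vpcs[b], pcx))
        routes[b].append((vpcs[a], pcx))
    return routes


def can_reach(routes: dict, src: str, dst_ip: str) -> bool:
    """True when src's route table has a route covering dst_ip. Security groups
    must separately allow the peer CIDR (as the VPCPEER-* groups do for ICMP)."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in ipaddress.ip_network(cidr) for cidr, _ in routes[src])


if __name__ == "__main__":
    chain = routes_for(VPCS, [("VPC A", "VPC B"), ("VPC B", "VPC C")])
    print(can_reach(chain, "VPC A", "10.3.0.5"))   # False: A-B-C is not transitive
    mesh = routes_for(VPCS, full_mesh_pairs(VPCS))
    print(can_reach(mesh, "VPC A", "10.3.0.5"))    # True
    print(full_mesh_connections(len(VPCS)))        # 6
```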


Configure VPC Peering


VPC Endpoints

VPC Interface Endpoints
Diagram callouts:
• An ENI (Endpoint ENI) is created in the private subnet of the VPC
• The EC2 instance connects to a public AWS service using a private IP
• Each interface endpoint can connect to one of many AWS services (e.g. AWS CloudFormation, AWS CodeDeploy)
• Or you can connect to an AWS PrivateLink powered service


VPC Gateway Endpoints
Diagram callouts:
• The EC2 instance in the private subnet connects to Amazon S3 through the S3 Gateway Endpoint using a private IP
• IAM policies can be applied to endpoints
• Bucket policies can limit access to the endpoint source
• A route table entry is required with the prefix list for S3 and the gateway ID:
Route Table
Destination                                                                                         Target
pl-6ca54005 (com.amazonaws.ap-southeast-2.s3, 54.231.248.0/22, 54.231.252.0/24, 52.95.128.0/21)     vpce-ID


VPC Endpoints

                 Interface Endpoint                               Gateway Endpoint
What             Elastic Network Interface with a Private IP      A gateway that is a target for a specific route
How              Uses DNS entries to redirect traffic             Uses prefix lists in the route table to redirect traffic
Which services   API Gateway, CloudFormation, CloudWatch etc.     Amazon S3, DynamoDB
Security         Security Groups                                  VPC Endpoint Policies


Service Provider Model
Diagram: in the Consumer VPC an EC2 Instance in a public subnet connects to an Endpoint (interface endpoint) in a private subnet; in the Service Provider VPC the Endpoint Service fronts a Network Load Balancer in a public subnet that forwards to a Web Server in a private subnet


Create VPC Endpoint

VPC Gateway Endpoints
Diagram (lab): an EC2 Instance in a public subnet reaches an S3 Bucket through the S3 Gateway Endpoint; access is controlled by a VPC Endpoint Policy on the endpoint and a Bucket Policy on the bucket
Route Table
Destination                                                                                         Target
pl-6ca54005 (com.amazonaws.ap-southeast-2.s3, 54.231.248.0/22, 54.231.252.0/24, 52.95.128.0/21)     vpce-ID
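
How the prefix-list route above steers S3 traffic to the gateway endpoint, as an added example that is not course code: a longest-prefix-match lookup over a subnet route table in which the prefix list is expanded into its member CIDRs, first with only the endpoint route and then with a NAT gateway default route beside it. The route tables and the nat-ID target are constructed; the prefix list values are the ones on the slide.

```python
"""Longest-prefix-match lookup over a subnet route table that sends S3
traffic to a gateway endpoint through a managed prefix list.

Added example, not course code. The prefix list id, service name and CIDRs are
the ones the slide shows for com.amazonaws.ap-southeast-2.s3; "vpce-ID" and
"nat-ID" are placeholders. The VPC router treats a prefix-list route as one
route per CIDR in the list, which is what expand_routes reproduces.
"""
import ipaddress

PREFIX_LISTS = {
    "pl-6ca54005": ["54.231.248.0/22", "54.231.252.0/24", "52.95.128.0/21"],
}

# Constructed: a private subnet with only the local route and the S3 endpoint.
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("pl-6ca54005", "vpce-ID"),
]

# Constructed: the same subnet with a NAT gateway default route added.
NAT_ROUTE_TABLE = PRIVATE_ROUTE_TABLE + [("0.0.0.0/0", "nat-ID")]


def expand_routes(route_table, prefix_lists=PREFIX_LISTS):
    """Replace prefix-list destinations with one (network, target) per member CIDR."""
    expanded = []
    for dest, target in route_table:
        cidrs = prefix_lists[dest] if dest.startswith("pl-") else [dest]
        expanded.extend((ipaddress.ip_network(c), target) for c in cidrs)
    return expanded


def lookup(route_table, dst_ip, prefix_lists=PREFIX_LISTS):
    """Target for dst_ip by longest prefix match; None means no route (dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(route_table, prefix_lists):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    print(lookup(PRIVATE_ROUTE_TABLE, "54.231.249.10"))  # vpce-ID (S3 via the endpoint)
    print(lookup(PRIVATE_ROUTE_TABLE, "198.51.100.10"))  # None (no internet path)
    print(lookup(NAT_ROUTE_TABLE, "54.231.249.10"))      # vpce-ID (/22 beats /0)
    print(lookup(NAT_ROUTE_TABLE, "198.51.100.10"))      # nat-ID
```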


DNS Resolution with
Amazon Route 53

Amazon Route 53 Hosted Zones
This is an example of a public hosted zone (example.com). A hosted zone represents a set of records belonging to a domain.
Name              Type   Value     TTL
example.com       A      8.1.2.1   60
dev.example.com   A      8.1.2.2   60
Flow: the client asks Amazon Route 53 "What’s the address for example.com?"; the answer is 8.1.2.1; the client then sends an HTTP GET to 8.1.2.1, the Web Server in a public subnet (Region > VPC > Availability Zone)


Amazon Route 53 Hosted Zones
This is an example of a private hosted zone (mycompany.local) associated with the VPC. The VPC has Enable DNS Hostnames = Enabled and DNS Resolution = Enabled.
Name                  Type   Value       TTL
db.mycompany.local    A      10.0.0.10   60
app.mycompany.local   A      10.0.0.11   60
Flow: an instance in the public subnet asks "What’s the address for db.mycompany.local?"; the answer is 10.0.0.10; it then connects to 10.0.0.10, the DB Server in the private subnet


VPC Settings for DNS Resolution

Attribute            Description
enableDnsHostnames   Determines whether the VPC supports assigning public DNS hostnames to instances with public IP addresses. If both DNS attributes are true, instances in the VPC get public DNS hostnames. The default for this attribute is false unless the VPC is a default VPC or the VPC was created using the VPC console wizard.
enableDnsSupport     Determines whether the VPC supports DNS resolution through the Amazon provided DNS server. If this attribute is true, queries to the Amazon provided DNS server succeed. The default for this attribute is true, no matter how the VPC is created.


VPC Settings for DNS Resolution
• If both enableDnsHostnames and enableDnsSupport are set to true, the
following occurs:
• Instances with public IP addresses receive corresponding public DNS
hostnames
• The Amazon Route 53 Resolver server can resolve Amazon-provided private
DNS hostnames
• If at least one of the attributes is set to false, the following occurs:
• Instances with public IP addresses do not receive corresponding public DNS
hostnames
• The Amazon Route 53 Resolver cannot resolve Amazon-provided private
DNS hostnames
• Instances receive custom private DNS hostnames if there is a custom
domain name in the DHCP options set
• If you use custom DNS domain names defined in a private hosted zone in
Amazon Route 53, or use private DNS with interface VPC endpoints, you
must set both attributes to true
• The Route 53 Resolver listens on the .2 address of the subnet (e.g. 10.0.0.2) and
169.254.169.253

Amazon Route 53 Routing Policies

Routing Policy      What it does
Simple              Simple DNS response providing the IP address associated with a name
Failover            If primary is down (based on health checks), routes to secondary destination
Geolocation         Uses geographic location you’re in (e.g. Europe) to route you to the closest region
Geoproximity        Routes you to the closest region within a geographic area
Latency             Directs you based on the lowest latency route to resources
Multivalue answer   Returns several IP addresses and functions as a basic load balancer
Weighted            Uses the relative weights assigned to resources to determine which to route to


Amazon Route 53 – Simple Routing Policy
Name                  Type   Value     TTL
simple.dctlabs.com    A      1.1.1.1   60
                             2.2.2.2
simple2.dctlabs.com   A      3.3.3.3   60
Diagram: a DNS query to Amazon Route 53 is answered with the record’s value(s), pointing at resources in the Region


Amazon Route 53 – Weighted Routing Policy
Name                   Type   Value     Health   Weight
weighted.dctlabs.com   A      1.1.1.1   ID       60
weighted.dctlabs.com   A      2.2.2.2   ID       20
weighted.dctlabs.com   A      3.3.3.3   ID       20
• Optional health checks
• Simplified values – Route 53 actually uses an integer between 0 and 255
Diagram: DNS queries to Amazon Route 53 are answered with 1.1.1.1 60% of the time, 2.2.2.2 20% and 3.3.3.3 20% (resources in three Regions)


Amazon Route 53 – Latency Routing Policy
Name                 Type  Value    Health  Region
latency.dctlabs.com  A     1.1.1.1  ID      ap-southeast-1
latency.dctlabs.com  A     2.2.2.2  ID      us-east-1
latency.dctlabs.com  A     alb-id   ID      ap-southeast-2

Health checks are optional.

Diagram: Amazon Route 53 answers each DNS query with the record for the lowest-latency Region – users in Singapore get 1.1.1.1 (ap-southeast-1), users in New York get 2.2.2.2 (us-east-1) and users in Sydney get the ALB (ap-southeast-2).


Amazon Route 53 – Failover Routing Policy
Name                  Type  Value    Health  Record Type
failover.dctlabs.com  A     1.1.1.1  ID      Primary
failover.dctlabs.com  A     alb-id           Secondary

A health check is required on the Primary record.

Diagram: DNS queries are answered with 1.1.1.1 in us-east-1 (the primary) while its health check passes; ap-southeast-2 is the secondary Region, and queries are answered with the ALB there when the primary is down.


Amazon Route 53 – Geolocation Routing Policy
Name                     Type  Value    Health  Geolocation
geolocation.dctlabs.com  A     1.1.1.1  ID      Singapore
geolocation.dctlabs.com  A     2.2.2.2  ID      Default
geolocation.dctlabs.com  A     alb-id   ID      Oceania

Health checks are optional.

Diagram: a user in New Zealand matches the Oceania record and is sent to the ALB in ap-southeast-2; a user in Mexico matches no specific location and receives the Default record, 2.2.2.2 in us-east-1.


Amazon Route 53 – Multivalue Routing Policy
Name                    Type  Value    Health  Multi Value
multivalue.dctlabs.com  A     1.1.1.1  ID      Yes
multivalue.dctlabs.com  A     2.2.2.2  ID      Yes
multivalue.dctlabs.com  A     3.3.3.3  ID      Yes

Health checks: Route 53 returns healthy records only.

Diagram: a DNS query to Amazon Route 53 is answered with the healthy values; each value points to a resource in a Region.


DNS Security Extensions (DNSSEC)
• Prevents hijackers from intercepting DNS queries
and returning their own IPs to DNS resolvers
• DNSSEC establishes a chain of trust for response from
intermediate resolvers
• The registry for the TLD must support DNSSEC
• Route 53 supports DNSSEC signing and DNSSEC for
domain registration
• Understand the process for enabling DNSSEC:
• https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/domain-configure-dnssec.html


DHCP Option Sets


DHCP Overview
• The Dynamic Host Configuration Protocol (DHCP) is used to
automatically assign IP addresses and related settings to
network connected devices

Diagram: when an EC2 instance is launched into the VPC, the DHCP service returns its IP address (10.0.1.134) and the other parameters from the DHCP options set associated with the VPC:
• Domain name: ec2.internal
• Domain name servers: AmazonProvidedDNS
The instance is configured with DNS servers 10.0.1.2 and 169.254.169.253, and its DNS queries go to AmazonProvidedDNS, which is the Route 53 Resolver. VPC settings: Enable DNS Hostnames = Enabled, DNS Resolution = Enabled.

DHCP Option Sets
DHCP Options sets support the following options:
• domain-name-servers –
• The IP addresses of up to four IPv4 domain name servers (or up to three
IPv4 domain name servers and "AmazonProvidedDNS") and four IPv6
domain name servers.
• The IPv4 address of the Amazon provided DNS server is 169.254.169.253 (or
the .2 subnet address) and the IPv6 address is fd00:ec2::253
• domain-name - the custom domain name for your instances
• ntp-servers - the IP addresses of up to eight Network Time
Protocol (NTP) servers
• netbios-name-servers - the IP addresses of up to four NetBIOS
name servers
• netbios-node-type - the NetBIOS node type (1, 2, 4, or 8)


DHCP Option Sets
The default DHCP options set for your VPC includes two options:
• domain-name-servers=AmazonProvidedDNS
• domain-name=domain-name-for-your-region
• AmazonProvidedDNS is an Amazon Route 53 Resolver server
• When you launch an instance into a VPC the instance will be
assigned a private DNS hostname
• A public DNS hostname is assigned if the instance is configured
with a public IPv4 address and the VPC DNS attributes are enabled


Modifying DHCP Option Sets
• DHCP option sets cannot be modified once created. You must
create a new DHCP options set and associate with the VPC
• After you associate a new set of DHCP options with a VPC, any
existing instances and all new instances that you launch in the VPC
use the new options
• You do not need to restart or relaunch your instances
• Instances automatically pick up the changes within a few hours,
depending on how frequently they renew their DHCP leases


Viewing and Creating DHCP Options Sets


Using Route 53 Routing Policies


Amazon Route 53 Resolver


Route 53 Resolver – Outbound Endpoints

Diagram: a VPC with a public and a private subnet, each containing an EC2 instance, connected to a corporate data center through a VPN gateway, VPN connection and customer gateway. The on-premises DNS server is reached through the Outbound Endpoint:
1. An EC2 instance sends a DNS query to Amazon Route 53 (the VPC resolver)
2. Route 53 forwards the query through the Outbound Endpoint
3. The query crosses the VPN connection to the DNS server in the corporate data center
The DNS server responds to the query via the Outbound Endpoint and Route 53, which returns the answer to the instance.


Route 53 Resolver – Inbound Endpoints

Diagram: the same VPC and corporate data center, this time with an Inbound Endpoint in the VPC:
1. A client in the corporate data center queries the on-premises DNS server
2. The DNS server forwards the query across the VPN connection to the Inbound Endpoint
3. The Inbound Endpoint passes the query to Amazon Route 53 (the VPC resolver)
The result is returned by Route 53 via the Inbound Endpoint.


Resolver Endpoints and Forwarding Rules
• Inbound endpoint - DNS resolvers on your network can
forward DNS queries to Route 53 Resolver via this endpoint
• Outbound endpoint - Resolver conditionally forwards queries
to resolvers on your network via this endpoint
• Forwarding rules can be created to forward queries for
specified domains to an on-premises network
• One forwarding rule must be created for each domain name


Secure Content Delivery with CloudFront


Amazon CloudFront Caching

Diagram: CloudFront origins (Amazon EC2 and Amazon S3 in a Region) feed Regional Edge Caches, which in turn feed Edge locations close to global users.
• There are 12+ Regional Edge Caches
• There are 210+ Edge locations
• CloudFront improves performance for global users


CloudFront Signed URLs
• Signed URLs provide more control over access to content
• Can specify beginning and expiration date and time, IP addresses/ranges of users
• Signed URLs should be used for individual files and clients that don’t support cookies

Diagram:
1. Mobile app authenticates to the serverless application and requests a signed URL
2. Signed URL returned
3. Mobile app uses the signed URL to access the distribution
4. Amazon CloudFront returns the content

CloudFront Signed Cookies
• Similar to Signed URLs
• Use signed cookies when you don’t want to change
URLs
• Can also be used when you want to provide access to
multiple restricted files (Signed URLs are for individual
files)


Restrict Access to S3 Bucket

Diagram: users send HTTP GET https://d1schtd9zdwrm1.cloudfront.net to Amazon CloudFront, which fetches objects from the S3 bucket (configured as a static website, shown as a custom origin) using an Origin Access Identity (OAI). The bucket policy restricts access to the OAI, so a direct GET https://mybucket.s3.amazonaws.com/beach.jpg is blocked by the bucket policy.
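The bucket policy from the diagram, written out as an added example (not from the course slides): it allows s3:GetObject on the page’s mybucket only to the CloudFront OAI, so direct requests to the bucket URL are denied once no other grants exist. The OAI ID (EXAMPLE_OAI_ID) is a placeholder to replace with the ID of your distribution’s identity.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowCloudFrontOAIReadOnly-EXAMPLE_OAI_ID-is-a-placeholder",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLE_OAI_ID"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::mybucket/*"
    }
  ]
}
```

Keep S3 Block Public Access enabled on the bucket as well, so the OAI grant is the only read path and the blocked direct GET in the diagram stays blocked.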


Restrict Access to an ALB
Diagram: Amazon CloudFront adds a custom header in the origin settings when it forwards requests to the ALB. On the ALB, add a conditional listener rule that requires the custom header, so requests that bypass CloudFront are rejected. The ALB certificate comes from AWS Certificate Manager.


Additional Security Features
• AWS WAF web ACLs can be attached to
CloudFront distributions
• Custom errors can be returned for blocked
requests
• Field-level encryption protects sensitive data
through the entire application stack
• Geo restriction / blocking can be used to prevent
users in specific geographic locations from
accessing content


Configure Distribution Settings


CloudFront SSL/TLS and SNI


CloudFront SSL/TLS

Viewer protocol (client to CloudFront):
• The certificate can be from ACM or a trusted third-party CA
• For CloudFront the certificate must be issued in us-east-1 (AWS Certificate Manager)
• The default CloudFront domain name can be changed using CNAMEs

Origin protocol (CloudFront to origin):
• S3 has its own certificate (can’t be changed)
• A custom origin certificate can be ACM (ALB) or third-party (EC2)
• Origin certificates must be public certificates


CloudFront Server Name Indication (SNI)
Diagram: two requests, HTTP GET https://mypublicdomain.com and HTTP GET https://myotherdomain.com, arrive at the same CloudFront IP address. The request URL includes the domain name, which matches the certificate (Name: mypublicdomain.com or Name: myotherdomain.com), so multiple certificates share the same IP with SNI. The origins are an S3 origin and a custom origin.
Note: SNI works with browsers/clients released after 2010 – otherwise a dedicated IP is needed.


AWS Global Accelerator


AWS Global Accelerator

Diagram: users in the US resolve dctlabs.com via Amazon Route 53 and receive the static anycast Global Accelerator IP addresses 51.45.2.12 and 53.58.31.89. User traffic ingresses at the closest Edge location, traverses the AWS global network and is routed to the optimal endpoint (us-east-1 or ap-southeast-2); requests can be redirected to another endpoint.


Create a Global Accelerator


AWS Global Accelerator

Diagram (hands-on): users in the US resolve dctlabs.com via Amazon Route 53 (answer: 51.45.2.12, 53.58.31.89), connect via the closest Edge location and traverse the AWS Global Network to endpoints in us-east-1 and ap-southeast-2.


Bring your own IP addresses (BYOIP)


Bring your own IP Addresses (BYOIP)
• A Provider Independent address space (PI) is a block
of addresses assigned by a Regional Internet
Authority (RIR) to an organization
• You can bring part or all of your publicly routable
IPv4 or IPv6 address range from your on-premises
network to your AWS account
• You continue to control the address range, but by
default, AWS advertises it on the internet
• After you bring the address range to AWS, it appears
in your AWS account as an address pool
• You get to maintain your IP reputation
• This enables moving applications without modifying
their public IP addresses


Bring your own IP Addresses (BYOIP)
• Can be used for many AWS services including Amazon
EC2, NAT gateways, Network Load Balancers, and
AWS Global Accelerator
• Removes the need to update IP address whitelists
(e.g. for VoIP)
• Steps include preparing your range, provisioning,
advertising, and allocating Elastic IP addresses
• You can bring a total of five IPv4 and IPv6 address
ranges per Region
• More information on the migration process can be found here:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html


Using IPv6 in a VPC


Using IPv6 in a VPC
An IPv4 address is 32 bits long:

11000000 10101000 00000000 00000001
  192   .  168   .   0    .   1

• Public IPv4 addresses are close to being exhausted and NAT must be used extensively
• IPv4 provides approximately 4.3 billion addresses


Using IPv6 in a VPC

An IPv6 address is 128 bits long:

2020 : 0001 : 9d32 : 5bc2 : 1c48 : 32c1 : a93b : b12c
|------ Network Part ------| |-------- Node Part -------|

• IPv6 addresses use hexadecimal whereas IPv4 addresses use dotted decimal
• IPv6 provides 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
• That’s enough to assign more than 100 IPv6 addresses to every atom on earth!!!


Using IPv6 in a VPC

• AWS assigns a /56 IPv6 address range to your VPC
• Subnets receive a /64 address range, allowing 18 million trillion addresses
• A hexadecimal pair is assigned for each subnet – values from 00 to FF = 256 /64 subnets
• All IPv6 addresses are publicly routable (no NAT)
• The route table has an entry to send all external IPv6 traffic to the IGW

Diagram: a VPC with IPv4 CIDR 10.0.0.0/16 and IPv6 CIDR 2406:da1c:f7b:ae00::/56, containing two public subnets: 10.0.0.0/20 with 2406:da1c:f7b:ae11::/64 and 10.0.16.0/20 with 2406:da1c:f7b:ae10::/64.

Route Table
Destination                Target
10.0.0.0/16                Local
2406:da1c:f7b:ae00::/56    Local
0.0.0.0/0                  igw-id
::/0                       igw-id


Using IPv6 in a VPC

Diagram: a VPC with IPv4 CIDR 172.31.0.0/16 and IPv6 CIDR 2406:da1c:f7b:ae00::/56, containing two public subnets: 172.31.0.0/20 with 2406:da1c:f7b:ae11::/64 and 172.31.16.0/20 with 2406:da1c:f7b:ae10::/64.

Route Table
Destination      Target
172.31.0.0/16    Local
0.0.0.0/0        igw-id
::/0             eo-igw-id

• An Egress-only Internet Gateway allows IPv6 traffic outbound but not inbound
• All IPv6 addresses are publicly routable (no NAT)
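The IPv4/IPv6 arithmetic from the last four slides, as an added Python example that is not part of the course: it renders the slide’s IPv4 address in binary, checks the address counts quoted above, carves the page’s /56 VPC block into its 256 /64 subnets, recovers the hexadecimal pair (ae11, ae10) that identifies each subnet, and picks the next unused /64. Only the standard library is used; the CIDRs are the ones on the slides.

```python
import ipaddress

# Values from the slides.
VPC_IPV6_CIDR = "2406:da1c:f7b:ae00::/56"
SUBNET_IPV6_CIDRS = ["2406:da1c:f7b:ae11::/64", "2406:da1c:f7b:ae10::/64"]
TOTAL_IPV6_ADDRESSES = 340282366920938463463374607431768211456


def ipv4_to_binary(addr: str) -> str:
    """Render an IPv4 address as four 8-bit groups, as on the slide."""
    return " ".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(addr).packed)


def addresses_in(prefix_length: int, version: int = 6) -> int:
    """Number of addresses in a block with the given prefix length."""
    bits = 128 if version == 6 else 32
    if not 0 <= prefix_length <= bits:
        raise ValueError(f"invalid prefix length {prefix_length} for IPv{version}")
    return 2 ** (bits - prefix_length)


def carve_subnets(vpc_cidr: str, new_prefix: int = 64) -> list:
    """All subnets of the given size inside the VPC block (256 /64s in a /56)."""
    return list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))


def subnet_hex_pair(vpc_cidr: str, subnet_cidr: str) -> str:
    """The hexadecimal pair (00..FF) that identifies a /64 within its /56.

    Bits 56-63 of the address select the subnet; the slide shows ae11 and ae10,
    so the pairs are 11 and 10.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    sub = ipaddress.ip_network(subnet_cidr)
    if vpc.prefixlen != 56 or sub.prefixlen != 64:
        raise ValueError("expected a /56 VPC block and a /64 subnet")
    if not sub.subnet_of(vpc):
        raise ValueError(f"{subnet_cidr} is not inside {vpc_cidr}")
    # Distance from the start of the VPC block, in units of one /64.
    offset = (int(sub.network_address) - int(vpc.network_address)) >> 64
    return f"{offset:02x}"


def next_free_subnet(vpc_cidr: str, used_cidrs: list) -> ipaddress.IPv6Network:
    """First /64 in the VPC block that is not already assigned to a subnet."""
    used = {ipaddress.ip_network(c) for c in used_cidrs}
    for candidate in carve_subnets(vpc_cidr):
        if candidate not in used:
            return candidate
    raise RuntimeError("all 256 /64 subnets are in use")


if __name__ == "__main__":
    print("192.168.0.1 =", ipv4_to_binary("192.168.0.1"))
    print("IPv4 addresses:", addresses_in(0, version=4))
    print("IPv6 addresses:", addresses_in(0))
    print("/64 addresses:", addresses_in(64))
    print("/64 subnets in the VPC /56:", len(carve_subnets(VPC_IPV6_CIDR)))
    for cidr in SUBNET_IPV6_CIDRS:
        print(cidr, "-> hex pair", subnet_hex_pair(VPC_IPV6_CIDR, cidr))
    print("next free /64:", next_free_subnet(VPC_IPV6_CIDR, SUBNET_IPV6_CIDRS))
```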


Configure IPv6


Exam Cram


Exam Cram: Advanced VPC, DNS, and Edge
VPC Peering:
• VPC Peering enables routing using private IPv4 or IPv6 addresses
• VPC Peering connections are NOT transitive – full mesh required
• VPCs can be in different accounts and Regions
• VPC CIDR blocks cannot overlap
• Cannot be used for edge-to-edge routing through a gateway or private connection
• You cannot use an internet gateway or NAT gateway that’s in a
peered VPC (as per the previous point)
• You cannot access Amazon S3 or DynamoDB through a VPC
endpoint in a peered VPC


Exam Cram: Advanced VPC, DNS, and Edge
VPC Endpoints:
• Enable connectivity to public AWS services using private IP
addresses (avoiding the internet gateway / internet)
• VPC interface endpoints:
• An ENI is created in the subnet
• EC2 instance connects to public AWS service using a private IP
• Connect to AWS PrivateLink powered services or AWS public services
• Control access using security groups
• VPC gateway endpoints:
• Used for Amazon S3 and DynamoDB
• Must add an entry to the route table
• IAM policy can be applied to the endpoint to control access


Exam Cram: Advanced VPC, DNS, and Edge
Amazon Route 53:
• Intelligent DNS service
• Can create public or private hosted zones
• Hosted zones represent the set of records for a domain
• For private hosted zones make sure the following VPC
settings are enabled:
• Enable DNS hostnames (enableDnsHostnames)
• DNS Resolution (enableDnsSupport)
• Routing policies can be used to direct traffic to different
endpoints based on the location of the DNS client or health
of endpoint


Exam Cram: Advanced VPC, DNS, and Edge
DNS Security Extensions (DNSSEC):
• Prevents hijackers from intercepting DNS queries and
returning their own IPs to DNS resolvers
• DNSSEC establishes a chain of trust for response from
intermediate resolvers
• The registry for the TLD must support DNSSEC
• Route 53 supports DNSSEC signing and DNSSEC for domain
registration


Exam Cram: Advanced VPC, DNS, and Edge
DHCP option sets:
• DHCP is used to automatically assign IP addresses and related
settings to network connected devices
• A DHCP Options Set is associated with a VPC
• Can specify DNS servers, domain name, NTP server, netbios
name servers, and netbios node type
• By default, the AmazonProvidedDNS is used for resolution which
points to the Route 53 resolver server
• DHCP option sets cannot be modified – you must create a new DHCP option set and associate it with the VPC
• You don’t need to restart instances after associating a new DHCP
option set, they will pick up the new settings within a few hours


Exam Cram: Advanced VPC, DNS, and Edge
Route 53 Resolver:
• Used for controlling DNS resolution for VPC resources and
on-premises resources
• Two types of resolver endpoint:
• Inbound endpoint - DNS resolvers on your network can forward
DNS queries to Route 53 Resolver via this endpoint
• Outbound endpoint - Resolver conditionally forwards queries to
resolvers on your network via this endpoint
• Forwarding rules can be created to forward queries for
specified domains to an on-premises network
• One forwarding rule must be created for each domain name


Exam Cram: Advanced VPC, DNS, and Edge
Securing content with CloudFront:
• Signed URLs:
• Signed URLs provide more control over access to content
• Can specify beginning and expiration date and time, IP
addresses/ranges of users
• Signed cookies:
• Similar to Signed URLs
• Use signed cookies when you don’t want to change URLs
• Can also be used when you want to provide access to multiple
restricted files (Signed URLs are for individual files)


Exam Cram: Advanced VPC, DNS, and Edge
Additional CloudFront security features:
• AWS WAF web ACLs can be attached to CloudFront distributions
• Custom errors can be returned for blocked requests
• Field-level encryption protects sensitive data through the entire
application stack
• Geo restriction / blocking can be used to prevent users in specific
geographic locations from accessing content
• Can use a certificate from ACM or a trusted third-party CA
• Supports HTTP/HTTPS, redirection to HTTPS, or HTTPS only (viewer
protocol policy)
• Supports server name indication (SNI)


Exam Cram: Advanced VPC, DNS, and Edge
AWS Global Accelerator:
• Accelerates access to AWS resources such as NLBs
• Uses CloudFront edge network and the AWS global network
• Uses static anycast IP addresses (2)
• Customers can whitelist the IP addresses in firewalls
• Requests are routed to optimal endpoints (e.g. across
Regions)


Exam Cram: Advanced VPC, DNS, and Edge
Bring your own IP address (BYOIP):
• A Provider Independent address space (PI) is a block of addresses
assigned by a Regional Internet Authority (RIR) to an organization
• You can bring part or all of your publicly routable IPv4 or IPv6
address range from your on-premises network to your AWS
account
• You continue to control the address range, but by default, AWS
advertises it on the internet
• After you bring the address range to AWS, it appears in your AWS
account as an address pool
• You get to maintain your IP reputation
• This enables moving applications without modifying their public
IP addresses


Exam Cram: Advanced VPC, DNS, and Edge
Bring your own IP address (BYOIP):
• Can be used for many AWS services including Amazon EC2,
NAT gateways, Network Load Balancers, and AWS Global
Accelerator
• Removes the need to update IP address whitelists (e.g. for
VoIP)
• Steps include preparing your range, provisioning, advertising,
and allocating Elastic IP addresses
• You can bring a total of five IPv4 and IPv6 address ranges per
Region


SECTION 7

Network Design and Implementation


Border Gateway Protocol (BGP)


Border Gateway Protocol (BGP)
• BGP is an exterior gateway protocol designed to
exchange routing information on the internet
• Autonomous systems (ASs) are collections of IP routing
prefixes under the control of one or more operators
• BGP is built on a system of trust in which routes are
advertised and accepted between peers
• BGP is classified as a path-vector routing protocol and
exchanges the best path to a peer (called the ASPATH)
• Autonomous System Numbers (ASNs) range from 0 to 65535; 64512 to 65534 are private and reserved


Border Gateway Protocol (BGP)
There are two implementations of BGP:
• Interior Border Gateway Protocol (iBGP) - used for
routing within an AS
• Exterior Border Gateway Protocol (eBGP) - used for
routing between ASs


Border Gateway Protocol (BGP)
The BGP Best Path Selection Algorithm selects the shortest path to a destination.

Diagram: four peered autonomous systems, AS100 (20.0.1.0/24), AS200 (20.0.2.0/24), AS300 (20.0.3.0/24) and AS400 (20.0.4.0/24), each with a BGP table of Destination and ASPATH. There are many more potential paths than shown here! The paths shown across the four tables are:

Destination   ASPATH
20.0.1.0/24   100 i
20.0.2.0/24   200 i
20.0.3.0/24   300 i
20.0.4.0/24   400 i
20.0.4.0/24   200 400 i
20.0.4.0/24   300 400 i
20.0.1.0/24   300 100 i

Where an AS learns several paths to the same prefix (e.g. 200 400 i and 300 400 i for 20.0.4.0/24), the path with the fewest ASs in the ASPATH is selected.

Border Gateway Protocol (BGP)

Diagram: AS100 (20.0.1.0/24), AS200 (20.0.2.0/24) and AS300 (20.0.3.0/24). AS300 prepends its own ASN to the route it advertises directly to AS100, so AS100 sees two paths to 20.0.3.0/24:

Destination   ASPATH
20.0.3.0/24   200 300 i        (via AS200)
20.0.3.0/24   300 300 300 i    (direct from AS300, prepended)

AS Path Prepending is used to artificially lengthen the least preferred path – the path via AS200 is now the shorter one, so AS100 prefers it. The other tables show 20.0.1.0/24 100 i and 20.0.2.0/24 200 i.


BGP Selection Attributes
• Depending on the router, there are several additional attributes considered in path selection decisions
• These include:
• Local Preference – used within an AS and highest local
preference is preferred (default is 100)
• AS Path Length – shortest AS path length preferred (e.g.
100 200 300 over 100 200 201 300)
• Multi-Exit Discriminator (MED) – path with lowest MED
preferred
• eBGP over iBGP – prefer eBGP over iBGP
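The selection order above (highest local preference, shortest AS path, lowest MED, eBGP over iBGP), as an added Python example that is not part of the course slides. It replays the AS path prepending scenario from the earlier slide as seen at AS100 and, as a stated simplification, uses the advertising neighbor’s address as a final tie-breaker; the neighbor addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class BgpPath:
    """One candidate path to a prefix, as learned from a peer."""
    prefix: str
    as_path: tuple          # ASNs left to right, e.g. (200, 300) for "200 300 i"
    neighbor: str           # address of the peer that advertised the path
    local_pref: int = 100   # default local preference
    med: int = 0            # multi-exit discriminator (lower wins)
    ebgp: bool = True       # learned over eBGP (True) or iBGP (False)


def advertise(as_path, own_asn: int, prepend: int = 1) -> tuple:
    """Re-advertise a path, prepending our own ASN one or more times.

    prepend > 1 is AS path prepending: the path is artificially lengthened so
    that peers prefer another route to the same prefix.
    """
    if prepend < 1:
        raise ValueError("an AS always prepends itself at least once")
    return (own_asn,) * prepend + tuple(as_path)


def preference_key(path: BgpPath):
    """Sort key in the slide's order; the smallest key is the best path.

    Attributes where a *higher* value wins are negated so min() picks them.
    The neighbor address at the end is only a stand-in tie-breaker that keeps
    the result deterministic (constructed for this example).
    """
    return (
        -path.local_pref,       # highest local preference first
        len(path.as_path),      # shortest AS path
        path.med,               # lowest MED
        0 if path.ebgp else 1,  # eBGP over iBGP
        path.neighbor,
    )


def best_path(candidates: List[BgpPath]) -> BgpPath:
    """Pick the best of several candidate paths for the same prefix."""
    if not candidates:
        raise ValueError("no candidate paths")
    prefixes = {p.prefix for p in candidates}
    if len(prefixes) != 1:
        raise ValueError(f"candidates span several prefixes: {sorted(prefixes)}")
    return min(candidates, key=preference_key)


def as_path_str(path: BgpPath) -> str:
    """Render like the slide tables, e.g. '200 300 i'."""
    return " ".join(str(asn) for asn in path.as_path) + " i"


# Prepending slide, as seen at AS100 for 20.0.3.0/24: AS300 originates the
# prefix, prepends itself three times toward AS100, and advertises normally to
# AS200, which re-advertises to AS100.
PREFIX = "20.0.3.0/24"
direct_from_as300 = BgpPath(PREFIX, advertise((), 300, prepend=3), neighbor="10.3.0.1")
via_as200 = BgpPath(PREFIX, advertise(advertise((), 300), 200), neighbor="10.2.0.1")

# Same two paths, but AS100 raises local preference on the direct link, which
# overrides the longer AS path.
direct_preferred = BgpPath(PREFIX, direct_from_as300.as_path, neighbor="10.3.0.1",
                           local_pref=200)


if __name__ == "__main__":
    for label, cands in [("AS path length", [direct_from_as300, via_as200]),
                         ("local preference", [direct_preferred, via_as200])]:
        winner = best_path(cands)
        print(f"{label:>16}: {winner.prefix} via {as_path_str(winner)} "
              f"from {winner.neighbor}")
```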


Route Priority in a VPC


Route Priority in a VPC
• Typically, the most specific route is preferred
• If a route table has overlapping or matching
routes, additional rules apply
• For example:
• Longest prefix match
• Local vs propagated vs static routes
• Prefix lists


Longest Prefix Match
• Routes to IPv4 and IPv6 addresses or CIDR blocks are
independent of each other
• AWS uses the most specific route that matches either IPv4
traffic or IPv6 traffic to determine how to route the traffic

Destination   Target
10.0.0.0/16   Local
0.0.0.0/0     igw-id

Longest prefix wins, so traffic to 10.0.0.0/16 is routed locally and all other traffic goes via the IGW.


Longest Prefix Match
• If propagated routes from a S2S VPN connection or AWS DX
connection overlap with the local route for a VPC, the local
route is most preferred even if the propagated routes are
more specific
• If propagated routes from a S2S VPN connection or AWS DX
connection have the same destination CIDR block as other
existing static routes AWS prioritizes the static routes whose
targets are an IGW, VGW, ENI, instance ID, VPC peering
connection, NAT gateway, transit gateway, or gateway VPC
endpoint
Destination     Target
10.0.0.0/16     Local
172.31.0.0/24   vgw-11223344556677889 (propagated)
172.31.0.0/24   igw-12345678901234567 (static)

All traffic destined for 172.31.0.0/24 is routed to the IGW, as the static route takes priority over the propagated route with the same destination.


Longest Prefix Match
Destination      Target
10.0.0.0/16      Local
172.16.0.0/16    vpc-peer-1
172.16.0.15/32   vpc-peer-2

Longest prefix wins, so all 172.16.0.0/16 traffic (e.g. to 172.16.0.30) goes via peer 1, except traffic to 172.16.0.15, which goes via peer 2.

Diagram: a VPC with CIDR 10.0.0.0/16 is peered with two VPCs that both use CIDR 172.16.0.0/16; each has a private subnet, and the host 172.16.0.15 is in the second peered VPC.


Local vs Propagated vs Static Routes
• Routes from S2S VPN connections can be
dynamically added to route tables (propagated
routes)
• The following rules apply:
• If the destination of a propagated route overlaps the
local route, the local route takes priority even if the
propagated route is more specific
• If the destination of a propagated route overlaps a
static route, the static route takes priority


Local vs Propagated vs Static Routes
• If the destination of a propagated route is identical to
the destination of a static route, the static route
takes priority if the target is one of the following:
• Internet gateway
• NAT gateway
• Network interface
• Instance ID
• Gateway VPC endpoint
• Transit gateway
• VPC peering connection
• Gateway Load Balancer endpoint
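A route lookup that applies the rules on these slides (longest prefix match, the local route over an overlapping propagated route, and a static route over a propagated route with an identical destination for the targets listed above), as an added Python example that is not from the course. The route tables are the ones shown on the preceding slides; target types are modelled as plain strings, and a case the slides do not decide is reported instead of guessed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Target types for which a static route beats a propagated route with an
# identical destination (the list from the slide).
STATIC_BEATS_PROPAGATED = {
    "igw", "nat", "eni", "instance", "gateway-endpoint", "tgw", "pcx", "gwlbe",
}


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR as shown in the route table
    target: str        # target as shown, e.g. "igw-id" or "vpc-peer-1"
    target_type: str   # "local", "igw", "vgw", "pcx", ...
    origin: str        # "local", "static" or "propagated"


def _network(route: Route):
    return ipaddress.ip_network(route.destination)


def select_route(route_table: List[Route], dest_ip: str) -> Route:
    """Return the route used for dest_ip under the slides' priority rules."""
    ip = ipaddress.ip_address(dest_ip)
    # IPv4 and IPv6 routes are independent of each other.
    matches = [r for r in route_table
               if _network(r).version == ip.version and ip in _network(r)]
    if not matches:
        raise LookupError(f"no route matches {dest_ip}")

    # Rule 1: the local route beats any propagated route that overlaps it,
    # even when the propagated route is more specific.
    if any(r.origin == "local" for r in matches):
        matches = [r for r in matches if r.origin != "propagated"]

    # Rule 2: longest prefix match.
    longest = max(_network(r).prefixlen for r in matches)
    best = [r for r in matches if _network(r).prefixlen == longest]
    if len(best) == 1:
        return best[0]

    # Rule 3: identical destination, static versus propagated.
    static = [r for r in best if r.origin == "static"]
    propagated = [r for r in best if r.origin == "propagated"]
    if len(static) == 1 and propagated and static[0].target_type in STATIC_BEATS_PROPAGATED:
        return static[0]
    # Anything else (e.g. a static target the slide does not list) is not
    # decided by the rules on the slides, so say so rather than guess.
    raise ValueError(f"priority undefined among: {[r.target for r in best]}")


# Route tables from the slides.
TABLE_IGW = [
    Route("10.0.0.0/16", "Local", "local", "local"),
    Route("0.0.0.0/0", "igw-id", "igw", "static"),
]
TABLE_STATIC_VS_PROPAGATED = [
    Route("10.0.0.0/16", "Local", "local", "local"),
    Route("172.31.0.0/24", "vgw-11223344556677889", "vgw", "propagated"),
    Route("172.31.0.0/24", "igw-12345678901234567", "igw", "static"),
]
TABLE_PEERS = [
    Route("10.0.0.0/16", "Local", "local", "local"),
    Route("172.16.0.0/16", "vpc-peer-1", "pcx", "static"),
    Route("172.16.0.15/32", "vpc-peer-2", "pcx", "static"),
]
# Constructed for this example: a propagated route more specific than local.
TABLE_OVERLAP_LOCAL = [
    Route("10.0.0.0/16", "Local", "local", "local"),
    Route("10.0.1.0/24", "vgw-id", "vgw", "propagated"),
]


if __name__ == "__main__":
    for table, ip in [(TABLE_IGW, "10.0.5.12"), (TABLE_IGW, "8.8.8.8"),
                      (TABLE_STATIC_VS_PROPAGATED, "172.31.0.10"),
                      (TABLE_PEERS, "172.16.0.15"), (TABLE_PEERS, "172.16.0.30"),
                      (TABLE_OVERLAP_LOCAL, "10.0.1.5")]:
        print(f"{ip:>13} -> {select_route(table, ip).target}")
```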


Prefix Lists
If your route table references a prefix list, the following rules
apply:
• If a route table contains a static route with a destination
CIDR block that overlaps a static route with a prefix list, the
static route with the CIDR block takes priority
• If a route table contains a propagated route that overlaps a
route with a prefix list, the route that references the prefix
list takes priority
• If a route table references multiple prefix lists that have
overlapping CIDR blocks to different targets, AWS randomly
chooses which route takes priority. Thereafter, the same
route always takes priority
• If the CIDR block in a prefix list entry is not valid for the
route table, that CIDR block is ignored


Reachability Analyzer


AWS Client VPN


AWS Client VPN
Diagram: a Region containing a VPC (CIDR 10.0.0.0/16) with a public subnet 10.0.1.0/24 (instance 10.0.1.15) and a private subnet 10.0.5.0/24 (EC2 instance 10.0.5.12). The Client VPN endpoint is associated with both subnets, and Client VPN network interfaces are created in each associated subnet. The client CIDR is 10.1.0.0/22.
• The VPN client connects over SSL/TLS (443)
• The endpoint performs SNAT on client traffic destined for 10.0.0.0/16
• The local route of the associated subnet is added to the client route table:

Destination   Gateway
10.0.0.0/16   10.1.1.X


Deploy AWS Client VPN


AWS Client VPN – Hands-On

Diagram (hands-on): Amazon WorkSpaces in a second Region acts as the VPN client and connects to the Client VPN endpoint in a VPC (CIDR 10.0.0.0/16) with a public subnet 10.0.1.0/24 (instance 10.0.1.15) and a private subnet 10.0.5.0/24 (EC2 instance 10.0.5.12), both associated with the endpoint.


AWS Site-to-Site VPN


AWS Site-to-Site VPN
AWS VPN is a managed IPSec VPN.

Diagram: a VPC (CIDR 10.0.0.0/16) with a public and a private subnet is connected to a corporate data center (CIDR 192.168.0.0/16) by a VPN connection between a Virtual Private Gateway (VGW) on the AWS side and a customer gateway on the customer side.
• A VGW is deployed on the AWS side of the connection
• A customer gateway device is a physical device deployed on the customer side
• Supports static routes or BGP peering/routing
• The route table points to the VGW:

Destination      Target
192.168.0.0/16   vgw-id


AWS Site-to-Site VPN Components
• A Site-to-Site VPN connection offers two VPN tunnels (for redundancy) between:
  • A virtual private gateway or a transit gateway on the AWS side
  • A customer gateway (which represents a VPN device) on the remote (on-premises) side
• A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection
• A customer gateway device is a physical device or software application on the customer (on-premises) side of the Site-to-Site VPN connection
• A customer gateway is a resource that you create in AWS that represents the customer gateway device in your on-premises network



AWS S2S VPN Tunnel Options
Tunnel options include:
• Dead peer detection (DPD) timeout - the duration, in seconds, after
which DPD timeout occurs (default is 30)
• IKE versions - the IKE versions that are permitted for the VPN tunnel
• Inside tunnel IPv4/IPv6 CIDR - the range of inside (internal) IP addresses
for the VPN tunnel
• Local IPv4/IPv6 Network CIDR - the IP CIDR range on the customer
gateway (on-premises) side
• Remote IPv4/IPv6 Network CIDR - The IP CIDR range on the AWS side
• Encryption algorithms – various encryption algorithms for each phase of
the negotiation
• Pre-shared key (PSK) - the pre-shared key (PSK) to establish the initial
IKE security association between the VGW/CGW (default; or you can use
a private certificate from ACM)



AWS S2S VPN Routing Options
• Routing can be static or dynamic
• The Border Gateway Protocol (BGP) is used for dynamic routing
• Your customer gateway device must support BGP advertising for
dynamic routing
• You must add a route to the remote network and specify the virtual
private gateway as the target
• You can enable route propagation for your route table to automatically
propagate your network routes to the table for you
• Only IP prefixes that are known to the virtual private gateway, whether
through BGP advertisements or a static route entry, can receive traffic
from your VPC



AWS S2S VPN Routing Options
• The virtual private gateway does not route any other traffic destined outside of received BGP advertisements, static route entries, or its attached VPC CIDR
• When a virtual private gateway receives routing information, it uses path selection to determine how to route traffic, and longest prefix match applies
• If the prefixes are the same, then the virtual private gateway prioritizes routes as follows, from most preferred to least preferred:
  • BGP propagated routes from an AWS Direct Connect connection
  • Manually added static routes for a Site-to-Site VPN connection
  • BGP propagated routes from a Site-to-Site VPN connection
• For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred



Deploy AWS Site-to-Site VPN



AWS Site-to-Site VPN – Hands-On
[Diagram: hands-on lab. Use the MANAGEMENT account for the AWS VPC (CIDR 10.0.0.0/16, a public subnet with an EC2 instance, and a Virtual Private Gateway) and the PRODUCTION account for the on-premises DC (CIDR 172.31.0.0/16, an OpenSwan instance acting as the CGW, and an internal server). A VPN connection links the VGW to the OpenSwan CGW. AWS route table: propagation from vgw-id = Yes. DC route table: destination 10.0.0.0/16, target openswan-instance-id. Test: ping the instance in the AWS VPC from the internal server using its private IP.]



AWS VPN CloudHub



AWS VPN CloudHub
[Diagram: AWS VPN CloudHub. A VGW is deployed on the AWS side of a VPC (public and private subnet). Three customer offices, each with its own customer gateway (ASN 6500, 6501 and 6502), connect to the VGW in a hub-and-spoke model; each office must use a unique BGP ASN. Network traffic may go between the VPC and a remote office, and network traffic between offices can also be routed over the IPSec VPN.]



AWS Direct Connect (DX) Deep Dive



AWS Direct Connect (DX)
[Diagram: AWS Direct Connect. DX is a physical fibre connection to AWS running at 1Gbps, 10Gbps, or 100Gbps (limited). In the AWS Direct Connect location a cross-connect links the AWS DX router (AWS cage) to the customer/partner DX router (customer/partner cage); a DX port (1000-Base-LX or 10GBASE-LR) must be allocated in the DX location. The customer router in the corporate data center is connected to the DX router in the DX location and reaches the VPC (public and private subnets) in the Region.]



AWS Direct Connect Benefits
• Private connectivity between AWS and your data center / office
• Consistent network experience:
  • Increased speed
  • Lower latency
  • High bandwidth/throughput
• Lower costs for organizations that transfer large volumes of data



AWS Direct Connect (DX)
[Diagram: AWS Direct Connect virtual interfaces. A VIF is a virtual interface (802.1Q VLAN) and a BGP session. A Private VIF connects to a single VPC in the same AWS Region using a VGW. A Public VIF can be used to connect to AWS public services in any Region (for example Amazon DynamoDB, Amazon S3 and Amazon CloudFront), but not the Internet. Both VIFs run over the AWS Direct Connect endpoint (AWS cage) and the customer/partner router (customer/partner cage) in the DX location to the customer router in the corporate data center.]



AWS Direct Connect (DX)
[Diagram: multiple Private VIFs. Multiple Private VIFs can be used to connect to multiple VPCs in the Region, each VPC terminating on its own VGW, over a single DX connection between the AWS cage and the customer/partner cage in the DX location and on to the customer router in the corporate data center. VIFs can also be shared with other AWS accounts, known as hosted VIFs.]



AWS Direct Connect (DX)
• Speeds from 50Mbps to 500Mbps can also be accessed via an APN partner (uses hosted VIFs or hosted connections):
  • A hosted VIF is a single VIF that is shared with other customers (shared bandwidth)
  • A hosted connection is a DX connection with a single VIF dedicated to you
• DX connections are NOT encrypted by default
  • Use an IPSec S2S VPN connection over a public VIF or MACsec to add encryption in transit
• Link aggregation groups (LAGs) can be used to combine multiple physical connections into a single logical connection using LACP, which provides improved speed



DX - Native High Availability
[Diagram: DX native high availability. The Region is connected to each AWS Direct Connect location by redundant connections. Each DX location connects onward to the corporate data center; those cables may share the same pathways and are marked as single points of failure. Multiple DX locations exist in metropolitan areas where AWS has Regions.]

VPN Backup for Direct Connect
Requirements:
• Use the same VGW for both DX and the VPN connection to the VPC
• For a BGP VPN, advertise the same prefix for Direct Connect and the VPN
• For a static VPN, add the same static prefixes to the VPN connection that you are
announcing with the DX virtual interface
[Diagram: VPN backup for Direct Connect. The DX connection from the AWS Direct Connect location to the corporate data center is the primary active path; an IPSec S2S VPN over the Internet is the backup path, and both terminate on the same VGW in the Region. This architecture is NOT recommended for speeds above 1Gbps. Multiple SPOFs exist in this architecture; add redundancy to eliminate them.]

VPN Backup for Direct Connect
• If the same prefixes are being advertised for DX and the S2S VPN, the VGW makes routing decisions as follows (most preferred to least preferred):
  • BGP propagated routes from an AWS Direct Connect connection
  • Manually added static routes for a Site-to-Site VPN connection
  • BGP propagated routes from a Site-to-Site VPN connection
• For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred
• When the AS PATHs are the same length and the first AS in the AS_SEQUENCE is the same across multiple paths, multi-exit discriminators (MEDs) are compared. The path with the lowest MED value is preferred
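The VGW path selection described on this slide and on the earlier AWS S2S VPN Routing Options slide, worked through as an added Python example (not course material): longest prefix match first, then DX BGP over static VPN over BGP VPN, then shortest AS_PATH and lowest MED among BGP VPN routes. The route list is constructed sample data, and the VgwRoute type and select_route function are this example's own names.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Preference among routes for the same prefix, most preferred first,
# as listed on the slide: DX BGP, then static VPN, then BGP VPN.
SOURCE_RANK = {"dx_bgp": 0, "vpn_static": 1, "vpn_bgp": 2}


@dataclass
class VgwRoute:
    """One prefix known to the VGW (this example's own type)."""
    prefix: str                 # e.g. "192.168.0.0/16"
    source: str                 # key of SOURCE_RANK
    via: str                    # connection the route was learned from
    as_path: List[int] = field(default_factory=list)   # BGP AS_SEQUENCE
    med: int = 0                # multi-exit discriminator

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


def select_route(dst: str, routes: List[VgwRoute]) -> Optional[VgwRoute]:
    """Pick the route a VGW would use for dst, or None when no BGP-learned or
    static prefix covers it (the VGW forwards nothing else; the attached VPC
    CIDR is not modelled here)."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.network()]
    if not candidates:
        return None
    # 1. Longest prefix match always wins, regardless of route source.
    longest = max(r.network().prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network().prefixlen == longest]
    # 2. Same prefix: prefer DX BGP, then static VPN, then BGP VPN.
    best = min(SOURCE_RANK[r.source] for r in candidates)
    candidates = [r for r in candidates if SOURCE_RANK[r.source] == best]
    if len(candidates) == 1 or best != SOURCE_RANK["vpn_bgp"]:
        # The slide defines further tie-breaking only between BGP VPNs.
        return candidates[0]
    # 3. Several BGP VPN connections: the shortest AS_PATH is preferred.
    shortest = min(len(r.as_path) for r in candidates)
    candidates = [r for r in candidates if len(r.as_path) == shortest]
    # 4. Equal length and the same first AS: the lowest MED is preferred.
    first_as = {r.as_path[0] if r.as_path else None for r in candidates}
    if len(candidates) > 1 and len(first_as) == 1:
        candidates.sort(key=lambda r: r.med)
    return candidates[0]


# Constructed sample routing information (not taken from the course labs).
SAMPLE_ROUTES = [
    VgwRoute("192.168.0.0/16", "vpn_static", "vpn-primary"),
    VgwRoute("192.168.0.0/16", "dx_bgp", "dx-1", as_path=[65000]),
    VgwRoute("192.168.10.0/24", "vpn_bgp", "vpn-a", as_path=[65000, 65010], med=20),
    VgwRoute("192.168.10.0/24", "vpn_bgp", "vpn-b", as_path=[65000, 65020], med=10),
    VgwRoute("172.16.0.0/12", "vpn_bgp", "vpn-a", as_path=[65000, 65010, 65011]),
    VgwRoute("172.16.0.0/12", "vpn_bgp", "vpn-b", as_path=[65000, 65020]),
]


def chosen_path(dst: str) -> Optional[str]:
    """Name of the connection the sample VGW would forward dst over."""
    route = select_route(dst, SAMPLE_ROUTES)
    return route.via if route else None


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.10.5", "172.16.5.5", "10.10.10.10"):
        print(ip, "->", chosen_path(ip))
```

Note that 192.168.10.5 goes over the BGP VPN even though a DX route exists, because the /24 is more specific than the /16; the source preference only breaks ties between equal prefixes.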



MACsec for Encrypting Direct Connect
• MACsec is the IEEE 802.1AE MAC Security Standard
• MACsec can be used for encrypting part of the AWS
Direct Connect connection
• MACsec runs at L2 and uses GCM-AES-128 to offer
integrity and confidentiality
• MACsec can be used to enable encryption for 10
Gbps and 100 Gbps DX connections at some
locations
• Offers near line-rate encryption for high throughput
• MACsec protects links between your customer
router/switch and the DX device



MACsec for Encrypting Direct Connect
[Diagram: MACsec for Direct Connect. MACsec provides near line-rate encryption for maximum throughput. It is configured between the customer router or switch (customer/partner cage) and the DX device (AWS cage) in the AWS Direct Connect location; AWS provides a MACsec-enabled port on the DX router. Layer 2 traffic that travels over the dedicated connection to or from the data center is encrypted, and the VGW in the Region is reached over the DX connection.]



IPSec VPN for Encrypting Direct Connect
[Diagram: IPSec VPN for encrypting Direct Connect. An IPSec S2S VPN is established over a public VIF across the DX connection, from the corporate data center to the VGW in the Region; this solution encrypts from the data center to the VGW. A VGW is required for terminating the VPN.]



Virtual Interfaces (VIFs)
There are three types of virtual interface (VIF):
• Private virtual interface - used to access an Amazon VPC
using private IP addresses
• Public virtual interface - can access all AWS public services
using public IP addresses
• Transit virtual interface - used to access one or more Amazon
VPC Transit Gateways associated with Direct Connect
gateways
• For public VIFs you can access all AWS prefixes through the
connection such as Amazon EC2, Amazon S3, and
Amazon.com



Customer Router Requirements
AWS state that your network must meet the following conditions:
• Your network must use single-mode fiber with a 1000BASE-LX (1310 nm)
transceiver for 1 gigabit Ethernet, a 10GBASE-LR (1310 nm) transceiver
for 10 gigabit, or a 100GBASE-LR4 for 100 gigabit Ethernet
• Auto-negotiation for a port must be disabled for a connection with a port
speed of more than 1 Gbps. However, depending on the AWS Direct
Connect endpoint serving your connection, auto-negotiation might need
to be enabled or disabled for 1 Gbps connections
• 802.1Q VLAN encapsulation must be supported across the entire
connection, including intermediate devices
• Your device must support Border Gateway Protocol (BGP) and BGP MD5
authentication
• (Optional) You can configure Bidirectional Forwarding Detection (BFD) on
your network. Asynchronous BFD is automatically enabled for AWS Direct
Connect virtual interfaces but does not take effect until you configure it
on your router



Bidirectional Forwarding Detection (BFD)
• BFD is a detection protocol that provides fast forwarding path
failure detection times for faster reconvergence times
• Without BFD, BGP waits for three keep-alives to fail at a hold-
down time of 90 seconds
• It's a best practice to enable BFD when connecting to AWS
services over Direct Connect connections or VPNs
• Asynchronous BFD is automatically enabled for Direct
Connect virtual interfaces on the AWS side
• You must configure your router to enable asynchronous BFD
for your connection
• The default AWS BFD liveness detection minimum interval is
300 ms. The default BFD liveness detection multiplier is three



Create Direct Connect Connection



Direct Connect Connection Scenarios

Scenario: Connect directly at an AWS Direct Connect location
Method: Connect directly to an AWS device from your router at an AWS Direct Connect location using a 1 Gbps, 10 Gbps, or 100 Gbps connection

Scenario: Connect from your premises
Method: Work with a partner in the AWS Partner Network (APN) or a network provider that will help you connect a router from your data center, office, or colocation environment to an AWS Direct Connect location. The network provider does not have to be a member of the APN to connect you

Scenario: Connection hosted by an AWS Direct Connect Partner
Method: Work with a partner in the AWS Partner Network (APN) who will create a hosted connection for you. Sign up for AWS, and then follow the instructions to accept your hosted connection



Connection Request Process
• Decide on an AWS Direct Connect location, how many connections you
would like to use, and the port size. Multiple ports can be used
simultaneously for increased bandwidth or redundancy
• Use the AWS Management Console to create your connection request(s)
• Once your request is confirmed, you will be able to download your Letter
of Authorization – Connecting Facility Assignment (LOA-CFA) from the
AWS Management Console and request a cross connect to AWS Direct
Connect
• If you are connecting from your premises, you can work with an APN
Partner supporting Direct Connect or a network carrier of your choice
• Provide the LOA-CFA to an APN Partner or your service provider who will
establish the connection on your behalf
• Once the connection is up, use the AWS Management Console to
configure one or more virtual interfaces to establish network connectivity



AWS Direct Connect Gateway



Direct Connect Gateway
• Use AWS Direct Connect gateway to connect your VPCs
• A Direct Connect gateway is a globally available resource
• You can create the Direct Connect gateway in any Region and access it from all other Regions
• You associate an AWS Direct Connect gateway with either of the following gateways:
  • A transit gateway when you have multiple VPCs in the same Region
  • A virtual private gateway



Direct Connect - Multiple Regions
Example architecture without AWS Direct Connect Gateway:

[Diagram: the corporate office connects to DX Location - US for Region us-west-1 and to DX Location - Europe for Region eu-central-1, each with its own Private VIF terminating on that Region's VGW. A Private VIF connects to a single VPC in the same AWS Region using a VGW. DX is a regional service, so multiple DX locations must be used, which requires regional offices or long distance (expensive) links.]



Direct Connect - Multiple Regions
Example architecture with AWS Direct Connect Gateway:

[Diagram: the corporate office connects to DX Location - US with a single Private VIF that is associated with the DX Gateway. The DX Gateway is associated with a VGW in Region us-west-1 and a VGW in Region eu-central-1; BGP advertises a route to all VPCs via the DX Gateway.]



Direct Connect - Multiple Regions
Example architecture with AWS Direct Connect Gateway:

[Diagram: the same topology, with a DX Gateway associated with VGWs in us-west-1 and eu-central-1. Network traffic can be routed from on-premises to any VPC, but the DX Gateway does not allow the VGWs to send traffic to each other.]



Virtual Private Gateway Associations
• The Direct Connect gateway is associated with the virtual
private gateway (VGW) for the VPC
• Private virtual interfaces (VIFs) are then used to connect
to the Direct Connect gateway
• You can attach multiple private virtual interfaces to your
Direct Connect gateway
• VPCs must not have overlapping CIDR blocks
• You cannot create a public virtual interface to a Direct
Connect gateway



Virtual Private Gateway Associations
The following traffic flows are not supported:
• Direct communication between the VPCs that are
associated with a single DX gateway
• Direct communication between the virtual interfaces
that are attached to a single DX gateway
• Direct communication between the virtual interfaces
that are attached to a single DX gateway and a VPN
connection on a virtual private gateway that's associated
with the same DX gateway
• You cannot associate a virtual private gateway with more
than one DX gateway, and you cannot attach a private
virtual interface to more than one DX gateway



AWS Transit Gateway



AWS Transit Gateway
• Acts as a cloud router simplifying network
architecture
• Supports dynamic and static layer 3 routing
between Amazon VPCs and VPN
• Supports Equal Cost Multipath (ECMP) between
multiple VPN connections
• Transit gateway is a Regional service
• Peering connections can be established between
transit gateways in the same AWS region or across
regions



AWS Transit Gateway
Example full mesh architecture without AWS Transit Gateway:

[Diagram: VPC A, B, C and D are fully meshed with 6 VPC peering connections. Each VPC has a VGW with an IPSec VPN to the single CGW at the corporate office, 4 S2S VPN connections in total. To make this architecture redundant, add another CGW and double the number of S2S VPN connections!]

AWS Transit Gateway
Example full mesh architecture with AWS Transit Gateway:

[Diagram: VPC A, B, C and D, each with subnets in two AZs, are attached to the Transit Gateway; specify one subnet from each AZ to enable routing within the AZ. The CGW at the corporate office connects to the Transit Gateway. Transit Gateway is a network transit hub that interconnects VPCs and on-premises networks. TGWs can be attached to VPNs, Direct Connect Gateways, 3rd party appliances and TGWs in other Regions/accounts.]

AWS TGW + DX Gateway
This architecture supports full transitive routing between on-premises, TGW and VPCs.

[Diagram: VPC A, B, C and D are attached to the TGW. A DX Gateway is associated with the TGW, and a Transit VIF is used when attaching via a DX Gateway to a TGW. The Transit VIF runs over the AWS Direct Connect endpoint (AWS cage) and the customer/partner router (customer/partner cage) to the customer router at the corporate office.]



Transit Gateway Connect
• Transit gateway connect can be used to connect
to SD-WAN appliances running in a VPC
• Connect attachments support Generic Routing
Encapsulation (GRE) and BGP
• Can establish one or more GRE tunnels
• You establish two BGP sessions over the GRE
tunnel to exchange routing information



Multicast Routing
• Transit gateway supports multicast routing between
subnets of attached VPCs
• TGW routes traffic for instances sending to multiple
receiving instances
• Multicast domain membership is defined at the subnet
level
• Multicast groups identify hosts that send and receive
multicast traffic by groups of IP addresses
• Multicast group membership is defined by individual ENI
• Internet Group Management Protocol (IGMP) is used for
managing multicast group membership
• Multicast routing is not supported over AWS Direct
Connect, Site-to-Site VPN, or peering attachments



Transit Gateway Monitoring
• You can monitor with Amazon CloudWatch:
  • Transit gateway metrics (AWS/TransitGateway)
  • Attachment-level metrics
• Amazon VPC Flow Logs to capture information on the IP traffic routed through the TGW
• AWS Transit Gateway Network Manager enables global monitoring for AWS and on-premises:
  • Centralized Network Monitoring – including alerting on changes to topology, routing, and connection status
  • Global Network Visibility – visualize your entire global network
  • SD-WAN Integration – seamless integration with SD-WAN solutions from Cisco, Aruba, Silver Peak, Aviatrix, and Versa Networks



Isolated VPCs and Shared Services Architecture
[Diagram: isolated VPCs and shared services. VPC A (10.1.0.0/16), VPC B (10.2.0.0/16) and VPC C (10.3.0.0/16) are attached to the transit gateway alongside VPC D (10.4.0.0/16, shared services) and a S2S VPN to the data center (10.99.99.0/24) via a customer gateway. The transit GW functions as multiple isolated routers: VPC A, B, C can communicate with VPC D but not with each other. The route tables for VPC A, B, C, and D will have similar routes.]

VPC A route table:
Destination 10.1.0.0/16, target local
Destination 0.0.0.0/0, target tgw-id

TGW RT1 (associated with VPC A, B, and C):
Destination 10.99.99.0/24, target VPN attachment, route type propagated
Destination 10.4.0.0/16, target VPC D attachment, route type propagated

TGW RT2 (associated with VPN and VPC D):
Destination 10.1.0.0/16, target VPC A attachment, route type propagated
Destination 10.2.0.0/16, target VPC B attachment, route type propagated
Destination 10.3.0.0/16, target VPC C attachment, route type propagated
Destination 10.4.0.0/16, target VPC D attachment, route type propagated

Isolated VPCs and Shared Services Architecture
Attachments associated with one isolated router can route packets to each other, but cannot route packets to or receive packets from the attachments for another isolated router.

[Diagram: the same topology and route tables as the previous slide.]

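An added Python model (not from the course) of the two transit gateway route tables on these slides, using the slides' CIDRs: each attachment is associated with one table, propagations install routes, and a lookup for traffic from a source attachment consults only that attachment's table. The bidirectional check also shows that, as the tables are drawn, RT2 carries no return route to 10.99.99.0/24, so VPC D cannot answer the data center. The TransitGateway class and helper names are this example's own.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed model of the slide's topology: attachment -> CIDR behind it.
ATTACHMENTS = {
    "vpc-a": "10.1.0.0/16",
    "vpc-b": "10.2.0.0/16",
    "vpc-c": "10.3.0.0/16",
    "vpc-d": "10.4.0.0/16",      # shared services
    "vpn": "10.99.99.0/24",      # data center behind the S2S VPN
}


class TransitGateway:
    """Minimal model of TGW route tables: associations decide which table an
    attachment's ingress traffic consults; propagations populate a table."""

    def __init__(self) -> None:
        self.tables: Dict[str, List[Tuple[ipaddress.IPv4Network, str]]] = {}
        self.association: Dict[str, str] = {}   # attachment -> table name

    def create_route_table(self, name: str) -> None:
        self.tables[name] = []

    def associate(self, table: str, attachment: str) -> None:
        # An attachment is associated with exactly one TGW route table.
        self.association[attachment] = table

    def propagate(self, table: str, attachment: str) -> None:
        # Propagation installs the attachment's CIDR with the attachment as target.
        net = ipaddress.ip_network(ATTACHMENTS[attachment])
        self.tables[table].append((net, attachment))

    def next_hop(self, src_attachment: str, dst_ip: str) -> Optional[str]:
        """Target attachment for dst_ip arriving from src_attachment, or None
        when the associated table has no matching route (traffic is dropped)."""
        table = self.tables[self.association[src_attachment]]
        addr = ipaddress.ip_address(dst_ip)
        matches = [(net, att) for net, att in table if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]   # longest prefix


def build_shared_services_tgw() -> TransitGateway:
    """Reproduce the slide: RT1 for VPC A, B, C; RT2 for the VPN and VPC D."""
    tgw = TransitGateway()
    tgw.create_route_table("rt1")
    tgw.create_route_table("rt2")
    for att in ("vpc-a", "vpc-b", "vpc-c"):
        tgw.associate("rt1", att)
    for att in ("vpn", "vpc-d"):
        tgw.associate("rt2", att)
        tgw.propagate("rt1", att)      # RT1 learns 10.99.99.0/24 and 10.4.0.0/16
    for att in ("vpc-a", "vpc-b", "vpc-c", "vpc-d"):
        tgw.propagate("rt2", att)      # RT2 learns all four VPC CIDRs
    return tgw


def first_host(attachment: str) -> str:
    """A representative address inside an attachment's CIDR."""
    return str(ipaddress.ip_network(ATTACHMENTS[attachment])[10])


def is_bidirectional(tgw: TransitGateway, a: str, b: str) -> bool:
    """True only when each side's table can reach the other: a one-way route
    means requests are delivered but replies are dropped."""
    return (tgw.next_hop(a, first_host(b)) == b
            and tgw.next_hop(b, first_host(a)) == a)


if __name__ == "__main__":
    tgw = build_shared_services_tgw()
    for src, dst in (("vpc-a", "vpc-d"), ("vpc-a", "vpc-b"),
                     ("vpn", "vpc-b"), ("vpn", "vpc-d")):
        print(f"{src} -> {dst}: next hop {tgw.next_hop(src, first_host(dst))}, "
              f"bidirectional={is_bidirectional(tgw, src, dst)}")
```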
Transit Gateway Best Practices
• Use a separate subnet for each transit gateway VPC
attachment
• Create one network ACL and associate it with all of the
subnets that are associated with the transit gateway
• Associate the same VPC route table with all subnets that
are associated with the transit gateway, unless your
network design requires multiple VPC route tables
• Use Border Gateway Protocol (BGP) Site-to-Site VPN
connections
• Enable route propagation for AWS Direct Connect gateway
attachments and BGP Site-to-Site VPN attachments
• More here: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-best-design-practices.html



VPC Sharing



Sharing VPCs with AWS Organizations and RAM
• VPC sharing allows sharing of subnets with other accounts
• Uses AWS Resource Access Manager (AWS RAM)
• Integrates with AWS Organizations
• RAM can be used to share many other resources including:
  • Transit gateways
  • AWS Network Firewall firewalls
  • Amazon Route 53 Resolver rules
  • AWS Cloud WAN



Sharing VPCs with AWS Organizations and RAM
[Diagram: a public subnet in the Management Account VPC is shared into the Production Account, and each account runs its own EC2 instance in the shared subnet. Participants can create, modify, and delete their own resources; participants cannot view or modify resources of other participants or the VPC owner.]



Share Subnet using RAM



Sharing VPCs with AWS Organizations and RAM
[Diagram: hands-on lab. A public subnet in the Management Account is shared with the Production Account, with an EC2 instance in each account.]



AWS Outposts



AWS Outposts
• Hybrid cloud with AWS infrastructure deployed on-premises and at the edge
• Some local services and connectivity to Regions for other services
• Use for workloads that require low latency access to on-premises systems and data
• Extend compute, networking, security and more to your data center
• Same APIs, tools, and management controls as in the cloud

[Images: AWS Outposts rack; AWS Outposts servers]



AWS Outposts - Networking
• VPC components extended to the Outpost include:
  • Internet gateways
  • Virtual private gateways
  • Amazon VPC Transit Gateways
  • VPC endpoints
• The Outpost is an extension of an Availability Zone in a Region
• A service link is a network route for communication between an Outpost and its associated Region
• You can use customer-owned IP address pools
• A local gateway is deployed for Outpost racks
• A local network interface is deployed for Outpost servers



AWS Outposts - Networking
[Diagram: AWS Outposts networking. A service link, carried over DX / VPN to the VGW, enables communication between the Outpost and the Region; the VPC in the Region has public subnets and an Outpost subnet running instances on AWS Outposts. In the corporate data center the Outpost network devices connect to the customer router via LAGs, and a local gateway provides connectivity from the Outpost to the on-premises network (customer local network devices).]



AWS Outposts - Networking
• The local gateway performs NAT of the Outpost
instance’s IPs to Elastic IPs from a pool
• A target in the VPC route table should be created for
traffic destined to on-premises resources
• The local gateway enables connectivity from the Outpost
subnets to all AWS services in the parent Region



AWS CloudFormation Core Knowledge



AWS CloudFormation
[Diagram: AWS CloudFormation. Infrastructure patterns are defined in a template file using code; CloudFormation builds your infrastructure (here a VPC with two public subnets and an Auto Scaling group) according to the template.]



AWS CloudFormation - Benefits
➢ Infrastructure is provisioned consistently, with fewer mistakes
(human error)
➢ Less time and effort than configuring resources manually
➢ You can use version control and peer review for your
CloudFormation templates
➢ Free to use (you're only charged for the resources provisioned)
➢ Can be used to manage updates and dependencies
➢ Can be used to rollback and delete the entire stack as well



AWS CloudFormation

Templates: The JSON or YAML text file that contains the instructions for building out the AWS environment
Stacks: The entire environment described by the template and created, updated, and deleted as a single unit
StackSets: AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation
Change Sets: A summary of proposed changes to your stack that will allow you to see how those changes might impact your existing resources before implementing them



AWS CloudFormation - Templates
• A template is a YAML or JSON file used to describe the end-state of the infrastructure you are either provisioning or changing
• After creating the template, you upload it to CloudFormation directly or using Amazon S3
• CloudFormation reads the template and makes the API calls on your behalf
• The resulting resources are called a "Stack"
• Logical IDs are used to reference resources within the template
• Physical IDs identify resources outside of AWS CloudFormation templates, but only after the resources have been created
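An added example (not from the course) of a CloudFormation template expressed as a Python dict: a VPC, a VGW attached to it, and a route table with VGW route propagation enabled, where every cross-reference is by logical ID and the propagation resource uses DependsOn so it is created only after the attachment. The dangling_references helper is this example's own check that every Ref, Fn::GetAtt and DependsOn names a declared Parameter or Resource.

```python
import json
from typing import Any, Dict, List, Set


def build_vpc_vgw_template() -> Dict[str, Any]:
    """Constructed template: a VPC, a VGW attached to it, and a route table
    that receives the VGW's routes through propagation. Cross-references use
    logical IDs; physical IDs (vpc-..., vgw-...) exist only after creation."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Description": "VPC with a VGW and route propagation (added example)",
        "Parameters": {
            "VpcCidr": {"Type": "String", "Default": "10.0.0.0/16"},
        },
        "Resources": {
            "Vpc": {
                "Type": "AWS::EC2::VPC",
                "Properties": {"CidrBlock": {"Ref": "VpcCidr"}},
            },
            "Vgw": {
                "Type": "AWS::EC2::VPNGateway",
                "Properties": {"Type": "ipsec.1"},
            },
            "VgwAttachment": {
                "Type": "AWS::EC2::VPCGatewayAttachment",
                "Properties": {"VpcId": {"Ref": "Vpc"}, "VpnGatewayId": {"Ref": "Vgw"}},
            },
            "PrivateRouteTable": {
                "Type": "AWS::EC2::RouteTable",
                "Properties": {"VpcId": {"Ref": "Vpc"}},
            },
            "VgwPropagation": {
                # Propagation can only be enabled once the VGW is attached.
                "Type": "AWS::EC2::VPNGatewayRoutePropagation",
                "DependsOn": "VgwAttachment",
                "Properties": {
                    "RouteTableIds": [{"Ref": "PrivateRouteTable"}],
                    "VpnGatewayId": {"Ref": "Vgw"},
                },
            },
        },
        "Outputs": {"VpcId": {"Value": {"Ref": "Vpc"}}},
    }


def referenced_logical_ids(node: Any) -> Set[str]:
    """Collect every logical ID named by Ref, Fn::GetAtt or DependsOn."""
    found: Set[str] = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                found.add(value)
            elif key == "Fn::GetAtt":
                # Long form ["Res", "Attr"] or short form "Res.Attr".
                found.add(value[0] if isinstance(value, list) else str(value).split(".")[0])
            elif key == "DependsOn":
                found.update([value] if isinstance(value, str) else value)
            else:
                found |= referenced_logical_ids(value)
    elif isinstance(node, list):
        for item in node:
            found |= referenced_logical_ids(item)
    return found


def dangling_references(template: Dict[str, Any]) -> List[str]:
    """Logical IDs that are referenced but declared neither as a Parameter nor
    as a Resource; pseudo parameters such as AWS::Region are ignored."""
    declared = set(template.get("Parameters", {})) | set(template.get("Resources", {}))
    refs = referenced_logical_ids(template.get("Resources", {}))
    refs |= referenced_logical_ids(template.get("Outputs", {}))
    return sorted(r for r in refs if r not in declared and not r.startswith("AWS::"))


def template_json(template: Dict[str, Any]) -> str:
    """Serialise for upload to CloudFormation (directly or via Amazon S3)."""
    return json.dumps(template, indent=2)


if __name__ == "__main__":
    tpl = build_vpc_vgw_template()
    print("dangling references:", dangling_references(tpl) or "none")
    print(template_json(tpl))
```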



AWS CloudFormation - Stacks
• Deployed resources based on templates
• Create, update and delete stacks using templates
• Deployed through the Management Console, CLI or APIs
• Stack creation errors:
  • Automatic rollback on error is enabled by default
  • You will be charged for resources provisioned even if there is an error



AWS CloudFormation - Stacks
• AWS CloudFormation StackSets extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation
• Using an administrator account, you define and manage an AWS CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts across specified regions
• An administrator account is the AWS account in which you create stack sets
• A stack set is managed by signing in to the AWS administrator account in which it was created
• A target account is the account into which you create, update, or delete one or more stacks in your stack set

© Digital Cloud Training | https://digitalcloud.training


AWS CloudFormation - Nested Stacks
• Nested stacks allow re-use of CloudFormation code for common use cases
• For example, a standard configuration for a load balancer, web server, application server etc.
• Instead of copying out the code each time, create a standard template for each common use case and reference it from within your CloudFormation template

AWS CloudFormation - Change Sets
• AWS CloudFormation provides two methods for updating stacks:
direct update or creating and executing change sets

• When you directly update a stack, you submit changes and AWS
CloudFormation immediately deploys them

• Use direct updates when you want to quickly deploy your updates

• With change sets, you can preview the changes AWS CloudFormation
will make to your stack, and then decide whether to apply those
changes

Create Amazon VPC with CloudFormation

Exam Cram

Exam Cram: Network Design and Implementation
Border Gateway Protocol (BGP):
• BGP is an exterior gateway protocol designed to exchange
routing information on the internet
• Autonomous systems (ASs) are collections of IP routing
prefixes under the control of one or more operators
• BGP is built on a system of trust in which routes are
advertised and accepted between peers
• BGP is classified as a path-vector routing protocol and
exchanges the best path to a peer (called the ASPATH)
• Autonomous System Numbers (ASNs) range from 0-65535
and 64512-65534 are private and reserved

Exam Cram: Network Design and Implementation
Border Gateway Protocol (BGP):
• There are two implementations of BGP:
  • Interior Border Gateway Protocol (iBGP) - used for routing within an AS
  • Exterior Border Gateway Protocol (eBGP) - used for routing between ASes
• Depending on the router, there are several additional attributes considered in path selection decisions
• These include:
  • Local Preference – used within an AS; the highest local preference is preferred (default is 100)
  • AS Path Length – the shortest AS path length is preferred (e.g. 100 200 300 over 100 200 201 300)
  • Multi-Exit Discriminator (MED) – the path with the lowest MED is preferred
  • eBGP over iBGP – prefer eBGP over iBGP
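
The path-selection order on this slide, worked as an added Python example that is not part of the course material: it applies only the four attributes listed here, in that order (real routers evaluate further attributes), over constructed paths that use documentation-range next hops.

```python
from dataclasses import dataclass

# Added example, not part of the course slides: a best-path chooser that
# applies only the four attributes listed on the slide, in that order.
# Real routers evaluate further attributes (weight, origin, router ID, ...).


@dataclass(frozen=True)
class BgpPath:
    next_hop: str           # constructed, documentation-range addresses below
    as_path: tuple          # AS numbers as advertised, e.g. (100, 200, 300)
    local_pref: int = 100   # the slide's default value
    med: int = 0            # Multi-Exit Discriminator; lower is preferred
    session: str = "ebgp"   # "ebgp" or "ibgp"


# Each step maps a path to a value where LOWER is better, so one min() per
# step implements "highest local preference", "shortest AS path",
# "lowest MED" and "eBGP over iBGP".
SELECTION_STEPS = (
    ("local_pref", lambda p: -p.local_pref),
    ("as_path_length", lambda p: len(p.as_path)),
    ("med", lambda p: p.med),
    ("ebgp_over_ibgp", lambda p: 0 if p.session == "ebgp" else 1),
)


def best_path(paths):
    """Return (winning path, name of the attribute that decided it).

    Paths that tie on a step go on to the next step; if every step ties,
    the first remaining path is returned with the decider "tie".
    """
    remaining = list(paths)
    if not remaining:
        raise ValueError("no paths to choose from")
    for name, key in SELECTION_STEPS:
        best = min(key(p) for p in remaining)
        remaining = [p for p in remaining if key(p) == best]
        if len(remaining) == 1:
            return remaining[0], name
    return remaining[0], "tie"


# Constructed sample paths: the slide's AS-path example plus two variations.
SHORT = BgpPath("192.0.2.1", (100, 200, 300))
LONG = BgpPath("192.0.2.2", (100, 200, 201, 300))
PREFERRED = BgpPath("192.0.2.3", (100, 200, 201, 202, 300), local_pref=200)
INTERNAL = BgpPath("192.0.2.4", (100, 200, 300), session="ibgp")

if __name__ == "__main__":
    print(best_path([LONG, SHORT]))             # shorter AS path wins
    print(best_path([SHORT, LONG, PREFERRED]))  # local preference beats path length
    print(best_path([INTERNAL, SHORT]))         # eBGP wins when all else ties
```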

Exam Cram: Network Design and Implementation
Route priority in a VPC:
• Typically, the most specific route is preferred
• If a route table has overlapping or matching routes, additional rules apply, for example:
  • Longest prefix match
  • Local vs propagated vs static routes
  • Prefix lists
• Longest prefix match:
  • Routes to IPv4 and IPv6 addresses or CIDR blocks are independent of each other
  • AWS uses the most specific route that matches either IPv4 traffic or IPv6 traffic to determine how to route the traffic

Exam Cram: Network Design and Implementation
Local vs propagated vs static routes:
• Routes from S2S VPN connections can be dynamically added to route tables (propagated routes)
• The following rules apply:
  • If the destination of a propagated route overlaps the local route, the local route takes priority even if the propagated route is more specific
  • If the destination of a propagated route overlaps a static route, the static route takes priority

Exam Cram: Network Design and Implementation
Local vs propagated vs static routes:
• If the destination of a propagated route is identical to the destination of a static route, the static route takes priority if the target is one of the following:
  • Internet gateway
  • NAT gateway
  • Network interface
  • Instance ID
  • Gateway VPC endpoint
  • Transit gateway
  • VPC peering connection
  • Gateway Load Balancer endpoint

Exam Cram: Network Design and Implementation
Prefix lists:
• If your route table references a prefix list, the following rules apply:
  • If a route table contains a static route with a destination CIDR block that overlaps a static route with a prefix list, the static route with the CIDR block takes priority
  • If a route table contains a propagated route that overlaps a route with a prefix list, the route that references the prefix list takes priority
  • If a route table references multiple prefix lists that have overlapping CIDR blocks to different targets, AWS randomly chooses which route takes priority. Thereafter, the same route always takes priority
  • If the CIDR block in a prefix list entry is not valid for the route table, that CIDR block is ignored
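
An added Python model of the route-priority rules from the preceding slides (not AWS code): it applies longest prefix match per IP family, lets a local route beat any propagated route, and at equal prefix length prefers static CIDR routes over prefix-list routes over propagated routes. The "static takes priority over an overlapping propagated route" rule is modeled as that equal-length tie-break, the random choice between overlapping prefix lists is replaced by table order, and the route table, prefixes and target IDs are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not AWS code: a model of the route-priority rules from the
# preceding slides, applied to one lookup in a single VPC route table.

# Tie-break among routes that match with the same prefix length (lower wins):
# local and static CIDR routes beat static prefix-list routes, which beat
# propagated (Site-to-Site VPN / Direct Connect) routes.
PRIORITY = {"local": 0, "static": 1, "prefix-list": 2, "propagated": 3}


@dataclass(frozen=True)
class Route:
    target: str               # e.g. "local", "igw-id", "vgw-id" (placeholders)
    kind: str                 # "local", "static" or "propagated"
    cidr: str = ""            # destination CIDR block, or ...
    prefix_list: tuple = ()   # ... the entries of a destination prefix list

    def networks(self, version):
        """Destination networks of one IP family.

        IPv4 and IPv6 routes are independent, and a prefix-list entry that is
        not valid for the family being looked up is ignored.
        """
        for entry in self.prefix_list or (self.cidr,):
            net = ip_network(entry)
            if net.version == version:
                yield net

    def priority(self):
        if self.kind == "static" and self.prefix_list:
            return PRIORITY["prefix-list"]
        return PRIORITY[self.kind]


def select_route(table, destination):
    """Return the target the table would use for `destination`, or None."""
    addr = ip_address(destination)
    matches = [
        (net.prefixlen, route.priority(), index, route)
        for index, route in enumerate(table)
        for net in route.networks(addr.version)
        if addr in net
    ]
    if not matches:
        return None
    # A matching local route beats any propagated route, even a more specific one.
    if any(m[3].kind == "local" for m in matches):
        matches = [m for m in matches if m[3].kind != "propagated"]
    # Longest prefix wins; at equal length PRIORITY decides; the table index
    # stands in for the random-but-sticky choice AWS makes between
    # overlapping prefix lists (assumption: the first listed wins here).
    matches.sort(key=lambda m: (-m[0], m[1], m[2]))
    return matches[0][3].target


# Constructed route table using documentation prefixes and placeholder targets.
TABLE = [
    Route("local", "local", "10.0.0.0/16"),
    Route("igw-id", "static", "0.0.0.0/0"),
    Route("vgw-id", "propagated", "10.0.1.0/24"),   # more specific than local
    Route("vgw-id", "propagated", "192.168.0.0/16"),
    Route("tgw-id", "static", "192.168.0.0/16"),    # identical to a propagated route
    Route("vgw-id", "propagated", "172.16.0.0/12"),
    Route("pcx-id", "static", "172.16.5.0/24"),     # longer prefix than the VPN route
    Route("vgw-id", "propagated", "198.51.100.0/24"),
    Route("tgw-id", "static", prefix_list=("198.51.100.0/24", "2001:db8::/32")),
    Route("vgw-id", "propagated", "203.0.113.0/24"),
    Route("vpce-id", "static", prefix_list=("203.0.113.0/24",)),
    Route("eni-id", "static", "203.0.113.0/24"),    # static CIDR beats the prefix list
]

if __name__ == "__main__":
    for dst in ("10.0.1.5", "192.168.1.1", "172.16.5.9", "172.16.9.9",
                "198.51.100.1", "203.0.113.7", "2001:db8::1", "192.0.2.1", "fd00::1"):
        print(f"{dst:>14} -> {select_route(TABLE, dst)}")
```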

Exam Cram: Network Design and Implementation
AWS Site-to-Site VPN:
• AWS VPN is a managed IPSec VPN
• A Virtual Private Gateway (VGW) is deployed on the AWS side of the
connection
• Supports static routes or BGP peering/routing
• A customer gateway device is a physical device deployed on the customer side
• A customer gateway is a virtual element in the VPC that represents the
customer gateway device
• Two VPN tunnels are created between VGW/transit gateway and customer
gateway
• From on-premises you can access public AWS services across the VPN but
cannot access the internet via an internet gateway or NAT gateway, or access
VPC resources in a peered VPC
• From on-premises you can access the internet via a NAT instance

Exam Cram: Network Design and Implementation
Direct Connect:
• Private connectivity between AWS and your data center / office
• Consistent network experience:
  • Increased speed
  • Lower latency
  • High bandwidth/throughput
• Lower costs for organizations that transfer large volumes of data
• A VIF is a virtual interface (802.1Q VLAN) and a BGP session

Exam Cram: Network Design and Implementation
Direct Connect:
• A Private VIF connects to a single VPC in the same AWS Region using a VGW
• A Public VIF can be used to connect to AWS Public services in any Region (but
not the Internet)
• A Transit VIF is used to access one or more transit gateways associated with
DX gateways
• Multiple Private VIFs can be used to connect to multiple VPCs in the Region
• VIFs can also be shared with other AWS accounts – known as hosted VIFs
• DX connections are not encrypted by default (encryption supported between
on-premises and DX POP using MACsec for 100/10 Gbps)
• Use an IPSec S2S VPN connection over a VIF to add encryption in transit (on-
premises to VGW)
• BFD is a detection protocol that provides fast forwarding path failure
detection times for faster reconvergence times

Exam Cram: Network Design and Implementation
Direct Connect Gateway:
• Use AWS Direct Connect gateway to connect your VPCs
• A Direct Connect gateway is a globally available resource
• You can create the Direct Connect gateway in any Region and access it from all other Regions
• You associate an AWS Direct Connect gateway with either of the following gateways:
  • A transit gateway when you have multiple VPCs in the same Region
  • A virtual private gateway
• Private virtual interfaces (VIFs) are used to connect to the Direct Connect gateway

Exam Cram: Network Design and Implementation
AWS Transit Gateway:
• Acts as a cloud router simplifying network architecture
• Supports dynamic and static layer 3 routing between Amazon VPCs and VPN
• Supports Equal Cost Multipath (ECMP) between multiple VPN connections
• Transit gateway is a Regional service
• Peering connections can be established between transit gateways in the same
AWS region or across regions
• Transit gateway connect can be used to connect to SD-WAN appliances
running in a VPC
• Connect attachments support Generic Routing Encapsulation (GRE) and BGP
• Transit gateway supports multicast routing between subnets of attached VPCs
• TGW routes traffic for instances sending to multiple receiving instances

Exam Cram: Network Design and Implementation
AWS Transit Gateway best practices:
• Use a separate subnet for each transit gateway VPC attachment
• Create one network ACL and associate it with all of the subnets that
are associated with the transit gateway
• Associate the same VPC route table with all subnets that are
associated with the transit gateway, unless your network design
requires multiple VPC route tables
• Use Border Gateway Protocol (BGP) Site-to-Site VPN connections
• Enable route propagation for AWS Direct Connect gateway
attachments and BGP Site-to-Site VPN attachments

Exam Cram: Network Design and Implementation
AWS Outposts:
• Hybrid cloud with AWS infrastructure deployed on-premises
and at the edge
• Some local services and connectivity to Regions for other
services
• Use for workloads that require low latency access to on-
premises systems and data
• Extend compute, networking, security and more to your data
center
• Same APIs, tools, and management controls as in the cloud

Exam Cram: Network Design and Implementation
AWS Outposts:
• VPC components extended to the Outpost include:
  • Internet gateways
  • Virtual private gateways
  • Amazon VPC Transit Gateways
  • VPC endpoints
• The Outpost is an extension of an Availability Zone in a Region
• A service link is a network route for communication between an Outpost and its associated Region
• You can use customer-owned IP address pools
• A local gateway is deployed for Outpost racks
• A local network interface is deployed for Outpost servers

Exam Cram: Network Design and Implementation
AWS Outposts:
• The local gateway performs NAT of the Outpost instance’s IPs to
Elastic IPs from a pool
• A target in the VPC route table should be created for traffic destined
to on-premises resources
• The local gateway enables connectivity from the Outpost subnets to
all AWS services in the parent Region

SECTION 8

Network Security

Traffic Capture, Mirroring, and Logging

Traffic Mirroring
• Traffic mirroring copies network traffic from an ENI and sends it to an out-of-band security/monitoring appliance
• Used for:
  • Content inspection
  • Threat monitoring
  • Troubleshooting
• A traffic mirror session is established between a source and target
[Diagram: Mirror Source (a Source is an ENI with the type instance) → Filter → Mirror Targets (a Target can be ENIs or NLBs). A Filter is a rule that can be applied to determine the traffic to be copied. The original packet is encapsulated in a VXLAN UDP packet (UDP 4789); a VXLAN ID is used to identify a session.]
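
An added Python example (not AWS code) of what a mirror target receives: each mirrored packet arrives as a VXLAN datagram on UDP 4789 whose VXLAN ID identifies the session, so the target reads the VNI first and then the inner frame. The session-to-VNI map, the packet builder and all addresses are constructed for the example; no actual ENI or NLB is involved.

```python
import struct
from ipaddress import IPv4Address

# Added example, not AWS code: demultiplexing mirrored traffic at a mirror
# target by VXLAN ID and extracting the inner IPv4 5-tuple.

VXLAN_UDP_PORT = 4789          # the port the mirror target listens on
VXLAN_FLAG_VNI_VALID = 0x08    # RFC 7348 "I" flag: VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17


def parse_vxlan(udp_payload):
    """Split a VXLAN datagram into (VNI, inner Ethernet frame)."""
    if len(udp_payload) < 8:
        raise ValueError("VXLAN header truncated")
    # 1 byte flags, 3 reserved, 3-byte VNI, 1 reserved
    flags, vni_bytes = struct.unpack("!B3x3sx", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; no valid VNI")
    return int.from_bytes(vni_bytes, "big"), udp_payload[8:]


def parse_inner_frame(frame):
    """Return the inner IPv4 5-tuple of a mirrored Ethernet frame."""
    if len(frame) < 34:   # Ethernet (14) + minimal IPv4 header (20)
        raise ValueError("inner frame truncated")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype}   # e.g. ARP or IPv6: not decoded here
    ip = frame[14:]
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    header_len = (ver_ihl & 0x0F) * 4
    info = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)), "proto": proto}
    l4 = ip[header_len:]
    if proto in (IP_PROTO_TCP, IP_PROTO_UDP) and len(l4) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def demux(udp_payload, sessions):
    """Map a mirrored datagram to (session name, inner 5-tuple).

    `sessions` maps the VXLAN IDs of our mirror sessions to a label; a
    datagram with any other VNI is rejected rather than silently processed.
    """
    vni, frame = parse_vxlan(udp_payload)
    name = sessions.get(vni)
    if name is None:
        raise ValueError(f"unexpected VNI {vni}: not one of our mirror sessions")
    return name, parse_inner_frame(frame)


def build_mirrored_packet(vni, src_ip, dst_ip, sport, dport, proto=IP_PROTO_TCP):
    """Construct a VXLAN datagram carrying a minimal IPv4/TCP packet (test data)."""
    vxlan = struct.pack("!B3x3sx", VXLAN_FLAG_VNI_VALID, vni.to_bytes(3, "big"))
    eth = struct.pack("!6s6sH", b"\x02\x00\x00\x00\x00\x02",
                      b"\x02\x00\x00\x00\x00\x01", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + bytes(16)   # ports + zeroed rest of TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    return vxlan + eth + ip + l4


# Constructed session table: VNI -> the mirror session it identifies.
SESSIONS = {100: "web-tier-ssh-watch", 200: "app-tier-inspection"}

if __name__ == "__main__":
    packet = build_mirrored_packet(100, "10.0.1.15", "10.0.2.20", 52933, 22)
    print(demux(packet, SESSIONS))
```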

Traffic Mirroring
• The traffic mirror source and traffic mirror targets can be in the same VPC or different VPCs
• When using multiple VPCs you must use intra-Region VPC peering or transit gateway
• Targets can be in different AWS accounts

Source owner | Source VPC | Target owner | Target VPC | Connectivity option
Account A | VPC 1 | Account A | VPC 1 | No additional configuration
Account A | VPC 1 | Account A | VPC 2 | Intra-Region peering or transit gateway
Account A | VPC 1 | Account B | VPC 2 | Cross-account intra-Region peering or a transit gateway
Account A | VPC 1 | Account B | VPC 1 | VPC sharing

VPC Flow Logs
• Capture information about the IP traffic going to and from network interfaces in a VPC
• Flow log data is stored using Amazon CloudWatch Logs or S3
• Flow logs can be created at the following levels:
  • VPC
  • Subnet
  • Network interface
[Diagram: a VPC with a public subnet and a private subnet containing an EC2 instance; flow logs are collected at the VPC, subnet and instance network-interface levels.]

Traffic Mirroring and VPC Flow Logs
• You can use Traffic Mirroring and VPC Flow Logs to
monitor your VPC traffic
• You can collect, store, and analyze network flow logs
• The Flow Logs capture information about the following:
• Allowed and denied traffic
• Source and destination IP addresses
• Ports
• Protocol number
• Packet and byte counts
• Action taken (accept or reject)

Access Logs for an ALB
• Logs detailed info about requests sent to an ALB
• Sent to an Amazon S3 bucket every 5 minutes
• Information logged includes:
• The time the request was received
• The client's IP address
• Latencies
• Request paths
• Server responses

Access Logs vs Flow Logs

VPC Flow Log (default format; long values truncated):

version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 55112233445 eni-0f5… 11.200.185.200 10.0.1.15 52933 22 6 1 40 1599… 1599… ACCEPT OK
2 55112233445 eni-0f5… 10.0.1.15 11.200.185.200 22 52933 6 1 40 1599… 1599… ACCEPT OK
2 55112233445 eni-0f5… 11.200.185.200 10.0.1.15 3624 80 6 1 44 1599… 1599… REJECT OK
2 55112233445 eni-0f5… 11.200.185.200 10.0.1.15 3624 80 6 1 44 1599… 1599… REJECT OK
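
An added Python example, not part of the course: a parser for default-format VPC Flow Log records like those above (the fields listed on the Traffic Mirroring and VPC Flow Logs slide) with two checks run over constructed sample lines, accepted SSH from outside the VPC's address space and REJECT counts per source. The sample records, account id and interface id are made up, and "internal" is assumed to mean RFC 1918 space.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Added example, not AWS code: parse default-format VPC Flow Log records and
# run two simple checks over them.

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Assumption for this example: "internal" means RFC 1918 space, where the
# sample VPC lives; any other source is treated as external.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_record(line):
    """Turn one space-separated default-format record into a dict.

    Fields that AWS writes as "-" (e.g. in NODATA/SKIPDATA records) become None.
    """
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}: {line!r}")
    record = {}
    for name, value in zip(FIELDS, values):
        if value == "-":
            record[name] = None
        elif name in NUMERIC:
            record[name] = int(value)
        else:
            record[name] = value
    return record


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL)


def accepted_external_ssh(records):
    """Records showing SSH (TCP/22) accepted from outside the internal ranges."""
    return [r for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == 6 and r["dstport"] == 22
            and r["srcaddr"] is not None and is_external(r["srcaddr"])]


def rejects_by_source(records):
    """Count REJECTed flows per source address so noisy sources stand out."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


# Constructed sample records (documentation addresses, made-up account and ENI ids).
SAMPLE = """\
2 123456789012 eni-0f5a1b2c3d 203.0.113.45 10.0.1.15 52933 22 6 10 4000 1660000000 1660000060 ACCEPT OK
2 123456789012 eni-0f5a1b2c3d 10.0.1.15 203.0.113.45 22 52933 6 8 3200 1660000000 1660000060 ACCEPT OK
2 123456789012 eni-0f5a1b2c3d 203.0.113.45 10.0.1.15 3624 80 6 1 44 1660000000 1660000060 REJECT OK
2 123456789012 eni-0f5a1b2c3d 203.0.113.45 10.0.1.15 3625 443 6 1 44 1660000000 1660000060 REJECT OK
2 123456789012 eni-0f5a1b2c3d 10.0.2.7 10.0.1.15 40000 22 6 5 900 1660000000 1660000060 ACCEPT OK
2 123456789012 eni-0f5a1b2c3d - - - - - - - 1660000000 1660000060 - NODATA
"""

if __name__ == "__main__":
    records = parse_records(SAMPLE)
    for hit in accepted_external_ssh(records):
        print("external SSH accepted:", hit["srcaddr"], "->", hit["dstaddr"])
    print("rejects by source:", dict(rejects_by_source(records)))
```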

ELB Access Log

Create VPC Flow Log

Compliance with AWS Config

AWS Config
[Diagram: configuration changes to example services (Amazon EC2, Elastic Load Balancing, Amazon S3, Amazon RDS) occur and information is sent to AWS Config; AWS Config evaluates the configuration against desired configurations; it sends notifications with SNS (Amazon Simple Notification Service) and alerts via CloudWatch Events when changes occur.]

AWS Config

Example Rule – Description
nacl-no-unrestricted-ssh-rdp – Checks if default ports for SSH/RDP ingress traffic for network access control lists (NACLs) are unrestricted
restricted-ssh – Checks whether security groups that are in use disallow unrestricted incoming SSH traffic
vpc-flow-logs-enabled – Checks whether Amazon Virtual Private Cloud flow logs are found and enabled for Amazon VPC
vpc-vpn-2-tunnels-up – Checks that both VPN tunnels provided by AWS Site-to-Site VPN are in UP status
service-vpc-endpoint-enabled – Checks whether a Service Endpoint for the service provided in the rule parameter is created for each Amazon VPC

Monitor Security Group Compliance

Network Firewall and DNS Firewall

AWS Network Firewall
• Flexible rules engine provides fine-grained control over network traffic
• AWS Firewall Manager, with AWS Organizations, manages multiple AWS Network Firewall deployments
• Traffic for resources in protected subnets is routed via firewall subnets
[Diagram: VPC 10.0.0.0/16 with an Internet gateway, a Firewall Subnet (10.0.3.0/28) containing the Firewall Endpoint, and a Protected Subnet (10.0.0.0/24) containing an EC2 instance. Route tables (Destination → Target):
Firewall Subnet RT: 10.0.0.0/16 → Local; 0.0.0.0/0 → igw-id
IGW Ingress RT: 10.0.0.0/16 → Local; 10.0.0.0/24 → vpce-id-az-a
Protected Subnet RT: 10.0.0.0/16 → Local; 0.0.0.0/0 → vpce-id-az-a]

AWS Network Firewall
• Managed service for VPC network protection
• Includes:
  • Stateful & Stateless firewall
  • Intrusion Prevention System (IPS)
  • Web filtering
• Works with AWS Firewall Manager for centrally applying policies across VPCs / accounts
• Uses a VPC endpoint and Gateway Load Balancer
• Do not deploy resources in the firewall subnet
• For HA, allocate a subnet per AZ
• Check the deployment models article here: https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/

Route 53 Resolver DNS Firewall
• Filter and regulate outbound DNS traffic for VPCs
• Requests route through Route 53 Resolver for DNS
• Helps prevent DNS exfiltration of data
• Monitor and control the domains applications can query
• Can use AWS Firewall Manager to centrally configure and
manage DNS Firewall
• Central management can span VPCs and accounts in AWS
Organizations

AWS Firewall Manager

AWS Web Application Firewall (WAF)

AWS WAF
• AWS WAF is a web application firewall
• WAF lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs
• WAF makes it easy to create rules that block common web exploits like SQL injection and cross site scripting

AWS WAF
[Diagram: AWS WAF deployed in front of Amazon CloudFront, an ALB (fronting Amazon EC2), Amazon API Gateway, and AWS AppSync.]

AWS WAF
• Web ACLs – You use a web access control list (ACL) to protect a set
of AWS resources
• Rules – Each rule contains a statement that defines the inspection
criteria, and an action to take if a web request meets the criteria
• Rule groups – You can use rules individually or in reusable rule
groups

AWS WAF
• IP Sets - An IP set provides a collection of IP addresses and IP
address ranges that you want to use together in a rule statement
• Regex pattern set - A regex pattern set provides a collection of
regular expressions that you want to use together in a rule
statement

AWS WAF
A rule action tells AWS WAF what to do with a web request when it matches the criteria defined in the rule:
• Count – AWS WAF counts the request but doesn't determine whether to allow it or block it. With this action, AWS WAF continues processing the remaining rules in the web ACL
• Allow – AWS WAF allows the request to be forwarded to the AWS resource for processing and response
• Block – AWS WAF blocks the request and the AWS resource responds with an HTTP 403 (Forbidden) status code

AWS WAF
Match statements compare the web request or its origin against conditions that you provide
Match Statement – Description
Geographic match – Inspects the request's country of origin
IP set match – Inspects the request against a set of IP addresses and address ranges
Regex pattern set – Compares regex patterns against a specified request component
Size constraint – Checks size constraints against a specified request component
SQLi attack – Inspects for malicious SQL code in a specified request component
String match – Compares a string to a specified request component
XSS scripting attack – Inspects for cross-site scripting attacks in a specified request component

AWS Shield

AWS Shield
• AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
• Safeguards web applications running on AWS with always-on detection and automatic inline mitigations
• Helps to minimize application downtime and latency
• Two tiers:
  • Standard – no cost
  • Advanced – $3k USD per month and 1 year commitment
• Integrated with Amazon CloudFront (standard included by default)

Encryption Primer

Encryption In Transit vs At Rest
Encryption In Transit
• Data is protected by SSL/TLS in transit
[Diagram: a user connects to an ALB over an HTTPS connection.]
Encryption At Rest
• Amazon S3 encrypts the object as it is written to the bucket
[Diagram: an unencrypted object passes through the encryption process with a data encryption key and is stored as an encrypted object in the bucket.]

Asymmetric Encryption
• Asymmetric encryption is also known as public key cryptography
• Messages encrypted with the public key can only be decrypted with the private key
• Messages encrypted with the private key can be decrypted with the public key
• Examples include SSL/TLS and SSH
[Diagram: plaintext data is encrypted with the public key to produce encrypted data, which is decrypted with the private key back to plaintext data.]

Symmetric Encryption
• The same key is used for both encryption and decryption
[Diagram: encryption: plaintext data and the data encryption key go through the encryption process to produce encrypted data; decryption: encrypted data and the same data encryption key go through the process to recover the plaintext data.]

Network Encryption

Amazon VPC/EC2 Encryption
• All data flowing across AWS Regions over the
AWS global network is automatically encrypted
• All traffic between AZs is encrypted
• Cross-Region traffic using VPC and Transit
Gateway peering is encrypted
• Some Nitro instance types automatically encrypt
in-transit traffic between instances
• AWS Outposts service links are encrypted

Amazon EBS Encryption
EBS encryption affects:
• Data at rest inside the volume
• All data moving between the volume and the instance
• All snapshots created from the volume
• All volumes created from those snapshots
[Di[Diagram: within an Availability Zone, an EC2 instance with an attached EBS volume; data is encrypted in transit and at rest; snapshots of encrypted volumes are encrypted; traffic between AZs is encrypted; traffic between instances is encrypted in transit for some instance types.]

Amazon EFS Encryption
• EFS is the Amazon Elastic File System
• File systems are mounted using the NFS protocol
• Many instances can mount a file system within and across VPCs
• You can also mount file systems from on-premises servers over DX or VPN
• Encryption at rest can be enabled when the file system is created
• Encryption in transit is enabled when mounting the file system (TLS)
[Diagram: an EFS file system in a VPC mounted at /efs-mnt on two EC2 instances.]

MACsec for Encrypting Direct Connect
• MACsec provides near line-rate encryption for maximum throughput
• MACsec is configured between the customer router or switch and the DX device
• AWS provide a MACsec-enabled port on the DX router
• Layer 2 traffic that travels over the dedicated connection to or from the data center is encrypted
[Diagram: Region (VGW) – AWS Direct Connect location, with the AWS cage (DX endpoint) and the customer / partner cage (customer / partner router) – customer / corporate data center; MACsec runs between the DX endpoint and the customer / partner router.]

IPSec VPN for Encrypting Direct Connect
• This solution encrypts from the data center to the VGW
• An IPSec S2S VPN is established over a public VIF across the DX connection
• A VGW is required for terminating the VPN
[Diagram: Region (VGW) – AWS Direct Connect location (DX) – corporate data center.]

Encryption In-Transit
• Many AWS services use secure channels with:
  • HTTPS protocol
  • SSL/TLS certificates
• Some customer-managed infrastructure supports termination of TLS with your own certificates, e.g. ALB/NLB, Amazon CloudFront, Amazon API Gateway
• Some services such as API Gateway only expose HTTPS endpoints
• AWS is updating all Federal Information Processing Standard (FIPS) endpoints to a minimum of TLS 1.2

AWS Key Management Service (KMS)

AWS Key Management Service (KMS)
• Create and manage symmetric and asymmetric encryption keys
• The KMS keys are protected by hardware security modules (HSMs)
[Diagram: AWS KMS holds customer managed keys, which a developer creates in AWS KMS, and AWS managed keys such as aws/sqs, aws/acm, aws/ebs and aws/fsx.]

KMS Keys
• KMS keys are the primary resources in AWS KMS
• Used to be known as “customer master keys” or CMKs
• The KMS key also contains the key material used to encrypt
and decrypt data
• By default, AWS KMS creates the key material for a KMS key
• You can also import your own key material
• A KMS key can encrypt data up to 4KB in size
• A KMS key can generate, encrypt and decrypt Data Encryption
Keys (DEKs)

Alternative Key Stores
External Key Store:
• Keys can be stored outside of AWS to meet regulatory requirements
• You can create a KMS key in an AWS KMS external key store (XKS)
• All keys are generated and stored in an external key manager
• When using an XKS, key material never leaves your HSM
Custom Key Store:
• You can create KMS keys in an AWS CloudHSM custom key store
• All keys are generated and stored in an AWS CloudHSM cluster that you own and manage
• Cryptographic operations are performed solely in the AWS CloudHSM cluster you own and manage
• Custom key stores are not available for asymmetric KMS keys

AWS Managed KMS Keys
• Created, managed, and used on your behalf
by an AWS service that is integrated with
AWS KMS
• You cannot manage these KMS keys, rotate
them, or change their key policies
• You also cannot use AWS managed KMS keys
in cryptographic operations directly; the
service that creates them uses them on your
behalf

Data Encryption Keys
• Data keys are encryption keys that you can use to encrypt large amounts of data
• You can use AWS KMS keys to generate, encrypt, and decrypt data keys
• AWS KMS does not store, manage, or track your data keys, or perform cryptographic operations with data keys
• You must use and manage data keys outside of AWS KMS
[Diagram: a KMS key in AWS KMS produces a plaintext data key, used by an encryption algorithm outside KMS, and an encrypted data key.]

KMS Keys and Automatic Rotation

Type of KMS Key | Can view | Can manage | Used only for my AWS account | Automatic rotation
Customer managed key | Yes | Yes | Yes | Optional. Every 365 days
AWS managed key | Yes | No | Yes | Required. Every 365 days
AWS owned key | No | No | No | Varies

• You cannot enable or disable key rotation for AWS owned keys
• Automatic key rotation is supported only on symmetric encryption KMS keys with key material that AWS KMS generates (Origin = AWS_KMS)

KMS Keys and Automatic Rotation
• Automatic rotation generates new key material every year (optional for customer managed keys)
• Rotation only changes the key material used for encryption; the KMS key remains the same

KMS Keys and Automatic Rotation
With automatic key rotation:
• The properties of the KMS key, including its key ID, key ARN, region, policies, and permissions, do not change when the key is rotated
• You do not need to change applications or aliases that refer to the key ID or key ARN of the KMS key
• After you enable key rotation, AWS KMS rotates the KMS key automatically every year
Automatic key rotation is not supported on the following types of KMS keys:
• Asymmetric KMS keys
• HMAC KMS keys
• KMS keys in custom key stores
• KMS keys with imported key material
Note: You can rotate these KMS keys manually

Manual Rotation
• Manual rotation is creating a new KMS key with a different key ID
• You must then update your applications with the new key ID
• You can use an alias to represent a KMS key so you don’t need to modify your application code
[Diagram: the application refers to an alias; the alias is moved from the old key to the new key, so the alias is associated with the new KMS key.]

KMS Key Policies
• Key policies define management and usage permissions for KMS keys
[Figure: an example key policy statement defining the administrative actions that are permitted for a key administrator.]

KMS Key Policies
• Multiple policy statements can be combined to specify separate
administrative and usage permissions

[Diagram: a key policy that defines the cryptographic actions for encrypting and decrypting data with the KMS key]


KMS Key Policies
• Permissions can be specified for delegating use of the key to AWS
services

Grants are useful for temporary permissions as they can be used without modifying key
policies or IAM policies


Additional Exam Tips
• To share snapshots with another account you must specify Decrypt
and CreateGrant permissions

• The kms:ViaService condition key can be used to limit key usage to
specific AWS services

• For example:
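The kms:ViaService example above, together with the separate administrative and usage statements from the preceding key policy slides, as an added Python example that is not part of the course slides; the account id, role ARNs and the S3 regional endpoint are constructed placeholders:

```python
# Administrative actions only: no Encrypt/Decrypt, so a key administrator
# cannot read data protected by the key.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*",
                 "kms:Put*", "kms:Update*", "kms:Revoke*", "kms:Disable*",
                 "kms:Get*", "kms:Delete*", "kms:TagResource",
                 "kms:UntagResource", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion"]
# Cryptographic actions for key users: no key management.
USAGE_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ReEncrypt*",
                 "kms:GenerateDataKey*", "kms:DescribeKey"]


def build_key_policy(account_id, admin_arn, user_arn, via_services):
    """Key policy with three statements: root enable, key administrators,
    key users whose usage is limited to the listed services."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            # Lets IAM policies in the account grant access; without it the
            # key can become unmanageable.
            {"Sid": "EnableIAMPolicies", "Effect": "Allow",
             "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "KeyAdministrators", "Effect": "Allow",
             "Principal": {"AWS": admin_arn},
             "Action": ADMIN_ACTIONS, "Resource": "*"},
            {"Sid": "KeyUsers", "Effect": "Allow",
             "Principal": {"AWS": user_arn},
             "Action": USAGE_ACTIONS, "Resource": "*",
             # kms:ViaService: the request must arrive through one of these
             # services (e.g. S3 decrypting an object); a direct kms:Decrypt
             # call by the same principal does not satisfy the condition.
             "Condition": {"StringEquals": {"kms:ViaService": via_services}}},
        ],
    }


def admins_cannot_decrypt(policy):
    """Separation-of-duties check: no statement (other than the root enable
    statement) grants both kms:Decrypt (or kms:*) and a management action.
    Exact action names only; IAM wildcards are not expanded."""
    for stmt in policy["Statement"]:
        if stmt.get("Sid") == "EnableIAMPolicies":
            continue
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        decrypts = any(a in ("kms:Decrypt", "kms:*") for a in actions)
        manages = any(a not in USAGE_ACTIONS for a in actions)
        if decrypts and manages:
            return False
    return True
```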


Additional Exam Tips
• Cryptographic erasure means removing the ability to decrypt data
and can be achieved when using imported key material and
deleting that key material

• You must use the DeleteImportedKeyMaterial API to remove the key
material

• An InvalidKeyId exception when using SSM Parameter Store indicates
the KMS key is not enabled

• Make sure you know the differences between AWS managed and
customer managed KMS keys and automatic vs manual rotation


SSL/TLS Certificates



AWS Certificate Manager (ACM)
• Create, store and renew SSL/TLS X.509 certificates
• Single domains, multiple domain names and
wildcards
• Integrates with several AWS services including:
• Elastic Load Balancing
• Amazon CloudFront
• AWS Elastic Beanstalk
• AWS Nitro Enclaves
• AWS CloudFormation



AWS Certificate Manager (ACM)
• Public certificates are signed by the AWS public
Certificate Authority
• You can also create a Private CA with ACM
• Can then issue private certificates



AWS Certificate Manager (ACM)
• You can also import certificates obtained outside
of AWS
• This includes self-signed SSL/TLS certificates
• These can be used with any AWS service that is
integrated with ACM
• You must include the private key, public key, and
certificate chain
• There are additional prerequisites:
https://docs.aws.amazon.com/acm/latest/userguide/import-certificate-prerequisites.html


Amazon CloudWatch
Features and Use Cases



Amazon CloudWatch
• CloudWatch Metrics – services send time-ordered data
points to CloudWatch
• CloudWatch Alarms – monitor metrics and initiate actions
• CloudWatch Logs – centralized collection of system and
application logs
• CloudWatch Events – stream of system events describing
changes to AWS resources and can trigger actions


Amazon CloudWatch Metrics
• Metrics are sent to CloudWatch for many AWS services
• EC2 metrics are sent every 5 minutes by default (free)
• Detailed EC2 monitoring sends every 1 minute (chargeable)
• Unified CloudWatch Agent sends system-level metrics for EC2 and
on-premises servers
• System-level metrics include memory and disk usage

[Diagram: Amazon EC2 sends CPUUtilization, DiskReadOps, NetworkIn and StatusCheckFailed metrics to Amazon CloudWatch (standard every 5 minutes; detailed every 1 minute); the CloudWatch Agent sends system-level metrics such as Memory and Disk Usage]


Amazon CloudWatch Metrics
• Can publish custom metrics using CLI or API
• Custom metrics are one of the following resolutions:
• Standard resolution – data having a one-minute granularity
• High resolution – data at a granularity of one second
• AWS metrics are standard resolution by default



Amazon CloudWatch Alarms
Two types of alarms
• Metric alarm – performs one or more actions based on a single
metric
• Composite alarm – uses a rule expression and takes into account
multiple alarms
• Metric alarm states:
• OK – Metric is within a threshold
• ALARM – Metric is outside a threshold
• INSUFFICIENT_DATA – not enough data

[Diagram: Amazon EC2 CPU Utilization metric → Amazon CloudWatch alarm in ALARM state → EC2 Auto Scaling (ec2:RunInstances)]

Amazon CloudWatch Events / EventBridge

[Diagram: event sources (AWS Services, Custom Apps, SaaS Apps) send events to the EventBridge event bus; rules match events and route them to targets. EventBridge used to be known as CloudWatch Events]


Amazon CloudWatch Logs
• Gather application and system logs in CloudWatch
• Defined expiration policies and KMS encryption
• Send to:
• Amazon S3 (export)
• Kinesis Data Streams
• Kinesis Data Firehose

[Diagram: the Unified CloudWatch Agent installed on Amazon EC2 and on-premises servers sends application logs and system logs to Amazon CloudWatch; subscription filters provide real-time log processing with AWS Lambda and Amazon Elasticsearch Service; the Lambda function requires permissions to CloudWatch Logs]

Cross-Account Log Data Sharing
• Share CloudWatch Logs across accounts
• Kinesis Data Streams is the only supported destination
• Log data sender – sends log data to the recipient
• Log data recipient – sends data to a Kinesis Data stream

[Diagram: CloudWatch Logs in Account A and Account B (each in a Region) use subscription filters to send log data to an Amazon Kinesis Data Stream in Account C]


CloudWatch Contributor Insights for VPC Flow Logs


AWS CloudTrail Use Cases



AWS CloudTrail
[Diagram: AWS CloudTrail logs API actions (90 days); creating a Trail delivers log files to an S3 Bucket for indefinite retention, with optional log file integrity validation; notifications can be sent to an SNS Topic when CloudTrail publishes log files; events streamed to CloudWatch Logs use a metric filter to trigger a CloudWatch Alarm; an API event in CloudWatch Events triggers a Lambda Function that publishes to an SNS Topic]

AWS CloudTrail
• CloudTrail logs API activity for auditing
• By default, management events are logged and
retained for 90 days
• A CloudTrail Trail logs any events to S3 for
indefinite retention
• Trail can be within Region or all Regions
• CloudWatch Events can be triggered based on API
calls in CloudTrail
• Events can be streamed to CloudWatch Logs


CloudTrail – Management and Data Events
• Management events provide information about
management operations that are performed on
resources in your AWS account
• Data events provide information about the
resource operations performed on or in a
resource



CloudTrail – Multi Account and Region

[Diagram: AWS CloudTrail in Account A and Account B (each in a Region) is configured to log to an S3 Bucket in Account C; a bucket policy is required for cross-account permissions]


EventBridge Alert for API Action
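An EventBridge rule that alerts on a CloudTrail API action, as an added Python example that is not part of the course slides: it implements the exact-match subset of EventBridge event pattern matching and runs it over constructed CloudTrail events (detail-type "AWS API Call via CloudTrail"); the rule pattern, account id and principal ARNs are assumptions.

```python
# Rule for the network-security use case: fire when flow logs or a traffic
# mirror session are deleted, or a security group is opened for ingress.
NETWORK_CHANGE_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail"],
    "source": ["aws.ec2"],
    "detail": {"eventName": ["DeleteFlowLogs", "DeleteTrafficMirrorSession",
                             "AuthorizeSecurityGroupIngress"]},
}


def matches(pattern, event):
    """True when every field of the pattern exists in the event with a value
    contained in the pattern's list. Nested objects recurse; an event array
    matches if any element matches. Exact values only (no prefix,
    anything-but or numeric operators)."""
    for key, allowed in pattern.items():
        if key not in event:
            return False
        value = event[key]
        candidates = value if isinstance(value, list) else [value]
        if isinstance(allowed, dict):
            ok = any(isinstance(v, dict) and matches(allowed, v) for v in candidates)
        else:
            ok = any(v in allowed for v in candidates)
        if not ok:
            return False
    return True


def alerts(events, pattern=NETWORK_CHANGE_PATTERN):
    """(eventName, caller ARN) for each event the rule would route to a
    target such as an SNS topic or a Lambda function."""
    return [(e["detail"]["eventName"], e["detail"]["userIdentity"]["arn"])
            for e in events if matches(pattern, e)]


def _ct_event(source, name, arn):
    """Constructed event shaped like an EventBridge CloudTrail event."""
    return {"detail-type": "AWS API Call via CloudTrail", "source": source,
            "detail": {"eventSource": source[4:] + ".amazonaws.com",
                       "eventName": name, "userIdentity": {"arn": arn}}}


SAMPLE_EVENTS = [  # constructed sample data; the account id is a placeholder
    _ct_event("aws.ec2", "DeleteFlowLogs", "arn:aws:iam::111122223333:user/alice"),
    _ct_event("aws.ec2", "DescribeFlowLogs", "arn:aws:iam::111122223333:user/bob"),
    _ct_event("aws.kms", "ScheduleKeyDeletion",
              "arn:aws:iam::111122223333:role/KeyAdmin"),
]
```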


Exam Cram



Exam Cram: Network Security
Traffic Mirroring:
• Traffic mirroring copies network traffic from an ENI and sends it to an out-of-band
security/monitoring appliance
• Used for:
• Content inspection
• Threat monitoring
• Troubleshooting
• A traffic mirror session is established between a source and target
• A Source is an ENI with the type instance
• A Target can be ENIs or NLBs
• A Filter is a rule that can be applied to determine the traffic to be copied
• A VXLAN ID is used to identify a session



Exam Cram: Network Security
VPC Flow Logs:
• Capture information about the IP traffic going to and from network interfaces
in a VPC
• Flow log data is stored using Amazon CloudWatch Logs or S3
• Flow logs can be created at the VPC, subnet, or network interface level
• The following types of traffic are not logged:
• Traffic to the Amazon DNS server
• Traffic generated by a Windows instance for Amazon Windows license activation
• Traffic to and from 169.254.169.254 for instance metadata
• Traffic to and from 169.254.169.123 for the Amazon Time Sync Service
• DHCP traffic
• Mirrored traffic
• Traffic to the reserved IP address for the default VPC router
• Traffic between an endpoint network interface and a Network Load Balancer
network interface

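As an added Python example (not from the course slides), a parser for the default VPC Flow Log record format that summarises REJECT records per source address, in the spirit of the Contributor Insights top-contributors view mentioned earlier; the log lines are constructed sample data and the account id and interface id are placeholders.

```python
from collections import Counter

# Field order of the default (version 2) flow log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status"]

SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 49152 22 6 4 240 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 49153 3389 6 4 240 1700000000 1700000059 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 10.0.2.40 52000 443 6 20 4100 1700000000 1700000059 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000059 - NODATA
2 111122223333 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40000 22 6 1 60 1700000000 1700000059 REJECT OK
"""


def parse_record(line):
    """Return a dict for one record with numeric fields converted to int.
    NODATA/SKIPDATA records carry no flow information and yield None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[f] = int(rec[f])
    return rec


def rejected_by_source(log_text):
    """Count REJECT records per source address and list the distinct
    destination ports tried, e.g. to spot a scanner probing many ports."""
    counts, ports = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
            ports.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return {src: (n, sorted(ports[src])) for src, n in counts.items()}
```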


Exam Cram: Network Security
AWS Network Firewall:
• Managed service for VPC network protection
• Includes:
• Stateful & Stateless firewall
• Intrusion Prevention System (IPS)
• Web filtering
• Works with AWS Firewall Manager for centrally
applying policies across VPCs / accounts
• Uses a VPC endpoint and Gateway Load Balancer


Exam Cram: Network Security
DNS Firewall:
• Filter and regulate outbound DNS traffic for VPCs
• Requests route through Route 53 Resolver for DNS
• Helps prevent DNS exfiltration of data
• Monitor and control the domains applications can query
• Can use AWS Firewall Manager to centrally configure and
manage DNS Firewall



Exam Cram: Network Security
AWS WAF:
• AWS WAF is a web application firewall
• WAF makes it easy to create rules that block common web exploits like
SQL injection and cross-site scripting
• Web ACLs – You use a web access control list (ACL) to protect a set of
AWS resources
• Rules – Each rule contains a statement that defines the inspection
criteria, and an action to take if a web request meets the criteria
• Rule groups – You can use rules individually or in reusable rule groups


Exam Cram: Network Security
AWS Shield:
• AWS Shield is a managed Distributed Denial of Service (DDoS)
protection service
• Safeguards web applications running on AWS with always-on
detection and automatic inline mitigations
• Helps to minimize application downtime and latency
• Two tiers:
• Standard – no cost
• Advanced – $3k USD per month and 1 year commitment
• Integrated with Amazon CloudFront (standard included by
default)


Exam Cram: Network Security
Amazon VPC/EC2 Encryption:
• All data flowing across AWS Regions over the AWS global
network is automatically encrypted
• All traffic between AZs is encrypted
• Cross-Region traffic using VPC and Transit Gateway peering is
encrypted
• Some Nitro instance types automatically encrypt in-transit
traffic between instances
• AWS Outposts service links are encrypted



Exam Cram: Network Security
AWS Key Management Service (KMS):
• Create and manage symmetric and asymmetric encryption keys
• The KMS keys are protected by hardware security modules (HSMs)
• KMS keys are the primary resources in AWS KMS
• Used to be known as “customer master keys” or CMKs
• The KMS key also contains the key material used to encrypt and decrypt
data
• By default, AWS KMS creates the key material for a KMS key
• You can also import your own key material
• A KMS key can encrypt data up to 4KB in size
• A KMS key can generate, encrypt and decrypt Data Encryption Keys
(DEKs)


Exam Cram: Network Security
AWS Key Management Service (KMS):

Type of KMS Key        Can view  Can manage  Used only for my AWS account  Automatic rotation
Customer managed key   Yes       Yes         Yes                           Optional. Every 365 days
AWS managed key        Yes       No          Yes                           Required. Every 1095 days
AWS owned key          No        No          No                            Varies


Exam Cram: Network Security
AWS Certificate Manager (ACM):
• Create, store and renew SSL/TLS X.509 certificates
• Single domains, multiple domain names and wildcards
• Public certificates are signed by the AWS public Certificate
Authority
• You can also create a Private CA with ACM
• Can then issue private certificates
• You can also import certificates obtained outside of AWS
• This includes self-signed SSL/TLS certificates
• These can be used with any AWS service that is integrated with
ACM
• You must include the private key, public key, and certificate chain



Exam Cram: Network Security
Amazon CloudWatch:
• Used for performance monitoring, alarms, logs, and events
• CloudWatch Metrics – services send time-ordered data
points to CloudWatch
• CloudWatch Alarms – monitor metrics and initiate actions
• CloudWatch Logs – centralized collection of system and
application logs
• CloudWatch Events – stream of system events describing
changes to AWS resources and can trigger actions



Exam Cram: Network Security
AWS CloudTrail:
• CloudTrail logs API activity for auditing
• By default, management events are logged and retained for
90 days
• A CloudTrail Trail logs any events to S3 for indefinite
retention
• Trail can be within Region or all Regions
• CloudWatch Events can be triggered based on API calls in
CloudTrail
• Events can be streamed to CloudWatch Logs
