The newly revised second edition of the AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam delivers an expert review of Amazon Web Services networking fundamentals as they relate to the ANS-C01 exam. You’ll find detailed explanations of critical exam topics combined with real-world scenarios that will help you build the robust knowledge base you need for the test, and to succeed in the field as an AWS Certified Networking specialist.
Learn about the design, implementation, and deployment of AWS cloud-based networking solutions, core services implementation, AWS service architecture design and maintenance (including architectural best practices), monitoring, hybrid networks, security, compliance, governance, and network automation. The book also offers one year of free access to Sybex’s online interactive learning environment and expert study tools, featuring flashcards, a glossary of useful terms, chapter tests, practice exams, and a test bank to help you keep track of your progress and measure your exam readiness.
The coveted AWS Advanced Networking credential proves your skills with Amazon Web Services and hybrid IT network architectures at scale. It assesses your ability to apply deep technical knowledge to the design and implementation of AWS networking services. This book provides you with comprehensive review and practice opportunities so you can succeed on the challenging ANS-C01 exam the first time around. It also offers:
- Coverage of all relevant exam domains and competencies
- Explanations of how to apply the AWS skills discussed within to the real world in the context of an AWS Certified Networking-related career
- Complimentary access to the practical Sybex online learning environment, complete with practice exams, flashcards, a glossary, and test bank
AWS certification proves to potential employers that you have the knowledge and practical skills you need to deliver forward-looking, resilient, cloud-based solutions. The AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam, 2nd Edition, is your ticket to the next big step in your career.
Table of Contents
Introduction xxvii
Assessment Test xxxi
Part I Network Design 1
Chapter 1 Edge Networking 3
Content Distribution Networking 4
CloudFront 4
CloudFront Implementation 6
Caching and Object Retention 6
Invalidations 8
Protocol Support 9
CloudFront Encryption Using SSL/TLS and SNI 10
CloudFront Security 11
Billing 12
Lambda@Edge 13
Geo-restriction and Geolocation 13
Global Accelerator 15
Global Accelerator Architecture 17
Custom Routing Accelerator 18
AWS Global Accelerator Pricing 18
Elastic Load Balancers 19
Load Balancer Architectures 19
Listeners 19
Target Groups 20
Health Checking 20
Sticky Connections 20
Proxy Connections 21
Load Balancing Across Different Availability Zones 22
Connection Draining 22
AWS Load Balancer Offerings 23
Application Load Balancers 27
Gateway Load Balancers 29
Network Load Balancer 31
Classic Load Balancers 32
Configuring Elastic Load Balancers 32
API Gateway 33
REST API 33
HTTP API 34
WebSocket Protocol 34
API Gateway Configuration 34
API Gateway Caching 35
Endpoint Types 35
Security 37
Authentication and Authorization 37
CloudFront Design Considerations 38
Summary 39
Exam Essentials 39
Exercises 40
Written Lab 41
Written Lab 1.1: Create an HTTP API by Using the AWS Management Console 41
Review Questions 42
Chapter 2 Domain Name Services 47
DNS and Route 53 48
DNS Overview 49
Architecture 50
DNS Hierarchy 50
Zones 51
DNS Resolution Process 51
Resource Records 52
Timers 54
Delegations 54
DNSSEC Overview 54
DNS Logging and Monitoring 55
CloudTrail 55
CloudWatch 57
Artificial Intelligence and Machine Learning 57
Redshift 58
Route 53 Advanced Features and Policies 58
Alias Records 58
Resolvers 59
Route 53 Resolver DNS Firewall 60
Health Checks 60
Traffic Routing Policies 61
Simple Routing 61
Multivalue Responses 63
Latency-Based Routing 63
Failover Routing 65
Round-Robin Routing 65
Weighted Routing 66
Geolocation 67
Geo-proximity 68
Route 53 Service Integrations 68
VPC 69
CloudFront 69
Load Balancers 69
Route 53 Application Recovery Controller 70
Hybrid Route 53 70
Multi-account Route 53 71
Multi-Region Route 53 72
Using Route 53 Public Hosted Zones 72
Using Route 53 Private Hosted Zones 73
Using Route 53 Resolver Endpoints in Hybrid and AWS Architectures 73
Using Route 53 for Global Traffic Management 74
Route 53 Failover 75
Domain Registration 75
Required Information to Register a Domain 76
Privacy Protection 78
Route 53 Registration Information 78
Renewing Your Domain 78
Summary 79
Exam Essentials 79
Exercises 80
Review Questions 82
Chapter 3 Hybrid and Multi-account DNS 87
Implementing Hybrid and Multi-account DNS Architectures 88
Route 53 Hosted Zones 88
Private Hosted Zones 89
Public Hosted Zones 89
Traffic Management 90
Latency 93
Geolocation 94
Weighted 95
Failover 96
Multivalue 97
Health Checking 97
Domain Delegation and Forwarding 99
Delegating Domains 99
Forwarding Rules 100
Configuring Records in Route 53 100
A Record 101
AAAA Record 102
CNAME Record 102
MX Record 104
SOA Record 104
TXT Record 106
PTR Record 106
Alias Record 106
SRV Record 107
SPF Record 107
NAPTR Record 109
CAA Record 109
Configuring DNSSEC 109
Multi-account Route 53 110
DNS Endpoints 111
Outbound Endpoints 112
Inbound Endpoints 113
Configuring Route 53 Monitoring and Logging 114
CloudTrail API Logging 115
CloudWatch Logging 116
DNS Query Logging 116
Resolver Query Logging 117
Hosted Zone Monitoring 117
Resolver Endpoints Monitoring 117
Domain Registration Monitoring 118
Summary 118
Exam Essentials 119
Written Labs 119
Written Lab 3.1: Configure Logging for DNS Queries 119
Written Lab 3.2: View DNS Query Metrics for a Public Hosted Zone in the CloudWatch Console 120
Review Questions 121
Elastic Load Balancing 128
Network Load Balancing 129
Application Load Balancing 130
Gateway Load Balancing 131
Classic Load Balancing 132
Network Design 132
High Availability 133
Security 133
ELB Connectivity Patterns 134
Internal Load Balancers 134
External Load Balancers 135
Autoscaling 136
AWS Service Integrations 136
Config 137
Global Accelerator 137
CloudFront 138
Traffic Mirroring 138
VPC Endpoint Services (PrivateLink) 139
Web Application Firewall 139
Route 53 139
Amazon Elastic Kubernetes Service 139
AWS Certificate Manager 140
ELB Configuration Options 141
Proxy Protocol 141
X-Forwarded-For Protocol 142
Cross-Zone Load Balancing 142
Session Affinity and Sticky Sessions 143
Target Groups 145
Routing 146
Target Types 146
IP Address Type 146
Protocol Version 146
Registered Targets 147
Routing Algorithms 147
Deregistration and Connection Draining 147
Deletion Protection 147
Health Checking 149
Slow Start 149
The GENEVE Protocol 149
Encryption and Authentication 151
SSL/TLS Offload 151
TLS Passthrough 151
Summary 152
Exam Essentials 153
Exercises 154
Written Labs 154
Written Lab 4.1: Create a Network Load Balancer 154
Written Lab 4.2: Use the Console to Enable Deletion Protection 155
Written Lab 4.3: Use the Console to Disable Deletion Protection 156
Written Lab 4.4: Enable Application-Based Stickiness 156
Review Questions 157
Chapter 5 Logging and Monitoring 163
CloudWatch 164
Metrics 164
Monitoring Categories 165
Agents 166
Logging 167
Alarms 168
Metric Insights 170
Dashboards 170
Transit Gateway Network Manager 171
VPC Reachability Analyzer 171
Access Logs 173
Elastic Load Balancing 174
Route 53 Logs 175
CloudFront Logs 175
CloudTrail Logs 175
X-Ray 176
X-Ray Traces 176
X-Ray Insights 177
Flow Logs 178
Baseline Network Performance 180
Inspector 180
Application Insights 181
Config 181
Summary 182
Exam Essentials 183
Written Labs 184
Written Lab 5.1: Enable CloudWatch Detailed Monitoring for an Instance That Has Already Been Enabled 184
Written Lab 5.2: Enable CloudWatch Logging from the Web Console 185
Written Lab 5.3: Enable CloudWatch Alarms from the Web Console 185
Written Lab 5.4: Create a VPC Reachability Analyzer from the Web Console 186
Review Questions 187
Part II Network Implementation 191
Chapter 6 Hybrid Networking 193
Hybrid Connectivity 194
OSI Layer 1 194
Optics 196
OSI Layer 2 197
VLANs 198
Link Aggregation 199
Jumbo Frames 200
Encapsulation and Encryption 200
Overlay and Underlay Networks 200
VXLAN 201
Generic Routing Encapsulation 202
IPSec 203
Geneve 205
Routing Fundamentals 205
Static Routing 206
Dynamic Routing 206
The BGP Routing Protocol 206
Direct Connect 211
Direct Connect Gateway 217
Virtual Private Gateway 219
Site-to-Site VPN 220
VPN CloudHub 221
AWS Account Resource Sharing 222
Summary 222
Exam Essentials 223
Exercises 223
Written Labs 224
Written Lab 6.1: Simulate Creating a Direct Connection 224
Written Lab 6.2: Simulate Creating a Site-to-Site VPN Connection 224
Review Questions 226
Chapter 7 Connecting On-Premises Networks 231
On-Premises Network Connectivity 232
VPNs 232
VPN Security 232
Accelerated Site-to-Site VPN Connections 233
Layer 1 and Types of Hardware to Use 235
Direct Connect 235
Direct Connect Locations 235
Letter of Authorization Documents 236
Layer 2 and Layer 3 236
Switching 236
Routing 237
Gateways 238
Software-Defined Networking 239
Transit Gateway 241
PrivateLink 241
Resource Access Manager 241
Testing and Validating Connectivity Between Environments 243
Route Analyzer 243
Reachability Analyzer 243
ICMP ping 243
traceroute 245
Summary 246
Exam Essentials 247
Written Labs 248
Written Lab 7.1: Create a VPN Attachment on a Transit Gateway Using the Console 248
Written Lab 7.2: Perform a traceroute 250
Written Lab 7.3: Use ping 250
Review Questions 251
Chapter 8 Inter-VPC and Multi-account Networking 255
Networking Services of VPCs 256
VPC Sharing 256
VPC Peering 257
Multi-account VPC Sharing 260
PrivateLink 260
Hub-and-Spoke VPC Architectures 261
Transit Gateway 262
Transit Gateway Connect 265
Transit VPCs 266
Wide-Area Networking 266
Software-Defined Wide Area Networking 267
Multiprotocol Label Switching 268
Expanding AWS Networking Connectivity 270
Organizations 271
Resource Access Manager 273
Authentication and Authorization 274
Security Association Markup Language 275
Active Directory 275
Summary 278
Exam Essentials 279
Exercises 280
Review Questions 281
Chapter 9 Hybrid Network Routing and Connectivity 287
Industry-Standard Routing Protocols Used in AWS Hybrid Networks 288
Optimizing Routing 288
Optimizing Dynamic Routing 289
Optimizing Static Routing 290
Route Priorities and Administrative Distance 290
Route Summarization 291
Route Propagation 292
Overlapping Routes 292
BGP Over Direct Connect 294
Connectivity Methods for AWS and Hybrid Networks 294
Direct Connect and Direct Connect Gateway 295
Direct Connect Virtual Interfaces 295
Site-to-Site VPN 296
App Mesh 296
AWS Networking Limits and Quotas 297
Available Private and Public Access Methods for Custom Services 304
PrivateLink 305
VPC Peering 305
Available Inter-Regional and Intra-Regional Communication Patterns 306
Summary 307
Exam Essentials 307
Written Lab 308
Written Lab 9.1: Enable Route Propagation in a VPC 308
Exercises 308
Review Questions 309
Part III Network Management and Operations 315
Chapter 10 Network Automation 317
Network Automation 318
Infrastructure as Code 318
AWS Cloud Development Kit 319
AWS CloudFormation 320
EventBridge 322
AWS Command-Line Interface 322
AWS Software Development Kit 323
Application Programming Interfaces 326
Integrating Network Automation Using Infrastructure as Code 327
Event-Driven Network Automation 328
Automating the Process of Optimizing Cloud Network Resources with IaC 329
Common Problems When Using Hard-Coded Instructions in IaC Templates 330
Creating and Managing Repeatable Network Configurations 330
Integrating Event-Driven Networking Functions 331
Integrating Hybrid Network Automation Options with AWS Native IaC 332
Eliminating Risk and Achieving Efficiency in a Cloud Networking Environment 333
Summary 334
Exam Essentials 335
Exercises 336
Review Questions 337
Chapter 11 Monitor, Analyze, and Optimize Network Traffic 341
Monitoring, Analyzing, and Optimizing AWS Networks 342
Monitor and Analyze Network Traffic to Troubleshoot and Optimize Connectivity Patterns 342
Network Performance Metrics and Reachability Constraints 344
Appropriate Logs and Metrics to Assess Network Performance and Reachability Issues 345
AWS Tools to Collect and Analyze Logs and Metrics 345
AWS Tools to Analyze Routing Patterns and Issues 346
Analyzing Logging Output to Assess Network Performance and Troubleshoot Connectivity 347
Network Topology Mapping 348
Analyzing Packets to Identify Issues 349
Using the Reachability Analyzer for Troubleshooting, Validating, and Automating Connectivity Issues 350
Optimize AWS Networks for Performance, Reliability, and Cost-Effectiveness 351
VPC Peering vs. Transit Gateways 351
Reducing Bandwidth Utilization with Multicast 352
Implementing Multicast Capability Within a VPC and On-Premises Environments 352
Optimizing Route 53 354
Frame Size Optimization Across Different Connection Types 355
Jumbo Frame Support Across Different Connection Types 356
Optimizing Network Throughput 357
Selecting a Network Interface for Best Performance 357
Select Network Connectivity Services That Meet Requirements 358
VPC Subnet Optimization 359
Updating and Optimizing Subnets to Prevent the Depletion of Available IP Addresses in a VPC 360
Updating and Optimizing Subnets for Autoscaling 361
Optimizing Network Performance and Availability Using Caching and Compression 361
Summary 363
Exam Essentials 365
Written Labs 367
Written Lab 11.1: Create a VPC Flow Log 367
Written Lab 11.2: Add a New Subnet to a VPC 367
Written Lab 11.3: Change the MTU on a Linux EC2 Interface 368
Exercises 368
Review Questions 370
Part IV Network Security, Compliance, and Governance 375
Chapter 12 Security, Compliance and Governance 377
Security, Compliance, and Governance 378
Threat Models 380
Common Security Threats 384
Securing Application Flows 385
Network Architectures That Meet Security and Compliance Requirements 386
Securing Inbound Traffic Flows 388
Web Application Firewall 388
Network Firewall 389
Shield 390
Security Groups 391
Network Access Control Lists 391
Securing Outbound Traffic Flows 392
Network Firewall 393
Proxies 393
Gateway Load Balancers 394
Route 53 Resolvers 394
Virtual Private Networks 395
VPC Endpoint Services: PrivateLink 395
Securing Inter-VPC Traffic 396
Network ACLs 396
VPC Endpoint Policies 396
Security Groups 396
Transit Gateway 397
VPC Peering 397
Implementing an AWS Network Architecture to Meet Security and Compliance Requirements 397
Untrusted Networks 397
Perimeter VPC 398
Three-Tier Architecture 399
Hub-and-Spoke Architecture 399
Develop a Threat Model and Identify Mitigation Strategies 399
Compliance Testing 401
Automating Security Incident Reporting and Alerting 402
Summary 403
Exam Essentials 407
Exercises 408
Written Labs 409
Written Lab 12.1: Download an Artifact Report 409
Written Lab 12.2: Request a Public SSL/TLS Certificate from the AWS Console 409
Written Lab 12.3: Review a Security Group Configuration from the AWS Console 410
Review Questions 411
Chapter 13 Network Monitoring and Logging 417
Network Monitoring and Logging Services in AWS 418
AWS CloudTrail 419
VPC Traffic Mirroring 420
VPC Flow Logs 421
Transit Gateway Logging 423
Alerting Mechanisms 426
CloudWatch Alarms 426
Simple Notification Service 427
Log Creation with Different AWS Services 428
Load Balancer Access Logs 429
CloudFront Access Logs 430
Log Delivery Mechanisms 431
Kinesis 432
Route 53 433
CloudWatch 434
Mechanisms to Audit Network Security Configurations 435
Security Groups 436
Firewall Manager 437
Trusted Advisor 437
Traffic Mirroring and Flow Logs 438
Creating and Analyzing VPC Flow Logs 439
Creating and Analyzing Network Traffic Mirroring 441
CloudWatch 441
Implementing Automated Alarms Using CloudWatch 442
Implementing Customized Metrics Using CloudWatch 443
Correlating and Analyzing Information Across Single or Multiple AWS Log Sources 444
Implementing Log Delivery Solutions 445
Implementing a Network Audit Strategy 446
Summary 447
Exam Essentials 448
Exercises 450
Review Questions 452
Chapter 14 Confidentiality and Encryption 457
Confidentiality and Encryption 458
Network Encryption Options Available on AWS 459
VPN Connectivity Over Direct Connect 460
Encryption Methods for Data in Transit 461
Network Encryption and the AWS Shared Responsibility Model 462
Security Methods for DNS Communications 464
Implementing Network Encryption Methods to Meet Application Compliance Requirements 465
IPSec 466
TLS 468
Implementing Encryption Solutions to Secure Data in Transit 470
CloudFront 471
Application Load Balancers and Network Load Balancers 472
Securing AWS Managed Databases 472
Securing Amazon S3 Buckets 475
Securing EC2 Instances 476
Transit Gateway 477
Certificate Management Using a Certificate Authority 479
AWS Certificate Manager and Private Certificate Authority 480
Summary 481
Exam Essentials 483
Exercises 484
Review Questions 485
Appendix Answers to Review Questions 491
Chapter 1: Edge Networking 492
Chapter 2: Domain Name Services 494
Chapter 3: Hybrid and Multi-account DNS 497
Chapter 4: Load Balancing 499
Chapter 5: Logging and Monitoring 502
Chapter 6: Hybrid Networking 505
Chapter 7: Connecting On-Premises Networks 507
Chapter 8: Inter-VPC and Multi-account Networking 509
Chapter 9: Hybrid Network Routing and Connectivity 512
Chapter 10: Network Automation 515
Chapter 11: Monitor, Analyze, and Optimize Network Traffic 518
Chapter 12: Security, Compliance and Governance 520
Chapter 13: Network Monitoring and Logging 524
Chapter 14: Confidentiality and Encryption 527
Index 531