Network Engineer Partner Learning Plan
Configure and Deploy AWS PrivateLink
AWS PrivateLink is best suited for scenarios where you want to share a single service with many VPCs, connecting them to supported services: AWS Marketplace applications, AWS services, and your own VPCs.
Each EC2 instance can send 1024 packets per second per network interface to Route 53 Resolver (specifically the .2 address, such as 10.0.0.2 and 169.254.169.253). This quota cannot be increased. The number of DNS queries per second supported by Route 53 Resolver varies by the type of query, the size of the response, and the protocol in use.
Gateway Load Balancer
Gateway Load Balancer in a service provider VPC uses the 5-tuple (Source IP, Destination IP, Source Port, Destination Port, and Protocol) of an incoming packet for TCP/UDP traffic, or the 3-tuple (Source IP, Destination IP, and Protocol) for other IP traffic.
It encapsulates the original packet using a Geneve header and embeds the metadata as type-length-value (TLV) options.
Geneve: https://datatracker.ietf.org/doc/rfc8926/
Listener: A listener is a process that checks for connection requests. Listeners for Gateway Load Balancers listen for all IP packets across all ports. You cannot specify a protocol or port when you create a listener for a Gateway Load Balancer.
Target group: This is used to route requests to one or more registered targets. Traffic is forwarded to the target group that is specified in the listener rule.
Target type: This determines the type of target in a target group (a possible target type is Geneve).
Health check: The health check mechanism of the Gateway Load Balancer determines the status of a target in a target group by performing a Layer 4 or Layer 7 health check.
Availability Zone: These are multiple isolated locations within an AWS Region. You can increase the fault tolerance of your applications by configuring multiple Availability Zones for your load balancer.
Cross zone: If cross-zone load balancing is turned on, each load balancer node distributes traffic across the registered targets in all configured Availability Zones. If cross-zone load balancing is turned off, each node distributes traffic across the registered targets in its Availability Zone only.
Application Load Balancer is best suited for load balancing of HTTP and HTTPS traffic and provides advanced request routing targeted at the delivery of modern application architectures, including microservices and containers.
Network Load Balancer is best suited for load balancing of TCP traffic where extreme performance is required. It is capable of handling millions of requests per second while maintaining ultra-low latencies, and it is optimized to handle sudden and volatile traffic patterns.
ELB provides integrated certificate management and SSL/TLS decryption, providing the flexibility to centrally manage the SSL settings of the load balancer and offload CPU intensive work from your workload.
https://aws.amazon.com/pt/elasticloadbalancing/features/#compare
Troubleshooting: Amazon Virtual Private Cloud (Amazon VPC)
You can route all traffic flowing from an internet gateway or virtual private gateway (VGW) to a middlebox appliance. Middlebox (or network) appliances can include an Amazon Elastic Compute Cloud (Amazon EC2) instance, network firewall, Gateway Load Balancer endpoint, or an ENI.
By using a security group, you can allow types of traffic, IP addresses, and destination ports on both ingress and egress.
Security groups have the following characteristics:
- Security groups are stateful, meaning that every connection that a security group evaluates is saved. This is done by using connection-tracking concepts.
- Because security groups are stateful, return and response traffic is automatically allowed.
- You cannot configure explicit denies on a security group.
- All rules are evaluated whether or not they are matched.
A network access control list (ACL) is a type of firewall, which is configured at the subnet level inside of the VPC. 
Network ACLs are stateless, meaning that all request and response traffic is treated as fresh connections. Therefore, it is important to configure both ingress and egress rules to allow both request and response traffic.
You can configure explicit deny rules on a network ACL. These rules are evaluated in order, starting from the lowest rule number to the highest. When a rule matches, no more rules are evaluated.
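As an added example (not part of the original notes), the two evaluation models described above, modeled in Python: a stateful, allow-only security group that evaluates every rule, beside a stateless network ACL that walks rules by number, honours explicit denies, and therefore needs an outbound rule for the ephemeral port a client's reply goes back to. The addresses, ports and rule numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"   # network ACL rules may be "deny"; security group rules are always "allow"
    number: int = 0         # network ACL evaluation order; ignored by security groups

    def matches(self, pkt: Packet, direction: str) -> bool:
        # Inbound rules are matched on the remote source, outbound rules on the remote destination;
        # the port range always refers to the packet's destination port.
        remote = pkt.src if direction == "inbound" else pkt.dst
        return (self.proto in ("-1", pkt.proto)
                and self.from_port <= pkt.dport <= self.to_port
                and ip_address(remote) in ip_network(self.cidr))


@dataclass
class SecurityGroup:
    inbound: List[Rule]
    outbound: List[Rule]
    tracked: Set[Tuple[str, int, str, int, str]] = field(default_factory=set)

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        # Stateful: a packet answering a tracked connection is allowed without consulting the rules.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.tracked:
            return True
        rules = self.inbound if direction == "inbound" else self.outbound
        # All rules are evaluated and any match allows; there is no explicit deny.
        if any(r.matches(pkt, direction) for r in rules):
            self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False


@dataclass
class NetworkAcl:
    inbound: List[Rule]
    outbound: List[Rule]

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        # Stateless: each packet is judged alone, lowest rule number first, first match wins,
        # and the implicit final rule (*) denies whatever nothing matched.
        rules = self.inbound if direction == "inbound" else self.outbound
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(pkt, direction):
                return rule.action == "allow"
        return False


# Constructed scenario: a client on 203.0.113.10 opens HTTPS to 10.0.1.5 and the server answers.
REQUEST = Packet("203.0.113.10", 49152, "10.0.1.5", 443)
REPLY = Packet("10.0.1.5", 443, "203.0.113.10", 49152)

# Outbound ACL rules that only mirror port 443: the reply goes to the client's ephemeral port and is dropped.
MIRRORED_ONLY = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]
# Outbound ACL rules that also allow the ephemeral port range, which stateless filtering needs.
WITH_EPHEMERAL = MIRRORED_ONLY + [Rule("tcp", 1024, 65535, "0.0.0.0/0", number=110)]


def https_round_trip(acl_outbound: List[Rule]) -> Dict[str, Tuple[bool, bool]]:
    """(request allowed, reply allowed) for a security group and a network ACL with the given outbound rules."""
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    acl = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)], outbound=acl_outbound)
    return {
        "security_group": (sg.evaluate(REQUEST, "inbound"), sg.evaluate(REPLY, "outbound")),
        "network_acl": (acl.evaluate(REQUEST, "inbound"), acl.evaluate(REPLY, "outbound")),
    }


def explicit_deny_wins() -> Tuple[bool, bool]:
    """Rule 50 denies one /24 before rule 100 allows everyone: order decides, not specificity."""
    acl = NetworkAcl(
        inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100),
                 Rule("tcp", 443, 443, "203.0.113.0/24", action="deny", number=50)],
        outbound=[],
    )
    blocked = acl.evaluate(Packet("203.0.113.10", 49152, "10.0.1.5", 443), "inbound")
    allowed = acl.evaluate(Packet("198.51.100.7", 49152, "10.0.1.5", 443), "inbound")
    return blocked, allowed


if __name__ == "__main__":
    print(https_round_trip(MIRRORED_ONLY))    # {'security_group': (True, True), 'network_acl': (True, False)}
    print(https_round_trip(WITH_EPHEMERAL))   # {'security_group': (True, True), 'network_acl': (True, True)}
    print(explicit_deny_wins())               # (False, True)
```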
Local subnet routes always take precedence irrespective of more specific routes to targets (except for NAT gateways, network interfaces, or Gateway Load Balancer endpoints).
Of the three types of Amazon VPC endpoints, interface and gateway endpoints connect to AWS services.
An interface endpoint is an ENI with a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to a service that is owned by AWS or by an AWS customer or partner. For a list of AWS services that integrate with AWS PrivateLink, see AWS services that integrate with AWS PrivateLink.
A gateway endpoint is a gateway that is a target for a route in your route table used for traffic destined to either Amazon Simple Storage Service (Amazon S3) or Amazon DynamoDB.
The third type is a Gateway Load Balancer endpoint, which is an ENI with a private IP address from the IP address range of your subnet. It serves as an entry point to intercept traffic and route it to a network or security service that you've configured using a Gateway Load Balancer. You specify a Gateway Load Balancer endpoint as a target for a route in a route table. Gateway Load Balancer endpoints are supported only for endpoint services that are configured using a Gateway Load Balancer.
VPC peering is a type of connection that allows two VPCs in the same or different Regions or accounts to communicate privately over the Amazon network.
VPC peering has the following characteristics:
- Peering does not support overlapping Classless Inter-Domain Routing (CIDR) blocks of two VPCs.
- Peering does not support transitive routing. For example, you cannot route to on-premises networks by peering over a VGW. For examples, and to learn more, see Transitive Peering.
- The maximum transmission unit (MTU) for cross-Region peering is 1500.
- For successful communication, the source and destination VPC route tables must have routes pointing to each other's CIDR through the peering connection.
- Turning on DNS resolution on the peering connection only resolves public IPv4 DNS hostnames to private IPv4 addresses. It does not resolve a private domain name that is attached only to the destination VPC. In addition, DNS hostnames and DNS resolution must be turned on for DNS to work.
VPC Reachability Analyzer is a tool that performs connectivity tests between the source and destination in a VPC. 
The tool does not send packets to test connectivity. Instead, it builds a connectivity model by using an existing configuration. The tool does not support cross-account or cross-Region resources.
Troubleshooting: AWS VPN
Phase 1 supported VPN parameters
IKEv1 Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
IKEv1 Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
IKEv1 DH Groups: 2, and 14-24
Lifetime: 28800 seconds
Dead Peer Detection: Enabled
DPD Interval: 10
DPD Retries: 3
Phase 2 supported VPN parameters
Encryption: AES-128, AES-256, AES128-GCM-16, AES256-GCM-16
Data Integrity: SHA-1, SHA2-256, SHA2-384, SHA2-512
DH groups: 2, 5, and 14-24
Lifetime: 3600 seconds
Perfect Forward Secrecy: Enabled
AWS Billing and Cost Management
Cost Explorer is a Cost Management feature you can use to visualize and better understand your costs and usage. After activating this service, you can review historical cost data spanning the last 12 months, and Cost Explorer can use that data to forecast how much you're likely to spend for the next 12 months. You can view this data at a higher, overall level, or apply a diverse range of filters that empower you to dive deeper for detailed analysis.
AWS Budgets is a Cost Management feature you can use to track and manage your AWS costs. When you create a budget, you effectively create an upper boundary you would like your costs to remain within for a configured time period. You can track cost in depth by adding filters related to AWS services, member accounts, AWS Regions, tags, and more. For example, you might want to monitor the monthly spending for a development environment that has a specific tag attached to each resource.
AWS Network - Monitoring and Troubleshooting
AWS has a monitoring service called CloudWatch, which is covered in more depth in an upcoming lesson. CloudWatch is a monitoring service for AWS Cloud resources and the workloads that run on AWS. CloudWatch can:
- Collect and track metrics, collect and monitor log files, and set alarms.
- Monitor AWS resources such as Amazon EC2 instances and Amazon Relational Database Service (Amazon RDS) database instances, along with custom metrics that your workloads and services generate. CloudWatch also logs files your applications generate.
- Give system-wide visibility into resource usage, application performance, and operational health.
- React quickly and keep your network and workloads running smoothly.
- Automate common workflows to minimize human error and to reduce the time it takes to fix problems.
- Plan for game days, where simulations are conducted in the production environment, to test your alarm solution and ensure that it correctly recognizes issues.
https://docs.aws.amazon.com/wellarchitected/latest/performance-efficiency-pillar/network-architecture-selection.html
https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-network-performance.html
Security monitoring refers to security information monitoring (SIM) and security event monitoring (SEM). It is a process of collecting and analyzing information to detect suspicious behavior or unauthorized system changes on your network. To provide real-time analysis of security alerts generated by applications and network hardware:
- Implement metrics to define which type of behavior will initiate an alert and what action to take.
- Protect your network and environment from hackers, malware, disgruntled employees, careless employees, outdated devices and operating systems.
- Set up continuous security monitoring to act and automate the monitoring of vulnerabilities, cyber threats, and your organization's risk-management decisions.
- Implement real-time visibility in your environment to alert on compromises of security, misconfigurations, and vulnerabilities.
Compliance focuses on the kind of data handled and stored, and examines an organization's security processes. It can have many parts and is based on data type and security processes. Compliance describes the security posture at a single moment in time and compares it to a specific set of regulatory requirements and frameworks from legislation, industry regulations, and standards created from data protection best practices. An organization might have to align with multiple frameworks to ensure compliance with the minimum of the security-related requirements.
Security is a set of technical systems, tools, and processes to protect and defend the information and technology assets of an organization. Security can include physical controls and controls over who has access to a network. Standardized methods and tools provided by vendors can make security simpler than compliance. Compliance is not the primary concern of security.
Security and compliance are different components of a system. Knowing how each relates to data protection on your network is essential.
To monitor your system's performance over time, use related metrics to identify which components are impacting overall performance and efficiency. Using the Performance Efficiency Pillar of the AWS Well-Architected Framework ensures that the resources are performing as expected.
TOOLS:
Amazon CloudWatch is a core supporting service within AWS that provides metrics, logs, and event management services. It is used through other AWS services for health and performance monitoring, log management, and architectures.
VPC Flow Logs is a feature that lets you capture information about the IP traffic going to and from network interfaces in your VPC.
You can use Traffic Mirroring to copy network traffic from an elastic network interface of an Amazon EC2 instance. In addition, you can send the traffic to out-of-band security and monitoring appliances for:
- Content inspection
- Threat monitoring
- Troubleshooting
The VPC Reachability Analyzer is a network diagnostics tool that troubleshoots reachability between two endpoints in an Amazon VPC, or within multiple Amazon VPCs. 
The AWS Transit Gateway Network Manager lets you centrally manage your networks that are built around transit gateways. You can visualize and monitor your global network across Regions and on-premises locations.
AWS CloudTrail is an AWS service that logs all API actions in your account. CloudTrail maintains the audit logs of changes to the AWS account.
There are two types of CloudTrail Events that CloudTrail logs.
- Management Events: By default, CloudTrail logs only management events, such as creating an Amazon EC2 instance or an Amazon VPC. These provide information about management operations.
- Data Events: Data events are not logged by default because they occur much more often than management events. Data events are resource operations on a resource, such as AWS Lambda function invocations or objects uploaded to Amazon S3.
CloudWatch metrics need a CloudWatch agent installed to collect metrics for your Amazon EC2 instances and your on-premises servers.
CloudWatch Logs Insights supports all types of logs. 
For every log sent to CloudWatch Logs, five system fields are automatically generated:
- @message contains the raw, unparsed log event. This is equivalent to the message field in InputLogEvent.
- @timestamp contains the event timestamp from the log event's timestamp field. This is equivalent to the timestamp field in InputLogEvent.
- @ingestionTime contains the time when the log event was received by CloudWatch Logs.
- @logStream contains the name of the log stream that the log event was added to. Log streams group logs that were generated by the same process.
- @log is a log group identifier in the form account-id:log-group-name. This is useful in queries that span multiple log groups, to identify which log group a particular event belongs to.
A CloudWatch query supports:
- One or more query commands separated by Unix-style pipe characters (|).
- Six query commands, along with many supporting functions and operations (including regular expressions, arithmetic operations, comparison operations, numeric functions, datetime functions, string functions, and generic functions).
- Comments: lines in a query that start with the # character are ignored.
- Fields that start with the @ symbol, which are generated by CloudWatch Logs Insights.
Queries time out after five minutes of execution. If your queries are timing out, reduce the time range being searched or partition your query into several queries.
Having ruled out issues on the client-side, you determine that the spillover is happening because the instance is rejecting incoming requests that it cannot handle. Amazon EC2 elastic network interfaces are limited to servicing 1,024 requests simultaneously. Any requests beyond 1,024 are reported as spillover.
Metric alarm states
When you create a CloudWatch alarm that watches a single CloudWatch metric, an alarm invokes actions only when the alarm changes state.
The alarm can be in one of three states:
- OK means the metric is within the defined threshold.
- ALARM means the metric is outside the defined threshold.
- INSUFFICIENT_DATA means not enough data has been gathered yet to determine whether the metric is within or outside the threshold.
VPC Flow Logs is a service that provides visibility in your Amazon VPC by capturing information about the internet protocol (IP) traffic going to and from network interfaces.
VPC Flow Logs collect metadata for all Amazon VPC networks that are used by your workload. Flow log data can be published to Amazon CloudWatch Logs or Amazon Simple Storage Service (Amazon S3). After you've created a flow log, you can retrieve and view its data in the chosen destination.
VPC Flow Logs basics
Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting of fields that describe the traffic flow. Flow logs can be created at three different levels:
- VPC level monitors all activity on every network interface in the VPC.
- Subnet level monitors all activity for a specific subnet.
- Network interface level monitors a specific interface on an Amazon Elastic Compute Cloud (Amazon EC2) instance and captures flow logs from that interface.
You can also create flow logs for network interfaces such as Elastic Load Balancing, NAT gateways, and Transit gateways. If you launch more resources into your subnet after you've created a flow log for your subnet or VPC, a new log stream (for CloudWatch Logs) or log file object (for Amazon S3) is created for each new network interface. This occurs as soon as any network traffic is recorded for that network interface.
https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
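As an added example (not from the course notes or from AWS), a Python parser for the default flow log record format discussed above, with two defensive checks run over constructed sample records: REJECT counts per network interface, and remote addresses that were rejected on several distinct destination ports. The ENI id, account number and addresses in the sample are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Field order of the default flow log record format (version 2). The record field named
# "bytes" is stored as byte_count here so it does not shadow the Python builtin.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "byte_count", "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "byte_count", "start", "end"}


@dataclass(frozen=True)
class FlowRecord:
    version: int
    account_id: str
    interface_id: str
    srcaddr: Optional[str]
    dstaddr: Optional[str]
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]      # IP protocol number: 6 = TCP, 17 = UDP
    packets: Optional[int]
    byte_count: Optional[int]
    start: int
    end: int
    action: Optional[str]        # "ACCEPT" or "REJECT"; None when the record carries no traffic
    log_status: str              # "OK", "NODATA" or "SKIPDATA"


def parse_record(line: str) -> FlowRecord:
    """Parse one space-separated flow log record; '-' marks a field with no value."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    values = {}
    for name, raw in zip(FIELDS, parts):
        if raw == "-":
            values[name] = None
        elif name in INT_FIELDS:
            values[name] = int(raw)
        else:
            values[name] = raw
    return FlowRecord(**values)


def parse_flow_log(text: str) -> List[FlowRecord]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejects_per_interface(records: List[FlowRecord]) -> Dict[str, int]:
    """How many REJECT records each network interface produced."""
    counts: Dict[str, int] = defaultdict(int)
    for r in records:
        if r.action == "REJECT":
            counts[r.interface_id] += 1
    return dict(counts)


def suspicious_sources(records: List[FlowRecord], min_ports: int = 3) -> Dict[str, List[int]]:
    """Sources rejected on at least min_ports distinct destination ports in the window.

    One remote address being turned away on many different ports is the trace a security
    group or network ACL leaves when a host is being probed, and is worth alerting on.
    """
    ports: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r.action == "REJECT" and r.srcaddr is not None and r.dstport is not None:
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample records (not a real capture): three rejected probes from one address,
# an accepted HTTPS exchange in both directions, and a NODATA record for an idle interval.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.5 49152 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.5 49153 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.5 49154 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 51000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 198.51.100.7 443 51000 6 18 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000120 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(rejects_per_interface(recs))   # {'eni-0a1b2c3d4e5f6a7b8': 3}
    print(suspicious_sources(recs))      # {'203.0.113.12': [22, 23, 3389]}
```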
VPC Traffic Mirroring:
- Copies each IP packet, sent or received by an elastic network interface (ENI) on an Amazon EC2 instance, to a traffic mirror target. A traffic mirror target is an out-of-band security appliance, monitoring appliance, or Network Load Balancer.
- Captures and inspects network traffic at scale and provides data for troubleshooting and intrusion detection, along with other types of threat monitoring and content inspection.
https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-targets.html
AWS Network Connectivity Options
Multi-tier architecture
A multi-tier architecture is a grouping of different software components by function, into tiers or layers. There is no limit to the number of tiers, but the most common models use three:
- Presentation tier (user interface)
- Application or logic tier
- Data tier
A VPC endpoint lets you privately connect your VPC to supported AWS services and VPC endpoint services. With VPC endpoints, resources inside a VPC do not require public IP addresses to communicate with resources outside the VPC. Traffic between Amazon Virtual Private Cloud (Amazon VPC) and a service does not leave the Amazon network.
VPC endpoints are a security product first and a connectivity product second. VPC endpoints do not allow traffic between your VPC and the other services to leave the Amazon network.
A VPC endpoint does not require an internet gateway, virtual private gateway, network address translation (NAT) device, virtual private network (VPN) connection, or Direct Connect connection. Instances in your VPC do not require a public IP address to connect to services presented through a VPC endpoint.
A gateway VPC endpoint targets specific IP routes in a VPC route table in the form of a prefix list. This is used for traffic destined to Amazon DynamoDB or Amazon Simple Storage Service (Amazon S3).
Powered by AWS PrivateLink, an interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint service.
AWS PrivateLink considerations
- AWS PrivateLink does not support IPv6.
- Traffic will be sourced from the Network Load Balancer inside the service provider VPC. From the perspective of the service provider application, all IP traffic will originate from the Network Load Balancer. All IP addresses logged by the application will be the private IP addresses of the Network Load Balancer. The service provider application will never see the IP addresses of the customer or service consumer.
- You can activate Proxy Protocol v2 to gain insight into the network traffic. Network Load Balancers use Proxy Protocol v2 to send additional connection information such as the source and destination. This might require changes to the application.
- Endpoint services cannot be tagged.
- The private Domain Name System (DNS) of the endpoint does not resolve outside of the VPC. Private DNS hostnames can be configured to point directly to endpoint network interface IP addresses. Endpoint services are available in the AWS Region in which they are created and can be accessed in remote AWS Regions using inter-Region VPC peering.
- Availability Zone names in a customer account might not map to the same locations as Availability Zone names in another account. For example, the Availability Zone US-East-1A might not be the same Availability Zone as US-East-1A for another account. An endpoint service is configured in Availability Zones according to their mapping in a customer's account.
AWS PrivateLink provides a private connection between your VPCs and supported AWS services. This AWS service provides secure usage within the AWS network and avoids exposing traffic to the public internet. With AWS PrivateLink, services establish a Transmission Control Protocol (TCP) connection between the service provider's VPC and the service consumer's VPC. This provides a secure and scalable solution.
In the following diagram, traffic from Amazon Elastic Compute Cloud (Amazon EC2) instances in private subnets is routed to a Network Load Balancer. The Network Load Balancer is connected to instances in public subnets that communicate with the internet. This architecture permits backend EC2 instances to communicate with the front-end instances through the AWS PrivateLink endpoint. And it avoids the security and cost implications of data traveling through the public internet.
Zonal DNS hostnames support cross-zone load balancing to distribute traffic across registered targets in all activated Availability Zones. With this configuration, be aware that regional data transfer charges might apply for any data that is transferred between Availability Zones.
You have a VPC peering connection between VPC A and VPC B, and between VPC A and VPC C. There is no VPC peering connection between VPC B and VPC C. You cannot route packets directly from VPC B to VPC C through VPC A.
To route packets directly between VPC B and VPC C, you can create a separate VPC peering connection between them, provided they do not have overlapping CIDR blocks.
Direct Connect offers physical connections of 1, 10, and 100 Gbps to support your private connectivity needs to the cloud. Direct Connect supports the Link Aggregation Control Protocol (LACP), facilitating multiple dedicated physical connections to be grouped into link aggregation groups (LAGs). When you group connections into LAGs, you can stream the multiple connections as a single, managed connection. 
Available only in select locations, the 100-Gbps connection is particularly beneficial for applications that transfer large-scale datasets. Such applications include broadcast media distribution, advanced driver assistance systems for autonomous vehicles, and financial services trading and market information systems.
You can have a maximum of two 100-Gbps connections in a LAG, or four connections with a port speed less than 100 Gbps. Each connection in the LAG counts toward your overall connection limit for the Region.
All connections in the LAG must terminate at the same Direct Connect endpoint.
Your network must use single-mode fiber with one of the following:
- 1000BASE-LX (1,310 nm) transceiver for 1-gigabit Ethernet
- 10GBASE-LR (1,310 nm) transceiver for 10-gigabit Ethernet
- 100GBASE-LR4 for 100-gigabit Ethernet
Auto-negotiation for the port must be deactivated. Port speed and full-duplex mode must be configured manually.
802.1Q VLAN encapsulation must be supported across the entire connection, including intermediate devices.
Your device must support Border Gateway Protocol (BGP) and BGP MD5 authentication.
Direct Connect supports three different virtual interfaces:
- A private virtual interface permits traffic to be routed to any VPC resource in the same private IP space as the virtual interface.
- A public virtual interface permits traffic to be routed to any VPC or AWS regional resource with a public IP address in the same Region.
- A transit virtual interface permits traffic to be routed to any VPC or AWS regional resource routable through an AWS Transit Gateway in the same Region.
One AWS Site-to-Site VPN connection consists of two tunnels. Each tunnel terminates in a different Availability Zone on the AWS side, but it must terminate on the same customer gateway on the customer side.
A virtual private gateway is the VPN concentrator on the Amazon side of the AWS Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the AWS Site-to-Site VPN connection.
A transit gateway is a transit hub that can be used to interconnect your VPCs and on-premises networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the AWS Site-to-Site VPN connection.
IPv6 traffic is partially supported. AWS Site-to-Site VPN supports IPv4/IPv6 dual-stack through separate tunnels for inner traffic. IPv6 is not supported for the outer tunnel connection.
AWS Site-to-Site VPN does not support Path MTU Discovery. The greatest Maximum Transmission Unit (MTU) available on the inside tunnel interface is 1,399 bytes.
Throughput of AWS Site-to-Site VPN connections is limited. When terminating on a virtual private gateway, only one tunnel out of the pair can be active and carry a maximum of 1.25 Gbps. However, real-life throughput will be about 1 Gbps. When terminating on AWS Transit Gateway, both tunnels in the pair can be active and carry an aggregate maximum of 2.5 Gbps. However, real-life throughput will be 2 Gbps. Each flow (for example, TCP stream) will still be limited to a maximum of 1.25 Gbps, with a real-life value of about 1 Gbps.
AWS Site-to-Site VPN terminating on AWS Transit Gateway supports equal-cost multi-path routing (ECMP) and multi-exit discriminator (MED) across tunnels in the same or different connections. ECMP is supported only for Site-to-Site VPN connections activated on an AWS Transit Gateway. MED is used to identify the primary tunnel for Site-to-Site VPN connections that use BGP.
Client VPN supports IPv4 traffic only. IPv6 is not supported.
Security Assertion Markup Language (SAML) 2.0-based federated authentication only works with an AWS-provided client v1.2.0 or later.
SAML integration with AWS Single Sign-On requires a workaround. Better integration is being worked on. 
Client CIDR ranges must have a block size of at least /22 and must not be greater than /12.
A Client VPN endpoint does not support subnet associations in a dedicated tenancy VPC.
A portion of the addresses in the client CIDR range is used to support the availability model of the Client VPN endpoint and cannot be assigned to clients. Therefore, we recommend that you assign a CIDR block that contains twice the number of required IP addresses. This will ensure the maximum number of concurrent connections that you plan to support on the Client VPN endpoint.
The client CIDR range cannot be changed after you create the Client VPN endpoint. 
The subnets associated with a Client VPN endpoint must be in the same VPC.
You cannot associate multiple subnets from the same Availability Zone with a Client VPN endpoint.
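As an added example (not from the course notes or from AWS), the Client VPN sizing and association rules above turned into two checks: the smallest client CIDR prefix that holds twice the planned connections while staying within the /22 to /12 limits, and a validation that proposed subnet associations sit in one VPC with at most one subnet per Availability Zone. The subnet dictionaries are a constructed shape, not an AWS API response.

```python
from typing import Dict, List

# Client CIDR block size limits from the notes above: at least /22, no larger than /12.
MIN_PREFIX, MAX_PREFIX = 12, 22


def client_cidr_prefix(required_connections: int) -> int:
    """Longest prefix (smallest block) whose address count is at least twice the connections planned.

    Doubling is the sizing rule above: part of the range serves the endpoint's availability
    model and is never handed to clients. Raises if no permitted block is large enough.
    """
    if required_connections < 1:
        raise ValueError("plan for at least one connection")
    needed = 2 * required_connections
    # ceil(log2(needed)) without floating point: the bit length of (needed - 1)
    host_bits = (needed - 1).bit_length()
    prefix = 32 - host_bits
    if prefix > MAX_PREFIX:
        return MAX_PREFIX   # /22 is the smallest block allowed, even for a handful of clients
    if prefix < MIN_PREFIX:
        raise ValueError(f"{required_connections} connections need a block larger than /{MIN_PREFIX}")
    return prefix


def association_problems(subnets: List[Dict[str, str]]) -> List[str]:
    """Check proposed subnet associations: all in one VPC, at most one subnet per Availability Zone.

    Each subnet is a dict with 'id', 'vpc' and 'az' keys (constructed shape). Returns the list
    of problems found; an empty list means the associations are acceptable.
    """
    problems: List[str] = []
    vpcs = sorted({s["vpc"] for s in subnets})
    if len(vpcs) > 1:
        problems.append("subnets span more than one VPC: " + ", ".join(vpcs))
    first_in_az: Dict[str, str] = {}
    for s in subnets:
        if s["az"] in first_in_az:
            problems.append(f"{s['id']} and {first_in_az[s['az']]} are both in {s['az']}")
        else:
            first_in_az[s["az"]] = s["id"]
    return problems


if __name__ == "__main__":
    print(client_cidr_prefix(100))    # 22
    print(client_cidr_prefix(1000))   # 21
    print(association_problems([
        {"id": "subnet-aaa", "vpc": "vpc-1", "az": "us-east-1a"},
        {"id": "subnet-bbb", "vpc": "vpc-1", "az": "us-east-1a"},
    ]))                                # ['subnet-bbb and subnet-aaa are both in us-east-1a']
```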
AWS Transit Gateway supports the following connections: 
- One or more VPCs
- A compatible Software-Defined Wide Area Network (SD-WAN) appliance
- A Direct Connect gateway
- A peering connection with another transit gateway
- A VPN connection to a transit gateway
AWS Transit Gateway supports an MTU of 8,500 bytes for:
- VPC connections
- Direct Connect connections
- Connections to other transit gateways
- Peering connections
AWS Transit Gateway supports an MTU of 1,500 bytes for VPN connections.
A VPC, VPN connection, or Direct Connect gateway can dynamically propagate routes to a transit gateway route table. With a Direct Connect attachment, the routes are propagated to a transit gateway route table by default.
With a VPC, you must create static routes to send traffic to the transit gateway.
With a VPN connection or a Direct Connect gateway, routes are propagated from the transit gateway to your on-premises router using BGP.
With a peering attachment, you must create a static route in the transit gateway route table to point to the peering attachment.
AWS offers two types of peering connections for routing traffic between VPCs in different Regions: VPC peering and transit gateway peering. Both peering types are one-to-one, but transit gateway peering connections have a simpler network design and more consolidated management.
AWS Security Best Practices: Network Infrastructure
Note: When leveraging a default VPC, your default VPC CIDR is 172.31.0.0/16, and your default subnets are created as /20 subnets.
- Private IP blocks are only reachable by the virtual private gateway (covered in the next lesson) and cannot be accessed over the internet through the internet gateway.
- AWS does not advertise customer-owned IP address blocks to the internet by default.
- You can allocate an Amazon-provided IPv6 CIDR block to a VPC.
VPC peering is point-to-point connectivity, and it does not support transitive routing.
VPC peering is best for situations where:
- Resources in one VPC must communicate with resources in another VPC.
- The environment of both VPCs is controlled and secured.
- The number of VPCs to be connected is less than 10.
- VPC peering offers the lowest overall cost compared to other options for inter-VPC connectivity.
A VPC endpoint makes connections between a VPC and supported services without requiring that you use an internet gateway, NAT device, VPN connection, Direct Connect connection, or public infrastructure. VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components.
There are different types of VPC endpoints used to connect to supported AWS services: interface endpoints, Gateway Load Balancer Endpoints, and gateway endpoints.
A gateway endpoint is a gateway that is a target for a route in your route table used for traffic destined to either Amazon Simple Storage Service (Amazon S3) or Amazon DynamoDB. There is no charge for using gateway endpoints, and Amazon S3 supports both gateway endpoints and interface endpoints.
https://docs.aws.amazon.com/vpc/latest/tgw/tgw-best-design-practices.html
AWS Cloud WAN simplifies building and operating VPCs and wide area networks that connect your data centers and branch offices. AWS Cloud WAN is a great way to unify your AWS and on-premises networks to reduce complexity. You can also increase security with traffic policies, segmentation, and visibility over your entire network on a single dashboard.
Cloud WAN is a good choice if you are building VPCs across multiple Regions (either for disaster recovery or multi-Region applications), if you are planning to extend SD-WAN to AWS, or if you want to replace or augment part of your existing network with the AWS backbone.
The Amazon provided DNS server is at the 169.254.169.253 IPv4 address (or the reserved IP address at the base of the VPC IPv4 network range plus two).
- If you need to be able to allow traffic from the internet to find your AWS resources, but you do not want to manage your own DNS, you can use a public hosted zone.
- If you need to use DNS names within your various VPCs to refer to resources (but these DNS names will not be reachable from the internet), you can use a private hosted zone.
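The default VPC note above (172.31.0.0/16 carved into /20 subnets) and the Amazon DNS address (VPC base plus two, or 169.254.169.253) are easy to get wrong when sizing subnets or reading flow logs. The following Python is an added example, not part of the course material and not AWS code: it uses the standard ipaddress module to validate a VPC CIDR, list the addresses AWS reserves in a subnet, compute the resolver addresses, and enumerate the default VPC's /20 subnets. The /16 to /28 VPC size limit and the five reserved addresses per subnet are AWS behaviour I am stating from knowledge, not something the page says; all sample CIDRs are constructed.

```python
import ipaddress

# Addresses AWS reserves in every subnet (known AWS behaviour, not from the page):
# the network address, the VPC router at base+1, the Amazon-provided DNS at base+2,
# base+3 reserved for future use, and the subnet broadcast address. The page gives
# the resolver as the VPC base plus two, or the link-local 169.254.169.253.
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS (Route 53 Resolver)",
    3: "reserved for future use",
}
LINK_LOCAL_RESOLVER = "169.254.169.253"
DEFAULT_VPC_CIDR = "172.31.0.0/16"   # from the page
DEFAULT_SUBNET_PREFIX = 20           # default subnets are /20 (from the page)


def is_valid_vpc_cidr(cidr: str) -> bool:
    """A VPC CIDR must be a proper network address (no host bits set) with a
    prefix between /16 and /28 inclusive (AWS limit, stated as known behaviour)."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError:
        return False
    return 16 <= net.prefixlen <= 28


def reserved_addresses(subnet_cidr: str) -> dict:
    """Map each reserved role to the concrete address in this subnet."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    out = {label: str(net.network_address + off) for off, label in RESERVED_OFFSETS.items()}
    out["broadcast"] = str(net.broadcast_address)
    return out


def resolver_addresses(vpc_cidr: str) -> tuple:
    """Both addresses at which instances can reach the Amazon DNS resolver."""
    net = ipaddress.IPv4Network(vpc_cidr, strict=True)
    return (str(net.network_address + 2), LINK_LOCAL_RESOLVER)


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses left for ENIs after the four low reserved addresses and broadcast."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    return net.num_addresses - len(RESERVED_OFFSETS) - 1


def default_vpc_subnets() -> list:
    """The /20 subnets a default VPC's /16 can hold, as the console would create them."""
    net = ipaddress.IPv4Network(DEFAULT_VPC_CIDR)
    return [str(s) for s in net.subnets(new_prefix=DEFAULT_SUBNET_PREFIX)]


def is_resolver_destination(vpc_cidr: str, dst: str) -> bool:
    """Handy when triaging VPC Flow Logs: is this destination the Amazon resolver?"""
    return dst in resolver_addresses(vpc_cidr)


if __name__ == "__main__":
    print(reserved_addresses("10.0.0.0/24"))
    print(resolver_addresses(DEFAULT_VPC_CIDR), usable_hosts("10.0.0.0/28"))
    print(len(default_vpc_subnets()), "default subnets, first:", default_vpc_subnets()[0])
```

The usable-host figure is the reason a /28 yields only 11 addresses; planning subnets from the raw block size alone under-counts the reservation on every subnet.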
Know the limitations of applying network ACLs before configuring them. For example, there is a default limit of 20 rules per list for both inbound and outbound network ACLs. AWS can provide additional rules on request, but the absolute maximum is 40.
Default security group (default state):
- Permits inbound traffic from network interfaces and instances that are assigned to the same security group. (rule present)
- Permits all outbound traffic (rule present)
Custom security group (default state):
- Permits no inbound traffic (no rule present)
- Permits all outbound traffic (rule present)
Security groups only support "ALLOW":
- Many firewall systems (including AWS network ACLs) will have "DENY" rules or options; security groups block everything unless there is a rule specifically allowing it to go through.
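To make the difference between the two filters concrete, here is an added Python example (mine, not from the course or from AWS) that models the evaluation semantics described above: a security group is an unordered allow-list with an implicit deny, while a network ACL is an ordered list where the lowest-numbered matching rule wins and an implicit deny sits at the end. It also checks a rule list against the 20-rule default and 40-rule maximum quoted earlier, and includes an audit helper that flags a deny rule shadowed by a lower-numbered broad allow, which is the usual way a network ACL deny silently fails to take effect. The Packet and Rule shapes, the sample rule sets and the sample addresses are all constructed for the example.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet: only the fields the rule match needs."""
    src: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int          # inclusive port range; ignored when proto == "-1"
    to_port: int
    cidr: str               # source CIDR the rule applies to
    action: str = "allow"   # network ACL rules may also be "deny"; security groups are always "allow"
    number: int = 0         # network ACL rule number; unused for security groups


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Shared match on protocol, destination port and source CIDR."""
    if rule.proto != "-1":
        if rule.proto != pkt.proto:
            return False
        if not (rule.from_port <= pkt.dport <= rule.to_port):
            return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.cidr)


def sg_allows(rules, pkt: Packet) -> bool:
    """Security group semantics: any matching rule admits the packet; with no match
    it is dropped. There is no deny rule to write, and order is irrelevant."""
    return any(rule_matches(r, pkt) for r in rules)


NACL_DEFAULT_RULE_LIMIT = 20   # default per-direction limit quoted on the page
NACL_HARD_RULE_LIMIT = 40      # absolute maximum AWS will raise it to


def nacl_rule_count_ok(rules, limit: int = NACL_DEFAULT_RULE_LIMIT) -> bool:
    """Pre-flight check so a deployment does not fail on the rule quota."""
    return len(rules) <= limit


def nacl_decides(rules, pkt: Packet) -> str:
    """Network ACL semantics: evaluate in ascending rule number, first match wins;
    the trailing implicit '*' rule denies anything left unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, pkt):
            return r.action
    return "deny"


def find_shadowed_denies(rules) -> list:
    """Audit helper: deny rules that a lower-numbered allow with the same protocol,
    a covering port range and a covering CIDR will always match first."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, deny in enumerate(ordered):
        if deny.action != "deny":
            continue
        deny_net = ipaddress.ip_network(deny.cidr)
        for allow in ordered[:i]:
            ports_cover = allow.proto == "-1" or (
                allow.from_port <= deny.from_port and deny.to_port <= allow.to_port)
            if (allow.action == "allow" and allow.proto in ("-1", deny.proto)
                    and ports_cover and deny_net.subnet_of(ipaddress.ip_network(allow.cidr))):
                shadowed.append(deny.number)
                break
    return shadowed


# Constructed sample policies
SG_RULES = [
    Rule("tcp", 443, 443, "10.0.0.0/8"),     # HTTPS from the internal range only
    Rule("tcp", 22, 22, "10.0.100.0/24"),    # SSH from a bastion subnet
]

NACL_RULES = [
    Rule("tcp", 22, 22, "203.0.113.0/24", action="deny", number=100),  # block a noisy range first
    Rule("tcp", 22, 22, "0.0.0.0/0", action="allow", number=110),
    Rule("tcp", 443, 443, "0.0.0.0/0", action="allow", number=120),
]

# Same intent, but the deny was numbered above the broad allow: the allow at 110
# matches first and the deny at 130 is never reached.
SHADOWED_NACL_RULES = [
    Rule("tcp", 22, 22, "0.0.0.0/0", action="allow", number=110),
    Rule("tcp", 443, 443, "0.0.0.0/0", action="allow", number=120),
    Rule("tcp", 22, 22, "203.0.113.0/24", action="deny", number=130),
]

if __name__ == "__main__":
    print(sg_allows(SG_RULES, Packet("203.0.113.5", "tcp", 443)))          # False, no deny needed
    print(nacl_decides(NACL_RULES, Packet("203.0.113.5", "tcp", 22)))      # deny
    print(nacl_decides(SHADOWED_NACL_RULES, Packet("203.0.113.5", "tcp", 22)))  # allow
    print(find_shadowed_denies(SHADOWED_NACL_RULES))                       # [130]
```

Running find_shadowed_denies over exported network ACL rules is a cheap review step before relying on a deny entry; the model above deliberately ignores statefulness, so return traffic for a network ACL still has to be allowed explicitly in the opposite direction.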
AWS Network Firewall is a managed network protection service that provides the following:
- Stateful firewall
- Web filtering
- Intrusion protection
- Central management and visibility
- Rule management and customization
- Partner integrations
AWS Network - Practical Approaches
To apply traffic-filtering logic in an Amazon VPC, you can route traffic symmetrically to a firewall endpoint. This firewall endpoint is similar to a PrivateLink VPC interface endpoint. The key difference is that the firewall can be a route table target. The firewall endpoint is deployed into a dedicated subnet of an Amazon VPC. For high availability and to scale this design, you can allocate a subnet per Availability Zone with the firewall inside. 
The transit gateway is a prerequisite and will act as a network hub to simplify the connectivity between the Amazon VPCs and on premises. For the return traffic from the firewall endpoint, a single Amazon VPC route table is configured for a default route towards AWS Transit Gateway. Traffic is returned to the transit gateway in the same Availability Zone after it has been inspected by the firewall.
Getting Started with Network Load Balancer
Network Load Balancers function at Layer 4 of the Open Systems Interconnection (OSI) model. They are ideal for both TCP and UDP load balancing. Network Load Balancer targets can be Amazon EC2 instances, microservices, containers, Application Load Balancers, or any servers on an on-premises network.
Certificate selection is based on the following criteria in the following order:
- Public key algorithm: Prefer Elliptic Curve Digital Signature Algorithm (ECDSA) over Rivest-Shamir-Adleman (RSA)
- Hashing algorithm: Prefer Secure Hash Algorithm (SHA) over Message Digest Algorithm 5 (MD5)
- Key length: Prefer the largest
- Validity period
Sticky sessions (source IP address affinity) are a mechanism to route requests from the same client to the same target.
Exam Prep Standard Course: AWS Certified Advanced Network Engineer Partner
Quota.pdf
Amazon VPC quotas - Amazon Virtual Private Cloud https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
1 of 13 25/08/2023, 10:40