AWS Solutions Architect Associate (SAA) 2018 – V

VPC

Currently, you can create 200 subnets per VPC.
 
The minimum size of a subnet is a /28 (or 14 IP addresses) for IPv4. Subnets cannot be larger than the VPC in which they are created.
 
There are no additional charges for creating and using the VPC itself. Usage charges for other Amazon Web Services, including Amazon EC2, still apply at published rates for those resources, including data transfer charges. If you connect your VPC to your corporate datacenter using the optional hardware VPN connection, pricing is per VPN connection-hour (the amount of time you have a VPN connection in the “available” state). Partial hours are billed as full hours. Data transferred over VPN connections will be charged at standard AWS Data Transfer rates.
 
In AWS, there are 5 IP addresses in each subnet that are reserved and which you cannot use. The first 4 IP addresses and the last IP address in each subnet CIDR block are not available in your VPC.
 
  • .0 is the network address
  • .1 is the AWS VPC router
  • .2 is reserved by AWS
  • .3 is reserved by AWS for future use
  • .255 is the broadcast address
 
How many hosts are available in a /27?

1. Subtract the mask number from 32:

(32 – 27) = 5

2. Raise 2 to the power of the answer from step 1:

2^5 = (2 * 2 * 2 * 2 * 2) = 32
 
A CIDR block of 172.0.0.0/27 has 27 usable IP addresses. Take note that a netmask of /27 originally provides you with 32 IP addresses, but in AWS there are 5 IP addresses that are reserved which you cannot use. The first 4 IP addresses and the last IP address in each subnet CIDR block are not available in your VPC, which means that you always have to subtract 5 IP addresses, hence 32 – 5 = 27.
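The calculation above, as an added Python example that is not part of the original notes: it applies the five reserved addresses to any IPv4 subnet and also checks the /28 minimum and that the subnet fits inside its VPC CIDR. The function and constant names are my own.

```python
# Added example (not from the original notes): usable host count of an AWS VPC
# subnet, applying the five reserved addresses described above and validating
# the subnet against the AWS limits the notes mention.
import ipaddress
from typing import Dict, Optional

AWS_RESERVED_PER_SUBNET = 5  # the first four addresses plus the last one


def reserved_addresses(subnet_cidr: str) -> Dict[str, str]:
    """Return the five addresses AWS reserves in an IPv4 subnet, keyed by purpose."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    first = int(net.network_address)
    return {
        "network address": str(ipaddress.ip_address(first)),
        "VPC router": str(ipaddress.ip_address(first + 1)),
        "reserved by AWS": str(ipaddress.ip_address(first + 2)),
        "future use": str(ipaddress.ip_address(first + 3)),
        "broadcast (last address)": str(net.broadcast_address),
    }


def aws_usable_hosts(subnet_cidr: str, vpc_cidr: Optional[str] = None) -> int:
    """Usable host addresses in an AWS subnet: 2 ** (32 - prefix) minus the 5 reserved.

    Raises ValueError when the subnet is smaller than /28 (the AWS minimum) or,
    if vpc_cidr is given, when the subnet does not fit inside that VPC range.
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.version != 4:
        raise ValueError("this calculation covers IPv4 subnets only")
    if net.prefixlen > 28:
        raise ValueError(f"{subnet_cidr}: AWS subnets cannot be smaller than /28")
    if vpc_cidr is not None:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        if not net.subnet_of(vpc):
            raise ValueError(f"{subnet_cidr} does not fit inside VPC CIDR {vpc_cidr}")
    total = 2 ** (32 - net.prefixlen)       # steps 1 and 2 from the notes
    return total - AWS_RESERVED_PER_SUBNET  # AWS keeps 5 addresses in every subnet


if __name__ == "__main__":
    print(aws_usable_hosts("172.0.0.0/27"))  # 27
    for purpose, addr in reserved_addresses("172.0.0.0/27").items():
        print(f"{addr:<16} {purpose}")
```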
 
Am I charged for network bandwidth between instances in different subnets?
 
If the instances reside in subnets in different Availability Zones, you will be charged $0.01 per GB for data transfer.
 
Can I attach or detach one or more network interfaces to an EC2 instance while it’s running?
 
Yes.
 
 
Can I attach a network interface in one Availability Zone to an instance in another Availability Zone?
 
Network interfaces can only be attached to instances residing in the same Availability Zone.
 
Can I use Elastic Network Interfaces as a way to host multiple websites requiring separate IP addresses on a single instance?
 
Yes, however, this is not a use case best suited for multiple interfaces. Instead, assign additional private IP addresses to the instance and then associate EIPs to the private IPs as needed.
 
How much do VPC peering connections cost?
 
There is no charge for creating VPC peering connections, however, data transfer across peering connections is charged.

Components

 
  • Subnet
  • Internet Gateway
    • An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
  • NAT Gateway
    • You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
  • Egress-Only Internet Gateway
    • An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.
  • NAT Instance
    • You can use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the internet.
  • Customer Gateway
    • An Amazon VPC VPN connection links your data center (or network) to your VPC. A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance.
  • Virtual Private Gateway
    • The anchor on the AWS side of the VPN connection is called a virtual private gateway.
  • Network Access Control List
  • Security Groups

ACL


Network ACLs process rules strictly by rule number, evaluating them in order until a matching rule is found.
Evaluation starts with the lowest-numbered rule. As soon as a rule matches the traffic, it is applied regardless of any higher-numbered rule that may contradict it.
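An added Python simulation of that ordering (not code from the original notes): rules are sorted by number and the first match decides, so in the constructed rule table a lower-numbered deny for port 22 silently shadows the higher-numbered allow for the internal range. The rule numbers, CIDRs and helper names are constructed for illustration.

```python
# Added example (not from the original notes): a small simulator of how a network
# ACL picks a rule. Lowest number first, first match wins, and anything that no
# numbered rule matches falls through to the implicit "*" deny.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class NaclRule:
    number: int             # evaluation order, lowest first
    protocol: str           # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, int]  # inclusive port range; ignored for "icmp" and "all"
    cidr: str               # source CIDR (inbound) or destination CIDR (outbound)
    action: str             # "allow" or "deny"


# The implicit "*" catch-all that AWS places after every numbered rule.
DEFAULT_DENY = NaclRule(number=32768, protocol="all", ports=(0, 65535),
                        cidr="0.0.0.0/0", action="deny")


def matches(rule: NaclRule, address: str, protocol: str, port: int) -> bool:
    """True when the packet's protocol, port and address all fall within the rule."""
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.protocol in ("tcp", "udp") and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule.cidr)


def evaluate(rules: List[NaclRule], address: str, protocol: str, port: int) -> NaclRule:
    """Return the rule that decides the packet: lowest number first, first match wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, address, protocol, port):
            return rule
    return DEFAULT_DENY


def shadowed_rules(rules: List[NaclRule]) -> List[int]:
    """Numbers of rules that can never match, because a lower-numbered rule
    already covers their protocol, their whole port range and their whole CIDR."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            same_proto = earlier.protocol in ("all", later.protocol)
            covers_ports = earlier.protocol in ("all", "icmp") or (
                earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1])
            covers_cidr = ipaddress.ip_network(later.cidr).subnet_of(
                ipaddress.ip_network(earlier.cidr))
            if same_proto and covers_ports and covers_cidr:
                shadowed.append(later.number)
                break
    return shadowed


# Constructed inbound rule set. Rule 110 is meant to block SSH from the internet,
# but because it is numbered below rule 120 it also blocks SSH from 10.0.0.0/16.
INBOUND = [
    NaclRule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", (22, 22), "0.0.0.0/0", "deny"),
    NaclRule(120, "tcp", (22, 22), "10.0.0.0/16", "allow"),  # unreachable for port 22
]

# The same intent with the specific allow numbered ahead of the broad deny.
INBOUND_FIXED = [
    NaclRule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    NaclRule(105, "tcp", (22, 22), "10.0.0.0/16", "allow"),
    NaclRule(110, "tcp", (22, 22), "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    print(evaluate(INBOUND, "10.0.1.5", "tcp", 22).number)         # 110: the deny wins
    print(evaluate(INBOUND_FIXED, "10.0.1.5", "tcp", 22).number)   # 105
    print(shadowed_rules(INBOUND), shadowed_rules(INBOUND_FIXED))  # [120] []
```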

Network Firewall

With AWS Network Firewall, you can implement customized rules to prevent your VPCs from accessing unauthorized domains, to block thousands of known-bad IP addresses, or identify malicious activity using signature-based detection. AWS Network Firewall makes firewall activity visible in real-time via CloudWatch metrics and offers increased visibility of network traffic by sending logs to S3, CloudWatch, and Kinesis Firehose. Network Firewall is integrated with AWS Firewall Manager, giving customers who use AWS Organizations a single place to enable and monitor firewall activity across all your VPCs and AWS accounts. Network Firewall is interoperable with your existing security ecosystem, including AWS partners such as CrowdStrike, Palo Alto Networks, and Splunk. You can also import existing rules from community maintained Suricata rulesets.

https://aws.amazon.com/es/blogs/aws/aws-network-firewall-new-managed-firewall-service-in-vpc/

NAT Gateway vs NAT Instance

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html

Peering

A VPC peering connection is a one-to-one relationship between two VPCs. You can create multiple VPC peering connections for each VPC that you own, but transitive peering relationships are not supported.

https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html

Ranges

Default VPCs are assigned a CIDR range of 172.31.0.0/16. Default subnets within a default VPC are assigned /20 netblocks within the VPC CIDR range. 
 
Currently, Amazon VPC supports five (5) IP address ranges, one (1) primary and four (4) secondary for IPv4. Each of these ranges can be between /28 (in CIDR notation) and /16 in size. The IP address ranges of your VPC should not overlap with the IP address ranges of your existing network.
 
For IPv6, the VPC is a fixed size of /56 (in CIDR notation). A VPC can have both IPv4 and IPv6 CIDR blocks associated with it.

Difference between EC2-Classic and EC2-VPC

  • EC2-Classic: AWS releases the public and private IPv4 addresses for the instance when you stop the instance and assigns new ones when you restart it.
  • EC2-VPC: The instance retains its private IPv4 addresses and any IPv6 addresses when stopped and restarted. AWS releases the public IPv4 address and assigns a new one when you restart it.
  • EC2-Classic: AWS disassociates any Elastic IP address that’s associated with the instance. You’re charged for Elastic IP addresses that aren’t associated with an instance. When you restart the instance, you must associate the Elastic IP address with the instance; AWS doesn’t do this automatically.
  • EC2-VPC: The instance retains its associated Elastic IP addresses. You’re charged for any Elastic IP addresses associated with a stopped instance.

ClassicLink

What is ClassicLink?
 
Amazon Virtual Private Cloud (VPC) ClassicLink allows EC2 instances in the EC2-Classic platform to communicate with instances in a VPC using private IP addresses. To use ClassicLink, enable it for a VPC in your account, and associate a Security Group from that VPC with an instance in EC2-Classic. All the rules of your VPC Security Group will apply to communications between instances in EC2-Classic and instances in the VPC. 

ENI vs ENA vs EFA

ENI

It’s basically a virtual network card, with:

  • A primary private IPv4 address
  • One or more secondary IPv4 addresses
  • One Elastic IP address
  • One or more IPv6 addresses
  • One or more Security Groups
  • A MAC address
  • A source/destination check flag
  • A description

EN (Enhanced Networking)

  • Single Root I/O Virtualization (SR-IOV)
  • High I/O performance and low CPU utilization
  • Higher bandwidth
  • Higher PPS (packets per second)
  • No additional charge
  • Used when you need good network performance
  • Can be enabled by
    • Elastic Network Adapter (ENA)
      • Up to 100 Gbps
    • Intel 82599 Virtual Function
      • Up to 10 Gbps
      • Older instance types

EFA

  • Used for HPC or machine learning applications
  • Allows applications to bypass the OS kernel and talk directly to the EFA device
  • Lower, more consistent latency and higher throughput
  • Linux only

Elastic IP Addresses

 
You can have one Elastic IP (EIP) address associated with a running instance at no charge. If you associate additional EIPs with that instance, you will be charged for each additional EIP associated with that instance per hour on a pro-rata basis. Additional EIPs are only available in Amazon VPC.
 
To ensure efficient use of Elastic IP addresses, we impose a small hourly charge when these IP addresses are not associated with a running instance or when they are associated with a stopped instance or unattached network interface. 

VPN SITE-TO-SITE

A Site-to-Site VPN is a network connection that allows your VPC to communicate with your on-premises network.

 


You can create additional VPN connections to other VPCs using the same customer gateway device. You can reuse the same customer gateway IP address for each of those VPN connections.
 
When you create a VPN connection, the VPN tunnel comes up when traffic is generated from your side of the VPN connection. The virtual private gateway is not the initiator; your customer gateway must initiate the tunnels. AWS VPN endpoints support rekey and can start renegotiations when phase 1 is about to expire if the customer gateway hasn’t sent any renegotiation traffic.
 
 

Flow Logs

Allow you to capture information about the network traffic in your VPC.

  • You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
  • You can tag them
  • After creation, you can’t change the configuration
  • Not all traffic is captured:
    • Traffic generated when instances contact the Amazon DNS server (traffic to your own DNS server is captured)
    • Traffic generated by a Windows instance for Amazon Windows license activation
    • Traffic to and from 169.254.169.254
    • DHCP traffic
    • Traffic to the reserved IP address for the default VPC router

Global Accelerator

Global Accelerator is a service in which you create accelerators to improve the availability and performance of your applications for local and global users.

It provides you with two static IP addresses to associate with your accelerator.

 

  • Static IP address
  • Accelerator
  • DNS Name
  • Network Zone
  • Listener
  • Endpoint Group
  • Endpoint

UPDATE

2019

  • VPC Traffic Mirroring: you can now capture and inspect network traffic with this feature. You can detect and filter unusual patterns of behavior that could indicate an intrusion in your VPC. It monitors packets transmitted between source and destination, and you can even monitor packets exchanged between resources in different AWS accounts.
  • Shared VPC supports new services: a shared VPC allows other AWS accounts to create resources like EC2 instances and Lambda functions in a centrally managed VPC. It suits companies that segregate environments such as production and development into different accounts. Newly supported: AWS Glue, AWS Elastic MapReduce, and Aurora Serverless database clusters.
  • Site-to-Site VPN supports digital certificates: you can use ACM to manage and deploy the certificates.
  • VPC Flow Logs: you can now include additional metadata like VPC ID, subnet ID, subnet mask, etc.

2018

  • NLB (layer 4) accepts connections coming over AWS VPN
  • On-premises networks can access PrivateLink over AWS VPN (previously only with Direct Connect)
  • VPC peering now supports inter-region peering
  • VPCs can now be shared across AWS accounts (you can allow other AWS accounts to create resources like EC2 and RDS in a centrally managed VPC, only in the subnets they need. Great for customers with multiple accounts: users of other AWS accounts can access the VPC and create resources without managing their own VPC)
  • The new Client VPN gives you secure access to on-premises or AWS networks with an OpenVPN client installed on your local machine. Fully managed, highly available, pay-as-you-go, and supports AD as well.
PrivateLink

  • The best way to expose a service VPC to tens, hundreds, or thousands of customer VPCs
  • Does not require VPC peering, NAT, gateways, etc.
  • It does require a Network Load Balancer in the service VPC and an ENI in the customer VPC

It’s similar to the AWS Direct Connect service in that it establishes private connections to the AWS cloud, except Direct Connect links users’ on-premises environments to AWS. PrivateLink, on the other hand, secures traffic from users’ VPC environments, which are already in AWS.

AWS PrivateLink enables customers to access services hosted on AWS in a highly available and scalable manner while keeping all the network traffic within the AWS network. Service users can privately access services powered by PrivateLink from their Amazon Virtual Private Cloud (VPC) or their on-premises networks, without using public IPs and without requiring the traffic to traverse the Internet. Service owners can register their Network Load Balancers with PrivateLink and provide the services to other AWS customers.

VPC endpoints

Allow communication between instances in your VPC and supported services without availability risks or bandwidth constraints.

 

There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint required by the supported service.

Endpoints are virtual devices: horizontally scaled, redundant, and highly available.

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.

A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. Supported services:

  • Amazon S3
  • DynamoDB
 

Transit Gateway

  • Allows you to have transitive peering between thousands of VPCs and on-premises data centers
  • Works on a regional basis, but it is possible to use it across multiple regions
  • You can use it across multiple AWS accounts with RAM
  • You can use route tables to limit which VPCs can talk to each other
  • Works with Direct Connect and VPN connections as well
  • Supports IP multicast

 

VPN CloudHub


  • If you have multiple sites, each with its own VPN connection, you can use CloudHub to connect those sites together
  • Low cost, easy to manage
  • Operates over the public Internet, but traffic is encrypted

CLIENT VPN

UPDATE

2019

  • Now supports MFA for AD: you can now enable MFA for your users using AWS Client VPN and Active Directory. This adds a second layer of defense by prompting the user for additional factors, such as verifying a push notification or an email OTP.

 

Direct Connect

 
VPN is a great connectivity option for businesses that are just getting started with AWS. It is quick and easy to set up. Keep in mind, however, that VPN connectivity utilizes the public Internet, which can have unpredictable performance and, despite being encrypted, can present security concerns.

AWS Direct Connect bypasses the public Internet and establishes a secure, dedicated connection from your infrastructure into AWS. This dedicated connection occurs over a standard 1 Gbps or 10 Gbps Ethernet fiber-optic cable with one end of the cable connected to your router and the other to an AWS Direct Connect router. AWS has established these Direct Connect routers in large colocation facilities across the world, providing access to all AWS regions. With established connectivity via AWS Direct Connect, you can access your Amazon VPC and all AWS services.
 

 

Direct Connect Gateway

You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more VPCs in your account that are located in the same or different regions. You associate a Direct Connect gateway with the virtual private gateway for the VPC and then create a private virtual interface for your AWS Direct Connect connection to the Direct Connect gateway. You can attach multiple private virtual interfaces to your Direct Connect gateway. A Direct Connect gateway is a globally available resource. You can create the Direct Connect gateway in any public region and access it from all other public regions.

Example:

A leading insurance firm has a VPC in the US East (N. Virginia) region for their head office in New York and another VPC in the US West (N. California) for their regional office in California. There is a requirement to establish a low latency, high-bandwidth connection between their on-premises data center in Chicago and both of their VPCs in AWS.

As the SysOps Administrator of the firm, how could you implement this in a cost-effective manner?

Answer: Set up an AWS Direct Connect connection to the on-premises data center. Launch a new AWS Direct Connect Gateway with a virtual private gateway and connect the VPCs from the US East and US West regions.

 

UPDATE

2019

  • Resource-based authorization, tag-based authorization and tagging on resource creation
    • You can now define IAM policies that specify fine-grained permissions for AWS Direct Connect Dedicated and Hosted connections, Interconnects, Link Aggregation Groups and virtual interfaces, improving security through these granular access control features.
    • With resource-level authorization, you can configure IAM policies that reference AWS Direct Connect Dedicated and Hosted connections, Interconnects, Link Aggregation Groups and virtual interfaces, specifying the users and actions that are permitted on those resources.
    • Using tag-based permissions you can tag a Dedicated connection based on business units and limit control over those resources to the members of that business unit.
    • Tag on resource creation: when new resources are created with tags, the corresponding IAM permissions are applied automatically.

ROUTE53

A brief explanation of the SOA record fields

  • The name of the server that supplied the data for the zone.
  • The administrator of the zone.
  • The current version of the data file.
  • The number of seconds a secondary name server should wait before checking for updates.
  • The number of seconds a secondary name server should wait before retrying a failed zone transfer.
  • The maximum number of seconds that a secondary name server can use data before it must either be refreshed or expire.
  • The default time-to-live (TTL), in seconds, for resource records.

ns-1695.awsdns-19.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400

Types of policies in Route53

  • Simple
  • Weighted
  • Latency
  • Failover
  • Geolocation
  • Geoproximity routing (Traffic Flow)
  • Multivalue answer routing

Weighted Policy

Lets you split your traffic based on different weights assigned previously.

Latency

  • Allows you to route traffic based on the lowest network latency for your end user.
  • Does not guarantee, however, that users in the same geographic region will be served from the same location
  • To use latency-based routing you have to create latency records for your resources in multiple AWS Regions.
  • Use latency records when you have resources in multiple AWS Regions and you want to route traffic to the Region that provides the best latency

Geolocation

  • Serves traffic based on the geographic location of your users, meaning the location that DNS queries originate from
  • Works by mapping IP addresses to locations. Some IP addresses aren’t mapped to geographic locations, so Route 53 will receive some DNS queries from locations that it can’t identify.
  • Use it when you want to route traffic based on the location of your users
    • localize your content
    • restrict distribution of content to only the locations in which you have rights
    • useful for balancing load across endpoints in a predictable, easy-to-manage way

GeoProximity

  • Routes traffic to your resources based on the geographic location of your users and resources.
  • You can route more or less traffic to a resource by specifying a value known as bias.
  • To use geoproximity routing, you must use Route 53 Traffic Flow.
    • if you want to route traffic to AWS resources, you can set the AWS Region where the resource was created
    • if you want to route traffic to non-AWS resources, you can enter the latitude and longitude of the resource

Failover Policy

Used when you want to create an active-passive setup. You should create a health check for each of your endpoints.

 

Types of health checks

Health checks that monitor an endpoint.

Health checks that monitor an endpoint. You can configure a health check that monitors an endpoint that you specify either by IP address or by domain name. At regular intervals that you specify, Route 53 submits automated requests over the internet to your application, server, or other resource to verify that it’s reachable, available, and functional. Optionally, you can configure the health check to make requests similar to those that your users make, such as requesting a web page from a specific URL.

Health checks that monitor other health checks

Health checks that monitor other health checks (calculated health checks). You can create a health check that monitors whether Route 53 considers other health checks healthy or unhealthy. One situation where this might be useful is when you have multiple resources that perform the same function, such as multiple web servers, and your chief concern is whether some minimum number of your resources are healthy. You can create a health check for each resource without configuring notification for those health checks. Then you can create a health check that monitors the status of the other health checks and that notifies you only when the number of available web resources drops below a specified threshold.

Health checks that monitor CloudWatch alarms.

Health checks that monitor CloudWatch alarms. You can create CloudWatch alarms that monitor the status of CloudWatch metrics, such as the number of throttled read events for an Amazon DynamoDB database or the number of Elastic Load Balancing hosts that are considered healthy. After you create an alarm, you can create a health check that monitors the same data stream that CloudWatch monitors for the alarm.

https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-types.html

 

Alias

Route53’s DNS implementation connects user requests to infrastructure running inside (and outside) of Amazon Web Services (AWS). For example, if you have multiple web servers running on Amazon Elastic Compute Cloud (Amazon EC2) instances behind an Elastic Load Balancing load balancer, Route53 will route all traffic addressed to your website (e.g. www.example.com) to the load balancer DNS name (e.g. elb1234.elb.amazonaws.com).

Additionally, Route53 supports the alias resource record set, which lets you map your zone apex (e.g. example.com) DNS name to your load balancer DNS name. IP addresses associated with Elastic Load Balancing can change at any time due to scaling or software updates. Route53 responds to each request for an alias resource record set with one IP address for the load balancer.

 

ROA

You can bring part or all of your public IPv4 address range from your on-premises network to your AWS account. You continue to own the address range, but AWS advertises it on the Internet. After you bring the address range to AWS, it appears in your account as an address pool. You can create an Elastic IP address from your address pool and use it with your AWS resources, such as EC2 instances, NAT gateways, and Network Load Balancers. This is also called “Bring Your Own IP Addresses (BYOIP)”.

To ensure that only you can bring your address range to your AWS account, you must authorize Amazon to advertise the address range and provide proof that you own the address range.

IAM

  • Centralised control of your AWS account
    • IAM is universal. It does not apply to regions.
    • New users have no permissions when first created
    • New users are assigned an Access Key ID & Secret Access Key when first created
    • These are different from the password
    • You can only view the Secret Access Key at creation time
  • Granular permissions
  • Identity Federation (including Active Directory, Facebook, etc.)
  • MFA
  • Provides temporary access to users, devices and services where necessary
  • Allows you to set up your own password rotation policy
  • Integrated with many AWS services
  • Supports PCI DSS compliance
  • IAM has
    • Users
    • Groups
      • A group cannot be specified as a principal. A group is not considered an identity and is used merely for managing users.
    • Policies
    • Roles

Service Linked Role

A service-linked role is a unique type of IAM role that is linked directly to an AWS service. Service-linked roles are predefined by the service and include all the permissions that the service requires to call other AWS services on your behalf. … Or it might require that you use IAM to create or delete the role.

https://docs.aws.amazon.com/IAM/latest/UserGuide/using-service-linked-roles.html

Active Directory services compatible with Microsoft AD

AWS Managed Microsoft AD

  • AD Domain Controllers (DCs) running Windows Server
  • Reachable by your applications in your VPC
  • You can add extra DCs for more performance
  • You have exclusive access to the DCs. No other AWS customers share these DCs.
  • You can connect it to your existing on-premises AD using an AD trust

Shared responsibility model

  • AWS
    • performs backups
    • enforces HA
    • instance rotation
    • patch, monitor, recover
  • User
    • you need to create users, groups, GPOs
    • standard AD tools
    • scale out DCs
    • trusts
    • certificate authorities (LDAP)
    • federation

Simple AD

Baby brother of AD

  • Standalone directory in the cloud
  • Basic AD features
  • Types
    • Small = < 500 users
    • Large = < 5000 users
  • For Linux workloads that need LDAP
  • Does not support trusts (can’t join an on-premises AD)

AD connector

  • Best choice when you want to use your current on-premises AD with compatible AWS services. Think of it as a directory gateway or proxy.
  • Avoids caching information in the cloud
  • Allows on-premises users to log in to AWS using AD
  • Allows you to join EC2 instances to your existing AD domain
  • Scales across multiple AD Connectors

Active Directory services not compatible with Microsoft AD

Cloud Directory

  • Directory store intended for developers
  • Multiple hierarchies with millions of objects
  • Use cases: org charts, course catalogs, device registries
  • Fully managed service

Amazon Cognito User pools

  • Managed user directory for SaaS applications
  • Used for sign-in and sign-up on web or mobile applications
  • Works with social media identities
