The latest edition of the official study guide for the AWS Advanced Networking certification specialty exam

The newly revised second edition of the AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam delivers an expert review of Amazon Web Services Networking fundamentals as they relate to the ANS-C01 exam. You’ll find detailed explanations of critical exam topics combined with real-world scenarios that will help you build the robust knowledge base you need for the test—and to succeed in the field as an AWS Certified Networking specialist.

Learn about the design, implementation and deployment of AWS cloud-based Networking solutions, core services implementation, AWS service architecture design and maintenance (including architectural best practices), monitoring, Hybrid networks, security, compliance, governance, and network automation. The book also offers one year of free access to Sybex’s online interactive learning environment and expert study tools, featuring flashcards, a glossary of useful terms, chapter tests, practice exams, and a test bank to help you keep track of your progress and measure your exam readiness.

The coveted AWS Advanced Networking credential proves your skills with Amazon Web Services and hybrid IT network architectures at scale. It assesses your ability to apply deep technical knowledge to the design and implementation of AWS Networking services. This book provides you with comprehensive review and practice opportunities so you can succeed on the challenging ANS-C01 exam the first time around. It also offers:

• Coverage of all relevant exam domains and competencies
• Explanations of how to apply the AWS skills discussed within to the real world in the context of an AWS Certified Networking-related career
• Complimentary access to the practical Sybex online learning environment, complete with practice exams, flashcards, a glossary, and test bank

AWS certification proves to potential employers that you have the knowledge and practical skills you need to deliver forward-looking, resilient, cloud-based solutions. The AWS Certified Advanced Networking Study Guide: Specialty (ANS-C01) Exam, 2nd Edition, is your ticket to the next big step in your career.

Introduction xxvii

Assessment Test xxxi

Part I Network Design 1

Chapter 1 Edge Networking 3

Content Distribution Networking 4

CloudFront 4

CloudFront Implementation 6

Caching and Object Retention 6

Invalidations 8

Protocol Support 9

CloudFront Encryption Using SSL/TLS and SNI 10

CloudFront Security 11

Billing 12

Lambda@edge 13

Geo- restriction and Geolocation 13

Global Accelerator 15

Global Accelerator Architecture 17

Custom Routing Accelerator 18

AWS Global Accelerator Pricing 18

Elastic Load Balancers 19

Load Balancer Architectures 19

Listeners 19

Target Groups 20

Health Checking 20

Sticky Connections 20

Proxy Connections 21

Load Balancing Across Different Availability Zones 22

Connection Draining 22

AWS Load Balancer Offerings 23

Application Load Balancers 27

Gateway Load Balancers 29

Network Load Balancer 31

Classic Load Balancers 32

Configuring Elastic Load Balancers 32

API Gateway 33

Rest Api 33

Http Api 34

WebSocket Protocol 34

API Gateway Configuration 34

API Gateway Caching 35

Endpoint Types 35

Security 37

Authentication and Authorization 37

CloudFront Design Considerations 38

Summary 39

Exam Essentials 39

Exercises 40

Written Lab 41

Written Lab 1.1: Create an HTTP API by Using the AWS Management Console 41

Review Questions 42

Chapter 2 Domain Name Services 47

DNS and Route 53 48

DNS Overview 49

Architecture 50

DNS Hierarchy 50

Zones 51

DNS Resolution Process 51

Resource Records 52

Timers 54

Delegations 54

DNSSEC Overview 54

DNS Logging and Monitoring 55

CloudTrail 55

CloudWatch 57

Artificial Intelligence and Machine Learning 57

Redshift 58

Route 53 Advanced Features and Policies 58

Alias Records 58

Resolvers 59

Route 53 Resolver DNS Firewall 60

Health Checks 60

Traffic Routing Policies 61

Simple Routing 61

Multivalue Responses 63

Latency- Based Routing 63

Failover Routing 65

Round- Robin Routing 65

Weighted Routing 66

Geo location 67

Geo- proximity 68

Route 53 Service Integrations 68

Vpc 69

CloudFront 69

Load Balancers 69

Route 53 Application Recovery Controller 70

Hybrid Route 53 70

Multi- account Route 53 71

Multi-Region Route 53 72

Using Route 53 Public Hosted Zones 72

Using Route 53 Private Hosted Zones 73

Using Route 53 Resolver Endpoints in Hybrid and AWS Architectures 73

Using Route 53 for Global Traffic Management 74

Route 53 Failover 75

Domain Registration 75

Required Information to Register a Domain 76

Privacy Protection 78

Route 53 Registration Information 78

Renewing Your Domain 78

Summary 79

Exam Essentials 79

Exercises 80

Review Questions 82

Chapter 3 Hybrid and Multi- account DNS 87

Implementing Hybrid and Multi- account DNS Architectures 88

Route 53 Hosted Zones 88

Private Hosted Zones 89

Public Hosted Zones 89

Traffic Management 90

Latency 93

Geo location 94

Weighted 95

Failover 96

Multivalue 97

Health Checking 97

Domain Delegation and Forwarding 99

Delegating Domains 99

Forwarding Rules 100

Configuring Records in Route 53 100

A Record 101

AAAA Record 102

Cname 102

mx Record 104

SOA Record 104

TXT Record 106

PTR Record 106

Alias Record 106

SRV Record 107

SPF Record 107

NAPTR Record 109

CAA Record 109

Configuring DNSSEC 109

Multi- account Route 53 110

DNS Endpoints 111

Outbound Endpoints 112

Inbound Endpoints 113

Configuring Route 53 Monitoring and Logging 114

CloudTrail API Logging 115

CloudWatch Logging 116

DNS Query Logging 116

Resolver Query Logging 117

Hosted Zone Monitoring 117

Resolver Endpoints Monitoring 117

Domain Registration Monitoring 118

Summary 118

Exam Essentials 119

Written Labs 119

Written Lab 3.1: Configure Logging for DNS Queries 119

Written Lab 3.2: View DNS Query Metrics for a Public Hosted Zone in the CloudWatch Console 120

Review Questions 121

Elastic Load Balancing 128

Network Load Balancing 129

Application Load Balancing 130

Gateway Load Balancing 131

Classic Load Balancing 132

Network Design 132

High Availability 133

Security 133

ELB Connectivity Patterns 134

Internal Load Balancers 134

External Load Balancers 135

Autoscaling 136

AWS Service Integrations 136

Config 137

Global Accelerator 137

CloudFront 138

Traffic Mirroring 138

VPC Endpoint Services (PrivateLink) 139

Web Application Firewall 139

Route 53 139

Amazon Elastic Kubernetes Service 139

AWS Certificate Manager 140

ELB Configuration Options 141

Proxy Protocol 141

X- Forwarded- For Protocol 142

Cross- Zone Load Balancing 142

Session Affinity and Sticky Sessions 143

Target Groups 145

Routing 146

Target Types 146

IP Address Type 146

Protocol Version 146

Registered Targets 147

Routing Algorithms 147

Deregistration and Connection Draining 147

Deletion Protection 147

Health Checking 149

Slow Start 149

The GENEVE Protocol 149

Encryption and Authentication 151

SSL/TLS Offload 151

TLS Passthrough 151

Summary 152

Exam Essentials 153

Exercises 154

Written Labs 154

Written Lab 4.1: Create a Network Load Balancer 154

Written Lab 4.2: Use the Console to Enable Deletion Protection 155

Written Lab 4.3: Use the Console to Disable Deletion Protection 156

Written Lab 4.4: Enable Application- Based Stickiness 156

Review Questions 157

Chapter 5 Logging and Monitoring 163

CloudWatch 164

Metrics 164

Monitoring Categories 165

Agents 166

Logging 167

Alarms 168

Metric Insights 170

Dashboards 170

Transit Gateway Network Manager 171

VPC Reachability Analyzer 171

Access Logs 173

Elastic Load Balancing 174

Route 53 Logs 175

CloudFront Logs 175

CloudTrail Logs 175

X- Ray 176

X- Ray Traces 176

X- Ray Insights 177

Flow Logs 178

Baseline Network Performance 180

Inspector 180

Application Insights 181

Config 181

Summary 182

Exam Essentials 183

Written Labs 184

Written Lab 5.1: Enable CloudWatch Detailed Monitoring for an Instance That Has Already Been Enabled 184

Written Lab 5.2: Enable CloudWatch Logging from the Web Console 185

Written Lab 5.3: Enable CloudWatch Alarms from the Web Console 185

Written Lab 5.4: Create a VPC Reachability Analyzer from the Web Console 186

Review Questions 187

Part II Network Implementation 191

Chapter 6 Hybrid Networking 193

Hybrid Connectivity 194

OSI Layer 1 194

Optics 196

OSI Layer 2 197

VLANs 198

Link Aggregation 199

Jumbo Frames 200

Encapsulation and Encryption 200

Overlay and Underlay Networks 200

VxLan 201

Generic Routing Encapsulation 202

IPSec 203

Geneve 205

Routing Fundamentals 205

Static Routing 206

Dynamic Routing 206

The BGP Routing Protocol 206

Direct Connect 211

Direct Connect Gateway 217

Virtual Private Gateway 219

Site- to- Site VPN 220

VPN CloudHub 221

AWS Account Resource Sharing 222

Summary 222

Exam Essentials 223

Exercises 223

Written Labs 224

Written Lab 6.1: Simulate Creating a Direct Connection 224

Written Lab 6.2: Simulate Creating a Site- to- Site VPN Connection 224

Review Questions 226

Chapter 7 Connecting On- Premises Networks 231

On- Premises Network Connectivity 232

VPNs 232

VPN Security 232

Accelerated Site- to- Site VPN Connections 233

Layer 1 and Types of Hardware to Use 235

Direct Connect 235

Direct Connect Locations 235

Letter of Authorization Documents 236

Layer 2 and Layer 3 236

Switching 236

Routing 237

Gateways 238

Software- Defined Networking 239

Transit Gateway 241

PrivateLink 241

Resource Access Manager 241

Testing and Validating Connectivity Between Environments 243

Route Analyzer 243

Reachability Analyzer 243

ICMP ping 243
traceroute 245

Summary 246

Exam Essentials 247

Written Labs 248

Written Lab 7.1: Create a VPN Attachment on a Transit Gateway Using the Console 248

Written Lab 7.2: Perform a traceroute 250

Written Lab 7.3: Use ping 250

Review Questions 251

Chapter 8 Inter- VPC and Multi- account Networking 255

Networking Services of VPCs 256

VPC Sharing 256

VPC Peering 257

Multi- account VPC Sharing 260

PrivateLink 260

Hub- and- Spoke VPC Architectures 261

Transit Gateway 262

Transit Gateway Connect 265

transit VPCs 266

Wide- Area Networking 266

Software- Defined Wide Area Networking 267

Multi Protocol Label Switching 268

Expanding AWS Networking Connectivity 270

Organizations 271

Resource Access Manager 273

Authentication and Authorization 274

Security Association Markup Language 275

Active Directory 275

Summary 278

Exam Essentials 279

Exercises 280

Review Questions 281

Chapter 9 Hybrid Network Routing and Connectivity 287

Industry- Standard Routing Protocols Used in AWS Hybrid Networks 288

Optimizing Routing 288

Optimizing Dynamic Routing 289

Optimizing Static Routing 290

Route Priorities and Administrative Distance 290

Route Summarization 291

Route Propagation 292

Overlapping Routes 292

BGP Over Direct Connect 294

Connectivity Methods for AWS and Hybrid Networks 294

Direct Connect and Direct Connect Gateway 295

Direct Connect Virtual Interfaces 295

Site- to- Site VPN 296

App Mesh 296

AWS Networking Limits and Quotas 297

Available Private and Public Access Methods for Custom Services 304

PrivateLink 305

VPC Peering 305

Available Inter- Regional and Intra- Regional Communication Patterns 306

Summary 307

Exam Essentials 307

Written Lab 308

Written Lab 9.1: Enable Route Propagation in a VPC 308

Exercises 308

Review Questions 309

Part III Network Management and Operations 315

Chapter 10 Network Automation 317

Network Automation 318

Infrastructure as Code 318

AWS Cloud Development Kit 319

AWS CloudFormation 320

EventBridge 322

AWS Command- Line Interface 322

AWS Software Development Kit 323

Application Programming Interfaces 326

Integrating Network Automation Using Infrastructure as Code 327

Event- Driven Network Automation 328

Automating the Process of Optimizing Cloud Network Resources with IaC 329

Common Problems When Using Hard- Coded Instructions in IaC Templates 330

Creating and Managing Repeatable Network Configurations 330

Integrating Event- Driven Networking Functions 331

Integrating Hybrid Network Automation Options with AWS Native IaC 332

Eliminating Risk and Achieving Efficiency in a Cloud Networking Environment 333

Summary 334

Exam Essentials 335

Exercises 336

Review Questions 337

Chapter 11 Monitor, Analyze, and Optimize Network Traffic 341

Monitoring, Analyzing, and Optimizing AWS Networks 342

Monitor and Analyze Network Traffic to Troubleshoot and Optimize Connectivity Patterns 342

Network Performance Metrics and Reachability Constraints 344

Appropriate Logs and Metrics to Assess Network Performance and Reachability Issues 345

AWS Tools to Collect and Analyze Logs and Metrics 345

AWS Tools to Analyze Routing Patterns and Issues 346

Analyzing Logging Output to Assess Network Performance and Troubleshoot Connectivity 347

Network Topology Mapping 348

Analyzing Packets to Identify Issues 349

Using the Reachability Analyzer for Troubleshooting, Validating, and Automating Connectivity Issues 350

Optimize AWS Networks for Performance, Reliability, and Cost- Effectiveness 351

VPC Peering vs. Transit Gateways 351

Reducing Bandwidth Utilization with Multicast 352

Implementing Multicast Capability Within a VPC and On- Premises Environments 352

Optimizing Route 53 354

Frame Size Optimization Across Different Connection Types 355

Jumbo Frame Support Across Different Connection Types 356

Optimizing Network Throughput 357

Selecting a Network Interface for Best Performance 357

Select Network Connectivity Services That Meet Requirements 358

VPC Subnet Optimization 359

Updating and Optimizing Subnets to Prevent the Depletion of Available IP Addresses in a VPC 360

Updating and Optimizing Subnets for Autoscaling 361

Optimizing Network Performance and Availability Using Caching and Compression 361

Summary 363

Exam Essentials 365

Written Labs 367

Written Lab 11.1: Create a VPC Flow Log 367

Written Lab 11.2: Add a New Subnet to a VPC 367

Written Lab 11.3: Change the MTU on a Linux EC 2

Interface 368

Exercises 368

Review Questions 370

Part IV Network Security, Compliance, and Governance 375

Chapter 12 Security, Compliance and Governance 377

Security, Compliance, and Governance 378                          

Threat Models 380

Common Security Threats 384

Securing Application Flows 385

Network Architectures That Meet Security and Compliance Requirements 386

Securing Inbound Traffic Flows 388

Web Application Firewall 388

Network Firewall 389

Shield 390

Security Groups 391

Network Access Control Lists 391

Securing Outbound Traffic Flows 392

Network Firewall 393

Proxies 393

Gateway Load Balancers 394

Route 53 Resolvers 394

Virtual Private Networks 395

VPC Endpoint Services: PrivateLink 395

Securing Inter- VPC Traffic 396

Network ACLs 396

VPC Endpoint Policies 396

Security Groups 396

Transit Gateway 397

VPC Peering 397

Implementing an AWS Network Architecture to Meet Security and Compliance Requirements 397

Untrusted Networks 397

Perimeter VPC 398

Three- Tier Architecture 399

Hub- and- Spoke Architecture 399

Develop a Threat Model and Identify Mitigation Strategies 399

Compliance Testing 401

Automating Security Incident Reporting and Alerting 402

Summary 403

Exam Essentials 407

Exercises 408

Written Labs 409

Written Lab 12.1: Download an Artifact Report 409

Written Lab 12.2: Request a Public SSL/TLS Certificate from the AWS Console 409

Written Lab 12.3: Review a Security Group Configuration from the AWS Console 410

Review Questions 411

Chapter 13 Network Monitoring and Logging 417

Network Monitoring and Logging Services in AWS 418

AWS CloudTrail 419

VPC Traffic Mirroring 420

VPC Flow Logs 421

Transit Gateway Logging 423

Alerting Mechanisms 426

CloudWatch Alarms 426

Simple Notification Service 427

Log Creation with Different AWS Services 428

Load Balancer Access Logs 429

CloudFront Access Logs 430

Log Delivery Mechanisms 431

Kinesis 432

Route 53 433

CloudWatch 434

Mechanisms to Audit Network Security Configurations 435

Security Groups 436

Firewall Manager 437

Trusted Advisor 437

Traffic Mirroring and Flow Logs 438

Creating and Analyzing VPC Flow Logs 439

Creating and Analyzing Network Traffic Mirroring 441

CloudWatch 441

Implementing Automated Alarms Using CloudWatch 442

Implementing Customized Metrics Using CloudWatch 443

Correlating and Analyzing Information Across Single or Multiple AWS Log Sources 444

Implementing Log Delivery Solutions 445

Implementing a Network Audit Strategy 446

Summary 447

Exam Essentials 448

Exercises 450

Review Questions 452

Chapter 14 Confidentiality and Encryption 457

Confidentiality and Encryption 458

Network Encryption Options Available on AWS 459

VPN Connectivity Over Direct Connect 460

Encryption Methods for Data in Transit 461

Network Encryption and the AWS Shared Responsibility Model 462

Security Methods for DNS Communications 464

Implementing Network Encryption Methods to Meet Application Compliance Requirements 465

IPSec 466

Tls 468

Implementing Encryption Solutions to Secure Data in Transit 470

CloudFront 471

Application Load Balancers and Network Load Balancers 472

Securing AWS Managed Databases 472

Securing Amazon S3 Buckets 475

Securing EC2 Instances 476

Transit Gateway 477

Certificate Management Using a Certificate Authority 479

AWS Certificate Manager and Private Certificate Authority 480

Summary 481

Exam Essentials 483

Exercises 484

Review Questions 485

Appendix Answers to Review Questions 491

Chapter 1: Edge Networking 492

Chapter 2: Domain Name Services 494

Chapter 3: Hybrid and Multi- account DNS 497

Chapter 4: Load Balancing 499

Chapter 5: Logging and Monitoring 502

Chapter 6: Hybrid Networking 505

Chapter 7: Connecting On- Premises Networks 507

Chapter 8: Inter- VPC and Multi- account Networking 509

Chapter 9: Hybrid Network Routing and Connectivity 512

Chapter 10: Network Automation 515

Chapter 11: Monitor, Analyze, and Optimize Network Traffic 518

Chapter 12: Security, Compliance and Governance 520

Chapter 13: Network Monitoring and Logging 524

Chapter 14: Confidentiality and Encryption 527

Index 531