AWS Advanced Networking Specialty 考试心得
过了AWS的网络专项AWS Certified Advanced Networking -Specialty的考试,将学习过程中用到的资料罗列如下。
注: 本文不是完整的学习考试指导,只是记录了我在准备考试的过程中所用到的一些资料和心得。
考试说明
- 考试说明主页
- AWS官方考试步骤的说明网页-包含sample question,Guide的下载地址等
- AWS Certified Advanced Networking - Specialty Exam Guide
- 官方例题下载
- 官方教材购买地址
- 网上也能找得到pdf版本
一些参考资料
- Acloudguru上网络专项的视频教材,前7天免费,可随时取消。 - https://acloud.guru/learn/aws-certified-advanced-networking-specialty
- 练习题: whizlabs上网络专项的练习题 - https://www.whizlabs.com/aws-advanced-networking-speciality/
- 注意: whizlab上的题目仅仅是练习题,不是题库,是用来做考前练习,对知识点进行查漏补缺用的。我在实际考试中没有遇到一道和whizlab上一样的题目。
- 几篇中文的考试心得
- 几个老外的考试心得
- 学习AWS绕不开的一个博客–Jayendra的博客。他的这篇AWS Certified Advanced Networking – Speciality (ANS-C00) Exam Learning Path介绍了网络专项考试中会涉及到的大部分基础知识点,可以帮助理解考试知识点。
- 一个老外的考试心得, 和我一样也是用了AcloudGuru和Whizlabs的材料进行的复习, 文章中对whizlab习题中的知识点做了系统的总结。AWS Advanced Networking Specialty Exam Tips and Tricks
- 老外的考试心得2 AWS Certified Advanced Networking Specialty: Exam Notes and Observations
ACloudguru课程中部分知识点的摘录
DNS Basics
- DNS is a hierarchical and distributed system
- Generic top-level domains such as - .com .net .org .guru (gTLD)
- Country top-level domains - .uk .au .se (ccTLD)
- Sponsored top-level domains - .mil .gov .edu .int (STLD)
- ROOT Servers - 300+ Servers, Geographic Grouping
- 13 AnyCast IP’s -Operated by 12 organisations
- Root Zone - hosted by ROOT servers, holds the xTLD records
- Root Zone is CONTROLLED by IANA and HOSTED by operators
BGP Fundamentals
- BGP - Border Gateway Protocol
- Operater over tcp_179 - ensuring reliable inter-router comms
- Manual peering - no auto discovery - by design
- BGP is a path-vector - not link-state or distance-vector
- Path choice is political - can be flexibly changed
- BGP shares best path to a destination with peers - not every path
- Introduces the concept of AS - Autonomous System
- AS = A set of routers under a single technical administration
- EBGP - External BGP
- IBGP - Internal BGP
- …… dynamically shares routes between peers
MED - Multi-Exit Discriminator
- MOST SPECIFIC wins - 192.168.0.1/32 > 192.168.0.0/24
- FIRST VALID PATH = current best path
- WEIGHT - Local to router and vendor specific - Highest Wins
- LOCAL_PREF - Advertised Internally - Default 100 - Highest Wins
- LOCAL ORIGINATION - learned locally, or from another IGP
- AS_PATH - shortest is preferred.
- ORIGIN_CODE - IGP < EGP < INCOMPLETE >
- MED Metric Attribute - LOWEST PREFERED!!!
- Cisco BGP - https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html
BGP资料
DesignImplementAWSNetwork
- Global and Regional Infrastructure
- VPC and Basic Networking design
- VPC Router
- ENI Elastic IP and Internet Gateway(IGW)
- Security Group and ACL
VPC Peering
- Placement Group can cross VPC Peering now. https://acloud.guru/forums/aws-certified-solutions-architect-professional/discussion/-KR4LfQOK1NBqtdk7hup/span_of_placement_group
VPC Endpoints
- VPC Endpoints Deep Dive
- Endpoints are a region service
- Endpoints aren’t extendable across VPC boundaries
- DNS Resolution is needed within the VPC
- Default VPCE policy is unrestricted - can be locked down
- Controlling access to VPCE via NACL is problematic
- Multiple VPCE’s within a VPC is fine - even for the same service
- VPC Endpoints Policy
- cann’t use “aws:sourceIp”: “X.X.X.X” in policy statement, it won’t match any record
- VPC Endpoints Deep Dive
Hybrid Connectivity Options
- Software VPN
- Widest compatibility - works with anything you can configure
- Can be configured quickly - no physical installation
- Aligns with any strict governance requirements
- You have to manage the instances it runs on - marketplace
- You may have to manage the OS and Product - self-created
- No default resilience
- Inconsistent network latency - public internet
- Inconsistent network performance - Instance or on-premise limit
- AWS Hardware VPN ( AWS VPC -VPN )
- Can be configured quickly - no physical installation
- Resilience by default - active/active active/passive
- Can be combined with Direct Connect (DX)
- No ongoing management required
- Can’t be used between AWS VPC’s - no region-to-region
- Has to be client side initiated
- Inconsistent network latency - public internet
- Inconsistent network performance - at the high end
- Software VPN
Design & Implement Hybrid Networks at scale
- 建立Direct Connect的路径和步骤
| CUSTOMER | AWS | Location Provider | Carrier/Partner | |||
|---|---|---|---|---|---|---|
| 1 | Select Region within AWS Account | N/A | X | |||
| 2 | Order Connection - Specifying 1 or 10GB and DX location | Depends | X | |||
| 3 | Arrange DX port on DX Router and Delver LOA CFA | 3 Days | X | |||
| 4 | Arrange Cross Connect - provide LOA and your Customer port details. OR, your carrier/partner handles | ~1-4 Days | X | X | O | |
| 5 | (optional) physical backhaul from carrier to customer | ~90 days | X | |||
| 6 | Port & Physical Integration | Depends | X | |||
| 7 | Interface creation, configuration, integration | Depends | X |
DX的优点
- Low latency - no public internet or excessive hops
- Consistent & controlled latency
- High performance vs VPNs
- Flexible - Trunks - Multiple VLANs
- Economic per hour port costs
- Reduced DX Data costs.. Vs internet costs (VPN/Public endpoint)
R53 Routing & Resolution Trees
RecordSets aren’t just A, CNAME or other traditional types
ALIAS RecordSets - reference an ALIAS TARGET
S3, ELB, CloudFront, etc.. also RECORDSET GROUPS
Individual RecordSets can have health checks
If they FAIL/UNHEALTHY the recordset is ‘disabled’
RecordSet Group Healthy, if 1…M of its RecordSets are healthy
ALIAS can evaluate its target health … uses ITS health status
Elastic Load Balancer (ELB)
- Defined within HTTPS or SSL listeners
- NO SNI - You can only have one certificate per listener
- Cypher - ELB Encryption Methods
- Custom security policy or Predefined Security Policy
- Certificates can be externally obtained and manually applied
- You own the cert, the purchase, the renewal and replacement
- or.. use ACM - renewal and replacement is automatic
- ELB Access Logs
- PROBLEM: Server Logs ELB, NOT Client IP
- TCP - Proxy Protocol, Application - X-Forwarded-* headers
- ELB Access Logs, Delivered to S3 Bucket & Can be prefixed
- Interval is 60 or 5 minutes - not realtime
- Attributes logged dependant on layer & protocol
- Common - Timestamp, ELB Name, client-ip & port, backend-ip & port, request_processing_time, backend_processing_time, response_processing_time, received bytes, sent bytes
- HTTP - ELB Status Code, Backend Status Code, Request, User Agent
- SSL & HTTPS Only - SSL Cypher, SSL Protocol
- Health Check
- InService or OutOfService
- Requests NOT routed to OutOfService Instances
- ASG - ELB health checks will terminate OutOfService Instances
- HealthCheck Definition, Interval, Healthy Threshold, UnHealthy Threshold
- Ping Protocol - TCP, HTTP, HTTPS, and SSL
- Ping Port
- Ping Path - ‘/index.html’
- Response Timeout
- Response timeout NEEDS to be <= Interval
CloudFront
- CloudFront Geo Restriction
- 3rd Party Geo Restriction
- Complex Restrictions
- Additional Granularity (Zip Code)
- Cross Boundary Restrictions
- Non country loactions (LAT/LONG)
- Combine with non GEO restrictions
- Behiviors
- Private Content - URLs and Cookies
- Web Distributions support Signed Cookies and URLs
- RTMP distributions only support URLs
- Use signed URLs to control access to individual files
- Embedded applications
- Signed URLs WILL change your URLs - this may be a problem
- Signed Cookies WONT change your URLs
- ..allow access control for groups of files
- HTTP Stack needs to support cookies
- SSL
- Access -> Behaviour, SSL Configuration is per distribution
- Viewwe <-> CloudFront
- Option #1 - Default CloudFront Certificate (*.cloudfront.net)
- .. devices need to support TLSv1 or later.
- Option #2 - Custom SSL Cert (acloud.guru)
- Trusted CA, AWS Certificate Manager, Self-Signed
- CloudFront -> Origin
- Origin Name MUST match cert - Custom Origins
- ELB - ACM or Trusted CA - NO Self-Signed
- Non ELB - Trusted CA - NO Self-Signed
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
- Cost
- Price Class
- 100 = United States (US) Canada (CA) and Europe (EU)
- 200 = 100 + Asia
- ALL = 200 + South America (SA) & Australia (AU)
- Balance locality/latency vs Cost\
- Forwarding Headers, Cookies and Query Strings reduces caching efficiency
- AWS Origin -> Edge (Origin Fetch) = FREE
- CF Edge -> Viewer = depends on price class/location
- CF Edge -> Viewer is often CHEAPER than S3 -> Internet
- CF has NO hourly fee/minimum fee
Amazon Workspaces
- Directory Service is associated with TWO subnets - in TWO AZs
- Multiple Directories can be associated with each subnet pair.
- A Workspace is linked to ONE directory
- 1 IP per Subnet
- A Workspace is in ONE subnet/AZ
- Simple AD (Small) 500 Users, 2,000 Objects
- Simple AD (Large) 5,00 Users, 20,000 Objects
- Enterprise AD Supports Trusts & Schema Extension
- AD Connector proxies authentication to a ‘real’ AD Source.
- Remember AD Sites & Services
- Usage
- WebApp - document management and document reviewing
- Mobile Applications - Native
- Workstation based synchronisation app - onedrive/dropbox like
- Browser extensions - web clippers
- Requires a directory service - simple, enterprise, AD Connector
- SSO is possible via setting on directory
- 50 GB free sync space for Workspace user
VPC Flow Logs
- Flow logs capture metadata of IP traffic
- It’s NOT IP DATA, its METADATA about that data.
- SRC Addr, DST Addr, SRC Port, DST Port, PROTOCOL
- Attached to ENI’s, Subnets or VPCs
- Logs - Ingress and Egress
- Logs - Accepted, Rejected or All Traffic
- NOT realtime - several minutes delay
- Logs Data to CloudWatch Logs - Needs IAM Role
- Each Flow = Log Group
- Each ENI = Log Stream
VPC Flow Logs limitation
- Traffic between instances and AWS DNS isn’t captured.
- License activation traffic between WIN and AWS isn’t captured.
- Metadata traffic isn’t captured - EC2 <-> 169.254.169.254
- DHCP traffic between the EC2 instance and AWS DHCP isn’t captured
- Traffic to the reserved IP of the VPC router isn’t captured..
Cost
Enhanced Networking
- Detail info Intel SR-IOV Explanation
- Elastic Network Adaptor (ENA)
- Started in X1 - Now additionally in P2 and M4.16xlarge
- R4, F1, C5 when updated
- 20Gbps Capability immediately
- ..can scale to 400Gbps - same interface/ same driver
- 8 request queues per device - will increase over time with cores
- Significantly improved debug features - custom designed by AWS
- 10 Gbps per TCP stream - inside placement group
- Some newer instances can do this in a region
- From now - placement group = higher single TCP flow rate
- Placement group 10 Gbps, otherwise 5 Gbps
Placement Group
- Limitation and implement
- Placement groups CANNOT span Availability Zones
- A placement groups name is unique.. in your account .. all regions
- Not all instance types are supported i.e the ‘t2.xx’ types
- Try and stick to the same instance type
- You cant move existing instances into a placement group
- .. and you cant merge placement groups .. delete and make new
- Transit TO and FROM external services - limited to 5Gbps
- Always use IPv4 or IPv6 PRIVATE addressing
- Ideally launch ALL instances at the start
- Placement groups CAN work over VPC Peers - but the speed is limited
- Limitation and implement
Aws Shield
- 基础服务免费,advance服务是收费的
- AWS Shield只防护简单普遍的攻击,3层和4层的DDoS攻击,比如UDP floods和TCP SYN floods。7层的攻击比如HTTP floods和DNS floods。复杂的应用层的防护,需要在AWS WAF中自己编写规则。
自己整理的一些知识点
同一个VPC内,使用默认DNS时,解析Public DNS时,会解析到私有地址。
DX: public virtual interface vs private virtual interface VS Hosted virtual interface VS Hosted Connection
- 官方博客What’s the difference between a hosted virtual interface (VIF) and a hosted connection?
- Direct connect中Direct connect Connection / private virtual interface / public virtual interface / Hosted virtual interface / Hosted connection几个概念的阐述
- Direct connect Connection是自己账号申请的connection,可以在connection上建立private virtual interface或者public virtual interface
- Hosted Virtual Interface是自己账号有direct connect Connection,但是可以建立Hosted Virtual Interface给其他account使用
- Hosted connection是Partner为某个account建立的sub-1G的connection,VLAN ID是由partner指定的,端口速度在50~500M之间
- AWS re:Invent 2017: Deep Dive: AWS Direct Connect and VPNs (NET403)中对这几个概念的说明截图如下:
Direct Connect gateway 是什么?
- 7 things you need to know about AWS Direct Connect Gateway
- 官方文档Direct Connect Gateways
- How can I set up a Direct Connect gateway?
- 要点:
- Remember: The VPCs to which you connect through a Direct Connect gateway cannot have overlapping CIDR blocks
- DX Gateway is a global service
- Cannot be used cross account. Cannot be used with public VIFs.
- Cannot be used to send traffic to other VPCs that are connected to the same Gateway. – VPC之间不能通过direct connect gateway来互通
- 连到同一个Direct connect gateway的多个private virtual interface之间不能通信
Route53 - private hosted zone是什么?
- Working with Private Hosted Zones
- In a private hosted zone, you can associate Route 53 health checks only with weighted and failover records
- You can use the following routing policies when you create records in a private hosted zone
- Simple Routing
- Failover Routing
- Multivalue Answer Routing
- Weighted Routing
多VPC之间的连接方式
VPN CloudHub
- AWS VPN CloudHub
- 用处: 各个site可以通过公告自己的路由,来达到互通的效果。
- 要点:
- The hub and spoke model involves creating multiple Customer Gateways, each with a public IP address
- The remote network prefixes for each spoke must have unique ASNs, and the sites must not have overlapping IP ranges
网上找的建立public VIF, private VIF时的截图
- private virtual interface用在direct connect gateway上的截图
- private virtual interface 用在Virtual Private Gateway上的截图
- public virtual interface 截图
- General VIF Creation Requirements
- Name
- Owner
- Connection
- VLAN ID
- BGP Information
- ASN
- BGP MD5 key
- Peer IP’s
- Public VIFs: Choose which prefixes to advertise
- Private VIFs: Jumbo Frame setting
- private virtual interface用在direct connect gateway上的截图
VPN sharing
其他资源
- AWS 知识中心
- Direct Connect相关知识
- aws官方视频如何通过 AWS Direct Connect 连接建立 AWS VPN?
- AWS官方说明-AWS Direct Connect 入门
- 页面下方的两个re:Invent的视频,强烈推荐看一下。
- 使用 AWS Direct Connect 将数据中心扩展到云中 – AWS re:Invent 2017: Extending Data Centers to the Cloud: Connectivity Options and Co (NET301)
- AWS Direct Connect 深入探究 – AWS re:Invent 2017: Deep Dive: AWS Direct Connect and VPNs (NET403)
- 页面下方的两个re:Invent的视频,强烈推荐看一下。
- How do I provision an AWS Direct Connect connection?
- 使用Unbound来解析On-Premise和AWS的DNS请求 – AWS BLOG - How to Set Up DNS Resolution Between On-Premises Networks and AWS by Using Unbound