AWS Advanced Networking Specialty 考试心得

过了AWS的网络专项AWS Certified Advanced Networking -Specialty的考试，将学习过程中用到的资料罗列如下。
注: 本文不是完整的学习考试指导，只是记录了我在准备考试的过程中所用到的一些资料和心得。

考试说明

考试说明主页
AWS官方考试步骤的说明网页-包含sample question，Guide的下载地址等
AWS Certified Advanced Networking - Specialty Exam Guide
官方例题下载
官方教材购买地址
- 网上也能找得到pdf版本

一些参考资料

Acloudguru上网络专项的视频教材,前7天免费，可随时取消。 - https://acloud.guru/learn/aws-certified-advanced-networking-specialty
练习题: whizlabs上网络专项的练习题 - https://www.whizlabs.com/aws-advanced-networking-speciality/
- 注意: whizlab上的题目仅仅是练习题，不是题库，是用来做考前练习，对知识点进行查漏补缺用的。我在实际考试中没有遇到一道和whizlab上一样的题目。
几篇中文的考试心得
- IT茶馆的博客顺利通过AWS Certified Advanced Networking – Specialty考试
- 经验分享: 成功通过AWS Advanced Networking Specialty认证考试
几个老外的考试心得
- 学习AWS绕不开的一个博客–Jayendra的博客。他的这篇AWS Certified Advanced Networking – Speciality (ANS-C00) Exam Learning Path介绍了网络专项考试中会涉及到的大部分基础知识点，可以帮助理解考试知识点。
- 一个老外的考试心得, 和我一样也是用了AcloudGuru和Whizlabs的材料进行的复习, 文章中对whizlab习题中的知识点做了系统的总结。AWS Advanced Networking Specialty Exam Tips and Tricks
- 老外的考试心得2 AWS Certified Advanced Networking Specialty: Exam Notes and Observations

ACloudguru课程中部分知识点的摘录

DNS Basics
- DNS is a hierarchical and distributed system
- Generic top-level domains such as - .com .net .org .guru (gTLD)
- Country top-level domains - .uk .au .se (ccTLD)
- Sponsored top-level domains - .mil .gov .edu .int (STLD)
- ROOT Servers - 300+ Servers, Geographic Grouping
- 13 AnyCast IP’s -Operated by 12 organisations
- Root Zone - hosted by ROOT servers, holds the xTLD records
- Root Zone is CONTROLLED by IANA and HOSTED by operators
BGP Fundamentals
- BGP - Border Gateway Protocol
- Operater over tcp_179 - ensuring reliable inter-router comms
- Manual peering - no auto discovery - by design
- BGP is a path-vector - not link-state or distance-vector
- Path choice is political - can be flexibly changed
- BGP shares best path to a destination with peers - not every path
- Introduces the concept of AS - Autonomous System
- AS = A set of routers under a single technical administration
- EBGP - External BGP
- IBGP - Internal BGP
- …… dynamically shares routes between peers

MED - Multi-Exit Discriminator
- MOST SPECIFIC wins - 192.168.0.1/32 > 192.168.0.0/24
- FIRST VALID PATH = current best path
- WEIGHT - Local to router and vendor specific - Highest Wins
- LOCAL_PREF - Advertised Internally - Default 100 - Highest Wins
- LOCAL ORIGINATION - learned locally, or from another IGP
- AS_PATH - shortest is preferred.
- ORIGIN_CODE - IGP < EGP < INCOMPLETE >
- MED Metric Attribute - LOWEST PREFERED!!!
- Cisco BGP - https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13753-25.html
BGP资料
DesignImplementAWSNetwork
- Global and Regional Infrastructure
- VPC and Basic Networking design
- VPC Router
- ENI Elastic IP and Internet Gateway(IGW)
- Security Group and ACL

VPC Peering
- Placement Group can cross VPC Peering now. https://acloud.guru/forums/aws-certified-solutions-architect-professional/discussion/-KR4LfQOK1NBqtdk7hup/span_of_placement_group
VPC Endpoints
- VPC Endpoints Deep Dive
  - Endpoints are a region service
  - Endpoints aren’t extendable across VPC boundaries
  - DNS Resolution is needed within the VPC
  - Default VPCE policy is unrestricted - can be locked down
  - Controlling access to VPCE via NACL is problematic
  - Multiple VPCE’s within a VPC is fine - even for the same service
- VPC Endpoints Policy
  - cann’t use “aws:sourceIp”: “X.X.X.X” in policy statement, it won’t match any record

Hybrid Connectivity Options
- Software VPN
  - Widest compatibility - works with anything you can configure
  - Can be configured quickly - no physical installation
  - Aligns with any strict governance requirements
  - You have to manage the instances it runs on - marketplace
  - You may have to manage the OS and Product - self-created
  - No default resilience
  - Inconsistent network latency - public internet
  - Inconsistent network performance - Instance or on-premise limit
- AWS Hardware VPN ( AWS VPC -VPN )
  - Can be configured quickly - no physical installation
  - Resilience by default - active/active active/passive
  - Can be combined with Direct Connect (DX)
  - No ongoing management required
  - Can’t be used between AWS VPC’s - no region-to-region
  - Has to be client side initiated
  - Inconsistent network latency - public internet
  - Inconsistent network performance - at the high end
Design & Implement Hybrid Networks at scale
- 建立Direct Connect的路径和步骤

			CUSTOMER	AWS	Location Provider	Carrier/Partner
1	Select Region within AWS Account	N/A	X
2	Order Connection - Specifying 1 or 10GB and DX location	Depends	X
3	Arrange DX port on DX Router and Delver LOA CFA	3 Days		X
4	Arrange Cross Connect - provide LOA and your Customer port details. OR, your carrier/partner handles	~1-4 Days	X		X	O
5	(optional) physical backhaul from carrier to customer	~90 days				X
6	Port & Physical Integration	Depends	X
7	Interface creation, configuration, integration	Depends	X

DX的优点
- Low latency - no public internet or excessive hops
- Consistent & controlled latency
- High performance vs VPNs
- Flexible - Trunks - Multiple VLANs
- Economic per hour port costs
- Reduced DX Data costs.. Vs internet costs (VPN/Public endpoint)

R53 Routing & Resolution Trees
- RecordSets aren’t just A, CNAME or other traditional types
- ALIAS RecordSets - reference an ALIAS TARGET
- S3, ELB, CloudFront, etc.. also RECORDSET GROUPS
- Individual RecordSets can have health checks
- If they FAIL/UNHEALTHY the recordset is ‘disabled’
- RecordSet Group Healthy, if 1…M of its RecordSets are healthy
- ALIAS can evaluate its target health … uses ITS health status

Elastic Load Balancer (ELB)
- Defined within HTTPS or SSL listeners
- NO SNI - You can only have one certificate per listener
- Cypher - ELB Encryption Methods
- Custom security policy or Predefined Security Policy
- Certificates can be externally obtained and manually applied
- You own the cert, the purchase, the renewal and replacement
- or.. use ACM - renewal and replacement is automatic
- ELB Access Logs
  - PROBLEM: Server Logs ELB, NOT Client IP
  - TCP - Proxy Protocol, Application - X-Forwarded-* headers
  - ELB Access Logs, Delivered to S3 Bucket & Can be prefixed
  - Interval is 60 or 5 minutes - not realtime
  - Attributes logged dependant on layer & protocol
  - Common - Timestamp, ELB Name, client-ip & port, backend-ip & port, request_processing_time, backend_processing_time, response_processing_time, received bytes, sent bytes
  - HTTP - ELB Status Code, Backend Status Code, Request, User Agent
  - SSL & HTTPS Only - SSL Cypher, SSL Protocol
- Health Check
  - InService or OutOfService
  - Requests NOT routed to OutOfService Instances
  - ASG - ELB health checks will terminate OutOfService Instances
  - HealthCheck Definition, Interval, Healthy Threshold, UnHealthy Threshold
  - Ping Protocol - TCP, HTTP, HTTPS, and SSL
  - Ping Port
  - Ping Path - ‘/index.html’
  - Response Timeout
  - Response timeout NEEDS to be <= Interval
CloudFront
- CloudFront Geo Restriction
- 3rd Party Geo Restriction
  - Complex Restrictions
  - Additional Granularity (Zip Code)
  - Cross Boundary Restrictions
  - Non country loactions (LAT/LONG)
  - Combine with non GEO restrictions
- Behiviors
  - Header caching
    - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html
- Private Content - URLs and Cookies
  - Web Distributions support Signed Cookies and URLs
  - RTMP distributions only support URLs
  - Use signed URLs to control access to individual files
  - Embedded applications
  - Signed URLs WILL change your URLs - this may be a problem
  - Signed Cookies WONT change your URLs
  - ..allow access control for groups of files
  - HTTP Stack needs to support cookies
- SSL
  - Access -> Behaviour, SSL Configuration is per distribution
  - Viewwe <-> CloudFront
  - Option #1 - Default CloudFront Certificate (*.cloudfront.net)
  - .. devices need to support TLSv1 or later.
  - Option #2 - Custom SSL Cert (acloud.guru)
  - Trusted CA, AWS Certificate Manager, Self-Signed
  - CloudFront -> Origin
  - Origin Name MUST match cert - Custom Origins
  - ELB - ACM or Trusted CA - NO Self-Signed
  - Non ELB - Trusted CA - NO Self-Signed
  - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-requirements.html
- Cost
  - Price Class
  - 100 = United States (US) Canada (CA) and Europe (EU)
  - 200 = 100 + Asia
  - ALL = 200 + South America (SA) & Australia (AU)
  - Balance locality/latency vs Cost\
  - Forwarding Headers, Cookies and Query Strings reduces caching efficiency
  - AWS Origin -> Edge (Origin Fetch) = FREE
  - CF Edge -> Viewer = depends on price class/location
  - CF Edge -> Viewer is often CHEAPER than S3 -> Internet
  - CF has NO hourly fee/minimum fee
Amazon Workspaces
- Directory Service is associated with TWO subnets - in TWO AZs
- Multiple Directories can be associated with each subnet pair.
- A Workspace is linked to ONE directory
- 1 IP per Subnet
- A Workspace is in ONE subnet/AZ
- Simple AD (Small) 500 Users, 2,000 Objects
- Simple AD (Large) 5,00 Users, 20,000 Objects
- Enterprise AD Supports Trusts & Schema Extension
- AD Connector proxies authentication to a ‘real’ AD Source.
- Remember AD Sites & Services
- Usage
  - WebApp - document management and document reviewing
  - Mobile Applications - Native
  - Workstation based synchronisation app - onedrive/dropbox like
  - Browser extensions - web clippers
  - Requires a directory service - simple, enterprise, AD Connector
  - SSO is possible via setting on directory
  - 50 GB free sync space for Workspace user
VPC Flow Logs
- Flow logs capture metadata of IP traffic
- It’s NOT IP DATA, its METADATA about that data.
- SRC Addr, DST Addr, SRC Port, DST Port, PROTOCOL
- Attached to ENI’s, Subnets or VPCs
- Logs - Ingress and Egress
- Logs - Accepted, Rejected or All Traffic
- NOT realtime - several minutes delay
- Logs Data to CloudWatch Logs - Needs IAM Role
- Each Flow = Log Group
- Each ENI = Log Stream
VPC Flow Logs limitation
- Traffic between instances and AWS DNS isn’t captured.
- License activation traffic between WIN and AWS isn’t captured.
- Metadata traffic isn’t captured - EC2 <-> 169.254.169.254
- DHCP traffic between the EC2 instance and AWS DHCP isn’t captured
- Traffic to the reserved IP of the VPC router isn’t captured..
Cost
- https://github.com/open-guides/og-aws#aws-data-transfer-costs
Enhanced Networking
- Detail info Intel SR-IOV Explanation
- Elastic Network Adaptor (ENA)
- Started in X1 - Now additionally in P2 and M4.16xlarge
- R4, F1, C5 when updated
- 20Gbps Capability immediately
- ..can scale to 400Gbps - same interface/ same driver
- 8 request queues per device - will increase over time with cores
- Significantly improved debug features - custom designed by AWS
- 10 Gbps per TCP stream - inside placement group
- Some newer instances can do this in a region
- From now - placement group = higher single TCP flow rate
- Placement group 10 Gbps, otherwise 5 Gbps
Placement Group
- Limitation and implement
  - Placement groups CANNOT span Availability Zones
  - A placement groups name is unique.. in your account .. all regions
  - Not all instance types are supported i.e the ‘t2.xx’ types
  - Try and stick to the same instance type
  - You cant move existing instances into a placement group
  - .. and you cant merge placement groups .. delete and make new
  - Transit TO and FROM external services - limited to 5Gbps
  - Always use IPv4 or IPv6 PRIVATE addressing
  - Ideally launch ALL instances at the start
  - Placement groups CAN work over VPC Peers - but the speed is limited
Aws Shield
- 基础服务免费，advance服务是收费的
- AWS Shield只防护简单普遍的攻击，3层和4层的DDoS攻击，比如UDP floods和TCP SYN floods。7层的攻击比如HTTP floods和DNS floods。复杂的应用层的防护，需要在AWS WAF中自己编写规则。

自己整理的一些知识点

同一个VPC内，使用默认DNS时，解析Public DNS时，会解析到私有地址。
DX: public virtual interface vs private virtual interface VS Hosted virtual interface VS Hosted Connection
- 官方博客What’s the difference between a hosted virtual interface (VIF) and a hosted connection?
- Direct connect中Direct connect Connection / private virtual interface / public virtual interface / Hosted virtual interface / Hosted connection几个概念的阐述
  - Direct connect Connection是自己账号申请的connection，可以在connection上建立private virtual interface或者public virtual interface
  - Hosted Virtual Interface是自己账号有direct connect Connection，但是可以建立Hosted Virtual Interface给其他account使用
  - Hosted connection是Partner为某个account建立的sub-1G的connection，VLAN ID是由partner指定的，端口速度在50~500M之间
  - AWS re:Invent 2017: Deep Dive: AWS Direct Connect and VPNs (NET403)中对这几个概念的说明截图如下:
Direct Connect gateway 是什么?
- 7 things you need to know about AWS Direct Connect Gateway
- 官方文档Direct Connect Gateways
- How can I set up a Direct Connect gateway?
- 要点:
  - Remember: The VPCs to which you connect through a Direct Connect gateway cannot have overlapping CIDR blocks
  - DX Gateway is a global service
  - Cannot be used cross account. Cannot be used with public VIFs.
  - Cannot be used to send traffic to other VPCs that are connected to the same Gateway. – VPC之间不能通过direct connect gateway来互通
  - 连到同一个Direct connect gateway的多个private virtual interface之间不能通信
Route53 - private hosted zone是什么?
- Working with Private Hosted Zones
- In a private hosted zone, you can associate Route 53 health checks only with weighted and failover records
- You can use the following routing policies when you create records in a private hosted zone
  - Simple Routing
  - Failover Routing
  - Multivalue Answer Routing
  - Weighted Routing
多VPC之间的连接方式
- How do I connect multiple VPCs within the same AWS Region?
- How do I connect multiple VPCs in different AWS Regions?
VPN CloudHub
- AWS VPN CloudHub
- 用处: 各个site可以通过公告自己的路由，来达到互通的效果。
- 要点:
  - The hub and spoke model involves creating multiple Customer Gateways, each with a public IP address
  - The remote network prefixes for each spoke must have unique ASNs, and the sites must not have overlapping IP ranges
网上找的建立public VIF, private VIF时的截图
- private virtual interface用在direct connect gateway上的截图
- private virtual interface 用在Virtual Private Gateway上的截图
- public virtual interface 截图
- General VIF Creation Requirements
  - Name
  - Owner
  - Connection
  - VLAN ID
  - BGP Information
    - ASN
    - BGP MD5 key
  - Peer IP’s
  - Public VIFs: Choose which prefixes to advertise
  - Private VIFs: Jumbo Frame setting
VPN sharing
- Multiple-VPC VPN Connection Sharing - How do I share a single VPN connection with multiple VPCs?