
AWS Certified Advanced Networking – Specialty (ANS-C01) Certification Guide

All Amazon EC2 instances are connected to a specific VPC, and that connection is made through ENIs. Within a VPC, an ENI is the construct that represents a virtual network interface card. Just as with any computer, server, or mobile device, a network interface card is responsible for processing network traffic in and out of the host. Network interface cards, often referred to as NICs, also own both the IP address (layer 3) and the MAC address (layer 2) of the host they are attached to. ENIs connect AWS virtual machines and services to a VPC at the network layer and are commonly referred to simply as network interfaces. For the purposes of this certification guide, any reference to a network interface can be understood to mean an ENI.
ENIs are created and then attached to instances. An ENI belongs to exactly one subnet and is therefore bound to that subnet's Availability Zone (AZ). When creating an ENI, you must specify the VPC and subnet in which it will reside. You can also configure its IP settings, such as automatic versus explicitly specified private addressing, and, on supported instance types, the connection-tracking idle timeouts for TCP and UDP flows.
Note
The idle timeout is how long a tracked TCP or UDP flow on a given ENI remains in the connection-tracking table after the last packet was seen. Once it expires, the entry is removed and any later packets are evaluated as a new flow.
All EC2 instances deployed require a primary network interface. An EC2 instance must always have a primary network interface attached, and the interface cannot be detached or deleted. You can attach additional ENIs to each EC2 instance. The maximum number of permitted network interfaces is defined per EC2 instance type.
Figure 1.2 shows EC2 instances with multiple ENIs attached to separate subnets. Keep in mind that EC2 instances cannot span AZs, so all ENIs attached to an instance must belong to the same AZ.
Figure 1.2: EC2 with dual ENI
As shown in the preceding diagram, Amazon EC2 instances can have multiple ENIs attached to them and these interfaces can be in different VPC subnets.
Note
An exhaustive list of EC2 instance types and their maximum number of supported network interfaces can be found here: https://docs.aws.amazon.com/ec2/latest/instancetypes/ec2-instance-type-specifications.html
The configuration of an ENI can support several ways of assigning an IP address for the instance, but the configuration also controls certain behaviors for that network interface as well. The following sections will cover the assignment of IPv4 and IPv6 addresses and configurations for ENIs.
ENIs are attached to subnets within VPCs, so the private IP address of an ENI belongs to one of the CIDR blocks assigned to the VPC, and more specifically to the subnet in which it resides. The address can be assigned automatically by AWS from the subnet's range or specified explicitly when the ENI is created.
VPCs are commonly deployed with private, RFC 1918 IPv4 addresses. However, subnets also allow the auto-assignment of public IPv4 addresses. If an instance is deployed into a subnet with this enabled, a public IPv4 address from Amazon's pool is automatically associated with the instance. Although this public address is associated with the instance, it is implemented as a one-to-one network address translation (NAT) to the primary private IPv4 address of the primary ENI; the instance's operating system only ever sees the private address.
It is important to understand that these auto-assigned addresses are not allocated to your AWS account. They are ephemeral and exist only while the instance is running: the address is released when the instance is stopped, hibernated, or terminated, and a different one is assigned when the instance starts again. Once an auto-assigned public IPv4 address is released, you cannot get it back.
For use cases that require a persistent public IPv4 address, use Elastic IPs (EIPs), which are covered later in this chapter. A typical example is an application server whose public IP must stay constant so that you can point a DNS record at it or add a single address to an allowlist on your own network.
When an instance is launched, its subnet may have auto-assignment of public IPv4 and/or IPv6 addresses enabled. If so, the primary ENI created in that subnet automatically receives a public IPv4 address from Amazon's pool and/or an IPv6 address from the subnet's IPv6 CIDR block. The subnet configuration settings that automatically provision these addresses when an ENI is created in the subnet are shown in Figure 1.3:
Figure 1.3: Subnet auto-assign IP settings
If the boxes in Figure 1.3 remain unchecked, no ENI created in this subnet automatically receives an IPv6 address or a public IPv4 address. Conversely, if every resource in the subnet should have one or both, these settings automate the assignment.
Note
The subnet's auto-assign settings can be overridden when you launch an EC2 instance into it. During launch, you can also specify the exact IPv4 and IPv6 addresses to use on the instance, provided they fall within the subnet's CIDR blocks and are not already in use, and you can configure secondary IP addresses at the same time.
Once an ENI has been attached to an EC2 instance, you can change its termination behavior. This setting controls whether the ENI is deleted when the attached instance is terminated, which helps ensure that resources are cleaned up if they are not needed after the parent instance is decommissioned. Note that the setting belongs to the attachment rather than to the ENI itself, so it can only be changed while the ENI is attached. Refer to Figure 1.4 for a screenshot of this setting in the AWS Management Console, where it is configured under the VPC | Network Interfaces | Actions menu:
Figure 1.4: ENI termination behavior
The termination behavior controls whether the ENI is deleted when the EC2 instance it is attached to is terminated.
By default, every ENI has the source/destination check enabled. With this setting on, the ENI only passes packets in which one of its own IP addresses appears in the source or destination field of the IP header; any other packet is dropped. This applies to both IPv4 and IPv6 traffic.
This setting must be disabled if the instance performs any function such as IP routing, NAT, or firewalling. This is common for network virtual appliances (NVAs) because, when routing or translating traffic, the packets are rarely destined for the device itself but pass through it: an NVA is primarily concerned with moving packets between other endpoints and is seldom the endpoint of the data traffic. The flip side is that an ENI with the check disabled can both forward traffic for others and emit packets with a spoofed source address, so disable it only on the appliances that need it and keep the rest of the fleet at the default. Refer to Figure 1.5 for a look at this setting in the AWS console:
Figure 1.5: ENI source/destination check
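The three ENI attributes discussed above (delete-on-termination on the attachment, the source/destination check, and whether an ENI is attached at all) are worth auditing across an account, because a disabled source/destination check on an ordinary instance removes an anti-spoofing control, and forgotten secondary ENIs keep their security groups and addresses alive after the instance is gone. The following script is an added example for this section, not code from the guide: it runs those checks over a constructed describe-network-interfaces response and prints the matching AWS CLI remediation for each finding. The approved-NVA allowlist, the instance and ENI IDs, and the sample data are assumptions made for the illustration; fetch_enis is the only part that needs boto3 and credentials.

```python
"""Audit ENI attributes from describe-network-interfaces output.

Added example, not from the certification guide. The instance IDs, ENI IDs
and the sample response below are constructed for illustration only.
"""

# Instances approved to forward traffic (NAT instances, firewalls, routers).
# Only these may have the source/destination check disabled.
# Assumption: the operator maintains this allowlist (constructed IDs here).
APPROVED_NVA_INSTANCES = {"i-0a1b2c3d4e5f60001"}

# Constructed sample in the shape boto3's describe_network_interfaces returns.
SAMPLE_ENIS = [
    {   # primary ENI of an approved firewall appliance: check disabled, expected
        "NetworkInterfaceId": "eni-0f1e2d3c4b5a69781", "Status": "in-use",
        "SourceDestCheck": False, "AvailabilityZone": "us-east-1a",
        "Attachment": {"AttachmentId": "eni-attach-0fw00001", "InstanceId": "i-0a1b2c3d4e5f60001",
                       "DeviceIndex": 0, "DeleteOnTermination": True},
    },
    {   # ordinary web server with the check disabled: can forward or spoof traffic
        "NetworkInterfaceId": "eni-0aaaabbbbccccdddd2", "Status": "in-use",
        "SourceDestCheck": False, "AvailabilityZone": "us-east-1a",
        "Attachment": {"AttachmentId": "eni-attach-0web0002", "InstanceId": "i-0b2c3d4e5f6a70002",
                       "DeviceIndex": 0, "DeleteOnTermination": True},
    },
    {   # secondary ENI on the web server that will outlive the instance
        "NetworkInterfaceId": "eni-0eeeeffff000011113", "Status": "in-use",
        "SourceDestCheck": True, "AvailabilityZone": "us-east-1a",
        "Attachment": {"AttachmentId": "eni-attach-0sec0003", "InstanceId": "i-0b2c3d4e5f6a70002",
                       "DeviceIndex": 1, "DeleteOnTermination": False},
    },
    {   # orphaned ENI left behind by a terminated instance
        "NetworkInterfaceId": "eni-0123456789abcdef4", "Status": "available",
        "SourceDestCheck": True, "AvailabilityZone": "us-east-1b",
    },
]


def audit_enis(enis, approved_nva_instances=APPROVED_NVA_INSTANCES):
    """Return a list of (eni_id, finding, remediation_cli) tuples, in input order."""
    findings = []
    for eni in enis:
        eni_id = eni["NetworkInterfaceId"]
        attachment = eni.get("Attachment") or {}
        instance_id = attachment.get("InstanceId")

        # 1. Check disabled on something that is not an approved forwarding
        #    appliance: it may accept traffic not addressed to it and send
        #    packets with a source address it does not own.
        if not eni.get("SourceDestCheck", True) and instance_id not in approved_nva_instances:
            findings.append((eni_id, "source-dest-check-disabled",
                             f"aws ec2 modify-network-interface-attribute "
                             f"--network-interface-id {eni_id} --source-dest-check"))

        # 2. Secondary ENI (device index > 0) that survives instance termination,
        #    leaving the interface, its IPs and its security groups behind.
        if attachment and attachment.get("DeviceIndex", 0) > 0 \
                and not attachment.get("DeleteOnTermination", False):
            findings.append((eni_id, "secondary-eni-kept-on-termination",
                             f"aws ec2 modify-network-interface-attribute --network-interface-id {eni_id} "
                             f"--attachment AttachmentId={attachment['AttachmentId']},DeleteOnTermination=true"))

        # 3. ENI attached to nothing (typically a leftover from a terminated instance).
        if eni.get("Status") == "available":
            findings.append((eni_id, "unattached-eni",
                             f"aws ec2 delete-network-interface --network-interface-id {eni_id}"))
    return findings


def fetch_enis(region_name="us-east-1"):
    """Pull every ENI in a region with boto3 (needs credentials; not used offline)."""
    import boto3  # imported here so the offline audit does not require the SDK
    ec2 = boto3.client("ec2", region_name=region_name)
    enis = []
    for page in ec2.get_paginator("describe_network_interfaces").paginate():
        enis.extend(page["NetworkInterfaces"])
    return enis


if __name__ == "__main__":
    for eni_id, finding, fix in audit_enis(SAMPLE_ENIS):
        print(f"{eni_id}: {finding}\n    fix: {fix}")
```

Run against the constructed data, the firewall ENI produces no finding while the other three ENIs each produce one; swapping SAMPLE_ENIS for fetch_enis() runs the same checks against a live account. Passing an empty allowlist flags every ENI with the check disabled, which is a quick way to enumerate all forwarding-capable interfaces before deciding which ones are legitimate.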
As the name suggests, ENIs are elastic: they exist independently of the EC2 instances to which they are attached and can be moved between instances with ease. ENIs support attachment in three scenarios, classified by the state of the instance at the moment of attachment as hot, warm, and cold attachments: a hot attach adds the ENI to a running instance, a warm attach adds it to a stopped instance, and a cold attach specifies the ENI as part of the instance launch.
Note
Hot and warm attachments are automatically recognized by instances running Amazon Linux or Windows Server. Other operating systems may require the secondary ENI to be configured manually inside the guest, for example by bringing up the interface and adding its routes.
While you can attach multiple ENIs to an instance within the same subnet, it is important to note that this does not increase the network bandwidth to or from the instance. These limits are still bound to those of the EC2 instance type. As an example, a t2.micro EC2 instance can only have two total ENIs, while an m5.4xlarge instance can support up to eight.
Secondary ENIs can be detached in the same way, whether the instance is running or stopped. As noted before, the primary ENI cannot be detached.
To create a network interface, navigate to the EC2 dashboard of the AWS console, select Network Interfaces, and choose the Create network interface option. As shown in Figure 1.6, you must give the ENI a name and assign the subnet in which to create the interface:
Figure 1.6: Create network interface details
Creating an ENI is independent of any EC2 instance, but its specific capabilities (subnet, private IP addresses, security groups, and description) are set when it is created. These settings persist with the ENI regardless of which instance or service it is attached to later.
A newly created ENI remains unattached until you attach it, and it can only be attached to an EC2 instance running in the same AZ as the ENI's subnet.
An ENI can be created using the AWS CLI create-network-interface command. For example, the following command creates an ENI in the given subnet, associates two security groups with it, and reserves a specific private IPv4 address (the IDs are placeholders; the address must lie within the subnet's CIDR block and must not already be in use):
# Create an ENI in subnet-12345678 with two security groups and a fixed private IP
aws ec2 create-network-interface \
    --subnet-id subnet-12345678 \
    --description "My ENI" \
    --groups sg-12345678 sg-87654321 \
    --private-ip-address 10.0.1.10
AWS gives you multiple ways to create and configure resources. The AWS console is fully click-based, while the AWS CLI allows resource creation via commands or automation. The result is the same.
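As an added example that ties the creation and attachment steps together with the SDK rather than the console or CLI (this is not code from the guide), the function below performs a hot or warm attach of a previously created ENI and then sets delete-on-termination on the new attachment. It first enforces the constraints described above: the instance must be running or stopped, the ENI must still be unattached, and the ENI must sit in the same AZ as the instance. The FakeEC2 class, the instance and ENI IDs, and the scenario in demo() are constructed so the flow can run offline; against AWS you would pass boto3.client("ec2") in place of the fake.

```python
"""Attach a pre-created ENI to an instance as a secondary interface.

Added example for this section, not code from the certification guide. The
`ec2` argument is a boto3 EC2 client or any object with the same four method
names; FakeEC2 below is a constructed stand-in so the flow runs offline.
"""


def attach_secondary_eni(ec2, instance_id, eni_id, device_index=1, delete_on_termination=True):
    """Hot (running) or warm (stopped) attach of eni_id to instance_id; returns the attachment ID.

    The checks mirror constraints AWS enforces: the ENI must be unattached
    ("available") and must be in the same Availability Zone as the instance,
    because an ENI belongs to one subnet and a subnet belongs to one AZ.
    """
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    state = inst["State"]["Name"]
    if state not in ("running", "stopped"):
        raise RuntimeError(f"{instance_id} is {state}; attach needs running (hot) or stopped (warm)")

    eni = ec2.describe_network_interfaces(NetworkInterfaceIds=[eni_id])["NetworkInterfaces"][0]
    if eni["Status"] != "available":
        raise RuntimeError(f"{eni_id} is {eni['Status']}, not available for attachment")
    inst_az = inst["Placement"]["AvailabilityZone"]
    if eni["AvailabilityZone"] != inst_az:
        raise RuntimeError(f"{eni_id} is in {eni['AvailabilityZone']} but {instance_id} is in "
                           f"{inst_az}; an ENI cannot be attached across AZs")

    attachment_id = ec2.attach_network_interface(
        NetworkInterfaceId=eni_id, InstanceId=instance_id, DeviceIndex=device_index)["AttachmentId"]

    # Delete-on-termination is an attribute of the attachment, not of the ENI,
    # so it can only be set once the attachment exists. For an ENI you attach
    # yourself it defaults to False, i.e. the ENI would outlive the instance.
    ec2.modify_network_interface_attribute(
        NetworkInterfaceId=eni_id,
        Attachment={"AttachmentId": attachment_id, "DeleteOnTermination": delete_on_termination})
    return attachment_id


class FakeEC2:
    """Constructed in-memory stand-in for the boto3 EC2 calls used above (not AWS code)."""

    def __init__(self, instances, enis):
        self.instances, self.enis, self.calls = instances, enis, []

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def describe_network_interfaces(self, NetworkInterfaceIds):
        return {"NetworkInterfaces": [self.enis[e] for e in NetworkInterfaceIds]}

    def attach_network_interface(self, NetworkInterfaceId, InstanceId, DeviceIndex):
        att_id = f"eni-attach-{len(self.calls):04x}"
        self.enis[NetworkInterfaceId]["Status"] = "in-use"
        self.enis[NetworkInterfaceId]["Attachment"] = {
            "AttachmentId": att_id, "InstanceId": InstanceId,
            "DeviceIndex": DeviceIndex, "DeleteOnTermination": False}
        self.calls.append(("attach", NetworkInterfaceId, InstanceId, DeviceIndex))
        return {"AttachmentId": att_id}

    def modify_network_interface_attribute(self, NetworkInterfaceId, Attachment):
        self.enis[NetworkInterfaceId]["Attachment"]["DeleteOnTermination"] = Attachment["DeleteOnTermination"]
        self.calls.append(("modify", NetworkInterfaceId, Attachment))
        return {}


def demo():
    """Constructed scenario: a running instance in us-east-1a and two spare ENIs."""
    ec2 = FakeEC2(
        instances={"i-0123456789abcdef0": {"State": {"Name": "running"},
                                            "Placement": {"AvailabilityZone": "us-east-1a"}}},
        enis={"eni-0aaaaaaaaaaaaaaa1": {"Status": "available", "AvailabilityZone": "us-east-1a"},
              "eni-0bbbbbbbbbbbbbbb2": {"Status": "available", "AvailabilityZone": "us-east-1b"}},
    )
    att = attach_secondary_eni(ec2, "i-0123456789abcdef0", "eni-0aaaaaaaaaaaaaaa1")
    try:  # the second ENI is in another AZ: rejected before any API mutation
        attach_secondary_eni(ec2, "i-0123456789abcdef0", "eni-0bbbbbbbbbbbbbbb2", device_index=2)
        cross_az_rejected = False
    except RuntimeError:
        cross_az_rejected = True
    return ec2, att, cross_az_rejected


if __name__ == "__main__":
    ec2, att, rejected = demo()
    print(att, ec2.enis["eni-0aaaaaaaaaaaaaaa1"]["Attachment"], "cross-AZ rejected:", rejected)
```

The function does not check the instance type's ENI limit; a real attach_network_interface call fails with an error from AWS when the limit is reached, so callers should be prepared to handle that in addition to the precondition errors raised here.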