AWS Transit Gateway – TGW is a highly available and scalable service to consolidate the AWS VPC routing configuration for a region with a hub-and-spoke architecture.
acts as a Regional virtual router and is a network transit hub that can be used to interconnect VPCs and on-premises networks.
traffic always stays on the global AWS backbone, data is automatically encrypted, and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.
is a Regional resource and can connect VPCs within the same AWS Region.
TGWs across different regions can peer with each other to enable VPC communications across regions.
Each spoke VPC only needs to connect to the TGW to gain access to other connected VPCs.
provides simpler VPC-to-VPC communication management over VPC Peering with a large number of VPCs.
scales elastically based on the volume of network traffic.
TGW routing operates at layer 3, where the packets are sent to a specific next-hop attachment, based on their destination IP addresses.
AWS Resource Access Manager – RAM can be used to share the TGW with other accounts.
Transit Gateway Attachments
Transit Gateway attachment is the connection between resources like VPC, VPN, Direct Connect, and the TGW.
TGW attachment is both a source and a destination of packets.
One or more Connect attachments (SD-WAN or third-party network appliances) can also be attached.
Transit Gateway Routing
Transit Gateway routes IPv4 and IPv6 packets between attachments using transit gateway route tables.
Route tables can be configured to propagate routes from the route tables for the attached VPCs, VPN connections, and Direct Connect gateways.
When a packet comes from one attachment, it is routed to another attachment using the route that matches the destination IP address.
A route pointing to the TGW must be added to the subnet route tables of a VPC attached to the TGW in order for traffic to route through the TGW.
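As an added illustration of how a packet entering one attachment is resolved against that attachment's associated route table (example code written for these notes, not AWS code): the model below uses invented attachment IDs, CIDRs and table names, implements the longest-prefix-match lookup over static, propagated and blackhole routes, and shows how separate route tables segment prod and dev spokes so that each reaches shared services but never the other, even when prod also has a default route to an egress attachment.

```python
"""Model of Transit Gateway route-table evaluation (added example, not AWS code).

Assumptions (not from the notes): attachment IDs, CIDRs and table names are
invented. Lookup follows the TGW rule of longest-prefix match; a route with no
target is a blackhole that silently drops the packet.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Route:
    cidr: ipaddress.IPv4Network
    target: Optional[str]  # attachment ID, or None for a blackhole route


@dataclass
class RouteTable:
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, cidr: str, target: Optional[str]) -> None:
        self.routes.append(Route(ipaddress.ip_network(cidr), target))

    def lookup(self, dst: str) -> Optional[str]:
        """Next-hop attachment for dst: the most specific prefix wins, None means drop."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for route in self.routes:
            if addr in route.cidr and (best is None or route.cidr.prefixlen > best.cidr.prefixlen):
                best = route
        return best.target if best else None


class TransitGateway:
    def __init__(self) -> None:
        self.tables: Dict[str, RouteTable] = {}
        self.association: Dict[str, str] = {}  # each attachment is associated with exactly one table

    def add_table(self, name: str) -> RouteTable:
        self.tables[name] = RouteTable(name)
        return self.tables[name]

    def associate(self, attachment: str, table: str) -> None:
        self.association[attachment] = table

    def propagate(self, attachment: str, cidr: str, table: str) -> None:
        """Route propagation: the attachment advertises its CIDR into the given table."""
        self.tables[table].add(cidr, attachment)

    def forward(self, src_attachment: str, dst_ip: str) -> Optional[str]:
        """A packet arriving on src_attachment is looked up only in that attachment's table."""
        return self.tables[self.association[src_attachment]].lookup(dst_ip)


def build_segmented_tgw() -> TransitGateway:
    """Three tables: prod and dev spokes see shared services only; shared sees everyone."""
    tgw = TransitGateway()
    for name in ("prod-rt", "dev-rt", "shared-rt"):
        tgw.add_table(name)
    spokes = {
        "tgw-attach-prod": ("10.1.0.0/16", "prod-rt"),
        "tgw-attach-dev": ("10.2.0.0/16", "dev-rt"),
        "tgw-attach-shared": ("10.3.0.0/16", "shared-rt"),
    }
    for attachment, (_cidr, table) in spokes.items():
        tgw.associate(attachment, table)
    # Shared services propagate into every table; spokes propagate only into shared-rt,
    # so no table holds a route between prod and dev.
    for table in tgw.tables:
        tgw.propagate("tgw-attach-shared", "10.3.0.0/16", table)
    tgw.propagate("tgw-attach-prod", "10.1.0.0/16", "shared-rt")
    tgw.propagate("tgw-attach-dev", "10.2.0.0/16", "shared-rt")
    # prod also gets a default route to an egress attachment. The static blackhole for the
    # dev range is more specific than 0.0.0.0/0, so prod->dev still drops instead of
    # leaking out through the egress path.
    tgw.tables["prod-rt"].add("0.0.0.0/0", "tgw-attach-egress")
    tgw.tables["prod-rt"].add("10.2.0.0/16", None)
    return tgw


def reachability(tgw: TransitGateway, probes) -> Dict[tuple, Optional[str]]:
    """{(src_attachment, dst_ip): next_hop_or_None} for a list of probes."""
    return {(src, dst): tgw.forward(src, dst) for src, dst in probes}


if __name__ == "__main__":
    matrix = reachability(build_segmented_tgw(), [
        ("tgw-attach-prod", "10.3.0.10"), ("tgw-attach-prod", "10.2.0.10"),
        ("tgw-attach-prod", "93.184.216.34"), ("tgw-attach-dev", "10.1.0.10"),
        ("tgw-attach-shared", "10.2.5.5"),
    ])
    for (src, dst), hop in matrix.items():
        print(f"{src} -> {dst}: {hop or 'DROPPED'}")
```

The equivalent check against a real gateway is `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <id> --filters Name=route-search.longest-prefix-match,Values=<ip>` per spoke table, confirming that a spoke's table returns no next hop for the ranges of peer spokes it must not reach.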
Transit Gateway Peering
Transit Gateway supports the ability to establish peering connections between TGWs in the same and different AWS Regions.
Inter-region Transit Gateway peering
enables customers to extend this connectivity and build global networks spanning multiple AWS Regions.
simplifies routing and inter-connectivity between VPCs and on-premises networks that are serviced and managed via separate TGWs
encrypts inter-region traffic with no single point of failure.
ensures the traffic always stays on the AWS global network and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.
Transit Gateway High Availability
Transit Gateway must be enabled with multiple AZs to ensure availability and to route traffic to the resources in the VPC subnets.
AZ can be enabled by specifying exactly one subnet within the AZ
TGW places a network interface in that subnet using one IP address from the subnet.
TGW can route traffic to all the subnets and not just the specified subnet within the enabled AZ.
Resources that reside in AZs where there is no TGW attachment cannot reach the TGW.
Transit Gateway Appliance Mode
For stateful network appliances in a VPC, appliance mode can be enabled on the VPC attachment of the VPC in which the appliance is located.
Appliance Mode ensures that network flows are symmetrically routed to the same AZ and network appliance
Appliance Mode ensures that the same AZ for that VPC attachment is used for the lifetime of a flow of traffic between source and destination.
Appliance Mode also allows the TGW to send traffic to any AZ in the VPC, as long as there is a subnet association in that zone.
Transit Gateway Connect Attachment
Transit Gateway Connect attachment can help establish a connection between a TGW and third-party virtual appliances (such as SD-WAN appliances) running in a VPC.
A Connect attachment supports the Generic Routing Encapsulation (GRE) tunnel protocol for high performance and Border Gateway Protocol (BGP) for dynamic routing.
Transit Gateway Network Manager
AWS Transit Gateway Network Manager provides a single global view of the private network.
includes events and metrics to monitor the quality of the global network, both in AWS and on-premises.
Event alerts specify changes in the topology, routing, and connection status. Usage metrics provide information on up/down connection, bytes in/out, packets in/out, and packets dropped.
seamlessly integrates with SD-WAN solutions
Transit Gateway Best Practices
Use a separate subnet for each transit gateway VPC attachment.
Create one network ACL and associate it with all of the subnets that are associated with the TGW. Keep the network ACL open in both the inbound and outbound directions.
Associate the same VPC route table with all of the subnets that are associated with the TGW, unless your network design requires multiple VPC route tables (for example, a middle-box VPC that routes traffic through multiple NAT gateways).
Use BGP Site-to-Site VPN connections. If the customer gateway device or firewall for the connection supports multipath, enable the feature.
Enable route propagation for AWS Direct Connect gateway attachments and BGP Site-to-Site VPN attachments.
Transit Gateways are highly available by design and do not need additional TGWs for high availability.
Limit the number of TGW route tables unless the design requires multiple TGW route tables.
For redundancy, use a single TGW in each Region for disaster recovery.
For deployments with multiple TGWs, it is recommended to use a unique ASN for each of them.
TGW also supports intra-Region peering.
Transit Gateway vs Transit VPC vs VPC Peering
AWS Certification Exam Practice Questions
Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
Open to further feedback, discussion and correction.
A company is using a VPC peering strategy to connect its VPCs in a single Region to allow for cross-communication. A recent increase in account creations and VPCs has made it difficult to maintain the VPC peering strategy, and the company expects to grow to hundreds of VPCs. There are also new requests to create site-to-site VPNs with some of the VPCs.
A solutions architect has been tasked with creating a centrally managed networking setup for multiple accounts, VPCs, and VPNs. Which networking solution meets these requirements?
Configure shared VPCs and VPNs and share with each other.
Configure a hub-and-spoke VPC and route all traffic through VPC peering.
Configure an AWS Direct Connect connection between all VPCs and VPNs.
Configure a transit gateway with AWS Transit Gateway and connect all VPCs and VPNs
A company hosts its core network services, including directory services and DNS, in its on-premises data center. The data center is connected to the AWS Cloud using AWS Direct Connect (DX). Additional AWS accounts are planned that will require quick, cost-effective, and consistent access to these network services. What should a solutions architect implement to meet these requirements with the LEAST amount of operational overhead?
Create a DX connection in each new account. Route the network traffic to the on-premises servers.
Configure VPC endpoints in the DX VPC for all required services. Route the network traffic to the on-premises servers.
Create a VPN connection between each new account and the DX VPC. Route the network traffic to the on-premises servers.
Configure AWS Transit Gateway between the accounts. Assign DX to the transit gateway and route network traffic to the on-premises servers.
Amazon Inspector is a vulnerability management service that continuously scans the AWS workloads for vulnerabilities.
automatically discovers and scans EC2 instances and container images in ECR for software vulnerabilities and unintended network exposure.
creates a finding, when a software vulnerability or network issue is discovered, that describes the vulnerability, rates its severity, identifies the affected resource and provides remediation guidance.
is a Regional service and configurations needs to be repeated across each region.
requires Systems Manager (SSM) agent to be installed and activated for Common Vulnerabilities and Exposures (CVE) data.
Systems Manager can be reached through VPC interface endpoints so that the SSM agent does not send any information over the internet.
uses an IAM AWSServiceRoleForAmazonInspector2 service-linked-role linked directly to Inspector with all the permissions required to call other AWS services on your behalf.
has multi-account management through AWS Organizations integration, which allows delegating an administrator account for the organization.
integrates with AWS Security Hub which collects and centralizes the security data from across the AWS accounts, services, and other supported products to assess the security state of the environment according to industry standards and best practices.
AWS Inspector Features
Continuously scan environments for vulnerabilities and network exposure
automatically discovers and begins scanning the eligible resources without the need to manually schedule or configure assessment scans.
Assess vulnerabilities accurately with the Inspector Risk score
As Inspector collects information about the environment through scans, it provides severity scores (the Inspector score) specifically tailored to the environment.
Identify high-impact findings with the Inspector dashboard
The dashboard offers a high-level view of findings from across your environment.
Manage your findings using customizable views
Inspector console offers a Findings view
Users can use filters and suppression rules to generate customized finding reports
Monitor and process findings with other services and systems
publishes findings to
EventBridge, which can then be monitored and processed in near-real time as part of the existing security and compliance workflows or routed to SNS, Lambda, etc.
AWS Security Hub.
Inspector Finding Types
Package Vulnerability
Package vulnerability findings identify software packages in the environment that are exposed to common vulnerabilities and exposures (CVEs).
Package vulnerability findings are generated for EC2 instances, ECR container images, and Lambda functions.
Network Reachability
Network reachability findings indicate that there are allowed network paths to EC2 instances in the environment.
Network reachability findings are only generated for EC2 resources.
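Findings published to EventBridge are only useful if something acts on them, so here is an added example (written for these notes, not AWS code) of the Lambda side of that integration: it triages both finding types described above, paging on severe package vulnerabilities with a known exploit and ticketing an instance whose admin port is reachable. The field names used from the "Inspector2 Finding" event (type, severity, status, fixAvailable, exploitAvailable, resources, packageVulnerabilityDetails, networkReachabilityDetails) are my reading of that event and the sample events are constructed placeholders.

```python
"""Triage of Amazon Inspector findings delivered through EventBridge (added example).

Illustration code written for these notes, not AWS code. The event fields used
(detail.type, severity, status, fixAvailable, exploitAvailable, resources,
packageVulnerabilityDetails, networkReachabilityDetails) follow my reading of
the "Inspector2 Finding" event; the sample events are constructed, not real
findings, and field names should be checked against a captured event.
"""
from typing import Any, Dict

ESCALATE_SEVERITIES = {"CRITICAL", "HIGH"}
ADMIN_PORTS = {22, 3389, 5985, 5986}  # SSH, RDP, WinRM


def admin_port_exposed(open_port_range: Dict[str, int]) -> bool:
    """True if the reachable port range covers a remote-administration port."""
    begin, end = open_port_range["begin"], open_port_range["end"]
    return any(begin <= port <= end for port in ADMIN_PORTS)


def triage(event: Dict[str, Any]) -> Dict[str, Any]:
    """Map one finding to page / ticket / track / ignore, recording the reasons."""
    detail = event["detail"]
    verdict: Dict[str, Any] = {
        "findingArn": detail["findingArn"],
        "resources": [r["id"] for r in detail.get("resources", [])],
        "action": "track",
        "reasons": [],
    }
    if detail.get("status") != "ACTIVE":
        verdict["action"] = "ignore"
        verdict["reasons"].append("finding is closed or suppressed")
        return verdict
    severe = detail.get("severity") in ESCALATE_SEVERITIES
    if detail["type"] == "PACKAGE_VULNERABILITY":
        cve = detail["packageVulnerabilityDetails"].get("vulnerabilityId", "unknown")
        if severe and detail.get("exploitAvailable") == "YES":
            verdict["action"] = "page"
            verdict["reasons"].append(f"{cve}: severe and a public exploit exists")
        elif severe:
            verdict["action"] = "ticket"
            verdict["reasons"].append(f"{cve}: severe, no known exploit yet")
        if detail.get("fixAvailable") == "YES":
            verdict["reasons"].append("vendor fix available: schedule it through Patch Manager")
    elif detail["type"] == "NETWORK_REACHABILITY":
        nr = detail["networkReachabilityDetails"]
        if nr.get("protocol") == "TCP" and admin_port_exposed(nr["openPortRange"]):
            verdict["action"] = "ticket"
            verdict["reasons"].append("admin port reachable from outside: tighten security group or NACL")
    return verdict


def lambda_handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """EventBridge -> Lambda entry point; in production send the verdict on to SNS or a ticket queue."""
    return triage(event)


# Constructed sample events (placeholders, not real findings or CVE IDs).
SAMPLE_PACKAGE_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/example-package",
        "type": "PACKAGE_VULNERABILITY",
        "severity": "CRITICAL",
        "status": "ACTIVE",
        "exploitAvailable": "YES",
        "fixAvailable": "YES",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0123456789abcdef0"}],
        "packageVulnerabilityDetails": {"vulnerabilityId": "CVE-EXAMPLE-0001"},
    },
}
SAMPLE_NETWORK_EVENT = {
    "source": "aws.inspector2",
    "detail-type": "Inspector2 Finding",
    "detail": {
        "findingArn": "arn:aws:inspector2:us-east-1:123456789012:finding/example-network",
        "type": "NETWORK_REACHABILITY",
        "severity": "MEDIUM",
        "status": "ACTIVE",
        "resources": [{"type": "AWS_EC2_INSTANCE", "id": "i-0fedcba9876543210"}],
        "networkReachabilityDetails": {"protocol": "TCP", "openPortRange": {"begin": 22, "end": 22}},
    },
}
```

The EventBridge rule that feeds this function matches `{"source": ["aws.inspector2"], "detail-type": ["Inspector2 Finding"]}`; capture one real event from it and compare its keys with the ones the code reads before relying on the triage.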
AWS Certification Exam Practice Questions
Which of the following services allows you to analyze EC2 Instances against pre-defined security templates to check for vulnerabilities?
AWS Trusted Advisor
AWS Inspector
AWS WAF
AWS Shield
Your company has a set of AWS resources which consists of EC2 Instances. The Security departments need to run vulnerability analysis on these machines to ensure that the Instances comply with the latest security standards. Which of the following would you implement for this requirement?
Viewer Request: after CloudFront receives the request from the Viewer
Viewer Response: before CloudFront forwards the response to the Viewer
Origin Request: before CloudFront forwards the request to the Origin
Origin Response: after CloudFront receives the response from the Origin
supports longer execution time, 5 seconds for viewer triggers and 30 seconds for origin triggers
scales to 1000s of requests/second
has network and file system access
can access the request body
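Added example for the viewer-request trigger described above (written for these notes, not AWS or CloudFront code): a Python Lambda@Edge handler that reads the request body, which CloudFront exposes base64-encoded with an inputTruncated flag once the body exceeds the edge size limit, and uses a "variant" attribute from it to rewrite the S3 object path. The attribute, the allow-list and the URI rewrite are assumptions made up for the example; body access also has to be enabled ("Include body") on the trigger.

```python
"""Lambda@Edge viewer-request handler that customises a request from its body.

Added example written for these notes, not AWS or CloudFront code. The event
layout follows the Lambda@Edge request event (Records[0].cf.request, with a
body object carrying base64 data, an encoding and an inputTruncated flag).
The "variant" attribute, the allow-list and the URI rewrite are assumptions
made up for the example.
"""
import base64
import json
from typing import Any, Dict

ALLOWED_VARIANTS = {"stable", "beta"}
DEFAULT_VARIANT = "stable"


def _edge_response(status: str, message: str) -> Dict[str, Any]:
    """Answer at the edge instead of forwarding a bad request to the S3 origin."""
    return {
        "status": status,
        "statusDescription": message,
        "headers": {"content-type": [{"key": "Content-Type", "value": "text/plain"}]},
        "body": message,
    }


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    request = event["Records"][0]["cf"]["request"]
    if request["method"] != "POST":
        return request  # nothing to customise; forward unchanged
    body = request.get("body") or {}
    if body.get("inputTruncated"):
        # CloudFront only exposes the first part of a large body; refuse rather than guess
        return _edge_response("413", "Request body too large to inspect at the edge")
    raw = body.get("data", "")
    if body.get("encoding") == "base64":
        raw = base64.b64decode(raw).decode("utf-8", errors="replace")
    try:
        payload = json.loads(raw) if raw else {}
    except json.JSONDecodeError:
        return _edge_response("400", "Request body must be JSON")
    if not isinstance(payload, dict):
        return _edge_response("400", "Request body must be a JSON object")
    variant = payload.get("variant", DEFAULT_VARIANT)
    if variant not in ALLOWED_VARIANTS:
        # never splice untrusted input into the S3 key unchecked ("../" style traversal)
        return _edge_response("400", "Unknown variant")
    request["uri"] = f"/{variant}{request['uri']}"
    request["headers"]["x-variant"] = [{"key": "X-Variant", "value": variant}]
    return request


def make_event(method: str, uri: str, body_json: str = "", truncated: bool = False) -> Dict[str, Any]:
    """Constructed viewer-request event for local testing (not a captured CloudFront event)."""
    return {"Records": [{"cf": {"request": {
        "method": method,
        "uri": uri,
        "querystring": "",
        "headers": {"host": [{"key": "Host", "value": "d111111abcdef8.cloudfront.net"}]},
        "body": {
            "action": "read-only",
            "encoding": "base64",
            "inputTruncated": truncated,
            "data": base64.b64encode(body_json.encode()).decode(),
        },
    }}}]}


if __name__ == "__main__":
    print(handler(make_event("POST", "/index.html", '{"variant": "beta"}'))["uri"])
```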
AWS Certification Exam Practice Questions
You’ve been given the requirement to customize the content which is distributed to users via a CloudFront Distribution. The content origin is an S3 bucket and the customization attribute exists in the request body. How could you achieve this?
Add an event to the S3 bucket. Make the event invoke a Lambda function to customize the content before rendering
Use CloudFront Functions
Use Lambda@Edge
Use a separate application on an EC2 Instance for this purpose.
a single private VIF can connect to a single Direct Connect Gateway
a single Direct Connect Gateway can connect to 10 VGWs
Direct Connect Gateway Limitations
supports 10 VGWs (VPC) connections.
supports a single transit VIF per Direct Connect connection.
does not support overlapping CIDRs.
does not support transitive routing i.e. does not allow gateway associations to send traffic to each other (for example, a VGW to another VGW or VPC to VPC)
allows a maximum of 100 prefixes. You can summarize the prefixes into a larger range to reduce the number of prefixes.
Direct Connect Gateway + Transit Gateway
AWS Direct Connect Gateway does not support transitive routing and has limits on the number of VGWs that can be connected.
AWS DX Gateway can be combined with AWS Transit Gateway using a transit VIF attachment, which enables the on-premises network to connect to multiple regional centralized routers (TGWs, limited by a service quota; three at launch) over a private dedicated connection.
Each AWS Transit Gateway is a regional resource and acts as a network transit hub to interconnect VPCs in the same region, consolidating VPC routing configuration in one place.
This solution simplifies the management of connections between a VPC and the on-premises networks over a private connection that can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.
With AWS Transit Gateway connected to VPCs, full or partial mesh connectivity can be achieved between the VPCs.
Cross-VPC and cross-Region VPC communication is facilitated by AWS Transit Gateway peering.
AWS Certification Exam Practice Questions
Your company currently has set up an AWS Direct Connect connection between their on-premise data center and a VPC in the us-east-1 region. They now want to connect their data center to a VPC in the us-west-1 region. They need to ensure latency is low and maximum bandwidth for the connection. How could they accomplish this in a cost-effective manner?
Create an AWS Direct Connect connection between the VPC in the us-west-1 region and the on-premise data center
Setup an AWS Direct Connect Gateway
Create an AWS VPN managed connection between the VPC in the us-west-1 region and the on-premise data center
AWS VPN Connection utilizes IPSec to establish encrypted network connectivity between the intranet and VPC over the Internet.
AWS Direct Connect provides dedicated, private network connections between the intranet and VPC.
Setup time
VPN connections can be configured in minutes and are a good solution for immediate needs, for low to modest bandwidth requirements, and where the inherent variability of Internet-based connectivity can be tolerated.
Direct Connect can take anywhere from 4 to 12 weeks
Routing
VPN traffic is still routed through the Internet.
Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between the intranet and VPC. The network traffic remains on the AWS global network and never touches the public internet. This reduces the chance of hitting bottlenecks or unexpected increases in latency
Cost
VPN connections are very cheap ($37.20/month as of now)
Direct Connect is costlier, as it requires physical hardware and infrastructure (port hours and cross-connects), and can run into thousands per month.
Encryption in Transit
VPN connections encrypt the data in transit.
Direct Connect data transfer can now be encrypted using MACsec; however, this comes with limitations in terms of supported speeds and locations.
Direct Connect vs VPN Comparison
AWS Direct Connect + VPN
AWS Direct Connect + VPN combines the benefits of the end-to-end secure IPSec connection with low latency and increased bandwidth of the AWS Direct Connect to provide a more consistent network experience than internet-based VPN connections.
AWS Direct Connect public VIF establishes a dedicated network connection between the on-premises network to public AWS resources, such as an Amazon virtual private gateway IPsec endpoint.
A BGP connection is established between the AWS Direct Connect and your router on the public VIF.
Another BGP session or a static route is established between the virtual private gateway and your router over the IPsec VPN tunnel.
Direct Connect + VPN as Backup
VPN can provide a quick and cost-effective backup hybrid network connection for an AWS Direct Connect connection. However, it provides a lower level of reliability and non-deterministic performance over the internet.
Be sure that you use the same virtual private gateway for both Direct Connect and the VPN connection to the VPC.
If you are configuring a Border Gateway Protocol (BGP) VPN, advertise the same prefix for Direct Connect and the VPN.
If you are configuring a static VPN, add the same static prefixes to the VPN connection that you are announcing with the Direct Connect virtual interface.
If you are advertising the same routes toward the AWS VPC, the Direct Connect path is always preferred, regardless of AS path prepending.
AWS Certification Exam Practice Questions
You work as an AWS Architect for a company that has an on-premise data center. They want to connect their on-premise infra to the AWS Cloud. Note that this connection must have the maximum throughput and be dedicated to the company. How can this be achieved?
Use AWS Express Route
Use AWS Direct Connect
Use AWS VPC Peering
Use AWS VPN
A company wants to set up a hybrid connection between their AWS VPC and their on-premise network. They need to have high bandwidth and less latency because they need to transfer their current database workloads to AWS. Which of the following would you use for this purpose?
AWS Managed software VPN
AWS Managed hardware VPN
AWS Direct Connect
AWS VPC Peering
An organization has established an Internet-based VPN connection between their on-premises data center and AWS. They are considering migrating from VPN to AWS Direct Connect. Which operational concern should drive an organization to consider switching from an Internet-based VPN connection to AWS Direct Connect?
AWS Direct Connect provides greater redundancy than an Internet-based VPN connection.
AWS Direct Connect provides greater resiliency than an Internet-based VPN connection.
AWS Direct Connect provides greater bandwidth than an Internet-based VPN connection.
AWS Direct Connect provides greater control of network provider selection than an Internet-based VPN connection.
AWS Network Firewall vs WAF vs Security Groups vs NACLs
AWS Network Firewall is a stateful, fully managed network firewall and intrusion detection and prevention (IDS/IPS) service for VPCs.
AWS WAF is a web application firewall that helps protect web applications from attacks by allowing rules configuration that allow, block, or monitor (count) web requests based on defined conditions.
Security groups act as a virtual firewall for associated instances, controlling both inbound and outbound traffic at the instance level
Network access control lists (NACLs) act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
AWS Network Firewall is a stateful, fully managed network firewall and intrusion detection and prevention (IDS/IPS) service for VPCs.
Network Firewall scales automatically with the network traffic, without the need for deploying and managing any infrastructure.
AWS Network Firewall
can filter traffic at the perimeter of the VPC. This includes filtering traffic going to and coming from an internet gateway, NAT gateway, or over VPN or AWS Direct Connect.
protects the subnets within the VPC by filtering traffic going between the subnets and locations outside of the VPC
flexible rules engine allows defining firewall rules that give fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity.
supports importing rules already written in common open source rule formats as well as enables integrations with managed intelligence feeds sourced by AWS partners.
works together with AWS Firewall Manager to build policies based on AWS Network Firewall rules and then centrally apply those policies across the VPCs and accounts.
helps provide protection from common network threats.
can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing the VPCs from accessing domains using an unauthorized protocol.
supports intrusion prevention system (IPS) to provide active traffic flow inspection to help identify and block vulnerability exploits using signature-based detection.
uses the open source intrusion prevention system (IPS), Suricata, for stateful inspection and supports Suricata compatible rules.
supports web filtering that can stop traffic to known bad URLs and monitor fully qualified domain names.
AWS Network Firewall Components
Rule Group
Holds a reusable collection of criteria for inspecting traffic and for handling packets and traffic flows that match the inspection criteria.
Rule groups are either stateless or stateful.
Rules configuration includes 5-tuple and domain name filtering.
Firewall policy
Defines a reusable set of stateless and stateful rule groups, along with some policy-level behaviour settings.
Firewall policy provides the network traffic filtering behaviour for a firewall.
A single firewall policy can be used in multiple firewalls.
Firewall
Connects the inspection rules in the firewall policy to the VPC that the rules protect.
Each firewall requires one firewall policy.
The firewall additionally defines settings like how to log information about the network traffic and the firewall’s stateful traffic filtering.
Stateless and Stateful Rules Engines
AWS Network Firewall uses two rules engines to inspect packets according to the rules that you provide in your firewall policy.
Stateless Rules Engine
First, the Stateless engine inspects the packet against the configured stateless rules.
Each packet inspection happens in isolation, without regard to factors such as the direction of traffic, or whether the packet is part of an existing, approved connection.
This engine prioritizes the speed of evaluation and it takes rules with standard 5-tuple connection criteria.
The engine processes the rules in the defined priority order and stops processing when it finds a match.
Depending on the packet settings, the stateless inspection criteria, and the firewall policy settings, the stateless engine might
drop a packet,
pass it through to its destination, or
forward it to the stateful rules engine.
Stateful Rules Engine
Stateful engine inspects packets in the context of their traffic flow, using the configured stateful rules.
Packets are inspected in the context of their traffic flow.
Stateful rules consider traffic direction. The stateful rules engine might delay packet delivery in order to group packets for inspection.
By default, the stateful rules engine processes the rules in the order of their action setting, with pass rules processed first, then drop, and then alert. The engine stops processing when it finds a match.
The stateful engine either
drops packets or
passes them to their destination.
Stateful engine activities send flow and alert logs to the firewall’s logs if logging is configured.
Stateful engine sends alerts for dropped packets and can optionally send them for passed packets.
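The two-engine path described above, as an added example written for these notes (not AWS or Suricata code): a stateless engine that settles packets in priority order or forwards them, and a stateful engine evaluated in the default action order (pass, then drop, then alert) or in strict list order. The rules, addresses and domain names are invented; in a real rule group the domain criterion is matched on the HTTP Host header or TLS SNI rather than on a field of the flow. The sample stateful list deliberately places a drop rule before the allow-listed pass rule so the effect of action order versus strict order is visible.

```python
"""Model of Network Firewall's stateless-then-stateful evaluation (added example).

Illustration code written for these notes, not AWS or Suricata code. Rules,
addresses and domain names are invented; real stateful rules are Suricata-
compatible or domain-list rule groups matching the HTTP Host header or TLS SNI.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PASS, DROP, FORWARD, ALERT = "pass", "drop", "forward", "alert"
ACTION_ORDER = {PASS: 0, DROP: 1, ALERT: 2}  # default (non-strict) stateful ordering


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str                 # "outbound" or "inbound", from the VPC's point of view
    domain: Optional[str] = None   # Host header / TLS SNI, visible only to the stateful engine


@dataclass(frozen=True)
class StatelessRule:
    priority: int
    action: str                    # pass, drop, or forward to the stateful engine
    proto: Optional[str] = None
    dport: Optional[int] = None
    direction: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        wanted = (("proto", self.proto), ("dport", self.dport), ("direction", self.direction))
        return all(v is None or v == getattr(f, k) for k, v in wanted)  # None is a wildcard


@dataclass(frozen=True)
class StatefulRule:
    sid: int
    action: str                    # pass, drop, or alert
    proto: Optional[str] = None
    dport: Optional[int] = None
    domains: Tuple[str, ...] = ()  # empty = any domain

    def matches(self, f: Flow) -> bool:
        return (self.proto in (None, f.proto) and self.dport in (None, f.dport)
                and (not self.domains or f.domain in self.domains))


def stateless_evaluate(f: Flow, rules: List[StatelessRule], default: str = FORWARD) -> str:
    """First match in priority order wins; an unmatched packet takes the policy default."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(f):
            return rule.action
    return default


def stateful_evaluate(f: Flow, rules: List[StatefulRule], alerts: List[tuple],
                      strict_order: bool = False) -> str:
    """Action order sorts pass before drop before alert; strict order keeps the list order.
    A drop is always alerted; an alert rule logs and lets evaluation continue."""
    ordered = rules if strict_order else sorted(rules, key=lambda r: ACTION_ORDER[r.action])
    for rule in ordered:
        if not rule.matches(f):
            continue
        if rule.action == PASS:
            return PASS
        if rule.action == DROP:
            alerts.append((rule.sid, DROP, f))
            return DROP
        alerts.append((rule.sid, ALERT, f))
    return PASS  # nothing dropped it: the stateful default allows the flow


def inspect_flow(f: Flow, stateless_rules, stateful_rules, alerts, strict_order=False) -> str:
    """A stateless pass/drop settles the packet in isolation (no alert log); only forward
    hands it to the stateful engine."""
    verdict = stateless_evaluate(f, stateless_rules)
    if verdict != FORWARD:
        return verdict
    return stateful_evaluate(f, stateful_rules, alerts, strict_order)


STATELESS_RULES = [
    StatelessRule(priority=10, action=DROP, proto="tcp", dport=445, direction="outbound"),  # no outbound SMB
    StatelessRule(priority=20, action=PASS, proto="udp", dport=53, direction="outbound"),   # DNS to the resolver
]
STATEFUL_RULES = [  # the drop is listed before the allow-listed pass on purpose
    StatefulRule(sid=2, action=DROP, proto="tcp", dport=443),
    StatefulRule(sid=1, action=PASS, proto="tcp", dport=443, domains=("updates.example.com",)),
    StatefulRule(sid=3, action=ALERT, proto="tcp", dport=80),
]


def run_samples(strict_order: bool = False) -> Tuple[Dict[str, str], List[tuple]]:
    """Constructed flows run through both engines; returns verdicts and the alert log."""
    alerts: List[tuple] = []
    flows = {
        "smb": Flow("10.0.1.5", "203.0.113.9", "tcp", 445, "outbound"),
        "https-allowed": Flow("10.0.1.5", "203.0.113.10", "tcp", 443, "outbound", "updates.example.com"),
        "https-other": Flow("10.0.1.5", "203.0.113.11", "tcp", 443, "outbound", "files.example.net"),
        "http": Flow("10.0.1.5", "203.0.113.12", "tcp", 80, "outbound", "www.example.org"),
    }
    verdicts = {name: inspect_flow(f, STATELESS_RULES, STATEFUL_RULES, alerts, strict_order)
                for name, f in flows.items()}
    return verdicts, alerts
```

With action order the allow-listed HTTPS flow passes and the other HTTPS flow is dropped and alerted; with strict order the same rule list drops the allow-listed flow too, because the drop rule is reached first. In the service this choice is the firewall policy's stateful rule order setting (default action order or strict order), which is worth checking whenever a rule group is reused across policies.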
AWS Certified Solutions Architect – Professional (SAP-C01) exam is the current pattern of the Solutions Architect – Professional exam, released in 2018, and is due to be upgraded this year (Nov. 2022).
I recently recertified the existing pattern and the difference is quite a lot between the previous pattern and the latest pattern. The amount of overlap between the associates and professional exams and even the Solutions Architect and DevOps has drastically reduced.
AWS Certified Solutions Architect – Professional (SAP-C01) exam basically validates
Design and deploy dynamically scalable, highly available, fault-tolerant, and reliable applications on AWS
Select appropriate AWS services to design and deploy an application based on given requirements
Migrate complex, multi-tier applications on AWS
Design and deploy enterprise-wide scalable operations on AWS
AWS Certified Solutions Architect – Professional (SAP-C01) Exam Summary
AWS Certified Solutions Architect – Professional (SAP-C01) exam was for a total of 170 minutes and it had 75 questions.
AWS Certified Solutions Architect – Professional (SAP-C01) focuses a lot on concepts and services related to Architecture & Design, Scalability, High Availability, Disaster Recovery, Migration, Security and Cost Control.
Each question mainly touches multiple AWS services.
Questions and answers options have a lot of prose and a lot of reading that needs to be done, so be sure you are prepared and manage your time well.
As always, mark the questions for review and move on and come back to them after you are done with all.
As always, having a rough architecture or mental picture of the setup helps focus on the areas that you need to improve. Trust me, you will be able to eliminate 2 answers for sure and then need to focus on only the other two. Read the other 2 answers to check the difference area and that would help you reach the right answer or at least have a 50% chance of getting it right.
AWS Certified Solutions Architect – Professional (SAP-C01) Exam Topics
Aurora Global Database consists of one primary AWS Region where the data is mastered, and up to five read-only, secondary AWS Regions. It is not a multi-master setup but can be used for disaster recovery.
Database Migration Service – DMS enables quick and secure data migration with minimal to zero downtime
supports Full and Change Data Capture – CDC migration to support continuous replication for zero downtime migration.
supports homogeneous migrations such as Oracle to Oracle, as well as heterogeneous migrations (using SCT) between different database platforms, such as Oracle or Microsoft SQL Server to Aurora.
Hint: Elasticsearch/OpenSearch is not supported as a source by DMS (it is supported as a target).
Application Discovery Service: agent-based discovery can be used for Hyper-V and physical servers
Agentless discovery can be used for VMware but does not track processes.
Disaster Recovery
Disaster Recovery whitepaper, although outdated: make sure you understand the difference between each type, esp. pilot light and warm standby, w.r.t. RTO and RPO.
Compute
Make components available in an alternate Region,
either as AMIs that can be restored,
or as CloudFormation templates that create the infrastructure as needed,
or as a partially running environment that can be scaled up once the failover happens,
or as fully running compute in an active-active configuration with health checks.
Storage
S3 and EFS support cross-region replication
DynamoDB supports Global tables for multi-master, active-active inter-region storage needs.
Aurora Global Database does not provide a multi-master setup but can be used for disaster recovery.
RDS supports cross-region read replicas which can be promoted to master in case of a disaster. This can be done using Route 53, CloudWatch and lambda functions.
Network
Route 53 failover routing with health checks to failover across regions.
Understand VPC Peering to enable communication between VPCs within the same or different regions. (hint: VPC peering does not support transitive routing)
VPN can provide a cost-effective, quick failover for Direct Connect.
VPN over Direct Connect provides a secure dedicated connection and requires a public virtual interface.
Direct Connect Gateway is a globally available resource that helps establish connectivity spanning VPCs spread across multiple AWS Regions with a single Direct Connect connection.
WAF protects from common attack techniques like SQL injection and Cross-Site Scripting (XSS). Conditions can be based on IP addresses, HTTP headers, HTTP body, and URI strings.
integrates with CloudFront, ALB, and API Gateway.
supports Web ACLs and can block traffic based on IPs, Rate limits, and specific countries as well.
AWS Systems Manager and its various services like parameter store, patch manager
Parameter Store provides secure, scalable, centralized, hierarchical storage for configuration data and secret management. Does not support secrets rotation. Use Secrets Manager.
Session Manager helps manage EC2 instances through an interactive one-click browser-based shell or through the AWS CLI without opening ports or creating bastion hosts.
Patch Manager helps automate the process of patching managed instances with both security-related and other types of updates.
CloudFormation helps handle disaster recovery by automating the infrastructure to replicate the environment across Regions.
DeletionPolicy (Retain or Snapshot) can prevent deletion, retain, or back up resources such as RDS instances and EBS volumes when a stack is deleted.
Stack policy can prevent stack resources from being unintentionally updated or deleted during a stack update. Stack Policy only applies for Stack updates and not stack deletion.
StackSets helps to create, update, or delete stacks across multiple accounts and Regions with a single operation.
Trusted Advisor helps with cost optimization and service limits in addition to security, performance, and fault tolerance.
Compute Optimizer recommends optimal AWS resources for the workloads to reduce costs and improve performance by using machine learning to analyze historical utilization metrics.
AWS Budgets to see usage-to-date and current estimated charges from AWS, set limits and provide alerts or notifications.
Cost Allocation Tags can be used to organize AWS resources, and cost allocation tags to track the AWS costs on a detailed level.
Cost Explorer helps visualize, understand, manage and forecast the AWS costs and usage over time.
Application Load Balancer operates at layer 7 (application layer) and allows defining routing rules based on content across multiple services or containers running on one or more EC2 instances.
scales the load balancer as traffic to the application changes over time.
can scale to the vast majority of workloads automatically.
supports health checks, used to monitor the health of registered targets so that the load balancer can send requests only to the healthy targets.
Application Load Balancer Components
A load balancer
serves as the single point of contact for clients.
distributes incoming application traffic across multiple targets, such as EC2 instances, in multiple AZs, which increases the availability of the application.
one or more listeners can be added to the load balancer.
A listener
checks for connection requests from clients, using the configured protocol and port
the rules defined determine how the load balancer routes requests to its registered targets.
each rule consists of a priority, one or more actions, and one or more conditions.
supported actions are
forward,
redirect,
fixed-response
supported rule conditions are
host-header
http-request-method
path-pattern
source-ip
http-header
query-string
when the conditions for a rule are met, its actions are performed.
a default rule for each listener must be defined, and optionally additional rules can be defined
Target group
routes requests to one or more registered targets, such as EC2 instances, using the specified protocol and port number
a target can be registered with multiple target groups.
health checks can be configured on a per target group basis.
health checks are performed on all targets registered to a target group that is specified in a listener rule for the load balancer.
target group supports
EC2 instances (can be managed as a part of the ASG)
ECS tasks
Lambda functions
Private IP Addresses on AWS or On-premises over VPN or DX.
supports weighted target group routing
enables routing of the traffic forwarded by a rule to multiple target groups.
enables use cases like blue-green, canary and hybrid deployments without the need for multiple load balancers.
also enables zero-downtime migration between on-premises and cloud or between different compute types like EC2 and Lambda.
When a load balancer receives a request, it evaluates the listener rules in priority order to determine which rule to apply and then selects a target from the target group for the rule action.
Listener rules can be configured to route requests to different target groups based on the content of the application traffic.
Routing is performed independently for each target group, even when a target is registered with multiple target groups.
Routing algorithm used can be configured at the target group level.
Default routing algorithm is round-robin; alternatively, the least outstanding requests routing algorithm can also be specified
Classic Load Balancer vs Application Load Balancer vs Network Load Balancer
Support for path-based routing, where listener rules can be configured to forward requests based on the URL in the request. This enables structuring applications as smaller services (microservices) and routing requests to the correct service based on the content of the URL.
Support for routing requests to multiple services on a single EC2 instance by registering the instance on multiple ports (Dynamic Port Mapping).
Support for containerized applications. EC2 Container Service (ECS) can select an unused port when scheduling a task and register the task with a target group using this port, enabling efficient use of the clusters.
Support for monitoring the health of each service independently, as health checks are defined at the target group level and many CloudWatch metrics are reported at the target group level.
Attaching a target group to an Auto Scaling group enables scaling each service dynamically based on demand.
Application Load Balancer Features
supports load balancing of applications using HTTP and HTTPS (Secure HTTP) protocols
supports HTTP/2, which is enabled natively. Clients that support HTTP/2 can connect over TLS
supports WebSockets and Secure WebSockets natively
supports Request tracing, by default.
request tracing can be used to track HTTP requests from clients to targets or other services.
Upon receiving a request from a client, the load balancer adds or updates the X-Amzn-Trace-Id header before sending the request to the target
Any services or applications between the load balancer and the target can also add or update this header.
supports Sticky Sessions (Session Affinity) using load balancer generated cookies, to route requests from the same client to the same target
supports SSL termination, to decrypt the request on ALB before sending it to the underlying targets.
an SSL certificate can be installed on the load balancer.
the load balancer uses this certificate to terminate the connection and then decrypt requests from clients before sending them to targets.
supports layer 7 specific features like X-Forwarded-For headers to help determine the actual client IP, port and protocol
automatically scales its request handling capacity in response to incoming application traffic.
supports hybrid load balancing:
if an application runs on targets distributed between a VPC and an on-premises location, they can be added to the same target group using their IP addresses
provides High Availability, by allowing you to specify more than one AZ and distribution of incoming traffic across multiple AZs.
integrates with ACM to provision and bind an SSL/TLS certificate to the load balancer thereby making the entire SSL offload process very easy
supports multiple certificates for the same domain on a secure listener
supports IPv6 addressing, for an Internet-facing load balancer
supports Cross-zone load balancing, by default
supports Security Groups to control the traffic allowed to and from the load balancer.
provides Access Logs, to record all requests sent to the load balancer, and store the logs in S3 for later analysis in compressed format
provides Delete Protection, to prevent the ALB from accidental deletion
supports Connection Idle Timeout – ALB maintains two connections for each request: one with the client (front end) and one with the target instance (back end). If no data has been sent or received by the time the idle timeout period elapses, ALB closes the front-end connection
integrates with CloudWatch to provide metrics, such as request counts, error counts, error types, and request latency
integrates with AWS WAF, a web application firewall that helps protect web applications from attacks by allowing rules configuration based on IP addresses, HTTP headers, and custom URI strings
integrates with CloudTrail to receive a history of ALB API calls made on the AWS account
back-end server authentication (MTLS) is NOT supported
Application Load Balancer Listeners
A listener is a process that checks for connection requests, using the configured protocol and port
Listener supports HTTP & HTTPS protocol with Ports from 1-65535
ALB supports SSL Termination for HTTPS listeners, which helps to offload the work of encryption and decryption so that the targets can focus on their main work.
HTTPS listener supports exactly one SSL server certificate on the listener.
HTTPS listener must have at least one SSL server certificate on the listener
WebSockets with both HTTP and HTTPS listeners (Secure WebSockets)
Supports HTTP/2 with HTTPS listeners
128 requests can be sent in parallel using one HTTP/2 connection.
ALB converts these to individual HTTP/1.1 requests and distributes them across the healthy targets in the target group using the round-robin routing algorithm.
HTTP/2 uses front-end connections more efficiently resulting in fewer connections between clients and the load balancer.
Server-push feature of HTTP/2 is not supported
Each listener has a default rule, and can optionally define additional rules.
Each rule consists of a priority, action, optional host condition, and optional path condition.
Priority – Rules are evaluated in priority order, from the lowest value to the highest value. The default rule has the lowest priority
Action – Each rule action has a type and a target group. Currently, the only supported type is forward, which forwards requests to the target group. You can change the target group for a rule at any time.
Condition – There are two types of rule conditions: host and path. When the conditions for a rule are met, then its action is taken
Host Condition or Host-based routing
Host conditions can be used to define rules that forward requests to different target groups based on the hostname in the host header
This enables support for multiple domains using a single ALB, e.g. orders.example.com, images.example.com, registration.example.com
Each host condition has one hostname. If the hostname in
Path Condition or path-based routing
Path conditions can be used to define rules that forward requests to different target groups based on the URL in the request
Each path condition has one path pattern, e.g. example.com/orders, example.com/images, example.com/registration
If the URL in a request matches the path pattern in a listener rule exactly, the request is routed using that rule.
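The listener evaluation described above (rules checked in priority order, host-header and path-pattern conditions, weighted forward to several target groups, the default rule applied last), as an added Python simulation that is not part of this page or of AWS's own code. Rule names, hostnames, target groups and CIDR ranges below are constructed for illustration.

```python
"""Simulation of ALB listener-rule evaluation (added example, not AWS code).

Rules are checked in priority order, lowest value first; the first rule whose
configured conditions all match decides the action, and the listener's default
rule applies when nothing matches. host-header and path-pattern conditions
allow the ALB wildcards '*' (any sequence) and '?' (one character). A forward
action may carry several weighted target groups (canary / blue-green).
"""
import ipaddress
import random
import re
from dataclasses import dataclass, field


def _wildcard(pattern: str) -> re.Pattern:
    """Translate an ALB-style pattern into an anchored regular expression."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


@dataclass
class Rule:
    priority: int          # lower value = evaluated earlier
    action: dict           # {"type": "forward"|"redirect"|"fixed-response", ...}
    host_header: list = field(default_factory=list)
    path_pattern: list = field(default_factory=list)
    http_request_method: list = field(default_factory=list)
    source_ip: list = field(default_factory=list)   # CIDR blocks

    def matches(self, req: dict) -> bool:
        """Every condition that is configured must match; unset ones are ignored."""
        src = ipaddress.ip_address(req["source_ip"])
        checks = [
            (self.host_header, lambda pats: any(_wildcard(p).match(req["host"]) for p in pats)),
            (self.path_pattern, lambda pats: any(_wildcard(p).match(req["path"]) for p in pats)),
            (self.http_request_method, lambda methods: req["method"] in methods),
            (self.source_ip, lambda cidrs: any(src in ipaddress.ip_network(c) for c in cidrs)),
        ]
        return all(test(values) for values, test in checks if values)


def pick_target_group(action: dict, rng: random.Random) -> str:
    """Weighted forward: choose a target group in proportion to its weight."""
    groups = action["target_groups"]
    roll = rng.uniform(0, sum(g["weight"] for g in groups))
    for g in groups:
        roll -= g["weight"]
        if roll <= 0:
            return g["name"]
    return groups[-1]["name"]


def route(rules: list, default_action: dict, req: dict, rng=None) -> dict:
    """Return the action the listener takes for one request."""
    rng = rng or random.Random()
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(req):
            action = rule.action
            break
    else:
        action = default_action      # the default rule has the lowest priority of all
    if action["type"] == "forward":
        return {"type": "forward", "target_group": pick_target_group(action, rng)}
    return dict(action)


# Constructed listener: names, hosts and CIDRs are illustrative, not real resources.
LISTENER_RULES = [
    Rule(10, {"type": "redirect", "status": 301, "location": "https://orders.example.com/v2/"},
         host_header=["orders.example.com"], path_pattern=["/legacy/*"]),
    Rule(20, {"type": "forward", "target_groups": [{"name": "tg-orders", "weight": 100}]},
         host_header=["orders.example.com"]),
    Rule(30, {"type": "forward", "target_groups": [{"name": "tg-images-v1", "weight": 90},
                                                    {"name": "tg-images-v2", "weight": 10}]},
         path_pattern=["/images/*"]),           # canary without a second load balancer
    Rule(40, {"type": "forward", "target_groups": [{"name": "tg-admin", "weight": 100}]},
         path_pattern=["/admin/*"], source_ip=["10.0.0.0/8"]),   # admin only from the corporate range
    Rule(50, {"type": "fixed-response", "status": 403, "body": "forbidden"},
         path_pattern=["/admin/*"]),            # everyone else hitting /admin is refused
]
DEFAULT_ACTION = {"type": "fixed-response", "status": 404, "body": "not found"}


def canary_share(n: int = 10000, seed: int = 1) -> float:
    """Fraction of /images requests sent to tg-images-v2 (expected near 0.10)."""
    rng = random.Random(seed)
    req = {"host": "www.example.com", "path": "/images/logo.png", "method": "GET", "source_ip": "198.51.100.9"}
    hits = sum(route(LISTENER_RULES, DEFAULT_ACTION, req, rng)["target_group"] == "tg-images-v2" for _ in range(n))
    return hits / n
```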
Advantages over Classic Load Balancer
Support for path-based routing, where rules can be configured for the listener to forward requests based on the content of the URL
Support for host-based routing, where rules can be configured for the listener to forward requests based on the host field in the HTTP header.
Support for routing based on fields in the request, such as standard and custom HTTP headers and methods, query parameters, and source IP address
Support for routing requests to multiple applications on a single EC2 instance. Each instance or IP address can be registered with the same target group using multiple ports
Support for registering targets by IP address, including targets outside the VPC for the load balancer.
Support for redirecting requests from one URL to another.
Support for returning a custom HTTP response.
Support for registering Lambda functions as targets.
Support for the load balancer to authenticate users of the applications through their corporate or social identities before routing requests.
Support for containerized applications with ECS using Dynamic Port Mapping
Support for monitoring the health of each service independently, as health checks and many CloudWatch metrics are defined at the target group level
Attaching the target group to an Auto Scaling group enables scaling of each service dynamically based on demand
Access logs contain additional information and are stored in compressed format
Improved load balancer performance.
Application Load Balancer Pricing
charged for each hour or partial hour that an ALB is running and the number of Load Balancer Capacity Units (LCU) used per hour.
An LCU is a new metric for determining ALB pricing
An LCU measures the maximum resource consumed in any one of the dimensions (new connections, active connections, bandwidth, and rule evaluations) as the Application Load Balancer processes the traffic.
AWS Certification Exam Practice Questions
Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated
Open to further feedback, discussion and correction.
You are designing an application which requires WebSockets support, to exchange real-time messages with end users without the end users having to request (or poll) the server for an update. Which ELB option should you choose?
Use Application Load Balancer and enable comet support
Use Classic Load Balancer which supports WebSockets
Use Application Load Balancer which supports WebSockets
Use Classic Load Balancer and enable comet support
Which of the following Internet protocols does an AWS Application Load Balancer Support? Choose 2 answers
A. ICMP
B. UDP
C. HTTP
D. SNTP
E. Websocket
Your organization has configured an application behind ALB. However, Clients are complaining that they cannot connect to an Internet-facing load balancer. What cannot be the issue?
Internet-facing load balancer is attached to a private subnet
ALB Security Groups does not allow the traffic
Subnet NACLs do not allow the traffic
ALB was not assigned an EIP
To protect your ALB from accidental deletion, you should
ALB does not provide any feature to prevent accidental deletion
Your organization is using ALB for servicing requests. One of the API requests is facing consistent performance issues. Upon checking the flow, you find that the request flows through multiple services. How can you track the performance or timing issues in the application stack at the granularity of an individual request?
Track the request using “X-Amzn-Trace-Id” HTTP header
Track the request using “X-Amzn-Track-Id” HTTP header
Track the request using “X-Aws-Track-Id” HTTP header
Track the request using “X-Aws-Trace-Id” HTTP header
Route 53 is a highly available and scalable Domain Name System (DNS) web service.
Route 53 provides three main functions:
Domain registration
allows domain names registration
Domain Name System (DNS) service
translates friendly domain names like www.example.com into IP addresses like 192.0.2.1
responds to DNS queries using a global network of authoritative DNS servers, which reduces latency
can route Internet traffic to CloudFront, Elastic Beanstalk, ELB, or S3. There’s no charge for DNS queries to these resources
Health Checking
can monitor the health of resources such as web and email servers.
sends automated requests over the Internet to the application to verify that it’s reachable, available, and functional
CloudWatch alarms can be configured for the health checks to send notifications when a resource becomes unavailable.
can be configured to route Internet traffic away from resources that are unavailable
Security
supports both DNSSEC for domain registration and DNSSEC signing
Supported DNS Resource Record Types
A (Address) Format
is an IPv4 address in dotted decimal notation for e.g. 192.0.2.1
AAAA Format
is an IPv6 address in colon-separated hexadecimal format
CNAME Format
is the same format as a domain name
The DNS protocol does not allow creation of a CNAME record for the top node of a DNS namespace, also known as the zone apex. For example, for the domain example.com, the zone apex is example.com; a CNAME record for example.com cannot be created, but CNAME records can be created for www.example.com, newproduct.example.com, etc.
If a CNAME record is created for a subdomain, no other resource record sets for that subdomain can be created. For example, if a CNAME is created for www.example.com, no other resource record sets whose Name field is www.example.com can be created
MX (Mail Exchange) Format
contains a decimal number that represents the priority of the MX record, and the domain name of an email server
NS (Name Server) Format
An NS record identifies the name servers for the hosted zone. The value for an NS record is the domain name of a name server.
PTR Format
A PTR record Value element is the same format as a domain name.
SOA (Start of Authority) Format
SOA record provides information about a domain and the corresponding Amazon Route 53 hosted zone
SPF (Sender Policy Framework) Format
SPF records were formerly used to verify the identity of the sender of email messages; their use is no longer recommended
Instead of an SPF record, a TXT record that contains the applicable value is recommended
SRV Format
An SRV record Value element consists of four space-separated values. The first three values are decimal numbers representing priority, weight, and port. The fourth value is a domain name, e.g. 10 5 80 hostname.example.com
TXT (Text) Format
A TXT record contains a space-separated list of double-quoted strings. A single string can include a maximum of 255 characters. In addition to the characters that are permitted unescaped in domain names, space is allowed in TXT strings
Alias Resource Record Sets
Route 53 supports alias resource record sets, which enables routing of queries to a CloudFront distribution, Elastic Beanstalk, ELB, an S3 bucket configured as a static website, or another Route 53 resource record set
Alias records are not part of the DNS RFC standard; they are a Route 53 extension to DNS functionality
Alias record is similar to a CNAME record and is always of type A or AAAA
Alias record can be created both for the root domain or apex zone, such as example.com, and for subdomains, such as www.example.com. CNAME records can be used only for subdomains.
Route 53 automatically recognizes changes in the resource record sets that the alias resource record set refers to. For example, for a site pointing to a load balancer, if the IP of the load balancer changes, Route 53 reflects those changes automatically in the DNS answers without any changes to the hosted zone that contains the resource record sets
Alias resource record sets do not support a TTL (Time to Live) if they point to a CloudFront distribution, an ELB, or an S3 bucket. The underlying CloudFront, load balancer, or S3 TTLs are used.
Alias records are free to query and do not incur any charges.
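A validator for the record-set rules listed above (record names must end with the hosted-zone name, no CNAME at the zone apex, a CNAME shares its name with no other record set, alias records are A/AAAA and are allowed at the apex, and the MX, SRV and TXT value formats), as an added Python example that is not Route 53 code and not from this page. The zone, records and the ALB hostname are constructed placeholders.

```python
"""Validator for the Route 53 record-set rules described above (added example,
not Route 53 code). Enforces: record names end with the hosted-zone name, no
CNAME at the zone apex, a CNAME shares its name with no other record set, alias
records are type A/AAAA and are allowed at the apex, plus the MX, SRV, TXT and
A/AAAA value formats. The zone and records below are constructed."""
from __future__ import annotations
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Record:
    name: str                 # fully qualified, e.g. "www.example.com."
    rtype: str                # A, AAAA, CNAME, MX, TXT, SRV, NS, PTR, ...
    values: list = field(default_factory=list)
    alias_target: str | None = None   # set only for an alias record


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def validate_values(r: Record) -> list[str]:
    """Check one record's values against the per-type formats."""
    errs = []
    if r.alias_target is not None:
        if r.rtype not in ("A", "AAAA"):
            errs.append(f"{r.name}: alias records must be type A or AAAA")
        return errs                      # an alias carries a target, not values
    for v in r.values:
        if r.rtype in ("A", "AAAA"):
            want = 4 if r.rtype == "A" else 6
            try:
                if ipaddress.ip_address(v).version != want:
                    errs.append(f"{r.name}: {v!r} is not an IPv{want} address")
            except ValueError:
                errs.append(f"{r.name}: {v!r} is not an IP address")
        elif r.rtype == "MX":
            parts = v.split()
            if len(parts) != 2 or not parts[0].isdigit():
                errs.append(f"{r.name}: MX value must be '<priority> <mail server>'")
        elif r.rtype == "SRV":
            parts = v.split()
            if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
                errs.append(f"{r.name}: SRV value must be '<priority> <weight> <port> <host>'")
        elif r.rtype == "TXT":
            # Each double-quoted string is limited to 255 characters.
            for s in re.findall(r'"((?:[^"\\]|\\.)*)"', v):
                if len(s) > 255:
                    errs.append(f"{r.name}: TXT string longer than 255 characters")
    return errs


def validate_zone(zone: str, records: list[Record]) -> list[str]:
    """Check a whole hosted zone; returns an empty list when everything is allowed."""
    zone = _norm(zone)
    errs, by_name = [], {}
    for r in records:
        name = _norm(r.name)
        if name != zone and not name.endswith("." + zone):
            errs.append(f"{r.name}: record name must end with the hosted zone name {zone}")
        by_name.setdefault(name, []).append(r.rtype)
        errs += validate_values(r)
    for name, types in by_name.items():
        if "CNAME" in types:
            if name == zone:
                errs.append(f"{name}: CNAME is not allowed at the zone apex; use an alias record")
            if any(t != "CNAME" for t in types):
                errs.append(f"{name}: no other record set may use the same name as a CNAME")
    return errs


# Constructed sample zone; the ALB hostname is a placeholder.
ZONE = "example.com."
GOOD_RECORDS = [
    Record("example.com.", "A", alias_target="placeholder-alb.us-east-1.elb.amazonaws.com."),
    Record("www.example.com.", "CNAME", ["example.com."]),
    Record("example.com.", "MX", ["10 mail.example.com."]),
    Record("_sip._tcp.example.com.", "SRV", ["10 5 5060 sip.example.com."]),
    Record("example.com.", "TXT", ['"v=spf1 include:_spf.example.com -all"']),
]
BAD_RECORDS = [
    Record("example.com.", "CNAME", ["placeholder-alb.us-east-1.elb.amazonaws.com."]),  # CNAME at apex
    Record("example.com.", "TXT", ['"' + "x" * 256 + '"']),                               # string too long
    Record("www.example.com.", "CNAME", ["example.com."]),
    Record("www.example.com.", "A", ["192.0.2.1"]),                     # conflicts with the CNAME above
    Record("mail.other.example.", "A", ["192.0.2.2"]),                  # outside the hosted zone
    Record("_sip._tcp.example.com.", "SRV", ["10 5 sip.example.com."]),  # missing the port
]
```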
Hosted Zone is a container for records, which include information about how to route traffic for a domain (such as example.com) and all of its subdomains (such as www.example.com, retail.example.com, and seattle.accounting.example.com).
A hosted zone has the same name as the corresponding domain.
Routing Traffic to the Resources
Create a hosted zone, either a public hosted zone or a private hosted zone:
Public Hosted Zone – for routing internet traffic to the resources for a specific domain and its subdomains
Private hosted zone – for routing traffic within a VPC
Create records in the hosted zone
Records define where to route traffic for each domain name or subdomain name.
Name of each record in a hosted zone must end with the name of the hosted zone.
For public and private Hosted Zones that have overlapping namespaces, Route 53 Resolver routes traffic to the most specific match.
IAM permissions apply only at the Hosted Zone level
Route 53 Health Checks
Route 53 health checks monitor the health and performance of the underlying resources.
Health check types
Health checks that monitor an endpoint, such as a web server.
Health checkers are located in locations around the world.
The health checker location and interval can be specified.
Health checker evaluates the health of the endpoint based on
Response time
Specified failure threshold – Whether the endpoint responds to a number of consecutive health checks
The endpoint is considered healthy if more than 18% of health checkers report that an endpoint is healthy.
Health check is considered healthy if
HTTP and HTTPS health checks
TCP connection can be established within four seconds.
Returns 2xx or 3xx within two seconds after connecting.
TCP health checks
TCP connection can be established within ten seconds.
HTTP and HTTPS health checks with string matching
TCP connection can be established within four seconds.
Returns 2xx or 3xx within two seconds after connecting.
Route 53 searches the response body for the specified string which must appear entirely in the first 5,120 bytes of the response body or the endpoint fails the health check.
Calculated health checks – Health checks that monitor the status of other health checks.
Health check that does the monitoring is the parent health check, and the health checks that are monitored are child health checks.
One parent health check can monitor the health of up to 255 child health checks
Health checks that monitor the status of a CloudWatch alarm.
Route 53 monitors the data stream for the corresponding alarm instead of monitoring the alarm state.
Route 53 checks the health of an endpoint by sending an HTTP, HTTPS, or TCP request to the specified IP address and port.
For a health check to succeed, the router and firewall rules must allow inbound traffic from the IP addresses that the health checkers use.
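The health-check decisions listed above (per-attempt time limits for HTTP/HTTPS, TCP and string-matching checks, the consecutive-result failure threshold, the "more than 18% of checkers" rule, and a calculated parent check over child checks), as an added Python simulation that is not Route 53 code and not from this page. The observations are constructed; the choice to apply the threshold symmetrically when an endpoint recovers is this simulation's assumption.

```python
"""Simulation of the Route 53 health-check decisions listed above (added example,
not Route 53 code): per-checker pass/fail for HTTP(S), TCP and string-matching
checks, the consecutive-result failure threshold, the ">18% of checkers" rule
for endpoint health, and a calculated (parent) check over child checks. The
observations are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Observation:
    """What one health checker saw on one attempt."""
    connect_seconds: float | None           # None: the TCP connection never came up
    response_seconds: float | None = None   # time from connect to the response line
    status: int | None = None
    body: bytes = b""


def attempt_passes(obs: Observation, kind: str, search_string: str | None = None) -> bool:
    """Apply the time limits from the page for one attempt of one checker."""
    if kind == "TCP":
        return obs.connect_seconds is not None and obs.connect_seconds <= 10
    if obs.connect_seconds is None or obs.connect_seconds > 4:
        return False
    if obs.response_seconds is None or obs.response_seconds > 2:
        return False
    if obs.status is None or not 200 <= obs.status < 400:
        return False
    if search_string is not None:
        # The string must appear entirely within the first 5,120 bytes of the body.
        return search_string.encode() in obs.body[:5120]
    return True


class CheckerStatus:
    """One checker's reported status: it flips only after `threshold` consecutive
    results that disagree with the current status (the failure threshold; applying
    it in both directions is an assumption of this simulation)."""

    def __init__(self, threshold: int = 3):
        self.threshold, self.healthy, self.streak = threshold, True, 0

    def observe(self, passed: bool) -> bool:
        if passed == self.healthy:
            self.streak = 0
        else:
            self.streak += 1
            if self.streak >= self.threshold:
                self.healthy, self.streak = passed, 0
        return self.healthy


def status_timeline(results: list[bool], threshold: int = 3) -> list[bool]:
    """Status a single checker reports after each result in `results`."""
    state = CheckerStatus(threshold)
    return [state.observe(r) for r in results]


def endpoint_healthy(checker_reports: list[bool]) -> bool:
    """Route 53 calls the endpoint healthy when more than 18% of checkers report healthy."""
    return sum(checker_reports) / len(checker_reports) > 0.18


def calculated_healthy(child_status: dict[str, bool], healthy_needed: int) -> bool:
    """Parent (calculated) check: healthy when at least `healthy_needed` children are healthy."""
    if len(child_status) > 255:
        raise ValueError("a parent health check can monitor at most 255 child health checks")
    return sum(child_status.values()) >= healthy_needed
```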
Route 53 Split-view (Split-horizon) DNS helps access an internal version of the website using the same domain name that is used publicly.
Both a private and public hosted zone can be maintained with the same domain name for split-view DNS.
Ensure that DNS resolution and DNS hostnames are enabled on the source VPC.
DNS queries will respond with answers based on the source of the request.
From within the VPC, answers will come from the private hosted zone, while public queries will return answers from the public hosted zone.
Route 53 DNSSEC
DNSSEC – Domain Name System Security Extensions, a protocol for securing DNS traffic, helps protect a domain from DNS spoofing and man-in-the-middle attacks.
DNSSEC works only for public hosted zones.
Route 53 supports DNSSEC signing as well as DNSSEC for domain registration.
With DNSSEC enabled for a domain, the DNS resolver establishes a chain of trust for responses from intermediate resolvers.
The chain of trust begins with the TLD registry for the domain (your domain’s parent zone) and ends with the authoritative name servers at your DNS service provider.
With DNSSEC enabled, Route 53 creates a key-signing key (KSK) using a customer managed key in AWS KMS that supports DNSSEC. The customer managed key must meet the following requirements:
must be in the US East (N. Virginia) Region
must be an asymmetric customer managed key with an ECC_NIST_P256 key spec.
Route 53 Resolver DNS Firewall
Route 53 Resolver DNS Firewall provides protection for outbound DNS requests from the VPCs and can monitor and control the domains that the applications can query.
DNS Firewall can filter and regulate outbound DNS traffic for the VPC.
Reusable collections of filtering rules can be created in DNS Firewall rule groups and be associated with the VPC, with the activity monitored in DNS Firewall logs and metrics.
A primary use of DNS Firewall protections is to help prevent DNS exfiltration of data. DNS exfiltration can happen when a bad actor compromises an application instance in the VPC and then uses DNS lookups to send data out of the VPC to a domain that they control.
DNS Firewall can be configured to
deny access to the domains that you know to be bad and allow all other queries to pass through OR
deny access to all domains except for the ones that you explicitly trust.
DNS Firewall is a feature of Route 53 Resolver and doesn’t require any additional Resolver setup to use.
Firewall Manager can be used to centrally configure and manage the DNS Firewall rule group associations for the VPCs across the accounts in an Organization. Firewall Manager automatically adds associations for VPCs that come into the scope of the Firewall Manager DNS Firewall policy.
Route 53 Logging
DNS Query Logging
DNS Query logs contain information like
Domain or subdomain that was requested
Date and time of the request
DNS record type (such as A or AAAA)
Route 53 edge location that responded to the DNS query
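The two DNS Firewall modes described above (deny known-bad domains and pass the rest, or allow only trusted domains and block the rest), applied to query-log records with the fields listed above, as an added Python simulation that is not AWS code and not from this page. The rule groups, domain names and log records are constructed; the wildcard handling ('*.example' matches subdomains only, '*' matches everything) is this simulation's assumption.

```python
"""Simulation of Route 53 Resolver DNS Firewall rule-group evaluation over
constructed Route 53 query-log records (added example, not AWS code). Both
modes from the page are shown: a deny list that blocks known-bad domains and
lets everything else pass, and an allow list that blocks everything not
explicitly trusted. Wildcard handling is this simulation's assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    priority: int          # lower value is evaluated first
    domains: frozenset     # domain list entries, e.g. "bad.example" or "*.bad.example"
    action: str            # "ALLOW", "BLOCK" or "ALERT" (alert = pass but log)


def _entry_matches(domain: str, entry: str) -> bool:
    domain = domain.rstrip(".").lower()
    if entry == "*":
        return True
    if entry.startswith("*."):
        return domain.endswith(entry[1:])        # "*.bad.example" -> ".bad.example" suffix
    return domain == entry


def evaluate(rule_group: list, domain: str) -> str:
    """First matching rule in priority order decides; no match lets the query through."""
    for rule in sorted(rule_group, key=lambda r: r.priority):
        if any(_entry_matches(domain, e) for e in rule.domains):
            return rule.action
    return "ALLOW"


# Mode 1: deny known-bad domains, allow everything else (constructed names).
DENY_LIST_RULES = [
    FirewallRule(100, frozenset({"c2.bad.example", "*.c2.bad.example"}), "BLOCK"),
    FirewallRule(200, frozenset({"*.filesharing.example"}), "ALERT"),
]
# Mode 2: allow only explicitly trusted domains, block the rest.
ALLOW_LIST_RULES = [
    FirewallRule(100, frozenset({"amazonaws.com", "*.amazonaws.com",
                                 "corp.example", "*.corp.example"}), "ALLOW"),
    FirewallRule(900, frozenset({"*"}), "BLOCK"),
]

# Constructed query-log records carrying the four fields listed above.
QUERY_LOG = [
    {"time": "2024-05-01T10:00:01Z", "domain": "api.corp.example.", "type": "A", "edge": "IAD12"},
    {"time": "2024-05-01T10:00:02Z", "domain": "s3.amazonaws.com.", "type": "A", "edge": "IAD12"},
    {"time": "2024-05-01T10:00:03Z", "domain": "www.example.com.", "type": "AAAA", "edge": "FRA50"},
    {"time": "2024-05-01T10:00:04Z", "domain": "drop.filesharing.example.", "type": "A", "edge": "FRA50"},
    {"time": "2024-05-01T10:00:05Z", "domain": "c2.bad.example.", "type": "TXT", "edge": "IAD12"},
    # A data-carrying label under a blocked domain: the exfiltration pattern the page describes.
    {"time": "2024-05-01T10:00:06Z", "domain": "aGVsbG8.c2.bad.example.", "type": "TXT", "edge": "IAD12"},
]


def review_log(rule_group: list, log: list) -> dict:
    """Group logged query names by the verdict the rule group would give them."""
    verdicts = {}
    for rec in log:
        verdicts.setdefault(evaluate(rule_group, rec["domain"]), []).append(rec["domain"])
    return verdicts
```

Running the same log through both rule groups shows the trade-off the page describes: the deny list only catches the domains you already know, while the allow list also blocks www.example.com until it is explicitly trusted.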
Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed, the question might not be updated
Open to further feedback, discussion and correction.
What does Amazon Route53 provide?
A global Content Delivery Network.
None of these.
A scalable Domain Name System
An SSH endpoint for Amazon EC2.
Does Amazon Route 53 support NS Records?
Yes, it supports Name Service records.
No
It supports only MX records.
Yes, it supports Name Server records.
Does Route 53 support MX Records?
Yes
It supports CNAME records, but not MX records.
No
Only Primary MX records. Secondary MX records are not supported.
Which of the following statements are true about Amazon Route 53 resource records? Choose 2 answers
An Alias record can map one DNS name to another Amazon Route 53 DNS name.
A CNAME record can be created for your zone apex.
An Amazon Route 53 CNAME record can point to any DNS record hosted anywhere.
TTL can be set for an Alias record in Amazon Route 53.
An Amazon Route 53 Alias record can point to any DNS record hosted anywhere.
Which statements are true about Amazon Route 53? (Choose 2 answers)
Amazon Route 53 is a region-level service
You can register your domain name
Amazon Route 53 can perform health checks and failovers to a backup site in the event of the primary site failure
Amazon Route 53 only supports Latency-based routing
A customer is hosting their company website on a cluster of web servers that are behind a public-facing load balancer. The customer also uses Amazon Route 53 to manage their public DNS. How should the customer configure the DNS zone apex record to point to the load balancer?
Create an A record pointing to the IP address of the load balancer
Create a CNAME record pointing to the load balancer DNS name.
Create a CNAME record aliased to the load balancer DNS name.
Create an A record aliased to the load balancer DNS name
A user has configured ELB with three instances. The user wants to achieve High Availability as well as redundancy with ELB. Which of the below mentioned AWS services helps the user achieve this for ELB?
Route 53
AWS Mechanical Turk
Auto Scaling
AWS EMR
How can the domain’s zone apex for example “myzoneapexdomain com” be pointed towards an Elastic Load Balancer?
By using an AAAA record
By using an A record
By using an Amazon Route 53 CNAME record
By using an Amazon Route 53 Alias record
You need to create a simple, holistic check for your system’s general availability and uptime. Your system presents itself as an HTTP-speaking API. What is the simplest tool on AWS to achieve this with?
Your organization’s corporate website must be available on www.acme.com and acme.com. How should you configure Amazon Route 53 to meet this requirement?
Configure acme.com with an ALIAS record targeting the ELB. www.acme.com with an ALIAS record targeting the ELB.
Configure acme.com with an A record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.
Configure acme.com with a CNAME record targeting the ELB. www.acme.com with a CNAME record targeting the acme.com record.
Configure acme.com using a second ALIAS record with the ELB target. www.acme.com using a PTR record with the acme.com record target.