Route53 - piermick.files.wordpress.com file

Route53

Amazon Route 53 stripes its Name Servers across four TLD servers to mitigate the impact of a TLD failure.

A record – Name to IP address.

CNAMEs – Resolve one domain name to another, e.g. m.google.com is the domain and you may want mobile.google.com to resolve to the same place.

Alias – AWS-specific record type used to map to AWS resources. Targets –

CloudFront Distributions

Elastic Beanstalk environments that have regionalised subdomains

e.g. my-environment.us-west-2.elasticbeanstalk.com

ELB Load Balancers

Amazon S3 Buckets

Records in the Hosted Zone.

An Alias works like a CNAME: you map http://google.com to elb1234.elb.amazonaws.com.

Alias records can be used for naked (apex) domain names, e.g. google.com. CNAMEs cannot.

Alias records automatically track changes to their target, e.g. the IPs of an ELB changing.

Alias records differ from CNAMES in that resolvers can’t see Alias records. They only see the resulting A record and IP answer.

Alias records can also map subdomains such as www.example.com and pictures.example.com to ELBs, S3 buckets and so on.

Alias records use the TTL of the resource they are pointed to. You cannot manually set a TTL for an alias.

If a choice is given, always use an Alias over a CNAME.

SOA record – Each zone contains a single SOA record holding information about the zone and its other DNS records.

NS record – Name Server records, used by top-level domain servers to direct resolvers to the content DNS server that holds the authoritative DNS records for the zone.

Route53 has no default TTL for any record type.

DNS records are organised into “Hosted Zones” that you configure in the console or via the API.

Accounts are limited to 50 managed domains through Route53; this can be raised on request. The default limit is 500 hosted zones and 10,000 resource record sets per hosted zone, both of which can be raised by request.

Route53 can respond with multiple IPs for an A record, leaving the querying device to choose which one to use.

Route53 will propagate changes to its worldwide network of authoritative DNS servers within 60 seconds.

Note that caching DNS resolvers are outside the control of the Amazon Route 53 service and will cache your resource record sets according to their time to live (TTL).

A change has successfully propagated world-wide when the API call returns an INSYNC status. The INSYNC or PENDING status of a change refers only to the state of Route53’s authoritative DNS servers.

Health checks allow Route 53 to serve answers only for the healthy parts of your application. Checks can be over HTTP, HTTPS or TCP. HTTP/HTTPS health checks can also do string matching: the check passes only if the page the web server serves (e.g. a dedicated status page) contains a given string.

Any record type can be associated with a health check except for SOA and NS.

Health checks can be set up against on-premises services as well.

By default an endpoint is marked failed after 3 failed observations, with a default interval of 30 seconds between observations. Health check observations continue against failed endpoints, and the endpoint is marked healthy again after 3 successful observations.

These values can be changed –

Observation threshold for successful/failed – 1 to 10

Observation interval – either the default 30 seconds or the fast interval of 10 seconds.

Load generated on an endpoint by health checks –

Default interval – a request every 2 to 3 seconds.

Fast interval – one or more requests a second.
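The threshold and interval logic above, as an added example (not from the original notes): an endpoint is marked unhealthy after a run of consecutive failed observations and healthy again after a run of successes, observations keep going while it is down, and the string-matching variant passes only when the body contains the configured string. The observation histories and response bodies are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class HealthCheck:
    """Tracks one endpoint the way the notes describe: N consecutive failures
    mark it unhealthy, N consecutive successes mark it healthy again, and
    observations continue while it is unhealthy."""
    failure_threshold: int = 3      # Route 53 default; configurable 1-10
    success_threshold: int = 3      # Route 53 default; configurable 1-10
    interval_seconds: int = 30      # default interval; the "fast" interval is 10
    healthy: bool = True
    fails: int = 0                  # current run of consecutive failures
    passes: int = 0                 # current run of consecutive successes
    transitions: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        for name in ("failure_threshold", "success_threshold"):
            if not 1 <= getattr(self, name) <= 10:
                raise ValueError(f"{name} must be between 1 and 10")
        if self.interval_seconds not in (10, 30):
            raise ValueError("interval_seconds must be 30 (default) or 10 (fast)")

    def observe(self, passed: bool, t: int) -> bool:
        """Record one observation taken at time t (seconds); return current health."""
        if passed:
            self.passes, self.fails = self.passes + 1, 0
            if not self.healthy and self.passes >= self.success_threshold:
                self.healthy = True
                self.transitions.append((t, "healthy"))
        else:
            self.fails, self.passes = self.fails + 1, 0
            if self.healthy and self.fails >= self.failure_threshold:
                self.healthy = False
                self.transitions.append((t, "unhealthy"))
        return self.healthy

    def worst_case_detection_seconds(self) -> int:
        """Upper bound on how long a hard-down endpoint keeps being answered for,
        before any DNS TTL on the record is added on top."""
        return self.failure_threshold * self.interval_seconds


def string_match_check(body: str, expected: str) -> bool:
    """HTTP/HTTPS string-matching check: passes only when the response body
    contains the configured string (Route 53 inspects the first 5,120 bytes)."""
    return expected in body[:5120]


def simulate(results, **kwargs):
    """Feed a constructed sequence of observation results (True = passed) through
    one health check, one observation per interval; return
    (final health, [(time, new state), ...])."""
    hc = HealthCheck(**kwargs)
    for i, ok in enumerate(results):
        hc.observe(ok, t=i * hc.interval_seconds)
    return hc.healthy, hc.transitions


# Constructed observation history: a two-failure blip (below threshold),
# then a real outage, then recovery.
SAMPLE_RESULTS = [True, False, False, True, False, False, False, True, True, True]

if __name__ == "__main__":
    print(simulate(SAMPLE_RESULTS))  # (True, [(180, 'unhealthy'), (270, 'healthy')])
    print(simulate(SAMPLE_RESULTS, failure_threshold=2, interval_seconds=10))
    print(HealthCheck().worst_case_detection_seconds(), "seconds to detect at defaults")
```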

CloudWatch alarms can be set up to alert on failing endpoints.

Failover can also be done based on any metric available to CloudWatch. The endpoint is marked unhealthy as soon as the metric enters an alarm state. This is also useful for any endpoint that isn’t accessible via Route 53 health checks such as an instance in a private subnet in a VPC.

Keep in mind that when an alias points to a static website in S3, the health check reflects the status of the S3 service in that region; it only fails over if S3 itself fails.

Each Amazon Route 53 hosted zone is associated with four name servers, known collectively as a delegation set.

Routing Policies –

Simple routing – Provides a single answer to a request.

Failover routing – Used for active/passive: send traffic to the primary while its health check passes, and to the secondary if it fails. AWS recommend a TTL of 60 seconds or lower for failover records. The TTL doesn’t need to be adjusted for alias records. If both endpoints are down, Route 53 fails open and answers requests as if both were up.

Geolocation routing policy – Provides 3 levels of granularity.

Continent

Country

State

A default (global) record is also stored to handle queries where the user’s location doesn’t match any of the above, or where the IP address is not recognised by Route 53’s GeoIP database.

Route53 returns a “No Answer” response if no default record is set and no matching record is found for the IP address.

Locations can overlap. In this case Route 53 returns the most specific location, i.e. State over Country over Continent, and finally the default (global) record.
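The most-specific-match rule above, as an added example rather than code from the original notes: overlapping State, Country, Continent and default records are evaluated for a client location, unknown IPs can only be served by the default record, and with no default record the result is a No Answer. Record values are constructed TEST-NET addresses.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# A client location as looked up in the GeoIP database: (continent, country, state).
# None models a client IP that is not in the database at all.
Location = Optional[Tuple[Optional[str], Optional[str], Optional[str]]]


@dataclass(frozen=True)
class GeoRecord:
    """One geolocation record. All three location fields None = the default record."""
    value: str                       # the answer returned (constructed IPs below)
    continent: Optional[str] = None  # e.g. "NA"
    country: Optional[str] = None    # e.g. "US"
    state: Optional[str] = None      # e.g. "CA" (Route 53 offers state records for US states)

    def specificity(self) -> int:
        # State beats country beats continent beats the default (global) record.
        if self.state:
            return 3
        if self.country:
            return 2
        if self.continent:
            return 1
        return 0

    def matches(self, location: Location) -> bool:
        if self.specificity() == 0:
            return True      # the default record matches any client, known or not
        if location is None:
            return False     # unknown IP: only the default record can answer
        continent, country, state = location
        return ((self.continent is None or self.continent == continent)
                and (self.country is None or self.country == country)
                and (self.state is None or self.state == state))


def resolve_geolocation(records, location: Location) -> Optional[str]:
    """Return the answer for `location`, or None to model Route 53's "No Answer".

    Overlapping records are allowed; the most specific matching one wins.
    """
    candidates = [r for r in records if r.matches(location)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.specificity()).value


def has_default_record(records) -> bool:
    """Configuration check: without a default record, clients outside every
    configured location, or with an unrecognised IP, get no answer at all."""
    return any(r.specificity() == 0 for r in records)


# Constructed record set (TEST-NET-3 addresses, not real endpoints).
SAMPLE_RECORDS = [
    GeoRecord("203.0.113.10"),                            # default / global
    GeoRecord("203.0.113.20", continent="NA"),            # North America
    GeoRecord("203.0.113.30", country="US"),              # United States
    GeoRecord("203.0.113.40", country="US", state="CA"),  # California
]

if __name__ == "__main__":
    for loc in [("NA", "US", "CA"), ("NA", "US", "TX"), ("NA", "CA", None),
                ("EU", "DE", None), None]:
        print(loc, "->", resolve_geolocation(SAMPLE_RECORDS, loc))
```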

Geoproximity routing policy – Traffic Flow only.

Latency routing policy – Using the 50 edge locations AWS has, Route 53 works out the lowest-latency answer for the user’s location when your application runs in multiple locations.

Multivalue answer routing – Can return up to 8 healthy IP answers.

Weighted routing policy – Set a weight to bias how often an answer is returned relative to one or more others.

The DNS extension “edns-client-subnet” passes the originating client’s IP subnet to the authoritative server you are querying. This is how geoproximity, for example, still works when you use a public resolver like OpenDNS, where all the actual queries are sent by OpenDNS.

You cannot create an alias to point to a DNS name being managed by traffic flow.

Private DNS allows a private hosted zone where only hosts within the associated VPCs can get results from Route 53 for the private zone. Multiple VPCs can be associated globally in multiple regions.

You can resolve private names without internet access, and the results are the same across multiple regions.

To enable DNS within a VPC both of the following must be enabled –

1. enableDnsHostnames – indicates whether the instances launched in the VPC get public DNS hostnames.

2. enableDnsSupport – indicates whether the DNS resolution is supported for the VPC.

These options must be enabled to use private hosted zones with a VPC.

Route53 query logging can be enabled to log –

Domain or sub domain requested

Date and time of request

DNS record type, e.g. A, AAAA or CNAME

Edge location which responded to the query

Response code, e.g. NoError or ServFail

In a VPC the NACL should allow both UDP and TCP port 53: DNS falls back to TCP for truncated messages.

Hybrid DNS

The Amazon DNS server (AmazonProvidedDNS) responds to DNS queries for public records, Amazon VPC resources, and Amazon Route 53 private hosted zones.

DHCP option sets allow up to 4 DNS servers to be specified. One option set applies per VPC, meaning there is no AZ-level split of DNS.

Each ENI in a VPC has a limit of 1024 packets per second sent to the AWS-provided DNS address. This is a hard limit.

Private Zones can only use simple, failover and weighted policies.

A VPC can be associated with an unlimited number of private zones as long as the namespaces don’t overlap, e.g. example.com and acme.example.com.

If you want to associate a VPC that you created with one AWS account with a private hosted zone that you created with a different account, you must programmatically authorize it.

You can delete a private hosted zone only if there are no records other than the default SOA and NS records.

Private hostname resolution is not supported over inter-region VPC peering. If you need to resolve private DNS names for EC2 instances (e.g. ip-10-90-211-18.ec2.internal), use a private hosted zone.

DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Amazon Route 53

Simple AD provides redundant, managed DNS services across AZs. If you provision a Simple AD directory domain, e.g. example.net, any DNS request outside that domain name (e.g. aws.example.com) is forwarded to the VPC-provided DNS (the VPC base address +2). If it is for example.net, Simple AD answers the on-premises requester itself. This is because the Simple AD DNS service integrates DNS resolution across Simple AD resources, VPC-provided DNS, and Route 53 private hosted zones.

Note that the VPC needs to have DNS resolution and DNS hostnames enabled.

Simple AD is split across 2 AZs, so it has an IP address in each subnet. Any request sent to these IP addresses is forwarded to the VPC-provided DNS service and Route 53. If the domain names are the same, or if the Route 53 domain is a subdomain of the Simple AD domain, Simple AD does not forward the request.

As Route53 is global you can use the solution with multiple VPCs globally and have a centralized record set.

To resolve from AWS to on-premises, configure DNS to point to an on-premises server, with forwarders configured for the zones hosted on Simple AD.

DNS Resolution Between On-Premises Networks and AWS Using AWS Directory Service and Microsoft Active Directory

Microsoft Active Directory–provided DNS won’t automatically forward requests to the VPC-provided DNS. Instead, you need to configure a DNS forwarder so that requests destined for the Route 53 private hosted zone are sent to the VPC-provided DNS. This is done with the Windows DNS Server Tools feature. The same applies for resolution of on-premises services.

DNS Resolution Between On-Premises Networks and AWS by Using Unbound

Unbound allows resolution of requests originating from AWS by forwarding them to your on-premises environment, and vice versa.

Requests originating from AWS –

All instances should use the IP of Unbound as their DNS server.

Unbound is configured with a domain name and IP for the on-premises domain; everything else is forwarded to the VPC-provided DNS.

The VPC-provided DNS handles internal requests and sends external requests to Route 53.

Requests for on-premises names are sent to the on-premises DNS and returned to Unbound, which can cache the results.

Requests originating on-premises –

For AWS resources the on-premises server still needs a conditional forwarder for the VPC domains.

The request comes to Unbound, which forwards it to the VPC DNS.

The VPC DNS resolves it and sends it back to Unbound, which in turn passes it back on-premises.

ELB

When you would use Classic instead of Application:

Support for EC2-Classic

Support for TCP and SSL listeners

Support for sticky sessions using application-generated cookies

When you would use application instead of classic:

Support for path-based routing (You can create a listener with rules to forward requests based on the URL path.)

Support for host-based routing (Requests to api.example.com can be sent to one target group, requests to mobile.example.com to another, and all others (by way of a default rule) can be sent to a third.)

Support for routing requests to multiple applications on a single EC2 instance.

Support for registering targets by IP address, including targets outside the VPC for the load balancer.

Support for containerized applications.

Support for monitoring the health of each service independently, as health checks are defined at the target group level and many CloudWatch metrics are reported at the target group level.

Access logs contain additional information and are stored in compressed format.

Improved load balancer performance.

When you would use network instead of classic:

Ability to handle volatile workloads and scale to millions of requests per second.

Support for static IP addresses for the load balancer.

Support for registering targets by IP address, including targets outside the VPC for the load balancer.

Support for routing requests to multiple applications on a single EC2 instance.

Support for containerized applications.

Support for monitoring the health of each service independently, as health checks are defined at the target group level and many Amazon CloudWatch metrics are reported at the target group level.

NLB – TCP only (not UDP)

ALB – HTTP/S only

CLB – Both

ELB Access logs can be enabled (disabled by default) and log to an S3 bucket. They contain information such as the time the request was received, the client's IP address, latencies, request paths, and server responses.

Duration Based Stickiness

The load balancer uses a special cookie to track the instance for each request to each listener.

Application-Controlled Session Stickiness

The load balancer uses a special cookie (called AWSELB) to associate the session with the instance that handled the initial request but follows the lifetime of the application cookie specified in the policy configuration. The load balancer only inserts a new stickiness cookie if the application response includes a new application cookie.

Proxy Protocol v1 on a Classic Load Balancer is used to forward the source IP address, destination IP address and port numbers to the back end. It is only needed for an SSL front end to a TCP back end. It won’t work with SSL end to end, i.e. SSL front end and SSL back end.

Proxy Protocol is not needed if front and back end listeners are TCP. In this case headers are sent unaltered.

If an NLB is used and the targets are IP addresses, the source IP addresses seen by your applications are the private IP addresses of the load balancer nodes. Proxy Protocol v2 is required to recover the client IP in this case.

In NLB, if you specify targets by instance ID, the source IP addresses provided to your applications are the client IP addresses.

Proxy Protocol v1 can only be enabled via the CLI; v2 can be enabled via the Console and CLI.

X-Forwarded-For is used to find the source IP when you are using an HTTP/S listener on the ELB.

X-Amzn-Trace-Id is used to trace a session through components of your app. Can be used for performance troubleshooting.

Remember that if you delete an ELB, the registered instances keep running as normal. It is with Auto Scaling groups that the instances are terminated.

Connection draining specifies the maximum time the ELB keeps existing connections alive before reporting the instance as deregistered. The timeout is between 1 and 3600 seconds (the default is 300 seconds).

ELB security policies are made up of –

The supported SSL protocols, e.g. TLS, SSL etc.

SSL options; the option here is server order preference, meaning the ELB dictates the order of ciphers used, not the client.

SSL ciphers, e.g. ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-GCM-SHA256 etc.

In ALB –

Host-based routing is based on the domain name, e.g. google.com.

Path-based routing is based on the URL path, e.g. /mobile.

These can be combined within rules, e.g. if the host is api.example.com and the path is /sandbox, send to a given target group.

NLBs can have one EIP in each AZ.

Health checks can use HTTP response codes from 200 to 299.

When you use an IP as a target it can only be from RFC 1918 space or 100.64.0.0/10 (RFC 6598) space. It can’t be public space.

To register instances with an ELB that reside in private subnets, if you have more than one private subnet in the same Availability Zone that contains instances that need to be registered with the load balancer, you only need to create one public subnet. You need only one public subnet per Availability Zone; you can add the private instances in all the private subnets that reside in that Availability Zone.

To use ACM generated certs with ELB you have to import the cert and validate in every region you want to use the cert.

Even when your Application Load Balancer is in dual-stack mode supporting IPv4 and IPv6, requests from the load balancer to your VPC resources are made over IPv4.

CloudFront

Optimised to work with S3, EC2, ELB and Route 53. Also works with non-AWS origin servers.

To remove an object from edge-server caches before it expires either invalidate the object or use versioning to serve a different version.

Invalidations should be a last resort and won’t help with browser caches or intermediary caches.

With CloudFront you can securely serve private content by using signed URLs or signed cookies (trusted signers), and use an Origin Access Identity (OAI) to restrict access to your Amazon S3 bucket.

Signed URLs add a signature to the URL, so the URL changes each time the signed URL expires. Use them for restricting access to individual files, when the client doesn’t support cookies, or when you’re using an RTMP distribution.

Signed cookies add a signature to a cookie, so your URLs don’t change. Use them to restrict access to multiple files and when you don’t want the URL to change.

Use an OAI if the origin is an S3 bucket. If it is a custom origin, whitelist only the CloudFront IP ranges from the ip-ranges.json document. For a custom origin in AWS secured by security groups this can be automated: AWS publishes a solution in which a change to the AWS IP ranges sends an SNS message to a Lambda function that updates your security group.

Using the “Restrict Bucket Access” option in CloudFront you can stop users accessing S3 URLs directly for content served by CloudFront.

An Origin Access Identity is the identity CloudFront uses to request objects from S3 when access is restricted to CloudFront URLs. During creation you can choose to update the bucket policy, and the required permissions for your distribution are added to it.

Users are routed to edge-locations based on latency.

Data transferred from the Origin to the edge location is free of charge.

Costs can be reduced using price classes to serve content from only specific regions. Users outside those regions are still routed to the lowest-latency edge location that does serve the content.

HTTP/HTTPS behaviours –

Redirect HTTP to HTTPS – HTTP requests return status code 301 (Moved Permanently) along with the new HTTPS URL.

HTTPS only – HTTP requests return status code 403 (Forbidden) and the object is not returned.

To use a cert from ACM with CloudFront it must be requested or imported in us-east-1. When it is associated with a distribution it is distributed to all edge locations serving that distribution.

CloudFront doesn't redirect DELETE, OPTIONS, PATCH, POST, or PUT requests from HTTP to HTTPS. If you configure a cache behavior to redirect to HTTPS, CloudFront responds to HTTP DELETE, OPTIONS, PATCH, POST, or PUT requests for that cache behavior with HTTP status code 403 (Forbidden).

Apart from GET, all other methods are sent directly to the origin server. GET requests first check the edge location for cached content and only go back to the origin if it is not available there.

Link mysite.com to your distribution using a CNAME if you use non-Route53 DNS, and an Alias if you use Route53.

If you distribute media files on demand using the Adobe RTMP protocol, your origin server is always an Amazon S3 bucket.

Regional Edge Caches work with custom origins. Amazon S3 origins, however, are accessed directly from the edge locations.

Some web applications use query strings to send information to the origin. A query string is the part of a web request that appears after a ? character; the string can contain one or more parameters, separated by & characters. In the following example, the query string includes two parameters, color=red and size=large:

http://d111111abcdef8.cloudfront.net/images/image.jpg?color=red&size=large

For web distributions, you can choose whether you want CloudFront to forward query strings to your origin and, if so, whether to cache your content based on all parameters or on selected parameters. For example, if a site is to be displayed in different languages CloudFront could forward a query string like ?language=de .

RTMP distributions can’t forward query strings.

When serving HTTP Live Streaming (HLS), HTTP Dynamic Streaming (HDS), Smooth Streaming, and MPEG-DASH formats, Amazon CloudFront will break video into smaller chunks that are cached in the Amazon CloudFront network for improved performance and scalability.

When you add alternate domain names, you can use the wildcard * at the beginning of a domain name instead of specifying subdomains individually.

Directory Services

AD Connector is a proxy which links AWS services into an existing on-premises AD setup, e.g. WorkSpaces, Amazon QuickSight and Amazon EC2 for Windows Server instances. It needs one AD service account but no federation.

Simple AD comes in 2 sizes: Small (500 users and 200 objects) and Large (5000 users and 20000 objects).

AWS Microsoft AD (Standard Edition) – 1GB object store for 5,000 users or 30,000 directory objects.

Microsoft AD (Enterprise Edition) - 17 GB object store for 100,000 users or 500,000 objects.

Directory Service is deployed over 2 AZs, automatically replaces failed instances, automatically replicates data and performs daily backups. It is also linked into CloudTrail for auditing.

You can add additional domain controllers to your managed domain using the AWS Directory Service console or API.

AWS Microsoft AD supports Lightweight Directory Access Protocol (LDAP) over Secure Socket Layer (SSL) on port 636, and LDAP over Transport Layer Security (TLS) on port 389, also known as LDAPS.

WorkSpaces

Each WorkSpace has 2 interfaces: one for management, which the PCoIP traffic to the streaming gateway runs on, and a second to access the internet, the VPC or on-premises.

No internet by default; it needs a public subnet, a NAT gateway or routing back to on-premises for corporate internet lines.

Multiple directories can be associated with each AZ pair. A WorkSpace is linked to one directory, meaning a user can only have one WorkSpace per directory. If a user needs a second WorkSpace it needs to be in a different directory.

TCP 4172 – streaming connection establishment; UDP 4172 – user input; TCP 8200 – management of the WorkSpace; UDP 55002 – PC-over-IP streaming.

The user volume (D:) on the WorkSpace is backed up every 12 hours. In the case of a WorkSpace failure, AWS can restore this volume from the backup.

The WorkSpaces directory needs to be set up via the console. Once set up, the API can be used to perform tasks.

Requires a directory, can be Simple AD, AD Connector, or AWS Directory Service for Microsoft Active Directory (Enterprise Edition), also known as Microsoft AD.

Use security groups to limit a WorkSpace’s access. A default can be set for all WorkSpaces interfaces.

IP access control groups can be used to limit access to your WorkSpaces. A group can be associated with more than one directory, and you can associate up to 25 groups with a single directory. Each group can have 10 rules. A rule takes an IP address or IP address range and a description.

Latency is best below 100 ms; AWS recommend no more than 250 ms. Recommended bandwidth is 1 Mb/s for day-to-day use and 3 Mb/s for graphically intensive workloads.

To provide QoS for WorkSpaces, mark traffic on UDP port 4172 just below voice if possible.

You can use IPv6 addresses for Amazon WorkSpaces Value, Standard, and Power bundles.

VPC

For IPv6, the largest block is the VPC’s /56 and the smallest (a subnet) is /64. A VPC can have both IPv4 and IPv6 CIDR blocks associated with it; however, you cannot change the size of the IPv6 address range of your VPC.

All IPv6 addresses are globally unique and routable from anywhere. To allow only outbound-initiated internet access and no inbound-initiated connections, use an Egress-Only Internet Gateway.

A NAT Gateway scales automatically but resides in one Availability Zone; for DR you need one per AZ. You can’t use security groups with NAT Gateways.

One IGW and one VGW per VPC.

Elastic IP Address attached to an instance remains attached when you stop and start the EC2 instance. Public IP Address changes when you stop and start the instance.

Ephemeral ports are 1024–65535. Use a NACL to deny ports in this range.

All subnets in a VPC have direct access to one another, unless they are filtered in the host or in security groups or network ACLs.

You cannot override the local route, i.e. it can’t be overridden with a more specific route.

Firewall, router or proxy instances must have the source/destination check disabled.

There is no DSCP in a VPC. Typically, larger instances mean more bandwidth and better forwarding performance.

Always use a private IP to route within a VPC or over a VPC peering etc.

Data transfer charges are not incurred when accessing Amazon Web Services, such as Amazon S3, via your VPC’s Internet gateway.

Add routes for both IPv4 and IPv6 to the route table; for example, a default route is needed for each.

Amazon reserves the first four (4) IP addresses and the last one (1) IP address of every subnet for IP networking purposes.

You can attach a network interface in one subnet to an instance in another subnet in the same VPC; however, both the network interface and the instance must reside in the same Availability Zone.

Non-primary ENIs can be detached when an instance is running.

An AMI of an instance can be moved directly from one subnet to another; as long as they are in the same AZ, the ENI remains the same.

A requester-managed network interface is a network interface that an AWS service creates in your VPC. This network interface can represent an instance for another service, such as an Amazon RDS instance, or it can enable you to access another service or resource, such as an AWS PrivateLink service, or an Amazon ECS task. You can’t modify or delete these, but you can tag them. They are removed automatically when the service they are used for is deleted.

In AWS there is no concept of traditional IDS/IPS, no promiscuous ports etc. Vendors provide AMIs that run as NAT instances, or as instances that other instances’ traffic is routed through.

Direct Connect and VPN

An Internet gateway is not required to establish a hardware VPN connection.

Customer VPN devices for static VPNs must support PSKs, tunnel mode, 128- or 256-bit encryption, SHA-1 or SHA-2 hashing, and Diffie-Hellman PFS group 2 or higher, and fragmentation must be done before the VPN device.

In addition, for dynamically-routed VPNs they must support BGP, binding tunnels to logical interfaces (route-based VPN) and Dead Peer Detection.

The customer side is the initiator. The tunnel goes down after being idle, typically 10 seconds. AWS recommend something like IP SLA to keep sending ping traffic so the tunnel stays up.

Over a VPN you cannot access NLBs, EFS, VPC Endpoints, PrivateLink Endpoints, VPC DNS IP and AWS Public IP Ranges.

VGW supports IPSEC VPN throughput up to 1.25 Gbps. Multiple VPN connections to the same VPC are cumulatively bound by the VGW throughput of 1.25 Gbps.

To use NAT, you will need to enable NAT-T and open UDP port 4500 on your NAT device.

CloudWatch can monitor Tunnel State, Data in and Data Out.

A VPN connection consists of two tunnels for redundancy. It should run to two customer gateways, bringing the total to four tunnels.

For setups such as a transit VPN, an instance can forward at 1–3 Gbps while the VGW is limited to 1.25 Gbps.

Firewall rules for the VPN must allow UDP 500 and IP protocol 50.

You can run a VPN over DX using a public VIF; you could use this to secure access to DynamoDB, for example.

For CloudHub, you create a VGW with multiple customer gateways. Each customer must have a unique BGP ASN and non-overlapping IP space. Customers advertise their prefixes over the VPN and the VGW advertises these prefixes to all other customers, who can then route between each other through the VGW.

When requesting a DX connection, you will be asked to select the AWS Direct Connect location you wish to use, the number of ports, and the port speed. You don’t have to have equipment in the location; providers can extend MPLS etc. into the colo.

1Gbps and 10Gbps ports are available. Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be ordered from any APN partners supporting AWS Direct Connect.

A sub-1G connection only supports one virtual interface.

AWS Direct Connect supports 1000BASE-LX or 10GBASE-LR connections over single mode fiber using Ethernet transport. Your device must support 802.1Q VLANs. VLANs are utilized in AWS Direct Connect only to separate traffic between virtual interfaces.

Additional DX links requested at the same colo are placed on a separate AWS router for redundancy. This can be verified from the console.

Enable BFD for fast failover. If DX fails, traffic is routed over the backup VPN automatically; traffic to/from public resources (S3 etc.) will route over the internet, and if there is no backup VPN or DX all VPC traffic is dropped.

LAG is only available for dedicated 1G and 10G connections, not for hosted connections through partners. Maximum of 4 links, and BFD runs on the LAG. You can set a threshold for the minimum number of healthy ports for the LAG to stay up; the minimum for a LAG is 1.

You are limited to 50 VIFs per DX port connection. If you create a 4 port LAG this counts as 4 x 50 VIFs giving you a total of 200.

AWS Direct Connect supports both single- and dual-stack configurations on public and private VIFs. You can add IPv6 to IPv4 and vice versa. This is done on 2 separate VIFs; the IPv6 addresses are provided by AWS by default as a /125, and for IPv4 a /30 is allocated by the customer.

For public VIFs you must advertise at least one prefix up to a max of 1000. For IPv6: Specify a prefix length of /64 or shorter.

VIFs can use public or private ASNs. A private ASN must be in the range 64512 to 65535, or you can provide a 32-bit ASN between 4200000000 and 4294967294. Autonomous System (AS) path prepending does not work if you use a private ASN for a public virtual interface.

On the AWS side you assign the ASN per VGW, not per VIF; a VIF inherits the ASN of the attached VGW.

You can configure the Amazon side of the BGP session with a private ASN and your side with a public ASN.

Hosted interfaces are VIFs in another account from where the DX was created.

AWS advertises public blocks with a minimum AS path length of 3 and the NO_EXPORT community. Use communities to control which prefixes you receive and how far yours propagate.

How far your prefixes are advertised –

7224:9100 – Local AWS Region

7224:9200 – All regions in the continent (e.g. North America)

7224:9300 – Global all public regions

Prefixes you want to accept –

7224:8100 – Routes from the region the DX is located.

7224:8200 – Routes from same continent as DX region.

No tag – Global, all public regions

In North America you receive the prefixes for all US regions.

You can only have 50 static routes in the table; using dynamic BGP routing raises this to 100 routes. AWS actively tears down sessions with more than 100 routes advertised to them.

IPv4 advertisements must be /30 or smaller.

Routing preference in AWS –

1 – Local routes to the VPC (you can’t override with more specific routes).

2 – Longest prefix match.

3 – Static route table entries.

4 – Dynamic routes –

a) Prefer DX BGP routes

   i. Shortest AS path

   ii. Equivalent routes are considered equal and traffic is balanced per flow.

b) VPN static routes (defined on the VPN connection).

c) BGP routes from VPN

   i. Shortest AS path

You can use communities to influence routing from AWS back to your network –

7224:7100 – Low preference

7224:7200 – Medium preference

7224:7300 – High preference

To load balance, advertise the prefixes with the same community on each link; to go active/passive, advertise the prefix on the active link with a higher-preference community. These communities are evaluated before AS_PATH, so they override AS path length.
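As an added worked example (not part of these notes), here is the route selection order above implemented in Python over a constructed route table: local routes win outright, then longest prefix, then the static/dynamic source order, and within DX BGP the 7224:7x00 community is compared before AS path length. The route sources, next-hop labels and the assumption that an untagged DX prefix counts as medium preference are mine; AWS does not expose its selection logic in this form.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Route sources in AWS preference order (most preferred first), as listed above.
SOURCE_RANK = {"local": 0, "static": 1, "dx_bgp": 2, "vpn_static": 3, "vpn_bgp": 4}

# Local-preference communities honoured on prefixes you advertise over DX;
# lower rank value = more preferred. Evaluated before AS path length.
COMMUNITY_RANK = {"7224:7300": 0, "7224:7200": 1, "7224:7100": 2}
DEFAULT_COMMUNITY_RANK = COMMUNITY_RANK["7224:7200"]  # assumption: untagged = medium


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str            # key of SOURCE_RANK
    next_hop: str          # label for the link or gateway, e.g. "dx-1"
    as_path_len: int = 0   # only meaningful for BGP-learned routes
    communities: tuple = ()


def community_rank(route: Route) -> int:
    known = [COMMUNITY_RANK[c] for c in route.communities if c in COMMUNITY_RANK]
    return min(known) if known else DEFAULT_COMMUNITY_RANK


def preference(route: Route) -> tuple:
    """Sort key, lower wins: source type, then community, then AS path length."""
    return (SOURCE_RANK[route.source], community_rank(route), route.as_path_len)


def select_routes(destination: str, table: list) -> list:
    """Return the route(s) AWS would use for destination; more than one = ECMP per flow."""
    dest = ip_address(destination)
    matches = [r for r in table if dest in ip_network(r.prefix, strict=False)]
    if not matches:
        return []
    # 1. Local VPC routes always win, even against a more specific prefix.
    local = [r for r in matches if r.source == "local"]
    if local:
        return local
    # 2. Longest prefix match across all remaining sources.
    longest = max(ip_network(r.prefix, strict=False).prefixlen for r in matches)
    matches = [r for r in matches if ip_network(r.prefix, strict=False).prefixlen == longest]
    # 3./4. Static before dynamic, DX BGP before VPN, community before AS path.
    best = preference(min(matches, key=preference))
    return [r for r in matches if preference(r) == best]


# Constructed sample table (not real AWS output).
TABLE = [
    Route("10.0.0.0/16", "local", "local"),
    Route("10.0.1.0/24", "dx_bgp", "dx-1", as_path_len=1),  # more specific, still loses to local
    Route("172.16.0.0/16", "dx_bgp", "dx-1", as_path_len=3, communities=("7224:7200",)),
    Route("172.16.0.0/16", "dx_bgp", "dx-2", as_path_len=1, communities=("7224:7100",)),
    Route("172.16.0.0/16", "vpn_bgp", "vpn-1", as_path_len=1),  # DX is preferred over VPN
    Route("172.16.5.0/24", "vpn_static", "vpn-1"),              # longer prefix beats DX
    Route("172.20.0.0/16", "dx_bgp", "dx-a", as_path_len=2),
    Route("172.20.0.0/16", "dx_bgp", "dx-b", as_path_len=2),   # equal: ECMP with dx-a
]

if __name__ == "__main__":
    for dst in ("10.0.1.5", "172.16.9.1", "172.16.5.10", "172.20.3.3", "8.8.8.8"):
        print(dst, "->", [r.next_hop for r in select_routes(dst, TABLE)])
```

Note that dx-1 wins 172.16.0.0/16 despite the longer AS path because its medium community outranks dx-2's low community, which is the active/passive behaviour described above.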

To access public resources in a remote region, you must set up a public virtual interface and establish a Border Gateway Protocol (BGP) session. After you have created a public virtual interface and established a BGP session to it, your router learns the routes of the other public AWS regions.

You cannot create a public virtual interface to a Direct Connect gateway.

A Direct Connect gateway supports communication between attached private virtual interfaces and associated virtual private gateways only. The following traffic flows are not supported:

Direct communication between the VPCs that are associated with the Direct Connect gateway.

Direct communication between the virtual interfaces that are attached to the Direct Connect gateway.

Direct communication between a virtual interface attached to a Direct Connect gateway and a VPN connection on a virtual private gateway that's associated with the same Direct Connect gateway.

You cannot associate a virtual private gateway with more than one Direct Connect gateway and you cannot attach a private virtual interface to more than one Direct Connect gateway.

A virtual private gateway that you associate with a Direct Connect gateway must be attached to a VPC.

DX Gateway currently only supports VPCs in your own account.

Remember AWS will choose DX over VPN. So you can advertise the same routes on both and AWS will ensure the DX is the active link.

Peerings

Max of 125 peering connections.

VPC peering connections do not require an Internet Gateway.

There is no single point of failure for communication or a bandwidth bottleneck.

If an Inter-Region peering connection does go down, the traffic will not be routed over the internet.

Inter-region VPC peering traffic is encrypted. This is handled by AWS. In region peering is not.

Inter-Region VPC Peering does not support IPv6.

Network Load Balancers, AWS PrivateLink and Elastic File System cannot be used over Inter-Region VPC Peering.

Remember you can have multiple route tables in a VPC, one per subnet. This allows routing configurations that support peerings to VPCs with overlapping ranges by using different route tables in separate subnets. Detailed example in the web notes doc if you forget.

A placement group can span peered VPCs; however, you will not get full bisection bandwidth between instances in peered VPCs.

You can reference security groups over a VPC peering but not over an inter-region peering. If peering with another account, the group is referenced as the account number and the group ID, i.e. 123456789012/sg-1a2b3c4d.

To reference DNS hostnames over a peering you have to enable it in the peering options. Both VPCs must be enabled for DNS hostnames and DNS resolution. You can also reference DNS cross account over a peering. You cannot enable DNS resolution support for an inter-region VPC peering connection.

You cannot create a VPC peering connection between VPCs with matching or overlapping IPv4 CIDR blocks. If the VPCs have multiple IPv4 CIDR blocks, you cannot create a VPC peering connection if any of the CIDR blocks overlap.

The above is true even if you plan to use IPv6 but the VPC has overlapping IPv4 address space.

Communication over IPv6 is not supported for an inter-region VPC peering connection.

AWS VPN CloudHub is not to be used as a VPC peering technology.

Endpoints

Endpoints are a regional service and are not extendable across VPC boundaries (including VPC peers and VPN connections).

Amazon VPC offers two different types of endpoints: gateway type endpoints and interface type endpoints.

Gateway type endpoints are available only for AWS services including S3 and DynamoDB. These endpoints will add an entry to your route table and go over the AWS backbone.

Interface type endpoints add an ENI to your VPC. They are reachable over DX.

Interface endpoints get regional, zonal and public DNS hostnames you can use to connect; you can also connect directly to the IP addresses.

VPC endpoints for Amazon S3 provide two ways to control access to your Amazon S3 data:

You can control the requests, users, or groups that are allowed through a specific VPC endpoint.

You can control which VPCs or VPC endpoints have access to your S3 buckets by using S3 bucket policies.

Example bucket policy allowing only traffic from VPC endpoint vpce-1a2b3c4d to the example bucket (a Deny with a Principal is required for the statement to be valid) –

{
  "Version": "2012-10-17",
  "Statement": [{
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-1a2b3c4d"}}
  }]
}

Example blocking all traffic except from the VPC with ID vpc-111bbb22 –

{
  "Version": "2012-10-17",
  "Statement": [{
    "Principal": "*",
    "Action": "s3:*",
    "Effect": "Deny",
    "Resource": ["arn:aws:s3:::examplebucket", "arn:aws:s3:::examplebucket/*"],
    "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-111bbb22"}}
  }]
}

MTU

Max MTU is 9001, depending on instance type.

Within a VPC or over an in-region VPC peering you can get 9001-byte packets. VPNs, DX and the Internet Gateway are all 1500. If packets are over 1500 bytes they are fragmented, or dropped if the Don't Fragment flag is set in the IP header.

You can configure the MTU size by route or use multiple elastic network interfaces with different MTU sizes and different routes.

To use Path MTU Discovery, add a custom ICMP rule for the Destination Unreachable type to the inbound security group rules for your instance.

You can check the path MTU between two hosts using the tracepath command on the Amazon Linux AMI.

PrivateLink

Interface endpoints show as ENIs in your VPC and have IPs in the subnet.

You register a service behind an NLB. Customers establish endpoints to your service after you whitelist accounts and IAM roles.

Applications on premises can connect to the service endpoints in Amazon VPC over AWS Direct Connect.

You can create up to 100 VPC endpoints per VPC.

Each VPC endpoint can support 10 Gbps of continuous bandwidth per Availability Zone.

A VPC endpoint connects directly to a single service.

DHCP

You can create custom DHCP option sets with these parameters –

Name tag

Domain name

Domain name servers (lets you set custom DNS servers, such as on-prem servers for hybrid DNS setups, or the value AmazonProvidedDNS to use the AWS DNS servers)

NTP servers

NetBIOS name servers

NetBIOS node type

Add multiple values to fields using comma separated values.

You can not edit a created DHCP option set.

A VPC can have only one option set attached, but one option set can be attached to many VPCs.

When you change the option set attached to a VPC, newly launched instances pick it up instantly, but running instances only update when their current DHCP lease expires.

Flow Logs

Metadata log of IP traffic. Not a packet capture.

Src addr, Dst addr, Src port, Dst port, Protocol

Can attach to ENIs, Subnets or VPCs. Logs Ingress and Egress. Can be set for Accepted, Rejected or all traffic. These settings can't be changed afterwards.

Not real-time; it can take up to 7 minutes for a record to be added to the log.

Logs the data to CloudWatch and it needs an IAM Role.

Each flow log uses a log group; each ENI is a log stream.

Flow logs created at the VPC level are inherited, so they pass down to the subnets in the VPC.

Each log is for a traffic flow in a given capture window. Packets and bytes are the amount during this window.

Flow logs always show the instance's primary private IP address, even if the traffic is going to the public IP of the instance or to a secondary IP on an ENI.

If you see an accept, another accept and then a reject for the same flow, this can be caused by a NACL allowing the traffic in (stateless), a security group allowing it in (stateful, so the return traffic is allowed out as well) and the NACL not allowing the return traffic outbound (stateless).

Doesn’t capture traffic to the AWS DNS server, license activation traffic to AWS, instance metadata traffic to 169.254.169.254, AWS DHCP traffic or traffic destined for the VPC router IP.
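Added example (not from the notes): a Python parser for default-format flow log records, run over constructed sample lines. It flags the accept-then-reject pattern described above by pairing each 5-tuple with its reverse direction, skips NODATA/SKIPDATA records that carry no flow, and lists sources that were rejected on several distinct destination ports. The account ID, ENI ID and addresses are made up.

```python
from collections import defaultdict

# VPC Flow Log default (version 2) field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample lines (not real log data). An SSH session from 203.0.113.12
# is accepted inbound, then the instance's reply on the ephemeral port is rejected,
# the classic sign of a NACL with no outbound ephemeral-port rule.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.20 43210 22 6 12 1840 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 203.0.113.12 22 43210 6 3 180 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51000 443 6 8 4200 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 198.51.100.7 443 51000 6 6 9100 1600000000 1600000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.20 40001 3389 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.20 40002 445 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.55 10.0.1.20 40003 23 6 1 40 1600000000 1600000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1600000060 1600000120 - NODATA
"""


def parse_flow_log(text: str) -> list:
    """Parse default-format records, skipping NODATA/SKIPDATA records that carry no flow."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def asymmetric_flows(records: list) -> list:
    """5-tuples accepted in one direction whose reverse direction was rejected."""
    by_tuple = defaultdict(set)
    for r in records:
        key = (r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"], r["protocol"])
        by_tuple[key].add(r["action"])
    findings = []
    for (src, dst, sport, dport, proto), actions in by_tuple.items():
        reverse = by_tuple.get((dst, src, dport, sport, proto), set())
        if "ACCEPT" in actions and "REJECT" in reverse:
            findings.append({"client": src, "server": dst, "port": dport, "protocol": proto})
    return findings


def rejects_by_source(records: list, min_ports: int = 3) -> dict:
    """Sources with REJECTs on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(asymmetric_flows(recs))
    print(rejects_by_source(recs))
```

The asymmetric finding points at the NACL outbound rules rather than the security group, because a security group would have allowed the stateful reply; the per-source reject list is the kind of summary you would feed to a CloudWatch metric filter or alarm.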

Placement Groups

You can’t merge placement groups. Instead, you must terminate the instances in one placement group and then relaunch them into the other placement group.

A placement group can span peered VPCs; however, you will not get full bisection bandwidth between instances.

Placement groups are of two types –

Cluster Placement Groups – A cluster placement group can’t span AZs.

Spread Placement Groups – A spread placement group can span AZs.

You can’t move an existing instance into a placement group. You can create an AMI from an existing instance and then launch from it into a placement group.

A cluster placement group is a logical grouping of instances within a single Availability Zone.

A spread placement group can span multiple Availability Zones, and you can have a maximum of seven running instances per Availability Zone per group. They can also span VPC peerings.

Instances with a tenancy of host cannot be launched in placement groups.

Enhanced Networking

Launch the instance from an HVM AMI using Linux kernel version 3.2 or later. If not, drivers can be added manually.

To check whether a Linux instance is using enhanced networking, run ethtool -i followed by the interface name (e.g. ethtool -i eth0). If the driver is 'vif' it isn't; if it is 'ixgbevf' or 'ena' it is.

An ENA instance within a placement group can sustain a single TCP stream of up to 10 Gbps to another ENA instance. Newer instance types can achieve this anywhere within the region, but for now placement groups still have value. Otherwise the maximum is 5 Gbps.

The Intel 82599 Virtual Function interface supports network speeds of up to 10 Gbps for supported instance types.

The Elastic Network Adapter (ENA) supports network speeds of up to 25 Gbps for supported instance types.

To increase performance and scale, distribute flows across many instances to ensure that the bandwidth of any given flow or instance does not limit overall performance.

WAF

AWS WAF works with ALB and CloudFront.

AWS WAF helps protect applications and can inspect web requests transmitted over HTTP or HTTPS.

WAF for CloudFront runs at edge locations to block traffic from reaching web servers. Also works on non-AWS origins.

For ALB it runs in region and operates on public facing ALBs.

Works with both IPv4 and v6.

AWS WAF charges based on the number of web access control lists (web ACLs) that you create, the number of rules that you add per web ACL, and the number of web requests that you receive.

Rate-based rules allow you to limit requests from an IP, measured in a 5-minute window. When the rate falls below the configured value the IP is unblocked.

Can run with managed rules from AWS Marketplace vendors. You can add your own rules in parallel with a managed rule.

Can count the number of hits for rules in a managed rule set before you enable the rule set and block traffic.

You can configure CloudFront to present a custom error page when requests are blocked.

There are six condition types: cross-site scripting, IP addresses, size constraint, SQL injection, geographic match and string match.

When you evaluate the body of a request, only the first 8,192 bytes are inspected.

Billing

Inbound data transfers are always free. You pay for outbound.

VPN – Charged per active hour and data transfer outbound. These costs go to the account of the VPC and CGW the VPN terminates on.

Direct Connect itself has two charges associated with it, the hourly port charge and data transfer.

The hourly port charge is for the physical connection between your router and the DX router. It is billed to the account where the Direct Connect interface is added (the physical connection, not the VIF). Partial port-hours consumed are billed as full hours.

Data transfer charges are for data from the VPC going OUT of AWS, measured in GB/month. The account where the virtual interface appears is the account that is charged for the data traversing the interface.

Classic ELBs are charged on the time the ELB is up and the amount of data (per GB) it processes. Application and Network Load Balancers are charged for each hour or partial hour that a load balancer is running and the number of Load Balancer Capacity Units (LCU) used per hour.

For network bandwidth between instances in different subnets, if the instances reside in subnets in different Availability Zones, you will be charged $0.01 per GB for data transfer.

VPN connection-hours are billed for any time your VPN connections are in the "available" state. If you access AWS resources via your VPN connection, you will incur Internet data transfer charges.

VPC Peering carries a $0.01 per-GB charge for traffic leaving or entering a VPC; therefore, a single flow would cost $0.02 in each direction. Being in the same Availability Zone does not affect pricing.

Data transfer from Amazon S3 to Amazon CloudFront is not charged.

CloudFormation

CloudFormation templates can be specified in JSON or YAML format.

Use the optional Parameters section to customise your templates. Parameters enable you to input custom values to your template each time you create or update a stack.

CloudFormation does not check for account limits. So, it is possible that your stack creation may fail if it exceeds account limits.

Example of adding a security group to an EC2 instance during creation (SecurityGroups takes a list) –

"SecurityGroups": [{"Ref": "WebServerSG"}]

You can use the Fn::GetAtt function to query the value of an attribute from a resource in the template.

By default, CloudFormation ensures all or nothing deployment.

Each AWS CloudFormation account is limited to a maximum of 200 stacks. Can be raised on request.

You can include up to 60 parameters and 60 outputs in a template.

AWS CloudFormation provides a WaitCondition resource that acts as a barrier, blocking the creation of other resources until a completion signal is received from an external source such as your application, or management system.

You can add a DependsOn attribute, for example so a route is added only after a VGW has been created and attached to the VPC, or an EC2 instance is created only after a DB is created.

"Ec2Instance" : {
  "Type" : "AWS::EC2::Instance",
  "Properties" : {
    "ImageId" : {"Fn::FindInMap" : [ "RegionMap", { "Ref" : "AWS::Region" }, "AMI"]}
  },
  "DependsOn" : "myDB"
},

"myDB" : {
  "Type" : "AWS::RDS::DBInstance",
  "Properties" : {
    "AllocatedStorage" : "5",
    "DBInstanceClass" : "db.m1.
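Added example, not from the notes or from AWS: a Python script that extracts the dependency graph of a CloudFormation template (explicit DependsOn plus implicit Ref / Fn::GetAtt references to other resources) and computes the stages in which resources can be created, which makes a missing DependsOn (e.g. a route created before its VGW attachment) visible before a stack rolls back. The template is constructed: the Ec2Instance/myDB pair above plus an assumed VGW attachment and route; the AMI ID is a placeholder.

```python
import json

# Constructed template (not from the notes or AWS docs): the Ec2Instance/myDB pair
# above plus an assumed VGW attachment and route, so that both explicit (DependsOn)
# and implicit (Ref / Fn::GetAtt) dependencies appear.
TEMPLATE = json.loads("""
{
  "Parameters": {"KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"}},
  "Resources": {
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "VGW": {"Type": "AWS::EC2::VPNGateway", "Properties": {"Type": "ipsec.1"}},
    "VGWAttachment": {
      "Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {"VpcId": {"Ref": "VPC"}, "VpnGatewayId": {"Ref": "VGW"}}
    },
    "RouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": {"Ref": "VPC"}}},
    "VPNRoute": {
      "Type": "AWS::EC2::Route",
      "DependsOn": "VGWAttachment",
      "Properties": {
        "RouteTableId": {"Ref": "RouteTable"},
        "DestinationCidrBlock": "192.168.0.0/16",
        "GatewayId": {"Ref": "VGW"}
      }
    },
    "myDB": {"Type": "AWS::RDS::DBInstance", "Properties": {"AllocatedStorage": "5"}},
    "Ec2Instance": {
      "Type": "AWS::EC2::Instance",
      "DependsOn": "myDB",
      "Properties": {"KeyName": {"Ref": "KeyName"}, "ImageId": "ami-PLACEHOLDER"}
    }
  },
  "Outputs": {"DbEndpoint": {"Value": {"Fn::GetAtt": ["myDB", "Endpoint.Address"]}}}
}
""")


def _collect_refs(node, resource_names: set, acc: set) -> None:
    """Walk a property tree collecting Ref / Fn::GetAtt targets that name resources.
    Refs to parameters or pseudo parameters (AWS::Region) are not dependencies."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            if node["Ref"] in resource_names:
                acc.add(node["Ref"])
        elif len(node) == 1 and "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            name = target.split(".", 1)[0] if isinstance(target, str) else target[0]
            if name in resource_names:
                acc.add(name)
        else:
            for child in node.values():
                _collect_refs(child, resource_names, acc)
    elif isinstance(node, list):
        for child in node:
            _collect_refs(child, resource_names, acc)


def dependencies(template: dict) -> dict:
    """Map each logical resource name to the set of resources it must wait for."""
    resources = template["Resources"]
    names = set(resources)
    deps = {}
    for name, body in resources.items():
        acc = set()
        _collect_refs(body.get("Properties", {}), names, acc)
        explicit = body.get("DependsOn", [])
        for target in ([explicit] if isinstance(explicit, str) else explicit):
            if target not in names:
                raise ValueError(f"{name}: DependsOn unknown resource {target!r}")
            acc.add(target)
        acc.discard(name)
        deps[name] = acc
    return deps


def creation_order(template: dict) -> list:
    """Stages of resources that can be created in parallel; raises on a cycle."""
    remaining = dependencies(template)
    stages = []
    while remaining:
        ready = sorted(n for n, d in remaining.items() if not d & set(remaining))
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
        stages.append(ready)
        for n in ready:
            del remaining[n]
    return stages


if __name__ == "__main__":
    for i, stage in enumerate(creation_order(TEMPLATE)):
        print(f"stage {i}: {stage}")
```

VPNRoute lands in the last stage only because of its explicit DependsOn on VGWAttachment; its Ref to VGW alone would let it be created as soon as the gateway exists, before the attachment, which is the failure the note above warns about.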

CloudFormation can manage Elastic Beanstalk as one of its resources.

With parameters, you can customize aspects of your template at run time when the stack is built, i.e. the Amazon RDS database size, Amazon EC2 instance types, database and web server port numbers. Parameters have a NoEcho option.

AWS CloudFormation allows you to define deletion policies for resources in the template. You can specify that snapshots be created for Amazon EBS volumes or Amazon RDS database instances before they are deleted. You can also specify that a resource should be preserved and not deleted when the stack is deleted. This is useful for preserving Amazon S3 buckets when the stack is deleted.

The Fn::GetAtt intrinsic function returns the value of an attribute from a resource in the template.

Declaration

JSON

{ "Fn::GetAtt" : [ "logicalNameOfResource", "attributeName" ] }

YAML

Fn::GetAtt: [ logicalNameOfResource, attributeName ]

logicalNameOfResource - The logical name (also called logical ID) of the resource that contains the attribute that you want.

attributeName - The name of the resource-specific attribute whose value you want.

This example snippet returns a string containing the DNS name of the load balancer with the logical name myELB.

JSON

"Fn::GetAtt" : [ "myELB" , "DNSName" ]

YAML

!GetAtt myELB.DNSName

Example to pull the Security Group name assigned to the ELB myELB

JSON

"SourceSecurityGroupName": {"Fn::GetAtt":["myELB","SourceSecurityGroup","GroupName"]}

YAML

SourceSecurityGroupName: !GetAtt myELB.SourceSecurityGroup.GroupName

Misc Services

AWS Service Catalog

Allows companies to create a curated list of products people can deploy. These can be specific software, servers or complete multi-tier architectures. This lets your org enforce deployment consistency and governance.

AWS Certificate Manager

AWS Certificate Manager is supported on Amazon CloudFront, Elastic Load Balancing, AWS Elastic Beanstalk (using Elastic Load Balancing), and Amazon API Gateway.

ACM can generate certs for you or you can import your own certs.

Generated certs are RSA-2048 with SHA-256 and are valid for 13 months. They are auto-renewed 30 days before they expire if the certificate is internet-accessible to the service.

The certificate must include at least one Fully Qualified Domain Name (FQDN), and you can add additional names. You may also request wildcard names (such as *.example.aws).

AWS Certificate Manager uses AWS KMS to help protect the private key.

AWS Shield

AWS Shield provides protection against DDoS attacks.

Shield standard offers a managed ruleset from AWS with limited detail on the attacks.

Shield Advanced, provides additional DDoS attack protection for Amazon Route 53 hosted zones, Amazon CloudFront distributions, Elastic Load Balancing load balancers, and resources attached to Elastic IP addresses, like Amazon EC2 instances. In addition to network layer (Layer 3) and transport layer (Layer 4) detection and mitigation, AWS Shield Advanced also provides intelligent DDoS attack detection and mitigation for application layer (Layer 7) attacks.

With Advanced you also get access to a 24x7 DDoS response team for assistance during attacks.

GuardDuty

Analyzes billions of events from AWS CloudTrail, VPC Flow Logs, and DNS Logs.

For example, GuardDuty can detect compromised EC2 instances serving malware or mining Bitcoins. It can detect attackers scanning your web servers for known application vulnerabilities, or accessing AWS resources from an unusual geolocation. It also monitors AWS account access behavior for signs of compromise, such as unauthorized infrastructure deployments, like instances deployed in a region that has never been used, or unusual API calls, like a password policy change to reduce password strength.

Detected threats can be sent to CloudWatch Alerts.

Amazon Inspector

Amazon Inspector is a security service that allows you to analyze your VPC environment to identify potential security issues. With Amazon Inspector, you create assessment targets using Amazon EC2 instance tags, create an assessment template with a selected rules package, and then run the assessment. At the end of the assessment period, Amazon Inspector produces a set of findings and recommended steps to resolve potential security issues.

Amazon Inspector supports evaluation durations between 15 minutes and 24 hours.

Amazon Macie

Amazon Macie is a security service that uses machine learning to discover, classify, and protect sensitive data in AWS automatically. Amazon Macie recognizes sensitive data such as Personally Identifiable Information (PII) or intellectual property and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.

Amazon Macie can alert you when AWS API credentials or SSH keys appear in your Amazon S3 buckets.

Amazon AppStream 2.0

Amazon AppStream 2.0 is a fully managed application streaming service. You centrally manage your desktop applications on AppStream 2.0 and securely deliver them to a browser on any computer.

Misc

You can schedule CloudWatch to call Lambda. This could come up in one of the automating services questions.

AWS Lambda requires NAT to connect to the Internet. Public IP addresses cannot be assigned to an AWS Lambda function.

Internet connectivity is not a requirement for Amazon EMR; however, Amazon S3 connectivity, DNS hostnames, and private IP addresses are required.

Amazon Redshift requires an IP for each node in the cluster, plus one additional IP for the leader node. So, for 10 nodes you need 11 IPs.

Authorization for a penetration test may be requested for a maximum of 90 days per request.