🌐AWS Advanced Networking Specialty Flash Cards
Master AWS Networking Concepts with 350+ Interactive Flash Cards - ANS-C01 Exam Prep
AWS Advanced Networking Specialty (ANS-C01) Exam Questions and Answers
VPC (Virtual Private Cloud) Essential Questions
What is the minimum and maximum CIDR block size for a VPC?
Minimum: /28 (16 IP addresses, but 5 are reserved by AWS). Maximum: /16 (65,536 IP addresses). AWS reserves the first four IP addresses and the last IP address in each subnet for internal networking purposes.
What are the 5 IP addresses reserved by AWS in every subnet?
Network address (first IP), VPC router (network + 1), DNS resolver (network + 2), Reserved for future use (network + 3), Broadcast address (last IP). For example, in 10.0.0.0/24: 10.0.0.0, 10.0.0.1, 10.0.0.2, 10.0.0.3, and 10.0.0.255 are reserved.
What is the difference between Security Groups and NACLs?
Security Groups are stateful (return traffic automatically allowed), instance-level (attached to ENI), only have ALLOW rules, and evaluate all rules before deciding. NACLs are stateless (must configure return traffic), subnet-level, have both ALLOW and DENY rules, and process rules in numerical order.
What are VPC Flow Logs and what information do they capture?
VPC Flow Logs capture metadata about IP traffic including source and destination IP addresses, source and destination ports, protocol, number of packets and bytes, time window, and action (ACCEPT or REJECT). Note that Flow Logs only capture metadata, not packet content.
What is VPC Traffic Mirroring and what protocol does it use?
VPC Traffic Mirroring copies network traffic from ENIs to monitoring appliances using VXLAN encapsulation over Layer 3. Data is sent over UDP port 4789; traffic can be mirrored within the same VPC or across VPCs, accounts, or regions, and the mirror target is an ENI or an NLB.
What is a NAT Gateway and what are its limitations?
NAT Gateway is a managed service for outbound internet connectivity from private subnets. It's highly available within an AZ, scales automatically up to 45 Gbps, supports IPv4 only (use Egress-Only IGW for IPv6), cannot span multiple AZs, and cannot be used as a bastion host.
What is VPC Peering and its limitations?
VPC Peering provides private connectivity between two VPCs. Limitations include no transitive routing, no overlapping CIDR blocks, one peering connection per VPC pair, and no edge-to-edge routing. Cross-region peering is supported.
What is a VPC Endpoint and what are its types?
VPC Endpoints provide private connections to AWS services. Interface Endpoints use PrivateLink, create an ENI in a subnet, support most AWS services, and are charged per hour plus data transfer. Gateway Endpoints are free, support only S3 and DynamoDB, and use route table entries.
Route 53 DNS Service Questions
What are the different Route 53 routing policies?
Simple (single resource, no health checks), Weighted (traffic distribution by percentage), Latency (route to the lowest-latency endpoint), Failover (primary/secondary with health checks), Geolocation (route based on user location), Geoproximity (route based on proximity plus bias), and Multivalue Answer (up to 8 healthy resources).
What is the difference between Geolocation and Geoproximity routing?
Geolocation routes based on the user's location using ISO2 country codes and does NOT return the closest record. Geoproximity routes based on calculated distance, returns the record closest to the user, supports bias adjustment (+/- 99), and can use AWS regions or latitude/longitude coordinates.
What is Route 53 Resolver and what are its endpoints?
Route 53 Resolver is a DNS resolution service at the VPC+2 IP address. Inbound endpoints allow on-premises resolvers to resolve Route 53 private hosted zones; outbound endpoints allow the VPC to resolve on-premises DNS names. Each endpoint handles roughly 10k queries per second, and together they enable hybrid DNS resolution.
What are Route 53 Health Checks and their types?
Health Check types include Endpoint (monitors an IP or domain), Calculated (based on other health checks), and CloudWatch Alarm (based on alarm state). Configuration includes protocol (HTTP/HTTPS/TCP), interval (30 or 10 seconds), failure threshold (3 consecutive failures), and string matching for HTTP/HTTPS.
What is a Route 53 Alias record and how does it differ from a CNAME?
An Alias record is AWS proprietary, maps to AWS resources, can be used at the zone apex, incurs no query charges, and supports automatic health checks. A CNAME is standard DNS, cannot be used at the zone apex, incurs query charges, points to any DNS record, and has no automatic health checks.
Transit Gateway Architecture Questions
What is AWS Transit Gateway and what attachments does it support?
Transit Gateway is a network hub connecting VPCs and on-premises networks. It supports VPC Attachments, VPN Connections, Direct Connect Gateway, Peering Connections (cross-region), and Connect Attachments (SD-WAN). It's highly available, scalable, and reduces network complexity.
How does Transit Gateway routing work with route tables?
Each TGW has a default route table. An attachment is associated with exactly one route table but can propagate its routes to multiple tables. The default behavior creates full-mesh connectivity, with all attachments associated with and propagating to the default table. Use separate route tables for network segmentation.
What is Transit Gateway Connect?
TGW Connect enables native SD-WAN integration using GRE tunnels with BGP running over the GRE tunnel. It provides higher bandwidth than VPN (up to 5 Gbps per connection), supports 4 Connect peers per attachment, and is ideal for SD-WAN appliances and third-party network appliances.
What are the bandwidth limits for Transit Gateway?
Up to 50 Gbps per AZ and per attachment; VPN at 1.25 Gbps per tunnel; Connect at 5 Gbps per connection; and Direct Connect up to 100 Gbps. Bandwidth is per AZ, not per TGW, with a burst capability of 50 Gbps.
What is Transit Gateway Peering?
TGW Peering connects Transit Gateways across regions and accounts. It offers cross-region connectivity, cross-account support, static routes only (no BGP), encrypted traffic, and no single point of failure. It is limited to 50 peering connections and does not support transitive routing.
Direct Connect Hybrid Connectivity Questions
What are the different types of Direct Connect Virtual Interfaces?
A Private VIF connects to a VPC via a Virtual Private Gateway (VGW) for private IP access using BGP. A Public VIF accesses AWS public services using public IPs without traversing the internet. A Transit VIF connects to a Transit Gateway for access to multiple VPCs, supporting up to 3 Transit Gateways per VIF.
What is Direct Connect Gateway and its benefits?
Direct Connect Gateway is a global resource connecting DX to multiple VPCs across regions. It provides a central connection point and simplifies the network architecture. VPCs cannot communicate with each other through a DX Gateway, each must have a unique CIDR block, and a DX Gateway supports a maximum of 10 VPCs.
What are Direct Connect connection types and speeds?
A Dedicated Connection offers 1 Gbps, 10 Gbps, or 100 Gbps on a physical port dedicated to you. A Hosted Connection provides 50 Mbps to 10 Gbps through an AWS Partner on a shared physical connection, with more flexible capacity. Lead times vary from days to weeks.
What is Direct Connect Link Aggregation Group (LAG)?
A LAG combines multiple DX connections into a single logical connection. It requires the same bandwidth per connection and the same DX location, with a maximum of 4 connections per LAG. Benefits include increased bandwidth, redundancy, simplified management, and automatic failover.
What is Direct Connect MACsec encryption?
MACsec provides Layer 2 encryption for DX connections using the IEEE 802.1AE standard, with line-rate encryption and point-to-point security. It requires 10 Gbps or 100 Gbps dedicated connections at specific DX locations and is not available for hosted connections.
Load Balancing and Content Delivery Questions
What are the different types of Elastic Load Balancers?
Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) with content-based routing and WebSocket support. Network Load Balancer (NLB) operates at Layer 4 (TCP/UDP/TLS) with ultra-high performance and static IPs. Gateway Load Balancer (GWLB) combines Layer 3 Gateway + Layer 4 Load Balancer for third-party appliances using GENEVE protocol.
What is Gateway Load Balancer and how does it work?
Gateway Load Balancer combines transparent network gateway and load balancer for third-party appliances. It uses GENEVE encapsulation over UDP 6081, maintains flow stickiness (5-tuple hash), integrates with AWS PrivateLink, and is transparent to applications. Used for firewalls, IDS, and deep packet inspection.
What are ALB request routing options and target groups?
Request routing includes host-based, path-based, HTTP headers/methods, query strings, and source IP CIDR. Target groups support EC2 instances, IP addresses (including on-premises), Lambda functions, and ALB (for chaining). Health checks use HTTP/HTTPS with custom settings.
What is Connection Draining/Deregistration Delay?
Connection Draining gracefully handles deregistering targets by stopping new requests while allowing in-flight requests to complete. Default is 300 seconds (range 0-3600). States include draining (in progress) and unused (complete).
Security and Network Protection Questions
What is AWS Network Firewall and how does it work?
AWS Network Firewall is a managed network firewall service for VPC protection featuring stateful and stateless rule groups, domain filtering, IPS, and TLS inspection. It is deployed in firewall subnets using Gateway Load Balancer endpoints and supports centralized or distributed architectures.
What is AWS WAF and where can it be deployed?
AWS WAF is a Web Application Firewall deployable on CloudFront, Application Load Balancer, API Gateway, and AWS AppSync. It provides SQL injection protection, XSS protection, geographic blocking, rate limiting, and custom rules with managed rule groups.
What is AWS Shield and its tiers?
AWS Shield Standard provides free DDoS protection with Layer 3/4 protection for CloudFront and Route 53. Shield Advanced ($3,000/month) offers advanced DDoS protection, DDoS Response Team access, cost protection, Layer 7 protection, real-time metrics, and Global Threat Environment dashboard.
What is GuardDuty and how does it detect network threats?
GuardDuty is an intelligent threat detection service using VPC Flow Logs, DNS logs, CloudTrail events, and Kubernetes audit logs. It detects cryptocurrency mining, unauthorized access, malicious IPs, compromised instances, and port scanning, integrating with EventBridge, Security Hub, and Lambda.
CloudFront CDN Questions
What is CloudFront and its key components?
CloudFront is a global CDN service with 450+ edge locations, regional edge caches, origins (S3, ALB, EC2, custom), distributions, and behaviors. Features include SSL/TLS termination, compression, HTTP/2 and HTTP/3, and WebSocket support.
What are CloudFront Origin Access Control and Origin Access Identity?
Origin Access Control (OAC) is the new recommended method, supporting S3 with SSE-KMS, all S3 regions, and HTTP/HTTPS requests. Origin Access Identity (OAI) is the legacy, S3-only method and is being deprecated. Both restrict S3 access to CloudFront only.
What is the difference between CloudFront signed URLs and signed cookies?
Signed URLs grant access to an individual file and support RTMP and custom origins. Signed Cookies grant access to multiple files, do not support RTMP, but let you keep your current URLs. Both support expiration, optional IP restrictions, and trusted signers.
VPN and Hybrid Networking Questions
What are the different types of VPN connections in AWS?
Site-to-Site VPN connects on-premises to VPC via VGW/TGW using IPSec tunnels up to 1.25 Gbps per tunnel. Client VPN provides individual client connections using OpenVPN protocol as a managed service. Accelerated VPN uses Global Accelerator for improved performance.
What is AWS Client VPN and its components?
Client VPN is a managed VPN service with components including Client VPN endpoint, target network associations, authorization rules, route tables, and client certificates. Authentication supports Active Directory, mutual authentication (certificates), and SAML 2.0 federated authentication.
What is the difference between static and dynamic VPN routing?
Static routing uses manual route configuration with fixed routes: simple to set up, but no automatic failover. Dynamic routing (BGP) provides automatic route exchange, adapts to network changes, offers automatic failover and route prioritization, and is better suited to complex networks.
PrivateLink Service Mesh Questions
What is AWS PrivateLink?
PrivateLink provides private connectivity between VPCs and services without an internet gateway or NAT device. Traffic stays on the AWS network, simplifying the architecture. Components include interface endpoints (consumer side) and endpoint services (provider side); the provider side requires a Network Load Balancer.
What is the difference between PrivateLink and VPC Peering?
PrivateLink offers unidirectional access, service-specific exposure, and no CIDR overlap issues; it scales to thousands of VPCs and requires an NLB. VPC Peering provides bidirectional access and full VPC-to-VPC connectivity, allows no overlapping CIDRs, is a one-to-one relationship, and needs no additional components.
How do you create a PrivateLink endpoint service?
The service provider creates a Network Load Balancer, creates the endpoint service, configures acceptance settings, adds permissions, and shares the service name. The service consumer creates an interface endpoint, selects the service name, chooses subnets, configures security groups, and accesses the service via the endpoint DNS name.
Performance and Optimization Questions
What is Jumbo Frames configuration and where is it supported in AWS?
Jumbo Frames (9000 MTU) are supported on EC2 instances within a VPC, Direct Connect (all VIF types), Transit Gateway, same-region VPC Peering, and Network Load Balancer. They are NOT supported on Internet Gateway, VPN connections, inter-region peering, or NAT Gateway. Benefits include 6x fewer packets and reduced CPU overhead.
What is Enhanced Networking (SR-IOV) and how does it improve performance?
Enhanced Networking provides higher PPS, 25-50% lower latency, lower jitter, and reduced CPU utilization. Intel 82599 VF supports up to 10 Gbps while Elastic Network Adapter (ENA) supports up to 100 Gbps. Requires supported instance types, HVM AMI, and VPC.
Cloud WAN Global Networking Questions
What is AWS Cloud WAN?
Cloud WAN is a managed wide area network service for building global networks. Core components include Core Network (managed network spanning regions), Attachments (VPCs, VPNs, Transit Gateways, Direct Connect), Policy Document (JSON configuration), Segments (isolated routing domains), and Network Function Groups (third-party appliances).
How do Cloud WAN segments work and what are their use cases?
Segments are logical isolation boundaries with separate routing tables per segment, controlled inter-segment communication, and policy-based routing. Common segments include Production (critical workloads), Development (test environments), Shared Services (common resources), and Inspection (security appliances). No communication by default between segments.
IPv6 Networking Questions
What are the key differences between IPv4 and IPv6 implementation in AWS VPC?
IPv6 uses a /56 CIDR block per VPC from the Amazon pool, with a fixed /64 subnet size. All IPv6 addresses are public, so no NAT is needed. An Egress-only IGW is used for outbound-only traffic. There are no private ranges and no Elastic IP support, and separate route table entries are needed for dual-stack.
What is an Egress-Only Internet Gateway and how does it differ from NAT Gateway?
An Egress-Only IGW handles IPv6 traffic only, is stateful, prevents unsolicited inbound connections while allowing return traffic, has no additional charges, and is horizontally scaled. A NAT Gateway handles IPv4, has hourly charges, performs NAT translation, has a 45 Gbps limit, and is AZ-specific.