VPC Advanced Architecture
Advanced VPC design for ANS-C01. Shared VPC (VPC sharing via AWS RAM): the owner account creates the VPC and shares subnets with participant accounts, which launch their own resources into those subnets. Participants manage their own instances and security groups; the owner manages subnets, route tables, NACLs, internet and NAT gateways. This eliminates per-account VPC sprawl and centralises subnet and routing policy. VPC peering constraints: non-transitive (A-B and B-C peerings do not give A a path to C), no overlapping CIDRs, no edge-to-edge routing (a peered VPC cannot be used as a gateway to the internet, Direct Connect, VPN, or another peering). Transit Gateway (TGW): hub-and-spoke model; each VPC, VPN, DX Gateway or TGW peering attaches as a TGW attachment, and TGW route tables control inter-attachment routing. Route table isolation: segment prod VPCs from dev VPCs by associating them with separate TGW route tables and propagating routes selectively (prod and dev both propagate into a shared-services table, but never into each other's table). The VPC's own route table must still send remote CIDRs to the TGW attachment; the TGW table alone does not move traffic. TGW Network Manager: global view of TGW topology including on-premises SD-WAN connections. AWS PrivateLink (VPC Endpoint Services): expose a service to other VPCs or accounts without peering; the provider fronts it with an NLB and creates an endpoint service, and consumers create interface VPC endpoints (ENIs with private IPs in their own subnets). Traffic stays on the AWS backbone and never crosses the internet, and only the exposed service is reachable, not the provider's VPC. Gateway Load Balancer (GWLB): transparent insertion of network virtual appliances (firewalls, IDS) into the traffic path; route tables send traffic to a GWLB endpoint, the GWLB distributes it across the appliance fleet, and inspected traffic returns to its original path. GENEVE encapsulation (UDP 6081) carries the original packet intact, so the appliance sees the real source and destination for stateful inspection.
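The peering and TGW constraints above are easier to reason about with a small model. The following is an added example, not code from the page or from AWS: it checks a set of VPC CIDRs for the overlaps that peering rejects, then models TGW route tables (associations plus selective propagation) and resolves where a packet from each attachment would go. The attachment names and CIDRs are constructed for the example, and the model covers only the TGW side of the lookup, not the VPC route tables that must also point at the attachment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample topology; names and CIDRs are hypothetical.
ATTACHMENTS = {
    "prod-a": "10.10.0.0/16",
    "prod-b": "10.11.0.0/16",
    "dev-a": "10.20.0.0/16",
    "shared-services": "10.0.0.0/16",
}


def overlapping_cidrs(cidrs):
    """Return (name, name) pairs whose CIDR blocks overlap.

    VPC peering refuses any such pair, and a TGW would silently prefer the
    longest prefix, so this is the check to run before attaching anything.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in cidrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


class TransitGateway:
    """Minimal model of TGW route tables: associations decide which table an
    attachment consults, propagations decide which CIDRs appear in a table."""

    def __init__(self, attachments):
        self.attachments = {n: ipaddress.ip_network(c) for n, c in attachments.items()}
        self.tables = defaultdict(list)   # table -> [(network, target attachment)]
        self.association = {}             # attachment -> table used for its lookups

    def associate(self, attachment, table):
        self.association[attachment] = table

    def propagate(self, attachment, table):
        # Selective propagation: the attachment's CIDR is advertised only into
        # the tables named here, which is what keeps prod and dev apart.
        self.tables[table].append((self.attachments[attachment], attachment))

    def route(self, src_attachment, dst_ip):
        """Longest-prefix-match lookup in the table associated with the source.

        Returns the target attachment, or None when the table has no route
        (the packet is blackholed at the TGW, which is the isolation we want).
        """
        table = self.association[src_attachment]
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, tgt) for net, tgt in self.tables[table] if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_segmented_tgw():
    """Three route tables: prod-rt, dev-rt, shared-rt.

    prod and dev each reach shared services and vice versa, but a prod
    attachment never learns a dev prefix and dev never learns prod.
    """
    tgw = TransitGateway(ATTACHMENTS)
    for att in ("prod-a", "prod-b"):
        tgw.associate(att, "prod-rt")
        tgw.propagate(att, "prod-rt")      # prod VPCs talk to each other
        tgw.propagate(att, "shared-rt")    # shared services can return traffic
    tgw.associate("dev-a", "dev-rt")
    tgw.propagate("dev-a", "dev-rt")
    tgw.propagate("dev-a", "shared-rt")
    tgw.associate("shared-services", "shared-rt")
    tgw.propagate("shared-services", "prod-rt")
    tgw.propagate("shared-services", "dev-rt")
    return tgw


if __name__ == "__main__":
    print("overlaps:", overlapping_cidrs(ATTACHMENTS))
    tgw = build_segmented_tgw()
    for src, dst in (("prod-a", "10.11.5.5"), ("prod-a", "10.20.1.1"),
                     ("dev-a", "10.0.0.10"), ("dev-a", "10.10.1.1")):
        print(f"{src} -> {dst}: {tgw.route(src, dst)}")
```

The `None` result for prod-a to a dev address is the point of the design: the prod route table simply never learns the dev prefix, so there is nothing to misconfigure later with a deny rule.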
BGP and Hybrid Connectivity
BGP is the routing protocol for all AWS hybrid connectivity; the ANS exam tests it at depth. BGP attributes for path selection (in order of preference): Weight (Cisco-proprietary, local to the router, not propagated, highest preferred), LOCAL_PREF (shared within the AS, highest preferred; set it on the on-premises routers to control the outbound path from on-premises, e.g. prefer DX over VPN), AS_PATH (sequence of AS numbers, shorter preferred; prepend your own ASN on the less-preferred link to control the inbound path into on-premises), MED (Multi-Exit Discriminator, a hint to the neighbouring AS, lower preferred; by default only compared between paths from the same neighbouring AS). Real implementations have further tie-breakers (origin, eBGP over iBGP, router ID), but these four are the ones the exam expects you to apply. AWS also lets you steer its return traffic on private and transit VIFs with Direct Connect local-preference communities (7224:7100 low, 7224:7200 medium, 7224:7300 high). Direct Connect (DX): dedicated private connection from a DX location; Public VIF (AWS public endpoints such as S3 and SQS, over public IPs), Private VIF (one VPC via a VGW, or many via a DX Gateway), Transit VIF (one or more TGWs via a DX Gateway; a DX Gateway is mandatory for transit VIFs). DX Gateway: associate one private VIF with multiple VGWs, or one transit VIF with multiple TGWs, across regions and accounts. Resilient DX: two DX connections at different DX locations (different physical paths to AWS), with a Site-to-Site VPN as a last-resort backup; AWS prefers DX-learned routes over VPN routes for the same prefix, so failover to the VPN is automatic when the DX sessions drop. Site-to-Site VPN: two tunnels per connection, IKEv2 preferred, BGP (dynamic, routes exchanged automatically) via VGW or TGW, or static routing (no BGP, prefixes entered manually). VPN ECMP on TGW: multiple VPN tunnels with Equal Cost Multi-Path to aggregate bandwidth beyond the roughly 1.25 Gbps of a single tunnel; requires BGP routing and a TGW (a VGW does not support ECMP). Accelerated VPN: uses Global Accelerator to carry VPN traffic over the AWS global network instead of the public internet, giving lower and more consistent latency for geographically distant sites; only available on TGW attachments, not on a VGW.
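The attribute order above decides which link carries traffic, and the outbound and inbound cases are controlled by different attributes. The following is an added example, not code from the page or from AWS: it implements the four-step comparison and plays through the DX-plus-VPN scenario in both directions, including what happens when DX fails. The ASNs (65000 on-premises, 7224 and 64512 on the AWS side), prefixes and link labels are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BgpPath:
    prefix: str
    via: str               # label for the link/neighbour that advertised it
    as_path: tuple         # sequence of ASNs, left-most is the nearest neighbour
    weight: int = 0        # Cisco-local attribute, never propagated
    local_pref: int = 100  # IOS default
    med: int = 0


def best_path(paths):
    """Pick the best of several paths to the same prefix.

    Comparison order is the one the ANS exam expects: higher Weight, then
    higher LOCAL_PREF, then shorter AS_PATH, then lower MED.  Real BGP
    continues with origin, eBGP-over-iBGP and router ID; this model stops at
    MED and falls back to the link label so the result is deterministic.
    """
    prefixes = {p.prefix for p in paths}
    if len(prefixes) != 1:
        raise ValueError(f"best_path compares one prefix at a time, got {prefixes}")
    return min(paths, key=lambda p: (-p.weight, -p.local_pref, len(p.as_path), p.med, p.via))


def prepend(path, times):
    """AS_PATH prepending: repeat our own ASN so the neighbour sees a longer path."""
    own_asn = path.as_path[0]
    return BgpPath(path.prefix, path.via, (own_asn,) * times + path.as_path,
                   path.weight, path.local_pref, path.med)


# Constructed scenario (hypothetical ASNs and prefixes): on-premises AS 65000
# peers with AWS over a DX private VIF (AWS ASN 7224) and a backup VPN
# terminated on a VGW (ASN 64512).

def outbound_choice(dx_up=True):
    """What the on-premises router picks for the VPC CIDR: LOCAL_PREF
    controls outbound from on-premises, so DX gets 200 and VPN keeps 100."""
    paths = [BgpPath("10.0.0.0/16", "vpn", (64512,), local_pref=100)]
    if dx_up:
        paths.append(BgpPath("10.0.0.0/16", "dx", (7224,), local_pref=200))
    return best_path(paths).via


def inbound_choice_seen_by_aws(dx_up=True, prepend_vpn=3):
    """What AWS picks for the on-premises prefix: the customer's LOCAL_PREF
    never crosses the AS boundary, so the customer prepends its own ASN on
    the VPN advertisement to make AWS prefer the DX path."""
    vpn = prepend(BgpPath("192.168.0.0/16", "vpn", (65000,)), prepend_vpn)
    paths = [vpn]
    if dx_up:
        paths.append(BgpPath("192.168.0.0/16", "dx", (65000,)))
    return best_path(paths).via


def med_tiebreak():
    """Two DX connections to the same AWS AS with equal LOCAL_PREF and
    AS_PATH: the lower MED is the customer's hint for which one to use."""
    paths = [BgpPath("192.168.0.0/16", "dx-primary", (65000,), med=10),
             BgpPath("192.168.0.0/16", "dx-secondary", (65000,), med=20)]
    return best_path(paths).via


if __name__ == "__main__":
    print("outbound:", outbound_choice(), "-> after DX failure:", outbound_choice(dx_up=False))
    print("inbound :", inbound_choice_seen_by_aws(), "-> after DX failure:",
          inbound_choice_seen_by_aws(dx_up=False))
    print("MED     :", med_tiebreak())
```

Note that on AWS the inbound preference for DX over VPN also comes from AWS's own route priority, so prepending is mostly insurance for the case where both links are DX; the model shows only the pure BGP comparison.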
Route 53 Advanced and DNS Architecture
Enterprise DNS with Route 53 for ANS-C01. Routing policies: Simple (one record name, one or more values returned in random order, no health checks), Weighted (A/B testing, blue/green; split by relative weight, and weight 0 takes a record out of rotation), Latency (route to the region with the lowest measured latency, based on AWS latency data rather than geography), Failover (primary/secondary, with a health check on the primary), Geolocation (route by the resolver's continent, country or US state, with a default record for unmatched locations; compliance and localisation), Geoproximity (route by geographic distance with a bias dial that grows or shrinks a region's catchment; Traffic Flow required), Multivalue answer (up to 8 healthy records per response; basic load distribution with health checks). Health checks: endpoint health checks (HTTP/HTTPS/TCP, interval 30 seconds standard or 10 seconds fast, run by Route 53 health checkers in multiple regions; the endpoint counts as healthy when more than 18% of checkers report success, and it must be reachable from the checkers' public IP ranges), calculated health checks (AND/OR/N-of-M logic across child health checks), CloudWatch alarm health checks (alarm state determines health; the only way to health-check resources on private IPs). Route 53 Resolver: hybrid DNS resolution. Resolver Inbound Endpoint: ENIs in the VPC that on-premises DNS forwards to, so on-premises clients resolve private hosted zones. Resolver Outbound Endpoint plus forwarding rules: VPC queries for corporate domains are forwarded to on-premises DNS servers; rules can be shared across accounts with AWS RAM. DNS Firewall: domain lists attached to a VPC via rule groups to block, allow or alert on queries; protects against DNS tunnelling and C2 domain lookups, with blocked responses returned as NXDOMAIN, NODATA or an override record.
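The health-check and routing rules above have edge cases that decide what clients see during an outage (the 18% checker threshold, N-of-M calculated checks, failover when both targets are down, and multivalue answers when nothing is healthy). The following is an added example, not code from the page or from AWS, modelling those rules so they can be exercised; the record values, check names and health states are constructed for the example.

```python
import random


def endpoint_health(checker_votes, threshold=0.18):
    """Route 53 marks an endpoint healthy when more than 18% of its health
    checkers (spread across regions) report success, so one region losing
    reachability to the endpoint does not fail the check by itself."""
    if not checker_votes:
        return True
    return sum(1 for ok in checker_votes if ok) / len(checker_votes) > threshold


def calculated_health(children, healthy_threshold):
    """Calculated health check: healthy when at least `healthy_threshold`
    child checks are healthy.  AND = len(children), OR = 1, or any N-of-M."""
    return sum(1 for ok in children.values() if ok) >= healthy_threshold


def failover_answer(primary, secondary, health):
    """Failover routing.  Serve the primary while its check passes; if both
    primary and secondary fail, Route 53 still answers with the primary."""
    if health.get(primary, True):
        return primary
    if health.get(secondary, True):
        return secondary
    return primary


def multivalue_answer(records, health, limit=8, rng=random):
    """Multivalue answer routing: up to `limit` healthy values per response.
    When every record is unhealthy, Route 53 answers with all of them rather
    than returning nothing; plan capacity for that fail-open behaviour."""
    healthy = [r for r in records if health.get(r, True)]
    pool = healthy or list(records)
    return sorted(rng.sample(pool, min(limit, len(pool))))


# Constructed example data (hypothetical IPs and check names).
CHILD_CHECKS = {"web-eu-1": True, "web-eu-2": True, "web-eu-3": False}
WEB_RECORDS = [f"203.0.113.{i}" for i in range(1, 11)]   # 10 records, 8 max per answer
WEB_HEALTH = {ip: ip not in ("203.0.113.4", "203.0.113.9") for ip in WEB_RECORDS}


if __name__ == "__main__":
    print("endpoint healthy (1 of 5 checkers):", endpoint_health([True, False, False, False, False]))
    print("EU site (2 of 3):", calculated_health(CHILD_CHECKS, 2))
    print("failover:", failover_answer("primary.example.net", "secondary.example.net",
                                       {"primary.example.net": False, "secondary.example.net": True}))
    print("multivalue:", multivalue_answer(WEB_RECORDS, WEB_HEALTH, rng=random.Random(1)))
```

The first print is the one worth remembering: one healthy checker out of five is 20%, which clears the 18% bar, so an endpoint that is unreachable from most of the world can still be served.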
Network Security and Automation
ANS-C01 network security at depth. Security groups vs NACLs: security groups are stateful (return traffic automatically allowed), attached to ENIs, allow rules only (no explicit deny; anything not allowed is dropped), and all rules are evaluated together; NACLs are stateless (both directions must be allowed explicitly, so return traffic needs an ephemeral-port rule such as 1024-65535), attached to subnets, support both allow and deny, and rules are evaluated in ascending rule-number order with the first match winning. AWS Network Firewall: managed stateful firewall with Suricata-compatible IPS rules, stateless 5-tuple rules and domain filtering; deploy firewall endpoints in dedicated subnets (typically in an inspection VPC attached to the TGW) and steer traffic to them with subnet, internet gateway ingress and TGW route tables. Network Firewall uses GWLB internally; you do not deploy a GWLB yourself, that is the pattern for third-party appliances. Traffic Mirroring: copy traffic from an ENI (filtered by direction, protocol and port) to a monitoring target (ENI, NLB or GWLB endpoint), VXLAN-encapsulated; packet-level visibility for forensics and IDS, whereas flow logs give only 5-tuple metadata. AWS Firewall Manager: centrally manage WAF, Shield Advanced, security group, Network Firewall and DNS Firewall policies across accounts in AWS Organizations; enforce minimum rules organisation-wide and auto-remediate drift. Network visibility and automation: VPC Flow Logs (default format is version, account, ENI, source and destination address and port, protocol, packets, bytes, start, end, action, log-status; REJECT records are traffic dropped by a security group or NACL) queried with Athena at terabyte scale, Route 53 Resolver query logs (every DNS query from the VPC, including DNS Firewall verdicts), and CloudWatch Network Monitor (synthetic ICMP/TCP probes from VPC subnets to on-premises destinations, reporting round-trip latency and packet loss across DX and VPN paths).
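Flow-log analysis is where the REJECT semantics above pay off: a burst of rejected flows from one source to many ports on one host is a probe the security group or NACL already stopped, and it is cheap to find. The following is an added example, not code from the page or from AWS: it parses default-format (version 2) flow records, skips NODATA placeholders before converting numeric fields, flags port-scan sources, and totals accepted bytes per pair (the same aggregate the page suggests running in Athena). The log lines, account ID, ENI ID and addresses are constructed for the example.

```python
from collections import defaultdict

# VPC Flow Logs default (version 2) format, space separated.
FLOW_FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
               "srcport", "dstport", "protocol", "packets", "bytes",
               "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one external host probing six ports on 10.0.1.20 and
# being rejected, normal HTTPS traffic in both directions, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40001 22 6 1 44 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40002 23 6 1 44 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40003 80 6 1 44 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40004 443 6 1 44 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40005 3389 6 1 44 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40006 8080 6 1 44 1700000000 1700000030 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.5 10.0.1.20 51000 443 6 120 98000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.2.5 443 51000 6 110 410000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow records into dicts.

    NODATA/SKIPDATA records keep the field count but carry '-' placeholders,
    so they are dropped before integer conversion.
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_FIELDS):
            continue
        rec = dict(zip(FLOW_FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in INT_FIELDS:
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def port_scan_sources(records, min_ports=5):
    """Sources whose REJECTed flows hit at least `min_ports` distinct
    destination ports on a single host.  REJECT means a security group or
    NACL dropped the packet, so these are probes the perimeter already stopped."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return sorted({src for (src, _dst), p in ports.items() if len(p) >= min_ports})


def top_talkers(records, n=3):
    """Accepted bytes per (src, dst) pair, largest first; the same question
    Athena answers with GROUP BY srcaddr, dstaddr ORDER BY SUM(bytes) DESC."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "usable records")
    print("possible scanners:", port_scan_sources(recs))
    print("top talkers:", top_talkers(recs))
```

Two caveats when moving this to real data: flow logs are aggregated over a capture window and carry no payload, so the six rejected SYNs show up as six records but say nothing about what the scanner sent, and a security group drop and a NACL drop both appear as REJECT, so the record alone does not tell you which control fired.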