Apologies for the lack of posts recently; I’ve been studying for the AWS Advanced Networking Specialty exam. Since re:Invent at the latter end of 2017 I’d made the decision to take a little time off from studying, but that changed when Sybex published the AWS official study guide for the Advanced Networking Specialty. To date the book is still not available here in the UK, as the release date seems to keep being delayed (perhaps due to distribution issues), but I was able to order it directly from Amazon.com in the US and get it shipped.
AWS Advanced Networking Official Study Guide
The book itself I thought was extremely good and covered the topics in pretty good detail, and what I really liked was that it covered a number of the newer services such as PrivateLink and GuardDuty.
Continue reading “AWS Advanced Networking Specialty”
In this post I’m going to go into further detail on the various Amazon VPC architectural options. When first deploying a VPC it can look much like a traditional data centre, but there are a variety of reasons to consider a multi-VPC strategy. These reasons include:
- Apply a security configuration appropriate to each VPC, improving the overall security posture.
- De-risk changes by minimising the blast radius, which in turn accelerates the deployment of changes.
- VPC-specific configurations, rather than multiple configurations living within a single VPC.
- Simplifies the operational view, since each VPC has a clear purpose.
- Provides granular network control and integration: each VPC only connects to the networks it needs.
- Makes effective use of the VPC constructs: route tables, subnets, NACLs, peering, DNS.
- Supports automated deployment of resources into segregated VPCs.
- The VPC becomes part of the automation fabric, moving away from the data centre mindset.
- Avoids the limits that very large VPCs run into, e.g. the maximum number of security groups per network interface and rules per security group.
- Reduces the impact of VPC constraints that are fixed at creation time, e.g. the primary VPC CIDR block and each subnet’s CIDR cannot be changed once created.
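The last two points are where a multi-VPC design is won or lost before anything is deployed: peered VPCs must not have overlapping CIDR blocks (AWS rejects the peering), VPC and subnet blocks must be between /16 and /28, AWS reserves five addresses in every subnet, and none of it can be changed after creation. The address-plan checker below is an added example written for this post, not code from the original article; the VPC names, CIDRs and peering list are constructed sample input, and the `pcx-…` route target is a placeholder for a real peering connection id.

```python
"""Multi-VPC address plan checker (added example, not from the original post)."""
import ipaddress
from typing import Dict, List, Tuple

# AWS VPC constraints used below.
MIN_PREFIX = 16            # largest allowed block is /16
MAX_PREFIX = 28            # smallest allowed block is /28
RESERVED_PER_SUBNET = 5    # AWS reserves the first four and the last address of every subnet

# Constructed sample plan: names and CIDRs are my own choices, not from the post.
PLAN: Dict[str, dict] = {
    "prod":   {"cidr": "10.0.0.0/16",   "subnets": ["10.0.0.0/24", "10.0.1.0/24"]},
    "shared": {"cidr": "10.1.0.0/16",   "subnets": ["10.1.0.0/24", "10.1.1.0/24"]},
    "dev":    {"cidr": "10.0.128.0/17", "subnets": ["10.0.128.0/29"]},  # overlaps prod; subnet too small
}
PEERINGS: List[Tuple[str, str]] = [("prod", "shared"), ("prod", "dev")]


def usable_hosts(cidr: str) -> int:
    """Addresses a subnet can actually hand out once AWS's reserved addresses are removed."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def _prefix_ok(net: ipaddress.IPv4Network) -> bool:
    return MIN_PREFIX <= net.prefixlen <= MAX_PREFIX


def validate_vpc(name: str, spec: dict) -> List[str]:
    """Check one VPC against the constraints that are fixed at creation time."""
    issues: List[str] = []
    try:
        vpc = ipaddress.ip_network(spec["cidr"], strict=True)
    except ValueError as exc:
        return [f"{name}: bad VPC CIDR {spec['cidr']}: {exc}"]
    if not _prefix_ok(vpc):
        issues.append(f"{name}: VPC CIDR {vpc} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    subnets: List[ipaddress.IPv4Network] = []
    for raw in spec["subnets"]:
        try:
            sn = ipaddress.ip_network(raw, strict=True)
        except ValueError as exc:
            issues.append(f"{name}: bad subnet CIDR {raw}: {exc}")
            continue
        if not _prefix_ok(sn):
            issues.append(f"{name}: subnet {sn} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
        if not sn.subnet_of(vpc):
            issues.append(f"{name}: subnet {sn} is outside VPC CIDR {vpc}")
        for other in subnets:
            if sn.overlaps(other):
                issues.append(f"{name}: subnets {sn} and {other} overlap")
        subnets.append(sn)
    return issues


def peering_conflicts(plan: Dict[str, dict], peerings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Peered VPCs must not overlap: AWS refuses the peering, and routing would be ambiguous anyway."""
    return [
        (a, b) for a, b in peerings
        if ipaddress.ip_network(plan[a]["cidr"]).overlaps(ipaddress.ip_network(plan[b]["cidr"]))
    ]


def peering_routes(plan: Dict[str, dict], a: str, b: str) -> List[Tuple[str, str, str]]:
    """Route-table entries each side needs; the target is a placeholder for a real pcx-... id."""
    pcx = f"pcx-{a}-{b}"
    return [(a, plan[b]["cidr"], pcx), (b, plan[a]["cidr"], pcx)]


def check_plan(plan: Dict[str, dict], peerings: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Per-VPC list of problems; an empty list means the VPC is safe to create as planned."""
    report = {name: validate_vpc(name, spec) for name, spec in plan.items()}
    for a, b in peering_conflicts(plan, peerings):
        report.setdefault(a, []).append(f"{a}: CIDR overlaps peer {b}; peering will be rejected")
    return report


if __name__ == "__main__":
    for vpc, problems in check_plan(PLAN, PEERINGS).items():
        print(vpc, "OK" if not problems else "\n  " + "\n  ".join(problems))
    for vpc, dest, target in peering_routes(PLAN, "prod", "shared"):
        print(f"route table of {vpc}: {dest} -> {target}")
```

Running it flags `dev` twice: its only subnet is a /29, which AWS will not accept, and its /17 sits inside the `prod` /16, so the planned prod/dev peering can never be created. Both are cheap to fix on paper and expensive to fix after the VPCs exist.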
Continue reading “VPC Architectural Options”
An enterprise customer is starting their migration to the cloud, their main reason for migrating is agility, and they want to make their internal Microsoft Active Directory available to any applications running on AWS; this is so internal users only have to remember one set of credentials and as a central point of user control for leavers and joiners. How could they make their Active Directory secure, and highly available, with minimal on-premises infrastructure changes, in the most cost and time-efficient way? (Choose 1)
a. Using Amazon Elastic Compute Cloud (EC2), they could create a DMZ using a security group; within the security group they could provision two smaller Amazon EC2 instances that are running Openswan for resilient IPsec tunnels, and two larger instances that are domain controllers; they would use multiple availability zones.
b. Using VPC, they could create an extension to their data centre and make use of resilient hardware IPsec tunnels; they could then have two domain controller instances that are joined to their existing domain and reside within different subnets, in different availability zones.
c. Within the customer’s existing infrastructure, they could provision new hardware to run Active Directory Federation Services; this would present Active Directory as a SAML2 endpoint on the internet; any new application on AWS could be written to authenticate using SAML2.
d. The customer could create a stand-alone VPC with its own Active Directory Domain Controllers; two domain controller instances could be configured, one in each availability zone; new applications would authenticate with those domain controllers.
This question is testing your understanding of how to extend your existing on-premises Active Directory service into AWS, as well as the various options that AWS offers. There are a few fundamentals of Active Directory that are worth knowing before you tackle this question.
Continue reading “AWS SA Professional – Practice Question 11”
You have been asked to virtually extend two existing data centres into AWS to support a highly available application that depends on existing, on-premises resources located in multiple data centres and static content that is served from an Amazon Simple Storage Service (S3) bucket. Your design currently includes a dual-tunnel VPN connection between your CGW and VGW. Which component of your architecture represents a potential single point of failure that you should consider changing to make the solution more highly available? (Choose 1)
a. No changes are necessary: the network architecture is currently highly available.
b. Add another CGW in a different data centre and create another dual-tunnel VPN connection.
c. Add another VGW in a different availability zone and create another dual-tunnel VPN connection.
d. Add a second VGW in a different availability zone, and a CGW in a different data centre, and create another dual-tunnel VPN connection.
This question is testing your understanding of VPNs and the various elements that go into establishing a VPN connection with AWS.
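Two facts about AWS Site-to-Site VPN decide this question: every VPN connection already gives you two tunnels terminating on two separate AWS-side endpoints, and the VGW is a regional, AWS-managed construct that you cannot place in an availability zone. The only thing you can add on the AWS side is another VPN connection from another CGW. The small fault-domain model below is an added example written for this post, not code from the original article; the node names, the inter-data-centre link and the way the AWS tunnel endpoints are modelled as two separate nodes behind the VPC are my own constructed assumptions. It finds single points of failure by removing each component and asking whether any data centre can still reach the VPC.

```python
"""Single-point-of-failure check for a site-to-site VPN design (added example, not from the original post)."""
from collections import deque
from typing import Dict, FrozenSet, Iterable, List, Set

Graph = Dict[str, Set[str]]   # undirected adjacency: each node is a fault domain


def add_edge(g: Graph, a: str, b: str) -> None:
    g.setdefault(a, set()).add(b)
    g.setdefault(b, set()).add(a)


def baseline_design() -> Graph:
    """The design in the question: two data centres, one CGW in DC1, one dual-tunnel VPN connection.

    Modelling assumptions (mine): DC1 and DC2 share a private interconnect, and the two tunnels of
    one VPN connection land on two distinct AWS endpoints (aws-ep-1a / aws-ep-1b) in front of the VPC.
    """
    g: Graph = {}
    add_edge(g, "dc1", "dc2")          # constructed inter-DC link
    add_edge(g, "dc1", "cgw1")         # the single customer gateway
    add_edge(g, "cgw1", "aws-ep-1a")   # tunnel 1
    add_edge(g, "cgw1", "aws-ep-1b")   # tunnel 2, separate AWS endpoint
    add_edge(g, "aws-ep-1a", "vpc")
    add_edge(g, "aws-ep-1b", "vpc")
    return g


def add_vpn_connection(g: Graph, dc: str, cgw: str, tag: str) -> Graph:
    """Copy of `g` with an extra CGW in `dc` and its own dual-tunnel VPN connection to the VPC."""
    h: Graph = {k: set(v) for k, v in g.items()}
    add_edge(h, dc, cgw)
    for side in ("a", "b"):
        ep = f"aws-ep-{tag}{side}"
        add_edge(h, cgw, ep)
        add_edge(h, ep, "vpc")
    return h


def reachable(g: Graph, src: str, dst: str, removed: FrozenSet[str] = frozenset()) -> bool:
    """Breadth-first search that treats every node in `removed` as failed."""
    if src in removed or dst in removed:
        return False
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in g.get(node, ()):
            if nxt not in seen and nxt not in removed:
                seen.add(nxt)
                queue.append(nxt)
    return False


def single_points_of_failure(g: Graph, sources: Iterable[str], target: str) -> List[str]:
    """Components whose loss leaves no data centre able to reach the VPC."""
    sources = list(sources)
    return sorted(
        node for node in g
        if node != target and not any(reachable(g, s, target, frozenset({node})) for s in sources)
    )


if __name__ == "__main__":
    dcs = ["dc1", "dc2"]
    print("baseline SPOFs:", single_points_of_failure(baseline_design(), dcs, "vpc"))
    same_dc = add_vpn_connection(baseline_design(), "dc1", "cgw2", "2")
    print("second CGW in DC1:", single_points_of_failure(same_dc, dcs, "vpc"))
    other_dc = add_vpn_connection(baseline_design(), "dc2", "cgw2", "2")
    print("second CGW in DC2:", single_points_of_failure(other_dc, dcs, "vpc"))
```

In the baseline the tunnel endpoints survive the test (losing either one leaves the other tunnel), but the CGW does not, and neither does the data centre it lives in. Putting the second CGW in the same data centre removes the device as a single point of failure but leaves the site as one; only a second CGW in the other data centre, with its own dual-tunnel connection, clears the list.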
Continue reading “AWS SA Professional – Practice Question 10”