Summary – Inter-VPC and Multi-account Networking – ANS-C01 Study Guide

Summary

This chapter on inter-VPC and multi-account networking was a continuation of the previous chapter on hybrid networks. You learned how to interconnect and access VPCs both within and between accounts, including VPC sharing, peering, and PrivateLink.

Common VPC network architectures were presented including the Transit Gateway, Transit Gateway Connect, and transit VPCs.

WAN was included as a refresher for the exam, and the specific topics of SD-WAN and MPLS were presented as network access technologies into the AWS cloud.

There are many higher-level issues that must be addressed beyond just interconnecting VPCs in your cloud deployment. To create, manage, and monitor inter-VPC and multi-account networks in AWS, management tools such as AWS Organizations and the Resource Access Manager are used. You learned about these services, their architecture, and how they can be used to manage your interconnected AWS networks.

Securing and controlling who can access your accounts is a critical concern in all networks, including multi-account networks where external entities may be allowed to access your VPC resources. The two primary methods used for access control are authentication and authorization, and you learned the differences between them and the functions they deliver. Specific authentication and authorization implementations were introduced, including the Security Assertion Markup Language (SAML), which is used to authenticate with an identity provider one time using a single set of credentials to enable single sign-on. The most prominent access control application is Active Directory services from Microsoft. AD is a database and service used to connect users to network services and resources. Active Directory stores data about your environment, including usernames and the authentication and authorization credentials that manage user access and rights.

Exam Essentials

Understand in detail the networking service options that are available for interconnecting VPCs. One of the most critical topics to understand for the Advanced Networking exam is how to access, interconnect, and manage VPCs. Know the topics presented in this chapter, including how to share and peer VPCs and how to manage multi-account deployments. Know that VPC sharing connects resources from multiple accounts and groups them into a common, shared network. Sharing VPCs uses internal AWS network links for added security and sharing of resources. VPC peering enables two or more VPCs to access resources in each VPC from the other. The AWS VPC peering service has no bandwidth limitations, and there is no single point of failure.

Know the AWS services available for VPC sharing and managing multi-VPC deployments. VPCs can be shared between accounts that are managed together with AWS Organizations by using the Resource Access Manager.

Be able to explain hub-and-spoke architectures. The Transit Gateway is a regional service that is scalable and highly available and enables VPCs and on-premises networks to connect through a central hub over either site-to-site VPNs or Direct Connect. The hub-and-spoke design allows any services connected to the gateway to talk to each other, which allows VPC-to-VPC routing in a region.

The transit VPC is used to create a global network transit hub that interconnects geographically separated remote networks and your VPCs. Transit VPCs reduce the number of connections needed when interconnecting VPCs and remote networks by eliminating the need to create mesh connections between VPCs.

Transit VPCs and Transit Gateways have a lot in common; the difference is that the Transit Gateway is an AWS service, while the transit VPC is a network architecture.
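As an added illustration of the hub-and-spoke design described above (example configuration, not code from the study guide), the following Terraform builds a Transit Gateway whose route tables let each spoke VPC reach a shared-services VPC without the spokes reaching each other, since the gateway only forwards between attachments that a route table connects. It assumes a configured AWS provider and existing VPC and subnet IDs supplied as variables.

```terraform
# Assumed: AWS provider configured; VPC and subnet IDs supplied as variables.
variable "shared_vpc_id"     { type = string }
variable "shared_subnet_ids" { type = list(string) }
variable "app_vpc_id"        { type = string }
variable "app_subnet_ids"    { type = list(string) }

resource "aws_ec2_transit_gateway" "hub" {
  # Disable the default table: an attachment reaches nothing until routed explicitly.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

resource "aws_ec2_transit_gateway_vpc_attachment" "shared" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.shared_vpc_id
  subnet_ids         = var.shared_subnet_ids
}
resource "aws_ec2_transit_gateway_vpc_attachment" "app" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = var.app_vpc_id
  subnet_ids         = var.app_subnet_ids
}

# Spoke table: spokes learn only the shared VPC, never each other.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table_association" "app" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.app.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "shared_to_spokes" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.shared.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}

# Hub table: the shared VPC learns every spoke, giving the return path.
resource "aws_ec2_transit_gateway_route_table" "hub" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table_association" "shared" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.shared.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "app_to_hub" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.app.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.hub.id
}
```

Each VPC's own route table still needs a route for the remote CIDR whose target is the transit gateway, and every additional spoke is one more attachment associated with the "spokes" table and propagated into the "hub" table.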

Know the details of WANs. Know what software-defined wide-area networking is and how it is used in modern wide-area networks. Understand that the SD-WAN provides a single point of management, security monitoring, and visibility for your complete network that may comprise multiple WANs from different carriers.

While MPLS is not an AWS service, you may see this WAN technology as part of a network access question. Know that MPLS is a networking architecture that replaces traditional IP routing. Labels, or tags, are used to create a predefined path through the carrier’s network instead of IP next-hop routing that uses protocols such as OSPF, IS-IS, or BGP. Data is switched node to node through the carrier’s network from your source to destination using MPLS labels.

Understand what authentication and authorization are and how they are implemented. Authentication and authorization are critical components in AWS. Understand at a deep level that they are used to grant users access to network resources. Know that SAML is used for single sign-on, and learn the different AWS implementations of Active Directory.