VPC – Networking and Connectivity – SOA-C02 Study Guide

VPC

This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:

5.1 Implement networking features and connectivity

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

1. What are some of the options to connect an on-premises datacenter to an AWS VPC?

2. Which VPN option requires the deployment of an EC2 instance?

Answers

1. Answer: AWS Managed VPN, AWS Direct Connect, AWS Direct Connect + VPN, and Software Site-to-Site VPN

2. Answer: Software Site-to-Site VPN

Hybrid cloud computing environments involve the use of physical datacenters and cloud computing services together. You might be using the cloud as a disaster recovery (DR) location. Or you might be using it to provide additional resources during periods of peak workloads (cloud bursting).

Regardless of the use case, it is vital to have a well-designed network that connects your datacenter to the AWS VPC. You may also need to connect VPCs in different Regions or different AWS accounts to each other. The choices that you make have a direct impact on how secure and performant these solutions are: the connectivity option determines whether traffic crosses the public Internet, what bandwidth is available, and whether AWS or you are responsible for the availability of the connection.

AWS-Managed VPN

An AWS-managed VPN is an IPsec VPN connection between your datacenter and an AWS VPC. The VPN terminates on a virtual private gateway (VGW) in the AWS VPC. The virtual private gateway is a managed service: each Site-to-Site VPN connection consists of two IPsec tunnels that terminate on separate AWS endpoints, giving automatic failover if one tunnel goes down, and a single VGW can terminate multiple VPN connections. Each tunnel supports up to 1.25 Gbps, and because the VGW does not load-balance (ECMP) across tunnels, the maximum aggregate bandwidth supported by the VGW for VPN connections is also 1.25 Gbps.

Figure 11.16 illustrates this concept. The customer-premises equipment (CPE) can be any hardware or software device in your datacenter that supports IPsec and is reachable on a public IP address. This component is referred to as the customer gateway (CGW) in the AWS Management Console and AWS documentation. Routing over the VPN can be dynamic, using Border Gateway Protocol (BGP), or static. The traffic is encrypted by IPsec but flows over the public Internet, so the tunnels provide confidentiality and integrity, not the predictable latency of a dedicated circuit. When you create the virtual private gateway, you can configure a private Autonomous System Number (ASN) for the Amazon side of the BGP session. If you do not specify an ASN, Amazon assigns the ASN 64512. The customer gateway has its own ASN, which you supply when you create it.

FIGURE 11.16 AWS-managed VPN

Each VPC has its own built-in DNS resolution, provided by the Amazon-provided resolver at the VPC's base address plus two. A DHCP option set controls the domain name and DNS server addresses that instances receive over DHCP. To assign your own domain name to your instances, you must create a custom DHCP option set and associate it with the VPC. In it you specify the domain name that exists on-premises, along with the addresses (up to four) of the DNS servers the instances should query. This is how you direct DNS requests from the VPC to the on-premises DNS servers over the VPN. Note that the option set replaces the Amazon-provided resolver for every query from those instances, not only for the on-premises domain, so the listed servers must be reachable over the VPN (routes plus security group and network ACL rules permitting UDP and TCP port 53) and must be able to answer, or forward, everything the instances ask. If you only want selected domains forwarded on-premises while the rest stay with the Amazon-provided resolver, use Route 53 Resolver outbound endpoints and forwarding rules instead of a custom option set.

Software Site-to-Site VPN

A software site-to-site VPN might be a requirement in regulatory environments that require full administrative control of both ends of the VPN connection, or when you need a protocol or feature the virtual private gateway does not offer. A software VPN appliance (such as OpenVPN or a strongSwan IPsec gateway) runs on an EC2 instance in the AWS VPC. There are many software VPN partner solutions in the AWS Marketplace. You must manage the configuration, patching, and availability of the VPN appliance because EC2 is not a managed service. In practice that means disabling the source/destination check on the instance so it can forward packets it does not own, adding routes for the on-premises prefixes that point to the instance (there is no VGW to propagate them), allowing IKE and IPsec traffic (UDP 500, UDP 4500 for NAT traversal, and ESP) from the on-premises peer in its security group, and building your own redundancy, since a single appliance instance is a single point of failure for the connection.
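The following added example is not from the study guide or from AWS; it is a small Python planner that ties together the three procedures above: building an AWS-managed Site-to-Site VPN (customer gateway, virtual private gateway, VPN connection, route propagation), creating a custom DHCP option set for on-premises DNS, and the EC2 plumbing a software VPN appliance needs. It does not call AWS; it emits the AWS CLI commands as strings after checking two things that commonly break a hybrid design: an on-premises prefix overlapping the VPC CIDR (the VPC's local route wins and the traffic never reaches the tunnel) and an Amazon-side ASN outside the private range. All resource IDs, IP addresses and prefixes are constructed placeholders, the function names are the example's own, and the `<vgw-id>`, `<cgw-id>`, `<vpn-id>` and `<dopt-id>` tokens stand for values you copy from each preceding command's output.

```python
import ipaddress

# Private ASN ranges accepted for the Amazon side of the BGP session
# (16-bit and 32-bit private ranges). 64512 is the default when none is given.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
AMAZON_DEFAULT_ASN = 64512


def is_private_asn(asn):
    """True if asn falls in a private ASN range."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def overlapping_prefixes(vpc_cidr, onprem_cidrs):
    """Return the on-premises prefixes that overlap the VPC CIDR. For those
    addresses the VPC's local route beats the VPN route, so traffic never
    leaves the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in onprem_cidrs if ipaddress.ip_network(c).overlaps(vpc)]


def managed_vpn_commands(vpc_id, vpc_cidr, route_table_id, cgw_public_ip, cgw_asn,
                         onprem_cidrs, amazon_asn=AMAZON_DEFAULT_ASN, static_routes=False):
    """Build (but do not run) the AWS CLI sequence for an AWS-managed Site-to-Site VPN.
    Placeholders such as <vgw-id> are filled from the previous command's output."""
    clash = overlapping_prefixes(vpc_cidr, onprem_cidrs)
    if clash:
        raise ValueError(f"on-premises prefixes overlap VPC {vpc_cidr}: {clash}")
    if not is_private_asn(amazon_asn):
        raise ValueError(f"Amazon-side ASN {amazon_asn} is not in a private range")
    cmds = [
        # 1. The customer gateway records the CPE's public IP and its BGP ASN.
        f"aws ec2 create-customer-gateway --type ipsec.1 --public-ip {cgw_public_ip} --bgp-asn {cgw_asn}",
        # 2. The VGW is the AWS end; its ASN is fixed at creation time.
        f"aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn {amazon_asn}",
        f"aws ec2 attach-vpn-gateway --vpn-gateway-id <vgw-id> --vpc-id {vpc_id}",
    ]
    # 3. The VPN connection (two IPsec tunnels) ties the CGW and VGW together.
    create = ("aws ec2 create-vpn-connection --type ipsec.1 "
              "--customer-gateway-id <cgw-id> --vpn-gateway-id <vgw-id>")
    if static_routes:
        create += " --options StaticRoutesOnly=true"
    cmds.append(create)
    if static_routes:
        # Static mode: the on-premises prefixes must be declared on the connection.
        for cidr in onprem_cidrs:
            cmds.append("aws ec2 create-vpn-connection-route "
                        f"--vpn-connection-id <vpn-id> --destination-cidr-block {cidr}")
    # 4. Whether learned via BGP or declared statically, the VGW only installs
    #    routes into route tables that have propagation enabled.
    cmds.append(f"aws ec2 enable-vgw-route-propagation --route-table-id {route_table_id} "
                "--gateway-id <vgw-id>")
    return cmds


def dhcp_options_commands(vpc_id, domain_name, dns_servers):
    """Custom DHCP option set handing instances the on-premises domain name and
    resolver addresses. This replaces the Amazon-provided resolver for every
    query from the VPC's instances; it is not per-zone conditional forwarding."""
    if len(dns_servers) > 4:
        raise ValueError("a DHCP option set accepts at most four DNS server addresses")
    servers = ",".join(dns_servers)
    return [
        "aws ec2 create-dhcp-options --dhcp-configurations "
        f'"Key=domain-name,Values={domain_name}" "Key=domain-name-servers,Values={servers}"',
        f"aws ec2 associate-dhcp-options --dhcp-options-id <dopt-id> --vpc-id {vpc_id}",
    ]


def software_vpn_commands(instance_id, sg_id, route_table_id, cgw_public_ip, onprem_cidrs):
    """EC2 plumbing a software VPN appliance needs and that AWS does not do for you."""
    peer = f"{cgw_public_ip}/32"
    cmds = [
        # The appliance forwards packets it does not own, which EC2 drops by default.
        f"aws ec2 modify-instance-attribute --instance-id {instance_id} --no-source-dest-check",
        # IKE (UDP 500), NAT traversal (UDP 4500) and ESP (IP protocol 50) from the peer only.
        f"aws ec2 authorize-security-group-ingress --group-id {sg_id} --ip-permissions "
        f'"IpProtocol=udp,FromPort=500,ToPort=500,IpRanges=[{{CidrIp={peer}}}]" '
        f'"IpProtocol=udp,FromPort=4500,ToPort=4500,IpRanges=[{{CidrIp={peer}}}]" '
        f'"IpProtocol=50,IpRanges=[{{CidrIp={peer}}}]"',
    ]
    # Route on-premises prefixes to the appliance; there is no VGW to propagate them.
    for cidr in onprem_cidrs:
        cmds.append(f"aws ec2 create-route --route-table-id {route_table_id} "
                    f"--destination-cidr-block {cidr} --instance-id {instance_id}")
    return cmds


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    for cmd in managed_vpn_commands("vpc-0123456789abcdef0", "10.0.0.0/16",
                                    "rtb-0123456789abcdef0", "203.0.113.10", 65000,
                                    ["192.168.0.0/16"], static_routes=True):
        print(cmd)
```

Run it with Python 3 to print the managed-VPN command sequence for review; the overlap check is the one worth keeping even if you type the commands by hand, because the VPC's local route cannot be overridden and an overlapping on-premises prefix fails silently rather than with an error.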