Written Labs
Written Lab 7.1: Create a VPN Attachment on a Transit Gateway Using the Console
- Using a web browser, open the Amazon VPC console at https://console.aws.amazon.com/vpc.
- Select Transit Gateway on the right.
- Select Create Transit Gateway in the AWS VPC console.
- Fill in the name tag and description and use AS number 65000 for the autonomous system number (ASN).
- Click Create Transit Gateway.
- Select Site-to-Site VPN Connections on the right.
- Click Create VPN Connection.
- In the Name Tag box, enter a name for your site-to-site VPN connection. Doing so creates a tag with a key of Name and the value that you specify.
- For Target Gateway Type, choose Transit Gateway, and choose the Transit Gateway instance just created to create the attachment.
- For Customer Gateway, do one of the following:
  - To use an existing customer gateway, choose Existing, and then select the gateway to use in the pull-down menu. If your customer gateway sits behind a NAT device that’s enabled for NAT traversal, use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500. If you do not have a public IP to use in this step, leave it blank and follow this lab until the end, but do not create the VPN, as a public IP is required.
  - To create a customer gateway, choose New.
    - For IP Address, enter the static public IP address of your device’s outside interface. If you do not have a public IP to use in this step, leave it blank and follow this lab until the end, but do not create the VPN, as a public IP is required.
    - For Certificate ARN, if you are using certificate-based authentication, choose the ARN of your private certificate. For BGP ASN, enter the BGP ASN of your customer network. See https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-options.html for additional information.
- For Routing Options, choose whether to use Dynamic (BGP) or Static routing.
- For Tunnel Inside IP Version, select IPv4. For Local IPv4 Network CIDR, enter the IPv4 CIDR range on the on-premises (customer gateway) side that is allowed to communicate over the VPN tunnels, or leave the default of 0.0.0.0/0 to allow all networks.
- For Remote IPv4 Network CIDR, enter the IPv4 CIDR range on the AWS side that is allowed to communicate over the VPN tunnels, or leave the default of 0.0.0.0/0 to allow all networks.
- For the Tunnel 1 options, fill in the inside IPv4 CIDR range, which allows AWS to generate the pre-shared key for the tunnel, and review the tunnel options.
- Review the advanced tunnel information, which includes the following:
  - Encryption algorithms for phases 1 and 2 of the IKE negotiations
  - Integrity algorithms for phases 1 and 2 of the IKE negotiations
  - Diffie-Hellman groups for phases 1 and 2 of the IKE negotiations
  - IKE version 1 or 2
  - Phase 1 and 2 lifetimes in seconds
  - Re-key margin time
  - Re-key fuzz
  - Replay window size
  - Dead peer detection interval
  - Dead peer detection timeout action
  - Startup action
  For more information about these options, see https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html.
- Choose Create VPN Connection. Note that if you do not have a public IP address to terminate the VPN connection, the connection will not be created.
- When completed, delete the site-to-site VPN and the Transit Gateway instance.
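The routing and advanced tunnel options the console collects above are the same fields that make up the options document of the EC2 CreateVpnConnection API (for example, `aws ec2 create-vpn-connection --options file://opts.json`). The following Python is an added example, not part of the lab: it builds that document with IKEv2, AES-256-GCM, SHA2-384 and DH group 20 pinned for both phases, and validates the tunnel inside CIDR and pre-shared key against the published AWS constraints before anything is sent to the API. The CIDRs and key in the test are constructed sample values.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Inside-tunnel /30 blocks that AWS reserves; CreateVpnConnection rejects them.
RESERVED_INSIDE = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
# Pre-shared key rule: 8-64 characters from [A-Za-z0-9._], must not start with 0.
PSK_RE = re.compile(r"[1-9A-Za-z._][A-Za-z0-9._]{7,63}")

def valid_inside_cidr(cidr: str) -> bool:
    """True only for an unreserved /30 inside 169.254.0.0/16 with no host bits set."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return net.prefixlen == 30 and net.subnet_of(LINK_LOCAL) and net not in RESERVED_INSIDE

def valid_psk(psk: str) -> bool:
    return PSK_RE.fullmatch(psk) is not None

def tunnel_options(inside_cidr: str, psk: str) -> dict:
    """One TunnelOptions entry covering the advanced fields listed in the lab."""
    if not valid_inside_cidr(inside_cidr):
        raise ValueError(f"invalid TunnelInsideCidr: {inside_cidr}")
    if not valid_psk(psk):
        raise ValueError("PSK must be 8-64 chars of [A-Za-z0-9._] and not start with 0")
    enc, integ, dh = [{"Value": "AES256-GCM-16"}], [{"Value": "SHA2-384"}], [{"Value": 20}]
    return {
        "TunnelInsideCidr": inside_cidr, "PreSharedKey": psk, "IKEVersions": [{"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": enc, "Phase2EncryptionAlgorithms": enc,
        "Phase1IntegrityAlgorithms": integ, "Phase2IntegrityAlgorithms": integ,
        "Phase1DHGroupNumbers": dh, "Phase2DHGroupNumbers": dh,
        "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 3600,
        "RekeyMarginTimeSeconds": 540, "RekeyFuzzPercentage": 100, "ReplayWindowSize": 1024,
        "DPDTimeoutSeconds": 30, "DPDTimeoutAction": "restart", "StartupAction": "start",
    }

def vpn_options(local_cidr: str, remote_cidr: str, tunnels: list) -> dict:
    """The --options document for create-vpn-connection with dynamic (BGP) routing."""
    for cidr in (local_cidr, remote_cidr):
        ipaddress.ip_network(cidr, strict=True)  # raises ValueError on a malformed CIDR
    return {"StaticRoutesOnly": False, "TunnelInsideIpVersion": "ipv4",
            "LocalIpv4NetworkCidr": local_cidr, "RemoteIpv4NetworkCidr": remote_cidr,
            "TunnelOptions": [tunnel_options(c, k) for c, k in tunnels]}
```

Pass the returned dictionary through `json.dump` to a file and reference it with `--options file://...`; a reserved inside CIDR or a malformed key fails locally instead of as an API error.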
Written Lab 7.2: Perform a traceroute
- Open a command console on a client computer; it can be either Windows or Linux.
- Enter traceroute aws.amazon.com (Linux) or tracert aws.amazon.com (Windows).
- Observe the text output of the network route taken from your computer to aws.amazon.com using DNS.
- Enter traceroute 18.154.211.6 (Linux) or tracert 18.154.211.6 (Windows).
- Observe the text output of the network route taken from your computer to aws.amazon.com using its IPv4 address.
- Explore the traceroute utility options using tracert /? for Windows or man traceroute for Linux.
Written Lab 7.3: Use ping
- Open a command console on a client computer; it can be either Windows, Linux, or macOS.
- Enter ping aws.amazon.com on either Linux, macOS, or Windows.
- Observe the text output of the ping responses from aws.amazon.com using DNS.
- Enter ping 18.154.211.6 on your local computer.
- Observe the text output of the network ping replies received from aws.amazon.com using its IPv4 address.
- Explore the ping utility options using ping /? for Windows or man ping for Linux.