AWS SOA : All you need to know about networking

2022.06.22

This article was published more than a year ago. Please note that the information may be out of date.

A couple of months ago I attempted the AWS Certified SOA examination and passed it, so I thought that sharing the resources I used to study for the examination may help others who are planning to attempt the test. I follow a simple approach of taking courses on sites such as udemy.com and making notes of all the things I feel are important for the exam. Making notes not only lets me study for the exam in a structured way but also acts as a knowledge store which I can understand very easily and search whenever I need information on a specific topic.

I have gone through each networking concept one by one. I hope you like these notes and find them as helpful as they have been for me.

DNS

Terminology

Top Level Domain names : .com, .co.in, .edu, .org, etc.

Domain Registrars : Can assign domain names and register them with ICANN; the registration is stored in the WHOIS database.

Start Of Authority : Stores the following information:

  • Admin of the zone
  • Name of the server that supplied the data for the zone
  • Current version of the data file
  • Number of seconds a secondary name server should wait before checking for updates
  • Number of seconds a secondary server should wait before retrying a failed zone transfer
  • Maximum number of seconds a secondary server can use the data before it expires and needs to be refreshed

Types of DNS Records

  • A record : Maps a domain name to an IP address in a single step.
  • TTL record : The amount of time for which a DNS record is cached.
  • CNAME : Maps one domain name to another.
  • Alias records : Map a DNS name to another DNS name. Always use an A record for your applications; in the inner layer you can use the same DNS name for a CNAME.

Routing Policies

Simple Routing Policy

1 Record -> Multiple IPs.

All the IPs serve the same content/application.

Weighted Routing Policy

Traffic is split across multiple resources in proportion to user-defined weights.

Latency Based Routing

Requests are routed to the nearest server, or to the one with the lowest latency.

Failover Routing Policy

Used to set up failover between a primary and a secondary resource.

Geolocation Routing Policy

Routing based on the source location of the request; you can serve different content in different regions.

Geoproximity Based Routing

Geolocation-based routing with weighted biases, letting you choose how much traffic is routed where.

Multivalue Answer Routing

Like simple routing but returns multiple values instead of just one.

NAT

Network Address Translation on AWS comes in two forms: NAT instances (soon to be phased out) and NAT gateways.

NAT instance AMIs are found in the community AMIs section of the console.

The disadvantage of a NAT instance is that it does not scale well, and to provide availability we need a script to manage failover.

All EC2 instances perform source/destination checks by default: an instance must be the source or the destination of the traffic it handles, otherwise it discards the packets. To use an instance as a NAT instance, these checks must be turned off.

The AWS CLI command for this is modify-instance-attribute.

This applies to bastion hosts as well.


NAT gateways must be provisioned in multiple AZs to be highly available within the region.

Unlike NAT instances, NAT gateways don't sit behind a security group; traffic is filtered by security group rules after it passes through the NAT gateway.

VPC Endpoints

Basically an internal gateway to AWS services.

There are two types:

  • ENI (Elastic Network Interface) endpoints
  • Gateway endpoints : highly available, and available for multiple services at once.

You associate an endpoint with a route table.

Instances access other AWS services via their private IPs, i.e. the source address is the private IP of the instance.

VPC Flow logs

Captures information about the IP traffic going through your VPC. Can be enabled at 3 levels:

  • VPC
  • Subnets
  • Network interface level

These logs can be collected by CloudWatch Logs.

You must have a log group to stream these logs to.

You can stream these logs to AWS Lambda or Elasticsearch, or export them to S3 and use Athena to query them.

Conclusion

Well, that's it. Short, isn't it? This is mainly because this information builds on top of the knowledge gained while preparing for the AWS SAA examination. I hope you find these notes useful. Until next time!