ANS-C01 Exam Cram: Multi-Account & Multi-Region Connectivity
Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns
This sheet covers Domain 1.6 and 2.2 of the AWS Certified Advanced Networking - Specialty (ANS-C01) exam. It focuses on architecting and implementing scalable connectivity across VPC boundaries, accounts, and regions.
Topic Weighting
| Domain | Task Statement | Estimated Exam Weight |
|---|---|---|
| Domain 1: Network Design | 1.6: Design multi-account/region routing | 12% - 15% |
| Domain 2: Network Implementation | 2.2: Implement multi-account/region connectivity | 10% - 12% |
| Total Focus Area | Inter-VPC & Multi-Account Patterns | ~25% |
Key Concepts Summary
1. VPC Peering
- Nature: One-to-one relationship. Low latency, uses AWS backbone.
- Constraint: Non-transitive. If VPC A is peered with B, and B with C, A cannot talk to C through B.
- CIDRs: Cannot have overlapping IPv4 CIDR blocks.
- Scope: Intra-region or Inter-region (inter-region peering does not support the 9001-byte jumbo MTU; the maximum is 1500 bytes).
2. AWS Transit Gateway (TGW)
- Nature: A regional network hub (Hub-and-Spoke).
- Transitive: Supports transitive routing across thousands of VPCs and on-premises.
- Multi-Account: Shared via AWS Resource Access Manager (RAM).
- Inter-Region: TGWs can be peered across regions. Traffic is encrypted on the global backbone.
3. AWS PrivateLink
- Use Case: Exposing a service (NLB-backed) to other VPCs without full network routing.
- IP Overlap: The only solution that natively allows connectivity between VPCs with overlapping CIDR blocks.
- Direction: Unidirectional (Consumer to Provider).
4. VPC Sharing
- Mechanism: One account (Owner) shares subnets with others (Participants) via RAM.
- Benefit: Simplifies network topology; all participants reside in the same VPC but different accounts.
Visual Anchors
Connectivity Topology Comparison
Transit Gateway Routing Logic
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, fill=blue!10, text centered, minimum height=1cm, minimum width=2cm}]
  \node (tgw) [fill=orange!20] {Transit Gateway};
  \node (rt1) [below left of=tgw, xshift=-1cm] {RT: Spoke 1};
  \node (rt2) [below right of=tgw, xshift=1cm] {RT: Spoke 2};
  \node (v1) [below of=rt1] {VPC A};
  \node (v2) [below of=rt2] {VPC B};
  \draw [<->, thick] (tgw) -- (rt1);
  \draw [<->, thick] (tgw) -- (rt2);
  \draw [<->, thick] (rt1) -- (v1);
  \draw [<->, thick] (rt2) -- (v2);
  \node[draw=none, fill=none, anchor=west] at (1,-1) {Propagation: Automatic};
  \node[draw=none, fill=none, anchor=west] at (1,-1.5) {Association: 1-to-1};
\end{tikzpicture}
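The association and propagation rules in the diagram above, modelled in Python as an added example (not part of this cram sheet and not AWS code); attachment names, CIDRs and route-table names are constructed, and the builder reproduces the isolated-spokes pattern asked about in the Practice Set: each spoke reaches the shared-services VPC but never the other spoke, because its lookup table only ever learns the shared CIDR.

```python
import ipaddress

# Constructed model of Transit Gateway route-table logic (not AWS code): an
# attachment is associated with exactly one TGW route table, which its lookups
# use, and a table learns an attachment's CIDRs only if it propagates into it.
class TransitGateway:
    def __init__(self):
        self.attachments = {}   # name -> list of IPv4Network behind it
        self.route_tables = {}  # name -> list of (IPv4Network, attachment)
        self.association = {}   # attachment -> route table (1-to-1)

    def add_attachment(self, name, *cidrs):
        self.attachments[name] = [ipaddress.ip_network(c) for c in cidrs]

    def create_route_table(self, name):
        self.route_tables[name] = []

    def associate(self, attachment, table):
        if attachment in self.association:  # AWS enforces a single association
            raise ValueError(f"{attachment} already associated")
        self.association[attachment] = table

    def propagate(self, attachment, table):
        # Propagation copies the attachment's CIDRs into the table as routes.
        for cidr in self.attachments[attachment]:
            self.route_tables[table].append((cidr, attachment))

    def next_hop(self, src_attachment, dst_ip):
        """Longest-prefix match in the table the source is associated with;
        None means the TGW has no route and drops the packet."""
        table = self.route_tables[self.association[src_attachment]]
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, att) for net, att in table if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_isolated_spokes():
    """Spokes reach the shared-services VPC but never each other."""
    tgw = TransitGateway()
    tgw.add_attachment("vpc-a", "10.1.0.0/16")
    tgw.add_attachment("vpc-b", "10.2.0.0/16")
    tgw.add_attachment("shared", "10.100.0.0/16")
    tgw.create_route_table("rt-spokes")
    tgw.create_route_table("rt-shared")
    for spoke in ("vpc-a", "vpc-b"):
        tgw.associate(spoke, "rt-spokes")  # spoke lookups use rt-spokes
        tgw.propagate(spoke, "rt-shared")  # shared learns the spoke CIDRs
    tgw.associate("shared", "rt-shared")
    tgw.propagate("shared", "rt-spokes")   # spokes learn only the shared CIDR
    return tgw
```

Trace any packet by calling `next_hop(source_attachment, destination_ip)`; a `None` result is the blackhole you want between spokes, and adding a propagation from one spoke into `rt-spokes` is exactly the misconfiguration that would reconnect them.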
Common Pitfalls
- The Transitive Peering Trap: Never choose VPC Peering if the requirement mentions "centralized transit" or "extensible mesh" for >10 VPCs.
- Security Group Referencing: You can reference Security Groups across VPC Peers only within the same region. This does not work for Inter-region peering or TGW.
- MTU Mismatch: Inter-region peering and TGW peering support a maximum MTU of 1500 bytes. Jumbo frames (9001) are for intra-region only.
- Edge-to-Edge Routing: You cannot use a VPC's VPN or Direct Connect to reach a Peered VPC (unless using TGW).
Mnemonics / Memory Triggers
- P.P.P. (Peering is Point-to-Point): No jumping through middle VPCs.
- RAM for TGW: Always remember Resource Access Manager is required to share a TGW or Subnet across accounts.
- PrivateLink = Interface: PrivateLink creates an Interface VPC Endpoint, not a Gateway Endpoint (S3/DynamoDB).
Formula / Equation Sheet
| Feature | VPC Peering | Transit Gateway | PrivateLink |
|---|---|---|---|
| Transitive? | No | Yes | N/A (Service-based) |
| Overlapping CIDRs? | Forbidden | Forbidden | Allowed |
| Throughput | No Aggregate Limit | 50 Gbps per VPC attach | 10-40 Gbps per AZ |
| Cross-Account | Acceptance handshake | AWS RAM | Service Permissions |
Worked Examples
Scenario: The Overlapping Merger
Problem: Company A (10.0.0.0/16) acquires Company B (10.0.0.0/16). They need to share a specific Database service in Company B with Company A.
Solution:
- In Company B, place the DB behind a Network Load Balancer (NLB).
- Create an Endpoint Service in Company B.
- In Company A, create an Interface VPC Endpoint (PrivateLink) pointing to Company B's service.
- Result: Overlapping IPs are irrelevant because traffic is handled via the Endpoint's local IP in Company A.
Practice Set
- Which service is required to share a Transit Gateway with another account in an AWS Organization? (Answer: AWS Resource Access Manager/RAM).
- True/False: A VPC in US-East-1 can use a VPC Peer to access a Direct Connect gateway attached to a VPC in US-West-2. (Answer: False - Peering does not support edge-to-edge routing).
- What is the maximum MTU for Inter-region Transit Gateway peering? (Answer: 1500 bytes).
- How do you prevent two VPCs attached to the same TGW from communicating? (Answer: Use separate TGW Route Tables and do not create associations/propagations between them).
Fact Recall Blanks
- To support IPv6 over VPC Peering, you must manually add the ______ to the route tables. (Answer: IPv6 CIDR routes).
- A TGW ______ is used to link a VPC, VPN, or DX Gateway to the hub. (Answer: Attachment).
- VPC ______ allows multiple AWS accounts to create resources in the same centrally managed subnets. (Answer: Sharing).
- Transit Gateway ______ allows for high-performance integration of SD-WAN appliances using GRE. (Answer: Connect).