Exam Cram Sheet: AWS Multi-Account & Multi-Region Connectivity (ANS-C01)
Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns
This guide focuses on the implementation and design of complex AWS networking architectures, specifically targeting the AWS Certified Advanced Networking – Specialty (ANS-C01) exam objectives for Domains 1, 2 and 3 listed below.
## Topic Weighting
| Domain | Task Statement | Estimated Exam Weight |
|---|---|---|
| Domain 1: Network Design | 1.6: Design multi-account/region/VPC architecture | 10-14% |
| Domain 2: Network Implementation | 2.2: Implement routing/connectivity patterns | 12-16% |
| Domain 3: Management & Ops | 3.1: Maintain routing and connectivity | 8-10% |
## Key Concepts Summary
1. VPC Peering
- Type: Point-to-point connection between two VPCs.
- Scope: Intra-region or Inter-region; Cross-account support.
- Routing: No Transitive Routing. If A is peered to B, and B to C, A cannot talk to C through B.
- Performance: No single choke point; traffic rides the AWS backbone and throughput is bounded only by the instances' own network limits. MTU: 9001-byte jumbo frames intra-region, 1500 bytes inter-region.
- Constraint: CIDR blocks cannot overlap.
2. AWS Transit Gateway (TGW)
- Type: Regional network hub (Hub-and-Spoke).
- Transitive Routing: Supported. Centralizes connectivity for thousands of VPCs and on-premises environments.
- Sharing: Shared across accounts via AWS Resource Access Manager (RAM).
- Inter-Region: TGWs can be peered across regions.
3. AWS PrivateLink
- Type: Interface VPC Endpoints.
- Function: Exposes a service (behind an NLB) to another VPC privately.
- Key Benefit: Tolerates overlapping CIDRs because the consumer only talks to an Elastic Network Interface (ENI) placed in its own subnet; it never needs a route to the provider's address space.
- Caveat: Connectivity is one-way. The consumer initiates connections to the provider's service through the endpoint DNS name; the provider cannot open connections back to the consumer.
4. VPC Sharing
- Mechanism: Using RAM to share subnets from a central "Owner" account to "Participant" accounts.
- Benefits: Simplifies IP management; participants launch resources into the owner's subnets and use the owner's route tables, gateways and NAT, while each account is billed for the resources it launches.
- Caveat: Participants cannot modify the VPC itself (subnets, route tables, internet or NAT gateways); the owner controls the network and participants control only what they create inside it.
## Visual Anchors
- Connectivity Topology Comparison (diagram not reproduced here)
- Shared VPC Architecture (RAM) (diagram not reproduced here)
## Quick Comparison Sheet
| Feature | VPC Peering | Transit Gateway | PrivateLink |
|---|---|---|---|
| Routing | Static routes only, added to each VPC route table (no propagation, no BGP) | TGW route tables; routes static or propagated; transitive | Endpoint DNS name resolves to an interface ENI in the consumer VPC; no cross-VPC routes at all |
| Max Bandwidth | No aggregate cap; bounded by instance/ENI network limits | 50 Gbps per VPC attachment is the figure the exam expects (AWS has since raised the published quota, so confirm on the current TGW quotas page); Site-to-Site VPN is 1.25 Gbps per tunnel | 10 Gbps per AZ per endpoint ENI, burstable |
| Overlapping CIDR | Not supported | Not supported natively (overlapping prefixes collide in one route table) | Supported: the consumer only sees an ENI address from its own CIDR |
| Encryption | None added by the service; traffic between Regions is encrypted on the AWS backbone; use TLS or IPsec for end-to-end protection | Same as peering | Same; terminate TLS on the service behind the NLB |
| Protocols | IPv4/IPv6 unicast (no multicast or broadcast) | IP unicast; multicast only via TGW multicast domains | TCP and UDP via NLB only (no ICMP, no IP-level reachability) |
## Common Pitfalls
[!WARNING] Don't Forget Transitive Limitations: VPC Peering never supports transitive routing. If you see a question asking to connect a "chain" of VPCs without a Hub-and-Spoke, look for Transit Gateway.
[!IMPORTANT] MTU Mismatch: Inter-region VPC Peering is capped at a 1500-byte MTU; 9001-byte jumbo frames work only intra-region. Transit Gateway supports 8500 bytes on VPC and Direct Connect attachments and 1500 bytes on VPN attachments; the exam has historically expected 1500 bytes for TGW peering attachments, so verify that figure against the current TGW quotas page before relying on it. Practical consequence: an instance sending jumbo frames with DF set across a 1500-byte path sees its large packets silently dropped (a PMTUD black hole), so set the instance MTU to 1500 on cross-region paths.
[!NOTE] Security Group Referencing: You can reference a peer VPC's security groups across a VPC Peering connection only when both VPCs are in the same Region (cross-account is fine); inter-region peering does not support it. Transit Gateway did not support it originally, and that remains the exam answer; AWS has since added an opt-in security group referencing setting on TGW VPC attachments, so check the attachment options in a real deployment rather than assuming.
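The two rules the Key Concepts list and the transitive-routing warning above rest on (peering is point-to-point and never transitive; a Transit Gateway hub is; overlapping CIDRs rule peering out entirely) are easy to state and easy to get wrong in a design review. The following Python model is an added example, not code from the original cram sheet or from AWS: the VPC names, CIDRs and topologies are constructed, and `reachable` encodes the two reachability rules so a chain of peerings and a TGW hub can be compared on the same inventory.

```python
"""Added example (not from the original cram sheet): model VPC-peering versus
Transit Gateway reachability and the CIDR-overlap check that gates peering.
Every VPC name, CIDR and topology below is constructed for illustration."""
import ipaddress
from collections import deque

# Constructed inventory. "acq-b" deliberately reuses prod-a's CIDR (acquisition case).
VPCS = {
    "prod-a": "10.0.0.0/16",
    "shared-svc": "10.1.0.0/16",
    "dev-c": "10.2.0.0/16",
    "acq-b": "10.0.0.0/16",
}


def cidrs_overlap(a: str, b: str) -> bool:
    """True when the two blocks share any address; AWS rejects such a peering."""
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def overlapping_pairs(vpcs: dict) -> list:
    """All VPC pairs that can neither be peered nor share one TGW route table
    without ambiguous longest-match routing. These are the PrivateLink candidates."""
    names = sorted(vpcs)
    return [(x, y) for i, x in enumerate(names) for y in names[i + 1:]
            if cidrs_overlap(vpcs[x], vpcs[y])]


def reachable(edges: dict, src: str, dst: str, transitive: bool) -> bool:
    """edges: adjacency dict of the topology.
    transitive=False models VPC peering: only a direct edge src--dst counts;
    a path through a third VPC is never followed.
    transitive=True models a TGW hub (or TGW hubs peered together): any path is
    followed, so every attached VPC can reach every other once routes exist."""
    if not transitive:
        return dst in edges.get(src, set())
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in edges.get(node, set()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def peering_chain(*names: str) -> dict:
    """Build a chain of point-to-point peerings A--B, B--C, ..."""
    edges = {n: set() for n in names}
    for a, b in zip(names, names[1:]):
        edges[a].add(b)
        edges[b].add(a)
    return edges


def tgw_hub(hub: str, *spokes: str) -> dict:
    """Build a hub-and-spoke topology: every spoke attaches only to the hub."""
    edges = {hub: set(spokes)}
    for s in spokes:
        edges[s] = {hub}
    return edges


if __name__ == "__main__":
    chain = peering_chain("prod-a", "shared-svc", "dev-c")
    print("peering prod-a -> dev-c:", reachable(chain, "prod-a", "dev-c", transitive=False))  # False
    hub = tgw_hub("tgw", "prod-a", "shared-svc", "dev-c")
    print("tgw prod-a -> dev-c:", reachable(hub, "prod-a", "dev-c", transitive=True))  # True
    print("cannot peer:", overlapping_pairs(VPCS))  # [('acq-b', 'prod-a')]
```

Run it against your own VPC inventory (account, CIDR) before drawing the topology: any pair `overlapping_pairs` reports cannot be peered and cannot both propagate into the same TGW route table, which is exactly the case where the sheet points you at PrivateLink.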
## Mnemonics / Memory Triggers
- RAM for the Fam: Use Resource Access Manager to share VPC subnets or Transit Gateways with other accounts in your AWS Organization.
- PrivateLink = ProblemLink (for IPs): Use PrivateLink when you have a "problem" with overlapping IP addresses.
- TGW = The Grand Warehouse: Centralize all your shipping (packets) in one hub to move them between any spoke.
## Worked Examples
Example 1: Resolving Overlapping CIDRs
Scenario: Company A (10.0.0.0/16) acquires Company B (10.0.0.0/16). They need to access a specific reporting service in Company B's VPC.
- Incorrect Solution: VPC Peering (will fail due to CIDR overlap).
- Correct Solution: Company B places the reporting service behind a Network Load Balancer in its VPC and creates a VPC Endpoint Service (PrivateLink) for it, either requiring manual acceptance or adding Company A's account or role ARN to the endpoint service's allowed principals. Company A creates an Interface Endpoint to that service in its own subnets; the endpoint ENI takes an address from Company A's 10.0.0.0/16, so no route to Company B's overlapping range is ever needed. Traffic is one-way (Company A initiates); if Company B must also reach a service in Company A, it needs its own endpoint service in the other direction.
Example 2: High-Bandwidth Inter-Region Connectivity
Scenario: You need to connect 50 VPCs in us-east-1 to 50 VPCs in eu-west-1 with centralized inspection.
- Solution: Deploy a Transit Gateway in each Region and attach the local VPCs to it. Deploy an inspection VPC per Region (firewall appliances or AWS Network Firewall behind a Gateway Load Balancer) and attach it with appliance mode enabled so both directions of a flow stay in the same AZ. Create a TGW Peering Attachment between the two TGWs and accept it in the peer Region. Because peering attachments do not propagate routes, add static routes: the spoke route table sends 0.0.0.0/0 to the inspection attachment, and the inspection route table sends a summary prefix for the other Region to the peering attachment. Associate the peering attachment with its own TGW route table so traffic arriving from the other Region can be delivered only to intended destinations.
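Example 2 is really a route-table design problem, and the part that bites in practice is remembering that a Transit Gateway looks up the route table associated with the attachment a packet arrived on, that an inspection VPC hands the packet back on the same attachment, and that peering attachments carry only static routes. The simulator below is an added example, not code from the original cram sheet or from AWS: the attachment IDs, route table names and CIDRs are constructed, and the design choice baked into the tables (inspect once, in the Region where the flow originates) is one of several valid options.

```python
"""Added example (not from the original cram sheet): trace a packet through
Transit Gateway route tables for a two-Region, inspected, TGW-peered design.
Attachment IDs, table names and CIDRs are constructed. The rules the simulator
applies (TGW consults the route table associated with the ingress attachment;
an inspection VPC returns the packet on the same attachment; a peering
attachment hands it to the peer TGW) are how TGW behaves, but the simulator is ours."""
import ipaddress

# id -> (tgw, kind, route table associated with this attachment, peer attachment)
ATTACHMENTS = {
    "att-use1-app":  ("tgw-use1", "vpc",        "rt-use1-spoke",   None),
    "att-use1-data": ("tgw-use1", "vpc",        "rt-use1-spoke",   None),
    "att-use1-insp": ("tgw-use1", "inspection", "rt-use1-insp",    None),
    "att-use1-peer": ("tgw-use1", "peering",    "rt-use1-peering", "att-euw1-peer"),
    "att-euw1-app":  ("tgw-euw1", "vpc",        "rt-euw1-spoke",   None),
    "att-euw1-insp": ("tgw-euw1", "inspection", "rt-euw1-insp",    None),
    "att-euw1-peer": ("tgw-euw1", "peering",    "rt-euw1-peering", "att-use1-peer"),
}

# Route tables as (prefix, target attachment). Peering attachments never
# propagate routes, so the cross-Region entries are static summary prefixes.
# Design choice: inspect once, in the Region where the flow originates.
ROUTE_TABLES = {
    "rt-use1-spoke":   [("0.0.0.0/0", "att-use1-insp")],        # spokes: everything via firewall
    "rt-use1-insp":    [("10.10.0.0/16", "att-use1-app"),
                        ("10.11.0.0/16", "att-use1-data"),
                        ("10.128.0.0/10", "att-use1-peer")],     # eu-west-1 summary
    "rt-use1-peering": [("10.10.0.0/16", "att-use1-app"),        # already inspected in EU
                        ("10.11.0.0/16", "att-use1-data")],
    "rt-euw1-spoke":   [("0.0.0.0/0", "att-euw1-insp")],
    "rt-euw1-insp":    [("10.128.0.0/16", "att-euw1-app"),
                        ("10.0.0.0/10", "att-euw1-peer")],       # us-east-1 summary
    "rt-euw1-peering": [("10.128.0.0/16", "att-euw1-app")],      # already inspected in US
}


def lookup(table: str, dst: str):
    """Longest-prefix match; returns the target attachment or None (blackhole)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, target in ROUTE_TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def trace(src_attachment: str, dst: str, max_hops: int = 10) -> list:
    """Ordered attachments a packet crosses from the source VPC attachment to
    the VPC attachment that delivers it. Raises LookupError on a blackhole and
    RuntimeError on a routing loop."""
    path, current = [src_attachment], src_attachment
    for _ in range(max_hops):
        _tgw, _kind, table, _peer = ATTACHMENTS[current]
        nxt = lookup(table, dst)
        if nxt is None:
            raise LookupError(f"{dst}: no route in {table} (blackhole)")
        path.append(nxt)
        kind, peer = ATTACHMENTS[nxt][1], ATTACHMENTS[nxt][3]
        if kind == "vpc":
            return path                      # delivered into the destination VPC
        if kind == "peering":
            path.append(peer)                # arrives in the other Region's TGW
            current = peer
        else:
            current = nxt                    # firewall returns it on the same attachment
    raise RuntimeError(f"{dst}: routing loop after {max_hops} hops")


def is_reachable(src_attachment: str, dst: str) -> bool:
    try:
        trace(src_attachment, dst)
        return True
    except (LookupError, RuntimeError):
        return False


if __name__ == "__main__":
    print(trace("att-use1-app", "10.128.4.4"))        # US spoke -> US firewall -> peering -> EU spoke
    print(trace("att-use1-app", "10.11.5.5"))         # intra-Region east-west is inspected too
    print(is_reachable("att-use1-app", "192.168.1.1"))  # False: no summary route, blackholed
```

Two things the trace makes visible that a diagram hides: a destination outside the summary prefixes is black-holed in the inspection route table rather than leaking somewhere, which is the behaviour you want from a central chokepoint; and the peering attachment's own route table is what stops the other Region from reaching anything you did not list, so keep it narrow instead of pointing 0.0.0.0/0 at the spokes.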
## Practice Set
- Which service allows multiple AWS accounts to create resources in the same centrally managed subnets?
- Answer: VPC Sharing via AWS RAM.
- A Transit Gateway attachment is limited to how much bandwidth per VPC attachment?
- Answer: 50 Gbps is the answer the exam expects; the published quota has since been raised, so check the current TGW quotas page for real capacity planning.
- True/False: You can use BGP to propagate routes across a VPC Peering connection.
- Answer: False. Peering uses static routes in the VPC Route Table.
- Which tool would you use to verify if a security group is blocking a specific path between two VPCs?
- Answer: VPC Reachability Analyzer.
- What is the maximum MTU for traffic traveling over an Inter-Region VPC Peering connection?
- Answer: 1500 bytes.
## Fact Recall Blanks
- To share a Transit Gateway with another account, you must use ________.
- VPC Peering does NOT support ________ routing.
- The service used to expose a service to thousands of VPCs without peering is ________.
- To connect a Direct Connect to multiple VPCs via a Transit Gateway, you must use a ________.
(Answers: AWS RAM, Transitive, PrivateLink, Direct Connect Gateway)