Exam Cram Sheet: Hybrid Cloud Connectivity & Routing (ANS-C01)
Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud
This sheet covers task statements 1.5 and 2.1 of the AWS Certified Advanced Networking - Specialty (ANS-C01) exam, focusing on designing and implementing routing between on-premises networks and AWS.
## Topic Weighting
| Domain Section | Exam Percentage | Importance |
|---|---|---|
| 1.5: Design Routing & Connectivity | ~12-15% | High (Architectural) |
| 2.1: Implement Hybrid Connectivity | ~10-12% | High (Configuration) |
| Total Hybrid Focus | ~25% | Critical |
## Key Concepts Summary
- AWS Direct Connect (DX): Dedicated connections at 1 Gbps, 10 Gbps, or 100 Gbps (hosted connections from DX partners come in smaller sizes, 50 Mbps up to 10 Gbps). BGP is required; DX has no static routing option.
- Private VIF: Connects to a single VPC (via its VGW) or to a DX Gateway (DXGW) for multiple VPCs, including VPCs in other Regions.
- Public VIF: Reaches public AWS service endpoints (S3, DynamoDB, and the public Site-to-Site VPN endpoints) over DX; AWS advertises its public prefixes via BGP.
- Transit VIF: Required to reach an AWS Transit Gateway (TGW) over DX; it terminates on a DXGW that is associated with the TGW.
- AWS Site-to-Site VPN: Two IPsec tunnels per VPN connection, normally over the public internet (can also run over a DX Public VIF).
- Static vs. Dynamic: Dynamic routing exchanges prefixes over the tunnel with BGP; static routing requires you to enter the on-premises prefixes on the VPN connection by hand. Separately, the customer gateway device can be route-based or policy-based; policy-based devices are limited to a single security association per tunnel.
- Accelerated VPN: Uses AWS Global Accelerator to bring the tunnels onto the AWS edge network at the nearest edge location; available only for VPN attachments to a TGW, not to a VGW.
- AWS Transit Gateway (TGW): A Regional hub-and-spoke router for VPCs, VPNs, DX (via a DXGW), and peered TGWs in other Regions.
- TGW Connect: Runs GRE tunnels and BGP over an existing VPC or DX (Transit VIF) attachment to integrate SD-WAN appliances.
- BGP (Border Gateway Protocol): The standard protocol for hybrid routing.
- ASN: Use private ASNs (16-bit 64512–65534, or 32-bit 4200000000–4294967294) on both the on-premises and the AWS side; the default Amazon-side ASN is 64512.
## Visual Anchors
- Hybrid Connectivity Architecture (diagram)
- BGP Path Selection Logic (diagram)
## Common Pitfalls
- MTU Mismatches: VPC and internet MTU is 1500 bytes; Direct Connect Private VIFs support jumbo frames (9001 bytes; Transit VIFs 8500). IPsec encapsulation on a Site-to-Site VPN eats into the 1500, so the AWS tunnel endpoint supports an MTU of 1446 bytes (IPv4) with a TCP MSS of 1406. Leaving the tunnel interface at 1500 means packets with DF set are dropped and the rest are fragmented; clamp the MSS on the customer gateway.
- Overlapping CIDRs: AWS does not route between VPCs or on-premises networks that share an IP range; you need NAT (for example a private NAT gateway) or PrivateLink to reach across the overlap.
- Asymmetric Routing: For the same prefix, AWS always prefers DX over VPN regardless of AS-Path length, so if on-premises prefers the VPN the return path differs from the forward path and stateful firewalls drop the flow. Fix the on-premises side (local preference for the DX path) rather than trying to prepend your way out; between two DX paths use the 7224:7100/7200/7300 local-preference communities or AS-Path prepending.
- BGP Prefix Limits: A VGW accepts at most 100 routes from a customer gateway per BGP session and resets the session if you advertise more. Summarize on-premises prefixes before advertising them.
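A check for the prefix-limit pitfall, written as an added example for this sheet (it is not AWS code and not part of the original page): it summarizes a constructed on-premises prefix list with Python's `ipaddress` module and compares the raw and summarized route counts against the 100-route VGW limit. The function names `summarize`, `check_advertisement` and `sample_prefixes` and the sample prefixes are choices made here.

```python
"""Summarize on-premises prefixes before advertising them to a VGW."""
from ipaddress import collapse_addresses, ip_network

# A VGW accepts at most 100 BGP routes from a customer gateway per session;
# advertising more resets the session.
VGW_MAX_ROUTES = 100


def summarize(prefixes):
    """Collapse prefixes into the minimal covering set.

    Adjacent, aligned blocks merge into their supernet, prefixes already
    covered by a larger one are dropped, and misaligned neighbours stay
    separate (there is no supernet that covers only those two).
    """
    nets = [ip_network(p, strict=False) for p in prefixes]
    return [str(n) for n in collapse_addresses(nets)]


def check_advertisement(prefixes, limit=VGW_MAX_ROUTES):
    """Report raw vs. summarized route counts and whether each fits the limit."""
    summarized = summarize(prefixes)
    return {
        "raw": len(prefixes),
        "raw_ok": len(prefixes) <= limit,
        "summarized": len(summarized),
        "summarized_ok": len(summarized) <= limit,
        "routes": summarized,
    }


def sample_prefixes():
    """Constructed on-premises routing table (not taken from any real site)."""
    prefixes = [f"10.10.{i}.0/24" for i in range(128)]   # merges to 10.10.0.0/17
    prefixes += [f"172.16.{i}.0/24" for i in range(8)]    # merges to 172.16.0.0/21
    prefixes += ["10.20.1.0/24", "10.20.2.0/24"]          # not aligned: stay as two routes
    prefixes += ["10.10.5.0/26"]                          # covered by the /17: dropped
    prefixes += ["192.168.50.7/32"]                       # host route: stays
    return prefixes


if __name__ == "__main__":
    report = check_advertisement(sample_prefixes())
    print(f"raw routes: {report['raw']} (within limit: {report['raw_ok']})")
    print(f"summarized: {report['summarized']} (within limit: {report['summarized_ok']})")
    for route in report["routes"]:
        print("  advertise", route)
```

Run it against the export of your real customer-gateway routing table; the interesting output is the misaligned pairs that refuse to collapse, because those are the ones that silently push a VGW advertisement over the limit.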
## Mnemonics / Memory Triggers
- "VIF-T-P": Virtual Interface types: Transit (TGW), Private (VPC), Public (S3/Public endpoints).
- "W-L-A-O-M-E-I" (BGP Selection): Weight, Local Pref, AS-Path, Origin, MED, EBGP over IBGP, IGP metric. Weight is Cisco-local and never leaves the router; on the AWS side you influence the choice only through AS-Path length and the 7224:7100/7200/7300 local-preference communities.
- "LAG is for Physical": A Link Aggregation Group bundles dedicated Direct Connect connections of the same speed that terminate on the same AWS device at the same DX location; a LAG cannot span locations, and hosted connections cannot join one.
## Formula / Equation Sheet
| Feature | VPN | Direct Connect |
|---|---|---|
| Throughput | Max 1.25 Gbps per tunnel (ECMP across tunnels on a TGW for more) | 1, 10, 100 Gbps dedicated; 50 Mbps to 10 Gbps hosted |
| Latency | Variable (Internet) | Low / Consistent |
| Encryption | IPsec (Mandatory) | Optional (MACsec on 10/100 Gbps dedicated connections, or VPN-over-DX) |
| Max MTU | 1446 at the AWS tunnel endpoint (IPv4); 1500 on the underlay | 9001 (Jumbo) on a Private VIF; 8500 on a Transit VIF |
| Protocol | BGP or Static | BGP Only |
## Practice Set
- Scenario: A company needs 10 Gbps throughput with low latency and encryption for sensitive data.
- Solution: Direct Connect (10 Gbps dedicated) with MACsec for Layer 2 encryption. A Site-to-Site VPN over DX (over a Public VIF, or Private IP VPN over a Transit VIF to a TGW) also encrypts, but each tunnel caps at 1.25 Gbps, so it cannot deliver 10 Gbps line rate.
- Scenario: You have two DX connections in different locations. How do you make the connection in us-east-1 the primary and us-west-2 the backup?
- Solution: Tag the us-east-1 advertisements with the 7224:7300 (high) local-preference community and the us-west-2 ones with 7224:7100 (low), or apply AS-Path prepending on the us-west-2 router so its path appears longer to AWS. AWS evaluates the local-preference communities before AS-Path length, so a community tag wins over prepending if both are in play.
- Scenario: You need to connect 50 VPCs across 3 AWS Regions to an on-premises data center.
- Solution: One Direct Connect Gateway (DXGW) reached over a Transit VIF, associated with a Transit Gateway (TGW) in each Region; the VPCs attach to their Regional TGW. Add TGW peering if the VPCs also need to talk across Regions, because the DXGW does not route traffic between the gateways associated with it.
## Fact Recall Blanks
- The maximum number of active connections in a Direct Connect LAG built from 1 Gbps or 10 Gbps links is ________. (Answer: 4)
- To access S3 over Direct Connect without a proxy, you must create a ________ VIF. (Answer: Public)
- On a Direct Connect BGP session the AWS keepalive timer is ________ seconds and the hold-down timer is ________ seconds. (Answer: 30 / 90)
- The AWS Site-to-Site VPN tunnel endpoint supports an MTU of ________ bytes for IPv4 traffic. (Answer: 1446)
## Worked Examples
Example 1: Calculating VPN Throughput
Problem: A customer needs 5 Gbps of bandwidth between on-premises and a VPC. They want to use VPN for cost reasons. Step-by-Step:
- A single AWS VPN tunnel is capped at 1.25 Gbps, and each Site-to-Site VPN connection comes with two tunnels.
- Only a Transit Gateway supports Equal-Cost Multi-Path (ECMP) across VPN tunnels; a VGW uses one tunnel at a time. Terminate the VPNs on a TGW with ECMP enabled on the VPN attachments, which requires dynamic (BGP) routing.
- Requirement: At least 4 tunnels (4 * 1.25 = 5.0), i.e. 2 VPN connections, with the on-premises device advertising the same prefixes over every tunnel so traffic is spread across them.
- Caveat: ECMP hashes per flow, so any single flow is still limited to 1.25 Gbps; the 5 Gbps is aggregate.
Example 2: BGP Path Influencing
Problem: AWS receives two routes for 10.0.0.0/8, both over Direct Connect and neither tagged with a local-preference community. Path A has AS-Path (65000) and Path B has AS-Path (65000, 65000). Which path does AWS choose?
Result: AWS chooses Path A.
Reason: Path B has been prepended once, so it appears one AS hop "further away" (2 hops vs 1 hop). With prefix length, connection type, and local preference equal, the shortest AS-Path wins. A 7224:7300 tag on Path B would override the prepending, since AWS evaluates the local-preference communities before AS-Path length.
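The selection rules this sheet relies on (longest prefix, DX over VPN, local-preference community, then AS-Path length) as a small Python model that reproduces Example 2 and the primary/backup DX scenario from the Practice Set. This is an added example, not AWS code and not from the original sheet: `Route`, `rank`, `best_path` and `prepend` are names chosen here, the ASNs and prefixes are constructed, and treating an untagged route as medium preference is an assumption of the model rather than documented AWS behaviour.

```python
"""Toy model of how AWS picks among routes learned from on-premises."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Local-preference community tags AWS honours on private and transit VIFs.
COMMUNITY_PREF = {"7224:7100": 1, "7224:7200": 2, "7224:7300": 3}  # low, medium, high
DEFAULT_PREF = 2  # ASSUMPTION of this model: an untagged route counts as medium


@dataclass(frozen=True)
class Route:
    name: str              # label for the advertising link, e.g. "dx-us-east-1"
    prefix: str            # prefix as advertised, e.g. "10.0.0.0/8"
    via: str               # "dx" (Direct Connect) or "vpn" (Site-to-Site VPN)
    as_path: tuple         # AS_PATH as received; first element is the nearest AS
    communities: tuple = ()


def prepend(as_path, asn, count):
    """AS-Path prepending: repeat the local ASN at the front of the path."""
    return (asn,) * count + tuple(as_path)


def local_pref(route):
    """Highest local-preference community on the route, or the model default."""
    tagged = [COMMUNITY_PREF[c] for c in route.communities if c in COMMUNITY_PREF]
    return max(tagged) if tagged else DEFAULT_PREF


def rank(route):
    """Sort key; a higher tuple wins. Evaluation order: longest prefix,
    Direct Connect over VPN, local-preference community, shortest AS_PATH."""
    return (
        ip_network(route.prefix).prefixlen,
        1 if route.via == "dx" else 0,
        local_pref(route),
        -len(route.as_path),
    )


def best_path(routes, destination):
    """Return the Route the model selects for `destination`, or None.

    Exact ties are left to max(), which keeps the first candidate; real
    routers fall through to further tie-breakers or load-balance.
    """
    dest = ip_address(destination)
    candidates = [r for r in routes if dest in ip_network(r.prefix)]
    return max(candidates, key=rank) if candidates else None


# Constructed sample: one on-premises prefix reachable over two DX locations
# and a backup VPN, plus a more specific prefix leaked only over the VPN.
ONPREM_ASN = 65000
ROUTES = [
    Route("dx-us-east-1", "10.0.0.0/8", "dx", (ONPREM_ASN,)),
    Route("dx-us-west-2", "10.0.0.0/8", "dx", prepend((ONPREM_ASN,), ONPREM_ASN, 2)),
    Route("vpn-backup", "10.0.0.0/8", "vpn", (ONPREM_ASN,)),
    Route("vpn-specific", "10.99.0.0/16", "vpn", (ONPREM_ASN,)),
]

if __name__ == "__main__":
    for dest in ("10.1.2.3", "10.99.1.1"):
        print(dest, "->", best_path(ROUTES, dest).name)
```

The fourth sample route is the one to notice: a /16 advertised only over the VPN beats the /8 coming in over both DX links, because prefix length is evaluated before anything else. That is the usual cause of "why is this one subnet going over the VPN" tickets, and neither prepending nor communities on the DX side will change it.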