Millward2000 · September 21, 2022 16:42
diff --git a/aws_network_notes.txt b/aws_network_notes.txt
 Networking Notes
 ================

 VPC Basics
  - dualstack for v4 and v6
    - v6 bounded by v4 (number of v6 addresses)
  - Dedicated or default tenancy
  - 5 Addresses reserved per subnet
    - number of tiers and AZs affect subnet design
    - implicit router uses the .1 address
    - dns uses .2 (in reality the .2 address of the CIDR block is used, but this address is reserved per subnet)
    - future proofing/testing - .3
  - main route tables vs custom route tables
  - local, static and dynamic routes
  - route priority is implicit
    - longest prefix match
    - route priority and propagated routes
      - static takes priority if overlap with progagated route or is identical
      - priority and prefix lists
        - propagated routes that reference a prefix-list take priority (unless there is a longest match)
        - multiple prefix lists with overlapping CIDR blocks to different targets have a random route priority chosen and remembered(sticky)
  - route-types
    - AWS Outposts local gateway - lgw-xxx
    - Peering connection - pcx-xxx
    - VGW
    - IGW
    - NAT Device
      - Nat Gateway - (natgatewayid)
      - longest prefix match to direct specific traffic away from NAT Gateway
    - VPCE
      - route is automatically inserted based on a prefix-list (pl-xxx)
    - Egress-Only gateway (IPv6) - eigw-id
    - Transit-Gateway (tgw-id)
      - tgw-attach-xxxx is used for VPC attachments in TGW Route Tables
      - tgw-id is used in VPC to route to TGW
    - Prefix-List
      - good for referencing common sets of CIDR blocks
      - destination would be a pl-xxxx with an appropriate target
  - VPN Routing
    - BGP Propagated from Direct Connect
    - manually added static routes for a s2s VPN
    - BGP propagated routes for s2s VPN
    - matching prefixes - AS Path length
    - same AS Path length and first AS same - MED
  - MiddleBox Routing
    - specific prefix routed to ENI of appliance - eni-....
        - with the middlebox routing wizard, tags will be created for you with an Origin Key and value of "Middlebox wizard"
    - Use a GWLB
      - specific route pointing to vpc-endpoint-id will be used to forward traffic to the GWLB
      - GWLB configured as a service with a VPC Endpoint service configuration
        - you then create a GWLB endpoint in your VPC to connect your VPC to the service
    - Multiple middleboxes addressed with multiple nat-gateway appliances
  - ENI
    - primary IPv4 address, primary IPv6 address
    - cannot detach primary ENI from a resource
    - multiple ENIs for dual-homed (subnet connection) entities
    - can attach/detach additional ENIs as hot or cold operations
    - SGs are associated with ENIs
    - ENI must be in the same AZ as Instance
    - NIC Teaming not supported (but you could do ENI trunking in awsvpc mode)
  - ENA
    - 100Gbps for supported instance types
  - EFA
    - HPC and MPI for single subnet optimized hardware bypass
    - NCCL can be used for accessing GPUs across a single node or multiple nodes
  - EIPs
    - can be reserved (up to 5)
    - charged when not using it
    - you own the EIP until you explicitly release it
  - SGs
    - can associate up to 5 (default quota and can be increased up to 16)
    - 60 rules per SG(default can be increased)
    - Cannot exceed 1000 when multiplying number of SGs and number of rules
    - allow rules only
    - stateful
  - NACLs
    - subnet must be associated with a NACL (and only 1 at a time)
  - NAT Instances
    - HA - use ASG for steady state (min/max/dedicated=1)
    - disable source/destination check
  - NAT Gateway
    - fully managed and associated with AZs
    - can create separate NAT Gateways in separate subnets
    - can now be private (and will not allow routing to an IGW)
    - Supports NAT64
      - 64:ff9b::/96 prefix
      - Allows your v6 only services to communicate with v4 only services across subnets, connected VPCs, on-premises networks of over the Internet
    - Supports DNS64
      - enabled per subnet
      - allows your v6 workload to query Route53
        - If a record contains an IPv6 address, this is returned
        - If there is not IPv6 address, one is synthesized with the 64:ff9b::/96 prefix
        - client then sends packets to the synthesized address
  - VPC Endpoints
    - gateway
      - prefix-list and route table hack
      - S3
        - add VPC ID and VPC endpoint to the S3 bucket policy
      - Cheaper than interface (for S3)
    - interface
      - dns hack
  - VPC Peering
  - VPC Flow Logs
    - some delay
    - not capture (metadata)
    - secondary IP address will be reflected as primary
    - only see private IP addresses
  - HPC
    - enhanced networking
    - cluster placement
    - enhanced networking and jumbo frames
      - 9001 MTU (will be fragmented if traversing Internet Gateways or other regions)
      - MTU can also be set on private VIFs for scenarios where you connect to on-premises using DX


 X-Ray
  - can read the x_forwarded___ headers automatically

 CloudHSM
  - provides SSL offload
    - CloudHSM controls and has access to the Private Key
    - Public Key (in the pub cert) is sent from the Server to the Client and the encrypted session key is sent to the HSM

 VPC Peering Scenario
  - Two overlapping VPCs as spokes
  - Two different EC2 instances in hub VPC need access to each
  - Isolated subnets with appropriate routes to required peers will work

 VPN CloudHub
  - Supports VPN communication between branches, with or without a VPC requirement

 BGP
  - cannot use EBGP-Multihop
  - Path prepending and local preference for primary/secondary
  - 7224:7300 is a high preference
    - 7224:7200 is medium preference
    - 7224:7100 is low preference
  - 100 Prefix limit, use summaries to keep within the limit
    - by default session will reset

 CloudFront with Lambda@Edge gives edge computing features and low-latency benefits

 WAF
  - supports geo match conditions to block blacklisted countries

 S2S VPN Configuration Options
  - PSK/DPD/DH
  - NO SUPPORT FOR PMTUD

 DHCP Options Set
  - To force new settings create a new option set and associate it with your VPC
  - Can force a lease renewal to speed up the process of receiving the options

 DX
  - Public VIF
    - can connect to non-VPC services
    - can access public AWS resources in any region
    - can receive Amazon's global IP routes
  - Private VIF
    - connect to VPC services
    - connect to a DX Gateway, and then associate the DX gateway with one or more VGWs in any region
    - connect to multiple Amazon VPCs in any AWS region
    - MTU of 1500 or 9001
  - Transit VIF
    - MTU of 1500 or 8500
      - update can be disruptive
    - connect multiple VPCs in the same or different AWS accounts using DX
    - Associate up to three Transit Gateways in any AWS region when connected to a DX Gateway
    - Attach VPCs in the same Region to the transit gateway, then access multiple VPCs in different accounts in the same region
  - Hosted VIF
    - has a different virtual interface owner (account id)
    - APN can provision this for their customers
    - Like a private vif, associated with a VLAN and BGP ASN

 DX-Gateway use-case
  - Access public AWS services and multiple regional VPCs
    - public VIF for AWS services
    - DX Gateway and multiple private VIFs for VPC related access

 Transit Gateway and third party SD-WAN
  - uses GRE tunnel as the high performance attachment point
  - uses BGP for dynamic routing
    - two BGP peers for redundancy
  - Create a connect attachment
    - create one or more GRE Tunnels (Transit Gateway connect peers)
    - establish BGP over both tunnels for redundancy
      - inside CIDR blocks from 169.254.0-5.0/29 and 169.254.169.248/29
      - first address on the appliance side
      - addresses must be unique
      - ebgp
        - ebgp multihop with a ttl of 2
      - ibgp
        - will only install routes originated outside the common ASN
      - MP-BGP
        - v4/v6
          - peering only over v4, v6 prefixes can be exchanged
      - keep-alive 30 seconds, hold-timer 90 seconds
    - can use an existing VPC or DX attachment as the underlying transport
    - traffic is verified with required source and destination addresses
      - any other traffic is considered to be part of the transport attachment
    
 VPC Endpoint with KMS
  - KMS supports interface endpoints
  - private DNS hostnames and AmazonProvidedDNS allow you to connect without an endpoint URL
  - Supports condition keys, to match on aws:sourceVpce

 DNS and Conditional Forwarders
  - on-prem AD needs access to AWS resolved private resources
  - create a trust relationship between on-prem AD and AWS managed AD
  - set the domain-name-servers field in a new DHCP Options set to AWS-based domain controllers
    OR
  - Statically assign the AD DNS servers on windows instances
  - Create a conditional forwarder so that requests for the Route 53 private hosted zone are sent to the VPC-provided DNS
    - CIDR address and second IP (for example CIDR 10.10.0.0/16 would use 10.10.0.2)
    - you can also add a forwarder on the AWS AD to point to the on-prem DNS Server

 DNS on-premises BIND
  - configure conditional forwarder to forward requests to VPCDNS
  - Setup a private hosted zone in Route53
    - ensure that you enableDnsHostnames and EnableDnsSupport in VPC Settings

 EKS Load-Balancer Controller
  - Supports ALB or NLB
  - ALB with Ingress
  - NLB with service-type Load-Balancer

 MTU Notes
  - AWS Managed VPN MTU uses 1500
  - if both DX and Managed VPN have the same route advertised, 1500 will be used
  - JUMBO frames only apply to propagated routes from DX, static routes added to a route table pointing to a VGW use 1500 MTU
  - Two VIFs advertising the same route, but using different MTUs result in 1500 MTU

 DX LAG
  - logical interface created with the help of LACP to aggregate multiple connections at a single DX endpoint
  - Create a LAG from existing or new connections
  - Associate the individual links with the LAG
  - Can enforce number of active links required for the LAG to be operational (0 by default)
  - Rules
    - same bandwidth
    - max of four connections
    - all connections must terminate at the same DX Endpoint

 DX MACsec
  - uses a secret key (PSK) to establish connectivity between on-premises router and DX connection port
    - CKN/CAK - Connection Key Name and Connectivity Association Key used to generate the MACsec key
  - Can define policies
    - should_encrypt (optional)
    - must_encrypt
    - no_encrypt

 Storage Gateway and DX Connectivity
  - Uses public endpoints
  - use a public VIF
  - can be in different regions

 NLB subtleties
  - Instance Target - client source IP address will be preserved
  - IP Target 
    - if the target group is TCP and TLS the source will be the load balancer nodes
      - use Proxy_Protocol in order to preserve the customer source IP addresses
    - however if the target is UDP and TCP_UDP the source IP address is the original client IP
  
 X-Forwarded-For
  - is a header containing the sequence of IP addresses a connection has been processed through
    - first IP address is the original Client
  - good for identifying a user's geolocation
  - nginx and other web-servers typically extract this detail using a variable such as $remote_addr
    - normally appended to the existing x_forwarded_for headers
    - also note a new standard that pulls multivalues for x_forwarded_x headers - Forwarded (RFC 7239)

 LAMBDA in a VPC
  - creates ENIs
    - requires Subnet ID and SG ID
    - can attach to multiple subnets
    - hyperplane ENIs
      - multiple execution environments can use a Hyperplane ENI
      - NATs the original execution environment IP to the Hyperplane ENI Private IP (from your private VPC CIDR Block)
    - each unique Subnet and SG ID uses a different ENI
    - functions will be in a pending state during creation (and invocations will fail) until the interface is ready
    - if interfaces are not used for a few weeks, the unused Hyperplane ENIs are reclaimed
    - removing the VPC configuration can take up to 20 minutes...
    - utility called Lambda ENI finder to fine functions (or function versions) using a particular ENI
  - Grant secure outgoing only Internet access with a NAT Gateway
  - deploy in a private subnet
  - Can use VPC Endpoints as an alternative to NAT Gateway for accessing other AWS Services
  - Can enforce the usage of VPCs and restrict/require subnet/vpc/sg ids with IAM condition keys

 CloudFront
  - Origin Protocol Policy options
    - Match Viewer
    - HTTP
    - HTTPS

 Route53 and DNSSEC
  - Uses public key provided to domain registrar, which in turn is forwarded to TLD
  - signature can be validated based on the private key, by using the shared public key
  - up to 13 keys for .com and .net and 4 keys for other TLDs
  - keys can be rotated
    - wait for up to 3 days before deleting keys after adding new keys

 RDS Encryption for MS SQL Server
  - supports Transparent Data Encryption (TDE)
  - encrypts data before writing to storage, decrypts when read
  - Defined as part of an option group setting

 Network Access Analyzer
  - identify unintended access to your resources
  - Three step process:
    - Create a network access scope
      - can include and exclude paths (VPC, IGW, vpce, tgw-X)
      - you will be given a "nis-xxxxx' resource handle
    - Analyze a scope
      - takes a few minutes
    - get the results of the analysis

 ECS Bridge and awsvpc modes
  - bridge uses the built-in docker network
  - awsvpc will ensure that each task gets its own ENI and private IP address

 Public VIF with BGP over DX
  - Requires the following inputs:
    - List of IP prefix CIDRs that will be advertised to AWS
    - VLAN ID
    - BGP ASN
    - Router peer IP
    - Amazon router peer IP
  - all routes advertised to customers are tagged with NO_EXPORT
  - outbound routing policies (set by customer)
    - SCOPE to set where you want your prefixes to be sent
      - 7224:9100, 9200, 9300 - local, regional, global
        - set this as a customer when advertising routes to AWS
      - global by default!
      - 8100,8200 for its advertised routes (8100 is same region ,8200 is same continent, no tag is global)
        - customer can filter routes to only match on the required tags

 On-Prem to DX Location requirements
  - Must use single-mode-fiber
  - port speed and duplex configured manually
  - dot1q
  - BGP and MD5 Authentication
  - Optional BFD

 Route Propagation
  - Checkbox associated with a VGW in a route table
  - With overlapping or matching routes the following rules apply:
    - local route most prefereed over routes from on-prem S2S or DX connection, even if propagated prefixes are longer
    - static routes with the same destination CIDR block as propagated are prioritized if their targtet is:
      - IGW, VGW, ENI, instance-id, pcx, NATGW, TGW, gateway VPCE

 Active/Passive setup with DX
  - Public ASN
    - prepend and local-preference
  - Private ASN
    - NO PREPENDING!
    - use longer match for active path
  
 VPC Flow Logs
  - custom-format - can specify the fields and order in which you want records to be generated
  - aggregation level (1 or 10 minutes)
  - cloudwatch or s3 as destination

 Private Link
  - You can create your own endpoint
  - It can be accessed via third parties
  - Private DNS names can be customised
    - Add a TXT record to your DNS server to validate your ownership
  - You can associate either a NLB or GWLB
  - Use a GWLB if you want to provision multiple security appliances to offload traffic inspection to
    - traffic will be intercepted in the consumer VPC by a GWLB endpoint, sent to the provider GWLB and appliances, and then forwarded back to the consumer

 DX LOA Process
  - request a DX
  - configure it to go through a DX Partner
  - Wait for AWS to send LOA-CFA and send it to the telco provider

 Amazon Inspector
  - supports network assessments (network reachability)
  - also has host rules to identify vulnerabilities

 CloudFront Geo-Restrictions
  - You can identify specific countries to blacklist/whitelist
  - Origin shield provides centralized caching, with a particular region selected.
    - Can be combined with Lambda@Edge to enable advanced serverless logic

 BYOIP
  - Uses a Route Origin Authorization
    - created through your RIR (AFRINIC)
    - identifies which ASNs can advertise address range
  - Also requires you to publish a self-signed x509 certificate in the RDAP 

 CFN
  - Fn::Cidr
    - ipBlock, count(number of CIDRs), cidrBits(number of Subnet Bits (inverse of subnet Mask))
      - 192.168.0.0/24 into 6 CIDRs with a /27 mask i.e. 5 subnet bits
        !Cidr [ "192.168.0.0/24",6,5 ]

 EKS CNI Plugin Variables
  - MINIMUM_IP_TARGET - minimum number of IP addresses assigned to a node - set this to the number of pods you expect per node
  - WARM_ENI_TARGET - how many network interfaces the L_IPAMD keeps available (15 IPs per interface, good for expected rapid scaling)
  - WARM_IP_TARGET - number of IP addresses in L-IPAMDs warm pool (good for conserving IP addresses)
  - WARM_PREFIX_TARGET - number of /28 prefixes added to the instance's network interface (can be used to limit the number of allocated prefixes in smaller subnets)
  - MAX_ENI - max number of ENIs

 Wildcards with AWS Listener Rules
  - *
  - ?
  - a-z/A-Z/0-9/-.

 S3 Bucket Policy
  - can reference aws:sourceVpc to limit access to a bucket
    - will only work with VPC Endpoints configured tho
  - alternatively for a specific endpoint
    - aws:sourceVpce

 SES endpoint for TLS
  - email-smtp.region.amazonaws.com:587 (STARTTLS)
  - email-smtp.region.amazonaws.com:465 (TLS Wrapper)

 169.254.169.123 - Time Sync Service (NTP on port 123)

 Route 53 split-view DNS
  - use the same domain name for internal and external usage
  - create public and private hosted zones with the same name
    - associate one or more VPCs with the private hosted zone (the AWS provided DNS resolver will use the private-hosted zone for lookups)
    - create records in each hosted zone

 NAT Gateway limitations
  - no port forwarding
  - no bastion servers
  - cannot associate with SGs
  - 45Gbps
  - only sends an RST (no FIN)
  - ip fragmented packets for UDP
  - no fragmentation of TCP and ICMP
  - Supports up to 55000 simultaneous connections

 CFN VPC Peering
  - Create the resource in the requester account
  - Requires a Role to be defined in the accepter account (PeerRoleArn property to reference it)
  - Region must match (PeerRegion property)

 Route 53 Private Hosted Zone Failover
  - health checkers require public IP access
  - alternatively you could use a CW metric/alarm combination, and create a health check based on the data stream for hte alarm

 EKS VPC FlowLog
  - Pod to Pod traffic
    - use the sourceaddress and destinationaddress for Node IP filtering
    - use the packetsourceaddress and packet destination address for Pod to Pod (client to server)
    - also note that the sender will see the client node ip as the sourceaddress and the packetsourceaddress as the client pod ip
      - however the server side would see the client pod ip as both the sourceaddress and packetsourceaddress
      - likewise, the client would see both the destinationaddress and packetdestinationaddress as the server pod ip

 VPC CIDR Blocks
  - if you have a primary CIDR block that is non-RFC 1918, you cannot add RFC 1918 ranges to it

 DX Billing
  - Port Hours
  - Outbound Data Transfer

 Track Public IP address changes with SNS
  - just subscribe to the topic ARN arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged subscription

 Cloud-Map
  - provides an API-based service discovery mechanism with faster change propagation and the ability to use attributes to narrow down the set of discovered resources
  - updates existing Route 53 auto naming resources
  - can integrate with EKS through ExternalDNS

 VPN over DX
  - requires a public VIF
  - allows multiple VGWs to be created to terminate managed VPNs
    - alternatively you could use a transit virtual interface on the DX location to connect it to a TGW with VPNs

 Route 53 Private hosted zone
  - can associate with a VPC in a different account
    - use the API call CreateVPCAssociationAuthorization action
	Networking Notes
	================

	VPC Basics
	- dualstack for v4 and v6
	- v6 bounded by v4 (number of v6 addresses)
	- Dedicated or default tenancy
	- 5 Addresses reserved per subnet
	- number of tiers and AZs affect subnet design
	- implicit router uses the .1 address
	- dns uses .2 (in reality the .2 address of the CIDR block is used, but this address is reserved per subnet)
	- future proofing/testing - .3
	- main route tables vs custom route tables
	- local, static and dynamic routes
	- route priority is implicit
	- longest prefix match
	- route priority and propagated routes
	- static takes priority if overlap with progagated route or is identical
	- priority and prefix lists
	- propagated routes that reference a prefix-list take priority (unless there is a longest match)
	- multiple prefix lists with overlapping CIDR blocks to different targets have a random route priority chosen and remembered(sticky)
	- route-types
	- AWS Outposts local gateway - lgw-xxx
	- Peering connection - pcx-xxx
	- VGW
	- IGW
	- NAT Device
	- Nat Gateway - (natgatewayid)
	- longest prefix match to direct specific traffic away from NAT Gateway
	- VPCE
	- route is automatically inserted based on a prefix-list (pl-xxx)
	- Egress-Only gateway (IPv6) - eigw-id
	- Transit-Gateway (tgw-id)
	- tgw-attach-xxxx is used for VPC attachments in TGW Route Tables
	- tgw-id is used in VPC to route to TGW
	- Prefix-List
	- good for referencing common sets of CIDR blocks
	- destination would be a pl-xxxx with an appropriate target
	- VPN Routing
	- BGP Propagated from Direct Connect
	- manually added static routes for a s2s VPN
	- BGP propagated routes for s2s VPN
	- matching prefixes - AS Path length
	- same AS Path length and first AS same - MED
	- MiddleBox Routing
	- specific prefix routed to ENI of appliance - eni-....
	- with the middlebox routing wizard, tags will be created for you with an Origin Key and value of "Middlebox wizard"
	- Use a GWLB
	- specific route pointing to vpc-endpoint-id will be used to forward traffic to the GWLB
	- GWLB configured as a service with a VPC Endpoint service configuration
	- you then create a GWLB endpoint in your VPC to connect your VPC to the service
	- Multiple middleboxes addressed with multiple nat-gateway appliances
	- ENI
	- primary IPv4 address, primary IPv6 address
	- cannot detach primary ENI from a resource
	- multiple ENIs for dual-homed (subnet connection) entities
	- can attach/detach additional ENIs as hot or cold operations
	- SGs are associated with ENIs
	- ENI must be in the same AZ as Instance
	- NIC Teaming not supported (but you could do ENI trunking in awsvpc mode)
	- ENA
	- 100Gbps for supported instance types
	- EFA
	- HPC and MPI for single subnet optimized hardware bypass
	- NCCL can be used for accessing GPUs across a single node or multiple nodes
	- EIPs
	- can be reserved (up to 5)
	- charged when not using it
	- you own the EIP until you explicitly release it
	- SGs
	- can associate up to 5 (default quota and can be increased up to 16)
	- 60 rules per SG(default can be increased)
	- Cannot exceed 1000 when multiplying number of SGs and number of rules
	- allow rules only
	- stateful
	- NACLs
	- subnet must be associated with a NACL (and only 1 at a time)
	- NAT Instances
	- HA - use ASG for steady state (min/max/dedicated=1)
	- disable source/destination check
	- NAT Gateway
	- fully managed and associated with AZs
	- can create separate NAT Gateways in separate subnets
	- can now be private (and will not allow routing to an IGW)
	- Supports NAT64
	- 64:ff9b::/96 prefix
	- Allows your v6 only services to communicate with v4 only services across subnets, connected VPCs, on-premises networks of over the Internet
	- Supports DNS64
	- enabled per subnet
	- allows your v6 workload to query Route53
	- If a record contains an IPv6 address, this is returned
	- If there is not IPv6 address, one is synthesized with the 64:ff9b::/96 prefix
	- client then sends packets to the synthesized address
	- VPC Endpoints
	- gateway
	- prefix-list and route table hack
	- S3
	- add VPC ID and VPC endpoint to the S3 bucket policy
	- Cheaper than interface (for S3)
	- interface
	- dns hack
	- VPC Peering
	- VPC Flow Logs
	- some delay
	- not capture (metadata)
	- secondary IP address will be reflected as primary
	- only see private IP addresses
	- HPC
	- enhanced networking
	- cluster placement
	- enhanced networking and jumbo frames
	- 9001 MTU (will be fragmented if traversing Internet Gateways or other regions)
	- MTU can also be set on private VIFs for scenarios where you connect to on-premises using DX


	X-Ray
	- can read the x_forwarded___ headers automatically

	CloudHSM
	- provides SSL offload
	- CloudHSM controls and has access to the Private Key
	- Public Key (in the pub cert) is sent from the Server to the Client and the encrypted session key is sent to the HSM

	VPC Peering Scenario
	- Two overlapping VPCs as spokes
	- Two different EC2 instances in hub VPC need access to each
	- Isolated subnets with appropriate routes to required peers will work

	VPN CloudHub
	- Supports VPN communication between branches, with or without a VPC requirement

	BGP
	- cannot use EBGP-Multihop
	- Path prepending and local preference for primary/secondary
	- 7224:7300 is a high preference
	- 7224:7200 is medium preference
	- 7224:7100 is low preference
	- 100 Prefix limit, use summaries to keep within the limit
	- by default session will reset

	CloudFront with Lambda@Edge gives edge computing features and low-latency benefits

	WAF
	- supports geo match conditions to block blacklisted countries

	S2S VPN Configuration Options
	- PSK/DPD/DH
	- NO SUPPORT FOR PMTUD

	DHCP Options Set
	- To force new settings create a new option set and associate it with your VPC
	- Can force a lease renewal to speed up the process of receiving the options

	DX
	- Public VIF
	- can connect to non-VPC services
	- can access public AWS resources in any region
	- can receive Amazon's global IP routes
	- Private VIF
	- connect to VPC services
	- connect to a DX Gateway, and then associate the DX gateway with one or more VGWs in any region
	- connect to multiple Amazon VPCs in any AWS region
	- MTU of 1500 or 9001
	- Transit VIF
	- MTU of 1500 or 8500
	- update can be disruptive
	- connect multiple VPCs in the same or different AWS accounts using DX
	- Associate up to three Transit Gateways in any AWS region when connected to a DX Gateway
	- Attach VPCs in the same Region to the transit gateway, then access multiple VPCs in different accounts in the same region
	- Hosted VIF
	- has a different virtual interface owner (account id)
	- APN can provision this for their customers
	- Like a private vif, associated with a VLAN and BGP ASN

	DX-Gateway use-case
	- Access public AWS services and multiple regional VPCs
	- public VIF for AWS services
	- DX Gateway and multiple private VIFs for VPC related access

	Transit Gateway and third party SD-WAN
	- uses GRE tunnel as the high performance attachment point
	- uses BGP for dynamic routing
	- two BGP peers for redundancy
	- Create a connect attachment
	- create one or more GRE Tunnels (Transit Gateway connect peers)
	- establish BGP over both tunnels for redundancy
	- inside CIDR blocks from 169.254.0-5.0/29 and 169.254.169.248/29
	- first address on the appliance side
	- addresses must be unique
	- ebgp
	- ebgp multihop with a ttl of 2
	- ibgp
	- will only install routes originated outside the common ASN
	- MP-BGP
	- v4/v6
	- peering only over v4, v6 prefixes can be exchanged
	- keep-alive 30 seconds, hold-timer 90 seconds
	- can use an existing VPC or DX attachment as the underlying transport
	- traffic is verified with required source and destination addresses
	- any other traffic is considered to be part of the transport attachment

	VPC Endpoint with KMS
	- KMS supports interface endpoints
	- private DNS hostnames and AmazonProvidedDNS allow you to connect without an endpoint URL
	- Supports condition keys, to match on aws:sourceVpce

	DNS and Conditional Forwarders
	- on-prem AD needs access to AWS resolved private resources
	- create a trust relationship between on-prem AD and AWS managed AD
	- set the domain-name-servers field in a new DHCP Options set to AWS-based domain controllers
	OR
	- Statically assign the AD DNS servers on windows instances
	- Create a conditional forwarder so that requests for the Route 53 private hosted zone are sent to the VPC-provided DNS
	- CIDR address and second IP (for example CIDR 10.10.0.0/16 would use 10.10.0.2)
	- you can also add a forwarder on the AWS AD to point to the on-prem DNS Server

	DNS on-premises BIND
	- configure conditional forwarder to forward requests to VPCDNS
	- Setup a private hosted zone in Route53
	- ensure that you enableDnsHostnames and EnableDnsSupport in VPC Settings

	EKS Load-Balancer Controller
	- Supports ALB or NLB
	- ALB with Ingress
	- NLB with service-type Load-Balancer

	MTU Notes
	- AWS Managed VPN MTU uses 1500
	- if both DX and Managed VPN have the same route advertised, 1500 will be used
	- JUMBO frames only apply to propagated routes from DX, static routes added to a route table pointing to a VGW use 1500 MTU
	- Two VIFs advertising the same route, but using different MTUs result in 1500 MTU

	DX LAG
	- logical interface created with the help of LACP to aggregate multiple connections at a single DX endpoint
	- Create a LAG from existing or new connections
	- Associate the individual links with the LAG
	- Can enforce number of active links required for the LAG to be operational (0 by default)
	- Rules
	- same bandwidth
	- max of four connections
	- all connections must terminate at the same DX Endpoint

	DX MACsec
	- uses a secret key (PSK) to establish connectivity between on-premises router and DX connection port
	- CKN/CAK - Connection Key Name and Connectivity Association Key used to generate the MACsec key
	- Can define policies
	- should_encrypt (optional)
	- must_encrypt
	- no_encrypt

	Storage Gateway and DX Connectivity
	- Uses public endpoints
	- use a public VIF
	- can be in different regions

	NLB subtleties
	- Instance Target - client source IP address will be preserved
	- IP Target
	- if the target group is TCP and TLS the source will be the load balancer nodes
	- use Proxy_Protocol in order to preserve the customer source IP addresses
	- however if the target is UDP and TCP_UDP the source IP address is the original client IP

	X-Forwarded-For
	- is a header containing the sequence of IP addresses a connection has been processed through
	- first IP address is the original Client
	- good for identifying a user's geolocation
	- nginx and other web-servers typically extract this detail using a variable such as $remote_addr
	- normally appended to the existing x_forwarded_for headers
	- also note a new standard that pulls multivalues for x_forwarded_x headers - Forwarded (RFC 7239)

	LAMBDA in a VPC
	- creates ENIs
	- requires Subnet ID and SG ID
	- can attach to multiple subnets
	- hyperplane ENIs
	- multiple execution environments can use a Hyperplane ENI
	- NATs the original execution environment IP to the Hyperplane ENI Private IP (from your private VPC CIDR Block)
	- each unique Subnet and SG ID uses a different ENI
	- functions will be in a pending state during creation (and invocations will fail) until the interface is ready
	- if interfaces are not used for a few weeks, the unused Hyperplane ENIs are reclaimed
	- removing the VPC configuration can take up to 20 minutes...
	- utility called Lambda ENI finder to fine functions (or function versions) using a particular ENI
	- Grant secure outgoing only Internet access with a NAT Gateway
	- deploy in a private subnet
	- Can use VPC Endpoints as an alternative to NAT Gateway for accessing other AWS Services
	- Can enforce the usage of VPCs and restrict/require subnet/vpc/sg ids with IAM condition keys

	CloudFront
	- Origin Protocol Policy options
	- Match Viewer
	- HTTP
	- HTTPS

	Route53 and DNSSEC
	- Uses public key provided to domain registrar, which in turn is forwarded to TLD
	- signature can be validated based on the private key, by using the shared public key
	- up to 13 keys for .com and .net and 4 keys for other TLDs
	- keys can be rotated
	- wait for up to 3 days before deleting keys after adding new keys

	RDS Encryption for MS SQL Server
	- supports Transparent Data Encryption (TDE)
	- encrypts data before writing to storage, decrypts when read
	- Defined as part of an option group setting

	Network Access Analyzer
	- identify unintended access to your resources
	- Three step process:
	- Create a network access scope
	- can include and exclude paths (VPC, IGW, vpce, tgw-X)
	- you will be given a "nis-xxxxx' resource handle
	- Analyze a scope
	- takes a few minutes
	- get the results of the analysis

	ECS Bridge and awsvpc modes
	- bridge uses the built-in docker network
	- awsvpc will ensure that each task gets its own ENI and private IP address

	Public VIF with BGP over DX
	- Requires the following inputs:
	- List of IP prefix CIDRs that will be advertised to AWS
	- VLAN ID
	- BGP ASN
	- Router peer IP
	- Amazon router peer IP
	- all routes advertised to customers are tagged with NO_EXPORT
	- outbound routing policies (set by customer)
	- SCOPE to set where you want your prefixes to be sent
	- 7224:9100, 9200, 9300 - local, regional, global
	- set this as a customer when advertising routes to AWS
	- global by default!
	- 8100,8200 for its advertised routes (8100 is same region ,8200 is same continent, no tag is global)
	- customer can filter routes to only match on the required tags

	On-Prem to DX Location requirements
	- Must use single-mode-fiber
	- port speed and duplex configured manually
	- dot1q
	- BGP and MD5 Authentication
	- Optional BFD

	Route Propagation
	- Checkbox associated with a VGW in a route table
	- With overlapping or matching routes the following rules apply:
	- local route most prefereed over routes from on-prem S2S or DX connection, even if propagated prefixes are longer
	- static routes with the same destination CIDR block as propagated are prioritized if their targtet is:
	- IGW, VGW, ENI, instance-id, pcx, NATGW, TGW, gateway VPCE

	Active/Passive setup with DX
	- Public ASN
	- prepend and local-preference
	- Private ASN
	- NO PREPENDING!
	- use longer match for active path

	VPC Flow Logs
	- custom-format - can specify the fields and order in which you want records to be generated
	- aggregation level (1 or 10 minutes)
	- cloudwatch or s3 as destination

	Private Link
	- You can create your own endpoint
	- It can be accessed via third parties
	- Private DNS names can be customised
	- Add a TXT record to your DNS server to validate your ownership
	- You can associate either a NLB or GWLB
	- Use a GWLB if you want to provision multiple security appliances to offload traffic inspection to
	- traffic will be intercepted in the consumer VPC by a GWLB endpoint, sent to the provider GWLB and appliances, and then forwarded back to the consumer

	DX LOA Process
	- request a DX
	- configure it to go through a DX Partner
	- Wait for AWS to send LOA-CFA and send it to the telco provider

	Amazon Inspector
	- supports network assessments (network reachability)
	- also has host rules to identify vulnerabilities

	CloudFront Geo-Restrictions
	- You can identify specific countries to blacklist/whitelist
	- Origin shield provides centralized caching, with a particular region selected.
	- Can be combined with Lambda@Edge to enable advanced serverless logic

	BYOIP
	- Uses a Route Origin Authorization
	- created through your RIR (AFRINIC)
	- identifies which ASNs can advertise address range
	- Also requires you to publish a self-signed x509 certificate in the RDAP

	CFN
	- Fn::Cidr
	- ipBlock, count(number of CIDRs), cidrBits(number of Subnet Bits (inverse of subnet Mask))
	- 192.168.0.0/24 into 6 CIDRs with a /27 mask i.e. 5 subnet bits
	!Cidr [ "192.168.0.0/24",6,5 ]

	EKS CNI Plugin Variables
	- MINIMUM_IP_TARGET - minimum number of IP addresses assigned to a node - set this to the number of pods you expect per node
	- WARM_ENI_TARGET - how many network interfaces the L_IPAMD keeps available (15 IPs per interface, good for expected rapid scaling)
	- WARM_IP_TARGET - number of IP addresses in L-IPAMDs warm pool (good for conserving IP addresses)
	- WARM_PREFIX_TARGET - number of /28 prefixes added to the instance's network interface (can be used to limit the number of allocated prefixes in smaller subnets)
	- MAX_ENI - max number of ENIs

	Wildcards with AWS Listener Rules
	- *
	- ?
	- a-z/A-Z/0-9/-.

	S3 Bucket Policy
	- can reference aws:sourceVpc to limit access to a bucket
	- will only work with VPC Endpoints configured tho
	- alternatively for a specific endpoint
	- aws:sourceVpce

	SES endpoint for TLS
	- email-smtp.region.amazonaws.com:587 (STARTTLS)
	- email-smtp.region.amazonaws.com:465 (TLS Wrapper)

	169.254.169.123 - Time Sync Service (NTP on port 123)

	Route 53 split-view DNS
	- use the same domain name for internal and external usage
	- create public and private hosted zones with the same name
	- associate one or more VPCs with the private hosted zone (the AWS provided DNS resolver will use the private-hosted zone for lookups)
	- create records in each hosted zone

	NAT Gateway limitations
	- no port forwarding
	- no bastion servers
	- cannot associate with SGs
	- 45Gbps
	- only sends an RST (no FIN)
	- ip fragmented packets for UDP
	- no fragmentation of TCP and ICMP
	- Supports up to 55000 simultaneous connections

	CFN VPC Peering
	- Create the resource in the requester account
	- Requires a Role to be defined in the accepter account (PeerRoleArn property to reference it)
	- Region must match (PeerRegion property)

	Route 53 Private Hosted Zone Failover
	- health checkers require public IP access
	- alternatively you could use a CW metric/alarm combination, and create a health check based on the data stream for hte alarm

	EKS VPC FlowLog
	- Pod to Pod traffic
	- use the sourceaddress and destinationaddress for Node IP filtering
	- use the packetsourceaddress and packet destination address for Pod to Pod (client to server)
	- also note that the sender will see the client node ip as the sourceaddress and the packetsourceaddress as the client pod ip
	- however the server side would see the client pod ip as both the sourceaddress and packetsourceaddress
	- likewise, the client would see both the destinationaddress and packetdestinationaddress as the server pod ip

	VPC CIDR Blocks
	- if you have a primary CIDR block that is non-RFC 1918, you cannot add RFC 1918 ranges to it

	DX Billing
	- Port Hours
	- Outbound Data Transfer

	Track Public IP address changes with SNS
	- just subscribe to the topic ARN arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged subscription

	Cloud-Map
	- provides an API-based service discovery mechanism with faster change propagation and the ability to use attributes to narrow down the set of discovered resources
	- updates existing Route 53 auto naming resources
	- can integrate with EKS through ExternalDNS

	VPN over DX
	- requires a public VIF
	- allows multiple VGWs to be created to terminate managed VPNs
	- alternatively you could use a transit virtual interface on the DX location to connect it to a TGW with VPNs

	Route 53 Private hosted zone
	- can associate with a VPC in a different account
	- use the API call CreateVPCAssociationAuthorization action