AWS Advanced Networking – Specialty Study Guide

I recently passed the AWS Certified Advanced Networking – Specialty exam and want to share my experiences with those of you working toward the certification.

Summary

The exam is 170 minutes with 65 questions and compared to the professional level exams, this felt like ample time leaving more than 45 minutes to review my (many) marked questions. The question length was manageable and felt less than the pro exams, which made it easier to consume the content and move through the exam at a good pace. The questions are a mix of scenario and Q&A with scenarios making up the larger proportion.

Going in with a good understanding of networking such as TCP/IP, subnetting, routing and data center structure will help a lot. I don’t have a ‘networking’ background so I took more time to prepare and students with little or no networking experience should consider spending some extra time studying network fundamentals.

In terms of the technology specifics, I have included a list of top topics the exam focuses on along with some tips and key information. The section is limited to the top 6 +/- areas to keep this article a consumable size.

Study Resources

1. The AWS Certified Advanced Networking Study Guide

You will not often find me recommending the official text books as a number one study resource simply because I often find them hard to consume and remember. I prefer consolidated information that I can remember on test day. This study guide is specifically focused on test takers and the authors have done a great job of structuring the information into easily consumable sections, each with its own assessment test.

I recommend taking the video courses mentioned below first while having this book on hand as a reference. Once the video courses are completed, take the assessment test in the book’s introduction to give you an idea of your strengths and weaknesses. Use the output as a guide to further research. The practice exams included in the online study tools will also help highlight areas you need to brush up on and these exams are by far the closest practice exams to the real test that I found – offering much more of a real world experience than the exams included with the video courses, for example.

The 138 flash cards included with the online content are also really useful – these are not the usual ways that I choose to study but I would not have passed without this resource so it is cash well spent.

2. Video courses from acloud.guru and Linux Academy

Both of these courses are highly valuable. For those of you that have read my previous article, you know that I’m a huge advocate of both training providers and they both deliver for this certification.

Derek Morgan’s course does a great job of breaking down the concepts – everything from the basics of IPv4 and subnetting through to BGP and MPLS specifics and processes. I found the breakdown between fundamentals and deep dive really helpful. The course really helped me understand the specifics and helped me understand the ‘right’ choice on questions where you need to reason the answer.

Ryan Kroonenburg’s course is also outstanding. The course helped me ‘get it’ and fit everything together. I loved the flow and structure and focus on flow of each of the subject areas as this is something the exam really focuses on, BGP path selection and how to influence it etc.

3. Blogs and Articles

Yujun Liang’s article on LinkedIn: https://www.linkedin.com/pulse/how-did-i-prepare-aws-advanced-networking-specialty-yujun-liang-/
Jady Liu’s article on LinkedIn: https://www.linkedin.com/pulse/most-efficient-way-study-aws-certifications-specialty-jady-liu/
Michael Kelly’s blog: https://blog.ashiny.cloud/2018/07/29/aws-certified-advanced-networking-specialty/#vpn

4. AWS Re:Invent Videos

Jady Liu’s list is all you need: https://www.youtube.com/playlist?list=PLlkukGgpsXyvUbJ85RVD7qNJ1mcGKO4_w

In summary, get the book to maximise your chances of passing with the best score.

Top Topics, Tips and Key Information

Notes covering what I feel are the top 6 focus areas for the exam.

Direct Connect (DX) and Border Gateway Protocol (BGP)

  • By far the most focused topic of the exam
  • DX allows you to connect your AWS resources to your on-premises resources privately
  • DX is typically more consistent and reliable than a normal internet connection
  • AWS provides 1Gbps or 10 Gbps Ethernet single mode fiber-optic
    • Sub 1Gbps connections can be ordered by a partner (min 50 Mbps)
  • Direct Connect locations allow you to connect to that specific region
  • Supports both IPv4 and IPv6
  • Reduced data-out rates. Data in to AWS is free (in almost all cases)
  • Virtual interface (VIF) needed for each VPC. Connected to Direct Connect
    • Public VIF: Used to connect to AWS resources not in a VPC
      • Used for a VPN to a VGW
    • Private VIF: Used to connect to resources within a VPC
  • One LOA-CFA per connection per data centre
    • LOA-CFA = Letter of Authorization Customer Facility Access
  • LAGs = Link Aggregation Groups
  • 100 BGP prefixes can be announced over a single private VIF (hard limit)
  • S3 endpoint cannot be accessed over DX
    • Public VIF used to access S3 over a direct connect (but not the endpoint)

DX Requirements

  • BGP
  • BGP MD5 auth
  • Single mode fibre 1000BASE-LX and 10GBASE- with 802.1q VLANs
  • Auto-negotiation for the port for direct connect needs to be disabled
  • You cannot change the port speed of an existing connection
  • Limit on BGP (dynamic) advertised routes per route table is 100
    • Static route limit is 50 (convert to dynamic/BGP to increase amount of possible routes)
  • Lowest bandwidth on DX partners is 50 Mbps

Elastic Load Balancers

  • Allows you to distribute application traffic across multiple EC2 instances
  • Can distribute traffic over multiple availability zones
    • Cross-zone load balancing MUST be enabled
  • Two network configurations of ELBs:
    • External: Routes traffic from the internet to EC2 instances
    • Internal: Routes traffic from internal resources to EC2 instances
  • Minimum IPv4 subnet size of /27, which differs from the VPC
  • Cannot use AWS WAF with ELB classic
  • Terminate SSL on ELB for performance – be aware of requirements for end-to-end encryption
  • x-forwarded-for header needed to see client in access logs – ALB
  • Proxy protocol to enable connection information (including client IP) when using TCP or SSL for both front and back end on ELB Classic
  • Use alias Route53 record

Virtual Private Networks (VPN)

  • Site-to-site only using AWS VPN
  • Client-to-site would be third party software running on EC2 in a VPC
  • IPSec and Encapsulating Security Protocol
  • IP protocol 50, port 500 UDP for IPSec
  • Benefits:
    • Data encryption in transit across the internet and direct connect
    • Used to encrypt direct connect (use Public VIF for VPN termination)
  • Use monitoring software (keep alive) to keep tunnel up
  • Routing hard limit of 50 for static routes and 100 for dynamic routes (BGP)
  • VPN connection consists of two tunnels (configure to a single customer router for HA on the AWS end)
  • HA on the customer end requires two VPN connections (each provides two tunnels for mesh HA)

Route53

  • Route 53 is Amazon’s DNS service
  • Allows registration of domain names or use of domain names you own
  • Utilises health checks to monitor health of your instances
  • Public or private hosted zones
    • A public hosted zone is accessible from the internet
    • A hosted zone is named after a domain name that you own
    • A private hosted zone can be any domain you wish as it does not traverse the public internet
  • A reusable delegation set can be used to create a set of name servers to use for multiple domains
  • Record specific information:
    • CNAME: Not free for queries, points to records hosted anywhere
    • ALIAS: No charge for queries, AWS resources only
  • To ensure name servers remain consistent across domains create a Reusable Delegation Set (through the CLI or API)

Elastic Network Interfaces (ENI)

  • You can associate multiple IPs to each network interface
    • Beware of instance specific limitations
  • An ENI can have IPv6 addresses if the VPC has IPv6 enabled
  • ENI can be moved between subnets but not AZs
    • Can be a good way of migrating network configurations where required
  • Attaching two ENIs to the same instance in the same subnet can cause networking issues
    • Use multiple IPs on the primary NIC, if required

Conclusion

The exam has a reputation for being the most difficult of the AWS certifications and it necessitates a good understanding of general networking with specific focuses on connectivity, routing, performance and troubleshooting. I managed to pass on first attempt with a score of 75%, which is not my highest score and demonstrates the challenge especially considering I spent more time preparing than I did for each of the SA and DevOps certifications.

I personally really enjoyed the experience and have learned a lot of practical and usable skills and experience that will help me succeed professionally. I hope this article has been useful, good luck with the exam!

AWS Professional Certification Guide

Following on from the earlier post covering my experiences taking the AWS associate level certifications, this post covers preparing for and taking the AWS Professional level certifications.

Given that I started studying for these certifications coming up to the Christmas break and there were no suitable exam slots until late January, I decided to study for both the SA and DevOps pro, before sitting either exam. I found it to be a good decision given that there is a good amount of content overlap and I felt more confident going in to the first pro-level exam. The task was daunting – 6 weeks of preparation time for both exams and towards the end, I felt that the pace was pushing too hard (if repeated I would have given myself at least 6 weeks per exam). Overall preparation time is relative to the amount of previous experience you have in the subject area and the amount of time you can invest in a given period. I managed an intense amount of study per day which was made easier by a combination of public holidays and planned time off from my day job.

It is a huge relief to be successfully on the better side of the pro-level certifications, something that was far from certain going in to the process. My preparation focused on the same techniques as during the associate level. Firstly, video training from Linux Academy and acloud.guru, secondly, AWS documentation (some of the industry’s best documentation) and finally (most importantly) hands on practice with AWS (lots of this at the pro-level along with some real world experience if possible).

AWS Solution Architect – Professional

As mentioned before, I feel the SA certification has the most wide ranging content which makes for the most daunting preparation. That being said, I didn’t find it the most difficult of the two. Linux Academy is the most comprehensive video training and offers a high standard of content backed by labs and additional tailored documentation, which made preparation that much easier than it would have been otherwise. I also took the acloud.guru course, which is great at focusing on the exam specifics (take both courses if possible).

One of the key things to be aware of when it comes to the exam is the time available, it’s tight! There are approx. 80 questions (I had 77) which have to be completed in 2 hours 50 minutes (170 minutes). The questions are wordy and have multiple theoretically correct answers, the key is to look for what the question is looking for in terms of technologies used and best practices. Reading the questions and deciding on the right answer took me a surprisingly long time. Rather than trying to keep an eye on the number of questions answered vs. amount of time remaining, I set myself a 2 minute rule for each question and for the questions that took too long – I gave my first/best guess.

My thoughts on preparing for and taking the exam:

  • Pay particular attention to ElasticBeanstalk and OpsWorks. When do they work together? What are the different deployment types? How do you deploy and rollback? What languages are supported?
  • Get familiar with EC2 instance types. There are a lot of EC2 design related questions and knowing which instance to use in which scenario is essential.
  • Understand connectivity, how each type is setup, how it works, routing, propagation (VPNs, VPCs, VPC Peering, DirectConnect)
  • Understand how to optimise EC2 storage performance, when different instance types are beneficial and how to optimise EBS performance.
  • Do you know when to use different caching engines? When would you choose Memcache and when might you prefer Redis?
  • How do you loosely couple services? Do you know how, when, and why to use SQS and SNS? Do you know the limitations and when it is not appropriate to use one or the other of these services?
  • Understand when and how to use AssumeRole, AssumeRoleWithSAML and AssumeRoleWithWebIdentity.
  • Make sure you understand consolidated billing, how to set it up and what it offers. I got a few easy points questions on this topic.
  • All of the training material, documentation and hands on practice is important and this list isn’t an overall guide to the exam but some pointers that would have been useful to know prior to taking my exam.
  • I found the official practice test for the SA pro exam to be highly misleading, poorly worded and generally I felt that it did me more harm than good when preparing for this certification. AWS really need to get the practice test updated. I recommend using the tests provided by Linux Academy.

AWS DevOps Engineer – Professional

The DevOps experience was the most varied for me. I found studying for the exam to be one of the most enjoyable experiences and learned a lot about OpsWorks, CloudWatch, AutoScaling (lifecycle hooks, self healing) and the various APIs however, the exam was by far the toughest of all. Contrary to some of the articles/blogs that I’d read before sitting the exam, I found it was by far the most challenging on time. I had exactly 80 questions to cover in 2 hours 50 minutes. The questions felt as wordy as the SA pro exam and took me longer to answer – often exceeding my 2 minute rule. The situation got so bad by question 35 that I had to skim read and answer the next 5/6 questions to catch up on time. Definitely be wary of time with the DevOps exam!

In terms of my preparation, both Linux Academy and acloud.guru were equally valuable. The key for me, even more so than in all of the certifications, was the AWS documentation and hands on practice – it was a huge help to develop my understanding. I recommend researching the topics in depth, I naturally found myself doing this more than in the other certifications because I felt weaker on some of the subject areas and really wanted to familiarise myself with the CLI, API and SDKs.

My thoughts on preparing for and taking the exam:

  • CloudFormation is one of the main topics in this exam. Understand template structure, intrinsic functions, WaitConditions, Helper Scripts, Stack, Update and Deletion Policies – I strongly recommend hands on familiarity along with theory.
  • OpsWorks and ElasticBeanstalk are also covered in detail. Understand OpsWorks auto healing, stacks, layers, lifecycle events, instances, and EB ebextensions, use cases, SDKs, supported languages.
  • As in the SysOps certification, DevOps builds on CloudWatch so learn about metrics, logging and monitoring.
  • AutoScaling is also covered at an advanced level. Learn about lifecycle hooks, termination policies and API, CLI and SDK calls etc.
  • Deployment strategies. Blue/Green or A/B, All at once, Immutable, Rolling.
  • The official practice exam for the DevOps pro exam is much better than the SA pro and is relevant for exam prep.
  • In summary, study the theory but there is serious benefit in putting this in to action with hands on practice.

Conclusion

The AWS Professional level certifications are a big step up from the associate level certifications and do an excellent job of testing true understanding and hands on abilities. The time aspect is one of the most challenging aspects of both exams but particularly the DevOps exam. If choosing to take the practice exams be wary of the SA pro exam but I do recommend the DevOps pro practice exam. The practice exams from Linux Academy are by far the best that I found during my pro-level studies.

Final thoughts:

  • Always read the exam blueprint and AWS exam guidance. This is easy to overlook but provides great context, detail on expectations and generally gets you in to the mindset of what AWS are assessing with the certification exams.
  • Learn to read fast! What I mean here is concentrate on exam strategy and timing, when taking the Linux Academy practice exam, allow yourself no longer than 2 minutes per question and prepare yourself for the 2 hour 50 minutes of heavy read, consider and answer type scenario of the exam.
  • Practice and practice some more. At the associate level, you could get through with theory but I strongly believe that is not the case at the professional level.

In addition to reading my blog, read blogs by Adrian Cantrill, Nick Triantafillou and Stephen Wilding (all linked here and below) which I found were a huge help during my preparation.

If you feel that I can help your studies in any way – get in touch! Good luck!

Resources

Blogs

http://cantrill.io/

https://hydrasit.com/blog/

http://ozaws.com/

Official Exam Links

https://aws.amazon.com/certification/certified-solutions-architect-professional/

https://aws.amazon.com/certification/certified-devops-engineer-professional/

** Unlike with the associate certs, I won’t link specific documentation here as there is a huge amount of content and particular focus areas will depend on your current level skills and experience **

AWS Associate Level Certification Guide

I’m happy to report that I now hold all three AWS associate level certifications and have written up my experiences to help you on your AWS certification journey. This guide covers the exam topics, resources used to prepare and my experience on exam day. 

I began my certification journey taking an instructor led and remotely delivered (Webex) version of the official Architecting on AWS course, which is designed to prepare students for the AWS Solution Architect – Associate certification exam. The course was run by QA and served as a great introduction to AWS certification. On reflection, the course contained all of the content and labs required to pass the exam however, wanting to be extra prepared for the first exam, I purchased acloud.guru’s all five certification bundle.

The three associate certifications provide a solid base and I found preparing for exams was manageable. I allowed up to two weeks to prepare for each and used a combination of acloud.guru, hands on practice with AWS using a free tier account and time spent reading the AWS documentation – particularly for topics that require more in-depth understanding.

AWS Solutions Architect – Associate 

The instructor led training gave me a good foundation, which gave me the confidence to book the exam immediately after taking the course – giving myself another week to review the acloud.guru content. I spent a lot of the time running through the basics hands on – creating VPCs, EC2 instances, Security Groups, NAT gateways, ACLs etc. using both the GUI and CLI.

I feel that the Solution Architect certification has the most wide ranging content, which made it the most daunting to prepare for (not helped by it being my first experience of AWS certification!) 

My thoughts and guidance after taking the exam:

  • Pay particular attention to VPC, IAM, Route 53 and S3
  • By all means, don’t miss any topics on the exam guide but I got the highest number of questions on the areas mentioned. Particularly:
    • Route 53 record types and appropriate usage (set these up, play, create health checks, understand the different record types etc.)
    • Process to create a VPC, difference between a NAT instance and a NAT gateway etc. (again, the best way to know this is to do it a few times)
    • When to use IAM roles, users, groups etc (tip always use Roles where possible, particularly for EC2 instances)
      • AWS recently enabled roles to be added to EC2 instances that are already online, this isn’t reflected in the exam yet
    • S3 storage types and appropriate use cases, difference between durability and availability (pay particular attention to the wording as the stats are different for each)
  • Learn how to calculate DynamoDB provisioned throughput
    • Tip: For reads the formula is (ITEM SIZE (rounded up to the next 4KB multiple) / 4KB) * # of items
    • Tip: For writes the formula is (ITEM SIZE (rounded up to the next 1KB multiple) / 1KB) * # of items
    • I personally got 1 or 2 of these in the SA exam but more in the Developer exam (more on that later)
  • If you only read one piece of documentation, make it the ‘AWS Well-Architected Framework’ whitepaper (link below). This document introduces the five pillars of the well-architected framework and will help develop your approach to architecting solutions and will greatly help (exam strategy here) with eliminating the obviously incorrect questions on the certification exams

AWS Developer – Associate

Many exam takers, blogs and even training providers indicate that the developer associate certification is the easiest of the associate level certifications however, I was quite the opposite and found the developer exam the hardest of the first three. For those of you that have already taken this exam or do in the future – I am interested to hear your experiences.

To prepare for the exam I gave myself two weeks and used acloud.guru as my primary training source along with hands on practice using my free tier account and a more than usual amount of time reading through the AWS documentation, which I found most important for the developer preparation. I’d recommend spinning up an Amazon Linux EC2 instance, getting the AWS CLI setup and interacting with things like S3 using roles / credentials / keys and understanding the differences.

My thoughts and guidance after taking the exam:

  • Know how to interact with the AWS CLI and API particularly common commands for interacting with S3
  • Learn about Simple Notification Service (SNS) particularly the different name/value pairs available in the message body and different notification options
  • How do you approach security in AWS (dev focus)? Important to know IAM roles, access keys, policies etc, S3 encryption, Security Token Service (at a high-level, this is covered in more detail at the professional level), VPC security (security groups (stateful), ACLs (stateless) etc.)
  • I personally had at least 4 DynamoDB provisioned throughput related questions – some easy marks to be gained here (see above)
  • What are S3’s different use cases? Particularly the different URL types for websites vs other objects as well as bucket versioning
  • What are the different deployment types? When and how to use CloudFormation, Elastic Beanstalk etc. and what can and can’t these services do? The focus was more on EB and CF in the developer exam for me (less on OpsWorks, where I saw more questions in the sysops and professional certification exams although this may not be the case for all)

AWS SysOps Administrator – Associate

Last but by no means least, the sysops admin certification. Out of the three so far, I was most nervous about the sysops exam as it is commonly believed to be the most difficult of the associate level certification exams but this didn’t turn out to be the case for me. I actually found that there was a lot of overlapping content (and concepts) from the Solution Architect and Developer certifications allowing me to score highest out of the first three.

Once again, I gave myself two weeks to prepare for the exam and used acloud.guru as the primary training material along with my free tier account and reading through the AWS documentation. The first thing that comes to my mind when I think of the sysops exam is CloudWatch, know how to use it, how to setup metrics and custom metrics and how different AWS services interact with CloudWatch. 

My thoughts and guidance after taking the exam:

  • Understand monitoring and healthchecks, monitoring EBS, RDS, ELB, EC2 etc.
  • What is consolidated billing and how do you set it up? (I got a couple of questions here, easy marks)
  • How do you make a solution elastic and scalable? RDS read replicas, auto scaling, HA for single hosts (auto scaling with min 1, max 1) etc.
  • Backup options within AWS? Snapshots, storing log files etc.
  • How do you build IAM policies and use MFA and what are the compliance options?
  • How are networks scalable? Particularly focus on Route53 (weighted, latency based, geolocation etc.), creating and scaling NAT instances, how to enable VPC flow logs etc.

Conclusion

Studying for the associate level exams was enjoyable and gave me a great insight in to the AWS world as well as preparing me with the necessary knowledge and skills not only to pass the certification exams but to be effective with AWS. At the associate level, I personally found that there was enough time in the exam to work through the questions without having to rush and that there was enough time remaining at the end to review any marked questions.

General thoughts on taking the exams:

  • Always read the exam blueprint (linked from the official AWS certification pages) as this document gives you a complete list of items to study and helps identify areas of personal strength and weakness
  • At the associate level, acloud.guru is a great resource however, only toward the end did I discover the Linux Academy video series, which are excellent. Where I found that acloud.guru was great at preparing students with the knowledge required to pass the exam, I personally found that Linux Academy is much better at preparing students with the skills and knowledge not only to pass the exam but to really understand the topics and learn the necessary skills to be effective beyond the exam. I found Linux Academy essential at the professional level (more on that later)
  • Read the sample questions (also from the official AWS pages) – I personally found that in at least two of my exams, one of these questions popped up (word for word)
  • TIP: Go to the AWS Japanese site for the Solution Architect sample questions and the PDF has the sample question answers in the bottom right of each question http://media.amazonwebservices.com/jp/certification/AWS_certified_solutions_architect_professional_examsample0701_08_final.pdf
  • I personally opted not to do the official practice exams at associate level so I can’t comment on those
  • Read blogs (linked below and others) – I personally found that reading about the experiences of others helped with my preparation

Finally, if there is anything that I can do to help, any insights, examples, areas you would like to discuss then please do get in touch. Good Luck!

 

Resources

Video Training:

http://acloud.guru

https://linuxacademy.com/

Blogs:

http://cantrill.io/certification/aws/2016/03/27/how-to-pass-AWS-certifications.html

http://blog.rowanudell.com/how-to-get-your-aws-sysops-associate-certification/

https://devopsfolks.com/journey-get-aws-solution-architect-certification/

https://acloud.guru/forums/aws-certified-developer-associate/discussion/-KBkBPMHpN2ITSH1oDTO/passed_with_90%25_-_my_exam_tips

http://cloudacademy.com/blog/amazon-aws-certified-solutions-architect-what-to-study-tip

Official Certification Pages:

https://aws.amazon.com/it/certification/certified-solutions-architect-associate/

https://aws.amazon.com/it/certification/certified-developer-associate/

https://aws.amazon.com/certification/certified-sysops-admin-associate/

Most important AWS Documentation (from my experience):

http://d0.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

https://d0.awsstatic.com/whitepapers/aws-security-best-practices.pdf

https://d0.awsstatic.com/whitepapers/Storage/AWS%20Storage%20Services%20Whitepaper-v9.pdf

https://aws.amazon.com/blogs/aws/new-whitepaper-use-aws-for-disaster-recovery/

http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ProvisionedThroughput.html

http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/dynamodb-dg.pdf

http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/template-anatomy.html