[AWS Certified networking] Syllabus ôn tập

Buổi 0.1 – 0.5: Ôn tập các dịch vụ

Application Integration:

• Amazon EventBridge

• Amazon Simple Notification Service (Amazon SNS)

• Amazon Simple Queue Service (Amazon SQS)

Compute:

• Amazon EC2

• Amazon EC2 Auto Scaling

• AWS Lambda

Containers:

• Amazon Elastic Container Registry (Amazon ECR)

• Amazon Elastic Container Service (Amazon ECS)

• Amazon Elastic Kubernetes Service (Amazon EKS)

• AWS Fargate

Cost Management:

• AWS Cost Explorer

Front-End Web and Mobile:

• Amazon API Gateway

Management and Governance:

• AWS Auto Scaling

• AWS CLI

• AWS CloudFormation

• AWS CloudTrail

• Amazon CloudWatch

• AWS Config

• AWS Control Tower

• AWS Health Dashboard

• AWS Management Console

• AWS Organizations

• AWS Trusted Advisor

• AWS Well-Architected Tool

Networking and Content Delivery:

• Amazon API Gateway

• AWS App Mesh

• AWS Client VPN

• AWS Cloud Map

• Amazon CloudFront

• AWS Direct Connect

• Elastic Load Balancing (ELB)

• AWS Global Accelerator

• AWS PrivateLink

• Amazon Route 53

• AWS Site-to-Site VPN

• AWS Transit Gateway

• Amazon VPC

Security, Identity, and Compliance:

• AWS Firewall Manager

• AWS Identity and Access Management (IAM)

• AWS Network Firewall

• AWS Resource Access Manager (AWS RAM)

• AWS Shield

• AWS WAF

Serverless:

• Amazon API Gateway

• Amazon EventBridge

• AWS Fargate

• AWS Lambda

• Amazon Simple Notification Service (Amazon SNS)

• Amazon Simple Queue Service (Amazon SQS)

• Amazon Simple Storage Service (Amazon S3)

Storage:

• Amazon S3

Buổi 0.1: Compute Mastery

• Amazon EC2 (15 min)

  • Deep dive into instance types (purpose-built, recent releases)

  • Advanced use cases: Spot Instances for cost optimization, high-performance computing

  • Custom AMIs and bootstrapping

• Auto Scaling (15 min)

  • Beyond simple scaling: Predictive scaling, scheduled scaling, lifecycle hooks

  • Designing highly resilient architectures that leverage auto-scaling groups

• AWS Lambda (15 min)

  • Event-driven architectures, triggers, integration patterns

  • Performance optimization: Layers, concurrency, provisioned concurrency

Buổi 0.2: Conquer Containers & Serverless

• Containers Orchestrators (15 min)

  • ECS vs. EKS: Choosing the right tool, hybrid deployments

  • Fargate: Use cases, trade-offs vs. managing your own compute

• Serverless Deep Dive (15 min)

  • API Gateway: Authorizers, caching, integration best practices

  • EventBridge: Filtering, event routing, and complex architectures

• SQS & SNS (15 min)

  • SQS: Long polling, visibility timeouts, dead letter queues

  • SNS: Fanout patterns, message filtering, cross-region replication

Buổi 0.3: Networking Power-Up

• Route 53 (15 min)

  • Weighted, Latency-based, Geolocation routing – complex scenarios

  • Private hosted zones, DNSSEC, and hybrid DNS patterns

• Load Balancing (15 min)

  • Layer 4 vs. Layer 7, ALB path-based routing, sticky sessions

  • Global Accelerator: Use cases, performance optimization

• VPNs & Transit Gateway (15 min)

  • Site-to-Site VPN advanced configurations, troubleshooting

  • Transit Gateway: Hub-and-spoke architectures, multi-region deployments

Buổi 0.4: Security & Governance Extravaganza

• IAM (15 min)

  • Custom policies, conditions, best practices for least privilege

  • Cross-account access with roles, resource-level permissions

• CloudWatch & CloudTrail (15 min)

  • Custom metrics, alarms, dashboards for application monitoring

  • CloudTrail insights, security event analysis

• Shields, WAF, Firewall Manager (15 min)

  • DDoS protection strategies, rule customization techniques

  • Centralized firewall management across accounts

Buổi 0.5: Optimization & Beyond

• Cost Management (15 min)

  • Cost Explorer deep dive, budget alerts, reserved instances/savings plans

  • Architecture design for cost optimization

• CloudFormation & CDK (15 min)

  • Advanced templating: Nested stacks, cross-stack references, custom resources

  • Choosing between CloudFormation and CDK for infrastructure as code

• Well-Architected Framework (15 min)

  • Reviewing your architecture through the lens of the framework

  • Prioritizing improvements leveraging the Well-Architected Tool

Instructor Notes:

• Demos: Each section should involve short, practical demos.

• Real-world examples: Share stories and use cases for context.

Domain 1: Network Design

Buổi 1: Design a High-Performance, Globally Scalable Solution with Edge Network Services

Learning Objectives:

• Master advanced concepts of AWS edge network services to optimize user performance and traffic management for global architectures.

• Delve into design patterns and integration techniques for Content Delivery Networks (CDNs) and Global Traffic Management (GTM) with other AWS services.

• Sharpen skills in evaluating global inbound and outbound traffic requirements to design an appropriate content distribution solution.

Syllabus Overview:

1. Advanced Introduction to AWS Edge Network Services (10 minutes)

• Explore key edge network services: CloudFront, Global Accelerator, Route 53

• Uncover advanced benefits: Optimize performance for mobile and IoT applications, enhance security and DDoS protection, support complex use cases like live video streaming

2. Advanced CDN Design Patterns (20 minutes)

• Dynamic Content Delivery: Utilize CloudFront Functions to process dynamic content at the edge

• Media Content Delivery: Optimize live video and streaming with CloudFront

• Global Content Delivery: Configure CloudFront for efficient worldwide content distribution

• Integration with Other AWS Services: CloudFront with S3, ELB, API Gateway

3. Advanced GTM Design Patterns (10 minutes)

• Custom Rule-based Traffic Management: Use GTM to route traffic based on factors like user agent, HTTP headers, and more.

• Ratio-based Traffic Splitting: Configure GTM to distribute traffic across different endpoints.

• Advanced Failover Activation: Utilize GTM to switch traffic in case of errors or outages.

• Integration with Other AWS Services: GTM with CloudFront, ELB, Lambda

4. Advanced Solution Evaluation and Design (5 minutes)

• In-depth Analysis: Identify detailed traffic requirements, including content type, user location, access patterns, and more.

• Appropriate Service Selection: Determine the most suitable AWS edge network service based on specific needs.

• Architecture Design: Diagram the edge network architecture, including endpoints, connection points, routing configurations, and integrations.

• Cost Optimization: Identify strategies to optimize edge network service costs.

Instructor Notes:

• Demos: Incorporate short, practical demonstrations throughout each section.

• Real-world Examples: Share stories and use cases for context.

Buổi 2: Design DNS solutions that meet public, private, and hybrid requirements.

Title: Mastering DNS Architectures with Amazon Route 53

Learning Objectives:

• Dive into advanced DNS concepts and the intricacies of Route 53 for flexible architectures.

• Demystify private hosted zones and hybrid DNS solutions.

• Build expertise in traffic management techniques using Route 53.

• Develop skills to architect DNS for multi-account, multi-Region, and domain registration scenarios.

Syllabus Breakdown

Review: DNS Fundamentals (5 minutes)

• Quick Recap: DNS records (A, AAAA, CNAME, MX, SRV, etc.), TTL, DNSSEC, delegation.

• Emphasize: Importance of DNS in network architecture, not just domain resolution.

Amazon Route 53 Deep Dive (15 minutes)

• Beyond Basic Zones: Private hosted zones, traffic flow policies (geolocation, latency-based, weighted, failover), health checks for endpoint monitoring.

• Route 53 Resolver: Outbound and inbound resolver endpoints, conditional forwarding, cross-account/cross-VPC DNS resolution.

Hybrid DNS Architectures (10 minutes)

• Bridging the Gap: Integrate Route 53 private hosted zones with on-premises DNS using conditional forwarding.

• Scenarios: Extending private namespaces to AWS, hybrid failover.

• Security: DNSSEC considerations in hybrid setups.

Global Traffic Management with Route 53 (10 minutes)

• Advanced Routing: Geo-proximity routing, performance-based routing.

• Cross-Region Failover: Leveraging health checks for highly-available global architectures.

• Weighted Round Robin: Introduce traffic distribution strategies beyond simple round-robin.

Multi-Account & Domain Management (5 minutes)

• Account Strategies: Route 53 for shared domains across AWS accounts, delegation approaches.

• Domain Registration: Route 53 as a registrar, domain transfer, renewals.

Important Considerations

• Interactivity: Encourage scenarios/questions from the audience for real-world applicability.

• Complexity: Some sections are inherently dense. Focus on high-level concepts & use-cases if time is short.

• Practicality: If feasible, short demos (e.g., setting up private zones, hybrid forwarding) will significantly enhance the learning experience.

Additional Notes

• Prerequisites: AWS VPC knowledge is essential, as Route 53 builds heavily upon it.

• Beyond the Syllabus: Route 53 has even more features! Mention them as ‘further exploration’ if time permits (Traffic Flow visual editor, etc.)

Buổi 3: Design solutions that integrate load balancing to meet high availability, scalability, and security requirements.

Title: Architecting High-Performance Load Balancing Solutions with AWS

Learning Objectives

• Understand load balancing across OSI layers and advanced load balancer selection criteria.

• Design load-balancing solutions that integrate security, scaling, and high availability best practices.

• Recognize how different load balancing patterns and configurations meet complex use cases.

• Develop the ability to integrate load balancers with a diverse range of AWS services.

Syllabus Breakdown

OSI Model Load Balancing Review (5 minutes)

• L3/L4 Balancing: Network-level (IP/port), fast, hardware-accelerated (Classic Load Balancer).

• L7 Balancing: Application layer (HTTP/HTTPS), feature-rich (Application Load Balancer, Network Load Balancer).

Deep Dive: AWS Load Balancers (10 minutes)

• Classic Load Balancer (CLB): Legacy option, consider its limitations with modern protocols.

• Application Load Balancer (ALB): Content-based routing, redirects, path/host-based routing, integrated WAF support.

• Network Load Balancer (NLB): Extreme performance for TCP/UDP, static IPs, good for non-HTTP/S traffic.

Designing for High Availability, Scalability, & Security (10 minutes)

• Availability Zones (AZs): Distributing load balancers and targets across AZs for fault tolerance.

• Auto Scaling Groups (ASGs): Dynamically adding/removing backend instances based on load

• Security: Integrating with AWS WAF (Web Application Firewall), controlling access with security groups.

• Certificate Management: TLS termination & management with AWS Certificate Manager (ACM)

Connectivity Patterns (8 Minutes)

• Internal Load Balancing: Private-facing load balancers within VPCs for service-to-service traffic.

• External Load Balancing: Public-facing load balancers for internet traffic.

• Hybrid Patterns: Combining internal/external balancers for complex architectures.

Advanced Load Balancer Configuration (10 minutes)

• Health Checks: Customizing checks, fine-tuning failover behavior

• Routing Algorithms: Round-robin, least-outstanding requests, hash-based (sticky sessions).

• Target Groups: IP-based targets, Lambda targets, advanced health checks

• Special Protocols: Proxy Protocol, cross-zone load balancing

Integration with Other AWS Services (2 minutes)

• Route 53 (DNS): Integrating for traffic management, failover

• CloudFront: Global load balancing, content caching in conjunction with ALBs/NLBs.

• Global Accelerator: Enhance NLB performance, static anycast IPs for global apps.

• EKS: Kubernetes load balancing with the AWS Load Balancer Controller

Important Considerations

• Hands-On Focus: Demos will be far more effective than just talking about these concepts. Prepare simple architectural examples.

• Real-World Scenarios: Frame the discussion around use cases (e.g., scaling web apps, failover, microservices)

• Complexity: Be prepared to scale back the depth if the audience struggles.

Areas for Further Exploration

• AWS Gateway Load Balancer: For third-party network appliances in the traffic path.

• Fine-grained Load Balancing Controls: Advanced routing & header manipulation (especially with ALB)

• Monitoring & Logging: Load balancer metrics, access logs

Buổi 4: Define logging and monitoring requirements across AWS and hybrid networks.

Syllabus tham khảo

Title: Comprehensive Logging & Monitoring Strategies for AWS & Hybrid Networks

Learning Objectives

• Grasp the fundamental tools and techniques for effective monitoring in AWS and hybrid environments.

• Identify critical logging sources and metrics for network visibility.

• Develop the ability to recommend suitable monitoring solutions tailored to specific requirements.

• Understand how to baseline network performance for proactive issue detection.

Syllabus

AWS CloudWatch: Fundamentals (10 minutes)

• Metrics: Pre-defined AWS service metrics (EC2 CPU, S3 requests, etc.), custom metrics.

• Logs: Ingesting application logs, VPC flow logs, CloudTrail, CloudFront access logs.

• Alarms: Triggering notifications based on thresholds or anomalies.

• Dashboards: Visualizing metrics and logs in a consolidated view.

• CloudWatch Insights: Powerful query language for complex log analysis

Specialized Monitoring Tools (15 minutes)

• Transit Gateway Network Manager: Centralized monitoring for connectivity, topology, and performance across Transit Gateways.

• VPC Reachability Analyzer: Troubleshooting network reachability issues within VPCs (identifying blocked paths)

• Flow Logs & Traffic Mirroring: Capturing packet-level network traffic data for in-depth analysis (troubleshooting, security investigations).

Access Logging (5 Minutes)

• Importance: Understanding traffic patterns, audit trails, identifying anomalies.

• Load Balancer Logs: Detailed connection and request data.

• CloudFront Access Logs: Caching behavior, traffic origin, error analysis.

Determining Requirements & Metrics (10 minutes)

• Requirement Gathering: Network performance, resource health (instances, databases), security posture

• KPI Alignment: Map monitoring metrics back to business or performance goals.

• Key Metrics: CPU/Memory, error rates, traffic volume/patterns, latency, security events.

Baselining Network Performance (5 minutes)

• Why Baseline: Detecting deviations and anomalies.

• Establishing Historical Norms: Identifying typical traffic patterns, load fluctuations.

• Tools: CloudWatch, 3rd-party monitoring solutions.

Important Notes

• Prioritize: Start with foundational metrics & tools, then layer in more advanced techniques

• Hybrid Complexity: Correlating logs from diverse on-premises/cloud sources can be a challenge (consider SIEM solutions).

• Demos: Seeing CloudWatch dashboards, TGW Network Manager, or flow log analysis will be far more impactful than just descriptions.

Further Exploration

• CloudWatch Logs Insights: Deep dive into complex queries.

• Integrating 3rd-Party Monitoring: Many tools (Datadog, Splunk, etc.) integrate with AWS for wider visibility.

• Security-Focused Monitoring: AWS GuardDuty, intrusion detection systems.

• Cost Optimization: Understanding monitoring costs, especially with large volumes of log data.

Buổi 5: Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud.

Title: Architecting Robust Hybrid Networks with AWS: Advanced Routing & Connectivity

Learning Objectives

• Master routing considerations, dynamic routing protocols, and physical connectivity factors.

• Learn about redundancy and design choices for resilient hybrid networking.

• Grasp how to integrate SD-WAN solutions and optimize traffic through BGP manipulation.

• Develop skills to design hybrid connectivity models that align with specific requirements.

Syllabus Breakdown

Routing Fundamentals Review (5 minutes)

• Static vs. Dynamic: When to use each, pros/cons (especially for hybrid)

• BGP Focus: Key path attributes (AS Path, weight, MED, Local Preference), route propagation principles

Layer 1/2 Physical Connectivity (5 minutes)

• Direct Connect Considerations: Physical ports, cross-connects, colocation options.

• Concepts: VLANs, LAGs, jumbo frames (when they matter for AWS connectivity)

Hybrid Connectivity & Redundancy (10 minutes)

• Combining DX with VPN: Primary/Failover patterns, performance concerns

• Multiple DX connections: Across different locations, diverse paths

• VPN Tunnel Redundancy: Active/Active vs. Active/Passive, failover timing

• BGP for Traffic Control: Influencing and prioritizing traffic paths with BGP attributes

Encapsulation & Encryption (5 minutes)

• Why they matter: Especially for extending your network over untrusted links (the internet)

• IPsec: Authentication, encryption modes. Considerations for performance impact.

• GRE Tunneling: Use cases with overlay networks.

Overlay Networks & SD-WAN Integration (15 Minutes)

• Overlays 101: Encapsulation for flexible topologies & logical segmentation

• AWS Transit Gateway as the Hub: TGW as a central aggregation point for hybrid connections.

• SD-WAN Integration: Using Transit Gateway Connect, intelligent path selection, traffic optimization options.

• Routing Overlay Networks: Managing BGP advertisements and path preferences within your overlay.

Design Considerations (5 minutes)

• Bandwidth Requirements: Assessing and sizing links appropriately

• Compliance & Security: Regulatory limitations, encryption standards.

• Multi-Account Architectures: AWS Resource Access Manager (RAM), VPC sharing strategies

• Cost Optimization: Understanding DX vs. VPN pricing models.

Important Notes

• Visuals: Diagrams will be your best friend for explaining complex scenarios.

• Practical Emphasis: If possible, show simple demo configs (BGP, VPN tunnel setup on AWS).

• Complexity Warning: This is inherently complex. Focus on high-level design paradigms if your audience lacks extensive networking experience.

Further Exploration

• Advanced BGP Techniques: Route reflectors, communities, more complex path manipulation.

• SD-WAN Vendor Specifics: How different SD-WAN solutions integrate with AWS in detail.

• Hybrid Network Automation: Infrastructure-as-Code for provisioning & managing hybrid connections.

Buổi 6: Design a routing strategy and connectivity architecture that include multiple AWS accounts, AWS Regions, and VPCs to support different connectivity patterns.

Title: Mastering Multi-Account, Multi-Region Network Architectures on AWS

Learning Objectives

• Evaluate various connectivity patterns and technologies for complex AWS environments.

• Design solutions that accommodate IP address overlaps.

• Develop the ability to recommend suitable services for multi-VPC routing.

• Explore efficient & secure ways to share resources across accounts.

Syllabus

Connectivity Patterns Review (5 minutes)

• VPC Peering: Direct, 1:1 connection between VPCs (within or across Regions). Limitations: transitive routing challenges, cost can grow with many VPCs.

• AWS Transit Gateway: Centralized hub for VPCs, supports transitive routing, simplifies large-scale connectivity.

• AWS PrivateLink: Private connectivity to AWS services (SaaS offerings) without leaving AWS networks. Enhances security & simplifies VPC design.

Designing for Multi-Region Connectivity (10 minutes)

• Use Cases: Global reach, disaster recovery, low-latency access for distributed users.

• Routing Table Considerations: Advertising routes across VPCs, TGWs, Regions

• Failover and Load Balancing: Distributing traffic across Regions, using health checks

• Hybrid Connectivity: Factoring in connectivity from on-premises into multi-Region AWS architectures.

VPC Sharing (10 minutes)

• Beyond Account Boundaries: Allowing resources in one VPC to be used by instances in another.

• AWS Resource Access Manager (RAM): Key tool to manage and control VPC sharing across accounts.

• Use Cases: Centralized service deployment, simplified application architectures, collaboration.

• Security Considerations: IAM permissions, security groups to control access to shared resources.

Managing IP Address Overlap (10 minutes)

• The Common Challenge: Using the same IP space in different VPCs creates routing conflicts.

• Solutions:

  • NAT: Translating private IPs when accessing resources across VPC boundaries.

  • AWS PrivateLink: Avoids private IP exposure for certain AWS services.

  • Transit Gateway with Route Tables: Intelligent routing between overlapping subnets.

  • Unique CIDRs: Planning and meticulous IP address management.

Design Considerations & Service Selection (5 minutes)

• Scalability: How many VPCs/Regions over time? Peering vs. TGW

• Traffic Patterns: Heavy cross-VPC traffic, external access, specific service requirements.

• Cost: Pricing differences between peering, TGW attachments, VPNs, etc.

• Security: Granular control of traffic flows, encryption in transit.

Important Notes

• Diagrams Are Vital: Visualize the different connectivity patterns, especially for IP overlap scenarios.

• Practice-Focused: If possible, set up a small multi-VPC lab to experiment with routing and sharing.

• Real-World Examples: Discuss scenarios like DR or centralization for services.

Areas for Further Exploration

• Advanced Routing with TGW: Route domains, static routing for complex control.

• Multi-Account Best Practices: Using AWS Organizations, centralized security management.

• IPAM: Using AWS IP Address Manager (IPAM) for better address planning when overlaps are unavoidable.

Domain 2: Network Implementation

Buổi 7: Implement routing and connectivity between on-premises networks and the AWS Cloud.

Title: Fortifying Your Cloud: Advanced Security Strategies for AWS

Learning Objectives

• Master the principles of defense in depth and layered security for AWS environments.

• Learn about advanced security techniques for protecting data, identities, and infrastructure.

• Develop the ability to implement and configure robust security controls in AWS.

• Understand the importance of security automation and incident response.

Syllabus Breakdown

Defense in Depth and Layered Security (10 minutes)

• The Defense in Depth Approach: Multiple layers of security to protect against multiple threats.

• Layered Security Model: Network, application, data, and infrastructure security layers.

• Benefits of Layered Security: Resiliency, redundancy, and reduced attack surface.

Advanced Security Techniques (20 minutes)

• Data Protection: Encryption (at rest and in transit), key management, data loss prevention (DLP).

• Identity and Access Management (IAM): Fine-grained access control, multi-factor authentication (MFA), IAM best practices.

• Infrastructure Security: Security hardening of EC2 instances, network security groups, bastion hosts.

• Security Automation: Using tools like CloudWatch Events, AWS Lambda, and Amazon Inspector for automated security tasks.

Comprehensive Security Controls (10 minutes)

• Security Groups and Network Security: Protecting network traffic with security groups, VPC flow logs.

• AWS WAF (Web Application Firewall): Protecting web applications from common attacks.

• AWS CloudTrail: Auditing and logging all API calls in AWS.

• AWS Config: Enforcing security configurations across your AWS resources.

Security Automation and Incident Response (5 minutes)

• Security Automation Use Cases: Vulnerability scanning, patching, threat detection, incident response.

• Incident Response Plan: Having a plan to identify, contain, and remediate security incidents.

• Benefits of Security Automation: Improved efficiency, reduced risk, faster response times.

Important Notes

• Real-World Scenarios: Use examples of security breaches and discuss how to prevent them.

• Hands-on Demo: Show examples of security configuration and automation tools.

• Continuous Learning: Emphasize the importance of staying up-to-date with evolving security threats and best practices.

Areas for Further Exploration

• AWS Security Hub: Centralized view of your security posture and recommendations.

• AWS CloudTrail Insights: Using CloudTrail logs for advanced security analysis.

• AWS Network Firewall: Managed network firewall service for VPC protection.

• AWS Security Automation: Managed security automation service for threat detection and response.

Buổi 8: Implement routing and connectivity across multiple AWS accounts, Regions, and VPCs to support different connectivity patterns.

Title: Advanced AWS Connectivity: Routing, Multi-Account Architectures, Security

Prerequisites:

• Strong understanding of VPCs, subnets, route tables

• Familiarity with network security concepts (firewalls, network ACLs)

• Basic experience with AWS services such as EC2.

Learning Objectives:

1. Understand various AWS networking connectivity models for complex architectures.

2. Design and implement a Transit Gateway-based hub-and-spoke network.

3. Configure secure inter-VPC and hybrid connectivity using VPC Peering, VPN, and PrivateLink.

4. Troubleshoot connectivity issues using Route Analyzer and Reachability Analyzer.

Syllabus Breakdown

1. Introduction (5 Minutes)

• Brief review of VPC fundamentals

• Complexity challenges with multiple accounts and regions

• Key AWS services for advanced connectivity (Transit Gateway, VPN, PrivateLink)

2. Multi-Account and Hybrid Connectivity Patterns (10 Minutes)

• VPC Peering: Direct VPC-to-VPC connections

  • Use cases and limitations

• Transit Gateway: Centralized connectivity hub

  • Hub-and-spoke model benefits

• Hybrid Connectivity: Integrating on-premises with AWS

  • VPN, Direct Connect

• AWS PrivateLink: Secure private connectivity to AWS services and SaaS

3. Hands-On Lab: Transit Gateway Implementation (20 minutes)

• Scenario: Design a Transit Gateway network with spoke VPCs in different regions.

• Step-by-Step:

  1. Create Transit Gateway, attachments

  2. Configure route tables for propagation

  3. Test connectivity between spoke VPCs

4. Security Considerations (5 Minutes)

• Security groups & Network ACLs in hybrid/multi-account setups

• AWS Network Firewall

• Encryption and authentication (consider SAML, AD integration)

5. Troubleshooting & Best Practices (5 Minutes)

• Common connectivity issues

• Route Analyzer and Reachability Analyzer

• Network optimization tips

Instructor Notes:

• Demo-Focused: Provide a visual walkthrough of each concept and service configuration.

• Lab Access: Have pre-configured AWS accounts with basic VPCs ready for the lab.

• Challenges: Include troubleshooting scenarios in the lab to reinforce learning.

Additional Considerations (If time permits):

• AWS Organizations and Resource Access Manager (RAM) for governance

• DNS for hybrid architectures

Troubleshooting Scenarios:

• Scenario 1: Inter-VPC communication failure:

  • Symptom: Instances in one VPC cannot reach instances in another VPC.

  • Troubleshooting Steps:

    1. Verify VPC Peering configuration and ensure it’s active.

    2. Check route tables for proper route propagation between VPCs.

    3. Validate security group rules to ensure traffic is allowed.

• Scenario 2: Transit Gateway connectivity issues:

  • Symptom: Instances in spoke VPCs cannot reach resources in the Transit Gateway hub.

  • Troubleshooting Steps:

    1. Verify Transit Gateway attachments and route table configurations.

    2. Check BGP peering status between Transit Gateway and spoke VGWs.

    3. Validate security groups and network ACLs for Transit Gateway traffic.

• Scenario 3: Hybrid VPN connectivity problems:

  • Symptom: On-premises devices cannot connect to AWS resources or vice versa.

  • Troubleshooting Steps:

    1. Verify VPN tunnel configuration and ensure it’s active.

    2. Check route tables for proper routing between on-premises and AWS networks.

    3. Validate security groups and firewall rules for VPN traffic.

Additional Tips:

• Leverage AWS troubleshooting tools like Route Analyzer, Reachability Analyzer, and VPC Flow Logs.

• Enable CloudWatch alarms to be notified of connectivity issues promptly.

• Implement a consistent naming convention for network resources to simplify troubleshooting.

Buổi 9: Implement complex hybrid and multi-account DNS architectures.

Title: Mastering Hybrid DNS: Architectures and Traffic Management with AWS Route 53

Prerequisites:

• Familiarity with basic DNS concepts (record types, zones)

• Understanding of AWS Route 53

• Knowledge from the previous session (Buổi 8) on multi-account connectivity

Learning Objectives:

1. Differentiate between public and private hosted zones and apply them strategically in hybrid setups.

2. Implement advanced traffic management using weighted, latency-based, and geolocation-based routing policies.

3. Configure DNS delegation and forwarding to enable seamless connectivity in complex network environments.

4. Secure DNS with DNSSEC.

Syllabus Breakdown

1. Introduction (5 Minutes)

• Recap of DNS fundamentals and Route 53.

• The need for advanced DNS in hybrid and multi-account scenarios.

2. Public vs. Private Hosted Zones (10 minutes)

• Private Hosted Zones: Internal DNS resolution

  • Use cases within VPCs and hybrid networks

• Public Hosted Zones: Global, internet-facing resolution

• Hybrid Strategies: Combining private and public zones for optimal control

3. Advanced Traffic Management (10 minutes)

• Weighted Routing: Distributing traffic based on proportions.

• Latency-Based Routing: Routing to the closest endpoint for performance.

• Geolocation Routing: Targeting users based on geographic location.

4. Hands-On Lab: Hybrid DNS Configuration (15 Minutes)

• Scenario: A multi-region application with internal services requiring private DNS resolution and public-facing endpoints.

• Step-by-Step:

  1. Create private and public hosted zones

  2. Set up delegation or conditional forwarding between zones

  3. Implement a traffic management policy (e.g., latency or weighted)

5. DNSSEC (5 Minutes)

• Importance of securing DNS

• Enabling DNSSEC on Route 53

Instructor Notes:

• Visuals: Use diagrams to illustrate zone types and traffic flows.

• Live Demo: Walk through the lab configuration step-by-step.

• Real-World Examples: Provide scenarios where specific traffic policies are useful.

Troubleshooting Scenarios:

• Scenario 1: DNS resolution failures:

  • Symptom: Users cannot access internal or external resources by domain name.

  • Troubleshooting Steps:

    1. Verify DNS configuration (zone records, delegation, forwarding).

    2. Check DNS servers’ health and connectivity.

    3. Validate DNSSEC settings if enabled.

• Scenario 2: DNS traffic routing issues:

  • Symptom: Users experience slow or inconsistent response times.

  • Troubleshooting Steps:

    1. Analyze traffic management configurations (weighted, latency-based).

    2. Check DNS health metrics and identify potential bottlenecks.

    3. Validate DNS record types and aliases for resource resolution.

• Scenario 3: Hybrid DNS integration problems:

  • Symptom: On-premises devices cannot resolve internal AWS resources.

  • Troubleshooting Steps:

    1. Verify conditional forwarding rules between on-premises and AWS DNS.

    2. Check route tables for proper routing between on-premises and AWS networks.

    3. Validate DNSSEC configurations for secure resolution.

Additional Tips:

• Utilize Route 53 Health Checks to monitor DNS servers and endpoints.

• Enable DNS logging to track DNS queries and responses.

• Consider using 3rd party DNS monitoring tools for advanced insights.

Buổi 10: Automate and configure network infrastructure.

Title: Network Automation on AWS: Infrastructure as Code and Beyond

Prerequisites:

• Basic understanding of cloud networking concepts (VPCs, subnets, etc.)

• Some familiarity with programming/scripting concepts would be beneficial

Learning Objectives:

1. Understand the principles and benefits of Infrastructure as Code (IaC) for networking.

2. Implement network automation using AWS CloudFormation and/or AWS CDK.

3. Explore event-driven network automation with AWS services.

4. Integrate IaC with network optimization for cost and performance benefits.

Syllabus Breakdown

1. Introduction: From Manual to Automated (5 minutes)

• Challenges of manual network configuration (error-prone, slow)

• Benefits of IaC: Consistency, repeatability, versioning, reduced risk

2. AWS Tools for IaC (10 minutes)

• CloudFormation: Declarative templating language

• AWS CDK: Power of programming languages for infrastructure

• Brief Overview: AWS CLI, SDKs (for finer control)

3. Hands-On Lab: Automating VPC Creation (15 minutes)

• Scenario: Define and deploy a basic VPC infrastructure with subnets and route tables.

• Step-by-Step

  1. Write a CloudFormation template OR CDK script

  2. Deploy the network stack

  3. (Optional): Modify and redeploy to demonstrate change management

4. Event-Driven Automation (8 minutes)

• Concepts: Triggers and actions

• AWS Lambda for custom network logic in response to events

• Example: Auto-scale network resources based on traffic

5. IaC for Optimization (7 minutes)

• Cost-optimization: Right-sizing resources based on usage patterns

• Performance: Automatic adjustments to routing, DNS for best user experience

Instructor Notes:

• Choice of Tool: Focus on CloudFormation or CDK depending on audience comfort.

• Practical Examples: Emphasize real-world use cases of automation.

• Beyond the Basics: Briefly mention 3rd party IaC tools (Terraform, etc.) if time allows

Troubleshooting Scenarios:

• Scenario 1: IaC deployment failures:

  • Symptom: CloudFormation or CDK deployments fail with errors.

  • Troubleshooting Steps:

    1. Review IaC templates for syntax errors or configuration issues.

    2. Check AWS CloudFormation or CDK logs for detailed error messages.

    3. Validate resource permissions and quotas.

• Scenario 2: Event-driven automation issues:

  • Symptom: Network automation workflows fail to execute or produce unexpected results.

  • Troubleshooting Steps:

    1. Review Lambda function code for errors or logical mistakes.

    2. Check CloudWatch logs for Lambda function invocations and errors.

    3. Validate event sources and configuration for correct triggering.

• Scenario 3: IaC-based optimization problems:

  • Symptom: Network resources are not optimized for cost or performance.

  • Troubleshooting Steps:

    1. Analyze CloudWatch metrics for resource utilization and identify underutilized or overprovisioned resources.

    2. Review IaC templates for resource sizing and configuration.

    3. Consider using AWS cost optimization tools and recommendations.

Additional Tips:

• Implement unit tests for IaC templates to ensure consistent behavior.

• Utilize IaC linting tools to identify potential issues in template code.

Domain 3: Network Management and Operation

Buổi 11: Maintain routing and connectivity on AWS and hybrid networks.

Title: Mastering Network Routing and Connectivity: AWS and Hybrid Environments

Prerequisites:

• Strong understanding of networking fundamentals (IP addressing, routing protocols)

• Experience with AWS networking services from previous sessions (VPCs, Transit Gateway, Direct Connect, VPN)

Learning Objectives:

1. Understand routing protocols within AWS and hybrid connectivity scenarios.

2. Configure and maintain routing for private and public access across networks.

3. Troubleshoot and optimize routing configurations to ensure network health.

Syllabus Breakdown

1. Routing Fundamentals in AWS (10 minutes)

• Route Tables: How AWS manages routing decisions.

• Static vs. Dynamic Routing: Use cases within AWS

• BGP in Hybrid Environments: Integrating with Direct Connect

2. Deep Dive: Connectivity & Routing (15 Minutes)

• VPC Peering: Route propagation, inter-VPC traffic flows.

• Transit Gateway: Centralized routing and advanced features (route filtering).

• Direct Connect Gateways: Associating with VPCs, managing BGP for on-premises connectivity.

• Network Address Translation (NAT) Gateways: Enabling internet access for private subnets.

3. Hands-On Lab: Troubleshooting Routing (15 minutes)

• Scenario: A multi-VPC, hybrid environment with intermittent connectivity issues.

• Tools:

  • Route tables analysis

  • Route 53 Resolver for internal DNS issues

  • Route Analyzer / Reachability Analyzer

• Focus: Identifying misconfigurations, failed routes, black holes.

4. Optimization and Best Practices (5 minutes)

• Route Summarization: Reducing route table entries

• Redundancy: Designing for high availability with multiple paths

• Monitoring: Tools and metrics for proactive network health

Instructor Notes

• Visuals: Use network diagrams extensively during explanations

• Demos: Show route table configurations, and demonstrate troubleshooting steps.

• Real-world emphasis: Share common routing pitfalls and how to avoid them in production environments.

Additional Considerations (If time allows)

• IPsec VPN tunnels and routing considerations

• Advanced BGP configuration for traffic engineering

Troubleshooting Scenarios:

• Scenario 1: Routing loop:

  • Symptom: Network traffic gets stuck in a loop, causing connectivity issues.

  • Troubleshooting Steps:

    1. Identify the loop using tools like traceroute or Route Analyzer.

    2. Analyze route tables and routing protocols (e.g., BGP) for misconfigurations.

    3. Implement loop prevention mechanisms (e.g., split horizon, route blackholing).

• Scenario 2: Routing flapping:

  • Symptom: Network connectivity intermittently drops and recovers.

  • Troubleshooting Steps:

    1. Check BGP peering sessions and identify potential instability.

    2. Analyze route table changes and identify frequent updates.

    3. Validate network device configurations and cabling for physical issues.

• Scenario 3: Hybrid routing misconfigurations:

  • Symptom: On-premises devices cannot reach specific AWS resources or vice versa.

  • Troubleshooting Steps:

    1. Verify route table configurations on both on-premises and AWS routers.

    2. Check VPN tunnel status and routing configuration for hybrid connectivity.

    3. Validate security groups, firewall rules, and ACLs for traffic filtering.

Additional Tips:

• Enable route table logging to track route changes and identify potential issues.

• Utilize network monitoring tools to detect anomalies in traffic patterns and routing behavior.

• Implement a change management process to track and review network configuration changes.

Buổi 12: Monitor and analyze network traffic to troubleshoot and optimize connectivity patterns.

Title: Demystifying Network Traffic: Monitoring, Analysis, and Troubleshooting on AWS

Prerequisites:

• Familiarity with core AWS networking concepts (covered in previous sessions)

• Basic understanding of network performance metrics (latency, packet loss, throughput)

Learning Objectives:

1. Utilize AWS tools for comprehensive network monitoring and logging.

2. Analyze logs and metrics to identify the root causes of connectivity issues.

3. Master troubleshooting strategies for common network problems.

4. Implement proactive monitoring for optimized network performance.

Syllabus Breakdown

1. Introduction: The Power of Network Visibility (5 minutes)

• Why monitoring matters: Performance, security, and user experience

• Types of network data: Logs, metrics, packet captures

2. AWS Toolkit for Monitoring (10 minutes)

• VPC Flow Logs: Detailed traffic visibility (accepted/rejected flows)

• CloudWatch: Metrics (bandwidth, latency, errors) and custom dashboards

• VPC Traffic Mirroring: Deep packet inspection

• Route Analyzer & Reachability Analyzer: Troubleshooting route configurations

3. Hands-On Lab: Troubleshooting with Network Data (20 minutes)

• Scenarios:

  • Connectivity failures between VPCs

  • Performance degradation on a hybrid link

• Methodology:

  1. Identify symptoms (tools: CloudWatch, user reports)

  2. Analyze logs/metrics to pinpoint the problem (VPC Flow Logs, Reachability Analyzer)

  3. Resolve the issue (e.g., modify route table, adjust security group)

4. Proactive Monitoring & Best Practices (5 minutes)

• Setting CloudWatch alarms for critical metrics

• Baselining normal network behavior for anomaly detection

Instructor Notes

• Real-World Focus: Provide examples of how different network issues manifest in logs/metrics.

• Visuals: Use screenshots and diagrams to illustrate data analysis.

• Advanced: Briefly touch upon integrating 3rd party monitoring solutions with AWS.

Optional

• If time permits, add a brief section on network traffic optimization based on analysis findings.

Troubleshooting Scenarios:

• Scenario 1: High packet loss:

  • Symptom: Users experience frequent network disconnections or slow performance.

  • Troubleshooting Steps:

    1. Identify the source of packet loss (network devices, links, applications).

    2. Check network congestion and identify bottlenecks using traffic monitoring tools.

    3. Validate network device configurations (e.g., queuing, buffers) for optimal packet handling.

• Scenario 2: Excessive latency:

  • Symptom: Users experience delays in accessing resources or applications.

  • Troubleshooting Steps:

    1. Analyze network latency metrics (ping, traceroute) to identify high-latency segments.

    2. Check network path and identify potential routing issues or congestion points.

    3. Validate network device performance and ensure adequate capacity.

• Scenario 3: Packet size mismatches:

  • Symptom: Network traffic fails to transmit or causes connectivity issues.

  • Troubleshooting Steps:

    1. Identify the source of packet size mismatches (applications, network devices).

    2. Check network device configurations (MTU, fragmentation) for compatibility.

    3. Validate application compatibility with network MTU settings.

Additional Tips:

• Establish baseline network performance metrics for normal operation.

• Implement network traffic anomaly detection to identify sudden changes in traffic patterns.

• Utilize network simulation tools to test network behavior under different traffic conditions.

Buổi 13 & 14: Optimize AWS networks for performance, reliability, and cost- effectiveness.

Buổi 13: Optimizing AWS Networks – Part 1: Performance & Reliability

Prerequisites:

• Thorough understanding of core AWS networking components (previous sessions)

• Basic knowledge of network performance metrics (latency, throughput)

Learning Objectives:

1. Optimize network throughput for maximum performance within AWS.

2. Design highly available network architectures using Route 53.

3. Master load balancing strategies for traffic distribution.

4. Enhance performance through network interface selection.

Syllabus Breakdown

1. Network Throughput Optimization (15 minutes)

• Understanding Bottlenecks: Identifying network, instance, and application limitations on throughput.

• Network Interface Selection: ENA vs. EFA, instance type considerations for maximum network performance.

• Jumbo Frames: Enabling and optimizing for specific workloads (if applicable).

• AWS Global Accelerator: When and how to use it for performance-sensitive applications.

2. Route 53 for Resiliency (15 minutes)

• Health Checks: Proactive monitoring and automatic failover.

• Latency-Based Routing: Ensuring traffic flows to the nearest healthy region for optimal user experience.

• Geolocation Routing: Targeting users based on location.

• Multi-AZ Architectures: Leveraging DNS to distribute traffic across availability zones for high availability.

3. Hands-On Lab: Load Balancing and Failover (15 minutes)

• Scenario: Deploy a multi-region application, implement weighted routing with health checks for automatic failover.

• Tools: EC2, Route 53, consider incorporating CloudFormation or CDK for part of the setup.

Buổi 14: Optimizing AWS Networks – Part 2: Cost-Effectiveness & Advanced Topics

Learning Objectives

1. Design cost-optimized network connectivity solutions.

2. Maximize bandwidth utilization efficiency in AWS.

3. Optimize VPC Subnet designs to conserve IP address space

4. Implement Multicast where appropriate

Syllabus Breakdown

1. Cost-Optimized Network Architectures (15 minutes)

• VPC Peering vs. Transit Gateway: Analyzing use cases and cost implications.

• Hybrid Connectivity Cost Factors: Understanding Direct Connect vs. VPN pricing models.

• Data Transfer Costs: Utilizing AWS services (e.g., CloudFront) and network paths to minimize egress costs.

2. Bandwidth Efficiency (10 minutes)

• Unicast vs. Multicast: Scenarios and use cases.

• Bandwidth Caching: CloudFront distributions to reduce origin server load.

• Compression: When and how to compress data in transit (if applicable to relevant workloads)

3. VPC Subnet Optimization (10 minutes)

• CIDR Strategies: Efficient subnet allocation to prevent IP exhaustion.

• Dynamic Scaling: Subnet adjustments in response to elastic workloads.

4. Advanced Topic: Multicast in AWS (10 minutes)

• When to Use Multicast: Specialized use cases (e.g., real-time streaming, financial data distribution).

• Implementation: Configuring multicast within a VPC and considerations for hybrid connectivity.

Instructor Notes

• Real-World Examples: Share cost comparisons between different networking choices.

• Visuals: Use diagrams to illustrate bandwidth-saving techniques.

• Lab Focus: If time allows, include a brief cost optimization exercise within the lab.

Một số troubleshooting scenario

Buổi 13: Optimizing AWS Networks – Part 1: Performance & Reliability

Troubleshooting Scenarios:

Scenario 1: Performance Degradation

• Symptoms: Users experience slow application response times, increased latency, or network congestion.

• Troubleshooting Steps:

  1. Identify the bottleneck: Use network monitoring tools to pinpoint the source of the slowdown (e.g., network interface, instance, application).

  2. Scale up resources: If the bottleneck is on the instance side, consider increasing the instance type or adding more instances.

  3. Optimize network configuration: Check for misconfigured network settings (e.g., security groups, route tables) that could be impacting performance.

Scenario 2: DNS Resolution Issues

• Symptoms: Users cannot access applications or websites, or they experience intermittent connectivity.

• Troubleshooting Steps:

  1. Verify DNS configuration: Check Route 53 records, health checks, and delegation settings.

  2. Validate DNS servers: Ensure DNS servers are healthy and responding to queries promptly.

  3. Test DNS resolution: Use tools like dig or nslookup to test DNS resolution from different locations.

Scenario 3: Load Balancing Failures

• Symptoms: Applications are unavailable or unresponsive, or traffic is not being distributed evenly among instances.

• Troubleshooting Steps:

  1. Check load balancer configuration: Verify load balancer type, health checks, and routing rules.

  2. Monitor instance health: Ensure instances are healthy and registered with the load balancer.

  3. Analyze traffic patterns: Identify any unusual traffic spikes or patterns that could be overwhelming the load balancer.

Buổi 14: Optimizing AWS Networks – Part 2: Cost-Effectiveness & Advanced Topics

Troubleshooting Scenarios:

Scenario 1: Excessive Network Costs

• Symptoms: AWS network costs are higher than expected or exceed budget limits.

• Troubleshooting Steps:

  1. Identify cost drivers: Analyze network usage patterns (e.g., data transfer, instance types) to identify the main cost contributors.

  2. Optimize resource usage: Consider right-sizing instances, utilizing reserved instances, or leveraging services like CloudFront to reduce data transfer costs.

  3. Review network architecture: Evaluate the use of VPC peering, Transit Gateway, and hybrid connectivity options for cost-efficiency.

Scenario 2: Subnet IP Exhaustion

• Symptoms: Instances cannot be launched or network errors occur due to lack of available IP addresses.

• Troubleshooting Steps:

  1. Identify subnet utilization: Check subnet CIDR usage and identify subnets with high utilization.

  2. Restructure subnets: Consider splitting subnets or using secondary CIDRs to expand IP address space.

  3. Implement subnet monitoring: Set up alerts to notify when subnet IP utilization reaches a certain threshold.

Scenario 3: Multicast Issues

• Symptoms: Multicast applications experience packet loss, delays, or incomplete data delivery.

• Troubleshooting Steps:

  1. Verify multicast configuration: Check multicast routing protocols (e.g., PIM), IGMP snooping, and multicast group membership.

  2. Validate network infrastructure: Ensure network devices support multicast and are properly configured for multicast traffic.

  3. Test multicast connectivity: Use tools like ping or mcast to test multicast connectivity across the network.

Additional Tips:

• Leverage AWS network monitoring tools like CloudWatch, VPC Flow Logs, and Route 53 Resolver for proactive troubleshooting.

• Implement a change management process to track and review network configuration changes.

• Utilize network simulation tools to test network behavior under different traffic conditions.

Domain 4: Network Security, Compliance, and Governance

Buổi 15: Implement and maintain network features to meet security and compliance needs and requirements.

Title: Defense in Depth: Securing AWS Networks for Compliance

Prerequisites:

• Strong grasp of AWS networking foundations (VPCs, security groups, etc.)

• Basic familiarity with security concepts (threat vectors, attack types)

Learning Objectives:

1. Understand network-level threat models and apply them to AWS architectures.

2. Implement security controls for inbound, outbound, and inter-VPC traffic.

3. Design AWS network architectures with security and compliance as core principles.

4. Automate security monitoring and incident response on AWS.

Syllabus Breakdown

1. Threat Modeling for AWS (10 minutes)

• Common Attack Vectors: DDoS, data exfiltration, unauthorized access, etc.

• Mapping Threats to AWS: How attackers might exploit AWS networking weaknesses.

• Risk Assessment: Prioritizing areas of your network to protect

2. Securing Network Flows (15 minutes)

• Inbound Defense: AWS WAF, Shield, Network Firewall (deep dive into configuration, rulesets).

• Outbound Control: Network Firewall, proxies, Gateway Load Balancers (use cases and security features).

• Inter-VPC Defense: Security groups, Network ACLs, VPC endpoint policies.

3. Hands-On Lab: Building a Secure Perimeter (15 minutes)

• Scenario: Create a multi-tier application architecture with isolated VPCs, DMZs, and defense-in-depth principles.

• Tools: Security Groups, Network ACLs, AWS WAF (if applicable), bastion hosts.

• Focus: Implementing granular network segmentation and applying least-privilege access concepts.

4. Compliance-Driven Architectures (10 minutes)

• Security Zones: Untrusted, perimeter, trusted, etc.

• Industry Standards: Mapping AWS services to compliance needs (e.g., PCI-DSS, HIPAA)

• Designing for Auditability: Logging and traceability

5. Automation for Security (5 minutes)

• AWS GuardDuty: Understanding its role for threat detection

• CloudWatch Alarms: Configuring security-related alerts

• Lambda for Response: Examples of automated remediation actions

Instructor Notes

• Real-World Examples: Share case studies of breaches and how AWS security could have prevented them.

• Active Defense Demo: If time allows, simulate an attack and demonstrate how AWS services react.

• Beyond the Basics: Briefly touch upon intrusion detection (IDS)/Intrusion Prevention Systems (IPS) for advanced security.

Expanded Section: Attack Scenarios and Mitigation

Here’s how we can expand the Buổi 15 syllabus to incorporate more in-depth attack scenarios, making the session even more practical and engaging:

Part A: Understanding Attacker Methodology (10 minutes)

• Attacker Goals: Recon, data exfiltration, service disruption, etc.

• Common Attack Techniques: DDoS, port scanning, SQL injection, credential theft, social engineering.

• Mapping Attacks to the Network: How attacks manifest at different network layers (e.g., network-layer DDoS; application-layer injection attacks).

Part B: Hands-On Lab – Defending Against Attacks (20 minutes)

• Scenario 1: DDoS Attack

  • Utilize AWS Shield, WAF, and auto-scaling to mitigate a simulated volumetric attack.

  • Focus on configuring rate-limiting rules and integrating with CloudWatch for monitoring.

• Scenario 2: Web Application Attack

  • Set up a vulnerable web application (intentionally!).

  • Use WAF to detect and block common injection attacks (SQLi, XSS).

  • Demonstrate custom WAF rule creation.

• Scenario 3: Unauthorized Access

  • Simulate credential compromise or leaked keys.

  • Demonstrate how strong IAM policies, network segmentation, and security groups can limit the blast radius.

Part C: Proactive Defense (5 minutes)

• Vulnerability Scanning: Discuss AWS and 3rd party tools for regular vulnerability assessment.

• Penetration Testing: When and how to conduct pen-tests on your AWS network.

Additional Instructor Notes:

• Pre-Built Environments: Prepare lab scenarios in advance or use an AWS sandbox environment for quick setup.

• Live Attack Tools: Use CAUTION with attack simulation tools. Have a controlled environment to prevent unintended consequences.

• Beyond The Tech: Emphasize the importance of user awareness and social engineering prevention.

Variations

• Industry-Specific Attacks: Tailor scenarios to healthcare, finance, or other sectors depending on audience background.

• Incident Response Playbook: Discuss how to assemble an incident response plan alongside these technical mitigations.

Buổi 16: Validate and audit security by using network monitoring and logging services.

Title: Achieving Visibility: Auditing and Monitoring Your AWS Network for Security

Prerequisites

• Solid understanding of AWS networking concepts

• Familiarity with security principles and best practices

• Basic experience of working with AWS console and/or CLI

Learning Objectives

1. Master AWS tools for comprehensive network logging and monitoring.

2. Implement proactive security alerting mechanisms using CloudWatch.

3. Analyze network logs to identify security anomalies and vulnerabilities.

4. Develop and execute a robust network auditing strategy on AWS.

Syllabus Breakdown

1. Introduction: The Importance of Visibility (5 minutes)

• Why network logging matters for security

• Compliance requirements and logging

• Proactive threat detection vs. reactive forensics

2. AWS Toolkit for Logging (15 minutes)

• VPC Flow Logs: Deep dive into flow log fields, enabling, and analysis

• AWS CloudTrail: Tracking API activity with network implications

• VPC Traffic Mirroring: Packet-level inspection for advanced analysis

• CloudWatch: Centralised log aggregation and metrics

• Other Services: Briefly mention load balancer logs, CloudFront logs, etc.

3. Hands-On Lab: Analyzing Network Logs (15 minutes)

• Scenario 1: Identifying Unauthorized Traffic: Use VPC Flow Logs to detect suspicious connections and potential data exfiltration.

• Scenario 2: Traffic Mirroring Analysis: Utilize packet captures to investigate potential malicious activity.

• Tool Demo: Use tools (built-in or 3rd party) for log analysis and visualization

4. Alerting and Automation with CloudWatch (10 minutes)

• Metrics-Based Alarms: Setting thresholds for traffic anomalies, security group changes, etc.

• Custom Metrics: For granular monitoring specific to your application

• Event-Driven Responses: Using Lambda to trigger automatic remediation actions

5. Auditing for Security (5 Minutes)

• AWS Config: Tracking configuration changes over time

• Trusted Advisor: Automated security checks

• Firewall Manager: Centralized policy management

Instructor Notes

• Practical Focus: Emphasize hands-on log analysis during the lab.

• Beyond the Basics: Touch upon log centralization with services like Kinesis, S3 for long-term archiving

• Compliance Tie-In: Briefly discuss how this relates to frameworks like PCI-DSS or SOC 2.

Additional Considerations

• Log Retention: Cost, security, and compliance implications

• Integrating with SIEM: For larger enterprise security operations

Extended Buổi 16 Syllabus: Advanced Log Analysis and Auditing

Section A: Advanced Log Analysis Scenarios (20 minutes)

• Scenario 1: Detecting Malicious User Activity

  • Analyze CloudTrail logs to identify unusual user logins, API calls, or access patterns.

  • Correlate with VPC Flow Logs to identify network traffic associated with suspicious activity.

  • Leverage CloudWatch alarms to trigger notifications when anomalies are detected.

• Scenario 2: Investigating Application-Level Attacks

  • Utilize load balancer logs to identify spikes in error rates or unusual traffic patterns.

  • Correlate with CloudFront logs to track access patterns and potential attacks.

  • Analyze application-specific logs (e.g., web server logs) to identify specific attack methods.

• Scenario 3: Troubleshooting Network Performance Issues

  • Analyze VPC Flow Logs to identify bottlenecks, congestion, or unusual traffic patterns.

  • Correlate with CloudWatch metrics for CPU, memory, and network utilization.

  • Identify potential misconfigurations or resource constraints causing performance degradation.

Section B: Deep Dive into AWS Auditing Tools (20 minutes)

• AWS Config:

  • Advanced configuration tracking features, including detailed resource configurations, changes over time, and cross-account monitoring.

  • Utilizing Config Rules for automated compliance checks and remediation.

  • Integrating Config with CloudWatch for continuous monitoring and alerting.

• AWS Firewall Manager:

  • Centralized management of security group and network ACL policies across multiple VPCs and accounts.

  • Automated policy enforcement and compliance checks.

  • Leveraging Firewall Manager to implement least privilege principles and reduce security risks.

• AWS Trusted Advisor:

  • In-depth security checks covering a wide range of areas, including IAM, networking, and data storage.

  • Identifying potential misconfigurations, security vulnerabilities, and optimization opportunities.

  • Customizing Trusted Advisor checks to align with specific security requirements.

Additional Considerations:

• Log Correlation and Visualization: Discuss tools like Splunk, Sumo Logic, or Amazon Elasticsearch Service for advanced log correlation and visualization.

• Threat Intelligence Integration: Enriching log analysis with threat intelligence feeds to identify known malicious IP addresses or patterns.

• Continuous Security Monitoring: Emphasize the importance of establishing a continuous security monitoring process to proactively detect and respond to threats.

Buổi 17: Implement and maintain confidentiality of data and communications of the network.

Title: Protecting Data in Motion: Encryption and Secure Networking on AWS

Prerequisites

• Basic understanding of encryption concepts (symmetric vs. asymmetric, ciphers)

• Familiarity with AWS networking and IAM concepts

Learning Objectives

1. Understand network encryption fundamentals and AWS-specific options.

2. Implement encryption at different layers to secure data in transit.

3. Manage encryption keys and certificates effectively within the AWS environment.

4. Secure DNS communications for enhanced network integrity.

Syllabus Breakdown

1. Encryption for Network Security (10 minutes)

• Data in Transit vs. Data at Rest: Clarify the focus of this session

• Types of Encryption: Symmetric, asymmetric (brief overview)

• The Shared Responsibility Model: Where AWS handles encryption and where you do

2. AWS Encryption in Action (20 minutes)

• Transport Layer Security (TLS): HTTPS for web applications, load balancers, and API endpoints

• IPsec: Securing VPN connections (both site-to-site and over Direct Connect)

• Encryption within Managed Services: S3 (server-side), RDS (optional: KMS integration)

• Custom Encryption on EC2: Scenario-driven discussion on when this is needed

3. Hands-On Lab: Certificate Management & Secure Deployment (10 minutes)

• Scenario: Launch a web application with HTTPS using ACM for a domain you own.

• AWS Certificate Manager: Understand the issuance & lifecycle of certificates

• Optional: If time allows, briefly explore ACM Private CA for internal certificates

4. Securing DNS with DNSSEC (5 minutes)

• Why DNS Security Matters: Preventing spoofing and man-in-the-middle attacks

• DNSSEC on Route 53: Enabling it, understanding key management

• Limitations: DNSSEC adoption isn’t universal

5. Best Practices (5 minutes)

• Key Management: Emphasize the security importance; discuss KMS

• Least Privilege: Apply this principle to network encryption choices

Instructor Notes

• Demo-Focused: Show the process of enabling encryption on various services, obtaining certificates, and setting up IPsec options if possible.

• Tie to Compliance: Mention how these techniques map to standards like PCI-DSS or HIPAA

• Avoid Jargon: If possible, explain encryption concepts in plain language

Extended Buổi 17 Syllabus: Advanced Encryption and Key Management

Section A: Advanced IPsec Configurations (15 minutes)

• Site-to-Site VPN:

  • Pre-shared keys (PSK) vs. certificates for authentication

  • Advanced options like routing protocols (BGP) and traffic filtering

  • Troubleshooting common IPsec connectivity issues

• VPN over Direct Connect:

  • Benefits over traditional site-to-site VPNs

  • Configuring Direct Connect and establishing a secure VPN tunnel

  • Integrating IPsec with Direct Connect for enhanced security

Section B: Custom Encryption Scenarios (15 minutes)

• Encrypting Traffic between EC2 Instances:

  • Utilizing SSH tunneling or VPN gateways for private communication

  • Considerations for secure data exchange in internal networks

  • Best practices for managing encryption keys in these scenarios

• Protecting Data at Rest on EC2:

  • Disk encryption options (EBS encryption, file system encryption)

  • Key management strategies for encrypted EC2 instances

  • Considerations for data recovery and backup procedures

Section C: Broader Key Management Strategies (10 minutes)

• AWS Key Management Service (KMS):

  • Centralized key storage and management for all AWS services

  • Creating, rotating, and auditing encryption keys securely

  • Integrating KMS with other AWS services and custom applications

• External Key Management Solutions:

  • When to consider using external key managers (e.g., Thales, HSMs)

  • Integrating external key managers with AWS for hybrid encryption

  • Compliance considerations for external key management

Additional Considerations:

• Automation and Orchestration: Discuss using tools like CloudFormation, Ansible, or Terraform to automate encryption configurations.

• Threat Modeling: Emphasize the importance of identifying potential threats and designing encryption strategies accordingly.

• Security Audits: Regularly review encryption configurations and key management practices to ensure compliance and security.