Failed the AWS Certified Solutions Architect professional exam

Wednesday, Mar 18, 2020

Yesterday I took and failed the SAP-C01 exam. You may have noticed I scribbled some preparation notes earlier.

My candidate score was 730 and I needed 750 to pass, so I was close, but it showed (at least to me) some gaps in my knowledge:

The 3 hour test is pretty gruelling. Not looking forward to retaking it in two weeks, on the 2nd of April, but I need it for my employer, who is an AWS partner.


Customer Gateways

An Amazon VPC VPN connection links your data center (or network) to your Amazon Virtual Private Cloud (VPC). A customer gateway device is the anchor on your side of that connection. It can be a physical or software appliance.

Virtual Private Gateways

The anchor on the AWS side of the VPN connection is called a virtual private gateway. Associate this with your VPC.

Site-to-Site VPN Connections

This is typically used to connect an on-premises network to an AWS VPC, often as redundancy for a Direct Connect link.

If you want a connection between VPCs, say across regions, you want a VPC peering connection instead. However, if your region supports AWS Transit Gateway with inter-region peering, use that for added flexibility. Track availability on the FAQ.

Client VPN Endpoints

This links the customer gateway and the virtual private gateway. At the time of writing, mutual authentication via public key cryptography seems to be the de facto way of doing it:

The connection is made with an OpenVPN configuration file called downloaded-client-config.ovpn, which you have to painfully hand-edit: insert an ID into the connection address, and add the keys generated through the mutual authentication process (a public/private key pair rather than a shared secret).
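The hand-edit above is mechanical enough to script. The following Python is an added example, not code from the post or from AWS: it takes the text of the downloaded .ovpn file, prefixes the hostname on the `remote` line with an ID (a random hex label unless you pass one), appends the client certificate and private key as inline `<cert>`/`<key>` blocks, refuses to patch a file that already carries credentials, and writes the result with owner-only permissions because the file now contains a private key. The sample config, certificate and key are constructed placeholders.

```python
import os
import re
import secrets
import tempfile

# Constructed stand-in for the file downloaded from the Client VPN console.
SAMPLE_OVPN = """client
dev tun
proto udp
remote cvpn-endpoint-0123456789abcdef0.prod.clientvpn.eu-west-1.amazonaws.com 443
resolv-retry infinite
nobind
remote-cert-tls server
cipher AES-256-GCM
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
reneg-sec 0
"""

# Constructed placeholders for the client credentials produced during
# mutual-authentication setup; real ones are PEM files from your CA.
SAMPLE_CERT = """-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
"""
SAMPLE_KEY = """-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
"""

# Matches only "remote <host> ..." lines, not directives such as remote-cert-tls.
REMOTE_RE = re.compile(r"^(remote\s+)(\S+)(.*)$", re.MULTILINE)


def remote_hosts(config: str) -> list[str]:
    """Return the hostnames named on every 'remote' line of an OpenVPN config."""
    return [m.group(2) for m in REMOTE_RE.finditer(config)]


def patch_client_config(config: str, cert_pem: str, key_pem: str, prefix: str = "") -> str:
    """Prefix the endpoint hostname with an ID and embed the client cert and key."""
    prefix = prefix or secrets.token_hex(4)
    if not prefix.isalnum():
        raise ValueError("prefix becomes a DNS label, so it must be alphanumeric")
    if "<cert>" in config or "<key>" in config:
        raise ValueError("config already carries inline client credentials")

    cert_pem, key_pem = cert_pem.strip(), key_pem.strip()
    if not cert_pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("client certificate is not PEM encoded")
    if "PRIVATE KEY-----" not in key_pem.splitlines()[0]:
        raise ValueError("client key is not a PEM private key")

    patched, count = REMOTE_RE.subn(
        lambda m: f"{m.group(1)}{prefix}.{m.group(2)}{m.group(3)}", config
    )
    if count == 0:
        raise ValueError("no 'remote' line found in config")

    return patched.rstrip("\n") + f"\n<cert>\n{cert_pem}\n</cert>\n<key>\n{key_pem}\n</key>\n"


def write_private_config(path: str, text: str) -> str:
    """Write the patched config readable by the owner only (it holds a private key)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    return path


if __name__ == "__main__":
    patched = patch_client_config(SAMPLE_OVPN, SAMPLE_CERT, SAMPLE_KEY)
    out = write_private_config(os.path.join(tempfile.gettempdir(), "client.ovpn"), patched)
    print(f"wrote {out} for hosts {remote_hosts(patched)}")
```

Pass `prefix` explicitly if you want a stable hostname for firewall or log correlation; otherwise each run picks a fresh random label, which is all the ID is for.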

Deployment options

There is a cheatsheet but I find the AWS documentation clearer.

The Elastic Beanstalk "All at once" deployment policy results in downtime, so avoid it to minimise disruption.
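As an added illustration (not from the post), here is how the policy is set in an Elastic Beanstalk `.ebextensions` config file, with the disruptive default shown commented out above a rolling alternative:

```yaml
# .ebextensions/deploy.config (added example; file name is an assumption)
#
# Weak setting: AllAtOnce replaces the application on every instance at the
# same time, so nothing serves traffic until the deployment finishes.
#
# option_settings:
#   aws:elasticbeanstalk:command:
#     DeploymentPolicy: AllAtOnce
#
# Corrected setting: update 25% of the fleet per batch while the rest stays
# in service.
option_settings:
  aws:elasticbeanstalk:command:
    DeploymentPolicy: Rolling
    BatchSizeType: Percentage
    BatchSize: 25
```

Rolling still reduces capacity by one batch while it runs; RollingWithAdditionalBatch or Immutable keep full capacity at the cost of launching extra instances.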

Will I have enough capacity to scale?

You can make an On-Demand Capacity Reservation.