Yesterday I took and failed the SAP-C01 exam. You may have noticed I scribbled some preparation notes earlier.
Candidate score was 730 and I needed 750 to pass. So I was close, but it showed at least to me some gaps in my knowledge:
- How big is a Snowball: ~80TB and do consider you can have multiple (aka scale out)
- VM Import/Export - is this the way you export VMs to AWS from an on-premises data center? I thought one used CloudEndure..
- Various AD configurations or rather migration strategies. If a client has an AD controller on premises, what is needed to move it to the AWS Cloud? Connector and then? https://tutorialsdojo.com/aws-directory-service/ https://www.youtube.com/watch?v=fO2t2yYbl7g
- Various CloudFormation questions. Like if you have an existing setup in one region, can you export the CloudFormation template and just run it with a changed region parameter?
- Even though I’ve used AWS ECS for years, some questions about the task roles and awsvpc versus bridge confused me; Answer
- Routing wrt joining two VPCs that share the same private subnet range 10.0.0.1/24
- Little confused by inter VPC connectivity options. Transit? Gateway?
- A lot of weird regional ACM questions that threw me. This is undergoing change I believe at writing to Amazon Trust Services, so the questions will be extra confusing until updated. My confusion is that I generally only use the Global CloudFront service where the ACMs end up in us-east-1.
The 3 hour test is pretty gruelling. Not looking forward to retaking it in two weeks on the 2nd of April, but I need it for my employer https://www.corexpert.net/ who are AWS partners.
VIRTUAL PRIVATE NETWORK (VPN)
An Amazon VPC VPN connection links your data center (or network) to your Amazon Virtual Private Cloud (VPC). A customer gateway device is the anchor on your side of that connection. It can be a physical or software appliance.
Virtual Private Gateways
The anchor on the AWS side of the VPN connection is called a virtual private gateway. Associate this with your VPC.
Site-to-Site VPN Connections
This is typically used to connect an on-premises network to an AWS VPC, often as redundancy for a Direct Connect.
If you want a connection between VPCs, say across regions, you want a Peering Connection instead. However, if your region supports AWS Transit Gateway with inter-region peering, you want to use that for added flexibility. Track availability on the FAQ.
Client VPN Endpoints
This links the customer gateway and the virtual private gateway. At time of writing, mutual authentication via public key cryptography seems like the de facto way of doing it: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html
The connection is done via an OpenVPN configuration called downloaded-client-config.ovpn, which you need to painfully edit by hand: add an ID to the connection address and add the keys generated via the mutual authentication process (public/private keys instead of a shared secret).
There is a cheatsheet but I find the AWS documentation clearer.
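The two hand edits above, scripted. This is an added example and not code from the post or from AWS; the input file name, the cert/key paths and the sample endpoint name are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the post or AWS): prepare the downloaded Client VPN
# config for mutual (certificate) authentication, the two edits the notes above
# describe: prepend an ID to the endpoint host and point at the client cert/key.
set -eu

# prepare_ovpn IN OUT CERT KEY [PREFIX]
# Copies IN to OUT with PREFIX (random if omitted) prepended to the host on the
# "remote" line and cert/key directives appended. Fails if IN has no remote line.
prepare_ovpn() {
  local src="$1" dst="$2" cert="$3" key="$4"
  local prefix="${5:-$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')}"
  grep -q '^remote ' "$src" || { echo "no remote line in $src" >&2; return 1; }
  # Only the host token changes; the port (443 here) is left untouched.
  sed "s/^remote \([^ ]*\)/remote ${prefix}.\1/" "$src" >"$dst"
  # Paths only: keep the private key out of the config and mode 0600 on disk.
  printf 'cert %s\nkey %s\n' "$cert" "$key" >>"$dst"
}

# Constructed sample input mimicking downloaded-client-config.ovpn (the endpoint
# name is a placeholder, not a real endpoint).
demo_dir="$(mktemp -d)"
cat >"$demo_dir/downloaded-client-config.ovpn" <<'EOF'
client
dev tun
proto udp
remote cvpn-endpoint-0123456789abcdef0.prod.clientvpn.eu-west-1.amazonaws.com 443
verb 3
EOF
prepare_ovpn "$demo_dir/downloaded-client-config.ovpn" "$demo_dir/client1.ovpn" \
  /etc/openvpn/client1.crt /etc/openvpn/client1.key
cat "$demo_dir/client1.ovpn"
```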
The all-at-once Elastic Beanstalk deployment option results in downtime, so avoid it to minimise disruption.
Will I have enough capacity to scale?
You can make an On-Demand Capacity Reservation.