6.2.6. Tricky Distinctions & Common Pitfalls (Networking Focus)
A nuanced understanding of seemingly similar networking concepts and AWS services, together with the ability to anticipate common misconfigurations, is critical for designing robust network architectures and avoiding errors.
Scenario: You are presented with an exam question that asks for the best way to connect 50 VPCs for transitive routing and then another about troubleshooting a problem where only return traffic is failing over a VPN connection.
The AWS ANS-C01 exam tests deep understanding, often through distinguishing between similar networking concepts or AWS services and identifying common pitfalls.
Common Areas of Confusion (Networking Focus):
- VPC Peering vs. Transit Gateway (TGW): VPC peering suits a small number of VPCs and is non-transitive (each pair needs its own peering); TGW scales to many VPCs and provides transitive routing through a central hub.
- AWS Site-to-Site VPN vs. AWS Direct Connect (DX): VPN runs over the public internet (quick to set up, flexible, cheaper for low volume); DX is a private dedicated connection (consistent performance, expensive for low volume, cheaper per GB at high volume).
- ALB vs. NLB vs. GLB: ALB operates at Layer 7 (HTTP/S, path- and host-based routing); NLB at Layer 4 (TCP/UDP, static IPs, very low latency); GLB (Gateway Load Balancer) is for inserting and scaling third-party virtual appliances such as firewalls.
- Security Groups (SGs) vs. Network ACLs (NACLs): SGs are instance-level, stateful and allow-only (return traffic is permitted automatically); NACLs are subnet-level, stateless (return traffic needs its own rule), support both allow and deny, and are evaluated in rule-number order, so order matters.
- VPC Endpoints (Interface) vs. Gateway: Interface endpoints serve most services (PrivateLink, an ENI in your subnet, billed per hour and per GB); Gateway endpoints serve only S3 and DynamoDB (a route table entry, no charge).
- CloudFront vs. Global Accelerator: CloudFront caches HTTP/S content at the edge; Global Accelerator works for any TCP/UDP protocol and optimizes routing onto the AWS backbone with static anycast IPs.
- Common Pitfalls:
  - Overlapping CIDRs: Prevent VPC peering entirely; connecting overlapping VPCs through a TGW then requires a NAT layer.
  - Asymmetric Routing: Traffic enters over one path and returns over another, so stateful firewalls that see only half of the flow drop it.
  - Ignoring BGP AS_PATH prepending: The mechanism for influencing which path return traffic takes toward on-premises.
  - Not monitoring VPN tunnel states: Tunnel outages go unnoticed until users complain.
  - Incorrect DNS resolution in hybrid setups: Route 53 Resolver inbound/outbound endpoints and forwarding rules are crucial.
⚠️ Common Pitfall: Confusing services that operate at different layers of the OSI model, such as choosing an NLB (Layer 4) when you need to route traffic based on the URL path (a Layer 7 function).
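To make the SG-vs-NACL distinction concrete (stateless evaluation, explicit return-traffic rules, rule-number order), here is an added example that is not part of the study guide: a small Python model of how an ordered, stateless NACL judges a flow compared with a stateful security group. Rule numbers, ports and the ephemeral range are constructed for illustration, and real NACLs also match on CIDR, which is omitted here.

```python
# Added example, not from the study guide: models stateless, ordered NACL
# evaluation beside stateful security-group behaviour. Rule numbers, ports and
# the ephemeral range are constructed; CIDR matching is omitted for brevity.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Rule:
    number: int             # NACL rules are evaluated in ascending number order
    action: str             # "allow" or "deny"
    protocol: str           # "tcp", "udp" or "all"
    ports: Tuple[int, int]  # inclusive destination port range

def nacl_verdict(rules: List[Rule], protocol: str, port: int) -> bool:
    """First matching rule wins; if nothing matches, the implicit '*' deny applies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol in ("all", protocol) and rule.ports[0] <= port <= rule.ports[1]:
            return rule.action == "allow"
    return False

def nacl_allows_flow(inbound: List[Rule], outbound: List[Rule],
                     dst_port: int, client_port: int) -> bool:
    """Stateless: the request (inbound, to dst_port) AND the reply (outbound,
    back to the client's ephemeral source port) must each be allowed explicitly."""
    return nacl_verdict(inbound, "tcp", dst_port) and nacl_verdict(outbound, "tcp", client_port)

def sg_allows_flow(inbound_allow: List[Tuple[int, int]], dst_port: int) -> bool:
    """Stateful: once the request is allowed in, the reply is allowed out
    automatically, so no ephemeral-port rule is needed."""
    return any(lo <= dst_port <= hi for lo, hi in inbound_allow)

# Constructed rule sets for a subnet hosting an HTTPS service.
INBOUND = [Rule(100, "allow", "tcp", (443, 443))]
# Common mistake: outbound only mirrors the service port, so replies to the
# client's ephemeral source port (e.g. 50000) hit the implicit deny.
OUTBOUND_MISTAKE = [Rule(100, "allow", "tcp", (443, 443))]
# Corrected: allow the ephemeral range outbound so return traffic can leave.
OUTBOUND_FIXED = [Rule(100, "allow", "tcp", (1024, 65535))]
# Rule order: a lower-numbered deny shadows a later allow for the same port.
INBOUND_SHADOWED = [Rule(90, "deny", "tcp", (443, 443)), Rule(100, "allow", "tcp", (443, 443))]

if __name__ == "__main__":
    print("NACL, outbound mistake:", nacl_allows_flow(INBOUND, OUTBOUND_MISTAKE, 443, 50000))  # False
    print("NACL, outbound fixed:  ", nacl_allows_flow(INBOUND, OUTBOUND_FIXED, 443, 50000))    # True
    print("NACL, shadowed allow:  ", nacl_verdict(INBOUND_SHADOWED, "tcp", 443))               # False
    print("SG, stateful:          ", sg_allows_flow([(443, 443)], 443))                          # True
```

The first case reproduces the classic symptom of a NACL that mirrors only the service port: requests arrive, but replies are dropped on the way out.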
Key Trade-Offs:
- Purpose-Built vs. General-Purpose: Understanding these distinctions allows you to choose the most efficient and effective service instead of trying to force a general-purpose service to perform a specialized task.
Reflection Question: Based on the tricky distinctions, what are the two main architectural flaws in this proposed solution, and what alternative AWS services or strategies would you recommend to address them?