03 Networking

Question 1

Describe the two types of AWS services based on accessibility.

Answer 1

AWS services can be grouped into public services, which are accessed via a public endpoint (e.g., S3), and private services, which run within a VPC (e.g., EFS).

Question 2

How can private services be accessed from on-premises environments?

Answer 2

A VPN or Direct Connect is required to access private services from on-premises.

Question 3

Explain how EC2 instances handle their public IPv4 addresses.

Answer 3

EC2 instances do not know their own public IPv4 address; this is managed at the gateway, such as the internet gateway.

Question 4

What is the limitation of NAT regarding IPv6?

Answer 4

NAT does not support IPv6.

Question 5

Define the purpose of Egress-only Internet Gateways.

Answer 5

Egress-only Internet Gateways allow instances to connect to the internet while preventing inbound connections.

Question 6

How many Internet Gateways can be attached to a VPC?

Answer 6

Only one Internet Gateway can be attached to a VPC, but both an Internet Gateway and an Egress-only Internet Gateway can be added.

Question 7

What is the most cost-effective strategy for achieving high availability in AWS?

Answer 7

The most cost-effective way to achieve high availability is to deploy across as many Availability Zones (AZs) as possible.

Question 8

Describe the function of route tables in a VPC.

Answer 8

Route tables direct traffic within a VPC, with separate rules for IPv4 and IPv6 traffic.

Question 9

How does precedence work in route tables?

Answer 9

Precedence in route tables is based on selecting the most specific route first, and as a tie breaker, preferring static routes over propagated routes.

Question 10

What are gateway route tables used for?

Answer 10

Gateway route tables are assigned to gateways (e.g., Internet Gateways) to control the routing of ingress traffic.

Question 11

Explain the encryption of inter-region traffic between peered VPCs.

Answer 11

Inter-region traffic between peered VPCs is encrypted.

Question 12

What is the role of Dynamic Host Configuration Protocol (DHCP) in a VPC?

Answer 12

DHCP allows auto-configuration of network resources, including IP, subnet mask, default gateway, DNS server, hostname, NTP, and NetBios settings.

Question 13

How are DHCP option sets configured in a VPC?

Answer 13

DHCP option sets are configured to control DNS servers, domain names, NTP servers, NetBIOS name server, and IPv6 Preferred Lease Time.

Question 14

What happens when a DHCP option set is associated with a VPC?

Answer 14

Associating a DHCP option set takes effect immediately, but changes will only occur when the targets (e.g., EC2 instances) perform a DHCP renew.

Question 15

Define PrivateLink and its purpose in AWS.

Answer 15

PrivateLink allows secure connectivity to AWS services and marketplace services, preventing data from transiting over the public internet.

Question 16

How do VPC endpoints provide access to AWS services?

Answer 16

VPC endpoints provide private access to AWS services, with Gateway Endpoints used specifically for DynamoDB and S3.

Question 17

What is the function of the prefix list in Gateway Endpoints?

Answer 17

The prefix list of the Gateway Endpoint is added to the route table of the VPC to direct traffic to the Gateway Endpoint.

Question 18

Describe the relationship between Gateway Endpoints and VPCs.

Answer 18

Gateway Endpoints are associated with a VPC but do not go into a particular subnet.

Question 19

Describe the purpose of endpoint policies in AWS.

Answer 19

Endpoint policies restrict access to specific resources, such as S3 buckets, and define who can use the endpoint and what resources they can access.

Question 20

How do Interface Endpoints ensure high availability in AWS services?

Answer 20

Interface Endpoints are launched in multiple subnets to ensure high availability.

Question 21

Define VPC Flow Logs and their function.

Answer 21

VPC Flow Logs monitor traffic flow between interfaces in a VPC, capturing only packet metadata and storing logs in S3 or CloudWatch Logs.

Question 22

Explain the difference between stateful and stateless firewalls in AWS.

Answer 22

Stateful firewalls, like security group rules, automatically allow responses to requests, while stateless firewalls, like NACLs, require explicit rules for both inbound and outbound traffic.

Question 23

How do NACLs manage traffic in a subnet?

Answer 23

NACLs control traffic into and out of a subnet with numbered rules, applying lower numbered rules first and denying traffic if no rules match.

Question 24

Describe the role of WAF in AWS.

Answer 24

WAF is a managed application-layer firewall that inspects decrypted HTTPS content and controls traffic through Web ACLs.

Question 25

What is a Web ACL in the context of AWS WAF?

Answer 25

A Web ACL is a unit of configuration in WAF that is attached to resources like ALBs or CloudFront distributions, with default actions set to ALLOW or BLOCK.

Question 26

How are rules processed in a Web ACL?

Answer 26

Rules and Rule Groups added to a Web ACL are processed in order, and each consumes Web ACL Capacity Units (WCU).

Question 27

What is the maximum number of Web ACL Capacity Units (WCU) allowed per Web ACL?

Answer 27

The default maximum is 1500 WCUs per Web ACL, but this can be increased.

Question 28

Explain how rules in a Web ACL can be defined.

Answer 28

Rules can be based on the source of the request, its content, or request volume, with actions that can be Allow, Block, Captcha, or Custom.

Question 29

How does a security group differ from a NACL in AWS?

Answer 29

Security groups are stateful and attached to ENIs, allowing automatic responses, while NACLs are stateless and control traffic at the subnet level.

Question 30

What happens to traffic if no NACL rules are matched?

Answer 30

If no NACL rules are matched, traffic is denied by default.

Question 31

Describe the significance of ephemeral ports in server connections.

Answer 31

Ephemeral ports are used by clients to make requests to servers, and responses are sent back to these ports.

Question 32

How does a Route53 private hosted zone relate to Interface Endpoints?

Answer 32

A Route53 private hosted zone is created automatically to override public records of the service when using Interface Endpoints.

Question 33

What is the default action for a Web ACL in AWS WAF?

Answer 33

The default action for a Web ACL is set to ALLOW or BLOCK.

Question 34

How many bytes of the body are inspected by WAF rules?

Answer 34

Only the first 8192 bytes of the body are inspected by WAF rules.

Question 35

Describe the purpose of the x-amzn-waf header in requests.

Answer 35

The x-amzn-waf header is added to requests to influence other rules within the same WebACL.

Question 36

How can logs be stored in AWS for traffic management?

Answer 36

Logs can be stored in S3, CloudWatch Logs, and Kinesis, with Kinesis recommended for rapidly responding to traffic.

Question 37

Define Local Zones in the context of AWS infrastructure.

Answer 37

Local Zones are extensions of regions that allow for edge computing and are associated with a parent region.

Question 38

What is the role of Direct Connect in relation to Local Zones?

Answer 38

Direct Connect allows connectivity from on-premises to the Local Zone.

Question 39

How do subnets function in Local Zones?

Answer 39

Subnets can be created in Local Zones, extending VPCs into the Local Zone.

Question 40

Explain how BGP determines the best route.

Answer 40

BGP uses the shortest connection, or least hops, by default to determine the best route.

Question 41

What workaround can be used in BGP to influence route selection?

Answer 41

Dummy hops can be added to make a route appear slower, influencing BGP to select it.

Question 42

Describe the function of Global Accelerator in network performance.

Answer 42

Global Accelerator improves network performance for users far from the host by routing traffic to the closest edge location using any-cast IP addresses.

Question 43

How does Global Accelerator differ from CloudFront?

Answer 43

Global Accelerator moves the connection to the edge for all TCP/UDP traffic, while CloudFront caches content at the edge for HTTP content only.

Question 44

What is the purpose of a Transit Gateway in AWS networking?

Answer 44

A Transit Gateway is a networking hub that connects VPCs together and to on-premises networks using Site-to-Site VPNs and Direct Connect.

Question 45

How are Transit Gateways configured?

Answer 45

Transit Gateways are configured by creating attachments to VPCs, Site-to-Site VPNs, or Direct Connect.

Question 46

Explain the advantage of using Transit Gateways over manual VPC connections.

Answer 46

Transit Gateways simplify networking by avoiding the need for non-transitive peering connections, which would require many routes.

Question 47

What is the default routing behavior of a Transit Gateway?

Answer 47

Each Transit Gateway has a default routing table that includes all attachments, allowing every attachment to connect with each other.

Question 48

What limitations exist regarding route propagation in Transit Gateways?

Answer 48

Route propagation and DNS sharing are not supported across Peering Attachments in Transit Gateways.

Question 49

Define Client VPN in the context of hybrid networking.

Answer 49

Client VPN allows end-users to connect to private networking in a VPN and is a managed implementation of OpenVPN.

Question 50

How does the split tunnel option work in Client VPN?

Answer 50

The split tunnel option allows only internal traffic to use the VPN, leaving connections from the client to the internet unaffected.

Question 51

What is IPSec and its primary function?

Answer 51

IPSec is a set of protocols used to establish a secure tunnel across insecure networks, ensuring all traffic is encrypted in transit.

Question 52

Describe the encryption process used in IPSec.

Answer 52

IPSec uses asymmetric encryption to securely establish a shared key, which is then used for faster symmetric encryption.

Question 53

What are the two phases of IPSec?

Answer 53

The two phases of IPSec are IKE Phase 1, which authenticates the connection and establishes a shared key, and IKE Phase 2, which agrees on the encryption method and keys for bulk data transfer.

Question 54

Describe the purpose of a Phase 2 tunnel in AWS Site-to-Site VPN.

Answer 54

A Phase 2 tunnel is established much quicker than a Phase 1 tunnel and is commonly used while the Phase 1 tunnel remains active as needed.

Question 55

Define the role of the Virtual Private Gateway (VGW) in AWS.

Answer 55

The Virtual Private Gateway (VGW) serves as the mounting point for the VPN within the VPC.

Question 56

How is high availability achieved in AWS Site-to-Site VPN?

Answer 56

High availability is achieved by having two endpoints in two availability zones, although both tunnels terminate at a single customer router, which does not provide full HA on the customer side.

Question 57

Explain the function of the Customer Gateway (CGW) in AWS networking.

Answer 57

The Customer Gateway (CGW) refers to the target in the customer’s network for the VPN connection.

Question 58

What is the maximum throughput for a VPN with two tunnels in AWS?

Answer 58

The maximum throughput for a VPN with two tunnels is 1.25 Gbps.

Question 59

Describe the use of Dynamic VPNs in AWS.

Answer 59

Dynamic VPNs use BGP to route between AWS and the customer router, allowing for failover and are required when using Direct Connect.

Question 60

How does the Accelerated Site-to-Site VPN improve network performance?

Answer 60

The Accelerated Site-to-Site VPN uses Global Accelerator to enhance network performance.

Question 61

Define Hybrid DNS in the context of AWS.

Answer 61

Hybrid DNS is implemented using Route53 endpoints, which include inbound and outbound endpoints for managing DNS queries.

Question 62

What is the significance of the .2 IP address in AWS subnets?

Answer 62

The .2 IP address of every subnet is reserved for the Route53 resolver.

Question 63

Explain the function of NS records in DNS.

Answer 63

NS (name server) records delegate authority to other registries, such as delegating amazon.com to Amazon’s DNS servers.

Question 64

What are Alias Records in Route53, and how do they differ from CNAME records?

Answer 64

Alias Records are a Route53-specific record type that map a name to an AWS record and can be set at the apex domain without incurring charges, unlike CNAME records.

Question 65

How can a domain registered with a third-party provider be used in Route53?

Answer 65

To use a domain registered with a third-party provider in Route53, NS records must be added through that provider, pointing to the Route53 name servers.

Question 66

Describe the concept of private hosted zones in AWS.

Answer 66

Private hosted zones can only be accessed from VPCs they are attached to, and they can replace public hosted zones with the same name in a split-view configuration.

Question 67

What is the role of Route53 in AWS?

Answer 67

Route53 is a managed DNS service that handles both private and public DNS records.

Question 68

How does latency affect AWS Site-to-Site VPN connections?

Answer 68

Latency may be higher in AWS Site-to-Site VPN connections due to the use of the public internet and the number of hops involved.

Question 69

What is the purpose of TTL in DNS records?

Answer 69

TTL (time to live) indicates when DNS records expire, helping to manage caching and refresh intervals.

Question 70

How many Transit Gateways can one Direct Connect gateway connect with?

Answer 70

One Direct Connect gateway can connect with up to 3 Transit Gateways.

Question 71

Describe the purpose of health checks in VPC endpoints.

Answer 71

Health checks monitor the health and performance of a target, ensuring that the service is operational and responsive.

Question 72

How often are health checks performed by default, and what is the alternative configuration?

Answer 72

By default, health checks are performed every 30 seconds, but they can be configured to occur every 10 seconds for an additional charge.

Question 73

Define the types of checks that can be performed in health checks.

Answer 73

Checks can be performed to an endpoint, for a CloudWatch Alarm, or calculated checks (checks of checks).

Question 74

What are the criteria for HTTP/HTTPS health checks?

Answer 74

HTTP/HTTPS checks confirm that the status code is between 200-399 and can ensure that a certain string is present in the response body.

Question 75

Explain the Simple routing type in VPC endpoints.

Answer 75

Simple routing creates one record per name, which can have multiple values (IP addresses) returned in random order, but it does not support health checks.

Question 76

Describe the Failover routing type and its functionality.

Answer 76

Failover routing directs all queries to the primary resource unless it fails its health checks, in which case the secondary resource is used, allowing for automated active-passive failover.

Question 77

What is the Multi-value routing type in VPC endpoints?

Answer 77

Multi-value routing returns up to eight healthy records in a random order.

Question 78

How does Weighted routing work in VPC endpoints?

Answer 78

Weighted routing assigns a weight to each record, controlling the likelihood of that record being returned, which can be used for load balancing and canary testing.

Question 79

Define Latency routing and its purpose.

Answer 79

Latency routing adds one record per region and returns the record from the region the client can reach with the lowest latency, optimizing for performance and user experience.

Question 80

What is the Geolocation routing type in VPC endpoints?

Answer 80

Geolocation routing assigns records to specific continents, countries, and U.S. states, returning relevant records while preferring specificity.

Question 81

Explain the Geoproximity routing type.

Answer 81

Geoproximity routing assigns records to locations and returns the closest record(s) to the client, with a bias that can increase or decrease the influence of a location.

Question 82

What roles can Route53 serve in DNS management?

Answer 82

Route53 can act as a registrar-only or DNS host only, meaning its name servers can host the zone for a domain registered elsewhere.

Question 83

Define DNSSEC and its purpose in DNS records.

Answer 83

DNSSEC adds signatures to DNS records, allowing clients to verify that the records were not tampered with in transit.

Question 84

How is DNSSEC implemented in VPC endpoints?

Answer 84

An asymmetric key pair in KMS is used for signing, and a delegated signer record is added to the next level down, continuing a hash of the zone’s public key.