03 Networking Flashcards

1
Q

Describe the two types of AWS services based on network connectivity.

A

AWS services can be grouped into public services, which are accessed via a public endpoint (e.g., S3), and private services, which run within a VPC (e.g., EFS).

2
Q

How can private services be accessed from on-premises environments?

A

A VPN or Direct Connect is required to access private services from on-premises.

3
Q

Explain how EC2 instances handle their public IPv4 addresses.

A

EC2 instances do not know their own public IPv4 address; this is managed at the gateway, such as the internet gateway.

4
Q

What is the limitation of NAT regarding IPv6?

A

NAT does not support IPv6.

5
Q

Define the purpose of Egress-only Internet Gateways.

A

Egress-only Internet Gateways allow instances to connect to the internet while preventing inbound connections.

6
Q

How many Internet Gateways can be attached to a VPC?

A

Only one Internet Gateway can be attached to a VPC, but both an Internet Gateway and an Egress-only Internet Gateway can be added.

7
Q

What is the most cost-effective strategy for achieving high availability in AWS?

A

The most cost-effective way to achieve high availability is to deploy across as many Availability Zones (AZs) as possible.

8
Q

Describe the function of route tables in a VPC.

A

Route tables direct traffic within a VPC, with separate rules for IPv4 and IPv6 traffic.

9
Q

How does precedence work in route tables?

A

Precedence in route tables is based on selecting the most specific route first, and as a tie breaker, preferring static routes over propagated routes.

10
Q

What are gateway route tables used for?

A

Gateway route tables are assigned to gateways (e.g., Internet Gateways) to control the routing of ingress traffic.

11
Q

Explain the encryption of inter-region traffic between peered VPCs.

A

Inter-region traffic between peered VPCs is encrypted.

12
Q

What is the role of Dynamic Host Configuration Protocol (DHCP) in a VPC?

A

DHCP allows auto-configuration of network resources, including IP, subnet mask, default gateway, DNS server, hostname, NTP, and NetBIOS settings.

13
Q

How are DHCP option sets configured in a VPC?

A

DHCP option sets are configured to control DNS servers, domain names, NTP servers, NetBIOS name server, and IPv6 Preferred Lease Time.

14
Q

What happens when a DHCP option set is associated with a VPC?

A

Associating a DHCP option set takes effect immediately, but changes will only occur when the targets (e.g., EC2 instances) perform a DHCP renew.

15
Q

Define PrivateLink and its purpose in AWS.

A

PrivateLink allows secure connectivity to AWS services and marketplace services, preventing data from transiting over the public internet.

16
Q

How do VPC endpoints provide access to AWS services?

A

VPC endpoints provide private access to AWS services, with Gateway Endpoints used specifically for DynamoDB and S3.

17
Q

What is the function of the prefix list in Gateway Endpoints?

A

The prefix list of the Gateway Endpoint is added to the route table of the VPC to direct traffic to the Gateway Endpoint.

18
Q

Describe the relationship between Gateway Endpoints and VPCs.

A

Gateway Endpoints are associated with a VPC but do not go into a particular subnet.

19
Q

Describe the purpose of endpoint policies in AWS.

A

Endpoint policies restrict access to specific resources, such as S3 buckets, and define who can use the endpoint and what resources they can access.

20
Q

How do Interface Endpoints ensure high availability in AWS services?

A

Interface Endpoints are launched in multiple subnets to ensure high availability.

21
Q

Define VPC Flow Logs and their function.

A

VPC Flow Logs monitor traffic flow between interfaces in a VPC, capturing only packet metadata and storing logs in S3 or CloudWatch Logs.

22
Q

Explain the difference between stateful and stateless firewalls in AWS.

A

Stateful firewalls, like security group rules, automatically allow responses to requests, while stateless firewalls, like NACLs, require explicit rules for both inbound and outbound traffic.

23
Q

How do NACLs manage traffic in a subnet?

A

NACLs control traffic into and out of a subnet with numbered rules, applying lower numbered rules first and denying traffic if no rules match.

24
Q

Describe the role of WAF in AWS.

A

WAF is a managed application-layer firewall that inspects decrypted HTTPS content and controls traffic through Web ACLs.

25
Q

What is a Web ACL in the context of AWS WAF?

A

A Web ACL is a unit of configuration in WAF that is attached to resources like ALBs or CloudFront distributions, with default actions set to ALLOW or BLOCK.

26
Q

How are rules processed in a Web ACL?

A

Rules and Rule Groups added to a Web ACL are processed in order, and each consumes Web ACL Capacity Units (WCU).

27
Q

What is the maximum number of Web ACL Capacity Units (WCU) allowed per Web ACL?

A

The default maximum is 1500 WCUs per Web ACL, but this can be increased.

28
Q

Explain how rules in a Web ACL can be defined.

A

Rules can be based on the source of the request, its content, or request volume, with actions that can be Allow, Block, Captcha, or Custom.

29
Q

How does a security group differ from a NACL in AWS?

A

Security groups are stateful and attached to ENIs, allowing automatic responses, while NACLs are stateless and control traffic at the subnet level.

30
Q

What happens to traffic if no NACL rules are matched?

A

If no NACL rules are matched, traffic is denied by default.

31
Q

Describe the significance of ephemeral ports in server connections.

A

Ephemeral ports are used by clients to make requests to servers, and responses are sent back to these ports.

32
Q

How does a Route53 private hosted zone relate to Interface Endpoints?

A

A Route53 private hosted zone is created automatically to override public records of the service when using Interface Endpoints.

33
Q

What is the default action for a Web ACL in AWS WAF?

A

The default action for a Web ACL is set to ALLOW or BLOCK.

34
Q

How many bytes of the body are inspected by WAF rules?

A

Only the first 8192 bytes of the body are inspected by WAF rules.

35
Q

Describe the purpose of the x-amzn-waf header in requests.

A

This header can be added to requests forwarded to backends.

36
Q

How can logs from WAF be stored in AWS?

A

Logs can be stored in S3, CloudWatch Logs, and Kinesis, with Kinesis recommended for rapidly responding to traffic.

37
Q

Define Local Zones in the context of AWS infrastructure.

A

Local Zones are extensions of regions that allow for edge computing and are associated with a parent region.

38
Q

What is the role of Direct Connect in relation to Local Zones?

A

Direct Connect allows connectivity from on-premises to the Local Zone.

39
Q

How do subnets function in Local Zones?

A

Subnets can be created in Local Zones, extending VPCs into the Local Zone.

40
Q

Explain how BGP determines the best route.

A

BGP uses the shortest connection, or least hops, by default to determine the best route.

41
Q

What workaround can be used in BGP to influence route selection?

A

Dummy hops can be added to make a route appear slower, influencing BGP to select it.

42
Q

How does Global Accelerator route traffic to the nearest edge location?

A

Global Accelerator improves network performance for users far from the host by routing traffic to the closest edge location using anycast IP addresses.

43
Q

How does Global Accelerator differ from CloudFront?

A

Global Accelerator moves the connection to the edge for all TCP/UDP traffic, while CloudFront caches content at the edge for HTTP content only.

44
Q

What is the purpose of a Transit Gateway in AWS networking?

A

A Transit Gateway is a networking hub that connects VPCs together and to on-premises networks using Site-to-Site VPNs and Direct Connect.

45
Q

How are Transit Gateways configured?

A

Transit Gateways are configured by creating attachments to VPCs, Site-to-Site VPNs, or Direct Connect.

46
Q

Explain the advantage of using Transit Gateways over manual VPC connections.

A

Transit Gateways simplify networking by avoiding the need for non-transitive peering connections, which would require many routes.

47
Q

What is the default routing behavior of a Transit Gateway?

A

Each Transit Gateway has a default routing table that includes all attachments, allowing every attachment to connect with each other.

48
Q

What limitations exist regarding route propagation in Transit Gateways?

A

Route propagation and DNS sharing are not supported across Peering Attachments in Transit Gateways.

49
Q

Define Client VPN in the context of hybrid networking.

A

Client VPN allows end-users to connect to private networking in a VPN and is a managed implementation of OpenVPN.

50
Q

How does the split tunnel option work in Client VPN?

A

The split tunnel option allows only internal traffic to use the VPN, leaving connections from the client to the internet unaffected.

51
Q

What is IPSec and its primary function?

A

IPSec is a set of protocols used to establish a secure tunnel across insecure networks, ensuring all traffic is encrypted in transit.

52
Q

Describe the encryption process used in IPSec.

A

IPSec uses asymmetric encryption to securely establish a shared key, which is then used for faster symmetric encryption.

53
Q

What are the two phases of IPSec?

A

The two phases of IPSec are IKE Phase 1, which authenticates the connection and establishes a shared key, and IKE Phase 2, which agrees on the encryption method and keys for bulk data transfer.

54
Q

Describe the purpose of a Phase 2 tunnel in AWS Site-to-Site VPN.

A

A Phase 2 tunnel is established much quicker than a Phase 1 tunnel and is commonly used while the Phase 1 tunnel remains active as needed.

55
Q

Define the role of the Virtual Private Gateway (VGW) in AWS.

A

The Virtual Private Gateway (VGW) serves as the mounting point for the VPN within the VPC.

56
Q

How is high availability achieved in AWS Site-to-Site VPN?

A

High availability is achieved by having two endpoints in two availability zones, although both tunnels terminate at a single customer router, which does not provide full HA on the customer side.

57
Q

Explain the function of the Customer Gateway (CGW) in AWS networking.

A

The Customer Gateway (CGW) refers to the target in the customer’s network for the VPN connection.

58
Q

What is the maximum throughput for a VPN with two tunnels in AWS?

A

The maximum throughput for a VPN with two tunnels is 1.25 Gbps.

59
Q

Describe the use of Dynamic VPNs in AWS.

A

Dynamic VPNs use BGP to route between AWS and the customer router, allowing for failover and are required when using Direct Connect.

60
Q

How does the Accelerated Site-to-Site VPN improve network performance?

A

The Accelerated Site-to-Site VPN uses Global Accelerator to enhance network performance.

61
Q

Define Hybrid DNS in the context of AWS.

A

Hybrid DNS is implemented using Route53 endpoints, which include inbound and outbound endpoints for managing DNS queries.

62
Q

What is the significance of the .2 IP address in AWS subnets?

A

The .2 IP address of every subnet is reserved for the Route53 resolver.

63
Q

Explain the function of NS records in DNS.

A

NS (name server) records delegate authority to other registries, such as delegating amazon.com to Amazon’s DNS servers.

64
Q

What are Alias Records in Route53, and how do they differ from CNAME records?

A

Alias Records are a Route53-specific record type that map a name to an AWS record and can be set at the apex domain without incurring charges, unlike CNAME records.

65
Q

How can a domain registered with a third-party provider be used in Route53?

A

To use a domain registered with a third-party provider in Route53, NS records must be added through that provider, pointing to the Route53 name servers.

66
Q

Describe the concept of private hosted zones in AWS.

A

Private hosted zones can only be accessed from VPCs they are attached to, and they can replace public hosted zones with the same name in a split-view configuration.

67
Q

What is the role of Route53 in AWS?

A

Route53 is a managed DNS service that handles both private and public DNS records.

68
Q

How does latency affect AWS Site-to-Site VPN connections?

A

Latency may be higher in AWS Site-to-Site VPN connections due to the use of the public internet and the number of hops involved.

69
Q

What is the purpose of TTL in DNS records?

A

TTL (time to live) indicates when DNS records expire, helping to manage caching and refresh intervals.

70
Q

How many Transit Gateways can one Direct Connect gateway connect with?

A

One Direct Connect gateway can connect with up to 3 Transit Gateways.

71
Q

Describe the purpose of health checks in VPC endpoints.

A

Health checks monitor the health and performance of a target, ensuring that the service is operational and responsive.

72
Q

How often are Route53 health checks performed by default, and what is the alternative configuration?

A

By default, health checks are performed every 30 seconds, but they can be configured to occur every 10 seconds for an additional charge.

73
Q

Define the types of checks that can be performed in Route53 health checks.

A

Checks can be performed to an endpoint, for a CloudWatch Alarm, or calculated checks (checks of checks).

74
Q

What are the criteria for Route53 HTTP/HTTPS health checks?

A

HTTP/HTTPS checks confirm that the status code is between 200-399 and can ensure that a certain string is present in the response body.

75
Q

Explain the Simple routing type in VPC endpoints.

A

Simple routing creates one record per name, which can have multiple values (IP addresses) returned in random order, but it does not support health checks.

76
Q

Describe the Failover routing type and its functionality.

A

Failover routing directs all queries to the primary resource unless it fails its health checks, in which case the secondary resource is used, allowing for automated active-passive failover.

77
Q

What is the Multi-value routing type in VPC endpoints?

A

Multi-value routing returns up to eight healthy records in a random order.

78
Q

How does Weighted routing work in VPC endpoints?

A

Weighted routing assigns a weight to each record, controlling the likelihood of that record being returned, which can be used for load balancing and canary testing.

79
Q

Define Latency routing and its purpose.

A

Latency routing adds one record per region and returns the record from the region the client can reach with the lowest latency, optimizing for performance and user experience.

80
Q

What is the Geolocation routing type in VPC endpoints?

A

Geolocation routing assigns records to specific continents, countries, and U.S. states, returning relevant records while preferring specificity.

81
Q

Explain the Geoproximity routing type.

A

Geoproximity routing assigns records to locations and returns the closest record(s) to the client, with a bias that can increase or decrease the influence of a location.

82
Q

What roles can Route53 serve in DNS management?

A

Route53 can act as a registrar-only or DNS host only, meaning its name servers can host the zone for a domain registered elsewhere.

83
Q

Define DNSSEC and its purpose in DNS records.

A

DNSSEC adds signatures to DNS records, allowing clients to verify that the records were not tampered with in transit.

84
Q

How is DNSSEC implemented in VPC endpoints?

A

An asymmetric key pair in KMS is used for signing, and a delegated signer record is added to the next level down, containing a hash of the zone’s public key.