03 Networking Flashcards
Describe the two types of AWS services based on network connectivity.
AWS services can be grouped into public services, which are accessed via a public endpoint (e.g., S3), and private services, which run within a VPC (e.g., EFS).
How can private services be accessed from on-premises environments?
A VPN or Direct Connect is required to access private services from on-premises.
Explain how EC2 instances handle their public IPv4 addresses.
EC2 instances do not know their own public IPv4 address; this is managed at the gateway, such as the internet gateway.
What is the limitation of NAT regarding IPv6?
NAT does not support IPv6.
Define the purpose of Egress-only Internet Gateways.
Egress-only Internet Gateways allow instances to connect to the internet while preventing inbound connections.
How many Internet Gateways can be attached to a VPC?
Only one Internet Gateway can be attached to a VPC, but both an Internet Gateway and an Egress-only Internet Gateway can be added.
What is the most cost-effective strategy for achieving high availability in AWS?
The most cost-effective way to achieve high availability is to deploy across as many Availability Zones (AZs) as possible.
Describe the function of route tables in a VPC.
Route tables direct traffic within a VPC, with separate rules for IPv4 and IPv6 traffic.
How does precedence work in route tables?
Precedence in route tables is based on selecting the most specific route first, and as a tie breaker, preferring static routes over propagated routes.
What are gateway route tables used for?
Gateway route tables are assigned to gateways (e.g., Internet Gateways) to control the routing of ingress traffic.
Explain the encryption of inter-region traffic between peered VPCs.
Inter-region traffic between peered VPCs is encrypted.
What is the role of Dynamic Host Configuration Protocol (DHCP) in a VPC?
DHCP allows auto-configuration of network resources, including IP, subnet mask, default gateway, DNS server, hostname, NTP, and NetBios settings.
How are DHCP option sets configured in a VPC?
DHCP option sets are configured to control DNS servers, domain names, NTP servers, NetBIOS name server, and IPv6 Preferred Lease Time.
What happens when a DHCP option set is associated with a VPC?
Associating a DHCP option set takes effect immediately, but changes will only occur when the targets (e.g., EC2 instances) perform a DHCP renew.
Define PrivateLink and its purpose in AWS.
PrivateLink allows secure connectivity to AWS services and marketplace services, preventing data from transiting over the public internet.
How do VPC endpoints provide access to AWS services?
VPC endpoints provide private access to AWS services, with Gateway Endpoints used specifically for DynamoDB and S3.
What is the function of the prefix list in Gateway Endpoints?
The prefix list of the Gateway Endpoint is added to the route table of the VPC to direct traffic to the Gateway Endpoint.
Describe the relationship between Gateway Endpoints and VPCs.
Gateway Endpoints are associated with a VPC but do not go into a particular subnet.
Describe the purpose of endpoint policies in AWS.
Endpoint policies restrict access to specific resources, such as S3 buckets, and define who can use the endpoint and what resources they can access.
How do Interface Endpoints ensure high availability in AWS services?
Interface Endpoints are launched in multiple subnets to ensure high availability.
Define VPC Flow Logs and their function.
VPC Flow Logs monitor traffic flow between interfaces in a VPC, capturing only packet metadata and storing logs in S3 or CloudWatch Logs.
Explain the difference between stateful and stateless firewalls in AWS.
Stateful firewalls, like security group rules, automatically allow responses to requests, while stateless firewalls, like NACLs, require explicit rules for both inbound and outbound traffic.
How do NACLs manage traffic in a subnet?
NACLs control traffic into and out of a subnet with numbered rules, applying lower numbered rules first and denying traffic if no rules match.
Describe the role of WAF in AWS.
WAF is a managed application-layer firewall that inspects decrypted HTTPS content and controls traffic through Web ACLs.
What is a Web ACL in the context of AWS WAF?
A Web ACL is a unit of configuration in WAF that is attached to resources like ALBs or CloudFront distributions, with default actions set to ALLOW or BLOCK.
How are rules processed in a Web ACL?
Rules and Rule Groups added to a Web ACL are processed in order, and each consumes Web ACL Capacity Units (WCU).
What is the maximum number of Web ACL Capacity Units (WCU) allowed per Web ACL?
The default maximum is 1500 WCUs per Web ACL, but this can be increased.
Explain how rules in a Web ACL can be defined.
Rules can be based on the source of the request, its content, or request volume, with actions that can be Allow, Block, Captcha, or Custom.
How does a security group differ from a NACL in AWS?
Security groups are stateful and attached to ENIs, allowing automatic responses, while NACLs are stateless and control traffic at the subnet level.
What happens to traffic if no NACL rules are matched?
If no NACL rules are matched, traffic is denied by default.
Describe the significance of ephemeral ports in server connections.
Ephemeral ports are used by clients to make requests to servers, and responses are sent back to these ports.
How does a Route53 private hosted zone relate to Interface Endpoints?
A Route53 private hosted zone is created automatically to override public records of the service when using Interface Endpoints.
What is the default action for a Web ACL in AWS WAF?
The default action for a Web ACL is set to ALLOW or BLOCK.