advanced networking

Question 1

network layer

Answer 1

switches routes based on mac address

Question 2

Datalink layer

Answer 2

MAC address

Question 3

Network layer

Answer 3

IP address, where we are going to send it to . Where it is begin sent

Question 4

Transport layer

Answer 4

How it is being sent. is about how it is going to tbe sent. TCP UDP
overhead of tcp

Question 5

web browzer

Answer 5

TCP,

Question 6

DDos attacks

Answer 6

Protection at multiple layers

Question 7

Load balancers protect at

Answer 7

layer 3-4 Ddos attacks

Question 8

Class A, B , C

Answer 8

8, 16, 24

Question 9

Unicast only in AWS

Answer 9

no broadcast and multicast

Question 10

Why create multiple subnet within aws vpc

Answer 10

security isolation

Question 11

network addres vs host address

Answer 11

10.0 is the network address. . Last address we cannot used

Question 12

network addres vs host address

Answer 12

10.0 is the network address. . Last address we cannot used for broadcast although there is no broadcast in aws.

Question 13

range of address in aws

Answer 13

/16 to /28

Question 14

Can VPC have the same network as subnet

Answer 14

yes

Question 15

IPVC addresses are automtically assigned by AWS

Answer 15

It is all public. You don’t want to communicate via public?

Question 16

IPV6 addresses are automtically assigned by AWS

Answer 16

It is all public. You don’t want to communicate via public?
::/0 equivalent to all
link local prefix fe80::/64 not routable( 169.254 on IPV4)

Question 17

secondary CIDR blocks

Answer 17

You can add additional CIDR block to
You can add 4 additional
Total 5 CIDR.

Question 18

To extend CIDR what you have

Answer 18

it has to be continuous

Question 19

DHCP options

Answer 19

EC2 gets gw, ip, Dynamic host configuration protocol.

setup a DNCP option set to get control on the IP and other configuration

Question 20

security group when created

Answer 20

does not allow anything in and everything is allowed out

Question 21

security groups is linked to a resource

Answer 21

it is an instance level firewall but is is not the complete descrition. Seucurity groups is attached to the network adapter.. You can have multiple security groups to EIN

Question 22

When do you use security group

Answer 22

always

Question 23

NACL when

Answer 23

You use it when you need deny. You have to open up a wide range of ports in outbound

Question 24

ephemeral ports

Answer 24

1024 and above till 65000.

Question 25

Every subnet has a route table inside

Answer 25

initial route table comes from the VPC.

Main route table everything

Question 26

internet gateway

Answer 26

0-1 per vpc.

Question 27

How do you create a public subnet

Answer 27

create a internet gw, modify the route table to point to intetnet gateway

Question 28

NAT gateway

Answer 28

resource in private subnet to communicate to internet. NAT GW should be in public subnet. One way door.

Question 29

How do you create a public subnet

Answer 29

create a internet gw, modify the route table to point to intetnet gateway

Question 30

VPC peering

Answer 30

done by creating the route. Choose the VPC and owners of the VPC should accept it, modify the route table.
VPC’s can be any region for peering. But inter-region traffic can generate cross-regioon traffic cost.

Requestors DNS vs acceptors DNS.
How does the DNS work in peering.

Question 31

VPC endpoints

Answer 31

Providing local(non-internet) access to services . Problem with internet performance and security

Question 32

2 typs of endpoints

Answer 32

gateways end points and interface end points

Question 33

Gateway endpoint

Answer 33

Amazon S3 and Amazon Db.

Question 34

Interface( powered by AWS PrivateLink)

Answer 34

Unlike a GW EP

An elastic network interface with a private IP address that serves as an entry point for traffic destines to a supported AWS service

Question 35

GW EP

Answer 35

Pick S3 or dynamo, link it to VPC and also target specific subnets, GW end point relies on route table.
Just chaging the route. Control the flow of traffic.
How do you secure GW connection. Resource policy
GW also have polices attached. Policy in GW ep comes with no restrictions.
Policies govern what speicic activity do you want to allow like API’s get vs put. Can restrict the resource that you can connect to .
If you are routing

Question 36

Interface based EP

Answer 36

Kinesis, drops and Network table that .
Use the name for the interface.
Since it is an interface you can secure by attaching a security group
No route table updates are necessary for interface base EP. Private DNS gets automatically craeted.

Question 37

PrivateLink

Answer 37

it is fronted with a network load balancer

Question 38

PrivateLink

Answer 38

it is fronted with a network load balancer

Question 39

An instance can be multihome and attached to two different VPC subnet as long as

Answer 39

the VPC’s is in same AZ

Question 40

EBS volumes

Answer 40

same AZ

Question 41

EC2 Networking( optimized for EBS)

Answer 41

Had dedicated throughput. A portion of bandwidth is dedicated. Lots of instances are dedicated

Question 42

Network performance

Answer 42

25Gig to 10Gig( Note lately it has gone upto 100G)

Question 43

Enhanced networking( we want better netk performance)

Answer 43

When you enable EN on a instance SR-IOV allows to bypass the hypervisor and gets direct access to the host network adapter.

Elastic Network Adapter(ENA) gives hiher network speeds

Device pass-through
Intel Data Place Development Kit(DPDK)

Question 44

EC2 networking: Placement group

Answer 44

AZ is a cluster of data centers( 3 DC)

Question 45

3 types of PG

Answer 45

cluster PG( get physically close to each other for high speed networking)
Partition PG

Question 46

Amazon EC2 netowrking

Answer 46

Jumbo frame
MTU( maximum transmission Unit) 1500 per data portion of
Jumbo Frame(9001 MTU) increase teh data payload into your packets. It makes it more efficient. Fewer packets

Question 47

Site-2-Site VPN

Answer 47

datacenter to AWS

Question 48

You can attach only one VGW to a VPC

Answer 48

Route table decides when to route to IGW vs VGW

Question 49

VGW

Answer 49

On customer side of hte house you have a routing device called customer GW, You have 2 tonnes on VGW. there is auto. Reduntant connection does not give 2 times of bandwidth. Because traffic

Question 50

dynamic vs static

Answer 50

static is not

Question 51

Test isusually related to dynamic routing

Answer 51

BGP: dynamic routing.

Question 52

Border GW protocol

Answer 52

It is primarily used on internet.. They send traffic information to the route table. When route gets added each router sends that to another .

Distance vector protocol tries to use shortest path.

Question 53

Border GW protocol

Answer 53

It is primarily used on internet.. They send traffic information to the route table. When route gets added each router sends that to another .

Distance vector protocol tries to use shortest path.

Question 54

BGP makes decision on how to route the traffic

Answer 54

as soon as multiple paths from A to B. BGP you define ASN( autonomous system number )
Best PAthc Selection.

Local_PREF: You modify route table in BGP
AS_PATH: if local_PREF is awaiting
MED: Multi exit discriminator

Question 55

asssimitric routing

Answer 55

trust is hte problem. request goes in one path and resonse comes from another. Router will not trust by default
Local_PREF is not good for assymitric routing

Question 56

Prepend AS_PATH or use MED

Answer 56

Prepend AS_PATH can create a fake extension on path

Question 57

AWS VPN cloudhub

Answer 57

needs BGP, Each GW needs a AN

Question 58

VGW does not initiate IP sec negotiation

Answer 58

the customer starts the connection.

Question 59

VGW only supports only IPSec

Answer 59

You can use EC2 and install the VPN software and .

Different protocol and low level control

Question 60

AWS on-demand dead peer detection(DPD) mechanism

Answer 60

Function o a router to listen for. Enable it on custoerm gateway.

Question 61

Bidirectional forwarding detection, Dead peer detection

Answer 61

both needed for automation failover

Question 62

client2site VPN

Answer 62

it is not asked in the test

Client VPN may now be known as AWS VPN

Question 63

AWS director connect

Answer 63

bandwidth, security,
private connection , dedicated fibre channel, not encrypted by default.. Limit is 10Gig. If you go only below 1Gig you can do only one subinterface.

Gives physical connectivity. .
Setup itself may take a lot of time to run the physical cable.

Question 64

with direct connect you are not using static routes

Answer 64

You can only use BGP

Question 65

setup multiple direct connect for redundance

Answer 65

yes. You can route to a particular Directo connect using BGP

Question 66

Private VIF

Answer 66

You can connect to a VPC in the same regioon

Question 67

Direct Connect gW is an add on component

Answer 67

Aloows connections from VPC to another region

Question 68

PUblic VIF

Answer 68

AWS advertises theprevius list of all the services that yoy can get access to

Question 69

BGP communities

Answer 69

tags that you can put to BGP on your side of the. It can put restriction on how far these routes are propogated

Question 70

BGP communities

Answer 70

tags that you can put to BGP on your side of the. It can put restriction on how far these routes are propagated

Question 71

diirect is not encrypted by default

Answer 71

Create DX. use aws managed VPN over public VIF. it does not get routed through the public router though.

VPN to VGW over public VIF

Question 72

VPN to EC2 instance over private VIF( VPC IP)

Answer 72

full control on connection and different protocol.

Question 73

VPN to EC2 instances overpblic VIF(Elastics IP addres)

Answer 73

if you are going public make sure the IP address is reserved

Question 74

direct connect you could use with a single gw

Answer 74

currently DX allows multiple account. But for test puposes it is tied back to a single account.

Question 75

Trasitive routing: direct connect

Answer 75

Direct connect gets access to interface endpoints

Question 76

Edge2Edge via proxy

Answer 76

Proxy route table

Question 77

vpce

Answer 77

vpc endpoint

Question 78

Trasit VPC

Answer 78

Transit VPC architecture allows you to connec to any remote network wile transiting all traffic through a pair of EC2 instances. Spokes VPC connect via VPN to Trnsit VPC. There is no boundary on where Spoke VPC is located
use VGW in spoke

Question 79

Detached VPW

Answer 79

if you have 1Gig or lowe connection to keep your cost down. There is a different pricing

Question 80

To recover from failure

Answer 80

use CFD, DPD, BGP timers

Question 81

enableDNsHostnames=true

enableDnsSupport=true

Answer 81

enables private zones. enable friendly names

How can you queyr private zone in VPC from corporte network

Question 82

Hybrid DNS

Answer 82

Provide DNS integration between on-remises and AWWS

tThe ability to

Question 83

classic vs network

Answer 83

Layer4

Question 84

where does AWS WAF run by default

Answer 84

it runs on all the edge locations. Like cloud front and route 53
How WAF is also available on the ALB

Question 85

What is targeted for each target group

Answer 85

health check. LB are per target groups

Question 86

Cloudfront is a CDN

Answer 86

caching at edge locations

Question 87

Regional edge caches

Answer 87

cache of the cache.

Question 88

cloudTrail is on by default

Answer 88

one per region. take aways the logs from the owners . Get it to another bucket

Question 89

VPC flows logs

Answer 89

clear show

Question 90

AWS config service

Answer 90

1) record config changes
2) time serial view of resource changes
3) archive and compare

Question 91

AWS config rules( lambda functions)

Answer 91

Assess changes against your security policy( none of hte s3 buckets are public. example)
enforce best practice
Can be hooked onto to SNS( There is some automatic remediation built in in the latest version)

Question 92

ALB configuration

Answer 92

listener, listener-rules

Question 93

You can connect VPC over internet or VPC peering

Answer 93

VPC peerign should be accepted, and route table updated on both sides

Question 94

VPC peering with another regioon is possible and across multiple AWS accounts

Answer 94

must not have overhapping ip address

Question 95

VPC peering- things to know

Answer 95

can referece nsecurity gorups from

Question 96

Connecting to on-premises network

Answer 96

Site2Site VPN - VGW

Virtual private gateway and give a ASN number to it. Either you can give one ASN(custom) or AWS can generate one

Question 97

When you provision VPG it creates two different endpoints on AWS for resiliency.

Answer 97

1xVPN connection = 2x VPN tunnels

Question 98

AWS direct connect

Answer 98

physical connection 1G to 10G

Question 99

Three types of VIF’s

Answer 99

Private, Transit and Public

Question 100

Private VIF

Answer 100

Used to connect to Amazon

Question 101

Route propagation

Answer 101

Enable propagation of route table or you will have to speicify it manually

Question 102

AWS Transit VIF

Answer 102

VPC peering cannot be handles at scale. AWS transit gateway addresses this problem

Question 103

Route 53 resolver

Answer 103

VPC+2 resolver
enableDnsHostnames
enableDnsSupport
DNS hostnames( fully qualified domain names), if you have a public

Question 104

Route 53 resolver end points

Answer 104

Inbound ENI( requires forwarding rule in corporate DNS server)
Route 53 outbound end point and define a rule to forward to corporate DNS servers

Question 105

DNS

Answer 105

if you have to share between account you need resource access manager

Question 106

AWS managed VPC’s

Answer 106

RDS runs on it and publishes a ENI in your subnet

Question 107

Lambda service VPC

Answer 107

VPC2VPC NAT(V2N) instead of lamba inserting numerouse interfaces into your subbet. It can pool into a specific endoint on Lambda VPC

Question 108

Lambda service VPC

Answer 108

VPC2VPC NAT(V2N) instead of lamba inserting numerouse interfaces into your subbet. It can pool into a specific endoint on Lambda VPC