advanced networking Flashcards
network layer
Switches route based on MAC address.
Datalink layer
MAC address
Network layer
IP address: where we are going to send it to, where it is being sent.
Transport layer
How it is being sent. Concerned with how it is going to be sent: TCP, UDP.
overhead of TCP
web browser
TCP
DDoS attacks
Protection at multiple layers
Load balancers protect at
layer 3-4 DDoS attacks
Class A, B, C
8, 16, 24
Unicast only in AWS
No broadcast and no multicast.
Why create multiple subnets within an AWS VPC
Security isolation.
network address vs host address
10.0 is the network address. The last address cannot be used, as it is reserved for broadcast, although there is no broadcast in AWS.
range of addresses in AWS
/16 to /28
Can a VPC have the same network as a subnet
Yes.
IPv6 addresses are automatically assigned by AWS
They are all public. You don't want to communicate via public?
::/0 is equivalent to all.
Link-local prefix fe80::/64 is not routable (169.254 on IPv4).
secondary CIDR blocks
You can add additional CIDR blocks to a VPC.
You can add 4 additional.
Total 5 CIDRs.
To extend the CIDR you have
it has to be contiguous.
DHCP options
EC2 gets its gateway and IP via Dynamic Host Configuration Protocol.
Set up a DHCP option set to get control over the IP and other configuration.
security group when created
Does not allow anything in; everything is allowed out.
A security group is linked to a resource.
It is an instance-level firewall, but that is not the complete description. A security group is attached to the network adapter. You can have multiple security groups per ENI.
When do you use a security group
Always.
NACL: when
You use it when you need to deny. You have to open up a wide range of ports outbound.
ephemeral ports
1024 and above, up to 65000.
Every subnet has a route table inside
The initial route table comes from the VPC.
Main route table: everything.
internet gateway
0-1 per VPC.
How do you create a public subnet
Create an internet gateway, then modify the route table to point to the internet gateway.
NAT gateway
Lets a resource in a private subnet communicate with the internet. The NAT GW should be in a public subnet. One-way door.
VPC peering
Done by creating the route. Choose the VPC; the owner of the VPC should accept it, then modify the route table.
VPCs can be in any region for peering, but inter-region traffic can generate cross-region traffic cost.
Requester's DNS vs accepter's DNS.
How does DNS work in peering?
VPC endpoints
Provide local (non-internet) access to services. Avoids the performance and security problems of going over the internet.
2 types of endpoints
Gateway endpoints and interface endpoints.
Gateway endpoint
Amazon S3 and Amazon DynamoDB.
Interface (powered by AWS PrivateLink)
Unlike a GW EP,
an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported AWS service.
GW EP
Pick S3 or DynamoDB, link it to the VPC and also target specific subnets. A GW endpoint relies on the route table.
Just changing the route controls the flow of traffic.
How do you secure a GW connection? Resource policy.
GW endpoints also have policies attached. The policy on a GW EP comes with no restrictions by default.
Policies govern what specific activity you want to allow, like API GET vs PUT. They can restrict the resources that you can connect to.
If you are routing
Interface-based EP
Kinesis, drops and Network table that .
Use the name for the interface.
Since it is an interface, you can secure it by attaching a security group.
No route table updates are necessary for an interface-based EP. Private DNS gets created automatically.
PrivateLink
It is fronted with a Network Load Balancer.
An instance can be multihomed and attached to two different VPC subnets as long as
the VPCs are in the same AZ.
EBS volumes
same AZ
EC2 Networking (optimized for EBS)
Has dedicated throughput. A portion of bandwidth is dedicated. Lots of instance types are EBS-optimized.
Network performance
25 Gig to 10 Gig (note: lately it has gone up to 100G).
Enhanced networking (we want better network performance)
When you enable EN on an instance, SR-IOV allows it to bypass the hypervisor and get direct access to the host network adapter.
Elastic Network Adapter (ENA) gives higher network speeds.
Device pass-through
Intel Data Plane Development Kit (DPDK)
EC2 networking: placement group
An AZ is a cluster of data centers (3 DCs).
3 types of PG
Cluster PG (instances get physically close to each other for high-speed networking), Partition PG
Amazon EC2 networking
Jumbo frame
MTU (Maximum Transmission Unit): 1500 per data portion of
Jumbo Frame (9001 MTU) increases the data payload in your packets. It makes it more efficient: fewer packets.
Site-2-Site VPN
Data center to AWS.
You can attach only one VGW to a VPC.
The route table decides when to route to the IGW vs the VGW.
VGW
On the customer side of the house you have a routing device called the customer GW. You have 2 tunnels on the VGW. there is auto. A redundant connection does not give 2 times the bandwidth. Because traffic
dynamic vs static
static is not
The test is usually related to dynamic routing.
BGP: dynamic routing.
Border Gateway Protocol
It is primarily used on the internet. Routers send traffic information to the route table. When a route gets added, each router sends that to another.
A distance vector protocol tries to use the shortest path.
BGP makes the decision on how to route the traffic
as soon as there are multiple paths from A to B. In BGP you define an ASN (autonomous system number).
Best Path Selection.
LOCAL_PREF: you modify the route table in BGP.
AS_PATH: if LOCAL_PREF is awaiting.
MED: Multi-Exit Discriminator.
asymmetric routing
Trust is the problem: the request goes in on one path and the response comes back from another. A router will not trust this by default.
LOCAL_PREF is not good for asymmetric routing.
Prepend AS_PATH or use MED.
Prepending AS_PATH can create a fake extension on the path.
AWS VPN CloudHub
Needs BGP. Each GW needs an ASN.
VGW does not initiate IPsec negotiation
The customer starts the connection.
VGW only supports IPsec.
You can use EC2 and install the VPN software and .
Different protocol and low-level control.
AWS on-demand dead peer detection (DPD) mechanism
A function of a router to listen for. Enable it on the customer gateway.
Bidirectional Forwarding Detection, Dead Peer Detection
Both needed for automated failover.
Client2Site VPN
It is not asked in the test.
Client VPN may now be known as AWS VPN.
AWS Direct Connect
Bandwidth, security.
Private connection, dedicated fibre channel, not encrypted by default. Limit is 10 Gig. If you go below 1 Gig you can do only one subinterface.
Gives physical connectivity.
Setup itself may take a lot of time to run the physical cable.
With Direct Connect you are not using static routes.
You can only use BGP.
Set up multiple Direct Connects for redundancy.
Yes. You can route to a particular Direct Connect using BGP.
Private VIF
You can connect to a VPC in the same region.
Direct Connect GW is an add-on component
Allows connections from a VPC to another region.
Public VIF
AWS advertises the prefix list of all the services that you can get access to.
BGP communities
Tags that you can put on BGP on your side of the. They can put restrictions on how far these routes are propagated.
Direct Connect is not encrypted by default
Create DX, then use AWS managed VPN over a public VIF. It does not get routed through the public router though.
VPN to VGW over public VIF
VPN to EC2 instance over private VIF (VPC IP)
Full control on the connection and a different protocol.
VPN to EC2 instances over public VIF (Elastic IP address)
If you are going public, make sure the IP address is reserved.
Direct Connect you could use with a single GW.
Currently DX allows multiple accounts, but for test purposes it is tied back to a single account.
Transitive routing: Direct Connect
Direct Connect gets access to interface endpoints.
Edge2Edge via proxy
Proxy route table
vpce
vpc endpoint
Transit VPC
The Transit VPC architecture allows you to connect to any remote network while transiting all traffic through a pair of EC2 instances. Spoke VPCs connect via VPN to the Transit VPC. There is no boundary on where a Spoke VPC is located.
Use a VGW in the spoke.
Detached VGW
If you have a 1 Gig or lower connection, to keep your cost down. There is different pricing.
To recover from failure
Use BFD, DPD, BGP timers.
enableDnsHostnames=true
enableDnsSupport=true
Enables private zones. Enable friendly names.
How can you query a private zone in a VPC from the corporate network
Hybrid DNS
Provides DNS integration between on-premises and AWS.
The ability to
classic vs network
Layer 4
Where does AWS WAF run by default
It runs on all the edge locations, like CloudFront and Route 53.
WAF is also available on the ALB.
What is targeted for each target group
Health check. LB health checks are per target group.
CloudFront is a CDN
Caching at edge locations.
Regional edge caches
Cache of the cache.
CloudTrail is on by default
One per region. Take the logs away from the owners; get them into another bucket.
VPC flow logs
clear show
AWS Config service
1) record config changes
2) time-series view of resource changes
3) archive and compare
AWS Config rules (Lambda functions)
Assess changes against your security policy (example: none of the S3 buckets are public).
Enforce best practice.
Can be hooked up to SNS (there is some automatic remediation built in in the latest version).
ALB configuration
Listener, listener rules.
You can connect VPCs over the internet or via VPC peering.
VPC peering should be accepted, and the route table updated on both sides.
VPC peering with another region is possible, and across multiple AWS accounts.
Must not have overlapping IP addresses.
VPC peering: things to know
Can reference security groups from
Connecting to an on-premises network
Site2Site VPN - VGW
Virtual private gateway; give an ASN to it. Either you can give one ASN (custom) or AWS can generate one.
When you provision a VGW it creates two different endpoints on AWS for resiliency.
1x VPN connection = 2x VPN tunnels
AWS Direct Connect
Physical connection, 1G to 10G.
Three types of VIFs
Private, Transit and Public.
Private VIF
Used to connect to Amazon.
Route propagation
Enable propagation to the route table, or you will have to specify it manually.
AWS Transit VIF
VPC peering cannot be handled at scale. AWS Transit Gateway addresses this problem.
Route 53 resolver
VPC+2 resolver
enableDnsHostnames
enableDnsSupport
DNS hostnames (fully qualified domain names), if you have a public
Route 53 resolver endpoints
Inbound ENI (requires a forwarding rule in the corporate DNS server). Route 53 outbound endpoint: define a rule to forward to corporate DNS servers.
DNS
If you have to share between accounts you need Resource Access Manager.
AWS managed VPCs
RDS runs on it and publishes an ENI in your subnet.
Lambda service VPC
VPC-to-VPC NAT (V2N): instead of Lambda inserting numerous interfaces into your subnet, it can pool into a specific endpoint in the Lambda VPC.