Flashcards

1
Q

How many bytes of the body part of a request does AWS WAF consider?

A

It depends on the entity being protected by WAF.
- CloudFront distributions: up to 64 KB (default: 16 KB)
- Others: 8 KB
Exam questions will likely ask for the 8 KB limit only.

Last review: 2023-07-28
Source: https://docs.aws.amazon.com/waf/latest/developerguide/waf-oversize-request-components.html

2
Q

How can you run multiple types of Layer 3 (IP) networks over a single DX connection?

A

Using separate VLANs between the customer router and the AWS router in the DX location, and separate VIFs between the AWS router and the AWS Region.

3
Q

What’s the maximum number of VIFs on a single (dedicated) DX connection?

A

50 public/private VIFs + 1 transit VIF

4
Q

What’s the maximum number of VIFs on a single hosted DX connection?

A

1 VIF

5
Q

What’s layer 2 adjacency?

A

It means that two routers can communicate directly with each other, i.e. exchange frames directly with each other.

6
Q

What does BGP use for authentication?

A

MD5

7
Q

How can you extend a VLAN/BGP session to a customer site when using a service (COMS) provider?

A

Using Q-in-Q

8
Q

What’s the networking standard for VLAN?

A

802.1Q

9
Q

Which ASN range is reserved for private usage?

A

16-bit: 64,512 - 65,534
32-bit: 4,200,000,000 - 4,294,967,294

Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/

10
Q

What’s VLAN 0 reserved for?

A

It stands for “NO VLAN”

11
Q

What’s VLAN 1 often used for?

A

For the management VLAN

12
Q

What problem does QinQ (802.1AD) solve?

A

COMS providers that provide a single physical connection for multiple clients may have clients that use the same VLAN numbers. QinQ solves that by adding an additional header to the Ethernet frame.

13
Q

What’s a C-TAG and what is it used for?

A

It stands for customer tag and refers to the 802.1Q header.

14
Q

What’s an S-TAG and what is it used for?

A

It stands for service tag and refers to the 802.1AD header that service providers use to isolate customer traffic from each other (Q-in-Q).

15
Q

What is happening when traffic in a Q-in-Q scenario arrives at the service provider (COMS provider) network?

A

The COMS provider adds the S-TAG to ensure traffic from different customers is isolated against each other.

16
Q

What is happening when traffic in a Q-in-Q scenario leaves the service provider (COMS provider) network?

A

The COMS provider strips away the S-TAG to ensure customers only see their own VLAN IDs (via the 802.1Q header), but not the VLAN IDs of other customers.

17
Q

What two types of ports exist on a switch in the context of 802.1Q?

A

Access ports and trunk ports

18
Q

What’s a trunk port used for on a switch in the context of 802.1Q?

A

It’s a connection between two 802.1Q-capable devices that carries tagged frames, so the VLAN IDs are preserved (exchanged) as traffic flows between those devices.

19
Q

In the context of 802.1Q, does an access port on a switch use VLAN tagging when sending data to a client?

A

No. Access ports use “regular” ethernet frames.

20
Q

What is the main criterion to consider when choosing between dynamic vs static routing in a site-to-site VPN connection?

A

Whether the router supports BGP advertising - if so, choose dynamic routing, otherwise choose static routing.

21
Q

What’s a single IPsec tunnel’s maximum throughput in Gbps?

A

1.25 Gbps

22
Q

How can you scale a VPN tunnel beyond the maximum limit of 1.25 Gbps?

A

By using Transit Gateway with equal cost multi-path (ECMP) routing enabled over multiple VPN tunnels.

23
Q

What’s the maximum throughput of Transit Gateway?

A

50 Gbps

24
Q

Can you access an S3 bucket that is located in eu-central-1 via a public VIF that is connected to us-east-1?

A

Yes

25
Q

How is information on BGP communities exchanged between systems?

A

Via labels/tags that are attached to advertised prefixes (so essentially, metadata)

26
Q

Which well-known BGP community tag is used to instruct that the prefix shall not be advertised to any peers?

A

NO_ADVERTISE

27
Q

What format does a regular BGP community label/tag have?

A

AS_NUMBER : OPERATOR_ASSIGNED_VALUE
(32 bit value, split into 2x16 bit)

28
Q

What does the BGP community tag “7224:9100” stand for?

A

Instructs AWS to advertise the prefix that this tag is attached to only in the local AWS region

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html

29
Q

Which well-known BGP community tag is used by AWS on public prefixes to instruct that advertisements are not shared with external peers?

A

NO_EXPORT

30
Q

What does the BGP community tag “7224:9200” stand for?

A

Instructs AWS to advertise the prefix that this tag is attached to only on the current continent

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html

31
Q

What does the BGP community tag “7224:9300” stand for?

A

Instructs AWS to advertise the prefix that this tag is attached to globally

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html

32
Q

If no BGP community tag is attached to an advertised prefix, how far (local region, continent, globally) is the prefix advertised?

A

Globally

33
Q

What does the BGP community tag “7224:7100” stand for?

A

Indicates a “low preference”, i.e. low priority, for traffic

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html

34
Q

What does the BGP community tag “7224:8100” stand for?

A

Routes that originate from the same AWS Region with which the AWS Direct Connect point of presence is associated

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html

35
Q

What is AS Number 7224 used for?

A

It’s the AS Number owned by Amazon.com, used to advertise prefixes and BGP communities for Direct Connect.

36
Q

What is BFD and where is it enabled?

A

Bidirectional Forwarding Detection - protocol for detecting failed routing paths, allowing quick recovery. Enabled by default on the AWS side, but needs to be enabled on the on-prem router (if not already done) to benefit from quicker recovery times.

37
Q

What does the BGP community tag 7224:7300 indicate?

A

“High preference” of the associated path for returning traffic. For example, would be preferred over a path that has 7224:7200 (medium preference) as a tag.

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html

38
Q

Can you attach multiple VGWs to a VPC at the same time?

A

No

39
Q

What VPN connectivity type does AWS VPN CloudHub support? (site-to-site VPN, client VPN, etc.)?

A

Site-to-site VPN, i.e. connectivity between multiple VPCs and remote networks. But NOT client VPN.

40
Q

How can you configure an EC2 instance to use jumbo frames?

A

Either by shell command (sudo ip link set dev eth0 mtu 1500) or by modifying the Ethernet interface’s configuration file (which differs per Linux distribution).

41
Q

What is the private CIDR range for a class A network?

A

10.0.0.0 - 10.255.255.255

42
Q

What is the IP address range for a class B network?

A

172.16.0.0 - 172.31.255.255

43
Q

What is the private CIDR range for a class C network?

A

192.168.0.0 - 192.168.255.255

44
Q

Does Auto-negotiation for a port have to be disabled in order to use DX?

A

It depends. For any ports with speeds higher than 1 Gbps: yes. For 1 Gbps ports it may be enabled, depending on the DX endpoint serving the connection.

Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

45
Q

Is 802.1Q VLAN encapsulation a hard requirement to use DX?

A

Yes. And that’s needed for the entire connection, so including any intermediate devices.

Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

46
Q

Which protocol and authentication does the client device have to support to be able to use DX?

A

Border Gateway Protocol (BGP) and BGP MD5 authentication.

Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

47
Q

Which Internet Protocol versions does DX support?

A

IPv4 and IPv6

Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

48
Q

What Ethernet frame sizes (i.e. at OSI layer 2 / link layer) does AWS Direct Connect support?

A

1522 or 9023

Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html

49
Q

Does VPC peering work across regions?

A

Yes

Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html

50
Q

What pricing model does VPC peering use?

A

The peering is free. Charges only apply for data transfers between AZs or regions.

Last updated: 2023-09-29
Source: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html#vpc-peering-pricing

51
Q

If you want to connect VPCs with each other, at which number of VPCs is it a good idea to consider alternatives to VPC peering?

A

~10

Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html

52
Q

Is Transit Gateway a global or regional resource?

A

Regional. But you can create peerings between Transit Gateways.

Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html

53
Q

What is the maximum number of Transit Gateways that you can connect over a single Direct Connect connection?

A

3

Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html

54
Q

What is a Transit VPC and how does it work?

A

Transit VPCs are a hub-and-spoke style network pattern where a central VPC (the transit VPC, or hub) connects other networks (VPCs, on-prem networks) through VPN (usually using BGP over IPSec).

It requires EC2 instances on which the VPN and routing software (sometimes also additional software such as an IDP) runs, so it may incur higher cost and operational burden than other solutions. On the other hand, it offers a lot of flexibility.

Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html

55
Q

What is the maximum bandwidth per VPN tunnel?

A

1.25 Gbps

Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/

56
Q

How many VPN tunnels are used per VPN connection?

A

2, each with 1.25 Gbps throughput

Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/

57
Q

What is a Virtual private gateway (VGW) and what is it used for?

A

A virtual private gateway (VGW) is part of a VPC that provides edge routing for AWS managed VPN connections and AWS Direct Connect connections. It’s the endpoint on the AWS side that a VPN or Direct Connect connection goes to.

Last updated: 2023-08-31
Sources:
- https://aws.amazon.com/vpc/faqs/
- https://aws.amazon.com/vpn/faqs/
- https://aws.amazon.com/directconnect/faqs/

58
Q

What ASNs can I use to configure my Customer Gateway (CGW)?

A

ASNs in the range 1 - 2,147,483,647 can be used, with noted exceptions.

Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/

59
Q

Once the virtual gateway is created, can I change or modify the Amazon side ASN?

A

No, you cannot modify the Amazon side ASN after creation. You can delete the virtual gateway and recreate a new virtual gateway with the desired ASN.

Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/

60
Q

How many VPCs are supported per (private) VIF when using Direct Connect Gateway?

A

10

Last updated: 2023-08-24
Source: https://aws.amazon.com/directconnect/faqs/

61
Q

How many Transit Gateways can be associated with an AWS Direct Connect gateway?

A

Up to 3.
So that’s 3 TGWs per Transit VIF. And you can only have 1 Transit VIF per DX connection.

Last updated: 2023-08-24
Source: https://aws.amazon.com/directconnect/faqs/

62
Q

How many Transit VIFs are supported per Direct Connect connection?

A

Only 1

Last updated: 2023-08-24
Source: https://aws.amazon.com/directconnect/faqs/

63
Q

Does AWS Transit Gateway Connect support static routes?

A

No, AWS Transit Gateway Connect does not support static routes. BGP is a minimum requirement.

Last updated: 2023-08-24
Source: https://aws.amazon.com/transit-gateway/faqs/

64
Q

Does AWS Transit Gateway support IPv6?

A

Yes, AWS Transit Gateway supports attaching Amazon VPCs with IPv6 CIDRs.

Last updated: 2023-08-24
Source: https://aws.amazon.com/transit-gateway/faqs/

65
Q

What is the maximum number of Transit Gateways per account? And can that be adjusted?

A

5 - and yes, it can

Last updated: 2023-08-24
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html

66
Q

What is the maximum number of attachments per Transit Gateway? And can that be adjusted?

A

5000 - and no, it cannot

Last updated: 2023-08-24
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html

67
Q

What is the maximum number of Transit Gateway attachments per VPC? And can that be adjusted?

A

5 - and no, it cannot

Last updated: 2023-08-24
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html

68
Q

What is a transit VIF attached to?

A

The only resource type it can be attached to is a Direct Connect gateway. From the DX gateway, up to three Transit Gateways (TGWs) can be attached.

69
Q

What is the Generic Routing Encapsulation (GRE) tunnel protocol and in which context is it used in an AWS networking environment?

A

Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks. It’s used by Transit Gateway’s “Connect” feature to ensure high performance. After creating a Connect attachment, one or more GRE tunnels (referred to as Transit Gateway Connect peers) are created between the TGW and a third-party appliance.

Last updated: 2023-09-06
Source: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html

70
Q

What is Transit Gateway Connect?

A

It allows establishing connectivity between SD-WAN infrastructure (third-party appliances) and AWS.

Last updated: 2023-09-06
Source: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html

71
Q

What are reasons to choose a Transit VPC over Transit Gateway?

A
  • Allows for deploying third-party vendor software for routing, layer 7 firewalls, IPS and IDS (which customers may also use on-prem, so management is easier for them)
  • Enables non-AWS-native connectivity such as peering regular AWS regions with GovCloud regions

Last updated: 2023-09-06
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-vpc-solution.html

72
Q

Does Transit Gateway support transitive routing?

A

Yes

Last updated: 2023-09-06
Source: https://docs.aws.amazon.com/prescriptive-guidance/latest/integrate-third-party-services/architecture-3.html

73
Q

What are key elements of the architecture of a transit VPC?

A
  • Hub-and-spoke model with one central VPC (the transit VPC) and multiple spoke VPCs
  • VPCs connected through VPN connections (typically BGP over IPSec)
  • Central VPC contains multiple EC2 instances running third-party routing software

74
Q

What are the basic elements of an AWS PrivateLink architecture?

A

On the service provider side, a VPC endpoint service that points to a Network Load Balancer (NLB), which points to the application. On the consumer side, an interface endpoint that points to the VPC endpoint service.

75
Q

What is the difference between a VPC endpoint and a VPC endpoint service?

A

VPC endpoints are used to access AWS services. VPC endpoint services are used to expose applications hosted in a VPC to other AWS accounts (client-server or provider-consumer model).

76
Q

What is the primary use case of a private NAT Gateway?

A

Connecting VPCs with each other that have overlapping CIDR blocks

Last updated: 2023-09-11
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/private-nat-gateway.html

77
Q

What four options are there to establish VPN connectivity with AWS?

A

1) VPN via Transit Gateway
2) VPN via vendor software hosted on EC2
3) VPN via Virtual Private Gateway
4) VPN via client VPN endpoint

Last updated: 2023-09-11
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/hybrid-connectivity.html

78
Q

What is the difference between private and public VIFs regarding connectivity to AWS regions, when no Direct Connect Gateway is involved?

A

Public VIFs can access all AWS regions while private VIFs can only access VPCs in the same region as the DX location.

Last updated: 2023-09-12
Source: https://learn.cantrill.io/courses/1231680/lectures/31664371

79
Q

What is the maximum number of VPCs you can connect over a single Direct Connect connection when not having Transit Gateway involved in the architecture?

A

500 VPCs (1 DX supports 50 private VIFs, each of which can have a single DX Gateway; and 1 DX GW supports up to 10 VGWs => 50 * 10 = 500)

80
Q

What is static routing?

A

Static routing means that network routes are preconfigured on the routing device, usually by a network administrator, and rarely changed afterwards. This is in contrast to dynamic routing, where routes are automatically learned and updated by the devices exchanging routing information with each other using the Border Gateway Protocol (BGP). Both types can be used in conjunction.

81
Q

True or False? The Internet-routable IP address for your Customer Gateway must be static.

A

True - Yes, it must be static and may be behind a device performing network address translation (NAT).

82
Q

What Autonomous System Number (ASN) is reserved in all AWS Regions if you want to establish a Site-to-Site VPN?

A

7224

83
Q

What is the default Autonomous System Number (ASN) in an AWS VPN connection?

A

65000

84
Q

True or False? If you don’t have a public ASN, you can use a private ASN in the range of 64,512–65,534.

A

True

85
Q

What is the VPN concentrator on the Amazon side of the site-to-site VPN connection?

A

Virtual Private Gateway

86
Q

What does the “Enable Acceleration” option in your AWS VPN configuration do?

A

It launches a total of two AWS Global Accelerators for your VPN connection, one for each VPN tunnel.

87
Q

What is the Customer Gateway?

A

A resource in AWS that represents the physical/software device residing on your on-premises network. It is your side of the Direct Connect or Site-to-Site VPN connection on premises.

Last updated: 2023-10-25
Sources:
- https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect.html
- https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html

88
Q

True or False? An AWS VPN connection supports Path MTU Discovery.

A

False, it does not support it.

89
Q

True or False? IPv6 traffic is supported for VPN connections with a Virtual Private Gateway.

A

False, it is not supported. You have to use a Transit Gateway to enable IPv6 connectivity within the tunnel.

Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/ipv4-ipv6.html

90
Q

What type of certificate is associated with the Customer Gateway in a certificate-based VPN using AWS Site-to-Site VPN?

A

A Private Certificate issued from the AWS Certificate Manager (ACM) Private Certificate Authority.

90
Q

True or False? AWS recommends using AS PATH prepending for Customer Gateway devices that support asymmetric routing. And why is that?

A

False, AWS does NOT recommend using AS PATH prepending. This is to ensure that, instead of the AS PATH, the MED that AWS manages on the tunnel can be used for determining the route with the highest priority. This generally leads to higher availability, as the MED is updated by AWS when necessary, while with AS PATH prepending the customer would have to manage this.

Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html

91
Q

What does MED stand for and what is it used for?

A

Stands for multi-exit discriminator (MED) and helps to decide which route takes priority. For routes that have the same AS PATH length, and if the first AS in the AS_SEQUENCE is the same across multiple paths, the MED value is compared for both routes and the route with the lower MED value takes priority.

Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html

92
Q

Does certificate-based authentication in AWS VPN use digital certificates instead of pre-shared keys for IKE authentication?

A

Yes, this is possible by using AWS Certificate Manager Private Certificate Authority

Last updated: 2023-09-26
Source 1: https://repost.aws/knowledge-center/vpn-certificate-based-site-to-site
Source 2: https://aws.amazon.com/about-aws/whats-new/2019/08/aws-site-to-site-vpn-now-supports-certificate-authentication/

93
Q

What is Direct Connect gateway used for mainly?

A

It allows connecting to multiple VPCs via a single private VIF, even across different AWS regions or different AWS accounts.

Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html

94
Q

Which VIF types can you use with Direct Connect gateway?

A

Private and Transit VIFs only. Public VIFs are not supported, as connecting to public AWS services in other AWS Regions is supported out-of-the-box with a regular Direct Connect connection, even though the connection always goes to a regional DX location.

Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html

95
Q

What AWS resource do you implement to reduce latency by routing traffic to the application endpoint closest to the users?

A

AWS Global Accelerator

Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-how-it-works.html

96
Q

What do you use to aggregate multiple connections at a single Direct Connect endpoint for a single managed connection?

A

Link aggregation group (LAG)

Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html

97
Q

Can Transit Gateway Connect attachments establish a connection to third-party SD-WAN virtual appliances? If so, using what?

A

Yes, using Generic Routing Encapsulation (GRE) tunnels

Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html

98
Q

Which condition do you use with AWS WAF to implement a web filtering solution to automatically block web requests from a list of blacklisted countries?

A

Geo match condition

Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html

99
Q

What features of CloudFront can you use to prevent users in geographic locations from accessing a website’s static content?

A

Geo-Restriction and Origin Shield features in your CloudFront distribution

Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html

100
Q

What are different types of transit gateway attachment types?

A

One or more of the following:
- VPC
- VPN connection
- Direct Connect gateway
- Transit Gateway Connect
- Transit Gateway Peering

Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html

101
Q

What service provides a global view of your private network, allowing you to manage your AWS and on-premises resources and seamlessly integrate with your SD-WAN solutions?

A

AWS Transit Gateway Network Manager

Last updated: 2023-10-19
Source: https://aws.amazon.com/about-aws/whats-new/2019/12/aws-announces-aws-transit-gateway-network-manager/

102
Q

What is causing an ErrorPortAllocation error on a NAT Gateway and how can you resolve it?

A

This error occurs when the NAT Gateway reaches its maximum of 55,000 simultaneous connections. This can be resolved by distributing multiple NAT Gateways across multiple AZs. It’s also best practice to limit the maximum number of connections on the client side and to close connections as soon as possible, to avoid high numbers of simultaneous connections.

Last updated: 2023-09-27
Source: https://repost.aws/knowledge-center/vpc-resolve-port-allocation-errors

103
Q

If you want to allow DNS queries to be resolved even when the DNS Firewall in Route 53 is impaired, what do you have to configure? And what implication does that have?

A

Within the VPC settings of Route 53, you need to activate the “fail open” option. This means the system will favor availability over security.

Last updated: 2023-09-27
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-vpc-configuration.html

104
Q

What is the default setting in Route 53 for the DNS Firewall “fail open” option?

A

By default it’s deactivated (= “fail closed”), which means that DNS queries won’t be resolved when the DNS Firewall is impaired or unavailable. This approach favors security over availability.

Last updated: 2023-09-27
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-vpc-configuration.html

105
Q

What service is available behind 169.254.169.123 within AWS VPC? And do you need Internet Access to access it?

A

Amazon Time Sync Service
No, no internet access needed.

Last updated: 2023-09-27
Source: https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/

106
Q

Which intrinsic function in CloudFormation is a valid one? Fn::Cidr or Fn::CidrBlock?

A

Fn::Cidr

107
Q

What are the three factors that determine pricing for AWS Direct Connect?

A

Capacity, port hours, and data transfer out (DTO)

Last updated: 2023-09-27
Source: https://aws.amazon.com/directconnect/pricing/

108
Q

What is DPD and in what context is it used?

A

Stands for dead peer detection; it is a configurable timeout when setting up an AWS Site-to-Site VPN connection. It defines the duration, in seconds, after which a DPD timeout occurs.

Last updated: 2023-09-27
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html

109
Q

What are Phase 1 and Phase 2 Diffie-Hellman (DH) group numbers and in which context are they used?

A

They’re options that can be defined when setting up an AWS Site-to-Site VPN connection. They specify the DH group numbers that are permitted for the VPN tunnel for phase 1 and phase 2 of the IKE negotiations.

Last updated: 2023-09-27
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html

110
Q

What is MPLS?

A

“Multiprotocol Label Switching” - an encapsulation protocol used in many service provider and large-scale enterprise networks. Instead of relying on IP lookups to discover a viable “next hop” at every single router within a path (as in traditional IP networking), MPLS predetermines the path and uses a label-swapping push, pop, and swap method to direct the traffic to its destination.

111
Q

What does ECMP stand for, in which context is it used and for what?

A

Equal-cost multi-path routing. Used in the context of AWS Site-To-Site VPN when it’s required to connect more than one tunnel to a Transit Gateway. That way, VPN connections can scale beyond the regular limit of 1.25 Gbps.

Last updated: 2023-09-28
Source: https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-vpn-throughput-using-aws-transit-gateway/

112
Q

Which VIF types support jumbo frames?

A

Private VIFs and transit VIFs, but not public VIFs

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/set-jumbo-frames-vif.html

113
Q

Are jumbo frames supported for static routes, propagated routes, or both?

A

Only propagated routes when using Direct Connect. Only static routes when using transit gateway.

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/set-jumbo-frames-vif.html

114
Q

What’s the key difference between BGP community tags in the 7224:8* range versus 7224:9* range?

A

7224:8* tags are advertised by AWS (attached to AWS prefixes), while 7224:9* tags are advertised by the customer (attached to the customer’s own prefixes)

115
Q

What is Transit Gateway “appliance mode” used for?

A

Ensures that Transit Gateway uses the same AZ for a VPC attachment for the lifetime of traffic flow between source and destination. Useful when planning to configure stateful network appliances in the VPC, hence the name.

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html

116
Q

Do intermediate devices between two Direct Connect endpoints have to have VLAN trunking enabled or disabled for the 802.1Q VLAN tag?

A

Enabled

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html

117
Q

What is the maximum number of connections that you can have in a link aggregation group (LAG) in AWS Direct Connect?

A

2 when connection = 100 Gbps
4 when connection < 100 Gbps (i.e. 1 Gbps or 10 Gbps)

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html

118
Q

What are the four key differences between Gateway and Interface endpoints?

A

  • Gateway endpoints use public IP addresses, Interface endpoints have private ones
  • Gateway endpoints cannot be accessed from on-prem, Interface endpoints can
  • Gateway endpoints don’t allow access from other AWS regions, Interface endpoints do (via VPC peering or TGW)
  • Gateway endpoints are not billed, Interface endpoints are

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3

119
Q

How many route tables can you assign to a VPC and how many to a subnet?

A

200 per VPC and exactly 1 per subnet

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html

120
Q

Is route propagation enabled or disabled by default in a VPC?

A

Disabled

121
Q

What is DNS64, in which context is it used, and where do you enable it?

A

It’s a translation mechanism so that IPv6-only services can communicate with IPv4-only endpoints. Amazon VPC supports this by enabling it for a subnet. The actual translation then happens through a NAT Gateway and the Route 53 Resolver of the VPC.

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-nat64-dns64.html

122
Q

Can you associate a VPC from an external AWS account to your own private hosted zone in Route 53?

A

Yes. But this requires you to first authorize the VPC association from your account and then have the external AWS account perform the actual association.

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html

123
Q

What is the IP address that is reserved by AWS in each VPC for the DNS server?

A

Depends on the CIDR of the VPC as it’s the base of the VPC network range plus two. For a VPC with a CIDR of 10.0.0.0/24, the DNS server IP is 10.0.0.2, as an example.

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-sizing.html

124
Q

What’s the IPv4 address of the AWS metadata service?

A

169.254.169.254

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html

125
Q

Does Storage Gateway use private or public endpoints?

A

Public endpoints

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/filegateway/latest/filefsxw/using-dx.html

126
Q

What are the parameters that the CloudFormation Fn::Cidr function expects?

A

1: The user-specified CIDR address block to be split into smaller CIDR blocks.
2: The number of CIDRs to generate. Valid range is between 1 and 256.
3: The number of subnet bits for the CIDR. For example, specifying a value “8” for this parameter will create a CIDR with a mask of “/24”.

Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-cidr.html

127
Q

Within the X-Forwarded-For HTTP header, where do you find the client IP address where the request was first made?

A

Left-most in the header

Last updated: 2023-10-19
Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html

128
Q

What is an optional add-on in an Amazon EKS cluster that manages AWS Elastic Load Balancers for the Kubernetes cluster?

A

AWS Load Balancer Controller

Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html

129
Q

What type of AWS Load Balancer will the Load Balancer Controller provision to the Amazon EKS cluster if you create a Kubernetes Ingress?

A

Application load balancer

Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html

130
Q

What type of load balancer will the Load Balancer Controller provision in the Amazon EKS cluster if you create a Kubernetes service of type LoadBalancer?

A

AWS Network Load Balancer

Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html

131
Q

What protocol will the Gateway Load Balancer and its registered virtual appliance instances exchange for the application traffic?

A

GENEVE (Generic Network Virtualization Encapsulation)

Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/gateway-load-balancers.html

132
Q

What is VPC Reachability Analyzer?

A

A feature in the VPC console that allows testing connectivity between a source and destination within a VPC, even across accounts.

Last updated: 2023-10-05
Source: https://aws.amazon.com/blogs/networking-and-content-delivery/visualize-and-diagnose-network-reachability-across-aws-accounts-using-reachability-analyzer/

133
Q

How can you capture traffic that includes the vpc-id and the interface-id?

A

Use VPC flow logs with a custom format.

Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

134
Q

How can you troubleshoot a Direct Connect connection when it’s in DOWN status?

A

  1. Verify physical connection is okay, i.e. checking cross connect, ports, etc. (OSI layer 1)
  2. Verify data link is okay, i.e. VLAN and IP configurations, etc. (OSI layer 2)
  3. Verify network/transport is okay, i.e. BGP and ASN configurations etc. (OSI layer 3/4)

Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html

135
Q

What is a CKN/CAK pair and in which connectivity context of AWS is it used?

A

Stands for Connectivity Association Key Name (CKN) and Connectivity Association Key (CAK). Used by AWS Direct Connect when establishing a connection that is encrypted through MACsec. The customer generates the key pair and assigns it to the Direct Connect connection, as well as to the on-prem device that Direct Connect is connected to.

Last updated: 2023-10-17
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/MACsec.html

136
Q

In which order does a virtual private gateway prioritize the following routes?

  • Manually added static routes for a Site-to-Site VPN connection
  • BGP propagated routes from an AWS Direct Connect connection
  • Lowest Multi-exit discriminators (MEDs)
  • Shortest AS PATH
  • BGP propagated routes from a Site-to-Site VPN connection

A

1/ BGP propagated routes from an AWS Direct Connect connection

2/ Manually added static routes for a Site-to-Site VPN connection

3/ BGP propagated routes from a Site-to-Site VPN connection

4/ Shortest AS PATH

5/ Lowest Multi-exit discriminators (MEDs)

Last updated: 2023-10-17
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html

137
Q

Which port (number and protocol) does BGP use?

A

TCP 179

Last updated: 2023-10-17
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html

138
Q

In which context of AWS is NAT-T relevant, and which protocols and ports are used?

A

AWS uses NAT-T in the context of Site-To-Site VPN. Relevant ports are:
- UDP port 4500 (for IPsec NAT traversal)
- UDP port 500 (for Internet Key Exchange (IKE) packets)
- IP Protocol 50 (for Encapsulating Security Payload (ESP))

Last updated: 2023-10-18
Sources:
- https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-options.html
- https://en.wikipedia.org/wiki/NAT_traversal

139
Q

How do NAT Gateway and NAT instances compare to each other in regards to IP fragmentation?

A

NAT instances support reassembly of fragmented packets for UDP, TCP and ICMP, whereas NAT Gateways support this only for UDP.

Last updated: 2023-10-18
Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html

140
Q

In which context is route propagation used in AWS, and where is it enabled?

A

AWS uses route propagation to dynamically update VPC route tables with information from a VPN Site-To-Site or Direct Connect connection. It’s an option that is enabled on the route table of a VPC.

Last updated: 2023-10-18
Source: https://repost.aws/knowledge-center/routing-dx-private-virtual-interface

141
Q

What are the five network modes of ECS and what are the respective defaults for Linux and Windows based containers?

A

awsvpc, bridge, host, none, default

bridge is the default for Linux-based containers, default is the default for Windows-based containers

Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html

142
Q

What happens regarding network connectivity in ECS if “bridge” is selected as network mode?

A

The ECS task uses Docker’s built-in virtual network on Linux, which runs inside each Amazon EC2 instance that hosts the task.

Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html

143
Q

What happens regarding network connectivity in ECS if “host” is selected as network mode? And what is a limitation of this mode?

A

The ECS task uses the host’s network which bypasses Docker’s built-in virtual network by mapping container ports directly to the ENI of the Amazon EC2 instance that hosts the task. A port number on a host can’t be used by multiple tasks. As a result, you can’t run multiple tasks of the same task definition on a single Amazon EC2 instance.

Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html

144
Q

What happens regarding network connectivity in ECS if “awsvpc” is selected as network mode?

A

The ECS task is allocated its own elastic network interface (ENI) and a primary private IPv4 address. This gives the task the same networking properties as Amazon EC2 instances.

Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html

145
Q

If you want to use Security Groups on ECS tasks, which ECS network mode do you have to use? Bridge or awsvpc?

A

awsvpc

Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html

146
Q

If the primary CIDR in a VPC is 10.0.0.0/16 (10.0.0.1 - 10.0.255.254), can you assign 172.16.0.0/16 (172.16.0.1 - 172.16.255.254) as a secondary CIDR?

A

No. Secondary CIDRs have to be in the same private address range as the primary CIDR, or be a publicly routable CIDR. 172.16.0.0/16 is neither of these (it is a private CIDR according to RFC 1918, but not in the same range as the primary CIDR).

Last updated: 2023-10-21
Source:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html

147
Q

If the primary CIDR in a VPC is 10.0.0.0/16 (10.0.0.1 - 10.0.255.254), can you assign 10.1.0.0/16 (10.1.0.1 - 10.1.255.254) as a secondary CIDR?

A

Yes. Secondary CIDRs have to be in the same private address range as the primary CIDR, or be a publicly routable CIDR. 10.1.0.0/16 is a private CIDR according to RFC 1918 and in the same private address range as the primary CIDR (10.0.0.0/8).

Last updated: 2023-10-21
Source:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html

148
Q

If the primary CIDR in a VPC is 10.0.0.0/16 (10.0.0.1 - 10.0.255.254), can you assign 100.0.0.0/16 (100.0.0.1 - 100.0.255.254) as a secondary CIDR?

A

Yes. Secondary CIDRs have to be in the same private address range as the primary CIDR, or be a publicly routable CIDR. 100.0.0.0/16 is a publicly routable CIDR according to RFC 1918.

Last updated: 2023-10-21
Source:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html

149
Q

What is the maximum number of routes that can be advertised over a BGP session in Direct Connect? What happens when this limit is exceeded?

A

100 each for IPv4 and IPv6. If exceeded, the BGP session will go down.

Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html

150
Q

What port is used by SES for a TLS Wrapper connection?

A

465 or 2462

Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html

151
Q

What port is used by SES for a TLS connection?

A

25, 587, or 2587

Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html

152
Q

What protocol does the Link Aggregation Group (LAG) use to aggregate multiple connections at a single AWS Direct Connect endpoint?

A

Link Aggregation Control Protocol (LACP)

Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html

153
Q

What is CIDR Reservation?

A

A subnet setting to prevent AWS from automatically assigning IPv4 or IPv6 addresses within a CIDR range you specify.

Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-cidr-reservation.html

154
Q

What are the two types of Subnet CIDR reservations in Amazon VPC?

A

Explicit and Prefix

Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-cidr-reservation.html

155
Q

What are Route 53 Resolver Outbound Endpoints used for?

A

They allow DNS queries from your VPC to your on-premises network or another VPC

Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

156
Q

What are Route 53 Resolver Inbound Endpoints used for?

A

They allow DNS queries to your VPC from your on-premises network or another VPC

Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html

157
Q

What do the fields with pkt represent in a VPC flow log when troubleshooting pod-to-pod traffic?

A

They represent the source and destination address of the actual IP packet (the Pod IP). Source and destination fields without a pkt prefix represent the address of the interface the packet is sent from or received on.

Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

158
Q

What (mandatory) attributes do you have to provide when creating a private VIF via Direct Connect?

A

Name, Owner (account), VLAN ID, ASN, the DX connection that the VIF uses and either a VGW or the DX Gateway that the VIF shall connect to.

Last updated: 2023-10-24
Source: https://docs.aws.amazon.com/directconnect/latest/APIReference/API_NewPrivateVirtualInterface.html

159
Q

Can you request a CIDR block from IPAM natively via CloudFormation, or do you have to use a Lambda custom function for this?

A

CloudFormation has native support for this using AWS::EC2::IPAMPool

Last updated: 2023-10-24
Source:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-ipampool.html

160
Q

What is important regarding the ASN when attaching Transit Gateways in different regions to a Direct Connect Gateway?

A

You have to use unique ASNs for each transit gateway.

Last updated: 2023-10-24
Source:
https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-transit-gateways.html

161
Q

Do you associate Transit Gateways with the VPC or the VGW of the VPC?

A

TGW can use the VPC directly and doesn’t need a VGW (unlike Site-To-Site VPN or Direct Connect).

Last updated: 2023-10-24
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html

162
Q

What is PAT?

A

An extension of Network Address Translation (NAT) that permits multiple devices on a LAN to be mapped to a single public IP address to conserve IP addresses. Relevant for AWS Direct Connect for example, where the on-prem router does the translation.

Last updated: 2023-10-24
Source: https://repost.aws/knowledge-center/connect-private-network-dx-vif

163
Q

If a key-signing key (KSK) in Route 53 DNSSEC changes its status to Action needed (or ACTION_NEEDED in a KeySigningKey status), what is the root cause?

A

This occurs if Route 53 loses access to a corresponding AWS KMS key (due to a change in permissions or AWS KMS key deletion).

Last updated: 2023-10-24
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-troubleshoot.html

164
Q

What are the two types of keys used by DNSSEC?

A

key-signing key (KSK) and a zone-signing key (ZSK)

Last updated: 2023-10-24
Source: https://simpledns.plus/help/definition-dnssec

165
Q

What is a KSK used for?

A

Used in the context of DNSSEC to sign the public key records (DNSKEY) for a zone.

Last updated: 2023-10-24
Source: https://simpledns.plus/help/definition-dnssec

166
Q

What KMS key type is a key-signing key (KSK) based on?

A

asymmetric customer managed key

Last updated: 2023-10-24
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec.html

167
Q

How does AWS Private IP Site-to-Site VPN work, i.e. what services and components are involved, and what advantages does it have over Public IP Site-To-Site VPN?

A

It uses Direct Connect with a transit VIF that’s connected to a Transit Gateway via a Direct Connect Gateway. Benefits are:
- simplified management (vs. self-managed VPN)
- improved security (vs. public IP Site-To-Site VPN)
- higher route scale (vs. standalone Direct Connect)

Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/private-ip-dx.html

168
Q

Which BGP community value does AWS apply to routes pointing to global AWS services?

A

No tag. Note that there’s also the 7224:8300 tag that has the same meaning, which isn’t applied by AWS though.

Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html

169
Q

What type of authentication key does Direct Connect support to use for BGP MD5 authentication? AWS-managed, customer-managed, or both?

A

Both

Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html

170
Q

What is the attribute called that defines the number of active member connections below which the LAG members will be logically disabled?

A

Minimum links

Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-lag.html

171
Q

How many virtual interfaces (VIFs) can an AWS Direct Connect-hosted connection support?

A

Only a single virtual interface (VIF)

Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html

172
Q

Can you associate a Direct Connect Gateway directly with a VPC?

A

No, this requires a VGW. Transit Gateways however can be attached directly to VPCs.

Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html

173
Q

How many TGW route tables can be associated with each Transit Gateway attachment?

A

Exactly one

Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html

174
Q

By default, each Transit Gateway attachment may propagate to how many TGW route tables?

A

TGW attachments may propagate to as many route tables as the TGW can support, which by default is 20.

Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html

174
Q

When routes are evaluated by a Transit Gateway, what is the order of priority of the following route types?

  • Transit Gateway Connect propagated routes
  • Prefix list referenced routes
  • Transit Gateway peering propagated routes (Cloud WAN)
  • VPC propagated routes
  • Static routes
  • Site-to-Site VPN propagated routes
  • Direct Connect gateway propagated routes

A

  • Static routes
  • Prefix list referenced routes
  • VPC propagated routes
  • Direct Connect gateway propagated routes
  • Transit Gateway Connect propagated routes
  • Site-to-Site VPN propagated routes
  • Transit Gateway peering propagated routes (Cloud WAN)

Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html

175
Q

When using equal cost multi-path (ECMP) with Transit Gateway as a Site-To-Site VPN solution, does it support static routes, dynamic routes, or both?

A

Only dynamic routes (using BGP)

Last updated: 2023-10-25
Source:
https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-transit-gateway-vpn.html

176
Q

What is the MTU for VPC peerings?

A

9001 for inter-region peerings, 1500 for cross-region peerings

Last updated: 2023-10-25
Source:
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html

177
Q

Can you use Simple AD to resolve DNS queries of AWS VPC as well as on-prem resources?

A

Yes and no. Resolving AWS VPC resources works out-of-the-box with Simple AD, but to resolve on-prem resources, you’ll have to use a separate DNS resolver (such as an EC2-hosted DNS server).

Last updated: 2023-10-26
Source: https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/

178
Q

Can you forward DNS requests for VPC resources to Route 53 Resolver from on-prem?

A

Yes, but not directly, i.e. you cannot send the DNS request to the VPC +2 IP address (the IP address of the DNS resolver). Instead you have to create a Route 53 Inbound Resolver Endpoint first and send DNS requests to the address of that endpoint.

Last updated: 2023-10-26
Source: https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/

179
Q

Can you connect to an S3 Gateway endpoint via a Site-To-Site VPN connection that ends in a VGW?

A

No. VGWs do not support transitive routing, therefore, the Gateway endpoint won’t be accessible.

180
Q

How do you set up an Active/Active Direct Connect connection using a private or transit VIF?

A

Set up two connections where advertised prefixes, local preference, autonomous system (AS) path, and Multi-Exit Discriminator (MED) values are the same.

Last updated: 2023-10-26
Source: https://docs.aws.amazon.com/architecture-diagrams/latest/active-active-and-active-passive-configurations-in-aws-direct-connect/active-active-and-active-passive-configurations-in-aws-direct-connect.html

181
Q

How do you set up an Active/Passive Direct Connect connection using a private or transit VIF?

A

Set up two connections and have the “Active” connection using a longer (more specific) prefix, or higher local preference (for example 7224:7300), or shorter autonomous system (AS) path, or lower Multi-Exit Discriminator (MED).

Last updated: 2023-10-26
Source: https://docs.aws.amazon.com/architecture-diagrams/latest/active-active-and-active-passive-configurations-in-aws-direct-connect/active-active-and-active-passive-configurations-in-aws-direct-connect.html

182
Q

What effect does it have when a VPC has the tenancy set to “dedicated”?

A

Any EC2 instances launched in that VPC will automatically be dedicated instances.

Last updated: 2023-10-26
Source:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html#dedicated-howitworks

183
Q
A