All cards Flashcards
How many bytes of the body part of a request does AWS WAF consider?
It depends on the entity being protected by WAF.
- CloudFront distributions: up to 64 KB (default: 16 KB)
- Others: 8 KB
Exam questions will likely ask for the 8 KB limit only.
Last review: 2023-07-28
Source: https://docs.aws.amazon.com/waf/latest/developerguide/waf-oversize-request-components.html
How can you run multiple types of Layer 3 (IP) networks over a single DX connection?
Using separate VLANs between Customer and AWS Router in the DX location and separate VIFs between the AWS Router and AWS Region.
What’s the maximum number of VIFs on a single (dedicated) DX connection?
50 public/private VIFs + 1 transit VIF
What’s the maximum number of VIFs on a single hosted DX connection?
1 VIF
What’s layer 2 adjacency?
It means that two routers can communicate directly with each other, i.e. exchange frames directly with each other.
What does BGP use for authentication?
MD5
How can you extend a VLAN/BGP session to a customer site when using a service (COMS) provider?
Using Q-in-Q
What’s the networking standard for VLAN?
802.1Q
Which ASN range is reserved for private usage?
16 bit: 64.512 - 65.534
32 bit: 4.200.000.000 - 4.294.967.294
Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/
What’s VLAN 0 reserved for?
It stands for “NO VLAN”
What’s VLAN 1 often used for?
For the management VLAN
What problem does QinQ (802.1AD) solve?
That COMS provider that provide one single physical connection for multiple clients may have clients that are using the same VLAN numbers. QinQ solves that by adding an additional header in the ethernet frame.
What’s an C-TAG and what is it used for?
It stands for customer tag and refers to the 802.1Q header.
What’s an S-TAG and what is it used for?
It stands for service tag and refers to the 802.1AD header that service providers use to isolate customer traffic from each other (Q-in-Q).
What is happening when traffic in a Q-in-Q scenario arrives at the service provider (COMS provider) network?
The COMS provider adds the S-TAG to ensure traffic from different customers is isolated against each other.
What is happening when traffic in a Q-in-Q scenario leaves the service provider (COMS provider) network?
The COMS provider strips away the S-TAG to ensure customers only see their own VLAN IDs (via the 802.1Q header), but not the VLAN IDs of other customers.
What two type of ports exist on a switch in the context of 802.1Q?
Access ports and trunk ports
What’s a trunk port used for on a switch in the context of 802.1Q?
It’s a connection between two 802.1Q capable devices, able to transport and by that exchange the VLAN IDs when traffic is flowing between those devices.
In the context of 802.1Q, does an access port on a switch use VLAN tagging when sending data to a client?
No. Access ports use “regular” ethernet frames.
What is the main criteria to consider when choosing between dynamic vs static routing in a site-to-site VPN connection?
Whether the router supports BGP advertising - if so, choose dynamic routing, otherwise choose static routing.
What’s a single IPsec tunnel’s maximum throughput in Gbps?
1.25 Gbps
How can you scale a VPN tunnel beyond the maximum limit of 1.25 Gbps?
By using Transit Gateway with equal cost multi-path (ECMP) routing enabled over multiple VPN tunnels.
What’s the maximum throughput of Transit Gateway?
50 Gbps
Can you access an S3 bucket that is located in eu-central-1 via a public VIF that is connected to us-east-1?
Yes
How is information on BGP communities exchanged between systems?
Via labels/tags that are attached to advertised prefixes (so essentially, metadata)
Which well-known BGP community tag is used to instruct that no advertisement shall be done to any peers?
NO_ADVERTISE
Which format has a regular BGP community label/tag?
AS_NUMBER : OPERATOR_ASSIGNED_VALUE
(32 bit value, split into 2x16 bit)
What does the BGP community tag “7224:9100” stand for?
Instructs AWS to advertise the prefix that this tag is attached to only in the local AWS region
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
Which well-known BGP community tag is used by AWS on public prefixes to instruct that advertisements are not shared with external peers?
NO_EXPORT
What does the BGP community tag “7224:9200” stand for?
Instructs AWS to advertise the prefix that this tag is attached to only on the current continent
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
What does the BGP community tag “7224:9300” stand for?
Instructs AWS to advertise the prefix that this tag is attached to globally
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
If no BGP community tag is attached to an advertised prefix, how far (local region, continent, globally) is the prefix advertised?
Globally
What does the BGP community tag “7224:7100” stand for?
Indicates a “low preference”, i.e. low priority, for traffic
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
What does the BGP community tag “7224:8100” stand for?
Routes that originate from the same AWS Region in which the AWS Direct Connect point of presence is associated
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
What is AS Number 7224 used for?
It’s the AS Number owned by Amazon.com, used to advertise prefixes and BGP communities for Direct Connect.
What is BFD and where is it enabled?
Bidirectional Forwarding Detection - protocol for detecting failed routing paths, allowing quick recovery. Enabled by default on the AWS side, but needs to be enabled on the on-prem router (if not already done) to benefit from quicker recovery times.
What does the BGP community tag 7224:7300 indicate?
“High preference” of the associated path for returning traffic. For example, would be preferred over a path that has 7224:7200 (medium preference) as a tag.
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
Can you attach multiple VGWs to a VPC at the same time?
No
What VPN connectivity type does AWS VPN CloudHub support? (site-to-site VPN, client VPN, etc.)?
Site-to-site VPN, i.e. connectivity between multiple VPCs and remote networks. But NOT client VPN.
How can you configure an EC2 instance to use jumbo frames?
Either by shell command (sudo ip link set dev eth0 mtu 1500) or by modifying the ethernet interface’s configuration file (different per Linux distribution).
What is the private CIDR range for a class A network?
10.0.0.0 - 10.255.255.255
What is the IP address range for a class B network?
172.16.0.0 - 172.31.255.255
What is the private CIDR range for a class C network?
192.168.0.0 - 192.168.255.255
Does Auto-negotiation for a port have to be disabled in order to use DX?
It depends. For any ports with speeds higher than 1 Gbps: yes. For 1 Gbps ports it may be enabled, depending on the DX endpoint serving the connection.
Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
Is 802.1Q VLAN encapsulation a hard requirement to use DX?
Yes. And that’s needed for the entire connection, so including any intermediate devices.
Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
Which protocol and authentication does the client device have to support to be able to use DX?
Border Gateway Protocol (BGP) and BGP MD5 authentication.
Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
Which Internet Protocol versions does DX support?
IPv4 and IPv6
Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
What Ethernet frame sizes (i.e. at OSI layer 2 / link layer) does AWS Direct Connect support?
1522 or 9023
Last revision: 2023-07-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
Does VPC peering work across regions?
Yes
Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html
What pricing model does VPC peering use?
The peering is free. Charges only apply for data transfers between AZs or regions.
Last updated: 2023-09-29
Source: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html#vpc-peering-pricing
If you want to connect VPCs with each other, at which number of VPCs is it a good idea to consider alternatives to VPC peering?
~10
Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html
Is Transit Gateway a global or regional resource?
Regional. But you can create peerings between Transit Gateways.
Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html
What is the maximum number of Transit Gateways that you can connect over a single Direct Connect connection?
3
Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html
What is a Transit VPC and how does it work?
Transit VPCs are a hub-and-spoke style network pattern where a central VPC (the transit VPC, or hub) connects other networks (VPCs, on-prem networks) through VPN (usually using BGP over IPSec).
It requires usage of EC2 instances where the VPN and routing software (sometimes also additional software such as IDP) runs, so it may increase higher cost and operational burden than other solutions. On the other hand it opens up for a lot of flexibility.
Last updated: 2023-08-12
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html
What is the maximum bandwidth per VPN tunnel?
1.25 Gbps
Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/
How many VPC tunnels are used per VPN connection?
2, each with 1.25 Gbps throughput
Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/
What is a Virtual private gateway (VGW) and what is it used for?
A virtual private gateway (VGW) is part of a VPC that provides edge routing for AWS managed VPN connections and AWS Direct Connect connections. It’s the endpoint on the AWS side that a VPN or Direct Connect connection goes to.
Last updated: 2023-08-31
Sources:
- https://aws.amazon.com/vpc/faqs/
- https://aws.amazon.com/vpn/faqs/
- https://aws.amazon.com/directconnect/faqs/
What ASNs can I use to configure my Customer Gateway (CGW)?
ASN in the range 1 – 2.147.483.647 with noted exceptions can be used.
Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/
Once the virtual gateway is created, can I change or modify the Amazon side ASN?
No, you cannot modify the Amazon side ASN after creation. You can delete the virtual gateway and recreate a new virtual gateway with the desired ASN.
Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/
How many VPCs are supported per (private) VIF when using Direct Connect Gateway?
10
Last updated: 2023-08-24
Source: https://aws.amazon.com/directconnect/faqs/
How many Transit Gateways can be associated with an AWS Direct Connect gateway?
Up to 3.
So that’s 3 TGWs per Transit VIF. And you can only have 1 Transit VIF per DX connection.
Last updated: 2023-08-24
Source: https://aws.amazon.com/directconnect/faqs/
How many Transit VIFs are supported per Direct Connect connection?
Only 1
Last updated: 2023-08-24
Source: https://aws.amazon.com/directconnect/faqs/
Does AWS Transit Gateway Connect support static routes?
No, AWS Transit Gateway Connect does not support static routes. BGP is a minimum requirement.
Last updated: 2023-08-24
Source: https://aws.amazon.com/transit-gateway/faqs/
Does AWS Transit Gateway support IPv6?
Yes, AWS Transit Gateway supports attaching Amazon VPCs with IPv6 CIDRs.
Last updated: 2023-08-24
Source: https://aws.amazon.com/transit-gateway/faqs/
What is the maximum number of Transit Gateways per account? And can that be adjusted?
5 - and yes, it can
Last updated: 2023-08-24
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
What is the maximum number of attachments per Transit Gateways? And can that be adjusted?
5000 - and no, it cannot
Last updated: 2023-08-24
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
What is the maximum number of Transit Gateways attachments per VPC? And can that be adjusted?
5 - and no, it cannot
Last updated: 2023-08-24
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
What is a transit VIF attached to?
The only resource type it can attached to is a Direct Connect gateway. From the DX gatway, up to three Transit Gateways (TGWs) can be attached.
What is the Generic Routing Encapsulation (GRE) tunnel protocol and in which context is it used in an AWS networking environment?
Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks. It’s used by Transit Gateway’s “Connect” feature to ensure high performance. After creating a Connect attachment, one or more GRE tunnels (referred to as Transit Gateway Connect peers) are created to TGW with a third-party appliance.
Last updated: 2023-09-06
Source: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html
What is Transit Gateway Connect?
It allows establishing connectivity between SD-WAN infrastructure (third-party appliances) and AWS.
Last updated: 2023-09-06
Source: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html
What are reasons to choose a Transit VPC over Transit Gateway?
- Allows for deploying third-party vendor software for routing, layer 7 firewalls, IPS and IDS (which customers may also use on-prem, so management is easier for them)
- Enables non-AWS-native connectivity such as peering regular AWS regions with GovCloud regions
Last updated: 2023-09-06
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-vpc-solution.html
Does Transit Gateway support transitive routing?
Yes
Last updated: 2023-09-06
Source: https://docs.aws.amazon.com/prescriptive-guidance/latest/integrate-third-party-services/architecture-3.html
What are key elements of the architecture of a transit VPC?
- Hub and spoke model with one central VPC (transit VPC) and multiple hub VPCs
- VPCs connected through VPN connections (typically BGP over IPSec)
- Central VPC contains multiple EC2 instances running third-party routing software
What are the basic elements of an AWS PrivateLink architecture?
On the service provide side, a VPC endpoint service that points to a Network Load Balancer (NLB), which points to the application. On the consumer side, an interface endpoint that points to the VPC endpoint service.
What is the difference between a VPC endpoint and a VPC endpoint service?
VPC endpoints are used to access AWS services. VPC endpoint services are used to expose applications hosted in a VPC to other AWS accounts (client-server or provider-consumer model).
What is the primary use case of a private NAT Gateway?
Connecting VPCs with each other that have overlapping CIDR blocks
Last updated: 2023-09-11
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/private-nat-gateway.html
What four options are there to establish VPN connectivity with AWS?
1) VPN via Transit Gateway
2) VPN via vendor software hosted on EC2
3) VPN via Virtual Private Gateway
4) VPN via client VPN endpoint
Last updated: 2023-09-11
Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/hybrid-connectivity.html
What is the difference between private and public VIFs regarding connectivity to AWS regions, when no Direct Connect Gateway is involved?
Public VIFs can access all AWS regions while private VIFs can only access VPCs in the same region as the DX location.
Last updated: 2023-09-12
Source: https://learn.cantrill.io/courses/1231680/lectures/31664371
What is the maximum number of VPCs you can connect over a single Direct Connect connection when not having Transit Gateway involved in the architecture?
500 VPCs (1 DX supports 50 private VIFs with each can have a single DX Gateway; and 1 DX GW supports up to 10 VGWs => 50 * 10 = 500)
What is static routing?
Static routing is if network routes are preconfigured on the routing device, usually by a network administrator, and then rarely changed after. This is in contrast to dynamic routing, where routes are automatically learned and updated by the devices exchanging routing information between each other using the Border Gateway Protocol (BGP). Both types can be used in conjunction.
True or False? The Internet-routable IP address for your Customer Gateway must be static?
True - Yes, it must be static and may be behind a device performing network address translation (NAT).
What Autonomous System Number (ASN) is reserved in all AWS Regions if you want to establish a Site-to-Site VPN?
7224
What is the default Autonomous System Number (ASN) in an AWS VPN connection?
65000
True or False? If you don’t have a public ASN, you can use a private ASN in the range of 64,512–65,534.
True
What is the VPN concentrator on the Amazon side of the site-to-site VPN connection?
Virtual Private Gateway
What does the “Enable Acceleration” option in your AWS VPN configuration do?
It will launch a total of two AWS Global Accelerators for your VPN connection. Launches one for each VPN tunnel.
What is the Customer Gateway?
A resource in AWS that represents the physical/software device residing on your on premises network. It is your side of the Direct Connect or Site-To-Site VPN connection on premises.
Last updated: 2023-10-25
Sources:
- https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect.html
- https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html
True or False? Does an AWS VPN connection support Path MTU Discovery.
False, it does not support.
True or False? Is IPv6 traffic supported for VPN connections with a Virtual Private Gateway?
False, it is not supported. You have to use a Transit Gateway to enable IPv6 connectivity within the tunnel.
Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/ipv4-ipv6.html
What type of certificate is associated with the Customer Gateway in a certificate-based VPN using AWS Site-to-Site VPN?
A Private Certificate issued from the AWS Certificate Manager (ACM) Private Certificate Authority.
True or False? Does AWS recommend using ASPATH Prepending for Customer Gateway devices that support Asymmetric Routing? And why is that?
False, AWS does NOT recommend using AS PATH Prepending. This is to ensure that instead of the AS Path, the MED that AWS manages on the tunnel can be used for determining the route with highest priority. This generally leads to higher availability as the MED is updated by AWS when necessary, while with AS Path pretending the customer would have to manage this.
Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
What does MED stand for and what is it used for?
Stands for multi-exit discriminator (MED) and helps to decide which route takes priority. For routes that have the same AS PATH length and if the first AS in the AS_SEQUENCE is the same across multiple paths, the MED value is compared for both routes and the route with lower MED value takes priority.
Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
Does certificate-based authentication in AWS VPN use digital certificates instead of pre-shared keys for IKE authentication?
Yes, this is possible by using AWS Certificate Manager Private Certificate Authority
Last updated: 2023-09-26
Source 1: https://repost.aws/knowledge-center/vpn-certificate-based-site-to-site
Source 2: https://aws.amazon.com/about-aws/whats-new/2019/08/aws-site-to-site-vpn-now-supports-certificate-authentication/
What is Direct Connect gateway used for mainly?
It allows connecting to multiple VPCs via a single private VIF, even across different AWS regions or different AWS accounts.
Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html
Which VIF types can you use with Direct Connect gateway?
Private and Transit VIFs only. Public VIFs are not supported as connecting to public AWS services in other AWS Regions are supported out-of-the-box with a regular Direct Connect connection, even if the connection always goes to a regional DX location.
Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html
What AWS resource do you implement to reduce latency by routing traffic to the nearest application endpoint that is closest in proximity with the users?
AWS Global Accelerator
Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-how-it-works.html
What do you use to aggregate multiple connections at a single Direct Connect endpoint for a single managed connection?
Link aggregation group (LAG)
Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html
Can Transit Gateway Connect attachments establish a connection to third-party SD-WAN virtual appliances? if so, using what?
Yes, using Generic Routing Encapsulation (GRE) tunnels
Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html
Which condition do you use with AWS WAF to implement a web filtering solution to automatically block web requests from a list of blacklisted countries?
Geo match condition
Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html
What features of CloudFront can you use to prevent users in geographic locations from accessing a website’s static content?
Geo-Restriction and Origin Shield features in your CloudFront distribution
Last updated: 2023-09-26
Source:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
What are different types of transit gateway attachment types?
One or more of the following:
- VPC
- VPN connection
- Direct Connect gateway
- Transit Gateway Connect
- Transit Gateway Peering
Last updated: 2023-09-26
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
What service provides a global view of your private network, allowing you to manage your AWS and on-premises resources and seamlessly integrate with your SD-WAN solutions?
AWS Transit Gateway Network Manager
Last updated: 2023-10-19
Source: https://aws.amazon.com/about-aws/whats-new/2019/12/aws-announces-aws-transit-gateway-network-manager/
What is causing a ErrorPortAllocation error on a NAT Gateway and how can you resolve it?
This error occurs when the NAT Gateway reaches it’s maximum of 55,000 simultaneous connections. This can be resolved by distributing multiple NAT Gateways across multiple AZs. It’s also best practice to, on the client side, limit the maximum number of connections and close connections as soon as possible to avoid high numbers of simultaneous connections.
Last updated: 2023-09-27
Source: https://repost.aws/knowledge-center/vpc-resolve-port-allocation-errors
If you want to allow DNS queries to be resolved even when the DNS Firewall in Route 53 is impaired, what do you have to configure? And what implication does that have?
Within the VPC settings of Route 53, you need to activate the “fail open” option. This means the system will favor availability over security.
Last updated: 2023-09-27
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-vpc-configuration.html
What is the default setting in Route 53 for the DNS Firewall “fail open” option?
By default it’s deactivated (= “fail closed”), which means that DNS queries won’t be resolved when the DNS Firewall is impaired or unavailable. This approach favors security over availability.
Last updated: 2023-09-27
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-vpc-configuration.html
What service is available behind 169.254.169.123 within AWS VPC? And do you need Internet Access to access it?
Amazon Time Sync Service
No, no internet access needed.
Last updated: 2023-09-27
Source: https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/
Which intrinsic function in CloudFormation is a valid one? Fn::Cidr or Fn::CidrBlock?
Fn:Cidr
What are the three factors that determine pricing for AWS Direct Connect?
Capacity, port hours, and data transfer out (DTO)
Last updated: 2023-09-27
Source: https://aws.amazon.com/directconnect/pricing/
What is DPD and in what context is it used?
Stands for Dead peer detection and is a configurable timeout for when setting up an AWS Site-to-Site VPN connection. It defines the duration, in seconds, after which DPD timeout occurs.
Last updated: 2023-09-27
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
What are Phase 1 and Phase 2 Diffie-Hellman (DH) group numbers and in which context are they used?
They’re options that can be defined when setting up an AWS Site-to-Site VPN connection. They specify the DH group numbers that are permitted for the VPN tunnel for phase 1 and phase 2 of the IKE negotiations.
Last updated: 2023-09-27
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
What is MPLS?
“Multiprotocol Label Switching” - encapsulation protocol used in many service providers and largescale enterprise networks. Instead of relying on IP lookups to discover a viable “next-hop” at every single router within a path (as in traditional IP networking), MPLS predetermines the path and uses a label-swapping push, pop, and swap method to direct the traffic to its destination.
What does ECMP stand for, in which context is it used and for what?
Equal-cost multi-path routing. Used in the context of AWS Site-To-Site VPN when it’s required to connect more than one tunnel to a Transit Gateway. That way, VPN connections can scale beyond the regular limit of 1.25 Gbps.
Last updated: 2023-09-28
Source: https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-vpn-throughput-using-aws-transit-gateway/
Which VIF types support jumbo frames?
Private VIFs and transit VIFs, but not public VIFs
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/set-jumbo-frames-vif.html
Are jumbo frames supported for static routes, propagated routes, or both?
Only propagated routes when using Direct Connect. Only static routes when using transit gateway.
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/set-jumbo-frames-vif.html
What’s the key difference between BGP community tags in the 7224:8* range versus 7224:9* range?
7224:8* tags are advertised by AWS (attached to AWS prefixes) while 7224:9* tags are advertised by the customer (attached to the own prefixes)
What is Transit Gateway “appliance mode” used for?
Ensures that Transit Gateway uses the same AZ for a VPC attachment for the lifetime of traffic flow between source and destination. Useful when planning to configure stateful network appliances in the VPC, hence the name.
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
Do intermediate devices between two Direct Connect endpoints have to have VLAN trunking enabled or disabled for the 802.1Q VLAN tag?
Enabled
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html
What is the maximum number of connections that you can have in a link aggregation group (LAG) in AWS Direct Connect?
2 when connection = 100 Gbps
4 when connection < 100 Gbps (i.e. 1 Gbps or 10 Gbps
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html
What are the four key differences between Gateway and Interface endpoints?
- Gateway endpoints use public IP addresses, Interface endpoints have private ones
- Gateway endpoints cannot be accessed from on-prem, Interface endpoints can
- Gateway endpoints don’t allow access from other AWS regions, Interface endpoints do (via VPC peering or TGW)
- Gateway endpoints are not billed, Interface endpoints are
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
How many route tables can you assign to a VPC and how many to a subnet?
200 per VPC and exactly 1 per subnet
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
Is route propagation enabled or disabled by default in a VPC?
Disabled
What is DNS64, in which context is it used for and where do you enable it?
It’s a translation mechanism so that IPv6-only services can communicate with IPv4-only endpoints. Amazon VPC supports this by enabling it for a subnet. The actual translation then happens through a NAT Gateway and the Route 53 Resolver of the VPC.
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-nat64-dns64.html
Can you associate a VPC from an external AWS account to your own private hosted zone in Route 53?
Yes. But this requires you to first authorize the VPC association from your account and then have the external AWS account perform the actual association.
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html
What is the IP address that is reserved by AWS in each VPC for the DNS server?
Depends on the CIDR of the VPC as it’s the base of the VPC network range plus two. For a VPC with a CIDR of 10.0.0.0/24, the DNS server IP is 10.0.0.2, as an example.
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-sizing.html
What’s the IPv4 address of the AWS metadata service?
169.254.169.254
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
Does Storage Gateway use private or public endpoints?
Public endpoints
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/filegateway/latest/filefsxw/using-dx.html
What are the parameters that the CloudFormation Fn:Cidr function expects?
1: The user-specified CIDR address block to be split into smaller CIDR blocks.
2: The number of CIDRs to generate. Valid range is between 1 and 256.
3: The number of subnet bits for the CIDR. For example, specifying a value “8” for this parameter will create a CIDR with a mask of “/24”.
Last updated: 2023-09-28
Source: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-cidr.html
Within the X-Forwarded-For HTTP header, where do you find the client IP address where the request was first made?
Left-most in the header
Last updated: 2023-10-19
Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html
What is an optional add-on in an Amazon EKS cluster that manages AWS Elastic Load Balancers for the Kubernetes cluster?
AWS Load Balancer Controller
Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
What type of AWS Load Balancer will the Load Balancer Controller provision to the Amazon EKS cluster if you create a Kubernetes Ingress?
Application load balancer
Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
What type of load balancer cluster will the Load Balancer Controller provision if you create a Kubernetes service of type Load Balancer?
AWS Network Load Balancer
Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
What protocol will the Gateway Load Balancer and its registered virtual appliance instances exchange for the application traffic?
GENEVE (Generic Network Virtualization Encapsulation)
Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/gateway-load-balancers.html
What is VPC Reachability Analyzer?
A feature in the VPC console that allows testing connectivity between a source and destination within a VPC, even across accounts.
Last updated: 2023-10-05
Source: https://aws.amazon.com/blogs/networking-and-content-delivery/visualize-and-diagnose-network-reachability-across-aws-accounts-using-reachability-analyzer/
How can you capture traffic that includes the vpc-id and the interface-id ?
Use VPC flow logs with a custom format.
Last updated: 2023-10-05
Source: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
How can you troubleshoot a Direct Connect connection when it’s in DOWN status?
- Verify physical connection is okay, i.e. checking cross connect, ports, etc. (OSI layer 1)
- Verify data link is okay, i.e. VLAN and IP configurations, etc. (OSI layer 2)
- Verify network/transport is okay, i.e. BGP and ASN configurations etc. (OSI layer 3/4)
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html
What is a CKN/CAK pair and in which connectivity context of AWS is it used?
Stands for Connection Key Name (CKN) and Connectivity Association Key (CAK). Used by AWS Direct Connect’s when establishing a connection that is encrypted through MACsec. The customer generates the key pair and assigns it to the Direct Connect connection, as well as on the on-prem device that Direct Connect is connected to.
Last updated: 2023-10-17
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/MACsec.html
In which order from the following does virtual private gateway prioritize routes?
- Manually added static routes for a Site-to-Site VPN connection
- BGP propagated routes from an AWS Direct Connect connection
- Lowest Multi-exit discriminators (MEDs)
- Shortest AS PATH
- BGP propagated routes from a Site-to-Site VPN connection
1/ BGP propagated routes from an AWS Direct Connect connection
2/ Manually added static routes for a Site-to-Site VPN connection
3/ BGP propagated routes from a Site-to-Site VPN connection
4/ Shortest AS PATH (
5/ Lowest Multi-exit discriminators (MEDs)
Last updated: 2023-10-17
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
Which port (number and protocol) does BGP use?
TCP 179
Last updated: 2023-10-17
https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html
In which context of AWS is NAT-T relevant, and which protocols and ports are used?
AWS uses NAT-T in the context of Site-To-Site VPN. Relevant ports are:
- UDP port 4500 (for IPsec NAT traversal)
- UDP port 500 (for Internet Key Exchange (IKE) packets)
- IP Protocol 50 (for Encapsulating Security Payload (ESP))
Last updated: 2023-10-18
Sources:
- https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-options.html
- https://en.wikipedia.org/wiki/NAT_traversal
How do NAT Gateway and NAT instances compare to each other in regards to IP fragmentation?
NAT instance support reassembly of fragmented packets for UDP, TCP and ICMP, whereas NAT Gateways support this only for UDP.
Last updated: 2023-10-18
Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html
In which context is route propagation used in AWS, and where is it enabled?
AWS uses route propagation to dynamically update VPC route tables with information from a VPN Site-To-Site or Direct Connect connection. It’s an option that is enabled on the route table of a VPC.
Last updated: 2023-10-18
Source: https://repost.aws/knowledge-center/routing-dx-private-virtual-interface
What are the five network modes of ECS and what are the respective defaults for Linux and Windows based containers?
awsvpc, bridge, host, none, default
bridge is the default for Linux based containers, default the one for Windows
Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
What happens regarding network connectivity in ECS if “bridge” is selected as network mode?
The ECS task uses Docker’s built-in virtual network on Linux, which runs inside each Amazon EC2 instance that hosts the task.
Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
What happens regarding network connectivity in ECS if “host” is selected as network mode? And what is a limitation of this mode?
The ECS task uses the host’s network which bypasses Docker’s built-in virtual network by mapping container ports directly to the ENI of the Amazon EC2 instance that hosts the task. A port number on a host can’t be used by multiple tasks. As a result, you can’t run multiple tasks of the same task definition on a single Amazon EC2 instance.
Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
What happens regarding network connectivity in ECS if “awsvpc” is selected as network mode?
The ECS task is allocated its own elastic network interface (ENI) and a primary private IPv4 address. This gives the task the same networking properties as Amazon EC2 instances.
Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
If you want to use Security Groups on ECS tasks, which ECS network mode do you have to use? Bridge or awsvpc?
awsvpc
Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html
If the primary CIDR in a VPC is 10.0.0.0/16 (10.0.0.1 - 10.0.255.254), can you assign 172.16.0.0/16 (172.16.0.1 - 172.16.255.254) as a secondary CIDR?
No. Secondary CIDRs have to be in the same private address range as the primary CIDR, or be a publicly routable CIDR. 172.16.0.0/16 is neither of these (is a private CIDR according to RFC 1918, but not in the same range as the original CIDR).
Last updated: 2023-10-21
Source:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html
If the primary CIDR in a VPC is 10.0.0.0/16 (10.0.0.1 - 10.0.255.254), can you assign 10.1.0.0/16 (10.1.0.1 - 10.1.255.254) as a secondary CIDR?
Yes. Secondary CIDRs have to be in the same private address range as the primary CIDR, or be a publicly routable CIDR. 10.1.0.0/16 is a private CIDR according to RFC 1918 and in the same private address range as the primary CIDR (10.0.0.0/8).
Last updated: 2023-10-21
Source:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html
If the primary CIDR in a VPC is 10.0.0.0/16 (10.0.0.1 - 10.0.255.254), can you assign 100.0.0.0/16 (100.0.0.1 - 100.0.255.254) as a secondary CIDR?
Yes. Secondary CIDRs have to be in the same private address range as the primary CIDR, or be a publicly routable CIDR. 100.0.0.0/16 is a publicly routable CIDR according to RFC 1918.
Last updated: 2023-10-21
Source:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html
What is the maximum number of routes that can be advertised over a BGP session in Direct Connect? What happens when this limit is exceeded?
100 each for IPv4 and IPv6. If exceeded, the BGP session will go down.
Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html
What port is used by SES for a TLS Wrapper connection?
465 or 2462
Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html
What port is used by SES for a TLS connection?
25, 587, or 2587
Last updated: 2023-10-21
Source: https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html
What protocol does the Link Aggregation Group (LAG) use to aggregate multiple connections at a single AWS Direct Connect endpoint?
Link Aggregation Control Protocol (LACP)
Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html
What is CIDR Reservation?
A subnet setting to prevent AWS from automatically assigning IPv4 or IPv6 addresses within a CIDR range you specify.
Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-cidr-reservation.html
What are the two types of Subnet CIDR reservations in Amazon VPC?
Explicit and Prefix
Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-cidr-reservation.html
What are Route 53 Resolver Outbound Endpoints used for?
They allow DNS queries from your VPC to your on-premises network or another VPC
Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
What are Route 53 Resolver Inbound Endpoints used for?
They allow DNS queries to your VPC from your on-premises network or another VPC
Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
What do the fields with pkt represent in a VPC flow log when troubleshooting pod-to-pod traffic?
Represent the source and destination address of the actual IP packet (Pod IP). Source and destination fields without a pkt prefix represent the address of the interface the packet is sent from or received on.
Last updated: 2023-10-22
Source: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
What (mandatory) attributes do you have to provide when creating a private VIF via Direct Connect?
Name, Owner (account), VLAN ID, ASN, the DX connection that the VIF uses and either a VGW or the DX Gateway that the VIF shall connect to.
Last updated: 2023-10-24
Source: https://docs.aws.amazon.com/directconnect/latest/APIReference/API_NewPrivateVirtualInterface.html
Can you request a CIDR block from IPAM natively via CloudFormation, or do you have to use a Lambda custom function for this?
CloudFormation has native support for this using AWS::EC2::IPAMPool
Last updated: 2023-10-24
Source:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-ipampool.html
What is important regarding the ASN when attaching Transit Gateways in different regions to a Direct Connect Gateway?
You have to use unique ASNs for each transit gateway.
Last updated: 2023-10-24
Source:
https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-transit-gateways.html
Do you associate Transit Gateways with the VPC or the VGW of the VPC?
TGW can use the VPC directly and doesn’t need a VGW (unlike Site-To-Site VPN or Direct Connect).
Last updated: 2023-10-24
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
What is PAT?
An extension of Network Address Translation (NAT) that permits multiple devices on a LAN to be mapped to a single public IP address to conserve IP addresses. Relevant for AWS Direct Connect for example, where the on-prem router does the translation.
Last updated: 2023-10-24
Source: https://repost.aws/knowledge-center/connect-private-network-dx-vif
If a key-signing key (KSK) in Route 53 DNSSEC changes its status to Action needed (or ACTION_NEEDED in a KeySigningKey status), what is the root cause?
This occurs if Route 53 loses access to a corresponding AWS KMS key (due to a change in permissions or AWS KMS key deletion).
Last updated: 2023-10-24
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-troubleshoot.html
What are the two types of keys used by DNSSEC?
key-signing key (KSK) and a zone-signing key (ZSK)
Last updated: 2023-10-24
Source: https://simpledns.plus/help/definition-dnssec
What is a KSK used for?
Used in the context of DNSSEC to sign the public key records (DNSKEY) for a zone.
Last updated: 2023-10-24
Source: https://simpledns.plus/help/definition-dnssec
What KMS key type is a key-signing key (KSK) based on?
asymmetric customer managed key
Last updated: 2023-10-24
Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec.html
How does AWS Private IP Site-to-Site VPN work, i.e. what services and components are involved, and what advantages does it have over Public IP Site-To-Site VPN?
It uses Direct Connect with a transit VIF that’s connected to a Transit Gateway via a Direct Connect Gateway. Benefits are:
- simplified management (vs. self-managed VPN)
- improved security (vs. public IP Site-To-Site VPN)
- higher route scale (vs. standalone Direct Connect)
Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/private-ip-dx.html
Which BGP community value does AWS apply to routes pointing to global AWS services?
No tag. Note that there’s also the 7224:8300 tag that has the same meaning, which isn’t applied by AWS though.
Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
What type of authentication key does Direct Connect support to use for BGP MD5 authentication? AWS-managed, customer-managed, or both?
Both
Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html
What is the attribute called that defines when LAG members will be logically disabled if the number of active member-connections falls below which value?
Minimum links
Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-lag.html
How many virtual interfaces (VIFs) can an AWS Direct Connect-hosted connection support?
Only a single virtual interface (VIF)
Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html
Can you associate a Direct Connect Gateway directly with a VPC?
No, this requires a VGW. Transit Gateways however can be attached directly to VPCs.
Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html
How many TGW route tables can be associated with each Transit Gateway attachment?
Exactly one
Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
By default, each Transit Gateway attachment may propagate to how many TGW route tables?
TGW attachments may propagate to as many route tables as the TGW can support, which by default is 20.
Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
When routes are evaluated by Transit gateway what is the order of priority from the following options?
- Transit Gateway Connect propagated routes
- Prefix list referenced routes
- Transit Gateway peering propagated routes (Cloud WAN)
- VPC propagated routes
- Static routes
- Site-to-Site VPN propagated routes
- Direct Connect gateway propagated routes
- Static routes
- Prefix list referenced routes
- VPC propagated routes
- Direct Connect gateway propagated routes
- Transit Gateway Connect propagated routes
- Site-to-Site VPN propagated routes
- Transit Gateway peering propagated routes (Cloud WAN)
Last updated: 2023-10-25
Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
When using equal cost multi-path (ECMP) with Transit Gateway as a Site-To-Site VPN solution, does it support static routes, dynamic routes, or both?
Only dynamic routes (using BGP)
Last updated: 2023-10-25
Source:
https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-transit-gateway-vpn.html
What is the MTU for VPC peerings?
9001 for inter-region peerings, 1500 for cross-region peerings
Last updated: 2023-10-25
Source:
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html
Can you use Simple AD to resolve DNS queries of AWS VPC as well as on-prem resources?
Yes and no. Resolving AWS VPC resources works out-of-the-box with Simple AD, but to resolve on-prem resources, you’ll have to use a separate DNS resolver (such as an EC2-hosted DNS server).
Last updated: 2023-10-26
Source: https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/
Can you forward DNS requests for VPC resources to Route 53 Resolver from on-prem?
Yes, but not directly, i.e. you cannot send the DNS request to the VPC +2 IP address (the IP address of the DNS resolver). Instead you have to create a Route 53 Inbound Resolver Endpoint first and send DNS requests to the address of that endpoint.
Last updated: 2023-10-26
Source: https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/
Can you connect to an S3 Gateway endpoint via a Site-To-Site VPN connection that ends in a VGW?
No. VGWs do not support transitive routing, therefore, the Gateway endpoint won’t be accessible.
How do you set up an Active/Active Direct Connect connection using a private or transit VIF?
Set up two connections where advertised prefixes, local preference, autonomous system (AS) path, and Multi-Exit Discriminator (MED) values are the same.
Last updated: 2023-10-26
Source: https://docs.aws.amazon.com/architecture-diagrams/latest/active-active-and-active-passive-configurations-in-aws-direct-connect/active-active-and-active-passive-configurations-in-aws-direct-connect.html
How do you set up an Active/Passive Direct Connect connection using a private or transit VIF?
Set up two connections and have the “Active” connection using a longer (more specific) prefix, or higher local preference (for example 7224:7300), or shorter autonomous system (AS) path, or lower Multi-Exit Discriminator (MED).
Last updated: 2023-10-26
Source: https://docs.aws.amazon.com/architecture-diagrams/latest/active-active-and-active-passive-configurations-in-aws-direct-connect/active-active-and-active-passive-configurations-in-aws-direct-connect.html
What effect does it have when a VPC has the tenancy set to “dedicated”?
Any EC2 instances launched in that VPC will automatically be dedicated instances.
Last updated: 2023-10-26
Source:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html#dedicated-howitworks