AWS Networking Flashcards
VPC Peering
- AWS provided connection between two VPCs
- No transitive peering
VPC flow logs
- Information about the IP traffic
- Stored using CloudWatch Logs or S3
- Captured at the VPC, subnet, or network interface level
CloudFront Lambda@Edge
- Used to customize the content CloudFront delivers
- viewer request
- origin request
- origin response
- viewer response
AWS CloudFront
- Content delivery network (CDN)
- Moves content closer to the user
- Geolocation filtering
- Uses AWS backbone
Signed Cookies
- Provides control over access to content
- Doesn’t require a URL change
- Used for multiple files
Signed URL
- Provides control over access to content
- The URL changes
- For individual files
- Expiration date and time
- IP Ranges
CloudFront Origins
- Where the content originates
AWS Managed VPN
- IPsec VPN over your existing network
- Quick and simple tunnel to a VPC
- Used as a redundant path for Direct Connect
- Dependent on your Internet connection
AWS Direct Connect
- Dedicated Network connection to AWS backbone
- when a large link to AWS is required
- Lead time > 1 month
- Not encrypted by default
Direct Connect + VPN
- Adds IPsec to Direct Connect
- Encrypted tunnels over Direct Connect
CloudFront Edge Locations
- Hundreds, located in different parts of the world
- Content is pushed and cached at the edge
Software VPN
- Customers provide their own VPN
- When you must manage both ends for compliance reasons
- When you must use a VPN option not provided by AWS
Transit VPC
- For connecting geographically dispersed VPCs and locations
- When locations and VPCs across multiple regions need to talk
- Flexibility with AWS managed VPN
- Hub and spoke with VPCs
CloudHub
- Connect locations in a hub/spoke topology using the AWS virtual private gateway
- Used to link remote offices
- Uses the existing Internet connection
AWS Security Groups
- Instance level
- Can specify allow rules only, not deny
AWS Default Security Groups
- Can’t be deleted
- Can Change the rules
AWS Subnets
- EC2 instance can have 5 subnets
- Will be assigned to default NACL if not assigned to custom NACL
VPC Interface endpoint
- EC2 in VPC to EC2 in VPC
- Uses an ENI with a private IP to connect to PrivateLink
- Typically an ELB is the connection point in PrivateLink
- Service provider model
- Secured by security groups
VPC Gateway endpoint
- Used for connections from a VPC to S3 or DynamoDB
- Uses endpoint policies
- Prefix list in route table
- Bucket policies can be added to restrict S3 access
NAT Gateway
- Used to allow private IPs access to the Internet
- e.g. to download software
- Goes in a public subnet
Can VPC peering work with overlapping IPs?
- Will fail… IPs cannot overlap.
Public Subnets
- Have a route via the Internet gateway to the Internet
What type of IP is not considered unique?
- IPv6
- Elastic IPs
- IPv4 - Public IPs
- IPv4 - Private IPs
IPv4 private IPs… think 10.x.x.x
AWS PrivateLink
- Service provider model… expose a single service to thousands of VPCs
- Doesn’t require VPC peering
- Requires an NLB on the service side and an ENI on the client side
AWS Global Accelerator
- Improves the availability and performance of apps with local or global users
- Uses the AWS global network to optimize the path from user to app
- Uses AWS edge locations
- Uses 2 static anycast IPs that are globally advertised
- The IPs serve as the frontend interface of the application
- Endpoints: NLB, ALB, or EC2
- Don’t need to make any client-facing changes or update DNS as you modify or replace the endpoints - static IPs
NAT Gateways support outbound traffic only.
- True
I have 2 public IPs for my website. I want to increase performance and redundancy using multiple AWS regions behind NLBs.
Create an AWS Global Accelerator and attach endpoints in each region
Migrate both IPs to AWS Global Accelerator
When using throttling controls with API Gateway, what happens when request submissions exceed the steady state request rate?
429 Too Many Requests
Cost-effective solution for Direct Connect backup
IPsec VPN, and use the same BGP prefix
An IPsec VPN connection has a virtual private gateway on the AWS side and a customer gateway on the on-premises side?
True
Dedicated tenancy can be changed to Host tenancy and vice versa?
True
How can VPC services access SQS without traversing the internet?
VPC interface endpoint
How many AZs can a single subnet map to?
One
Each subnet you create is associated with which route table?
Main
Transfer GBs of data quickly and on a regular basis to an S3 bucket
Transfer Acceleration
Features and advantages of a VPN
Between on-prem and a VPC, using a secure and private connection with IPsec and TLS
What are the default inbound and outbound rules for a new / custom NACL?
Deny Inbound
Deny Outbound
Should you use CloudFront to help latency within a data center… between the app and the S3 bucket?
No… use a cache for that, like Redis.
Which should you use for VPC flow logs… interfaces or subnets?
Interfaces are more secure
Do you need to configure Access Logs on an ELB?
Yes… this allows you to get information like requestor, IP, path… that CloudTrail won’t get you.
How can you enhance the security of data via CloudFront?
Field-level encryption
Virtual Private Gateway
- Allows a VPC to communicate with on-prem over VPN for a secure connection.
Route 53 alias record support for:
Amazon CloudFront distribution – A record (IPv4) or AAAA record (IPv6)
AWS Elastic Beanstalk environment – A record (IPv4)
Elastic Load Balancing (ELB) load balancer – A record (IPv4) or AAAA record (IPv6)
Amazon Simple Storage Service (Amazon S3) bucket – A record (IPv4)
Amazon API Gateway custom regional API and edge-optimized API – A record (IPv4)
Amazon VPC interface endpoint – A record (IPv4)
AWS Global Accelerator – A record (IPv4)
Another Route 53 record in the same hosted zone
A private subnet needs to connect to Internet-based hosts using the IPv6 protocol. What needs to be configured to enable this connectivity?
An egress-only Internet gateway
Internet connectivity for a data-processing application in a VPC… that will pull large amounts of data from an object storage system via the Internet.
Attach an Internet gateway. Since the traffic is going over the Internet, a VPC Gateway Endpoint is not an option.
An Elastic IP is what?
Public static IP