AWS Networking Flashcards

1
Q

What is the RFC for the private address space?

A

RFC 1918

2
Q

What is layer 1 of the OSI model?

A

Physical, used for Ethernet, DSL, ISDN, WiFi.

3
Q

What is layer 2 of the OSI model?

A

Data link layer, used for Ethernet frames. Switching layer with switches and hubs.

4
Q

What is layer 3 of the OSI model?

A

Network layer, used for IPv4, IPv6, ICMP, IPsec. Routing layer used with routers.

5
Q

What is layer 4 of the OSI model?

A

Transport layer: TCP, UDP, AppleTalk, SPX.

6
Q

What is layer 5 of the OSI model?

A

Session layer: session establishment and teardown.

7
Q

What is layer 6 of the OSI model?

A

Presentation layer: translation, compression, encryption.

8
Q

What is layer 7 of the OSI model?

A

Application layer: HTTP, DNS, FTP.

9
Q

Where in the OSI model does TLS fit?

A

TLS fits in the Presentation layer, since that layer is used for encryption and compression.

10
Q

How many host IPs can I have with an AWS VPC /24?

A

251: you have 256 addresses in this space, minus 1 for the network, 1 for broadcast, 1 for the gateway, 1 for DNS and 1 reserved.

11
Q

What is the largest VPC I can have in AWS?

A

/16 (65536)

12
Q

Convert 192.168.0.15 to its binary form.

A

11000000.10101000.00000000.00001111

13
Q

What is the 172.16.0.0 private address space range?

A

It is a /12 address space ranging from 172.16.0.0 - 172.31.255.255 and has 1M hosts.

14
Q

What is the 10.0.0.0 private address space (range)?

A

It is a /8 address space ranging from 10.0.0.0 - 10.255.255.255 and has 16M hosts.

15
Q

What is the 192.168.0.0 private address space(range)?

A

It is a /16 address space ranging from 192.168.0.0 - 192.168.255.255 and has 65K hosts.

16
Q

What is classless interdomain routing (CIDR)?

A

You can create a subnet mask to mask the network bits in use; this subdivides the network.

17
Q

If we have a CIDR of /8, how many host addresses can I have?

A

16M (16777214)

18
Q

What does a /8 CIDR look like in binary form?

A

11111111.00000000.00000000.00000000

19
Q

What does a /16 CIDR look like in binary?

A

11111111.11111111.00000000.00000000

20
Q

What does a /24 CIDR look like in binary?

A

11111111.11111111.11111111.00000000

21
Q

If we have a /24 network, what is the maximum number of subnets we can create from it?

A

7 subnets.

/24 = 1 network : 254 hosts

/25 = 2 : 126 hosts

/26 = 4 : 62 hosts

/27 = 8 : 30 hosts

/28 = 16 : 14 hosts

/29 = 32 : 6 hosts

/30 = 64 : 2 hosts

22
Q

In a 10.x.x.x network how many bits are available for host or networking?

A

We can use 24 bits for hosts and networking; we can say a 10 network is a /8 network.

23
Q

In a 172.x.x.x network how many bits can be used for host or network?

A

22 bits can be used for host or networking; we can say the 172 network is a /12 network.

24
Q

With a CIDR, when we add bits what are we doing?

A

We are increasing the number of bits in the CIDR block and subnetting the network.

25
Q

In the following CIDR, 192.168.0.0/24, how many subnet bits are there? Also, how many subnets are there?

A

Zero (0) subnet bits and 1 subnet.

This network is a 192.168.0.0/24 network, which means it has only 8 bits to play with for both networking and hosts.

The number of subnets is 2 to the power of n; n in this case is 0, which gives 1.

27
Q

What is the DHCP server port?

A

67

28
Q

What is the DHCP client port?

A

68

29
Q

Is DHCP a TCP or UDP protocol?

A

UDP, as it sends a UDP broadcast to 255.255.255.255.

30
Q

Is DHCP unicast or broadcast?

A

Broadcast

31
Q

What is the typical DHCP exchange sequence to get an IP address from the server?

A

DHCPDiscover

DHCPOffer

DHCPRequest

DHCPAck

32
Q

What ports are used for DNS?

A

Port 53

33
Q

Are messages sent over UDP, TCP or both for DNS?

A

Both

34
Q

A URL is made up of 4 parts, can you name them?

A

protocol

subdomain

domain

TLD (Top level domain)

36
Q

What is a Zone?

A

It is a domain for which the DNS server will answer.

37
Q

In DNS what is a Primary zone?

A

A zone for which the server is authoritative; this means the DNS server has the final say.

38
Q

In DNS what is a secondary zone?

A

A secondary zone is one the DNS server will respond for but does not have the final say on. The secondary zone must check in with the Primary Zone DNS server.

40
Q

In DNS when would you use a secondary zone?

A

You would use a secondary zone when you want redundancy for the primary server, so that when the primary server goes down the secondary zone DNS server responds.

41
Q

In DNS what is a root server used for?

A

The root servers point to the TLD servers.

42
Q

In DNS what are the TLD servers?

A

TLDs point to the name servers.

43
Q

In DNS what are the name servers used for?

A

Name servers point to the hosts.

44
Q

In DNS what are the ‘A’ records used for?

A

An ‘A’ record is part of a zone and points to the IP of a host.

45
Q

In DNS what is a CNAME record used for?

A

A CNAME record is part of a zone and points to an ‘A’ record, with this record we could map bar.google.com to foo.google.com.

46
Q

From your laptop, how is a URL resolved?

A

The laptop reaches out to its local DNS server. The local DNS server checks its cache and, if it does not find a record, looks up the root hints file and reaches out to the root servers. The root server responds with the IP of the TLD server; the DNS server reaches out to the TLD server, which responds with the IP of the name server; the DNS server reaches out to the name server, which responds with the IP of the host. The DNS server then responds to your laptop with the IP of the host you need to contact.

47
Q

In DNS what is an ‘AAAA’ record?

A

An ‘AAAA’ record is the same as an ‘A’ record but for IPv6. It points to a host IP.

48
Q

What is an MX record in DNS?

A

It is a mail exchange record.

49
Q

In DNS what is a TXT record?

A

“Text records” are typically used for miscellaneous services that require information to be public in your DNS in order to prove ownership of a domain.

50
Q

In DNS what is a PTR record?

A

A PTR record is a reverse lookup record that maps an IP back to a server; only one PTR record per server.

51
Q

In DNS what is an SOA record?

A

The SOA is a “Start of authority”, indicating which record is responsible for the DNS zone.

52
Q

In DNS, what is a record’s TTL value?

A

It is the time the server waits before it will check for updates for the record.

53
Q

Can I delete a default security group?

A

No, this will not be allowed.

54
Q

With a security group can I deny IP addresses?

A

Security groups by default deny all inbound traffic and you open ports. You cannot explicitly say deny traffic from this address or port, but you can allow inbound traffic from an IP, port or protocol.

55
Q

By default, will a security group allow or deny all traffic inbound?

A

Denies all traffic.

56
Q

Can you create a security group rule that denies traffic?

A

No, rules are always permissive for both inbound and outbound.

57
Q

Are security groups stateful?

A

Yes, if you send a request to an instance, the response will be allowed to exit regardless of outbound rules.

58
Q

By default is all outbound (initiated by the server) allowed for a security group?

A

Yes, there is an outbound rule that allows all outbound traffic.

59
Q

Can I create a security group rule to block port 80?

A

No, security groups by default deny all traffic and only have allow rules; no deny rules are available.

60
Q

I want to block an incoming IP address, what is my best option in the VPC?

A

Use a NACL, as you cannot deny traffic on a security group.

61
Q

I have an on-prem application using multicast, I want to move to AWS, what should I be aware of?

A

Multicast is not supported in a VPC; you will need to create an overlay network.

62
Q

I need a public IP, what is the name AWS uses for this public IP?

A

Elastic IP

63
Q

What is a public subnet?

A

It is a subnet that has an internet gateway and connects to the internet; internet traffic can enter and leave it.

64
Q

Can I have more than a single ACL on a VPC?

A

Yes

65
Q

When you create a VPC do you get a default ACL?

A

Yes

66
Q

Is the ACL filtering traffic on a VPC or on a subnet?

A

An ACL filters traffic on a subnet and is associated with a VPC.

67
Q

When you create an ACL, is it by default associated with all subnets in the VPC?

A

No, by default it is not associated with any subnets; you have to associate it with a subnet to have the filter applied.

68
Q

When you create a VPC, do you get an ACL by default?

A

Yes, you get a default ACL, but it is associated with no subnets.

69
Q

Are ACL stateless or stateful?

A

Stateless: they do not know about connections, so if you allow traffic in, you have to allow traffic out. In a way, an ACL is better used to deny traffic in or out.

70
Q

Can I associate an ACL with multiple subnets?

A

Yes

71
Q

Can subnets be associated with multiple ACLs?

A

No

72
Q

By default do ACLs allow traffic in/out?

A

Yes

73
Q

In what order are the route table, ACL and security group applied in the flow of traffic?

A

Route table

ACL

Subnet

security group

Instance

74
Q

I want to capture all source IPs coming into an interface on an EC2 instance, is this possible and how?

A

Yes, you use VPC flow logs.

75
Q

I want to capture all source IPs coming into a VPC, is this possible and how?

A

Yes, Use VPC Flow logs.

76
Q

I want to capture all source IPs coming into a subnet, is this possible and how?

A

Yes, use VPC flow logs; each interface in the VPC will have its own flow logs.

77
Q

For flow logs, what are the 3 different scopes I can enable them for?

A

VPC - all ENIs in the VPC

Subnet - all ENIs in the subnet

ENI - the ENI of the instance.

78
Q

What outputs are available for flow logs?

A

S3

CloudWatch

79
Q

I have an application on EC2 instances and I want to be notified if an IP address connects from another country, what options do I have?

A

You can use flow logs, send them to CloudWatch and set a CloudWatch alarm.

80
Q

I need to enable my instances to access the internet, but I do not want the instances to be public facing on the internet; what is my best option?

A

Use a NAT gateway for IPv4 and an egress-only GW for IPv6.

81
Q

For a NAT GW do you need an EIP?

A

Yes, the EIP will be the public-facing IP; behind it will be the instances.

82
Q

What are you charged for with a NAT GW?

A

Hours running and per GB processed.

83
Q

I need a NAT GW to span multiple Availability Zones, how can I do this?

A

A single NAT GW will not work across Availability Zones, as it is tied to the single AZ of the subnet you select when you create it. You will have to use two NAT GWs, one in each of the subnets you want to use.

84
Q

I have just created a NAT and my instances cannot get internet access, what do you think is wrong?

A

You have not pointed the traffic from the instances to the NAT; this requires editing the route tables.

85
Q

I need to secure my NAT GW with a Security group, how can I implement this?

A

You cannot, as a NAT GW does not use security groups; you can use an ACL to block inbound or outbound traffic.

86
Q

I have a number of instances that I do not want to be public facing, but I will have large amounts of information that I need to access on the internet, about 180GB. How can I architect these instances and what services do I need to enable internet access?

A

A single NAT GW can handle 5GB of traffic and scale up to 45GB; to get 180GB I will have to create 4 subnets and split the instances between them, with each subnet having a single NAT GW capable of 45GB.

87
Q

Can I have multiple EIPs on a NAT instance?

A

No, only a single EIP.

88
Q

What is the maximum number of connections a NATGW can sustain?

A

55K

89
Q

I have a Site-to-Site VPN, can I route traffic to my NAT GW over the VPN?

A

No, traffic over Site-to-Site VPN, Direct Connect or VPC peering cannot route to a NAT GW.

90
Q

I have an application that uses DynamoDB and S3 storage, what is my best option for connecting the application running on EC2 to these services?

A

Making calls that exit AWS will incur charges; creating an endpoint will allow you to keep traffic in AWS.

91
Q

As we view networking in relation to AWS, what networks are at play?

A
  • Your regional network (VPC)
  • Your on-prem
  • Internet
  • AWS Public zone
92
Q

In a VPC how many primary CIDR ranges can I have and how many secondary ranges can I have?

A

You can have 1 primary and 4 secondary.

93
Q

What are the smallest and largest CIDR ranges for a VPC?

A

/16 and /28

94
Q

I have a network (VPC) that is using a DNS server configured with option sets. I need to add a new server and delete the old one, what must I do?

A

You cannot edit an option set; you must create a new one.

95
Q

What are the reserved IPs in a subnet?

A
  • 0 = Network
  • 1 = VPC router
  • 2 = DNS
  • 3 = Reserved
  • 255 = Broadcast
96
Q

I have a VPC in us-west-1 and a VPC in eu-west-1 and I want to connect them together, how is this possible?

A

Use VPC peering as it can be within the same region or in separate regions.

97
Q

What is the network +1 address used for?

A

It is the subnet router address.

98
Q

What is the network +2 address?

A

DNS

99
Q

When you create a subnet you get a route table with a default local route, can you modify this route?

A

No.

100
Q

In what order are routes processed in the routing table?

A

The highest subnet /x wins out; for example, /22 is processed before /16.

101
Q

When I turn on route propagation, what happens to the routing table?

A

Routes learned from the VPG are auto-populated into the routing table.

102
Q

Can I add a second route table to a subnet?

A

No, only one route table per subnet.

103
Q

Can a VPC have more than a single route table?

A

Yes, a VPC can have multiple route tables, but subnets can only have a single route table.

104
Q

I have just created an ACL and want to associate it with an instance, is this possible?

A

No, an ACL can only be created in a VPC and associated with a subnet.

105
Q

I have just created an NACL, what can I associate it with, a subnet, instance or VPC?

A

The NACL will be part of the VPC, but you can associate it with one or more subnets.

106
Q

I am deploying a new application to AWS in a VPC; the application only uses port 80 and the ephemeral ports for TCP. What should I do from a network security perspective?

A

You should reduce the footprint; this means locking down all UDP ports as they are not used.

107
Q

I want to explicitly deny all traffic on the inbound, should I use NACLs or security groups?

A

NACLs, as you can explicitly deny traffic; security groups only let you allow traffic, as they have an implicit deny.

108
Q

How are rules for NACLs processed?

A

From the lowest number to the highest number.

109
Q

I have a NACL rule #100 with a DENY and a NACL rule #200 with an ALLOW; what will happen to the traffic, will it be allowed or denied?

A

DENY, as the DENY rule is the first rule, with the lowest number.

110
Q

I have a subnet with two instances and an NACL associated with the subnet the two instances are in; this NACL has DENY all traffic in and out. Will it stop the instances talking with each other?

A

No, as the NACL is on the outside of the subnet and only stops traffic crossing its boundary; an example would be traffic from another subnet, or traffic from the internet, VPN or Direct Connect.

111
Q

I have two subnets and each subnet has an NACL. I have an instance in both subnets; will one or both NACLs affect the traffic between both instances when talking to each other?

A

As traffic leaves a subnet it hits the first NACL, and as it enters the second subnet it hits the second NACL.

112
Q

Can I reference a URL with a NACL?

A

No, only CIDR blocks.

113
Q

Can I reference a resource with a NACL?

A

No, only a CIDR block.

114
Q

Where are NACLs applied in the network stack in AWS?

A

They are applied at the subnet boundary.

115
Q

Where are security groups applied in the AWS network stack?

A

They are applied at the instance’s virtual NIC interface.

116
Q

If I have a network security group with no rules in it and it is associated with each network interface of each instance, can these instances talk with each other?

A

No, the traffic will be blocked.

117
Q

Is a security group associated with all instance interfaces or just one?

A

If the security group is associated with the instance then it applies to all of its interfaces, but you can assign it to a single interface.

118
Q

Are NACLs stateful?

A

No

119
Q

Are Security Groups stateful?

A

Yes.

120
Q

I have a security group and I want to explicitly deny traffic, how can I do this?

A

You cannot explicitly deny traffic with a security group; you can use an NACL to explicitly deny traffic.

121
Q

Is all traffic DENY by default with NACLs?

A

No, they are by default allowed.

122
Q

Is traffic denied by default with a security group?

A

Yes

123
Q

Is there ordered processing of rules in a security group?

A

No, they are all evaluated at the same time.

124
Q

With security groups can I reference other resources like security groups?

A

Yes

125
Q

If I want to allow traffic from an instance in a security group, what do I have to do?

A

Create an inbound rule that allows all traffic and reference itself.

126
Q

Are NATGWs highly available?

A

No, if you lose an AZ, then the NATGW is gone.

127
Q

I want to configure a NATGW to allow my bastion host to be connected from my remote home location, what configuration do I need to do?

A

A NATGW does not allow you to connect from the outside.

128
Q

I have my NATGW configured, I want to use filtering of incoming IPs, can I do this?

A

No, there is no such functionality available on the NATGW.

129
Q

I am concerned that the load on my NATGW will cause issues, should I be concerned?

A

Not up to 5Gbps, as the NATGW scales up to 5Gbps automatically.

130
Q

I have just created a NATGW, do I need to do anything else in my subnets to get instances to use it?

A

Yes, you need to modify the route table and add a default route to point to the NATGW.

131
Q

I have an instance with IPv6 and I want to use a NATGW to enable it to connect to the internet, how can I configure this?

A

You cannot; NATGWs only work with IPv4. IPv6 will require an egress-only GW.

132
Q

I have my laptop on the internet and I ping the public DNS of an instance, what IP will I get back, public or private? Also, how can I get the instance’s private IP?

A

Private. You can use the private DNS.

133
Q

When I use VPC flow logs, am I getting the packet data or something else?

A

You are getting the metadata and not the packet data.

134
Q

What is the data in the flow log metadata?

A

Fields such as src and dest port and address, account-id, interface-id, packets, start and end.

135
Q

What is not logged by the VPC flow logs?

A

DHCP

AWS DNS

Metadata

Licence Activation Requests

136
Q

What are the three levels/scopes at which I can place VPC flow logs?

A

In all cases below the logs are created on the instance ENI; the customer defines the scope.

VPC

Subnet

Instance

137
Q

I want to quickly and easily collect a large number of flow logs and analyze them in an offline way; the data is stored in S3, what can I do?

A

You can use AWS Athena to query the data in S3.

138
Q

What do VPC endpoints do?

A

They enable access to AWS services from your VPC without traffic exiting to the internet; traffic moves directly from your VPC to the AWS service.

139
Q

I have several instances in a subnet in a VPC; this subnet has no internet gateway (no internet access). I require access to S3, DynamoDB and SQS; do I need to create an internet gateway or are there other options?

A

I can use VPC endpoints; the endpoint enables traffic to be directed to the AWS service (S3, DynamoDB) without needing to go to the internet, so traffic stays within the AWS network infrastructure.

140
Q

For VPC endpoints what services are supported?

A

Amazon API Gateway

AWS CloudFormation

AWS CloudTrail

Amazon CloudWatch

Amazon CloudWatch Events

Amazon CloudWatch Logs

AWS CodeBuild

AWS CodeCommit

AWS CodePipeline

AWS Config

Amazon EC2 API

Elastic Load Balancing API

Amazon Elastic Container Registry

Amazon Elastic Container Service

AWS Key Management Service

Amazon Kinesis Data Streams

Amazon SageMaker and Amazon SageMaker Runtime

Amazon SageMaker Notebook Instance

AWS Secrets Manager

AWS Security Token Service

AWS Service Catalog

Amazon SNS

Amazon SQS

AWS Systems Manager

AWS Transfer for SFTP

Endpoint services hosted by other AWS accounts

Supported AWS Marketplace partner services

141
Q

I have a private subnet with an instance in it and I want to get access to SNS. I do not have a NAT instance or a NATGW of any kind; how can I get access to SNS?

A

Use an endpoint: set up an endpoint in the VPC and configure the routing table to point at it for the SNS service.

142
Q

I have an instance in a private subnet, and I also have an endpoint set up for S3. I want to ensure that only traffic from this VPC can access the bucket, how can I do this?

A

Set up a bucket policy that restricts access based on aws:sourceVpc.

143
Q

What is the difference between GW and Interface Endpoints?

A

Depending on the service used you will get a GW or interface endpoint; for S3 you get a GW and for SQS you get an interface. The big difference is that a GW is highly available and at the VPC level.

144
Q

I have an Interface Endpoint, how can I secure it?

A

Because it is an interface in a subnet you can use a security group to secure the endpoint.

145
Q

I am creating an endpoint to use with SNS; this will be an interface endpoint. I need to ensure it is fault tolerant, what options do I have?

A

You can choose to have endpoints created in each subnet in each AZ; you will get a DNS name for each endpoint.

146
Q

What are the two services that use GW Endpoints?

A

S3 and DynamoDB.

147
Q

What is a VPC Peer?

A

A VPC peer enables you to connect VPCs that are in the same region or in a remote region.

148
Q

Do I need to establish two VPC peers for HA and fault tolerance?

A

No, you only need a single VPC peer; VPCs are fault tolerant.

149
Q

I have two VPCs, one in each separate account, I want to VPC peer across accounts, can I do this?

A

Yes, you can VPC peer across VPCs in separate accounts.

150
Q

I have two VPCs and have just created a peering connection between both, but I cannot ping from one instance in VPC 01 to an instance in VPC 02, what could be wrong?

A

It could be the security groups, but it is probably that we did not add a route in the VPC subnets’ routing tables.

151
Q

I am using VPC peering between two VPCs in separate accounts; I want to reference the security group in the other account so I can enable traffic, is this possible?

A

Yes, you use the security group as a reference instead of a CIDR.

152
Q

For VPC peering, where the VPCs are in separate regions, can I use the security group ID as a reference?

A

No, this is not supported.

153
Q

I have three VPCs: VPC 1 and VPC 2 peer, VPC 2 and VPC 3 also peer; can I ping from an instance in VPC 1 to VPC 3?

A

No, VPC peering is not transitive.

154
Q

I am using VPC peering; when I ping an instance in another VPC over the peering using its public IP, I am getting the public IP. This is normal expected behaviour; what can I do so the private IP is returned?

A

There are settings in the VPC peering that enable you to have the private IP returned.

155
Q

For VPC peering is IPv6 supported?

A

Yes, but not by default; also, IPv6 is not supported across regions.

156
Q

I have two VPCs using VPC peering, can I use Direct Connect or VPN to traverse VPCs?

A

No, you cannot; it is not supported.

157
Q

I am using VPC peering, I have a requirement that all data is encrypted in transit, is peering data in transit encrypted?

A

Yes.

158
Q

I want to set up a second VPN with my VPC, can I just add a second VPG to my VPC and establish a connection to a second customer GW?

A

You can only have one VPG on a VPC, so this would not work. You could use CloudHub for this. The important point is that there is only one VPG.

159
Q

Can I create a second VPG on my VPC?

A

No, only one VPG per VPC, you could use CloudHub.

160
Q

By default do route tables route to all subnets in the VPC, and if so what is the entry in the route table?

A

Yes, the route table has an entry that routes traffic to any subnet in the VPC; you cannot remove this.

161
Q

I want to block traffic going from one subnet to another, can I just remove the default route to stop the traffic?

A

No, the default route cannot be removed. Each route table in the VPC gets a default route, and this enables the traffic to be routed to other subnets in the VPC.

162
Q

What are the types of network zones I should be concerned with when thinking about networking in general?

A
  • AWS private zone -> VPC networking, private and public subnets
  • AWS Public zone
  • Internet -> publicly routed traffic
  • On-Prem
163
Q

How many CIDR ranges can I give a VPC?

A

You can assign one primary and 4 secondaries.

164
Q

What is the largest and smallest CIDR ranges for a VPC?

A

/16 and /28

165
Q

I need to have my VPC use a DNS server in the VPC, how can I configure this?

A

You need to create a new VPC option set and set the DNS server.

166
Q

How many VPC option sets can I add to a VPC?

A

1

167
Q

I have to set up a new DNS server and edit the VPC option set, how can I do this?

A

You cannot edit an option set; you have to create a new one.

168
Q

What are the reserved addresses in a Subnet in a VPC?

A

5 addresses:

  1. 0.0.0 Network address
  2. 0.0.1 GW
  3. 0.0.2 DNS
  4. 0.0.3 Reserved
  5. 0.0.255 Broadcast
169
Q

What is a VPC Peer?

A

It allows you to connect a VPC to another VPC in the same or even a different account.

170
Q

With VPC peering, can you traverse a VPC when peered?

A

No

171
Q

What is the difference between a VPN GW and an Internet GW?

A

The Internet GW is the exit point to the internet, and the VPN GW is the exit point to the network associated with the VPN. The VPN GW is also used to access the network associated with Direct Connect.

172
Q

What is a VPC endpoint?

A

It enables you to connect directly to AWS Public Zone services such as S3, DynamoDB and CWLogs.

173
Q

What is an egress only GW?

A

It enables traffic to flow only to the internet, meaning you would not be able to connect from the internet to any resources behind the egress GW.

174
Q

What are the network elements I can use in AWS?

A

Transit GW

VPN GW - VPN

VPN GW - Direct Connect

Internet GW

Peering

Subnets

Egress-only GW

NAT Instance

NAT GW

VPC Option Sets

ACL’s

NSG’s

175
Q

When using the routing table, what is the order of the routes?

A

The higher the /, the higher the priority. For example, with a /16 vs a /8, the /16 is chosen first if it matches.

176
Q

When I set up an IG, VPN GW, egress GW or NAT instance and I want traffic to flow to it, what do I need to set up?

A

A route in the routing table associated with the subnet and VPC.

177
Q
A
178
Q

Do I need a route in the routing table for a peering connection?

A

Yes 100%.

179
Q

Where are ACLs applied in the VPC?

A

Around the outside of the subnet. ACLs are associated with a subnet. They block traffic entering and leaving the subnet.

180
Q

Are ACLs stateful or stateless?

A

Stateless, meaning you have to allow traffic both in and out.

181
Q

Can I block traffic with an ACL?

A

Yes, you can block on incoming and outgoing, but you will only have the SRC, no DST.

182
Q

How many ACLs can you associate with a subnet?

A

One

183
Q

If you block on an ACL, will you block traffic between subnets?

A

Yes, as the ACL is applied on the outside of its associated subnet, all traffic is blocked from/to other subnets.

184
Q

How are ACLs evaluated?

A

Lowest to highest rule number.

185
Q

Can I explicitly deny traffic with an ACL?

A

Yes 100%, you can deny.

186
Q

If I know bad traffic is coming from an external IP, how can I block it using just basic VPC constructs?

A

You can block it incoming using an ACL with a deny rule, as this rule would be on a source.

187
Q

As I can block incoming traffic from a source, if I have the source URL as part of a blacklist, can I apply an ACL deny rule?

A

No, as the ACL source is IP only, and even a resolved URL's IP may change.

188
Q

Can I associate an ACL with multiple subnets?

A

Yes, but a subnet can only have one ACL.

189
Q

I have two VMs in a single subnet. If I use an ACL to block all traffic, will the VMs be able to talk to each other?

A

Yes, as the ACL is applied on the outside boundary of a Subnet.

190
Q

If I have two subnets (A and B), each with an instance (VMA and VMB), and each subnet has an ACL, how many ACLs does the traffic pass through when the two instances connect?

A

Two, as it will pass through both ACLs.

191
Q

I am using an ACL; can I reference another ACL or a security group as the SRC?

A

No, an ACL SRC only accepts a CIDR like 10.0.0.0/32.

192
Q

I have a VPC and a subnet, and I also have a peered VPC. My subnet has an ACL; how could I block all traffic coming from the peer?

A

Using the ACL you can deny traffic coming from the SRC CIDR, like 10.0.20.0/24, if the peered VPC was using this CIDR.

193
Q

Are security groups stateless?

A

No, they are stateful, meaning if you initiate a connection they will remember it and allow the outgoing traffic.

194
Q

Where are security groups applied?

A

They are applied at the ENI.

195
Q

I have two instances in the same subnet and I am blocking all traffic with security groups; will the instances be able to talk to each other?

A

No, as SGs are applied at the ENI, all traffic will be blocked, even within the subnet.

196
Q

Can I block traffic from an IP with security groups?

A

No, there is no way to block an IP.

197
Q

Are security groups applied to the instance?

A

No, they are applied to the ENI.

198
Q

How do SGs work when filtering traffic?

A

An SG blocks traffic by default, and you add allow rules.

199
Q

If I need to allow traffic to my instance from another security group, how can I do this with a security group that currently has no rules?

A

You would create an allow rule and reference the other security group as the source. Security groups allow you to use another security group as an SRC reference.

200
Q

I have two instances in the same subnet in the same security group. I cannot SSH from one instance to the other; how can I fix this?

A

The security group is blocking the traffic between both instances; you will have to create an allow-all-traffic rule and set the SRC to reference the security group itself, i.e. the security group's own name.

201
Q

What are public and private subnets?

A

A private subnet has no IG and a public subnet has an IG.

202
Q

I have a VPC with 4 subnets: two subnets are public to the internet and two are private. I have instances in the private subnets, one in each. I want these instances to download updates; how can I achieve this?

A

You will have to add a NAT GW; in this case, as there are two separate private subnets, you would be better to add two separate NAT instances for the two private subnets.

203
Q

When I am using a NAT GW do I need an elastic IP allocated and assigned?

A

Yes.

204
Q

Are NAT GWs highly available? Explain.

A

A NAT GW is tied to an AZ; if the AZ fails then your NAT is gone. You need to have a NAT per AZ; this way, if one AZ fails, the other AZs have their own NAT.

205
Q

Do NAT GWs scale automatically?

A

Yes, they scale with load.

206
Q

If I have a private and a public subnet using IPv6 and I want the instance in the private subnet to access the internet to download files, can I use the NAT GW?

A

No, the NAT GW is for IPv4 only; you have to use an egress-only GW for IPv6. The egress GW does not do port NAT; it does the same thing as an IG but will only allow outgoing traffic. All incoming traffic is blocked.

207
Q

When using a VPC, at what address is the DNS server?

A

The DNS server is always located at the +2 address (10.0.0.2) and is only available internally to the VPC; it is connected with the R53 Resolver.

208
Q

What DNS names does an instance get?

A

They get a public DNS name that resolves to the public IP if resolved outside the VPC, and to the private IP if resolved inside the VPC. They also get a private DNS name that resolves to the private IP (e.g. 10.0.0.50).

209
Q

I need to enable R53 so it can be accessed over the corporate network, how can I do this?

A

You have to have a VPC and a subnet, and the VPC has to be connected to the corporate network over VPN/Direct Connect. You use the R53 Resolver to create an inbound endpoint. This endpoint is an ENI-type interface created in the VPC subnet and can be accessed from the corporate network.

210
Q

Is the R53 Resolver inbound endpoint highly available, or is it just in one AZ?

A

When you create an inbound endpoint in R53 you have to define two AZs and subnets; two endpoints are created.

211
Q

What is an R53 Resolver inbound endpoint used for?

A

It is used to create a DNS endpoint that can resolve DNS queries for R53 that can be accessed from the external corporate network.

212
Q

What is the R53 outbound endpoint used for?

A

This is used when we set up forwarding rules in R53 to forward DNS queries.

213
Q

What is an R53 Resolver rule used for?

A

The R53 rules are used as part of the R53 Resolver outbound endpoint to set up forwarding rules.

214
Q

What is the R53 Resolver used for?

A

It is used when inbound endpoints are placed in the VPC subnet to allow an external corporate network to resolve a DNS query. Also, outbound endpoints can be used with forwarding rules to forward DNS queries to an external DNS server.

215
Q

I need to identify traffic coming from a source; how can I do this?

A

You can use VPC Flow Logs to capture the incoming VPC traffic metadata and have it stored in S3.

216
Q

I want to capture VPC traffic data (not metadata), how can I do this with VPC Flow logs?

A

You cannot with Flow Logs; Flow Logs only allow you to capture the traffic metadata, such as SRC IP, DST IP, etc.

217
Q

What traffic is not captured in Flow Logs?

A

DHCP

AWS DNS

Metadata

Licence Activation

218
Q

What options do I have with VPC Flow Logs to reduce the scope of the traffic I am monitoring?

A

You can select to have traffic captured at the VPC, subnet or ENI level.

219
Q

What output is available for VPC Flow Logs?

A

You can capture VPC Flow Logs to CWLogs or S3.

220
Q

I want to analyze VPC traffic from all my accounts to search for known hackers' IPs; how can I do this?

A

You can set up all the VPCs so they log their Flow Log traffic to S3, and use Athena to search for known hackers' IPs.

221
Q

I want to get access to AWS public services but, for security reasons, I do not want the traffic to flow over the internet. What options do I have?

A

Some of the AWS services can be accessed via endpoints. An endpoint can be either an Interface EP, which is placed in your VPC subnet, or an EP GW, which is attached to the VPC router.

222
Q

What are the two types of VPC endpoints?

A

Interface endpoints are placed in the VPC subnet.

EP GWs are attached to the VPC router and affected by route tables.

223
Q

What services are EP GWs used for?

A

S3, DynamoDB.

224
Q

When I use a VPC interface endpoint, what services am I connecting to?

A

SQS, etc. Not S3 or DynamoDB, as they use EP GWs.

225
Q

When I am using VPC interface endpoints for SQS, how can I ensure my app will always have access to an available endpoint, even if an EP fails?

A

Use the highly available DNS name to refer to SQS; this DNS name is updated with all the available EPs, and if one goes offline then it is taken out of the list.

226
Q

My application is using the sqs.us-east-1.amazonaws.com URL to access SQS. I have now deployed an interface endpoint into the VPC; I do not want to change the app, but I do want this URL to resolve to my endpoint. How can I do it?

A

There is a feature in the VPC that, when switched on, will resolve the public SQS URL to the deployed endpoint.

227
Q

Do gateway endpoints use route tables to route traffic to the service?

A

Yes, they use the prefix lists.

228
Q

I have a VPC in APAC and one in the EU and I need to connect both together; what are my options?

A

You can use VPC peering, but you have to ensure there are no overlapping IPs.

229
Q

When creating a VPC peering connection, do you have to accept it?

A

Yes; when another account requests it, you have to accept.

230
Q

After creating a peering connection what do I have to do to get traffic to flow?

A

Set up routes in the routing tables.

231
Q

When using VPC peering, is traffic transitive?

A

No

232
Q

If I have 3 VPC (VPC-A, VPC-B, VPC-C), how can I connect them all together?

A

You will need a mesh:

VPC-A -> VPC-B

VPC-A -> VPC-C

VPC-B -> VPC-C

233
Q

VPC Peering: if I have two VPCs, two subnets and two instances, one in each subnet, and I use the public DNS of an instance, what will it resolve to?

A

It will resolve to the public IP, and this IP would require traffic to go out over the internet. You have the option to select so that the public DNS of the instance will resolve to the private IP of the instance.

234
Q

I am using Direct Connect to connect from an instance on my corporate network to an instance in a VPC that is peered through another VPC. Will this work, and why?

A

No, a transitive peered connection does not work, and also you cannot route a peered connection through Direct Connect.

235
Q

When using VPC peering, is the traffic over the backbone between two inter-region VPCs encrypted?

A

Yes, traffic is encrypted and secure.

236
Q

What is an Endpoint GW?

A

The EP GW is located in the VPC and connected to the VPC router; you have to add a route to the routing table. They connect to two services, DynamoDB and S3. They are highly available and redundant.

237
Q

What is an EndPoint Interface?

A

These are like ENIs and are placed inside the subnet. They are subject to security groups and ACLs, and they are subject to an AZ failure, so you would need to have one in more than a single AZ. They have several DNS names: one that is tied to the AZ, and a group name that is managed by AWS, where AWS will add or remove failed EP interfaces.

238
Q

What is an AWS public zone?

A

It is a network region belonging to AWS where AWS makes its internal services available. Services in this zone are accessible over the internet, through Direct Connect, and also using endpoint interfaces and endpoint GWs.

239
Q

When using VPC endpoint GW, what is a prefix-list?

A

It is a list of routes maintained by AWS for services such as S3 in the region. It looks like pl-xxxxx; the pl is the prefix list.

240
Q

What are the logical components of a VPN?

A

Customer GW

Virtual Private GW

Site-to-site VPN connections

241
Q

Do VPNs support IPv6?

A

No, only IPv4 is supported.

242
Q

For AWS VPN, what is the important info for a customer GW?

A

The customer endpoint IP; this is a public-facing and accessible IP and is connected with a VPN router or software appliance. Also, whether it is a static or dynamic IP.

243
Q

What is the AWS VPN Virtual Private GW?

A

It is the AWS side of the connection and is a logical GW connected to the VPC much like the internet gateway but in this case, it connects to the VPN. You have to attach it to a VPC and you also have to set up routes in the route tables to have the traffic flow over it.

244
Q

When using the AWS VPN, what is the Site-to-Site VPN connection?

A

It hooks together the customer GW and the site-to-site GW.

245
Q

When using AWS VPNs, how can I improve VPN high availability?

A

For the VPN connection, you can use two tunnels; this gives you two separate tunnels. You can also add a second customer GW with two more tunnels to improve high availability.

246
Q

For AWS VPN, when using a high availability setup, can I use static routing?

A

No, you have to be using dynamic routing.

247
Q

When using AWS VPN, what is Diffie-Hellman used for?

A

It is the security function used to share key information between two parties in a VPN session.

248
Q

When using AWS VPN, what is the encryption?

A

It is probably going to be AES-256, but others are available.

249
Q

When using AWS VPN, what is the hashing algorithm used for?

A

It is used to validate packets and ensure they were not tampered with.

250
Q

How are routes evaluated in the routing table?

A

They are evaluated largest prefix first, e.g. /32.

251
Q

Do static routes in a routing table take preference over dynamic routes?

A

Yes.

252
Q

In the routing table, is Direct Connect preferred over VPN?

A

Yes.

253
Q

What are the physical requirements for Direct Connect?

A

Single-mode fibre.

Router with BGP and MD5

802.1Q (VLAN)

254
Q

What is a DX location?

A

This is a physical location where you place your router with its single-mode fibre to connect to AWS.

255
Q

Why would you use AWS Direct Connect?

A

Lower latency, as traffic does not go over the internet; an SLA; and reliable packet delivery.

256
Q

What are the key components in Direct Connect?

A

The DX Location is where the Direct Connect terminates and you do the cross-connect over single-mode fibre.

You have a switch capable of SMF, BGP, 802.1Q (VLAN) and BGP-MD5 auth.

You cross-connect your switch to AWS; to do this you need a LOA-CFA (letter of authorization).

257
Q

What speeds are available for Direct Connect?

A

1 or 10GB

258
Q

When using Direct Connect, are you billed for data out the same as for data out to the internet?

A

No, you are billed at a lower cost.

259
Q

I need to get a reliable, low-latency connection to transfer a large amount of data, and this needs to happen this week. Is Direct Connect a good option, and why?

A

Direct Connect is not an option; it takes several weeks to order and configure a Direct Connect.

260
Q

I am a SaaS provider and my clients are already on AWS. I want to share my service through my VPC; how can I do this?

A

One could use VPC peering, but this is not correct, as you have many customers and IP overlap is an issue. You will want to share your service through PrivateLink, so your customers will be able to create an endpoint in their VPC and access your service.