AWS Networking Flashcards
What is the RFC for the private address space?
RFC 1918
What is layer 1 of the OSI model?
Physical layer: bits on the medium, used for Ethernet cabling, DSL, ISDN, WiFi.
What is layer 2 of the OSI model?
Data link layer: Ethernet frames and MAC addresses. The switching layer, with switches and bridges (hubs are layer 1 repeaters).
What is layer 3 of the OSI model?
Network layer: IPv4, IPv6, ICMP, IPsec. The routing layer, with routers.
What is layer 4 of the OSI model?
Transport layer: TCP, UDP, SPX, AppleTalk (ATP).
What is layer 5 of the OSI model?
Session layer: establishes, maintains and tears down sessions.
What is layer 6 of the OSI model?
Presentation layer: translation, compression, encryption.
What is layer 7 of the OSI model?
Application layer: HTTP, DNS, FTP.
Where in the OSI model does TLS fit?
TLS is usually placed in the Presentation layer (layer 6), the layer responsible for encryption and compression. In practice it sits between the transport layer and the application protocol it protects (HTTPS is HTTP over TLS over TCP) and does not map cleanly onto a single OSI layer.
How many host IPs can I have with an AWS VPC subnet of /24?
251. A /24 has 256 addresses and AWS reserves 5 in every subnet: the network address, the VPC router (+1), the DNS resolver (+2), one reserved for future use (+3) and the broadcast address (the last address; VPCs do not support broadcast, but the address is still reserved).
What is the largest VPC I can have in AWS?
/16 (65,536 addresses) for a single CIDR block.
Convert 192.168.0.15 to its bit form?
11000000.10101000.00000000.00001111
What is the 172.16.0.0 private address space range?
It is a /12 address space ranging from 172.16.0.0 to 172.31.255.255 and has about 1M addresses (2^20 = 1,048,576).
What is the 10.0.0.0 private address space range?
It is a /8 address space ranging from 10.0.0.0 to 10.255.255.255 and has about 16M addresses (2^24 = 16,777,216).
What is the 192.168.0.0 private address space range?
It is a /16 address space ranging from 192.168.0.0 to 192.168.255.255 and has about 65K addresses (2^16 = 65,536).
What is classless inter-domain routing (CIDR)?
Addressing where the prefix length (/n) states how many leading bits of the address are the network part, instead of the fixed class A/B/C boundaries. The subnet mask has those n bits set; lengthening the prefix subdivides the network into smaller subnets.
If we have a CIDR of /8, how many host addresses can I have?
16M (2^24 - 2 = 16,777,214 after removing the network and broadcast addresses).
What does a /8 CIDR mask look like in binary form?
11111111.00000000.00000000.00000000
What does a /16 CIDR mask look like in binary?
11111111.11111111.00000000.00000000
What does a /24 CIDR look like in binary?
11111111.11111111.11111111.00000000
If we have a /24 network, how many subnets can we carve from it?
It depends on the prefix length you choose: each bit borrowed from the host part doubles the number of subnets and halves the hosts in each. The host counts below are the classic 2^n - 2 (network and broadcast removed); an AWS subnet reserves 5 addresses instead of 2 and cannot be smaller than /28.
/24 = 1 network : 254 hosts
/25 = 2 : 126 hosts
/26 = 4 : 62 hosts
/27 = 8 : 30 hosts
/28 = 16 : 14 hosts
/29 = 32 : 6 hosts
/30 = 64 : 2 hosts
In a 10.x.x.x network how many bits are available for subnetting and hosts?
24 bits, since the 10 network is a /8: the first 8 bits are fixed and the remaining 24 can be split between subnet and host bits.
In a 172.16.x.x network how many bits can be used for subnetting and hosts?
20 bits, since the 172.16.0.0 private range is a /12: the first 12 bits are fixed and the remaining 20 can be split between subnet and host bits.
With a CIDR, when we add bits to the prefix, what are we doing?
We are lengthening the prefix (borrowing bits from the host part), which subnets the network: each extra bit doubles the number of subnets and halves the hosts per subnet.
In the following CIDR, how many subnet bits are there for 192.168.0.0/24, and how many subnets are there?
Zero (0) subnet bits and 1 subnet.
192.168.0.0 is a /16 private range, so a 192.168.0.0/24 network leaves only 8 bits to split between subnets and hosts; here none of them are borrowed for subnetting.
The number of subnets is 2 to the power of n, where n is the number of borrowed bits; n = 0 gives 1.
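The subnet arithmetic on the cards above (binary form, masks, RFC 1918 ranges, hosts per subnet and the five addresses AWS reserves, which the reserved-IP cards later in this set list again) is easy to get wrong by hand. The following is an added example, not part of the original flashcards, written with Python's standard `ipaddress` module; the only assumptions are the AWS rules already stated on the page (5 reserved addresses per subnet, VPC and subnet sizes between /16 and /28).

```python
import ipaddress

# AWS reserves five addresses in every subnet (see the /24 card above):
# network, VPC router (+1), DNS resolver (+2), future use (+3), broadcast (last).
AWS_RESERVED_PER_SUBNET = 5
AWS_MIN_PREFIX, AWS_MAX_PREFIX = 16, 28  # VPC and subnet sizes must be between /16 and /28

RFC1918 = [ipaddress.IPv4Network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def to_binary(ip):
    """Dotted-decimal IPv4 address -> four 8-bit binary groups."""
    return ".".join(f"{octet:08b}" for octet in ipaddress.IPv4Address(ip).packed)


def mask_binary(prefix):
    """Subnet mask for a /prefix in the same dotted-binary form."""
    return to_binary(str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask))


def rfc1918_block(ip):
    """Return (block, first, last, size) for the private range containing ip, or None."""
    addr = ipaddress.IPv4Address(ip)
    for block in RFC1918:
        if addr in block:
            return (str(block), str(block.network_address),
                    str(block.broadcast_address), block.num_addresses)
    return None


def usable_hosts(cidr, aws=True):
    """Classic subnetting loses network + broadcast (2); an AWS subnet loses 5."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return max(net.num_addresses - (AWS_RESERVED_PER_SUBNET if aws else 2), 0)


def aws_reserved(cidr):
    """The five addresses you cannot assign in an AWS subnet."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    base = net.network_address
    return {"network": str(base), "vpc_router": str(base + 1), "dns": str(base + 2),
            "future_use": str(base + 3), "broadcast": str(net.broadcast_address)}


def aws_subnets(vpc_cidr, new_prefix):
    """Carve vpc_cidr into /new_prefix subnets; each borrowed bit doubles the count."""
    net = ipaddress.IPv4Network(vpc_cidr, strict=True)
    if not AWS_MIN_PREFIX <= net.prefixlen <= AWS_MAX_PREFIX:
        raise ValueError(f"VPC CIDR must be /16../28, got /{net.prefixlen}")
    if not net.prefixlen <= new_prefix <= AWS_MAX_PREFIX:
        raise ValueError(f"subnet prefix must be /{net.prefixlen}../28, got /{new_prefix}")
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def subnet_table(cidr, aws=True):
    """Rows of (prefix, subnet count, usable hosts per subnet) down to /30 (or /28 on AWS)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    last = AWS_MAX_PREFIX if aws else 30
    rows = []
    for prefix in range(net.prefixlen, last + 1):
        count = 2 ** (prefix - net.prefixlen)
        rows.append((prefix, count, usable_hosts(f"0.0.0.0/{prefix}", aws)))
    return rows


if __name__ == "__main__":
    print(to_binary("192.168.0.15"), mask_binary(24))
    for row in subnet_table("192.168.0.0/24", aws=False):
        print("/%d -> %d subnets of %d hosts" % row)
    print(aws_reserved("10.0.1.0/24"))
```

`strict=True` makes `ipaddress` reject a CIDR whose host bits are not zero (for example `10.0.1.5/24`), which is the usual copy-paste mistake in a VPC or security group rule; `aws_subnets` additionally refuses prefixes outside the /16 to /28 window that the VPC API would reject.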
What is the DHCP server port?
67
What is the DHCP client port?
68
Is DHCP a TCP or UDP protocol?
UDP. The client has no IP address yet, so it sends its request as a UDP broadcast to 255.255.255.255.
Is DHCP unicast or broadcast?
Broadcast for the client's Discover and Request (destination 255.255.255.255); the server's Offer and Ack are broadcast or unicast to the offered address depending on the broadcast flag the client set.
What is the typical DHCP exchange sequence to get an IP address from the server?
DHCPDiscover
DHCPOffer
DHCPRequest
DHCPAck
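The four-message exchange above, worked through on the wire: an added example (not part of the original flashcards) that serialises and parses RFC 2131 DHCP messages and runs Discover/Offer/Request/Ack in memory, tagging each message with the ports (68 -> 67 and back) and the broadcast destination it would use. The MAC, server and offered addresses in the usage call are constructed values, not taken from the page.

```python
import struct
import ipaddress

SERVER_PORT, CLIENT_PORT = 67, 68          # DHCP server / client UDP ports
LIMITED_BROADCAST = "255.255.255.255"
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"         # marks the start of the options field
OPT_REQUESTED_IP, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 53, 54, 255
MSG_NAMES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 5: "DHCPACK", 6: "DHCPNAK"}
FIXED = "!BBBBIHH4s4s4s4s16s64s128s"       # RFC 2131 fixed header, 236 bytes


def build(op, xid, mac, options, yiaddr="0.0.0.0", broadcast=True):
    """Serialize one DHCP message: fixed header, magic cookie, TLV options, END."""
    flags = 0x8000 if broadcast else 0     # client asks for broadcast replies until it has an IP
    zero4 = b"\x00" * 4
    header = struct.pack(FIXED, op, 1, 6, 0, xid, 0, flags,
                         zero4, ipaddress.IPv4Address(yiaddr).packed, zero4, zero4,
                         mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + bytes([OPT_END])


def parse(raw):
    """Decode a DHCP message; raises ValueError on a missing cookie or a truncated option."""
    if len(raw) < 240 or raw[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    f = struct.unpack(FIXED, raw[:236])
    options, i = {}, 240
    while i < len(raw) and raw[i] != OPT_END:
        if raw[i] == 0:                    # PAD option has no length byte
            i += 1
            continue
        if i + 1 >= len(raw) or i + 2 + raw[i + 1] > len(raw):
            raise ValueError("truncated option %d" % raw[i])
        code, length = raw[i], raw[i + 1]
        options[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "xid": f[4], "broadcast": bool(f[6] & 0x8000),
            "yiaddr": str(ipaddress.IPv4Address(f[8])), "chaddr": f[11][:f[2]],
            "type": MSG_NAMES.get(options.get(OPT_MSG_TYPE, b"\x00")[0], "UNKNOWN"),
            "options": options}


def dora(client_mac, server_ip, offered_ip, xid=0x3903F326):
    """Simulate Discover/Offer/Request/Ack in memory (constructed scenario, no sockets).
    Returns the four decoded messages, each tagged with the ports and destination it would use."""
    server = ipaddress.IPv4Address(server_ip).packed
    trace = []

    def send(raw, src_port, dst_port, dst_ip):
        msg = parse(raw)
        msg.update(src_port=src_port, dst_port=dst_port, dst_ip=dst_ip)
        trace.append(msg)
        return msg

    # 1. DISCOVER: the client has no address, so it broadcasts from 68 to 67.
    d = send(build(BOOTREQUEST, xid, client_mac, [(OPT_MSG_TYPE, b"\x01")]),
             CLIENT_PORT, SERVER_PORT, LIMITED_BROADCAST)
    # 2. OFFER: the server proposes an address (yiaddr) and identifies itself (option 54).
    o = send(build(BOOTREPLY, d["xid"], d["chaddr"],
                   [(OPT_MSG_TYPE, b"\x02"), (OPT_SERVER_ID, server)], yiaddr=offered_ip),
             SERVER_PORT, CLIENT_PORT, LIMITED_BROADCAST)
    # 3. REQUEST: still broadcast, naming the chosen server so other servers withdraw their offers.
    r = send(build(BOOTREQUEST, xid, client_mac,
                   [(OPT_MSG_TYPE, b"\x03"),
                    (OPT_REQUESTED_IP, ipaddress.IPv4Address(o["yiaddr"]).packed),
                    (OPT_SERVER_ID, o["options"][OPT_SERVER_ID])]),
             CLIENT_PORT, SERVER_PORT, LIMITED_BROADCAST)
    # 4. ACK, or NAK if the request names another server or an address we did not offer.
    ok = (r["options"].get(OPT_SERVER_ID) == server and
          r["options"].get(OPT_REQUESTED_IP) == ipaddress.IPv4Address(offered_ip).packed)
    send(build(BOOTREPLY, r["xid"], r["chaddr"],
               [(OPT_MSG_TYPE, b"\x05" if ok else b"\x06"), (OPT_SERVER_ID, server)],
               yiaddr=offered_ip if ok else "0.0.0.0"),
         SERVER_PORT, CLIENT_PORT, LIMITED_BROADCAST)
    return trace


if __name__ == "__main__":
    for m in dora(bytes.fromhex("0a1b2c3d4e5f"), "10.0.0.1", "10.0.0.50"):
        print(m["type"], m["src_port"], "->", m["dst_port"], m["dst_ip"], m["yiaddr"])
```

Nothing in this exchange authenticates the server: the client simply takes the first Offer that arrives on port 68, which is why a rogue DHCP server on the same broadcast domain can hand out its own gateway and DNS options. In a VPC the router at network +1 answers DHCP, and the VPC does not forward customer broadcasts, which removes that attack surface inside AWS.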
What port is used for DNS?
Port 53.
Are messages sent over UDP, TCP or both for DNS?
Both. Queries normally use UDP; TCP is used when a response is too large for UDP (the server sets the TC bit and the client retries over TCP) and for zone transfers.
A URL is made up of 4 parts, can you name them?
protocol (scheme)
subdomain
domain
TLD (top level domain)
A full URL can also carry a port, path, query string and fragment. Note that what looks like a TLD can be multi-label (co.uk), so use the public suffix list when deciding which part is the registrable domain.
What is a zone?
The part of the DNS namespace (a domain and its subdomains, minus anything delegated away) that a DNS server holds records for and answers for.
In DNS what is a primary zone?
A zone for which the server is authoritative and holds the master copy: its DNS server has the final say.
In DNS what is a secondary zone?
A secondary zone is a read-only copy: the DNS server will respond, but it does not have the final say. It must check in with the primary zone's DNS server (a zone transfer) to pick up changes.
In DNS when would you use a secondary zone?
When you want redundancy for the primary server: if the primary goes down, the secondary zone's DNS server still answers.
In DNS what is a root server used for?
Root servers point to the TLD servers (they answer "who is authoritative for .com?").
In DNS what are the TLD servers?
TLD servers point to the name servers for each domain under the TLD.
In DNS what are the name servers used for?
The authoritative name servers hold the zone's records and answer with the hosts' addresses.
In DNS what are 'A' records used for?
An 'A' record is part of a zone and maps a name to the IPv4 address of a host.
In DNS what is a CNAME record used for?
A CNAME record is part of a zone and maps an alias to another name (the canonical name), which is then resolved in turn; with it we could map bar.google.com to foo.google.com.
From your laptop, how is a URL resolved?
- The laptop asks its local (recursive) DNS server.
- The local DNS server checks its cache; on a miss it uses the root hints file to ask a root server.
- The root server responds with the addresses of the TLD servers.
- The local DNS server asks the TLD server, which responds with the addresses of the domain's name servers.
- The local DNS server asks the name server, which responds with the IP of the host.
- The local DNS server caches the answer and returns the host IP to your laptop.
In DNS what is an 'AAAA' record?
An 'AAAA' record is the same as an 'A' record but for IPv6: it maps a name to a host's IPv6 address.
What is an MX record in DNS?
A mail exchange record: it names the mail server(s) that accept mail for the domain, each with a preference value.
In DNS what is a TXT record?
A "text record" holds free-form text. It is typically used for services that need information published in your DNS, such as proving ownership of a domain with a verification token, or the SPF and DMARC policies that tell receivers which servers may send mail for the domain.
In DNS what is a PTR record?
A PTR record is the reverse lookup record: it maps an IP address back to a name (in the in-addr.arpa or ip6.arpa zone). Conventionally there is one PTR record per IP address.
In DNS what is an SOA record?
The SOA is the "Start of Authority" record: it names the primary name server responsible for the zone and carries the zone's serial number, refresh/retry/expire timers and administrator contact.
In DNS, what is a record's TTL value?
The time in seconds that a resolver may cache the record before it must ask the authoritative server again.
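The record types, TTLs and the UDP/TCP question on the cards above are all visible in the DNS wire format. The following is an added example, not part of the original flashcards: a small builder and parser for DNS messages (RFC 1035 header, question, A/AAAA/CNAME/MX/PTR/TXT answers with their TTLs, name compression pointers and the TC bit that tells a client to retry over TCP). The names and addresses used in the usage call are constructed test data.

```python
import struct
import ipaddress

UDP_PORT = 53
TYPE = {"A": 1, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
TYPE_NAME = {v: k for k, v in TYPE.items()}
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080
MAX_POINTER_HOPS = 16  # bound on compression-pointer chasing; a looping pointer is a classic parser DoS

def encode_name(name):
    """'www.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(msg, off):
    """Return (name, offset just past the name); follows 0xC0 compression pointers with a hop limit."""
    labels, hops, end = [], 0, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: 14-bit offset into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)

def encode_rdata(rtype, value):
    if rtype == "A":
        return ipaddress.IPv4Address(value).packed
    if rtype == "AAAA":
        return ipaddress.IPv6Address(value).packed
    if rtype in ("CNAME", "PTR"):
        return encode_name(value)
    if rtype == "MX":  # value = (preference, exchange)
        return struct.pack("!H", value[0]) + encode_name(value[1])
    if rtype == "TXT":  # one <length><string> chunk, at most 255 bytes
        raw = value.encode()
        return bytes([len(raw)]) + raw
    raise ValueError(rtype)

def decode_rdata(msg, off, rtype, rdlen):
    if rtype == TYPE["A"]:
        return str(ipaddress.IPv4Address(msg[off:off + 4]))
    if rtype == TYPE["AAAA"]:
        return str(ipaddress.IPv6Address(msg[off:off + 16]))
    if rtype in (TYPE["CNAME"], TYPE["PTR"]):
        return decode_name(msg, off)[0]
    if rtype == TYPE["MX"]:
        return struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0]
    if rtype == TYPE["TXT"]:
        return msg[off + 1:off + 1 + msg[off]].decode()
    return msg[off:off + rdlen].hex()

def build_message(msg_id, qname, qtype, answers=(), response=True, truncated=False):
    """Query (no answers) or response. answers = (owner name, type, ttl, value); an owner equal
    to qname is written as the pointer 0xC00C back to the question name at offset 12."""
    flags = FLAG_RD | ((FLAG_QR | FLAG_RA) if response else 0) | (FLAG_TC if truncated else 0)
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE[qtype], 1)
    for name, rtype, ttl, value in answers:
        rdata = encode_rdata(rtype, value)
        owner = b"\xc0\x0c" if name.rstrip(".") == qname.rstrip(".") else encode_name(name)
        msg += owner + struct.pack("!HHIH", TYPE[rtype], 1, ttl, len(rdata)) + rdata
    return msg

def parse_message(msg):
    msg_id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!HH", msg[off:off + 4])[0]
        off += 4
        questions.append((name, TYPE_NAME.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, TYPE_NAME.get(rtype, rtype), ttl, decode_rdata(msg, off, rtype, rdlen)))
        off += rdlen
    return {"id": msg_id, "response": bool(flags & FLAG_QR),
            "truncated": bool(flags & FLAG_TC),  # TC set: retry the same query over TCP port 53
            "questions": questions, "answers": answers}
```

A real client would send `build_message(..., response=False)` to UDP port 53 and, if the parsed reply has `truncated` set, repeat the query over TCP with a two-byte length prefix. The hop limit in `decode_name` matters when parsing untrusted responses: a pointer that points at itself would otherwise loop forever.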
Can I delete a default security group?
No, the default security group of a VPC cannot be deleted.
With a security group can I deny IP addresses?
No. A security group denies all inbound traffic by default and you open what you need with allow rules; you cannot write a rule that denies a specific address or port. You can only allow inbound traffic by source (IP range or another security group), port and protocol.
By default, will a security group allow or deny all traffic inbound?
Denies all inbound traffic.
Can you create a security group rule that denies traffic?
No, rules are always allow rules, for both inbound and outbound.
Are security groups stateful?
Yes. If you send a request to an instance and an inbound rule allows it, the response is allowed out regardless of the outbound rules (and vice versa for connections the instance starts).
By default is all outbound traffic (initiated by the server) allowed for a security group?
Yes, a new security group has an outbound rule that allows all outbound traffic.
Can I create a security group rule to block port 80?
No. Security groups deny everything not explicitly allowed and only allow rules exist, so you block port 80 by simply not allowing it.
I want to block an incoming IP address, what is my best option in the VPC?
Use a network ACL (NACL) on the subnet, since you cannot deny traffic with a security group.
I have an on-prem application using multicast, I want to move to AWS, what should I be aware of?
Multicast is not supported natively inside a VPC, so you need an overlay network between the instances (AWS later added multicast support through Transit Gateway).
I need a public IP, what is the name AWS uses for this public IP?
Elastic IP (EIP): a static public IPv4 address you allocate and attach. (Instances can also receive an auto-assigned public IP, but that address is released when the instance stops.)
What is a public subnet?
A subnet whose route table sends internet-bound traffic (0.0.0.0/0) to an internet gateway attached to the VPC, so traffic can enter and leave it from the internet. Instances in it still need a public or Elastic IP to be reachable.
Can I have more than a single ACL on a VPC?
Yes
When you create a VPC do you get a default ACL?
Yes
Does the ACL filter traffic on a VPC or on a subnet?
An ACL filters traffic entering and leaving a subnet; the ACL itself belongs to a VPC.
When you create an ACL, is it by default associated with all subnets in the VPC?
No, a custom ACL is not associated with any subnet; you have to associate it with a subnet for the filter to apply.
When you create a VPC, do you get an ACL by default?
Yes, you get a default ACL that allows all traffic, and every subnet that is not explicitly associated with another ACL uses it.
Are ACLs stateless or stateful?
Stateless. They do not track connections, so if you allow traffic in you must also allow the return traffic out (on the ephemeral port range), and vice versa. In practice, ACLs are best used to deny traffic in or out.
Can I associate an ACL with multiple subnets?
Yes
Can subnets be associated with multiple ACL?
No
By default do ACLs allow traffic in/out?
The default ACL allows all traffic in and out; a custom ACL you create denies all traffic until you add rules.
In what order are the route table, ACL and security group applied in the flow of traffic?
Route table
ACL
Subnet
Security group
Instance
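The security group and ACL cards above describe three behaviours that bite in practice: security groups are stateful and allow-only, ACLs are stateless so reply traffic needs its own ephemeral-port rule, and ACL rules are evaluated in rule-number order with the first match winning (so a deny numbered after a broad allow never fires). The following is an added example, not part of the original flashcards, that models both filters and walks a constructed HTTPS connection through them; the addresses are TEST-NET documentation ranges and the rule-number semantics are AWS's (lowest matching rule wins, then the implicit `*` deny).

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)  # reply ports a stateless ACL must explicitly allow


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int    # NACL evaluation order; ignored by security groups
    action: str    # "allow" or "deny"
    proto: str     # "tcp", "udp", "icmp" or "-1" for all
    ports: tuple   # (low, high) destination-port range
    cidr: str      # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, ip, port, proto):
        return (self.proto in ("-1", proto) and self.ports[0] <= port <= self.ports[1]
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


class NetworkAcl:
    """Subnet-level, stateless, ordered: lowest matching rule number wins, else the '*' deny."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        for r in rules:
            if r.matches(peer, pkt.dport, pkt.proto):
                return r.action, r.number
        return "deny", "*"


class SecurityGroup:
    """Instance-level, stateful, allow-only: replies to tracked flows bypass the rule set."""
    def __init__(self, inbound, outbound=None):
        if outbound is None:  # AWS default outbound rule: allow everything
            outbound = [Rule(0, "allow", "-1", (0, 65535), ANY)]
        for r in inbound + outbound:
            if r.action != "allow":
                raise ValueError("security group rules can only allow")
        self.inbound, self.outbound, self.flows = inbound, outbound, set()

    def evaluate(self, pkt, direction):
        # flow key = (peer ip, peer port, local port, proto); the reply of a tracked flow has the same key
        if direction == "in":
            key, peer, rules = (pkt.src, pkt.sport, pkt.dport, pkt.proto), pkt.src, self.inbound
        else:
            key, peer, rules = (pkt.dst, pkt.dport, pkt.sport, pkt.proto), pkt.dst, self.outbound
        if key in self.flows:
            return "allow", "stateful-reply"
        if any(r.matches(peer, pkt.dport, pkt.proto) for r in rules):
            self.flows.add(key)
            return "allow", "rule"
        return "deny", "*"


def demo():
    """Constructed scenario: client 203.0.113.7 opens HTTPS to instance 10.0.1.10."""
    request = Packet("203.0.113.7", "10.0.1.10", "tcp", 51515, 443)
    reply = Packet("10.0.1.10", "203.0.113.7", "tcp", 443, 51515)
    results = {}

    # Security group with NO outbound rules at all: the reply still leaves, because it is stateful.
    sg = SecurityGroup([Rule(0, "allow", "tcp", (443, 443), ANY)], outbound=[])
    results["sg_request"] = sg.evaluate(request, "in")
    results["sg_reply"] = sg.evaluate(reply, "out")

    # Stateless NACL: the reply is a fresh outbound packet and needs its own ephemeral-port rule.
    no_ephemeral = NetworkAcl([Rule(100, "allow", "tcp", (443, 443), ANY)], [])
    with_ephemeral = NetworkAcl([Rule(100, "allow", "tcp", (443, 443), ANY)],
                                [Rule(100, "allow", "tcp", EPHEMERAL, ANY)])
    results["nacl_reply_without_ephemeral"] = no_ephemeral.evaluate(reply, "out")
    results["nacl_reply_with_ephemeral"] = with_ephemeral.evaluate(reply, "out")

    # Blocking an address: the deny needs a LOWER number than the broad allow, or it is shadowed.
    bad = Packet("198.51.100.9", "10.0.1.10", "tcp", 40000, 443)
    shadowed = NetworkAcl([Rule(100, "allow", "tcp", (443, 443), ANY),
                           Rule(200, "deny", "-1", (0, 65535), "198.51.100.0/24")], [])
    ordered = NetworkAcl([Rule(50, "deny", "-1", (0, 65535), "198.51.100.0/24"),
                          Rule(100, "allow", "tcp", (443, 443), ANY)], [])
    results["shadowed_deny"] = shadowed.evaluate(bad, "in")
    results["ordered_deny"] = ordered.evaluate(bad, "in")
    return results
```

Before adding a deny rule to a real NACL, check what rule numbers already exist on the subnet's ACL: AWS evaluates the lowest number first, exactly as `NetworkAcl.evaluate` does, so a deny at 200 behind an allow-all at 100 is a no-op that looks correct in the console.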
I want to capture all source IPs coming into an interface on an EC2 instance, is this possible and how?
Yes, enable VPC flow logs on that network interface (ENI).
I want to capture all source IPs coming into a VPC, is this possible and how?
Yes, enable VPC flow logs at the VPC level.
I want to capture all source IPs coming into a subnet, is this possible and how?
Yes, enable VPC flow logs at the subnet level; every ENI in the subnet is then logged.
For flow logs, what are the 3 different scopes I can enable them for?
VPC - all ENIs in the VPC
Subnet - all ENIs in the subnet
ENI - a single network interface (for example, the instance's)
What destinations are available for flow logs?
S3
CloudWatch Logs
(Amazon Kinesis Data Firehose was added as a third destination later.)
I have an application on EC2 instances and I want to be notified if an IP address connects from another country, what options do I have?
Send the flow logs to CloudWatch Logs and raise a CloudWatch alarm. Flow logs record source addresses but not their country, so the records have to be enriched first, for example by a Lambda function that looks each source IP up in a GeoIP database and emits a metric or finding for the alarm to fire on.
I need to enable my instances to access the internet but I do not want the instances to have a public face on the internet, what is my best option?
Use a NAT gateway for IPv4 and an egress-only internet gateway for IPv6.
For a NAT GW do you need an EIP?
Yes. The EIP is the public-facing address; the instances behind the NAT gateway share it.
What are you charged for with a NAT GW?
Hours the gateway is provisioned and per GB of data processed (plus standard data transfer).
I need a NAT GW to span multiple Availability Zones?
A single NAT gateway will not work across Availability Zones, since it is tied to one AZ when you choose its subnet at creation. Use one NAT gateway per AZ, with each private subnet routing to the gateway in its own AZ.
I have just created a NAT gateway and my instances cannot get internet access, what do you think is wrong?
You have not pointed the traffic at the NAT gateway: the private subnets' route tables need a 0.0.0.0/0 route whose target is the NAT gateway, and the gateway's own (public) subnet needs a 0.0.0.0/0 route to the internet gateway.
I need to secure my NAT GW with a security group, how can I implement this?
You cannot, as a NAT gateway does not use security groups. Use a network ACL on its subnet to block traffic in or out, and security groups on the instances behind it.
I have a number of instances that I do not want to be public facing, but I need to fetch large amounts of data from the internet, about 180 GB; how can I architect this and what services do I need to enable internet access?
Put the instances in private subnets with a NAT gateway. A NAT gateway supports 5 Gbps and scales automatically to 45 Gbps (the figure at the time of this card; check the current quota). These are bandwidths, so a 180 GB volume is not in itself a sizing problem. Only if the required throughput exceeds what one gateway provides do you split the instances across several subnets, each with its own NAT gateway and route table.
Can I have multiple EIPs on a NAT gateway?
At the time of this card, a NAT gateway had a single EIP; AWS has since added support for multiple addresses on one NAT gateway.
What is the max number of connections a NAT GW can sustain?
55,000 simultaneous connections to each unique destination (IP address, port and protocol); beyond that, new connections fail with port-allocation errors.
I have a Site-to-Site VPN, can I route traffic to my NAT GW over the VPN?
No. Traffic arriving over a Site-to-Site VPN, Direct Connect or VPC peering cannot be routed to a NAT gateway; it only serves resources inside its own VPC.
I have an application that uses DynamoDB and S3, what is my best option for connecting an application running on EC2 to these services?
Create VPC gateway endpoints for S3 and DynamoDB. Calls that leave through a NAT or internet gateway incur data charges; a gateway endpoint keeps the traffic on the AWS network, has no hourly or data charge, and lets you attach an endpoint policy restricting which buckets or tables can be reached.
As we view networking in relation to AWS, what networks are at play?
- Your regional network (VPC)
- Your on-prem
- Internet
- AWS Public zone
In a VPC how many primary CIDR ranges can I have and how many secondary ranges can I have?
You can have 1 primary and, by default, up to 4 secondary CIDR blocks (the quota can be raised).
What are the smallest and largest CIDR ranges for a VPC?
/28 (16 addresses) is the smallest and /16 (65,536 addresses) is the largest.
I have a VPC that is using a DNS server configured through a DHCP options set, I need to add a new server and delete the old one, what must I do?
You cannot edit a DHCP options set: create a new one with the new server, associate it with the VPC, then delete the old set. Instances pick up the change when they renew their DHCP lease.
What are the reserved IPs in a subnet?
- network + 0 = network address
- network + 1 = VPC router
- network + 2 = DNS resolver
- network + 3 = reserved for future use
- last address (.255 in a /24) = broadcast
I have a VPC in us-west-1 and a VPC in eu-west-1 and I want to connect them together, how is this possible?
Use VPC peering, which works within a region or across regions. The two VPC CIDRs must not overlap, and peering is not transitive: each pair of VPCs needs its own peering connection and route table entries.
What is network + 1 address used for?
It is the subnet router address.
What is the network +2 address?
DNS
When you create a subnet you get a route table with a default local route, can you modify this route?
No, the local route for the VPC CIDR cannot be deleted; it keeps every subnet in the VPC able to reach every other. (AWS later allowed adding routes more specific than the local route, used to send intra-VPC traffic through an inspection appliance.)
In what order are routes processed in the route table?
Longest prefix match: the most specific route wins, so a /22 is matched before a /16 for addresses that fall in both. For identical prefixes, a static route takes priority over a propagated one.
When I turn on route propagation, what happens to the route table?
Routes learned from the virtual private gateway (VGW) are automatically added to the route table.
Can I add a second route table to a subnet?
No, only one route table per subnet.
Can a VPC have more than a single route table?
Yes, a VPC can have multiple route tables, but each subnet can be associated with only one of them.
I have just created an ACL and want to associate it with an instance, is this possible?
No, an ACL is created in a VPC and associated with subnets, not instances; use a security group on the instance.
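Route selection is where the route table cards above (local route, longest prefix match, propagated routes, one table per subnet, the missing NAT route) come together. The following is an added example, not part of the original flashcards: a model of an AWS route table that applies longest-prefix match with the static-over-propagated tie-break and reports the default route target. The VPC CIDR and the gateway ids (`nat-0aaa`, `vgw-0bbb`, `pcx-0ccc`, `pcx-0ddd`) in the scenario are constructed placeholders, not real resources.

```python
import ipaddress


class RouteTable:
    """AWS-style route selection: longest prefix wins; for an identical prefix a static
    route beats a propagated one. The local route for the VPC CIDR cannot be replaced."""
    def __init__(self, vpc_cidr):
        self.routes = [(ipaddress.ip_network(vpc_cidr), "local", False)]

    def add(self, cidr, target, propagated=False):
        net = ipaddress.ip_network(cidr)
        if net == self.routes[0][0]:
            raise ValueError("the local route cannot be replaced or deleted")
        self.routes.append((net, target, propagated))
        return self

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, target, propagated in self.routes:
            if addr not in net:
                continue
            key = (net.prefixlen, not propagated)  # longer prefix first, then static over propagated
            if best is None or key > best[0]:
                best = (key, target)
        return best[1] if best else None

    def default_target(self):
        """Target of 0.0.0.0/0, or None: a private subnet with no NAT route has no internet path."""
        for net, target, _ in self.routes:
            if net.prefixlen == 0:
                return target
        return None


def demo():
    """Constructed private-subnet route table for VPC 10.0.0.0/16: NAT for the internet,
    a VGW-propagated on-prem route, a more specific peering route inside that range, and a
    static route that duplicates a propagated one (placeholder gateway ids)."""
    rt = (RouteTable("10.0.0.0/16")
          .add("0.0.0.0/0", "nat-0aaa")
          .add("172.16.0.0/12", "vgw-0bbb", propagated=True)
          .add("172.16.5.0/24", "pcx-0ccc")
          .add("192.168.1.0/24", "vgw-0bbb", propagated=True)
          .add("192.168.1.0/24", "pcx-0ddd"))
    return {
        "intra_vpc": rt.lookup("10.0.3.4"),            # local route
        "internet": rt.lookup("8.8.8.8"),              # only the default route matches
        "on_prem": rt.lookup("172.20.0.1"),            # propagated /12
        "more_specific": rt.lookup("172.16.5.9"),      # /24 beats /12 regardless of table order
        "static_over_propagated": rt.lookup("192.168.1.7"),
        "default": rt.default_target(),
        "no_nat_default": RouteTable("10.0.0.0/16").default_target(),
    }


if __name__ == "__main__":
    for name, target in demo().items():
        print(f"{name:24} -> {target}")
```

The `more_specific` case is the security-relevant one: any route with a longer prefix than an existing one silently takes that traffic, so a propagated or peering route that overlaps your ranges changes where packets go without touching the broader route you were looking at.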