AWS Networking

Question 1

What is the RFC for the private address space?

Answer 1

RFC 1918

Question 2

What is layer 1 of the OSI layer?

Answer 2

Physical, used for Ethernet, DSL, ISDN, WiFi.

Question 3

What is layer 2 of the OSI layer?

Answer 3

Data link layer, used for Ethernet frames. Switching layer with switches and hubs.

Question 4

What is layer 3 of the OSI layer?

Answer 4

Network layer, used for Ipv4, IPv6, ICMP, IPSec. Routing layer used with routers.

Question 5

What is layer 4 of the OSI layer?

Answer 5

Transport layer, TCP, UDP, Apple Talk., SPX.

Question 6

What is layer 5 of the OSI layer?

Answer 6

Sessions layer, establish and teardown

Question 7

What is layer 6 of the OSI model?

Answer 7

Presetation, translation, compression, excryption.

Question 8

What is layer 7 of the OSI model?

Answer 8

Application layer, HTTP, DNS, FTP

Question 9

Where in the OSI layer does TLS fit

Answer 9

TLS fits in the Presentation layer where the presentation layer is used for encryption and compression.

Question 10

How many hosts IP’s can I have with an AWS VPC /24?

Answer 10

251, you have 256 addresses in this space, 1 for the network, one for broadcast, 1 for the gateway, 1 DNS, 1 for reserve.

Question 11

What is the largest VPC I can have in AWS?

Answer 11

/16 (65536)

Question 12

Convert 192.168.0.15 to its bit form?

Answer 12

11000000.10101000.00000000.00001111

Question 13

What is the 172.16.0.0 private address space range?

Answer 13

is is a /12 address space ranging from 1172.16.0.0 - 172.31.255.255 and has 1M hosts

Question 14

What is the 10.0.0.0 private address space (range)?

Answer 14

Its is a /8 address apace ranging from 10.0.0.0 - 10.255.255.255 and has 16M hosts

Question 15

What is the 192.168.0.0 private address space(range)?

Answer 15

It is a /16 address space ranging from 192.168.0.0 - 192.168.255.255 and has 65K hosts.

Question 16

What is classless interdomain routing (CIDR)?

Answer 16

You can create a subnet mask to mask the network bits in use, this subdivides the network.

Question 17

If we have a CIDR of /8, how many host addresses can I have?

Answer 17

16M (16777214)

Question 18

What does a /8 CIDR look like in binary form?

Answer 18

11111111.00000000.00000000.0000000

Question 19

What does a /16 CIDR look like in binary?

Answer 19

11111111.11111111.00000000.000000000

Question 20

What does a /24 CIDR look like in binary?

Answer 20

11111111.11111111.11111111.00000000

Question 21

If we have a /24 network what is the max networks we can subnet from it?

Answer 21

7 subnets.

/24 = 1 network 254 hosts

/25 = 2 : 126 hosts

/26 = 4 : 62 hosts

/27 = 8 : 30 hosts

/28 = 16 : 14 hosts

/29= 32: 6 hosts

/30=64 : 2 hosts

Question 22

In a 10.x.x.x network how many bits are available for host or networking?

Answer 22

We can use 24bits for host and networking, we can say a 10 network is a /8 network.

Question 23

In a 172.x.x.x. network how many bits can be used for host or network?

Answer 23

22 bits can be sued for host or networking, we can say the 172 network is a /12 network.

Question 24

With a CIDR, when we add bits what are we doing?

Answer 24

We are increasing the number of bits in the CIDR blocks and subnetting the network.

Question 25

In the following CIDR how may subnet bits is there 192.168.0.0/24? also how many subnets are there?

Answer 25

Zero (0) subnet bits and 1 subnet

This network is a 192.168.0.0/24 network, this means it has only 8bits to play with for both networking and hosts.

The number of subnets is 2 to the power of n where n, in this case, is 0, gives is 1.

Question 27

What is the DHCP server port?

Answer 27

67

Question 28

What is the DHCP client port?

Answer 28

68

Question 29

Is UDP a TCP or UDP protocol?

Answer 29

UDP protocol as it sends a UDP broadcast on 255.255.255

Question 30

Is UDP unicast or broadcast?

Answer 30

Broadcast

Question 31

What is the typical DHCP exchange sequence to get an IP address from the server?

Answer 31

DHCPDiscover

DHCPOffer

DHCPRequest

DHCPAck

Question 32

What ports are used for DNS?

Answer 32

Port 53

Question 33

Are message sent over UDP, TCP or both for DNS?

Answer 33

Both

Question 34

A URL is mead up of 4 parts can you name them?

Answer 34

protocal

subdomain

domain

TLD (Top level domain)

Question 36

What is a Zone?

Answer 36

It is a domain for which the DNS server will answer for.

Question 37

In DNS was is a Private zone?

Answer 37

A zone for which the server is authoritive, this means the DNS servers has the final say.

Question 38

In DNS what is a secondary zone?

Answer 38

A secondary zone is the DNS server will respond but does not have the final say. The secondary zone must check in with the Primary Zone DNS server.

Question 40

In DNS when would you use a secondary zone?

Answer 40

You would use a secondary zone when you want to have redundancy for the primary server so when the primary server goes down the secondary zone DNS server responds.

Question 41

In DNS what is a root server used for?

Answer 41

Root server points to the TLD servers.

Question 42

In DNS what is the TLD servers?

Answer 42

TLD’s points to the Name servers.

Question 43

In DNS what is the Name servers used for?

Answer 43

Name servers point to the host’s when we say hosts,.

Question 44

In DNS what are the ‘A’ records used for?

Answer 44

An ‘A’ record is part of a zone and points to the IP of a host.

Question 45

In DNS what is a CNAME record used for?

Answer 45

A CNAME record is part of a zone and points to an ‘A’ record, with this record we could map bar.google.com to foo.google.com.

Question 46

From your laptop, how is a URL resolved?

Answer 46

Laptop reaches out to it local DSN server, the local DNS server checks the cache and does not find a record it looks up the root hints file and reaches out to the root servers, the root server responds with IP of the TLD, DNS server reaches out to TLD and TLD responds with the IP of the name server, the DNS reaches out to name server and the name server responds with the IP of the host, the DNS server responds to your laptop with the IP of the host you need to contact.

Question 47

In DNS wait is an ‘AAAA’’ record?

Answer 47

An ‘AAA’ record is the same as an ‘A’ record but for IPv6. It points to an host IP.

Question 48

What is an MX record in DNS?

Answer 48

It is a mail exchange record.

Question 49

In DNS what is a TXT record?

Answer 49

“Text records” are typically used for miscellaneous services that require information to be public in your DNS in order to prove ownership of a domain.

Question 50

In DNS what is a PTR record?

Answer 50

A PTR record is a reverse lookup the record and maps an IP back to a server, only one PRT record per server.

Question 51

In DNS what is an SOA record?

Answer 51

The SOA is a “Start of authority”, indicating which record is responsible for the DNS zone.

Question 52

In DSN, a records TTL valis is what?

Answer 52

It is the time the server waits before it will check for updates for the record.

Question 53

Can i delete a default security group?

Answer 53

No, this will not be allowed.

Question 54

With a security group can I deny IP addressed?

Answer 54

Security group by default deny all traffic inbound and you open ports. You can not explicitly say deny traffic from this address or port. But you can allow inbound traffic from an IP, Port or protocol.

Question 55

By default, will a security group allow or deny all traffic inbound?

Answer 55

Denys all traffic

Question 56

Can you create a security group rule that denies traffic?

Answer 56

No, rules are always permissive for both inbound and outbound.

Question 57

Are security groups stateful?

Answer 57

Yes if you rend a request to an instance, the response will be allowed to exit regardless of outbound rules.

Question 58

By default is all outbound (initiated by the server) allowed for a security group?

Answer 58

Yes, there is an outbound rule that allowed all outbound traffic.

Question 59

Can I create a security group rule to block port 80?

Answer 59

No, security groups are by default deny all traffic will allow rules, no deny rules are available.

Question 60

I want to block an incoming IP address, what is my best option in the VPC?

Answer 60

Use a NACL as you can not deny traffic on a security group.

Question 61

I have an on-prem application using multicast, I want to move to AWS, what should I be aware of?

Answer 61

Multi-cast is not supported in a VPC, you will need to create an overlay network.

Question 62

I need a public IP, what is the name AWS used for this public IP?

Answer 62

Elastic IP

Question 63

What is a public subnet?

Answer 63

It is a subnet that has an internet gateway and connects with the internet and internet traffic can enter and leave it.

Question 64

Can I have more than a single ACL on a VPC?

Answer 64

Yes

Question 65

When you create a VPC do you get a default ACL?

Answer 65

Yes

Question 66

Is the ACL filtering traffic on a VPC or on a subnet?

Answer 66

ACL filters traffic on a subnet and is assocated with a VPC.

Question 67

When you create an ACL, by default is assocated with all subnets in the VPC?

Answer 67

No, by default is not associated with any subnets, you have to associate with subnet to have the filter applied.

Question 68

When you areas a VPC, do you get an ACL by default?

Answer 68

Yes you bet a default ACL, but it is associated with no subnets

Question 69

Are ACL stateless or stateful?

Answer 69

Stateless, they do not know about connections, so if you allow traffic in, you have to allow traffic out. In a way, ACL is better used to deny traffic in or out.

Question 70

Can I associate an ACL with multiple subnets?

Answer 70

Yes

Question 71

Can subnets be associated with multiple ACL?

Answer 71

No

Question 72

By default do ACLs allow traffic in/out?

Answer 72

Yes

Question 73

In what order is rooting table, ACL and security group applied in the flow of traffic?

Answer 73

Route table

ACL

Subnet

security group

Instance

Question 74

I want to capture all source IP’s coming into an interface on an EC2 instance, is this possible and how?

Answer 74

Yes, you use VPC flow logs?

Question 75

I want to capture all source IP’s coming into VPC, is this possible and how?

Answer 75

Yes, Use VPC Flow logs.

Question 76

I want to capture all source IP’s coming into a subnet, is this possible and how?

Answer 76

Yes, use VPC flow logs, each interface in the VPC will have its own flow logs.

Question 77

For flow logs what are the 3 different scopes I can enable for?

Answer 77

VPC - All ENI’s in the VPC

Subnet - All ENI’s in the subnet

ENI for the instance.

Question 78

What outputs are available for flow logs?

Answer 78

S3

Cloudwatch

Question 79

I have an application on EC2 instances and I want to be notified if an IP address connects form another country, what options do I have?

Answer 79

You can use flow logs and connect with cloud watch and set a cloud watch alarm.

Question 80

I need to enable my instances to access the internet but I do not want the instances to have a public facing the internet, what is my best option?

Answer 80

Use a nat gateway for IPV4 and Egress only GW for ip[v6

Question 81

For a NAT GW do you need an EIP?

Answer 81

Yes, the EIP will be the public facing IP behind it will be the instances.

Question 82

What are you charged for with a NAT GW?

Answer 82

Hours running and per GB processed.

Question 83

I need a NAT GW to span multiple Availability Zones?

Answer 83

A single NAT will not work across Availability zones as it is tied to a single AZ when you select a subnet when you create the nAT, you will have to use two NAT GWs, one in each of the subnets you want to use.

Question 84

I have just created a NAT and my instances can get internet access, what do you think is wrong?

Answer 84

You have not pointed the traffic to the nat from the instance, this will require editing of the ROUTE tables.

Question 85

I need to secure my NAT GW with a Security group, how can I implement this?

Answer 85

You cna not as NAT does not use security groups, you can use ACL to block in or out trafic.,

Question 86

I have a number of instances that I do not what to be public facing, but I will have large amounts of information that I need to access in the internet, about 180GB, how can I architect these instances and what services do I need to enable internet access?

Answer 86

A single NAT GW can handle 5GB of traffic and scale up to 45GB, to get 180GB I will have to create 4 subnets and split the instances between the subnets with each subnet having a single NAT capable of 45GB.

Question 87

Can I have multiple EIPs on a NAT instance?

Answer 87

No, only a single EIP

Question 88

What is the Max number of connections a NATGW can sustain?

Answer 88

55K

Question 89

I have a Site to Site VPN, can I route traffic to my NAT GW over the VPN?

Answer 89

No, traffic over Site to Site VPN, DirectConetc, VPC Peering can not route to NAT GW.

Question 90

I have an application that used DynamoDB and S3 storage, what is my best option for connecting application running on EC2 to this service?

Answer 90

making calls that exit from AWS will have charges, creating an endpoint will l allow you to keep traffic in AWS.

Question 91

As we view networking in relation to AWS, what networks are at play?

Answer 91

• Your regional network (VPC)
• Your on-prem
• Internet
• AWS Public zone

Question 92

IN a VPC how may primary CIDR ranges can I have and how many secondary ranges can I have?

Answer 92

You can have 1 primary and 4 secondary

Question 93

What is the smallest and largest CIDER ranges for a VPC?

Answer 93

16 and 28

Question 94

I have a network (VP{C) that is using a DNS server, this is configured with option sets, I need to add a new server and delete the old one, what must I do.

Answer 94

You can edit an option set, you must create a new one.

Question 95

What are the reserved IPs in a subnet?

Answer 95

• 0 = Network
• 1 VPC Router
• 2= DNS
• 3 reserved
• 255 broadcast

Question 96

I have a VPC in us-west-1 and a CPC in eu-west-1 and I want to connect together, how is this possible?

Answer 96

Use VPC peering as it can be within the same region or in separate regions.

Question 97

What is network + 1 address used for?

Answer 97

It is the subnet router address.

Question 98

What is the network +2 address?

Answer 98

DNS

Question 99

When you create a subnet you get a route table with a default local route, can you modify this route?

Answer 99

No.

Question 100

What is the order routes are processed in the routeing table?

Answer 100

The highest subnet /x wins out, like /22 is processed before /16

Question 101

When I turn on route propagation, what happens to the routeing table?

Answer 101

Routes are learned from the VPGW are auto-populated into the routing table.

Question 102

Can I add a second route table to a subnet?

Answer 102

No, Only one route table per subnet.

Question 103

Can a VPC have more than a single RouteTable?

Answer 103

Yes as VPC can have multiple route tables but subnets can only have a single route table.

Question 104

I have just created an ACL and want to associate it with an instance, is this possible??

Answer 104

No, you can only be created in a VPC and associated with a subnet

Question 105

I have just created an NACL, what can I associate it with, a subnet, instance or VPC?

Answer 105

The NACL will be part of the VPC but you can associate it with one or more subnets, .

Question 106

I am deploying a new application to AWS in a VPC, the application only used port 80 and the ephemeral ports for TCP, what should I do from a network security perspective?

Answer 106

You should reduce footprint, this means locking down all UDP ports as they are not used.

Question 107

I want to explicitly deny all traffic on the inbound, should I use NACL or Subnets?

Answer 107

NACLS as you can explicitly deny traffic, security groups only allow you to allow traffic as they have an inplit deny.

Question 108

How are rules for NACLS processed?

Answer 108

from the lowest number of the highest number.

Question 109

I have a NACL 100# with a DENY rule and a NACL rule #200 with an allow, what will happen to the traffic will it be allowed or denied?

Answer 109

DENY as the DENY rule is the first rule with the lowest number.

Question 110

I have a subnet with two instances and an NACL associated with the subnet the two instances are in, this NACL has DENY all traffic in and out, will it stop the instances talking with each other?

Answer 110

No, as the NACL is on the outside of the subnets and only stops traffic passing it boundary, an example would be traffic from another subnet or traffic from internet or VPN, DirectConnetc.

Question 111

I have two subnets and each subnet has an NACL, I have an instance in both subnets, will one or both NACLs effect the traffic between both instances when talking to each other?

Answer 111

As traffic leaves a subnet it its the firt NACL and as it eenters the second subnet it hist the second NACL.

Question 112

Can I reference a URL with a NACL?

Answer 112

No only Cider blocks

Question 113

Can I reference a resource with a NACL?

Answer 113

No only a CIDR block

Question 114

Where are NACLS applied in the network stack in AWS?

Answer 114

They are applied at the subnet boundry.

Question 115

Where are security groups applied in the AWS network stack?

Answer 115

They are applied at the instance virtual nic interface.

Question 116

If I have a network security group with no rules in it and it is associated with each network interface of each instance, can these instances talk with each other?

Answer 116

No, the traffic will be blocked.

Question 117

Is a security group associated with all instance interfaces or just one?

Answer 117

If the security group is associated with the products then it is again all interfaces, but you can assign to a single interface.

Question 118

Are NACLS stateful?

Answer 118

No

Question 119

Are Security Groups stateful?

Answer 119

Yes.

Question 120

I have a security group and I want to explicitly deny traffic, how can I do this?

Answer 120

You can not explicitly deny traffic with a security group, you can use an NACL to explicitly deny traffic.

Question 121

Is all traffic DENY by default with NACLs

Answer 121

No, they are by default allowed.

Question 122

Is traffic denied by default with a security group?

Answer 122

Yes

Question 123

Is there ordered processing of rules in a security group?

Answer 123

No, they are all evaluated at the same time.

Question 124

With security groups can I reference other resources like security groups?

Answer 124

Yes

Question 125

If I want to allow traffic from an instance in a security group, what do I have to do?

Answer 125

Create an inbound rule that allows all traffic and reference itself.

Question 126

Are NATGW, highly available?

Answer 126

No, if you lose an AZ, then the NATGW is gone.

Question 127

I want to configure a NATGW to allow my bastion host to be connected from my remote home location, what configuration do I need to do?

Answer 127

A NATGW does not allow you to connect form our side.

Question 128

I have my NATGW configured, I want to use filtering of incoming IP’s, can I do this?

Answer 128

No, there is no functional available on the eNATGW.

Question 129

I am concerned that the load on my NATGW will cause issues, should I be concerned?

Answer 129

Not up to 5BDS, the NATGW scales up to 5gb, NATGW scales automatically.

Question 130

I have just created a NATGW, do I need to do anything else in my subnets to get instances to use traffic?

Answer 130

Yes, you need to modify the route table and add a default route to point to the NATGW.

Question 131

I have an instance with IPV6 and I want to use NAYGW to enable it to connect to the internet, how can I configure this?

Answer 131

You cna not, NATGW only work with IPv4, IPV6 will require an EGRESS only GW.

Question 132

I have my laptop on the internet and I ping the public DNS of an instance, what IP will I get back, public or private? also, how can I get the instances private IP?

Answer 132

Private. you can use the private DNS.

Question 133

When I use VPC flow logs, am i getting the packet data or something else?

Answer 133

You are getting the metadata and not the packets data.

Question 134

What is the data in the flow log metadata?

Answer 134

It is like src and dest port and address, account-id, interface-id, packets, start and end

Question 135

What is not logged by the VPC flow logs?

Answer 135

DHCP

AWS DNS

Metadata

Licence Activation Requests

Question 136

What are the three level/scopes I cna place the VPC flow logs?

Answer 136

In all cases below the loges are created on the instance ENI, thye cust defines the scope.

VPC

Subnet

Instance

I

Question 137

I want to quickly and easily collect a large number of flow logs and analyze hem in an offline way, the data is stored in s3, what cna I do?

Answer 137

You can use AWS Atena to query the data in S3.

Question 138

What do VPC endpoints do?

Answer 138

They enable access to AWS services from your VPC with traffic exiting to the internet, traffic moves directly from your VPC to the AWS service.

Question 139

I have several instances in a subnet in a VPC, this subnet has not internet gateway (no internet access), I require access to S3, DynamoDB and SQS, do I need to create an internet gateway or is there other options?

Answer 139

I can use VPC endpoints, the endpoint enables traffic to be directed to the AWS service (S3, DynamoDB) with our needing to go to the internet, traffic stays within AWS network infrastructure.

Question 140

For VPC endpoints what services are supported?

Answer 140

Amazon API Gateway

AWS CloudFormation

AWS CloudTrail

Amazon CloudWatch

Amazon CloudWatch Events

Amazon CloudWatch Logs

AWS CodeBuild

AWS CodeCommit

AWS CodePipeline

AWS Config

Amazon EC2 API

Elastic Load Balancing API

Amazon Elastic Container Registry

Amazon Elastic Container Service

AWS Key Management Service

Amazon Kinesis Data Streams

Amazon SageMaker and Amazon SageMaker Runtime

Amazon SageMaker Notebook Instance

AWS Secrets Manager

AWS Security Token Service

AWS Service Catalog

Amazon SNS

Amazon SQS

AWS Systems Manager

AWS Transfer for SFTP

Endpoint services hosted by other AWS accounts

Supported AWS Marketplace partner services

Question 141

I have a private subnet with an instance in it and I what to get access to SNS, I do not have a NAT instance or a NATGW or any king, how can I get access to the SNS?

Answer 141

Yes Endpoint, set up an endpoint in the VPC and configure the routeing table to point at it for the SNS service.

Question 142

I have an instance in a private subnet, I also have an endpoint set up for S3, I want to ensure that only traffic from this VPC can access the bucket, how can I do this.

Answer 142

Set up a bucket policy so that it restricts access based on the aws:sourceVpc

Question 143

What is the difference between GW and Interface Endpoints?

Answer 143

Depending on the service users you will get a GW or INterface endpoint, for S3 you get a GW and for SQS you get an interface. The big difference is GW is highly available and at the VPC level.

Question 144

I have an Interface Endpoint, how can I secure it?

Answer 144

Because it is an interface in a subnet you can use a security group to secure the endpoint.

Question 145

I am creating an endpoint to use with SNS, this will be an interface endpoint. I need to ensure it is fault tolerant, what options do I have.

Answer 145

You can select to have endpoints created in each subnet in each AZ, you will get a DNS name for each endpoint.

Question 146

What are the two services that use GW Endpoints?

Answer 146

S3 and Dynamo DB.

Question 147

What is a VPC Peer?

Answer 147

A VPC peer enables you to connect VPC that are in the same region or in a remote region.

Question 148

Do I need to establish two VPC peers for HA and fault tolerance?

Answer 148

N, you only need a single VPC peer, VPC’s are fault tolerant.

Question 149

I have two VPCs, one in each separate account, I want to VPC peer across accounts, can I do this?

Answer 149

Yes, you can VPC peer across VPC’s in separate accounts.

Question 150

I have two VPCs, I have just created a peering connection between both, but I can not ping t from one instance in VPC 01 to instance in VPC 02, what could be wrong.

Answer 150

It could be the security groups, but it is probaly that we did not add a route in the VPC subnets routing tables.

Question 151

I am using VPC peering between two VPC in separate accounts, I want to reference, the security group in the other account so I can enable traffic, is this possible?

Answer 151

Yes, you use the security group as a reference instead of CIDR.

Question 152

For |VPC peering, where the vPC’s are in separate regions, can use used the security group id as a reference?

Answer 152

No t5his is not supported.

Question 153

I have three VPC,s VPC 1 and VPV 2 peer, VPC 2 and VPC 3 also peer, can I ping from an instance in VPC 1 to VPC 3?

Answer 153

No, VPC peering is transitive.

Question 154

I am using VPC peering when I ping an instance using its public IP, in another VPC over the peering, I am getting the public IP, this is normal expected behaviour, what can I do so the private IP is returned?

Answer 154

There are setting in the VPC peering that enables you to have the private ip returned.

Question 155

For VPC peering is ipv6 supported?

Answer 155

Yes but not by default, also IPv6 is not supported across regions.

Question 156

I have two VPCs using VPC peering, cna I use direct connect or VPN to transverse VPCs?

Answer 156

No, you can not, it is not supported.

Question 157

I am using VPC peering, I have a requirement that all data is encrypted in transit, is peering data in transit encrypted?

Answer 157

Yes.

Question 158

I wnat to set up a second VPN with my VPC, can I just add a second APG to my VPC and establish a connection to a second customer GW?

Answer 158

You cna only have one VPG on a VPC, so this would not work. You could use CloudHUB for this. But an important point is only one VPG.

Question 159

Can I create a second VPG on my VPC?

Answer 159

No, only one VPG per VPC, you could use CloudHub.

Question 160

By default do rote tables route to all subnets in the VPC, if do what is the entry in the root table?

Answer 160

Yes, the root table has an entry that roots traffic to any subnet in the VPC, you cna not remove this.

Question 161

I wnat to block traffic going from one subnet to another, can I just remove the default toot to stop the traffic?

Answer 161

No, the default root cannot be removed. Each root table in the VPC gets a default root and this enables the traffic to be rooted to other subnets in the VPC.

Question 162

What are the types of network zones I should be concerned with when thinking about networking in general?

Answer 162

• > AWS private zone -> VPC networking, private and public subnets
• > AWS Public zone
• > Internet -> Public routed traffic
• > On-Prem

Question 163

How many CIDR ranges can I give a VPC?

Answer 163

You can assign one primary and 4 secondaries.

Question 164

What is the largest and smallest CIDR ranges for a VPC?

Answer 164

/16 and /28

Question 165

I need to have my VPC use a DNS server in the VPC, how can I configure this?

Answer 165

You need to create a new VPC Option Set and set the DNS server

Question 166

How many VPC option sets can I add to a VPC?

Answer 166

1

Question 167

I have to set up a new DNS server and edit the VPC OPtion set, how cna I do this?

Answer 167

You can not edit an option set, you have to create a new one.

Question 168

What are the reserved addresses in a Subnet in a VPC?

Answer 168

5 Addresses

10. 0.0.0 Network address
11. 0.0.,1 GW
12. 0.0.2 DNS
13. 0.0.3 Reserved
14. 0.0.255 Broadcast

Question 169

What is a VPC Peer?

Answer 169

It allows you to connect a VPC to another VPC in the same or even a different account?

Question 170

With VPC peering can you transverse a VPC when peered?

Answer 170

No

Question 171

What is the difference between a VPN GW and an Internet GW?

Answer 171

The internet GW is the exit point to the internet and the VPN GW is the exit point to the network associated with the VPN. Also the VPN GW is used to access the network associated with the DirectConect.

Question 172

What is a VPC endpoint?

Answer 172

It enables you to connect directly to the AWS Public Zone services such as S3, DynamoDB and CWLOgs

Question 173

What is an egress only GW?

Answer 173

It enables traffic to only flow to the internet, meaning you would not be able to connect from the internet to the any resources behind the egress GW.

Question 174

What are the network elements I can use in AWS?

Answer 174

Transit GW

VPN GW - VPN

VPN GW - DirectConentc

Intenet GW

Peering

Subnets

egress only GW

NAT Instance

NAT GW

VPC Option Sets

ACL’s

NSG’s

Question 175

When using the routeing table, what is the order of the routes?

Answer 175

the higher the / the higher the priority. For example, a /16 vs ./8 the /16 is first chose if it matches.

Question 176

When I set up an IG, VPN GW or egress GW, NAT instance and I wnat traffic to flow to it, what do I need to set up?

Answer 176

A route in the routeing table associated with the subnet and VPC.

Question 178

Do I need a route in the routing table for a peering connection?

Answer 178

Yes 100%.

Question 179

Where are ACL applied in the VPC?

Answer 179

Around the outside of the subnet. ACLs are associated with a subnet. They block traffic entering and leaving the subnet.

Question 180

Are ACL stateful or stateless?

Answer 180

Stateless meaning you have to allow traffic in and out.

Question 181

Can I block traffic with an ACL?

Answer 181

yes you can block on incoming and outgoing, but you will only have the SRC, no DST.

Question 182

How many ACL can you associate to a subnet?

Answer 182

One

Question 183

If you block on an ACL, will you block traffic between subnets?

Answer 183

Yes are the ACL is applied on the outside of it associated subnet all traffic is blocked from/to other subnets.

Question 184

How are ALS evaluated?

Answer 184

Lowest to highest number?

Question 185

Can I explicitly deny traffic with an ACL?

Answer 185

Yes 100%, you can deny.

Question 186

If I know bad traffic is coming from an extern IP, how cna I block it, just using basic VPC constructs?

Answer 186

You can block it incoming using an ACL with a deny rule, as this rule would be on a source?

Question 187

As I can block incoming traffic form a source if I have the source URL as part of a blacklist can I apply an ACL deny rule?

Answer 187

No, as the ACL source is IP only and even resolved URL IP may change.

Question 188

Can I associate an ACL with multiple subnets?

Answer 188

Yes, but a subnet can only have one ACL.

Question 189

I have two VM’s in a single subnet can I use an ACL to block all traffic, will the VM’s be able to talk to each other?

Answer 189

Yes, as the ACL is applied on the outside boundary of a Subnet.

Question 190

If I have two subnets (A and B and each has an instance VMA and VMB, and each subnet has an ACL when the two instances connect how may ACL be the traffic passing through?

Answer 190

Tow as it will pass through both ACL.

Question 191

I am using ACL can I reference another ACL or security group as the SRC?

Answer 191

No, ACL SRC only accepts a CIDR like 10.0.0.0/32

Question 192

I have a VPC and a subnet, I also have a peered VPC, my subnet has an ACL, how could I block all traffic coming from the peer?

Answer 192

Using the ACL you can deny traffic coming form the SRC CIDR like 10.0.20.0/24 if the peered VPS was using this CIDR.

Question 193

Are security groups stateless?

Answer 193

No, they stateful meaning if you initiate a connection they will remember and allow outgoing traffic.

Question 194

Where are security groups applied?

Answer 194

They are applied at the ENI.

Question 195

I have two instances in the same subnet and I am blocking all traffic, will the instance be able to talk to each other?

Answer 195

No, as SG are applied at the ENI all traffic will be blocked even in the subnet.

Question 196

Can I block traffic from an IP with security groups?

Answer 196

No there is no way to block an IP.

Question 197

Are security groups applied to the instance?

Answer 197

No, they are applied to the ENI.

Question 198

How do SG’s work when filtering traffic?

Answer 198

An SG is normally blocking traffic and you add allow rules.

Question 199

If I need to allow traffic to my instance from another security group, how cna I do this with a security group with no current rules?

Answer 199

You would create an allow rule and reference the other security group as the source. Security groups allow you to use another security group as an SRC reference.

Question 200

I have two instances in the same subnet in the same security group, I can not ssh from one instance to another, how cna I fix this?

Answer 200

The security group is blocking the traffic between both instances, you will have to create an allow all traffic rule and set the SRC to reference itself as in the security groups own name.

Question 201

What are public and private subnet?

Answer 201

A private subnet has no IG and a public subnet has an IG.

Question 202

I have a VPC with 4 subnets, two subnets are public subnets to the internet and two subnets are private. I have instances in the private subnets, 1 instance in each. I wnat these instance to download updates, how cna I achieve this?

Answer 202

You will have to add a NAT GW, in this case as there are two separate private subnets you would be better to add two separate NAT instance in the two private subnets.

Question 203

When I am using a NAT GW do I need an elastic IP allocated and assigned?

Answer 203

Yes.

Question 204

Are NAT GW highly available, explain?

Answer 204

A NAT GW is tied to an AZ, it the AZ fails then your NAT is gone, you need to have a NAT perr AZ, this way if the AZ fails then other AZ have there own NAT.

Question 205

Do NAT GW scale automatically?

Answer 205

Yes, they scale with load.

Question 206

If I have a private and public subnet using IPv6 and I wnat the instance in the private subnet to access the internet to download files can I use the NAT GW?

Answer 206

No, the NAT GW is for IPv4 only, you have to use egress GW for IPv6, egress GW is not doing a Port Nat, it is just doing the same thing as an IG but will only allow outgoing traffic. All incoming traffic is blocked.

Question 207

When using a VPC, at what address is the DNS server?

Answer 207

The DNS server is always located at the +2 address (10.0.0.2) and is only available internal to the VPC, it is connected with the R53 resolver.

Question 208

What DNS names does an instance get?

Answer 208

They get a public DNS that is resolved to a public IP if resolved outside the VPC, if resolved inside the VPC you get a private IP. And also a private DNS that is resolved to the private (10.0.0.50) IP.

Question 209

I need to enable R53 so it can be accessed over the corporate network, how can I do this?

Answer 209

You have to have a VPC and a subnet, the VPC has to be connected to the corporate network over VPN/Direct Connect. You use the R53 resolver to create an inbound endpoint. This endpoint is an ENI type interface created in tNexthe VPC subnet and can be accessed from the corporate network.

Question 210

Is the R53 resolver inbound endpoint highly available or is is just in on AZ?

Answer 210

When you create an inbound endpoint in R53 you have to define two AZ and subnets, two endpoints are created.

Question 211

What is an R53 Resolved inbound endpoint used for?

Answer 211

It is used to create a DNS endpoint that can resolve DNS queries for R53 that can be accessed from the external corporate network.

Question 212

What is the R53 outbound endpoint used for?

Answer 212

This is used when we set up forwarding rules in R53 to forward DNS queries.

Question 213

What is an R53 resolved rule used for?

Answer 213

The R53 rules are used as part of the R53 Resolver outbound endpoint to set up forwarding rules.

Question 214

What is the R53 Resolver used for?

Answer 214

It is used to when inbound endpoints are placed in the VPC subnet to allow an external corporate network to resolve a DNS query. Alos outbound endpoints can be sued with forwarding rules to forward DNS queries to an external DNS server.

Question 215

I need to identify traffic coming from a source of how can I do this?

Answer 215

You can use VPC flow logs to capture the incoming VPC traffic metadata and have it stored to S3.

Question 216

I want to capture VPC traffic data (not metadata), how can I do this with VPC Flow logs?

Answer 216

You can not with flow logs, Flow logs only allow you to capture the traffic metadata as in SRC IP, DST IP, etc.

Question 217

What traffic is not captured in FlowLogs?

Answer 217

DHCP

AWS DNS

Metadata

Licence Activation

Question 218

What op[tion do mI have with VPC flow logs to reduce the scope of the traffic I am monitoring?

Answer 218

You can select to have traffic captured at, VPC, Subnet or ENI level.

Question 219

What output is available for VPC Flow Logs?

Answer 219

You can capture VPC Flow Logs to CWLogs or S3.

Question 220

I want to analyze VPC traffic form all my accounts to search for know hackers IP’s, how can I do this?

Answer 220

You can set up all the VPC’s so you log thereFlow log traffic to S3 and use S3 Atenato search for know hackers IP’s

Question 221

I what to get access to AWS public services but for security reasons, I do not what to have the traffic flow over the internet, what options do I have?

Answer 221

Some of the AWS services can be accessed vis endpoints, and endpoint can be either an Interface EP and is placed in you VPC subnet or it can be an EP GW is attached to the VPC router.

Question 222

What are the two types of VPC endpoints?

Answer 222

Interface endpoints are placed in the VPPC subnet

EP GW is attached to the VPC router and effected by route tables.

Question 223

What services are EP GW used for?

Answer 223

S3, DynamoDB.

Question 224

When I use VPC interface endpoint what service am I connected with?

Answer 224

SQL, etc. Not s3 or dynamo DB as they use EP GW.

Question 225

When I am using VPC interface endpoints for SQS, how can I ensure my app is always going to have access to an available endpoint even if an EP fails?

Answer 225

Use the highly available DNS name to refer to the SQL, this DNS name is updated with all the available EPs, if one goes offline then it is taken out of the list.

Question 226

My application is using the sqs.us-eadt-1.amazonaws.com URL to access SQL, I have now deployed an interface endpoint into the VPC and I want to do not what to change the app but I do what this URL to resolve to my endpoint, how can I do it?

Answer 226

There is a feature in the VPC that when switched on will resolve the public SQS URL to the deployed endpoint.

Question 227

Do gateway endpoints use route tables to route traffic to the service?

Answer 227

Yes, they use the prefix lists.

Question 228

I have a VPC in APAC and EU and I need to connect both together, what are my option?

Answer 228

You can use VPC peering but you have to ensure there is no overlapping IP’s.

Question 229

When creating a VPC do you have to accept a peering connection?

Answer 229

Yes, this is when another account requests you have to accept.

Question 230

After creating a peering connection what do I have to do to get traffic to flow?

Answer 230

Set up routes in the routing tables.

Question 231

When using VPC peering, is traffic transitive?

Answer 231

No

Question 232

If I have 3 VPC (VPC-A, VPC-B, VPC-C), how can I connect them all together?

Answer 232

You will need a mesh,

VPC-A -> VPC-B

VPC-A -> VPC-C

VPC-B -> VPC-C

Question 233

IVPC Peering: if I have two VPC’s and two subnets and two instances, on in each subnet, if I use the public DNS of the instance t, what will it resolve to?

Answer 233

It will resolve to the public IP and this IP would require traffic to go out over the internet, you have the option to select so this public DNS of the instance will resolve to the privet IP of the instance.

Question 234

I am using direct connect to connect from an instance on my corporate network to an instance in a VPC that is peered through another VPC, will this work and why?

Answer 234

No, a transitive peered connection does not work and also you can no route peered connection through direct connect.

Question 235

When using VPC peering is the traffic over the backbone between two inter-region VPC’s encrypted?

Answer 235

Yes, traffic is encrypted and secure.

Question 236

What is an Endpoint GW?

Answer 236

EP GW is located in the VPC and connected to the VPC router, you have to add a rote to the routeing table. The connect to two services, DynamoDB and S3. They are highly available and redundant.

Question 237

What is an EndPoint Interface?

Answer 237

These are like ENI and are placed inside the subnet, they are subject to security groups and ACL’s, they are subject to failure from an AZ failure and you would need to have one in more than a single AZ. They have several DNS names, one that is tied to the AZ, and a group that is managed by AWS, where AWS will add or remove failed EP interfaces.

Question 238

What is an AWS public zone?

Answer 238

It is a network region belong to AWS where AWS makes there internal services available, services in this zone are accessible over the internet, through Direct Connect and also using endpoint interface and endpoint gW.

Question 239

When using VPC endpoint GW, what is a prefix-list?

Answer 239

It is a list of routes maintained by AWS for the services such as S3 in the region. it looks like pl-xxxxx the pl is the prefix list.

Question 240

What are the logical components of a VPN?

Answer 240

Customer GE

Virtual Private GW

Site to site VPN conenctions

Question 241

Do VPN support IPv6?

Answer 241

No only IPv4 is supported.

Question 242

For AWS VPN, what is the important info for a customer GW?

Answer 242

The customer endpoint IP, this is a public-facing and accessible IP and is connected with a VPN router or software appliance. Alos Static or Dynamic IP.

Question 243

What is the AWS VPN Virtual Private GW?

Answer 243

It is the AWS side of the connection and is a logical GW connected to the VPC much like the internet gateway but in this case, it connects to the VPN. You have to attach it to a VPC and you also have to set up routes in the route tables to have the traffic flow over it.

Question 244

When using the AWS VPN, what si the Site-to-Site VPN connection?

Answer 244

It hokes the customer GW and the site-to-site GW.

Question 245

When using AWS VPN’s, how can I improve VPN high availability?

Answer 245

For the VPN connection, you can use two tunnels, this gives you two sperate tunnels. You can also add a second customer GW and two more tunnels to improve high availability.

Question 246

For AWS VPN, when using a high availability setup, can I use static routing?

Answer 246

No, you have to be using dynamic routing.

Question 247

When using AWS VPN, what is diffe-Helman used for?

Answer 247

It is the security function used to share key information between two parties in a VPN session.

Question 248

When using AWS VPN, what is the encryption?

Answer 248

It is probably going to be AWS-256 but others are available.

Question 249

When using AWS VPN, what is the hashing algorithm used for?

Answer 249

It is used to validate packets and ensure they were not tampered with.

Question 250

How are routes evaluated in the routing table?

Answer 250

They are evaluated as largets first ./32.

Question 251

Do static route in a routing table take preference over dynamic routes?

Answer 251

Yes.

Question 252

In routing table is direct connect preferred over VPN?

Answer 252

Yes.

Question 253

What is the physical requirement for direct connect?

Answer 253

Single-mode fibre.

Router with BGP and MDB

8021Q (VLAN)

Question 254

What is a DX location?

Answer 254

This is a physical location where you place you router with it single-mode fibre to connect to AWS.

Question 255

Why would you use AWS DirectConnect?

Answer 255

Lower latency as traffic does not go over the internet, SLA and reliable packet delivery.

Question 256

What are the key components indirect connect?

Answer 256

DX Location is where the DirectConnect terminates and you do the cross-connect over single-mode fibre.

You have a switch capable of SMF, BGP and 8021Q (VLAN) BGP-MD5 auth.

you cross-connect you switch to AWS, to do this you need a LOCFA (letter of authorization).

Question 257

What speeds have you available for DirectConnect?

Answer 257

1 or 10GB

Question 258

When using DirectConnect are you billed for data out the same as data out to the internet?

Answer 258

No, you are billed at a lower cost.

Question 259

I need to get a reliable, low latency connection to transfer a large amount of data, this needs to happen this week, is directly connect a good option and why is it a good option?

Answer 259

Direct connect is not an option, it takes several weeks to order and configure a direct connect.

Question 260

I am a SAAS provider a and my clients are already on AWS, I wnat to share my service through my VPC, how cna I do this?

Answer 260

One could use VPC peering, but this is not correct as you have many customers an IP overlap is an issue. You will wnat to share your service through Privatelink so your customers will be able to create an endpoint in there VPC and access your service.