AWS Networking Facts Flashcards

Question 1

Q

Can a ENI be moved across AZs?

Answer

A

No. ENIs are specific to subnets since they get an IP address in the subnet’s CIDR range.

You can move a network interface from one instance to another, if the instances are in the same Availability Zone and VPC but in different subnets. e.g. Multihoming.

Question 2

Q

Can ENIs be detached from an instance?

Answer

A

You can detach secondary network interfaces when the instance is running or stopped. However, you can’t detach the primary network interface.

Question 3

Q

Can VPCs span AZs and Regions?

Answer

A

VPCs are specific to a Region and hence cannot span a Region.
VPCs can span multiple AZs

Question 4

Q

What are the 5 IP addresses in each subnet reserved by AWS?

Answer

A

.0 - Network Address
.1 - Router address
.2- DNS Address
.3-Reserved for future use
.255 - Broadcast (not supported/hence reserved).

Question 5

Q

What are the attributes of an ENI?

Answer

A

A primary private IPv4 address from the IPv4 address range of your VPC
One or more secondary private IPv4 addresses from the IPv4 address range of your VPC
One Elastic IP address (IPv4) per private IPv4 address
One public IPv4 address
One or more IPv6 addresses
One or more security groups
A MAC address
A source/destination check flag
A description

Question 6

Q

Can ENIs support multiple Security Groups?

Answer

A

Yes. An ENI can have up to 5 security groups.

Question 7

Q

How do multiple SGs work?

Answer

A

A single SG can be associated with multiple ENIs.
A single ENI can have multiple SGs.
When multiple SGs are used, the rules are the product of all of them.
SGs are stateful.
They have an implicit deny - i.e. you can only specify “Allow”.
All rules are evaluated before proceeding (i.e. the rules are OR’ed - so if SG allows a particular traffic even if other don’t explicitly allow, then traffic is allowed)

Question 8

Q

How do NACLs work?

Answer

A

A single NACL can be associate with multiple subnets.
However, a single subnet can have only one NACL.
NACLs are stateless.
Both “Allow” and “Deny” can be specified.
Rules are evaluated in order.
The very last rule is a DENY ALL.

Question 9

Q

How do you configure ephemeral ports in NACLs?

Answer

A

Client initiating connection always chooses the ephemeral port. So, inbound/outbound rules have to be specified according to who the client is.
Ephemeral ports vary based on operating system.
In general, it is best to have inbound/outbound ports opened from 1024-65536 to cover all OS.
You can have a specific DENY rule earlier to deny traffic from malicious ports, before the rule that allows such a broad range of ports.

Question 10

Q

What port does the “Port Range” in SGs rules refer to?

Answer

A

The port ranges are all destination ports - NOT source ports.

Question 11

Q

What’s the difference between default NACL and Custom NACL?

Answer

A

Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.

You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.

Question 12

Q

What’s the difference between default SG and Custom SG?

Answer

A

Your VPC automatically comes with a default security group. All inbound traffic (from itself) is permitted. All outbound traffic is permitted.

When you create a new security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.

By default, a security group includes an outbound rule that allows all outbound traffic.

Question 13

Q

What does statefulness for SG mean?

Answer

A

It means that if inbound traffic is permitted, then the corresponding outbound traffic is also permitted - i.e. the outbound rules are not evaluated and vice versa.

Question 14

Q

What makes a subnet public?

Answer

A

A public subnet is a subnet that’s associated with a route table that has a route to an Internet gateway.

Note also that: instances in the subnet must have a globally unique IP address (EIP, IPv4 or IPv6). Or else, they must use a NAT GW or instance if they only have a private address.

Additionally, NACLs and SGs must permit the relevant traffic.

Question 15

Q

What are the different types of VPC Endpoints?

Answer

A

Interface Endpoints
Gateway Load Balancer Endpoints
Gateway Endpoints

Question 16

Q

What are the functions of the IGW?

Answer

A

IGW performs two functions:

a) to provide a target in your VPC route tables for internet-routable traffic, and
b) to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Question 17

Q

What are CIDR Range limitations in VPC Peering?

Answer

A

The requester and acceptor VPCs cannot have overlapping CIDR ranges.

However, a hub VPC can peer with two spoke VPC with overlapping CIDR range. The two spoke VPCs essentially communicate with different subnets in the hub VPC each with their own route table pointing to a different peering connection.

Question 18

Q

In VPC Peering, what is the impact of Regions on Security Groups?

Answer

A

Peer VPCs can be in the same account, different account in the same Region or in different Regions.

When VPCs are in the same Region, the SGs can reference each other in the SG-rules.

Across Regions, the SG rules have to use CIDR blocks.

If SG reference is “Stale” -that indicates that the peer deleted the referenced SG or the peering connection itself is terminated.

Question 19

Q

How does DNS resolution work in VPC Peering?

Answer

A

By default, if instances on either side of a VPC peering connection address each other using a public DNS hostname, the hostname resolves to the instance’s public IP address. To change this behavior, enable DNS hostname resolution for your VPC connection. After enabling DNS hostname resolution, if instances on either side of the VPC peering connection address each other using a public DNS hostname, the hostname resolves to the private IP address of the instance.

Question 20

Q

Where can VPC Flow Logs be attached?

Answer

A

a) VPC
b) Subnet
c) ENI.

Can capture Accepted, Rejected or All traffic.
Different combinations can be setup - e.g. one VPC Flow Log for accepted and another for rejected.

Flow Logs cannot be modified once created. Delete and recreate.

Flow Logs are NOT real-time. There may be a delay of up to 5 minutes (for Cloudwatch) and up to 10 minutes (for S3) after the close of the aggregation window.

They are customizable; can be stored to S3 or Cloudwatch. Some fields can only be captured to S3.

Question 21

Q

What are the fields in Flow Logs?

Answer

A

There are two FL formats a) Default and b) Custom.

Default cannot be modified - a subset of all available fields. Includes version#, acct id, interface id, src/dst port/IP, protocol, pkt, bytes, time (start and end), action (accept/reject), status (OK, NO DATA, SKIP DATA).

Custom formats are customizable.

Question 22

Q

What is a Flow Log Aggregation Interval?

Answer

A

This specifies the capture window. Default is the maximum of 10 minutes.

You can set it to 1 minute, but this would mean more logs.

Question 23

Q

What traffic does VPC Flow Logs NOT capture?

Answer

A

a) Traffic to Amazon DNS Server
b) Windows instance license activation
c) Instance metadata to 169.254.169.254
d) Traffic to time sync: 169.254.169.123
e) DHCP
f) Traffic to VPC Router
g) Traffic between an ENI and ELB.

Question 24

Q

How does FL integrate with CW?

Answer

A

When publishing to CloudWatch Logs, flow log data is published to a log group, and each network interface has a unique log stream in the log group. Log streams contain flow log records.

Question 25

Q

In the flow logs what are the key TCP Flags value?

Answer

A

The bitmask value for the following TCP flags:
SYN: 2 (Client to Server)
SYN-ACK: 18 (Server back to Client)
FIN: 1 (Bidirectional)
RST: 4

A flag value of 3 means client sent both SYN and FIN and it was recorded in the same flow log.
A flag value of 19 means, server sent both SYN-ACK and FIN and it was recorded in the same flow log.

Question 26

Q

What is the difference between regular and jumbo frames?

Answer

A

Regular frames are Ethernet v2 which support a Max Transmission Unit (MTU) size of 1500 bytes. Most of the internet is limited to this.

In AWS, some EC2 instances support a MTU of 9001 bytes - Jumbo frames. But this is only within AWS environment. When they leave the boundaries of AWS (including VPN connections) they are broken into 1500 MTUs.

Jumbo frames are supported only within a single Region. Inter-region traffic is limited to 1500 MTU.

Jumbo frames are supported over VPC peering connections, however, not if it is inter-Region VPC peering. JFs are supported over DX Private/Transit VIFs.

Jumbo frames are enabled by default within a VPC. Instances don’t have to be within a placement group to take advantage.

Question 27

Q

What are the high performance computing instance types?

Answer

A

Compute Optimized instances are ideal for HPC - c4, c5 and c6 instance types.

However, for graphics use the G3 instance. These are the latest generation of Amazon EC2 GPU graphics instances that deliver a powerful combination of CPU, host memory, and GPU capacity.

Question 28

Q

What are the different placement groups?

Answer

A

Cluster
Partition
Spread

All placement groups are specific to a single AZ.

Question 29

Q

What are the characteristics of the Cluster PG?

Answer

A

Cluster - best for low network latency, high network throughput, or both.

All instances in the group reside in the same AZ (does not say same HW rack/host, but it does say it in the same high-bisection bandwidth segment of the network). Instances can span peer VPCs.

Supports up to 10 Gbps for single-flow traffic within placement group. Limited to 5 Gbps for Direct Connect.

Limited to 5 Gbps for flows outside the placement group - e.g. traffic between AZs, flow between EC2 and S3 etc.

Question 30

Q

What are the characteristics of the Partition PG?

Answer

A

Groups of instances (called partitions) are hosted on separate HW. No partition shares a rack with another.

Best for large distributed and replicated workloads, such as HDFS, HBase, and Cassandra, across distinct racks.

Question 31

Q

What are the characteristics of the Spread PG?

Answer

A

Instances are spread across distinct HW (separate power and network). Can span AZs.

Question 32

Q

What is Enhanced Networking?

Answer

A

ENA uses single root I/O virtualization to provide high-performance networking capabilities on supported instance types.

SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces.

Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies.

Question 33

Q

What are the two types of enhanced networking?

Answer

A

Elastic Network Adapter - a network driver, ENA can support network speeds of up to 400 Gbps for supported instance types (current instances only support 100 Gbps).

Intel 82599 Virtual Function Interface - supports network speeds of up to 10 Gbps for supported instance types.

Question 34

Q

Why would you want to have multiple IP addresses for EC2 instances?

Answer

A

a) Host multiple websites on a single server - associate SSL certs with a specific IP
b) For network appliances like Firewalls and LBs
c) Redirect internal traffic to a standby by moving secondary IP to a standby instance.

Question 35

Q

When you add a secondary IP to an instance are you also adding a new network interface?

Answer

A

No. You can assign a secondary private IPv4 address to any network interface.

Security Groups apply to network interfaces and hence all IPs associated with an interface are subject to the SG rules.

Question 36

Q

What is an Elastic IP Address?

Answer

A

An Elastic IP address is a static public IPv4 address, which is reachable from the internet. No IPv6 Elastic IP.

Question 37

Q

What are the attributes on an ENI?

Answer

A

A primary private IPv4 address from the IPv4 address range of your VPC
One or more secondary private IPv4 addresses from the IPv4 address range of your VPC
One Elastic IP address (IPv4) per private IPv4 address
One public IPv4 address
One or more IPv6 addresses
One or more security groups
A MAC address
A source/destination check flag
A description

Question 38

Q

How do you enable enhanced networking with ENA?

Answer

A

Do the following:

a) Choose an instance type that supports ENA; set the instance attribute to enable ENA
b) Choose an OS/AMI that supports it (e.g. Amazon Linux 2); enable enhanced networking attribute.

This should automatically enable it.

Question 39

Q

How do you enable enhanced networking with Intel 82599 VF I/F?

Answer

A

a) Choose an appropriate instance type

b) Launch using HVM AMI (Hardware Virtual Machine). - e.g. Amazon Linux HMV AMI.

Question 40

Q

What’s an Elastic Fabric Adapter?

Answer

A

An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications.

Question 41

Q

How’s an EFA different from an ENA?

Answer

A

ENAs provide traditional IP networking features that are required to support VPC networking. EFAs provide all of the same traditional IP networking features as ENAs, and they also support OS-bypass capabilities.

OS-bypass enables HPC and machine learning applications to bypass the operating system kernel and to communicate directly with the EFA device.

ENAs are used by traditional TCP/IP stacks provided by the OS.
EFAs are used by HPC applications that bypass TCP/IP. They use something called Libfabric that interacts directly with the EFA device.

Question 42

Q

What is a Gateway Route Table?

Answer

A

A route table that is associated with an Internet GW or Virtual GW. Has Destination and Targets that is used by the Gateways to route.

Question 43

Q

What is Ingress Routing?

Answer

A

Traffic destined for a VPC is routed by IGW or VGW based on Gateway Route Table.

For example, internet traffic destined for Instance B, could be routed by the IGW, based on the GW Route Table to instance A’s ENI (which provides firewall services - e.g. Palo Alto FW).

Instance A (in this case) is the next hop (i.e. an explicit router) which inspects traffic and then forward it to the destination.

Question 44

Q

What is a Transit Gateway?

Answer

A

TGW is a Regional network construct that allows large scale (up to 5,000) communication between VPCs.
Supports VPN and Direct Connect communications.
Peering connections between TGWs in different regions (Static routes must be added)
Support multiple route tables (VRF/Network Segmentation) - up to 20 TGW RT and 10,000 routes per TGW.
Attachments are their own objects (e.g. connects VPCs to TGW)
Each attachment is associated with one route table
Each attachment propagates routes to one or more route tables
Attaching a VPC - specify one subnet in each AZ. Otherwise resources in that AZ cannot reach TGW even if the route table has an entry.
VPC route tables must be updated to route traffic to the TGW.
TGW Route Tables support blackhole routes.
*

Question 45

Q

What do the enableDnsHostnames and enableDnsSupport in a VPC configuration do?

Answer

A

enableDnsHostnames -Indicates whether instances with public IPv4 addresses get corresponding public DNS hostnames. If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true.

enableDnsSupport-Indicates whether the DNS resolution is supported. If this attribute is false, the Amazon Route 53 Resolver server that resolves public DNS hostnames to IP addresses is not enabled.

If this attribute is true, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC IPv4 network range plus two will succeed.

When you launch an instance into a VPC, it always receives a private DNS name.

No DNS hostnames for IPv6.

Question 46

Q

What is the size of the smallest subnet you can create?

Answer

A

The size is /28 (16 IPv4 addresses).

Remember (5 of the 16 addresses are not usable).
Also, to deploy a ELB, you must have a subnet that is /27 or larger with at least 8 available IP addresses.

Question 47

Q

What’s the size of the VPC’s IPv6 CIDR block?

Answer

A

A /56 is automatically assigned by AWS. You cannot select your own range.

Question 48

Q

What’s the size of a IPv6 subnet?

Answer

A

A /64 is automatically assigned.

Question 49

Q

What is a IPv6 GUA?

Answer

A

Global Unicast Addresses in IPv6 always start with a “2” or “3”.

2000::/3 (first three bits are 001). Leftmost 64 bits are the network segment and the rest (64 bits) are the node.

Question 50

Q

How many rules can you have per Security Group?

Answer

A

You can have 60 inbound and 60 outbound rules per security group (making a total of 120 rules). Separately enforced for IPv4 and IPv6 - i.e. 60 inbound IPv4 rules and 60 inbound for IPv6 rules.

Security groups per network interface = 5 (default) and 16 (max).

No more than 1,000 rules total (#of SG * # of rules/SG).

Question 51

Q

How many IPsec tunnels are there in a VPN connection?

Answer

A

2 IPsec tunnels per VPN Connection.

Each tunnel terminates to a specific public IP address (on the VGW). 2 public IPs total.

If a second VPN connection is terminated on the same VGW, then the VGW allocates two more new IP addresses - total 4 Public IPs.

Each tunnel can support up to 1.25 Gbps depending on packet size. But the VGW itself has a max of 1.25 Gbps (this means if there are two tunnels, each tunnel can only support .625 Gbps, if there are multiple connections to a single VGW, then they can only support less than that!).

To increase bandwidth you can forward traffic to both endpoints. Requires support of Equal Cost Multipath on the CGW. However, on the return side, AWS will always pick a single tunnel.

Question 52

Q

What are the two types of VPN in AWS?

Answer

A

1) Hardware VPN: Involves VGW and CGW;

2) SW VPN: EC2 instances run VPN SW (no VGW is involved).

Question 53

Q

What types of routing does the VGW support?

Answer

A

Dynamic Routing (uses BGP)
Static Routing

Note:

1) A VGW must be assigned a private ASN whether you plan to use BGP or not.
2) VGWs support only IPv4 based VPN tunnels. However, TGWs support IPv6.
3) Firewall at the customer location must be opened for UDP Port 500 (Phase 1 Tunnel/IKE) and IP Protocol #50 (ESP Traffic - Phase 2 Tunnel).
4) If behind NAT-GW, then NAT-T must be supported and port 4500 must also be opened.
5) For every VPN connection you terminate on a VGW, two IP addresses are assigned. So, if you have two VPN connections (4 tunnels) then VGW presents 4 IP addresses.
6) New: You can use a certificate from the customer device to connect to the VGW. In this case, when you create the CGW, you don’t need to specify the IP address. This is useful when the CGW uses dynamic addressing.

Question 54

Q

Can ENIs be moved across subnets?

Answer

A

No. Since ENIs are allocated a Private IP address from the subnet addressing space, they cannot be moved.

However, ENIs can be attached to instances that have their primary ENIs in another subnet - so long as the instances are in the same AZ.

ENIs are essentially scoped to AZs and cannot be used across AZs.

Question 55

Q

Can ENIs be used across AZs?

Answer

A

No. ENIs can only be attached to instances in the same AZs.

Instances can have ENIs in multiple subnets within an AZ (multihoming).

Question 56

Q

Can multiple ENIs be used to increase bandwidth?

Answer

A

No. NIC teaming cannot be used to increase bandwidth.

Question 57

Q

In a VPC Gateway Endpoint is transitive routing supported?

Answer

A

No. VPC Gateway Endpoints do not support transitive routing - this means, you cannot access them from across a VPN connection/Direct Connect/VPC Peering connection.

You can get around this using proxy routing - see Page 63.

Question 58

Q

Can VPC I/F Endpoint be accessed from Direct Connect?

Answer

A

Yes. IFEP can be accessed from DX and S2S-VPN. However, not over VPC Peering.

GW EPs, on the other hand, cannot be access from DX, VPN/VPC Peering conns.

Question 59

Q

What are the key differences between VPC Peering and Private Link Interface End Points?

Answer

A

VPC Peering - allows two way comms between VPC whereas PL/IEP allow only the consumer to initiate a request to the VPC.

PL/IEP more scalable than peering - can supports thousands of VPCs.

PL/IEP Network LB does Source NAT - hence, source IP is not available to the Service Provider.

Question 60

Q

How many secondary CIDRs can you add to a VPC?

Answer

A

Besides the primary, you can add up to 5 secondary CIDR ranges, if you run out of address space.

You can increase the limit beyond this by contacting AWS Support.

Question 61

Q

Can you create a VPN Connection between two VGWs?

Answer

A

No. Because neither VGW will initiate the connection.

Note: a VGW will never initiate a tunnel to a CGW. If the tunnel drops due to inactivity, then, an EC2 instance in a VPC wanting to send traffic to an on-prem server will not be able to do so. However, when the tunnels is up, EC2 can initiate traffic anytime.

Question 62

Q

Do AWS Private Link support UDP?

Answer

A

No. Only TCP traffic is supported.

Note: Interface Endpoints only support IPv4 traffic - which means that if an EC2 instance wants to access a

Question 63

Q

Does Direct Connect support static routing?

Answer

A

No. Direct connect only supports BGP. 802.1q VLAN tagging is also a requirements.

Question 64

Q

On Direct Connect, what defines a VIF?

Answer

A

A VIF is defined by the VLAN tag and BGP session.

Note: DX GW is a Layer 2 circuit. VIFs define layer 3 information. You can support multiple VIFs (L3) by separating information at L2 using VLANs.

Answer 65

A

Local Routes to the VPC preferred over overlapping propagated routes (even if propagated routes are more specific).
Longest prefix match first
VPC Static routes preferred over matching dynamic propagated routes
Dynamic routes:
a) Prefer DX BGP routes i) Shortest Path ii) if equivalent, balance traffic flow (ECMP)
b) VPN static routes
c) BGP Routes from VPN (shortest AS Path).

Answer 66

A

No. DX GW is only about Private VIFs and Transit VIFs.

Answer 67

A

Yes. NLBs can be referenced by static IPs in each AZ.

Contrast this with ALBs and CLBs - which should only be referenced by FQDNs since their IPs change when scaling.

Answer 68

A

For CLB, enable proxy protocol which injects this information into the request before sending it to the backend.

For ALB, nothing is needed, since ALB inserts the HTTP X-Forwarded-For headers.

Ensure that the CLB is not behind a proxy server already. Proxy server may already have added a request to the header. CLB may add another header causing duplication errors.

NLBs, provides client IP pass through to Amazon EC2 instances (if you use instance id when configuring a target). However, if you can only register targets by IP address, then enable proxy protocol v2 on the NLB.

Answer 69

A

NLB uses a flow-hashing algorithm. Uses protocol, source IP/port, Dest IP/port, TCP sequence#.

Each individual TCP connection is routed to a single target for the life of the connection.

Answer 70

A

No.

In DNS, you cannot create a CNAME record for a root zone. For example, you cannot have a CNAME record for “example.com”

Answer 71

A

Web Distribution (using HTTP/HTTPS)
Media Streaming Distribution (using HTTP and RTMP).

Answer 72

A

a) Signed URL
b) Signed cookies
c) Origin Access Identity (OAI) - works with S3 bucket origins when used with bucket policies.

Answer 73

A

a) Media player is served using HTTP (Basic Distribution)
b) Streaming media is served using RTMP (streaming distribution.
c) RTMP origins always have to be a S3 bucket.

Answer 74

A

a) Amazon S3 buckets
b) Amazon S3 static websites
c) EC2 instances
d) Elastic Load Balancers
e) Custom Origin Servers (e.g. on-prem servers).

Answer 75

A

Cloudfront will break video into smaller chunks that are cached in the cloudfront network for improved performance and scalability.

Answer 76

A

You can configure users to connect to cfrnt using HTTP.
Similarly, you can use HTTPS between edge and origin.
You can also apply field level encryption - by uploading public/private key pairs.

Answer 77

A

a) Shuffle Sharding

b) Anycast Striping - multiple name servers share the same IP address; clients routed to nearest NS by BGP.

Answer 78

A

a) Use Origin Access Identity (for S3 buckets) or Security Groups restricting access to Cloudfront IP address range
b) Use of custom headers (normally non S3 related such as EC2/ELB) - this can be used to differentiate your distribution from others
c) Signed URLs and cookies.
d) You can also impose Geo-restrictions; Allow/Deny lists for countries.

Note: restricting access to CF IP addresses alone is not enough since another distro could point to your origin. You should use this with custom headers.

Answer 79

A

AWS Certificate Manager is integrated with:

a) CloudFront
b) ELB
c) Beanstalk
d) API Gateway

Answer 80

A

a) VPC Flow Logs
b) DNS Logs
c) Cloudtrail logs
d) Intelligence feeds - malicious IPs and domains

Answer 81

A

EC2 instances with dedicated throughput that minimizes contention with other network traffic.

Hence, can support high IOPS.

Answer 82

A

Intel’s Data Plane Development Kit

A set of libraries and drivers for fast data processing. It extends the packet processing capabilities and supports both Intel 82599 Virtual I/F and the ENA driver.

While ENA and Intel 82599 decrease networking overhead between instance and hypervisor, DPDK decreases overhead of packet processing within the operating system.

DPDK and ENA can be used together to support high performance apps (real time comms, firewalls etc.).

Answer 83

A

DX offers 1, 10 and 100 Gbps connections. These are dedicated circuits allocated entirely to the customer. With Link Aggregation, you can combine up to 4x10Gbps for up to 40 Gbps link. Or 2x100Gbps links.

Sub 1 Gbps connections are available from partners - normally shared between multiple customers.

Answer 84

A

Yes. AWS Direct Connect can be used in conjunction with QoS to improve application performance and reliability. When packets leave on-prem, DSCP can be used for QoS if service provider network supports it. It appears to depend on DX service provider’s capability.

DSCP = Differentiated Services Code Point (7bit field in IP header) - used to prioritize traffic.

Inside a VPC, traffic is NOT differentiated - all treated equally.

Answer 85

A

ENA drivers are built to support speed up to 400Gbps, current instances support up to 25 Gbps.

Inside a VPC, any instance accessing data over the networks (e.g. S3) is limited to 5 Gbps. Instances that are ENA enabled can achieve higher bw by combining multiple flows up to 25 Gpbs.

Within Placement groups, a single flow is limited to 10 Gbps. Outside is 5 Gbps.

Some newer instances do support 10 Gbps and 25 Gbps networks outside of a placement group.

Answer 86

A

No. Sometimes, it can decrease it. It takes more CPU cycles to process more packets.

Jumbo frames reduce PPS thereby increasing throughput.

Also tweaking TCP stack configurations (buffer size), using network accelerators etc. can increase throughput.

Answer 87

A

ALBs can terminate TLS connections - but needs to know the private key (e.g. TLS Certificate).

NLBs, on the other hand, can pass through the TLS connection, which can then terminate on the Webserver. This means more processing on the Webserver. However, from a security standpoint, you don’t have to provision the private key on the NLB.

Answer 88

A

No. Only TCP does.

Answer 89

A

Change sets allow you to visualize and approve a proposed change to a stack before it is updated.

Answer 90

A

Validation errors - detected by cloudformation right away - cannot parse the template
Semantic error - only detected when resource is created or updated - e.g. CloudFormation calls an API and it fails.

Answer 91

A

CF template describes the end state of a stack - not the actions needed to get to that state (such as API calls etc.).

Answer 92

A

Template specifies what is to be created - e.g. a recipe.

Stack is a set of resources created according to the template - e.g. the dish!

Answer 93

A

A pipeline has stages
Each stage has one or more actions (serial or parallel)
Output of an action is an artifact.
Six Action Types: source, build, approval, deploy, invoke and test.

Answer 94

A

Depends….

Lambda functions have two states.

a) Not associated with a VPC, where it can talk openly to the web, but can’t talk to any of your AWS VPC services.
b) Associated with a VPC, the default setting where the lambda function can talk to your AWS services but can’t talk to the web.

For case b) if Lambda needs access to the Internet, a NAT GW is needed in the public subnet. It cannot be assigned a public IP address.

Answer 95

A

TCP flow is defined as traffic going through a single TCP port.

Single TCP flow is limited to 10 Gbps for instances in the same placement group and 5 Gpbs between instances anywhere else.

Aggregate flows combine multiple flows?

(Ref. Amazon EC2 for telecom Whitepaper)

Answer 96

A

No. Only L3 technologies are supported.

Answer 97

A

No. EC2 instances have to be in the same subnet for BGP peering to be established between them- a limitation of the way BGP peering works.

For multi-AZ EC2-based VPNs, BGP needs to be established over a GRE tunnel between instances (BGP/GRE).

In essence, building a VPN between the two instances.

Answer 98

A

To enable routing of traffic:

a) Source/dest check is disabled on EC2
b) IP forwarding is enabled at the OS level.

Answer 99

A

a) You need special feature e.g. advanced threat protection or transitive routing
b) On-prem devices don’t support IPsec; you want to use something different (GRE or DMVPN)
c) Overlapping CIDR ranges or multicasting between EC2s.
d) Very high throughput requirements.

Answer 100

A

Within a VPC traffic between instances is NOT encrypted.

To encrypt, you have to setup an overlay VPN mesh. Each EC2 instance will have VPN SW loaded on to it. It will need an “inside tunnel” IP address which is what will be used to address communication to each other. (See Page 115).

Answer 101

A

AWS does not natively support multicast or broadcast.

To do this, you have to build a VPN overlay network using GRE tunnels (available in the kernel of Linux OS).

Answer 102

A

Using EC2 instances as VPN endpoints.

AWS products (VPC peering, VGW, VPC Endpoints, IGW) do NOT support transitive routing.

EC2 as a VPN endpoint, will effectively unencrypt/re-encrypt communications and act as a proxy. (See pg 117).

Answer 103

A

Link Aggregation Group
Combines multiple 1 Gbps or 10 Gbps physical links into a single logical link.
Max of 4 links - all links in a group must have the same BW (i.e. you cannot combine 1 and 10 Gbps)
Links must be in same DX location and same AWS device.
Uses LACP - Link Aggregation Control Protocol.
You can configure to mark the whole link as down, if n connections are down - enabling failover.

Answer 104

A

MTU = 1500 bytes at the IP layer
MTU = 1522 bytes at the physical connection layer
14 byte Ethernet header + 4 byte VLAN Tag + 4 bytes of Frame Check Sequence + 1500 bytes of IP datagram traffic.

Private and Transit VIFs support jumbo frames.

Answer 105

A

Private VIFs are terminated at a VGW or DX GW.

Note: If you want to build an encrypted connection over DX, you can use VPN. You do this by connecting over a Public VIF to the public IP endpoints of the VGW. Or use a Private VIF to connect to EC2-based VPN Endpoints.

In contrast, Public VIFs are not terminated anywhere. They are used to access AWS public endpoints.

Answer 106

A

a) For IPv4 - peer routers much have public IP addresses. Contrast this with Private VIFs, where the BGP peer IP addresses can be auto generated at the time of creation.
b) You must own the public IP address blocks that you advertise - AWS will verify this with the internet registries.
c) If you don’t have public IP addresses you can request them from AWS.

You can advertise up to 1,000 prefixes via BGP per Public VIF.

Answer 107

A

VGWs can be either attached to a VPC or be standalone.

In either mode, VGW supports cloudhub which allows multiple networks to talk to each other securely and to a VPC (if one is attached).

VGW forwards BGP announcements between the private networks.

Private networks may be connected via VPN, or DX Private VIFs.

You can advertise up to 100 prefixes via BGP per Private VIF.

Answer 108

A

of Private VIFs that can be attached to a single DX GW = 30; however, only sessions via a single VIF to one connected VPC at a time allowed.

DX GW allows you to combine Private VIFs with multiple VGWs.

Normally, a single private VIF terminates on one VGW. But, if you want to scale this, DX GW is the way to do it. You terminate the Private VIF to the DXGW. The DXGW can then be connected to multiple VGWs (up to 10) each attached to a different VPC.

Note: The VGWs to which DXGW connects cannot be a detached VGW. It has to be attached to a VPC.

DXGW allows connection to VPCs in multiple Regions - not just the Region in which the DX is located.

DXGW also support Transit VIFs. Terminate the TVIF to a DXGW and conntect the DXGW to up to 3 TGWs.

Answer 109

A

a) Use VPN/Internet as a backup to DX
b) Dual connection in a single location terminating on different devices (not part of the same LAG) - protects against device failure but not a complete location failure.
c) Single connection in dual location
d) Dual connection in dual location - highest level of redundancy

Any of these options can be combined with a VPN/public internet fallback.

Answer 110

A

It is a mechanism where you artificially make the AS_PATH longer on one connection by adding your own ASN multiple times to the path. AWS will always prefer the shortest path prefix.

Answer 111

A

a) Since AWS chooses the longest prefix first, you can advertise a supernet on both VIFs (e.g. /23) and specific subnets on individual VIFs (e.g. /24).
b) Use AS_PATH prepending

These techniques are applicable to both Public and Private VIFs. Note that these techniques make the connection active/standby.

If you want active-active, then, advertise the same routes on both VIFs and AWS will use ECMP (traffic flows are hashed to one connection).

For the Customer network to AWS direction, you can use local preferences.

Answer 112

A

The on-prem router can be configured to ignore all BGP route advertisements except the one you want. This restricts what the DX connection is used for.

For example, you can use a Public VIF to only access S3, by configuring your router to ignore all but the S3 IP ranges.

Answer 113

A

Alias records are an AWS specific construct.

CNAME is a canonical name that is returned back to the resolver. The resolve then re-queries with the alias. CNAMEs cannot be used for the apex zone (e.g. example.com)

Alias records, are used with Cloudfront, ELB, VPC end points etc. where the IP address changes dynamically as they scale. R53 will resolve this dynamically at the time of the query and return the IP address to the resolver. So, resolver does not have to launch an additional query.

Answer 114

A

a) Endpoint - i.e. this checks availability of an endpoint (e.g. an IP address or domain name). Check via HTTP.
b) Status of other health checks (calculated health check) - use case: ensure that a minimum number of resources are up and functioning.
c) State of a cloudwatch alarm.

If less than 18% of health checkers consider the endpoint unhealthy, then R53 marks the end points as unhealthy.

Remember: Domain name based health checks will return healthy even if one of multiple IP addresses are unreachable. Best to use IP address based health checks in this case.

Answer 115

A

1) Simple - single host record that can have multiple IP addresses all of which are returned. Client chooses. Can associate health checks with IP addresses or domain name.
2) Weighted routing - has multiple records with same name (different set ID). Each record has a weight. Can associate health checks. A weight of 0 means no traffic is sent. All zeros mean traffic is equally distributed. If one server fails, then it is taken out (its weight is not added to the total sum).
3) Latency-based - multiple records in a record set. R53 routes to lowest latency from user’s location. Can associate health checks. Latency checks only rtt - not availability of service which is why you need health checks too.
4) Failover - A & B sites. Active-standby/Disaster Recovery use cases. A is always returned so long as it is healthy. Uses health checks. If both are unhealthy, A is returned!!!
5) Geolocation - R53 returns record based on resolver’s location (not latency). Use case: Geo-restrictions. Supports default, continent, country, states. Can be integrated with healthchecks. If no default, it returns a no result (this allows you to lock users into a specific location).
6) Multivalue Response (responds with multiple hosts). Returns up to 8 values. healthcheck integration.

Answer 116

A

For geolocation routing R53 uses the location of the DNS Resolver (which could be the ISP’s resolver and different from the location of the client).

edns-client-subnet - a portion of the IP address is sent by the resolver to R53 which is used as the client’s location.

Answer 117

A

Private Zones are associated with one more VPCs. This is what makes it private.

DNS queries from these VPCs use this zone file to resolve fqdns to IP address (private).

enableDNSHostnames and enableDnsSupport must be set to true.

Answer 118

A

This allows you to access resources using custom names (e.g. example.com) instead of AWS provided DNS-hostnames.

Answer 119

A

In split view DNS, a public and private hosted zone both share the same name space (e.g. advnetspec.com).

Internal clients have access to both private (first) and public zones. External clients only ever have access to public zone.

Answer 120

A

a) Subnet must be public
b) Must be /27 or larger (cannot use /28 or smaller).
c) Must have at least 8 available IP addresses.

Answer 121

A

ELBs deployed in one AZ can send traffic to instances in another AZ - ensuring that traffic is evenly distributed across all instances even though the instances themselves may not be evenly distributed among AZs.

Answer 122

A

Using Simple Active Directory.

Simple AD forwards DNS requests to the IP address of the Amazon-provided DNS servers for your VPC. These DNS servers will resolve names configured in your Route 53 private hosted zones. By pointing your on-premises computers to your Simple AD, you can now resolve DNS requests to the private hosted zone.

Answer 123

A

Sticky sessions (aka session affinity) are applicable to CLB and ALBs. They are done using cookies which clients must support. They are enabled at the target level.

Cookies are of two types and are encrypted:

a) duration based (AWSALB cookie) - generated by LB
b) application based (cookie name has to be specified) - generated by the application (custom cookie) and LB (application cookie). Essentially 2 cookies.

Clients have to send cookies back to LB with each request.

Note: NLBs are inherently sticky due to the flow-hashing algorithm used.

Answer 124

A

You can create one or more behaviors and associate them with CF.

A behavior specifies how requests are treated - e.g. use of HTTP vs. HTTPS, caching timers, signed URLs etc.

There is a default behavior associated with each distribution.

You can define additional behaviors - e.g. all requests for accessing the images/public/.jpg and images/private/.jpg portion of your S3 bucket are treated as defined by a behavior.

Answer 125

A

Yes.
Although dynamic content cannot be cached, there is still a performance benefit as the edge reuses TCP connections to the origin server. This can save a significant amount of setup time.

Answer 126

A

No.

Interface end-points can only be created within a same region - i.e. both Service Provider VPC and Consumer VPC have to be in the same region.

They also need to be in the same AZ - i.e. the NLB that is created as part of the service must be deployed in the same AZ from which consumer VPCs are connecting from.

For inter-region access, Service Providers must create a new VPC in the new region with a NLB and add IP addresses of instances in the original region over a peering connection.

Answer 127

A

Yes. It does.

The certificates can be stored in ACM.

Not sure how this works though! Since NLB is Layer 4 LB. But the documentation says it does!

Answer 128

A

It depends on how targets are registered.

If you register targets by instance ID, the source IP addresses of the clients are preserved and provided to your applications. If you register targets by IP address, the source IP addresses are the private IP addresses of the load balancer nodes.

Answer 129

A

Normally Lambda runs within a VPC managed by AWS.

However, a Lambda function can be associated with a VPC. Specific subnets have to be chosen. ENIs are created.

This gives Lambda access to resources within a VPC. For example, access to on-prem resources via a VPN connection.

Since Lambda does not get public IP addresses, in order to access the internet, a NAT GW in a public subnet is needed.

Of course, SG and NACLs have to be set appropriately.

Answer 130

A

Workspaces require a) Client Application b) Directory service to authenticate user and c) VPC with two subnets in multiple AZs.

A VPC with minimum of two subnets (these need to be private! and in different AZs) is needed for each AWS Directory service to deploy ENIs in.

The right subnet size depends on multiple factors (e.g. how many WSs you’ll need over time, expected growth, types of users…). However, since two subnets are needed, they cannot be larger than /17. The smallest they can be is /28.

Each subnet has 5 IP addresses reserved.
Each AD connector consumes 1 IP address in each subnet in which it persists.

You may need more than one AD connector to separate different types of users (e.g. full time employees vs. Contractors).

AD Connector itself may communicate with either an on-prem MSAD service or an AWS Active Directory (in which case two more IP addresses are used by the AD service).

Then there is an ENI that workspaces itself will deploy into a 1 private subnet into which it is deployed (hence, one more IP address). Note, that unlike the AD service, here it is deployed in only 1 subnet.

Answer 131

A

Appstream 2.0 architecture is similar to Workspaces.

The instances for each user is a dedicated VM. The VM lives in an AWS VPC.

It has two ENIs. One Management ENI is managed by AWS and lives in the AWS VPC. It is used by the user to connect in for authentication and streaming.

The second ENI, is projected into a subnet of a customer managed VPC and provides access to VPC resources. The customer can control this using SG/NACLs/RTs etc.

Answer 132

A

R53 Resolver (aka AmazonProvidedDNS or EC2 DNS etc.) lives at the base on VPC+.2 address.

R53 resolver receives queries from EC2 and forwards it in the following order a) Private DNS (trumps all), b) VPC DNS (i.e. ec2 DNS names) and c) Public DNS.

In reality R53 Res lives in each AZ and is shared by all VPCs in that AZ. It does not live in the .2 address, but it is cached on the instance hardware. This is why only the EC2 instances that run on the HW can call it and not servers from a corporate center.

R52Res supports inbound and outbound ENIs. On-prem DNS resolvers can forward queries to inbound ENIs.

Limits:

Each EC2 instance (per ENI), can only send 1024 PPS to the R53 Resolver.
Each inbound/outbound ENI can support up to 10,000 Queries

Source: Youtube video by: Gavin McCullagh (2019 Reinvent).

Answer 133

A

1) Weight
2) Local Preference
3) AS Path Prepending
4) Metric or Multi-exit discriminator

Weight and Local Pref. control outbound routes. Weight is local to a single router. LP is advertised to other interior BGP routers (higher is preferred).

AS Path and MED (aka Metric) control which local router eBGP peers prefer. MED/metric (lower is preferred).

Answer 134

A

a) VGWs are not VPC transitive (i.e. cannot reach other VPCs other than the one that the VGW is connected to).
b) Throughput capped at 1.25 Gbps per VGW - however, if you use TGW, you can actually combine tunnels to increase your data rate.
c) VGW uses a single VPN tunnel when returning traffic to a network
d) Only support two one-way security associations (i.e. cannot support policy based VPNs.)
e) Only IPSec protocol
f) Only IPv4
g) No client-to-site VPN support.

Answer 135

A

Client to site VPN based on OpenVPN (not IPSec).
Client auth - certificate based or Active Directory based
Client VPN Endpoint is created and associated with multiple subnets within a VPC.
This creates an ENI through which traffic can flow to the VPC, peered VPCs, internet and even on-prem via VGW.
Client VPN EP has a route table with all subnets to which traffic can go to. This RT is copied to the client.

Answer 136

A

a) Private VIF (terminates at a VGW or DXGW)
b) Transit VIF (Terminates at a DXGW which then connects to a TGW)
c) Public VIF (public endpoints in ALL Regions!)

Therefore, a DXGW support a private VIF and VGWs (OR) Transit VIF and TGWs - but not both together.

Answer 137

A

Two factors are used

a) Port Hours
b) Data Transfer Out

Each may be billed to a different AWS Account. Port hour charges are billed to the connection owner. Data transfer out charges are billed to the account consuming the VIF (i.e. hosted VIF).

Answer 138

A

#of Public or Private VIFs per dedicated DX Connection - 50
#of Transit VIFs per dedicated connection - 1
# of Pub/Priv/Transit VIF per Hosted Connection - 1
# Routes/BGP session for Priv/Transit VIF - 100
#of Routes/BGP session for Public VIF - 1,000
#of Private VIFs that can be attached to a single DX GW = 30

Answer 139

A

Applicable to Public VIFs: You can use BGP communities tag to control how far the routes that you advertise to AWS over a DX BGP session goes.

7224: 9100 - Local Region Only
7224: 9200 - All AWS Regions in Continent
7224: 9300 or absence of tag - Global

On the reverse side (BGP adverts originating from AWS)
7224:8100 - Routes from same AWS Region
7224:8200 - Routes from Regions in same continent.
No tag - Global.

Answer 140

A

BGP uses Port 179 (FW has to allow these ports).

Answer 141

A

The two VPN endpoints use Internet Key Exchange protocol (v2 and v1 are supported).

IKE Phases 1 & 2 tunnels - involves peers mutually authenticating, generating security keys, agreeing on security parameters. Phase 2 tunnels have shorter lifespan than Phase 1.

In IKE Phase 1 - authentication can use either certifications (loaded into ACM) or pre-shared keys (AWS generated).

After IKE Phase 2 tunnel is considered ready - two one-way Security Association between the VPN End points.

SA is a relationship between two VPN peers where both parties agree on a common set of security settings.

AWS VGW supports only Route-based VPNs (all traffic uses a single set of SAs). No support for Policy based VPNs (SAs vary depending on traffic type - determined by policy).

Answer 142

A

a) Support for IKE (v2 or v1)
b) IP Sec (ESP Mode)
c) Static public IPv4 address
d) Support for Dead Peer Detection
e) Firewalls must allow UDP Port 500 and IP Protocol 50
f) If behind NAT-T, then FW must allow UDP Port 4500.

Answer 143

A

Inside IP CIDRs represents a network of two nodes that make up the VPN connection (i.e. VGW and CGW).

Inside IP CIDRs is used only for dynamic BGP routing to identify the two peers (VGW and CGW) inside the encrypted network. Not applicable for static routing.

It must be a /30 (2 usable IP addresses) in the 169.254.0.0/16 range (which is a private IP range used when DHCP server is unavailable).

They uniquely identify the tunnels when more than one VPN connection terminates at a single VGW.

See: https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html

Answer 144

A

Single Mode Fiber
1000Base-LX (1 Gbps), 10GBase-LR (10 Gbps), 100GBase-LR4 (100 Gbps)
Disable auto negotiation on all ports (speeds must be explicitly configured)
802.1Q VLAN encapsulation
BGP and BGP-MD5 authentication
BFD (optional) - quick detection of link failures

Answer 145

A

Remember: a hosted DX connection can only support one VIF.

If you want to support multiple VLANs, you can

a) Use multiple hosted connections with each hosted connection supporting a separate VLAN.
b) Use aggregated VLANs (tag types are used to encapsulate 802.1q within another 802.1q - customer and provider switches). Enables provider network to support multiple customer networks.

Note: you can still only support one VIF - even with aggregated VLAN.

Answer 146

A

Up to 4 DX connections can be combined into a LAG.
They must terminate at the same location (and on the same switch!!!! - see FAQ which clarifies that multi-chassis LAGs are not supported)
Connections have to be same speed (either 1, 10 or 100 Gbps)
Min links specific the number of DX conns that must be up for LAG to be operational (0=no minimum).
VIFs can be associated with a LAG (instead of a specific DX connection)
On the customer side, LAGs must be created to support VIF traffic.

Answer 147

A

Use BGP Communities to achieve load balancing and route preference for incoming traffic (from AWS to on-prem).

7224: 7100 - Low Pref
7224: 7200 - Med Pref
7224: 7300 - High Pref

Local preference BGP community tags are evaluated before any AS_PATH attribute.

Answer 148

A

DX Connections have CW Metrics (Up/Down, Bps and Pps for ingress and egress)

VIFs, on the other hand, have no CW metrics.

Answer 149

A

a) DX Connection down - HW issues/Physical layer problem at on-prem or DX location; check cable/port configs
b) DX Conn is up but VIF down - Layer 2 issue; verify 802.1q support, correct VLAN config
c) VIF is up, but BGP is not - misconfig - check ASN, MD5-auth; no more than 100/1000 BGP advert on Pri/Pub VIF.

Answer 150

A

R53EPs - inbound and outbound - provide access to R53 Resolver.

a) Each R53EP can support anywhere from 2 to 8 ENIs.
b) Each ENI of the R53EP can support up to 10,000 QPS
c) The R53EPs are placed in specific subnets - but are accessible from other VPCs in the Region (Hmmm…how is this possible? - using RAM?).
d) All ENIs associated with an R53EP are associated with a SG.
e) Get an IP address (dynamic or customer assigned)
f) Outbound EPs have system rules and forward rules. System rules are implicit and defined for i) Priv HZ ii) VPC Domain Names and c) Public domain names

Answer 151

A

a) DXGW is a global construct. Multiple VPC (in multiple regions and accounts) can connect to it (up to 10). VPCs cannot have overlapping CIDR blocks.
b) It acts as one end of the BGP peering connection. It acts as a BGP reflector for AS’ that sit behind it on the AWS side (i.e. all the VGWs).
c) It does not allow VGW to VGW traffic.
d) It supports VPC attachments from multiple accounts
e) Can connect to multiple VPCs via a TGW (T-VIF). But, the TGW can only advertise 20 routes to the DGW. Hence, route aggregation is required.

Answer 152

A

A feature that allows a subnet in one AWS account to be shared with other AWS accounts.
Must be part of the same AWS Organization.
Subnets are shared via Resource Access Manager
Once shared, other accounts may provision resources within that subnet as if it were native to their account.

Answer 153

A

a) Transit VPC (spoke and hub model)
b) Transit Gateway

Transit VPC:

EC2 based instances act as CGW and establish VPN connections to spoke VPCs that have a VGW.
Dynamic routing should be used. This ensures that spoke VPCs advertises routes to the EC2 instances in the T-VPC. T-VPC may reflect routes back to each S-VPC - so that each S-VPC learns about other SVPCs.
Multiple EC2 instances with EIPs recommended

Answer 154

A

a) You can build a VPN tunnel from on-prem routers to T-VPC EC2 instances and use BGP to communicate with spoke VPCs.

Note: You cannot use a VGW in this instance, because the traffic can only be delivered to the TVPC - it cannot then pass transitively to another VPC.

b) If using DX, then use a detached VGW - i.e. terminate a Private VIF to a detached VGW. Build VPN connections from T-VPC EC2 to detached VGW with BGP. VGW’s cloud hub functionality will ensure that routes from TVPC is shared with on-prem and vice-versa.

(See Page 146).

Answer 155

A

Private 16-bit range: 64512 to 65535

Private 32-bit range: 4,200,000,000 to 4,294,967,294

Answer 156

A

a) Build a VPN connection to the TGW over the internet (CGW –> TGW). Use BGP
b) Build a VPN connection to the TGW over DX Public VIFs (TGW offers public endpoints for VPN terminations).

Answer 157

A

Connects from ISPs to AWS Backbone directly. Avoids multiple hops.

Answer 158

A

1) Most specific routes
2) Static > Propagated
3) If propagated
a) VPC > DXGW > TXGW Connect > S2S VPN

Answer 159

A

Works at L7 (HTTP/HTTPS) - uses Web ACLs
Allows, deny or count
Integrated with APIGW, CF, ALB
Note: R53 NOT supported.

Conditions and Filters (XSS, IP, Country, String/regex…), multiple are OR’ed.
Rules have one or more conditions (AND’ed) that must either match or not match, normal and rate-based rules
Web ACLs - 1 or more rules (processed in order)
Association with resources

Note: Rate-based rules help mitigate DDOS L7 attacks.

Web ACL to AWS resources is one-to-many. However, Web ACL associated with Cloudfront cannot be associated with any other resource.

Answer 160

A

Feature that facilitates S3 bucket sharing - e.g. large data lakes accessed by hundreds of applications.

S3AP are unique DNS hostnames through which S3 buckets can be accessed. Multiple APs can be created and distinct policies associated with a S3 bucket.

Each AP can be distinctly managed. Can be restricted to VPC access.

Answer 161

A

Applications can offload authentication to the ALB.

You define a listener rule with path-based routing set to match a URL that handles authentication.

As an action for that rule - you can then hook a authentication call to an IdP - OIDC, SAML, LDAP Cognito etc.

Answer 162

A

No.

Amazon S3 website endpoints do not support HTTPS. (Probably because there is no way to provision a TLS certificate).

However, with CF, you can use S3 as an origin (instead of a S3-static website). In which case, HTTPS is supported if the user requests are HTTPs based (viewer match policy).

Answer 163

A

Firewall Manager is a security management service. Enforces compliance.

Centrally enforces deployment of

a) WAF ACLs
b) Shield Advanced protection policies
c) VPC Security Groups.

Note: NACLs are not covered by this service.

Accounts across AWS Organizations can be managed centrally.

Integrates with AWS Security Hub.

Compliance violations can be viewed on Firewall Manager console or on AWS Security Hub console.

Answer 164

A

1) Format Version
2) Description
3) Metadata - data you want to pass to instances
4) Parameters
5) Rules
6) Mappings - for e.g. use a specific AMI in US-east-2
7) Conditions - e.g. tags/IP ranges- conditional statements
8) Transform
9) Resources (Required)
10) Outputs - returns any piece of information

Answer 165

A

It is an intrinsic function that returns an array of CIDR block ranges you use when creating subnets.

Answer 166

A

AWS OpsWorks is a configuration management service (support Chef, Puppet, Stacks).

An automation server runs is a private subnet (think about it like K8 ControlPlane node) and communicates with Appservers/nodes that it manages in other private (equivalent to K8 worker nodes).

The automation server can access SW updates from the internet via NAT GW in a public subnet. Or a VPC Gateway Endpoint to a S3 bucket where all the configuration information is stored.

A bastion host in a public subnet provides access to Automation Server’s dashboard.

All website traffic can come through the ALB and hit the web/app servers without ever touching the Automation server.

Answer 167

A

You need a) VPC ID b) peer AWS Acct ID c) cross-account access role that is assumable by the requester account.

The peered-accepter VPC needs to create an IAM role. The ARN for that IAM role is used, along with a region indicator to create the peering connection.

Answer 168

A

Signed URLs are for controlling access to a single file. Used when browsers don’t support cookies.

Signed cookies are for controlling access to multiple restricted files.

Signed URLs take precedence over signed cookies.

Answer 169

A

DDos Mitigation (Layer 3 & 4 attacks). L7-HTTP/cache-busting flood. For L7 attacks Shield Adv notifies via CW alarms only (no proactive action taken).

Shield standard: Available to all, particularly effective with R53 and CloudFront.

Shield Advanced: You need to specify resources to protect (either via Shield Adv or AWS Firewall Manager). AWS WAF is included at no extra cost.

Resources include CldFrnt, R53, Global Accelerator, ALB, ELBs, EC2-EIPs.

Answer 170

A

GWLB is used for supporting 3rd party security appliances.
A combination of GW (L3 - can be next hop in a route table) and Load Balancer (L4 Load Balancer).
Health Checks, Stickiness
User Traffic encapsulated in L3 protocol called GENEVE (packet seen by appliance as is - no change in Source IP/port)
Can be deployed in one Shared services VPC and multiple VPCs can be supported.
GWLB EPs are projected into other VPCs.

Answer 171

A

AWS does not have any native services that do DPI.

Use Traffic Mirroring, third party IDS, Gateway LBs to accomplish your task.

Remember VPC flow logs only capture meta data and not the actual packet contents.

Answer 172

A

Mirror Source - e.g. ENI, the traffic to which is monitored
Mirror Target - another ENI or NLB (destination of mirrored traffic).
Mirror Filter - accepted or rejected traffic, protocol type, port, IP range etc.

Answer 173

A

Yes. But they have to be on different ports.

You can register a target in a target group multiple times with different ports.

Answer 174

A

Using EP policies and S3 bucket policies.

With EP policies, you can specify which bucket to access (e.g. as a Resource within a permission statement). Default policy allows access to everything.

With bucket policy you can specify endpoint ID as the as the “sourceVpce” as a condition within the permission statement.

Answer 175

A

User-Agent (in the HTTP header) contains information about the device that submitted the request.

Lambda@Edge can inspect this element and react (e.g. send low-resolution image to mobiles).

L@Edge can also inspect cookies and modify paths.

ALBs can support path based routing to different targets allowing you to customize content.

Answer 176

A

No. Once created they cannot be modified. They can be replaced with a new options set.

Option sets allows you to define a) DNS server b) NTP sever c) NetBIOS Name server and d) NetBIOS node type.

Note: While you can define new DHCP Option Set, You have to use the AWS DHCP server. Custom DHCP servers are not supported. DCHP requires broadcast which is not supported in the AWS VPC.

Answer 177

A

For AWS S2S:

a) VPN Connection hour (partial hours billed as whole).
b) Data transfer charges

For AWS C2S VPN:
Client VPN Endpoint itself is free.
However, you pay for the subnet associations
Number of client connections.

Answer 178

A

Data-in (Internet to EC2) = Free
Data out (EC2 to Internet) = charged after 1st GB

DTO to Cloudfront = Free

DTO within the same Region
EC2/EIP/RDS - Across AZ charged in both direction
EC2 transfers within the same AZ is free
EIP/Public IP transfers are always charged.
S3 transfers in the same region is free.

Answer 179

A

Alias records appear as an A record. However, unlike a regular A record which has an IP address for its value, Alias record has an FQDN for a value.

Answer 180

A

a) Build a shared services VPC (Central DNS happens here)
b) Connect spoke VPCs via TG.
c) Associate Priv-HZ with each spoke VPC directly. This preserves AZ isolation. EC2 instances can query PHZ directly (1024 PPS limit). VPCs can be in different accounts.
c) Create inbound and outbound resolver endpoints.
d) Create conditional forwarding rules for on-prem domains.
e) Forwarding Rules can be shared with other VPCs. If VPCs are in the same account, simply choose them. If in different account use RAM. Share with all VPCs that need it.

Answer 181

A

At creation of an interface endpoint, you receive an endpoint-specific regional DNS hostname that includes a unique endpoint identifier, service identifier, the Region, and vpce.amazonaws.com in its name. For example, vpce-12345678-abcdefg.sqs.us-east-1.vpce.amazonaws.com. This name resolves to the IP addresses of the endpoint in the shared services VPC. The default DNS hostname for this service is sqs.us-east-1.amazonaws.com. Resolution of this DNS hostname results in a public IP address.

Enabling Private DNS for the interface endpoint creates a private hosted zone so that the default name (sqs.us-east-1.amazonaws.com) resolves to the endpoint IP addresses. However, today this only works in the VPC where the endpoint resides. Other VPCs continue to resolve the public IP address.

If you want to access the interface endpoint sqs.us-east-1.amazonaws.com in the shared services VPC from spoke VPCs and on-premises servers, do the following: (Spoke and  T-VPCs should already be connected - e.g. via TGW).

a. Create a Route 53 private hosted zone called sqs.us-east-1.amazonaws.com associated to the shared services VPC.
b. Create an alias record called sqs.us-east-1.amazonaws.com that targets the endpoint-specific regional DNS hostname (vpce-12345678-abcdefg.sqs.us-east-1.vpce.amazonaws.com).

Answer 182

A

An AWS Managed FW that protects the VPC
Regional service - secures NW traffic at Org and Acct level
Integrates with AWS FW Manager
Offers L3-L7 visibility and control
Uses Rules (custom or Marketplace)
Also protects VPN and DX traffic.
NOT for DDoS
IPS - offers traffic flow inspection (threat detection using signatures)
Can be used with SG, WAF and Marketplace appliances
Can be deployed with VPC or TGW.
Creates a Interface EP within a subnet (/28 min size).
NW Firewall policies consists of rule groups.
Rules can be stateful or stateless
Logs -> S3, Kinesis (NO cloudwatch)
No Encrypted Traffic Support.
Note: NWFW does NOT do NATing - hence the workload instances need an EIP to communicate with the Internet.

Answer 183

A

No!

You have to manually migrate it - i.e. make a AMI of the original instance and start a new instance in the new subnet, AZ or VPC.

EIPs can be reassigned however.

Answer 184

A

a) Cross-site scripting (XSS)
b) IP Addresses
c) size constraints
d) SQL injection
e) geographic match
f) string match

Answer 185

A

A partner providing a new connection on their interconnect to a customer.

Answer 186

A

AWS Glue ENIs cannot be assigned a public IP address. Hence a NAT GW is needed.

Answer 187

A

You can use the DeletionPolicy property against specific resources and set it to “Retain”. This overrides the default behavior of deleting the resource when the stack is deleted.

Stack policies are only applicable to updates. You can use stack policies to prevent deletion during updates.

Answer 188

A

EFS uses NFS v4.0 and v4.1 protocol

A mount target provides an IP address for an NFSv4 endpoint at which you can mount an Amazon EFS file system.

You mount your file system using its Domain Name Service (DNS) name, which resolves to the IP address of the EFS mount target in the same Availability Zone as your EC2 instance.

You can create one mount target in each Availability Zone in an AWS Region. If there are multiple subnets in an Availability Zone in your VPC, you create a mount target in one of the subnets. Then all EC2 instances in that Availability Zone share that mount target.

You can mount EFS on to a on-prem server. Done via DX. Best to use IP address instead of DNS name of the EFS mount points.

Security group associated with the ENI/Mount point must allow traffic to the NFS port (2049).

Answer 189

A

A prefix list is a set of one or more CIDR blocks.

You can use them in security groups and route tables.

You can create a prefix list from the IP addresses that you frequently use, and reference them as a set in security group rules and routes instead of referencing them individually. For example, you can consolidate security group rules with different CIDR blocks but the same port and protocol into a single rule that uses a prefix list. If you scale your network and need to allow traffic from another CIDR block, you can update the relevant prefix list and all security groups that use the prefix list are updated.

Answer 190

A

CF Invalidation allows you to remove objects from the cache before it expires.

You can use versioning instead of invalidation. For example, change image_v1 to image_v2 and update your links.

Answer 191

A

When using multiple VPN connections, if you have a stateful firewall, it may be best to use the VPN connections in active standby. Otherwise, packets will be dropped.

So, you want to set up the connections (using AS_PATH) such that AWS routes traffic back on the same VPN connection (not use ECMP).

Answer 192

A

a) Access to S3 for logging (can be enabled via Gateway EP)

b) DNS for name resolution.

Answer 193

A

There are three parties:

a) Template developer - specifies a service token provided by the custom resource provider
b) custom resource provider - owns the resource, provides the token to developer
c) Clouformation - which during stack operation sends a request to the service token specified and awaits a response.

Brainscape's Knowledge GenomeTM

AWS Networking Facts Flashcards

Brainscape's Knowledge Genome^TM