AWS Networking Flashcards

1
Q

You have a central VPC for AD authentication and many other VPCs across multiple Regions. How can you use Transit Gateway to route traffic to the shared VPC but NOT allow traffic between the other VPCs? (2)

A

Use (1) a single transit gateway with every VPC attached. Route spoke traffic to the shared VPC and add (2) “blackhole routes” for the other spoke CIDRs in the spoke route table, so spoke-to-spoke traffic is dropped at the transit gateway. (Separate transit gateway route tables for the spokes and for the shared VPC keep the rules manageable.)

2
Q

You need higher DX throughput. How can you achieve this?

A

Provision a new, higher-capacity DX connection (or add connections to a Link Aggregation Group) and migrate traffic to it; the bandwidth of an existing DX connection cannot be changed in place.

3
Q

What limitation is there for adding secondary CIDR blocks to your VPC?

A

Must not overlap the primary block, existing secondary blocks, or the CIDR of any peered VPC, and must be between /16 and /28. Secondary blocks must also be compatible with the primary: if the primary is from one RFC 1918 range (e.g. 10.0.0.0/8) you cannot add a secondary from a different RFC 1918 range (172.16.0.0/12 or 192.168.0.0/16), and if the primary is publicly routable (non-RFC 1918) you cannot add an RFC 1918 secondary at all.

4
Q

Which CIDR ranges are RFC 1918?

A

10.0.0.0–10.255.255.255 (10/8 prefix)
172.16.0.0–172.31.255.255 (172.16/12 prefix)
192.168.0.0–192.168.255.255 (192.168/16 prefix)

5
Q

Network Load Balancer feeding EKS cluster distributed across AZs. One AZ’s instances are not receiving traffic. What is the likely reason?

A

That AZ is not enabled on the network load balancer (no subnet in the AZ was registered with the NLB, so it has no node there to forward traffic from).

6
Q

Network Load Balancer feeding EKS cluster distributed across peered VPCs. The clusters in one VPC are not receiving traffic. What is the likely reason?

A

The targets are in a peered VPC, so they must be registered by IP address, not by instance ID (instance-ID registration only works for instances in the load balancer’s own VPC).

7
Q

Load Balancer handling traffic between application and RDS MySQL database. How do you ensure encryption end-to-end? (3)

A

(1) terminate SSL/TLS at the load balancer with an HTTPS listener and an ACM certificate
(2) configure the load balancer to re-encrypt traffic to the application targets over TLS (HTTPS target group)
(3) require SSL on the RDS MySQL side: GRANT … REQUIRE SSL (MySQL 5.6) or ALTER USER … REQUIRE SSL (5.7+) per user, or set require_secure_transport=ON in the DB parameter group for every connection

8
Q

Instance Metadata URL

A

http://169.254.169.254/latest/ (with IMDSv2, every request must carry a session token obtained by a PUT to http://169.254.169.254/latest/api/token with the X-aws-ec2-metadata-token-ttl-seconds header; enforce IMDSv2 with the instance metadata option HttpTokens=required so SSRF-style credential theft via plain GETs fails)

9
Q

Most operationally efficient method to allow many globally distributed department teams to connect logically isolated VPCs spread across many regions?

A

Use an AWS Cloud WAN core network with edge locations. Create distinct segments for each department.

10
Q

DX connecting on-prem applications to ECS clusters in multiple VPCs. How can you prevent VPC-to-VPC communication?

A

Use multiple DX Gateways - one for each set of VPCs you want to isolate.

11
Q

How do you log and query DNS traffic most easily?

A

Route 53 Resolver Query logging, query with CloudWatch Logs Insights.

12
Q

How do you propagate BGP routes to/from DX connection?

A

Enable route propagation on the VPC route table and select the virtual private gateway (VGW) as the propagating gateway; prefixes learned over BGP on the DX private virtual interface are then installed in the route table automatically.

13
Q

What is the purpose of AWS VPN CloudHub?

A

Connect one VPC (a single virtual private gateway) to many on-prem locations over Site-to-Site VPN using BGP; the remote sites can also reach each other through the hub.

14
Q

What are three valid tunnel options for site-to-site VPN?

A

Pre-shared key (PSK)
Dead peer detection (DPD) timeout
Phase 2 Diffie-Hellman (DH) group numbers

15
Q

How do you aggregate multiple DX connections (from disparate DX partners) into a single DX endpoint, which is treated as a single, managed connection?

A

Link Aggregation Group (LAG)

16
Q

What are three INVALID tunnel options for site-to-site VPN?

A

Bidirectional Forwarding Detection (BFD)
Multiprotocol Label Switching (MPLS)
Path MTU Discovery (PMTUD)

17
Q

Site-to-Site VPN: How can you improve bandwidth over multiple paths (multiple connections associated with a transit gateway)?

A

Configure Equal-Cost Multi-Path (ECMP) routing and enable it in the transit gateway.

18
Q

At what number of bytes do you need to consider using jumbo frames for your MTU?

A

> 1500

19
Q

What is the MTU cap for jumbo frames (in bytes)?

A

9001 bytes (inside the VPC and over Direct Connect; traffic that leaves through an internet gateway or a Site-to-Site VPN is limited to 1500)

20
Q

What is billed for Direct Connect?

A
  1. Port hours
  2. Data transfer OUT
21
Q

What information is needed to provision a public virtual interface to connect on-prem to VPC via Direct Connect (Should support Autonomous System [AS] prepending)? (3)

A

Virtual local area network (VLAN) ID.
Border Gateway Protocol Autonomous System Number (BGP ASN)
CIDR ranges you wish to advertise to AWS

22
Q

How can you check EIP assignment to EC2s and validate no spare EIPs?

A

AWS Config. Use the eip-attached managed rule, which flags every Elastic IP that is not attached to an EC2 instance or a network interface.

23
Q

How do you set up a VPC for private Workspaces instances?

A

With private subnets for the WorkSpaces (the directory needs two, in different AZs) plus a public subnet hosting a NAT gateway, so the private WorkSpaces can reach the internet to install OS updates without being reachable from it.

24
Q

Do you need BGP multi-hop to set up active/passive DX connections with two virtual private gateways?

A

No. AWS does not support BGP multi-hop on Direct Connect; active/passive is achieved with AS_PATH prepending or local preference communities on the standby connection instead.

25
Q

DX: What happens if you advertise the same prefixes over both connections to your 2 VGWs with ‘AS_PATH’ attributes of equal length?

A

AWS sees two equally preferred routes and load-shares inbound traffic across both connections: an active/active configuration.

26
Q

DX: How do you configure the ‘AS_PATH’ attribute for your VPGs to create a active/passive route configuration?

A

Prepend the customer gateway ASN to the ‘AS_PATH’ advertised on the secondary connection (e.g. twice) so its path is longer than the primary’s; AWS prefers the shorter AS_PATH, so the secondary only carries traffic when the primary is down.

ex. ASN of CGW = 123
AS_PATH advertised on the primary connection = 123
AS_PATH advertised on the secondary connection (prepended twice) = 123 123 123

27
Q

T/F You can assign an elastic IP to your Lambda function in a private subnet

A

False.

28
Q

What service can provide deep packet inspection on ingress and egress traffic in your VPC?

A

AWS Network Firewall

29
Q

What does Amazon Network Access Analyzer do?

A

Analyzes network security settings to identify unintended access.

(Does not inspect traffic)

30
Q

When transferring 3rd-party hosted domains to Route53, how do you enable DNSSEC signing?

A

Disable DNSSEC signing (and remove the DS record) at the current registrar before the transfer, then re-enable DNSSEC signing in Route 53 once the domain registration has moved.

31
Q

In order to optimize DNS calls after a domain registration migration, how should you set the TTL on the NS record?

A

Set to a high value like 172800 (2 days)

32
Q

Domain migration: What prerequisite is there to updating NS records in Route53 if there is DNSSEC configured on the current domain registration?

A

Remove the Delegation Signer (DS) record from the parent zone

33
Q

DX Connection: When creating a VIF, what information is needed other than the BGP ASN and the prefixes to advertise to AWS?

A

VLAN ID (the 802.1Q virtual local area network tag for the interface)

34
Q

Does AWS Transit Gateway automatically create and approve VPC Peering connections?

A

No

35
Q

How do you connect SD-WAN virtual appliances to centrally networked (transit-gateway-connected) VPCs?

A

Using Transit Gateway Connect attachments

36
Q

Why can’t you use a VPN as redundancy for your DX connection when you require 10 Gbps of throughput?

A

Each Site-to-Site VPN tunnel is capped at 1.25 Gbps, and a virtual private gateway does not support ECMP, so even the aggregate of several managed VPN connections through a VGW is limited to 1.25 Gbps.

37
Q

What limitation is there on creating CNAME records for your domain?

A

You cannot create a CNAME record for the top node/zone apex. i.e. ‘tutorialsdojo.com’

38
Q

What is the difference between and alias A record and a non-alias A record?

A

A non-alias A record can only hold IP addresses, not DNS names. An alias A record points to an AWS resource (ELB, CloudFront distribution, S3 website endpoint, Global Accelerator, or another record in the same hosted zone), can be used at the zone apex, and alias queries are not billed.

39
Q

How to use X-Ray to capture client IP address when monitoring traffic from an ALB?

A

X-Ray reads the client address from the ‘X-Forwarded-For’ header the ALB sets: the segment’s http.request.client_ip field is populated and its x_forwarded_for flag is set to true, marking that the value came from a header and could have been forged by the client.

40
Q

ALB: how can you get insights on network traffic controls for every service in an application

A

Appmesh integration

41
Q

Which IP Address in the ‘x-forwarded-for’ header likely contains info on the user’s geographical location?

A

The last (rightmost) one. The ALB appends the address it actually accepted the connection from to the end of the header, so that entry cannot be forged by the client; with no proxy in front of the ALB it is the user’s own address. Earlier entries are whatever upstream proxies (or the client itself) supplied, so only step left of the last entry for proxies you control, such as CloudFront.

42
Q

EC2 application: How can you get the IP addresses of the users who are visiting your website

A

You can use a web server variable (e.g. REMOTE_ADDR). Behind an ALB, REMOTE_ADDR holds the load balancer’s address, so read the client from the ‘X-Forwarded-For’ header instead.
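Worked example for cards 39, 41 and 42 (added here; not part of the original deck): extracting the real client address from X-Forwarded-For behind an ALB. The trusted-proxy range 130.176.0.0/16 is a constructed placeholder for whatever sits between the internet and your ALB, not a verified AWS range, and every address below is made up.

```python
import ipaddress

# Constructed placeholder: ranges of proxies YOU control that sit in front of
# the ALB (e.g. CloudFront). Replace with the real ranges in production.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("130.176.0.0/16")]


def parse_xff(header):
    """Split an X-Forwarded-For header into its entries, left to right."""
    return [part.strip() for part in header.split(",") if part.strip()]


def naive_client_ip(header):
    """The tempting but unsafe rule: trust the leftmost entry, which is whatever
    the client itself put in its own X-Forwarded-For header."""
    return parse_xff(header)[0]


def client_ip(header, trusted_nets=TRUSTED_PROXY_NETS):
    """Rightmost-untrusted rule.

    The ALB appends the address it accepted the TCP connection from to the END
    of the list, so only the rightmost entry is known to be real. Walk right to
    left, skipping addresses that belong to proxies we control; the first
    address outside those ranges is the client. Anything unparseable at that
    position is treated as tampering and rejected (None)."""
    for raw in reversed(parse_xff(header)):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            return None
        if any(addr in net for net in trusted_nets):
            continue
        return str(addr)
    return None


if __name__ == "__main__":
    # Client connected to the ALB through a trusted proxy and also injected a
    # fake leading entry; the naive rule is fooled, the rightmost rule is not.
    spoofed = "9.9.9.9, 198.51.100.7, 130.176.0.10"
    print("naive:", naive_client_ip(spoofed))
    print("safe :", client_ip(spoofed))
```

Use the rightmost-untrusted result for rate limiting, geo-IP lookups and audit logs; the leftmost entry is only ever as trustworthy as the least trustworthy proxy in the chain.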

43
Q

Which UDP Ports must be allowed in your firewall for a NAT-T transmission over an IPsec tunnel on a Site-to-Site VPN? (2)

A

500 (IKE)
4500 (NAT-T encapsulated ESP)
No TCP ports are required.

44
Q

LBs: Which type of load balancer supports path conditions?

A

Application Load Balancer ONLY

45
Q

DX + Public Virtual Interface: What can local servers connect to on AWS? (2)

A
  1. Amazon S3 buckets in any AWS Region excluding the AWS China Region
  2. All AWS Public IP addresses globally
46
Q

T/F You should enable VLAN trunking for the 802.1Q VLAN tag on all intermediate devices for a successful DX connection

A

True

47
Q

In a VPN + DX scenario, which types of routes will be highest priority to the virtual private gateway?

A

BGP-propagated routes from the DX connection. The VGW picks the longest prefix first; static routes in the VPC route table beat propagated routes; among propagated routes the order is DX BGP routes, then static routes of the Site-to-Site VPN, then VPN BGP routes.

48
Q

How do you designate a new NTP time server in your VPC?

A

Create a new DHCP options set listing the new NTP server and associate it with the VPC in place of the old one (an existing options set cannot be edited). Instances pick up the new server when they renew their DHCP lease or are rebooted.

49
Q

LB: How can you route traffic to specific target groups based on the DNS host name? ex. newsletter.davidblocher.com vs blog.davidblocher.com, etc

A

Create a host-header condition on a listener rule. This is Application Load Balancer only; an NLB works at Layer 4 and has no host or path conditions.

50
Q

CloudFront: How do you change the protocol used to the origin based on the protocol being used by the viewer? (HTTP or HTTPS)

A

Set the Origin Protocol Policy to ‘Match Viewer’

51
Q

T/F A Gateway Load balancer can receive millions of requests per second while achieving low latency

A

False

52
Q

How can you achieve low latency for millions of requests per second directed to EKS kubernetes clusters? (2)

A
  1. Set up the AWS Load Balancer Controller on the EKS cluster
  2. Use a network load balancer
53
Q

IP Address Manager (IPAM): How do you request an IP address/CIDR block for reference in a CloudFormation template?

A

Historically with a Lambda-backed custom resource that calls AllocateIpamPoolCidr. AWS::EC2::VPC now accepts Ipv4IpamPoolId and Ipv4NetmaskLength directly, so the custom resource is no longer needed.

54
Q

DX: What type of connection allows Autonomous System (AS) prepending?

A

A public-ASN-based connection

55
Q

What is the smallest VPC or subnet you can create (the highest allowable netmask)?

A

/28 (16 addresses, 11 usable after the 5 AWS reserves); the largest block is /16

56
Q

From where do you enable route propagation?

A

From the VPC route table (Route Propagation tab), selecting the virtual private gateway

57
Q

What is the maximum bandwidth of an IPsec VPN connection?

A

1.25 Gbps per tunnel

58
Q

How can you encrypt communications over a 10 Gbps DX connection?

A

MACsec

59
Q

You want to use the proxy protocol to track origin IP addresses for users hitting your load balancer. What type of ELB should you use?

A

Network Load Balancer (Classic Load Balancer supports it as well).

Application Load Balancer does not support proxy protocol; it passes the client address in the ‘X-Forwarded-For’ header instead.

60
Q

3 ways to connect multiple VPCs

A
  1. Transit GW
  2. VPC peering
  3. PrivateLink
61
Q

How do you find the DNS server IP for a VPC?

A

The Route 53 Resolver address is the base of the VPC network range plus two (10.0.0.2 for 10.0.0.0/16); 169.254.169.253 reaches the same resolver from any instance.

62
Q

Site-to-Site VPN: How can you get higher VPN bandwidth than the default VPN bandwidth limit of 1.25 Gbps?

A

Terminate the VPN connections on a transit gateway and enable Equal-Cost Multi-Path routing (ECMP) across the tunnels; a virtual private gateway does not support ECMP.

63
Q

Site-to-site VPN: Can you enable jumbo frames to increase throughput?

A

no

64
Q

What does CloudWatch RUM do?

A

Real User Monitoring: collects client-side web application performance data (page loads, JavaScript errors, user journeys) from browsers. It does no packet inspection and is not a security control.

65
Q

How can you make sure data stored in Microsoft SQL Server on RDS is encrypted before it is written to storage?

A

Enable Transparent Data Encryption (TDE) through the DB option group; it encrypts data at rest inside the engine. (For data in transit, force SSL with the rds.force_ssl parameter.)

66
Q

Security measure to protect against DNS spoofing?

A

DNSSEC (zone records are cryptographically signed so resolvers can verify responses were not forged)

67
Q

How can you bring your own static IP addresses to be used with Global accelerator? (2)

A

Set up a Route Origin Authorization (ROA)
Use the ‘aws globalaccelerator provision-byoip-cidr’ CLI Command

68
Q

2 ways to provide a static IP for a single EC2 instance that shuts down once/week?

A
  1. Global Accelerator
  2. Attach an Elastic IP address
69
Q

CloudFormation: Which properties must be explicitly passed when peering 2 VPCs in different accounts AND Regions?

A
  1. PeerOwnerId and PeerRoleArn (accounts: a role in the accepter account that CloudFormation assumes to accept the peering)
  2. PeerRegion (region)
70
Q

BGP: The shortest AS_Path is typically preferred. What is the next preference if AS_PATH attributes are of similar length?

A

Lowest multi-exit discriminator (MED), compared only when the first AS in the AS_SEQUENCE is the same across the paths.
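Worked example for cards 25, 26 and 70 (added here; not part of the original deck): a simplified best-path selection in the order AWS applies to propagated DX routes, showing why prepending makes a connection passive, equal AS_PATHs make it active/active, and MED breaks remaining ties. The ASN 123 and prefixes are constructed; the comparator assumes all candidates come from the same customer gateway ASN, as in the two-connection scenario.

```python
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Route:
    prefix: str
    via: str                     # label for the link the route was learned over
    as_path: list = field(default_factory=list)
    med: int = 0                 # lower is preferred


def prepend(asn, times):
    """AS_PATH advertised after prepending your own ASN `times` extra times."""
    return [asn] * (1 + times)


def sort_key(route):
    """Ordering used for propagated routes: longest prefix, then shortest
    AS_PATH, then lowest MED. Lower key = preferred.
    Assumption: every candidate originates from the same CGW ASN, so the
    "first AS must match" precondition for comparing MED always holds."""
    prefix_len = ipaddress.ip_network(route.prefix).prefixlen
    return (-prefix_len, len(route.as_path), route.med)


def best_paths(routes, destination):
    """Return the preferred route(s) for destination. More than one result
    means the candidates tied on every attribute: active/active load sharing."""
    dest = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dest in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return []
    ranked = sorted(candidates, key=sort_key)
    best = sort_key(ranked[0])
    return [r for r in ranked if sort_key(r) == best]


if __name__ == "__main__":
    cgw_asn = 123
    primary = Route("10.10.0.0/16", "dx-primary", prepend(cgw_asn, 0))
    secondary = Route("10.10.0.0/16", "dx-secondary", prepend(cgw_asn, 2))
    print([r.via for r in best_paths([primary, secondary], "10.10.5.5")])
    # Without prepending both paths tie and AWS load-shares across them.
    print([r.via for r in best_paths([primary, Route("10.10.0.0/16", "dx-secondary", [123])], "10.10.5.5")])
```

Note that a more specific prefix on the prepended link still wins, so a stray /24 advertised only on the standby connection silently pulls that traffic onto it.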

71
Q

Private subnet - hitting a single 3rd party API through NAT Gateway - receiving increased ‘ErrorPortAllocation’ for the NAT gateway and dropping connections… How to alleviate?

A

Distribute instances across AZs and create a NAT gateway in each AZ, and/or add secondary IP addresses to the NAT gateway so more source ports are available.

Each NAT gateway IP address supports up to 55,000 simultaneous connections to a single destination; ErrorPortAllocation means that budget is exhausted.

72
Q

After defining a VPC CIDR Block in CF, how can you define an array of equally sized CIDR ranges for subnets?

A

Using the Fn::Cidr intrinsic function

73
Q

When would you use subdomain delegation?

A

When you have to use different DNS providers for a domain and one or more subdomains

74
Q

How can you manage DNS when an internal and a public-facing application share the same domain name?

A

Route 53: use split-view (split-horizon) DNS, a public hosted zone and a private hosted zone with the same name; the private zone answers queries coming from inside the associated VPCs.

75
Q

DX: When establishing a VPN connection over your DX connection, what type of interface should be used?

A

Public virtual interface (Private cannot reach virtual private gateway IPsec endpoints)

76
Q

Route 53 private hosted zone: How can you easily monitor health checks for record sets within the zone which are used by EC2 instances?

A

Use CloudWatch to monitor “StatusCheckFailed” on EC2 instances

77
Q

VPC FLow logs: What do you need to capture in a custom log group in order to log EKS pod-to-pod traffic?

A

pkt-srcaddr, pkt-dstaddr, srcaddr, and dstaddr (srcaddr/dstaddr show the node ENI the flow was recorded on; the pkt-* fields carry the original pod addresses)
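Worked example (added here; not part of the original deck): parsing a custom-format VPC Flow Log and picking out pod traffic, which is visible only because pkt-srcaddr/pkt-dstaddr differ from the ENI-level srcaddr/dstaddr. The field names are the real VPC Flow Logs field names; the log lines, ENI IDs and addresses are constructed, not captured traffic.

```python
# The string you would pass as --log-format when creating the flow log.
FLOW_LOG_FORMAT = ("${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} "
                   "${protocol} ${action} ${pkt-srcaddr} ${pkt-dstaddr}")

# Constructed sample lines. Two worker nodes whose ENIs carry 10.0.1.10 and
# 10.0.2.20 host the pods 10.0.1.57 and 10.0.2.88.
SAMPLE_LINES = [
    "eni-0a1b2c3d 10.0.1.10 10.0.2.88 43210 8080 6 ACCEPT 10.0.1.57 10.0.2.88",      # pod -> pod
    "eni-0a1b2c3d 10.0.1.10 10.0.2.20 43211 443 6 ACCEPT 10.0.1.10 10.0.2.20",       # node -> node
    "eni-0e5f6a7b 10.0.2.20 10.0.1.57 8080 43210 6 ACCEPT 10.0.2.88 10.0.1.57",      # pod -> pod reply
    "eni-0a1b2c3d 10.0.1.10 198.51.100.9 51000 443 6 REJECT 10.0.1.57 198.51.100.9", # pod -> internet, rejected
]

REQUIRED_FIELDS = {"srcaddr", "dstaddr", "pkt-srcaddr", "pkt-dstaddr"}


def parse_format(fmt):
    """Turn "${a} ${b}" into ["a", "b"], refusing formats that cannot expose pod IPs."""
    fields = [tok[2:-1] for tok in fmt.split()]
    missing = REQUIRED_FIELDS - set(fields)
    if missing:
        raise ValueError(f"log format lacks {sorted(missing)}; pod addresses cannot be recovered")
    return fields


def parse_line(line, fields):
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
    return dict(zip(fields, values))


def is_pod_flow(rec):
    """A pod is involved when the packet-level address differs from the ENI
    address the flow was recorded against."""
    return rec["pkt-srcaddr"] != rec["srcaddr"] or rec["pkt-dstaddr"] != rec["dstaddr"]


def pod_flows(lines, fmt=FLOW_LOG_FORMAT):
    fields = parse_format(fmt)
    return [rec for rec in (parse_line(line, fields) for line in lines) if is_pod_flow(rec)]


def pod_pairs(lines, fmt=FLOW_LOG_FORMAT):
    """Set of (original source, original destination) pairs seen for pod traffic."""
    return {(r["pkt-srcaddr"], r["pkt-dstaddr"]) for r in pod_flows(lines, fmt)}


def rejected_pod_flows(lines, fmt=FLOW_LOG_FORMAT):
    """Pod traffic dropped by a security group or NACL: a good hunting start point."""
    return [r for r in pod_flows(lines, fmt) if r["action"] == "REJECT"]


if __name__ == "__main__":
    for rec in pod_flows(SAMPLE_LINES):
        print(rec["pkt-srcaddr"], "->", rec["pkt-dstaddr"], rec["action"])
```

The same split between ENI-level and packet-level addresses applies to traffic through a NAT gateway or transit gateway, so the filter is useful beyond EKS.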

78
Q

DX - V Private Interface - DX Gateway. Can you connect to VPC’s in any region with this setup?

A

Yes.

79
Q

Can you authorize a VPC access to your R53 private hosted zone if it is in an external AWS account?

A

Yes, but only via the CLI/API, not the console: the zone owner runs create-vpc-association-authorization for the other account’s VPC, then the VPC owner runs associate-vpc-with-hosted-zone.

80
Q

What IP can reach the Amazon Time Sync service on any EC2 instance?

A

169.254.169.123

81
Q

Endpoints for Simple Email Service: Which endpoint ports can be used to protect data in transit using TLS

A

25, 587, or 2587 with STARTTLS (465 or 2465 for TLS Wrapper)

82
Q

How do you derive the third parameter in the fn::Cidr intrinsic function for cloudformation

A

32 minus the netmask.

So if you want /27s, you would use “5”
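Worked example for cards 55, 61, 72 and 82 (added here; not part of the original deck): a Python equivalent of Fn::Cidr together with the five addresses AWS reserves in every subnet, so the “32 minus the netmask” rule and the “base plus two” resolver address can be checked before a template is deployed. The CIDRs are constructed inputs.

```python
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # netmask range AWS allows for VPCs and subnets


def cidr_bits_for(netmask):
    """Third Fn::Cidr parameter for a desired /netmask: the number of host bits."""
    return 32 - netmask


def fn_cidr(ip_block, count, cidr_bits):
    """Python equivalent of CloudFormation's Fn::Cidr [ipBlock, count, cidrBits].

    cidr_bits is the number of HOST bits per subnet, so the resulting netmask is
    32 - cidr_bits (5 -> /27). Subnets are carved contiguously from the start of
    ip_block, exactly as CloudFormation does."""
    block = ipaddress.ip_network(ip_block)
    new_prefix = 32 - cidr_bits
    if new_prefix < block.prefixlen:
        raise ValueError(f"/{new_prefix} subnets are larger than the parent {ip_block}")
    subnets = list(block.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{ip_block} only fits {len(subnets)} /{new_prefix} subnets")
    return [str(s) for s in subnets[:count]]


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet: network address, VPC
    router (+1), Route 53 Resolver (+2), reserved for future use (+3), broadcast."""
    net = ipaddress.ip_network(subnet_cidr)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def vpc_dns_ip(vpc_cidr):
    """Route 53 Resolver address for a VPC: base of the VPC range plus two."""
    return reserved_addresses(vpc_cidr)["dns"]


def usable_hosts(subnet_cidr):
    """Addresses left for your resources after the five reserved ones."""
    net = ipaddress.ip_network(subnet_cidr)
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"/{net.prefixlen} is outside the /16../28 range AWS allows")
    return net.num_addresses - 5


if __name__ == "__main__":
    # Equivalent of !Cidr [ "10.0.0.0/16", 4, !Ref CidrBits ] with CidrBits = 32 - 27.
    for subnet in fn_cidr("10.0.0.0/16", 4, cidr_bits_for(27)):
        print(subnet, usable_hosts(subnet), "usable hosts, DNS at", reserved_addresses(subnet)["dns"])
    print("VPC resolver:", vpc_dns_ip("10.0.0.0/16"))
```

Running the split locally catches the two classic template mistakes: passing the netmask itself as the third parameter (which carves /5 blocks and fails) and asking for more subnets than the block holds.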

83
Q

How can you create a proxy server with network bandwidth of up to 100 Gbps?

A

Use an instance size that offers 100 Gbps of network bandwidth (e.g. c5n.18xlarge or p3dn.24xlarge) and enable enhanced networking (ENA).

84
Q

BGP: Which community tag filter will help you only accept routes propagated from the Region in which your DX connection was established?

A

Allow only routes carrying the 7224:8100 community tag.
7224:8200 = routes from the same continent
no tag = global routes

85
Q

Container Network interface - Kubernetes application: You want at least 5 pods running in each node. How do you guarantee that IP addresses will be available?

A

Set the MINIMUM_IP_TARGET attribute to ‘5’

86
Q

BGP: Which Community Tag prefixes should you advertise to route to a local AWS Region?

A

7224:9100 (local Region only)
7224:9200 = same continent
7224:9300 = global (all public Regions)

87
Q

Which local-preference BGP community tag is higher preference: 7224:7100 or 7224:7300?

A

7224:7300 (high); 7224:7200 is medium and 7224:7100 is low

88
Q

Does a NAT gateway support TCP fragmentation?

A

No. A NAT gateway supports IP fragmentation for UDP only; fragmented TCP and ICMP packets are dropped.

89
Q

What type of wildcard characters are available in a host condition on an ALB?

A
* - any number of characters
? - any single character
90
Q

DX - transit virtual interface: what can you connect? (2)

A

VPCs in multiple accounts and Regions (through a Direct Connect gateway)
Up to 3 transit gateways per Direct Connect gateway (a service quota, so check the current limit), in any Region

91
Q

Migrate an application that has static IPs that are whitelisted by your customers. How do you keep those IPs?

A

Set up a Route Origin Authorization (ROA) document

92
Q

BGP: How do you stay within the 100-prefix limit on a virtual interface?

A

Summarize (aggregate) the routes into fewer, larger prefixes before advertising them
