AWS Networking

Question 1

You have a central VPC for AD authentications and many other VPCs across multiple regions. How can you use Transit Gateways to route traffic to the shared VPC but NOT allow traffic to other VPCs. (2)

Answer 1

Use (1) transit gateway to associate all vpcs. Route traffic to the shared VPC and use (2) “blackhole routes” to disallow traffic to the other VPCs.

Question 2

You need higher DX throughput. How can you achieve this?

Answer 2

Provision a new DX connection and transfer traffic to the new connection.

Question 3

What limitation is there for adding secondary CIDR blocks to your VPC?

Answer 3

Must not overlap and must NOT be publicly routable (non-RFC 1918) if your primary CIDR block is publicly routable.

Question 4

Which CIDR ranges are RFC 1918?

Answer 4

10.0.0.0–10.255.255.255 (10/8 prefix)
172.16.0.0–172.31.255.255 (172.16/12 prefix)
192.168.0.0–192.168.255.255 (192.168/16 prefix)

Question 5

Network Load Balancer feeding EKS cluster distributed across AZs. One AZ’s instances are not receiving traffic. What is the likely reason?

Answer 5

The AZ is not registered with the network load balancer.

Question 6

Network Load Balancer feeding EKS cluster distributed across peered VPCs. The clusters in one VPC are not receiving traffic. What is the likely reason?

Answer 6

The instance is in a peered VPC and must be registered via IP address, not instance ID.

Question 7

Load Balancer handling traffic between application and RDS MySQL database. How do you ensure encryption end-to-end? (3)

Answer 7

(1) terminate SSL/TLS at the load balancer
(2) configure load balancer to use TLS
(3) set the RDS to accept only SSL connections by using the GRANT command with the REQUIRE SSL option

Question 8

Instance Metadata URL

Answer 8

http://169.254.169.254/latest/

Question 9

Most operationally efficient method to allow many globally distributed department teams to connect logically isolated VPCs spread across many regions?

Answer 9

Use an AWS Cloud WAN core network with edge locations. Create distinct segments for each department.

Question 10

DX connecting on-prem applications to ECS clusters in multiple VPCs. How can you prevent VPC-to-VPC communication?

Answer 10

Use multiple DX Gateways - one for each set of VPCs you want to isolate.

Question 11

How do you log and query DNS traffic most easily?

Answer 11

Route 53 Resolver Query logging, query with CloudWatch Logs Insights.

Question 12

How do you propagate BGP routes to/from DX connection?

Answer 12

Enable route propagation from the route table and set the vpg as the target.

Question 13

What is the purpose of AWS VPN CloudHub?

Answer 13

Connect one VPC to many on-prem locations.

Question 14

What are three valid tunnel options for site-to-site VPN?

Answer 14

Pre-shared key (PSK)
Dead peer detection (DPD) timeout
Phase 2 Diffie-Hellman (DH) group numbers

Question 15

How do you aggregate multiple DX connections (from disparate DX partners) into a single DX endpoint, which is treated as a single, managed connection?

Answer 15

Link Aggregation Group (LAG)

Question 16

What are three INVALID tunnel options for site-to-site VPN?

Answer 16

Bidirectional Forwarding Detection (BFD)
Multiprotocol Label Switching (MPLS)
Path MTU Discovery (PMTUD)

Question 17

Site-to-Site VPN: How can you improve bandwidth over multiple paths (multiple connections associated with a transit gateway)?

Answer 17

Configure Equal-Cost Multi-Path (ECMP) routing and enable it in the transit gateway.

Question 18

At what number of bytes do you need to consider using jumbo frames for your MTU?

Answer 18

> 1500

Question 19

What is the MTU cap for jumbo frames (in bytes)?

Answer 19

9001

Question 20

What is billed for Direct Connect?

Answer 20

1. Port hours
2. Data transfer OUT

Question 21

What information is needed to provision a public virtual interface to connect on-prem to VPC via Direct Connect (Should support Autonomous System [AS] prepending)? (3)

Answer 21

Virtual local area network (VLAN) ID.
Border Gateway Protocol Autonomous System Number (BGP ASN)
CIDR ranges you wish to advertise to AWS

Question 22

How can you check EIP assignment to EC2s and validate no spare EIPs?

Answer 22

Config. Use the EIP-attached AWS Config Managed Rule

Question 23

How do you set up a VPC for private Workspaces instances?

Answer 23

With at least one private and one public subnet (to install OS updates)

Question 24

Do you need BGP multi-hop to set up active-passive connections with two VPGs?

Answer 24

No, in fact VPGs do not support multi-hop on AWS

Question 25

DX: What happens if you set the load-sharing of inbound traffic to your 2 VPGs with similar ‘AS_PATH’ configurations?

Answer 25

You create an active/active route configuration

Question 26

DX: How do you configure the ‘AS_PATH’ attribute for your VPGs to create a active/passive route configuration?

Answer 26

prepend the customer gateway ASN on the secondary connection’s ‘AS_PATH’ attribute twice.

ex. ASN of CGW = 123
advertise prefix to secondary connection = 123 123

Question 27

T/F You can assign an elastic IP to your Lambda function in a private subnet

Answer 27

False.

Question 28

What service can provide deep packet inspection on ingress and egress traffic in your VPC?

Answer 28

AWS Network Firewall

Question 29

What does Amazon Network Access Analyzer do?

Answer 29

Analyzes network security settings to identify unintended access.

(Does not inspect traffic)

Question 30

When transferring 3rd-party hosted domains to Route53, how do you enable DNSSEC signing?

Answer 30

Re-enable after transferring domain registration to Route53

Question 31

In order to optimize DNS calls after a domain registration migration, how should you set the TTL on the NS record?

Answer 31

Set to a high value like 172800 (2 days)

Question 32

Domain migration: What prerequisite is there to updating NS records in Route53 if there is DNSSEC configured on the current domain registration?

Answer 32

Remove the Delegation Signer (DS) record from the parent zone

Question 33

DX Connection: When creating a VPI, what information is needed other than BGP ASN and the IP Addresses to advertise to AWS?

Answer 33

VLAN ID (virtual local area network)

Question 34

Does AWS Transit Gateway automatically create and approve VPC Peering connections?

Answer 34

No

Question 35

How do you connect SD-WAN virtual appliances to centrally networked (transit-gateway-connected) VPCs?

Answer 35

Using Transit Gateway Connect attachments

Question 36

Why can’t you use A VPN for redundancy for your DX connection when requiring throughput of 10 Gbps?

Answer 36

The limit for even aggregated throughput on managed VPNs through a virtual private gateway is 1.25 Gbps

Question 37

What limitation is there on creating CNAME records for your domain?

Answer 37

You cannot create a CNAME record for the top node/zone apex. i.e. ‘tutorialsdojo.com’

Question 38

What is the difference between and alias A record and a non-alias A record?

Answer 38

Non-alias A records can only point to IP addresses, not DNS names.

Question 39

How to use X-Ray to capture client IP address when monitoring traffic from an ALB?

Answer 39

It will automatically be captured in the ‘x-forwarded-for’ metric

Question 40

ALB: how can you get insights on network traffic controls for every service in an application

Answer 40

Appmesh integration

Question 41

Which IP Address in the ‘x-forwarded-for’ header likely contains info on the user’s geographical location?

Answer 41

the last

Question 42

EC2 application: How can you get the IP addresses of the users who are visiting your website

Answer 42

You can use a web server variable (e.g. REMOTE_ADDR)

Question 43

Which UDP Ports must be allowed in your firewall for a NAT-T transmission over an IPsec tunnel on a Site-to-Site VPN? (2)

Answer 43

500
4500
NO TCP required

Question 44

LBs: Which type of load balancer supports path conditions?

Answer 44

Application Load Balancer ONLY

Question 45

DX + Public Virtual Interface: What can local servers connect to on AWS? (2)

Answer 45

1. Amazon S3 buckets in any AWS Region excluding the AWS China Region
2. All AWS Public IP addresses globally

Question 46

T/F You should enable VLAN trunking for the 802.1Q VLAN tag on all intermediate devices for a successful DX connection

Answer 46

True

Question 47

In a VPN + DX scenario, which types of routes will be highest priority to the virtual private gateway?

Answer 47

BGP propagated routes

Question 48

How do you designate a new NTP time server in your VPC?

Answer 48

Create a new DHCP options set with the new server. Replace the old DHCP options set with the new one to hot-swap NTP servers.

Question 49

LB: How can you route traffic to specific target groups based on the DNS host name? ex. newsletter.davidblocher.com vs blog.davidblocher.com, etc

Answer 49

Create a host condition (can be NLB or ALB)

Question 50

CLoudFront: How do you change the origin based on the protocol being used by the viewer? (HTTP or HTTPS)

Answer 50

Set the Origin Protocol Policy to ‘Match Viewer’

Question 51

T/F A Gateway Load balancer can receive millions of requests per second while achieving low latency

Answer 51

False

Question 52

How can you achieve low latency for millions of requests per second directed to EKS kubernetes clusters? (2)

Answer 52

1. Set up the AWS Load Balance Controller on the EKS cluster
2. Use a network load balancer

Question 53

IP Address Manager (IPAM): How do you request an IP address/CIDR block for reference in a CloudFormation template?

Answer 53

Using a Lambda function custom resource

Question 54

DX: What type of connection allows Autonomous System (AS) prepending?

Answer 54

A public-ASN-based connection

Question 55

What is the highest allowable netmask for VPCs or subnets?

Answer 55

/28

Question 56

From where do you enable route propagation?

Answer 56

From the VPC

Question 57

What is the maximum bandwidth of an IPsec VPN connection?

Answer 57

1 Gbps

Question 58

How can you encrypt communications over a 10 Gbps DX connection?

Answer 58

MACsec

Question 59

You want to use the proxy protocol to track origin IP addresses for users hitting your load balancer. What type of ELB should you use?

Answer 59

Network LB.

Application does not support proxy protocol.

Question 60

3 ways to connect multiple VPCs

Answer 60

1. Transit GW
2. VPC peering
3. PrivateLink

Question 61

How do you find the DNS server IP for a VPC?

Answer 61

The IP address of the DNS server is the base of the VPC network range plus two

Question 62

Site-to-Site VPN: How can you get higher VPN bandwidth than the default VPN bandwidth limit of 1.25 Gbps?

Answer 62

Set up Equal-Cost Multi-Path routing (ECMP)

Question 63

Site-to-site VPN: Can you enable jumbo frames to increase throughput?

Answer 63

no

Question 64

What does CloudWatch RUM do?

Answer 64

performs real-time analysis of your web application performance (no packet inspection or real-time security)

Question 65

How can you make sure data stored in Microsoft SQL Server on RDS is encrypted BEFORE it is sent to the DB?

Answer 65

Configure the SQL server to use Transparent Data Encryption (TDE)

Question 66

Security measure to protect against DNS spoofing?

Answer 66

DNSsec

Question 67

How can you bring your own static IP addresses to be used with Global accelerator? (2)

Answer 67

Set up Rout Origin Authorization (ROA)
Use the ‘aws globalaccelerator provision-byoip-cidr’ CLI Command

Question 68

2 ways to provide a static IP for a single EC2 instance that shuts down once/week?

Answer 68

1. Global Accelerator
2. Attach an Elastic IP address

Question 69

CloudFormation: Which properties must be explicitly passed when peering 2 VPCs in different accounts AND Regions?

Answer 69

1. PeerRoleArn (accounts)
2. PeerRegion (region)

Question 70

BGP: The shortest AS_Path is typically preferred. What is the next preference if AS_PATH attributes are of similar length?

Answer 70

Lowest multi-exit discriminator (MED)

Question 71

Private subnet - hitting a single 3rd party API through NAT Gateway - receiving increased ‘ErrorPortAllocation’ for the NAT gateway and dropping connections… How to alleviate?

Answer 71

Distribute instances across AZs and create NAT gateways in each AZ.

There is a limit of 55k simultaneous connections to each destination.

Question 72

After defining a VPC CIDR Block in CF, how can you define an array of equally sized CIDR ranges for subnets?

Answer 72

Using the Fn::Cidr intrinsic function

Question 73

When would you use subdomain delegation?

Answer 73

When you have to use different DNS providers for a domain and one or more subdomains

Question 74

How can you manage DNS for two separate applications that share the same root domain?

Answer 74

Route53: Use split-view DNS

Question 75

DX: When establishing a VPN connection over your DX connection, what type of interface should be used?

Answer 75

Public virtual interface (Private cannot reach virtual private gateway IPsec endpoints)

Question 76

Route 53 private hosted zone: How can you easily monitor health checks for record sets within the zone which are used by EC2 instances?

Answer 76

Use CloudWatch to monitor “StatusCheckFailed” on EC2 instances

Question 77

VPC FLow logs: What do you need to capture in a custom log group in order to log EKS pod-to-pod traffic?

Answer 77

pkt-srcaddr, pkt-dstaddr, srcaddr, and dstadrr

Question 78

DX - V Private Interface - DX Gateway. Can you connect to VPC’s in any region with this setup?

Answer 78

Yes.

Question 79

Can you authorize a VPC access to your R53 private hosted zone if it is in an external AWS account?

Answer 79

Yes, but not from the console.

Question 80

What IP can reach the Amazon Time Sync service on any EC2 instance?

Answer 80

169.254.169.123

Question 81

Endpoints for Simple Email Service: Which endpoint ports can be used to protect data in transit using TLS

Answer 81

25, 587, or 2587

Question 82

How do you derive the third parameter in the fn::Cidr intrinsic function for cloudformation

Answer 82

32 minus the netmask.

So if you want /27s, you would use “5”

Question 83

How can you create a proxy server with network bandwidth of up to 100 Gbps?

Answer 83

Use a compute-intensive instance type like P3 or higher. Enable enhanced networking.

Question 84

BGP: Which community tag filter will help you only accept routes propagated from the Region in which your DX connection was established?

Answer 84

allow only 7224:8100 community tag
8200 is continent
no filter is global

Question 85

Container Network interface - Kubernetes application: You want at least 5 pods running in each node. How do you guarantee that IP addresses will be available?

Answer 85

Set the MINIMUM_IP_TARGET attribute to ‘5’

Question 86

BGP: Which Community Tag prefixes should you advertise to route to a local AWS Region?

Answer 86

7224:9100
9200 is continent
9300 is global

Question 87

Which BGP community tag is high preference: 7442:7100 or 7300?

Answer 87

7300

Question 88

Does a NAT gateway support TCP fragmentation?

Answer 88

Nope

Question 89

What type of wildcard characters are available in a host condition on an ALB?

Answer 89

• • any number of characters
    ? - any single character

Question 90

DX - transit virtual interface: what can you connect? (2)

Answer 90

VPCs in multiple accounts
Up to 3 Transit Gateways in the same Region

Question 91

Migrate an application that has static IPs that are whitelisted by your customers. How do you keep those IPs?

Answer 91

Set up a Route Origin Authorization (ROA) document

Question 92

BGP: How to consolidate routes if they exceed 100?

Answer 92

Summarize them