AWS Networking Flashcards
You have a central VPC for AD authentications and many other VPCs across multiple regions. How can you use Transit Gateways to route traffic to the shared VPC but NOT allow traffic to other VPCs. (2)
Use (1) transit gateway to associate all vpcs. Route traffic to the shared VPC and use (2) “blackhole routes” to disallow traffic to the other VPCs.
You need higher DX throughput. How can you achieve this?
Provision a new DX connection and transfer traffic to the new connection.
What limitation is there for adding secondary CIDR blocks to your VPC?
Must not overlap and must NOT be publicly routable (non-RFC 1918) if your primary CIDR block is publicly routable.
Which CIDR ranges are RFC 1918?
10.0.0.0–10.255.255.255 (10/8 prefix)
172.16.0.0–172.31.255.255 (172.16/12 prefix)
192.168.0.0–192.168.255.255 (192.168/16 prefix)
Network Load Balancer feeding EKS cluster distributed across AZs. One AZ’s instances are not receiving traffic. What is the likely reason?
The AZ is not registered with the network load balancer.
Network Load Balancer feeding EKS cluster distributed across peered VPCs. The clusters in one VPC are not receiving traffic. What is the likely reason?
The instance is in a peered VPC and must be registered via IP address, not instance ID.
Load Balancer handling traffic between application and RDS MySQL database. How do you ensure encryption end-to-end? (3)
(1) terminate SSL/TLS at the load balancer
(2) configure load balancer to use TLS
(3) set the RDS to accept only SSL connections by using the GRANT command with the REQUIRE SSL option
Instance Metadata URL
http://169.254.169.254/latest/
Most operationally efficient method to allow many globally distributed department teams to connect logically isolated VPCs spread across many regions?
Use an AWS Cloud WAN core network with edge locations. Create distinct segments for each department.
DX connecting on-prem applications to ECS clusters in multiple VPCs. How can you prevent VPC-to-VPC communication?
Use multiple DX Gateways - one for each set of VPCs you want to isolate.
How do you log and query DNS traffic most easily?
Route 53 Resolver Query logging, query with CloudWatch Logs Insights.
How do you propagate BGP routes to/from DX connection?
Enable route propagation from the route table and set the vpg as the target.
What is the purpose of AWS VPN CloudHub?
Connect one VPC to many on-prem locations.
What are three valid tunnel options for site-to-site VPN?
Pre-shared key (PSK)
Dead peer detection (DPD) timeout
Phase 2 Diffie-Hellman (DH) group numbers
How do you aggregate multiple DX connections (from disparate DX partners) into a single DX endpoint, which is treated as a single, managed connection?
Link Aggregation Group (LAG)
What are three INVALID tunnel options for site-to-site VPN?
Bidirectional Forwarding Detection (BFD)
Multiprotocol Label Switching (MPLS)
Path MTU Discovery (PMTUD)
Site-to-Site VPN: How can you improve bandwidth over multiple paths (multiple connections associated with a transit gateway)?
Configure Equal-Cost Multi-Path (ECMP) routing and enable it in the transit gateway.
At what number of bytes do you need to consider using jumbo frames for your MTU?
> 1500
What is the MTU cap for jumbo frames (in bytes)?
9001
What is billed for Direct Connect?
- Port hours
- Data transfer OUT
What information is needed to provision a public virtual interface to connect on-prem to VPC via Direct Connect (Should support Autonomous System [AS] prepending)? (3)
Virtual local area network (VLAN) ID.
Border Gateway Protocol Autonomous System Number (BGP ASN)
CIDR ranges you wish to advertise to AWS
How can you check EIP assignment to EC2s and validate no spare EIPs?
Config. Use the EIP-attached AWS Config Managed Rule
How do you set up a VPC for private Workspaces instances?
With at least one private and one public subnet (to install OS updates)
Do you need BGP multi-hop to set up active-passive connections with two VPGs?
No, in fact VPGs do not support multi-hop on AWS
DX: What happens if you set the load-sharing of inbound traffic to your 2 VPGs with similar ‘AS_PATH’ configurations?
You create an active/active route configuration
DX: How do you configure the ‘AS_PATH’ attribute for your VPGs to create a active/passive route configuration?
prepend the customer gateway ASN on the secondary connection’s ‘AS_PATH’ attribute twice.
ex. ASN of CGW = 123
advertise prefix to secondary connection = 123 123
T/F You can assign an elastic IP to your Lambda function in a private subnet
False.
What service can provide deep packet inspection on ingress and egress traffic in your VPC?
AWS Network Firewall
What does Amazon Network Access Analyzer do?
Analyzes network security settings to identify unintended access.
(Does not inspect traffic)
When transferring 3rd-party hosted domains to Route53, how do you enable DNSSEC signing?
Re-enable after transferring domain registration to Route53
In order to optimize DNS calls after a domain registration migration, how should you set the TTL on the NS record?
Set to a high value like 172800 (2 days)
Domain migration: What prerequisite is there to updating NS records in Route53 if there is DNSSEC configured on the current domain registration?
Remove the Delegation Signer (DS) record from the parent zone
DX Connection: When creating a VPI, what information is needed other than BGP ASN and the IP Addresses to advertise to AWS?
VLAN ID (virtual local area network)
Does AWS Transit Gateway automatically create and approve VPC Peering connections?
No
How do you connect SD-WAN virtual appliances to centrally networked (transit-gateway-connected) VPCs?
Using Transit Gateway Connect attachments
Why can’t you use A VPN for redundancy for your DX connection when requiring throughput of 10 Gbps?
The limit for even aggregated throughput on managed VPNs through a virtual private gateway is 1.25 Gbps
What limitation is there on creating CNAME records for your domain?
You cannot create a CNAME record for the top node/zone apex. i.e. ‘tutorialsdojo.com’