AWS Networking Services

Question 1

A virtual network dedicated to your AWS account

Answer 1

Amazon Virtual Private Cloud (VPC)

Question 2

Amazon Virtual Private Cloud (VPC) Features

Answer 2

Analogous to having your own Data Center (DC) inside AWS.

It is logically isolated from other virtual networks in the AWS Cloud.

Provides complete control over the virtual networking environment including selection of IP ranges, creation of subnets, and configuration of route tables and gateways.

You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

Question 3

VPC IP Addresses

Answer 3

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.

This is the primary CIDR block for your VPC.

Question 4

Amazon VPC Facts

Answer 4

A VPC spans all the Availability Zones in the region.

You have full control over who has access to the AWS resources inside your VPC.

You can create your own IP address ranges, and create subnets, route tables and network gateways.

When you first create your AWS account a default VPC is created for you in each AWS region.

A default VPC is created in each region with a subnet in each AZ.

By default you can create up to 5 VPCs per region.

You can define dedicated tenancy for a VPC to ensure instances are launched on dedicated hardware (overrides the configuration specified at launch).

Question 5

Default VPC

Answer 5

A default VPC is automatically created for each AWS account the first time Amazon EC2 resources are provisioned.

The default VPC has all-public subnets.

Instances in the default VPC always have both a public and private IP address.

Question 6

Public subnets

Answer 6

Public subnets are subnets that have:

“Auto-assign public IPv4 address” set to “Yes”.

The subnet route table has an attached Internet Gateway.

Question 7

Availability Zone Fact

Answer 7

AZs names are mapped to different zones for different users

(i.e. the AZ “ap-southeast-2a” may map to a different physical zone for a different user).

Question 8

Components of a VPC

Answer 8

A Virtual Private Cloud

Subnet

Internet Gateway

NAT Gateway

Hardware VPN Connection

Virtual Private Gateway
Router.

Peering Connection

VPC Endpoints

Egress-only Internet Gateway

Question 9

A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from ranges you select.

Answer 9

A Virtual Private Cloud

Question 10

A segment of a VPC’s IP address range where you can place groups of isolated resources (maps to an AZ, 1:1).

Answer 10

Subnet

Question 11

The Amazon VPC side of a connection to the public Internet.

Answer 11

Internet Gateway

Question 12

A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.

Answer 12

NAT Gateway

Question 13

A hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.

Answer 13

Hardware VPN Connection

Question 14

The Amazon VPC side of a VPN connection.

Answer 14

Virtual Private Gateway

Question 15

Customer side of a VPN connection

Answer 15

Customer Gateway

Question 16

Used to interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.

Answer 16

Router

Question 17

Enables you to route traffic via private IP addresses between two peered VPCs.

Can be created with VPCs in different regions (available in most regions now).

Answer 17

Peering Connection

Question 18

Enables private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.

Answer 18

VPC Endpoints

Question 19

A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.

Answer 19

Egress-only Internet Gateway

Question 20

Options for securely connecting to a VPC are:

Answer 20

AWS managed VPN – fast to setup.

Direct Connect – high bandwidth, low-latency but takes weeks to months to setup.

VPN CloudHub – used for connecting multiple sites to AWS.

Software VPN – use 3rd party software.

Question 21

A logical networking component that represents a Network Interface Card (NIC).

Answer 21

Elastic Network Interface (ENI)

ENIs can be attached and detached from EC2 instances, and the configuration of the ENI will be maintained.

Question 22

Capture information about the IP traffic going to and from network interfaces in a VPC

Answer 22

Flow Logs

Flow log data is stored using Amazon CloudWatch Logs

Question 23

Flow logs can be created at the following levels:

Answer 23

VPC.
Subnet.
Network interface.

Question 24

Subnet Facts

Answer 24

After creating a VPC, you can add one or more subnets in each Availability Zone.

When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.

Each subnet must reside entirely within one Availability Zone and cannot span zones.

Question 25

Types of subnet:

Answer 25

If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet.

If a subnet doesn’t have a route to the internet gateway, the subnet is known as a private subnet.

If a subnet doesn’t have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.

Question 26

Internet Gateway Fact

Answer 26

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.

Question 27

Provides a firewall/security layer at the subnet level

Answer 27

Network Access Control Lists (ACLs)

Question 28

Provides a firewall/security layer at the instance level

Answer 28

Security Groups

Question 29

Security Group Facts

Answer 29

Operates at the instance (interface) level

Supports allow rules only

Stateful

Evaluates all rules

Applies to an instance only if associated with a group

Question 30

Network ACL Facts

Answer 30

Operates at the subnet level

Supports allow and deny rules

Stateless

Processes rules in order

Automatically applies to all instances in the subnets its associated with

Question 31

VPC Wizard

Answer 31

The VPC Wizard can be used to create the following four configurations:

VPC with a Single Public Subnet

VPC with Public and Private Subnets

VPC with Public and Private Subnets and Hardware VPN Access

VPC with a Private Subnet Only and Hardware VPN Access

Question 32

VPC with a Single Public Subnet:

Answer 32

Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet.

Network access control lists and security groups can be used to provide strict control over inbound and outbound network traffic to your instances.

Creates a /16 network with a /24 subnet. Public subnet instances use Elastic IPs or Public IPs to access the Internet.

Question 33

VPC with Public and Private Subnets:

Answer 33

In addition to containing a public subnet, this configuration adds a private subnet whose instances are not addressable from the Internet.

Instances in the private subnet can establish outbound connections to the Internet via the public subnet using Network Address Translation (NAT).

Creates a /16 network with two /24 subnets.

Public subnet instances use Elastic IPs to access the Internet.

Private subnet instances access the Internet via Network Address Translation (NAT).

Question 34

VPC with Public and Private Subnets and Hardware VPN Access:

Answer 34

This configuration adds an IPsec Virtual Private Network (VPN) connection between your Amazon VPC and your data center – effectively extending your data center to the cloud while also providing direct access to the Internet for public subnet instances in your Amazon VPC.

Creates a /16 network with two /24 subnets.

One subnet is directly connected to the Internet while the other subnet is connected to your corporate network via an IPsec VPN tunnel.

Question 35

VPC with a Private Subnet Only and Hardware VPN Access:

Answer 35

Your instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet.

You can connect this private subnet to your corporate data center via an IPsec Virtual Private Network (VPN) tunnel.

Creates a /16 network with a /24 subnet and provisions an IPsec VPN tunnel between your Amazon VPC and your corporate network.

Question 36

NAT Instance Facts

Answer 36

NAT instances are managed by you. (e.g. software updates)

Used to enable private subnet instances to access the Internet.

When creating NAT instances always disable the source/destination check on the instance.

NAT instances must be in a single public subnet.

NAT instances need to be assigned to security groups.

Scale up (instance type) manually and use enhanced networking

No high availability – scripted/auto-scaled HA possible using multiple NATs in multiple subnets

Can use as a bastion host

Question 37

NAT Gateway Facts

Answer 37

NAT gateways are managed for you by AWS.

NAT gateways are highly available in each AZ into which they are deployed.

Can be placed in multiple AZs

They are preferred by enterprises.

Can scale automatically up to 45Gbps.

No need to patch.

Not associated with any security groups

Cannot access through SSH

Question 38

A network service that provides an alternative to using the Internet to connect a customer’s on-premises sites to AWS.

Data is transmitted through a private network connection between AWS and a customer’s data center or corporate network.

Answer 38

AWS Direct Connect (DX)

Question 39

Benefits of Direct Connect:

Answer 39

Reduce cost when using large volumes of traffic.

Increase reliability (predictable performance).

Increase bandwidth (predictable bandwidth).

Decrease latency.

Question 40

AWS Direct Connect Virtual Interface (VIF)

Answer 40

Each AWS Direct Connect connection can be configured with one or more virtual interfaces (VIFs)

Public VIFs allow access to public services such as S3, EC2, and DynamoDB.

Private VIFs allow access to your VPC.

Question 41

AWS Direct Connect Facts

Answer 41

From Direct Connect you can connect to all AZs within the Region.

You can establish IPSec connections over public VIFs to remote regions.

Direct Connect is charged by port hours and data transfer.

Available in 1Gbps and 10Gbps.

Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be purchased through AWS Direct Connect Partners.

Each connection consists of a single dedicated connection between ports on the customer router and an Amazon router.

for HA you must have 2 DX connections – can be active/active or active/standby.

Route tables need to be updated to point to a Direct Connect connection.

Question 42

A service that improves the availability and performance of applications with local or global users

Answer 42

AWS Global Accelerator

Question 43

AWS Global Accelerator Features and Benefits

Answer 43

Provides static IP addresses that act as a fixed entry point to application endpoints in a single or multiple AWS Regions, such as Application Load Balancers, Network Load Balancers or EC2 instances.

Uses the AWS global network to optimize the path from users to applications, improving the performance of TCP and UDP traffic.

AWS Global Accelerator continually monitors the health of application endpoints and will detect an unhealthy endpoint and redirect traffic to healthy endpoints in less than 1 minute.

Question 44

AWS Global Accelerator Facts

Answer 44

Uses redundant (two) static anycast IP addresses in different network zones (A and B).

The redundant pair are globally advertised.

Uses AWS Edge Locations – addresses are announced from multiple edge locations at the same time.

Addresses are associated to regional AWS resources or endpoints.

AWS Global Accelerator’s IP addresses serve as the frontend interface of applications.

Intelligent traffic distribution: Routes connections to the closest point of presence for applications.

Targets can be Amazon EC2 instances or Elastic Load Balancers (ALB and NLB).

By using the static IP addresses, you don’t need to make any client-facing changes or update DNS records as you modify or replace endpoints.

The addresses are assigned to your accelerator for as long as it exists, even if you disable the accelerator and it no longer accepts or routes traffic.

Question 45

A fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience

Answer 45

AWS Outposts

Question 46

AWS Outposts Benefits and Features

Answer 46

AWS Outposts is ideal for workloads that require low latency access to on-premises systems, local data processing, data residency, and migration of applications with local system interdependencies.

AWS compute, storage, database, and other services run locally on Outposts, and you can access the full range of AWS services available in the Region to build, manage, and scale your on-premises applications using familiar AWS services and tools.

Outposts is available as a 42U rack that can scale from 1 rack to 96 racks to create pools of compute and storage capacity.

Question 47

Services you can run on AWS Outposts include:

Answer 47

Amazon EC2.

Amazon EBS.

Amazon S3.

Amazon VPC.

Amazon ECS/EKS.

Amazon RDS.

Amazon EMR.