AWS VPN Flashcards
With regard to VPN on AWS, what protocol is supported?
IPSec
When you assign a Virtual Private Gateway as part of a VPN, can you change the ASN after it has been assigned?
No it is not possible.
What happens if you do not assign an ASN to a Virtual Private Gateway?
AWS will assign a default of 64512
What are the key virtual components in an AWS VPN?
Virtual Private Gateway (VPG)
Customer Gateway (CG)
Connection
How do I know if my hardware or software VPN device on the customer side is compatible with AWS VPN?
AWS has a list of validated
With AWS VPN, how many IPSec tunnels connect to the customer gateway?
Two for redundancy.
If there is a device failure on one of the tunnels, will you lose connectivity?
No, traffic will start to flow on the second tunnel.
With AWS VPN, will the connection come up automatically?
No the connection only comes up with data is generated on the client side. The AWS VPG is not the initiator.
What protocol is used for payload encryption on AWS VPN IPsec tunnel?
AES 128 or AWS 256.
What authentication hashing algorithim is available on AWS VPN?
SHA-1 and SHA2. SHA-1 is vunerable to hacking so it should not be used.
What is Perfect Forward Secrecy?
It encure thet each session gets it uniuqu session keys for encryption so that if the session key got comp[eramized it would only be that session and not others.
What are the VPN componets used?
VPNGW
CUSTOMER GW
What is a customer GW?
The customer GW represents you on-prem physical VPN, this holds the information needed for AWS VPN about the Customer GW.
I need to connect from on-prem to my VPC using IPv6, I, what options do I have?
You cna not use IPV6 with AWS site-to-site VPN, only IPv4 is supported, you will need to use a commercial VPN form the market place.
I need to connect to a customer GW VPN, the customer insists that we need to use dynamic VPN’s, what options do I have?
AWS VPN supports dynamic routing.
What is a virtual private gateway?
It is a VPN gateway that is used as part of the AWS Sit-to-Site VPN.
To create an AWS VPN, what are the building blocks?
- Create a customer gateway and give it the IP of the public facing IP of the customer VPN.
- Create a virtual private gateway and attach to VPC
- Create a connection
I have an AWS VPN configured with a single tunnel to a single customer VPN server, I want to make it HA, what options do I have?
I can create a second tunnel on the same customer GW
I have an AWS VPN with two tunnels, how is this configuration providing HA for an AZ failure?
Each tunnel is served to form a separate AZ, a single AZ can fail or single v-appliance sup[plying the VPN tunnel.
I have an AWS VPN with two tunnels, I want to ensure that it is even more HA, what can I do?
You can set up a second AWS VPN.
I need 1.7GB of connectivity to my on-prem, what is the lowest cost option available?
Setup two VPNs, as each vpn is capable of 1.25gBs
What IKE versions are supported by AWS VPN?
IKE version 1 + 2
When you create VPG and create a connection to the customer GW, how many tunnels are created?
AWS creates two tunnels to a single customer gateway (the real VPN device on the customer’s side)
When you create a VPN to the customer gateway, where is the single point of failure?
It is the customer GW, there is only one customer GW (physical device), the VPN GW represents two VPN tunnels with each VPN in a separate in the VPC, you get two public IP on the AWS service network.
In AWS VPN architecture, how is a VPN at the AWS side resilient and highly available?
When you create a VPN connection, AWS creates two public facing endpoints in two different AZ’s
