Book-Notes Section 10 Flashcards

1
Q

What is a Serverless Computing Environment in FaaS? (Simple Explanation)

A

Serverless computing in a FaaS (Function as a Service) setup means that you run small pieces of code (called functions) without managing or worrying about servers.

Simple Example:
Imagine you own a coffee machine in your kitchen (a regular server). You have to buy it, maintain it, and keep it running, even if you only drink coffee once a day.

Now imagine instead you go to a coffee shop and only pay for each cup you drink. You don’t worry about machines, cleaning, or anything else.

That’s serverless computing:

You write code that does one specific task.

The cloud provider (like AWS, Azure, or Google Cloud) runs it for you only when needed.

You pay only when your code runs, not for keeping a server on all the time.

FaaS (Function as a Service):
A cloud service where you upload your function (a piece of code).

The cloud automatically runs it when triggered (like when someone clicks a button on your app or sends a request).

Examples: AWS Lambda, Azure Functions, Google Cloud Functions.

Why Use It?
✔ No server management
✔ Scales automatically
✔ Pay only when your function runs
✔ Great for small tasks like sending emails, resizing images, or handling user input

In Short:
Serverless computing with FaaS means you just write code for a task, and the cloud runs it only when needed: no server setup, no charge while the function sits idle, and no server maintenance. Just code → run → done. ✅💻☁️

One caveat: the provider manages the servers, but you still own the function's code, how it handles its input, and the permissions it runs with.
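What a function like this looks like in practice, as an added example that is not part of the original card: a minimal AWS-Lambda-style handler for the "handling user input" case. The event shape mimics an API Gateway proxy event and is a constructed sample, not a live capture; the email service the function would call is replaced by a hypothetical in-memory list (`SENT`). The handler name `lambda_handler(event, context)` is the real entry-point signature AWS Lambda uses for Python; everything else is assumed for the example.

```python
# Added example: a minimal AWS-Lambda-style handler that turns one HTTP
# request into a unit of work. The event shape mimics an API Gateway proxy
# event (a constructed sample, not a live capture); the "work" (queueing
# an email) is a hypothetical in-memory stand-in for a real service call.
import json

MAX_BODY_BYTES = 4096               # refuse oversized input before parsing it
ALLOWED_FIELDS = {"to", "subject"}  # strict allow-list of request fields

SENT: list = []  # stand-in for the email service the function would call


def _response(status: int, payload: dict) -> dict:
    """Build the response object API Gateway expects from a Lambda proxy."""
    return {
        "statusCode": status,
        "headers": {"Content-Type": "application/json"},
        "body": json.dumps(payload),
    }


def lambda_handler(event: dict, context=None) -> dict:
    """Entry point the platform invokes once per request; no server, no state."""
    raw = event.get("body") or ""
    if len(raw.encode()) > MAX_BODY_BYTES:
        return _response(413, {"error": "body too large"})
    try:
        data = json.loads(raw)
    except json.JSONDecodeError:
        return _response(400, {"error": "body is not valid JSON"})
    # Reject unexpected fields instead of silently ignoring them.
    if not isinstance(data, dict) or set(data) != ALLOWED_FIELDS:
        return _response(400, {"error": f"expected exactly fields {sorted(ALLOWED_FIELDS)}"})
    if not all(isinstance(data[f], str) and data[f].strip() for f in ALLOWED_FIELDS):
        return _response(400, {"error": "fields must be non-empty strings"})
    if "@" not in data["to"] or len(data["to"]) > 254:
        return _response(400, {"error": "invalid recipient"})
    # Only the validated, allow-listed fields reach the downstream service.
    job = {"to": data["to"], "subject": data["subject"][:200]}
    SENT.append(job)
    return _response(202, {"queued": True, "job_id": len(SENT)})


# Constructed sample events (not real traffic)
GOOD_EVENT = {"body": json.dumps({"to": "alice@example.com", "subject": "Welcome"})}
BAD_EVENT = {"body": '{"to": "alice@example.com", "subject": "x", "admin": true}'}

if __name__ == "__main__":
    print(lambda_handler(GOOD_EVENT))  # statusCode 202, queued
    print(lambda_handler(BAD_EVENT))   # statusCode 400, unexpected field
```

The function does one job, keeps no state between invocations, and validates the event before acting on it; the platform supplies the trigger, scaling and billing, but not that validation.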

2
Q

What’s the difference between cloud networking and cloud infrastructure?

A

Cloud Infrastructure
This refers to the entire physical and virtual setup that makes cloud computing possible.

Think of it like the building and hardware behind a cloud service:
Servers 🖥️

Storage drives 💾

Data centers 🏢

Virtual machines (VMs)

Operating systems

🟢 It’s the foundation—everything needed to run and store things in the cloud.

Cloud Networking
This is about how everything in the cloud connects and communicates.

Think of it like the roads and traffic system between cloud parts:
IP addresses & DNS 🌐

Firewalls 🔥

Load balancers ⚖️

Virtual networks (VPCs, subnets)

How data moves between servers or regions

🟢 It’s the communication layer—making sure data moves securely and efficiently between users and cloud systems.

3
Q

What’s the difference between SDN and SDV?

A

🔹 SDN – Software-Defined Networking
SDN stands for Software-Defined Networking. It means that network control is done by software, not by manually configuring physical devices like routers and switches.

Simple Explanation:
Think of SDN like a remote control for your network.

Instead of going to each device to set things up, you can use one software to manage and control everything.

What it does:
Controls how data moves across the network.

Makes networks more flexible, faster to change, and easier to manage.

🔸 SDV – Software-Defined Visibility
SDV stands for Software-Defined Visibility. It focuses on giving you a clear view of what’s happening in the network, especially in complex cloud or virtual environments.

Simple Explanation:
Think of SDV like putting security cameras on your network.

It helps you monitor, analyze, and troubleshoot what’s happening with the data moving through your systems.

What it does:
Provides insight into network traffic.

Helps with security, performance monitoring, and debugging.

SDN = Control the network with software.

SDV = See what’s happening in the network using software.

4
Q

🔐 What is a Security Group in the Cloud?

A

A security group is like a virtual firewall for your cloud resources (like virtual machines, databases, or containers).

It controls incoming and outgoing network traffic based on rules you set.

It’s most commonly used in platforms like AWS, Azure, and Google Cloud.

🧑‍💻 Do Customers Have Direct Access to the Cloud Provider’s Firewall?
No, you don’t have direct access to the actual physical firewall used by the cloud provider.

BUT…

Cloud providers give you a tool (security group) that acts like a firewall for your cloud resources — and you fully control that.

⚙️ How Can You Set Rules?
You can create and manage security group rules using:

The cloud provider’s web dashboard (e.g., AWS Console)

Their command-line tools (like AWS CLI)

Their APIs or Infrastructure as Code tools (e.g., Terraform)

You define rules that allow traffic (and, on platforms with explicit deny rules, deny it) by:

Specific IP addresses or IP ranges (CIDR blocks)

Specific ports (like port 80 for websites, 22 for SSH)

Protocols (TCP, UDP, etc.)

Two details worth remembering: AWS security groups contain allow rules only, so anything not explicitly allowed is implicitly denied (explicit deny rules exist in Azure NSGs, Google Cloud firewall rules and AWS network ACLs), and security groups are stateful, so replies to allowed traffic pass without a matching rule in the other direction.

📍 Where Are These Rules Applied?
These rules are attached to your virtual machines or cloud resources.

The rules live in the virtual network layer of the cloud and are enforced at the VM’s virtual network interface, kind of like an invisible firewall wrapped around your VM.

For example:

In AWS, a security group is attached to an EC2 instance (a virtual server).

In Azure, it’s called a Network Security Group (NSG) and is attached to a VM’s network interface or to a subnet.

In Google Cloud, the equivalent is VPC firewall rules, which apply to instances in a VPC network (targeted by network tags or service accounts).
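How such a rule set actually decides on a packet, as an added example that is not part of the original card: a small Python model of an AWS-style security group (allow rules only, implicit deny, stateful), plus a lint check a reviewer would run before attaching the group. The rule sets `WEB_SG` and `RISKY_SG` are constructed for the example, not exported from a real account.

```python
# Added example: a model of how a cloud security group decides whether a
# packet is allowed. It follows AWS semantics: rules are allow-only, anything
# not matched is implicitly denied, and the group is stateful, so replies to
# allowed traffic need no rule. The rule sets below are constructed for the
# example, not exported from a real account.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all protocols, ports ignored)
    from_port: int
    to_port: int
    cidr: str       # source CIDR for an inbound rule


def is_allowed(rules, protocol: str, port: int, source_ip: str) -> bool:
    """True if some allow rule matches; there are no deny rules, only implicit deny."""
    src = ipaddress.ip_address(source_ip)
    for r in rules:
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.from_port <= port <= r.to_port):
            continue
        # Membership test is False for an IPv6 source against an IPv4 CIDR.
        if src in ipaddress.ip_network(r.cidr, strict=False):
            return True
    return False


def lint(rules):
    """Flag what a reviewer would reject: admin ports (22, 3389) open to the world."""
    findings = []
    for r in rules:
        world = ipaddress.ip_network(r.cidr, strict=False).prefixlen == 0
        admin_port = any(r.from_port <= p <= r.to_port for p in (22, 3389))
        if world and (r.protocol == "-1" or admin_port):
            findings.append(f"{r.protocol} {r.from_port}-{r.to_port} open to {r.cidr}")
    return findings


# Constructed rule sets for a web server
WEB_SG = [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "10.0.0.0/8"),   # SSH only from the internal range
]
RISKY_SG = WEB_SG + [Rule("tcp", 22, 22, "0.0.0.0/0")]

if __name__ == "__main__":
    print(is_allowed(WEB_SG, "tcp", 443, "203.0.113.7"))  # True: HTTPS from anywhere
    print(is_allowed(WEB_SG, "tcp", 22, "203.0.113.7"))   # False: no rule matches
    print(lint(RISKY_SG))                                  # SSH open to the world
```

The point the model makes explicit: a packet is let in only because some rule says so, so the security review is of the allow rules, and the usual finding is an admin port exposed to 0.0.0.0/0.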

5
Q

What is a VPC, and what is a VPC endpoint?

A

🌐 What is a VPC (Virtual Private Cloud)?
A VPC is like your own private network inside the cloud.

Simple Example:
Imagine the cloud is a big apartment building 🏢.

A VPC is like your private apartment inside that building — only you can decide what goes in and out.

What does a VPC include?
Subnets (smaller networks inside your VPC)

IP addresses

Routing rules

Security groups or firewalls

You use a VPC to:

Keep your cloud resources isolated and secure

Control network traffic

Connect safely to the internet or other cloud services

🔗 What is a VPC Endpoint?
A VPC endpoint lets you connect securely to other cloud services (like storage or databases) without using the public internet.

Simple Example:
Normally, if your virtual machine in the VPC wants to talk to a service like Amazon S3, it reaches the service’s public endpoint through an internet gateway or NAT gateway, even though both are in the same cloud.

A VPC endpoint acts like a private shortcut or tunnel that connects your VPC directly to the service, without leaving the cloud’s internal network.

✅ Why Use VPC Endpoints?
More secure (no exposure to the public internet; the VPC needs no internet gateway or NAT just to reach the service)

Faster and more reliable

Better control over traffic (an endpoint policy can restrict which buckets, tables or services the endpoint may reach)

NOTE:

A VPC endpoint only works to access services within the same cloud provider.

🔒 Why?
A VPC endpoint is a private connection inside the cloud provider’s own network. It’s designed to let your VPC safely and directly connect to:

Cloud-native services (like AWS S3, DynamoDB)

Private services hosted in other VPCs or accounts of the same provider (via PrivateLink; the endpoint reaches that one service, not the whole VPC)

It does not connect to:

The public internet

External clouds (like Azure to AWS)

On-premises networks (unless you set up something else like a VPN or Direct Connect)

🟢 Example:
In AWS, you can use a VPC endpoint to:

Access S3 or DynamoDB privately.

Connect to a private service in another AWS account using PrivateLink.

But you cannot use that same VPC endpoint to connect to:

A service on Google Cloud ☁️

A public website 🌐

6
Q

What’s the difference between a VPC endpoint and a cloud transit gateway?

A

🔹 VPC Endpoint
A VPC Endpoint is like a private shortcut from your VPC to a specific cloud service (like S3 or DynamoDB) without using the public internet.

🧾 Key Points:
Used to connect your VPC to cloud-native services privately.

Stays within the cloud provider’s internal network.

Supports services like:

S3 and DynamoDB (Gateway Endpoint)

Other AWS services or your own services (Interface Endpoint using PrivateLink)

Good for: Secure, private access to cloud services from inside your VPC.

✅ Simple Analogy:
A VPC Endpoint is like a private door from your room (VPC) to a service inside the same building (cloud) — no need to go outside.

🔸 Transit Gateway
A Transit Gateway (the AWS name; Azure Virtual WAN and Google Cloud’s Network Connectivity Center play a similar role) is like a central hub that connects multiple VPCs, on-premises networks, and VPNs together.

🧾 Key Points:
Used to connect many VPCs and networks to each other.

Acts like a cloud router or hub-and-spoke model.

Great for large, multi-VPC environments or hybrid networks.

Can route traffic between:

VPCs

On-prem networks

VPNs

Direct Connect links

✅ Simple Analogy:
A Transit Gateway is like a main train station where different rail lines (VPCs and networks) come together and can route traffic between each other.

7
Q

✅ What is a Secure Web Gateway (SWG)? – Simple Explanation

A

A Secure Web Gateway is a security tool that filters and monitors users’ web traffic (HTTP/HTTPS, usually with TLS inspection) as it leaves the network, to protect users from threats like:

Malicious websites

Phishing attacks

Unapproved web usage

Malware downloads

It enforces company policies and keeps the network safe while users browse the internet.

✅ Where is a SWG implemented?
SWGs can be:

Standalone appliances (hardware or virtual)

Cloud-based services

Installed as software on endpoints (especially for remote users)

Integrated into next-generation firewalls (NGFWs) — some advanced firewalls include SWG features

So yes, in some cases, SWG features can be included in a firewall, but in general, they are separate solutions.

8
Q

🔐 What is CASB (Cloud Access Security Broker)?

A

A CASB is a security tool that sits between users and cloud services (like Google Drive, Office 365, Dropbox, etc.) to protect data and enforce security rules.

✅ Simple Definition:
A CASB watches and controls how people use cloud apps, to make sure they’re using them safely, securely, and within company policy.

🛡️ What Does a CASB Do?
Blocks risky file sharing ☁️📤

Detects unauthorized apps (Shadow IT) 🕵️‍♂️

Prevents data leaks 💧

Scans for malware or sensitive data

Helps follow rules like GDPR, HIPAA, etc.

✌️ Two Main Types of CASB:
🔹 1. Inline CASB
This type of CASB sits directly in the path of traffic between the user and the cloud app — like a security checkpoint.

How it works: All user traffic goes through the CASB.

Real-time control (can block/allow immediately)

Used for: Web traffic, enforcing rules on the spot

✅ Good for: Real-time protection
❌ Needs network reconfiguration, can affect speed

🔸 2. API-based CASB
This CASB connects to cloud apps using their APIs (Application Programming Interfaces) — it doesn’t sit in the traffic path.

How it works: CASB talks to the cloud app directly to scan and monitor what’s already in the cloud.

Acts after the data is already in the cloud (near real time, but it cannot stop an upload as it happens); great for deep scanning and data auditing

Used for: Looking inside Google Drive, OneDrive, etc.

✅ Good for: Post-upload analysis, finding sensitive data
❌ Cannot block a transfer as it happens

9
Q

🔐 What Are Resource Policies in the Cloud?

A

Resource policies are rules that control who can access a specific cloud resource (like a storage bucket, database, or VM) and what they’re allowed to do with it.

✅ Simple Explanation:
Imagine you own a storage room (the resource).
A resource policy is like a set of written rules on the door that says:

Who can come in (e.g., only team members)

What they can do (read stuff, add stuff, delete stuff)

When or from where they can access it (only during work hours, or only from a company laptop)

💡 Examples of Cloud Resources:
An S3 bucket in AWS

A VM or disk in Google Cloud

A Storage account in Azure

Each of these resources can have its own policy.

🛡️ What Can a Resource Policy Control?
✅ Who can access the resource (users, roles, services)

✅ What actions they can take (read, write, delete)

✅ From where (IP address, network, region)

✅ Under what conditions (like using MFA or encryption)

🟢 Example (AWS S3 Bucket Policy in simple terms):
Only allow users from a specific AWS account to read files
Block all access from outside the company’s IP address

🔄 How It’s Different From IAM Policies:
IAM (identity-based) Policy = Attached to a user, group, or role (what that identity is allowed to do)

Resource Policy = Attached to the resource (who is allowed to touch this resource, including principals from other accounts)

They work together to secure cloud access. In AWS, an explicit Deny in either policy always wins; within one account an Allow in either one is enough for services that support resource policies (such as S3), while cross-account access needs the caller’s identity policy and the resource policy to both allow it.
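How the bucket-policy example above (read-only for one account, blocked from outside the company’s IP range) combines with the VPC endpoint card’s "private path" idea, as an added example that is not part of the original cards: a toy evaluator for an S3-style bucket policy that applies the IAM ordering of explicit Deny over Allow over implicit deny. The policy, account ID, IP range and endpoint ID are placeholders constructed for the example; the request contexts are constructed too. Only the four condition operators the policy uses are modelled, so this is not the full IAM evaluation logic, only its shape.

```python
# Added example: a toy evaluator for an S3-style bucket policy. It shows how
# Principal, Action, Resource and Condition combine per statement, and how
# an explicit Deny beats an Allow while no match means implicit deny.
# The policy below is constructed for the example; the account ID, IP range
# and VPC endpoint ID are placeholders. Only the condition operators used
# here are modelled, not the full IAM grammar.
import fnmatch
import ipaddress

BUCKET = "arn:aws:s3:::company-reports"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Allow: read-only access for principals in one account
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [BUCKET, BUCKET + "/*"],
        },
        {   # Deny: any request not from the office range AND not via the VPC endpoint
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET, BUCKET + "/*"],
            "Condition": {
                "NotIpAddress": {"aws:SourceIp": "198.51.100.0/24"},
                "StringNotEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"},
            },
        },
    ],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal_matches(spec, principal_arn):
    return spec == "*" or principal_arn in _as_list(spec.get("AWS", []))


def _glob_any(patterns, value):
    """Action and resource matching are wildcard-based; actions are case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_matches(cond, ctx):
    """Every operator in a Condition block must hold (logical AND).
    Negated operators are satisfied when the key is absent from the context."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual = ctx.get(key)
            nets = [ipaddress.ip_network(w, strict=False) for w in _as_list(wanted)] if "Ip" in op else []
            if op == "IpAddress":
                ok = actual is not None and any(ipaddress.ip_address(actual) in n for n in nets)
            elif op == "NotIpAddress":
                ok = actual is None or not any(ipaddress.ip_address(actual) in n for n in nets)
            elif op == "StringEquals":
                ok = actual is not None and actual in _as_list(wanted)
            elif op == "StringNotEquals":
                ok = actual is None or actual not in _as_list(wanted)
            else:
                raise ValueError(f"operator {op} not modelled in this example")
            if not ok:
                return False
    return True


def evaluate(policy, principal_arn, action, resource, ctx):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not (_principal_matches(st["Principal"], principal_arn)
                and _glob_any(st["Action"], action)
                and _glob_any(st["Resource"], resource)
                and _condition_matches(st.get("Condition", {}), ctx)):
            continue
        if st["Effect"] == "Deny":
            return "Deny"       # explicit deny wins over any allow
        decision = "Allow"
    return decision


TRUSTED = "arn:aws:iam::111122223333:root"
OTHER = "arn:aws:iam::999999999999:root"
OFFICE = {"aws:SourceIp": "198.51.100.20"}
OUTSIDE = {"aws:SourceIp": "203.0.113.9"}
VIA_ENDPOINT = {"aws:SourceIp": "10.0.1.5", "aws:SourceVpce": "vpce-0123456789abcdef0"}

if __name__ == "__main__":
    obj = BUCKET + "/q1.pdf"
    print(evaluate(POLICY, TRUSTED, "s3:GetObject", obj, OFFICE))        # Allow
    print(evaluate(POLICY, TRUSTED, "s3:GetObject", obj, OUTSIDE))       # Deny
    print(evaluate(POLICY, TRUSTED, "s3:GetObject", obj, VIA_ENDPOINT))  # Allow
    print(evaluate(POLICY, TRUSTED, "s3:PutObject", obj, OFFICE))        # ImplicitDeny
```

Three outcomes are worth noticing: the trusted account can read but not write (no Allow covers PutObject, so the answer is implicit deny, not an explicit Deny); a request from outside the office range is explicitly denied even for the trusted account; and traffic arriving through the named VPC endpoint is accepted although its source address is a private one, which is how a resource policy and a VPC endpoint are usually paired.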
