Hybrid Networking

Question 1

What standardized exterior gateway protocol is designed to exchange routing and reachability information among autonomous systems on the Internet?

Answer 1

Border Gateway Protocol (BGP)

Question 2

What is the primary purpose of Border Gateway Protocol (BGP)?

Answer 2

BGP is a path-vector protocol designed to exchange the best path to a destination between peers, this path is referred to as the AS_PATH (Autonomous System Path)

Question 3

Which TCP port does Border Gateway Protocol (BGP) use?

Answer 3

TCP port 179

Question 4

Does Border Gateway Protocol (BGP) require manual configuration?

Answer 4

Yes, BGP peering must be configured manually, it is not automatic

Question 5

What path does Border Gateway Protocol (BGP) prefer by default?

Answer 5

Shortest path to the destination

Question 6

Is it possible to artificially make certain paths appear longer, causing other paths to be preferred?

Answer 6

Yes, using AS_PATH Prepending:

• Example 1 appears shorter to BGP:
  DES 10.18.0.0/16 | NEXT HOP 10.17.0.1 | AS_PATH 201, 202, i
• Example 2 appears longer to BGP:
  DES 10.18.0.0/16 | NEXT HOP 10.18.0.1 | AS_PATH 202, 202, 202, i

Question 7

Which AWS networking services utilize Border Gateway Protocol (BGP)?

Answer 7

AWS Direct Connect and Dynamic Site-to-Site VPN

Question 8

What term is used to describe routers controlled by a single network entity?

Answer 8

Autonomous System (AS), each AS is assigned an Autonomous System Number (ASN) by IANA.

Question 9

What is the difference between Interior Border Gateway Protocol (iBGP) and Exterior Border Gateway Protocol (eBGP)?

Answer 9

• iBGP: Propagates routes within a single Autonomous System (AS)
• eBGP: Propagates routes between different Autonomous Systems (ASs)

Question 10

What AWS service enables a private, physical connection between customer facilities and AWS?

Answer 10

AWS Direct Connect

AWS Region ↔ DX Location ↔ Customer Premises

Question 11

What does ordering AWS Direct Connect involve?

Answer 11

Ordering Direct Connect involves requesting a dedicated port at an AWS DX Location, enabling physical connectivity to AWS services

Question 12

Can AWS Direct Connect be used to access only private resources within a VPC?

Answer 12

No, DX can be used to access both private resources within a VPC and public AWS services

Question 13

Can AWS Direct Connect be used to access the public internet?

Answer 13

No, DX cannot be used to access the public internet; it is designed for private connections to AWS services

Question 14

What are the cost components of AWS Direct Connect?

Answer 14

• Hourly Port Allocation Fee: Charged for reserving the DX port
• Outbound Data Transfer Charges: Data sent from AWS to your premises (inbound is free)

Question 15

What types of connections does AWS Direct Connect offer?

Answer 15

• Dedicated Connection: Provided directly by AWS, using an Ethernet port allocated exclusively for a single customer
• Hosted Connection: Offered by an AWS Direct Connect Partner, utilizing their existing network link to AWS

Question 16

What network speed options are available for AWS Direct Connect?

Answer 16

• Dedicated Connections: 1 Gbps, 10 Gbps, 100 Gbps, 400 Gbps
• Hosted Connections: 50 Mbps to 25 Gbps in increments (e.g., 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, and 25 Gbps)

Question 17

What factors should be considered when using AWS Direct Connect?

Answer 17

• Establishes a private network connection to AWS
• Offers low latency and high-speed connectivity
• Requires provisioning time (can take weeks or months)
• Does not include built-in redundancy; resilience must be implemented with multiple connections

Question 18

What AWS Direct Connect component enables access to AWS public or private services?

Answer 18

Virtual Interface (VIF)

Question 19

Which two types of Virtual Interfaces (VIFs) does AWS Direct Connect provide?

Answer 19

• Public VIF: Provides access to AWS public services (e.g., S3, DynamoDB)
• Private VIF: Provides access to private AWS services within a VPC

Question 20

Which AWS Direct Connect Virtual Interface (VIF) is used to access AWS Public services like S3?

Answer 20

Public VIF

Path: Customer Router → Customer DX Router → AWS DX Router → AWS Public Space

Question 21

Which AWS Direct Connect Virtual Interface (VIF) is used to access AWS Private services like an EC2 instance in a VPC?

Answer 21

Private VIF

Path: Customer Router → Customer DX Router → AWS DX Router → VGW → VPC

Question 21

What are the components of an AWS Direct Connect (DX) connection, and is it inherently resilient?

Answer 21

• DX Location
• DX Router
• Cross Connect
• Customer DX Router
• Extension Cables
• Customer Premises
• Customer Router

Resilience is not built-in and must be planned separately

Question 22

How is resiliency achieved with AWS Direct Connect (DX)?

Answer 22

• Option 1: Use multiple cross-connects from DX routers to multiple customer DX routers and extend these connections with multiple cables to multiple customer premises routers.
  (DX Location, cables, or premises can still fail)
• Option 2: Achieve maximum resiliency by combining Option 1 with two geographically separated DX locations and connecting them to two separate customer premises data centers

Question 23

How can the security of AWS Direct Connect (DX) be enhanced?

Answer 23

• Using a VPN over Public VIF ensures performance and security by providing an encrypted and authenticated tunnel with low and consistent latency, using Public VIF and VGW/TGW public endpoints

Question 24

Which AWS service provides a central hub to simplify complex peering relationships by connecting VPCs and on-premises networks?

Answer 24

AWS Transit Gateway

Question 25

Does AWS Transit Gateway support transitive connections?

Answer 25

Yes, it enables a hub-and-spoke topology for VPCs and on-premises networks

Question 26

What is the primary purpose of AWS Transit Gateway?

Answer 26

To serve as a network transit hub, simplifying network complexity by connecting various AWS and on-premises resources through attachments, resulting in a more streamlined network architecture

Question 27

What is the resiliency posture of AWS Transit Gateway?

Answer 27

Regionally resilient, highly available, and scalable by default

Question 28

What types of attachments are supported by AWS Transit Gateway?

Answer 28

• VPC attachment
• Site-to-Site VPN attachment
• Direct Connect Gateway attachment

Question 29

Can AWS Transit Gateway connect multiple VPCs?

Answer 29

Yes, it allows traffic to flow transitively between connected VPCs

Question 30

How is AWS Transit Gateway integrated with AWS Site-to-Site VPN?

Answer 30

By connecting to Customer Gateway routers

Question 31

Which Virtual Interface (VIF) type is used to connect AWS Direct Connect with AWS Transit Gateway?

Answer 31

Transit VIF

Question 32

Can AWS Transit Gateway connect with other Transit Gateways?

Answer 32

Yes, Transit Gateways can be peered across accounts and regions to build a global network, typically using a mesh topology

Question 33

Is it possible to share AWS Transit Gateway across AWS accounts?

Answer 33

Yes, by using AWS Resource Access Manager (RAM)

Question 34

What secure protocol suite provides encrypted communication between two computers over an IP network?

Answer 34

Internet Protocol Security (IPSec), a collection of protocols that establishes secure tunnels over insecure networks

Question 35

What is the primary purpose of Internet Protocol Security (IPSec)?

Answer 35

To securely connect two networks (specifically their routers, or peers) over the public internet

Question 36

What are the two main phases of Internet Protocol Security (IPSec)?

Answer 36

• Internet Key Exchange (IKE) Phase 1: Establishes a secure channel; it’s slow and resource-intensive
• Internet Key Exchange (IKE) Phase 2: Manages quick and efficient data exchange

Question 37

Which Internet Protocol Security (IPSec) phase handles authentication (e.g., passwords or certificates)?

Answer 37

Internet Key Exchange (IKE) Phase 1

Question 38

Which Internet Protocol Security (IPSec) phase uses asymmetric encryption to establish a shared symmetric key?

Answer 38

Internet Key Exchange (IKE) Phase 1

Question 39

In which Internet Protocol Security (IPSec) phase is the IKE Security Association (SA) (Phase 1 tunnel) created?

Answer 39

Internet Key Exchange (IKE) Phase 1

Question 40

Which Internet Protocol Security (IPSec) phase builds on Phase 1 and utilizes the keys established in that phase?

Answer 40

Internet Key Exchange (IKE) Phase 2

Question 41

During which Internet Protocol Security (IPSec) phase are encryption methods and keys for bulk data transfer agreed upon?

Answer 41

Internet Key Exchange (IKE) Phase 2

Question 42

Which Internet Protocol Security (IPSec) phase establishes the IPSec Security Association (SA) (Phase 2 tunnel) over the Phase 1 tunnel?

Answer 42

Internet Key Exchange (IKE) Phase 2

Question 43

Why are Internet Protocol Security (IPSec) operations divided into two separate phases?

Answer 43

The separation allows the Phase 1 tunnel (slow and resource-intensive) to remain active while the Phase 2 tunnel (used for data transfer) can be created and torn down as needed, optimizing performance

Question 44

What are the steps involved in Internet Key Exchange (IKE) Phase 1?

Answer 44

1. Authentication using a certificate or pre-shared key
2. Each peer generates a Diffie-Hellman (DH) private key and derives its public key
3. Public keys are exchanged securely over the internet
4. Both peers use their private key and the other’s public key to generate the same shared Diffie-Hellman key
5. Agreement on encryption and key exchange parameters using the DH key
6. Symmetric keys are created using the shared DH key and the agreed material

Question 45

What are the steps involved in Internet Key Exchange (IKE) Phase 2?

Answer 45

1. A symmetric key encrypts and decrypts agreements while exchanging additional key material
2. Both peers communicate and agree on the best encryption and integrity methods
3. The Diffie-Hellman (DH) key and exchanged material are used to generate a symmetric IPSec key
4. The IPSec key is used for bulk encryption and decryption of interesting traffic
5. Two security associations (SAs) are established: one for traffic from Peer A to Peer B and another for traffic from Peer B to Peer A

Question 46

What are the two main types of VPNs?

Answer 46

• Policy-based VPN
• Route-based VPN

Question 47

Which type of VPN uses traffic-matching rules to send traffic over specific Security Associations (SAs)?

Answer 47

Policy-based VPN

Question 48

Which type of VPN allows different rules for various traffic types, offering greater flexibility but being more complex to configure?

Answer 48

Policy-based VPN

Question 49

Which type of VPN matches traffic based on prefixes and uses a single pair of Security Associations (SAs) for each prefix?

Answer 49

Route-based VPN