Hybrid Networking

Question 1

What standardized exterior gateway protocol is designed to exchange routing and reachability information among autonomous systems on the Internet?

Answer 1

Border Gateway Protocol (BGP)

Question 2

What is the primary purpose of Border Gateway Protocol (BGP)?

Answer 2

BGP is a path-vector protocol designed to exchange the best path to a destination between peers, this path is referred to as the AS_PATH (Autonomous System Path)

Question 3

Which TCP port does Border Gateway Protocol (BGP) use?

Answer 3

TCP port 179

Question 4

Does Border Gateway Protocol (BGP) require manual configuration?

Answer 4

Yes, BGP peering must be configured manually, it is not automatic

Question 5

What path does Border Gateway Protocol (BGP) prefer by default?

Answer 5

Shortest path to the destination

Question 6

Using Border Gateway Protocol (BGP) is it possible to artificially make certain paths appear longer, causing other paths to be preferred?

Answer 6

Yes, using AS_PATH Prepending:

• Example 1 appears shorter to BGP:
  DES 10.18.0.0/16 | NEXT HOP 10.17.0.1 | AS_PATH 201, 202, i
• Example 2 appears longer to BGP:
  DES 10.18.0.0/16 | NEXT HOP 10.18.0.1 | AS_PATH 202, 202, 202, i

Question 7

Which AWS networking services utilize Border Gateway Protocol (BGP)?

Answer 7

• AWS Direct Connect
• AWS Site-to-Site VPN (Dynamic)

Question 8

What term is used to describe routers controlled by a single network entity?

Answer 8

Autonomous System (AS), each AS is assigned an Autonomous System Number (ASN) by IANA.

Question 9

What is the difference between Interior Border Gateway Protocol (iBGP) and Exterior Border Gateway Protocol (eBGP)?

Answer 9

• iBGP: Propagates routes within a single Autonomous System (AS)
• eBGP: Propagates routes between different Autonomous Systems (ASs)

Question 10

What AWS service enables a private, physical connection between customer facilities and AWS?

Answer 10

AWS Direct Connect

AWS Region ↔ DX Location ↔ Customer Premises

Question 11

What does ordering AWS Direct Connect involve?

Answer 11

Ordering Direct Connect involves requesting a dedicated port at an AWS DX Location, enabling physical connectivity to AWS services

Question 12

Can AWS Direct Connect be used to access only private resources within a VPC?

Answer 12

No, DX can be used to access both private resources within a VPC and public AWS services

Question 13

Can AWS Direct Connect be used to access the public internet?

Answer 13

No, DX cannot be used to access the public internet, it is designed for private connections to AWS services

Question 14

What are the cost components of AWS Direct Connect?

Answer 14

• Hourly Port Allocation Fee: Charged for reserving the DX port
• Outbound Data Transfer Charges: Data sent from AWS to your premises (inbound is free)

Question 15

What types of connections does AWS Direct Connect offer?

Answer 15

• Dedicated Connection: Provided directly by AWS, using an Ethernet port allocated exclusively for a single customer
• Hosted Connection: Offered by an AWS Direct Connect Partner, utilizing their existing network link to AWS

Question 16

What network speed options are available for AWS Direct Connect?

Answer 16

• Dedicated Connections: 1 Gbps, 10 Gbps, 100 Gbps, 400 Gbps
• Hosted Connections: 50 Mbps to 25 Gbps in increments (e.g., 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, 500 Mbps, 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, and 25 Gbps)

Question 17

What factors should be considered when using AWS Direct Connect?

Answer 17

• Establishes a private network connection to AWS
• Offers low latency and high-speed connectivity
• Requires provisioning time (can take weeks or months)
• Does not include built-in redundancy; resilience must be implemented with multiple connections

Question 18

What AWS Direct Connect component enables access to AWS public or private services?

Answer 18

Virtual Interface (VIF)

Question 19

Which two types of Virtual Interfaces (VIFs) does AWS Direct Connect provide?

Answer 19

• Public VIF: Provides access to AWS public services (e.g., S3, DynamoDB)
• Private VIF: Provides access to private AWS services within a VPC

Question 20

Which AWS Direct Connect Virtual Interface (VIF) is used to access AWS Public services like S3?

Answer 20

Public VIF

Path: Customer Router → Customer DX Router → AWS DX Router → AWS Public Space

Question 21

Which AWS Direct Connect Virtual Interface (VIF) is used to access AWS Private services like an EC2 instance in a VPC?

Answer 21

Private VIF

Path: Customer Router → Customer DX Router → AWS DX Router → VGW → VPC

Question 21

What are the components of an AWS Direct Connect (DX) connection, and is it inherently resilient?

Answer 21

• DX Location
• DX Router
• Cross Connect
• Customer DX Router
• Extension Cables
• Customer Premises
• Customer Router

Resilience is not built-in and must be planned separately

Question 22

How is resiliency achieved with AWS Direct Connect (DX)?

Answer 22

• Option 1: Use multiple cross-connects from DX routers to multiple customer DX routers and extend these connections with multiple cables to multiple customer premises routers.
  (DX Location, cables, or premises can still fail)
• Option 2: Achieve maximum resiliency by combining Option 1 with two geographically separated DX locations and connecting them to two separate customer premises data centers

Question 23

How can the security of AWS Direct Connect (DX) be enhanced?

Answer 23

• Using a VPN over Public VIF ensures performance and security by providing an encrypted and authenticated tunnel with low and consistent latency, using Public VIF and VGW/TGW public endpoints

Question 24

Which AWS service provides a central hub to simplify complex peering relationships by connecting VPCs and on-premises networks?

Answer 24

AWS Transit Gateway

Question 25

Does AWS Transit Gateway support transitive connections?

Answer 25

Yes, it enables a hub-and-spoke topology for VPCs and on-premises networks

Question 26

What is the primary purpose of AWS Transit Gateway?

Answer 26

To serve as a network transit hub, simplifying network complexity by connecting various AWS and on-premises resources through attachments, resulting in a more streamlined network architecture

Question 27

What is the resiliency posture of AWS Transit Gateway?

Answer 27

Regionally resilient, highly available, and scalable by default

Question 28

What types of attachments are supported by AWS Transit Gateway?

Answer 28

• VPC attachment
• Site-to-Site VPN attachment
• Direct Connect Gateway attachment

Question 29

Can AWS Transit Gateway connect multiple VPCs?

Answer 29

Yes, it allows traffic to flow transitively between connected VPCs

Question 30

How is AWS Transit Gateway integrated with AWS Site-to-Site VPN?

Answer 30

By connecting to Customer Gateway routers

Question 31

Which Virtual Interface (VIF) type is used to connect AWS Direct Connect with AWS Transit Gateway?

Answer 31

Transit VIF

Question 32

Can AWS Transit Gateway connect with other Transit Gateways?

Answer 32

Yes, Transit Gateways can be peered across accounts and regions to build a global network, typically using a mesh topology

Question 33

Is it possible to share AWS Transit Gateway across AWS accounts?

Answer 33

Yes, by using AWS Resource Access Manager (RAM)

Question 34

What secure protocol suite provides encrypted communication between two computers over an IP network?

Answer 34

Internet Protocol Security (IPSec), a collection of protocols that establishes secure tunnels over insecure networks

Question 35

What is the primary purpose of Internet Protocol Security (IPSec)?

Answer 35

To securely connect two networks (specifically their routers, or peers) over the public internet

Question 36

What are the two main phases of Internet Protocol Security (IPSec)?

Answer 36

• Internet Key Exchange (IKE) Phase 1: Establishes a secure channel; it’s slow and resource-intensive
• Internet Key Exchange (IKE) Phase 2: Manages quick and efficient data exchange

Question 37

Which Internet Protocol Security (IPSec) phase handles authentication (e.g., passwords or certificates)?

Answer 37

Internet Key Exchange (IKE) Phase 1

Question 38

Which Internet Protocol Security (IPSec) phase uses asymmetric encryption to establish a shared symmetric key?

Answer 38

Internet Key Exchange (IKE) Phase 1

Question 39

In which Internet Protocol Security (IPSec) phase is the IKE Security Association (SA) (Phase 1 tunnel) created?

Answer 39

Internet Key Exchange (IKE) Phase 1

Question 40

Which Internet Protocol Security (IPSec) phase builds on Phase 1 and utilizes the keys established in that phase?

Answer 40

Internet Key Exchange (IKE) Phase 2

Question 41

During which Internet Protocol Security (IPSec) phase are encryption methods and keys for bulk data transfer agreed upon?

Answer 41

Internet Key Exchange (IKE) Phase 2

Question 42

Which Internet Protocol Security (IPSec) phase establishes the IPSec Security Association (SA) (Phase 2 tunnel) over the Phase 1 tunnel?

Answer 42

Internet Key Exchange (IKE) Phase 2

Question 43

Why are Internet Protocol Security (IPSec) operations divided into two separate phases?

Answer 43

The separation allows the Phase 1 tunnel (slow and resource-intensive) to remain active while the Phase 2 tunnel (used for data transfer) can be created and torn down as needed, optimizing performance

Question 44

What are the steps involved in Internet Key Exchange (IKE) Phase 1?

Answer 44

1. Authentication using a certificate or pre-shared key
2. Each peer generates a Diffie-Hellman (DH) private key and derives its public key
3. Public keys are exchanged securely over the internet
4. Both peers use their private key and the other’s public key to generate the same shared Diffie-Hellman key
5. Agreement on encryption and key exchange parameters using the DH key
6. Symmetric keys are created using the shared DH key and the agreed material

Question 45

What are the steps involved in Internet Key Exchange (IKE) Phase 2?

Answer 45

1. A symmetric key encrypts and decrypts agreements while exchanging additional key material
2. Both peers communicate and agree on the best encryption and integrity methods
3. The Diffie-Hellman (DH) key and exchanged material are used to generate a symmetric IPSec key
4. The IPSec key is used for bulk encryption and decryption of interesting traffic
5. Two security associations (SAs) are established: one for traffic from Peer A to Peer B and another for traffic from Peer B to Peer A

Question 46

What are the two main types of VPNs?

Answer 46

• Policy-based VPN
• Route-based VPN

Question 47

Which type of VPN uses traffic-matching rules to send traffic over specific Security Associations (SAs)?

Answer 47

Policy-based VPN

Question 48

Which type of VPN allows different rules for various traffic types, offering greater flexibility but being more complex to configure?

Answer 48

Policy-based VPN

Question 49

Which type of VPN matches traffic based on prefixes and uses a single pair of Security Associations (SAs) for each prefix?

Answer 49

Route-based VPN

Question 50

Which AWS service provides a fully managed, secure connection between on-premises networks and AWS resources using IPSec tunnels?

Answer 50

AWS Site-to-Site VPN

Question 51

What are the pricing components of AWS Site-to-Site VPN?

Answer 51

• Hourly cost
• Data transfer out cost (inbound data is free)

Question 52

What factors should be considered when using AWS Site-to-Site VPN?

Answer 52

• Speed limit of 1.25 Gbps
• Latency varies due to public internet routing
• Costs include hourly charges, GB outbound charges, and on-premises data cap
• Quick deployment, typically within hours
• Supports dynamic routing via BGP
• Serves as a backup for Direct Connect (DX), often paired with one DX for primary connectivity and VPN for secondary
• Can overlay a DX Public VIF to add encryption for data in transit

Question 53

What are the two types of VPNs?

Answer 53

• Static VPN
• Dynamic VPN

Question 54

Which type of VPN uses static network configuration?

Answer 54

Static VPN
- Routes to the remote side are manually added to route tables
- Remote network details are pre-configured on the VPN connection

Question 55

Which type of VPN uses the BGP protocol, requiring the customer’s router to support it?

Answer 55

Dynamic VPN
- BGP is configured on both the customer side and AWS side using Autonomous System Numbers (ASN)
- Network routes are exchanged dynamically via BGP

Question 56

How can high availability and traffic distribution be improved with Dynamic VPN?

Answer 56

By establishing multiple VPN connections

Question 57

Which feature allows dynamically learned routes from the Virtual Private Gateway (VGW) to be automatically added to route tables in a Dynamic VPN setup?

Answer 57

Route propagation

Question 59

What protocol encrypts the logical connection established by AWS Site-to-Site VPN between a VPC and an on-premises network?

Answer 59

Internet Protocol Security (IPSec) over the public internet

Question 60

Can AWS Site-to-Site VPN be a highly available solution?

Answer 60

Yes, when designed with redundancy - using two on-premises data centers, dual customer routers, and separate internet connections

Question 61

How long does it typically take to set up AWS Site-to-Site VPN?

Answer 61

Less than an hour for an experienced engineer

Question 62

Which AWS service enables the quickest way to create the connection between AWS and non-AWS environments, such as on-premises, other cloud platforms, or data centers?

Answer 62

AWS Site-to-Site VPN

Question 63

What are the primary components involved in implementing AWS Site-to-Site VPN?

Answer 63

• VPC that we goign to connec twith, and VPC Router
• Virtual Private Gateway (VGW)
• Customer Gateway (CGW)
• VPN Connection

Question 64

Which component of AWS Site-to-Site VPN acts as a logical gateway associated with a single VPC?

Answer 64

Virtual Private Gateway (VGW)

Question 65

What does the Customer Gateway (CGW) in AWS Site-to-Site VPN represent?

Answer 65

Logical configuration in AWS or the physical device associated with that configuration

Question 66

Which AWS Site-to-Site VPN component holds the configuration and connects one Virtual Private Gateway (VGW) to one Customer Gateway (CGW)?

Answer 66

VPN Connection