Lesson 5: Managing Networks in the Cloud Flashcards
The IT team is setting up a hybrid cloud environment that requires secure communication between the company’s datacenter and the cloud service provider (CSP). What type of network configuration will provide tunneled connection between the company and the CSP that require less work for administrators and users?
A.Software-Defined Network (SDN)
B.Site-to-Site VPN
C.Remote Access VPN
D.Content Delivery Network (CDN)
B.Site-to-Site VPN
Site-to-Site Virtual Private Network (VPN) is a tunneled connection between two sites. Configuration occurs on the VPN router on the company end and another VPN router on the cloud service provider (CSP) end.
An organization currently has a cloud network subnetted using Layer 2 technology to isolate separate networks. However, the organization is rapidly growing and will soon need to accommodate over 5000 separate networks, which is more than the current subnetting technology can handle. What can the organization do to manage the growth? (Select all that apply.)
A.Add a load balancer
B.Use VRF
C.Use VLANs
D.Use VXLANs
B.Use VRF
D.Use VXLANs
The organization can use VRF (Virtual Routing and Forwarding), a Layer 3 technology that is more scalable than VLANs. It allows a router to manage multiple routing tables that each directs traffic to a different route.
The organization can use VXLANs (Virtual Extensible Local Area Networks) to manage the growth. VXLANs extend the scalability of VLANs and support up to 16 million separate networks.
A cloud administrator is setting up security measures for a publicly available web service. Which of the following is the most suited solution for this scenario, understanding that security is a defense in depth approach?
A.Web application firewall
B.Load balancer
C.Firewalls
D.GENEVE
A.Web application firewall
Web application firewalls (WAFs) extend the functionality of traditional firewalls to cloud services. The AWS WAF can be deployed to protect AWS CloudFront, Application Programming Interface (API) Gateway for Representational state transfer (REST) API, Application Load Balancers, and AppSync GraphQL API.
A cloud architect establishes a software defined network policy for tightly controlled integration between on-premises and cloud services. Which of the following architectural designs should they implement?
A.Cloud native
B.Hybrid
C.Cloud DMZ
D.Hub and spoke
B.Hybrid
A Hybrid architectural design is the most suitable in this case, as it provides a controlled yet efficient integration between on-premises networks and cloud services. Hybrid architectures offer the flexibility of maintaining some services on-premises while utilizing the cloud for other services.
A company has dispatched one of its information technology teams to begin the initial setup for a new office location in a different state. The team will begin by building networking and architectural diagrams, as well as migrating data from the home office to the new location. What should the team utilize to secure this connection?
A.Point-to-point tunneling protocol
B.Point-to-site VPN
C.DNSSEC
D.Site-to-site VPN
D.Site-to-site VPN
Site-to-site connections are tunneled connections between two sites. In this case, the new location would reach back and connect to the home office.
An administrator created three virtual networks for an organization and then connected them together so that employees on any of the networks can seamlessly use the resources in any of the other networks. What type of software-defined networking is this?
A.Hub-and-spoke
B.Peering
C.Subnetting
D.VPC
B.Peering
Peering connects two or more virtual networks so that using resources in any of the networks is seamless and appears as just one network to the user.
An organization is using a public cloud to host sensitive information. The organization must ensure that the data is secure and private. What can the organization implement to provide greater security within the public cloud?
A.VRF
B.VPC
C.vNIC
D.Load balancer
B.VPC
The organization can provide greater security by implementing a VPC (Virtual Private Cloud) to add VPN (Virtual Private Network) connectivity and isolation to the regular public cloud implementation.
To improve a system’s performance during virtualization, the VMs installed should have direct access to network hardware within the system. Which component facilitates this access?
A.MPLS
B.SR-IOV
C.Virtual switch
D.IPAM
B.SR-IOV
The single root input/output virtualization (SR-IOV) component permits direct access between virtual machines and the PCIe bus, including the NICs on the bus. This permits faster communication between the physical network connection and the VMs on the host server.
The web developers are decommissioning a legacy web server on Amazon Web Services (AWS) and want to stand up a newly configured web server in the same location. The developers have not yet configured the new server’s network configuration but are requesting that the cloud administrators switch over the same network settings to the new server. What should the cloud administrator do to fulfill the request?
A.Reattach vNIC to the new server.
B.Setup VRF on the router.
C.Create a virtual private cloud (VPC).
D.Configure multiple VXLANs.
A.Reattach vNIC to the new server.
Virtual Network Interface Cards (vNICs) provide network configuration information to the VM instance. In the case of AWS Elastic Network Interface, the vNIC can be detached from one instance and reattached to another. Doing so maintains the vNIC’s configuration, making it portable.
Recently, an attacker successfully obtained website name history from multiple employees at a company by intercepting plain text traffic on the web. Aside from better monitoring practices, which of the following would use digital signatures to aid in mitigating an attack like this in the future?
A.DNSSEC
B.IPAM
C.CDN
D.HIDS
A.DNSSEC
Domain Name System Security Extensions (DNSSEC) is a security protocol that strengthens DNS authentication by using digital signatures based on public key cryptography. It is a feature provided in Google Cloud DNS.
An administrator is securing the organization’s cloud-based network resources from potential connections by configuring rules in the Access Control List (ACL). The rules will either accept or block the connections to the network based on predetermined criteria. What cloud appliance is the administrator configuring?
A.Load balancer
B.VLAN
C.WAF
D.VPC
C.WAF
The administrator is configuring a WAF (Web Application Firewall). A WAF examines network traffic, applies rules via the Access Control List (ACL), and then permits or denies traffic to cloud resources based on the rules.
Which of the following is a rule-based, lower-level security method generally seen as a highly secure means of communication encryption?
A.IPsec
B.SSL
C.HTTPS
D.TLS
A.IPsec
IPsec resides between the Internet and media layers. Encryption and decryption processes occur below the layer where the applications reside, so the applications never know it is happening. As a result, there are no application compatibility problems.
A Microsoft cloud technician has configured a VPC for a large group project and would now like to connect different, smaller projects to the VPC. What kind of network is the technician setting up?
A.Control plane
B.PaaS only
C.Hub-and-spoke
D.DMZ
C.Hub-and-spoke
A hub-and-spoke network model is centrally managed, providing connectivity and services with isolated networks for specific workloads. Here, the virtual private cloud (VPC) serves as the hub, with the smaller projects as the spokes.
In which of the following circumstances would a hub-and-spoke SDN (Software Defined Networking) design be an appropriate choice? (Select all that apply.)
A.When the organization needs to isolate workloads
B.When the organization needs to centralize management of administrative tasks
C.When the organization needs to delegate the management of Active Directory and DNS
D.When the organization needs to centralize the management and analysis of traffic
A.When the organization needs to isolate workloads
D.When the organization needs to centralize the management and analysis of traffic
A hub-and-spoke design is suitable as it isolates separate workloads, such as development, testing, and production environments in the spokes. Each spoke essentially operates as an independent network, reducing the risk of issues spreading across them.
In a hub-and-spoke design, all traffic between spokes must pass through the hub, allowing the organization to centralize its monitoring, management, and analysis. This centralization provides a holistic view of the network traffic and better control.