Module 10 - Networking 2 Flashcards
How can you connect VPCs without routing through the public internet?
Use a VPC endpoint.
What is a VPC endpoint? Why would you use it?
A virtual device entry point in your VPC that enables you to connect privately to a service. Instances in your VPC do not require public IP addresses. Like a secret tunnel where you don’t have to leave the AWS network.
Eliminates the need for IGW, NAT device, VPN or Direct Connect.
What kinds of VPC endpoints are there?
Gateway endpoint - a gateway that you specify as a target for a route in your route table. Supports only Amazon S3 and DynamoDB. Free!
Interface endpoint (powered by AWS PrivateLink) - an elastic network interface (ENI) with a PRIVATE IP address from the IP address range of your subnet. You can connect to services powered by PrivateLink. (Costs $). Support MANY AWS services.
Gateway Load Balancer endpoint (powered by AWS PrivateLink)
What is AWS PrivateLink?
provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public internet.
How can VPCs communicate even if they are in different AWS accounts?
Use a VPC Peering connection. There can only be one peering resource between any two VPCs. NO transitive peering relationships. No overlapping CIDR blocks.
How do you set up a VPC peering connection?
The owner of the requester VPC (or local VPC) sends a request to the owner of the peer VPC. It cannot have a CIDR block that overlaps with your requester VPC’s CIDR block.
Once accepted, add a route to one or more of your VPC’s route tables that points to the IP address range of the peer VPC. (And the peer does the same).
What is a full mesh network design?
When each VPC connects to every other VPC in the organization.
What if I want to connect to multiple VPCs using an on-prem VPN or with full mesh peering?
You could have a zillion connections, but it is easier to use Direct Connect. Direct Connect is a network service that provides an alternative to using the Internet to utilize AWS cloud services
What is a Transit Gateway?
It’s a managed service that works like a cloud router to simplify your network architecture. Traffic between VPC and Transit Gateway is on the private network, never on the open internet. Protects against DDoS and other attacks.
Operates at Layer 3.
If I am using a Transit Gateway, how do I keep track of all the connections?
Use Transit Gateway Network Manager. You use it to monitor connections and identify issues in your network.
How do you connect to a Transit Gateway from on-prem?
VPN connections and Direct Connect gateways
What can you connect to a Transit Gateway?
- One or more VPCs
- One or more VPN connections
- One or more Direct Connect gateways
- One or more transit gateway peering connections (in a different region)
How can you set up a low-latency connection between on-prem and AWS resources?
AWS Site-to-Site VPN connection.
How is a Site-to-Site VPN Connection set up?
It has 2 VPN tunnels between a virtual private gateway (or a transit gateway) on the AWS side, and a customer gateway on the on-premises side.
The tunnels end in different AZs.
You can choose a static or dynamic VPN
Supports IPsec VPN connections
How do you initiate the Site-to-Site VPN connection?
Your customer gateway device must bring up the tunnels for your AWS Site-to-Site VPN connection by generating traffic and initiating the Internet Key Exchange (IKE) negotiation process. When you create a customer gateway, you provide information about your device to AWS.
What are three different connection methods for your VPN connection to AWS?
- Connect to a virtual gateway
- Connect to an EC2 instance (an unmanaged solution)
- Connect to a transit gateway
What is AWS Direct Connect?
Links your internal network to a Direct Connect location over a standard Ethernet fiber-optic cable. With this connection, you can create virtual interfaces directly to public AWS services, bypassing internet service providers (ISPs) in your network path.
You have the option of securing your data when it leaves your network until it arrives at AWS, using MACsec security.
What are the features of AWS Direct Connect?
Choose physical connections of 1, 10, and 100 Gbps.
Predictable network performance
Reduced bandwidth costs
Associated with a Region
When can you use Direct Connect in a Direct Connect location?
When:
• Your network is co-located with an existing Direct Connect location.
• You are working with a Direct Connect Partner.
• You are working with an independent service provider to connect to Direct Connect.
What are some ways you can connect a VPC with Direct Connect?
Transit VIF (virtual interface) to transit gateway (up to three transit gateways)
Private VIF to Direct Connect gateway
Private VIF to virtual private gateway
What is Route 53 Resolver?
It compares the domain name in the DNS query with the domain name in the rules that are associated with the VPC that the query originated from.
What is a connection to a transit gateway called?
Attachment
What are the 2 components of a Site-to-Site VPN connection?
Customer gateway device
Virtual private gateway
What are 2 ways an application running in a VPC can access S3 without internet access?
Interface endpoint.
Gateway endpoint.
What is a Star Configuration?
A way of connecting VPCs through peering, with one central VPC connected to 4 other VPCs.
