Module 7: Create a networking env Flashcards

1
Q

Reminder on AWS Physical infrastructure

A

Servers sit in racks in a data center. Every rack has network routers and switches to route traffic.
Data centers are grouped in AZs.
AZs are grouped in regions and connected with a 0.001-9 second latency network.
Regions are interconnected with 0.01-9 second latency.

2
Q

Reminder on Virtual networks

A

A virtual network emulates a physical one with switches, firewalls, and load balancers. It sits on top of the physical network.

3
Q

Is a VPC logically or physically isolated?

A

Logically

4
Q

Name two services designed to operate in a VPC

A

EC2 and RDS

5
Q

Name two services operating outside a customer VPC

A

Lambda and CloudWatch

6
Q

Why should you build a new VPC for a production environment?

A

Because the default VPC already has connectivity configurations; you should configure your own depending on your requirements.

7
Q

How do you size a VPC?

A

By allocating a range of IP addresses

8
Q

What is another name for a range of IP addresses?

A

A CIDR block

9
Q

What is a CIDR block?

A

It stands for Classless Inter-Domain Routing. In other words, a range of IP addresses.

10
Q

Is the size of the VPC easy to modify?

A

No, this is why it’s important to assess the size correctly.

11
Q

Min and max size of an IPv4 VPC?

A

Min of 16 IP addresses (/28)
Max of 65536 IP addresses (/16)

12
Q

What is the dual stack configuration for a VPC?

A

Includes both IPv4 and IPv6 domains

13
Q

What tool can I use to manage my addresses more easily?

A

The IP address manager (IPAM)

14
Q

Why opt for IPv6?

A

More addresses, and also often better performance because IPv4 doesn’t do NAT

15
Q

What should I be careful with when sizing a VPC with IPv4?

A

The cost because each IP is billed by the hour whether attached to a service or not.

16
Q

What is a subnet?

A

It’s a division of a VPC. Each subnet is linked to an AZ. It’s also a segment of the VPC’s IP range.

17
Q

Can subnet CIDR blocks overlap?

A

No

18
Q

Are all IPs in a subnet freely available to the customer?

A

No. Amazon reserves 5 for its own usage:
1. Network address
2. VPC local router
3. DNS resolution
4. Future use (undefined yet)
Last: Network broadcast address

19
Q

Two types of subnet

A

Public or private, depending on how accessible they are.

20
Q

What should I consider for making resources accessible through the internet?

A

A subnet with an internet gateway

21
Q

How to configure my VPC to send traffic to the internet?

A

Create a public VPC with a public subnet route table

22
Q

What is an elastic IP address?

A

An IP address that can migrate from one EC2 instance to another. The IP stays the same.

While a private IP is released when the instance is terminated, the elastic IP stays.

The first one is free, but additional ones incur charges.

23
Q

Cost and elastic IPs?

A

The first one is free, but if it is detached and not reattached there is an hourly fee.
Additional elastic IPs are charged.

24
Q

What can an elastic IP be linked to?

A

A load balancer, a VPC network interface, or an EC2 instance

25
Q

What if you don’t want your resource to be accessible from the internet?

A

Create a private subnet

26
Q

What is the best practice regarding route tables and subnets?

A

To define a custom route table for every subnet

27
Q

What are NATs useful for?

A

If you don’t want to expose your IP to the internet, a NAT will replace the IP with its own.

28
Q

Can IPv4 do NAT?

A

No, this is also why an internet gateway can be used

29
Q

Sometimes a resource in a private subnet may need access to the internet. How do you do that?

A

Use a NAT device hosted in a separate public subnet and linked to the private subnet through the private subnet’s route table.

30
Q

What are the options for setting up a NAT device?

A

A NAT gateway provided by AWS, or set up your own NAT device on an EC2 instance.
Note: when using multiple AZs, create a gateway in each AZ for better resilience.

31
Q

What about IPv6 if a private subnet wants to access the internet?

A

Set up an egress-only internet gateway, which allows outbound but no inbound traffic

32
Q

Should I place a web app in a private or public subnet?

A

Amazon recommends a private subnet with a load balancer in front, unless the environment requires a public subnet.

33
Q

Recall the security layers between the client application and the EC2 instance

A

1. Secure network protocol (TLS or HTTPS)
2. Internet gateway
3. Route table
4. ACL
5. Subnet layer
6. Security group layer

34
Q

What is the difference between a security group and an access control list?

A

The security group will prevent you from entering a building, much like needing a key to open a door.
An ACL will let you in if you are the right person.

Security group = do you have the key? The security group controls the resource.

ACL = does the doorman know you? The ACL controls the subnet.

A security group is stateful, meaning that if inbound traffic is allowed, the return outbound traffic is allowed as well by default.

An ACL is stateless: inbound and outbound must be explicitly stated.

Security groups only specify allow rules.

ACLs specify allow and deny rules.

35
Q

What additional safety can be added to the network?

A

A firewall, when dealing with sensitive data. It’s a buffer to ensure that the incoming traffic is not malicious. It’s deployed in a dedicated firewall subnet.

The route will point to the firewall instead.

Another option is to use a bastion host: a server providing maintenance access to the private subnet. You host it in a public subnet, allow access to it through IAM policies and security groups, and only link it to the private subnet.

36
Q

How do I best connect to managed AWS services?

A

Through the use of an interface VPC endpoint

37
Q

How to set up the interface VPC endpoint?

A

Choose the service, choose the VPC for the service, then the subnet, and specify the security group

38
Q

What other type of endpoint exists and what is it used for?

A

Gateway VPC endpoints, to connect to S3 or DynamoDB. The difference is that there is no AWS PrivateLink, unlike for interface VPC endpoints.

39
Q

Interface VPC endpoints vs gateway VPC endpoints

A

Gateway endpoints need a public IP, and interface endpoints a private one.

Basically, interface endpoints are more secure but cost money and limit performance.
Gateway endpoints are less secure but free and have no performance limitation.

40
Q

How do I monitor the traffic in my VPC?

A

With VPC flow logs

41
Q

What type of traffic do I monitor in my VPC flow log?

A

All traffic, accepted traffic or rejected traffic

42
Q

What service may work well in conjunction with the flow logs?

A

Amazon CloudWatch, but logs can also be exported to an S3 bucket and analysed there, for example through Athena.
Amazon Kinesis Data Firehose can also deliver logs to Amazon OpenSearch dashboards or third-party solutions like Splunk.

43
Q

Can all users access the logs?

A

No. Attach a role to an IAM user with the appropriate permissions.

44
Q

Additional tools for VPC monitoring?

A

Reachability Analyzer
Network Access Analyzer
Traffic Mirroring

45
Q

Well architected: How to make the network RELIABLE?

A

Ensure IP subnet allocation accounts for expansion and availability.
(Do not forget the 5 reserved IPs per subnet; be careful with services that have to provision additional IPs; plan carefully.)

46
Q

Well architected: How to make the network SECURE?

A

Create network layers: group services sharing the same security requirements in a layer with the proper security rules.
Control traffic at all layers: combine ACLs, security groups, etc.
Inspect and protect: VPC Network Access Analyzer.

47
Q

Well architected: How to make the network EFFICIENT?

A

Understand how networking impacts performance.
Evaluate available networking features.
Choose network protocols to improve performance: do not use TCP for everything; also consider UDP for real-time data.

48
Q

What network protocol for real-time data?

A

UDP

49
Q

What network protocol for critical data?

A

TCP, because it is more reliable

50
Q

Well architected: How to make the network COST OPTIMIZED?

A

Choose the region accordingly

51
Q

How do you create a public subnet?

A

Create an internet gateway.

Create a route table.

Add a route to the route table that directs 0.0.0.0/0 traffic to the internet gateway.

Associate the route table with a subnet, which becomes a public subnet.
