Network Flashcards
On a multi-tier architecture, what is the most common 3-tier combination used?
-Presentation tier (user interface)
-Application or logic tier
-Data tier
Assign True or False to the following statements:
-VPC Endpoints allow resources inside your VPC to communicate with other AWS Services without coming into contact with the public network. This is done by granting the Endpoint an IP belonging to the network inside the VPC.
-There are 3 types of VPC Endpoints: Gateway VPC Endpoints, Interface Endpoints and Gateway Load Balancing Endpoints
-Gateway VPC Endpoints work by redirecting any requests inside the VPC targeting its service (uses a prefix list) to itself, serving as a proxy to access the service. It can only be pointed to S3.
- Interface VPC Endpoints are Elastic Network Interfaces (ENI) with a VPC private address. They serve as the entry point for all traffic directed to their service. They are powered by AWS PrivateLink and can be configured for any AWS service. They use Security Groups for security.
- Gateway Load Balancing Endpoints work the same as Interface Endpoints, however they can only target Gateway Load Balancers configured to control traffic to other services.
-True
-True
-False, Gateway Endpoints can be pointed to either S3 or DynamoDB
-False, Interface Endpoints can’t be pointed to DynamoDB
-True
Explain how a Gateway VPC Endpoint works. Can it be extended through peering?
Gateway Endpoints need DNS resolution enabled in the VPC to work properly. Any domain name or IP pointing to the service that a resource inside the VPC tries to access is redirected to the endpoint. This is done by modifying the route tables of the VPC. Gateway Endpoints can’t be extended outside the VPC (peering, VPN, DX, TGW).
What are the differences between a Gateway VPC Endpoint and an Interface VPC Endpoint?
-Gateway Endpoints are free, while Interface Endpoints are billed for each hour the VPC endpoint remains provisioned in each Availability Zone and for each gigabyte processed through the VPC endpoint.
-Gateway Endpoints are only available for S3 and DynamoDB, while Interface Endpoints are available for all services except DynamoDB.
-A Gateway Endpoint will automatically reroute requests to its service, while EC2 instances have to be configured to access the Interface Endpoint.
-Gateway Endpoints work on a VPC level, while Interface endpoints work on a Subnet Level
- Interface Endpoints can be used to connect with anything outside the Subnet, including On-Premises and other regions, while Gateway Endpoints can only access their respective services.
- Gateway Endpoints need DNS Resolution enabled to work, while Interface Endpoints need DNS Hostnames and DNS Support
True or False: Resources like Amazon S3 can block access based on Endpoint DNS but not on IP, since Endpoints use Private IPs and blocking based on IP can only be done if using Public IP
True
Describe the function of AWS Private Link
PrivateLink allows you to connect VPCs over TCP without the need for VPC peering. It requires an NLB in one VPC and an ENI in the other to work, and if the NLB and ENI are deployed in multiple AZs the solution becomes fault tolerant. The access granted by PrivateLink is unidirectional.
Assign True or False to the following statements:
-AWS PrivateLink, and consequently VPC Endpoints, support both IPv4 and IPv6
-Endpoint Services cannot be tagged
-Interface Endpoints can be accessed from Direct Connect and Site-to-Site VPN
-False, PrivateLink supports only IPv4
-True
-True
What kind of DNS names can be created for interface endpoints?
-Endpoint-specific regional DNS hostname: An endpoint-specific DNS hostname is automatically generated and includes all zonal DNS hostnames generated for the interface endpoint. The hostname includes a unique endpoint identifier, service identifier, Region, and vpce.amazonaws.com in its name. For example: vpce-0fe5b17a0707d6abc-29p5708s.ec2.us-east-1.vpce.amazonaws.com
-Zonal-specific DNS hostnames: You can generate a zonal-specific DNS hostname for each Availability Zone in which the endpoint is available. The hostname includes the Availability Zone in its name. For example: vpce-0fe5b17a0707d6abc-29p5708s-us-east-1a.ec2.us-east-1.vpce.amazonaws.com
Zonal DNS hostnames support cross-zone load balancing to distribute traffic across registered targets in all activated Availability Zones. With this configuration, be aware that regional data transfer charges might apply for any data that is transferred between Availability Zones.
-Private DNS hostname: You can use a private DNS hostname to alias the automatically created zonal-specific or regional-specific DNS hostnames into a friendly hostname such as: myservice.example.com
Assign True or False to the following statements:
-VPC peering is the practice of connecting 2 VPCs through their routing tables without passing through the public net. It is highly available by default because it does not depend on any specific hardware or service
- VPC Peering is transitive, so connecting VPC A to VPC B and B to C connects A to C.
-VPC peering can be configured between different regions or AWS Accounts
- You cannot establish a peering connection between VPCs with an overlapping IPv4 CIDR block, even if you plan on using it with no overlapping IPv6 CIDR blocks
- Establishing Peering between 2 VPCs costs no money, but you are billed by the data transfer between the VPCs, regardless of AZ or Region.
-True
-False, VPC peering is not transitive
-True
-True
-True
What is Amazon Direct Connect (DX)? What are its available connection bandwidths?
Amazon Direct Connect is an AWS service that allows you to set up a physical connection between a local network and a VPC. It has 3 possible speeds: 1Gb/s, 10Gb/s and 100Gb/s.
What are the strategies that can be employed to obtain a Direct Connect (DX) connection?
-Set up at a location that already has a DX configured
-Collaboration with a partner that already has equipment set up at a DX location (you do not have to provide equipment with this option)
-Performing a direct connection from your local network to a DX node alongside AWS.
Assign True or False to the following statements:
-Direct Connect accepts both IPv4 and IPv6
-After the Direct Connect setup, the DX connection itself generates no costs for the customer
- Direct Connect is not redundant by default, so it is necessary to configure additional DXs or a VPN for failover.
-Any data passed through the DX is encrypted by default
-It is possible to create Link Aggregation Groups (LAG) to increase speed and failover by joining multiple DXs into a single logical unit. Up to 4 connections can be joined, and they must have the same bandwidth.
-True
-False, Direct Connect is billed by both port hours and data transfer fees. It is generally more expensive than a VPN.
-True
-False, to encrypt data passing through DX you must configure a VPN over it.
-True
What are the types of Virtual Interfaces (VIFs) available for Direct Connect?
-Public VIF: Connects to public AWS Endpoints (S3 buckets, EC2 service, anything AWS)
-Private VIF: Connects to your private VPC (EC2 instances, Interface Endpoints, etc ). Can only connect directly to a Virtual Private Gateway or a Direct Connect Gateway.
-Transit Virtual Interface: Connects to your VPC using a Transit Gateway
What service could you use to setup a Direct Connection to VPCs in different regions / cross account?
You could use a Direct Connect Gateway: you connect to the gateway and it then performs the connection to the VPCs. You can also use it to connect multiple on-premises data centers by connecting them through their respective DXs.
What are the kinds of AWS VPN services?
-AWS Client VPN, which is used to connect Users to AWS or on-prem networks
-AWS Site-to-Site VPN, which is used to connect an on-prem network to Amazon VPCs
How does the Site-to-Site VPN connection work?
It is necessary to set up a Customer Gateway to point the on-premises VPN to AWS and a Virtual Private Gateway to be pointed to, which is attached to your VPC. After that, 2 connections are created through the gateway that lead to different AZs inside the VPC.
Assign True or False to the following statements:
- Public net can be accessed by the On-prem server through the Site-to-site VPN if it uses a NAT Gateway to do so
- Public net can be accessed by the On-prem server through the Site-to-site VPN if it uses a NAT Instance to do so
- Public net cannot be accessed by the AWS Network through the On-prem network.
-Site-to-site VPN can be accelerated using Global Accelerator
-False, NAT Gateway restrictions will block the corporate data center
-True
-False, public network can be accessed through the corporate data center
-True
Can you connect multiple Customer Gateways to the same Virtual Private Gateway in site-to-site VPN?
Yes, you can use CloudHub to connect up to 10 Customer Gateways to the same VPG. If you want to connect one Customer Gateway to multiple VPGs you need multiple site-to-site VPNs, with Direct Connect Gateways probably being a better solution.
True or False: You can benefit from a single Site-to-Site VPN through multiple VPCs by using VPC peering to connect all VPCs to the one connected through Site-to-Site VPN and having copies or proxies of the on-prem resources on it.
True
How does monitoring work for Site-to-Site VPNs?
Site-to-Site VPN tunnels can be monitored by CloudWatch, which collects the raw data being transmitted and converts it into real-time metrics. These statistics are recorded for 15 months.
Explain the billing for Site-to-Site VPNs
Site-to-Site VPNs are billed by the amount of data transferred outside AWS through them plus a fixed cost to maintain the connection. Additionally, if the connection uses Global Accelerator there is an additional charge for 2 Global Accelerators per VPN connection and a premium on the Transfer Out billing.
Assign True or False to the following statements:
-Client VPNs function exactly as normal VPN connections, with a Client VPN Endpoint being created at AWS and being accessed by the user
-Client VPN accepts both IPv4 and IPv6
- Client VPNs can access resources through VPC Peering, Site-to-Site VPNs and NAT Gateways
- Client VPNs can be monitored through CloudWatch, with logs being generated in real-time
- Billing is calculated based on number of active connections and number of subnets associated with Client VPN
-True
-False, works only with IPv4
-True
-False, logs are generated every 5 minutes
-True
Assign True or False to the following statements:
-Transit Gateway allows you to connect multiple different VPCs in a transitive manner
-Transit Gateways can perform peering with each other, even in other Regions, and all VPCs connected to these gateways can peer with each other
-Works by implementing its own routing table
-Can work with Direct Connect Gateway and VPN connections
-Supports IP Multicast
-Only works between VPCs in the same region
-VPCs connected can access each other’s NAT Gateways, ELBs, Private Links and EFSs
- Can be Shared through RAM
- Billing is calculated based on number of connections and volume of data processed in GB
-True
-True
-True
-True
-True
-False
-True
-True
-True
What are the differences between a Public Subnet and a Private Subnet?
Public Subnets have routing tables that send 0.0.0.0/0 to an Internet Gateway (IGW) responsible for accessing the internet, while Private Subnets access the internet through NAT Gateways or NAT Instances set up in a Public Subnet, and all 0.0.0.0/0 traffic must be configured to be redirected to the NAT.
Explain the differences between NACLs and security groups
-NACLs affect the entire subnet or VPC, while security groups only affect individual instances
-NACLs support both ALLOW and DENY rules, while security groups only support ALLOW rules (implicit DENY)
-NACLs are stateless, which means return traffic must be explicitly allowed, while Security Groups are stateful, which means return traffic is always allowed as long as the input traffic was allowed
-NACLs only work with blocks of IP addresses, while Security Groups can also reference other Security Groups in the same region (they can also reference SGs of peered connections, even if cross-account)
Explain the following concepts:
- TLD
- ccTLD
- gTLD
- SLD
- FQDN
- TLD means Top Level Domain, and it is the topmost domain (most to the right) of a URL. An example of a TLD is .com
- ccTLD is a country-code TLD, a TLD that is reserved for use by a nation. An example of a ccTLD is .br
- gTLD is a generic TLD, a TLD that does not have a country designation. An example of a gTLD is .com.
- SLD means Second Level Domain, and it comes after the TLD. An example of an SLD is .google in www.google.com
- An FQDN is a Fully Qualified Domain Name, and it contains the entire domain string. An example of a FQDN is www.google.com
Complete the following:
- _______ is the topmost domain (most to the right) of a URL. An example is .com
- _______ is a TLD that is reserved for use by a nation. An example is .br
- _______ is a TLD that does not have a country designation. An example is .com.
- _______, and it comes after the TLD. An example is .google in www.google.com
- _______ contains the entire domain string. An example is www.google.com
- TLD, or Top Level Domain
- ccTLD, or country-code TLD
- gTLD, or generic TLD
- SLD, or Second Level Domain
- FQDN, or Fully Qualified Domain Name
Explain DNS Zones
A DNS Zone is a group of nodes on the domain hierarchy that possesses authority over a subset of domains. Generally, the higher up a node is in the zone, the more authority it has over the zone.
Explain the following DNS network functions:
- Registrant
- Registrar
- Registry operator/ Registry
- A registrant is someone who registers a domain name with a registrar
- A registrar sells domain names. Whenever a domain is purchased, it must inform the registry responsible for the domain
- A registry is responsible for creating and managing zone files and maintaining the database of domain names for each TLD
What are the main types of DNS records accepted by Route 53 and what do they mean?
- A records: Map domains to IPv4
- AAAA records: Map domains to IPv6
- CNAME records: Maps domain to another domain, which must have an A or AAAA record associated to it. It also cannot be the top domain inside a zone (ex: example.com is forbidden, but www.example.com is not)
- NS: Maps a Domain to its authoritative name server
Complete the following:
- ______ records map domains to IPv4
- ______ records map domains to IPv6
- ______ records map domains to other domains, which must have an A or AAAA record associated to them.
- ______ records map a domain to its authoritative name server
-A
-AAAA
-CNAME
-NS (Name Server)
What info can you find in a DNS Record?
- The domain name
- The domain TTL (in seconds)
- The class of the protocol. It is almost always IN (Internet protocol)
- The record type
- The value to which the domain is mapped
What is a DNS Name Server?
Name servers are specialized servers that handle DNS queries and provide DNS resolution. They store and manage DNS records for specific domains. Name servers can be authoritative for a domain or act as a caching server to improve DNS lookup performance.
In a DNS lookup for www.example.com, in what order are the domain name servers accessed?
- 1st: Root Server, returns .com Server
- 2nd: .com Server, returns example.com Server
- 3rd: example.com Server, returns the IP of www.example.com.
Explain what a Route 53 Hosted Zone is.
A Hosted Zone is similar to a DNS Zone File: it contains DNS Records belonging to the same domain that can be managed together. Route 53 then provides authoritative name servers for all Hosted Zones.
Assign True or False for each statement below:
- Route 53 allows you to create and manage DNS Records of various types, allowing for highly customizable DNS Routing
- Route 53 is highly available by default, with each Hosted Zone being assigned a set of Virtual DNS servers by the system
- Route 53 has autoscaling built-in by default, but it must be turned on by the user
- Performing any action on Route 53 requires the adequate IAM permissions granted to the user so they have the authority to perform the desired operations.
- It is possible to transfer Domains between registrars, but not between AWS accounts
-True
-True
-False, it scales by default
-True
-False, Domains can be transferred between accounts through the AWS CLI
Explain how Route 53 Health checks work
Route 53 can set up health checks for PUBLIC services it interacts with. There are 3 types of health check:
- Endpoint Health Check: Monitors an endpoint through IP or domain. Can be configured with regard to frequency
- Calculated Health Checks: A health check that checks the status of other health checks. Useful if you only need to take action when n resources fail, so you only take action when n health checks fail. A parent health check can monitor up to 256 child health checks
-Cloudwatch Health Checks: Health Checks that monitor Cloudwatch Alarms based on specific metrics.
Explain the difference between Public Hosted Zones and Private Hosted Zones
Public Hosted Zones define how you want to route traffic on the internet, while Private ones define how you want to route traffic inside VPCs. Private Hosted Zones don’t need to route traffic to a single VPC, being capable of directing traffic to multiple ones (n-to-n relationship).
What Private Hosted Zone configurations are important to know regarding VPCs?
-To use Private Hosted Zones, you must set the enableDNSHostnames and enableDNSSupport settings to True.
-The Route 53 DNS resolver has 3 possible IPs: 169.254.169.253 for IPv4, fd00:ec2::253 for IPv6 and your private IPv4 CIDR + 2 (ex: if your block is 10.11.12.0, the IP is 10.11.12.2)
What routing policies are supported by private hosted zones?
-Simple
-Failover
-Weighted
-Multi-value answer
-Geolocation
-Latency-based
(All except Geoproximity and IP based)
True or False: There are no types of records you cannot create inside a private hosted zone
False, you cannot create NS records inside private hosted zones
What are the differences between CNAME records and Route 53 aliases
- CNAME returns a Domain, while alias returns the IP of that Domain
- Alias can point to zone apex Domain (example.com)
- Alias can route traffic to AWS resource endpoints
- Alias records evaluate target health by default using a function called Evaluate Target Health
When you create a record in Route 53 you also define a routing policy for it. What routing policy types are available?
-Simple (Standard)
-Failover (When you want active-passive failover)
-Weighted (Multiple resources in specific proportions)
-Latency (Resource with best latency)
-Geolocation (Routing based on client location)
-Geoproximity (Routing based on resource location)
-IP-Based (Specific routing for specific IPs)
-Multivalue (Up to 8 possible records at random)
Explain DNSSEC extension
The DNSSEC extension protects your Domain from DNS Spoofing or man-in-the-middle attacks. It does so by verifying that a DNS response has come from Route 53 and detecting whether it has been tampered with. DNSSEC works only with public hosted zones.
What are possible AWS Service Endpoints you can point your alias record to?
- S3 Websites
- ELB
- Cloudfront
- API Gateway
- Global Accelerator
- Route 53 Record
- Elastic Beanstalk
- VPC Interface Endpoint
- CANNOT be set for EC2 DNS Name
Explain the trade-offs between having a higher or lower Record TTL
The TTL defines how long a record can stay cached before it has to be fetched from Route 53 again. Therefore, Records with a high TTL have a lower cost, since you need to hit Route 53 less frequently, but they run the risk of becoming stale.
Assign True or False indicating if each routing strategy below can have a health check associated to it or not:
-Simple: _______________
-Weighted: ____________
-Failover: ______________
-Geoproximity: ________
-Geolocation: __________
-IP-based: _____________
-Latency: ______________
-Multivalue: ___________
-False
-True
-True
-?
-True
-?
-True
-True
What is a Route 53 Resolver? What are its use cases?
A Route 53 resolver helps you redirect DNS traffic between multiple networks, and it should be used on a hybrid architecture use case.
Assign True or False to the following statements regarding Route 53 Resolver Endpoints:
- An Inbound Endpoint redirects DNS queries from the internet to your Route 53 Resolver, while an Outbound Endpoint redirects from the Route 53 Resolver to outside DNS servers
- You can configure Inbound Endpoints, Outbound Endpoints or Endpoints capable of handling both Inbound and Outbound Traffic
- All endpoints must be located within at least 2 subnets across different AZs
- When creating your Resolver Endpoints, it is necessary to create the appropriate inbound and outbound traffic rules for your VPC and forwarding rules to your endpoints
- The endpoints are made of ENIs with different IP addresses
- True
- False, there are no endpoint types that can handle both inbound and outbound traffic
- True
- True
- True
What’s the name of the AWS Service you can use to check which resources a web request passes through when accessing a resource inside your AWS Account?
AWS Network Access Analyzer
How does AWS global accelerator work?
Global accelerator works by providing you with 2 fixed Anycast IP addresses that can be used to route data through AWS’ internal network by going through edge locations
What is AWS CloudFront?
It’s a service for setting up a Content Delivery Network that allows you to improve read performance by caching content
True or False: CloudFront can’t help you against DDoS and other application/network layer attacks, you must use WAF for that
False, Cloudfront can help against those kinds of attacks and has AWS Shield integration
What kinds of data origins does Cloudfront support?
-S3 Bucket
-S3 Bucket configured as website
-MediaStore Container & MediaPackage Endpoint
-Custom Origin (HTTP). Ex: EC2, ELB, API Gateway
When should you use Cloudfront and when should you use S3 Cross Region Replication?
Cloudfront is good for static content that must be available everywhere. Meanwhile, S3 Cross Region Replication is good for dynamic content that must be available at low latency in some specific regions
What are Cloudfront origin groups?
They are a group of related origins configured so that if one of them fails CloudFront can reroute the requests to a different origin inside the group
True or False: Cloudfront can block requests based on the requester’s country
True