Networking Flashcards

1
Q

What is a customer gateway?

A

A device in the on-premises network that implements the customer side of an AWS Site-to-Site VPN connection.

2
Q

Route 53 weighted routing

A

Weighted routing lets you associate multiple resources with a single domain name (example.com) or subdomain name (acme.example.com) and choose how much traffic is routed to each resource.

3
Q

VPC Peering

A

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.

4
Q

Transit Gateway

A

AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway into each Amazon VPC, on-premises data center, or remote office across your network.

5
Q

What is the scope of NACLs?

A

NACLs apply at the subnet level, and therefore to every instance within the subnet.

6
Q

Are NACLs stateful or stateless? Why?

A

Stateless, because you must declare rules to allow requests in and separate rules to allow the responses back out.

8
Q

Are security groups stateful? Why or Why not?

A

Yes. They are stateful because response traffic for a connection that was allowed in is automatically allowed back out, without a separate outbound rule.

9
Q

What is the scope of security groups?

A

Security groups are attached to EC2 instances (to their network interfaces).

10
Q

Which network traffic do security groups block by default, and which do they allow by default?

A

Inbound traffic is blocked by default.

Outbound traffic is allowed by default.

11
Q

AWS Site-to-Site VPN

A

AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). You can securely extend your data center or branch office network to the cloud with an AWS Site-to-Site VPN (Site-to-Site VPN) connection. It uses Internet Protocol Security (IPsec) to create encrypted VPN tunnels between the two locations.

12
Q

AWS Direct Connect

A

Lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using industry-standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual interfaces. AWS Direct Connect does not involve the internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC.

Can take longer than one month to establish.

13
Q

AWS Global Accelerator

How is it billed?

A

A networking service that handles TCP and UDP traffic and directs it to optimal endpoints over the AWS global network. This improves the availability and performance of your internet applications for local or global users.

It provides static IP addresses that serve as a fixed entry point to your applications and eliminate the complexity of managing specific IP addresses for different AWS Regions and Availability Zones. AWS Global Accelerator always routes user traffic to the optimal endpoint based on performance, reacting instantly to changes in application health, your users' location, and policies that you configure.

Billing: AWS Global Accelerator is a self-service, pay-per-use offering, requiring no long-term commitments or minimum fees.

14
Q

What are the private IP address ranges in CIDR notation?

A

  1. 10.0.0.0/8
  2. 172.16.0.0/12
  3. 192.168.0.0/16
  4. 0.0.0/4 (the first octet is missing from the source)

15
Q

Amazon Route 53

A

Provides Domain Name System (DNS), domain name registration, and health-checking web services. The service was designed to give developers and businesses a reliable and cost-effective way to route end users to internet applications by translating names like example.com into the numeric IP addresses, such as 192.0.2.1, that computers use to connect to each other.

16
Q

What are the Route 53 routing options?

A

1. Simple Round Robin
2. Weighted Round Robin
3. Health Check and DNS Failover
4. Geolocation Routing
5. Geoproximity Routing with Traffic Biasing
6. Multivalue Answer

17
Q

Simple routing

A

Round robin distributes requests as evenly as possible between all participating servers.

18
Q

Weighted round robin: what is it, and what are typical use cases?

A

Allows you to assign weights to resource record sets in order to specify the frequency with which different responses are served. You may want to use this capability for A/B testing, sending a small portion of traffic to a server on which you've made a software change.

Weights can be any number between 0 and 255.

19
Q

Route 53 DNS Failover

A

Route 53 health checks monitor the health and performance of your web applications, web servers, and other resources. Each health check that you create can monitor one of the following:
• The health of a specified resource, such as a web server
• The status of other health checks
• The status of an Amazon CloudWatch alarm

After you create a health check, you can get the status of the health check, get notifications when the status changes, and configure DNS failover.

You can take advantage of this feature to increase the availability of your customer-facing application.

20
Q

Geolocation routing: what is it, and what are typical use cases?

A

Lets you choose the resources that serve your traffic based on the geographic location of your users (the origin of the DNS queries).

When you use geolocation routing, you can localize your content and present some or all of your website in the language of your users. You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights. You can also balance load across endpoints in a predictable, easy-to-manage way, so each end-user location is consistently routed to the same endpoint.

21
Q

Geoproximity routing

A

Lets you route traffic based on the physical distance between your users and your resources if you're using Route 53 traffic flow. You can also route more or less traffic to each resource by specifying a positive or negative bias. When you create a traffic flow policy, you can specify either an AWS Region (if you're using AWS resources) or the latitude and longitude for each endpoint.

A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource.

22
Q

Multivalue answer routing

A

If you want to route traffic approximately randomly to multiple resources, such as web servers, you can create one multi-value answer record for each resource and, optionally, associate an Amazon Route 53 health check with each record.

Amazon Route 53 gives different answers to different DNS resolvers.

23
Q

Virtual Private Gateway

A

The AWS side of an AWS Site-to-Site VPN connection (attached to the VPC).

24
Q

AWS VPN CloudHub

A

A service for connecting multiple sites into your VPC over VPN connections.

25
Q

VPC Endpoint

A

Private access to AWS services (i.e. traffic is not routed over the public internet but stays inside the AWS network).

26
Q

AWS Global Accelerator use cases

A

Non-HTTP use cases:
• UDP (gaming)
• IoT (MQTT)
• Voice over IP

HTTP use cases that require static IP addresses or fast regional failover.

27
Q

AWS PrivateLink

A

Private connectivity between virtual private clouds (VPCs) and services hosted on AWS or on-premises, without exposing traffic between your VPC and the service to the internet.

28
Q

Why use AWS PrivateLink?

A

  1. Traffic doesn't traverse the internet: use private IP addresses and security groups to access AWS-hosted or on-premises-hosted services.
  2. Simplified network management: no need for an Internet Gateway, NAT Gateway, firewall proxies, route table modifications, VPC Peering, Transit Gateway, or whitelisting IPs.
  3. Facilitates your cloud migration: AWS PrivateLink gives on-premises networks private access to AWS services via AWS Direct Connect.

29
Q

What is a VPC Endpoint?

A

An endpoint within a VPC that is used to create an AWS PrivateLink connection to an AWS service.

VPC endpoints are horizontally scaled, redundant, and highly available Amazon VPC components that allow communication between instances in an Amazon VPC (consumer VPC) and AWS-hosted services in another VPC (service VPC).

30
Q

What are the types of VPC endpoints?

A

There are two types of VPC endpoints: (1) interface endpoints and (2) gateway endpoints.

31
Q

Interface endpoints

A

Enable connectivity to services over AWS PrivateLink. These services include some AWS managed services, services hosted by other AWS customers and partners in their own Amazon VPCs, and supported AWS Marketplace partner services.

An interface endpoint is a collection of one or more elastic network interfaces with a private IP address that serves as an entry point for traffic destined to a supported service. Interface endpoints currently support over 17 AWS managed services.

32
Q

Gateway endpoints

A

A gateway endpoint targets specific IP routes in an Amazon VPC route table, in the form of a prefix list, used for traffic destined to Amazon DynamoDB or Amazon Simple Storage Service (Amazon S3). Gateway endpoints do not use AWS PrivateLink.

33
Q

What networking components does Global Accelerator provide you in order to function? Why?

A

Two static IP addresses. The static IP addresses provided by AWS Global Accelerator serve as single fixed entry points for your clients.

34
Q

Route 53 Hosted Zone

A

A hosted zone is a container for records, and records contain information about how you want to route traffic for a specific domain, such as example.com, and its subdomains (acme.example.com, zenith.example.com). A hosted zone and the corresponding domain have the same name.

35
Q

What are the two types of hosted zones in Route 53?

A

Public Hosted Zone

Private Hosted Zone

36
Q

Public hosted zones

A

Contain records that specify how you want to route traffic on the internet.

37
Q

Private hosted zones

A

Contain records that specify how you want to route traffic within an Amazon VPC.

38
Q

Route 53 alias records

A

Provide a Route 53-specific extension to DNS functionality.

Let you route traffic to selected AWS resources, such as CloudFront distributions and Amazon S3 buckets.

Let you route traffic from one record in a hosted zone to another record.

39
Q

CNAME record type - DNS Record Type

A

Maps DNS queries for the name of the current record, such as acme.example.com, to another domain (example.com) or subdomain (acme.example.com). Used to map one domain name to another.

You can't create a CNAME record that has the same name as the hosted zone.

This is true both for hosted zones for domain names (example.com) and for hosted zones for subdomains (zenith.example.com).

40
Q

A record type - DNS Record Type

A

Routes traffic to a resource using an IPv4 address.

41
Q

AAAA record type - DNS Record Type

A

Routes traffic to a resource using an IPv6 address.

42
Q

CAA record type - DNS Record Type

A

Specifies which certificate authorities (CAs) are allowed to issue certificates for a domain or subdomain.

43
Q

MX record type - DNS Record Type

A

Specifies the names of your mail servers.

44
Q

SOA record type - DNS Record Type

A

A start of authority (SOA) record provides information about a domain and the corresponding Amazon Route 53 hosted zone.

45
Q

NS record type - DNS Record Type

A

An NS record identifies the name servers for the hosted zone.

46
Q

For each public hosted zone, what records are automatically created?

A

Amazon Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record. You rarely need to change these records.

47
Q

Where can an alias record redirect queries to?

A

Amazon S3 buckets

CloudFront distributions

Another record in the same Route 53 hosted zone

An alias record can’t redirect queries anywhere else.

48
Q

Compare alias and CNAME records

A

  1. CNAME records can redirect queries anywhere; alias records are constrained in where queries can be redirected.
  2. Alias records can have the same name as the hosted zone; CNAME records cannot.
  3. Amazon doesn't charge for alias queries, but CNAME queries incur costs.
  4. An alias record answers only DNS queries that match the alias record's type and name, whereas a CNAME record always redirects.
  5. Responses to dig or nslookup differ for alias records but are standard for CNAME records.

49
Q

NAT Gateway

A

Network Address Translation (NAT) service.

Use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, while external services cannot initiate a connection with those instances.

50
Q

Public NAT Gateway - How do you create it, what does it do?

A

The default type of NAT gateway.

What it does: instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet.

How to create it: create the public NAT gateway in a public subnet and associate an Elastic IP address with the NAT gateway at creation. Then either:

• route traffic from the NAT gateway to the internet gateway for the VPC, or
• use the public NAT gateway to connect to other VPCs or your on-premises network; in this case, route traffic from the NAT gateway through a transit gateway or a virtual private gateway.

51
Q

Private NAT Gateway - How do you create it, what does it do?

A

Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway.

Route traffic from the NAT gateway through a transit gateway or a virtual private gateway.

52
Q

NAT Instance

A

Create your own AMI that provides network address translation and use that AMI to launch an EC2 instance as a NAT instance.

53
Q

How do you create a public NAT instance and what is it used for?

A

Launch a NAT instance in a public subnet to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, while preventing the instances from receiving inbound traffic initiated from the internet.

The NAT instance must have a public or Elastic IP address.

54
Q

What two features does a NAT instance support that a NAT gateway doesn't?

A

The instance can be used as a bastion host.

The instance can be configured to support port forwarding.

55
Q

Egress-only Internet gateway

A

A horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances.

56
Q

Internet gateway

How is it billed?

A

A horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

It serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

Billing: there is no additional charge for having an internet gateway in your account.

57
Q

Route 53 Inbound Endpoint

A

DNS resolvers in the on-premises network can forward DNS queries to Route 53 Resolver via this endpoint to resolve domain names for AWS resources.

58
Q

Route 53 Outbound Endpoint

A

Route 53 Resolver conditionally forwards queries to on-premises DNS resolvers via this endpoint to resolve on-premises resources from the VPC.

59
Q

What is the default entry in a default route table for local routing in the VPC?

A

Destination: the CIDR block of the VPC

Target: local

60
Q

What entry needs to be in the route table for the subnet to communicate to the internet using IGW?

A

Destination: 0.0.0.0/0

Target: the internet gateway (IGW) ID

61
Q

What entry needs to be in the route table to allow instances in the subnet to communicate through a NAT gateway (NGW)?

A

Destination: 0.0.0.0/0

Target: the NAT gateway ID

62
Q

To enable access to or from the internet for instances in a subnet in a VPC, what must you do?

A

  1. Create an internet gateway and attach it to your VPC.
  2. Add a route to your subnet's route table that directs internet-bound traffic to the internet gateway.
  3. Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
  4. Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.

63
Q

public subnet

A

A subnet that is associated with a route table that has a route to an internet gateway.

64
Q

private subnet

A

A subnet that is associated with a route table that does not have a route to an internet gateway.

65
Q

Main route table

A

The route table that automatically comes with your VPC. It controls the routing for all subnets that are not explicitly associated with any other route table.

66
Q

Explain how a subnet is associated with route table(s).

A

A subnet can be associated with only one route table at a time.
By default this is the main route table, but you can explicitly associate the subnet with another route table.
Multiple subnets can be associated with the same route table.

67
Q

Amazon Route 53 pricing

A

You pay for what you use:

Managing hosted zones: You pay a monthly charge for each hosted zone managed with Route 53.

Serving DNS queries: You incur charges for every DNS query answered by the Amazon Route 53 service, except for queries to Alias A records that are mapped to Elastic Load Balancing instances, CloudFront distributions, AWS Elastic Beanstalk environments, API Gateways, VPC endpoints, or Amazon S3 website buckets, which are provided at no additional charge.

Managing domain names: You pay an annual charge for each domain name registered via or transferred into Route 53.