Networking

Question 1

What is a customer gateway?

Answer 1

Device used in the on prem network to implement a AWS site to site VPN.

Question 2

Route 53 weighted routing

Answer 2

Weighted routing lets you associate multiple resources with a single domain name (example.com) or subdomain name (acme.example.com) and choose how much traffic is routed to each resource.

Question 3

VPC Peering

Answer 3

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.

Question 4

Transit Gateway

Answer 4

AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway into each Amazon VPC, on-premises data center, or remote office across your network.

Question 5

What are the scope of NACLs?

Answer 5

NACLs apply to subnets, or any instance within the subnet

Question 6

Are NACL stateful or stateless? Why?

Answer 6

Stateless, because you must declare rules to allow request in and to also allow responses out

Question 7

Are NACL stateful or stateless? Why?

Answer 7

Stateless, because you must declare rules to allow request in and to also allow responses out

Question 8

Are security groups stateful? Why or Why not?

Answer 8

Yes, they are stateful because they allow traffic out that was initially allowed in

Question 9

What is the scope of security groups?

Answer 9

Security groups are connected to EC2 instances

Question 10

What type of network traffic is blocked by default with security groups? not blocked by default?

Answer 10

Inbound traffic is blocked by default

Outbound traffic is not blocked by default

Question 11

AWS Site-to-Site VPN

Answer 11

AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). You can securely extend your data center or branch office network to the cloud with an AWS Site-to-Site VPN (Site-to-Site VPN) connection. It uses internet protocol security (IPSec) communications to create encrypted VPN tunnels between two locations.

Question 12

AWS Direct Connect

Answer 12

lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using industry-standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual interfaces. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC.

Can take longer than one month to establish

Question 13

AWS Global Accelerator

How is it billed?

Answer 13

a network layer service (e.g. TCP or UDP) that directs traffic to optimal endpoints over the AWS global network, this improves the availability and performance of your internet applications for local or global users.

It provides static IP addresses that provide a fixed entry point to your applications and eliminate the complexity of managing specific IP addresses for different AWS Regions and Availability Zones. AWS Global Accelerator always routes user traffic to the optimal endpoint based on performance, reacting instantly to changes in application health, your user’s location, and policies that you configure.

AWS Global Accelerator is a self-service, pay-per-use offering, requiring no long term commitments or minimum fees.

Question 14

What are private IP in CIDR?

Answer 14

10. 0.0.0/8
11. 16.0.0/12
12. 168.0.0/16
13. 0.0.0/4

Question 15

Amazon Route 53

Answer 15

provides a Domain Name System (DNS), domain name registration, and health-checking web services. The service was designed to give developers and businesses a reliable and cost-effective way to route end users to internet applications by translating names like example.com into the numeric IP addresses, such as 192.0.2.1, that computers use to connect to each other.

Question 16

What are the route 53 routing options

Answer 16

1. Simple Round Robin
2 Weighted Round Robin
3. Health Check and DNS Failover
4. Geolocation Routing
5. Geoproximity Routing with traffic Biasing
6. Multi Value Answer

Question 17

Simple routing

Answer 17

Round robin distributes the number of of requests as evenly as possible between all participating servers

Question 18

Weighted round robin, what and list typical use cases

Answer 18

Allows you to assign weights to resource record sets in order to specify the frequency with which different responses are served. You may want to use this capability to do A/B testing, sending a small portion of traffic to a server on which you’ve made a software change.

Weights can be any number between 0 and 255.

Question 19

Route 53 DNS Failover

Answer 19

monitor the health and performance of your web applications, web servers, and other resources. Each health check that you create can
monitor one of the following:
• The health of a specified resource, such as a web server
• The status of other health checks
• The status of an Amazon CloudWatch alarm

After you create a health check, you can get the status of the health check, get notifications when the status changes, and configure DNS failover.

You can take advantage of this feature to increase the availability of your customer-facing application.

Question 20

Geolocation routing, what and typical use cases

Answer 20

lets you choose the resources that serve your traffic based on the geographic location of your users (the origin of DNS queries).

When you use geolocation routing, you can localize your content and present some or all of your website in the language of your users. You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights. You can also balance load across endpoints in a predictable, easy-to-manage way, so each end-user location is consistently routed to the same endpoint.

Question 21

Geoproximity routing

Answer 21

lets you route traffic based on the physical distance between your users and your resources if you’re using Route 53 traffic flow. You can also route more or less traffic to each resource* by specifying a positive or negative bias. When you create a traffic flow policy, you can specify either an AWS Region (if you’re using AWS resources) or the latitude and longitude for each endpoint.

A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource

Question 22

multi-value answers

Answer 22

If you want to route traffic approximately randomly to multiple resources, such as web servers, you can create one multi-value answer record for each resource and, optionally, associate an Amazon Route 53 health check with each record.

Amazon Route 53 gives different answers to different DNS resolvers.

Question 23

Virtual Private Gateway

Answer 23

The AWS side of an AWS VPN

Question 24

AWS VPN CloudHub

Answer 24

A service for connecting multiple sites into your VPC over VPN connections.

Question 25

VPC Endpoint

Answer 25

Private access (e.g not routed over public internet, but traffic kept inside AWS) to AWS services

Question 26

AWS Global Accelerator use cases

Answer 26

non-HTTP user cases
UDP (gaming)
IoT (MQTT)
Voice over IP
HTTP that require static IP addresses or fast regional failover

Question 27

AWS PrivateLink

Answer 27

private connectivity between virtual private clouds (VPC) and services hosted on AWS or on-premises, without exposing traffic between your VPC and the service to the internet

Question 28

Why use AWS PrivateLink?

Answer 28

1. Traffic doesn’t traverse the internet - Use Private IP Addresses and Security Groups to access AWS hosted services or on prem hosted services
2. Simplify Network Management - No need for Internet GW, NAT GW, firewall proxies route table modification, VPC Peering, Transit GW or whitelisting IPs
3. Facilitate Your Cloud Migration - AWS PrivateLink gives on-premises networks private access to AWS services via AWS
   Direct Connect

Question 29

What is a VPC Endpoint?

Answer 29

Endpoint within VPC that is used to create AWS Private Link to AWS Service

horizontally scaled, redundant, and highly
available Amazon VPC components that allow communication between instances in an Amazon VPC (consumer VPC) and AWS hosted services in another VPC (service VPC)

Question 30

List types of VPC endpoints?

Answer 30

There are two types of VPC endpoints: (1) interface endpoints and (2)
gateway endpoints

Question 31

Interface endpoints

Answer 31

Enable connectivity to services over AWS PrivateLink. These services
include some AWS managed services, services hosted by other AWS customers and partners in their own Amazon VPCs , and supported AWS Marketplace partner services.

An interface endpoint is a collection of one or more elastic network interfaces with a private IP address that serves as an entry point for traffic destined to a supported service. Interface endpoints currently support over 17 AWS managed services.

Question 32

Gateway endpoints

Answer 32

A gateway endpoint targets specific IP routes in an Amazon VPC route table, in the form of a prefix-list, used for traffic destined to Amazon DynamoDB or Amazon SimpleStorage Service (Amazon S3). Gateway endpoints do not use AWS PrivateLink.

Question 33

What networking components does Global Accelerator provide you in order to function? Why?

Answer 33

Two static IPs - static IP addresses provided by AWS Global Accelerator serve as single fixed entry points for your clients

Question 34

Route53 Hosted Zone

Answer 34

A hosted zone is a container for records, and records contain information about how you want to route traffic for a specific domain, such as example.com, and its subdomains (acme.example.com, zenith.example.com). A hosted zone and the corresponding domain have the same name.

Question 35

What are the two types of hosted zones in Route53?

Answer 35

Public Hosted Zone

Private Hosted Zone

Question 36

Public hosted zones

Answer 36

contain records that specify how you want to route traffic on the internet

Question 37

Private hosted zones

Answer 37

contain records that specify how you want to route traffic in an Amazon VPC

Question 38

Route 53 alias records

Answer 38

provide a Route 53–specific extension to DNS functionality

let you route traffic to selected AWS resources, such as CloudFront distributions and Amazon S3 buckets

let you route traffic from one record in a hosted zone to another record

Question 39

CNAME record type - DNS Record Type

Answer 39

maps DNS queries for the name of the current record, such as acme.example.com, to another domain (example.com) or subdomain (acme.example.com) - used to map one domain name to another

You can’t create a CNAME record that has the same name as the hosted zone

This is true both for hosted zones for domain names (example.com) and for hosted zones for subdomains (zenith.example.com)

Question 40

A record type - DNS Record Type

Answer 40

route traffic to a resource using IPv4 address

Question 41

AAAA record type - DNS Record Type

Answer 41

route traffic to a resource using IPv6 address

Question 42

CAA record type - DNS Record Type

Answer 42

specifies which certificate authorities (CAs) are allowed to issue certificates for a domain or subdomain

Question 43

MX record type - DNS Record Type

Answer 43

specifies the names of your mail servers

Question 44

SOA record type - DNS Record Type

Answer 44

A start of authority (SOA) record provides information about a domain and the corresponding Amazon Route 53 hosted zone

Question 45

NS record type - DNS Record Type

Answer 45

NS record identifies the name servers for the hosted zone

Question 46

For each public hosted zone, what records are automatically created?

Answer 46

Amazon Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record. You rarely need to change these records.

Question 47

Where can an alias record redirect queries to?

Answer 47

Amazon S3 buckets

CloudFront distributions

Another record in the same Route 53 hosted zone

An alias record can’t redirect queries anywhere else.

Question 48

Compare alias and CNAME records

Answer 48

1. CNAME records can redirect queries anywhere, alias records are constrained with where queries can be redirected
2. Alias records can hav the same name as the hosted zone, CNAME can not
3. Amazon doesn’t charge for alias queries but CNAME queries incur costs
4. DNS query must match alias type and name, but CNAME will always redirect
5. Responses to dig or nslookup are different for alias, standard for CNAME

Question 49

NAT Gateway

Answer 49

Network Address Translation (NAT) service

use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances

Question 50

Public NAT Gateway - How do you create it, what does it do?

Answer 50

Default NAT Gateway

Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet or

create a public NAT gateway in a public subnet and must associate an elastic IP address with the NAT gateway at creation

route traffic from the NAT gateway to the internet gateway for the VPC

or

public NAT gateway to connect to other VPCs or your on-premises network, in this case, you route traffic from the NAT gateway through a transit gateway or a virtual private gateway

Question 51

Private NAT Gateway - How do you create it, what does it do?

Answer 51

Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway

route traffic from the NAT gateway through a transit gateway or a virtual private gateway

Question 52

NAT Instance

Answer 52

create your own AMI that provides network address translation and use your AMI to launch an EC2 instance as a NAT instance

Question 53

How do you create a public NAT instance and what is it used for?

Answer 53

launch a NAT instance in a public subnet to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated on the internet

Must have public or elastic IP

Question 54

What two features does NAT instance support that NAT Gateway doesn’t?

Answer 54

Instance can be used as a bastion host

Instance can be configured to support port forwarding

Question 55

Egress-only Internet gateway

Answer 55

horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances

Question 56

Internet gateway

How is it billed?

Answer 56

horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet

serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses

There’s no additional charge for having an internet gateway in your account

Question 57

Route53 Inbound Endpoint

Answer 57

DNS resolvers in on-prem network can forward DNS queries to Route 53 Resolver via this endpoint to resolve domain names for AWS resources

Question 58

Route53 Outbound Endpoint

Answer 58

Route53 resolver conditionally forwards queries to on-prem DNS resolvers via this endpoint to resolve on-prem resources from VPC

Question 59

What is the default entry in a default route table for local routing in the VPC?

Answer 59

Destination - CIDR block for VPC

Target - local

Question 60

What entry needs to be in the route table for the subnet to communicate to the internet using IGW?

Answer 60

Destination - 0.0.0.0/0

Target - IGW ID

Question 61

What entry needs to be in the route table to allow instances in the subnet to communicate with NGW

Answer 61

Destination - 0.0.0.0/0

Target - NAT gateway id

Question 62

enable access to or from the internet for instances in a subnet in a VPC, you must do the following?

Answer 62

1. Create an internet gateway and attach it to your VPC.
2. Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway.
3. Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
4. Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.

Question 63

public subnet

Answer 63

a subnet is associated with a route table that has a route to an internet gateway

Question 64

private subnet

Answer 64

a subnet is associated with a route table that does not have a route to an internet gateway

Question 65

Main route table

Answer 65

The route table that automatically comes with your VPC. It controls the routing for all subnets that are not explicitly associated with any other route table

Question 66

Explain how subnet is associated to route table(s)?

Answer 66

Subnet can only be associated to one route table at a time
By default its the main route table, but you can explicitly associate to another
Multiple subnets can be associated to one route table

Question 67

Amazon Route 53 pricing

Answer 67

Paying for What You Use

Managing hosted zones: You pay a monthly charge for each hosted zone managed with Route 53.

Serving DNS queries: You incur charges for every DNS query answered by the Amazon Route 53 service, except for queries to Alias A records that are mapped to Elastic Load Balancing instances, CloudFront distributions, AWS Elastic Beanstalk environments, API Gateways, VPC endpoints, or Amazon S3 website buckets, which are provided at no additional charge.

Managing domain names: You pay an annual charge for each domain name registered via or transferred into Route 53.