Networking Flashcards
What is a customer gateway?
Device in the on-premises network that terminates the customer side of an AWS Site-to-Site VPN.
Route 53 weighted routing
Weighted routing lets you associate multiple resources with a single domain name (example.com) or subdomain name (acme.example.com) and choose how much traffic is routed to each resource.
VPC Peering
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
Transit Gateway
AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. With AWS Transit Gateway, you only have to create and manage a single connection from the central gateway into each Amazon VPC, on-premises data center, or remote office across your network.
What is the scope of NACLs?
NACLs apply at the subnet level, so they cover every instance within the subnet
Are NACL stateful or stateless? Why?
Stateless, because you must declare rules to allow requests in and separate rules to allow the responses out
Are security groups stateful? Why or Why not?
Yes, they are stateful because response traffic for a connection that was allowed in is automatically allowed out
What is the scope of security groups?
Security groups are connected to EC2 instances
Which traffic does a security group block by default, and which does it allow by default?
Inbound traffic is blocked by default
Outbound traffic is not blocked by default
AWS Site-to-Site VPN
AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). You can securely extend your data center or branch office network to the cloud with an AWS Site-to-Site VPN (Site-to-Site VPN) connection. It uses internet protocol security (IPSec) communications to create encrypted VPN tunnels between two locations.
AWS Direct Connect
lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using industry-standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual interfaces. AWS Direct Connect does not involve the Internet; instead, it uses dedicated, private network connections between your intranet and Amazon VPC.
Can take longer than one month to establish
AWS Global Accelerator
How is it billed?
a network layer service (e.g. TCP or UDP) that directs traffic to optimal endpoints over the AWS global network, improving the availability and performance of your internet applications for local or global users.
It provides static IP addresses that provide a fixed entry point to your applications and eliminate the complexity of managing specific IP addresses for different AWS Regions and Availability Zones. AWS Global Accelerator always routes user traffic to the optimal endpoint based on performance, reacting instantly to changes in application health, your user’s location, and policies that you configure.
AWS Global Accelerator is a self-service, pay-per-use offering, requiring no long term commitments or minimum fees.
What are the private IP ranges in CIDR notation?
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 0.0.0/4
Amazon Route 53
provides a Domain Name System (DNS), domain name registration, and health-checking web services. The service was designed to give developers and businesses a reliable and cost-effective way to route end users to internet applications by translating names like example.com into the numeric IP addresses, such as 192.0.2.1, that computers use to connect to each other.
What are the Route 53 routing options?
1. Simple round robin
2. Weighted round robin
3. Health check and DNS failover
4. Geolocation routing
5. Geoproximity routing with traffic biasing
6. Multi-value answer
Simple routing
Round robin distributes requests as evenly as possible between all participating servers
Weighted round robin: what is it, and what are typical use cases?
Allows you to assign weights to resource record sets in order to specify the frequency with which different responses are served. You may want to use this capability to do A/B testing, sending a small portion of traffic to a server on which you’ve made a software change.
Weights can be any number between 0 and 255.
Route 53 DNS Failover
monitor the health and performance of your web applications, web servers, and other resources. Each health check that you create can monitor one of the following:
• The health of a specified resource, such as a web server
• The status of other health checks
• The status of an Amazon CloudWatch alarm
After you create a health check, you can get the status of the health check, get notifications when the status changes, and configure DNS failover.
You can take advantage of this feature to increase the availability of your customer-facing application.
Geolocation routing: what is it, and what are typical use cases?
lets you choose the resources that serve your traffic based on the geographic location of your users (the origin of DNS queries).
When you use geolocation routing, you can localize your content and present some or all of your website in the language of your users. You can also use geolocation routing to restrict distribution of content to only the locations in which you have distribution rights. You can also balance load across endpoints in a predictable, easy-to-manage way, so each end-user location is consistently routed to the same endpoint.
Geoproximity routing
lets you route traffic based on the physical distance between your users and your resources if you’re using Route 53 traffic flow. You can also route more or less traffic to each resource by specifying a positive or negative bias. When you create a traffic flow policy, you can specify either an AWS Region (if you’re using AWS resources) or the latitude and longitude for each endpoint.
A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource
multi-value answers
If you want to route traffic approximately randomly to multiple resources, such as web servers, you can create one multi-value answer record for each resource and, optionally, associate an Amazon Route 53 health check with each record.
Amazon Route 53 gives different answers to different DNS resolvers.
Virtual Private Gateway
The AWS side of an AWS VPN
AWS VPN CloudHub
A service for connecting multiple sites into your VPC over VPN connections.
VPC Endpoint
Private access to AWS services (i.e. traffic is not routed over the public internet but stays inside the AWS network)
AWS Global Accelerator use cases
- Non-HTTP use cases: UDP (gaming), IoT (MQTT), Voice over IP
- HTTP use cases that require static IP addresses or fast regional failover
AWS PrivateLink
private connectivity between virtual private clouds (VPC) and services hosted on AWS or on-premises, without exposing traffic between your VPC and the service to the internet
Why use AWS PrivateLink?
- Traffic doesn’t traverse the internet - use private IP addresses and security groups to access AWS hosted services or on-premises hosted services
- Simplify network management - no need for an Internet GW, NAT GW, firewall proxies, route table modification, VPC Peering, Transit GW or whitelisting IPs
- Facilitate your cloud migration - AWS PrivateLink gives on-premises networks private access to AWS services via AWS Direct Connect
What is a VPC Endpoint?
An endpoint within a VPC that is used to create an AWS PrivateLink connection to an AWS service.
VPC endpoints are horizontally scaled, redundant, and highly available Amazon VPC components that allow communication between instances in an Amazon VPC (consumer VPC) and AWS hosted services in another VPC (service VPC)
List types of VPC endpoints?
There are two types of VPC endpoints: (1) interface endpoints and (2) gateway endpoints
Interface endpoints
Enable connectivity to services over AWS PrivateLink. These services include some AWS managed services, services hosted by other AWS customers and partners in their own Amazon VPCs, and supported AWS Marketplace partner services.
An interface endpoint is a collection of one or more elastic network interfaces with a private IP address that serves as an entry point for traffic destined to a supported service. Interface endpoints currently support over 17 AWS managed services.
Gateway endpoints
A gateway endpoint targets specific IP routes in an Amazon VPC route table, in the form of a prefix list, used for traffic destined to Amazon DynamoDB or Amazon Simple Storage Service (Amazon S3). Gateway endpoints do not use AWS PrivateLink.
What networking components does Global Accelerator provide you in order to function? Why?
Two static IPs - static IP addresses provided by AWS Global Accelerator serve as single fixed entry points for your clients
Route53 Hosted Zone
A hosted zone is a container for records, and records contain information about how you want to route traffic for a specific domain, such as example.com, and its subdomains (acme.example.com, zenith.example.com). A hosted zone and the corresponding domain have the same name.
What are the two types of hosted zones in Route53?
Public Hosted Zone
Private Hosted Zone
Public hosted zones
contain records that specify how you want to route traffic on the internet
Private hosted zones
contain records that specify how you want to route traffic in an Amazon VPC
Route 53 alias records
provide a Route 53–specific extension to DNS functionality
let you route traffic to selected AWS resources, such as CloudFront distributions and Amazon S3 buckets
let you route traffic from one record in a hosted zone to another record
CNAME record type - DNS Record Type
maps DNS queries for the name of the current record, such as acme.example.com, to another domain (example.com) or subdomain (acme.example.com) - used to map one domain name to another
You can’t create a CNAME record that has the same name as the hosted zone
This is true both for hosted zones for domain names (example.com) and for hosted zones for subdomains (zenith.example.com)
A record type - DNS Record Type
routes traffic to a resource using an IPv4 address
AAAA record type - DNS Record Type
routes traffic to a resource using an IPv6 address
CAA record type - DNS Record Type
specifies which certificate authorities (CAs) are allowed to issue certificates for a domain or subdomain
MX record type - DNS Record Type
specifies the names of your mail servers
SOA record type - DNS Record Type
A start of authority (SOA) record provides information about a domain and the corresponding Amazon Route 53 hosted zone
NS record type - DNS Record Type
NS record identifies the name servers for the hosted zone
For each public hosted zone, what records are automatically created?
Amazon Route 53 automatically creates a name server (NS) record and a start of authority (SOA) record. You rarely need to change these records.
Where can an alias record redirect queries to?
Amazon S3 buckets
CloudFront distributions
Another record in the same Route 53 hosted zone
An alias record can’t redirect queries anywhere else.
Compare alias and CNAME records
- CNAME records can redirect queries anywhere, but alias records are constrained in where queries can be redirected
- Alias records can have the same name as the hosted zone; CNAME records cannot
- Amazon doesn’t charge for alias queries, but CNAME queries incur costs
- A DNS query must match the alias record’s name and type to get an answer, whereas a CNAME record redirects queries for the name regardless of type
- Responses to dig or nslookup look different for an alias record, whereas a CNAME record appears as a standard CNAME
NAT Gateway
Network Address Translation (NAT) service
use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances
Public NAT Gateway - How do you create it, what does it do?
Public is the default NAT gateway type. Instances in private subnets can connect to the internet through a public NAT gateway, but cannot receive unsolicited inbound connections from the internet.
You create a public NAT gateway in a public subnet and must associate an Elastic IP address with the NAT gateway at creation.
You route traffic from the NAT gateway to the internet gateway for the VPC.
Alternatively, you can use a public NAT gateway to connect to other VPCs or your on-premises network; in this case, you route traffic from the NAT gateway through a transit gateway or a virtual private gateway.
Private NAT Gateway - How do you create it, what does it do?
Instances in private subnets can connect to other VPCs or your on-premises network through a private NAT gateway
route traffic from the NAT gateway through a transit gateway or a virtual private gateway
NAT Instance
create your own AMI that provides network address translation and use your AMI to launch an EC2 instance as a NAT instance
How do you create a public NAT instance and what is it used for?
launch a NAT instance in a public subnet to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated on the internet
Must have public or elastic IP
What two features does NAT instance support that NAT Gateway doesn’t?
Instance can be used as a bastion host
Instance can be configured to support port forwarding
Egress-only Internet gateway
horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection with your instances
Internet gateway
How is it billed?
horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet
serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses
There’s no additional charge for having an internet gateway in your account
Route53 Inbound Endpoint
DNS resolvers in the on-premises network can forward DNS queries to Route 53 Resolver via this endpoint to resolve domain names for AWS resources
Route53 Outbound Endpoint
Route 53 Resolver conditionally forwards queries to on-premises DNS resolvers via this endpoint to resolve on-premises resources from the VPC
What is the default entry in a default route table for local routing in the VPC?
Destination - CIDR block for VPC
Target - local
What entry needs to be in the route table for the subnet to communicate to the internet using IGW?
Destination - 0.0.0.0/0
Target - IGW ID
What entry needs to be in the route table to allow instances in the subnet to send traffic through a NAT gateway (NGW)?
Destination - 0.0.0.0/0
Target - NAT gateway id
To enable access to or from the internet for instances in a subnet in a VPC, what must you do?
- Create an internet gateway and attach it to your VPC.
- Add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway.
- Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
- Ensure that your network access control lists and security group rules allow the relevant traffic to flow to and from your instance.
public subnet
a subnet associated with a route table that has a route to an internet gateway
private subnet
a subnet associated with a route table that does not have a route to an internet gateway
Main route table
The route table that automatically comes with your VPC. It controls the routing for all subnets that are not explicitly associated with any other route table
Explain how subnet is associated to route table(s)?
A subnet can only be associated with one route table at a time
By default it’s the main route table, but you can explicitly associate the subnet with another
Multiple subnets can be associated with one route table
Amazon Route 53 pricing
Paying for What You Use
Managing hosted zones: You pay a monthly charge for each hosted zone managed with Route 53.
Serving DNS queries: You incur charges for every DNS query answered by the Amazon Route 53 service, except for queries to Alias A records that are mapped to Elastic Load Balancing instances, CloudFront distributions, AWS Elastic Beanstalk environments, API Gateways, VPC endpoints, or Amazon S3 website buckets, which are provided at no additional charge.
Managing domain names: You pay an annual charge for each domain name registered via or transferred into Route 53.