Networking Flashcards

1
Q

Is higher or lower priority preferred with Local preference?

A

Higher

2
Q

Is shorter or longer path preferred with AS-PATH length?

A

Shortest AS path value preferred

3
Q

Is higher or lower MED metric preferred?

A

Lowest MED metric

4
Q

Which Origin code is preferred?

A

Prefer the route advertised by the “network” command (i) over a redistributed route (?)

5
Q

Which path is preferred with IGP metric (MED2)?

A

Prefer the path whose next hop has the lowest IGP metric (also referred to as location cost in AWS).

6
Q

What are the default SG rules?

A

Allows all inbound from the same security group. Allows all outbound.

7
Q

What are the scope BGP communities?

A

7224:9100—Local AWS Region

7224:9200—All AWS Regions for a continent

  • North America–wide
  • Asia Pacific
  • Europe, the Middle East and Africa

7224:9300—Global (all public AWS Regions)

8
Q

If you don’t apply scope BGP tags, what happens by default?

A

Prefixes are advertised to all public AWS Regions (global) by default.

9
Q

How do you set up BGP for multi-pathing?

A

Advertise the prefixes marked with the same communities and with identical AS_PATH attributes; those prefixes are candidates for multi-pathing.

10
Q

What are the advertised routes BGP Communities?

A

7224:8100—Routes that originate from the same AWS Region in which the AWS Direct Connect point of presence is associated.

7224:8200—Routes that originate from the same continent with which the AWS Direct Connect point of presence is associated.

No tag—Global (all public AWS Regions).

11
Q

What BGP communities are reserved for DX?

A

The communities 7224:1 – 7224:65535 are reserved by AWS Direct Connect.

12
Q

What happens to communities that are not supported for an AWS Direct Connect public connection?

A

They are removed

13
Q

What is the NO_EXPORT BGP community tag for?

A

It’s supported for public virtual interfaces. All routes that AWS Direct Connect advertises to customers are tagged with the NO_EXPORT community tag.

14
Q

Where are Lambda@Edge functions executed?

A

Regional Cache locations

15
Q

Where are CloudFront functions executed?

A

Edge locations

16
Q

What are CloudFront functions suitable for?

A
  1. Cache key normalization
  2. Header manipulation (e.g. True-Client-IP)
  3. URL redirects or rewrites
  4. Request authorization

17
Q

What does the middlebox routing wizard do?

A

The middlebox routing wizard helps you by automatically creating the necessary route tables and routes (hops) to redirect traffic as needed.

18
Q

What scenarios best suit the middlebox routing wizard?

A
  1. Routing traffic to a middlebox appliance, for example, an Amazon EC2 instance that’s configured as a security appliance.
  2. Routing traffic to a Gateway Load Balancer. For more information, see the User Guide for Gateway Load Balancers.
19
Q

How can you prevent TCP session timeouts involving a network firewall and GWLB?

A

Set the firewall keep-alive timers to less than 350 seconds.

20
Q

For which names does Route 53 Resolver automatically answer DNS queries?

A
  1. Local VPC domain names for EC2 instances (for example, ec2-192-0-2-44.compute-1.amazonaws.com).
  2. Records in private hosted zones (for example, acme.example.com).
  3. For public domain names, Route 53 Resolver performs recursive lookups against public name servers on the internet.

21
Q

What if you need Route 53 Resolver to handle more queries?

A

You can add more IP addresses to your existing endpoint in one or more AZs instead of adding another endpoint.

22
Q

How is Route 53 resolver priced?

A

Resolver pricing is based on the number of IP addresses in your endpoints and on the number of DNS queries that the endpoint processes. Each endpoint includes a minimum of two IP addresses.

23
Q

If you create multiple outbound endpoints, how do you associate a rule with them?

A

Each rule specifies the outbound endpoint that DNS queries are forwarded from. If you create multiple outbound endpoints in an AWS Region and you want to associate some or all Resolver rules with every VPC, you need to create multiple copies of those rules.

24
Q

What is the size limit for Route 53 responses?

A

512 bytes

25
Q

What’s the difference between Geolocation and Geoproximity routing policies?

A

Geolocation – Use when you want to route traffic based on the location of your users.

Geoproximity – Use when you want to route traffic based on the location of your resources and, optionally, shift traffic from resources in one location to resources in another.

26
Q

What are the 3 types of placement groups?

A
  1. Cluster – packs instances close together inside an Availability Zone. This strategy enables workloads to achieve the low-latency network performance necessary for tightly-coupled node-to-node communication that is typical of high-performance computing (HPC) applications.
  2. Partition – spreads your instances across logical partitions such that groups of instances in one partition do not share the underlying hardware with groups of instances in different partitions. This strategy is typically used by large distributed and replicated workloads, such as Hadoop, Cassandra, and Kafka.
  3. Spread – strictly places a small group of instances across distinct underlying hardware to reduce correlated failures.
27
Q

What if you receive a capacity error when launching an instance in a placement group that already has running instances?

A

Stop and start all of the instances in the placement group, and try the launch again. Starting the instances may migrate them to hardware that has capacity for all of the requested instances.

28
Q

What is an Elastic Fabric Adapter (EFA)?

A

A network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications. EFA enables you to achieve the application performance of an on-premises HPC cluster, with the scalability, flexibility, and elasticity provided by the AWS Cloud.

29
Q

What do Elastic Fabric Adapters provide?

A

Lower and more consistent latency and higher throughput than the TCP transport traditionally used in cloud-based HPC systems. It enhances the performance of inter-instance communication that is critical for scaling HPC and machine learning applications.

30
Q

What is the difference between an EFA and ENA?

A

Elastic Network Adapters (ENAs) provide traditional IP networking features that are required to support VPC networking. EFAs provide all of the same traditional IP networking features as ENAs, and they also support OS-bypass capabilities. OS-bypass enables HPC and machine learning applications to bypass the operating system kernel and to communicate directly with the EFA device.

31
Q

How does Gateway Load Balancer pricing work?

A

You are charged for each hour or partial hour that a Gateway Load Balancer is running and the number of Load Balancer Capacity Units (LCU) used by Gateway Load Balancer per hour.

32
Q

What is a Load Balancer Capacity Unit (LCU)?

A

An LCU is an Elastic Load Balancing metric for determining how you pay for a Gateway Load Balancer. An LCU defines the maximum resource consumed in any one of the dimensions (new connections/flows, active connections/flows, and bandwidth) in which the Gateway Load Balancer processes your traffic.

33
Q

What are the LCU metrics for the Gateway Load Balancer?

A

The LCU metrics for TCP traffic are as follows:

  • 600 new flows (or connections) per second.
  • 60,000 active flows (or connections) (sampled per minute).
  • 1 GB per hour for EC2 instances, containers and IP addresses as targets.
34
Q

What is the route evaluation order for TGW?

A
  1. The most specific route for the destination address.
  2. For routes with the same destination IP address but different targets, the route priority is as follows:
     a. Static routes (for example, Site-to-Site VPN static routes)
     b. Prefix list referenced routes
     c. VPC propagated routes
     d. Direct Connect gateway propagated routes
     e. Transit Gateway Connect propagated routes
     f. Site-to-Site VPN propagated routes

35
Q

When does a certificate need to be imported into the US-EAST region only?

A

Only when used by CloudFront. Otherwise, it is a regional service.

36
Q

What is an Outpost service link?

A

During AWS Outposts provisioning, you or AWS create a service link connection that connects your Outpost back to your chosen AWS Region or Outposts home Region. The service link is an encrypted set of VPN connections that are used whenever the Outpost communicates with your chosen home Region. You use a virtual LAN (VLAN) to segment traffic on the service link. The service link VLAN enables communication between the Outpost and the AWS Region for both management of the Outpost and intra-VPC traffic between the AWS Region and Outpost.

37
Q

What options exist for Outpost connectivity to AWS?

A

The Outpost needs connectivity to the AWS Region’s public IP ranges, either through the public internet or an AWS Direct Connect public virtual interface. This connectivity can be through specific routes in the service link VLAN, or through a default route of 0.0.0.0/0.

38
Q

What is the default AWS BFD liveness detection minimum interval?

A

The default AWS BFD liveness detection minimum interval is 300 ms. The default BFD liveness detection multiplier is three.

39
Q

What is BFD?

A

A detection protocol that provides fast forwarding path failure detection times. These fast failure detection times facilitate faster routing reconvergence times.

40
Q

What is the routing priority for VPNs?

A
  1. BGP propagated routes from an AWS Direct Connect connection
  2. Manually added static routes for a Site-to-Site VPN connection
  3. BGP propagated routes from a Site-to-Site VPN connection
  4. For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred.
41
Q

What are the uses for Lambda@Edge?

A

A Lambda function can inspect cookies and rewrite URLs so that users see different versions of a site for A/B testing.

CloudFront can return different objects to viewers based on the device they’re using by checking the User-Agent header, which includes information about the device. For example, CloudFront can return different images based on the screen size of the device. Similarly, the function could consider the value of the Referer header and cause CloudFront to return the lowest-resolution images available to bots.

Or you could check cookies for other criteria. For example, on a retail website that sells clothing, if you use cookies to indicate which color a user chose for a jacket, a Lambda function can change the request so that CloudFront returns the image of a jacket in the selected color.

A Lambda function can generate HTTP responses when CloudFront viewer request or origin request events occur.

A function can inspect headers or authorization tokens, and insert a header to control access to your content before CloudFront forwards the request to your origin.

A Lambda function can also make network calls to external resources to confirm user credentials, or fetch additional content to customize a response.

42
Q

What networking solution supports RADIUS?

A

None of the AWS-provided solutions provide support for RADIUS authentication. A third-party VPN solution must be used; many are available in the AWS Marketplace.

43
Q

Does AWS Managed Microsoft AD support trust with Single Label Domains?

A

No

44
Q

What are the technical requirements for DX?

A

AWS Direct Connect supports 1000BASE-LX, 10GBASE-LR, or 100GBASE-LR4 connections over single mode fiber using Ethernet transport. Your device must support 802.1Q VLANs.

45
Q

What is the range of 32-bit private ASNs?

A

AWS supports 32-bit private ASNs from 4200000000 to 4294967294.

46
Q

Which type of AWS Direct Connect connections support MACsec?

A

MACsec is supported on 10 Gbps and 100 Gbps dedicated AWS Direct Connect connections at selected points of presence. For MACsec to work, your dedicated connection must be transparent to Layer 2 traffic and the device terminating the Layer 2 adjacency must support MACsec. If you are using a last-mile connectivity partner, check that your last-mile connection can support MACsec. MACsec is not supported on 1 Gbps dedicated connections or any hosted connections.

47
Q

What do VPC endpoint policies allow by default?

A

By default, VPC endpoint policies allow all access.

48
Q

In an S3 bucket policy, how can access be granted to endpoints?

A

By identifying the endpoint ID as the ‘aws:SourceVpce’ condition within the permission statement.

49
Q

In an endpoint policy, how can access be restricted to specific S3 buckets?

A

By identifying their ARNs as a resource within the permission statement.

50
Q

How do you preserve the source IP address of clients on an NLB and allow connectivity from the Internet?

A

Register targets by instance ID and the source IP addresses of the clients are preserved and provided to your applications. If you want the targets that sit behind an NLB to be accessible from the internet, you will need to allow traffic from the internet on the security groups attached to the EC2 instances.

51
Q

What is Amazon Route 53?

A

Amazon Route 53 provides highly available and scalable Domain Name System (DNS), domain name registration, and health-checking web services. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by translating names like example.com into numeric IP addresses.

52
Q

What can I do with Amazon Route 53?

A

  1. Create and manage your public DNS records.
  2. Answer requests to translate specific domain names into their corresponding IP addresses, such as 192.0.2.1.
  3. Create DNS records for a new domain or transfer DNS records for an existing domain.
  4. Use health checks to monitor the health and performance of your application as well as your web servers and other resources.
  5. Register domain names (registrar).

53
Q

How is Route 53 priced?

A

Amazon Route 53 charges are based on actual usage of the service for Hosted Zones, Queries, Health Checks, and Domain Names.

54
Q

What DNS record types does Route 53 support?

A

A (address record)
AAAA (IPv6 address record)
CNAME (canonical name record)
CAA (certification authority authorization)
MX (mail exchange record)
NAPTR (name authority pointer record)
NS (name server record)
PTR (pointer record)
SOA (start of authority record)
SPF (sender policy framework)
SRV (service locator)
TXT (text record)
Amazon Route 53 also offers alias records, which are an Amazon Route 53-specific extension to DNS.

55
Q

How quickly will changes I make to my DNS settings on Amazon Route 53 propagate globally?

A

Amazon Route 53 is designed to propagate updates you make to your DNS records to its world-wide network of authoritative DNS servers within 60 seconds under normal conditions. A change is successfully propagated world-wide when the API call returns an INSYNC status.

56
Q

What are benefits of Alias records?

A

  1. You can create an Alias record for your zone apex.
  2. Queries to Alias records are free of charge.

57
Q

Is BYOIP IPv6 public or private on AWS?

A

With BYOIPv6, the addresses you bring are used as the “native” or internal addresses inside your VPC, with the optional ability to use them to connect to the public Internet. While these IPv6 addresses are publicly routable, that does not mean that using them automatically connects your VPC resources to the Internet. Instead, you have complete control and a number of options for when and how your VPC resources can reach the Internet or be reached by systems on the Internet.
