Networking Flashcards
Where is data encrypted with encrypted AWS EBS?
Data at rest, snapshots and data moving between the volume and the instance are encrypted
How do you setup an IPsec (site-to-site VPN) between an on-premise and AWS VPC?
Create a Virtual Private Gateway on the AWS side and a customer gateway on the on-premise side
What is VPN CloudHub?
Provides secure comms between multiple site-to-site VPN connections for both on-premise and VPCs
What is a VPC Endpoint?
Connect your VPC to supported AWS services without traffic leaving AWS
What is a VPC Peering connection?
Connection between two VPCs in AWS
What is AWS Shield Advanced?
Sophisticated protection against DDoS attacks, costs $3k / month / org. Cost is per org if consolidated billing is enabled
When is user data script run?
When an instance is first started - can be set to run every time the instance restarts, but not by default
What is RDS Custom?
Allows you to customize your database and operating system but still use RDS
What is Amazon FSx Lustre?
High-performance file system, useful for HPC
What is an EC2 Launch Configuration?
Instance configuration template that an Auto Scaling group uses to launch EC2 instances
Can you modify an EC2 Launch Configuration?
No, you must create a new launch configuration and then modify the auto scaling group
What is Amazon Aurora?
MySQL and PostgreSQL compatible relational database for the cloud
Can a NAT instance be used as a bastion host?
Yes
Are security groups associated with a NAT instance?
Yes
Can port forwarding be enabled on a NAT instance?
Yes
Can port forwarding be enabled on a NAT gateway?
No
Are security groups associated with a NAT gateway?
No
What is CloudTrail?
Log management API calls to your AWS account
What is AWS Global Accelerator?
Network layer service that directs traffic to optimal endpoints over the AWS global network.
Protected by AWS Shield
Can do weighted routing which is great for global blue/green deployments
What is Amazon Redshift?
Uses SQL to analyze data across data warehouses and data lakes for BigData queries
What is Amazon Redshift Spectrum?
Directly query S3 without having to load data into Redshift tables. Offload processing to the Redshift Spectrum layer
What are IAM Permission Boundaries?
Limits the maximum permissions for a given IAM principal
What are placement groups?
Describes the spread of EC2 instances
Cluster - packs instances physically close together for low latency
Partition - spread instances across different AZs but in the same rack
Spread - Places small group of instances across AZs
What is the minimum storage period before you can transition objects to IA?
30 days
What are the different S3 storage tiers?
S3 Standard, Standard IA, S3 Intelligent Tiering, S3 One Zone-IA, S3 Glacier
What are the different Aurora DB endpoints?
Primary DB instance - Supports read/write operations, only one DB instance
Aurora Replica - Supports only read operations, can have up to 15 replicas in this cluster
What is VPC sharing?
Allows multiple AWS accounts to share subnets, so that different accounts can deploy resources to subnets with other accounts. There is a primary account which controls the VPC
How to stream S3 data files and changes to Amazon Kinesis Data Streams?
Use AWS DMS (Database Migration Service) as a bridge between S3 and Kinesis Data Streams
I need to stream data from RDS into Redshift for querying, how should I do this?
Use AWS Database Migration Service to replicate the data from the database into Amazon Redshift
What is AWS EMR?
Elastic Map Reduce (Hadoop Clusters)
Runs open-source big data frameworks at petabyte scale with Apache Spark, Hive or Presto
A serverless option
What is AWS Glue?
Extract, Transform and Load (ETL) service for preparing data for analytics.
Describe S3 consistency
Strong read-after-write consistency
What is AWS DataSync?
Online data transfer service that simplifies, automates and accelerates copying large data between on-premise and AWS Storage services as well as between AWS Storage services
When would you use EC2 dedicated hosts?
Gives you a physical server dedicated for your use. Great for server-bound licences
When would you use EC2 dedicated instances?
Instances are physically isolated from instances from other AWS accounts, can’t be used for server-bound licences
What is AWS Direct connect?
On-premise connection to AWS without going over the internet.
What is Amazon GuardDuty?
Threat detection service that monitors for malicious activity across AWS data sources including CloudTrail, VPC Flow Logs and DNS logs
Can integrate with EventBridge
Can you directly copy data from Snowball into S3 Glacier?
No, it goes directly into S3 Standard Tier. You can create an S3 lifecycle policy to move it into S3 Glacier
What is the maximum number of instances running in an Availability Zone for a spread placement group?
Maximum is 7
How can you secure data in transit with RDS?
Configure RDS to use SSL for data in transit. RDS will create a certificate so the client can verify the connection
What is the difference between a Launch Template and Launch Configuration?
Launch Configuration - used by ASGs
Launch Template - used to launch spot / on-demand instances
SQS FIFO
Max throughput 3000 messages per second
Queue name must end in ‘.fifo’
Must specify queue type at creation time, if you want to change the type you must recreate the queue
Exactly once delivery
What is Amazon Macie?
Removes PII from data automatically with AI
What is Amazon GuardDuty?
Intelligent threat discovery with machine learning
What data sources are supported by GuardDuty?
CloudTrail, VPC Flow Logs, DNS Logs and K8s (Kubernetes) logs
What are the targets of a CloudWatch alarm?
EC2 action, auto scaling action or SNS
What is a Launch template?
Similar to launch configuration but allows you to provision capacity across multiple instance types and using Spot and On-Demand instances.
Your Amazon Kinesis Data Stream has many consumers reading from it, how do you speed it up?
Use the enhanced fan-out feature so that each consumer gets its own 2 MB/second pipe per shard
What is a VPC Gateway Endpoint?
Specify a target in your route table directly to an AWS service. Currently supported are DynamoDB and S3
What is a VPC Interface Endpoint?
An Elastic Network Interface with a private IP address to route to an AWS service
How can you copy data from one bucket to another?
Use the aws s3 sync command, which copies objects that are in the source bucket but not in the target bucket. Can be run multiple times.
Set up S3 batch replication
How can you save money on EC2 instances based on your usage?
Use AWS Cost Explorer Resource Optimization to get a report of EC2 instances that are idle or have low utilization
Use the AWS Compute Optimizer to look at instance type recommendations
How can you speed up client bucket uploads?
Use Amazon S3 Transfer Acceleration to enable faster file uploads
Use multipart uploads for faster file uploads
What is the AWS Database Migration Service?
Helps you migrate databases to AWS quickly and securely
What is AWS Schema Conversion Tool?
Converts the source schema and code to match that of the target database
What is a transit gateway?
A network transit hub that you can use to interconnect VPCs and on-premise networks
Can connect Transit Gateways with Inter-Region peering
What is AWS Global Accelerator?
Provides static IP addresses as a fixed entry point to your applications
Routes traffic to the optimal endpoint based on performance
What are the pillars of the AWS Well-Architected Framework?
Operational excellence
Security
Reliability
Performance efficiency
Cost Optimization
Sustainability
What is EBS?
Elastic Block Store: Network drive you can attach to a single instance
One EBS volume can be attached to only one EC2 instance
Bound to a specific AZ
How to query meta data on an EC2 instance?
169.254.169.254/latest/meta-data
Holds IAM credentials, private IP
How to migrate an EBS volume across regions?
Create a snapshot, then restore that snapshot into another region
What is an EC2 instance store?
Ephemeral storage for EC2 instance that is physically connected to EC2 instance for high I/O. But data is lost when EC2 instance crashes.
How to encrypt a non encrypted EBS volume?
Create an encrypted snapshot from the volume, then create a volume from the encrypted snapshot
What is EFS?
Elastic File System - NFS; a single EFS can be mounted to many EC2 instances. Can be across multiple AZs within a single region
Access control is done with Security Groups
Supports 1000s of attached EC2 instances
What is a Gateway Load Balancer?
GLB - routes traffic via a target group and then to a destination. Operates at layer 3 and is good for firewalls or packet inspection
What is Cross-Zone Load Balancing?
Allows the load balancer instance to distribute traffic across all registered instances in all AZs. Enabled by default for ALB.
What are the Auto Scaling Groups Dynamic scaling policies?
Target Tracking Scaling - tracks a simple metric
Step scaling - When a CloudWatch alarm is triggered then step up/down
Scheduled scaling - Change the capacity at a time period
Predictive Scaling - forecast load and schedule scaling
What are RDS Read Replicas?
For read scalability
Up to 5 read replicas
Can be cross region/AZ
Each replica has its own DNS name
Asynchronous replication
What is RDS Multi-AZ?
Used for failover not scaling
Increases availability
Synchronous replication
Can only connect to it in the event of a failure
What is RDS Custom?
You have access to the underlying OS and control it but still within RDS
What is Amazon Aurora?
A performant managed relational database service
Compatible with Postgres & MySQL
More performant than RDS
Up to 15 replicas
Can backtrack to snapshots in the past
What are the Aurora scaling methods?
Serverless - auto scaling based on actual usage
Multi-Master - Instance failover if the master DB crashes
What is Global Aurora?
High availability of aurora across the globe, great for disaster recovery
What is Aurora Machine Learning?
Simple SQL interface for ML-based predictions on data
Your RDS instance is dropping connections frequently, how to solve?
Use Amazon RDS Proxy, a fully managed proxy for RDS which intelligently reuses DB connections to reduce stress on DB
What is Amazon ElastiCache?
Managed Redis / Memcached for read intensive workloads
When to use Redis?
Multi AZ, replicas, with data durability and supports complex queries
When to use Memcached?
Simple key-value data that does not need to be persisted
How is access managed on ElastiCache?
Security Groups
What are the caching strategies?
Lazy loading: data is added to cache as it is read with TTL
Write through: adds / updates cache when written to the DB
What is Amazon Route 53?
Fully managed DNS service for registering certificates
What are the DNS record types?
A - maps a hostname to IPv4
AAAA - maps a hostname to IPv6
CNAME - maps a hostname to another hostname
NS - Name Servers for the Hosted Zone
What are Route 53 hosted Zones?
Public Hosted Zones - contains records that specify how to route traffic on the internet
Private Hosted Zones - contains records that specify how your traffic is routed within a VPC
What is the difference between CNAME vs Alias?
CNAME: Points a hostname to any other hostname for non root domains
Alias (A or AAAA): Points a hostname to an AWS Resource
What are the Route 53 Routing Policies?
Simple: specify multiple values in same record
Weighted: control the % of requests that go to each resource
Failover: DNS lookup can point to a different ip based on a health check
Latency: redirect to the resource that is closest to the user
Geolocation: direct to a server based on Geolocation
Geoproximity: Direct to a server based on distance, can set a bias to attract more traffic
What is Elastic Beanstalk?
Platform-as-a-Service tool that manages an application for you including:
ECS instances, ALB, RDS, SQS and CloudWatch. It uses CloudFormation under the hood at no extra cost!
What are the different Elastic Beanstalk tiers and what are their uses?
Web Server tier: handling web requests
Worker Environment Tier: handling longer running jobs, e.g. periodic or background tasks. Can be triggered by SQS
What is the max S3 object size?
5 TB
What is the max S3 object single part upload size?
5 GB but consider doing it smaller than that as it will be faster
What are the main S3 access controls?
IAM: Role based policies
Bucket policies - bucket wide rules
What are the S3 Storage classes?
Standard
Standard IA
S3 Glacier
What are S3 Lifecycle Rules?
Automatically transition objects between storage classes or delete them
What are S3 Event Notifications?
Be notified of S3 events, with object name pattern filtering
Destination can be SQS queue, Lambda, EventBridge or SNS
What are the S3 Server-Side encryption options?
SSE-S3: Encryption keys entirely handled by AWS, enabled by default
SSE-KMS: Encryption using a key managed by AWS KMS
SSE-C: Server side encryption using keys managed by the customer
How is S3 data encrypted in transit?
Use SSL/TLS; S3 exposes an HTTP and an HTTPS endpoint.
Can force encryption with a bucket policy that refuses API calls without encryption options
Must use HTTPS for SSE-C
What is S3 CORS?
Web browser based mechanism to control requests to other origins
If the resource server does not have the origin ‘Access-Control-Allow-Origin’ header then the request will fail.
How is the CloudFront cache invalidated?
Data is refreshed after the TTL has expired
OR
You can force a cache refresh by performing a CloudFront Invalidation
What is Athena?
Serverless query service to analyze data stored in S3. Integrated with QuickSight
What is Athena Federated Query?
Use Lambda to run queries across many data sources (S3, RDS, DDB, CloudWatch)
What is Amazon ElasticSearch / Open Search Service?
Search any field, supports partial matches
What is Amazon QuickSight?
Create interactive dashboards, integrates with RDS, Aurora, Athena, Redshift, OpenSearch
What is AWS Glue?
ETL (Extract, Transform and Load) service. Convert data between formats
What is AWS Lake Formation?
Central place for data to be stored for analytics
What is Amazon Rekognition?
Find objects and people in images/video using ML