Networking Flashcards
Route53 Record Types
- A - maps a hostname to IPv4
- AAAA - maps hostname to IPv6
- CNAME - maps a hostname to another hostname
- NS - Name Servers for the Hosted Zone (indicates which DNS server is authoritative for that domain)
Route53
CNAME vs Alias
- CNAME: Points a hostname to any other hostname (can't be used with the root domain)
- Alias: Points a hostname to an AWS resource (works with root domain) and is free of charge.
Route53
Alias Records Targets
- ELB
- CloudFront Distributions
- API Gateway
- Elastic Beanstalk
- S3 websites
- VPC Interface endpoints
- Global Accelerator
- Route53 record in the same hosted zone
Routing Policies
Simple
Route traffic to a single resource, can’t be associated with Health Checks. If a record has multiple values, a random one is chosen by the client.
Routing Policies
Weighted
Control the % of the requests that go to each resource. Can be associated with Health Checks.
Route Policy
Latency based
Redirect to the resource that has the least latency, based on traffic between users and AWS regions. Can be associated with Health Checks.
Routing Policies
Failover (Active-Passive)
You have a primary and secondary record for disaster recovery.
Routing Policies
Geolocation
Based on user location by continent, country or US state. Can be associated with Health Checks.
Routing Policies
Geoproximity
Based on the geographical location of users and resources. Ability to shift more traffic to resources based on the defined bias.
Must use Route53 Traffic Flow
Route53 Traffic Flow
Visual editor to
* Manage complex routing trees
* Create and maintain records in complex configurations.
* Configurations can be saved as Traffic Flow Policies
Routing Policies
Multi-Value
Can be associated with Health Checks, returns up to 8 healthy records.
Routing Policies
IP-based Routing
You provide a list of CIDRs for your clients and the corresponding endpoints. Optimizes performance and reduces network costs.
Route 53
Hosted Zones
Container for records that define how to route traffic.
- Public: specify how to route traffic on the Internet
- Private: specify how to route traffic within one or more VPCs
DNS Security Extensions (DNSSEC)
Verifies DNS data integrity and origin. Works only with Public Hosted Zones.
Route53 Health Checks
- Health checks that monitor a public endpoint
- Health checks that monitor up to 256 other health checks (calculated health checks)
- Health checks that monitor CloudWatch alarms (effective for private resources)
Route53 Resolver
Answers DNS queries for:
1. Local domain names for EC2 instances
2. Records in Private Hosted Zones
3. Records in public Name Servers
Route 53
Resolver Endpoints for Hybrid DNS
Can be associated with one or more VPCs in the same region
* Inbound Endpoint: forwards external DNS queries for domain names of AWS resources and records in Private Hosted Zones to the Route 53 Resolver.
* Outbound Endpoint: conditionally forwards DNS queries to other DNS resolvers.
AWS Global Accelerator
Provides static IP addresses that serve as single fixed entry points for your clients. You associate them with regional endpoints. Accepts incoming traffic onto the AWS global network from the edge location that is closest to your users.
With which resources does standard Global Accelerator work?
- Elastic IP
- EC2 instances
- ALB
- NLB
Continuously monitors the health of all endpoints
CloudFront vs Global Accelerator
CloudFront
* Improves performance for cacheable content
* Dynamic content served at the edge
Global Accelerator
* Improves performance for a wide range of apps
* Proxying packets at the edge to apps in one or more Regions.
Network ACLs
Stateless firewall at the subnet level. Supports allow and deny rules.
Security Groups
Stateful rules at the instance level. Only supports allow rules.
VPC Peering
- Connect two VPCs privately using the AWS network.
- Is not transitive.
- Must update route tables in subnets, uses the longest prefix match.
VPC Peering
Edge to edge routing
Invalid configuration of VPC Peering. Not transitive with VPN, Direct Connect, IGW, NAT and VPC Endpoints.
Transit Gateway
Transitive peering between thousands of VPCs and on-premises networks. It is a hub-and-spoke connection.
How to configure Transit Gateway Cross Account
Share Transit Gateway using Resource Access Manager (RAM)
IP Multicast in AWS
Only Transit Gateway allows sending IP datagrams to a group of interested receivers in a single transmission.
A single internet exit point
- Create a central NAT Gateway in a public subnet
- Create an ENI in a private subnet to which Transit Gateway redirects traffic
- Connect all VPCs to a Transit Gateway
- Create Routing Tables to direct traffic to the NAT Gateway
Direct Connect Gateway and Transit Gateway
It is possible to connect one Direct Connect gateway to multiple Transit Gateways in different regions.
Transit Gateway Peering Attachments
You can build an intra-region or inter-region peering mesh. Cross-region data transfer incurs standard charges.
VPC Endpoints
Allow you to connect to AWS services using a private network
VPC Endpoint Gateway
For S3 and DynamoDB
* One gateway per VPC
* Must update route tables entries
* DNS resolution must be enabled in VPC
VPC Endpoint Interface
For all services.
* Provision an ENI that will have a private endpoint interface hostname
* Must be in a subnet
* Enable private DNS so the public hostname of a service resolves to the private endpoint interface hostname
* Can be accessed from Direct Connect and VPN
VPC Endpoint Gateway troubleshooting
- Check SGs outbound rules
- Check VPC endpoint policy
- Check route tables
- Check DNS resolution is enabled
- Check S3/Dynamo policy
Private Link
Secure way to expose a service to other VPCs without peering, an internet gateway or NAT.
* Requires an NLB on the service side and an ENI on the consumer side
Connect to S3 with Direct Connect
In a VPC create a PrivateLink to which Direct Connect sends traffic. From there direct it to an Interface VPC Endpoint and on to S3.
Site to Site VPN configuration
- On-premises, set up a VPN appliance accessible using a public IP
- On AWS, set up a Virtual Private Gateway and attach it to a VPC
- On AWS, set up a Customer Gateway pointing to the VPN appliance
Site to Site VPN and Direct Connect Internet Access
It is not possible to connect an S2S VPN or Direct Connect to an Internet Gateway through a NAT Gateway. Must use a NAT Instance.
AWS VPN CloudHub
Connect up to 10 Customer Gateways to a Virtual Private Gateway
AWS Client VPN
Connect from a computer using OpenVPN to a private network on AWS
Direct Connect Gateway
Set up a Direct Connect to one or more VPCs in different regions. Can also be used to connect to a Transit Gateway.
Border Gateway Protocol
Set of rules that determine the best network routes for data transmission on the internet
Direct Connect
Virtual Interfaces (VIF)
Enable access to AWS services through a public VIF or a private VIF. A transit VIF is used to access one or more Transit Gateways associated with Direct Connect gateways.
IPv6 for existing VPCs and subnets
- Associate an IPv6 CIDR block with your VPC and subnet
- For a public subnet, create a route that routes all IPv6 traffic from the subnet to the internet gateway. For a private subnet, create a route that routes all internet-bound IPv6 traffic from the subnet to an egress-only internet gateway.
- Update your security group rules
- Assign IPv6 addresses to your instances
Egress-only internet gateway
Allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection.
Egress-only internet gateway vs NAT gateway
An egress-only internet gateway is for use with IPv6 traffic only. To enable outbound-only internet communication over IPv4, use a NAT gateway instead.
Keep a static MAC Address in an EC2 instance
If a static MAC address is assigned to an Elastic Network Interface it remains unchanged
VPC Routing Enhancement
Any traffic from within a VPC destined to a target within the VPC is covered by the local route and therefore routed directly. The enhancement allows you to configure specific routes at the subnet route table level or replace the target for the "local" destination with a middlebox such as a firewall.
Virtual appliances to handle traffic filtering and provide security inspection capabilities
- Gateway Load Balancer is deployed in a separate security VPC along with the virtual appliances, because GLB endpoints are a routable target.
- To ensure flow symmetry, appliance mode is enabled on the Transit Gateway