Networking Flashcards
Classful vs classless
A /8, B /16, C /24
CIDR
Classless Inter-Domain Routing
A secondary VPC CIDR range cannot be bigger than the original range
Block size has to be between /16 and /28
CIDR ranges cannot overlap
with the VPC, VPC peers, or Direct Connect
Dual stacking
Using both IPv4 and IPv6 on a host.
Two types of endpoints
Interface endpoints and gateway endpoints
Interface endpoints
A virtual Ethernet interface used to connect to AWS PrivateLink
Gateway endpoints
A target for a specific route in your route table. Used for S3 and DynamoDB
An Elastic Network Interface (ENI) is different from an Elastic Network Adapter (ENA).
ENA is a custom network interface used to optimize network performance on some instance types.
3 types of placement groups
Cluster PG (low latency, high network throughput; same AZ); Partition PG (workload not placed on different hardware); Spread PG (a small number of critical instances that need to be kept away from each other for high availability)
A spread PG can have up to how many instances?
7
Types of VPN connectivity
Site-to-Site
AWS Client VPN
AWS VPN CloudHub
AWS VPN CloudHub
If you have multiple remote customer offices, the VGW can act as a hub for site-to-site communication between the networks
VPN can be used in two ways
Connect a VPC to an on-premises data center
Connect two different VPCs in the same or different regions
Site-to-Site
An IPsec VPN connection between a VPC and a customer network. The AWS side of the network uses a virtual private gateway (VGW). The VGW provides two different endpoints running in two different AZs for automatic failover. Note: the customer gateway (CGW) is a single point of failure (SPOF).
AWS Client VPN
Client managed. A client-based VPN service used to securely access AWS resources from your on-premises network. Sessions are established over a secure TLS VPN session using an OpenVPN-based client.
Either AWS managed VPN or AWS client managed VPN. Connects over the Internet gateway.
IKE
Internet Key Exchange is a protocol used to manage the keys used by IPsec hosts
IKE vs IPsec
IKE uses UDP port 500
IPsec uses IP protocol 50
AWS Client-to-Site VPN
Client-to-Site VPN connectivity gives clients the ability to connect to a variety of resources, including the VPC,
on-premises networks via site-to-site VPN, and peered VPCs.
Client-to-Site VPN
The user needs to install an OpenVPN-based client on their PC.
Establish a Client VPN endpoint in AWS, one in each AZ, in a target within a VPC. The target is essentially a subnet within the VPC; in this case, 2 subnets, one in each AZ.
The user gets access to the VPC, peered VPCs and on-premises networks across the VGW; the user gets access to the Internet through the IGW and to public AWS services like S3.
Site-to-site VPN routing options
Static vs dynamic (BGP)
VGW supports BGP configuration options
Autonomous system (AS) path prepending and multi-exit discriminator
VGW uses BGP over TCP port
179 (the standard BGP port)
The configuration of the CGW
is provided by AWS, and a list of pre-tested devices is available. The config requires 4 components:
1) IKE security association
2) IPsec security association
3) Tunnel interface (a /30 CIDR block)
4) BGP peering (optional)
AWS VPN CloudHub
Provides a means of peer-to-peer communication between Customer Gateways. You don’t need a VPC for CloudHub to function. It is a hub-and-spoke model; the VGW functions as a passthrough. IP ranges, however, cannot overlap. To configure VPN Hub
Transitive routing is not supported in AWS between VPC peers. Additionally, edge-to-edge routing is not supported. So how do we give on-premises users access to VPC peer resources without creating a VPN connection to each VPC?
That’s where Transit VPCs are useful.
Transit VPCs
run EC2 instances which provide software-based VPN. This allows the CGW to do edge-to-edge routing.
The VPN connection is not active until traffic is generated from the customer side of the VPN connection.
To keep the tunnel active, initiate regular traffic, e.g. ICMP pings. The tunnel will close if it is idle for more than 10 seconds.
Health check defaults
Response timeout: 2-60, default 5
Health check interval: 5-300, default 30
Unhealthy threshold: 2-10, default 2
Healthy threshold: 2-10, default 10
Benefits of ALB vs Classic LB
1) Path-based routing
2) Host-based routing
3) Custom HTTP responses
4) Supports targets outside your VPC
5) Redirecting requests from one URL to another
6) Users may optionally be authenticated before routing
7) Health checks are at target level, which allows auto scaling based on CloudWatch metrics
8) ALB supports AWS WAF
9) Sticky sessions
Network Load Balancer is able to handle
millions of requests per second
NLB by default works with a single AZ.
DNS failover with Route 53 is possible. The NLB will redirect to another AZ if all instances are unhealthy in a particular AZ.
NLB flow logs are sent to CloudWatch
Access logs can be enabled to capture information about TLS connections that the listener receives. This provides visibility into successful and failed handshakes so that they may be reviewed.
with Classic Load Balancer you can specify your own application cookie
https://cloudacademy.com/blog/application-load-balancer-vs-classic-load-balancer/
From edge location to S3, HTTPS is not supported
If your Amazon S3 bucket is configured as a website endpoint, you can’t configure CloudFront to use HTTPS to communicate with your origin because Amazon S3 doesn’t support HTTPS connections in that configuration
CloudFront access logs
Log requests, including RTMP. An S3 bucket is required to store the logs.
CF security
Custom headers can be used to make sure requests originate only from CF. The origin can be configured to allow only requests which contain the custom header.
CF can be integrated with
WAF, AWS Shield and Route 53 to create a security perimeter that protects against attacks and is distributed to edge locations.
Route 53 supports 2 types of zones
Public and private
BGP operates over
TCP 179, which ensures reliable inter-router communications
Manual peering
No auto-discovery by design. Automatically shares routes between peers.
BGP is a path vector protocol
not link state or distance vector
BGP shares
the best path to a destination with peers, not every path
BGP AS
Autonomous system: a set of routers under a single technical administration
Two types of BGP
External BGP, and internal BGP between routers within an AS
A NACL contains two implicit deny rules which deny all traffic, one for inbound and another for outbound.
But when you create a VPC, a default NACL is created, and that NACL has allow-all rules for both inbound and outbound traffic. This is different from a NACL that is explicitly created.
Ephemeral port range
Linux 32768-61000
FreeBSD 10000-65535
SGs have inbound and outbound rules
The outbound rule by default allows all traffic; this rule can be deleted.
Controlling access to VPCEs via NACLs is problematic; use Security Groups instead.
NACLs focus on IPs and CIDR ranges.
Multiple VPCEs within a VPC are fine, even for the same service.
If you want to control access by policies, you can create different VPCEs. All instances within a subnet have to use the same VPCE. If you have to give different access to instances, they should be in different subnets routing to different VPCEs.
To create a VPCE you need to specify two things
The VPC, the service to which it will be attached, and the policy (optional; unrestricted if nothing is specified).
By associating the VPCE with a subnet, the VPC endpoint is added to the subnet.
Why hybrid?
Technical and business justification
Reactive vs proactive justification
Data center extension is mostly reactive in nature
Three types of connections for hybrid
Software VPN on EC2 instances, hardware VPN managed by AWS, Direct Connect
A Direct Connect location has
a DX router that links to the VGW in AWS via the AWS backbone, and a customer router
Direct Connect
Physical setup; slow to set up
No ongoing management required
More expensive than HW or SW VPN
Reduces bandwidth costs
Consistent network latency and bandwidth (1 and 10 Gbps)
IPsec can be used to secure SW or HW VPN
one to one relationship between VPC and VGW
one VPC can have only one VGW and one VGW can have only one VPC
Inputs for creating a VPN
VGW, CGW, routing options (static vs dynamic), CIDR range for the customer premises
When you create a VPN, AWS creates two VPN endpoints for resiliency
The CGW establishes a connection with both endpoints
HW VPN
Initiated from the CPE; uses IKE pre-shared keys. The alternative to pre-shared keys is RSA certificates; however, HW VPN does not support them.
AES 128-bit encryption and SHA-1 hashing
Make sure the device supports dead peer detection
Route propagation preference
1) Most specific IP prefix
2) Direct Connect learned routes
3) Routes learned via static VPN
4) Everything else BGP - shortest AS-PATH
VPN endpoints and the CGW use the IP range
169.254.59
The port of the DX router is configured as an 802.1Q trunk which can carry multiple VLANs
AWS will then give you a LOA document
LOA
Letter of Authority: allows your network provider to connect a physical port on the DX router to the physical port of the customer/partner router
Over this connection you can create either a public or private connection
DX connection relationship
AWS account (DX is owned by the account which created it)
It gets a DX connection ID
Speed (1G or 10G)
It gives a port on the DX router, which is an 802.1Q trunk. Connect this port to the customer router. Single-mode fibre, 1000BASE-LX or 10GBASE-LR.
LOA contains
Issue date, issued by, requested by, issued to, facility cage number, AWS DX ID, rack, patch panel, port number, cable type
When you use a partner for Direct Connect
the partner owns the cross connect between the DX router and the partner router
When you order with a partner instead of a dedicated Direct Connect connection
You get a hosted connection which is created by the partner and shared with your account. Only one VLAN is allowed with a hosted connection. You have no control over VLAN assignment since it is preselected by your partner.
What is a private VIF
A private virtual interface allows you to connect to your VPC resources (for example, EC2 instances, load balancers, RDS DB instances, etc.) on their private IP address or endpoint.
Public VIF
To connect to AWS public endpoints, such as EC2 or S3, with dedicated network performance, use a public virtual interface
Inputs required for a private VIF
VGW, auto-generated peer IPs (router peer IP, Amazon router peer IP), BGP ASN (BGP key auto-generated to configure the customer router)
Public VIF
Used to avoid the disadvantages of accessing public services via the Internet: latency, inconsistent bandwidth and, mainly, Internet data charges from AWS
Inputs required to create a public VIF
VGW is not required; router peer IP and Amazon router peer IP cannot be auto-generated since they need publicly routable IPs; VLAN ID; BGP ASN
QinQ 802.1ad VLAN stacking
An access port isn’t VLAN aware. Traffic entering and leaving an access port uses standard 802.3, which is standard Ethernet
802.3 Ethernet Type II frame
64-1518 bytes
802.1Q adds 4 bytes to the header
64-1522 bytes
QinQ adds the ability to have multiple VLAN tags on a frame
64-1526 bytes: supplier tag and customer tag. Push and pop work on the supplier tag
The root of the domain is aka
the naked domain, or the apex of the domain
The standard says it has to be an A record; it cannot be a CNAME. This presents a problem: you can use a CNAME on www.xyz.com but not on xyz.com. xyz.com should be an A record.
Alias record sets have been introduced as A records
which point to a name instead of an IP
Alias record sets reference an alias target
rather than a traditional DNS record
S3, load balancer, CloudFront
Split-horizon DNS (split-view DNS) hosted zone
Internal clients resolve the same DNS name to internal IPs and external clients resolve it to public IPs
The +2 address used by the DNS server is not accessible outside the VPC
This can be solved by using a forwarder (directory service)
conditional forwarders
use specific servers for
DHCP
Automatic dynamic configuration of machines.
Not just IP: subnet mask, local gateway, DNS servers, WINS servers, time servers
DHCP: 4 phases, connectionless, UDP ports 67 and 68
P1: Discovery phase (client with its MAC asking for a DHCP lease)
P2: Offer phase (DHCP server checks the MAC), offers a lease (start time and end time)
P3: DHCP request phase: the client picks an offer to lease
P4: Acknowledge phase
Placement group limitations
- Cannot span AZs; the AZ is picked based on the AZ the first instance in the PG was created in
- Name is unique within your account across all regions
- Not all instance types are supported
- Try and stick to the same instance type
- You can move existing instances into a PG
- Transfer to and from a PG is 5Gbps
- Ideally launch all instances at the start
- PG can work over VPC peers
Can VPC endpoints be combined to improve performance OR resiliency OR control?
Yes, and use the route table to control.
What is the minimum subnet size required to create an ELB
/27
Can a public VIF be utilized to reach public services in regions OTHER than the one it is connected to?
Yes, but only in North American regions. Only in North America are NON-local public ranges advertised over BGP.
You have 3 VPCs: VPC-A (10.0.0.0/16), VPC-B (10.1.0.0/16) and VPC-C (10.1.0.0/16). You need to make sure that VPC-A can communicate with both. What options do you have?
2 subnets in VPC-A are required, 1 RT per subnet, pointing at 2 different VPC peer objects.
What information is required to set up a Direct Connect VIF/peering session?
VLAN, peer IP addresses, BGP config
Are BGP-advertised routes learned by VPC route tables?
Yes, if route propagation is enabled.
A placement group can span AZs if the option is selected on creation. A placement group can span VPCs.
A Spread Placement Group can span AZs to achieve the desired spread. While there will be a performance reduction, a Cluster Placement Group CAN span VPCs.
When configuring a public VIF over a Direct Connect, which of the following statements is true?
Public ASNs can be used; public peer IP addressing must be used.
Jumbo frames are partially supported; an MTU of 1500 is required over DX links.
Outside the VPC, only a 1500 L3 MTU and a 1522 Layer 2 MTU are supported.
A NACL is not scoped to an ENI, but rather to a subnet
An ENI can include
- a primary private IPv4 address from the IP range of the VPC
- one or more secondary IPv4 …
- one Elastic IP address per private IPv4 address
- one public IPv4 address
- one or more IPv6 addresses
- one or more security groups
- a MAC address
- a source/destination check flag
- a description