Networking

Question 1

Classful vs classless

Answer 1

A /8, B /16, C /24

Question 2

CIDR

Answer 2

Classless inter domain routing

Question 3

second VPC range cannot be bigger than the original range

Answer 3

Block size has to be between /16 and /28

Question 4

CIDR cannot overlap

Answer 4

with VPC, VPC peers, or on direct connect

Question 5

dual stacking

Answer 5

using both IPV4 and V6 on a host.

Question 6

Two types of end points

Answer 6

Interface end point and gateway end point

Question 7

Interface end points

Answer 7

Are a virtual ethernet interface to connect AWS private link

Question 8

Gateway endpoints

Answer 8

are a target for a specific route in your route table. S3 and dynamoDB

Question 9

elastic network interface is different from elastic network adapters.

Answer 9

ENA is a custom interface used to optimize network performance on some interface types.

Question 10

3 types of placemnet groups

Answer 10

cluster(low latency, high netk throughput)same AZ, 
Partition PG(workload not placed on different hw)
spread PG( small number of critical instances that needs to be kept away from each other high availability )

Question 11

spread PG can have upto how many instances

Answer 11

7

Question 12

Types of VPN connectivity

Answer 12

Site-to-Site
AWS Client VPN
AWS VPN CloudHub

Question 13

Site to site

Answer 13

IPSec VPN connection between a VPC and customer network. The AWS side of the network uses a virtual private gateway(VGW).. The VGW provides two different end points running of two different AZ for auotmatic failover.

Question 14

AWS client VPN

Answer 14

Client managed. client based VPN service used to securely access AWS resources from your on premise network. Sessions are connected using a secure TLS VPN session and an open VPN based client

Question 15

AWS VPN CloudHub

Answer 15

If you have multiple remote customer offices the VGW can act as a hub for site-to-site communication between the networks

Question 16

VPN can be used in two ways

Answer 16

connect VPC to on-premise data center

Connect two different VPC’s in same or different regioun

Question 17

Site to site

Answer 17

IPSec VPN connection between a VPC and customer network. The AWS side of the network uses a virtual private gateway(VGW).. The VGW provides two different end points running of two different AZ for automatic failover. Note customer GW is a SPOF

Question 18

AWS client VPN

Answer 18

Client managed. client based VPN service used to securely access AWS resources from your on premise network. Sessions are connected using a secure TLS VPN session and an open VPN based client.
AWS Managed VPN or AWS client managed VPN. Connects over Internet gateway

Question 19

VPN can be used in two ways

Answer 19

connect VPC to on-premise data center

Connect two different VPC’s in same or different regioun

Question 20

IKE

Answer 20

Internet Key exchange is a protocol used to manage keys used by IPSec hosts

Question 21

IKE vs IPSec

Answer 21

IKE UDP port 500

IPSec IP protocol 50

Question 22

AWS client to site VPN

Answer 22

Client managed. client based VPN service used to securely access AWS resources from your on premise network. Sessions are connected using a secure TLS VPN session and an open VPN based client.
AWS Managed VPN or AWS client managed VPN. Connects over Internet gateway

Question 23

Client-to-Site VPN connectivity gives clients the ability to connect to a variety of resources including the VPC

Answer 23

On-Premises site-to-site VPN, and Peer VPCs.

Question 24

Client to site VPN

Answer 24

user needs to install OpenVPN based client on their PC.

Establish a client VPN endpoint in AWS one in each AZ in a target within a VPC. The target is essentially a subnet within a VPC. In this case 2 subnets one in each AZ.
User gets access to VPC and peered VPC and onpremise networks across VGW, user gets access to the internet through IGW and public aws services like S3

Question 25

site-to-site VPN routing options

Answer 25

static vs dynamic(BGP)

Question 26

VGW supports BGP configuration options

Answer 26

Autonomous systems prepends AND multi exit discriminator

Question 27

VGW uses BGP over TCP port

Answer 27

179( the standard BGP port)

Question 28

The configuration of CGW

Answer 28

is provided by AWS and a list of pretested devices are available. The config requires 4 components

1) IKE security association
2) IPSec security association
3) Tunnel interface ( a /30 CIDR block)
4) BGP peering is optional

Question 29

AWS VPN CloudHub

Answer 29

provides a means of peer-to-peer communication between Customer Gateways.

Question 30

AWS VPN CloudHub

Answer 30

provides a means of peer-to-peer communication between Customer Gateways. You don’t need a VPC for CloudHub to function. It is a hub and spoke model. VGW functions as a passthrough. IP ranges however cannot overlap. to configure VPN HUB

Question 31

Transitive routing is not supported in AWS between VPC Peers. Additionally, edge-to-edge routing is not supported. So how do we give on-premises users access to VPC Peer resources, without creating a VPN connection to each VPC

Answer 31

That’s where Tansit VPC are useful

Question 32

Transit VPC’s

Answer 32

run EC2 instances which enable software based VPN. This allows CGW can do edge to edge routing.

Question 33

The VPN connection is not active until the traffic is generated from the customer side of the VPN connection

Answer 33

To keep the tunnel active initiate regular traffic, ICMP pinging. The tunnel will close if it idle for more than 10 seconds.

Question 34

health checks defaults

Answer 34

Response timeout 2-60 default 5
health check interval 5-300 default 30
unhealthy threshold 2-10 default 2
healthy threshold 2-10 default 10

Question 35

Benefits of ALB vs classic LB

Answer 35

1) Path based routing
2) Hos tbased routing
3) custom http response
4) Supports targets outside your VPC
5) Redirecting requests from one URL to another
6) Users may optinally be authenticated before rourting
7) Health checks are at target level. which allows auto scaling based on cloud wathc metrics
8) ALB supports AWS WAF
9) sticky sessions

Question 36

Network load balancer is able to handle

Answer 36

millions of requests per second

Question 37

NLB by default work with a single AZ.

Answer 37

DNS failover with Route53 is possible. The NLB will redirect to another AZ if all instances are unhealthy in a particular AZ

Question 38

NLB flows logs are sent to cloudwatch

Answer 38

access logs can be enabled to capture information about TLS connections that listener recieves. This provides visibility into successful and failed handshakes so that they may be reviewed.

Question 39

with Classic Load Balancer you can specify your own application cookie

Answer 39

https://cloudacademy.com/blog/application-load-balancer-vs-classic-load-balancer/

Question 40

From edge location to S3 https is not supported

Answer 40

If your Amazon S3 bucket is configured as a website endpoint, you can’t configure CloudFront to use HTTPS to communicate with your origin because Amazon S3 doesn’t support HTTPS connections in that configuration

Question 41

Cloud front access logs

Answer 41

logs requests and RTMP. An s3 bucket is required to store the logs

Question 42

CF secrurity

Answer 42

custom headers can he used to make sure requests is originating only from CF. Origin can be configured to allow only requests which contain the custom origin

Question 43

CF can intgrated with

Answer 43

WAS, AWS Shield and Route53 to create security peremiter to protect against attacks and distributed to edge locations.

Question 44

Route53 supports 2types of zones

Answer 44

public and private

Question 45

BGP operates over

Answer 45

TCP 179 ensures reliable inter route communications

Question 46

Manual peering

Answer 46

no auto discovery by design. automatically shares routers between peers

Question 47

BGP is a path vector

Answer 47

not link state of distance victor

Question 48

BGP shares

Answer 48

best path to a destination with peers not every path

Question 49

BGP AS

Answer 49

Autonomous system a set of routers under a single technical administration

Question 50

two types of BGP

Answer 50

external BGP, internal BGP routers within a AS

Question 51

two types of BGP

Answer 51

external BGP, internal BGP routers within a AS

Question 52

NACL contains two implicit deny rule which denies all traffic one for inbound and another for outbound

Answer 52

But when you create a VPC a default NACL is created and that NACL has both inbound and outbound allow for all traffic. This is different when NACL is explicitly created.

Question 53

Ephemeral port range

Answer 53

Linux 32768-61000

FreeBSD 10000-65535

Question 54

SG’s have inbound and outbound rules

Answer 54

outbound rule by default allows all traffic which can be deleted

Question 55

Controlling access to VPCE via NACL is problematic use Security Groups instead

Answer 55

NACL focus on ip and CIDR ranges.

Question 56

Multiple VPCE’s within a VPC is fine even for the same service

Answer 56

If you want to control access by policies you can created different VPCE’s. All instances within a subnet has to use the same VPC. if you have to give different access to instances they should be in differenet subnets routing to different vpce.

Question 57

To create VPC you need to specify two things

Answer 57

THe VPC, the service to which it will be attached to and the policy(optional and unrestricted if nothing is specified).
By associating the vpce to a subnet the vpce end point is added to the subnet

Question 58

To create VPC you need to specify two things

Answer 58

THe VPC, the service to which it will be attached to and the policy(optional and unrestricted if nothing is specified).
By associating the vpce to a subnet the vpce end point is added to the subnet

Question 59

Why hybrid?

Answer 59

technical, business justification,
Reactive vs Proactive justification
Data center extension is mostly reactive in nature

Question 60

Three types of connections for hybrid

Answer 60

software VPN EC2 instances, Hardward VPN managed by AWS, Direct connect

Question 61

Direct connect location has

Answer 61

DX Router links to VGW in AWS via AWS backbone, Customer router

Question 62

direct connect

Answer 62

physical setup slow to setup,
No ongoing managemnet required
expensive than hw or sw VPN
Reduces bandwidth costs
Consistent netk latency and bandwidhth(1 & 10)
IPSec can be used to secure. sw or hw VPN

Question 63

one to one relationship between VPC and VGW

Answer 63

one VPC can have only one VGW and one VGW can have only one VPC

Question 64

Inputs for creating VPN

Answer 64

VGW, CGW, Routing options static vs dynamic, CIDR range for customer premises

Question 65

when you create a VPN, AWS creates two VPN end points for resiliency

Answer 65

CGW establishes connection with both the end points

Question 66

HW VPN

Answer 66

initiated frpm CPE, uses IKE pre shared keys. alternative to pre-shared is RSA certificate. However HW VPN does not support it,
AES 128 bit and sha1 hashing
Make sure device supports dead peer detection

Question 67

Route propogation preference

Answer 67

Most specific IP
direct connect learned routes
routes learned via static VPN
everything else BGP - shortest AS-PATH

Question 68

VPN end points and CGW uses ip range

Answer 68

169.254.59

Question 69

The port of the DX router is configured as 802.1q trunk which can carry multiple VLAN

Answer 69

AWS will then give you a LOA document

Question 70

LOA

Answer 70

Letter of Authority allows your network provided to connect a physical port on DX router to the physical port of the customer/partnet router
Over this connection you can create either a public or private connection

Question 71

DX connect relationship

Answer 71

AWS account( DX is owned by the account which created it)
It gets a DXconn ID
Speed(1G or 10Gig)
it gives a port of DX router.which is 802.1q trunk. Connect this port to the customer router. single mode fibre 1000Base-lx or 10Gig base lr

Question 72

LOA contains

Answer 72

Issue date, Issued by, requested by, issued to, 
facility cage number
AWS DX ID
Rack, patch panel, port number
Cable Type

Question 73

LOA contains

Answer 73

Issue date, Issued by, requested by, issued to, 
facility cage number
AWS DX ID
Rack, patch panel, port number
Cable Type

Question 74

When you use a partner for direct connect

Answer 74

the partner owns the cross connect between DX router and partner router

Question 75

When you order with a partner instead of a direct connect

Answer 75

You get a hosted connection which is created by the partner and shared with your account.. Only one VLAN is allowed with hosted connection. You have no control over VLAN assignment since it is preselected by your partner

Question 76

what is private VIF

Answer 76

A private virtual interface allows you to connect to your VPC resources (for example, EC2 instances, load balancers, RDS DB instances, etc.) on your private IP address or endpoint.

Question 77

public VIF

Answer 77

To connect to AWS public endpoints, such as an EC2 or S3, with dedicated network performance, use a public virtual interface

Question 78

Inputs required for private VIF

Answer 78

vgw, auto generate peer IP’s router peer IP , amazon router peer IP, BGP ASN( BGP key auto generate to configure customer router)

Question 79

public VIF

Answer 79

to avoid the disadvantages of accessing the public services via internet. Latency, inconsistent bandwidth and mainly internet data charges from AWS

Question 80

Inputs required to create public VIF

Answer 80

vgw is not required, router peer IP, amazon router peer IP cannot be auto generated since it needs publicly routable IP, vlan ID, BGP ASN

Question 81

QinQ 802.1ad VLAN stacking

Answer 81

Access port isn’t VLAN aware. traffic entering and leaving access port uses standard 802.3 which is standard ethernet

Question 82

802.3 Ethernet type2 frame

Answer 82

64-1518 bytes

Question 83

802.1Q add 4 bytes to header

Answer 83

64-1522bytes

Question 84

QinQ add ability to have multiple VLAN’s to a frame

Answer 84

64-1526bytes Supplier Tag and customer tag. Push and pop works on supplier tag

Question 85

root of the domain is aka

Answer 85

naked domain, apex of the domain
Standard says it has to be a A record. It cannot be a CNAME. This presents a problem. You can use CNAME on www.xyz.com But not a xyz.com. xyz.com should be a A record.

Question 86

Record sets have been introduced as A records

Answer 86

which names for an IP

Question 87

Alias recordsSets reference an Alias target

Answer 87

rather than a traditional DNS record

S3, loadbalancer, CloudFront

Question 88

split horizon DNS or split view DNS hosted zone

Answer 88

internal clients resolve the same DNS to internal IPs and external clients resolve to public IP’s

Question 89

+2 address used by the DNS server is not accessible outside the VPC

Answer 89

It can be solved by using a forwarder directory service

Question 90

conditional forwarders

Answer 90

use specific servers for

Question 91

DHCP

Answer 91

automatic dynamic configuration of machines.

Not just IP, subnet mask, local gw, DNS severs, wins servers, Time servers,

Question 92

DHCP. 4 phases, connectionless, UDP port 67 and 68

Answer 92

P1: discovery( client with its mask asking for a DHCP lease)
P2: Offer phase( DHCP servers checks MAC ), Offers a lease( starttime and endtime).
P3: DHCP request phase. picks an offer to lease
P4: Ackowledge phase

Question 93

Placement group limitations

Answer 93

Cannot span AZ, AZ is picked based on the AZ the first instance was created in the PG
Name is unique within your accout across all regions
Not all instance types are supported
Try and stick to same instance type
You can miove existing instances in PG
Transfer to and from PG is 5Gbps
Ideally launch all instances at the start
PG can work over VPC peers

Question 94

Can VPC Endpoints be combined to improve performance OR resiliency OR control

Answer 94

Yes. and use route table to control

Question 95

What is the minimum subnet size required to create an ELB

Answer 95

/27

Question 96

Can a public VIF be utilized to reach public services in regions OTHER than the one its connected to

Answer 96

Yes, but only in North American regions.. Only in North America are NON-local public ranges advertised over BGP.

Question 97

You have 3 VPCs: VPC-A (10.0.0.0/16), VPC-B (10.1.0.0/16) and VPC-C (10.1.0.0/16). You need to make sure that VPC-A can communicate with both. What options do you have.

Answer 97

2 Subnets in VPC-A are required, 1 RT per subnet, pointing at 2 different VPC peer objects.

Question 98

What information is required to setup a Direct Connect VIF/Peering Session

Answer 98

VLAN, Peer IP Addresses, BGP Config

Question 99

Are BGP Advertised routes learned by VPC Route Tables

Answer 99

Yes, if Route Propagation is enabled.

Question 100

A placement group can span AZ’s if the option is selected on creation. A placement group can span VPCs.

Answer 100

A Spread Placement group can span AZs to achieve the desired spread. While there will be a performance reduction, A Cluster Placement groups CAN span VPCs.

Question 101

When configuring a public VIF over a Direct Connect, which of the following statements is true

Answer 101

Public ASNs can be used, public peer IP addressing must be used.

Question 102

Jumbo frames are partially supported, a MTU of 1500 is required over DX links.

Answer 102

Outside the VPC, only 1500 L3 MTU and 1522 Layer 2 MTU are supported.

Question 103

NACL is not scoped to an ENI. But rather subnet

Answer 103

ENI can include

• primary private ipv4 from the ip range in VPC
• one or more secondary ipv4 …
• one elastic ip address per private ipv4 address
• one public ipv4 address
• one or more ipv6 addresses
• one ore more security groups
• a MAC address
• A source and destination check flag
• a description