Networking Flashcards
What IP ranges can be used?
/16 (65532) to /28 (16)
What IPs are reserved and for what purpose?
.0 -> Networking .1 -> VPC Router .2 -> DNS Server .3 -> Future use .255 -> Broadcasting (reserved to not allow the user)
What are the parts of an ENI?
One or more IPv4 address One or more IPv6 address Security Groups MAC address Source/Destination checks
What is eth0?
The primary network interface
Cannot be detached from the instance. But there can be additional network interfaces. (up to a limit)
What needs to be considered using an Elastic IP?
- IPv6 is not supported (atm)
- When associating an EIP the currently attached IP will be send back to the IP pool
- The DNS host name will be changed
- Theres no charge for using an EIP but a charge when it is not used
- It is regional
What are VPC Flow Logs?
Captures information of IP traffic in/out of the network.
Can be retrieved in the CloudWatch Logs
What are the advantages of Direct Connect?
- Reduces bandwith costs
- Consistent network performance
- Private connectivity to AWS
- Network scaling possibilities
How to set up Direct Connect?
- Submit Connection Request
- Download and send Letter of Authorization and Connecting
- Create Virtual Interface
- Download Router Configuration
Options for a VPN?
- Virtual Private Gateway
- VPN CloudHub
- Software VPN
Functions of Route53?
- Register domain names
- Route internet traffic to the resources to the domain
- Check the health of the resources
What are the three types of health checks?
- Health of a specific resource, like web servers
- Status of CloudWatch alarms
- Status of other health checks
Can you have a CF distribution with your own domain?
Yes
What are Regional Edge Caches?
Between Origin and Edge Location.
Larger Cache with longer caching times
What can be an Origin Server?
AWS resources such as S3, EC2, Elastic Load Balancing.
Or something outside of AWS.
What is Private Content in CloudFront?
Enables to set access rights for the users, like signed URLs
What is Device Detection
Detects the device and therefore can deliver different content based on that
What is Geo Targeting?
Detects the country and can deliver content based on that
How are Query String Parameters handled in CF?
Per default query parameters are not used for the origin - it can be configured to use those
What is Object Versioning and Cache Invalidation?
Object Versioning: New Filename each time, so until deleted the old version is still online
Cache Invalidation: Old version is removed and replaced by the new version
What is Zone Apex Support?
You can use your own domain for the distribution
What is the primary cause(s) of an EC2 network bottleneck?
Geographical proximity, EC2 instance size, and lack of enhanced network features
What AWS VPC feature would you choose to connect and improve network performance between two VPCs without transiting the public internet?
VPC Peering is a way to connect two VPCs and improve network performance.
What information does a VPC Flow Log capture?
VPC Flow Logs capture IP traffic as metadata for a VPC.
What connection speeds does AWS Direct Connect provide?
1 Gbps
10 Gbps
What step is used to assign an Elastic IP (EIP) to an instance?
Association is the step used to assign an EIP to an instance.
Which of the following does a dedicated connection require?
Single-mode fiber
Dual-mode fiber
Single-mode fiber
Which of these is not a benefit of SSL Offloading?
Scalable HTTPS/SSL from a singular point
Improved networking
Ease of certificate management
Increased processing performance with SSL
SSL Offloading does not lead to improved networking.
Which of these is not a benefit of Amazon CloudFront?
Increased CPU performance
Increased network performance
High transfer speeds from the origin
Low latency
Amazon CloudFront is a CDN, and it does not increase the CPU performance of an instance. The instance workload may lessen due to the request of cached content from CloudFront, but this does not mean the CPU performance of an instance has been increased.
Which three make up the components of a load-balancer?
Load-balancer, Target Group, and Listener
Which three are the components of an AWS VPN?
VPN Connection
Customer Gateway
Virtual Private Gateway
What can the ALB do that the Network LB cannot?
Look at the content of a package (for example the header) and make decisions based on it
When should you pre warm your LB and how?
When there’s a planned spike in Traffic you can contact AWS to increase the capacity of your LB
What should be done when a 460 client closed connection error occured?
The user should increase the timeout
Describe the three placement group types and their advantages
Cluster: all Instances are in one AZ and have a 10GBs connection
Partition: Instances are created in segments, all located in separate racks (and can be in multiple AZs) - for distributes workloads
Spread: Each instance is in a separate rack
What is a Cache-Hit-Ratio?
Number of request served by the cache, compared to the origin
What can be done to have a better Cache-Hit Ratio?
- Longer cache time
- Query Parameter cache (beware: they are case sensitive)
- Caching based on cookie values
- Caching based on Request Header
- Remove Accept-Encoding Header (when no need for compression)
What are the two types of VPC endpoints?
Interface endpoint: powered by AWS PrivateLink
Gateway endpoint: S3/Dynamo DB
When connection two VPCs, how many Peering connections are needed?
Just one
What is Dual-Stack mode?
It runs IPv4 and IPv6
What is Connection Draining?
A setup done in the console or CLI that causses the LB to stop sending request to unhealty instances, but makes sure that already existing connections are handled correctly
What does “instance-monitoring Enabled=true” do on an auto scaling group
Enabling “detailed monitoring”, if “false” than normal monitoring is used
How can you connect on-prem servers with an ELB?
With direct connect or via a VPN
What is content-based routing?
Giving traffic to Target Gorups based on header information, such as the route /images or /forum
What is a Slow Start
New instances behind an ELB do not get as much traffic as older instances
ELB: What is a listener?
Handles requests based on conditions, such as ports or protocols.
An ELB has at least one listener
ELB: What is a target group?
A set of resources the LB directs traffic to. Sits behind the listener
ELB: What is a rule?
Defines rules on which target group the LB should direct traffic to, such as HTTP method or incoming IP
ELB: What is an ELB node?
For every AZ an ELB directs traffic to a node has to be set (this is done by selecting the AZs traffic wil be directed to)
ELB: What are the options to set a certificate to the LB?
1) Choose a certificate from ACM
2) Update a cert. from ACM
3) Choose a cert from IAM
4) Upload a cert from IAM
ELB: How is a request handles with HTTPS as the listener?
The encrypted request is terminated on the LB and then encrypted again using a different certificate
ELB: What is a “step scaling policy”?
policy that dictates different levels of scaling based on different utilization levels of a metric you’ve selected.
VPN: What are the parts of an AWS managed VPN?
Cloud: Virtual Private Gateway
Connection: Tunnel via IPSec
On-Premise: Customer Gateway
VPN: What is the Transit Gateway?
Central hub to connect multiple VPCs
VPN: What is the AWS VPN CloudHub?
Uses an Amazon VPC virtual private gateway with multiple customer gateways, each using unique BGP autonomous system numbers (ASNs). Your gateways advertise the appropriate routes (BGP prefixes) over their VPN connections.
What is AWS PrivateLink?
AWS PrivateLink provides private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access your services, AWS PrivateLink ensures your traffic is not exposed to the public internet.
VPC: What makes a subnet public?
1) Internet Gateway - Subnet has a route (0.0.0.0/0) to the IG (igw-1234)
VPC: What allows the subnets to talk to each other?
The local route in the Routes Table.
Destination: CIDR Range of the VPC (10.0.0.0/16 e.g.)
Target: local
NACL: What are the configurable attributes of in/outbout rules?
Rule# (10 e.g.) Type (HTTP) Port (80) Source(in) /Destination(out) (0.0.0.0/0) Allow/Deny
What does stateful/stateless means for NACL/SG?
stateful: if inbound traffic is allowed, then the request can leave again
stateless: traffic can go in, but not out if not specified
What are the characteristics of a NAT Gateway (in terms of IPs, Subnet etc.)
It is located in a public subnet and has a public IP.
The private subnets that will use the NAT have a 0.0.0.0/0 destination route to the NAT Gateway (nat-012345)
The private subnets can only receive traffic after sending the request - the internet cannot directly talk to private subnets.
The Gateway is only accessible from the same AZ
How to connect from a Bastion Host to an instance in a private subnet?
SSH with your key to the Bastion.
Use SSH Agent Forwarding to ssh into the private instance
VPN: How is the route for a VPN connection to a Customer Gateway configured?
Destination: [CG] - 192.168.0.0/16 e.g.
Target: [VPG] - vgw-12345 e.g.
VPN: How are security groups configured for on premise networks?
The souce must reflect the IP / IP Range of the on premise network.
for example: HTTPS - 443 - 192.168.0.0/16
VPN-Direct Connect: What is the difference between Private and Public Virtual Interfaces?
Private: Goes directly to the customers VPC
Publice: Can connect to “open” services like S3
How to establish/configure a VPC Peering connection?
Destination is the other VPC and the target is the VPC-Connection (pcx-1234)
Every subnet that wants to send or receive traffic needs to have a route
VPC: Can a VPC peer with two VPCs that have the same IP range?
It depends:
There is no check of the origin, so there cannot be a complete overlap.
But it would be possible if the route is more specified, with a /24 instead of a /16
VPC: Can you attach more than one route table to a subnet and can you attach one route table to multiple subnets?
No
Yes
VPC: What happens to a subnet that does not have an explicit route table attached?
It receives the main route table
Routing: What is the “Longest Prefix Match” and when are they exluded?
The Routing happens for the most specific match.
When the local route collides with Route Propergation the static/non-propergated route has precedence
What are the typical 4xx error codes? (in ELB)
400 Bad Request - Invalid request header
401 Unauthorized - user access denied
403 Forbidden - blocked by the firewall
460 - Client closed connection before LB can answer
463 - Request with too many IP addresses in X-Forwarded-For Header
What are the typical 5xx error codes? (in ELB)
500 Internal Server Error - Error within the LB
502 Bad Gateway - Error from the target Server (closed connection or malformed response)
503 Service Unavailable - No answering servers
504 Gateway Timeout - Targets do not repsonse
You would like to receive an alert if more than 3 of your application servers fail to respond to a basic health check by the Elastic Load Balancer. Which metric could you use to configure this?
UnHealthyHostCount
You need to configure a load balancer with a static IP address, which of the following would you recommend?
Network Load Balancer
You are running an application on a load-balanced group of 10 EC2 instances. Which of the following metrics would use to check how many of your application servers are available?
HealthyHostCount
What are Source/Destination checks?
AWS checks if the traffic to an instance corresponse being the source or destination with the traffic it sends or receives.
This check must be disabled for a NAT instance since the recipient of the traffic is not the NAT instance
How are rules evaluated in the NACL?
In order - the first fitting rule that fits will be taken
How many NACLs can be attached to a subnet?
Only one.
If another NACL is attached, the old one will be removed
On which three levels can a VPC Flow Log be created?
- VPC
- Subnet
- Network Interface level
What two resources are necessary to create a VPC Flow Log?
- Role
- Log Group (created in CloudWatch)
VPC Flow Log: What are the restrictions regarding VPC Peering?
Only possible if the peered VPC is in the same account
VPN: What is necessary to concect multipleregions with a Direct Connection connection?
A Direct Connect Gateway behind the Virtual Private Gateway
DNS: What is SOA?
Start of Authority
Contains administrative information, as well als the TTL for the DNS record
DNS: What is the Name Server (NS)?
Service based on the Top-Level Domain to give a DNS Server to a Domain
DNS: What is an “A Record”
Address Record
Translates Domain to IP
Can be at domain or subdomain level
DNS: What is a CNAME?
Canonical Name
Is an alias to an A-Record
www.xyz.de -> xyz.de
m.xyz.de -> mobile.xyz.de
DNS: What is an Alias Record?
Specific to AWS
Maps a domain to another DNS entry, for example a Load Balancer
Route53: What is Multivalue Answer?
You give a list of (max.) 12 IPs, AWS checks the health of those and returns (max.) 8 as targets
Which protocol does AWS Direct Connect use to share routing information?
The Border Gateway Protocol (BGP) is the protocol used within the Direct Connect service for sharing routing information from the router in your Data Centre to AWS and vice versa.
VPN: What is Direct Connect Multi-Account Support?
Possiblity to use direct connect with multiple accounts (Test, Dev, Prod) as long as they are under one payer account (in AWS Organisations)
Using a NAT Gateway, how is the routing set up?
0.0.0.0/0 NAT-ID in the private subnet
Using a NAT Gateway, what changes have to be made for the security group (if not 0.0.0.0/0 is allowed)?
Add the subnet range to the allowed sources
Source 10.0.1.0/24 on port 80/443
By recommendation: What are the main/custom route tables used for?
main: private subnet
custom: public subnet
VPC: What is the Egress-only Internet Gateway?
A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.
VPC: What is a VPC Endpoint?
Enables private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.
VPC: What are the different types of VPC endpoints available on Amazon VPC?
Gateway type endpoints are available only for AWS services including S3 and DynamoDB. These endpoints will add an entry to your route table you selected and route the traffic to the supported services through Amazon’s private network.
Interface type endpoints provide private connectivity to services powered by PrivateLink, being AWS services, your own services or SaaS solutions, and supports connectivity over Direct Connect. More AWS and SaaS solutions will be supported by these endpoints in the future. Please refer to VPC Pricing for the price of interface type endpoints.
VPC: How do instances without public IP addresses access the Internet?
- Through a NAT gateway or a NAT instance
- with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.
ELB: What happens to running instances if an ALB gets deleted?
Deleting a load balancer does not affect its registered targets. For example, your EC2 instances continue to run and are still registered to their target groups.
What is Traffic Mirroring?
Direct access to the network packets flowing through your VPC by allowing you to mirror and forward them to another network interface in the same or another VPC in the same or another account.
Can be used for further monitoring and security appliances.
What are the four layers of networking security
- VPC Route Table
- Subnet ACLs (NACL)
- ENI Security Groups
- Third-party host security features
VPN: What is the Virtual Private Gateway?
Enables connectivity between the VPC and another network.
What are the private IPv6 addresses?
Per default all IPv6 addresses are public
How is the internet connection for a private subnet set up in a route table?
0.0.0.0/0 - NAT-GW ID
What are the two (public / private) connection options for a VPN Gateway?
1) IPSec VPN Tunnel over the internet
2) private Direct Connect connection
There are two VPC (A/B), how are the route tables set up for a peering connection?
VPC-A 172.16.0.0/16
VPC-B 10.0.0.0/16
Peering connection pcx-11112222
VPC A 172.16.0.0/16 Local
10.0.0.0/16 pcx-11112222
VPC B 10.0.0.0/16 Local
172.16.0.0/16 pcx-11112222
How is inter-regional peering set up?
The same as for one region.
The region must be selected in the “Create Peering Connection” dialog
Can you move an ENI to another instance?
Yes, as long as it is not the primary (eth0) ENI
Where are Flow Log files stores and can be viewed?
In Cloud Watch Logs
Is Direct Connect per default Highly Available?
No, the VPN gateway it uses in the VPC is, but the connection is not.
There need to be more than one line, ideally in two (+) regions
What is CloudHub?
A VPN (gateway) that connects to multiple Customer Gateways
What are the (three) functions of Route53?
- Register domain names
- Route internet traffic to resources based on rules
- Check the health of resources (instances or LBs)
Route53: What is “failover routing”?
There is a primary and a secondary resource.
In case of a failure the traffic is directed to the secondary
Route53: What is an alias in Route53?
Instead of pointing to an IP Route53 can also route to:
- CloudFront
- Elastic Beanstalk Application
- Elastic Load Balancer
- S3 Bucket (for static website hosting)
- Another Route53 resource record
Route53: What are the three types of health checks?
- Health of a specific resource (EC2 instance e.g.)
- Status of a CloudWatch Alarm
- Other health checks (Example: there are health checks on 5 instances, the checks sets an alert if 3 of them are in alert)
CloudFront: What is the Cache Behavior?
Set of rules how to cache the request based on the request URL
CloudFront: How to enable regional edge caches?
It is done automatically at no additional costs
CloudFront: What is the shortest possible caching time?
0 seconds - all requests go to the origin
CloudFront: How to keep response items small?
Use GZIP (if accept-encoding: gzip is sent in the header)
CloudFront: What is the Default Root Object?
File that is sent when there is a request to the “root” url
CloudFront: What is Zone Apex Support?
Using your one domain
What is a private VIF?
The logical interface between the customer location and the AWS services inside the VPC
How to get the public /private IP address from the metadata?
169.254.169.254/latest/meta-data/public-ipv4
169.254.169.254/1.0/
meta-data/local-ipv4
What CIDR Range will be assigned to a IPv6 VPN?
/56
Can you add a secondary CIDR IP Range to a VPC?
Yes, as long as it does not overlap
Does a VPC support “multicast”?
No
Is IPv6 supported for VPC peering?
No
Which of the following is true of an interface VPC endpoint? (Choose two.)
A. It supports TCP traffic.
B. It supports IPv6 traffic.
C. It supports UDP traffic.
D. It exists in only one availability zone.
It supports TCP traffic.
It exists in only one availability zone
How can you restrict EC2 access to an S3 Bucket with a S3 Gateway Endpoint?
Create and add a security group, which specifies the S3 prefix list ID
If using a IPv6 VPC, do you need to add a IPv4 CIDR as well?
yes
Which are the two options for connecting a site to AWS using Direct Connect?
- dedicated connection between your
equipment and AWS at a Direct Connect location or - a hosted connection from an AWS
Direct Connect Partner
What is the difference between Public / Private and Transit virtual interface?
- A public virtual interface allows you to use public AWS endpoints over a Direct
Connect connection. - A private virtual interface is used for connecting to a VPC.
- A transit
virtual interface is only for use with an Amazon VPC Transit Gateway.
How many VPN connections can you create to a single VPC?
You can have up to 10 VPN connections to a VPC.
How can you decrease the network overhead of a Direct Connect connection?
Using jumbo frames can decrease network overhead by allowing more data to be
sent across the connection in a single frame.
How many routes are you allowed to advertise in a BGP session over a Direct Connect
connection over a private virtual interface?
You can advertise up to 100 routes over each BGP session over a private virtual interface.
What happens if you advertise more than 100 routes over a BGP session over a Direct
Connect private virtual interface?
The oldest routes will be discarded to bring the total number of routes to 100 or
fewer
You have a VPN connection and a Direct Connect connection between your datacenter
and a VPC. BGP sessions on both connections have the exact same prefixes. Which
connection will be preferred?
Direct Connect
What are two differences between CloudHub and Direct Connect Gateway?
- CloudHub connects on-premises networks (via a VPN or Direct Connect link) and
VPCs in only one region. - Direct Connect Gateway connects on-premises networks and
VPCs in any region.
What’s the maximum number of Direct Connect dedicated connections you can have per
link aggregation group?
4
You have an EC2 instance with a global unicast IPv6 address assigned. How can you
ensure that hosts on the Internet are able to resolve the IPv6 address of the instance?
Create a publicly resolvable AAAA record that points to the instance’s IPv6 address
Your EC2 instance in the us-east-1 region is assigned the public IP address 203.0.113.25.
Whichis the DNS hostname?
ec2-203-0-113-25.compute-1.amazonaws.com
. You created a default VPC and made no other changes to it. Which of the following is true
of an EC2 instance launched into this default VPC? (Choose two.)
A. Its primary private IP address has a /16 CIDR.
B. It’s in a public subnet.
C. It has a public IP address.
D. It has no outbound access
B. It’s in a public subnet.
C. It has a public IP address.
Using a virtual private gateway, you’ve created a site-to-site VPN connection between a
VPC subnet and a datacenter. When creating routes to datacenter subnets, what should you specify as the target in the route table?
Virtual private gateway
What’s the maximum number of instance recovery attempts allowed per day?
3
What does NODATA mean in a VPC Flow log?
NODATA is written to the end of a flow log record when there’s no traffic to log
during a 10-minute capture window.
If there were too much traffic to log, SKIPDATA
would appear instead.
When trying to add an alternative domain name to a CloudFront distribution, you get an
“InvalidViewerCertificateException” error. What could be the reason?
The custom certificate you’ve provided isn’t signed by a trusted certificate
authority (CA)
How to identify an RTMP distribution?
rtmp://s*.cloudfront.net
When does a CloudFront edge location first fetch a file from an origin?
When the edge location receives a request for the file
Which network protocol is supported by CloudFront?
WebSocket
How can you enable Internet users to access a CloudFront distribution without allowing
public access to its origin S3 bucket?
Use an origin access identity.
Can a non public S3 bucket be a origin?
no
Can a public web server be an origin?
yes
Can you use publicly routable IP addresses in a Network Load Balancer?
no, only RFC 1918 or RFC 6598 addresses
When browsing to the public URL of an application load balancer, users receive a “Bad
Gateway” error. The target group contains only EC2 instances. What could this indicate?
The target instance closed the connection from the load balancer e.g.
The error usually indicates that the load balancer received an unexpected response from
the target, such as a TCP reset or TCP FIN. The “Bad Gateway” error is generated by the
application load balancer, so receiving the error indicates users are able to connect to it.
When browsing to the public URL of an application load balancer, users receive a
“Gateway Timeout” error. The target group contains only EC2 instances. What could this
indicate?
The “Gateway Timeout” error occurs when the target doesn’t respond.
What services can you BYOIP?
NLB, EC2, NAT Gateway
Which of the following is the cheapest S3 encryption option? A. SSE-KMS customer-managed CMK B. SSE-KMS AWS-managed CMK C. Client-side encryption using KMS D. SSE-ACL
SSE-KMS with AWS-managed CMK
What is “low jitter” and which service provides it?
Direct Connect provides consistent latency, also known as low jitter. I
You have an EC2 instance with an elastic IP address associated with it.
IPv6 is enabled
in the instance’s public subnet.
How can you ensure that hosts on the Internet are able to
reach the instance via IPv6?
Assign a global unicast IPv6 address to the instance
Which VPC attributes determines whether the Amazon DNS server is
enabled?
enableDnsSupport
