Networking Flashcards

1
Q

when creating a NAT instance, disable the source/destination check on the instance

  • NAT instance must be in a public subnet
  • there must be a route out of the private subnet to the NAT instance, in order for this to work
  • the amount of traffic that NAT instances can support depends on the instance size. if you are bottlenecking, increase the instance size.
A

T

2
Q

NAT Gateway

  • preferred by the enterprise
  • scale automatically up to 10Gbps
  • no need to patch
  • not associated with security groups
  • automatically assigned a public ip address
  • remember to update your route tables
  • no need to disable source/destination checks
  • more secure than a NAT instance
A

T

3
Q

your VPC automatically comes with a default network ACL, and by default it allows all outbound and inbound traffic

A

T

4
Q

you can create custom network ACLs. by default, each custom network ACL denies all inbound and outbound traffic until you add rules

A

T

5
Q

each subnet in your VPC must be associated with a network ACL. if you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

A

T

6
Q

you can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. when you associate a network ACL with a subnet, the previous association is removed.

A

T

7
Q

Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.

A

T

8
Q

network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic

A

T

9
Q

Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic.

A

T

10
Q

block IP addresses using network ACLs, not security groups

A

T

11
Q

VPC flow logs can be created at what 3 levels?

A

VPC

subnet

network interface level

12
Q

you cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account

A

T

13
Q

you cannot tag a flow log

A

T

14
Q

after you’ve created a flow log, you cannot change its configuration; for example, you can’t associate a different IAM role with the flow log

A

T

15
Q

traffic generated by instances when they contact the AWS DNS server is not logged by VPC flow logs. if you use your own DNS server, then all traffic to that DNS server is logged

A

T

16
Q

not monitored by VPC flow logs:

  • traffic generated by a Windows instance for AWS license activation
  • traffic to and from 169.254.169.254 for instance metadata
  • DHCP traffic
  • traffic to the reserved IP address for the default router
A

T

17
Q

start of authority (SOA)

the SOA record stores info about:

  • the name of the server that supplied the data for the zone
  • the administrator of the zone
  • the current version of the data file
  • the default number of seconds for the TTL on resource records

A

T

18
Q

NS records

NS stands for name server records. they are used by top level domain servers to direct traffic to the content DNS server, which contains the authoritative DNS records.

A

T

19
Q

alias records are used to map resource record sets in your hosted zone to ELB, CloudFront, or S3 buckets that are configured as websites.

they work like CNAMEs: one DNS name to another.

key difference: a CNAME can’t be used for naked domain names.

you can’t have a CNAME for http://acloud.guru; that would have to be an A record or an alias

A

T

20
Q

given choice, always use an alias over a cname

A

T

21
Q

each zone contains a single SOA record

A

T
