Networking Flashcards
What is the OSI model?
A way of thinking about networking operations. If there is an issue with one layer then the message will not get through. Can be used in troubleshooting.
What are the 7 layers of the OSI model?
Please Do Not Throw Sausage Pizza Away
Physical- CAT5, fibre optic cable Data link- MAC Network- IP, ARP Transport- TCP Session- Setup, negotiation Presentation- TLS/SSL, compression Application- Web browser
What does the application layer do?
Interprets the messages in HTTP protocol and renders HTML
Does AWS allow multicast?
No
What is unicast?
one on one conversation between servers
like a phone call
What is multicast?
When a network card/server sends messages to everyone on a network- layer 2 (MAC)
What are the 3 main communication protocols used in AWS networking?
1) TCP (layer 4)
2) UDP (layer 4)
3) ICMP (layer 3)
What are the characteristics of TCP and its common uses?
A connection-based stateful communication protocol that acknowledges receipt
e.g. web, email or file transfer
What are the characteristics of UDP and its common uses?
Connectionless stateless with no transmission delays
e.g. streaming media, DNS (why… it’s simple)
What are the characteristics of ICMP and its common uses?
Used by network devices to exchange information
e.g. Traceroute, ping
What is an ephemeral port?
A short-lived transport protocol port used in IP communication
What port ranges are used for ephemeral ports?
Suggested range = 49152 to 65535
linux generally use 32568 to 61000
windows default from 1025
Who defines the ephemeral port number during TCP communication?
The client! e.g. Dial on port 80 (HTTP) and use port 56784 to respond…
Which protocols use ephemeral ports to transfer data?
1) TCP
2) UDP
Why use UDP instead of TCP for large streaming data?
Because there is no acknowledgement. Acknowledging every receipt during streaming would be burdensome
How many IP addresses are reserved in an AWS VPC and what are they? and what are they used for?
5
1) 10.0.0.0- Network address
2) 10.0.0.1- Reserved for AWS for the VPC router
3) 10.0.0.2- Reserved for Amazon DNS
4) 10.0.0.3- Reserved for future use
5) 10.0.0.255- VPCs do no support broadcast for AWS reserves this
Are the reserved IP addresses tied to a specific IP addresses (or numbers)?
No, the IP number doesn’t matter, it is the position in the address that matters!
What consideration do you need to make when creating a VPC?
Ensure that you have enough IP addresses available
e. g. 10.0.0.0/16 ~
10. 0.0.0/32
How many IP addresses will be available for the CIDR block 10.0.0.0/28?
16
How many IP addresses will be available for the CIDR block 10.0.0.0/16?
65536
What are the 8 methods of connecting on-prem network with a VPC?
1) AWS managed VPN
2) AWS managed VPN-Redundant
3) AWS Direct Connect
4) AWS Direct Connect plus VPN
5) AWS VPN Cloud Hub
6) Software VPN
7) Transit VPC
What, when, pros and cons of…. AWS managed VPN
What- iPsec VPN connection
when- want quick and easy, secure connection to a VPC, can be used as a redundant link for direct connect
Pros- Supports static routes or BGP peering and routing
Cons- Dependent on internet connection
What are the 5 steps to set up a AWS managed VPN?
1) Designate an appliance to act as your customer gateway, this is usually your on-prem router
2) Create the VPN connection in AWS and download the config file for your customer gateway
3) Configure your customer gateway using the information from the config file e.g. IPSEC encryption
4) Generate traffic from your side of the VPN connection to bring up the VPN tunnel
5) Configure BGP routing if required
What, when, pros and cons of…. AWS managed VPN- redundant
what- secondary VPN connection
when- want additional redundancy for your AWS VPN
pros- provides redundant architecture
cons- You will have to manually deal with failover, additional cost?
What, when, pros and cons of…. AWS Direct connect
What- Dedicated network connection over PRIVATE lines straight into AWS backbone
when- When you require a “big pipe” into AWS, lots of resources or services being provided on AWS to your corporate users
Pros- More predictable network performance up to 10Gbps connections, supports BGP peering and routing
cons- may require additional telecom and hosting provider relationships and or new network circuits
How do you set up AWS Direct Connect?
Work with your existing provider, create a virtual interface (VIF) to connect a VPC (private VIF) or to other AWS services like S3 (public VIF)
How would you increase the redundancy of a direct connect connection?
You would need to set up a second direct connect connection, ideally using a different provider
What, when, pros and cons of…. Direct connect plus VPN
what- IPSEC VPN connection over private lines
when- Want added security of an encrypted tunnel over direct connect
pros- More secure (in theory) than direct connect alone
cons- more complexity by adding a VPN layer
How would you set up a Direct Connect plus VPN connection?
Organise this through your existing data networking provider
What, when, pros and cons of…. AWS VPN CloudHub
what-Connect locations in a hub and spoke manner using AWS’s virtual private gateway
when- If you wanted to link remote offices for back-up or primary WAN access to AWS resources and each other
pros- Uses existing internet connection, iPSEC VPN connection, support BGP routes to direct traffic e.g. uses MPLS first then Cloud Hub VPN as a backup
cons- Dependent on internet connection; no inherent redundancy
How would you set up a AWS VPN CloudHub
1) create single virtual private gateway
2) create multiple customer gateways, each with the public IP address of the gateway. You must use unique BGP ASNs for each customer gateway
3) Create dynamically routed site-to-site VPN connection from each customer gateway to the common virtual gateway
4) configure the customer gateway devices to advertise a site-specific pre-fix (e.g. 10.0.0.0/24, 10.0.1.0) to the virtual private gateway. These routing advertisements are received and re-advertised to each BGP peer, enabling each site to send data to and receive data from the other sites
5) configure the routes in your subnet route table to enable instances in your VPC to communicate with your sites
What, when, pros and cons of…. software VPN
What- You provide your own VPN endpoints and software
when- When you must manage both ends of the VPN connection for compliance reasons you want to use a VPN option not supported by AWS e.g. openVPN
Pros- Ultimate flexibility and manageability
cons- You must design for any needed redundancy across the whole chain
How would you go about setting up a software VPN?
Install the VPN software via a market place appliance or on an EC2 instance
What, when, pros and cons of…. Transit VPC?
What- common strategy for connecting geographically disperse VPCs and locations in order to create a global network transit center
when- locations and VPC-deployed assets across multiple regions that need to communicate with one another
pros- ultimate flexibility and manageability but also AWS-managed VPN hub and spokes between VPCs, good for one VPC as a pass through and to deploy across different cloud providers
cons- You must design for any redundancy across the whole chain
How do you set up a transit VPC?
Contact provider such as cisco that link their equipment with an AWS VPC
What are the two types of VPC to VPC connections?
1) VPC peering
2) AWS private link
What, when, pros and cons of….VPC peering
What- AWS provided network connectivity between 2 VPCs
when- When you have multiple VPCs that need to communicate or access each others resources
pros- Uses AWS’s backbone without touching the internet
cons- Does not support transitive peering
How do you set up VPC peering?
You make a VPC peering request, acceptor accepts!
What, when, pros and cons of…. AWS private link?
What- AWS provided network connectivity between VPCs and or AWS services using interface endpoints
when- When you want to keep private subnets truely private by using the AWS backbone to reach the services rather than the public internet.
Pros- Redundant as it uses AWS backbone
cons- cost? time to set up manually?
How do you create an AWS private link?
Create endpoints for needed AWS or marketplace services in all needed subnet, access these via the provided DNS hostname
What are the 2 types of endpoints in AWS?
1) Interface endpoint
2) Gateway endpoint
The What, How, What products and security of… Interface endpoints and e.g….
What- Elastic network interface with a priave IP
How- uses DNS entries to redirect traffic
What products- API-Gateway, Cloud front, Cloudwatch
Security- Security groups
e.g. Routing call to S3 from within S3
The What, How, What products and security of… Gateway endpoints and e.g….
What- A gateway that is a target for a specific route
How- Uses prefix lists in the route table to re-direct traffic
What products- DynamoDB or S3
Security- VPC endpoint policies
e.g. control access to S3 or DynamoDB where you can only access item when traffic comes through an endpoint
What are the two ways of providing internet access to VPCs?
1) Internet gateway
2) Egress-only internet gateway
What are the 2 main purposes of the internet gateway?
1) provides route table targets for internet-bound traffic
2) Performs NAT for instances WITH public IP addresses- Not for instances with private IP addresses
Are IPv6 addresses global?
Yes, so are public by default.
What are the 2 roles of the Egress-only gateway?
1) Provides outbound internet access to for IPv6 addressed instances
2) Prevents inbound access to IPv6 instances
Is the Egress-only gateway stateful or stateless?
Stateful
What is a NAT instance? and what is it’s role?
Amazon created AMI EC2 instance.
Role is to translate traffic from many private IP instances to a single public IP address and back
What does a NAT instance NOT allow?
Public internet initiated connections into private instances
Does the NAT instance support IPv6?
Nope, use Egress only gate way for NAT
What must private instances have to access the internet?
A route to the NAT instance in the public subnet. The traffic will then be directed to the internet gateway bia the NAT instance.
What is the NAT gateway?
AWS managed NAT service that replaces the need for a NAT instance on EC2. Uses an elastic IP.
What is the default route and target for a NAT gateway? Entered in your private route table.
Destination, enter 0.0.0.0/0. For Target, select the ID of your NAT gateway.
How would you increase the redundancy of your NAT gateway architecture?
Create a NAT gateway in each AZ with routes for private subnets to use the local gateway- Multi-AZ redundancy
Both the NAT gateway and NAT instances use elastic IP addresses, but only one can be detached, which is it?
NAT instance- detach Elastic IP
NAT Gateway- Cannot detach
Can you associate a security group with a NAT gateway?
Nope, but you can with a NAT instance
How can you control routing at the VPC level?
you can control routing via:
1) Route tables
2) BGP
How can you control routing at the Route53 level?
You can apply routing policies
How can you control routing at the ELB level?
Request routing
What is a route table? (3 points)
1) Each VPC has an implicit router and main routing table
2) Each route table contains a local route for the CIDR block
3) The most specific route for an address wins
What is the BGP?
Border Gateway Protocol
Allows dynamic routing, the method of choosing different paths depending on the availability and weighting
Weighting is local to the router and higher weight is the preferred path for outbound traffic
Which ports need to be open for BGP?
179 and Ephermeral ports
What is ASN?
Autonomous System Number (ASN)…. a unique endpoint identifier
What would you do if you needed very high performing network if you had lots and lots of data?
Can use Single Root I/O virtualisation (SRIOV)
Higher performance options than normal virtualised interfaces
may need to install a specific adapter/interface e.g. Intel 82599 VF interface
What is a placement group?
Relevant for networking performance…
Gives you control over where physical servers are provisioned.
What are the3 types of placement groups?
1) Clustered
2) spread
3) Partition
What, when, pros and cons of… Clustered placement group? Same rack or separate?
what- Instances are placed into a low-latency group within a singe AZ
When- When you need low network latency and/or high network throughput
pros- Get the most out of enhanced networking instances
cons- Finite capacity
Same rack
What, when, pros and cons of… Spread placement group? Same rack or separate?
When- Instances are spread across underlying hardware
when- When you want to reduce the risk of simultaneous failure if underlying hardware fails.
pros- can span multiple AZ’s
cons- Max of 7 instances per group per AZ
Separate racks
What, when, pros and cons of… partition placement group? Same or separate rack?
what- Instances are group into partitions and spread across racks
when- You want to reduce the risk of correlated hardware failures for multi-instance workloads
pros- Better for large DISTRIBUTED or REPLICATED instance workloads than spread. Increases tolerance when one VM goes offline
cons- Not supported for dedicated hosts
Separate racks
Name and describe 7 routing policies available in Route53…
1) simple- Heres the destination for that name
2) Failover- Normally I would route you to there, but based on health checks I will route you this backup.
3) Geolocation- Looks like you are in Europe I will route you to a resource that is closer to you in that region
4) Geoproximity- Your user is closer to US-EAST1 than US-WEST-2. So I will route you to US-EAST1
5) Latency- Let me see which resources has the lowest latency then I will direct you that way
6) Multivalue answer- I will return several IP addresses as a sort of basic load balancer (round-robin based on health checks)
7) Weighted- You can set up multiple resources and I’ll route you according to the percentage of weight you assign to each
What does bias mean in the context of geoproximity routing?
Balances resources based on population
Assign a value between -99 and +99
How does weighted routing work?
You apply a weight number between 0-255 and calculate the weight of each route as a percentage.
If you apply 0, then this will disable traffic.
What is CloudFront?
A distributed content delivery service for simple static asset caching up to 4K
What service is CloudFront integrated with?
CloudFront is integrated with Amazon certification manager and supports SNI
What is the function of an SSL certificate? and how do they work?
Main function is to ensure websites are legitimate. Does this by checking the domain name matches the name of the certificate
How do you get around the SSL certificate error when using CloudFront to serve content over HTTPS? (2 points)
1) Can use CloudFront allocated dedicated IP addresses at each CloudFront edge location to server your content over HTTPS
2) Use Server Name Indication (SNI) to allows the client to specify which host it is trying to connect to. The server can present multiple certificates on the same IP. The client is asking for the correct certificate and CloudFront is providing it
Which security policies are available in CloudFront?
SSL or TLS, most recent TLS v1.2
What is the function of an Elastic Load Balancer?
Enables you to distribute inbound connections to one or many backend endpoints. Essentially how you control the flow of traffic to backend servers.
What are the 3 elastic load balancer options?
1) Application load balancer (Layer 7)
2) Network load balancer (Layer 3)
3) Classic load balancer (layer 4 or 7)
What features do you use to route using a Network Load Balancer? (1 point)
1) port numbers
TCP connections to the backend are persisted for the duration of the connection
What features do use to route using an Application load balancer? (6 points)
1) Host-based routing
2) path-based routing
3) HTTPS header-based routing
4) HTTPS method-based routing
5) Query, string parameter-based routing
6) Source IP address CIDR-based routing
When you use a Network load balancer over an application load balancer?
When you are interested in RAW SPEED!
Which protocols does a application load balancer use to control traffic?
HTTP/HTTPS
Which protools does a network load balancer use to control traffic?
TCP, UDP, and TLS
What are sticky sessions?
Important feature for web applications, most web applications keep up with clients using sticky session ID
The session ID is used to uniquely identify the client for stuff like shopping carts
What does enabling sticky sessions on an application load balancer do?
Allows the ELB to keep track of the client and which webserver it handed it off too… increases continuity for the user
What is a stateless protocol? provide an example…
A communication protocol in which no session information is retained by the receiver. Relevant session data is sent to the receiver by the client. Every packet of information can be understood in isolation.
e.g. HTTPS/HTTP
What is the benefit of using a stateless protocol?
Improves performance by removing server load caused by retaining session information, but does have an overhead cost as this information must be interpreted by the receiving server.
What is a stateful protocol? provide an example…
A communication protocol that requires keeping of the internal state on the server. A TCP connection session is stateful because both systems maintain information about the session itself during it’s life.
e.g. FTP
What is a connectionless protocol? Provide an example
Designed to stream data. no beginning and no end.
e.g. UDP
What is a connection-based protocol? provide an example…
A communication that requires a logical connection to be established between 2 parties before data is exchanged. The connection must be maintained during the entire communication.
How can you allow your VPC instances to resolve using an on-prem DNS?
You can configure a DHCP (Dynamic Host Configuration Protocol) which provides a standard for passing configuration information to hosts on a TCP/IP network .
What is contained in an options field of a DHCP message?
configuration parameters
1) The domain name
2) domain name server
3) netbios node-type
what are the 2 purposes of the Egress-only gateway?
1) Allows VPC based IPv6 traffic to communicate to the internet
2) prevents IPv6 internet resources initiating a connection into a VPC
What networking components will allow an IPv6 data to communicate between a VPC and the internet for inbound and outbound traffic?
1) internet gateway (inbound traffic)
2) Egress only (outbound traffic)
What could be stopping you from SSHing into an instance from the internet?
Need to check NACL to ensure that TCP traffic is allowed for ports between 1025 to 65535.
Ephemeral ports are required to communicate back to the client
Does Direct Connect require 802.1Q VLAN support
Yes
Is Direct Connect HA by default?
Nope
Does Direct Connect require BGP routing?
Yes
What must you ensure when using geolocation routing?
That you have a default route specified in case that location cannot be used
Do Application load balancers support elastic IPs?
Nope, but network load balancer do!
Does Route53 support a TLSA record? and what are they?
Nope, TLSA records are used to specify the keys used in a domain’s TLS servers.
