Networking and Hybrid

Question 1

What services does DCHP provide to a client?

Answer 1

IP address, subnet mask, default gateway. Also DNS servers. Netbios name server, NTP

Question 2

At what network layer does DHCP start its communicaiton?

Answer 2

Layer 2

Question 3

Are DHCP option sets changeble once implemented?

Answer 3

No, immutable

Question 4

How many VPCs can DHCP option sets be associated with?

Answer 4

0 to many

Question 5

How many DHCP option sets can VPC have?

Answer 5

0 or 1

Question 6

Are changes to DHCP option sets immediate?

Answer 6

Yes, but client DHCP renew takes time

Question 7

Can you provide your own EC2 domain names using DHCP option sets?

Answer 7

Yes, you have to configure your own custom domains and DNS servers and add config to the option set

Question 8

What is the default gateway for an AWS DHCP option set?

Answer 8

VPC router (subnet +1)

Question 9

What is the default DNS server in an AWS DHCP option set?

Answer 9

R53 resolver (VPC +2)

Question 10

Is the VPC router HA?

Answer 10

Yes, it is highly available across the region when you provision a VPC

Question 11

How does the VPC router participate in each subnet?

Answer 11

It has an interface in each subnet, which is the subnet +1 address and is the default gateway in a DHCP option set.

Question 12

How do you configure the behavior of the VPC router?

Answer 12

By using route tables

Question 13

At what level of the VPC do route tables work?

Answer 13

Trick quesiton: They are defined at the VPC level, but associated to a subnet

Question 14

Can a subnet be associated to more than one route table at a time?

Answer 14

No

Question 15

Explain how the default route table works

Answer 15

Created at the time of the VPC, associated with all subnets

Question 16

If a route table has two paths to a destination, how does it select the route it will use?

Answer 16

Selects the most specific path first.

Question 17

Name on other time route tables can be associated with

Answer 17

Gateways

Question 18

What does target = local mean on a route table

Answer 18

in the current VPC

Question 19

What is always in the route table and uneditable?

Answer 19

The local route

Question 20

What is the primary concern with using stateless firewalls?

Answer 20

You have to account for both incoming and outgoing connections of a communication chain. Often means you have to allow all outbound to ephemeral ports.

Question 21

Where do NACLs fit in the VPC hierarchy?

Answer 21

They operate at the subnet boundary…things coming into the subnet and things going out

Question 22

What two sets of rules do NACLs have?

Answer 22

Inbound
Outbound

Question 23

NACLs allow both of what

Answer 23

Explicit Allows
Explicit Denies (different that SGs)

Question 24

Explain NACL rule evaluation

Answer 24

First it selects direction
Then it starts with the lowest rule number
Stops at first match

Question 25

What is the catch all rule in NACLs?

Answer 25

a * that catches everything and Denies

Question 26

NACL screen shot

Answer 26

Question 27

Default NACL

Answer 27

Rule 100 that allows all

Catch all that Denies if that first rule didn’t exist.

Question 28

At what level are NACLs defined?

Answer 28

At the VPC level, but are associated with different subnets. A subnet can have one NACL assoicated at a time. A NACL can be assigned to many subnest in the VPC.

Question 29

Can you use AWS logical resources in NACLs?

Answer 29

No, only IPs, IP ranges, and ports.

Question 30

What can you not do with SGs

Answer 30

You cannot explicitly deny traffic with SGs

Question 31

What can you do with SGs that you can’t do with NACls?

Answer 31

You can apply them to enis

You can use IP/cidr ranges…and AWS logical resources…and reference other SGs…and reference yourself!

Question 32

What is automatically allowed with SGs?

Answer 32

response traffic

Question 33

Name a benefit of security groups

Answer 33

Self reference, basically allows all communication between everything with this SG.

Question 34

Parent region

Answer 34

The region that a local zone is tied to and relies upon for management and operational support

Question 35

us-west-2-las-1

Answer 35

Parent region: us-west-2

Local zone: las-1

Question 36

Can you have more than one local zone in an area?

Answer 36

Yes

Question 37

Do local zones have built in resilience like and AZ?

Answer 37

No

Question 38

In local zones, some services utilize services in the parent region

Answer 38

EBS snapshots a good example here. Snapshots sent to S3 in the parent region to achieve redundancy and HA

Question 39

Numbers 0-65535 allocated by IANA

Answer 39

ASNs Autonomous System Numbers

Question 40

64512-65535

Answer 40

Private ASNs

Question 41

BGP operates over this

Answer 41

TCP 179

Question 42

BGP exchanges network topology with its peers and is focused on determining the best path to a destination (least hops, not fastest), which is also know as this

Answer 42

ASPATH

Question 43

How many routes does a BGP route advertise to the other BGP routers it is peered with?

Answer 43

One, the shortest path

Question 44

What if a BGP path is slow and an admin want’s to force a different path?

Answer 44

AS Path Prepending can be used…make the ASPATH artificially longer

Question 45

What type of address allows a single IP to be “assumable” by many devices in different locations, with the result of the traffic going to the device closest to the request?

Answer 45

Anycast IP

Question 46

What type of addressing does Global Accelerator use to route traffic to the nearest edge location, and then over the AWS transit network?

Answer 46

Anycast IP

Question 47

Key difference between AWS Global Accelerator and CloudFront

Answer 47

AWS Global Accelerator is any network traffic (TCP/UDP), CloudFront HTTP/HTTPS and caching etc. Global accelerator trying to get you to the closest service endpoint on the fastest route possible.

Question 48

Which phase of an IPSEC VPN tunnel is associated with key exchange and considered slow and heavy?

Answer 48

IKE Phase 1

Question 49

Which phase of an IPSEC VPN tunnel is associated with encryption algorithm negotiation, bulk key agreement, and runs over IKE Phase 1?

Answer 49

IKE Phase 2

Question 50

Which IKE phase is considered permanent, and one that is fired up for “interesting traffic”?

Answer 50

IKE Phase 1 permanent

IKE Phase 2 interesting

Question 51

What type of VPN is an AWS Site-to-Site VPN?

Answer 51

IPSEC

Question 52

What are the three components of a site to site VPN?

Answer 52

Virtual Private Gateway (VGW)

Customer Gateway (CGW)

VPN Connection between the two

Question 53

Three key components of the Virtual Private Gateway (VGW)

Answer 53

Logical gateway that you can attach to the VPC

It can be the target of routes

Lives in the AWS Public Zone

Question 54

Customer Gateway (CGW)

Answer 54

Must contain all of the data about the physical router on the customer site, but is a logical representation of that device in AWS.

Question 55

Is a Virtual Private Gateway (VGW) highly available?

Answer 55

Yes, it has at least two public IPV4 endpoints in different AZs in the AWS public zone.

Question 56

When you configure a VPN to communicate between the VGW and a CGW, how many tunnels are established?

Answer 56

Two, one from each public endpoint of the VGW.

Question 57

What is a static VPN?

Answer 57

Routes to the on-premises traffic are configured to route through the VGW on the AWS side, and routes to AWS are configured to route through the CGW on the on prem side.

Question 58

To acheive HA with a site to side VPN, do you need two VGWs?

Answer 58

No, but you do need two CGWs, preferably one in a different building on the customer site. From the VGW, it can understand the second CGW and create new VPNs using new public enpoints.

Question 59

What key technology is in use for Dynamic VPNs?

Answer 59

BGP

Question 60

Can you use static routing over Dynamic VPNs?

Answer 60

Yes, you can, but you can also enable route propagation on your VGW and the BGP routers will advertise their routing information to each other.

Question 61

AWS enforced limit on site to site VPNs

Answer 61

1.25 Gbps

Question 62

If latency is an issue for your application, should you choose VPN?

Answer 62

Not if you have faster, better performing, more reliable options

Question 63

AWS VPN Cost

Answer 63

Hourly, GB out

Question 64

If speed of setup is your key factor, what private connection technology should you choose

Answer 64

Site to Site VPN

Question 65

What are the 3 valid attachment types for Transit Gateways?

Answer 65

VPC

Site-to-Site VPN

Direct Connect Gateway

Question 66

Transit Gateway has these two properties out of the box

Answer 66

HA

Scalable

Question 67

Does VPC peering support transitive routing?

Answer 67

No, if you peer A and B and B and C, you still need to peer A and C…and set up routes.

Question 68

Can you terminate a site-to-site VPN on a Transit Gateway, or do you have to terminate it on a Virtual Private Gateway in a VPC?

Answer 68

Can terminate at TG

Question 69

Is transit gateway routing transitive?

Answer 69

Yes, one you peer a VPC to a TG, it can transitively route traffic

Question 70

Does TG have any limitations for regions and accounts?

Answer 70

No, you can peer/share across regions and accounts.

Question 71

What tech would one use to share a TG across accounts?

Answer 71

RAM - Resource Access Manager

Question 72

By default, how many route tables does a Transit Gateway have
?

Answer 72

1

Question 73

Three properties of the TG default route

Answer 73

All attachments use this route table

All attachments dynamically add to it

All attachments can route to all attachments

Question 74

Do peered transit gateways propgate route information?

Answer 74

No. You need to use static routes to

Question 75

Just like VPC peering traffic, traffic is this in transit between TG to TG peers

Answer 75

Encrypted

Question 76

How many route tables can a TG attachment be associated with?

Answer 76

1

Question 77

How many attachments can TG route tables be associated with?

Answer 77

Many

Question 78

Steps to isolate routing with TG

Answer 78

Define route tables on the TG

Propogate routes to route tables that you want to enable communication, exclude propgating CIDR ranges that you don’t want to route to

Attach route table to appropriate TG attachments

Question 79

What direction of traffic does a route table apply to?

Answer 79

Stuff coming out of an attachment, VPC, etc