Networks Flashcards

Question 1

Q

AWS PrivateLink

Answer

A

AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services, and your on-premises networks without exposing your traffic to the public internet. Interface VPC endpoints, powered by PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace.

Question 2

Q

VPC Peering Connection

Answer

A

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account. The VPCs can be in different Regions (also known as an inter-Region VPC peering connection).

Question 3

Q

AWS DirectConnect

Answer

A

Dedicated connection to the AWS network

Question 4

Q

Gateway Endpoints

Answer

A

Provides private access to the supported services.
Can access public services (S3 and DynamoDB) from private VPC.
Operates at VPC level, not subnet!
Target specific routes
Is highly available
Is not billed for S3 access
Use Amazon S3 public IP addresses
Does not allow access from on premises
Does not allow access from another AWS Region

Question 5

Q

Interface Endpoints

Answer

A

Provides private access to the supported services.
Operates at subnet level
Target specific DNS names
Have associated costs to access S3 bucket
Use private IP addresses from your VP to access Amazon S3
Allow access from on premises
Allow access from a VPC in another AWS Region using VPC peering or AWS Transit Gateway

Question 6

Q

FSx

Answer

A

Windows file services. Resilient and highly available
Can be deployed in single or multi AZ mode.
Full range of backups
Accesible via VPC, Peering, VPN, Direct Connect

Question 7

Q

Transit Gateway

Answer

A

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub.
-Transit gateways are local devices and only can be associated with the VPCs in the same region (can be peered with the TG in other regions).
TG can connect directly to the user VPN gateway
Is transitive capable device

Question 8

Q

Security Group

Answer

A

Applied to the instance/service interface
Is stateful
Only contains ALLOW rule
Can filter traffic between instances in the same subnet

Question 9

Q

Network ACL

Answer

A

Applied at the subnet level
Not stateful
Can contain ALLOW and DENY rules
Filter traffic entering on leaving subnet

Question 10

Q

ENI

Answer

A

Elastic Network Interface
- Primary ENI is attached to the instance and cannot be detached
- ENI only have private IPs
- Private IP address is assigned automatically and stays same during the lifetime of instance
- Public IP is not visible to the OS
- Public IP is not static, it can change after instance restart
- IPv6 is visible to the OS because it is publically routable

Question 11

Q

Elastic IP

Answer

A

Static public IP allocated per 1 private IP

Question 12

Q

SR-IOV

Answer

A

Single Route IO virtualisation. Allows many VMs share single NIC without impacting performance
- NICs are virtualisation-aware and can create multiple “virtual functions” NICs (cut down version) inside physical NIC
- 1 Physical NIC can support up to 256 virtual functions
- VM can communicate with the VF directly avoiding Hypervisor.

Question 13

Q

5-Tuple

Answer

A

5 Tuple- SRC IP, DST IP, SRC Port, DST Port, Protocol.
- Considered as “single flow”
- 5Gbps max for single 5 Tuple flow. Applies to the traffic between regions.
- Same region- physical limits of NIC e.g. 10 or 100Gbps

Question 14

Q

MPTCP

Answer

A

Multi Path TCP. Protocol to use many streams of TCP which is presented to the application as single stream.

Question 15

Q

EFA

Answer

A

Elastic Fabric Adapter
- Type of NIC on EC2
- Allows OS bypass, is used on HPC or ML (machine learning) applications
- HPC/ML application which use MPI or NCCL (???) are candidates for EFA
- Single subnet only, cannot be routed, security group should have “allow all” self reference inbound and outbound

Question 16

Q

Placement Groups

Answer

A

How physically close instances are placed.
- Cluster (keep instances together). Should be placed in the same AZ. Same rack and/or same host. Can achieve 10Gbps per stream instead of 5Gbps per stream.
- Spread (keep instances separated). Each instance runs in separate rack. 7 instances per AZ.
- Partition (spread groups of instances apart). More than 7 instances per AZ. max 7 partitions.

Question 17

Q

R53 Public Hosted Zone

Answer

A

Public zone is accessible from the internet, VPC can use public resolver via R53 endpoint on VPC +2 IP addressess

Question 18

Q

R53 Private hosted Zone

Answer

A

Associated with particular VPC, is not accessible from public Internet

Question 19

Q

CNAME record

Answer

A

Maps name to the another name. Cannot be used on “naked/apex domain” (e.g. kestasli.click). To solve this, ALIAS record should be used.

Question 20

Q

ALIAS record

Answer

A

Maps name to AWS resource. Can be used for naked or normal records. Default to pick ALIAS if AWS resources are used

Question 21

Q

Classic Load Balancer (CLB)

Answer

A

V1, Not really L7 device, can only use 1 SSL certificate per LB

Question 22

Q

Application Load Balancer (ALB)

Answer

A

V2, L7 aware device, HTTP/S/WebSockets. Requires 8+ free IP addresses per subnet. /27 is minimal subnet size (/28 is absolute minimum).
ELB is a DNS A Record pointing at 1+ Nodes per AZ
EC2 doesn’t need to be public to work with a LB

Question 23

Q

Network Load Balancer (NLB)

Answer

A

V2, Can balance TCP, TLS, UDP. Requires 8+ free IP addresses per subnet. /27 is minimal subnet size (/28 is absolute minimum).
ELB is a DNS A Record pointing at 1+ Nodes per AZ
EC2 doesn’t need to be public to work with a LB

Question 24

Q

CrossZone Load Balancer

Answer

A

Feature which allows LB to distribute load across all Availability Zones. Otherwise load can be distributed unequally if e.g. one AZ runs more EC2 instances. For Application Load Balancer this is enabled by default.

Question 25

Q

X-Forwarded-For

Answer

A

Helps identify client ID behind Load Balancer. Is L7 thing, works only with HTTP/S. NLB don’t use the header because it operates at L3-4

Question 26

Q

PROXY protocol

Answer

A

Helps identify client ID behind Load Balancer. Works at L4, TCP header is added. Can be used if unbroken (by ALB) HTTPS connection is needed.

Question 27

Q

Gateway Load Balancer (GWLB)

Answer

A

Help run and scale 3rd party security appliances. Uses GENEVE tunneling protocol to fix problem with IP addresses. GWLB will load balance across multiple security appliances.

Question 28

Q

Ingress Route Table

Answer

A

Defines what happens when packet arrives at the VPC. Usually configured on the Internet gateway

Question 29

Q

Internet Gateway

Answer

A

1 IGV per 1 VPC
Used to access internet as well as public AWS services
HA and scalable
Works IPv4 and IPv6 inbound and outbound
For IPv4 1:1 NAT is done. For IPv6 no NAT is performed.
Flows from VPC to the public AWS services never leave AWS network

Question 30

Q

DX Gateway

Answer

A

Direct Connect Gateway
Global device (accessible in all regions vs. VGW, which is accessible only from the same region)
Is used to overcome limitation of Private VIF only to be able to communicate in the same region.
DX gateway not route traffic from VPC to VPC, only between on-prem and VPCs
DX gateway works cross-account
DX can connect to the private VIF & VGW or transit VIF & transit GW, not both (cannot mix).
One Transit GW can be attached up to 50 DX gateways

Question 31

Q

Virtual Private Gateway

Answer

A

Gateway object connecting VPC and non-AWS networks (e.g. other clouds).
Is used for site2site VPNs
Attached to max 1 VPC
It can be as target in the VPC route table.

Question 32

Q

VPN CloudHub

Answer

A

Allows few connections to terminate in one point and exchange routing info.

Question 33

Q

Customer Gateway

Answer

A

Logical object representing customer device in AWS config for VPN connection
Physical customer device to establish VPN
Speed cap of 1.25Gbps is applied for the VPN.

Question 34

Q

Static VPN

Answer

A

Uses static routes

Question 35

Q

Dynamic VPN

Answer

A

Uses BGP to establish routes
Route propagation should be enabled on VPC

Question 36

Q

Global Accelerator

Answer

A

Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover.
Provides you with a set of two static IP addresses that are anycast from the AWS edge network.
Assigns a default Domain Name System (DNS) name to your accelerator.
Supports both TCP and UDP protocols (CloudFront only HTTP/S).
Integrate with AWS Shield for DDoS protection.
Improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.

Question 37

Q

Route association

Answer

A

Which route table will be used when exiting TG association

Question 38

Q

Route propagation

Answer

A

To which route table routes learned from the attachment will be propagated

Question 39

Q

DX Private VIF

Answer

A

Used to access private IP ranges in VPC (cannot access public services/IPs)
Limited to the same region (there is workaround to use Transit GW)
Can be terminated on VGW (Virtual Private Gateway) or Direct Connect Gateway
Can use Jumbo Frames
Max 100 prefixes can be advertised on private VIF

Question 40

Q

DX Public VIF

Answer

A

Used to access AWS public zone services. No access to the private VPC IP ranges. Not limited to the same region.
Your prefixes no leave AWS (are not transitive)
Supports bi-directional communities

Question 41

Q

Lambda@Edge

Answer

A

Feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency

Question 42

Q

Virtual Private Gateway route prioritisation

Answer

A

Virtual private gateway prioritizes routes as follows, from MOST preferred to LEAST preferred:

-BGP propagated routes from an AWS Direct Connect connection
-Manually added static routes for a Site-to-Site VPN connection
-BGP propagated routes from a Site-to-Site VPN connection
-For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred. Alternatively, you can prepend AS_PATH, so that the path is less preferred.
-When the AS PATHs are the same length and if the first AS in the AS_SEQUENCE is the same across multiple paths, multi-exit discriminators (MEDs) are compared. The path with the lowest MED value is preferred.

Question 43

Q

Amazon Inspector

Answer

A

Scans EC2 OS and containers for vulnerabilities and deviations from best security practices.
Network assessment
OS/host assessment (requires agent)
Assessment is running at the regular interval (15m, 30min etc)

Question 44

Q

ip-ranges.json

Answer

A

AWS published structure of all public service IP range usage for all AWS regions. SNS topic is upgraded when update is made in the file.

Question 45

Q

CloudTrail

Answer

A

Can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.
Logs API calls, is NOT real time. Action taken by user, role or a service.
Stores 90 days of history.
By default only logs management events.
Is regional service.
Can be configured as one region or all regions (adds other regions automatically). Global services leave records in us-east-1 region.

Question 46

Q

AWS Shield

Answer

A

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.
Can be Professional (paid) or Std version.

Question 47

Q

AWS Macie

Answer

A

Data security service that discovers sensitive data (in S3) using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.

Question 48

Q

NAT64

Answer

A

Network address translation from IPv6 to IPv4. NAT gateway supports NAT64.

Question 49

Q

OpenSearch

Answer

A

Open source, distributed search and analytics suite derived from Elasticsearch.

Question 50

Q

GuardDuty

Answer

A

Threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior.

Question 51

Q

Container Network Interface

Answer

A

VPC CNI plugin for Kubernetes add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. The add-on creates elastic network interfaces and attaches them to your Amazon EC2 nodes. The add-on also assigns a private IPv4 or IPv6 address from your VPC to each Pod and service.

Question 52

Q

Bidirectional Forwarding Detection (BFD)

Answer

A

Enabling BFD for your Direct Connect connection allows the Border Gateway Protocol (BGP) neighbor relationship to be quickly torn down. Otherwise, by default, BGP waits for three keep-alives to fail at a hold-down time of 90 seconds.
Asynchronous BFD is automatically enabled for Direct Connect virtual interfaces on the AWS side. However, you must configure your router to enable asynchronous BFD for your connection.

Question 53

Q

Enhanced Networking

Answer

A

Amazon EC2 feature that provides higher bandwidth, higher packet-per-second (PPS) performance, and consistently lower inter-instance latencies.

Question 54

Q

WebACL

Answer

A

Web Application Firewall configuration unit

Question 55

Q

AWS Config

Answer

A

Record changes in the resources config
Auditing changes
Doesn’t prevent changes
Is regional service, can be configured in cross-region or cross-account setup
Config Rules can be created, criteria matching

Question 56

Q

SSM (Systems Manager)

Answer

A

Operations hub for your AWS applications and resources, and is broken into four core feature groups:
- Operations Management
- Application Management
- Change Management
- Node Management

Question 57

Q

CloudHSM

Answer

A

Hardware Security Module
True “single tenant” HSM, not shared with the other accounts.
Don’t have native integration with other AWS services (e.g. S3 SSE).
Can be used to offload SSL/TLS processing from the Web servers.
Can transparently encrypt data on Oracle DB.
Protect Private keys for CA (Certificate Authority).
AWS have no access to the module itself. If customer loses access to the module- game over.
FIPS 140-2 Level 3, PKCS#11, Java Cryptography Extensions (JCE), Microsoft CryptoNG.
KMS (key management Service) is shared service, AWS have some degree of access to the keys.

Question 58

Q

CVE

Answer

A

Common Vulnerabilities and Exposures
Rule set for Cloud Inspector to check against

Question 59

Q

CIS

Answer

A

Center of Internet Security benchmarks
Rule set for Cloud Inspector to check against

Question 60

Q

AWS Control Tower

Answer

A

Allow quick and easy setup for for multi account environments
Orchestrates the capabilities of other services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center, to build a landing zone in less than an hour.
Landing Zone is multiaccount environment
Guard Rails enforces/detects rules across accounts
Accounts Factory
Dashboard

Question 61

Q

Flow logs

Answer

A

Capture information about the IP traffic going to and from network interfaces in your VPC that is published to CloudWatch Logs.
Does not affect network throughput or latency.
Do not capture real-time log streams for your network interfaces.

Question 62

Q

ECMP

Answer

A

Equal Cost Multi-Path (ECMP). AWS Transit Gateway enables you to scale the IPsec VPN throughput with ECMP routing support over multiple VPN tunnels.
- If you establish multiple VPN tunnels to an ECMP-enabled transit gateway, it can scale beyond the default maximum limit of 1.25 Gbps.

Question 63

Q

BGP Local Preference

Answer

A

Choose outbound paths
Local preference wins over AS path when choosing the route!
Is advertised to local AS only, not advertised to external BGP AS

Question 64

Q

BGP MED

Answer

A

Multi Exit Discriminator
Lower value is preferred route
Is advertised to external AS
You can influence which path is choosen
Path preference wins over MED
Increase MED you deprioritise path.

Answer 65

A

Runs under 169.254.169.123

Answer 66

A

Highly available
Supports UDP packet fragmentation
Don’t support TCP and ICMP packet fragmentation
Security Group cannot be associated

Answer 67

A

Security Group can be associated
Supports reassembly of TCP, UDP and ICMP packets

Answer 68

A

You can use the following BGP communities for your prefixes:
- 7224:9100—Local AWS Region
- 7224:9200—All AWS Regions for a continent (North America–wide, Asia Pacific, Europe, the Middle East, and Africa)
- 7224:9300—Global (all public AWS Regions)

AWS Direct Connect applies the following BGP communities to its advertised routes:
-7224:8100—Routes that originate from the same AWS Region in which the AWS Direct Connect point of presence is associated.
-7224:8200—Routes that originate from the same continent with which the AWS Direct Connect point of presence is associated.
-No tag—Global (all public AWS Regions).

Answer 69

A

Cloud Map allows you to register any application resources, such as databases, queues, microservices, and other cloud resources, with custom names. Cloud Map then constantly checks the health of resources to make sure the location is up-to-date. The application can then query the registry for the location of the resources needed based on the application version and deployment environment.

Answer 70

A

Communication framework
Works over HTTP/S
Can handle multiple communications over one TCP stream
Uses “protocol buffers”

Answer 71

A

Can have several records pointing at the same name and associated with the health check. If target is marked unhealthy, record is not returned.
Improves availability, is not replacement for the load balancer.

Answer 72

A

Can be used as simple load balancer.
Can be used to test new software versions

Answer 73

A

Trying to optimise performance and user experience
Specify region for each record where the resource is located
Database (not real time!) of latencies between user IP and region is evaluated, record with the lowest latency is returned.

Answer 74

A

Similar to latency, but location is used as selection criteria
Matching record is returned in order of state, country, continent, default
Can be used to restrict content based on location.
It is not about proximity, it is about relevant record!

Answer 75

A

Routing is based on the proximity to the location
Bias can be added/removed to bias towards specific location

Answer 76

A

Rules can be configured to route specific domain to the on premises DNS

Answer 77

A

Get attribute, only returns default attribute

Answer 78

A

Get attribute, can select which attribute is returned

Answer 79

A

Substitutes value in the text from function e.g. ${VPC.CidrBlock}

Answer 80

A

!Cidr [ ipBlock, count, cidrBits ]

“ipBlock” The user-specified CIDR address block to be split into smaller CIDR blocks.
“count” The number of CIDRs to generate. Valid range is between 1 and 256.
“cidrBits” The number of subnet bits for the CIDR. For example, specifying a value “8” for this parameter will create a CIDR with a mask of “/24”.

Answer 81

A

Finds value in the pre-created map:

!FindInMap [ MapName, TopLevelKey, SecondLevelKey ]

Answer 82

A

Visible as CLI or console UI output
Accessible from the parent stack when using nesting
Can be exported for cross-stack reference

Answer 83

A

Evaluated first, before template is applied

Answer 84

A

By default resources are created in parallel
Tries to determine dependency order
To explicitly define dependencies DependsOn is used

Answer 85

A

Resources in single stack share lifecycle
500 resources per stack limit
Stacks are isolated
Root stack have resource type “Type: AWS:: CloudFormation:: Stack”
Reusing code, not the stack!

Answer 86

A

Outputs can be exported to be visible for other stacks
Exports must have unique name in that region
!ImportValue can be used to import values from different stacks, !Ref can be used to import value from the same stack.

Answer 87

A

AWS Cloud WAN is a managed wide-area networking service that simplifies a global network’s setup, management, and operation using the AWS cloud infrastructure.
A key feature of AWS Cloud WAN is using segments, which are logical network partitions within the WAN. Each segment can represent different departments, business units, or workloads, providing isolated environments for security and compliance purposes. With segment actions, administrators can define policies to control traffic flow between segments, ensuring only authorized communication occurs between network parts.

Answer 88

A

Internet Key Exchange
Diffie–Hellman is used (DH)
Asymmetric encryption used to exchange keys
Slow.

Answer 89

A

Uses keys agreed in Phase 1
Fast and agile

Answer 90

A

Rules to match the traffic. Matched traffic is sent to SA (security association)
Can be used to precisely define policy.
Many Phase 2 tunnels inside Phase 1 tunnel

Answer 91

A

Route traffic based on prefix.
One Phase 2 tunnel inside Phase 1 tunnel

Answer 92

A

Feature of VGW (Virtual Private Gateway)
Can be used to move traffic between VPN peers as well (e.g. between remote offices)
Each remote site should have unique BGP ASN.

Answer 93

A

Only 1 Transit VIF per DX location
Each transit VIF supports up to 3 TGW
In the DX location DX gateway can be used with transit VIF or private VIF, not both!

Answer 94

A

Encrypt stored data on your DB instances running Microsoft SQL Server. TDE automatically encrypts data before it is written to storage and automatically decrypts data when the data is read from storage.

Answer 95

A

VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads. You can use IPAM automated workflows to more efficiently manage IP addresses.

Answer 96

A

Condition is used to specify from which Endpoint traffic is coming

Answer 97

A

Condition is used to specify the VPC ID.

Answer 98

A

Document you get after configuring Direct Connect

Answer 99

A

CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery)
Content delivery platform
“Distribution” is configuration unit.
Self signed certificates will not work.

Answer 100

A

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC
Flow log data can be published to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose.

Answer 101

A

Elastic Beanstalk is a service for deploying and scaling web applications and services. Upload your code and Elastic Beanstalk automatically handles the deployment—from capacity provisioning, load balancing, and auto scaling to application health monitoring.

Answer 102

A

AWS Resource Access Manager (AWS RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) and with IAM roles and users for supported resource types.

Answer 103

A

Managed service for HTTP, REST and WebSockets
Can be public or private

Answer 104

A

Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS.
You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements.
Network Access Analyzer uses automated reasoning algorithms to analyze the network paths that a packet can take between resources in an AWS network. It then produces findings for paths that match a customer defined Network Access Scope. Network Access Analyzer performs a static analysis of a network configuration, meaning that no packets are transmitted in the network as part of this analysis.

Answer 105

A

Driver for AKS (Kubernetes cluster) to load balance to pods?

Answer 106

A

DNS Firewall provides filtering for outbound DNS queries that pass through the Route 53 Resolver from applications within your VPCs. You can also configure DNS Firewall to send custom responses for queries to blocked domain names.

AWS Network Firewall provides filtering for both network and application layer traffic, but does not have visibility into queries made to the Route 53 Resolver.

Answer 107

A

AWS App Mesh is a service mesh that makes it easy to monitor and control services. A service mesh is an infrastructure layer dedicated to handling service-to-service communication, usually through an array of lightweight network proxies deployed alongside the application code.

Answer 108

A

AWS X-Ray provides a complete view of requests as they travel through your application and filters visual data across payloads, functions, traces, services, APIs, and more with no-code and low-code motions.

Answer 109

A

Collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information.
Ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications.
Process and analyze data as it arrives and respond instantly instead of having to wait until all your data is collected before the processing can begin.

Answer 110

A

You set up a stream with a source, destination, and required transformations. Amazon Data Firehose continuously processes the stream, automatically scales based on the amount of data available, and delivers it within seconds.

Answer 111

A

VPN NAT packets, 4500 UDP port needs to be open

Answer 112

A

The values for the srcaddr and pkt-srcaddr fields are different. The srcaddr field displays the private IP address of the NAT gateway network interface, and the pkt-srcaddr field displays the IP address of the host on the internet.

Answer 113

A

Fully managed application streaming service that provides users with instant access to their desktop applications from anywhere. AppStream 2.0 manages the AWS resources required to host and run your applications, scales automatically, and provides access to your users on demand.

Answer 114

A

To load balance traffic across multiple AWS Direct Connect connections, apply the same community tag across the prefixes for the connections. To support failover across multiple AWS Direct Connect connections, apply a community tag with a higher preference to the prefixes for the primary or active virtual interface. For example, set the BGP community tags for your primary or active virtual interfaces to 7224:7300 (high preference).

-7224:7100 — Low preference
-7224:7200 — Medium preference
-7224:7300 — High preference

Answer 115

A

DPD is primarily used in a VPN connection only. It enables VPN devices to rapidly identify when a network condition prevents the delivery of packets across the public Internet.

Answer 116

A

Uses DX connection to establish VPN. Should use public interface to access Virtual Private Gateway.

Answer 117

A

Can include one or more containers
Represents application as a whole
Define what role can be assumed by the task
Is not by itself highly scalable and available

Answer 118

A

Defines how ECS tasks should scale, how many copies should run
LB can be deployed in front of ECS Service

Answer 119

A

Container (Images and ports)
Task (Task role, containers, resources)
Service (How many copies, HA, restarts)

Answer 120

A

DNSSEC private/public pair to sign Resource Record Sets

Answer 121

A

Stores public key for signature verification in DNSSEC

Answer 122

A

Used to sign zone signing keys

Answer 123

A

Delegated Signer record
Stores child domain public key hash

Answer 124

A

New attachment type that supports Generic Routing Encapsulation (GRE) for higher bandwidth performance compared to a VPN connection. Used for SD-WAN integration

Answer 125

A

Container Network Interface

Brainscape's Knowledge GenomeTM

Networks Flashcards

Brainscape's Knowledge Genome^TM