NS6 AWS FORTINET Flashcards
(22 cards)
ENI
Virtual network interface, elastic network interface
Public subnet
Internet gateway connected
Doesn’t mean there is public addressing within the subnet
Private subnet
Internal subnet without an Internet GW
They follow the addressing space defined on the VPC
Reserved IP addresses
First IP address X.X.X.1: intrinsic router
Second IP address X.X.X.2: AWS DNS
Third IP address X.X.X.3: reserved for future use
Intrinsic router
Service in hypervisor
All subnets are connected to an intrinsic router that resides at the VPC level
The default Gw or intrinsic router is always the first IP address of the subnet.
Internet Gateway
Allows communication between instances in your VPC and the internet. It is redundant.
Two purposes of INTERNET GW
Provides a target in your VPC route tables for internet-routable traffic
Performs NAT for instances that have been assigned public IPv4 addresses
What do you need to enable communication over the internet to your instance?
A public IPv4 address or an Elastic IP that’s associated with a private IPv4 address on your instance
Routing table
By default, subnets are associated with the main routing table.
You can create more routing tables and explicitly associate them with subnets
EC2 instances always use the intrinsic router as the default GW, but they are then redirected to each gateway defined in the routing table.
AWS NAT Gateway
Allows instances in a private subnet to connect to the internet or other services without using a NAT instance.
Main routing table sends internet traffic from the private subnet instance to the NAT GW.
NAT GW sends traffic to the IGW using the Elastic IP address as the source IP address.
EIP
It is a static address, public IPv4.
You can associate it with any instance or network interface.
Route 53
AWS DNS service, for both public and private DNS.
You can buy or transfer domains in it.
Implicit DDoS protection.
VPC peering
It is a networking connection between two VPCs, enables you to route traffic between them using private addresses.
The VPCs can be in different regions.
It is a one to one relationship between two VPCs.
Transit VPC
It is a reference architecture that you can achieve using multiple products.
Good solution to reduce the complexity of VPC peering, but it means a huge amount of administrative work in the central VPC.
VPC peering complexity
In order to achieve full-mesh connectivity between VPCs you will need to connect each one to every other one.
AWS TRANSIT GW
Solves most of the problems introduced by VPC peering; the transit gateway is similar to the transit VPC hub-and-spoke technology.
You can create multiple transit GW route tables inside the transit GW for better traffic control.
It supports multicast
Transit gateway connect
Provides a way to connect customer SD-WAN infrastructure with AWS.
Transit GW connect extends SD-WAN into AWS without the need to set up IPsec VPNs between SD-WAN network devices and the transit GW.
Supports BGP
SG SECURITY GROUP
An SG acts as a virtual firewall. SGs are associated with network interfaces. SGs allow all outbound traffic by default.
Network Access Control Lists (NACL)
It is an optional layer of security for your VPC that acts as a FW for controlling traffic in and out of one or more subnets. Each custom NACL denies all inbound and outbound traffic until you add rules.
VPC flow logs
It is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is published to a log group in CloudWatch Logs.
Amazon GuardDuty
It is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS account and workloads.
Monitors for activity such as unusual API calls.
It uses machine learning, anomaly detection, and integrated threat intelligence.
AWS WAF
A web application firewall that monitors the HTTP and HTTPS requests forwarded to Amazon CloudFront or an Application Load Balancer.