TD Exam 2 - Long review Flashcards
Why should classic load balancers be avoided
Each unique HTTPS name requires an individual CLB, so it does not scale
Which layer is ALB
Layer 7
Which protocols are supported by ALB
HTTP and HTTPS
What are some Layer 7 protocols not understood by ALB
SMTP, SSH, custom gaming protocols…
What are some listeners not supported by ALB
TCP, UDP, TLS
What load balancer should you use if you need to make decisions based on L7 content (cookies, custom header, user location, etc)
ALB
What is a security trade-off of ALB
SSL always terminates on ALB - No unbroken SSL chain
A new connection is made to the application
What is needed if ALB uses HTTPS
The ALB must have SSL cert(s)
Which is faster, ALB or NLB
NLB
What is an advantage of ALB with regards to Healthchecks
ALB evaluates app health at layer 7 (can make an app-layer request)
What can be used to direct connections in ALB
Rules
What can ALB rule conditions be based on
Host header
Http header
Http request method
Path pattern
Query string
Source IP
What are some actions ALB can do with rules
Forward
Redirect
Fixed response
Authenticate-oidc
Authenticate-cognito
What should you do if you need to forward connections to the instance without terminating it on load balancer
Use NLB
Which layer do NLBs work on
Layer 4
What protocols are supported by NLB
TCP, TLS, UDP, TCP_UDP
How much faster are NLBs compared to ALBs
Much faster (1/4 of latency)
What is a limitation of Healthchecks for NLB
Only checks ICMP / TCP handshakes
Which Load Balancer can have a static IP
NLB; ALB can with workarounds I think
What is a security advantage of NLB
They forward TCP to instances, the HTTPS encryption is unbroken
(With TCP listener)
Which Load Balancers can be used with Private Link
NLB
Can Lambda@Edge run inside a VPC
No
Which languages are supported by Lambda@Edge
Node and Python
Where would you place your Lambda@Edge to perform A/B testing
Viewer request
In CloudFront, how can you have a different version of an image depending on the customer without redirects or url changes
With a Lambda@Edge function on the viewer request
Change the url with the Lambda
How can you do a gradual S3 origin migration in CLoudFront
With Lambda@Edge on the origin request
How can you deliver different objects based on device in CLoudFront
Lambda@Edge Origin Request
How can you vary the content displayed by country in CloudFront
Lambda@Edge Origin Request
What are the units of distribution in CloudFront
Distributions
What are the price classes in CloudFront
Which edge locations to use
In CloudFront, where do you associate WAF
At a distribution level
In CloudFront, where do you specify an alternate domain name
In the distribution
In CloudFront, where do you specify TLS and certifications
At the distribution level
What are the protocols supported by DataSync
SMB and NFS
Where does DataSync run
As a VM onprem
What are some features of DataSync
Schedule, throttle, recover from failure
What are some destinations of DataSync
S3, EFS, FSx
When should you use DataSync
When you need reliable transfer of large amounts of data
What is redshift
A PB-scale data warehouse
What type of db is Redshift
OLAP (Column-based)
What is OLTP
Online Transaction Processing, row/transactions
What is OLAP
Online Analytical Processing (Column based)
What does Redshift allow with S3
Direct query to S3 using REdshift Spectrum
What does Redshift allow with other DBs
Direct query with federated query
What interface is supported by Readshift
SQL-like (JDBC/ODBC)
Is Redshift serverless
No
What should you use for ad-hoc queries of S3 objects
Athena
How are rules processed for NACLs
In order, lowest rule number first. Once match occurs, processing stops. * is an implicit deny if nothing else matches
What type of firewall are NACLs
Seubnet-level stateless firewall
Why do should NACLs be used in conjunction with SGs
To add explicit denys
How many NACLs can a subnet have
One
How many subnets can a NACL be associated with
Many
Are Security Groups stateless or stateful
Stateful
What is a major limitation of Security Groups
You cannot do specific deny (like block bad actor IPs)
What do SGs support
IP/CIDR and logical AWS ressources, including other SGs and itself
What are SGs attached to
To an Elastic Network Interface
What actually happens when you attach an SG to an instance
It is attached to it’s primary ENI
How can you use SGs to allow 2 instances to communicate
Reference each other’s SGs in it’s own SG rules
What do SG references apply to
Anything which has the SG attached
What are benefits of SG references
It scales well (new instances)
No need to handle changing IPs
What is an advantage of self-referencing SGs
Means intra-app communication is allowed if you have multiple instances running an app
What are the 3 important values associated to ASG
Minimum, Desired and Maximum
What is used to update ASGs based on metrics
Scaling policies
Where do auto-scaling groups run
On a VPC across one or more subnets
What are the 2 potential sources for instance config for ASG
Launch templates or launch configurations
What do Scaling Policies adjust
The desired capacity
What do ASGs define
Where instances are launched
What are the 3 types of scaling policies
Manual
Scheduled
Dynamic scalings
What are the 3 subtypes of dynamic scaling
Simple
Stepped scaling
Target tracking
What is a Cooldown Period in ASGs
Period to wait after a scaling event before another one can happen
What is an advantage of an ASG using an ALB Healthcheck rather than EC2 status check
Can monitor state of HTTP/HTTPS requests
Why is RDS Proxy needed
Prevent constant open/closing of DB connections (like with Lambda)
Helps with handling db failure
Where does RDS Proxy run
In a VPC (Across all AZs)
Is RDS Proxy managed
Yes
What is behind RDS Proxy
Long-term connection pool
What does RDS Proxy do in practice
Makes connections much faster than connecting directly to db
Connections to RDS from proxy can be reused
Multiplexing
What happens with RDS Proxy if db is unresponsive
It waits, the connection between client and RDS proxy is established anyways
Can RDS Proxy be used with Aurora
Yes
Where is an RDS Proxy accessible from
Only from a VPC
When using RDS Proxy, do you need to change your app
No, the app sees it as a normal db endpoint
Can RDS enforce SSL/TLS
Yes
What are some characteristics of API Gateway
HA, Scalable, handles authorization, throttling, caching, transformations, openapi spec, direct integration
Can API Gateway connect to onprem service
Yes
What APIs are supported by API Gateway
HTTP, REST and WebSocket
What are the endpoint types for API Gateway
Edge Optimized
Regional
Private (only accessed within a VPC)
Does API Gateway support stages
Yes
Where do you enable canary for API Gateway
It is on a specific stage
What does API Gateway give when the throtting limit is reached
429
What does a 502 from API Gateway mean
Bad Gateway exception - the lambda is returning something invalid
What is the timeout for API Gateway
29s
What do you get when you go beyond the timeout for API Gateway
504
What does 503 mean from API Gateway
Backing endpoint is offline; Major service issue
What is AWS Config used for
Record configuration changes over time on resources
Auditing of changes, compliance with standards
Does AWS Config prevent changes happening
No
What type of service is AWS Config
Regional service
What can AWS Config be integrated with
SNS
EventBridge & Lambda
Where does AWS Config store it’s data
S3
What does AWS Inspector do
It scans EC2 instances and its OS (also containers) for vulnerabilities and deviations against best practices
What does AWS Inspector output
A report of findings ordered by priority
Does Inspector need an agent
Not for Network assessment, but for network and host assessment yes
Can Inspector check CVEs
Yes
What do you use to check for CVEs and CIS of EC2
Inspector
What does GuardDuty do
It is a continues security monitoring service
Analyses supported data sources
Uses AI
Identifies unexpected and unauthorised activity
What does synchronous data replication
RDS Multi-AZ Instance mode
How do you access the primary db instance in RDS multi-AZ
With the database CNAME (DNS record)
What can happen from the standby in RDS Multi-AZ
Backups & snapshots (to S3)
Do reads occur in the secondary instance in instance-mode multi-AZ RDS
no
How long does the failover take in RDS multi-AZ
60-120 seconds
What happens during failover for RDS multi-az instance mode
DNS CNAME changes to point to secondary
How can you reduce failover time for RDS multi-AZ instance mode
Remove DNS caching in app for the dns name
How many standby replicas can you have in multi-az instance mode rds
Only one
What are differences between multi-az RDS cluster mode and Aurora
You can have more than 2 readers in Aurora
Instances have separate local storage in cluster mode
What is RDS multi-AZ cluster mode
One write, many readers, still synchronous replication
How many instances can you have in RDS multi-AZ cluster mode
2 readers and one writer
What are differences between RDS multi-AZ instance and cluster mode
You can use reader instances in cluster mode, and you can have 2
Do you need to change app code to take advantage of RDS multi az cluster mode
Yes, to handle the fact that there are read-only instances
In RDS multi-AZ cluster mode, when is data seen as committed
When 1+ read finishes writing
In RDS multi-AZ Cluster mode, where does the cluster endpoint point
To the writer
In RDS multi-AZ Cluster mode, what is the cluster endpoint point used for
Read, Writes and admin
What does a reader endpoint do in RDS multi-az cluster mode
Directs reads to an available reader (can include writer)
What are instance endpoints in RDS ulti-AZ cluster mode
They point at specific instances, used for testing and fault finding
What is the failover in RDS cluster mode multi-AZ
35s
What is Amazon Database Migration Service
A managed database migration service
What does DMS use
A Replication instance running on ec2
What are the 3 modes you can run DMS jobs
Full load (transfer everything)
CDC (Change data capture)
Or both
What is a use case for CDC mode of DMS job
If you’re using another service to transfer the bulk of the data
How can you do schema conversion with DMS
Using Schema Conversion Tool
When is Schema Conversion Tool Used
When converting from one db type to another
What should you do about DMS when having a large amount of Data
You can use Snowball
Use SCT locally to write to snowball
Load data from snowball into s3, then from s3 to target db
Then do CDC
What does AWS Control Tower do
Enables Quick and easy setup of multi-account env
What is the difference between Control Tower and AWS Organizations
Control Tower uses other AWS services, including orgnizations
What is a Control Tower Landing Zone
It is the multi-account environment
What are some features of Landing Zone
SSO/ID Federation, Centralised Logging and Auditing
What is Landing Zone Guard Rails
It is used to detect/mandate rules/standards across all accounts
What is Landing Zone Account Factory
It Automates and Standardises new account creation
Where do you create a Control Tower Landing zone
From an account that becomes the management account
What provides the SSO for aws
IAM Identity center
What are some AWS services used by Control Tower
AWS Organizations, AWS Config, CloudFormation
What are the 3 types of Control Tower Guard rails
Mandatory, Strongly recommended or elective
What are Control Tower preventive Guard rails
They stop you from doing things, they use AWS ORG Service Control Policy
What are Control Tower detective guard rails
They do compliance checks using AWS Config
What are the 2 types of identities in AWS
IAM User and IAM Role
What is the number limit of IAM Users
5000
What are the 2 types of policies associated with a role
Trust policy and Permissions policy
What is a roleTrust Policy
Who can assume the role
What generates temporary credentials
Security Token Service
Where do you specify the role of an ECS task
in the task definition, in the taskRoleArn section
What is Kinesis Firehose
Fully managed service to load data for data lakes, data stores and analytics service
Fully serverless
Is FireHose Real-Time
Near-Real-Time (60s)
What are the valid destinations for Kinesis Firehose
HTTP endpoints
splunk
Redshift
ElasticSearch
Destination bucket
Are Kinesis streams real-time
Yes, 200 ms
How many master accounts can an organization have
One
Can organizations pool service usage to get discounts
Yes
What are Service Control Policies
They are account permissions boundaries
What can SCPs be attached to
It can be attached to accounts, OUs or the whole organization
Can all accounts be affected by SCPs
No, the management account ignores SCPs
Can SCPs affect root users
Yes, the SCP restricts the whole account
Do SCPs grant permissions
No
What do SCPs do
They limit permissions that can be assigned
How many VPCs are involved in VPC peering
2
Can you do VPC peering with 3 VPCs
No
What is VPC peering
A direct encrypted network link between 2 vpcs
Can you do VPC peering cross-region
Yes
Can you do VPC peering cross-account
Yes
Can you use Security Groups over vpc peers
Yes, but only in the same region
Does VPC peering support transitive peering
No
What configs are necessary to ensure peering works
Routing (route tables in both vpcs), Sgs and NACL could filter also
What is a limitation of VPC peering
Cannot be done if the VPCs have CIDR range overlap
Is site-to-site HA
Yes, if designed and implemented correctly
Do you need a static IP for onprem when setting up VPN
yes
What is geolocation routing
You tag records with country, continent, subdivision or default
Then check location of user (normally the resolver)
What is the order of checking in geolocation routing
Starts with state, if match returns record
Then Country
Then continent
Then default (optionally)
It returns the most specific record or NO ANSWER
What can geolocation routing be used for
Regional restrictions, language-specific content or load balancing across regional endpoints
Does geolocation routing return the closest record
No, just the most relevant
What does geoproximity routing do
It gives the CLOSEST record
What can resources be tagged with in R53 geoproximity routing
AWS region, or lat and long
What does a bias do in geoproximity routing
Affects the effective area of a resource
What kind of storage does EBS provide
Block storage
Can EBS be encrypted
Yes, using KMS
Can EBS be across AZs
No
What kind of resiliency does EBS have
Some built-in resiliency if a physical device fails, but it can<t withstand an AZ failure
Can you attach EBS to multiple instances
Yes, but app needs to manage concurrency
By default, think of it as being attached to one instance at a time
Can you backup EBS
Yes, with a snapshot in S3
How can you migrate EBS between AZs
Create a snapshot, then create a volume in a different az from the snapshot
How can you configure private access to AWS Public services from a private VPC
Use VPC Gateway endpoints or VPC interface endpoints
What services are supported by VPC Gateway endpoints
DynamoDB and S3
What services are supported by VPC Interface Endpoint
Everything but DynamoDB
What is a Gateway endpoint associated with
It is per service per region
How does a Gateway endpoint work
A prefix list is added to the route table
Which type of VPC endpoint is HA by default (Gateway or interface)
Gateway
How do you change what a Gateway endpoint can access
Endpoint policy
Can Gateway endpoint access inter-region services
No
How can you make sure a bucket can only be used from within a specific VPC
Set up a bucket policy
If you don’t use a VPC endpoint, what do you need to access AWS public services from within a VPC
NAT GW or public subnet
Where is a Gateway endpoint located
From within a VPC, but it has a private tunnel to the service
Are gateway endpoints accessible from outside it’s VPC
No
Are interface endpoints HA
Not by default
How do you control access to interface endpoints
Via Security Groups
What protocols are supported by interface endpoints
TCP only
What IP version can you use with interface endpoints
IPv4 only
What is used by interface endpoints
PrivateLink
What does a PrivateLink do
It allows you to inject AWS or 3rd party services in a VPC
How do you specify what can be done with an interface endpoint
Endpoint policies
How do interface endpoints work
They have a DNS name
What are the different ways to un interface endpoints with regards to DNS
Use AZ DNS name
Use region DNS name
Use provateDNS to force it’s usage when the public DNS name of the service is called
Which kind of VPC endpoint use routing to give private access to AWS public services
Gateway endpoint
What is Glue
Serverless ETL and data catalog
Moves and transforms data between source and destination
What is datapipeline
It can do ETL using EMR (uses server)
What does Glue generate
AWS Glue Data Catalog
What is a data catalog
Persistent metadata about data sources in a region
One catalog per region per account
How are catalogs discovered
Using crawlers
What do crawlers do
Connect to data stores, determine schema and create metadata in the catalog
