Virtual Private Networks Flashcards

1
Q

Site-to-Site VPN

A

Two networks can securely communicate over an untrusted intermediary network (such as the internet)
Needs an endpoint at each site
Used to reach resources within the VPC

2
Q

Virtual Private Gateway (VGW)

A

Managed endpoint in your VPC
VPN and Direct Connect
VPC can only have one VGW attached to it
Can be detached and attached to another VPC
Define ASN for BGP (ASN cannot be changed)
Can terminate a VPN connection on it (IPsec only, in ESP mode)

3
Q

VGW Redundancy and Availability

A

When created -> 2 highly available endpoints, each in a different Availability Zone
Each endpoint has an IP
Endpoints can be set up as Active/Active (noted as a single VPN connection)

4
Q

VPN Tunnels

A

Each tunnel contains an Internet Key Exchange (IKE) Security Association (SA) and a BGP peering
1 unique SA pair per tunnel (1 inbound, 1 outbound)
2 unique SA pairs in total for the 2 tunnels (4 SAs)

5
Q

Policy-based VPN

A

Policy-based VPNs that are configured with more than one security association will drop existing VPN tunnel connections when initiating a VPN tunnel connection that uses a different SA.

Can overcome this problem by:

1) Limit the number of encryption domains that are allowed to access the VPC
2) Configure the policy to allow a network behind the VPN termination.

6
Q

VGW routing

A

Supports both static and BGP dynamic routes
VGW will use BGP route advertisement
Can have up to 100 BGP propagated routes per VPC subnet route table
Within the VPC, enable VGW route propagation
BGP configuration cannot be modified. It is fully managed by AWS
2 tunnels per VPN connection; can use multiple VPN connections for HA
Tunnels should be active/passive

7
Q

NAT and Traversal (NAT-T) support

A

Traditionally, the IPsec protocol does not work very well when traversing a NAT device. Due to the encrypted nature of the ESP header, NAT translations fail.

NAT-T solves this problem by encapsulating the packet in a User Datagram Protocol (UDP) header using port 4500

VPN endpoints must use NAT-T
