VPC / Networking Flashcards
When connecting to S3 from an on-premises service via Direct Connect, what type of interface is required?
Public Virtual Interface -
Public VIFs allow access from Direct Connect to public AWS services such as S3.
Private VIFs allow connection to services within your VPC.
When connecting to S3 from a service within a VPC, if you want to avoid public internet traffic, what service should you use?
AWS PrivateLink -
AWS PrivateLink allows connections from within a VPC to public AWS services over AWS internal networking to avoid any public network traffic.
How do you create an IPv6 CIDR block for your VPC?
You must request an IPv6 CIDR block from Amazon, and it is not customizable.
Conversely, you can create an IPv4 CIDR block by defining the IP addresses in the range.
When configuring a VPN over Direct Connect to connect an on-premises data center to your VPC, what type of interface should you use?
Public Virtual Interface -
A public VIF is necessary for all VPN connections, even over Direct Connect.
Traditionally, Direct Connect uses Private VIFs, but when a VPN is configured over Direct Connect, Public is necessary.
What is AWS PrivateLink?
AWS PrivateLink allows services within your VPC to connect to public AWS services (S3, Lambda, etc.), provider VPCs, or third-party VPCs without using an Internet Gateway, using only AWS internal networking.
What is VPC Peering?
What are two limitations?
VPC Peering allows two VPCs to route traffic between resources using the Private IP addresses of the resources.
Limitation 1: the CIDR blocks of the VPCs must not overlap.
Limitation 2: VPC peering is not transitive.
What is AWS Direct Connect?
AWS Direct Connect is a direct connection between your on-premises data center and AWS, using a physical connection from your data center to an AWS edge location.
When should I use an egress-only Internet Gateway?
Egress-only internet gateways are necessary for connecting services from a private subnet to the internet using IPv6 traffic.
A traditional NAT Gateway / Internet Gateway setup will not work for IPv6.
What AWS service allows multiple on-premises data centers, each with its own customer gateway, to connect to a single VPC?
AWS VPN CloudHub
What are the two main reasons to keep connected services within a single VPC?
Latency and Security
What is a Private Hosted Zone?
A private hosted zone in Route 53 is a service that lets you register private domain names and routing so that services in multiple VPCs can communicate without exposure to the public internet.
What is an inbound endpoint resolver? What is the use case?
Inbound resolvers are provided by Route 53; an inbound resolver is a service that exists within a VPC / AZ and forwards inbound DNS traffic to a Route 53 hosted zone.
Often, these are used when a request from an on-premises data center attempts to access domain names in a Private Hosted Zone.
What is AWS Global Accelerator?
A networking service that provides fixed static IP addresses that act as an entry point for application endpoints in multiple regions.
What is the best way to have a Direct Connect (DX) connection connect to multiple regions?
Direct Connect Gateway -
Note: a Transit Gateway exists within a single region, so it doesn't work here.