VPN Flashcards

1
Q

With regard to VPN on AWS, what protocol is supported?

A

IPsec, a secure network protocol suite that authenticates and encrypts packets of data to provide secure, encrypted communication between two computers over an Internet Protocol network.

2
Q

When you assign a Virtual Private Gateway as part of a VPN, can you change the ASN after it has been assigned?

A

No, it is not possible.

3
Q

What happens if you do not assign an ASN to a Virtual Private Gateway?

A

AWS will assign a default ASN.

4
Q

What are the key virtual components in an AWS VPN?

A
  • Virtual Private Gateway (VPG)
  • Customer Gateway (CG)
  • Connection
5
Q

How do I know if my hardware or software VPN device on the customer side is compatible with AWS VPN?

A

AWS has a list of validated devices.

6
Q

With AWS VPN, how many IPSec tunnels connect to the customer gateway?

A

Two for redundancy.

7
Q

If there is a device failure on one of the tunnels, will you lose connectivity?

A

No, traffic will start to flow on the second tunnel.

8
Q

With AWS VPN, will the connection come up automatically?

A

No, the connection only comes up when data is generated on the client side.
The AWS Virtual Private Gateway is not the initiator.

9
Q

What protocol is used for payload encryption on an AWS VPN IPsec tunnel?

A

AES-128 (Advanced Encryption Standard) or AES-256, one of the strongest block ciphers available to encrypt your data.

10
Q

What authentication hashing algorithms are available on AWS VPN?

A

SHA-1 and SHA-2. SHA-1 is vulnerable to attack, so it should not be used.

11
Q

What is Perfect Forward Secrecy?

A

It is a key-exchange property in which temporary (ephemeral) session keys are negotiated between clients and servers, so that the compromise of one key does not expose past sessions.

12
Q

What are the VPN components used?

A
  • VPN Gateway
  • Customer Gateway

13
Q

What is a Customer Gateway?

A

The Customer GW represents your on-prem physical VPN device; it holds the information that AWS VPN needs about the customer side.

14
Q

I need to connect from on-prem to my VPC using IPv6. What options do I have?

A

You can't use IPv6 with AWS Site-to-Site VPN; only IPv4 is supported. You will need to use a commercial VPN from the Marketplace.

15
Q

I need to connect to a Customer Gateway VPN, and the customer insists that we use dynamic VPNs. What options do I have?

A

AWS VPN supports dynamic routing.

16
Q

What is a virtual private gateway?

A

It is a VPN gateway that is used as part of the AWS Site-to-Site VPN.
It is a logical, fully redundant, distributed edge routing function that sits at the edge of your VPC. As it is capable of terminating VPN connections from your on-prem or customer environments, the VPG is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection.

17
Q

To create an AWS VPN, what are the building blocks?

A
  • Create a customer gateway and give it the public-facing IP address of the customer VPN device.
  • Create a virtual private gateway and attach it to the VPC.
  • Create a connection
18
Q

I have an AWS VPN configured with a single tunnel to a single customer VPN server, I want to make it HA, what options do I have?

A

I can create a second tunnel on the same Customer Gateway.

19
Q

I have an AWS VPN with two tunnels, how is this configuration providing HA for an AZ failure?

A

Each tunnel is served from a separate AZ, so a single AZ can fail, or a single virtual appliance supplying one VPN tunnel can fail, without losing connectivity.

20
Q

I have an AWS VPN with two tunnels, I want to ensure that it is even more HA, what can I do?

A

You can set up a second AWS VPN.

21
Q

I need 1.7 Gbps of connectivity to my on-prem. What is the lowest cost option available?

A

Set up two VPNs, as each VPN is capable of 1.25 Gbps.

22
Q

What IKE versions are supported by AWS VPN?

A

IKE version 1 and IKE version 2.

23
Q

When you create a VPG and a connection to the customer GW, how many tunnels are created?

A

AWS creates two tunnels to a single customer gateway (the real VPN device on the customer's side).

24
Q

When you create a VPN to the customer gateway, where is the single point of failure?

A

It is the Customer GW: there is only one Customer GW (physical device). The VPN GW provides two VPN tunnels, each terminating in a separate AZ, and you get two public IPs on the AWS service network.

25
Q

In AWS VPN architecture, how is a VPN at the AWS side resilient and highly available?

A

When you create a VPN connection, AWS creates two public-facing endpoints in two different AZs.

26
Q

What is an ASN?

A

An autonomous system number (ASN) is a unique number assigned to an autonomous system (AS) by the Internet Assigned Numbers Authority (IANA).

An AS consists of blocks of IP addresses which have a distinctly defined policy for accessing external networks and are administered by a single organization but may be made up of several operators.

27
Q

What is AWS VPN ?

A

AWS VPN consists of two services:

  • AWS Site-to-Site VPN
  • AWS Client VPN.

AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC).
AWS Client VPN enables you to securely connect users to AWS or on-premises networks.

28
Q

What is a Client VPN endpoint?

A

The Client VPN endpoint is a regional construct that you configure to use the service. The VPN sessions of the end users terminate at the Client VPN endpoint. As part of configuring the Client VPN endpoint, you specify the authentication details, server certificate information, client IP address allocation, logging, and VPN options.

29
Q

What is a target network?

A

A target network is a network that you associate with the Client VPN endpoint; it enables secure access to your AWS resources as well as to on-premises networks. Currently, the target network is a subnet in your Amazon VPC.

30
Q

How many customer gateways, virtual private gateways, and AWS Site-to-Site VPN connections can I create?

A

You can have:

  • 1 internet gateway per VPC
  • 5 virtual private gateways per AWS account per AWS Region
  • 50 customer gateways per AWS account per AWS Region
  • 10 IPsec VPN Connections per virtual private gateway
31
Q

How does an AWS Site-to-Site VPN connection work with Amazon VPC?

A

An AWS Site-to-Site VPN connection connects your VPC to your datacenter. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a Site-to-Site VPN connection.