advanced networking Flashcards

1
Q

network layer

A

switches route based on MAC address

2
Q

Datalink layer

A

MAC address

3
Q

Network layer

A

IP address: where we are going to send it to, where it is being sent.

4
Q

Transport layer

A

How it is being sent (TCP, UDP).
Overhead of TCP.

5
Q

Web browser

A

TCP

6
Q

DDoS attacks

A

Protection at multiple layers

7
Q

Load balancers protect at

A

layer 3-4 DDoS attacks

8
Q

Class A, B, C

A

8, 16, 24

9
Q

Unicast only in AWS

A

no broadcast or multicast

10
Q

Why create multiple subnets within an AWS VPC

A

security isolation

12
Q

Network address vs host address

A

10.0 is the network address. The last address we cannot use, as it is for broadcast, although there is no broadcast in AWS.

13
Q

Range of addresses in AWS

A

/16 to /28

14
Q

Can a VPC have the same network as a subnet

A

Yes

16
Q

IPv6 addresses are automatically assigned by AWS

A

It is all public. You don't want to communicate via public?
::/0 is equivalent to all.
Link-local prefix fe80::/64 is not routable (169.254 on IPv4).

17
Q

Secondary CIDR blocks

A

You can add additional CIDR blocks.
You can add 4 additional.
Total 5 CIDRs.

18
Q

To extend the CIDR you have

A

It has to be contiguous

19
Q

DHCP options

A

EC2 gets its gateway and IP via DHCP (Dynamic Host Configuration Protocol).

Set up a DHCP option set to get control over the IP and other configuration.

20
Q

Security group when created

A

Does not allow anything in; everything is allowed out

21
Q

Security groups are linked to a resource

A

It is an instance-level firewall, but that is not the complete description. Security groups are attached to the network adapter (ENI). You can have multiple security groups on one ENI.

22
Q

When do you use security group

A

Always

23
Q

NACL: when

A

You use it when you need deny rules. You have to open up a wide range of ports outbound.

24
Q

Ephemeral ports

A

1024 and above, up to 65000.

25
Every subnet has a route table
The initial route table comes from the VPC. | Main route table: everything
26
Internet gateway
0-1 per VPC.
27
How do you create a public subnet
Create an internet gateway, modify the route table to point to the internet gateway
28
NAT gateway
Allows resources in a private subnet to communicate with the internet. The NAT GW should be in a public subnet. One-way door.
30
VPC peering
Done by creating the route. Choose the VPC, the owner of the VPC should accept it, then modify the route table. VPCs can be in any region for peering, but inter-region traffic can generate cross-region traffic cost. Requester's DNS vs accepter's DNS: how does DNS work in peering?
31
VPC endpoints
Providing local (non-internet) access to services. Problem with the internet: performance and security.
32
2 types of endpoints
Gateway endpoints and interface endpoints
33
Gateway endpoint
Amazon S3 and Amazon DynamoDB.
34
Interface (powered by AWS PrivateLink)
Unlike a GW EP, an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported AWS service.
35
GW EP
Pick S3 or DynamoDB, link it to the VPC and also target specific subnets. A GW endpoint relies on the route table: just changing the route controls the flow of traffic. How do you secure the GW connection? Resource policy: the GW also has policies attached. The policy on a GW EP comes with no restrictions. Policies govern what specific activity you want to allow, like API get vs put, and can restrict the resources you can connect to. If you are routing
36
Interface-based EP
Kinesis, drops and Network table that . Use the name for the interface. Since it is an interface, you can secure it by attaching a security group. No route table updates are necessary for an interface-based EP. Private DNS gets automatically created.
37
PrivateLink
It is fronted with a Network Load Balancer
39
An instance can be multihomed and attached to two different VPC subnets as long as
the VPCs are in the same AZ
40
EBS volumes
same AZ
41
EC2 networking (optimized for EBS)
Has dedicated throughput: a portion of bandwidth is dedicated. Lots of instances are dedicated.
42
Network performance
25 Gig to 10 Gig (note: lately it has gone up to 100G)
43
Enhanced networking (we want better network performance)
When you enable EN on an instance, SR-IOV allows bypassing the hypervisor and gets direct access to the host network adapter. Elastic Network Adapter (ENA) gives higher network speeds. Device pass-through; Intel Data Plane Development Kit (DPDK).
44
EC2 networking: Placement group
AZ is a cluster of data centers (3 DCs)
45
3 types of PG
Cluster PG (get physically close to each other for high-speed networking); Partition PG
46
Amazon EC2 networking
Jumbo frames. MTU (maximum transmission unit) is 1500 per data portion; jumbo frames (9001 MTU) increase the data payload in your packets. It makes it more efficient: fewer packets.
47
Site-2-Site VPN
Datacenter to AWS
48
You can attach only one VGW to a VPC
The route table decides when to route to the IGW vs the VGW
49
VGW
On the customer side of the house you have a routing device called the customer GW. You have 2 tunnels on the VGW; there is auto. A redundant connection does not give 2 times the bandwidth, because traffic
50
Dynamic vs static
Static is not
51
Test is usually related to dynamic routing
BGP: dynamic routing.
52
Border GW protocol
It is primarily used on the internet. They send traffic information to the route table. When a route gets added, each router sends that to another. Distance vector protocol: tries to use the shortest path.
54
BGP makes the decision on how to route the traffic
as soon as there are multiple paths from A to B. In BGP you define an ASN (autonomous system number). Best path selection: LOCAL_PREF: you modify the route table in BGP. AS_PATH: if LOCAL_PREF is awaiting. MED: multi-exit discriminator.
55
Asymmetric routing
Trust is the problem: the request goes in one path and the response comes from another. The router will not trust it by default. LOCAL_PREF is not good for asymmetric routing.
56
Prepend AS_PATH or use MED
Prepending AS_PATH can create a fake extension of the path
57
AWS VPN CloudHub
Needs BGP. Each GW needs an ASN.
58
VGW does not initiate IPsec negotiation
The customer starts the connection.
59
VGW supports only IPsec
You can use EC2 and install the VPN software. | Different protocol and low-level control
60
AWS on-demand dead peer detection (DPD) mechanism
Function of a router to listen for. Enable it on the customer gateway.
61
Bidirectional Forwarding Detection (BFD), Dead Peer Detection (DPD)
Both needed for automated failover
62
Client2site VPN
It is not asked in the test | Client VPN may now be known as AWS VPN
63
AWS Direct Connect
Bandwidth, security, private connection, dedicated fibre channel, not encrypted by default. Limit is 10 Gig. If you go below 1 Gig you can do only one subinterface. Gives physical connectivity. Setup itself may take a lot of time to run the physical cable.
64
With Direct Connect you are not using static routes
You can only use BGP
65
Set up multiple Direct Connects for redundancy
Yes. You can route to a particular Direct Connect using BGP
66
Private VIF
You can connect to a VPC in the same region
67
Direct Connect GW is an add-on component
Allows connections from a VPC to another region
68
Public VIF
AWS advertises the prefix list of all the services that you can get access to
69
BGP communities
Tags that you can put on BGP on your side of the. They can put restrictions on how far these routes are propagated
71
Direct Connect is not encrypted by default
Create DX, then use an AWS-managed VPN over the public VIF. It does not get routed through the public router though. VPN to VGW over public VIF.
72
VPN to EC2 instance over private VIF (VPC IP)
Full control over the connection and a different protocol.
73
VPN to EC2 instances over public VIF (Elastic IP address)
If you are going public, make sure the IP address is reserved
74
Direct Connect you could use with a single GW
Currently DX allows multiple accounts, but for test purposes it is tied back to a single account.
75
Transitive routing: Direct Connect
Direct Connect gets access to interface endpoints
76
Edge2Edge via proxy
Proxy route table
77
VPCE
VPC endpoint
78
Transit VPC
Transit VPC architecture allows you to connect to any remote network while transiting all traffic through a pair of EC2 instances. Spoke VPCs connect via VPN to the transit VPC. There is no boundary on where a spoke VPC is located; use a VGW in the spoke.
79
Detached VGW
If you have a 1 Gig or lower connection, to keep your cost down. There is different pricing.
80
To recover from failure
Use BFD, DPD, BGP timers
81
enableDnsHostnames=true | enableDnsSupport=true
Enables private zones; enables friendly names | How can you query a private zone in a VPC from the corporate network?
82
Hybrid DNS
Provide DNS integration between on-premises and AWS | The ability to
83
Classic vs Network
Layer 4
84
Where does AWS WAF run by default?
It runs on all the edge locations, like CloudFront and Route 53. WAF is also available on the ALB.
85
What is targeted for each target group?
Health check. LBs are per target group.
86
CloudFront is a CDN
Caching at edge locations
87
Regional edge caches
Cache of the cache.
88
CloudTrail is on by default
One per region. Take the logs away from the owners: get them to another bucket.
89
VPC flow logs
clear show
90
AWS Config service
1) Record config changes; 2) time-series view of resource changes; 3) archive and compare
91
AWS Config rules (Lambda functions)
Assess changes against your security policy (example: none of the S3 buckets are public); enforce best practice. Can be hooked onto SNS (there is some automatic remediation built in in the latest version).
92
ALB configuration
Listener, listener rules
93
You can connect VPCs over the internet or VPC peering
VPC peering should be accepted, and the route table updated on both sides
94
VPC peering with another region is possible, and across multiple AWS accounts
Must not have overlapping IP addresses
95
VPC peering: things to know
Can reference security groups from
96
Connecting to an on-premises network
Site2Site VPN - VGW | Virtual private gateway; give an ASN to it. Either you can give one ASN (custom) or AWS can generate one
97
When you provision a VGW it creates two different endpoints on AWS for resiliency.
1x VPN connection = 2x VPN tunnels
98
AWS Direct Connect
Physical connection, 1G to 10G
99
Three types of VIFs
Private, Transit and Public
100
Private VIF
Used to connect to Amazon
101
Route propagation
Enable propagation on the route table or you will have to specify it manually
102
AWS Transit VIF
VPC peering cannot be handled at scale. AWS Transit Gateway addresses this problem.
103
Route 53 Resolver
VPC+2 resolver; enableDnsHostnames, enableDnsSupport; DNS hostnames (fully qualified domain names), if you have a public
104
Route 53 Resolver endpoints
Inbound ENI (requires a forwarding rule in the corporate DNS server); Route 53 outbound endpoint, and define a rule to forward to corporate DNS servers
105
DNS
If you have to share between accounts you need Resource Access Manager
106
AWS-managed VPCs
RDS runs on one and publishes an ENI in your subnet
107
Lambda service VPC
VPC2VPC NAT (V2N): instead of Lambda inserting numerous interfaces into your subnet, it can pool into a specific endpoint on the Lambda VPC