Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

AWS Advanced Networking > All cards > Flashcards

All cards Flashcards

(185 cards)

Start Studying
1
Q

How many bytes of the body part of a request does AWS WAF consider?

A

It depends on the entity being protected by WAF.
- CloudFront distributions: up to 64 KB (default: 16 KB)
- Others: 8 KB
Exam questions will likely ask for the 8 KB limit only.

Last review: 2023-07-28
Source: https://docs.aws.amazon.com/waf/latest/developerguide/waf-oversize-request-components.html

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

How can you run multiple types of Layer 3 (IP) networks over a single DX connection?

A

Using separate VLANs between Customer and AWS Router in the DX location and separate VIFs between the AWS Router and AWS Region.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What’s the maximum number of VIFs on a single (dedicated) DX connection?

A

50 public/private VIFs + 1 transit VIF

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What’s the maximum number of VIFs on a single hosted DX connection?

A

1 VIF

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What’s layer 2 adjacency?

A

It means that two routers can communicate directly with each other, i.e. exchange frames directly with each other.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What does BGP use for authentication?

A

MD5

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

How can you extend a VLAN/BGP session to a customer site when using a service (COMS) provider?

A

Using Q-in-Q

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What’s the networking standard for VLAN?

A

802.1Q

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which ASN range is reserved for private usage?

A

16 bit: 64.512 - 65.534
32 bit: 4.200.000.000 - 4.294.967.294

Last updated: 2023-08-24
Source: https://aws.amazon.com/vpn/faqs/

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What’s VLAN 0 reserved for?

A

It stands for “NO VLAN”

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What’s VLAN 1 often used for?

A

For the management VLAN

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What problem does QinQ (802.1AD) solve?

A

That COMS provider that provide one single physical connection for multiple clients may have clients that are using the same VLAN numbers. QinQ solves that by adding an additional header in the ethernet frame.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What’s an C-TAG and what is it used for?

A

It stands for customer tag and refers to the 802.1Q header.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What’s an S-TAG and what is it used for?

A

It stands for service tag and refers to the 802.1AD header that service providers use to isolate customer traffic from each other (Q-in-Q).

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What is happening when traffic in a Q-in-Q scenario arrives at the service provider (COMS provider) network?

A

The COMS provider adds the S-TAG to ensure traffic from different customers is isolated against each other.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is happening when traffic in a Q-in-Q scenario leaves the service provider (COMS provider) network?

A

The COMS provider strips away the S-TAG to ensure customers only see their own VLAN IDs (via the 802.1Q header), but not the VLAN IDs of other customers.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What two type of ports exist on a switch in the context of 802.1Q?

A

Access ports and trunk ports

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What’s a trunk port used for on a switch in the context of 802.1Q?

A

It’s a connection between two 802.1Q capable devices, able to transport and by that exchange the VLAN IDs when traffic is flowing between those devices.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

In the context of 802.1Q, does an access port on a switch use VLAN tagging when sending data to a client?

A

No. Access ports use “regular” ethernet frames.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is the main criteria to consider when choosing between dynamic vs static routing in a site-to-site VPN connection?

A

Whether the router supports BGP advertising - if so, choose dynamic routing, otherwise choose static routing.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What’s a single IPsec tunnel’s maximum throughput in Gbps?

A

1.25 Gbps

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

How can you scale a VPN tunnel beyond the maximum limit of 1.25 Gbps?

A

By using Transit Gateway with equal cost multi-path (ECMP) routing enabled over multiple VPN tunnels.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What’s the maximum throughput of Transit Gateway?

A

50 Gbps

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

Can you access an S3 bucket that is located in eu-central-1 via a public VIF that is connected to us-east-1?

A

Yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
How is information on BGP communities exchanged between systems?
Via labels/tags that are attached to advertised prefixes (so essentially, metadata)
26
Which well-known BGP community tag is used to instruct that no advertisement shall be done to any peers?
NO_ADVERTISE
27
Which format has a regular BGP community label/tag?
AS_NUMBER : OPERATOR_ASSIGNED_VALUE (32 bit value, split into 2x16 bit)
28
What does the BGP community tag "7224:9100" stand for?
Instructs AWS to advertise the prefix that this tag is attached to only in the local AWS region Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
29
Which well-known BGP community tag is used by AWS on public prefixes to instruct that advertisements are not shared with external peers?
NO_EXPORT
30
What does the BGP community tag "7224:9200" stand for?
Instructs AWS to advertise the prefix that this tag is attached to only on the current continent Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
31
What does the BGP community tag "7224:9300" stand for?
Instructs AWS to advertise the prefix that this tag is attached to globally Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
32
If no BGP community tag is attached to an advertised prefix, how far (local region, continent, globally) is the prefix advertised?
Globally
33
What does the BGP community tag "7224:7100" stand for?
Indicates a "low preference", i.e. low priority, for traffic Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
34
What does the BGP community tag "7224:8100" stand for?
Routes that originate from the same AWS Region in which the AWS Direct Connect point of presence is associated Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
35
What is AS Number 7224 used for?
It's the AS Number owned by Amazon.com, used to advertise prefixes and BGP communities for Direct Connect.
36
What is BFD and where is it enabled?
Bidirectional Forwarding Detection - protocol for detecting failed routing paths, allowing quick recovery. Enabled by default on the AWS side, but needs to be enabled on the on-prem router (if not already done) to benefit from quicker recovery times.
37
What does the BGP community tag 7224:7300 indicate?
"High preference" of the associated path for returning traffic. For example, would be preferred over a path that has 7224:7200 (medium preference) as a tag. Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
38
Can you attach multiple VGWs to a VPC at the same time?
No
39
What VPN connectivity type does AWS VPN CloudHub support? (site-to-site VPN, client VPN, etc.)?
Site-to-site VPN, i.e. connectivity between multiple VPCs and remote networks. But NOT client VPN.
40
How can you configure an EC2 instance to use jumbo frames?
Either by shell command (sudo ip link set dev eth0 mtu 1500) or by modifying the ethernet interface's configuration file (different per Linux distribution).
41
What is the private CIDR range for a class A network?
10.0.0.0 - 10.255.255.255
42
What is the IP address range for a class B network?
172.16.0.0 - 172.31.255.255
43
What is the private CIDR range for a class C network?
192.168.0.0 - 192.168.255.255
44
Does Auto-negotiation for a port have to be disabled in order to use DX?
It depends. For any ports with speeds higher than 1 Gbps: yes. For 1 Gbps ports it may be enabled, depending on the DX endpoint serving the connection. Last revision: 2023-07-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
45
Is 802.1Q VLAN encapsulation a hard requirement to use DX?
Yes. And that's needed for the entire connection, so including any intermediate devices. Last revision: 2023-07-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
46
Which protocol and authentication does the client device have to support to be able to use DX?
Border Gateway Protocol (BGP) and BGP MD5 authentication. Last revision: 2023-07-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
47
Which Internet Protocol versions does DX support?
IPv4 and IPv6 Last revision: 2023-07-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
48
What Ethernet frame sizes (i.e. at OSI layer 2 / link layer) does AWS Direct Connect support?
1522 or 9023 Last revision: 2023-07-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Welcome.html
49
Does VPC peering work across regions?
Yes Last updated: 2023-08-12 Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html
50
What pricing model does VPC peering use?
The peering is free. Charges only apply for data transfers between AZs or regions. Last updated: 2023-09-29 Source: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html#vpc-peering-pricing
51
If you want to connect VPCs with each other, at which number of VPCs is it a good idea to consider alternatives to VPC peering?
~10 Last updated: 2023-08-12 Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html
52
Is Transit Gateway a global or regional resource?
Regional. But you can create peerings between Transit Gateways. Last updated: 2023-08-12 Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/vpc-to-vpc-connectivity.html
53
What is the maximum number of Transit Gateways that you can connect over a single Direct Connect connection?
3 Last updated: 2023-08-12 Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html
54
What is a Transit VPC and how does it work?
Transit VPCs are a hub-and-spoke style network pattern where a central VPC (the transit VPC, or hub) connects other networks (VPCs, on-prem networks) through VPN (usually using BGP over IPSec). It requires usage of EC2 instances where the VPN and routing software (sometimes also additional software such as IDP) runs, so it may increase higher cost and operational burden than other solutions. On the other hand it opens up for a lot of flexibility. Last updated: 2023-08-12 Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html
55
What is the maximum bandwidth per VPN tunnel?
1.25 Gbps Last updated: 2023-08-24 Source: https://aws.amazon.com/vpn/faqs/
56
How many VPC tunnels are used per VPN connection?
2, each with 1.25 Gbps throughput Last updated: 2023-08-24 Source: https://aws.amazon.com/vpn/faqs/
57
What is a Virtual private gateway (VGW) and what is it used for?
A virtual private gateway (VGW) is part of a VPC that provides edge routing for AWS managed VPN connections and AWS Direct Connect connections. It's the endpoint on the AWS side that a VPN or Direct Connect connection goes to. Last updated: 2023-08-31 Sources: - https://aws.amazon.com/vpc/faqs/ - https://aws.amazon.com/vpn/faqs/ - https://aws.amazon.com/directconnect/faqs/
58
What ASNs can I use to configure my Customer Gateway (CGW)?
ASN in the range 1 – 2.147.483.647 with noted exceptions can be used. Last updated: 2023-08-24 Source: https://aws.amazon.com/vpn/faqs/
59
Once the virtual gateway is created, can I change or modify the Amazon side ASN?
No, you cannot modify the Amazon side ASN after creation. You can delete the virtual gateway and recreate a new virtual gateway with the desired ASN. Last updated: 2023-08-24 Source: https://aws.amazon.com/vpn/faqs/
60
How many VPCs are supported per (private) VIF when using Direct Connect Gateway?
10 Last updated: 2023-08-24 Source: https://aws.amazon.com/directconnect/faqs/
61
How many Transit Gateways can be associated with an AWS Direct Connect gateway?
Up to 3. So that's 3 TGWs per Transit VIF. And you can only have 1 Transit VIF per DX connection. Last updated: 2023-08-24 Source: https://aws.amazon.com/directconnect/faqs/
62
How many Transit VIFs are supported per Direct Connect connection?
Only 1 Last updated: 2023-08-24 Source: https://aws.amazon.com/directconnect/faqs/
63
Does AWS Transit Gateway Connect support static routes?
No, AWS Transit Gateway Connect does not support static routes. BGP is a minimum requirement. Last updated: 2023-08-24 Source: https://aws.amazon.com/transit-gateway/faqs/
64
Does AWS Transit Gateway support IPv6?
Yes, AWS Transit Gateway supports attaching Amazon VPCs with IPv6 CIDRs. Last updated: 2023-08-24 Source: https://aws.amazon.com/transit-gateway/faqs/
65
What is the maximum number of Transit Gateways per account? And can that be adjusted?
5 - and yes, it can Last updated: 2023-08-24 Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
66
What is the maximum number of attachments per Transit Gateways? And can that be adjusted?
5000 - and no, it cannot Last updated: 2023-08-24 Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
67
What is the maximum number of Transit Gateways attachments per VPC? And can that be adjusted?
5 - and no, it cannot Last updated: 2023-08-24 Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
68
What is a transit VIF attached to?
The only resource type it can attached to is a Direct Connect gateway. From the DX gatway, up to three Transit Gateways (TGWs) can be attached.
69
What is the Generic Routing Encapsulation (GRE) tunnel protocol and in which context is it used in an AWS networking environment?
Generic Routing Encapsulation (GRE) is a protocol that encapsulates packets in order to route other protocols over IP networks. It's used by Transit Gateway's "Connect" feature to ensure high performance. After creating a Connect attachment, one or more GRE tunnels (referred to as Transit Gateway Connect peers) are created to TGW with a third-party appliance. Last updated: 2023-09-06 Source: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html
70
What is Transit Gateway Connect?
It allows establishing connectivity between SD-WAN infrastructure (third-party appliances) and AWS. Last updated: 2023-09-06 Source: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html
71
What are reasons to choose a Transit VPC over Transit Gateway?
- Allows for deploying third-party vendor software for routing, layer 7 firewalls, IPS and IDS (which customers may also use on-prem, so management is easier for them) - Enables non-AWS-native connectivity such as peering regular AWS regions with GovCloud regions Last updated: 2023-09-06 Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-vpc-solution.html
72
Does Transit Gateway support transitive routing?
Yes Last updated: 2023-09-06 Source: https://docs.aws.amazon.com/prescriptive-guidance/latest/integrate-third-party-services/architecture-3.html
73
What are key elements of the architecture of a transit VPC?
- Hub and spoke model with one central VPC (transit VPC) and multiple hub VPCs - VPCs connected through VPN connections (typically BGP over IPSec) - Central VPC contains multiple EC2 instances running third-party routing software
74
What are the basic elements of an AWS PrivateLink architecture?
On the service provide side, a VPC endpoint service that points to a Network Load Balancer (NLB), which points to the application. On the consumer side, an interface endpoint that points to the VPC endpoint service.
75
What is the difference between a VPC endpoint and a VPC endpoint service?
VPC endpoints are used to access AWS services. VPC endpoint services are used to expose applications hosted in a VPC to other AWS accounts (client-server or provider-consumer model).
76
What is the primary use case of a private NAT Gateway?
Connecting VPCs with each other that have overlapping CIDR blocks Last updated: 2023-09-11 Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/private-nat-gateway.html
77
What four options are there to establish VPN connectivity with AWS?
1) VPN via Transit Gateway 2) VPN via vendor software hosted on EC2 3) VPN via Virtual Private Gateway 4) VPN via client VPN endpoint Last updated: 2023-09-11 Source: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/hybrid-connectivity.html
78
What is the difference between private and public VIFs regarding connectivity to AWS regions, when no Direct Connect Gateway is involved?
Public VIFs can access all AWS regions while private VIFs can only access VPCs in the same region as the DX location. Last updated: 2023-09-12 Source: https://learn.cantrill.io/courses/1231680/lectures/31664371
79
What is the maximum number of VPCs you can connect over a single Direct Connect connection when not having Transit Gateway involved in the architecture?
500 VPCs (1 DX supports 50 private VIFs with each can have a single DX Gateway; and 1 DX GW supports up to 10 VGWs => 50 * 10 = 500)
80
What is static routing?
Static routing is if network routes are preconfigured on the routing device, usually by a network administrator, and then rarely changed after. This is in contrast to dynamic routing, where routes are automatically learned and updated by the devices exchanging routing information between each other using the Border Gateway Protocol (BGP). Both types can be used in conjunction.
81
True or False? The Internet-routable IP address for your Customer Gateway must be static?
True - Yes, it must be static and may be behind a device performing network address translation (NAT).
82
What Autonomous System Number (ASN) is reserved in all AWS Regions if you want to establish a Site-to-Site VPN?
7224
83
What is the default Autonomous System Number (ASN) in an AWS VPN connection?
65000
84
True or False? If you don’t have a public ASN, you can use a private ASN in the range of 64,512–65,534.
True
85
What is the VPN concentrator on the Amazon side of the site-to-site VPN connection?
Virtual Private Gateway
86
What does the "Enable Acceleration" option in your AWS VPN configuration do?
It will launch a total of two AWS Global Accelerators for your VPN connection. Launches one for each VPN tunnel.
87
What is the Customer Gateway?
A resource in AWS that represents the physical/software device residing on your on premises network. It is your side of the Direct Connect or Site-To-Site VPN connection on premises. Last updated: 2023-10-25 Sources: - https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect.html - https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html
88
True or False? Does an AWS VPN connection support Path MTU Discovery.
False, it does not support.
89
True or False? Is IPv6 traffic supported for VPN connections with a Virtual Private Gateway?
False, it is not supported. You have to use a Transit Gateway to enable IPv6 connectivity within the tunnel. Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/ipv4-ipv6.html
90
What type of certificate is associated with the Customer Gateway in a certificate-based VPN using AWS Site-to-Site VPN?
A Private Certificate issued from the AWS Certificate Manager (ACM) Private Certificate Authority.
90
True or False? Does AWS recommend using ASPATH Prepending for Customer Gateway devices that support Asymmetric Routing? And why is that?
False, AWS does NOT recommend using AS PATH Prepending. This is to ensure that instead of the AS Path, the MED that AWS manages on the tunnel can be used for determining the route with highest priority. This generally leads to higher availability as the MED is updated by AWS when necessary, while with AS Path pretending the customer would have to manage this. Last updated: 2023-09-26 Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
91
What does MED stand for and what is it used for?
Stands for multi-exit discriminator (MED) and helps to decide which route takes priority. For routes that have the same AS PATH length and if the first AS in the AS_SEQUENCE is the same across multiple paths, the MED value is compared for both routes and the route with lower MED value takes priority. Last updated: 2023-09-26 Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
92
Does certificate-based authentication in AWS VPN use digital certificates instead of pre-shared keys for IKE authentication?
Yes, this is possible by using AWS Certificate Manager Private Certificate Authority Last updated: 2023-09-26 Source 1: https://repost.aws/knowledge-center/vpn-certificate-based-site-to-site Source 2: https://aws.amazon.com/about-aws/whats-new/2019/08/aws-site-to-site-vpn-now-supports-certificate-authentication/
93
What is Direct Connect gateway used for mainly?
It allows connecting to multiple VPCs via a single private VIF, even across different AWS regions or different AWS accounts. Last updated: 2023-09-26 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html
94
Which VIF types can you use with Direct Connect gateway?
Private and Transit VIFs only. Public VIFs are not supported as connecting to public AWS services in other AWS Regions are supported out-of-the-box with a regular Direct Connect connection, even if the connection always goes to a regional DX location. Last updated: 2023-10-05 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html
95
What AWS resource do you implement to reduce latency by routing traffic to the nearest application endpoint that is closest in proximity with the users?
AWS Global Accelerator Last updated: 2023-10-05 Source: https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-how-it-works.html
96
What do you use to aggregate multiple connections at a single Direct Connect endpoint for a single managed connection?
Link aggregation group (LAG) Last updated: 2023-10-05 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html
97
Can Transit Gateway Connect attachments establish a connection to third-party SD-WAN virtual appliances? if so, using what?
Yes, using Generic Routing Encapsulation (GRE) tunnels Last updated: 2023-09-26 Source: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-connect.html
98
Which condition do you use with AWS WAF to implement a web filtering solution to automatically block web requests from a list of blacklisted countries?
Geo match condition Last updated: 2023-09-26 Source: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html
99
What features of CloudFront can you use to prevent users in geographic locations from accessing a website's static content?
Geo-Restriction and Origin Shield features in your CloudFront distribution Last updated: 2023-09-26 Source: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
100
What are different types of transit gateway attachment types?
One or more of the following: - VPC - VPN connection - Direct Connect gateway - Transit Gateway Connect - Transit Gateway Peering Last updated: 2023-09-26 Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
101
What service provides a global view of your private network, allowing you to manage your AWS and on-premises resources and seamlessly integrate with your SD-WAN solutions?
AWS Transit Gateway Network Manager Last updated: 2023-10-19 Source: https://aws.amazon.com/about-aws/whats-new/2019/12/aws-announces-aws-transit-gateway-network-manager/
102
What is causing a ErrorPortAllocation error on a NAT Gateway and how can you resolve it?
This error occurs when the NAT Gateway reaches it's maximum of 55,000 simultaneous connections. This can be resolved by distributing multiple NAT Gateways across multiple AZs. It's also best practice to, on the client side, limit the maximum number of connections and close connections as soon as possible to avoid high numbers of simultaneous connections. Last updated: 2023-09-27 Source: https://repost.aws/knowledge-center/vpc-resolve-port-allocation-errors
103
If you want to allow DNS queries to be resolved even when the DNS Firewall in Route 53 is impaired, what do you have to configure? And what implication does that have?
Within the VPC settings of Route 53, you need to activate the "fail open" option. This means the system will favor availability over security. Last updated: 2023-09-27 Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-vpc-configuration.html
104
What is the default setting in Route 53 for the DNS Firewall "fail open" option?
By default it's deactivated (= "fail closed"), which means that DNS queries won't be resolved when the DNS Firewall is impaired or unavailable. This approach favors security over availability. Last updated: 2023-09-27 Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-vpc-configuration.html
105
What service is available behind 169.254.169.123 within AWS VPC? And do you need Internet Access to access it?
Amazon Time Sync Service No, no internet access needed. Last updated: 2023-09-27 Source: https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/
106
Which intrinsic function in CloudFormation is a valid one? Fn::Cidr or Fn::CidrBlock?
Fn:Cidr
107
What are the three factors that determine pricing for AWS Direct Connect?
Capacity, port hours, and data transfer out (DTO) Last updated: 2023-09-27 Source: https://aws.amazon.com/directconnect/pricing/
108
What is DPD and in what context is it used?
Stands for Dead peer detection and is a configurable timeout for when setting up an AWS Site-to-Site VPN connection. It defines the duration, in seconds, after which DPD timeout occurs. Last updated: 2023-09-27 Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
109
What are Phase 1 and Phase 2 Diffie-Hellman (DH) group numbers and in which context are they used?
They're options that can be defined when setting up an AWS Site-to-Site VPN connection. They specify the DH group numbers that are permitted for the VPN tunnel for phase 1 and phase 2 of the IKE negotiations. Last updated: 2023-09-27 Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
110
What is MPLS?
"Multiprotocol Label Switching" - encapsulation protocol used in many service providers and largescale enterprise networks. Instead of relying on IP lookups to discover a viable “next-hop” at every single router within a path (as in traditional IP networking), MPLS predetermines the path and uses a label-swapping push, pop, and swap method to direct the traffic to its destination.
111
What does ECMP stand for, in which context is it used and for what?
Equal-cost multi-path routing. Used in the context of AWS Site-To-Site VPN when it's required to connect more than one tunnel to a Transit Gateway. That way, VPN connections can scale beyond the regular limit of 1.25 Gbps. Last updated: 2023-09-28 Source: https://aws.amazon.com/blogs/networking-and-content-delivery/scaling-vpn-throughput-using-aws-transit-gateway/
112
Which VIF types support jumbo frames?
Private VIFs and transit VIFs, but not public VIFs Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/set-jumbo-frames-vif.html
113
Are jumbo frames supported for static routes, propagated routes, or both?
Only propagated routes when using Direct Connect. Only static routes when using transit gateway. Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/set-jumbo-frames-vif.html
114
What's the key difference between BGP community tags in the 7224:8*** range versus 7224:9*** range?
7224:8*** tags are advertised by AWS (attached to AWS prefixes) while 7224:9*** tags are advertised by the customer (attached to the own prefixes)
115
What is Transit Gateway "appliance mode" used for?
Ensures that Transit Gateway uses the same AZ for a VPC attachment for the lifetime of traffic flow between source and destination. Useful when planning to configure stateful network appliances in the VPC, hence the name. Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
116
Do intermediate devices between two Direct Connect endpoints have to have VLAN trunking enabled or disabled for the 802.1Q VLAN tag?
Enabled Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html
117
What is the maximum number of connections that you can have in a link aggregation group (LAG) in AWS Direct Connect?
2 when connection = 100 Gbps 4 when connection < 100 Gbps (i.e. 1 Gbps or 10 Gbps Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html
118
What are the four key differences between Gateway and Interface endpoints?
- Gateway endpoints use public IP addresses, Interface endpoints have private ones - Gateway endpoints cannot be accessed from on-prem, Interface endpoints can - Gateway endpoints don't allow access from other AWS regions, Interface endpoints do (via VPC peering or TGW) - Gateway endpoints are not billed, Interface endpoints are Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
119
How many route tables can you assign to a VPC and how many to a subnet?
200 per VPC and exactly 1 per subnet Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
120
Is route propagation enabled or disabled by default in a VPC?
Disabled
121
What is DNS64, in which context is it used for and where do you enable it?
It's a translation mechanism so that IPv6-only services can communicate with IPv4-only endpoints. Amazon VPC supports this by enabling it for a subnet. The actual translation then happens through a NAT Gateway and the Route 53 Resolver of the VPC. Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-nat64-dns64.html
122
Can you associate a VPC from an external AWS account to your own private hosted zone in Route 53?
Yes. But this requires you to first authorize the VPC association from your account and then have the external AWS account perform the actual association. Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zone-private-associate-vpcs-different-accounts.html
123
What is the IP address that is reserved by AWS in each VPC for the DNS server?
Depends on the CIDR of the VPC as it's the base of the VPC network range plus two. For a VPC with a CIDR of 10.0.0.0/24, the DNS server IP is 10.0.0.2, as an example. Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-sizing.html
124
What's the IPv4 address of the AWS metadata service?
169.254.169.254 Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
125
Does Storage Gateway use private or public endpoints?
Public endpoints Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/filegateway/latest/filefsxw/using-dx.html
126
What are the parameters that the CloudFormation Fn:Cidr function expects?
1: The user-specified CIDR address block to be split into smaller CIDR blocks. 2: The number of CIDRs to generate. Valid range is between 1 and 256. 3: The number of subnet bits for the CIDR. For example, specifying a value "8" for this parameter will create a CIDR with a mask of "/24". Last updated: 2023-09-28 Source: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-cidr.html
127
Within the X-Forwarded-For HTTP header, where do you find the client IP address where the request was first made?
Left-most in the header Last updated: 2023-10-19 Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html
128
What is an optional add-on in an Amazon EKS cluster that manages AWS Elastic Load Balancers for the Kubernetes cluster?
AWS Load Balancer Controller Last updated: 2023-10-05 Source: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
129
What type of AWS Load Balancer will the Load Balancer Controller provision to the Amazon EKS cluster if you create a Kubernetes Ingress?
Application load balancer Last updated: 2023-10-05 Source: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
130
What type of load balancer cluster will the Load Balancer Controller provision if you create a Kubernetes service of type Load Balancer?
AWS Network Load Balancer Last updated: 2023-10-05 Source: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
131
What protocol will the Gateway Load Balancer and its registered virtual appliance instances exchange for the application traffic?
GENEVE (Generic Network Virtualization Encapsulation) Last updated: 2023-10-05 Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/gateway/gateway-load-balancers.html
132
What is VPC Reachability Analyzer?
A feature in the VPC console that allows testing connectivity between a source and destination within a VPC, even across accounts. Last updated: 2023-10-05 Source: https://aws.amazon.com/blogs/networking-and-content-delivery/visualize-and-diagnose-network-reachability-across-aws-accounts-using-reachability-analyzer/
133
How can you capture traffic that includes the vpc-id and the interface-id ?
Use VPC flow logs with a custom format. Last updated: 2023-10-05 Source: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
134
How can you troubleshoot a Direct Connect connection when it's in DOWN status?
1. Verify physical connection is okay, i.e. checking cross connect, ports, etc. (OSI layer 1) 2. Verify data link is okay, i.e. VLAN and IP configurations, etc. (OSI layer 2) 3. Verify network/transport is okay, i.e. BGP and ASN configurations etc. (OSI layer 3/4) https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html
135
What is a CKN/CAK pair and in which connectivity context of AWS is it used?
Stands for Connection Key Name (CKN) and Connectivity Association Key (CAK). Used by AWS Direct Connect's when establishing a connection that is encrypted through MACsec. The customer generates the key pair and assigns it to the Direct Connect connection, as well as on the on-prem device that Direct Connect is connected to. Last updated: 2023-10-17 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/MACsec.html
136
In which order from the following does virtual private gateway prioritize routes? - Manually added static routes for a Site-to-Site VPN connection - BGP propagated routes from an AWS Direct Connect connection - Lowest Multi-exit discriminators (MEDs) - Shortest AS PATH - BGP propagated routes from a Site-to-Site VPN connection
1/ BGP propagated routes from an AWS Direct Connect connection 2/ Manually added static routes for a Site-to-Site VPN connection 3/ BGP propagated routes from a Site-to-Site VPN connection 4/ Shortest AS PATH ( 5/ Lowest Multi-exit discriminators (MEDs) Last updated: 2023-10-17 Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
137
Which port (number and protocol) does BGP use?
TCP 179 Last updated: 2023-10-17 https://docs.aws.amazon.com/directconnect/latest/UserGuide/Troubleshooting.html
138
In which context of AWS is NAT-T relevant, and which protocols and ports are used?
AWS uses NAT-T in the context of Site-To-Site VPN. Relevant ports are: - UDP port 4500 (for IPsec NAT traversal) - UDP port 500 (for Internet Key Exchange (IKE) packets) - IP Protocol 50 (for Encapsulating Security Payload (ESP)) Last updated: 2023-10-18 Sources: - https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-options.html - https://en.wikipedia.org/wiki/NAT_traversal
139
How do NAT Gateway and NAT instances compare to each other in regards to IP fragmentation?
NAT instance support reassembly of fragmented packets for UDP, TCP and ICMP, whereas NAT Gateways support this only for UDP. Last updated: 2023-10-18 Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-comparison.html
140
In which context is route propagation used in AWS, and where is it enabled?
AWS uses route propagation to dynamically update VPC route tables with information from a VPN Site-To-Site or Direct Connect connection. It's an option that is enabled on the route table of a VPC. Last updated: 2023-10-18 Source: https://repost.aws/knowledge-center/routing-dx-private-virtual-interface
141
What are the five network modes of ECS and what are the respective defaults for Linux and Windows based containers?
awsvpc, bridge, host, none, default bridge is the default for Linux based containers, default the one for Windows Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
142
What happens regarding network connectivity in ECS if "bridge" is selected as network mode?
The ECS task uses Docker's built-in virtual network on Linux, which runs inside each Amazon EC2 instance that hosts the task. Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
143
What happens regarding network connectivity in ECS if "host" is selected as network mode? And what is a limitation of this mode?
The ECS task uses the host's network which bypasses Docker's built-in virtual network by mapping container ports directly to the ENI of the Amazon EC2 instance that hosts the task. A port number on a host can’t be used by multiple tasks. As a result, you can’t run multiple tasks of the same task definition on a single Amazon EC2 instance. Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
144
What happens regarding network connectivity in ECS if "awsvpc" is selected as network mode?
The ECS task is allocated its own elastic network interface (ENI) and a primary private IPv4 address. This gives the task the same networking properties as Amazon EC2 instances. Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking.html
145
If you want to use Security Groups on ECS tasks, which ECS network mode do you have to use? Bridge or awsvpc?
awsvpc Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-networking-awsvpc.html
146
If the primary CIDR in a VPC is 10.0.0.0/16 (10.0.0.1 - 10.0.255.254), can you assign 172.16.0.0/16 (172.16.0.1 - 172.16.255.254) as a secondary CIDR?
No. Secondary CIDRs have to be in the same private address range as the primary CIDR, or be a publicly routable CIDR. 172.16.0.0/16 is neither of these (is a private CIDR according to RFC 1918, but not in the same range as the original CIDR). Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html
147
If the primary CIDR in a VPC is 10.0.0.0/16 (10.0.0.1 - 10.0.255.254), can you assign 10.1.0.0/16 (10.1.0.1 - 10.1.255.254) as a secondary CIDR?
Yes. Secondary CIDRs have to be in the same private address range as the primary CIDR, or be a publicly routable CIDR. 10.1.0.0/16 is a private CIDR according to RFC 1918 and in the same private address range as the primary CIDR (10.0.0.0/8). Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html
148
If the primary CIDR in a VPC is 10.0.0.0/16 (10.0.0.1 - 10.0.255.254), can you assign 100.0.0.0/16 (100.0.0.1 - 100.0.255.254) as a secondary CIDR?
Yes. Secondary CIDRs have to be in the same private address range as the primary CIDR, or be a publicly routable CIDR. 100.0.0.0/16 is a publicly routable CIDR according to RFC 1918. Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html
149
What is the maximum number of routes that can be advertised over a BGP session in Direct Connect? What happens when this limit is exceeded?
100 each for IPv4 and IPv6. If exceeded, the BGP session will go down. Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html
150
What port is used by SES for a TLS Wrapper connection?
465 or 2462 Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html
151
What port is used by SES for a TLS connection?
25, 587, or 2587 Last updated: 2023-10-21 Source: https://docs.aws.amazon.com/ses/latest/dg/smtp-connect.html
152
What protocol does the Link Aggregation Group (LAG) use to aggregate multiple connections at a single AWS Direct Connect endpoint?
Link Aggregation Control Protocol (LACP) Last updated: 2023-10-22 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/lags.html
153
What is CIDR Reservation?
A subnet setting to prevent AWS from automatically assigning IPv4 or IPv6 addresses within a CIDR range you specify. Last updated: 2023-10-22 Source: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-cidr-reservation.html
154
What are the two types of Subnet CIDR reservations in Amazon VPC?
Explicit and Prefix Last updated: 2023-10-22 Source: https://docs.aws.amazon.com/vpc/latest/userguide/subnet-cidr-reservation.html
155
What are Route 53 Resolver Outbound Endpoints used for?
They allow DNS queries from your VPC to your on-premises network or another VPC Last updated: 2023-10-22 Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
156
What are Route 53 Resolver Inbound Endpoints used for?
They allow DNS queries to your VPC from your on-premises network or another VPC Last updated: 2023-10-22 Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
157
What do the fields with pkt represent in a VPC flow log when troubleshooting pod-to-pod traffic?
Represent the source and destination address of the actual IP packet (Pod IP). Source and destination fields without a pkt prefix represent the address of the interface the packet is sent from or received on. Last updated: 2023-10-22 Source: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html
158
What (mandatory) attributes do you have to provide when creating a private VIF via Direct Connect?
Name, Owner (account), VLAN ID, ASN, the DX connection that the VIF uses and either a VGW or the DX Gateway that the VIF shall connect to. Last updated: 2023-10-24 Source: https://docs.aws.amazon.com/directconnect/latest/APIReference/API_NewPrivateVirtualInterface.html
159
Can you request a CIDR block from IPAM natively via CloudFormation, or do you have to use a Lambda custom function for this?
CloudFormation has native support for this using AWS::EC2::IPAMPool Last updated: 2023-10-24 Source: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-ipampool.html
160
What is important regarding the ASN when attaching Transit Gateways in different regions to a Direct Connect Gateway?
You have to use unique ASNs for each transit gateway. Last updated: 2023-10-24 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-transit-gateways.html
161
Do you associate Transit Gateways with the VPC or the VGW of the VPC?
TGW can use the VPC directly and doesn't need a VGW (unlike Site-To-Site VPN or Direct Connect). Last updated: 2023-10-24 Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
162
What is PAT?
An extension of Network Address Translation (NAT) that permits multiple devices on a LAN to be mapped to a single public IP address to conserve IP addresses. Relevant for AWS Direct Connect for example, where the on-prem router does the translation. Last updated: 2023-10-24 Source: https://repost.aws/knowledge-center/connect-private-network-dx-vif
163
If a key-signing key (KSK) in Route 53 DNSSEC changes its status to Action needed (or ACTION_NEEDED in a KeySigningKey status), what is the root cause?
This occurs if Route 53 loses access to a corresponding AWS KMS key (due to a change in permissions or AWS KMS key deletion). Last updated: 2023-10-24 Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec-troubleshoot.html
164
What are the two types of keys used by DNSSEC?
key-signing key (KSK) and a zone-signing key (ZSK) Last updated: 2023-10-24 Source: https://simpledns.plus/help/definition-dnssec
165
What is a KSK used for?
Used in the context of DNSSEC to sign the public key records (DNSKEY) for a zone. Last updated: 2023-10-24 Source: https://simpledns.plus/help/definition-dnssec
166
What KMS key type is a key-signing key (KSK) based on?
asymmetric customer managed key Last updated: 2023-10-24 Source: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring-dnssec.html
167
How does AWS Private IP Site-to-Site VPN work, i.e. what services and components are involved, and what advantages does it have over Public IP Site-To-Site VPN?
It uses Direct Connect with a transit VIF that's connected to a Transit Gateway via a Direct Connect Gateway. Benefits are: - simplified management (vs. self-managed VPN) - improved security (vs. public IP Site-To-Site VPN) - higher route scale (vs. standalone Direct Connect) Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/vpn/latest/s2svpn/private-ip-dx.html
168
Which BGP community value does AWS apply to routes pointing to global AWS services?
No tag. Note that there's also the 7224:8300 tag that has the same meaning, which isn't applied by AWS though. Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/routing-and-bgp.html
169
What type of authentication key does Direct Connect support to use for BGP MD5 authentication? AWS-managed, customer-managed, or both?
Both Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html
170
What is the attribute called that defines when LAG members will be logically disabled if the number of active member-connections falls below which value?
Minimum links Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-lag.html
171
How many virtual interfaces (VIFs) can an AWS Direct Connect-hosted connection support?
Only a single virtual interface (VIF) Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/WorkingWithVirtualInterfaces.html
172
Can you associate a Direct Connect Gateway directly with a VPC?
No, this requires a VGW. Transit Gateways however can be attached directly to VPCs. Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html
173
How many TGW route tables can be associated with each Transit Gateway attachment?
Exactly one Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
174
By default, each Transit Gateway attachment may propagate to how many TGW route tables?
TGW attachments may propagate to as many route tables as the TGW can support, which by default is 20. Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/vpc/latest/tgw/transit-gateway-quotas.html
174
When routes are evaluated by Transit gateway what is the order of priority from the following options? - Transit Gateway Connect propagated routes - Prefix list referenced routes - Transit Gateway peering propagated routes (Cloud WAN) - VPC propagated routes - Static routes - Site-to-Site VPN propagated routes - Direct Connect gateway propagated routes
- Static routes - Prefix list referenced routes - VPC propagated routes - Direct Connect gateway propagated routes - Transit Gateway Connect propagated routes - Site-to-Site VPN propagated routes - Transit Gateway peering propagated routes (Cloud WAN) Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html
175
When using equal cost multi-path (ECMP) with Transit Gateway as a Site-To-Site VPN solution, does it support static routes, dynamic routes, or both?
Only dynamic routes (using BGP) Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-transit-gateway-vpn.html
176
What is the MTU for VPC peerings?
9001 for inter-region peerings, 1500 for cross-region peerings Last updated: 2023-10-25 Source: https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html
177
Can you use Simple AD to resolve DNS queries of AWS VPC as well as on-prem resources?
Yes and no. Resolving AWS VPC resources works out-of-the-box with Simple AD, but to resolve on-prem resources, you'll have to use a separate DNS resolver (such as an EC2-hosted DNS server). Last updated: 2023-10-26 Source: https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/
178
Can you forward DNS requests for VPC resources to Route 53 Resolver from on-prem?
Yes, but not directly, i.e. you cannot send the DNS request to the VPC +2 IP address (the IP address of the DNS resolver). Instead you have to create a Route 53 Inbound Resolver Endpoint first and send DNS requests to the address of that endpoint. Last updated: 2023-10-26 Source: https://aws.amazon.com/blogs/security/how-to-set-up-dns-resolution-between-on-premises-networks-and-aws-using-aws-directory-service-and-amazon-route-53/
179
Can you connect to an S3 Gateway endpoint via a Site-To-Site VPN connection that ends in a VGW?
No. VGWs do not support transitive routing, therefore, the Gateway endpoint won't be accessible.
180
How do you set up an Active/Active Direct Connect connection using a private or transit VIF?
Set up two connections where advertised prefixes, local preference, autonomous system (AS) path, and Multi-Exit Discriminator (MED) values are the same. Last updated: 2023-10-26 Source: https://docs.aws.amazon.com/architecture-diagrams/latest/active-active-and-active-passive-configurations-in-aws-direct-connect/active-active-and-active-passive-configurations-in-aws-direct-connect.html
181
How do you set up an Active/Passive Direct Connect connection using a private or transit VIF?
Set up two connections and have the "Active" connection using a longer (more specific) prefix, or higher local preference (for example 7224:7300), or shorter autonomous system (AS) path, or lower Multi-Exit Discriminator (MED). Last updated: 2023-10-26 Source: https://docs.aws.amazon.com/architecture-diagrams/latest/active-active-and-active-passive-configurations-in-aws-direct-connect/active-active-and-active-passive-configurations-in-aws-direct-connect.html
182
What effect does it have when a VPC has the tenancy set to "dedicated"?
Any EC2 instances launched in that VPC will automatically be dedicated instances. Last updated: 2023-10-26 Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-instance.html#dedicated-howitworks
183

AWS Advanced Networking (1 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions