AWS Networking

Question 1

VPC Peering

Answer 1

• AWS provided connection between two VPCs

- No transitive peering

Question 2

vpc flow logs

Answer 2

• information about the IP traffic
• stored using cloudwatchlogs or s3
• vpc, subnet, network interfaces

Question 3

Cloudfront Lambda@edge

Answer 3

• used to customize content cloudfront delivers
• viewer request
• origin request
• origin response
• viewer response

Question 4

AWS Cloudfront

Answer 4

• Content deliver network (CDN)
• Moves content closer to the User
• Geo Location filtering
• Uses AWS backbone

Question 5

Signed Cookies

Answer 5

• provides control over access to content
• doesn’t require a url change
• Used for multiple files

Question 6

Signed URL

Answer 6

• Provides control over access to content
• URL updates
• for Individual files
• expires date and time
• IP Ranges

Question 7

CloudFront Origins

Answer 7

• Where the content originates

Question 8

AWS Managed VPN

Answer 8

• IPsec vpn over your existing network
• quick and simple tunnel to a vpc
• used as redundant for DirectConnect
• Dependent on your INET

Question 9

AWS Direct Connect

Answer 9

• Dedicated Network connection to AWS backbone
• when a large link to AWS is required
• Lead time > 1 month
• Not encrypted by default

Question 10

Direct Connected + VPN

Answer 10

• Adds IPSec to Direct Connect

- Encrypted tunnels over Direct Connect

Question 11

Cloudfront Edge Locations

Answer 11

• 100s located in different parts of the world

- Content is pushed and cached at the edge

Question 12

Software VPN

Answer 12

• Customers provide their own VPN
• when you must manage both ends for compliance reasons
• when you must use a vpn option not provided by AWS

Question 13

Transit VPC

Answer 13

• For Connecting geographically dispersed VPCs and Locations
• When locations and vpcs across multiple regions need to talk
• Flexibility with AWS managed vpn
• Hub and spoke with vpcs

Question 14

CloudHub

Answer 14

• connect locations in hub/spoke using AWS Private Gateway
• Used to link remote offices
• Uses existing INET

Question 15

AWS Security Groups

Answer 15

• Instance level

- Can specify allow not deny

Question 16

AWS Default Security groups

Answer 16

• Can’t be deleted

- Can Change the rules

Question 17

AWS Subnets

Answer 17

• EC2 instance can have 5 subnets

- Will be assigned to default NACL if not assigned to custom NACL

Question 18

VPC Interface endpoint

Answer 18

• EC2 in VPC to EC2 in VPC
• Uses ENI with private IP to connected to PrivateLink
• Typical ELB as the connection point in PrivateLink
• Service provider model
• Secured by security groups

Question 19

VPC Gateway endpoint

Answer 19

• Used for connection from VPC to S3 or Dynamo DB
• Uses endpoint policies
• Prefix list in route table
• Bucket policies can be added to restrict S3 access

Question 20

NAT Gateway

Answer 20

• Used to allow Private IPs access to INET
• Download software
• Goes in Publish Subnet

Question 21

Can VPC Peering with Overlapping IPS

Answer 21

• will fail… IPs cannot overlap.

Question 22

Public Subnets

Answer 22

• Have a route via the Internet gateway to the Internet

Question 23

What type of IP is not considered unique

• IPv6
• Elastic IPs
• IPv4 - Public IPs
• IPv4 - Private IPs

Answer 23

IPv4 Private ips… think 10.x.x.x

Question 24

AWS Private Link

Answer 24

• Service provider … a single service to 1ks of VPCs
• Doesn’t require VPC peering
• Requires NLB on Service side and ENI on Client side

Question 25

AWS Global Accelerator

Answer 25

- improves the availability and performance of apps with local or global users - Uses the AWS global network to optimize the path from user to app - Uses AWS Edge locations - Uses 2 static anycast IPs that are globally advertised - IPS server as the frontend interface of the application - NLB, ALB, or EC2 - Don't need to make any client facing changes or update DNS as you modify or replce the endpoints - Static IPs

Question 26

NAT Gateways support outbound traffic only.

Answer 26

- True

Question 27

I have 2 public IPs for my website. I want to increase performance and redundancy using multiple AWS regions behind NLBs.

Answer 27

Create an AWS Global Accelerator and attache endpoints in each region Migrate both IPS to AWS Global Accelerator

Question 28

When using throttling controls with API Gateway, what happens when request submissions exceed the steady state request rate?

Answer 28

429 Too Many Requests

Question 29

cost-effective solution for Direct connect backup

Answer 29

IPSec VPN and use the same BGP prefix

Question 30

IPsec VPN connection has a virtual private gateway on aws side and customer gateway on the on premise side?

Answer 30

True

Question 31

Dedicated tenancy can be changed to Host tenancy and visa versa?

Answer 31

True

Question 32

How can VPC services access SQS without traversing the internet?

Answer 32

VPV interface endpoint

Question 33

How many AZs can a single subnet map to

Answer 33

One

Question 34

Each subnet you create is associated to which route table

Answer 34

Main

Question 35

Transfer gbs of data quickly and on a regular basis to an s3 bucket

Answer 35

Transfer Acceleration

Question 36

Features and advantages of a vpn

Answer 36

Between on prem and vpc using secure and private connection with IPsec and tls

Question 37

What are the default inbound and outbound rules for a new / Custom NACL

Answer 37

Deny Inbound | Deny Outbound

Question 38

Should you use CloudFront to help latency within a data center... between the app and the S3 bucket?

Answer 38

No... use a Cache for that like Redis.

Question 39

Which should you use for VPC flowlogs.... Interfaces or Subnets

Answer 39

Interfaces are more secure

Question 40

Do you need to configure Access Logs on an ELB?

Answer 40

Yes... this allows you to get information like requestor, ip, path... that cloudtrail won't get you.

Question 41

How can you enhance the security of data via CloudFront

Answer 41

Field Level encryption

Question 42

Virtual Private Gateway

Answer 42

- Allows VPC to communicate with on prem over VPN for a secure connection.

Question 43

Route 53 Alias Support for

Answer 43

Amazon CloudFront distribution – A record (IPv4) or AAAA record (IPv6) AWS Elastic Beanstalk environment – A record (IPv4) Elastic Load Balancing (ELB) load balancer – A record (IPv4) or AAAA record (IPv6) Amazon Simple Storage Service (Amazon S3) bucket – A record (IPv4) Amazon API Gateway custom regional API and edge-optimized API – A record (IPv4) Amazon VPC interface endpoint – A record (IPv4) AWS Global Accelerator – A record (IPv4) Another Route 53 record in the same hosted zone

Question 44

a private subnet that need to connect to Internet-based hosts using the IPv6 protocol. What needs to be configured to enable this connectivity?

Answer 44

An egress only Internet Gateway

Question 45

Internet connectivity for a data-processing application in a VPC…that will pull large amounts of data from an object storage system via the Internet.

Answer 45

Attach an internet gateway. since the traffic is going over the internet, a VPC Gateway Endpoint is not an option.

Question 46

An elastic IP is what

Answer 46

Public static IP