AWS Networking Facts Flashcards
1
Q
Can a ENI be moved across AZs?
A
No. ENIs are specific to subnets since they get an IP address in the subnet’s CIDR range.
You can move a network interface from one instance to another, if the instances are in the same Availability Zone and VPC but in different subnets. e.g. Multihoming.
2
Q
Can ENIs be detached from an instance?
A
You can detach secondary network interfaces when the instance is running or stopped. However, you can’t detach the primary network interface.
3
Q
Can VPCs span AZs and Regions?
A
VPCs are specific to a Region and hence cannot span a Region.
VPCs can span multiple AZs
4
Q
What are the 5 IP addresses in each subnet reserved by AWS?
A
.0 - Network Address .1 - Router address .2- DNS Address .3-Reserved for future use .255 - Broadcast (not supported/hence reserved).
5
Q
What are the attributes of an ENI?
A
- A primary private IPv4 address from the IPv4 address range of your VPC
- One or more secondary private IPv4 addresses from the IPv4 address range of your VPC
- One Elastic IP address (IPv4) per private IPv4 address
- One public IPv4 address
- One or more IPv6 addresses
- One or more security groups
- A MAC address
- A source/destination check flag
- A description
6
Q
Can ENIs support multiple Security Groups?
A
Yes. An ENI can have up to 5 security groups.
7
Q
How do multiple SGs work?
A
A single SG can be associated with multiple ENIs.
A single ENI can have multiple SGs.
When multiple SGs are used, the rules are the product of all of them.
SGs are stateful.
They have an implicit deny - i.e. you can only specify “Allow”.
All rules are evaluated before proceeding (i.e. the rules are OR’ed - so if SG allows a particular traffic even if other don’t explicitly allow, then traffic is allowed)
8
Q
How do NACLs work?
A
A single NACL can be associate with multiple subnets.
However, a single subnet can have only one NACL.
NACLs are stateless.
Both “Allow” and “Deny” can be specified.
Rules are evaluated in order.
The very last rule is a DENY ALL.
9
Q
How do you configure ephemeral ports in NACLs?
A
- Client initiating connection always chooses the ephemeral port. So, inbound/outbound rules have to be specified according to who the client is.
- Ephemeral ports vary based on operating system.
- In general, it is best to have inbound/outbound ports opened from 1024-65536 to cover all OS.
- You can have a specific DENY rule earlier to deny traffic from malicious ports, before the rule that allows such a broad range of ports.
10
Q
What port does the “Port Range” in SGs rules refer to?
A
The port ranges are all destination ports - NOT source ports.
11
Q
What’s the difference between default NACL and Custom NACL?
A
Your VPC automatically comes with a modifiable default network ACL. By default, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
You can create a custom network ACL and associate it with a subnet. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
12
Q
What’s the difference between default SG and Custom SG?
A
Your VPC automatically comes with a default security group. All inbound traffic (from itself) is permitted. All outbound traffic is permitted.
When you create a new security group, it has no inbound rules. Therefore, no inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.
By default, a security group includes an outbound rule that allows all outbound traffic.
13
Q
What does statefulness for SG mean?
A
It means that if inbound traffic is permitted, then the corresponding outbound traffic is also permitted - i.e. the outbound rules are not evaluated and vice versa.
14
Q
What makes a subnet public?
A
A public subnet is a subnet that’s associated with a route table that has a route to an Internet gateway.
Note also that: instances in the subnet must have a globally unique IP address (EIP, IPv4 or IPv6). Or else, they must use a NAT GW or instance if they only have a private address.
Additionally, NACLs and SGs must permit the relevant traffic.
15
Q
What are the different types of VPC Endpoints?
A
Interface Endpoints
Gateway Load Balancer Endpoints
Gateway Endpoints
16
Q
What are the functions of the IGW?
A
IGW performs two functions:
a) to provide a target in your VPC route tables for internet-routable traffic, and
b) to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
17
Q
What are CIDR Range limitations in VPC Peering?
A
The requester and acceptor VPCs cannot have overlapping CIDR ranges.
However, a hub VPC can peer with two spoke VPC with overlapping CIDR range. The two spoke VPCs essentially communicate with different subnets in the hub VPC each with their own route table pointing to a different peering connection.
18
Q
In VPC Peering, what is the impact of Regions on Security Groups?
A
Peer VPCs can be in the same account, different account in the same Region or in different Regions.
When VPCs are in the same Region, the SGs can reference each other in the SG-rules.
Across Regions, the SG rules have to use CIDR blocks.
If SG reference is “Stale” -that indicates that the peer deleted the referenced SG or the peering connection itself is terminated.
19
Q
How does DNS resolution work in VPC Peering?
A
By default, if instances on either side of a VPC peering connection address each other using a public DNS hostname, the hostname resolves to the instance’s public IP address. To change this behavior, enable DNS hostname resolution for your VPC connection. After enabling DNS hostname resolution, if instances on either side of the VPC peering connection address each other using a public DNS hostname, the hostname resolves to the private IP address of the instance.
20
Q
Where can VPC Flow Logs be attached?
A
a) VPC
b) Subnet
c) ENI.
Can capture Accepted, Rejected or All traffic.
Different combinations can be setup - e.g. one VPC Flow Log for accepted and another for rejected.
Flow Logs cannot be modified once created. Delete and recreate.
Flow Logs are NOT real-time. There may be a delay of up to 5 minutes (for Cloudwatch) and up to 10 minutes (for S3) after the close of the aggregation window.
They are customizable; can be stored to S3 or Cloudwatch. Some fields can only be captured to S3.
21
Q
What are the fields in Flow Logs?
A
There are two FL formats a) Default and b) Custom.
Default cannot be modified - a subset of all available fields. Includes version#, acct id, interface id, src/dst port/IP, protocol, pkt, bytes, time (start and end), action (accept/reject), status (OK, NO DATA, SKIP DATA).
Custom formats are customizable.
22
Q
What is a Flow Log Aggregation Interval?
A
This specifies the capture window. Default is the maximum of 10 minutes.
You can set it to 1 minute, but this would mean more logs.
23
Q
What traffic does VPC Flow Logs NOT capture?
A
a) Traffic to Amazon DNS Server
b) Windows instance license activation
c) Instance metadata to 169.254.169.254
d) Traffic to time sync: 169.254.169.123
e) DHCP
f) Traffic to VPC Router
g) Traffic between an ENI and ELB.
24
Q
How does FL integrate with CW?
A
When publishing to CloudWatch Logs, flow log data is published to a log group, and each network interface has a unique log stream in the log group. Log streams contain flow log records.
25
In the flow logs what are the key TCP Flags value?
```
The bitmask value for the following TCP flags:
SYN: 2 (Client to Server)
SYN-ACK: 18 (Server back to Client)
FIN: 1 (Bidirectional)
RST: 4
```
A flag value of 3 means client sent both SYN and FIN and it was recorded in the same flow log.
A flag value of 19 means, server sent both SYN-ACK and FIN and it was recorded in the same flow log.
26
What is the difference between regular and jumbo frames?
Regular frames are Ethernet v2 which support a Max Transmission Unit (MTU) size of 1500 bytes. Most of the internet is limited to this.
In AWS, some EC2 instances support a MTU of 9001 bytes - Jumbo frames. But this is only within AWS environment. When they leave the boundaries of AWS (including VPN connections) they are broken into 1500 MTUs.
Jumbo frames are supported only within a single Region. Inter-region traffic is limited to 1500 MTU.
Jumbo frames are supported over VPC peering connections, however, not if it is inter-Region VPC peering. JFs are supported over DX Private/Transit VIFs.
Jumbo frames are enabled by default within a VPC. Instances don't have to be within a placement group to take advantage.
27
What are the high performance computing instance types?
Compute Optimized instances are ideal for HPC - c4, c5 and c6 instance types.
However, for graphics use the G3 instance. These are the latest generation of Amazon EC2 GPU graphics instances that deliver a powerful combination of CPU, host memory, and GPU capacity.
28
What are the different placement groups?
Cluster
Partition
Spread
All placement groups are specific to a single AZ.
29
What are the characteristics of the Cluster PG?
Cluster - best for low network latency, high network throughput, or both.
All instances in the group reside in the same AZ (does not say same HW rack/host, but it does say it in the same high-bisection bandwidth segment of the network). Instances can span peer VPCs.
Supports up to 10 Gbps for single-flow traffic within placement group. Limited to 5 Gbps for Direct Connect.
Limited to 5 Gbps for flows outside the placement group - e.g. traffic between AZs, flow between EC2 and S3 etc.
30
What are the characteristics of the Partition PG?
Groups of instances (called partitions) are hosted on separate HW. No partition shares a rack with another.
Best for large distributed and replicated workloads, such as HDFS, HBase, and Cassandra, across distinct racks.
31
What are the characteristics of the Spread PG?
Instances are spread across distinct HW (separate power and network). Can span AZs.
32
What is Enhanced Networking?
ENA uses single root I/O virtualization to provide high-performance networking capabilities on supported instance types.
SR-IOV is a method of device virtualization that provides higher I/O performance and lower CPU utilization when compared to traditional virtualized network interfaces.
Enhanced networking provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies.
33
What are the two types of enhanced networking?
Elastic Network Adapter - a network driver, ENA can support network speeds of up to 400 Gbps for supported instance types (current instances only support 100 Gbps).
Intel 82599 Virtual Function Interface - supports network speeds of up to 10 Gbps for supported instance types.
34
Why would you want to have multiple IP addresses for EC2 instances?
a) Host multiple websites on a single server - associate SSL certs with a specific IP
b) For network appliances like Firewalls and LBs
c) Redirect internal traffic to a standby by moving secondary IP to a standby instance.
35
When you add a secondary IP to an instance are you also adding a new network interface?
No. You can assign a secondary private IPv4 address to any network interface.
Security Groups apply to network interfaces and hence all IPs associated with an interface are subject to the SG rules.
36
What is an Elastic IP Address?
An Elastic IP address is a static public IPv4 address, which is reachable from the internet. No IPv6 Elastic IP.
37
What are the attributes on an ENI?
A primary private IPv4 address from the IPv4 address range of your VPC
One or more secondary private IPv4 addresses from the IPv4 address range of your VPC
One Elastic IP address (IPv4) per private IPv4 address
One public IPv4 address
One or more IPv6 addresses
One or more security groups
A MAC address
A source/destination check flag
A description
38
How do you enable enhanced networking with ENA?
Do the following:
a) Choose an instance type that supports ENA; set the instance attribute to enable ENA
b) Choose an OS/AMI that supports it (e.g. Amazon Linux 2); enable enhanced networking attribute.
This should automatically enable it.
39
How do you enable enhanced networking with Intel 82599 VF I/F?
a) Choose an appropriate instance type
| b) Launch using HVM AMI (Hardware Virtual Machine). - e.g. Amazon Linux HMV AMI.
40
What's an Elastic Fabric Adapter?
An Elastic Fabric Adapter (EFA) is a network device that you can attach to your Amazon EC2 instance to accelerate High Performance Computing (HPC) and machine learning applications.
41
How's an EFA different from an ENA?
ENAs provide traditional IP networking features that are required to support VPC networking. EFAs provide all of the same traditional IP networking features as ENAs, and they also support OS-bypass capabilities.
OS-bypass enables HPC and machine learning applications to bypass the operating system kernel and to communicate directly with the EFA device.
ENAs are used by traditional TCP/IP stacks provided by the OS.
EFAs are used by HPC applications that bypass TCP/IP. They use something called Libfabric that interacts directly with the EFA device.
42
What is a Gateway Route Table?
A route table that is associated with an Internet GW or Virtual GW. Has Destination and Targets that is used by the Gateways to route.
43
What is Ingress Routing?
Traffic destined for a VPC is routed by IGW or VGW based on Gateway Route Table.
For example, internet traffic destined for Instance B, could be routed by the IGW, based on the GW Route Table to instance A's ENI (which provides firewall services - e.g. Palo Alto FW).
Instance A (in this case) is the next hop (i.e. an explicit router) which inspects traffic and then forward it to the destination.
44
What is a Transit Gateway?
* TGW is a Regional network construct that allows large scale (up to 5,000) communication between VPCs.
* Supports VPN and Direct Connect communications.
* Peering connections between TGWs in different regions (Static routes must be added)
* Support multiple route tables (VRF/Network Segmentation) - up to 20 TGW RT and 10,000 routes per TGW.
* Attachments are their own objects (e.g. connects VPCs to TGW)
* Each attachment is associated with one route table
* Each attachment propagates routes to one or more route tables
* Attaching a VPC - specify one subnet in each AZ. Otherwise resources in that AZ cannot reach TGW even if the route table has an entry.
* VPC route tables must be updated to route traffic to the TGW.
* TGW Route Tables support blackhole routes.
*
45
What do the enableDnsHostnames and enableDnsSupport in a VPC configuration do?
enableDnsHostnames -Indicates whether instances with public IPv4 addresses get corresponding public DNS hostnames. If this attribute is true, instances in the VPC get public DNS hostnames, but only if the enableDnsSupport attribute is also set to true.
enableDnsSupport-Indicates whether the DNS resolution is supported. If this attribute is false, the Amazon Route 53 Resolver server that resolves public DNS hostnames to IP addresses is not enabled.
If this attribute is true, queries to the Amazon provided DNS server at the 169.254.169.253 IP address, or the reserved IP address at the base of the VPC IPv4 network range plus two will succeed.
When you launch an instance into a VPC, it always receives a private DNS name.
No DNS hostnames for IPv6.
46
What is the size of the smallest subnet you can create?
The size is /28 (16 IPv4 addresses).
Remember (5 of the 16 addresses are not usable).
Also, to deploy a ELB, you must have a subnet that is /27 or larger with at least 8 available IP addresses.
47
What's the size of the VPC's IPv6 CIDR block?
A /56 is automatically assigned by AWS. You cannot select your own range.
48
What's the size of a IPv6 subnet?
A /64 is automatically assigned.
49
What is a IPv6 GUA?
Global Unicast Addresses in IPv6 always start with a "2" or "3".
2000::/3 (first three bits are 001). Leftmost 64 bits are the network segment and the rest (64 bits) are the node.
50
How many rules can you have per Security Group?
You can have 60 inbound and 60 outbound rules per security group (making a total of 120 rules). Separately enforced for IPv4 and IPv6 - i.e. 60 inbound IPv4 rules and 60 inbound for IPv6 rules.
Security groups per network interface = 5 (default) and 16 (max).
No more than 1,000 rules total (#of SG * # of rules/SG).
51
How many IPsec tunnels are there in a VPN connection?
2 IPsec tunnels per VPN Connection.
Each tunnel terminates to a specific public IP address (on the VGW). 2 public IPs total.
If a second VPN connection is terminated on the same VGW, then the VGW allocates two more new IP addresses - total 4 Public IPs.
Each tunnel can support up to 1.25 Gbps depending on packet size. But the VGW itself has a max of 1.25 Gbps (this means if there are two tunnels, each tunnel can only support .625 Gbps, if there are multiple connections to a single VGW, then they can only support less than that!).
To increase bandwidth you can forward traffic to both endpoints. Requires support of Equal Cost Multipath on the CGW. However, on the return side, AWS will always pick a single tunnel.
52
What are the two types of VPN in AWS?
1) Hardware VPN: Involves VGW and CGW;
| 2) SW VPN: EC2 instances run VPN SW (no VGW is involved).
53
What types of routing does the VGW support?
```
Dynamic Routing (uses BGP)
Static Routing
```
Note:
1) A VGW must be assigned a private ASN whether you plan to use BGP or not.
2) VGWs support only IPv4 based VPN tunnels. However, TGWs support IPv6.
3) Firewall at the customer location must be opened for UDP Port 500 (Phase 1 Tunnel/IKE) and IP Protocol #50 (ESP Traffic - Phase 2 Tunnel).
4) If behind NAT-GW, then NAT-T must be supported and port 4500 must also be opened.
5) For every VPN connection you terminate on a VGW, two IP addresses are assigned. So, if you have two VPN connections (4 tunnels) then VGW presents 4 IP addresses.
6) New: You can use a certificate from the customer device to connect to the VGW. In this case, when you create the CGW, you don't need to specify the IP address. This is useful when the CGW uses dynamic addressing.
54
Can ENIs be moved across subnets?
No. Since ENIs are allocated a Private IP address from the subnet addressing space, they cannot be moved.
However, ENIs can be attached to instances that have their primary ENIs in another subnet - so long as the instances are in the same AZ.
ENIs are essentially scoped to AZs and cannot be used across AZs.
55
Can ENIs be used across AZs?
No. ENIs can only be attached to instances in the same AZs.
Instances can have ENIs in multiple subnets within an AZ (multihoming).
56
Can multiple ENIs be used to increase bandwidth?
No. NIC teaming cannot be used to increase bandwidth.
57
In a VPC Gateway Endpoint is transitive routing supported?
No. VPC Gateway Endpoints do not support transitive routing - this means, you cannot access them from across a VPN connection/Direct Connect/VPC Peering connection.
You can get around this using proxy routing - see Page 63.
58
Can VPC I/F Endpoint be accessed from Direct Connect?
Yes. IFEP can be accessed from DX and S2S-VPN. However, not over VPC Peering.
GW EPs, on the other hand, cannot be access from DX, VPN/VPC Peering conns.
59
What are the key differences between VPC Peering and Private Link Interface End Points?
VPC Peering - allows two way comms between VPC whereas PL/IEP allow only the consumer to initiate a request to the VPC.
PL/IEP more scalable than peering - can supports thousands of VPCs.
PL/IEP Network LB does Source NAT - hence, source IP is not available to the Service Provider.
60
How many secondary CIDRs can you add to a VPC?
Besides the primary, you can add up to 5 secondary CIDR ranges, if you run out of address space.
You can increase the limit beyond this by contacting AWS Support.
61
Can you create a VPN Connection between two VGWs?
No. Because neither VGW will initiate the connection.
Note: a VGW will never initiate a tunnel to a CGW. If the tunnel drops due to inactivity, then, an EC2 instance in a VPC wanting to send traffic to an on-prem server will not be able to do so. However, when the tunnels is up, EC2 can initiate traffic anytime.
62
Do AWS Private Link support UDP?
No. Only TCP traffic is supported.
Note: Interface Endpoints only support IPv4 traffic - which means that if an EC2 instance wants to access a
63
Does Direct Connect support static routing?
No. Direct connect only supports BGP. 802.1q VLAN tagging is also a requirements.
64
On Direct Connect, what defines a VIF?
A VIF is defined by the VLAN tag and BGP session.
Note: DX GW is a Layer 2 circuit. VIFs define layer 3 information. You can support multiple VIFs (L3) by separating information at L2 using VLANs.
65
What is the Routing Preference inside a VPC?
1. Local Routes to the VPC preferred over overlapping propagated routes (even if propagated routes are more specific).
2. Longest prefix match first
3. VPC Static routes preferred over matching dynamic propagated routes
4. Dynamic routes:
a) Prefer DX BGP routes i) Shortest Path ii) if equivalent, balance traffic flow (ECMP)
b) VPN static routes
c) BGP Routes from VPN (shortest AS Path).
66
Does DX Gateway work with Public VIFs?
No. DX GW is only about Private VIFs and Transit VIFs.
67
Do NLBs support static IPs?
Yes. NLBs can be referenced by static IPs in each AZ.
Contrast this with ALBs and CLBs - which should only be referenced by FQDNs since their IPs change when scaling.
68
When using ELBs, how is the client's source IP address and port preserved?
For CLB, enable proxy protocol which injects this information into the request before sending it to the backend.
For ALB, nothing is needed, since ALB inserts the HTTP X-Forwarded-For headers.
Ensure that the CLB is not behind a proxy server already. Proxy server may already have added a request to the header. CLB may add another header causing duplication errors.
NLBs, provides client IP pass through to Amazon EC2 instances (if you use instance id when configuring a target). However, if you can only register targets by IP address, then enable proxy protocol v2 on the NLB.
69
How does the NLB select a target?
NLB uses a flow-hashing algorithm. Uses protocol, source IP/port, Dest IP/port, TCP sequence#.
Each individual TCP connection is routed to a single target for the life of the connection.
70
Can Root zone (domain) have a CNAME record?
No.
In DNS, you cannot create a CNAME record for a root zone. For example, you cannot have a CNAME record for "example.com"
71
What type of distributions does Cloudfront support?
```
Web Distribution (using HTTP/HTTPS)
Media Streaming Distribution (using HTTP and RTMP).
```
72
How can you serve private content in Cloudfront?
a) Signed URL
b) Signed cookies
c) Origin Access Identity (OAI) - works with S3 bucket origins when used with bucket policies.
73
How does RTMP distribution work in Cloudfront?
a) Media player is served using HTTP (Basic Distribution)
b) Streaming media is served using RTMP (streaming distribution.
c) RTMP origins always have to be a S3 bucket.
74
What type of origin servers does Cloudfront support?
a) Amazon S3 buckets
b) Amazon S3 static websites
c) EC2 instances
d) Elastic Load Balancers
e) Custom Origin Servers (e.g. on-prem servers).
75
How does Cloudfront handle HLS, HDS, DASH etc.
Cloudfront will break video into smaller chunks that are cached in the cloudfront network for improved performance and scalability.
76
How can you use HTTPS and Cloudfront?
You can configure users to connect to cfrnt using HTTP.
Similarly, you can use HTTPS between edge and origin.
You can also apply field level encryption - by uploading public/private key pairs.
77
What two techniques does R53 use to provide 100% Availability?
a) Shuffle Sharding
| b) Anycast Striping - multiple name servers share the same IP address; clients routed to nearest NS by BGP.
78
In Cloudfront, how can you restrict access to the origin server?
a) Use Origin Access Identity (for S3 buckets) or Security Groups restricting access to Cloudfront IP address range
b) Use of custom headers (normally non S3 related such as EC2/ELB) - this can be used to differentiate your distribution from others
c) Signed URLs and cookies.
d) You can also impose Geo-restrictions; Allow/Deny lists for countries.
Note: restricting access to CF IP addresses alone is not enough since another distro could point to your origin. You should use this with custom headers.
79
With what services is ACM integrated?
AWS Certificate Manager is integrated with:
a) CloudFront
b) ELB
c) Beanstalk
d) API Gateway
80
What data sources does Amazon GuardDuty monitor?
a) VPC Flow Logs
b) DNS Logs
c) Cloudtrail logs
d) Intelligence feeds - malicious IPs and domains
81
What are EBS-optimized instances?
EC2 instances with dedicated throughput that minimizes contention with other network traffic.
Hence, can support high IOPS.
82
What is DPDK?
Intel's Data Plane Development Kit
A set of libraries and drivers for fast data processing. It extends the packet processing capabilities and supports both Intel 82599 Virtual I/F and the ENA driver.
While ENA and Intel 82599 decrease networking overhead between instance and hypervisor, DPDK decreases overhead of packet processing within the operating system.
DPDK and ENA can be used together to support high performance apps (real time comms, firewalls etc.).
83
What data rates does Direct Connect support?
DX offers 1, 10 and 100 Gbps connections. These are dedicated circuits allocated entirely to the customer. With Link Aggregation, you can combine up to 4x10Gbps for up to 40 Gbps link. Or 2x100Gbps links.
Sub 1 Gbps connections are available from partners - normally shared between multiple customers.
84
Does DX support DSCP/QOS?
Yes. AWS Direct Connect can be used in conjunction with QoS to improve application performance and reliability. When packets leave on-prem, DSCP can be used for QoS if service provider network supports it. It appears to depend on DX service provider's capability.
DSCP = Differentiated Services Code Point (7bit field in IP header) - used to prioritize traffic.
Inside a VPC, traffic is NOT differentiated - all treated equally.
85
How do flows and data rates relate to ENA?
ENA drivers are built to support speed up to 400Gbps, current instances support up to 25 Gbps.
Inside a VPC, any instance accessing data over the networks (e.g. S3) is limited to 5 Gbps. Instances that are ENA enabled can achieve higher bw by combining multiple flows up to 25 Gpbs.
Within Placement groups, a single flow is limited to 10 Gbps. Outside is 5 Gbps.
Some newer instances do support 10 Gbps and 25 Gbps networks outside of a placement group.
86
Does increasing Packets per Second increase throughput?
No. Sometimes, it can decrease it. It takes more CPU cycles to process more packets.
Jumbo frames reduce PPS thereby increasing throughput.
Also tweaking TCP stack configurations (buffer size), using network accelerators etc. can increase throughput.
87
What does supporting TLS on ELB entail?
ALBs can terminate TLS connections - but needs to know the private key (e.g. TLS Certificate).
NLBs, on the other hand, can pass through the TLS connection, which can then terminate on the Webserver. This means more processing on the Webserver. However, from a security standpoint, you don't have to provision the private key on the NLB.
88
Does UDP traffic have congestion awareness?
No. Only TCP does.
89
What does CloudFormation Change Sets do?
Change sets allow you to visualize and approve a proposed change to a stack before it is updated.
90
What are the two types of CloudFormation errors?
Validation errors - detected by cloudformation right away - cannot parse the template
Semantic error - only detected when resource is created or updated - e.g. CloudFormation calls an API and it fails.
91
How does CloudFormation differ from traditional programming and scripting languages?
CF template describes the end state of a stack - not the actions needed to get to that state (such as API calls etc.).
92
In CloudFormation what's the different between a template and a stack?
Template specifies what is to be created - e.g. a recipe.
Stack is a set of resources created according to the template - e.g. the dish!
93
How does CodePipeline work?
A pipeline has stages
Each stage has one or more actions (serial or parallel)
Output of an action is an artifact.
Six Action Types: source, build, approval, deploy, invoke and test.
94
Can Lambda functions have public IPs?
Depends....
Lambda functions have two states.
a) Not associated with a VPC, where it can talk openly to the web, but can't talk to any of your AWS VPC services.
b) Associated with a VPC, the default setting where the lambda function can talk to your AWS services but can't talk to the web.
For case b) if Lambda needs access to the Internet, a NAT GW is needed in the public subnet. It cannot be assigned a public IP address.
95
What is a TCP Flow?
TCP flow is defined as traffic going through a single TCP port.
Single TCP flow is limited to 10 Gbps for instances in the same placement group and 5 Gpbs between instances anywhere else.
Aggregate flows combine multiple flows?
(Ref. Amazon EC2 for telecom Whitepaper)
96
Does AWS support Layer 2 VPN technologies?
No. Only L3 technologies are supported.
97
For EC2-based VPNs, can EC2 establish BGP peering with other instances in a different subnet?
No. EC2 instances have to be in the same subnet for BGP peering to be established between them- a limitation of the way BGP peering works.
For multi-AZ EC2-based VPNs, BGP needs to be established over a GRE tunnel between instances (BGP/GRE).
In essence, building a VPN between the two instances.
98
What are two things you should do on the EC2 instance that is a VPN termination endpoint?
To enable routing of traffic:
a) Source/dest check is disabled on EC2
b) IP forwarding is enabled at the OS level.
99
Why would you use EC2-based VPN instead of a VGW?
a) You need special feature e.g. advanced threat protection or transitive routing
b) On-prem devices don't support IPsec; you want to use something different (GRE or DMVPN)
c) Overlapping CIDR ranges or multicasting between EC2s.
d) Very high throughput requirements.
100
How can you implement encryption between EC2 instances within a VPC?
Within a VPC traffic between instances is NOT encrypted.
To encrypt, you have to setup an overlay VPN mesh. Each EC2 instance will have VPN SW loaded on to it. It will need an "inside tunnel" IP address which is what will be used to address communication to each other. (See Page 115).
101
How do you support multicast in VPC?
AWS does not natively support multicast or broadcast.
To do this, you have to build a VPN overlay network using GRE tunnels (available in the kernel of Linux OS).
102
How do you build a transit architecture in AWS?
Using EC2 instances as VPN endpoints.
AWS products (VPC peering, VGW, VPC Endpoints, IGW) do NOT support transitive routing.
EC2 as a VPN endpoint, will effectively unencrypt/re-encrypt communications and act as a proxy. (See pg 117).
103
In DX what is a LAG?
Link Aggregation Group
Combines multiple 1 Gbps or 10 Gbps physical links into a single logical link.
Max of 4 links - all links in a group must have the same BW (i.e. you cannot combine 1 and 10 Gbps)
Links must be in same DX location and same AWS device.
Uses LACP - Link Aggregation Control Protocol.
You can configure to mark the whole link as down, if n connections are down - enabling failover.
104
On DX, what is the MTU size?
MTU = 1500 bytes at the IP layer
MTU = 1522 bytes at the physical connection layer
14 byte Ethernet header + 4 byte VLAN Tag + 4 bytes of Frame Check Sequence + 1500 bytes of IP datagram traffic.
Private and Transit VIFs support jumbo frames.
105
In DX, where is a Private VIF terminated?
Private VIFs are terminated at a VGW or DX GW.
Note: If you want to build an encrypted connection over DX, you can use VPN. You do this by connecting over a Public VIF to the public IP endpoints of the VGW. Or use a Private VIF to connect to EC2-based VPN Endpoints.
In contrast, Public VIFs are not terminated anywhere. They are used to access AWS public endpoints.
106
In DX, what are some of the key requirements for Public VIFs?
a) For IPv4 - peer routers much have public IP addresses. Contrast this with Private VIFs, where the BGP peer IP addresses can be auto generated at the time of creation.
b) You must own the public IP address blocks that you advertise - AWS will verify this with the internet registries.
c) If you don't have public IP addresses you can request them from AWS.
You can advertise up to 1,000 prefixes via BGP per Public VIF.
107
What does CloudHub in VGW do?
VGWs can be either attached to a VPC or be standalone.
In either mode, VGW supports cloudhub which allows multiple networks to talk to each other securely and to a VPC (if one is attached).
VGW forwards BGP announcements between the private networks.
Private networks may be connected via VPN, or DX Private VIFs.
You can advertise up to 100 prefixes via BGP per Private VIF.
108
What is a Direct Connect Gateway?
DX GW allows you to combine Private VIFs with multiple VGWs.
Normally, a single private VIF terminates on one VGW. But, if you want to scale this, DX GW is the way to do it. You terminate the Private VIF to the DXGW. The DXGW can then be connected to multiple VGWs (up to 10) each attached to a different VPC.
Note: The VGWs to which DXGW connects cannot be a detached VGW. It has to be attached to a VPC.
#of Private VIFs that can be attached to a single DX GW = 30; however, only sessions via a single VIF to one connected VPC at a time allowed.
DXGW allows connection to VPCs in multiple Regions - not just the Region in which the DX is located.
DXGW also support Transit VIFs. Terminate the TVIF to a DXGW and conntect the DXGW to up to 3 TGWs.
109
How do you build resilient connections with DX?
a) Use VPN/Internet as a backup to DX
b) Dual connection in a single location terminating on different devices (not part of the same LAG) - protects against device failure but not a complete location failure.
c) Single connection in dual location
d) Dual connection in dual location - highest level of redundancy
Any of these options can be combined with a VPN/public internet fallback.
110
In BGP what is AS_PATH prepending?
It is a mechanism where you artificially make the AS_PATH longer on one connection by adding your own ASN multiple times to the path. AWS will always prefer the shortest path prefix.
111
When using multiple DX connections, how do you influence routing from VPC to customer network?
a) Since AWS chooses the longest prefix first, you can advertise a supernet on both VIFs (e.g. /23) and specific subnets on individual VIFs (e.g. /24).
b) Use AS_PATH prepending
These techniques are applicable to both Public and Private VIFs. Note that these techniques make the connection active/standby.
If you want active-active, then, advertise the same routes on both VIFs and AWS will use ECMP (traffic flows are hashed to one connection).
For the Customer network to AWS direction, you can use local preferences.
112
In DX, how can you restrict access to specific AWS services?
The on-prem router can be configured to ignore all BGP route advertisements except the one you want. This restricts what the DX connection is used for.
For example, you can use a Public VIF to only access S3, by configuring your router to ignore all but the S3 IP ranges.
113
In R53, what's the difference between a CNAME and Alias Record?
Alias records are an AWS specific construct.
CNAME is a canonical name that is returned back to the resolver. The resolve then re-queries with the alias. CNAMEs cannot be used for the apex zone (e.g. example.com)
Alias records, are used with Cloudfront, ELB, VPC end points etc. where the IP address changes dynamically as they scale. R53 will resolve this dynamically at the time of the query and return the IP address to the resolver. So, resolver does not have to launch an additional query.
114
In R53, what are the different types of health checks?
a) Endpoint - i.e. this checks availability of an endpoint (e.g. an IP address or domain name). Check via HTTP.
b) Status of other health checks (calculated health check) - use case: ensure that a minimum number of resources are up and functioning.
c) State of a cloudwatch alarm.
If less than 18% of health checkers consider the endpoint unhealthy, then R53 marks the end points as unhealthy.
Remember: Domain name based health checks will return healthy even if one of multiple IP addresses are unreachable. Best to use IP address based health checks in this case.
115
In R53 what are the various routing policies?
1) Simple - single host record that can have multiple IP addresses all of which are returned. Client chooses. Can associate health checks with IP addresses or domain name.
2) Weighted routing - has multiple records with same name (different set ID). Each record has a weight. Can associate health checks. A weight of 0 means no traffic is sent. All zeros mean traffic is equally distributed. If one server fails, then it is taken out (its weight is not added to the total sum).
3) Latency-based - multiple records in a record set. R53 routes to lowest latency from user's location. Can associate health checks. Latency checks only rtt - not availability of service which is why you need health checks too.
4) Failover - A & B sites. Active-standby/Disaster Recovery use cases. A is always returned so long as it is healthy. Uses health checks. If both are unhealthy, A is returned!!!
5) Geolocation - R53 returns record based on resolver's location (not latency). Use case: Geo-restrictions. Supports default, continent, country, states. Can be integrated with healthchecks. If no default, it returns a no result (this allows you to lock users into a specific location).
6) Multivalue Response (responds with multiple hosts). Returns up to 8 values. healthcheck integration.
116
In R53 what does the edns-client-subnet extension do?
For geolocation routing R53 uses the location of the DNS Resolver (which could be the ISP's resolver and different from the location of the client).
edns-client-subnet - a portion of the IP address is sent by the resolver to R53 which is used as the client's location.
117
In R53, what are private zones associated with?
Private Zones are associated with one more VPCs. This is what makes it private.
DNS queries from these VPCs use this zone file to resolve fqdns to IP address (private).
enableDNSHostnames and enableDnsSupport must be set to true.
118
Why would you want to use R53 private hosted zones instead of Private DNS names provided by the VPC?
This allows you to access resources using custom names (e.g. example.com) instead of AWS provided DNS-hostnames.
119
In R53, what is split view DNS?
In split view DNS, a public and private hosted zone both share the same name space (e.g. advnetspec.com).
Internal clients have access to both private (first) and public zones. External clients only ever have access to public zone.
120
What are the subnet requirement for deploying ELB?
a) Subnet must be public
b) Must be /27 or larger (cannot use /28 or smaller).
c) Must have at least 8 available IP addresses.
121
In ELB, what is cross zone load balancing?
ELBs deployed in one AZ can send traffic to instances in another AZ - ensuring that traffic is evenly distributed across all instances even though the instances themselves may not be evenly distributed among AZs.
122
What's the easiest way to resolve VPC DNS queries from on-prem servers?
Using Simple Active Directory.
Simple AD forwards DNS requests to the IP address of the Amazon-provided DNS servers for your VPC. These DNS servers will resolve names configured in your Route 53 private hosted zones. By pointing your on-premises computers to your Simple AD, you can now resolve DNS requests to the private hosted zone.
123
How does ELB support sticky sessions?
Sticky sessions (aka session affinity) are applicable to CLB and ALBs. They are done using cookies which clients must support. They are enabled at the target level.
Cookies are of two types and are encrypted:
a) duration based (AWSALB cookie) - generated by LB
b) application based (cookie name has to be specified) - generated by the application (custom cookie) and LB (application cookie). Essentially 2 cookies.
Clients have to send cookies back to LB with each request.
Note: NLBs are inherently sticky due to the flow-hashing algorithm used.
124
In CloudFront, what do "behaviors" do?
You can create one or more behaviors and associate them with CF.
A behavior specifies how requests are treated - e.g. use of HTTP vs. HTTPS, caching timers, signed URLs etc.
There is a default behavior associated with each distribution.
You can define additional behaviors - e.g. all requests for accessing the images/public/*.jpg and images/private/*.jpg portion of your S3 bucket are treated as defined by a behavior.
125
Does Cloudfront benefit dynamic content?
Yes.
Although dynamic content cannot be cached, there is still a performance benefit as the edge reuses TCP connections to the origin server. This can save a significant amount of setup time.
126
Can VPC Interface Endpoints be accessed across Regions?
No.
Interface end-points can only be created within a same region - i.e. both Service Provider VPC and Consumer VPC have to be in the same region.
They also need to be in the same AZ - i.e. the NLB that is created as part of the service must be deployed in the same AZ from which consumer VPCs are connecting from.
For inter-region access, Service Providers must create a new VPC in the new region with a NLB and add IP addresses of instances in the original region over a peering connection.
127
Does NLB support TLS termination?
Yes. It does.
The certificates can be stored in ACM.
Not sure how this works though! Since NLB is Layer 4 LB. But the documentation says it does!
128
Do NLBs support source IP/port preservation?
It depends on how targets are registered.
If you register targets by instance ID, the source IP addresses of the clients are preserved and provided to your applications. If you register targets by IP address, the source IP addresses are the private IP addresses of the load balancer nodes.
129
How does Lambda with VPC work?
Normally Lambda runs within a VPC managed by AWS.
However, a Lambda function can be associated with a VPC. Specific subnets have to be chosen. ENIs are created.
This gives Lambda access to resources within a VPC. For example, access to on-prem resources via a VPN connection.
Since Lambda does not get public IP addresses, in order to access the internet, a NAT GW in a public subnet is needed.
Of course, SG and NACLs have to be set appropriately.
130
What are the networking requirements for Workspaces?
Workspaces require a) Client Application b) Directory service to authenticate user and c) VPC with two subnets in multiple AZs.
A VPC with minimum of two subnets (these need to be private! and in different AZs) is needed for each AWS Directory service to deploy ENIs in.
The right subnet size depends on multiple factors (e.g. how many WSs you'll need over time, expected growth, types of users...). However, since two subnets are needed, they cannot be larger than /17. The smallest they can be is /28.
Each subnet has 5 IP addresses reserved.
Each AD connector consumes 1 IP address in each subnet in which it persists.
You may need more than one AD connector to separate different types of users (e.g. full time employees vs. Contractors).
AD Connector itself may communicate with either an on-prem MSAD service or an AWS Active Directory (in which case two more IP addresses are used by the AD service).
Then there is an ENI that workspaces itself will deploy into a 1 private subnet into which it is deployed (hence, one more IP address). Note, that unlike the AD service, here it is deployed in only 1 subnet.
131
What are the networking requirements for Appstream 2.0?
Appstream 2.0 architecture is similar to Workspaces.
The instances for each user is a dedicated VM. The VM lives in an AWS VPC.
It has two ENIs. One Management ENI is managed by AWS and lives in the AWS VPC. It is used by the user to connect in for authentication and streaming.
The second ENI, is projected into a subnet of a customer managed VPC and provides access to VPC resources. The customer can control this using SG/NACLs/RTs etc.
132
What is the R53 Resolver?
R53 Resolver (aka AmazonProvidedDNS or EC2 DNS etc.) lives at the base on VPC+.2 address.
R53 resolver receives queries from EC2 and forwards it in the following order a) Private DNS (trumps all), b) VPC DNS (i.e. ec2 DNS names) and c) Public DNS.
In reality R53 Res lives in each AZ and is shared by all VPCs in that AZ. It does not live in the .2 address, but it is cached on the instance hardware. This is why only the EC2 instances that run on the HW can call it and not servers from a corporate center.
R52Res supports inbound and outbound ENIs. On-prem DNS resolvers can forward queries to inbound ENIs.
Limits:
* Each EC2 instance (per ENI), can only send 1024 PPS to the R53 Resolver.
* Each inbound/outbound ENI can support up to 10,000 Queries
Source: Youtube video by: Gavin McCullagh (2019 Reinvent).
133
In BGP, how do you manipulate route selection?
1) Weight
2) Local Preference
3) AS Path Prepending
4) Metric or Multi-exit discriminator
Weight and Local Pref. control outbound routes. Weight is local to a single router. LP is advertised to other interior BGP routers (higher is preferred).
AS Path and MED (aka Metric) control which local router eBGP peers prefer. MED/metric (lower is preferred).
134
What are the limitations of VGW based VPNs?
a) VGWs are not VPC transitive (i.e. cannot reach other VPCs other than the one that the VGW is connected to).
b) Throughput capped at 1.25 Gbps per VGW - however, if you use TGW, you can actually combine tunnels to increase your data rate.
c) VGW uses a single VPN tunnel when returning traffic to a network
d) Only support two one-way security associations (i.e. cannot support policy based VPNs.)
e) Only IPSec protocol
f) Only IPv4
g) No client-to-site VPN support.
135
What is AWS Client VPN?
- Client to site VPN based on OpenVPN (not IPSec).
- Client auth - certificate based or Active Directory based
- Client VPN Endpoint is created and associated with multiple subnets within a VPC.
- This creates an ENI through which traffic can flow to the VPC, peered VPCs, internet and even on-prem via VGW.
- Client VPN EP has a route table with all subnets to which traffic can go to. This RT is copied to the client.
136
What are the different types of VIFs that DX supports?
a) Private VIF (terminates at a VGW or DXGW)
b) Transit VIF (Terminates at a DXGW which then connects to a TGW)
c) Public VIF (public endpoints in ALL Regions!)
Therefore, a DXGW support a private VIF and VGWs (OR) Transit VIF and TGWs - but not both together.
137
How is DX billed?
Two factors are used
a) Port Hours
b) Data Transfer Out
Each may be billed to a different AWS Account. Port hour charges are billed to the connection owner. Data transfer out charges are billed to the account consuming the VIF (i.e. hosted VIF).
138
What are key DX quotas?
```
#of Public or Private VIFs per dedicated DX Connection - 50
#of Transit VIFs per dedicated connection - 1
# of Pub/Priv/Transit VIF per Hosted Connection - 1
# Routes/BGP session for Priv/Transit VIF - 100
#of Routes/BGP session for Public VIF - 1,000
#of Private VIFs that can be attached to a single DX GW = 30
```
139
What do BGP communities tag do?
Applicable to Public VIFs: You can use BGP communities tag to control how far the routes that you advertise to AWS over a DX BGP session goes.
7224: 9100 - Local Region Only
7224: 9200 - All AWS Regions in Continent
7224: 9300 or absence of tag - Global
On the reverse side (BGP adverts originating from AWS)
7224:8100 - Routes from same AWS Region
7224:8200 - Routes from Regions in same continent.
No tag - Global.
140
BGP Basic Facts
BGP uses Port 179 (FW has to allow these ports).
141
What is the tunnel establishment process in IPSec VPN?
The two VPN endpoints use Internet Key Exchange protocol (v2 and v1 are supported).
IKE Phases 1 & 2 tunnels - involves peers mutually authenticating, generating security keys, agreeing on security parameters. Phase 2 tunnels have shorter lifespan than Phase 1.
In IKE Phase 1 - authentication can use either certifications (loaded into ACM) or pre-shared keys (AWS generated).
After IKE Phase 2 tunnel is considered ready - two one-way Security Association between the VPN End points.
SA is a relationship between two VPN peers where both parties agree on a common set of security settings.
AWS VGW supports only Route-based VPNs (all traffic uses a single set of SAs). No support for Policy based VPNs (SAs vary depending on traffic type - determined by policy).
142
For HW-based VPNs using VGW, what are the CGW requirements?
a) Support for IKE (v2 or v1)
b) IP Sec (ESP Mode)
c) Static public IPv4 address
d) Support for Dead Peer Detection
e) Firewalls must allow UDP Port 500 and IP Protocol 50
f) If behind NAT-T, then FW must allow UDP Port 4500.
143
In a VPN Connection (VGW-based) what are the "inside IP CIDRs" for tunnels 1 & 2?
Inside IP CIDRs represents a network of two nodes that make up the VPN connection (i.e. VGW and CGW).
Inside IP CIDRs is used only for dynamic BGP routing to identify the two peers (VGW and CGW) inside the encrypted network. Not applicable for static routing.
It must be a /30 (2 usable IP addresses) in the 169.254.0.0/16 range (which is a private IP range used when DHCP server is unavailable).
They uniquely identify the tunnels when more than one VPN connection terminates at a single VGW.
See: https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html
144
For DX, what are the HW requirements?
- Single Mode Fiber
- 1000Base-LX (1 Gbps), 10GBase-LR (10 Gbps), 100GBase-LR4 (100 Gbps)
- Disable auto negotiation on all ports (speeds must be explicitly configured)
- 802.1Q VLAN encapsulation
- BGP and BGP-MD5 authentication
- BFD (optional) - quick detection of link failures
145
How can you support multiple on-prem VLANs on Hosted DX connections?
Remember: a hosted DX connection can only support one VIF.
If you want to support multiple VLANs, you can
a) Use multiple hosted connections with each hosted connection supporting a separate VLAN.
b) Use aggregated VLANs (tag types are used to encapsulate 802.1q within another 802.1q - customer and provider switches). Enables provider network to support multiple customer networks.
Note: you can still only support one VIF - even with aggregated VLAN.
146
How do LAGs work in DX Connection?
Up to 4 DX connections can be combined into a LAG.
They must terminate at the same location (and on the same switch!!!! - see FAQ which clarifies that multi-chassis LAGs are not supported)
Connections have to be same speed (either 1, 10 or 100 Gbps)
Min links specific the number of DX conns that must be up for LAG to be operational (0=no minimum).
VIFs can be associated with a LAG (instead of a specific DX connection)
On the customer side, LAGs must be created to support VIF traffic.
147
For what do you use BGP communities in Private and Transit VIFs?
Use BGP Communities to achieve load balancing and route preference for incoming traffic (from AWS to on-prem).
7224: 7100 - Low Pref
7224: 7200 - Med Pref
7224: 7300 - High Pref
Local preference BGP community tags are evaluated before any AS_PATH attribute.
148
What metrics are associated with DX?
DX Connections have CW Metrics (Up/Down, Bps and Pps for ingress and egress)
VIFs, on the other hand, have no CW metrics.
149
What are some common issues with DX and their reasons?
a) DX Connection down - HW issues/Physical layer problem at on-prem or DX location; check cable/port configs
b) DX Conn is up but VIF down - Layer 2 issue; verify 802.1q support, correct VLAN config
c) VIF is up, but BGP is not - misconfig - check ASN, MD5-auth; no more than 100/1000 BGP advert on Pri/Pub VIF.
150
In R53, how do Resolver End Points work?
R53EPs - inbound and outbound - provide access to R53 Resolver.
a) Each R53EP can support anywhere from 2 to 8 ENIs.
b) Each ENI of the R53EP can support up to 10,000 QPS
c) The R53EPs are placed in specific subnets - but are accessible from other VPCs in the Region (Hmmm...how is this possible? - using RAM?).
d) All ENIs associated with an R53EP are associated with a SG.
e) Get an IP address (dynamic or customer assigned)
f) Outbound EPs have system rules and forward rules. System rules are implicit and defined for i) Priv HZ ii) VPC Domain Names and c) Public domain names
151
DX Gateway - Basic Facts
a) DXGW is a global construct. Multiple VPC (in multiple regions and accounts) can connect to it (up to 10). VPCs cannot have overlapping CIDR blocks.
b) It acts as one end of the BGP peering connection. It acts as a BGP reflector for AS’ that sit behind it on the AWS side (i.e. all the VGWs).
c) It does not allow VGW to VGW traffic.
d) It supports VPC attachments from multiple accounts
e) Can connect to multiple VPCs via a TGW (T-VIF). But, the TGW can only advertise 20 routes to the DGW. Hence, route aggregation is required.
152
What is VPC Sharing?
A feature that allows a subnet in one AWS account to be shared with other AWS accounts.
Must be part of the same AWS Organization.
Subnets are shared via Resource Access Manager
Once shared, other accounts may provision resources within that subnet as if it were native to their account.
153
How do you build a transitive network in AWS?
a) Transit VPC (spoke and hub model)
b) Transit Gateway
Transit VPC:
* EC2 based instances act as CGW and establish VPN connections to spoke VPCs that have a VGW.
* Dynamic routing should be used. This ensures that spoke VPCs advertises routes to the EC2 instances in the T-VPC. T-VPC may reflect routes back to each S-VPC - so that each S-VPC learns about other SVPCs.
* Multiple EC2 instances with EIPs recommended
154
How can you integrate on-prem networks into the Transit VPC architecture?
a) You can build a VPN tunnel from on-prem routers to T-VPC EC2 instances and use BGP to communicate with spoke VPCs.
Note: You cannot use a VGW in this instance, because the traffic can only be delivered to the TVPC - it cannot then pass transitively to another VPC.
b) If using DX, then use a detached VGW - i.e. terminate a Private VIF to a detached VGW. Build VPN connections from T-VPC EC2 to detached VGW with BGP. VGW's cloud hub functionality will ensure that routes from TVPC is shared with on-prem and vice-versa.
(See Page 146).
155
In BGP, what is the private ASN Range?
Private 16-bit range: 64512 to 65535
| Private 32-bit range: 4,200,000,000 to 4,294,967,294
156
How can you integrate on-prem networks to TGW-based multi-VPC architecture?
a) Build a VPN connection to the TGW over the internet (CGW --> TGW). Use BGP
b) Build a VPN connection to the TGW over DX Public VIFs (TGW offers public endpoints for VPN terminations).
157
What is AWS Global Accelerator?
Connects from ISPs to AWS Backbone directly. Avoids multiple hops.
158
What is the TGW routing preference?
1) Most specific routes
2) Static > Propagated
3) If propagated
a) VPC > DXGW > TXGW Connect > S2S VPN
159
How does WAF work?
Works at L7 (HTTP/HTTPS) - uses Web ACLs
Allows, deny or count
Integrated with APIGW, CF, ALB
Note: R53 NOT supported.
Conditions and Filters (XSS, IP, Country, String/regex...), multiple are OR'ed.
Rules have one or more conditions (AND'ed) that must either match or not match, normal and rate-based rules
Web ACLs - 1 or more rules (processed in order)
Association with resources
Note: Rate-based rules help mitigate DDOS L7 attacks.
Web ACL to AWS resources is one-to-many. However, Web ACL associated with Cloudfront cannot be associated with any other resource.
160
What are S3 Access Points?
Feature that facilitates S3 bucket sharing - e.g. large data lakes accessed by hundreds of applications.
S3AP are unique DNS hostnames through which S3 buckets can be accessed. Multiple APs can be created and distinct policies associated with a S3 bucket.
Each AP can be distinctly managed. Can be restricted to VPC access.
161
How does ALB Authentication work?
Applications can offload authentication to the ALB.
You define a listener rule with path-based routing set to match a URL that handles authentication.
As an action for that rule - you can then hook a authentication call to an IdP - OIDC, SAML, LDAP Cognito etc.
162
Does S3-Static Website endpoints support TLS?
No.
Amazon S3 website endpoints do not support HTTPS. (Probably because there is no way to provision a TLS certificate).
However, with CF, you can use S3 as an origin (instead of a S3-static website). In which case, HTTPS is supported if the user requests are HTTPs based (viewer match policy).
163
What is an AWS Firewall Manager?
Firewall Manager is a security management service. Enforces compliance.
Centrally enforces deployment of
a) WAF ACLs
b) Shield Advanced protection policies
c) VPC Security Groups.
Note: NACLs are not covered by this service.
Accounts across AWS Organizations can be managed centrally.
Integrates with AWS Security Hub.
Compliance violations can be viewed on Firewall Manager console or on AWS Security Hub console.
164
What are the different section of a CloudFormation template?
1) Format Version
2) Description
3) Metadata - data you want to pass to instances
4) Parameters
5) Rules
6) Mappings - for e.g. use a specific AMI in US-east-2
7) Conditions - e.g. tags/IP ranges- conditional statements
8) Transform
9) Resources (Required)
10) Outputs - returns any piece of information
165
In CloudFormation what does Fn::Cidr do?
It is an intrinsic function that returns an array of CIDR block ranges you use when creating subnets.
166
What are the networking requirements for AWS Opsworks?
AWS OpsWorks is a configuration management service (support Chef, Puppet, Stacks).
An automation server runs is a private subnet (think about it like K8 ControlPlane node) and communicates with Appservers/nodes that it manages in other private (equivalent to K8 worker nodes).
The automation server can access SW updates from the internet via NAT GW in a public subnet. Or a VPC Gateway Endpoint to a S3 bucket where all the configuration information is stored.
A bastion host in a public subnet provides access to Automation Server's dashboard.
All website traffic can come through the ALB and hit the web/app servers without ever touching the Automation server.
167
In CloudFormation, how do you create a VPC Peering Connection between two VPCs in different accounts?
You need a) VPC ID b) peer AWS Acct ID c) cross-account access role that is assumable by the requester account.
The peered-accepter VPC needs to create an IAM role. The ARN for that IAM role is used, along with a region indicator to create the peering connection.
168
In CloudFront, when do you use signed cookies vs signed URLs?
Signed URLs are for controlling access to a single file. Used when browsers don't support cookies.
Signed cookies are for controlling access to multiple restricted files.
Signed URLs take precedence over signed cookies.
169
What is AWS Shield?
DDos Mitigation (Layer 3 & 4 attacks). L7-HTTP/cache-busting flood. For L7 attacks Shield Adv notifies via CW alarms only (no proactive action taken).
Shield standard: Available to all, particularly effective with R53 and CloudFront.
Shield Advanced: You need to specify resources to protect (either via Shield Adv or AWS Firewall Manager). AWS WAF is included at no extra cost.
Resources include CldFrnt, R53, Global Accelerator, ALB, ELBs, EC2-EIPs.
170
How does a Gateway LB work?
- GWLB is used for supporting 3rd party security appliances.
- A combination of GW (L3 - can be next hop in a route table) and Load Balancer (L4 Load Balancer).
- Health Checks, Stickiness
- User Traffic encapsulated in L3 protocol called GENEVE (packet seen by appliance as is - no change in Source IP/port)
- Can be deployed in one Shared services VPC and multiple VPCs can be supported.
- GWLB EPs are projected into other VPCs.
171
How can you do deep packet inspection in AWS?
AWS does not have any native services that do DPI.
Use Traffic Mirroring, third party IDS, Gateway LBs to accomplish your task.
Remember VPC flow logs only capture meta data and not the actual packet contents.
172
How does Traffic Mirroring work?
Mirror Source - e.g. ENI, the traffic to which is monitored
Mirror Target - another ENI or NLB (destination of mirrored traffic).
Mirror Filter - accepted or rejected traffic, protocol type, port, IP range etc.
173
Does NLB Support multiple services on a single instance?
Yes. But they have to be on different ports.
You can register a target in a target group multiple times with different ports.
174
How do you control access to S3 via a VPC Gateway Endpoint?
Using EP policies and S3 bucket policies.
With EP policies, you can specify which bucket to access (e.g. as a Resource within a permission statement). Default policy allows access to everything.
With bucket policy you can specify endpoint ID as the as the "sourceVpce" as a condition within the permission statement.
175
What is the Uset-Agent header in HTTP requests and how does it relate to CloudFront?
User-Agent (in the HTTP header) contains information about the device that submitted the request.
Lambda@Edge can inspect this element and react (e.g. send low-resolution image to mobiles).
L@Edge can also inspect cookies and modify paths.
ALBs can support path based routing to different targets allowing you to customize content.
176
Can VPC DHCP option sets be modified?
No. Once created they cannot be modified. They can be replaced with a new options set.
Option sets allows you to define a) DNS server b) NTP sever c) NetBIOS Name server and d) NetBIOS node type.
Note: While you can define new DHCP Option Set, You have to use the AWS DHCP server. Custom DHCP servers are not supported. DCHP requires broadcast which is not supported in the AWS VPC.
177
How does VPN Billing Work?
For AWS S2S:
a) VPN Connection hour (partial hours billed as whole).
b) Data transfer charges
For AWS C2S VPN:
Client VPN Endpoint itself is free.
However, you pay for the subnet associations
Number of client connections.
178
How does EC2 data transfer billing work?
```
Data-in (Internet to EC2) = Free
Data out (EC2 to Internet) = charged after 1st GB
```
DTO to Cloudfront = Free
DTO within the same Region
EC2/EIP/RDS - Across AZ charged in both direction
EC2 transfers within the same AZ is free
EIP/Public IP transfers are always charged.
S3 transfers in the same region is free.
179
In R53 hosted zone, how is an Alias record represented?
Alias records appear as an A record. However, unlike a regular A record which has an IP address for its value, Alias record has an FQDN for a value.
180
With R53 Resolver EPs, how do you resolve queries between on-prem and AWS?
a) Build a shared services VPC (Central DNS happens here)
b) Connect spoke VPCs via TG.
c) Associate Priv-HZ with each spoke VPC directly. This preserves AZ isolation. EC2 instances can query PHZ directly (1024 PPS limit). VPCs can be in different accounts.
c) Create inbound and outbound resolver endpoints.
d) Create conditional forwarding rules for on-prem domains.
e) Forwarding Rules can be shared with other VPCs. If VPCs are in the same account, simply choose them. If in different account use RAM. Share with all VPCs that need it.
181
How can you access Private Link Interface Endpoints in a shared services VPC from spoke VPCs?
At creation of an interface endpoint, you receive an endpoint-specific regional DNS hostname that includes a unique endpoint identifier, service identifier, the Region, and vpce.amazonaws.com in its name. For example, vpce-12345678-abcdefg.sqs.us-east-1.vpce.amazonaws.com. This name resolves to the IP addresses of the endpoint in the shared services VPC. The default DNS hostname for this service is sqs.us-east-1.amazonaws.com. Resolution of this DNS hostname results in a public IP address.
Enabling Private DNS for the interface endpoint creates a private hosted zone so that the default name (sqs.us-east-1.amazonaws.com) resolves to the endpoint IP addresses. However, today this only works in the VPC where the endpoint resides. Other VPCs continue to resolve the public IP address.
If you want to access the interface endpoint sqs.us-east-1.amazonaws.com in the shared services VPC from spoke VPCs and on-premises servers, do the following:
(Spoke and T-VPCs should already be connected - e.g. via TGW).
a. Create a Route 53 private hosted zone called sqs.us-east-1.amazonaws.com associated to the shared services VPC.
b. Create an alias record called sqs.us-east-1.amazonaws.com that targets the endpoint-specific regional DNS hostname (vpce-12345678-abcdefg.sqs.us-east-1.vpce.amazonaws.com).
182
What is AWS Network Firewall?
An AWS Managed FW that protects the VPC
Regional service - secures NW traffic at Org and Acct level
Integrates with AWS FW Manager
Offers L3-L7 visibility and control
Uses Rules (custom or Marketplace)
Also protects VPN and DX traffic.
NOT for DDoS
IPS - offers traffic flow inspection (threat detection using signatures)
Can be used with SG, WAF and Marketplace appliances
Can be deployed with VPC or TGW.
Creates a Interface EP within a subnet (/28 min size).
NW Firewall policies consists of rule groups.
Rules can be stateful or stateless
Logs -> S3, Kinesis (NO cloudwatch)
No Encrypted Traffic Support.
Note: NWFW does NOT do NATing - hence the workload instances need an EIP to communicate with the Internet.
183
Can an EC2 instance be moved to another subnet, AZ or VPC?
No!
You have to manually migrate it - i.e. make a AMI of the original instance and start a new instance in the new subnet, AZ or VPC.
EIPs can be reassigned however.
184
With WAF, what are the six types of conditions you can specify in a rule?
a) Cross-site scripting (XSS)
b) IP Addresses
c) size constraints
d) SQL injection
e) geographic match
f) string match
185
What is a Hosted Connection in DX?
A partner providing a new connection on their interconnect to a customer.
186
How can AWS Glue Network Interfaces connect to external data sources?
AWS Glue ENIs cannot be assigned a public IP address. Hence a NAT GW is needed.
187
In CloudFormation, how do you prevent resources from being deleted when the stack is deleted?
You can use the DeletionPolicy property against specific resources and set it to "Retain". This overrides the default behavior of deleting the resource when the stack is deleted.
Stack policies are only applicable to updates. You can use stack policies to prevent deletion during updates.
188
How can you access EFS in a hybrid environment?
EFS uses NFS v4.0 and v4.1 protocol
A mount target provides an IP address for an NFSv4 endpoint at which you can mount an Amazon EFS file system.
You mount your file system using its Domain Name Service (DNS) name, which resolves to the IP address of the EFS mount target in the same Availability Zone as your EC2 instance.
You can create one mount target in each Availability Zone in an AWS Region. If there are multiple subnets in an Availability Zone in your VPC, you create a mount target in one of the subnets. Then all EC2 instances in that Availability Zone share that mount target.
You can mount EFS on to a on-prem server. Done via DX. Best to use IP address instead of DNS name of the EFS mount points.
Security group associated with the ENI/Mount point must allow traffic to the NFS port (2049).
189
What are prefix lists?
A prefix list is a set of one or more CIDR blocks.
You can use them in security groups and route tables.
You can create a prefix list from the IP addresses that you frequently use, and reference them as a set in security group rules and routes instead of referencing them individually. For example, you can consolidate security group rules with different CIDR blocks but the same port and protocol into a single rule that uses a prefix list. If you scale your network and need to allow traffic from another CIDR block, you can update the relevant prefix list and all security groups that use the prefix list are updated.
190
In Cloudfront, what is an alternative to object invalidation?
CF Invalidation allows you to remove objects from the cache before it expires.
You can use versioning instead of invalidation. For example, change image_v1 to image_v2 and update your links.
191
When using Multiple VPN Connections and Stateful Firewalls how do you prevent packets being dropped?
When using multiple VPN connections, if you have a stateful firewall, it may be best to use the VPN connections in active standby. Otherwise, packets will be dropped.
So, you want to set up the connections (using AS_PATH) such that AWS routes traffic back on the same VPN connection (not use ECMP).
192
What are the networking requirements for EMR?
a) Access to S3 for logging (can be enabled via Gateway EP)
| b) DNS for name resolution.
193
How do custom resources work in Cloudformation?
There are three parties:
a) Template developer - specifies a service token provided by the custom resource provider
b) custom resource provider - owns the resource, provides the token to developer
c) Clouformation - which during stack operation sends a request to the service token specified and awaits a response.
