Networking

Question 1

Route53 Record Types

Answer 1

• A - maps a hostname to IPv4
• AAAA - maps hostname to IPv6
• CNAME - maps a hostname to another hostname
• NS - Name Servers for the Hosted Zone (indicates which DNS server is authoritative for that domain)

Question 2

Route53

CNAME vs Alias

Answer 2

• CNAME: Points a hostname to any other hostname (can’t be use with root domain)
• Alias: Points a hostname to an AWS resource (works with root domain) and is free of charge.

Question 3

Route53

Alias Records Targets

Answer 3

• ELB
• CloudFront Distributions
• API Gateway
• Elastic Beanstalk
• S3 websites
• VPC Interface endpoints
• Global Accelerator
• Route53 record in the same hosted zone

Question 4

Routing Policies

Simple

Answer 4

Route traffic to a single resource, can’t be associated with Health Checks. If a record has multiple values, a random one is chosen by the client.

Question 5

Routing Policies

Weighted

Answer 5

Control de % of the requests that go to each resource. Can be associated with Health Checks.

Question 6

Route Policy

Latency based

Answer 6

Redirect to the resource that has the least latency, based on traffic between users and AWS regions. Can be associated with Health Checks.

Question 7

Routing Policies

Failover (Active-Passive)

Answer 7

You have a primary and secondary record for disaster recovery.

Question 8

Routing Policies

Geolocation

Answer 8

Based on user location by continent, country or US state Can be associated with Health Checks.

Question 9

Routing Policies

Geoproximity

Answer 9

Based on the geographical location of users and resources. Ability to shift more traffic to resources based on the defined bias.

Must use Route53 Traffic Flow

Question 10

Route53 Traffic Flow

Answer 10

Visual editor to
* Manage complex routing trees
* Create and mantain records in complex configurations.
* Configurations can be saved as Traffic Flow Policies

Question 11

Routing Policies

Multi-Value

Answer 11

Can be associated with Health Checks, returns up to 8 healthy records.

Question 12

Routing Policies

IP-based Routing

Answer 12

You provide a list of CIDRs for your clients and the corresponding endpoints. Optimizes performance and reduces network costs.

Question 13

Route 53

Hosted Zones

Answer 13

Container for records that define how to route traffic.

• Public: specify how to route traffic on the Internet
• Private: specify how to route traffic within one or more VPCs

Question 14

DNS Security Extensions (DNSSEC)

Answer 14

Verifies DNS data integrity and origin. Works only with Public Hosted Zones.

Question 15

Route53 Health Checks

Answer 15

• Health checks that monitor a public endpoint
• Health checks that monitor up to 256 other health checks (calculated health checks)
• Health checks that monitor CloudWatch alarms (efective for private resources)

Question 16

Route53 Resolver

Answer 16

Answers DNS queries for:
1. Local domain names for EC2 instances
2. Records in Private Hosted Zones
3. Records in public Name Servers

Question 17

Route 53

Resolver Endpoints for Hybrid DNS

Answer 17

Can be associated with one or move VPCs in the same region
* Inbound Endpoint forward external DNS queries of domain names, for AWS resources and records in Private Hosted Zones to Route 53 resolver.
* Outbound Endpoint Conditionally forwards DNS queries to other DNS resolvers.

Question 18

AWS Global Accelerator

Answer 18

Provides static IP addresses that serve as single fixed entry points for your clients. You associate them to regional endpoints. Accept incoming traffic onto the AWS global network from the edge location that is closest to your users

Question 19

With which resources does standard Global Accelerator works?

Answer 19

• Elastic IP
• EC2 instances
• ALB
• NLB

Continuously monitors the health of all endpoints

Question 20

CloudFront vs Global Accelerator

Answer 20

CloudFront
* Improves performance for both cacheable content
* Dynamic content served at the edge

Global Accelerator
* Manage traffic globally to multiple regional applications
* Optimize API performance by reducing latency
* Use static IP addresses for application access

Question 21

Network ACLs

Answer 21

Stateless firewall at the subnet level. Supports allow and deny rules

Question 22

Security Groups

Answer 22

Stateful rules at the instance level. Only supports allow rules

Question 23

VPC Peering

Answer 23

• Connect to VPC privately using AWS network.
• Is not transitive.
• Must update route tables in subnets, uses the longest prefix match.

Question 24

VPC Peering

Edge to edge routing

Answer 24

Invalid configuration of VPC Peering. Not transitive with VPN, Direct Connect, IGW, NAT and VPC Endpoints.

Question 25

Transit Gateway

Answer 25

Transitive peering between thousands of VPCs and on-premise. Is a hub-and-spoke connection.

Question 26

How to configure Transit Gateway Cross Account

Answer 26

Share Transit Gateway using Resource Access Manager (RAM)

Question 27

IP Multicast in AWS

Answer 27

Only Transit Gateway allows to send IP datagrams to a group of interested receivers in a single transmission.

Question 28

A single internet exit point

Answer 28

* Create a central NAT Gateway in a public subnet * Create an ENI in a private subnet to which Transit Gateway redirects traffic * Connect all VPCs to a Transit Gateway * Create Routing Tables to direct traffic to the NAT Gateway

Question 29

Direct Connect Gateway and Transit Gateway

Answer 29

Is possible to connect one direct connect gateway to multiple transit gateways in different regions

Question 30

Transit Gateway Peering Attachments

Answer 30

You can do an intra-region or inter-region peering mesh. If data go cross-region it has standard charges.

Question 31

VPC Endpoints

Answer 31

Allow you to connect to AWS services using a private network

Question 32

VPC Endpoint Gateway

Answer 32

For S3 and DynamoDB * One gateway per VPC * Must update route tables entries * DNS resolution must be enabled in VPC

Question 33

VPC Endpoint Interface

Answer 33

For all services, * Provision an ENI that will have a private endpoint interface hostname * Must be in a subnet * Enable private DNS so public hostname of a service will resolve to de private endpoint interface hostname * Can be accessed from Direct Connect and VPN

Question 34

VPC Endpoint Gateway troubleshooting

Answer 34

* Check SGs outbound rules * Check VPC endpoint policy * Check route tables * Check DNS resolution is enabled * Check S3/Dynamo policy

Question 35

Private Link

Answer 35

Secure way to expose a service to other VPCs without peering, internate gateway or NAT. * Requires a NLB on the service side and an ENI on the consumer side

Question 36

Connect to S3 with Direct Connect

Answer 36

In a VPC create a PrivateLink to which DirectConnect sends traffic. From there direct it to a Interface VPC Endpoint and to S3.

Question 37

Site to Site VPN configuración

Answer 37

1. On-premise setup a VPN appliance accessible using a public IP 2. On AWS setup a Virtual Private Gateway and attach it to a VPC 3. On AWS setup a Customer Gateway pointing to the VPN appliance

Question 38

Site to Site VPN and Direct Connect Internet Access

Answer 38

It is not possible to connect a S2S VPN and Direct Connect to an Internet Gateway through a NAT Gateway. Must use a NAT Instance

Question 39

AWS VPN CloudHub

Answer 39

Connect up to 10 Customer Gateways to a Virtual Private Gateway

Question 40

AWS Client VPN

Answer 40

Connect from a computer using OpenVPN to a private network on AWS

Question 41

Direct Connect Gateway

Answer 41

Setup a Direct Connect to one or more VPCs in different regions. Can also be used to connect to a Transit Gateway.

Question 42

Border Gateway Protocol

Answer 42

Set of rules that determine the best network routes for data transmission on the internet

Question 43

# Direct Connect Virtual Interfaces (VIF)

Answer 43

Enable access to AWS services public VIF or private VIF. A transit VIF is used to access one or more Transit Gateways associated with Direct Connect gateways

Question 44

IPv6 for existing VPCs and subnets

Answer 44

1. Associate an IPv6 CIDR block with your VPC and subnet 2. For a public subnet, create a route that routes **all IPv6 traffic** from the subnet to the internet gateway. For a private subnet, create a route that routes **all internet-bound IPv6 traffic** from the subnet to an egress-only internet gateway. 3. Update your security groups rules 4. Assign IPv6 addresses to your instances

Question 45

Egress-only internet gateway

Answer 45

Allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the internet from initiating an IPv6 connection.

Question 46

Egress-only internet gateway vs NAT gateway

Answer 46

An egress-only internet gateway is for use with IPv6 traffic only. To enable outbound-only internet communication over IPv4, use a NAT gateway instead.

Question 47

Keep a static MAC Address in an EC2 instance

Answer 47

If a static MAC address is assigned to an Elastic Network Interface it remains unchanged

Question 48

VPC Routing Enhancement

Answer 48

Any traffic from within a VPC destined to a target within the VPC is covered by the local route and therefore directly routed. The enhancement allows you to configure specific routes at a subnet route table level or replace target for the “local” destination with a middlebox such as firewall.

Question 49

Virtual appliances to handle traffic filtering and provide security inspection capabilities

Answer 49

1. Gateway Load Balancer is deployed in a separate security VPC along with the virtual appliances. Because GLB endpoints are a routable target. 2. To ensure flow symmetry, appliance mode is enabled on the Transit Gateway

Question 50

Reserved IP addresses in subnet

Answer 50

1. First IP Address: Network address 2. Second IP Address: VPC Router 3. Third IP Address: DNS Server 4. Fourth IP Address: Future use 5. Last IP Address: Broadcast address