Networking Flashcards

1
Q

What is the OSI model?

A

A way of thinking about networking operations. If there is an issue with one layer then the message will not get through. Can be used in troubleshooting.

2
Q

What are the 7 layers of the OSI model?

A

Please Do Not Throw Sausage Pizza Away

Physical- CAT5, fibre optic cable
Data link- MAC
Network- IP, ARP
Transport- TCP
Session- Setup, negotiation
Presentation- TLS/SSL, compression
Application- Web browser
3
Q

What does the application layer do?

A

Interprets the messages in HTTP protocol and renders HTML

4
Q

Does AWS allow multicast?

A

No

5
Q

What is unicast?

A

One-on-one conversation between servers

Like a phone call

6
Q

What is multicast?

A

When a network card/server sends messages to everyone on a network- layer 2 (MAC)

7
Q

What are the 3 main communication protocols used in AWS networking?

A

1) TCP (layer 4)
2) UDP (layer 4)
3) ICMP (layer 3)

8
Q

What are the characteristics of TCP and its common uses?

A

A connection-based stateful communication protocol that acknowledges receipt

e.g. web, email or file transfer

9
Q

What are the characteristics of UDP and its common uses?

A

Connectionless, stateless, with no transmission delays

e.g. streaming media, DNS (why… it’s simple)

10
Q

What are the characteristics of ICMP and its common uses?

A

Used by network devices to exchange information

e.g. Traceroute, ping

11
Q

What is an ephemeral port?

A

A short-lived transport protocol port used in IP communication

12
Q

What port ranges are used for ephemeral ports?

A

Suggested range = 49152 to 65535

Linux generally uses 32568 to 61000
Windows defaults from 1025

13
Q

Who defines the ephemeral port number during TCP communication?

A

The client! e.g. Dial on port 80 (HTTP) and use port 56784 to respond…

14
Q

Which protocols use ephemeral ports to transfer data?

A

1) TCP

2) UDP

15
Q

Why use UDP instead of TCP for large streaming data?

A

Because there is no acknowledgement. Acknowledging every receipt during streaming would be burdensome

16
Q

How many IP addresses are reserved in an AWS VPC? What are they, and what are they used for?

A

5

1) 10.0.0.0- Network address
2) 10.0.0.1- Reserved for AWS for the VPC router
3) 10.0.0.2- Reserved for Amazon DNS
4) 10.0.0.3- Reserved for future use
5) 10.0.0.255- VPCs do not support broadcast, so AWS reserves this

17
Q

Are the reserved IP addresses tied to specific IP addresses (or numbers)?

A

No, the IP number doesn’t matter, it is the position in the address that matters!

18
Q

What consideration do you need to make when creating a VPC?

A

Ensure that you have enough IP addresses available

e.g. 10.0.0.0/16 ~ 10.0.0.0/32

19
Q

How many IP addresses will be available for the CIDR block 10.0.0.0/28?

A

16

20
Q

How many IP addresses will be available for the CIDR block 10.0.0.0/16?

A

65536

21
Q

What are the 8 methods of connecting on-prem network with a VPC?

A

1) AWS managed VPN
2) AWS managed VPN-Redundant
3) AWS Direct Connect
4) AWS Direct Connect plus VPN
5) AWS VPN Cloud Hub
6) Software VPN
7) Transit VPC

22
Q

What, when, pros and cons of…. AWS managed VPN

A

What- IPsec VPN connection
When- You want a quick, easy and secure connection to a VPC; can be used as a redundant link for Direct Connect
Pros- Supports static routes or BGP peering and routing
Cons- Dependent on internet connection

23
Q

What are the 5 steps to set up an AWS managed VPN?

A

1) Designate an appliance to act as your customer gateway; this is usually your on-prem router
2) Create the VPN connection in AWS and download the config file for your customer gateway
3) Configure your customer gateway using the information from the config file, e.g. IPsec encryption
4) Generate traffic from your side of the VPN connection to bring up the VPN tunnel
5) Configure BGP routing if required

24
Q

What, when, pros and cons of…. AWS managed VPN- redundant

A

What- Secondary VPN connection
When- You want additional redundancy for your AWS VPN
Pros- Provides redundant architecture
Cons- You will have to manually deal with failover; additional cost?

25
Q

What, when, pros and cons of…. AWS Direct Connect

A

What- Dedicated network connection over PRIVATE lines straight into the AWS backbone
When- You require a “big pipe” into AWS: lots of resources or services being provided on AWS to your corporate users
Pros- More predictable network performance, up to 10Gbps connections, supports BGP peering and routing
Cons- May require additional telecom and hosting provider relationships and/or new network circuits

26
Q

How do you set up AWS Direct Connect?

A

Work with your existing provider, create a virtual interface (VIF) to connect a VPC (private VIF) or to other AWS services like S3 (public VIF)

27
Q

How would you increase the redundancy of a Direct Connect connection?

A

You would need to set up a second Direct Connect connection, ideally using a different provider

28
Q

What, when, pros and cons of…. Direct Connect plus VPN

A

What- IPsec VPN connection over private lines
When- You want the added security of an encrypted tunnel over Direct Connect
Pros- More secure (in theory) than Direct Connect alone
Cons- More complexity by adding a VPN layer

29
Q

How would you set up a Direct Connect plus VPN connection?

A

Organise this through your existing data networking provider

30
Q

What, when, pros and cons of…. AWS VPN CloudHub

A

What- Connect locations in a hub-and-spoke manner using AWS’s virtual private gateway
When- You want to link remote offices for back-up or primary WAN access to AWS resources and to each other
Pros- Uses existing internet connection, IPsec VPN connection, supports BGP routes to direct traffic, e.g. use MPLS first then the CloudHub VPN as a backup
Cons- Dependent on internet connection; no inherent redundancy

31
Q

How would you set up an AWS VPN CloudHub?

A

1) Create a single virtual private gateway
2) Create multiple customer gateways, each with the public IP address of the gateway. You must use unique BGP ASNs for each customer gateway
3) Create a dynamically routed site-to-site VPN connection from each customer gateway to the common virtual private gateway
4) Configure the customer gateway devices to advertise a site-specific prefix (e.g. 10.0.0.0/24, 10.0.1.0) to the virtual private gateway. These routing advertisements are received and re-advertised to each BGP peer, enabling each site to send data to and receive data from the other sites
5) Configure the routes in your subnet route table to enable instances in your VPC to communicate with your sites

32
Q

What, when, pros and cons of…. software VPN

A

What- You provide your own VPN endpoints and software
When- You must manage both ends of the VPN connection for compliance reasons, or you want to use a VPN option not supported by AWS, e.g. OpenVPN
Pros- Ultimate flexibility and manageability
Cons- You must design for any needed redundancy across the whole chain

33
Q

How would you go about setting up a software VPN?

A

Install the VPN software via a marketplace appliance or on an EC2 instance

34
Q

What, when, pros and cons of…. Transit VPC?

A

What- Common strategy for connecting geographically dispersed VPCs and locations in order to create a global network transit center
When- Locations and VPC-deployed assets across multiple regions need to communicate with one another
Pros- Ultimate flexibility and manageability, but also AWS-managed VPN hub and spokes between VPCs; good for using one VPC as a pass-through and for deploying across different cloud providers
Cons- You must design for any redundancy across the whole chain

35
Q

How do you set up a transit VPC?

A

Contact a provider such as Cisco that links their equipment with an AWS VPC

36
Q

What are the two types of VPC to VPC connections?

A

1) VPC peering

2) AWS PrivateLink

37
Q

What, when, pros and cons of….VPC peering

A

What- AWS-provided network connectivity between 2 VPCs
When- You have multiple VPCs that need to communicate or access each other’s resources
Pros- Uses AWS’s backbone without touching the internet
Cons- Does not support transitive peering

38
Q

How do you set up VPC peering?

A

You make a VPC peering request and the acceptor accepts!

39
Q

What, when, pros and cons of…. AWS PrivateLink?

A

What- AWS-provided network connectivity between VPCs and/or AWS services using interface endpoints
When- You want to keep private subnets truly private by using the AWS backbone to reach the services rather than the public internet
Pros- Redundant as it uses the AWS backbone
Cons- Cost? Time to set up manually?

40
Q

How do you create an AWS PrivateLink?

A

Create endpoints for the needed AWS or marketplace services in all needed subnets, then access these via the provided DNS hostname

41
Q

What are the 2 types of endpoints in AWS?

A

1) Interface endpoint

2) Gateway endpoint

42
Q

The What, How, What products and security of… Interface endpoints and e.g….

A

What- Elastic network interface with a private IP
How- Uses DNS entries to redirect traffic
What products- API Gateway, CloudFront, CloudWatch
Security- Security groups

e.g. Routing a call to S3 from within S3

43
Q

The What, How, What products and security of… Gateway endpoints and e.g….

A

What- A gateway that is a target for a specific route
How- Uses prefix lists in the route table to redirect traffic
What products- DynamoDB or S3
Security- VPC endpoint policies

e.g. Control access to S3 or DynamoDB so that you can only access items when traffic comes through an endpoint

44
Q

What are the two ways of providing internet access to VPCs?

A

1) Internet gateway

2) Egress-only internet gateway

45
Q

What are the 2 main purposes of the internet gateway?

A

1) provides route table targets for internet-bound traffic

2) Performs NAT for instances WITH public IP addresses- Not for instances with private IP addresses

46
Q

Are IPv6 addresses global?

A

Yes, so they are public by default.

47
Q

What are the 2 roles of the Egress-only gateway?

A

1) Provides outbound internet access for IPv6-addressed instances
2) Prevents inbound access to IPv6 instances

48
Q

Is the Egress-only gateway stateful or stateless?

A

Stateful

49
Q

What is a NAT instance, and what is its role?

A

An EC2 instance launched from an Amazon-created AMI.

Its role is to translate traffic from many private-IP instances to a single public IP address and back

50
Q

What does a NAT instance NOT allow?

A

Public internet initiated connections into private instances

51
Q

Does the NAT instance support IPv6?

A

Nope, use the Egress-only gateway for NAT

52
Q

What must private instances have to access the internet?

A

A route to the NAT instance in the public subnet. The traffic will then be directed to the internet gateway via the NAT instance.

53
Q

What is the NAT gateway?

A

AWS managed NAT service that replaces the need for a NAT instance on EC2. Uses an elastic IP.

54
Q

What is the default route and target for a NAT gateway? Entered in your private route table.

A

For Destination, enter 0.0.0.0/0. For Target, select the ID of your NAT gateway.

55
Q

How would you increase the redundancy of your NAT gateway architecture?

A

Create a NAT gateway in each AZ with routes for private subnets to use the local gateway- Multi-AZ redundancy

56
Q

Both the NAT gateway and NAT instances use elastic IP addresses, but only one can be detached, which is it?

A

NAT instance- detach Elastic IP

NAT Gateway- Cannot detach

57
Q

Can you associate a security group with a NAT gateway?

A

Nope, but you can with a NAT instance

58
Q

How can you control routing at the VPC level?

A

You can control routing via:

1) Route tables
2) BGP

59
Q

How can you control routing at the Route53 level?

A

You can apply routing policies

60
Q

How can you control routing at the ELB level?

A

Request routing

61
Q

What is a route table? (3 points)

A

1) Each VPC has an implicit router and main routing table
2) Each route table contains a local route for the CIDR block
3) The most specific route for an address wins

62
Q

What is the BGP?

A

Border Gateway Protocol

Allows dynamic routing, the method of choosing different paths depending on the availability and weighting

Weighting is local to the router and higher weight is the preferred path for outbound traffic

63
Q

Which ports need to be open for BGP?

A

179 and ephemeral ports

64
Q

What is ASN?

A

Autonomous System Number (ASN)…. a unique endpoint identifier

65
Q

What would you do if you needed a very high-performing network because you had lots and lots of data?

A

Can use Single Root I/O Virtualisation (SR-IOV)

Higher performance than normal virtualised interfaces

May need to install a specific adapter/interface, e.g. Intel 82599 VF interface

66
Q

What is a placement group?

A

Relevant for networking performance…

Gives you control over where physical servers are provisioned.

67
Q

What are the 3 types of placement groups?

A

1) Clustered
2) Spread
3) Partition

68
Q

What, when, pros and cons of… Clustered placement group? Same rack or separate?

A

What- Instances are placed into a low-latency group within a single AZ
When- You need low network latency and/or high network throughput
Pros- Get the most out of enhanced networking instances
Cons- Finite capacity

Same rack

69
Q

What, when, pros and cons of… Spread placement group? Same rack or separate?

A

What- Instances are spread across underlying hardware
When- You want to reduce the risk of simultaneous failure if underlying hardware fails
Pros- Can span multiple AZs
Cons- Max of 7 instances per group per AZ

Separate racks

70
Q

What, when, pros and cons of… partition placement group? Same or separate rack?

A

What- Instances are grouped into partitions and spread across racks
When- You want to reduce the risk of correlated hardware failures for multi-instance workloads
Pros- Better for large DISTRIBUTED or REPLICATED instance workloads than spread. Increases tolerance when one VM goes offline
Cons- Not supported for dedicated hosts

Separate racks

71
Q

Name and describe 7 routing policies available in Route53…

A

1) Simple- Here’s the destination for that name
2) Failover- Normally I would route you there, but based on health checks I will route you to this backup
3) Geolocation- Looks like you are in Europe, so I will route you to a resource that is closer to you in that region
4) Geoproximity- Your user is closer to US-EAST1 than US-WEST-2, so I will route you to US-EAST1
5) Latency- Let me see which resource has the lowest latency, then I will direct you that way
6) Multivalue answer- I will return several IP addresses as a sort of basic load balancer (round-robin based on health checks)
7) Weighted- You can set up multiple resources and I’ll route you according to the percentage of weight you assign to each

72
Q

What does bias mean in the context of geoproximity routing?

A

Balances resources based on population

Assign a value between -99 and +99

73
Q

How does weighted routing work?

A

You apply a weight number between 0-255 and calculate the weight of each route as a percentage.

If you apply 0, then this will disable traffic.

74
Q

What is CloudFront?

A

A distributed content delivery service for simple static asset caching up to 4K

75
Q

What service is CloudFront integrated with?

A

CloudFront is integrated with Amazon Certificate Manager and supports SNI

76
Q

What is the function of an SSL certificate, and how does it work?

A

Main function is to ensure websites are legitimate. Does this by checking that the domain name matches the name on the certificate

77
Q

How do you get around the SSL certificate error when using CloudFront to serve content over HTTPS? (2 points)

A

1) Can use CloudFront-allocated dedicated IP addresses at each CloudFront edge location to serve your content over HTTPS
2) Use Server Name Indication (SNI) to allow the client to specify which host it is trying to connect to. The server can present multiple certificates on the same IP. The client asks for the correct certificate and CloudFront provides it

78
Q

Which security policies are available in CloudFront?

A

SSL or TLS, most recent TLS v1.2

79
Q

What is the function of an Elastic Load Balancer?

A

Enables you to distribute inbound connections to one or many backend endpoints. Essentially how you control the flow of traffic to backend servers.

80
Q

What are the 3 elastic load balancer options?

A

1) Application load balancer (Layer 7)
2) Network load balancer (Layer 3)
3) Classic load balancer (layer 4 or 7)

81
Q

What features do you use to route using a Network Load Balancer? (1 point)

A

1) port numbers

TCP connections to the backend are persisted for the duration of the connection

82
Q

What features do you use to route using an Application load balancer? (6 points)

A

1) Host-based routing
2) Path-based routing
3) HTTPS header-based routing
4) HTTPS method-based routing
5) Query string parameter-based routing
6) Source IP address CIDR-based routing

83
Q

When would you use a Network load balancer over an Application load balancer?

A

When you are interested in RAW SPEED!

84
Q

Which protocols does an application load balancer use to control traffic?

A

HTTP/HTTPS

85
Q

Which protocols does a network load balancer use to control traffic?

A

TCP, UDP, and TLS

86
Q

What are sticky sessions?

A

An important feature for web applications; most web applications keep track of clients using a sticky session ID

The session ID is used to uniquely identify the client for stuff like shopping carts

87
Q

What does enabling sticky sessions on an application load balancer do?

A

Allows the ELB to keep track of the client and which webserver it handed it off to… increases continuity for the user

88
Q

What is a stateless protocol? Provide an example…

A

A communication protocol in which no session information is retained by the receiver. Relevant session data is sent to the receiver by the client. Every packet of information can be understood in isolation.

e.g. HTTPS/HTTP

89
Q

What is the benefit of using a stateless protocol?

A

Improves performance by removing server load caused by retaining session information, but does have an overhead cost as this information must be interpreted by the receiving server.

90
Q

What is a stateful protocol? Provide an example…

A

A communication protocol that requires keeping internal state on the server. A TCP connection session is stateful because both systems maintain information about the session itself during its life.

e.g. FTP

91
Q

What is a connectionless protocol? Provide an example

A

Designed to stream data: no beginning and no end.

e.g. UDP

92
Q

What is a connection-based protocol? Provide an example…

A

A communication protocol that requires a logical connection to be established between 2 parties before data is exchanged. The connection must be maintained during the entire communication.

93
Q

How can you allow your VPC instances to resolve using an on-prem DNS?

A

You can configure DHCP (Dynamic Host Configuration Protocol), which provides a standard for passing configuration information to hosts on a TCP/IP network.

94
Q

What is contained in an options field of a DHCP message?

A

Configuration parameters:

1) The domain name
2) Domain name server
3) NetBIOS node-type

95
Q

What are the 2 purposes of the Egress-only gateway?

A

1) Allows VPC-based IPv6 traffic to communicate with the internet
2) Prevents IPv6 internet resources from initiating a connection into a VPC

96
Q

What networking components will allow IPv6 data to communicate between a VPC and the internet for inbound and outbound traffic?

A

1) internet gateway (inbound traffic)

2) Egress only (outbound traffic)

97
Q

What could be stopping you from SSHing into an instance from the internet?

A

Need to check the NACL to ensure that TCP traffic is allowed for ports between 1025 and 65535.

Ephemeral ports are required to communicate back to the client

98
Q

Does Direct Connect require 802.1Q VLAN support?

A

Yes

99
Q

Is Direct Connect HA by default?

A

Nope

100
Q

Does Direct Connect require BGP routing?

A

Yes

101
Q

What must you ensure when using geolocation routing?

A

That you have a default route specified in case that location cannot be used

102
Q

Do Application load balancers support elastic IPs?

A

Nope, but network load balancers do!

103
Q

Does Route53 support TLSA records, and what are they?

A

Nope, TLSA records are used to specify the keys used in a domain’s TLS servers.