Networks Flashcards

Question

X-Forwarded-For

Answer 1

Helps identify client ID behind Load Balancer. Is L7 thing, works only with HTTP/S. NLB don't use the header because it operates at L3-4

Answer 2

Helps identify client ID behind Load Balancer. Works at L4, TCP header is added. Can be used if unbroken (by ALB) HTTPS connection is needed.

Answer 3

Help run and scale 3rd party security appliances. Uses GENEVE tunneling protocol to fix problem with IP addresses. GWLB will load balance across multiple security appliances.

Answer 4

Defines what happens when packet arrives at the VPC. Usually configured on the Internet gateway

Answer 5

- 1 IGV per 1 VPC - Used to access internet as well as public AWS services - HA and scalable - Works IPv4 and IPv6 inbound and outbound - For IPv4 1:1 NAT is done. For IPv6 no NAT is performed. - Flows from VPC to the public AWS services never leave AWS network

Answer 6

- Direct Connect Gateway - Global device (accessible in all regions vs. VGW, which is accessible only from the same region) - Is used to overcome limitation of Private VIF only to be able to communicate in the same region. - DX gateway not route traffic from VPC to VPC, only between on-prem and VPCs - DX gateway works cross-account - DX can connect to the private VIF & VGW or transit VIF & transit GW, not both (cannot mix). - One Transit GW can be attached up to 50 DX gateways

Answer 7

- Gateway object connecting VPC and non-AWS networks (e.g. other clouds). - Is used for site2site VPNs - Attached to max 1 VPC - It can be as target in the VPC route table.

Answer 8

- Allows few connections to terminate in one point and exchange routing info.

Answer 9

- Logical object representing customer device in AWS config for VPN connection - Physical customer device to establish VPN - Speed cap of 1.25Gbps is applied for the VPN.

Answer 10

Uses static routes

Answer 11

- Uses BGP to establish routes - Route propagation should be enabled on VPC

Answer 12

- Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions. Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover. - Provides you with a set of two static IP addresses that are anycast from the AWS edge network. - Assigns a default Domain Name System (DNS) name to your accelerator. - Supports both TCP and UDP protocols (CloudFront only HTTP/S). - Integrate with AWS Shield for DDoS protection. - Improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.

Answer 13

Which route table will be used when exiting TG association

Answer 14

To which route table routes learned from the attachment will be propagated

Answer 15

- Used to access private IP ranges in VPC (cannot access public services/IPs) - Limited to the same region (there is workaround to use Transit GW) - Can be terminated on VGW (Virtual Private Gateway) or Direct Connect Gateway - Can use Jumbo Frames - Max 100 prefixes can be advertised on private VIF

Answer 16

- Used to access AWS public zone services. No access to the private VPC IP ranges. Not limited to the same region. - Your prefixes no leave AWS (are not transitive) - Supports bi-directional communities

Answer 17

Feature of Amazon CloudFront that lets you run code closer to users of your application, which improves performance and reduces latency

Answer 18

Virtual private gateway prioritizes routes as follows, from MOST preferred to LEAST preferred: -BGP propagated routes from an AWS Direct Connect connection -Manually added static routes for a Site-to-Site VPN connection -BGP propagated routes from a Site-to-Site VPN connection -For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred. Alternatively, you can prepend AS_PATH, so that the path is less preferred. -When the AS PATHs are the same length and if the first AS in the AS_SEQUENCE is the same across multiple paths, multi-exit discriminators (MEDs) are compared. The path with the lowest MED value is preferred.

Answer 19

- Scans EC2 OS and containers for vulnerabilities and deviations from best security practices. - Network assessment - OS/host assessment (requires agent) - Assessment is running at the regular interval (15m, 30min etc)

Answer 20

AWS published structure of all public service IP range usage for all AWS regions. SNS topic is upgraded when update is made in the file.

Answer 21

- Can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. - Logs API calls, is NOT real time. Action taken by user, role or a service. - Stores 90 days of history. - By default only logs management events. - Is regional service. - Can be configured as one region or all regions (adds other regions automatically). Global services leave records in us-east-1 region.

Answer 22

- AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. - Can be Professional (paid) or Std version.

Answer 23

Data security service that discovers sensitive data (in S3) using machine learning and pattern matching, provides visibility into data security risks, and enables automated protection against those risks.

Answer 24

Network address translation from IPv6 to IPv4. NAT gateway supports NAT64.

Answer 25

- Open source, distributed search and analytics suite derived from Elasticsearch.

Answer 26

Threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior.

Answer 27

- VPC CNI plugin for Kubernetes add-on is deployed on each Amazon EC2 node in your Amazon EKS cluster. The add-on creates elastic network interfaces and attaches them to your Amazon EC2 nodes. The add-on also assigns a private IPv4 or IPv6 address from your VPC to each Pod and service.

Answer 28

Enabling BFD for your Direct Connect connection allows the Border Gateway Protocol (BGP) neighbor relationship to be quickly torn down. Otherwise, by default, BGP waits for three keep-alives to fail at a hold-down time of 90 seconds. Asynchronous BFD is automatically enabled for Direct Connect virtual interfaces on the AWS side. However, you must configure your router to enable asynchronous BFD for your connection.

Answer 29

Amazon EC2 feature that provides higher bandwidth, higher packet-per-second (PPS) performance, and consistently lower inter-instance latencies.

Answer 30

Web Application Firewall configuration unit

Answer 31

- Record changes in the resources config - Auditing changes - Doesn't prevent changes - Is regional service, can be configured in cross-region or cross-account setup - Config Rules can be created, criteria matching

Answer 32

Operations hub for your AWS applications and resources, and is broken into four core feature groups: - Operations Management - Application Management - Change Management - Node Management

Answer 33

- Hardware Security Module - True "single tenant" HSM, not shared with the other accounts. - Don't have native integration with other AWS services (e.g. S3 SSE). - Can be used to offload SSL/TLS processing from the Web servers. - Can transparently encrypt data on Oracle DB. - Protect Private keys for CA (Certificate Authority). - AWS have no access to the module itself. If customer loses access to the module- game over. - FIPS 140-2 Level 3, PKCS#11, Java Cryptography Extensions (JCE), Microsoft CryptoNG. - KMS (key management Service) is shared service, AWS have some degree of access to the keys.

Answer 34

- Common Vulnerabilities and Exposures - Rule set for Cloud Inspector to check against

Answer 35

- Center of Internet Security benchmarks - Rule set for Cloud Inspector to check against

Answer 36

- Allow quick and easy setup for for multi account environments - Orchestrates the capabilities of other services, including AWS Organizations, AWS Service Catalog, and AWS IAM Identity Center, to build a landing zone in less than an hour. - Landing Zone is multiaccount environment - Guard Rails enforces/detects rules across accounts - Accounts Factory - Dashboard

Answer 37

- Capture information about the IP traffic going to and from network interfaces in your VPC that is published to CloudWatch Logs. - Does not affect network throughput or latency. - Do not capture real-time log streams for your network interfaces.

Answer 38

Equal Cost Multi-Path (ECMP). AWS Transit Gateway enables you to scale the IPsec VPN throughput with ECMP routing support over multiple VPN tunnels. - If you establish multiple VPN tunnels to an ECMP-enabled transit gateway, it can scale beyond the default maximum limit of 1.25 Gbps.

Answer 39

- Choose outbound paths - Local preference wins over AS path when choosing the route! - Is advertised to local AS only, not advertised to external BGP AS

Answer 40

- Multi Exit Discriminator - Lower value is preferred route - Is advertised to external AS - You can influence which path is choosen - Path preference wins over MED - Increase MED you deprioritise path.

Answer 41

Runs under 169.254.169.123

Answer 42

- Highly available - Supports UDP packet fragmentation - Don't support TCP and ICMP packet fragmentation - Security Group cannot be associated

Answer 43

- Security Group can be associated - Supports reassembly of TCP, UDP and ICMP packets

Answer 44

You can use the following BGP communities for your prefixes: - 7224:9100—Local AWS Region - 7224:9200—All AWS Regions for a continent (North America–wide, Asia Pacific, Europe, the Middle East, and Africa) - 7224:9300—Global (all public AWS Regions) AWS Direct Connect applies the following BGP communities to its advertised routes: -7224:8100—Routes that originate from the same AWS Region in which the AWS Direct Connect point of presence is associated. -7224:8200—Routes that originate from the same continent with which the AWS Direct Connect point of presence is associated. -No tag—Global (all public AWS Regions).

Answer 45

Cloud Map allows you to register any application resources, such as databases, queues, microservices, and other cloud resources, with custom names. Cloud Map then constantly checks the health of resources to make sure the location is up-to-date. The application can then query the registry for the location of the resources needed based on the application version and deployment environment.

Answer 46

- Communication framework - Works over HTTP/S - Can handle multiple communications over one TCP stream - Uses "protocol buffers"

Answer 47

- Can have several records pointing at the same name and associated with the health check. If target is marked unhealthy, record is not returned. - Improves availability, is not replacement for the load balancer.

Answer 48

- Can be used as simple load balancer. - Can be used to test new software versions

Answer 49

- Trying to optimise performance and user experience - Specify region for each record where the resource is located - Database (not real time!) of latencies between user IP and region is evaluated, record with the lowest latency is returned.

Answer 50

- Similar to latency, but location is used as selection criteria - Matching record is returned in order of state, country, continent, default - Can be used to restrict content based on location. - It is not about proximity, it is about relevant record!

Answer 51

- Routing is based on the proximity to the location - Bias can be added/removed to bias towards specific location

Answer 52

- Rules can be configured to route specific domain to the on premises DNS

Answer 53

Get attribute, only returns default attribute

Answer 54

Get attribute, can select which attribute is returned

Answer 55

Substitutes value in the text from function e.g. ${VPC.CidrBlock}

Answer 56

!Cidr [ ipBlock, count, cidrBits ] - "ipBlock" The user-specified CIDR address block to be split into smaller CIDR blocks. - "count" The number of CIDRs to generate. Valid range is between 1 and 256. - "cidrBits" The number of subnet bits for the CIDR. For example, specifying a value "8" for this parameter will create a CIDR with a mask of "/24".

Answer 57

Finds value in the pre-created map: !FindInMap [ MapName, TopLevelKey, SecondLevelKey ]

Answer 58

- Visible as CLI or console UI output - Accessible from the parent stack when using nesting - Can be exported for cross-stack reference

Answer 59

- Evaluated first, before template is applied

Answer 60

- By default resources are created in parallel - Tries to determine dependency order - To explicitly define dependencies DependsOn is used

Answer 61

- Resources in single stack share lifecycle - 500 resources per stack limit - Stacks are isolated - Root stack have resource type "Type: AWS:: CloudFormation:: Stack" - Reusing code, not the stack!

Answer 62

- Outputs can be exported to be visible for other stacks - Exports must have unique name in that region - !ImportValue can be used to import values from different stacks, !Ref can be used to import value from the same stack.

Answer 63

- AWS Cloud WAN is a managed wide-area networking service that simplifies a global network’s setup, management, and operation using the AWS cloud infrastructure. - A key feature of AWS Cloud WAN is using segments, which are logical network partitions within the WAN. Each segment can represent different departments, business units, or workloads, providing isolated environments for security and compliance purposes. With segment actions, administrators can define policies to control traffic flow between segments, ensuring only authorized communication occurs between network parts.

Answer 64

- Internet Key Exchange - Diffie–Hellman is used (DH) - Asymmetric encryption used to exchange keys - Slow.

Answer 65

- Uses keys agreed in Phase 1 - Fast and agile

Answer 66

- Rules to match the traffic. Matched traffic is sent to SA (security association) - Can be used to precisely define policy. - Many Phase 2 tunnels inside Phase 1 tunnel

Answer 67

- Route traffic based on prefix. - One Phase 2 tunnel inside Phase 1 tunnel

Answer 68

- Feature of VGW (Virtual Private Gateway) - Can be used to move traffic between VPN peers as well (e.g. between remote offices) - Each remote site should have unique BGP ASN.

Answer 69

- Only 1 Transit VIF per DX location - Each transit VIF supports up to 3 TGW - In the DX location DX gateway can be used with transit VIF or private VIF, not both!

Answer 70

Encrypt stored data on your DB instances running Microsoft SQL Server. TDE automatically encrypts data before it is written to storage and automatically decrypts data when the data is read from storage.

Answer 71

VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads. You can use IPAM automated workflows to more efficiently manage IP addresses.

Answer 72

Condition is used to specify from which Endpoint traffic is coming

Answer 73

Condition is used to specify the VPC ID.

Answer 74

Document you get after configuring Direct Connect

Answer 75

- CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery) - Content delivery platform - "Distribution" is configuration unit. - Self signed certificates will not work.

Answer 76

- VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC - Flow log data can be published to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose.

Answer 77

- Elastic Beanstalk is a service for deploying and scaling web applications and services. Upload your code and Elastic Beanstalk automatically handles the deployment—from capacity provisioning, load balancing, and auto scaling to application health monitoring.

Answer 78

AWS Resource Access Manager (AWS RAM) helps you securely share your resources across AWS accounts, within your organization or organizational units (OUs) and with IAM roles and users for supported resource types.

Answer 79

- Managed service for HTTP, REST and WebSockets - Can be public or private

Answer 80

- Network Access Analyzer is a feature that identifies unintended network access to your resources on AWS. - You can use Network Access Analyzer to specify your network access requirements and to identify potential network paths that do not meet your specified requirements. - Network Access Analyzer uses automated reasoning algorithms to analyze the network paths that a packet can take between resources in an AWS network. It then produces findings for paths that match a customer defined Network Access Scope. Network Access Analyzer performs a static analysis of a network configuration, meaning that no packets are transmitted in the network as part of this analysis.

Answer 81

- Driver for AKS (Kubernetes cluster) to load balance to pods?

Answer 82

- DNS Firewall provides filtering for outbound DNS queries that pass through the Route 53 Resolver from applications within your VPCs. You can also configure DNS Firewall to send custom responses for queries to blocked domain names. AWS Network Firewall provides filtering for both network and application layer traffic, but does not have visibility into queries made to the Route 53 Resolver.

Answer 83

AWS App Mesh is a service mesh that makes it easy to monitor and control services. A service mesh is an infrastructure layer dedicated to handling service-to-service communication, usually through an array of lightweight network proxies deployed alongside the application code.

Answer 84

AWS X-Ray provides a complete view of requests as they travel through your application and filters visual data across payloads, functions, traces, services, APIs, and more with no-code and low-code motions.

Answer 85

- Collect, process, and analyze real-time, streaming data so you can get timely insights and react quickly to new information. - Ingest real-time data such as video, audio, application logs, website clickstreams, and IoT telemetry data for machine learning, analytics, and other applications. - Process and analyze data as it arrives and respond instantly instead of having to wait until all your data is collected before the processing can begin.

Answer 86

You set up a stream with a source, destination, and required transformations. Amazon Data Firehose continuously processes the stream, automatically scales based on the amount of data available, and delivers it within seconds.

Answer 87

VPN NAT packets, 4500 UDP port needs to be open

Answer 88

The values for the srcaddr and pkt-srcaddr fields are different. The srcaddr field displays the private IP address of the NAT gateway network interface, and the pkt-srcaddr field displays the IP address of the host on the internet.

Answer 89

Fully managed application streaming service that provides users with instant access to their desktop applications from anywhere. AppStream 2.0 manages the AWS resources required to host and run your applications, scales automatically, and provides access to your users on demand.

Answer 90

To load balance traffic across multiple AWS Direct Connect connections, apply the same community tag across the prefixes for the connections. To support failover across multiple AWS Direct Connect connections, apply a community tag with a higher preference to the prefixes for the primary or active virtual interface. For example, set the BGP community tags for your primary or active virtual interfaces to 7224:7300 (high preference). -7224:7100 — Low preference -7224:7200 — Medium preference -7224:7300 — High preference

Answer 91

DPD is primarily used in a VPN connection only. It enables VPN devices to rapidly identify when a network condition prevents the delivery of packets across the public Internet.

Answer 92

Uses DX connection to establish VPN. Should use public interface to access Virtual Private Gateway.

Answer 93

- Can include one or more containers - Represents application as a whole - Define what role can be assumed by the task - Is not by itself highly scalable and available

Answer 94

- Defines how ECS tasks should scale, how many copies should run - LB can be deployed in front of ECS Service

Answer 95

- Container (Images and ports) - Task (Task role, containers, resources) - Service (How many copies, HA, restarts)

Answer 96

- DNSSEC private/public pair to sign Resource Record Sets

Answer 97

- Stores public key for signature verification in DNSSEC

Answer 98

- Used to sign zone signing keys

Answer 99

- Delegated Signer record - Stores child domain public key hash

Answer 100

New attachment type that supports Generic Routing Encapsulation (GRE) for higher bandwidth performance compared to a VPN connection. Used for SD-WAN integration

Answer 101

Container Network Interface

Answer 102

Server Name Indication. Extension to the TLS protocol. It allows a client or browser to indicate which hostname it is trying to connect to at the start of the TLS handshake. This allows the server to present multiple certificates on the same IP address and port number.

Answer 103

Virtual buckets to control policies.

Networks Flashcards

(127 cards)