Huawei Cloud Network Services

Questions and Answers

Which of the following best describes the primary function of a Virtual Private Cloud (VPC)?

  • To provide internet access to all cloud resources.
  • To provide a direct connection to the physical infrastructure of the cloud provider.
  • To manage physical network hardware within a data center.
  • To enable logically isolated, configurable, and manageable virtual networks within a cloud environment. (correct)

Under which of the following scenarios is using a single VPC most suitable?

  • When workloads need connectivity rather than strict isolation, such as small-scale applications with low-latency requirements. (correct)
  • When you need to isolate different services from each other for security reasons.
  • When managing multiple projects with distinct cost management requirements.
  • When resources are grouped and isolated by medium and large teams or organizations.

When should multiple VPCs be considered in a cloud environment?

  • When there is a need to connect to cloud via a private network.
  • When there is a need to isolate different services, such as development, production, and testing environments, from each other. (correct)
  • When there is a need for simplified management and O&M.
  • When there is a need for low-latency services.

Which of the following is a crucial consideration when selecting a region for a VPC?

  • Choosing the region nearest to your users to minimize latency, as VPCs are region-specific. (correct)

What is the purpose of Classless Inter-Domain Routing (CIDR) block in VPC configuration?

  • To define the range of IP addresses available for resources within the VPC. (correct)

When selecting an appropriate size for a VPC CIDR block, what is a key consideration?

  • Estimating the number of servers needed and leaving room for future growth without wasting IP addresses. (correct)

What is the significance of the five reserved IP addresses in each subnet?

  • They are reserved for network functions such as the network address, gateway, and broadcast address. (correct)

Which of the following is a key principle in planning subnets within a VPC?

  • Subnets should have distinct CIDR blocks within the VPC and should ideally map one-to-one with node types. (correct)

How does a route table function within a VPC?

  • It determines where network traffic from your subnets is directed; each subnet is associated with a single route table. (correct)

What are the basic components needed to enable basic communication within a VPC in a single region?

  • VPC and subnets (correct)

Which of the following is the primary purpose of a Virtual Private Network (VPN) in cloud networking?

  • To secure communications between remote users and VPCs over a public network. (correct)

In hybrid cloud scenarios, what role does a VPN play?

  • It connects an on-premises data center to a VPC, allowing secure access to cloud resources. (correct)

What is a key limitation regarding local and remote subnets in a VPN connection?

  • The local and remote subnets must not overlap. (correct)

What is the primary advantage of using Direct Connect over a VPN connection?

  • Direct Connect provides a stable, reliable, dedicated connection with low latency and high security. (correct)

What key technologies are involved in setting up a Direct Connect?

  • A connection, a virtual gateway, and a virtual interface (correct)

What is one of the main considerations when deciding between using a VPN or Direct Connect?

  • If strict compliance requirements as well as speed and security are needed, Direct Connect may be the better fit. (correct)

What is the primary function of VPC peering?

  • To connect multiple VPCs so that they can communicate using private IP addresses. (correct)

Which of the following is a constraint for VPC peering connections?

  • The CIDR blocks of the VPCs connected by a peering connection cannot overlap. (correct)

Which of the following is a key function of an Enterprise Router?

  • Connecting your VPCs and on-premises networks, using BGP to learn routes and dynamically select or switch between connections. (correct)

In what way does using an Enterprise Router simplify network topology compared to VPC peering?

  • Enterprise Routers eliminate the need for configuring numerous VPC peering connections, as they automatically learn and manage routes. (correct)

What is the primary purpose of a VPC Endpoint (VPCEP)?

  • To provide secure and private channels to connect VPCs to endpoint services without using EIPs. (correct)

What is a key difference between VPC peering and VPC Endpoints?

  • VPC peering requires routes to be configured, while VPC endpoints do not. (correct)

Which service is specifically designed to build stable, high-speed networks between VPCs in different geographical regions?

  • Cloud Connect (correct)

What is a key constraint when using Cloud Connect?

  • By default, a cloud connection cannot connect network instances in more than six regions. (correct)

Which cloud service is a public IPv4 address that enables communication with the Internet?

  • EIP (correct)

Which of the following is a billing option for Elastic IP (EIP) addresses?

  • Pay-per-use billed by bandwidth or by traffic, or yearly/monthly (correct)

What is the function of a NAT Gateway?

  • To provide network address translation for servers in a VPC, allowing multiple servers to share an EIP to access the Internet. (correct)

In the context of a NAT Gateway, what does SNAT (Source Network Address Translation) achieve?

  • It ensures that the private IP addresses of servers are not exposed when they access the Internet. (correct)

In the context of a NAT Gateway, what does DNAT (Destination Network Address Translation) achieve?

  • It enables servers within an AZ or across AZs in a VPC to share one EIP to provide services accessible from the Internet. (correct)

Which of the following is a recommended practice for enhancing network security when connecting to the Internet?

  • Bind the EIP to a NAT gateway instead of to each server. (correct)

What is the purpose of Elastic Network Interfaces (ENIs)?

  • To provide network communications for an ECS; an ENI can be moved between ECSs in the same VPC, even across subnets. (correct)

What is a key limitation with ENIs?

  • The primary network interface of an ECS cannot be detached from its instance. (correct)

What is the primary use case for virtual IP addresses?

  • Active/standby ECS switchovers, where the virtual IP address moves from the failed active ECS to the standby ECS. (correct)

What is the purpose of Domain Name Service (DNS)?

  • To translate domain names into IP addresses (correct)

What does private DNS resolution provide?

  • It maps a domain name to private IP addresses, allowing communication within VPCs without using the Internet. (correct)

What does the first phase of public DNS resolution involve?

  • Entering a domain name and querying the DNS server for it. (correct)

What happens if real-name authentication has not been completed and the website is not licensed?

  • The website cannot be accessed. (correct)

Which security tenet covers encrypting stored data with managed encryption keys?

  • Static data security (data at rest). (correct)

Why should security incident response plans be exercised through drills?

  • Because a successful drill shows the plan is adequate, and the plan can be revised based on what the drill reveals. (correct)

Why is monitoring and understanding application performance so critical?

  • It is critical to selecting the right components for the network architecture. (correct)

What are the primary cost-optimization measures listed in this training?

  • Better understand VPC costs and evaluate bandwidth to reduce traffic costs. (correct)

Flashcards

What is a VPC?

A private virtual cloud for logically isolated resources.

When to use a Single VPC?

Use when workloads need connectivity, small teams, and low latency.

When to use Multiple VPCs?

Used to isolate different services or environments (for example, production and test) from each other, even within a single team or organization.

How to select a VPC region?

Select the region closest to your users for lower latency.

VPC CIDR Block

IP address range for a VPC. Subnets are ranges within.

Sizing a VPC CIDR Block

Estimate number of servers; Allocate subnets; Don't waste IPs.

Subnet Planning

Enough IP addresses to meet service needs. Five IPs are reserved per subnet.

Virtual Private Network (VPN)

End-to-end private channels. Establishes encrypted tunnels over the Internet.

VPN Application Scenarios

Site-to-cloud connectivity (on-premises data center to VPC) or connectivity between VPCs in different regions, over encrypted tunnels across the Internet.

VPN IP Restrictions

Remote and local subnets cannot overlap

Hybrid Cloud Deployment

Built by connecting on-premises data centers to a VPC (over VPN or Direct Connect).

Direct Connect

Stable and reliable dedicated connectivity.

Direct Connect Scenario

An on-premises data center needs to access VPCs over a private network

Stable Direct Connect Performance

Provides more stable and dependable connectivity

Direct Connect Benefits

Lower latency and jitter.

Cloud Connect excellent performance

Securely transmit data over the shortest network path for ultra-low latency

Cross-region multi-VPC communication

Enables VPCs in different regions to communicate with each other.

VPC Peering

A network connection that connects two VPCs using private IP addresses.

Communication between peered VPCs

Subnets in two peered VPCs communicate once routes to the peer CIDR block are added to each VPC's route table.

Enterprise Router

Connects your VPCs and on-premises networks, using BGP to learn routes.

VPC Endpoint (VPCEP)

Extends VPC capabilities enabling secure and private channels to connect VPCs to endpoint services.

Elastic IP (EIP)

Provides public IPv4 addresses that use public network bandwidth for Internet access.

Bandwidth limit

You can set a bandwidth size for each EIP.

EIP Allocation

Allocate an EIP and bind it to resources

NAT Gateway

The network address translation (NAT) service for servers in a VPC

Public NAT Gateway : SNAT

The private IP addresses of servers are hidden when they access the Internet.

Private Domain Names

Used to reach resources by name instead of by IP address.

Private DNS resolution

Maps a domain name and subdomains used within one or more VPCs to private IP addresses

Cloud Connect

Enables building stable, high-quality networks between VPCs in different regions.

Five Key Architectural Pillars

Security, Reliability, Maintainability, Performance and Cost.

Data Security

Encryption of data at rest and encryption of data in transit.

Reliability

Distributed deployment so that no component is a single point of failure.

Performance

Monitor network and application performance to select the right components for the architecture.

Cost effective measures

Optimize and evaluate bandwidth

Maintainability

Use the console to check network status and troubleshoot connectivity issues.

Study Notes

  • The lesson covers network cloud services on Huawei Cloud.
  • The lesson describes how to use these services to interconnect various resources.
  • This includes communications within a VPC in a single region.
  • It also includes communications across VPCs in a single region.
  • Communications between the cloud and on-premises networks, and communications across regions, are also covered.
  • Communications between the cloud and the Internet are also covered.

Objectives

  • Know Huawei Cloud network services.
  • Get familiar with VPCs, security groups, network ACLs, EIPs, NAT gateways, and enterprise routers.
  • Understand the functions, architectures, and use cases of the aforementioned items.
  • Recognize the appropriate network services for different scenarios.

Huawei Cloud Network Service Overview

  • Cloud access network (Internet-facing): ELB, DNS, IPv4/IPv6, EIP and NAT Gateway.
  • Cloud network: VPC and Cloud Connect.
  • Hybrid cloud network: VPN and Direct Connect, providing connectivity to on-premises data centers.

Cloud Network Solution Design

  • Communication within a VPC in a single region uses VPC and subnets.
  • Communication between the cloud and on-premises networks uses Direct Connect and VPN.
  • Communication across VPCs in a single region uses VPC peering, Enterprise Router and VPC Endpoint.
  • Communication across regions uses Cloud Connect.
  • Communication between the cloud and the Internet uses EIP, NAT Gateway and DNS.

VPC Network Planning and Design

  • A VPC is a private, logically isolated virtual network on the cloud.
  • A single VPC suits a limited number of applications, a small service volume and a small team.
  • A single VPC also gives low latency (for example for high-performance computing) and simplified management.
  • Multiple VPCs are used when different services need to be isolated from each other within a team or organization.
  • When selecting a region for a VPC, select the region nearest to users.
  • When selecting a VPC CIDR block, reserve sufficient IP addresses for workload expansion.
  • Watch for IP address conflicts when connecting a VPC to an on-premises data center or connecting two VPCs.

VPC defined

  • A Virtual Private Cloud (VPC) enables logically isolated, configurable and manageable virtual networks.
  • These networks host cloud servers, containers and databases, and improve cloud service compliance.
  • VPCs simplify network deployment.
  • A VPC is a software-defined network.
  • VPCs allow you to configure IP address ranges, subnets, routes and firewalls (security groups and network ACLs).
  • They provide an isolated, internally connected network on Huawei Cloud.
  • An EIP can be bound to connect resources in the VPC to the Internet.

Single VPC

  • Employed when workloads need connectivity rather than isolation.
  • Suitable for a limited number of applications, a small service volume and small teams.
  • Suitable for low-latency services such as high-performance computing.
  • Best for simplified management, for example of security and O&M.
  • Multiple VPCs are better when there are multiple projects or enterprise projects.
  • Multiple accounts should also use multiple VPCs.

Multiple VPCs

  • Multiple VPCs are used for isolation.
  • Employed where different services need to be isolated from each other.
  • Best where VPCs serve different purposes, for example a production zone and a test zone.
  • Can be used even within a single team or organization.

Considerations When Creating a VPC

  • Consider the region where the VPC is to be created.
  • Decide whether VPCs need to be isolated from each other.
  • Resource allocation and the VPC quota are also considerations.

VPC Region Selection

  • Select the region nearest to users, bearing in mind that VPCs are region-specific.
  • By default, VPCs cannot communicate with each other over a private network, even if they are in the same region.

VPC Isolation

  • Create a dedicated VPC for a service that needs to be isolated.

Resource Allocation

  • Note that not all resources depend on VPCs.

VPC Quota

  • Request a VPC quota increase in advance if necessary.

Selecting a VPC CIDR Block

  • A VPC CIDR block is the IP address range of a VPC.
  • A subnet is a range of IP addresses within the VPC.
  • Resources in a VPC must be deployed in subnets.
  • The IP address range for a VPC is defined using Classless Inter-Domain Routing (CIDR) notation.
  • Recommended VPC CIDR blocks: 10.0.0.0/8-24, 172.16.0.0/12-24 and 192.168.0.0/16-24 (the RFC 1918 private ranges).
  • For example, 172.16.0.0/16 contains the IP addresses from 172.16.0.0 to 172.16.255.255 (65,536 addresses).

Selecting a Size for a VPC CIDR Block

  • Estimate the number of servers in the VPC.
  • Ensure the VPC has enough IP addresses for them.
  • Allocate subnets in different AZs from the VPC CIDR block.
  • Allocate an IP address range to each subnet based on the expected number of subnets and servers.
  • Select an IP address range that leaves room for future service growth, so that subnets and servers can be added later without redesigning the network.
  • Do not select an excessively large IP address range, which wastes IP addresses.
  • Do not select a range so small that there are not enough IP addresses.

Subnet Planning and Design Considerations

  • A subnet should have enough IP addresses to meet service requirements.
  • For example, VPC CIDR block 192.168.0.0/22 has 1,024 IP addresses and can be split into four /24 subnets of 256 addresses each.
  • Five IP addresses are reserved in each subnet; this has no adverse impact on a well-designed network.
  • A subnet does not need to contain all IP addresses of its VPC.

Reserved IP Addresses for each subnet

  • 192.168.0.0: the network address, the beginning of the private IP address range; it is not assigned.
  • 192.168.0.1: the gateway address.
  • 192.168.0.253: reserved for the system interface, used by the VPC for external communication.
  • 192.168.0.254: the DHCP service address.
  • 192.168.0.255: the broadcast address.
  • Use a subnet that has enough IP addresses.
  • The IP addresses of a subnet must belong to its VPC, but do not need to cover all IP addresses of the VPC.
  • The CIDR blocks of subnets in a VPC cannot overlap; IP addresses provided by a subnet can be used by resources in different AZs.
  • Subnets map one-to-one to node types: deploy only one type of node in a given subnet.
  • Deploy nodes with the same function in the same subnet; subnets are logical constructs without the restrictions of physical networks.
  • Each subnet needs a route table and can have only one route table associated with it.
  • Each VPC has a default route table, which is associated with subnets that have no custom route table.
  • A route table determines where traffic from its associated subnets is directed, including traffic to other VPCs.
  • Default routes in a route table cannot be modified or deleted.
  • One route table can be associated with multiple subnets.

Virtual Private Network (VPN)

  • A VPN provides end-to-end private communication channels.
  • IPsec VPN establishes encrypted communication tunnels between remote users and VPCs over a public network.
  • A VPN enables remote users to access resources in the VPCs.
  • Application scenarios include site-to-cloud interconnection: connecting an on-premises data center to a VPC.
  • Application scenarios also include interconnection between VPCs in different regions.

Key VPN Technologies

  • VPN gateway: an egress gateway created on the cloud and associated with a VPC.
  • Each VPN connection links the VPN gateway to one remote gateway.
  • Remote gateway: the transit device on the on-premises side that exchanges data between the local network and the remote network over VPN connections.
  • The remote gateway provides functions such as data transmission, data encryption and traffic management.
  • VPN connection: a confidential and secure IPsec-encrypted communication tunnel established over the Internet.
  • This tunnel secures data transmission between the two networks.

VPN Constraints and Limitations

  • A local subnet is a subnet of the local network from which the VPN connection originates (on the cloud side, a subnet of the VPC).
  • A remote subnet is a subnet of the remote network that is the destination of the VPN connection.
  • The local subnet and remote subnet of a connection cannot overlap.
  • A VPN gateway can reach multiple subnets of its associated VPC, but the remote subnets of all VPN connections on the same VPN gateway cannot overlap.
  • The remote subnets within the same VPN connection cannot overlap either.
  • The local subnets of all VPN connections on the same VPN gateway cannot overlap.
  • A VPN gateway can be associated with only one VPC.
  • A VPN connects an on-premises data center to a VPC, giving easy access to ECS and storage resources on the cloud.
  • This lets you migrate applications to the cloud, add web servers and extend computing capacity, forming a hybrid cloud architecture.

Hybrid Cloud Deployment

  • A VPN connects one or more on-premises data centers to a VPC for easier access to ECSs and block storage on the cloud.
  • A VPN can also establish tunnels between two VPCs in different regions, allowing the VPCs to communicate with each other.

Direct Connect

  • Direct Connect provides a stable, reliable, dedicated connection.
  • Direct Connect connections are fast, secure and low-latency.
  • Typical scenario: an on-premises data center accesses VPCs over a private network, usually over leased optical fiber.

Important Direct Connect Technologies

  • A connection is a physical link leased from a carrier that connects an on-premises data center to a Direct Connect access point.
  • One connection can carry multiple virtual interfaces to reach multiple VPCs.
  • A virtual gateway is a logical gateway for accessing a VPC through a Direct Connect connection.
  • Multiple VPCs can share one virtual gateway, and multiple connections can use one virtual gateway to access the same VPC.
  • A virtual interface links a connection to one or more virtual gateways, each associated with a VPC, so that the on-premises network can access all of those VPCs.
  • Direct Connect lets industries and enterprises comply with specific standards and regulations (local compliance).

Performance of Direct Connect

  • Provides a dedicated connection, which is more stable than Internet-based connections.
  • This makes Direct Connect suitable for large-scale data transmission, high-volume network traffic and real-time applications.

VPN Compared To Direct Connect

  • VPN is easy to use and works out of the box, transmitting data through encrypted tunnels over the Internet.
  • VPN connections run over public networks.
  • Direct Connect uses dedicated connections and meets requirements for data compliance.
  • Direct Connect uses private network access, giving excellent performance with low latency and jitter.
  • Direct Connect is useful when connecting an on-premises data center to a VPC.
  • This provides high-performance, low-latency and compliant dedicated connections.
  • On-premises servers can be connected to cloud servers in a VPC.
  • Direct Connect can connect on-premises assets to more than one VPC, so compute resources in different VPCs can be leveraged.
  • With this design, cloud servers in multiple VPCs are reachable from the on-premises assets.

VPC Peering

  • A VPC peering connection connects two VPCs so that they can communicate using private IP addresses.
  • After a VPC peering connection is created, you need to add routes in both the local and peer VPCs to enable communication.
  • VPC peering connections are free and easy to configure.
  • VPCs connected by a peering connection communicate over a private network instead of the Internet.
  • VPC peering can connect two VPCs in the same region even if they belong to different accounts.
  • Private IP addresses are used for communication.

Important facts for VPC Peering

  • A VPC peering connection request sent to a peer account must be accepted by that account.
  • Communication between additional subnets in the two VPCs is enabled by simply adding more routes.
  • Only one VPC peering connection can exist between the same two VPCs at any one time.
  • The VPCs can belong to different accounts and projects, but not to different regions.
  • The CIDR blocks of VPCs connected by a peering connection cannot overlap.
  • ECSs in either VPC can access resources at the peer end.
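The overlap constraints for VPN connections (under VPN Constraints and Limitations above) and for VPC peering come down to the same check, so one added example in Python (not Huawei Cloud code) covers both: it reports every pair of CIDR blocks that would violate a rule for the connections on one VPN gateway, and says whether two VPCs can be peered. The connection names, subnets and VPC CIDR blocks are constructed sample values.

```python
"""Overlap checks for VPN connections and VPC peering.

Added example, not Huawei Cloud code. It applies the constraints from the
notes: within a VPN connection the local and remote subnets must not
overlap and the remote subnets must not overlap each other; across all
connections on one VPN gateway neither the remote subnets nor the local
subnets may overlap; and two VPCs can only be peered if their CIDR blocks
do not overlap. All addresses below are constructed sample values.
"""
import ipaddress
from typing import List, Tuple


def overlapping_pairs(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Every pair of CIDR blocks in the list that overlaps."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    pairs = []
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                pairs.append((str(a), str(b)))
    return pairs


def _overlap(a: str, b: str) -> bool:
    return ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))


def validate_vpn_gateway(connections: List[dict]) -> List[str]:
    """connections: [{"name": ..., "local": [cidr, ...], "remote": [cidr, ...]}]
    for the connections of one VPN gateway. Returns the violations found."""
    problems: List[str] = []
    # Rules within a single connection
    for conn in connections:
        name = conn["name"]
        for a, b in overlapping_pairs(conn["remote"]):
            problems.append(f"{name}: remote subnets {a} and {b} overlap")
        for loc in conn["local"]:
            for rem in conn["remote"]:
                if _overlap(loc, rem):
                    problems.append(f"{name}: local {loc} overlaps remote {rem}")
    # Rules across connections of the same gateway
    for i, c1 in enumerate(connections):
        for c2 in connections[i + 1:]:
            for side in ("remote", "local"):
                for a in c1[side]:
                    for b in c2[side]:
                        if _overlap(a, b):
                            problems.append(
                                f"{c1['name']} and {c2['name']}: {side} subnets {a} and {b} overlap"
                            )
    return problems


def can_peer(vpc_a: str, vpc_b: str) -> bool:
    """VPC peering requires non-overlapping CIDR blocks."""
    return not _overlap(vpc_a, vpc_b)


if __name__ == "__main__":
    # Constructed sample: two site-to-cloud connections on one VPN gateway.
    # The second connection's remote 10.10.5.0/24 sits inside the first
    # connection's remote 10.10.0.0/16, which the notes forbid.
    gateway = [
        {"name": "dc-beijing", "local": ["192.168.0.0/24"], "remote": ["10.10.0.0/16"]},
        {"name": "dc-shanghai", "local": ["192.168.1.0/24"], "remote": ["10.20.0.0/16", "10.10.5.0/24"]},
    ]
    for problem in validate_vpn_gateway(gateway):
        print("VPN:", problem)
    print("peer 10.0.0.0/16 with 10.1.0.0/16:", can_peer("10.0.0.0/16", "10.1.0.0/16"))
    print("peer 10.0.0.0/16 with 10.0.128.0/17:", can_peer("10.0.0.0/16", "10.0.128.0/17"))
```

Run the same check against the on-premises ranges before choosing a VPC CIDR block; an overlap discovered after the VPC is populated is far more expensive to fix than one found in planning.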

Enterprise Router

  • An enterprise router is a cloud router that connects VPCs and on-premises networks using BGP. It dynamically selects or switches between connections, improving network scalability, efficiency and service continuity.

Key Specs For Enterprise Router

  • Cluster deployment and exclusive resources ensure high performance for large-scale networks.
  • Multiple links share load or work in active/standby pairs for enhanced reliability.
  • Resources (such as VPCs, VPN gateways and Direct Connect virtual gateways) are attached to an enterprise router, simplifying the network topology.
  • O&M efficiency is improved because BGP enables flexible switchover between connections and load balancing.
  • VPN connections can back up Direct Connect connections; an enterprise router can connect several on-premises and cloud networks.
  • Several VPCs can share one Direct Connect connection through the enterprise router.
  • The VPCs do not need to be peered with each other directly.
  • Different accounts can interconnect through one shared enterprise router.

Network Topology Comparison

  • The enterprise router topology is simpler and more scalable.
  • With four VPCs, full-mesh peering requires six VPC peering connections and 12 routes.
  • With an enterprise router, only the four VPC attachments are needed, because the enterprise router learns the VPC CIDR blocks.
  • Only routes pointing to the enterprise router need to be configured in the route table of each VPC.
  • This eliminates many VPC peering connections and reduces the workload of configuring and maintaining routes.
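To make the count above concrete, the following added Python example (not Huawei Cloud code) generates the route-table entries each design needs for a set of VPC CIDR blocks, reproducing the six peering connections and 12 routes for four VPCs. One assumption is mine and not from the notes: with an enterprise router, each VPC gets a single route for the smallest supernet covering all attached VPCs, with the enterprise router as next hop. VPC names and CIDR blocks are constructed sample values.

```python
"""Full-mesh VPC peering versus an enterprise router: routes to configure.

Added example, not Huawei Cloud code. For a set of VPCs it lists the
peering connections and per-VPC routes a full mesh needs, and the
attachments and routes an enterprise router (ER) design needs instead.
Assumption not taken from the notes: each VPC routes one covering
supernet to the ER. VPC names and CIDR blocks are constructed samples.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # (destination CIDR, next hop)


def peering_design(vpcs: Dict[str, str]) -> Tuple[List[str], Dict[str, List[Route]]]:
    """One peering per VPC pair; each peering needs a route in both VPCs."""
    peerings: List[str] = []
    routes: Dict[str, List[Route]] = {name: [] for name in vpcs}
    for a, b in combinations(sorted(vpcs), 2):
        peering = f"peering:{a}-{b}"
        peerings.append(peering)
        routes[a].append((vpcs[b], peering))
        routes[b].append((vpcs[a], peering))
    return peerings, routes


def covering_supernet(cidrs: List[str]) -> str:
    """Smallest single CIDR block that contains every block in cidrs."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return str(candidate)


def enterprise_router_design(
    vpcs: Dict[str, str], er_name: str = "er-1"
) -> Tuple[List[str], Dict[str, List[Route]], Dict[str, str]]:
    """One attachment per VPC; the ER learns each attached CIDR block and
    each VPC needs only one route, for the covering supernet, towards the ER."""
    summary = covering_supernet(list(vpcs.values()))
    if ipaddress.ip_network(summary).prefixlen == 0:
        # A 0.0.0.0/0 summary would send all traffic to the ER; pick VPC
        # blocks that summarise cleanly (e.g. consecutive /16s) instead.
        raise ValueError("VPC CIDR blocks do not summarise to a usable route")
    attachments = [f"{er_name}<-{name}" for name in sorted(vpcs)]
    routes = {name: [(summary, er_name)] for name in vpcs}
    learned = {cidr: f"attachment:{name}" for name, cidr in vpcs.items()}
    return attachments, routes, learned


def route_count(routes: Dict[str, List[Route]]) -> int:
    return sum(len(r) for r in routes.values())


if __name__ == "__main__":
    # Constructed sample: four VPCs with consecutive /16 blocks.
    vpcs = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16",
            "vpc-c": "10.2.0.0/16", "vpc-d": "10.3.0.0/16"}
    peerings, mesh_routes = peering_design(vpcs)
    print(f"peering: {len(peerings)} connections, {route_count(mesh_routes)} routes")
    attachments, er_routes, learned = enterprise_router_design(vpcs)
    print(f"ER: {len(attachments)} attachments, {route_count(er_routes)} VPC routes, "
          f"{len(learned)} learned on the ER")
    for vpc, entries in er_routes.items():
        print(vpc, entries)
```

Adding a fifth VPC to the mesh means four new peerings and eight new routes; with the ER it means one attachment and one route, which is the scaling argument the notes make.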

More on Enterprise Router

  • Unlike Cloud Connect, there is no need to connect all network instances to each other.
  • Route learning eliminates complex configuration and simplifies maintenance.
  • A Direct Connect connection can be combined with VPN as a backup, and multiple VPCs can share the Direct Connect connection through the enterprise router.
  • Route learning also removes the need for manual routes and speeds up network changes.
  • Multiple links share load or work in active/standby pairs for enhanced reliability.

VPC Endpoint (VPCEP)

  • VPC Endpoint (VPCEP) is a cloud service that extends VPC capabilities.
  • It provides secure, private channels to connect VPCs to endpoint services, with stable networking and without using EIPs.
  • VPCEP provides two types of resources: VPC endpoint services, created by service providers, and VPC endpoints, created by service users.
  • A VPC endpoint exposes only the endpoint service rather than all network resources, and access does not traverse the Internet.
  • VPC endpoints are useful for cross-VPC connections and for accessing Huawei Cloud services over the intranet.

Characteristics and Advantages Of VPC Endpoints

  • Excellent performance: each gateway node can handle millions of concurrent connections.
  • Ready to use: a VPC endpoint can be used within seconds of being created.
  • High compliance: no EIP is required; the VPC connects to the VPC endpoint service through the VPC endpoint.

VPC Peering Connections Compared To Endpoints

  • Scope: like Enterprise Router, VPC peering enables network-wide communication between the VPCs, whereas VPCEP exposes only specific service ports.
  • Accessible resources: peering makes all resources in the peer VPC reachable; a VPC endpoint exposes a single service or application, such as ECSs or a load balancer.
  • Overlapping CIDR blocks: not supported by VPC peering.
  • Direction: peered VPCs communicate in both directions; a VPC endpoint only initiates requests to its endpoint service.
  • Routes: peering requires routes in each VPC; an endpoint is reached through a local IP address in the user's VPC, so no routes are needed.
  • Exposure: peering opens the whole network, while an endpoint exposes only what is needed.
  • In short, peering provides network-wide communication and endpoints provide intranet access to one service.

Cloud Connect

  • Cloud Connect builds stable, high-speed, high-quality networks between VPCs in different regions.
  • It enables communication between network instances in the same or different regions over a private network.
  • Assign inter-region bandwidth to the cloud connection to enable cross-region connectivity.

Cloud Connect Application Scenarios

  • Cross-region multi-VPC communication: VPCs in different regions communicate over a compliant private network, improving network topology flexibility.
  • Interworking between data centers and VPCs: multiple on-premises data centers communicate with VPCs in different regions; Direct Connect brings on-premises traffic onto the cloud, and Cloud Connect connects all the VPCs.

Technical aspects of Cloud Connect

  • Full connectivity: any two connected network instances can communicate, and packets are forwarded directly without passing through other instances.
  • Ease of use: cross-region network connectivity is established in just a few steps.
  • Excellent performance: uses Huawei's global network to transmit data over the shortest path for low latency, with flexible bandwidth.
  • Global compliance: complies with local laws and regulations.
  • Accounts: network instances from other accounts can be added with their authorization.

Cloud Connect Constraints

  • A cloud connection can connect a maximum of six network instances in each region.
  • A VPC can be added to only one cloud connection.
  • The subnets (CIDR blocks) to be advertised must be specified for each network instance.
  • Up to 50 CIDR blocks per network instance are supported.

Elastic IP Addresses (EIP)

  • EIPs are public IPv4 addresses. They can be bound to or unbound from an ECS, and they use public network bandwidth for Internet access.

EIP Billing Options

  • Billing options: pay-per-use (by bandwidth or by traffic), yearly/monthly, shared data packages and bandwidth add-on packages.
  • Assign an EIP and bind it to an ECS so that the ECS can communicate over the Internet.
  • Binding and unbinding take effect immediately and automatically.
  • You can request a specific EIP or let the system assign one.
  • A bandwidth size is set for each EIP.

EIP Use Cases

  • Connecting to the Internet requires an EIP.
  • Cloud servers with EIPs can communicate over the Internet.
  • An EIP bound to a load balancer lets it distribute Internet requests to backend servers.
  • Binding an EIP to a NAT gateway lets numerous cloud servers share one IP address for Internet access.

Important items for NAT Gateways

  • A NAT gateway provides network address translation (NAT) so that multiple servers in a VPC share one EIP.
  • Use a NAT gateway when servers need to access the Internet but must not be directly reachable from it.
  • An EIP (42.123.115.120 in the training diagram) is bound to the NAT gateway and shared by all servers that use it.
  • Servers that reach the Internet through the NAT gateway do not need EIPs of their own.
  • Add an SNAT rule for the subnet on that gateway.

NAT Types

  • SNAT, for servers reaching out to the Internet: create a public NAT gateway, add an SNAT rule for the source subnet, and route the subnet's outbound traffic to the gateway.
  • Servers keep their private IP addresses and are not exposed; access is easy and availability is guaranteed by the service.
  • DNAT, for servers providing services to the Internet: add a DNAT rule that maps the gateway's EIP and a port to a server's private IP address and port.
  • A single EIP on the gateway can front multiple servers through different DNAT ports.
  • Enforcing this architecture improves network security: NAT provides the full benefits of an EIP while you avoid binding public IP addresses directly to your VMs.

Binding Considerations

  • To allow an ECS in a VPC to be accessed from the Internet, bind an EIP to the ECS.
  • To enable multiple cloud servers in a VPC to access the Internet, use an EIP and a NAT gateway together.
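Added example, not Huawei Cloud code: a small stateful model of the public NAT gateway that demonstrates the security property described above, namely that servers behind SNAT are not directly reachable. Outbound packets from a subnet with an SNAT rule leave with the gateway's EIP as source, replies are mapped back to the originating server, and unsolicited packets from the Internet are dropped unless a DNAT rule maps that EIP port to a server. The EIP 42.123.115.120 is the one from the notes; the private addresses, Internet hosts and ports are constructed sample values.

```python
"""Model of the SNAT and DNAT behaviour of a public NAT gateway.

Added example, not Huawei Cloud code. Outbound packets from subnets with an
SNAT rule leave with the gateway EIP as source; replies are mapped back to
the originating server; anything else arriving from the Internet is
dropped unless a DNAT rule maps that EIP port to a server. The EIP
42.123.115.120 comes from the notes; the other addresses and ports are
constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint


class PublicNatGateway:
    def __init__(self, eip: str, snat_subnets: List[str], port_base: int = 1024):
        self.eip = eip
        self.snat_subnets = [ipaddress.ip_network(s) for s in snat_subnets]
        self.dnat_rules: Dict[int, Endpoint] = {}  # EIP port -> server
        self.sessions: Dict[int, Tuple[Endpoint, Endpoint]] = {}  # NAT port -> (server, remote)
        self.next_port = port_base

    def add_dnat_rule(self, eip_port: int, server: Endpoint) -> None:
        self.dnat_rules[eip_port] = server

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """VPC -> Internet. Returns the translated packet, or None when the
        source subnet has no SNAT rule on this gateway."""
        if not any(ipaddress.ip_address(pkt.src[0]) in n for n in self.snat_subnets):
            return None
        for port, (server, remote) in self.sessions.items():
            if server == pkt.src and remote == pkt.dst:
                return Packet((self.eip, port), pkt.dst)  # existing session
        while self.next_port in self.dnat_rules:  # never hand out a DNAT port
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        self.sessions[port] = (pkt.src, pkt.dst)
        return Packet((self.eip, port), pkt.dst)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> VPC. Only replies to SNAT sessions from the same remote
        endpoint and explicit DNAT targets get through; the rest is dropped."""
        if pkt.dst[0] != self.eip:
            return None
        port = pkt.dst[1]
        session = self.sessions.get(port)
        if session and session[1] == pkt.src:
            return Packet(pkt.src, session[0])
        if port in self.dnat_rules:
            return Packet(pkt.src, self.dnat_rules[port])
        return None


def demo() -> Dict[str, Optional[Packet]]:
    """Run the scenarios from the notes and return the translated packets."""
    gw = PublicNatGateway("42.123.115.120", ["192.168.0.0/24"])
    gw.add_dnat_rule(80, ("192.168.0.20", 8080))  # one EIP port exposes one server
    web_client = ("192.168.0.10", 40000)        # ECS in the SNAT subnet
    update_server = ("203.0.113.5", 443)         # constructed Internet host
    scanner = ("198.51.100.7", 5555)             # constructed unsolicited source
    out = gw.outbound(Packet(web_client, update_server))
    assert out is not None
    return {
        "snat_out": out,                                              # source is the EIP
        "snat_reply": gw.inbound(Packet(update_server, out.src)),     # back to the ECS
        "unsolicited_ssh": gw.inbound(Packet(scanner, ("42.123.115.120", 22))),  # dropped
        "dnat_http": gw.inbound(Packet(scanner, ("42.123.115.120", 80))),       # to :8080
        "no_snat_rule": gw.outbound(Packet(("192.168.5.10", 40000), update_server)),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(f"{scenario:16} {result}")
```

The model is deliberately one-directional for DNAT: a DNAT rule exposes exactly one (port, server) pair, so port 22 of the ECS stays unreachable even though port 80 is published through the same EIP.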

Elastic Network Interfaces

  • A network interface is attached to an ECS for network communication.
  • Network interfaces can be moved between ECSs in the same VPC; the ECSs do not need to be in the same subnet.
  • The primary network interface of an ECS cannot be detached from its instance.
  • A network interface carries a private IP address, an EIP, security groups, a MAC address and extended settings.
  • Typical uses of the extended settings: security isolation, failover and license (authorization) transfer.

Virtual IP Addresses

  • A virtual IP address can be bound to or unbound from ECSs; it is assigned from a subnet and can only be bound to resources in the same subnet.
  • Typical scenarios: active/standby ECS switchovers and virtual IP address changes.
  • If communication with the active ECS fails, the virtual IP address is unbound from it and bound to the standby ECS.

Domain Name Service (DNS)

  • DNS translates domain names into the IP addresses required for network connections, directing users to applications.
  • The service is a highly available, scalable, authoritative Domain Name System web service.
  • It offers high performance, robust security, private zone resolution and reverse resolution.

DNS Technical Notes

  • A single node can handle millions of queries.
  • Anti-DDoS protection is built in.
  • VPCs can use private DNS securely.
  • Records are protected, resolution efficiency is improved, latency is lowered and DNS spoofing is prevented.
  • Reverse resolution uses pointer (PTR) records.

DNS Use-Cases

  • DNS provides private domain name resolution within VPCs, decoupling services from IP addresses.
  • Key use cases: hostnames, service transitions (changing backends without changing names), cloud resource access and nearby access.

DNS Resolution

  • Public DNS resolution translates a domain name to the IP addresses needed for routing.
  • Private DNS resolution maps a domain name (such as ecs.com) and its subdomains to private IP addresses in one or more VPCs, so that communication works without the Internet.
  • Private DNS also makes it easy to change the IP address behind a name without reconfiguring clients.

Overview Of Network Architecture

  • A network architecture should always meet security, reliability, performance, cost and maintainability requirements.
  • Security: static data (data at rest) is encrypted with managed keys; dynamic data (data in transit) is encrypted in tunnels (TLS); event response means knowing the systems and architecture and having automatic alerts.
  • Connectivity is limited: access is restricted by default.
  • Flow logs and configuration changes are recorded and audited.
