Networking Basics and Amazon VPC

Questions and Answers

What is the term for the protocol used to assign IP addresses dynamically within a network?

DHCP (Dynamic Host Configuration Protocol)

What does CIDR stand for?

Classless Inter-Domain Routing

Match the OSI model layer to its primary function:

Application (Layer 7) = Means for an application to access a computer network
Presentation (Layer 6) = Ensures application layer data is readable; handles encryption
Session (Layer 5) = Enables orderly exchange of data
Transport (Layer 4) = Provides protocols for host-to-host communication (e.g., TCP, UDP)
Network (Layer 3) = Routing and packet forwarding (e.g., IP)
Data Link (Layer 2) = Transfer of data in the same LAN (e.g., MAC addresses, switches)
Physical (Layer 1) = Transmission of raw bitstreams over a physical medium

What AWS service allows you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources?

Amazon VPC (Virtual Private Cloud)

A single Amazon VPC can span multiple AWS Regions.

False (B)

Subnets within a VPC belong to a single Availability Zone.

True (A)

What is the largest IPv4 CIDR block size you can assign to a VPC?

/16

What is the smallest IPv4 CIDR block size you can assign to a VPC?

/28

The CIDR blocks of subnets within the same VPC are allowed to overlap.

False (B)

How many IP addresses are reserved by AWS in each subnet?

5

What type of public IP address is associated with an AWS account and can be allocated and remapped between instances?

Elastic IP address

What is the term for a virtual network interface that can be attached to and detached from EC2 instances?

Elastic Network Interface (ENI)

What component contains rules (routes) to direct network traffic from your subnet?

Route Table

What component allows communication between instances in your VPC and the internet?

Internet Gateway (IGW)

What AWS service enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances?

NAT Gateway

VPC Peering allows connections between VPCs even if their IP address spaces overlap.

False (B)

VPC Peering supports transitive routing (e.g., VPC A peered with B, and B peered with C, does not automatically allow A to talk to C).

True (A)

What service establishes a secure, private connection between your data center or corporate network and your VPC over the public internet?

AWS Site-to-Site VPN

What service provides a dedicated private network connection from your premises to AWS?

AWS Direct Connect

What service acts as a central hub to interconnect multiple VPCs and on-premises networks?

AWS Transit Gateway

What type of firewall operates at the EC2 instance level?

Security Group

Security groups are stateful.

True (A)

Security groups support both allow and deny rules.

False (B)

What type of firewall operates at the subnet level?

Network Access Control List (Network ACL)

Network ACLs are stateful.

False (B)

Network ACLs support both allow and deny rules.

True (A)

Match the firewall type with its characteristics:

Security Group = Instance level, Stateful, Allow rules only
Network ACL = Subnet level, Stateless, Allow and Deny rules

What AWS service provides a scalable Domain Name System (DNS) web service?

Amazon Route 53

Which Route 53 routing policy is used to route traffic based on the location of your users?

Geolocation routing

Which Route 53 routing policy allows you to configure a backup site to handle traffic if your primary site becomes unreachable?

Failover routing

What is the general term for a globally distributed system of caching servers used to deliver content faster to users?

Content Delivery Network (CDN)

What is AWS's fast, global, and secure Content Delivery Network (CDN) service?

Amazon CloudFront

What are the global network points within the CloudFront infrastructure where content is cached and served to users?

Edge locations

Which AWS networking service enables a company to create a virtual network within AWS?

Amazon VPC (D)

Flashcards

What is a Network?

A set of computers connected to share resources.

What is an IP address?

A unique numerical label assigned to each device in a network that uses the Internet Protocol for communication.

What is an IPv4 address?

A 32-bit numerical label assigned to each device in a network that uses the Internet Protocol for communication.

What is an IPv6 address?

A 128-bit numerical label assigned to each device in a network that uses the Internet Protocol for communication.

What is CIDR?

A concise way to represent an IP address and its associated routing prefix.

What is the OSI model?

A conceptual model that standardizes the communication functions of a telecommunication or computing system without regard to its underlying internal structure and technology.

What is Amazon VPC?

Provides a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

Are VPCs isolated?

Logically isolated from other VPCs.

What are subnets?

Range of IP addresses that divide a VPC.

What is a CIDR block?

When creating a VPC, you assign it an IPv4 CIDR block: the range of private IPv4 addresses the VPC uses.

Can I change the address range of a VPC?

Cannot change after VPC creation.

What is a Network Interface?

An abstraction representing the virtual network interface that an instance uses.

What is a Route Table?

Contains a set of rules to direct network traffic from subnets.

What is a local route?

A table that contains a built-in local route for communication within the VPC.

What does an Internet Gateway enable?

Allows communication between your VPC and the internet.

What does a NAT gateway do?

Enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with the instances.

What is a VPC Peering?

Enables you to connect one VPC with another.

What does a Site-to-Site VPN enable?

Enables you to connect your VPC to your on-premises data center.

What does AWS Direct Connect enable?

Enables you to directly connect your networks to AWS, inside your VPC.

What is a Transit Gateway?

Provides scalable connectivity between VPCs and on-premises networks.

What do VPC Endpoints enable?

Allow you to privately connect to AWS services without requiring internet gateways, NAT devices, VPN connections, or Direct Connect connections.

What do Security Groups control?

Act as a virtual firewall for controlling inbound and outbound traffic on instances.

What do Network ACLs control?

Act as a firewall for controlling inbound and outbound traffic on subnets.

What is Amazon Route 53?

A highly available and scalable Domain Name System (DNS) web service.

What does Weighted Round Robin routing do?

Assigns weights to resource record sets to specify the frequency with which each one is returned.

What does Latency routing do?

Help improve your global applications.

What does Geolocation routing do?

Route traffic based on location of your users.

What is Failover routing?

Fail over to a backup site if your primary site becomes unreachable.

What is a CDN?

A globally distributed system of caching servers.

What is Amazon CloudFront?

A fast, global, and secure CDN service.

Study Notes

Networking Basics

  • A network consists of subnets and routers
  • IP addresses are numerical labels assigned to each device participating in a computer network for communication
  • IPv4 is a 32-bit address, represented in dotted decimal format (e.g., 192.0.2.0)
  • IPv6 is a 128-bit address, represented in hexadecimal format (e.g., 2600:1f18:22ba:8c00:ba86:a05e:a5ba:00FF)
  • Classless Inter-Domain Routing (CIDR) is an IP addressing scheme that specifies both the network and host portions of an IP address
    • A CIDR block looks like this: 192.0.2.0/24
        • 192.0.2.0 is the network identifier (routing prefix)
        • The 24 indicates that the first 24 bits are fixed
  • The Open Systems Interconnection (OSI) model is a conceptual framework that standardizes the functions of a telecommunication or computing system into seven abstraction layers:
    • Physical
    • Data Link
    • Network
    • Transport
    • Session
    • Presentation
    • Application

Amazon VPC

  • Enables you to provision a logically isolated section of the AWS Cloud to launch AWS resources in a virtual network that you define.
  • Gives you control over your virtual networking resources, including selection of IP address range, creation of subnets, and configuration of route tables and network gateways.
  • Allows you to customize the network configuration and use multiple layers of security.
  • VPCs are logically isolated and dedicated to your AWS account and belong to a single AWS Region. They can span multiple Availability Zones.
  • Subnets are ranges of IP addresses that divide a VPC.
  • Subnets belong to a single Availability Zone and are classified as public or private
  • When creating a VPC, assign it to an IPv4 CIDR block (range of private IPv4 addresses).
  • After creating the VPC, the address range cannot be changed.
  • The largest IPv4 CIDR block size is /16 with 65,536 addresses
  • IPv6 is also supported, with a different block size limit.
  • The IPv4 CIDR blocks of subnets within the same VPC must not overlap.
  • For a VPC with an IPv4 CIDR block of 10.0.0.0/16, there are 65,536 total IP addresses, which can be divided into four equal-sized subnets
  • Only 251 IP addresses are available for use in each subnet, because AWS reserves 5 addresses in every subnet.
  • A public IPv4 address can be manually assigned through an Elastic IP address.
  • Public IPv4 addresses are automatically assigned through the auto-assign public IP address settings at the subnet level
  • Elastic IP addresses are associated with an AWS account
  • Elastic IP addresses can be allocated and remapped anytime and additional costs might apply.
  • An elastic network interface is a virtual network interface that can be attached to an instance, detached, and attached to another instance to redirect network traffic
  • Attributes of the network interface follow when it is reattached to a new instance
  • Each instance in a VPC has a default network interface that is assigned a private IPv4 address from the IPv4 address range of your VPC.
  • A route table contains a set of rules (or routes) that direct network traffic from your subnet
  • Each route specifies a destination and a target.
  • By default, every route table contains a local route for communication within the VPC.
  • Each subnet must be associated with a route table, and can be associated with only one route table at a time.

VPC Networking

  • Different VPC networking options:
    • Internet gateway
    • NAT gateway
    • VPC endpoint
    • VPC peering
    • VPC sharing
    • AWS Site-to-Site VPN
    • AWS Direct Connect
    • AWS Transit Gateway

VPC Security

  • Security groups provide rules that control inbound and outbound instance traffic; by default they deny all inbound traffic and allow all outbound traffic
  • Security groups are stateful.
  • All rules are evaluated before a decision is made to allow traffic.
  • Network access control lists (ACLs) are security layers at the subnet level
  • They have separate inbound/outbound rules that either allow/deny traffic
  • Default network ACLs allow all inbound and outbound IPv4 traffic
  • Custom network ACLs deny all inbound and outbound traffic until rules are added.
  • Network ACLs are stateless

Amazon Route 53

  • It is a highly available and scalable Domain Name System (DNS) web service used to route end users to internet applications by translating names (like www.example.com) into numeric IP addresses (like 192.0.2.1) that computers use to connect to each other
  • Route 53 is fully compliant with IPv4 and IPv6 and connects user requests to infrastructure running in AWS and outside of AWS
  • Features include health checks, traffic flow, and the ability to register domain names.
  • Route 53 supports the following routing policies:
    • Simple routing
    • Weighted round robin routing
    • Latency routing
    • Geolocation routing
    • Geoproximity routing
    • Failover routing
    • Multivalue answer routing

Amazon CloudFront

  • It is a fast, global, and secure Content Delivery Network (CDN) service, composed of a global network of edge locations and regional edge caches
  • Benefits include:
    • Fast and global
    • Security at the edge
    • Highly programmable
    • Deeply integrated with AWS
    • Cost-effective
  • Edge locations are a network of data centers that store content that CloudFront uses to serve popular content quickly to customers.
  • Regional edge caches cache content that is not popular enough to stay at an edge location.
