Skip to content

Latest commit

 

History

History
733 lines (587 loc) · 20.6 KB

README.md

File metadata and controls

733 lines (587 loc) · 20.6 KB

Networking

Can an instance on a public subnet (e.g. has an IGW) browse the web (i.e. outbound traffic) if it doesn't have a public IP? No. (Tested this)
CloudFront Are the choice of edge location chosen for a user's request is dependent on a DNS check? Yes
How does CloudFront determine which edge location to use for a user? Latency Based Routing (DNS)
Are CloudFront template names unique within your entire AWS account? Yes
In Route 53, why might a CloudFront distribution not be showing up as an available endpoint? Your CF distribution has no "Alternate Domain Name"
Can DNS issue cause perf issues? Yes
VPCCan have ____ IGWs 1
ELBWhat may cause it to stop sending traffic to instances in multiple AZ's? AZ's not added to the ELB.  

Cross-AZ load balancing disabled.

How is inbound traffic in AWS ensured it's coming from the real source? Packet Filtering
Do placement groups require instances to have Ehanced Networking enabled? Yes
ELB PublicNeeds at least ____ subnets added to work 2
ELB Connection draining is... ELB waits for connections to the EC2 instance to close before removing the instance
In a default AWS VPC, does any subnet automatically has a route to all other subnets regardless whether private/public? Yes
To browse the web, a machine on a private subnet with a public IP needs: An Internet Gateway and NAT Gateway
A NAT instance can forward traffic from other instances if... Source/Destination checks are disabled
VPC Where to define your on-premise firewall/router public IP? Customer Gateway
Direct ConnectHas VPC Peering No It connects on-prem to a VPC
ELBHow can you point the root of your domain to an ELB? Route53 alias
Direct Connect Requires hardware in your data center? No, just a participating backbone provider (e.g. Verizon)
Direct Connect Requires a _________ per VPC you're connecting to. Private Virtual Interface
Route53 Weighted Routing Policy Route traffic by percentages
What is VPN CloudHub? A hub for on-prem datacenters
Direct Connect Requires ____ protocol routing Border Gateway (BGP)
Route tablesHow to route connections to the Internet from your subnet? Destination: 0.0.0.0/0 Target: IGW
Route53 Latency Based RoutingUse cases Choosing AWS Regions with the best latency

Multi-regional apps Multi-regional failover

Can a placement group span multiple VPCs? Yes
A Virtual Private Gateway can be referenced by ____ VPN connections 10
ELBAre just EC2 instances auto-scaling based on traffic, with load balancing software installed? Yes
SubnetsAre configured in... The Auto-Scaling Group
ELB caps the number of connections sent to your internal web servers? No
If you want an EC2 instance to have a public IP address, you can attach _____ An Elastic IP
To establish a VPN connection between an on-premises data center and an Amazon VPC virtual private gateway, you might assigned a public, static IP address to an Amazon _____ gateway. Customer
Can new subnets communicate with each other across Availability Zones in a custom AWS VPC? By default yes
Amazon VPC is the networking layer for ____ EC2
Enable Internet access to an instance Attach IGW to VPC Add a route between subnet and IGW Check ACLs / security groups rules if still no good
Direct Connect You can hit public endpoints over a private connection and AWS's backbone only without hitting the internet using Public Virtual Interfaces
Direct ConnectEnables connectivity to the closest geographic region and others? Yes
For Route53 to direct your "www." sub-domain to an ELB in front your web servers, you should set a _____ record. CNAME
A VPC subnet is considered "public" if it has at least one route in its associate _____ that uses an Internet Gateway. routing table
A _____ acts as a firewall that controls the traffic allowed to reach one or more instances.  Security Group
Which Amazon service can I use to define a virtual network that resembles a data center? Amazon VPC
Route tablespurpose Sets rulesDetermining where traffic from subnets / gateways is directed
AWS Provide port scanning protection? Yes
An _____ can be attached to a VPC to enable traffic between resources and the Internet Internet Gateway
Can you launch AWS resources into a specific subnet? Yes
VPCHow to enable IPV4 outbound-only communication? NAT Gateway
In a VPC What is the Route 53 DNS IP? VPC CIDR range + 2   Ex.:VPC CIDR 172.31.0.0/16  DNS Server172.31.0.2
VPCA security group can have ____ rules 50
Can you peer VPC's across regions? No
An AWS region can have ____ VPCs 5
VPC CustomAn instance launched into a custom VPC receives a public ip by default No
AWS Route53 can have ____ max domain names 50 (upgradable)
Can a placement group span multiple regions? No
A VPC can have ____ subnets 20
A VPC can have ____ VPN connections. 10
Direct Connect Can connect VPCs in different regions? Yes
Can a subnet span multiple AWS availability zones? No
An AWS Region can have ____ VPCs 5
Does VPC support ipv6? No
An AWS VPC can have ____ Virtual Private Gateways 1
VPC A region can have ____ security groups 500
Route53 Supports Apex records (naked domain names)? Yes
A VPC can have ____ security groups 500
Does an instance launched into the default VPC receive a public IP? Yes
AWS AZ means Availability Zone
ELB Supports ipv6? Yes
What is a public subnet in an AWS VPC? One with atleast one IGW route in its table
VPC Default Does it have a default IGW attached to all 4 default subnets? Yes
Where are Instance size, AMIs, security groups configured? Launch Configuration
You have an EC2 security group with several EC2 instances running inside it. You change the security group rules to allow inbound traffic on port 443 and you then launch several new instances in the same security group. How and when do the new rules apply? Straight away to all instances within the security group.
If you are unable to access your EC2 linux instance via SSH, it could be because the port 22 is closed on the _____ for incoming traffic. Security Group
Can you restrict who has access to specific EC2 instances via security groups? Yes
An EC2 security group has several running EC2 instances. You change the security group rules to allow inbound traffic on a new port and protocol, and launch several new instance in the same security group. How and when do the new rules apply? Immediately to all present and future instances in the security group.
Can an S3 Bucket be a CloudFront origin? Yes
Can a CloudFront signed url be set to expire after a configurable timeout? Yes
You need to deploy EC2 instances in to multiple availability zones. What is the minimum number of VPC subnets required? One subnet for each AZ
A wordpress site is running on an EC2 instance with Route53 and ELBs. When you browse the URL, nothing happens. What are some potential causes? EC2 instance's security group ports 80/443 are closed ELB health checks a webpage that does not exist, refusing service. Missing ALIAS for your A record to point to the ELB
A custom VPC has a private subnet with one EC2 instance, and a public subnet with 3 EC2 instances, each with an Elastic IP attached. To give Internet access to the private subnet's instance, you can deploy _____ and then update the main route table to send traffic to the private subnet via it. NAT
Can peering connections be created across regions? No
A VPC's rules are as follows: ALLOW port 80, DENY port 80. What happens? Port 80 will be allowed. A DENY will have no affect if something is specifically allowed before it.
Does Cloudfront allow you to specify an origin based on the kind of device accessing it. Yes
In CloudFront can you upload to an edge location and have it sync back to the origin? Yes - by allowing PUT/POST in "Allowed HTTP Methods"
The SR-IOV driver required for Enhanced Networking stands for _____.  This driver is in the Amazon HVM Linux AMI's by default. For AMI's that don't have it you can install the driver yourself. Single Root I/O Virtualization
Can Network traffic entering and exiting each subnet can be allowed or denied via network Access Control Lists (ACLs)? Yes
What could you use to establish a VPN connection between your data center and a VPC virtual private gateway? VPC Customer Gateway
What's a VPC? A virtual network
Does an Elastic Network Interface support security groups? Yes
Can a VPC's subnets communicate with each other across Availability Zones by default? Yes - using the main route table
Can an ELB be a CloudFront origin? Yes
_____ URLs can be created to access objects from CloudFront edge locations Signed
Can a subnet span multiple regions? No
Can Glacier be used as a CloudFront origin server? No
You are designing an image sharing website that will distribute images across the world. You need maximise performance so that your end users can download frequently accessed images as fast as possible. What AWS technology should you implement? CloudFront
When are CloudFront edge location caches updated? When something is requested
How do you point your website's apex record to the public DNS of an ELB? ALIAS
You have created 4 weighted resource record sets with weights 1, 2, 3 and 4. The 3rd record set is selected by Route53 _____% of the time. 30%
Can a personal webserver be used as an origin server in CloudFront? Yes
When content is missing at a CloudFront edge location and a request is made to it, CloudFront delivers content from _____ and caches it the origin
The best way to route a website�s traffic to an ELB is to create a Route53 _____ record for the website, pointing it to the ELB's DNS name. CNAME
A subnet is a range of _____ in a VPC IP addresses
CloudFront optimises video livestreams by cache media at the edges and combining them in the _____ client
Network ACLs restrict traffic to a _____ subnet
Does a VPC always exist across multiple AZ's in a region? Yes
Can a CloudFront signed url be set to expire after a certain number of uses? Yes
Direct access to S3 URLs can be _____ therefore allowing access only through CloudFront URLs removed 
Can an S3 bucket be used as a CloudFront origin server? Yes
A user requests a file in CloudFront, which routes them to the nearest _____ via DNS. edge location
You can override S3 bucket permissions in CloudFront by using an _____ identity. origin access
In CloudFront you can create different behaviors like cache timeout using _____ Patterns
Auto Scaling health checks use the ____ status checks by default. instance
A limitation of using S3 for a failover page is that the bucket name needs to match the domain name. But with _____ you can configure multiple alternate domain names on the distribution. CloudFront
Can it be cheaper and faster to deliver content via CloudFront than directly from S3? Yes
Is there an additional charge for enhanced networking? No
Using CloudFront, to serve content that is stored in S3, but not publically accessible from S3 directly, you could create an _____ and grant it access to your S3 bucket objects. Origin Access Identity (OAI)
A VPC network must support two applications: one internet-facing and one only accessible internally over VPN. Both applications must leverage at least three AZs for high availability. How many subnets must you create within your VPC to accommodate these requirement at minimum? 6
To ensure failover capabilities, consider using a secondary _____ IP for incoming traffic on a network interface. private
Peforming NAT for instances assigned a Public IP and providing a target for route tables are some of the purposes of an _____ Internet Gateway
Link your infrastructure to AWS directly via fiber, you could use _____ Direct Connect
In a default VPC, each EC2 instance is assigned a _____ IP and a _____ IP.
 Private IP and Public IP
Can you put a CNAME on the apex of a domain? No
To enable outbound-only IPV6 communication, you could use an Egress _____ Egress Internet Gateway
Can Security Groups be nested? No
Can Security Groups work outside of a VPC? Yes
In Amazon VPC, does an instance retain its private IP address when the instance is stopped? Yes
Default subnets are assigned a /_____ netblocks /20
Can a subnet span multiple availability zones? No
When adding a rule to an RDS security group, do you need to specify the protocol and port? Yes
In a newly created security group, all outbound traffic is _____ by default. allowed
A public subnet has EC2 instances running inside an autoscaling group, all of which are in the same security group. An application running on these instances requires a specific port to be opened in order to be globally accessible to devices on the Internet. What could you do to allow these instances to communicate over this port immediately? Open the required port on the security group.
In an EC2 instance, how can you find your own IP address? curl http://169.254.169.254/latest/meta-data/
Security Groups restrict access to _____ EC2
For an EC2 instance to become accessible from the Internet, you could attach _____ an Elastic IP
Network ACLs are _____ and any return ports must be specifically allowed. stateless
In a newly created security group, all inbound traffic is _____ by default. forbidden
You have an EC2 instance with Internet access, running inside a public subnet. You launch a second instance in the subnet using the same AMI (Amazon Machine Image) and security group configuration, but this instance cannot be accessed fro the Internet. To enable Internet access, you should _____ Assign an elastic IP address to the second instance.
Is transitive VPC peering possible? No. Any two pairs need their own peering connections.
Is the data transferred over Direct Connect billed at a lower rate? Yes
A Security Group default settings are to _____ inbound traffic and _____ outbound traffic. DENY inbound traffic ALLOW outbound traffic
Is it mandatory to assign at least one Security Group to your server? Yes
When an EC2 instance is stopped, does it retain its private IP address indefinitely? Yes
When an S3 bucket is marked private, you can create an _____ to access the objects via CloudFront Origin Access Identity
Security groups are _____, meaning they track inbound sessions to allow outgoing over any port. stateful
Is an Internet Gateway horizontally scalable? Yes