AWS Networking
130 cards — 🟢 20 easy | 🟡 77 medium | 🔴 27 hard
🟢 Easy (20)
1. What is AWS Route 53 and what DNS capabilities does it provide?
Show answer
[AWS Route 53](https://aws.amazon.com/route53): "Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service..."
Some of Route 53 features:
* Register domains
* DNS service - domain name translations
* Health checks - verify your app is available
* Not a feature but its SLA is 100% availability
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
2. What is an "Amazon VPC"?
Show answer
A service to launch AWS resources in a logically isolated network.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
3. What is one possible use case for using calculated health checks?
Show answer
Performing maintenance for a website without causing all the health checks to fail.
Remember: ELB health checks: interval (how often), threshold (consecutive successes/failures), timeout (how long to wait). Unhealthy targets are removed from rotation until they recover.
4. What is VPC peering and how does it enable cross-VPC communication?
Show answer
[docs.aws](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html): "A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses."
Remember: VPC peering = direct, non-transitive connection between two VPCs. Traffic stays on the AWS backbone. No transitive routing (A-B-C won't work).
5. What is an Internet Gateway?
Show answer
[AWS Docs](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html): "component that allows communication between instances in your VPC and the internet"
In addition it's good to know that IGW is:
* Highly available and redundant
* Not providing internet access on its own (you need to edit the route tables)
* Created separately from VPC
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
6. What is Amazon Route 53?
Show answer
Route 53 is AWS's scalable Domain Name System (DNS) web service. It's used for domain registration, DNS routing (translating domain names to IP addresses of AWS or non-AWS resources), and health checking.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
7. You have noticed your VPC's subnets (which use x.x.x.x/20 CIDR) have 4096 available IP addresses although this CIDR should have 4096 addresses. What is the reason for that?
Show answer
AWS reserves 5 IP addresses in each subnet - the first 4 and the last one - so they aren't available for use.
Remember: /16 = 65,536 IPs, /24 = 256 IPs, /28 = 16 IPs. AWS reserves 5 IPs per subnet (network, router, DNS, future, broadcast).
8. What is AWS Direct Connect?
Show answer
Allows you to connect your corporate network to the AWS network.
Remember: Direct Connect = dedicated physical link from your datacenter to AWS. Lower latency, consistent bandwidth vs. VPN over internet.
9. What is a routing policy in regards to AWS Route 53?
Show answer
A routing policy defines how Route 53 responds to DNS queries.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
10. Explain what is CloudFront
Show answer
AWS definition: "Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment."
More on CloudFront [here](https://aws.amazon.com/cloudfront)
Remember: CloudFront = AWS CDN. Edge locations cache content globally. Origin can be S3, ALB, or custom HTTP server. Use Origin Access Control (OAC) to restrict S3 access to CloudFront only.
11. What is ELB (Elastic Load Balancing)?
Show answer
[AWS Docs](https://aws.amazon.com/elasticloadbalancing): "Elastic Load Balancing automatically distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions."
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
12. What is a "Security Group"?
Show answer
A virtual firewall controlling traffic for EC2 instances.
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
13. What is an Elastic IP address?
Show answer
[AWS Docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html): "An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account, and is yours until you release it. By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account."
Remember: EIP = static public IPv4 address. Free when attached to a running instance. Charges apply when unattached (to discourage hoarding).
14. What is a VPC (Virtual Private Cloud) in AWS networking?
Show answer
A logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. Read more about it [here](https://aws.amazon.com/vpc).
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
15. What is the difference between CNAME record and an Alias record?
Show answer
CNAME is used for mapping one hostname to any other hostname, while Alias is used to map a hostname to an AWS resource.
In addition, Alias records work for both root domains (somedomain.com) and non-root domains, while CNAME works only with non-root domains (foo.somedomain.com).
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
16. What is AWS Global Accelerator?
Show answer
Amazon definition: "AWS Global Accelerator is a service that improves the availability and performance of your applications with local or global users..."
Learn more [here](https://aws.amazon.com/global-accelerator)
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
17. What is Amazon VPC and how does it provide network isolation in AWS?
Show answer
Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated virtual network in AWS where you can launch resources with your defined IP ranges, subnets, route tables, etc. It's like having your own network in the cloud, with full control over network settings.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
18. What is an "Elastic IP"?
Show answer
A static public IP address that can be moved between instances.
Remember: EIP = static public IPv4 address. Free when attached to a running instance. Charges apply when unattached (to discourage hoarding).
19. When creating a new VPC, there is an option called "Tenancy". What is it used for?
Show answer
[AWS Docs](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html): the `Tenancy` option defines whether EC2 instances that you launch into the VPC will run on hardware that's shared with other AWS accounts or on hardware that's dedicated for your use only.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
20. What is the advantage of referencing security groups from a given security group?
Show answer
Imagine you have an instance whose security group rules reference two other security groups, allowing inbound traffic from them.
Now imagine you have two instances, each using one of the security groups referenced by the first instance. This means the first instance can receive traffic from these two instances because they use the security groups referenced in its rules. No need to use IPs.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
🟡 Medium (77)
1. Explain "health checks" in the context of AWS ELB
Show answer
Health checks are used by ELB to check whether EC2 instance(s) are working properly.
If health checks fail, ELB knows not to forward traffic to the specific EC2 instance where the health checks failed.
Remember: ELB health checks: interval (how often), threshold (consecutive successes/failures), timeout (how long to wait). Unhealthy targets are removed from rotation until they recover.
2. True or False? AWS ELB health checks are done on a port and a route
Show answer
True. For example, port `2017` and endpoint `/health`.
Remember: ELB health checks: interval (how often), threshold (consecutive successes/failures), timeout (how long to wait). Unhealthy targets are removed from rotation until they recover.
3. Explain the significance of Security Groups and NACLs in AWS.
Show answer
Security Groups: Act as virtual firewalls for EC2 instances to control inbound and outbound traffic. They're stateful and evaluate traffic rules at the instance level.
Network Access Control Lists (NACLs): They're an additional layer of security, acting as a firewall for controlling traffic in and out of subnets. NACLs are stateless and work at the subnet level.
Remember: NACLs are stateless (rules for inbound AND outbound needed), evaluated by rule number (lowest first), allow AND deny rules. Security groups are stateful, allow-only.
Remember: SG = stateful allow-only (return traffic auto-allowed). NACL = stateless allow+deny (must explicitly allow return traffic). SG at instance level, NACL at subnet level.
4. You get time out when trying reach your application which runs on an EC2 instance. Specify one reason why it would possibly happen
Show answer
Security group isn't configured properly.
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
5. At what network level/layer a Network Load Balancer operates?
Show answer
Layer 4 (Transport). NLB routes TCP/UDP connections based on IP and port, offering ultra-low latency and millions of requests per second — but no HTTP-level inspection.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
6. What are the best practices around Elastic IP?
Show answer
The best practice is actually not using them in the first place. It's more common to use a load balancer without a public IP, or use a random public IP and register a DNS record to it.
Remember: EIP = static public IPv4 address. Free when attached to a running instance. Charges apply when unattached (to discourage hoarding).
7. True or False? Fargate creates an ENI for every task it runs
Show answer
True. Fargate creates a dedicated ENI (Elastic Network Interface) for each task, giving it its own private IP within the VPC.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
8. True or False? Multiple Internet Gateways can be attached to one VPC
Show answer
False. Only one internet gateway can be attached to a single VPC.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
9. True or False? Subnets belong to the same VPC, can be in different availability zones
Show answer
True. Just to clarify, a single subnet resides entirely in one AZ.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
10. What's the difference between Security Groups and Network ACLs in AWS?
Show answer
Security Groups are stateful firewalls that act at the instance level (controlling inbound/outbound traffic for EC2 instances, etc.), while Network ACLs are stateless firewalls at the subnet level (controlling traffic in and out of subnets). Security Groups remember connections (stateful) and apply to associated instances; NACLs apply to all traffic in a subnet and evaluate rules in order for every packet (stateless).
Remember: NACLs are stateless (rules for inbound AND outbound needed), evaluated by rule number (lowest first), allow AND deny rules. Security groups are stateful, allow-only.
11. You would like to use a routing policy based on the user location. Which one would you use?
Show answer
Geolocation routing policy. It's based on user location.
Don't confuse it with latency-based routing policy. While shorter distance may result in lower latency, this is not the requirement in the question.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
12. What types of AWS load balancers are there?
Show answer
* Classic Load Balancer (CLB): Mainly for TCP (layer 4) and HTTP, HTTPS (layer 7)
* Application Load Balancer (ALB): Mainly for HTTP, HTTPS and WebSocket
* Network Load Balancer (NLB): Mainly for TCP, TLS and UDP
* Gateway Load Balancer (GWLB): Mainly for layer 3 operations (IP protocol)
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
13. How does AWS CloudFront work and what are its features?
Show answer
CloudFront: It's a content delivery network (CDN) service, distributing content globally with low latency and high data transfer speeds.
Features: Edge locations, caching, and origin fetch optimization are key functionalities.
Remember: CloudFront = AWS CDN. Edge locations cache content globally. Origin can be S3, ALB, or custom HTTP server. Use Origin Access Control (OAC) to restrict S3 access to CloudFront only.
14. True or False? Domain registrar and DNS service is inherently the same thing
Show answer
False. The DNS service can be Route 53 (where you manage DNS records) while the domain itself can be purchased from other sources that aren't Amazon related (e.g. GoDaddy).
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
15. Describe AWS Direct Connect and its benefits.
Show answer
AWS Direct Connect: It's a dedicated network connection from on-premises networks to AWS. It's used to reduce network costs, increase bandwidth throughput, and provide a consistent network experience.
Remember: Direct Connect = dedicated physical link from your datacenter to AWS. Lower latency, consistent bandwidth vs. VPN over internet.
16. True or False? Based on the shared responsibility model, Amazon is responsible for physical CPUs and security groups on instances
Show answer
False. Amazon is responsible for the hardware in its sites but not for security groups, which are created and managed by the users.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
17. Why would you use an Elastic IP address?
Show answer
Let's say you have an instance that you need to shut down or perform some maintenance on. In that case, what you would want to do is move the Elastic IP address to another instance that is operational until you finish the maintenance, and then you can move it back to the original instance (or keep it assigned to the second one).
Remember: EIP = static public IPv4 address. Free when attached to a running instance. Charges apply when unattached (to discourage hoarding).
18. What it means that "Route 53 is an Authoritative DNS"?
Show answer
The customer can update DNS records.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
19. Explain subnets and regions to management body.
Show answer
Subnets are like different sections within your office building (VPC). Each section is for different departments or teams. Regions, on the other hand, are like different cities where you can have your office. Each city can have its own set of office buildings (VPCs).
Subnets are partitions within a VPC and are associated with a specific Availability Zone. Regions are separate geographic areas where AWS data centers are located.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
20. True or False? Network load balancers operate in layer 4
Show answer
True. They forward TCP and UDP traffic.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
21. What are possible target groups for ALB (Application Load Balancer)?
Show answer
* EC2 tasks
* ECS instances
* Lambda functions
* Private IP Addresses
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
22. True or False? Security groups only contain deny rules
Show answer
False. Security groups only contain allow rules.
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
23. True or False? Route 53 simple routing policy supports both single and multiple values
Show answer
True. If multiple values are returned from Route 53, the client chooses a single value to use.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
24. True or False? Network load balancer has one static IP per availability zone
Show answer
True. NLB provides one static IP per AZ, making it ideal for whitelisting. ALB, by contrast, uses dynamic IPs behind a DNS name.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
25. You would like to use a routing policy that will take latency into account and will route to the resource with the lowest latency. Which routing policy would you use?
Show answer
Latency-based routing policy.
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
26. True or False? In weighted routing DNS records must have the same name but not the same type
Show answer
False. They must have the same name AND type.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
27. Suppose you need to route % of your traffic to a certain instance and the rest of the traffic, to another instance. Which routing policy would you choose?
Show answer
Weighted routing policy.
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
28. True or False? Security groups are not locked down to a region and VPC (meaning you don't have to create a new one when switching regions)
Show answer
False. They are locked down to regions and VPC.
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
29. What types of load balancers are supported in EC2 and what are they used for?
Show answer
* Application LB - layer 7 traffic
* Network LB - ultra-high performance or static IP address (layer 4)
* Classic LB - low costs, good for test or dev environments (retired by August 15, 2022)
* Gateway LB - transparent network gateway and distributes traffic such as firewalls, intrusion detection and prevention systems, and deep packet inspection systems. (layer 3)
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
30. Which service would you use for creating DNS record?
Show answer
Amazon Route 53. It provides DNS hosting, domain registration, health checks, and routing policies (latency-based, geo, weighted, failover).
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
31. True or False? VPC spans multiple regions
Show answer
False. A VPC spans a single region. It can span multiple Availability Zones within that region, but not across regions. For cross-region connectivity, use VPC peering or Transit Gateway.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
32. Which type of AWS load balancer is used in the following drawing?
Show answer
Application Load Balancer (routing based on different endpoints + HTTP is used).
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
33. You've restarted your EC2 instance and the public IP has changed. How would you deal with it so it won't happen?
Show answer
Use an Elastic IP, which provides you a fixed IP address.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
34. True or False? ENI are not bound to a specific availability zone
Show answer
False. ENIs are bound to a specific availability zone.
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
35. Describe AWS Route 53 and its key features.
Show answer
Route 53: It's a scalable domain name system (DNS) web service providing domain registration and routing internet traffic to resources.
Key Features: Health checks, traffic flow, domain registration, and global data propagation are significant functionalities.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
36. True or False? With ALB (Application Load Balancer) it's possible to do routing based on query string and/or headers
Show answer
True. ALB supports advanced routing rules based on path, host header, query strings, HTTP headers, and source IP — enabling microservice-style routing.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
37. Explain Elastic Network Interfaces (ENI)
Show answer
[AWS Docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html): "An elastic network interface is a logical networking component in a VPC that represents a virtual network card."
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
38. What are some of the properties/configuration options of EC2 instances that can be set or modified?
Show answer
* OS (Linux, Windows)
* RAM and CPU
* Networking - IP, Card properties like speed
* Storage Space - (EBS, EFS, EC2 Instance Store)
* EC2 User Data
* Security groups
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
39. True or False? Elastic Load Balancer is a managed resource (= AWS takes care of it)
Show answer
True. AWS is responsible for making sure ELB is operational and takes care of lifecycle operations like upgrades, maintenance and high availability.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
40. True or False? Alias record can be set up for an EC2 DNS name
Show answer
False. Alias records cannot target EC2 instance DNS names directly. They work with AWS resources like ELB, CloudFront, S3, and API Gateway. Use a CNAME or A record for EC2.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
41. What are the supported target groups for gateway load balancer?
Show answer
* EC2 instance
* IP addresses (must be private IPs)
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
42. True or False? It's possible to have multiple VPCs in one region
Show answer
True. As of today, the soft limit is 5.
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
43. What would you use if you need a fixed public IP for your EC2 instance?
Show answer
Elastic IP. It's a static public IPv4 address you allocate to your account and associate with an instance or NAT gateway. It persists across stop/start cycles.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
44. True or False? By default, any new account has a default VPC
Show answer
True. Every new AWS account comes with a default VPC in each region, pre-configured with a public subnet per AZ, internet gateway, and route table.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
45. Explain the geolocation routing policy
Show answer
* Routing based on user location
* Location can be specified by continent, country or US state
* It's recommended to have a default record in case there is no match on location
Remember: geolocation routes by user location (continent/country). Geoproximity routes by resource location with adjustable bias to shift traffic between regions.
46. True or False? ALB can route only to a single route group
Show answer
False. ALB can route to multiple target groups.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
47. True or False? Route Tables used to allow or deny traffic from the internet to AWS instances
Show answer
False. Route tables control where network traffic is directed (routing), not access control. Security Groups and Network ACLs handle allow/deny decisions.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
48. Explain the concept of VPC (Virtual Private Cloud) in AWS.
Show answer
**VPC:** Imagine a VPC as your own virtual space in the cloud. It's like your personal office building in a city full of skyscrapers. Your VPC is where you control your network, your own space with its own address and security. You decide who can come in, what rooms they can access, and how they move around. It's a virtual network dedicated to your AWS account. It allows you to select your IP address range, create subnets, and configure route tables and network gateways. VPC provides isolation and control over your network environment.
49. Suppose you need to route traffic to a single source with Route 53, without any other requirements, which routing policy would you choose?
Show answer
The `simple` routing policy.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
50. What are some use cases for using geolocation routing policy?
Show answer
* Restrict content distribution
* App localization
* Load balancing
Remember: geolocation routes by user location (continent/country). Geoproximity routes by resource location with adjustable bias to shift traffic between regions.
51. What routing algorithms are supported by Route 53?
Show answer
Route 53 is like a guide giving directions. It supports different methods of directing traffic to the right places, ensuring the quickest and most efficient routes for your services. It supports a variety of DNS routing algorithms like Simple, Weighted, Latency-based, and Geolocation routing.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
52. What would you use to check how many unassociated Elastic IP address you have?
Show answer
Trusted Advisor.
Remember: EIP = static public IPv4 address. Free when attached to a running instance. Charges apply when unattached (to discourage hoarding).
53. What DNS record types does Route 53 support?
Show answer
* A
* AAAA
* CNAME
* NS
* DS
* CAA
* SOA
* MX
* TXT
* SPF
* SRV
* NAPTR
* PTR
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
54. Which services are involved in getting a custom string (based on the input) when inserting a URL in the browser?
Show answer
Lambda - to define a function that gets an input and returns a certain string
API Gateway - to define the URL trigger (= when you insert the URL, the function is invoked).
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
55. Which of the following is included with the default VPC?
Show answer
All of the listed items are included with the default VPC: a public subnet in each Availability Zone, an internet gateway, a default route table with a route to the internet gateway, a default security group, and a default network ACL.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
56. What Route 53 routing policies are there?
Show answer
* Simple
* Geolocation
* Failover
* Latency based
* Geoproximity
* Multi-Value Answer
* Weighted
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
57. Which load balancer would you use for services which use HTTP or HTTPS traffic?
Show answer
Application Load Balancer (ALB).
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
58. What is an EC2 instance?
Show answer
An EC2 instance is like a computer that lives in your virtual office (VPC). It's where you can run programs, websites, or anything you'd usually do on your computer, but it's located in the cloud.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
59. You would like to use a routing policy based on the resource location and be able to shift more traffic to some resources. Which one would you use?
Show answer
Geoproximity routing policy
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
60. What are hosted zones?
Show answer
A container that includes records for defining how to route traffic from a domain and its subdomains
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
61. True or False? A user is not allowed to perform penetration testing on any of the AWS services
Show answer
False. On some services, like EC2, CloudFront and RDS, penetration testing is allowed.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
62. What are some use cases for using a Network Load Balancer?
Show answer
* TCP, UDP traffic
* Extreme performance
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
63. True or False? One or more VPCs can be attached to one Internet Gateway
Show answer
False. Only one VPC can be attached to one IGW and vice versa
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
64. True or False? It's possible to enable sticky sessions for a network load balancer so the same client is always redirected to the same instance
Show answer
False. This is only supported in Classic Load Balancer and Application Load Balancer.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
65. What are Security Groups?
Show answer
A security group acts as a virtual firewall that controls the traffic for one or more instances
More on this subject [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html)
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
66. What allows you to control inbound and outbound instance traffic?
Show answer
Security Groups
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
67. What are some use cases for the weighted routing policy?
Show answer
* Load balancing between regions
* Testing new application versions
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
68. What does AWS use the 5 reserved IP addresses of each subnet for?
Show answer
x.x.x.0 - network address
x.x.x.1 - VPC router
x.x.x.2 - DNS mapping
x.x.x.3 - future use
x.x.x.255 - broadcast address
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
69. What types of hosted zones are there?
Show answer
* Public Hosted Zones - include records to specify how to route traffic on the internet
* Private Hosted Zones - contain records that specify how to route traffic within VPC(s)
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
70. True or False? An ENI can be created independently of EC2 instances
Show answer
True. They can be attached later on and on the fly (for failover purposes).
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
71. What are some metrics/rules used for auto scaling?
Show answer
* Network In/Out
* Number of requests on ELB per instance
* Average CPU, RAM usage
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
72. True or False? An Elastic IP is free, as long as it's not associated with an EC2 instance
Show answer
False. An Elastic IP is free of charge as long as **it is** associated with an EC2 instance. This instance should be running and should have only one Elastic IP.
Remember: EIP = static public IPv4 address. Free when attached to a running instance. Charges apply when unattached (to discourage hoarding).
73. What does each Route 53 record contain?
Show answer
* Domain/subdomain name (e.g. blipblop.com)
* Value (e.g. 201.7.202.2)
* Record type (e.g. A, AAAA, MX)
* TTL: amount of time the record is going to be cached
* Routing Policy: how to respond to queries
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
74. Explain Security Groups and Network ACLs
Show answer
* NACL - security layer on the subnet level.
* Security Group - security layer on the instance level.
Read more about it [here](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) and [here](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html)
Remember: NACLs are stateless (rules for inbound AND outbound needed), evaluated by rule number (lowest first), allow AND deny rules. Security groups are stateful, allow-only.
75. Explain Cross Zone Load Balancing
Show answer
With cross zone load balancing, traffic is distributed evenly across all (registered) instances in all the availability zones.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
76. Name at least three attributes an Elastic Network Interface (ENI) can include
Show answer
1. One public IPv4 address
2. MAC address
3. A primary private IPv4 address (from the address range of your VPC)
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
77. What are the supported target groups for a network load balancer?
Show answer
* EC2 instance
* IP addresses
* Application Load Balancer
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
🔴 Hard (27)¶
1. Explain the geoproximity routing policy
Show answer
* Route based on the geographic location of resources
* Shifting routing is done based on the `bias` value
* Resources can be of AWS and non-AWS type
* For non-AWS you have to specify latitude and longitude in addition to AWS region as done in AWS-based resources
* To use it, you have to use Route 53 traffic flow
Remember: geolocation routes by user location (continent/country). Geoproximity routes by resource location with adjustable bias to shift traffic between regions.
2. You are running an ALB that routes traffic using two hostnames: a.b.com and d.e.com. Is it possible to configure HTTPS for both of the hostnames?
Show answer
Yes, using SNI (Server Name Indication) each application can have its own SSL certificate (this is supported since 2017).
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
3. What is AWS PrivateLink?
Show answer
Allows secure connectivity between VPCs and supported AWS services without traversing the internet.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
4. Explain Deregistration Delay (or Connection Draining) in regard to ELB
Show answer
The period of time or process of "draining" instances from requests/traffic (basically let it complete all active connections but don't start new ones) so it can be de-registered eventually and ELB won't send requests/traffic to it anymore.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
5. You have a load balancer running and behind it 5 web servers. Users complain that sometimes when they try to use the application it doesn't work. You've found out that sometimes some of the instances crash. How would you deal with it?
Show answer
One possible way is to use health checks with the load balancer to ensure the instances are ready to be used before forwarding traffic to them.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
6. Which has better latency? Application Load Balancer or Network Load Balancer?
Show answer
Network Load Balancer (~100 ms) as ALB has a latency of ~400 ms
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
7. You have a load balancer running and behind it 5 web servers. Users complain that every time they move to a new page, they have to authenticate, instead of doing it once. How can you solve it?
Show answer
Enable sticky sessions. This way, the user keeps working against the same instance, instead of being redirected to a different instance on every request.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
8. What is a VPC analyzer?
Show answer
A tool for monitoring and identifying risks and threats in VPC flow logs.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
9. How can a company ensure their web application continues to operate if it becomes unavailable in its current single region?
Show answer
Deploy the application in multiple Regions. Use Amazon Route 53 DNS health checks to route traffic to a healthy Region
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
10. What's one of the issues with the current architecture?
Show answer
Users shouldn't access AWS Lambda directly. If you'd like to expose your Lambda function to users, a better approach would be to set up an API Gateway endpoint between the users and the Lambda function. This not only provides enhanced security but also easier access for the user, who can use HTTP or HTTPS for accessing the function.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
11. If you wanted to analyze network traffic, you would use the ____ load balancer
Show answer
Gateway Load Balancer
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
12. True or False? In regard to cross zone load balancing, AWS charges you for inter-AZ data in a network load balancer but not in an application load balancer
Show answer
True. It charges for inter-AZ data in a network load balancer, but not in an application load balancer
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
13. True or False? The default VPC doesn't have internet connectivity and any launched EC2 instance will only have a private IP assigned
Show answer
False. The default VPC has internet connectivity and any launched EC2 instance gets a public IPv4 address. In addition, any launched EC2 instance gets public and private DNS names.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
14. True or False? Route 53 Multi Value is a substitute for those who want a cheaper solution than ELB
Show answer
False. Route 53 Multi Value is not a substitute for ELB. It's focused on client-side load balancing as opposed to ELB.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
15. You've been asked to design an architecture for a high-performance, low-latency application (millions of requests per second). Which load balancer would you use?
Show answer
Network Load Balancer
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
16. If we have security groups, why do we need NACLs, or vice versa?
Show answer
Security groups are like bouncers at the entrance of your office building, deciding who gets in or out of the entire building. NACLs are more like security guards stationed in different sections of the building (subnets), controlling movement within. Thus Security Groups act at the instance level, while NACLs act at the subnet level, offering an additional layer of security.
Remember: NACLs are stateless (rules for inbound AND outbound needed), evaluated by rule number (lowest first), allow AND deny rules. Security groups are stateful, allow-only.
Remember: SG = stateful allow-only (return traffic auto-allowed). NACL = stateless allow+deny (must explicitly allow return traffic). SG at instance level, NACL at subnet level.
17. What are some use cases for using a Gateway Load Balancer?
Show answer
* Intrusion Detection
* Firewall
* Payload manipulation
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
18. What are calculated health checks?
Show answer
When you combine the results of multiple health checks into a single health check.
Remember: ELB health checks: interval (how often), threshold (consecutive successes/failures), timeout (how long to wait). Unhealthy targets are removed from rotation until they recover.
19. Describe in high-level how to upgrade a system on AWS with (near) zero downtime
Show answer
One way is through launching a new instance. In more detail:
1. Launch a new instance
2. Install all the updates and applications
3. Test the instance
4. If all tests passed successfully, you can start using the new instance and perform the switch with the old one, in one of various ways:
   1. Go to Route 53 and update the record with the IP of the new instance
   2. If you are using an Elastic IP then move it to the new instance
...
20. Name one use case for using an application load balancer as a target group for a network load balancer
Show answer
You might want to have a fixed IP address (NLB) and then forward HTTP traffic based on path, query, ... which is then done by the ALB
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
21. You run your application on 5 EC2 instances in one AZ and on 10 EC2 instances in another AZ. You distribute traffic between all of them using a network load balancer, but it seems that instances in one AZ have higher CPU rates than the instances in the other AZ. What might be the issue and how would you solve it?
Show answer
It's possible that traffic is distributed evenly between the AZs, but that doesn't mean it's distributed equally across all instances. To distribute it evenly between all the instances, you have to enable cross-zone load balancing.
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
22. You've created a network load balancer but it doesn't work (you can't reach your app on your EC2 instance). What might be a possible reason?
Show answer
A missing or misconfigured security group. For example, if you go to your instances in the AWS console you might see that the instances under your NLB are in "unhealthy" status, and if you didn't create a dedicated security group for your NLB, that means the security group used is the one attached to the EC2 instances.
Go to the security group of your instance(s) and enable the traffic that NLB should forward (e.g. TCP on port 80).
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.
23. What is a Transit VPC?
Show answer
A method to interconnect multiple VPCs, enabling connectivity between them.
Remember: AWS networking troubleshooting flow: VPC Flow Logs show allowed/denied traffic. Reachability Analyzer tests paths. Security groups and NACLs are the most common culprits.
24. Kratos, your colleague, decided to use a subnet of /27 because he needs 29 IP addresses for EC2 instances. Is Kratos right?
Show answer
No. Since AWS reserves 5 IP addresses for every subnet, Kratos will have 32-5=27 addresses and this is less than what he needs (29). It's better if Kratos uses a subnet of size /26, but good luck telling him that.
Gotcha: always test networking changes in a non-production VPC first. A misconfigured route table or NACL can instantly isolate your entire application.
25. Explain the Route 53 Traffic Flow feature
Show answer
It's a visual editor for managing complex routing decision trees. It allows you to simplify the process of managing records. Configuration can be saved (as a Traffic Flow Policy) and applied to different domains/hosted zones. In addition, it supports versioning.
Remember: Route 53 = AWS DNS. Supports A, AAAA, CNAME, MX, TXT, and alias records. Routing policies: Simple, Weighted, Latency, Failover, Geolocation.
Name origin: port 53 is the DNS port. Route 53 = DNS routing on port 53.
26. What happens when you set all records to weight 0 when using the Weighted routing policy?
Show answer
All records are used equally.
Gotcha: AWS networking issues are almost always security group or route table misconfigurations. Check these first before investigating application-level problems.
Remember: AWS networking debug flow: Security Group -> NACL -> Route Table -> IGW/NAT -> DNS resolution. Work from most specific to broadest.
27. True or False? For a network load balancer, cross zone load balancing is always on and can't be disabled
Show answer
False. It's disabled by default
Remember: ALB = Layer 7 (HTTP/HTTPS, path/host routing). NLB = Layer 4 (TCP/UDP, ultra-low latency). CLB = legacy, avoid for new deployments.