By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
Objective: Given a scenario, deploy cloud networking solutions. This guide focuses on the different resources and components that you will typically deploy in a cloud network environment. You will first learn about some commonly deployed services, including DHCP, NTP, DNS, CDN, and IPAM. Next, you will learn about some of the concepts behind virtual private networks (VPNs), including the differences between site-to-site, point-to-point, and point-to-site. Included in this section is a discussion on IPsec and MPLS. The last few sections of this guide will cover virtual routing concepts, network appliances, and the concept of a virtual private cloud (VPC). Topics: - Services - Virtual Private Networks (VPNs) - Virtual Routing - Network Appliances - Virtual Private Cloud (VPC) - VLAN/VxLAN/GENEVE - Single Root Input/Output Virtualization (SR-IOV) - Software-Defined Network (SDN) 1. _____ is designed to resolve issues regarding the system time synchronization of server and client systems. 2. The domains .com, .org, and .net are examples of _____-level domains. 3. A(n) _____ VPN is used to connect two networks via a VPN. 4. In _____ routing the routing table is updated based on near-real-time changes made in the network.
Answers:
1. Network Time Protocol (NTP) 2. Top 3. Site-to-site 4. Dynamic Services In cloud computing, you can configure different types of network services. For the purposes of the exam objectives described in this guide, we will cover the DHCP, DNS, NTP, CDN, and IPAM network services. Dynamic Host Configuration Protocol (DHCP) Dynamic Host Configuration Protocol enables you to dynamically assign network-related information to client systems. This information can include providing a system with an IP address, subnet mask, and DNS server information. A DHCP server provides DHCP client systems with this network information automatically. When a system is configured as a DHCP client, it sends a request for DHCP servers to provide this network information. When this data is received, the client automatically configures itself, enabling the system to communicate on the network. Network Time Protocol is designed to resolve issues regarding the system time synchronization of server and client systems. Having an accurate system time is important for several reasons, including: - Log files: These files have timestamps embedded within log entries. These timestamps are often critical to determine exactly when an error or security breach occurred. Inaccurate system times will result in inaccurate timestamps, which can lead to problems both in determining the cause of problems as well as potential legal issues (log files are sometimes used in legal cases but can be disregarded by the court system if the timestamps are not accurate). - Client/server interactions: Some services require the client and server systems to be in sync regarding system time. If these systems are not in sync, the service may fail completely. For example, the server and client negotiating a secure connection using digital certificates should have the right system time. - Searches for file by timestamp: Users and administrators will often search for lost or missing files using timestamps. If the system time isn’t accurate, the file timestamps won’t be accurate, making it difficult to find files. - Transaction log timestamps: Many transaction operations include timestamps. For example, each email that is sent or received has a timestamp of these actions. Another example is banking and credit card transactions. It is critical to ensure these timestamps are as accurate as possible for both security and reliability of the transactions. The purpose of NTP is to ensure accurate system times. A system is configured as an NTP client, which will set the system time based on data received from one or more NTP servers. Typically, three or more NTP servers are used to best ensure the most accurate time. Organizations may deploy their own NTP servers, but there are also publicly available servers on pool.ntp.org. Servers are categorized by how accurate they are. This is done by assigning a “stratum” value to the server. This is a numeric value from 0 to 15, in which the lower the value, the more accurate the clock is considered to be. A clock that advertises itself as a “stratum-0” is one that likely gets its timestamps from an atomic clock and has very little delay in responding to NTP requests. A clock that advertises itself as a “stratum-1” gets its timestamps from “stratum-0” servers. Domain Name Service is a protocol designed to provide name-to-IP address resolution. It is part of the standard TCP/IP protocol suite and one of several protocols that can provide this functionality; others include NIS and LDAP. What distinguishes DNS from other similar protocols is that the sole focus of DNS is name resolution; NIS and LDAP provide other resolution operations, such as network user and group accounts. DNS is also the de facto standard name resolution solution for the majority of systems connected to the Internet. The following important terms are associated with DNS: - Host: Typically, a host is a computer that is attached to a network. Another way of looking at the term is that a host is a device that can communicate on a network. - Domain Name: Hosts on the Internet address each other by using IP address numbers. These numbers are difficult for humans to remember, so a unique name is often assigned to a host. When this name is registered on an authorized DNS server, the name is considered a domain name. - Top-Level Domain: Domain names are organized in a tree-like structure, much like files are organized in a virtual filesystem structure. The top level of the DNS structure is simply referred to as “dot” and symbolized by the . character. The domains directly beneath . are the top-level domains, or TLDs. The original top-level domains were .com, .org, .net, .int, .edu, .gov, and .mil. Many others have been added in recent years. - FQDN: A fully qualified domain name is the domain name of a host starting from the top of the DNS structure. For example, the name www.onecoursesource.com. would be a FQDN. Notice the . character at the end of the FQDN. It is the domain above the top-level. This character is often omitted when regular users provide a domain name because the. is assumed to be the last character of the FQDN in most cases. However, you should get used to including the . character if you are going to administer DNS servers because it will be required in some of the DNS server configuration files. - Subdomain: A subdomain is any domain that is a component of a larger domain. For example, suppose you wanted to have three domains in your organization to functionally organize the hosts. You might call these domains sales, eng, and support. If your company’s domain is onecourse-source.com., these three subdomains would be called sales.onecoursesource.com. eng.onecoursesource.com. support.onecoursesource.com. - Name server: A name server is a system that responds to DNS client requests. Name servers provide the translation from IP address to domain names (and sometimes provide the opposite: domain name to IP address translation). Note: A name server either has a copy of this information stored locally (called a zone file) or stores information obtained by other name servers temporarily in memory or passes on the query to another server (or servers) that has the information. - Authoritative name server: An authoritative name server is one that returns results based on information stored locally on the system (the original master records). - Zone file: The zone file is the name of the file that is used to store IP address to domain name translation information (that is, the DNS records). This file also contains information that is used to define the domain itself. - Record: Within the zone file, a record is an entry that defines a single chunk of information for the zone, such as the data that would translate an IP address to domain name. - Caching name server: A caching name server is one that returns results based on information obtained from another name server, such as an authoritative name server. The primary advantage of a caching name server is that it can speed up the IP address to domain name resolution because it will cache results and be able to respond to future requests using the information in this cache. - TTL: The data stored in a caching name server is typically not stored permanently. The name server that provides the data also provided the caching name server with a time to live (TTL). The caching name server will store the information in memory until this TTL period ends. Typically, this period of time is 24 hours, but it can vary depending on how often the records in the authoritative name server are updated. - DNS forwarder: A DNS forwarder is a DNS server designed to take DNS queries from an internal network and send the queries to an external DNS server. - Forward lookup: This is the process of translating an IP address into a domain name. Most DNS servers provide this functionality. - Reverse lookup: This is the process of translating a domain name into an IP address. While many DNS servers provide this functionality, it is less common than a forward lookup. Content Delivery Network (CDN) Imagine a scenario in which your organization services customers that are primarily located in the United States. One of your most popular services is located on a server located in a cloud environment that is geographically located on the East Coast of the United States. Most of your customers are in the same geographic area, so having the service located close to the customers reduces latency and provides faster access to your service. However, the board of directors has just approved a new initiative that is designed to expand your customer base internationally. There are now plans in place to service customers in Europe and Asia, with the possibility to expand to other geographic regions in the future. Having a service that is geographically based on the East Coast of the United States only means that these new customers will likely experience lower response times. This is a scenario in which a Content Delivery Network (CDN) would provide a better solution. Content is distributed geographically, and proxy servers are used to “point” the client to the closest source (or edge) for the content. Examples of CDN solutions include Amazon CloudFront, Google App Engine, and Azure CDN. IP Address Management (IPAM) IP Address Management is a collection of tools, including DNS and DHCP, that enable you to deploy and manage an IP address infrastructure. Virtual Private Networks (VPNs) A virtual private network is a service that allows for a virtual network over a public network. This allows data to be shared across public networks in a secure manner. Site-to-site A site-to-site VPN is used to connect two sites via a VPN, where sites can be, for example, a headquarters (HQ) office and a remote office or two HQ offices. This type of network is typically used when an organization has remote offices (sites) that are a great distance apart (further apart than a LAN). The expense of a dedicated network connection between the remote offices is too great, but a secure means of communication is required. When a VPN is established between the different sites across the Internet, the communications are secured at a reasonable cost. Point-to-Point In a point-to-point VPN, a VPN connection is established between two specific hosts. An example of this would be when you use a VPN service (like Nord-VPN or ExpressVPN) to ensure your privacy when surfing the Internet. Some organizations may also set up a point-to-point VPN for a remote employee or customer to access a specific system, such as an internal web server or database. Point-to-Site In a point-to-site VPN, a VPN connection is established between a host and a network. Many organizations use this technique to allow employees to remotely connect to the organization’s private network. This is also known as remote-access VPN, and these VPNs can leverage IPsec or SSL/TLS as protocols. IPsec Internet Protocol Security is a collection of protocols designed to allow for encrypted connections between different hosts. A common use of IPsec is to create a VPN between two hosts. IPsec is used both for site-to-site and point-to-site VPN connectivity. Multiprotocol Label Switching (MPLS) Multiprotocol Label Switching is a technique that routes network packets from one network to another. Because the technique isn’t associated with any specific protocol, it can be used to route network traffic for many different protocols. MPLS VPN allows for VPN connections across an MPLS environment. There are three different types of MPLS VPNs: point-to-point, Layer 2, and Layer 3. Virtual Routing One of the challenges of a cloud environment is that within a single physical network, there may be resources for many different customers. All customers will expect that their network data will be kept separate from other customers. Normally, in a physical network, data is broadcast and visible to all hosts on the network because all hosts are within the same IP network (see more about IP networks in the “Subnetting” section later in this guide). To avoid a scenario in which one customer can see another customer’s data, each customer is placed with a different IP network. This works fine while data stays within the physical network but poses a problem when the data needs to leave the physical network. Normally, a router is used to handle this situation, but routers typically have a single routing table that applies to the entire network. The routing table informs the router of how to handle network traffic between two networks. Virtual routing (also called Virtual Route Forwarding, or VRF) is a technology that allows for a router to have multiple instances of a routing table. This technology allows for multiple IP networks to use the router (that is, the gateway). Dynamic and Static Routing In dynamic routing the routing table is updated based on changes made in the network. A dynamic routing system can “self-heal” when routes become slow or unavailable. With static routing, the routing table is managed manually. An administrator must manually edit the routing table. Because of how often cloud environments change, virtual routing is often dynamic. As new IP networks are implemented by customers, virtual routing tables must be automatically updated to handle the changes in the network. Virtual Network Interface Controller (vNIC) A network interface controller (NIC) is a physical device that allows a host to communicate on the network. Most resources in the cloud are virtual in nature and need to share the NIC in order to communicate on the network. The resource is provided a vNIC that is associated with the physical NIC. Subnetting To understand subnetting, you first need to understand some basics of IPv4 addresses. An IPv4 address consists of four numbers separated by a dot character—for example, 192.168.100.25. Each number reprints an octet, a number that can be represented by a binary value: 11000000.10101000.01100100.00011001 The number 192 can be represented by the binary number 11000000 because each binary value represents a numeric value, as shown in the figure below. Binary Representation of Numeric Values
IPv4 addresses are divided into classes. There are five classes total. These classes are defined by the first octet (the first number of the IP address). For example, the IP address of 192.168.100.25 uses the 192 value to define which of the five primary classes the IP resides within. Table 13.1 describes these standard IPv4 address classes.
TABLE: IPv4 Classes
Class
Description
A
Ranges from 1.x.x.x to 126.x.x.x. Allows for 127 networks, each with up to 16 million hosts. The first octet defines the network address, and the remaining octets define the host addresses.
B
Ranges from 128.x.x.x to 191.x.x.x. Allows for approximately 16,000 networks, each with up to 65,000 hosts.
C
Ranges from 192.x.x.x to 223.x.x.x. Allows for approximately 2 million networks, each with up to 254 million hosts.
D
Ranges from 224.x.x.x to 239.x.x.x. Only used for multicast groups.
E
Ranges from 240.x.x.x to 254.x.x.x. Only used for research and development.
So, a class A network of 55.x.x.x can have up to 16 million host IP addresses that run from 55.0.0.1 (55.0.0.0 is reserved for the network itself) to 55.254.254.254 (technically, the highest value is 255, but those IP addresses are reserved for broadcasting messages to the entire network). Organizations that have been assigned large networks (class A or B, although even class C networks apply here) do not want to have millions or even thousands of hosts on a single network. Subnetting provides a method of dividing a large network into smaller sections. This is accomplished by making smaller networks (subnetworks) by using IP addresses that are normally used by hosts to define the network and broadcast IP addresses. There are two common network situations in which you should know how subnets work: - When a system already has an IP address and a subnet address, you want to know how to determine the subnetwork that is created. - When you have a larger IP network and want to know how to divide it into smaller networks. This is important if you have several smaller physical networks in your organization because each physical network must be on a separate subnetwork.
In both of these situations, there are many IP address calculators freely available on the Internet to aid you in the process. The purpose of showing you how to perform these tasks by hand is to aid you in understanding how subnetting works. Suppose you were using a full Class C network of 192.168.100.0. This means that the first three octets (192.168.100.0) are used for the network address, the last possible IP address is the broadcast address (192.168.100.255), and all other IP addresses (192.168.100.1 to 192.168.1.254) can be assigned to hosts on the network. Perhaps having 254 hosts in a single physical network does not work for your situation and you want to divide this class C network into smaller networks. Before doing this, consider how the network is defined in the first place by looking at Table 13.2.
TABLE: Class C Network Definition
Category
IP Address
Binary Format of IP Address
Address
192.168.100.25
11000000.10101000.01100100.00011001
Netmask
255.255.255.0 or 24
11111111.11111111.11111111.00000000
Network
192.168.100.0
11000000.10101000.01100100.00000000
Broadcast
192.168.100.255
11000000.10101000.01100100.00011111
First IP
192.168.100.1
11000000.10101000.01100100.00010001
Last IP
192.168.100.254
11000000.10101000.01100100.00011110
Maximum hosts in network
254
In the table above, the IP address is displayed in both dotted decimal notation (192.168.100.25) and binary format. The subnet mask is displayed in three formats: - VLSM (Variable Length Subnet Mask), essentially the same format as dotted decimal notation. - Table 13.2). - Binary format. To determine which part of the IP address represents the network, just look at all of the bits in the binary format that are a value of “1” for both the IP address and the subnet mask. To make this easier to see, this has been highlighted in gray in Table 13.2. The first possible address in this network defines the network itself (192.168.100.0 in Table 13.2), and the last possible address in this network defines the broadcast address (192.168.100.255 in Table 13.2). The example in Table 13.2 is straightforward because it is one of the standard classes. Look at the example in Table 13.3 to see how a different, nonstandard subnet (255.255.255.240) would affect the various IP addresses.
TABLE: Nonstandard Subnet Mask Example
255.255.255.240 or 28
11111111.11111111.11111111.11110000
192.168.100.31
11000000.10101000.01100100.00001111
192.168.100.17
192.168.100.30
14
It may take some time to understand the process of subnetting. We highly encourage you to practice by using one of the many subnet calculators freely available on the Internet, such as the one found at the following address: https://www.adminsub.net/ipv4-subnet-calculator. Network Appliances A network appliance is any device that is designed to manage the flow of network traffic from and to a network segment. There are many different types of network appliances, but for the CompTIA Cloud+ exam objective, the two network appliances you should know about are load balancers and firewalls. Consider a scenario in which you need to access the website of a large organization. This website responds to millions of requests daily. If there really was just a single web server in this situation, it would cause several potential problems, including the following: - Single point of failure: If the web server were to go down, experience an error, or have a network connectivity issue, the entire company’s website would no longer be available. - Too many requests: A single website can handle only so many requests before it becomes unable to respond to all client requests. - Latency issues: The single web server can only be physically located in a single place. For example, suppose the web server is located in Germany. That would result in good response times for that country and others that are geographically close, but clients that are geographically further away, in New Zealand, for example, would experience latency issues.
A better solution would be to have multiple, identical web servers located in different geographic regions in the world. However, it would be difficult to tell the client system which specific web server to send requests to. This is where a load balancer comes in handy. With a load balancer, the client request is sent to the load balancer resource. Then the load balancer will forward the request to a specific web server. Note: While a web server is given as an example here, the server can be other types. The load balancer can check for the health of server instances by sending periodic keep-alive packets, and if an instance is not available, it can redirect incoming requests from a client to another active instance. There are different types of load balancers. Each cloud vendor offers its own specific types, but generally they fall into one of the following categories: - Round robin: The load balancer sends client requests equally to the servers in a rotation system. - IP hash: Client requests are sent to a specific server based on the client IP address. - Least connections: The load balancer monitors client/server connections and sends the next client request to the server that has the least number of current connections. This is also known as least busy or least used. - Least response time: The load balancer monitors client/server connections and sends the next client request to the server that has the least number of current connections and the lowest average response time. - Least bandwidth: The load balancer monitors client/server connection bandwidth and sends the request to the server that has the least amount of traffic.
A cloud firewall (sometimes referred to as a Firewall as a Service, or FaaS) is a resource that performs the same function as a regular firewall. These firewalls are commonly deployed in a VPC (see the “Virtual Private Cloud (VPC)” section next). The goal of a firewall is to inspect network traffic and determine if the traffic should be forwarded on to another network (or, in the case of host-based firewalls, a firewall determines if network traffic should be sent to the local operating system). Firewalls are typically used to protect a network from malicious traffic, but they can also be used to block network traffic from leaving an internal network. Virtual Private Cloud (VPC) A virtual private cloud is a feature provided by many cloud vendors (like Google Cloud and AWS) that enables you to create a virtual network within your cloud account. Note: Microsoft Azure’s equivalent to VPC is called Azure VNet (Virtual Network). Each cloud vendor will provide slightly different components in their VPC environment, but the following components are the most common: - Subnet: This component defines the IP address range of the resources within the VPC. - Routing table: Just as with a regular routing table, this table contains a set of rules that are used to determine how to route network traffic. - Gateway: This router is used to communicate between the VPC resources and a network outside the VPC. It is often referred to as the Internet gateway because this router typically provides access to the Internet for your VPC resources. - Firewall: See the preceding “Firewalls” section for more information. - Endpoint: This optional feature is used to allow a direct or private connection between two VPCs or between the VPC and an on-premises network. Hub and Spoke In situations in which the VPCs of an organization need to communicate with each other internally (not via the Internet), there are two primary ways to configure this communication. One method, hub and spoke, uses a primary or central VPC (the hub VPC) that is configured to communicate with each of the other VPCs (the spoke VPCs). The spoke VPCs have no direct communication between each other, but the hub VPC can be configured to allow communication to pass through the hub, enabling spoke VPCs to communicate. The advantage of this method is that the hub VPC can control all communication, making it easier to allow or block communication between the VPCs. The disadvantage is that it creates a single point of failure. An alternative to hub-and-spoke VPC is peering VPC, which is covered next. Peering When using peering, VPCs are configured to directly communicate between each other, without requiring any access to the Internet. In an environment with many VPCs, peering can be very complex and difficult to manage, making hub and spoke a better solution. VLAN/VxLAN/GENEVE For more information about VLAN, VxLAN, and GENEVE, see “Network Segmentation” in “Secure a Network in a Cloud Environment.” Single Root Input/Output Virtualization (SR-IOV) On physical systems there is a connection called Peripheral Component Interconnect Express (PCIe). This connection allows you to connect devices like graphic cards, network cards, sound cards, and other similar devices. In a virtual environment, SR-IOV can be used to represent a PCIe device as multiple virtual devices. This is done by providing virtual functions, allowing for separate configurations for each virtual machine. For example, an SR-IOV network card could be presented as four separate network cards, each with its own network port that can be configured differently for four different virtual machines. Software-Defined Network (SDN) Software-Defined Networking (SDN) is an approach to networking that uses software-based controllers or application programming interfaces (APIs) to communicate with underlying hardware infrastructure and direct traffic on a network.This model differs from that of traditional networks, which use dedicated hardware devices (i.e., routers and switches) to control network traffic. SDN can create and control a virtual network – or control a traditional hardware – via software. Quiz: 1. The caching name server will store the information in memory until the _____ period ends. A.TTL B.Zone record C.FQDN D.Domain 2. _____ is a technique that routes network packets from one network to another. A.IPsec B.MPLS C.VPN D.IPAM 3. Which IP class is the following IP address: 132.99.85.107? A.A B.B C.C D.D 4. What is the maximum number of hosts in the network 192.168.100.25/26? A.56 B.60 C.62 D.66 5. Which type of load balancer would consider both the number of connections and the server response time? A.IP hash B.Least connections C.Least bandwidth Answers: 1. TTL 2. MPLS 3. B 4. 62 5. None of these answers are correct (Least response time is correct.)
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.