search

Using multiple overlapping layers to secure data and resources is known as which of the following?

1 Jahrs vor
Kommentare: 0
Ansichten: 184

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the internet.

Show

To protect the AWS resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (ACL).

Contents

  • Subnet basics
  • Subnet sizing
  • Subnet routing
  • Subnet security
  • Work with subnets
  • Use subnet CIDR reservations
  • Group CIDR blocks using managed prefix lists
  • Configure route tables
  • Control traffic to subnets using Network ACLs

Subnet basics

A subnet is a range of IP addresses in your VPC. You can launch AWS resources, such as EC2 instances, into a specific subnet. When you create a subnet, you specify the IPv4 CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single zone.

You can optionally add subnets in a Local Zone, which is an AWS infrastructure deployment that places compute, storage, database, and other select services closer to your end users. A Local Zone enables your end users to run applications that require single-digit millisecond latencies. For more information, see Local Zones in the Amazon EC2 User Guide for Linux Instances.

Subnet types

Depending on how you configure your VPC, subnets are considered public, private, or VPN-only:

  • Public subnet: The subnet traffic is routed to the public internet through an internet gateway or an egress-only internet gateway. For more information, see Connect to the internet using an internet gateway.

  • Private subnet: The subnet traffic can't reach the public internet through an internet gateway or egress-only internet gateway. Access to the public internet requires a NAT device.

  • VPN-only subnet: The subnet traffic is routed to a Site-to-Site VPN connection through a virtual private gateway. The subnet traffic can't reach the public internet through an internet gateway. For more information, see the AWS Site-to-Site VPN User Guide.

When you create a subnet, you specify its IP addresses, depending on the configuration of the VPC:

  • IPv4 only: The subnet has an IPv4 CIDR block but does not have an IPv6 CIDR block. Resources in an IPv4-only subnet must communicate over IPv4.

  • Dual stack: The subnet has both an IPv4 CIDR block and an IPv6 CIDR block. The VPC must have both an IPv4 CIDR block and an IPv6 CIDR block. Resources in a dual-stack subnet can communicate over IPv4 and IPv6.

  • IPv6 only: The subnet has an IPv6 CIDR block but does not have an IPv4 CIDR block. The VPC must have an IPv6 CIDR block. Resources in an IPv6-only subnet must communicate over IPv6.

Regardless of the type of subnet, the internal IPv4 address range of the subnet is always private—we do not announce the address block to the internet. For more information about private IP addressing in VPCs, see IP addressing.

Subnet settings

All subnets have a modifiable attribute that determines whether a network interface created in that subnet is assigned a public IPv4 address and, if applicable, an IPv6 address. This includes the primary network interface (eth0) that's created for an instance when you launch an instance in that subnet. Regardless of the subnet attribute, you can still override this setting for a specific instance during launch.

After you create a subnet, you can modify the following settings for the subnet.

  • Auto-assign IP settings: Enables you to configure the auto-assign IP settings to automatically request a public IPv4 or IPv6 address for a new network interface in this subnet.

  • Resource-based Name (RBN) settings: Enables you to specify the hostname type for EC2 instances in this subnet and configure how DNS A and AAAA record queries are handled. For more information about these settings, see Amazon EC2 instance hostname types in the Amazon EC2 User Guide for Linux Instances.

Subnet diagram

The following diagram shows two VPCs in a Region. Each VPC has public and private subnets and an internet gateway. The VPC also spans a Local Zone.

Using multiple overlapping layers to secure data and resources is known as which of the following?

Subnet sizing

The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC), or a subset of the CIDR block for the VPC (to create multiple subnets in the VPC). The allowed block size is between a /28 netmask and /16 netmask. If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap.

For example, if you create a VPC with CIDR block 10.0.0.0/24, it supports 256 IP addresses. You can break this CIDR block into two subnets, each supporting 128 IP addresses. One subnet uses CIDR block 10.0.0.0/25 (for addresses 10.0.0.0 - 10.0.0.127) and the other uses CIDR block 10.0.0.128/25 (for addresses 10.0.0.128 - 10.0.0.255).

There are tools available on the internet to help you calculate and create IPv4 subnet CIDR blocks. You can find tools that suit your needs by searching for terms such as 'subnet calculator' or 'CIDR calculator'. Your network engineering group can also help you determine the CIDR blocks to specify for your subnets.

The first four IP addresses and the last IP address in each subnet CIDR block are not available for your use, and they cannot be assigned to a resource, such as an EC2 instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:

  • 10.0.0.0: Network address.

  • 10.0.0.1: Reserved by AWS for the VPC router.

  • 10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.

  • 10.0.0.3: Reserved by AWS for future use.

  • 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.

If you create a subnet using a command line tool or the Amazon EC2 API, the CIDR block is automatically modified to its canonical form. For example, if you specify 100.68.0.18/18 for the CIDR block, we create a CIDR block of 100.68.0.0/18.

Subnet sizing for IPv6

If you've associated an IPv6 CIDR block with your VPC, you can associate an IPv6 CIDR block with an existing subnet in your VPC, or when you create a new subnet. A subnet's IPv6 CIDR block is a fixed prefix length of /64.

There are tools available on the internet to help you calculate and create IPv6 subnet CIDR blocks; for example, IPv6 Address Planner. You can find other tools that suit your needs by searching for terms such as 'IPv6 subnet calculator' or 'IPv6 CIDR calculator'. Your network engineering group can also help you determine the IPv6 CIDR blocks to specify for your subnets.

The first four IPv6 addresses and the last IPv6 address in each subnet CIDR block are not available for your use, and they cannot be assigned to an EC2 instance. For example, in a subnet with CIDR block 2001:db8:1234:1a00/64, the following five IP addresses are reserved:

  • 2001:db8:1234:1a00::

  • 2001:db8:1234:1a00::1

  • 2001:db8:1234:1a00::2

  • 2001:db8:1234:1a00::3

  • 2001:db8:1234:1a00:ffff:ffff:ffff:ffff

Subnet routing

Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC. You can change the association, and you can change the contents of the main route table. For more information, see Configure route tables.

Subnet security

AWS provides two features that you can use to increase security in your VPC: security groups and network ACLs. Security groups control inbound and outbound traffic for your instances, and network ACLs control inbound and outbound traffic for your subnets. In most cases, security groups can meet your needs; however, you can also use network ACLs if you want an additional layer of security for your VPC. For more information, see Internetwork traffic privacy in Amazon VPC.

By design, each subnet must be associated with a network ACL. Every subnet that you create is automatically associated with the default network ACL for the VPC. You can change the association, and you can change the contents of the default network ACL. For more information, see Control traffic to subnets using Network ACLs.

You can create a flow log on your VPC or subnet to capture the traffic that flows to and from the network interfaces in your VPC or subnet. You can also create a flow log on an individual network interface. For more information, see Logging IP traffic using VPC Flow Logs.

What are the 3 elements of network security?

The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability. Each component represents a fundamental objective of information security.

Which of the following is a security approach that combines multiple security controls and defenses?

Layered security, sometimes called defense in depth security is a security approach that combines multiple security controls and defenses to create a cumulative effect.

Which of the following items would be implemented at the network layer of the security model?

Which of the following items would be implemented at the Network layer of the security model? EXPLANATION The installation and configuration of switches and routers, the implementation of VLANs, penetration testing, and virtualization are implemented at the Network layer.

Which of the following is an example of technical controls that can be used for physical security?

Examples include physical controls such as fences, locks, and alarm systems; technical controls such as antivirus software, firewalls, and IPSs; and administrative controls like separation of duties, data classification, and auditing.

multiple overlapping layers secure data resources CIA triad Confidentiality, integrity, availability

zusammenhängende Posts

A nurse is teaching a client who has multiple sclerosis about a new prescription for dantrolene
A nurse is teaching a client who has multiple sclerosis about a new prescription for dantrolene

What is the maximum reimbursement that can be paid from the Florida real estate Recovery Fund if multiple Judgements?
What is the maximum reimbursement that can be paid from the Florida real estate Recovery Fund if multiple Judgements?

What is the term for a comprehensive communication that conveys multiple points designed to persuade the customer to make a purchase?
What is the term for a comprehensive communication that conveys multiple points designed to persuade the customer to make a purchase?

Why do companies use a predetermined overhead rate rather than an actual overhead rate multiple choice question?
Why do companies use a predetermined overhead rate rather than an actual overhead rate multiple choice question?

Which of the following is a determinant of demand multiple choice question producer expectations technology income resource prices?
Which of the following is a determinant of demand multiple choice question producer expectations technology income resource prices?

If a class has multiple methods having same name but different in parameters, it is known as
If a class has multiple methods having same name but different in parameters, it is known as

When a method is mean that multiple methods in the same class have the same name but use different types of parameters?
When a method is mean that multiple methods in the same class have the same name but use different types of parameters?

Which of the following provides a suite of integrated software modules in a common central database that allows data to be used by multiple functions in business processes?
Which of the following provides a suite of integrated software modules in a common central database that allows data to be used by multiple functions in business processes?

What is it called when Multiple independent research studies are summarized in a systematic way?
What is it called when Multiple independent research studies are summarized in a systematic way?

What is the term for the statistical approach that calculates and then combines the effect sizes from multiple studies?
What is the term for the statistical approach that calculates and then combines the effect sizes from multiple studies?

NEUESTEN NACHRICHTEN

Kann ich sehen wer auf mein Profil geht?
1 Jahrs vor . durch HabitualShopping
Baustatik gleich angewandte phsyik
1 Jahrs vor . durch ExasperatedParadox
What are the steps in the planning process Why is it important to follow it?
1 Jahrs vor . durch Eighteenth-centuryLeasing
Why is it important to have unity of command in an organizational structure?
1 Jahrs vor . durch BulgingStairway
Wie nennt man einen weiblichen Gourmet?
1 Jahrs vor . durch UninformedBroth
Was bedeutet es wenn man nach rechts schaut?
1 Jahrs vor . durch TranquilLustre
Wie ist zurzeit der Stand in der Formel 1?
1 Jahrs vor . durch SultryExaggeration
Was ist der unterschied zwischen hurricane und tornado
1 Jahrs vor . durch RoyalBuilding
Which of the following researchers developed the Thematic Apperception Test?
1 Jahrs vor . durch MountainousHoarding
Siemens Waschmaschine schleudert nicht und pumpt nicht ab
1 Jahrs vor . durch RestrainingVariation

Populer

Um

Legal

Hilfe

Sozial

Urheberrechte © © 2024 WIKIFI Inc.