Technical World: September 2021

Wednesday, September 1, 2021

interview questions

what aws services are you familiar with?
compute
database
network
storage
security
migration and transfer

encryption vs encapsulation what is difference?
Encapsulation is wrapping: the data of one layer is carried as the payload of the layer below, with a header (and sometimes a trailer) added around it, e.g. a TCP segment inside an IP packet inside an Ethernet frame, or a whole IP packet inside a GRE or ESP tunnel. The inner data is still readable by anyone who strips the outer header.
and
Encryption is the process of transforming information with an algorithm so that it is unreadable to anyone who does not hold the key. Encapsulation on its own gives no confidentiality; a VPN such as IPsec does both (ESP encapsulates the original packet and encrypts it).

how is data integrity different?
Data integrity refers to the accuracy and consistency (validity) of data over its lifecycle: what you read is exactly what was written or sent, with no accidental or malicious modification. Encryption by itself does not guarantee this; integrity comes from checksums, hashes and message authentication codes (for example the ICV in IPsec ESP).

DATA INTEGRITY VS. DATA SECURITY
Data security refers to the protection of data against unauthorized access or corruption, and is necessary to ensure data integrity.

what is TCP three way handshake?

SYN: the client initiates the connection and proposes its initial sequence number.
SYN-ACK: the server replies with its own SYN (its initial sequence number) plus an ACK acknowledging the client's SYN.
ACK: the client acknowledges the server's SYN; both sides are now ESTABLISHED and data can flow.
FIN is not part of the handshake; it is used for terminating a connection.

what info is sent in syn message?
The SYN carries a random initial sequence number (ISN, for example 4321) that marks the start of the sequence numbers the sender will use for its data; it is randomized so an off-path attacker cannot guess it and inject or hijack segments. The SYN also carries TCP options such as maximum segment size (MSS), window scale and SACK permitted, and the receive window the sender is offering.

MTU and MSS difference?
MTU is the maximum IP packet size a given link can carry (1500 bytes on standard Ethernet). MSS is the maximum TCP segment payload a host is willing to receive, excluding the TCP and IP headers; on a 1500-byte MTU link with no options that is 1500 - 20 (IP) - 20 (TCP) = 1460 bytes. An IP packet larger than the MTU is fragmented by a router (or dropped with an ICMP "fragmentation needed" if DF is set), whereas MSS is never enforced by the network: the sender simply never builds a segment larger than the MSS its peer advertised.
Each side advertises its MSS as a TCP option in its SYN during the three-way handshake. It is not negotiated to a common value; each sender uses the value the other side announced.
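The encapsulation and handshake notes above, as working code (an added example, not from the original post): a TCP SYN carrying an MSS option is wrapped in IPv4 and then Ethernet, then parsed back out layer by layer. The MAC and IP addresses, the ports and the fixed initial sequence number 4321 are constructed sample values; the option parser's length check is the one a real stack needs against hostile packets.

```python
"""Encapsulation and the TCP SYN end to end: build a SYN carrying an MSS option, wrap it
in an IPv4 packet, wrap that in an Ethernet frame, then peel the layers off again and
read the initial sequence number, flags and MSS. Added example, not from the page; the
MACs, addresses, ports and the fixed ISN are constructed sample values."""
import socket
import struct

ETH_HDR_LEN, IP_HDR_LEN, TCP_HDR_LEN = 14, 20, 20      # TCP length is without options
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6
TCP_OPT_MSS, FLAG_SYN = 2, 0x02


def mss_for_mtu(mtu):
    """Largest TCP payload per IPv4 packet on this link with no options: MTU minus the
    20-byte IP header and the 20-byte TCP header (1500 -> 1460)."""
    return mtu - IP_HDR_LEN - TCP_HDR_LEN


def ipv4_checksum(header):
    """Ones'-complement sum of 16-bit words; a header with a valid checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_tcp_syn(src_port, dst_port, isn, mss):
    """TCP header with only SYN set, the ISN, and the MSS option (kind 2, length 4).
    TCP checksum is left zero because nothing here goes on a wire."""
    options = struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    data_offset = (TCP_HDR_LEN + len(options)) // 4          # header length in 32-bit words
    return struct.pack("!HHIIHHHH", src_port, dst_port, isn, 0,
                       (data_offset << 12) | FLAG_SYN, 65535, 0, 0) + options


def build_ipv4(src_ip, dst_ip, payload, proto=IPPROTO_TCP):
    """IPv4 header with DF set (as a host doing path MTU discovery would) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(payload), 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_ethernet(dst_mac, src_mac, payload, ethertype=ETHERTYPE_IPV4):
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def parse_tcp_options(raw):
    """Walk the TLV option list. The length check matters: a hostile option with length
    0 or 1 would otherwise loop forever or run off the end of the header."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # End of Option List
            break
        if kind == 1:                       # NOP padding: one byte, no length field
            i += 1
            continue
        length = raw[i + 1] if i + 1 < len(raw) else 0
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed TCP option, kind %d" % kind)
        body = raw[i + 2:i + length]
        opts[kind] = struct.unpack("!H", body)[0] if kind == TCP_OPT_MSS and length == 4 else body
        i += length
    return opts


def parse_frame(frame):
    """Strip Ethernet, then IPv4, then TCP: encapsulation in reverse."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    if ipv4_checksum(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != IPPROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:struct.unpack("!H", ip[2:4])[0]]
    src_port, dst_port, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset, flags = (off_flags >> 12) * 4, off_flags & 0x1FF
    return {"src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
            "flags": flags, "is_syn": flags == FLAG_SYN,
            "mss": parse_tcp_options(tcp[TCP_HDR_LEN:data_offset]).get(TCP_OPT_MSS),
            "payload_len": len(tcp) - data_offset, "frame_len": len(frame)}


def syn_demo(mtu=1500, isn=4321):
    """First packet of the handshake leaving a host on a 1500-byte link. A real stack
    picks the ISN at random; it is fixed here only so the result is checkable."""
    tcp = build_tcp_syn(51234, 443, isn, mss_for_mtu(mtu))
    ip = build_ipv4("10.0.0.5", "203.0.113.10", tcp)
    return parse_frame(build_ethernet("00:11:22:33:44:55", "66:77:88:99:aa:bb", ip))
```

The frame is 14 + 20 + 24 bytes: each layer adds only its own header and leaves the inner bytes readable, which is exactly what encapsulation without encryption means. `syn_demo()` returns the parsed fields, with the MSS option reading 1460 for a 1500-byte MTU.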

why is packet fragmented?
If an IP packet is too big for the MTU of the link between two routing devices, it is broken into fragments. Each fragment is a valid IP packet in its own right and is routed independently; they are reassembled only at the destination host. That is also why fragments are a classic evasion vector against firewalls and IDS that do not reassemble before inspecting.

what is MF bit?
More Fragments (MF, 1 bit in the IP header flags): MF = 1 means more fragments of this datagram follow; MF = 0 marks the last fragment. Together with the 13-bit fragment offset (in 8-byte units) and the identification field it lets the receiver put the datagram back together.

DF bit value on Ethernet.
DF (Don't Fragment) is a bit in the IP header flags that tells routers they may not fragment the packet. If a DF packet is larger than the next hop's MTU the router drops it and returns ICMP Destination Unreachable / Fragmentation Needed (type 3, code 4) carrying that MTU; this is how Path MTU Discovery works. Hosts on Ethernet normally send TCP segments with DF set, so a firewall that blocks that ICMP reply black-holes connections that cross a smaller-MTU link.
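The fragmentation, MF and DF notes above in code (an added example, not from the original post). It fragments a constructed 3072-byte datagram for a 1500-byte link, reassembles it while rejecting gaps and overlapping fragments, and models the DF case: a router that cannot forward a DF packet drops it and signals ICMP Fragmentation Needed, represented here by a Python exception carrying the next-hop MTU. Addresses and the identification value are made up, and IP header checksums are left at zero.

```python
"""IPv4 fragmentation at a router and reassembly at the destination host, driven by
the MF and DF bits. Added example, not from the page; addresses, identification value
and payload are constructed, and header checksums are left zero to keep it short."""
import socket
import struct

IP_HDR_LEN = 20
FLAG_DF, FLAG_MF, OFFSET_MASK = 0x4000, 0x2000, 0x1FFF
IP_FMT = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst


class FragmentationNeeded(Exception):
    """Stands in for ICMP Destination Unreachable, Fragmentation Needed (type 3, code 4):
    the router drops a DF packet that does not fit and tells the sender the next-hop MTU."""
    def __init__(self, next_hop_mtu):
        super().__init__("fragmentation needed, next-hop MTU %d" % next_hop_mtu)
        self.next_hop_mtu = next_hop_mtu


def build_packet(src, dst, payload, ident=1, df=False, proto=17):
    flags = FLAG_DF if df else 0
    return struct.pack(IP_FMT, 0x45, 0, IP_HDR_LEN + len(payload), ident, flags, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload


def parse_header(pkt):
    vihl, _tos, total_len, ident, flags, _ttl, proto, _csum, src, dst = struct.unpack(IP_FMT, pkt[:IP_HDR_LEN])
    return {"ihl": (vihl & 0x0F) * 4, "total_len": total_len, "ident": ident, "proto": proto,
            "src": src, "dst": dst, "df": bool(flags & FLAG_DF), "mf": bool(flags & FLAG_MF),
            "offset": (flags & OFFSET_MASK) * 8}        # offset field counts 8-byte units


def fragment(pkt, mtu):
    """Router behaviour on an outgoing link of size mtu: forward if it fits, drop with
    'ICMP' if DF is set, otherwise split into MTU-sized fragments. Also works on a
    fragment (re-fragmentation), preserving its offset and MF."""
    h = parse_header(pkt)
    if len(pkt) <= mtu:
        return [pkt]
    if h["df"]:
        raise FragmentationNeeded(mtu)
    ihl, hdr = h["ihl"], pkt[:h["ihl"]]
    data = pkt[ihl:h["total_len"]]
    chunk = (mtu - ihl) // 8 * 8                   # fragment payloads must be multiples of 8
    frags = []
    for pos in range(0, len(data), chunk):
        piece = data[pos:pos + chunk]
        last = pos + chunk >= len(data)
        mf = FLAG_MF if (not last or h["mf"]) else 0
        flags = mf | (h["offset"] + pos) // 8
        frags.append(hdr[:2] + struct.pack("!H", ihl + len(piece)) + hdr[4:6]
                     + struct.pack("!H", flags) + hdr[8:] + piece)
    return frags


def reassemble(frags):
    """Destination host: fragments of one datagram share (src, dst, id, proto); place each
    at its offset and finish when the MF=0 fragment has arrived with no gaps. Gaps and
    overlaps are rejected, as a hardened stack does (overlapping fragments are the
    classic teardrop / IDS-evasion trick)."""
    frags = sorted(frags, key=lambda f: parse_header(f)["offset"])
    first = parse_header(frags[0])
    key = (first["src"], first["dst"], first["ident"], first["proto"])
    data = bytearray()
    for i, f in enumerate(frags):
        h = parse_header(f)
        if (h["src"], h["dst"], h["ident"], h["proto"]) != key:
            raise ValueError("fragment belongs to another datagram")
        if h["offset"] != len(data):
            raise ValueError("gap or overlap at offset %d" % h["offset"])
        if not h["mf"] and i != len(frags) - 1:
            raise ValueError("data after the last fragment")
        data += f[h["ihl"]:h["total_len"]]
    if parse_header(frags[-1])["mf"]:
        raise ValueError("last fragment (MF=0) not yet received")
    hdr = frags[0][:first["ihl"]]
    return (hdr[:2] + struct.pack("!H", first["ihl"] + len(data)) + hdr[4:6]
            + struct.pack("!H", FLAG_DF if first["df"] else 0) + hdr[8:] + bytes(data))


def pmtud_probe(pkt, mtu):
    """Path MTU discovery in miniature: the sender set DF; if the 'ICMP' comes back it
    learns the MTU it must shrink to. Returns None when the packet fit."""
    try:
        fragment(pkt, mtu)
        return None
    except FragmentationNeeded as e:
        return e.next_hop_mtu


def fragmentation_demo():
    """3072-byte datagram over a 1500-byte link: three fragments, MF set on all but the
    last, offsets 0/1480/2960, and reassembly returns the original datagram."""
    pkt = build_packet("10.0.0.5", "203.0.113.10", bytes(range(256)) * 12, ident=0x1234)
    frags = fragment(pkt, 1500)
    summary = [(parse_header(f)["offset"], parse_header(f)["mf"], len(f)) for f in frags]
    return summary, reassemble(frags) == pkt
```

The first two fragments are 1500 bytes with MF = 1, the last is 132 bytes with MF = 0; a fragment can itself be fragmented again on a smaller downstream link and still reassemble, and a DF packet that does not fit is never split, only reported.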

while closing TCP connection 4 steps why?
FIN --> ACK --> FIN --> ACK
A TCP connection is full duplex and each direction is closed independently. The side that sends FIN is saying "I have no more data to send", but it can still receive, so the peer ACKs and may keep sending (half-close) until it sends its own FIN, which is ACKed in turn. The two FIN/ACK pairs are therefore separate events; when the second FIN is sent together with the first ACK they collapse into three segments.

How IPSEC tunnel is formed.
Step 1: Interesting traffic initiates the IPSec process. Traffic is deemed interesting when the IPSec security policy configured in the IPSec peers starts the IKE process.
Step 2: IKE phase one. IKE authenticates IPSec peers and negotiates IKE SAs during this phase, setting up a secure channel for negotiating IPSec SAs in phase two.
Step 3: IKE phase two. IKE negotiates IPSec SA parameters and sets up matching IPSec SAs in the peers.
Step 4: Data transfer. Data is transferred between IPSec peers based on the IPSec parameters and keys stored in the SA database.
Step 5: IPSec tunnel termination. IPSec SAs terminate through deletion or by timing out.

what is NAT-T in vpn? how one device know if there is a NAT device in path? on firewall how will you see there is a NAT device in path in case of NAT-T?
NAT Traversal (RFC 3947/3948) performs two tasks:
    Detects if both ends support NAT-T
    Detects NAT devices along the transmission path (NAT-Discovery)
Step one occurs in ISAKMP Main Mode messages one and two (a vendor ID payload). If both devices support NAT-T, NAT-Discovery is performed in ISAKMP Main Mode messages three and four. The NAT-D payload is a hash of the ISAKMP cookies together with an IP address and port. Each device sends two NAT-D payloads, one for the destination IP and port and one for its own source IP and port, as it sees them. The receiving device recalculates the hashes from the addresses actually present on the packet and compares them with the hashes it received; if the source hash does not match, the peer is behind a NAT, and if the destination hash does not match, the receiver itself is.
If a NAT device has been detected, NAT-T changes the ISAKMP transport with Main Mode messages five and six, at which point all ISAKMP packets move from UDP port 500 to UDP port 4500. Quick Mode (IPsec Phase 2) is carried inside UDP 4500 as well, and after Quick Mode completes the ESP traffic on the IPsec Security Association is encapsulated in UDP 4500 too, which gives the PAT device a port to translate (plain ESP, IP protocol 50, has none). On a firewall that is what you see: IKE starts on UDP/500 and then shifts to UDP/4500, and instead of ESP the data traffic appears as UDP/4500 flows, with periodic one-byte NAT keepalives. IKE debug output on the gateway will also state whether NAT was detected in front of the local or the remote peer.
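The NAT-D exchange above and the firewall view of UDP/4500, as an added example that is not from the original post. SHA-1 stands in for whatever hash algorithm the ISAKMP SA negotiated, and the cookies, addresses and PAT mapping are constructed. One peer builds its two NAT-D hashes, the packet crosses a PAT that rewrites the source address and port, and the receiver recomputes the hashes from what it actually sees on the wire.

```python
"""NAT-Discovery as IKEv1 NAT-T does it (RFC 3947), plus what the traffic looks like on
a firewall afterwards (RFC 3948). Added example, not from the page: SHA-1 stands in for
whatever hash the ISAKMP SA negotiated, and the cookies, addresses and NAT mapping are
constructed sample values."""
import hashlib
import socket
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"


def nat_d_hash(cky_i, cky_r, ip, port):
    """NAT-D payload content: HASH(CKY-I | CKY-R | IP | Port)."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_d_payloads(cky_i, cky_r, local, remote):
    """What a peer sends in Main Mode 3/4: first the hash of the address and port it is
    sending to, then the hash of what it believes its own address and port are."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i, cky_r, received, observed_dst, observed_src):
    """Receiver: recompute both hashes from the IP header and UDP ports actually seen on
    the packet. The destination hash failing means this end is behind a NAT; the source
    hash failing means the peer is. Either result moves IKE and ESP to UDP 4500."""
    dst_ok = received[0] == nat_d_hash(cky_i, cky_r, *observed_dst)
    src_ok = received[1] == nat_d_hash(cky_i, cky_r, *observed_src)
    return {"receiver_behind_nat": not dst_ok, "sender_behind_nat": not src_ok,
            "use_udp_4500": not (dst_ok and src_ok)}


def classify_udp4500(payload):
    """What a firewall sees on UDP/4500 once NAT-T is active: IKE messages carry a 4-byte
    zero Non-ESP Marker, a single 0xFF byte is a NAT keepalive, and anything else is
    UDP-encapsulated ESP whose first 4 bytes are the (non-zero) SPI."""
    if payload == b"\xff":
        return "NAT-keepalive"
    if len(payload) < 4:
        return "runt"
    return "IKE" if payload[:4] == NON_ESP_MARKER else "ESP"


def nat_t_demo():
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8        # 8-byte ISAKMP cookies, constructed
    initiator = ("192.168.1.10", 500)             # private address behind a PAT device
    responder = ("203.0.113.5", 500)
    pat_public = ("198.51.100.7", 12345)          # what the PAT rewrites the source to
    payloads = nat_d_payloads(cky_i, cky_r, local=initiator, remote=responder)
    # Across the PAT: source IP and port rewritten, destination unchanged.
    through_nat = detect_nat(cky_i, cky_r, payloads, observed_dst=responder, observed_src=pat_public)
    # Same payloads with no NAT in the path.
    no_nat = detect_nat(cky_i, cky_r, payloads, observed_dst=responder, observed_src=initiator)
    return through_nat, no_nat
```

Only the source hash fails when the initiator sits behind a PAT, so the responder concludes that its peer, not itself, is NATed; with nothing in the path both hashes match and the SA stays on UDP/500 with native ESP.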

different kinds of NAT, why use source NAT?
static NAT: one private IP address is permanently mapped to one public IP address (one-to-one), so inbound connections to the public address also reach the host, e.g. a published server.
dynamic NAT: private IP addresses are mapped to a pool of public IP addresses, one per active host for the life of the session.
PAT: also known as NAT overload, or source NAT with port translation. Many local (private) IP addresses are translated to a single public IP address and the source port numbers are rewritten so that return traffic can be matched to the right internal host.
Source NAT is used because public address space is scarce (many hosts share one or a few public addresses), because it hides the internal addressing from the outside, and because, as a side effect, unsolicited inbound traffic with no matching translation entry is dropped.
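A minimal PAT translation table (added example, not from the original post; addresses are constructed and port allocation is a plain counter) showing why the rewritten port is what disambiguates two hosts that happen to pick the same private source port, and why unsolicited inbound traffic has nowhere to go.

```python
"""PAT (NAT overload) translation table: many private hosts share one public address
and the rewritten source port is what tells return traffic apart. Added example, not
from the page; addresses are constructed and the port allocator is a simple counter."""


class Pat:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound_map = {}   # (priv ip, priv port, dst ip, dst port) -> public port
        self.inbound_map = {}    # public port -> (priv ip, priv port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the private side: allocate (or reuse) a public port for this
        flow and rewrite the source to public_ip:port. Two hosts using the same private
        source port get different public ports, which is the whole point of PAT."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        if flow not in self.outbound_map:
            if self.next_port > 65535:
                raise RuntimeError("public port pool exhausted")   # ~64k flows per public IP
            self.outbound_map[flow] = self.next_port
            self.inbound_map[self.next_port] = (src_ip, src_port)
            self.next_port += 1
        return (self.public_ip, self.outbound_map[flow], dst_ip, dst_port)

    def inbound(self, dst_port):
        """Packet arriving at public_ip:dst_port: translate back to the private host, or
        None if no outbound flow created the mapping. Unsolicited inbound is dropped,
        which is why PAT behaves like a crude stateful filter; static NAT, being
        one-to-one, would forward it."""
        return self.inbound_map.get(dst_port)


def pat_demo():
    pat = Pat("198.51.100.7")
    a = pat.outbound("10.0.0.5", 40000, "203.0.113.10", 443)
    b = pat.outbound("10.0.0.6", 40000, "203.0.113.10", 443)   # same source port as host a
    a_again = pat.outbound("10.0.0.5", 40000, "203.0.113.10", 443)
    return {"a": a, "b": b, "same_flow_reuses_port": a == a_again,
            "reply_to_b": pat.inbound(b[1]), "unsolicited": pat.inbound(5555)}
```

Host a and host b both leave as 198.51.100.7 but on ports 1024 and 1025, so the reply to b can be mapped back to 10.0.0.6:40000; a packet to an unallocated port has no entry and is dropped. Real implementations key on the full 5-tuple and time entries out; this one deliberately keeps only what the question is about.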

what is a typical 3 tier mobile app architecture, components, security?
presentation tier: user interface (the mobile app itself, or a web front end)
application tier: where data is processed (API servers, business logic)
data tier: where the data associated with the application is stored and managed (databases, object storage)
Security: each tier sits in its own network segment and talks only to the adjacent tier, so the data tier is never reachable from the internet; the application tier authenticates and authorizes every request from the presentation tier, because the mobile client is untrusted; traffic between tiers uses TLS; and secrets live with the application tier, never in the client.

how is DDOS attack known in AWS infra and how to protect.
AWS Shield Standard is built in and free for every AWS customer. DDoS attacks are detected by a system that automatically baselines traffic, identifies anomalies and, as necessary, creates mitigations. Shield Advanced adds tailored detection, 24x7 response for protected Elastic IPs, ELB, CloudFront, Global Accelerator and Route 53 resources, and cost protection for scaling caused by an attack.

security services aws has against attacks?
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. Alongside it: AWS WAF for layer 7 filtering (rate-based rules, managed rule groups) in front of CloudFront, ALB and API Gateway; security groups and network ACLs for layer 3/4 filtering; GuardDuty for threat detection; and CloudFront and Route 53 to absorb volumetric traffic at the edge.

how is ddos attack protected in any firewall.
how to mitigate large scale DDOS attack.

layer3 vs layer7 load balancer?
l3/l4 (network/transport layer)
simple, fast, efficient: decisions are made on IP addresses and TCP/UDP ports only.
smaller attack surface, as the payload is neither parsed nor decrypted on the LB.
uses NAT (or direct server return); there is one TCP connection end to end between client and server, so the cluster supports as many connections as the servers collectively can.
no content-aware routing, because the LB never looks at the request.
sticky by nature: once a connection is established with one server it stays there, but a new connection may land anywhere unless source-IP persistence is configured.
l7 (application layer)
smart routing based on URL, host header or cookies.
caching, compression and request rewriting support.
more expensive, in CPU and in money.
requires decrypting TLS on the LB to see the request (and re-encrypting towards the back end if the internal hop must stay protected).
larger attack surface: the LB holds the certificates and private keys, so a compromised LB exposes every site behind it, and it parses untrusted HTTP itself.
creates two connections per client (it is a proxy by nature), so you are bounded by the maximum TCP connections your load balancer can hold, not by the cluster.

what is a http 502 error?

The HyperText Transfer Protocol (HTTP) 502 Bad Gateway server error response code indicates that the server, while acting as a gateway or proxy, received an invalid response from the upstream server. Behind a load balancer it usually means the backend reset the connection or returned a malformed response; 503 means no healthy backend was available, and 504 means the upstream did not answer within the timeout.
HTTP status code classes:
    Informational responses (100–199)
    Successful responses (200–299)
    Redirects (300–399)
    Client errors (400–499)
    Server errors (500–599)

situation where you went above and beyond what you are assigned for?

what are the technology you are learning these days?

can you discuss about anytime where you helped your colleague etc?

why do you want to join XYZ company?