N10-009 Networking Concepts Study Guide for the CompTIA Network+
Page 2
Cloud Concepts and Connectivity
Cloud computing involves using the internet for computing functionality. The cloud offers a wide range of computing services and methods of connection. You should be able to summarize common cloud concepts and connectivity options.
Network Functions Virtualization (NFV)
NFV is a process by which networking devices, such as routers, switches, firewalls, and load balancers, are placed in a virtual environment, allowing for multiple networking functions to exist on a single device via a hypervisor. This results in the creation of multiple virtual machines (VMs).
Virtual Private Cloud (VPC)
A VPC implements all networking functions virtually within the cloud environment. Although a VPC may be hosted in a public cloud, it is separated from the other tenants of that cloud through authentication and encryption.
Network Security Group (NSG)
An NSG is a method of filtering network traffic based on a predefined set of rules applied to a specific group of users or to a network placement such as a subnet or a network interface. NSGs provide increased access control to the network by creating rules based on parameters such as port numbers, target destinations, or protocols.
Network Security List
A network security list is similar to an NSG but is applied to all virtual network interface cards (vNICs) in a subnet. The network security list functions similarly to a virtual firewall, allowing or denying network traffic based on predefined rules.
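An added example (not from this study guide or any cloud provider's API) that models how an NSG or security list evaluates an inbound flow against prioritized rules built from the parameters named above: protocol, destination port, and source range. The rule format, the priority ordering, and the sample rule set are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed rule model (not any provider's real API): rules are evaluated
# from the lowest priority number upward and the first match decides.
@dataclass(frozen=True)
class Rule:
    priority: int
    action: str              # "allow" or "deny"
    protocol: str            # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int]  # None matches any destination port
    source: str              # source CIDR, e.g. "0.0.0.0/0"

def matches(rule: Rule, proto: str, dport: int, src: str) -> bool:
    if rule.protocol != "any" and rule.protocol != proto:
        return False
    if rule.dst_port is not None and rule.dst_port != dport:
        return False
    return ip_address(src) in ip_network(rule.source)

def evaluate(rules: List[Rule], proto: str, dport: int, src: str) -> str:
    """Decide 'allow' or 'deny' for one inbound flow against a rule set."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, proto, dport, src):
            return rule.action
    return "deny"  # nothing matched: fall back to deny, the safe default

# Constructed rule set for a web-server subnet: HTTPS from anywhere, SSH only
# from a management range, and an explicit catch-all deny at the end.
WEB_SUBNET_RULES = [
    Rule(100, "allow", "tcp", 443, "0.0.0.0/0"),
    Rule(200, "allow", "tcp", 22, "10.0.100.0/24"),
    Rule(4096, "deny", "any", None, "0.0.0.0/0"),
]

if __name__ == "__main__":
    flows = [("tcp", 443, "203.0.113.5"), ("tcp", 22, "203.0.113.5"),
             ("tcp", 22, "10.0.100.7"), ("udp", 53, "10.0.0.9")]
    for proto, port, src in flows:
        print(f"{proto}/{port} from {src}: {evaluate(WEB_SUBNET_RULES, proto, port, src)}")
```

The ordering matters: an SSH attempt from the internet never reaches the management-range allow rule because the deny rule has a higher priority number, while a deny placed at a lower number than an allow would shadow that allow entirely.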
Cloud Gateways
A gateway controls access to a set of resources. A cloud gateway is used to control access between local resources and cloud resources.
Internet Gateway
An internet gateway resides between a LAN and the internet, controlling access. An internet gateway is commonly provided by an internet service provider (ISP) in homes or small businesses but may be controlled in-house for larger enterprises.
Network Address Translation (NAT) Gateway
NAT is the protocol that allows for multiple private addresses to connect to a single public IP address to gain access to devices outside of the network, such as the internet. NAT creates a logical map of all devices on a network and their corresponding private IP addresses and uses that information to direct traffic to the appropriate device. The NAT gateway is the service that allows for the connection between the private network and the public network.
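An added example (not from this study guide) of the logical map a NAT gateway keeps so that many private hosts can share one public IP address: outbound packets are rewritten to the public address and a gateway-chosen port, and replies are mapped back to the private host that opened the mapping. The class, the port range, and all addresses are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address, port)

class NatGateway:
    """Constructed model of a NAT gateway that maps many private hosts
    onto a single public IP by allocating a distinct public port per flow."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Endpoint, int] = {}  # (private ip, port) -> public port
        self.inbound: Dict[int, Endpoint] = {}   # public port -> (private ip, port)

    def translate_outbound(self, src: Endpoint) -> Endpoint:
        """Rewrite a private source endpoint to the shared public address,
        creating a new table entry the first time this flow is seen."""
        if src not in self.outbound:
            port = self.next_port
            self.next_port += 1
            self.outbound[src] = port
            self.inbound[port] = src
        return (self.public_ip, self.outbound[src])

    def translate_inbound(self, dst: Endpoint) -> Optional[Endpoint]:
        """Map a packet arriving at the public address back to the private
        host. Returns None when no host opened that mapping, which is why
        unsolicited inbound traffic is dropped by default."""
        if dst[0] != self.public_ip:
            return None
        return self.inbound.get(dst[1])

if __name__ == "__main__":
    nat = NatGateway("198.51.100.10")
    # Two private hosts happen to use the same source port (constructed sample).
    print(nat.translate_outbound(("192.168.1.10", 51000)))
    print(nat.translate_outbound(("192.168.1.11", 51000)))
    print(nat.translate_inbound(("198.51.100.10", 40001)))
    print(nat.translate_inbound(("198.51.100.10", 40999)))  # no mapping -> None
```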
Cloud Connectivity Options
Connectivity refers to how a client connects to the cloud environment. By default, the public internet is used to create this connection. However, connecting via a public internet connection is not the most secure connection method. Using a virtual private network or private-direct connection offers increased security.
Virtual Private Network (VPN)
A VPN can be used to connect a client to the cloud environment securely. A site-to-site VPN establishes a secure connection between the client and the cloud over a public internet connection. Once the connection is made and verified on both ends, a secure tunnel is created through which traffic is routed.
Direct Connect
A direct connection to a cloud provider is a dedicated physical connection between a client and a cloud provider or interconnection provider. All transmissions between the cloud and the client are sent through this direct connection.
Deployment Models
A cloud deployment model defines how cloud resources are allocated and who has access to those resources. Deployment models also define who manages the allocated cloud resources.
Public
A public cloud deployment model is managed and maintained by a third party and open for use by the entire internet. A public cloud is pay-per-use, requires very little setup or maintenance, and is highly scalable. However, it is the least secure cloud deployment model, since it is open to all users and offers little ability for customization. Examples of public clouds include Microsoft Azure and Amazon EC2.
Private
A private cloud deployment model offers the owner the highest level of control over the cloud environment. A private cloud reserves cloud space for the sole use of the owner. Private clouds also offer high security and privacy, extensive customization abilities, and support of legacy systems. A private cloud is, however, expensive and less scalable.
Hybrid
A hybrid cloud is a mixture of a private and a public cloud. In a hybrid cloud, the deployment is separated into a public and a private section, allowing the user to move data and applications between the two depending on their requirements. A hybrid cloud offers increased flexibility and control compared to a public cloud at a lower cost than a private cloud while also providing increased security. A hybrid cloud can be difficult to manage, however, and has slower transmission speeds due to using the public portion for data transmission.
Service Models
A cloud service model defines the responsibilities of the cloud service provider and the client. Cloud service models are referred to as “[something] as a service” (aaS). While there are numerous uses of the aaS phraseology, there are three primary cloud service models: SaaS, PaaS, and IaaS. Each service model provides different levels of control for the user with associated levels of responsibility for network security. While a cloud computing environment is a virtual networking environment, it is still prone to the same security risks as an on-premises network, including internal and external threats, social engineering and phishing threats, and data breaches.

[Figure: Cloud computing layers. Retrieved from: https://commons.wikimedia.org/wiki/File:Cloud_computing_layers.svg]
Software as a Service (SaaS)
SaaS is a cloud service model in which the service provider is responsible for the entire cloud infrastructure. The user is only allowed to use the software (or application) provided by the cloud provider, such as in Dropbox or Microsoft Teams. SaaS gives the user the least amount of control over the infrastructure and only allows for usage and not creation.
Infrastructure as a Service (IaaS)
IaaS gives the majority of the responsibility to the client. The cloud provider is only responsible for providing hardware and virtualization to the client. The client is responsible for the OS and everything running on the OS, including security. AWS EC2 and Microsoft Azure are examples of IaaS. IaaS gives the user the most control over the infrastructure and allows for the complete creation of virtual machines, servers, load balancers, etc., from the OS up.
Platform as a Service (PaaS)
PaaS places responsibility for the infrastructure of the cloud on the cloud service provider, including the hardware and the software running on the platform. Meanwhile, the client retains responsibility for the data and applications that are loaded on the platform. AWS Elastic Beanstalk and Adobe Commerce are examples of PaaS. PaaS gives the user a moderate amount of control over the infrastructure and allows for development upon a predefined platform.

[Figure 1: Cloud Service Provider and Consumer Responsibilities for the Three Service Models. Retrieved from: https://commons.wikimedia.org/wiki/File:Figure_1-_Cloud_Service_Provider_and_Consumer_Responsibilities_for_the_Three_Service_Models_(15204857820).jpg]
Scalability
Scalability is the ability to add or subtract blocks of cloud resources to meet current or projected workloads. Scalability is predictive and refers to static resources only. Scalability in the cloud can be up/down to increase the size of a server instance or out/in to add additional parallel cloud servers. For example, a website dedicated to selling Christmas ornaments knows that demand and site visits will significantly increase in November and December and significantly reduce in January. To meet this expected increase in demand, the website will scale up by purchasing additional blocks of resources during November and December and terminate the additional blocks in January.
Elasticity
Elasticity is the ability of a networking environment to dynamically allocate or terminate resources on a responsive, as-needed basis. Cloud computing offers high elasticity by providing the client with the ability to add or subtract instances, storage, and capacity very quickly based on client usage. For example, if a website goes viral with visits quadrupling in a matter of minutes, an elastic cloud environment can automatically provide additional resources to meet the sudden uptick in demand and terminate those resources when the demand falls.
Note: Do not confuse elasticity and scalability. Elasticity is for dynamic allocation, and scalability is for static allocation.
Multitenancy
Multitenancy refers to numerous clients or tenants (hundreds of thousands) accessing the same cloud at once. Each tenant must be isolated from the other tenants while still being given access to its own resources in the cloud environment, regardless of the cloud deployment model.
Networking Ports, Protocols, Services, and Traffic Types
Networks are complex systems composed of numerous ports, protocols, and services as well as different types of traffic. You should be able to identify and explain the differences in these logical network components.
Protocols and Ports
In a network environment, there are numerous ports and protocols that are standardized. You will be expected to identify common protocols, their functionality, and their associated port number assignments, as well as the encrypted alternatives for the protocol. This chart lists the most relevant protocols:

Internet Protocol (IP) Types
IP is how data is sent and received over the internet at the network layer (Layer 3) of the OSI model. IP itself provides the addressing data for a data packet, while the transport protocol used with IP dictates how the data is sent across the network. There are multiple IP and transport protocols that can send data on the internet.
Internet Control Message Protocol (ICMP)
ICMP is a management and messaging protocol used by IP to provide information about a network. ICMP messages are encapsulated in IP datagrams and are commonly used to send messages such as “destination unreachable” and “buffer full.” ICMP messages are also used for tracing the route of data and pinging other machines for connectivity information.
Transmission Control Protocol (TCP)
TCP is a transport layer protocol that ensures the transport and receipt of data over a pre-established connection. TCP uses a connection-oriented session to send data, which it divides into segments, each carrying a sequence number that indicates its position in the overall data stream. TCP sends a segment of data and waits for acknowledgment that the segment has been received. If a segment is lost, TCP resends that portion until all data has been received before the connection is terminated.
User Datagram Protocol (UDP)
UDP, also known as a thin protocol, does not require a verified connection between hosts prior to transmission and does not number packet segments prior to sending. UDP sends all transmissions without verifying receipt or order of receipt on the receiving end, which makes it an unreliable protocol. UDP is used when speed is needed over accuracy, such as with voice over IP (VoIP) calls or live video streams.
Generic Routing Encapsulation (GRE)
GRE is a protocol that creates a tunnel, most commonly using IP, for other protocols to run through. While it can be used for the encapsulation of any Layer 3 protocol, GRE is stateless (doesn’t store information) and does not offer security or flow control.
Internet Protocol Security (IPSec)
IPSec is similar in functionality to GRE but is a more secure method for tunneling via IP. However, there are Layer 3 protocols, such as IP broadcasts and IP multicasts, that IPSec does not support.
Authentication Header (AH)
IPSec uses two protocols to provide security. The AH protocol creates a hash upon sending the packet, which the recipient recreates to verify authentication. If the two hash values are the same, the packet is authenticated. AH is designed to authenticate the integrity of the entire packet; it does not protect the confidentiality of what is inside the packet. The ESP protocol (see below) provides that function.
Encapsulating Security Payload (ESP)
The ESP protocol provides confidentiality via symmetric encryption, data integrity via checksums, data origin authentication, anti-replay service by checking the sequence number field for duplication, and traffic flow confidentiality.
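An added example (not from this study guide, and not an IPsec implementation) of the two receiver-side checks described in the AH and ESP sections above: recomputing a keyed hash to authenticate the packet, and rejecting duplicate sequence numbers to defeat replay. It uses HMAC-SHA256 as the integrity check value, a constructed key in place of the IKE-negotiated SA, a sliding window as real ESP receivers do, and leaves out ESP's encryption.

```python
import hashlib
import hmac
from typing import Set

# Constructed demo key; in IPsec the keys come from the IKE-negotiated SA.
KEY = b"constructed-demo-key"

def integrity_value(seq: int, payload: bytes) -> bytes:
    """Sender side: keyed hash (HMAC-SHA256) over the sequence number and
    payload, standing in for the integrity check value (ICV) the recipient
    recomputes to authenticate the packet."""
    return hmac.new(KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()

class Receiver:
    """Verify the ICV first, then enforce an anti-replay window covering the
    `window` sequence numbers below the highest one accepted so far."""

    def __init__(self, window: int = 64):
        self.window = window
        self.highest = 0             # highest sequence number accepted
        self.seen: Set[int] = set()  # accepted numbers still inside the window

    def accept(self, seq: int, payload: bytes, icv: bytes) -> str:
        if not hmac.compare_digest(icv, integrity_value(seq, payload)):
            return "reject: bad ICV"        # tampered or forged packet
        if seq > self.highest:
            self.highest = seq              # window slides forward
        elif seq <= self.highest - self.window:
            return "reject: too old"        # fell out of the window
        elif seq in self.seen:
            return "reject: replay"         # duplicate sequence number
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s > self.highest - self.window}
        return "accept"

if __name__ == "__main__":
    rx = Receiver(window=4)
    data = b"constructed payload"
    for seq in (1, 2, 2, 10, 5, 8):
        print(seq, rx.accept(seq, data, integrity_value(seq, data)))
    # A valid ICV from one payload does not authenticate a different payload.
    print("tampered", rx.accept(11, b"altered", integrity_value(11, data)))
```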
Internet Key Exchange (IKE)
IKE is used between endpoints to negotiate a security association (SA), which defines IPSec protocols, authentication, and encryption for IPSec connections through a management protocol. IKE uses the Internet Security Association and Key Management Protocol (ISAKMP) for the two phases of connection. Phase one is when endpoint parameters are agreed upon, while phase two negotiates and creates the IPSec connection.
Traffic Types
A traffic type refers to the category of data being transmitted through a network, such as voice, video, or data. Traffic types can be directed through the network in different manners, including to a single endpoint, multiple endpoints, or all endpoints.
Unicast
A unicast address is used for one-to-one communication that sends packets to a single specified host. Each host on a network receives its own unique unicast address. Unicast is used in both IPv4 and IPv6.
Multicast
A multicast address is a one-to-many communication that sends packets to devices assigned to an IP multicast group address. This allows for multiple recipients to receive a particular packet without sending it to all network-connected devices. The IPv4 multicast address range is 224.0.0.0 to 239.255.255.255, which is in the Class D address range. The multicast IPv6 address range is ff00::/8.
Anycast
Anycast is a one-to-one-of-many or one-to-nearest communication that sends a packet to the IPv6 anycast address with the shortest routing distance. One anycast address can be assigned to multiple interfaces, but only the interface closest in routing distance will receive the packet. Anycast is only available with IPv6.
Broadcast
Broadcast is a one-to-all communication that sends a packet to all network-attached devices. The IPv4 broadcast address is always the last address in a subnet. For example, the broadcast address for the Class B address 172.16.0.1 with subnet mask 255.255.0.0 is 172.16.255.255. IPv6 does not use broadcast addressing; instead, it uses anycast addressing.
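An added example (not from this study guide) that applies the address ranges given in the traffic-type sections above: it computes the IPv4 directed broadcast address from an address and subnet mask (the 172.16.0.1 / 255.255.0.0 case in the text) and classifies a destination as multicast, broadcast, or unicast using the 224.0.0.0 to 239.255.255.255 and ff00::/8 ranges. Anycast cannot be told from unicast by the address alone, so the function reports it as unicast.

```python
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_interface, ip_network
from typing import Optional

# Ranges from the text: Class D IPv4 multicast and the IPv6 multicast prefix.
IPV4_MULTICAST = ip_network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255
IPV6_MULTICAST = ip_network("ff00::/8")
LIMITED_BROADCAST = IPv4Address("255.255.255.255")

def broadcast_address(address: str, netmask: str) -> str:
    """IPv4 directed broadcast: the last address in the subnet that contains
    `address`, e.g. 172.16.0.1 with 255.255.0.0 gives 172.16.255.255."""
    return str(ip_interface(f"{address}/{netmask}").network.broadcast_address)

def classify(address: str, netmask: Optional[str] = None) -> str:
    """Return 'multicast', 'broadcast' or 'unicast' for a destination address.
    The netmask is only needed to recognise an IPv4 directed broadcast."""
    addr = ip_address(address)
    if isinstance(addr, IPv6Address):
        # IPv6 has no broadcast address, so only the ff00::/8 check applies.
        return "multicast" if addr in IPV6_MULTICAST else "unicast"
    if addr in IPV4_MULTICAST:
        return "multicast"
    if addr == LIMITED_BROADCAST:
        return "broadcast"
    if netmask is not None and str(addr) == broadcast_address(address, netmask):
        return "broadcast"
    return "unicast"

if __name__ == "__main__":
    print(broadcast_address("172.16.0.1", "255.255.0.0"))
    # Constructed sample destinations
    for dst, mask in [("172.16.255.255", "255.255.0.0"), ("172.16.0.1", "255.255.0.0"),
                      ("239.255.255.250", None), ("ff02::1", None), ("2001:db8::1", None)]:
        print(dst, "->", classify(dst, mask))
```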