13. VPC

Question 1

What is a VPC in AWS?

Answer 1

A Virtual Private Cloud (VPC) is a private network for deploying resources in AWS, providing isolation and security.

Question 2

What is the main purpose of a subnet in a VPC?

Answer 2

Subnets partition the network within a VPC, and each subnet is associated with a specific Availability Zone.

Question 3

True or False: A private subnet can access the internet directly by default.

Answer 3

False

Question 4

What is the role of an Internet Gateway in a VPC?

Answer 4

It enables internet access for instances in public subnets.

Question 5

Define Elastic IP in the context of AWS.

Answer 5

An Elastic IP is a fixed public IPv4 address that can be attached to an EC2 instance and retained across reboots.

Question 6

Why would you use a NAT Gateway?

Answer 6

To allow instances in a private subnet to access the internet without exposing them to incoming internet traffic.

Question 7

Which IP protocol version is private only in AWS, IPv4 or IPv6?

Answer 7

IPv4

Question 8

Fill in the blank: A _______ is a firewall for controlling traffic at the instance level in AWS.

Answer 8

Security Group

Question 9

How does a Network ACL differ from a Security Group?

Answer 9

Network ACLs control traffic at the subnet level and allow both ALLOW and DENY rules, while Security Groups control traffic at the instance level and allow only ALLOW rules.

Question 10

What is the main function of VPC Flow Logs?

Answer 10

To capture information about IP traffic entering and exiting network interfaces, helping monitor and troubleshoot connectivity.

Question 11

True or False: VPC Peering connections are transitive.

Answer 11

False

Question 12

What is required for a VPC Peering connection between two VPCs?

Answer 12

They must have non-overlapping CIDR (IP address) ranges.

Question 13

Explain the purpose of VPC Endpoints.

Answer 13

They enable private connectivity to AWS services within a VPC, bypassing the public internet.

Question 14

What is AWS PrivateLink used for?

Answer 14

To securely expose services to multiple VPCs without VPC peering or internet connectivity.

Question 15

True or False: Direct Connect provides a secure, private connection between on-premises and AWS.

Answer 15

True

Question 16

How does Site-to-Site VPN differ from Direct Connect?

Answer 16

Site-to-Site VPN uses an encrypted internet connection, while Direct Connect uses a private network connection.

Question 17

Fill in the blank: A _______ allows computers to connect securely to a private network over the internet using OpenVPN.

Answer 17

Client VPN

Question 18

What is the role of a Transit Gateway?

Answer 18

It enables hub-and-spoke network topologies, connecting thousands of VPCs and on-premises networks together.

Question 19

True or False: AWS charges for public IPv4 addresses, including Elastic IPs, when they are not in use.

Answer 19

True

Question 20

What AWS service logs network traffic and can send data to S3 or CloudWatch?

Answer 20

VPC Flow Logs

Question 21

Compare: Public Subnet vs Private Subnet

Answer 21

Public subnets have a route to an internet gateway and can access the internet directly, while private subnets do not have this route and remain isolated.

Question 22

What must be established for a Site-to-Site VPN to function?

Answer 22

A Customer Gateway on-premises and a Virtual Private Gateway in AWS.

Question 23

What AWS feature would you use for private access to S3 or DynamoDB?

Answer 23

VPC Endpoint Gateway

Question 24

Fill in the blank: _______ connects two VPCs to behave as if they are in the same network.

Answer 24

VPC Peering

Question 25

What does a Customer Gateway represent?

Answer 25

A physical or software appliance in an on-premises data center that connects to a Virtual Private Gateway for Site-to-Site VPN.

Question 26

Explain a use case for NAT Instances.

Answer 26

NAT Instances can be used to provide internet access to private subnets if NAT Gateways are not feasible.

Question 27

True or False: Every IPv6 address in AWS is private.

Answer 27

False

Question 28

How does a VPC Endpoint Interface differ from a VPC Endpoint Gateway?

Answer 28

The Endpoint Interface connects to most AWS services, while the Endpoint Gateway connects specifically to S3 and DynamoDB.

Question 29

Which AWS service enables cross-account access without internet exposure?

Answer 29

AWS PrivateLink

Question 30

What is the primary benefit of using Transit Gateway in complex architectures?

Answer 30

It simplifies network connectivity by acting as a single hub for thousands of VPC and on-premises connections.

Question 31

Fill in the blank: ________ is required in a VPC to control inbound and outbound rules at the subnet level.

Answer 31

Network ACL

Question 32

What are the two primary types of IP addresses in AWS?

Answer 32

Public IP addresses (for internet) and Private IP addresses (for internal networks).

Question 33

True or False: Security Groups can have DENY rules.

Answer 33

False

Question 34

Why would you use an Elastic IP with an EC2 instance?

Answer 34

To provide a static public IP that does not change across instance restarts.

Question 35

What service enables encrypted connections between on-premises infrastructure and AWS over the internet?

Answer 35

Site-to-Site VPN

Question 36

Fill in the blank: ______ allows secure VPN connection from individual computers to AWS VPCs.

Answer 36

AWS Client VPN

Question 37

What is a common CIDR block for VPCs in AWS?

Answer 37

10.0.0.0/16

Question 38

Describe how a default VPC differs from a custom VPC.

Answer 38

A default VPC is pre-configured by AWS with public subnets, while a custom VPC requires manual setup of subnets and configurations.

Question 39

What does an ENI represent in the context of VPC networking?

Answer 39

An Elastic Network Interface is a virtual network card for connecting EC2 instances within a VPC.

Question 40

True or False: A private subnet cannot access AWS services without a VPC Endpoint.

Answer 40

True

Question 41

Which AWS service is known as the ‘network firewall’ at the instance level?

Answer 41

Security Group