6-VPCs

Question 1

What are the basic components of VPCs?

Answer 1

• The CIDR address range
• Subnets
• Route tables
• Network gateways
• NACLs

Question 2

How does the CIDR address range work?

Answer 2

It covers the private IP addresses of resources in the VPC

The smaller the number after the slash, the bigger the range

Question 3

How do subnets work?

Answer 3

They exist in a single AZ. It is common to have public and private subnets

Question 4

How do route tables work?

Answer 4

Thye control traffic between subnets and to the gateways

Question 5

How do network gateways work?

Answer 5

There are two types - there can be up to one IGW (internet gateway) which connects straight to the internet

Virtual Private Gateways create hardware VPN connections

Question 6

What is the default VPC like?

Answer 6

All subnets have a route to the internet and each instance has a public and private IP address

Question 7

How do NACLs work?

Answer 7

They act as firewalls for subnets

Question 8

How does VPC peering work?

Answer 8

Allows resources to use private IPs for resources in another VPC

Peering can be across accounts but not across regions

Transitive peering and peering with overlapping CIDR blocks is not supported

Question 9

How can EC2 instances in a private subnet access the internt?

Answer 9

with NAT in which traffic is routed through a resource in a public subnet, whose public IP is used

There are two options - NAT instances are NAT gateways

Question 10

What are NAT instances?

Answer 10

Generic EC2 instances that are placed in a public subnet.

The disable “source/destination check” option must be enabled

For high-availability, redundancy and fail-over needs to be configured

Question 11

What are NAT Gateways?

Answer 11

A managed service that are highly-available and automatically scale up to 10 GB/s

They do not use security groups

Question 12

How do VPC endpoints work?

Answer 12

The allow instances in private subnets to access AWS services i.e. S3

They must be configured in route tables

Question 13

How is security in VPCs managed?

Answer 13

With NACLs and flow logs

Question 14

How do NACLs work?

Answer 14

They define rules for inbound and outbound traffic separately - they are stateless

They consist of numbered rules that are evaluated in order, starting with the smallest number

NACLs can be shared across subnets but each subnet can only have one NACL

Question 15

How do Flow Logs work?

Answer 15

They record IP traffic at the VPC, subnet or network interface level

You can’t reconfigure them once created or enable flow-logs for VPC peering connections that span accounts

Question 16

What traffic is not included in flow logs?

Answer 16

Traffic to the Amazon DNS server. if a custom DNS is used then it is logged

Windows license activation

The EC2 metadata service

DHCP traffic

Traffic to the reserved IP of the default VPC router