A Cantrill - VPC Basics

Question 1

t or f : VPCs by default allow nothing in or out without explicit configuration

Answer 1

True. VPCs by default allow nothing in or out without explicit configuration

Question 2

What hardware device would an IGW be ?

Answer 2

Router.

Question 3

What is a Stateless firewall?

Answer 3

A firewall that treats each request as a new connection. It doesnt keep track of state, so each inbound and outbound connection need inbound/outbound defined rules to allow traffic.

Question 4

What is a Stateful firewall?

Answer 4

A firewall that is “smart” enough to identify the Request and Response of a connection as being RELATED. Does NOT treat them like separate connections (like a Stateless firewall) so only requires an inbound rule.

Allowing the REQUEST (inbound or outbound), means the RESPONSE (in or out) is automatically allowed.

Reduces overhead, doesnt need to allow a full ephemeral port range (49152 to 65535)

Question 5

true or false: For rules in a NACL, Connections within a subnet that is associated with the NACL are impacted.

ex., two ec2s in the same subnet talking back and forth

Answer 5

False. Connections within a subnet are NOT impacted by NACLs

Question 6

What type of firewall is a NACL?

Answer 6

A NACL is a STATELESS, network firewall.

Both the request and response parts of EVERY communication need individual rules
(1 x INBOUND rule & 1 x OUTBOUND rule)

Question 7

What is the default NACL access behavior?

Answer 7

Default NACL allows all access. Has no effect whatsoever

Question 8

What is the custom (created by user) NACL access behavior ?

Answer 8

Custom NACLs deny all inbound and outbound by default.

Question 9

What type of a firewall is a Security Group?

Answer 9

Stateful firewall at the subnet level, attached to ENIs. Has NO EXPLICIT DENY.

Allow rules ONLY

Question 10

How do SGs and NACLs work together?

Answer 10

Use NACLs for EXPLICIT DENY
Use SGs for EXPLICIT allow

Question 11

What are Security Groups attached to? EC2s or ENIs?

Answer 11

SGs are attached to the ENI of the EC2. SG is NOT directly attached to the EC2 instance

Question 12

What is best practice for a WEB instance in a PUBLIC SG to interact with an APP instance in a PRIVATE SG?

Answer 12

Create an Inbound rule on the APP SG and set the source as the WEB SG.

Dont have to worry about IPs or CIDR ranges here. Scales really well, reduces admin overhead.

Question 13

What is the difference between SGs and NACLS?

Answer 13

Use the SG to EXPLICITLY ALLOW
Use the NACL to EXPLICITLY DENY

Question 14

Difference between NAT gateway and IGW?

Answer 14

NAT GW does IP masquerading - Hiding CIDR blocks behind ONE IP. Many private IPs –> ONE public IP

IGW does a 1-to-1 Private IP to Public IP translation

Question 15

What type of subnet does an NAT GW need to run from?

Answer 15

NAT GWs need to run from a public subnet.

Question 16

What type of IP does a NAT GW use?

Answer 16

NAT GWs use Elastic IPs (Static IPv4 Public)

Question 17

At what level is a NAT gateway resilient?

Answer 17

Resilient at the AZ level

Maximum level of resilience for NAT GW = 1 NAT GW per AZ

Question 18

How is traffic flow supported in a NAT GW? NACL or SG?

Answer 18

NAT GWs support only NACLs, NOT a SG.

Question 19

What type of IP addressing does NOT work with a NAT GW?

Answer 19

NAT Gateways do NOT work with IPv6.

Question 20

What happens if the Default VPC is deleted (doesn’t exist) ?

Answer 20

Some services can behave oddly

Question 21

What happens if you accidentally delete the default VPC?

Answer 21

Default VPCs can be recreated.

Question 22

What is the Minimum and Maximum Size of a VPC Subnet?

Answer 22

Minimum: /28
Maximum: /16

Question 23

How can an Internet Gateway (IGW) be configured to be highly available?

Answer 23

IGW is HA by default - Attached to a VPC

Question 24

What AWS service and its features allow for traffic inspection and traffic filtering?

Answer 24

AWS VPC –> Network Firewall (Stateful) –> can incorporate context from traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol.

IPS, web filtering for known bad URLs

Question 25

What is the best option for when you want IPV6 traffic outbound to internet but no inbound?

Answer 25

Egress-Only IGW allows outbound communication over IPv6 from instances in your VPC to the internet and prevents it from initiating an IPv6 connection with your instances.