Amazon Virtual Private Cloud Flashcards
What is the range of allowed IPv4 prefix lengths for a VPC CIDR block?
A. /16 to /28
B. /16 to /56
C. /8 to /30
D. /56 only
A. The allowed range of prefix lengths for a VPC IPv4 CIDR is /16 through /28 inclusive, and the same limits apply to subnet CIDRs. The longest possible IPv4 prefix is /32, so /56 is not a valid IPv4 length at all; /56 is the size of the IPv6 CIDR that AWS assigns to a VPC, which is why it appears as a distractor.
You’ve created a VPC with the CIDR 192.168.16.0/24. You want to assign a secondary CIDR to this VPC. Which CIDR can you use?
A. 172.31.0.0/16
B. 192.168.0.0/16
C. 192.168.0.0/24
D. 192.168.16.0/23
C. A secondary CIDR may come from the same RFC 1918 address range as the primary, but it may not overlap with the primary CIDR. 192.168.0.0/24 comes from the same address range (192.168.0.0–192.168.255.255) as the primary and does not overlap with 192.168.16.0/24; 192.168.0.0/16 and 192.168.16.0/23 both overlap with 192.168.16.0/24; and 172.31.0.0/16 is not in the same range as the primary CIDR.
You need to create two subnets in a VPC that has a CIDR of 10.0.0.0/16. Which of the following CIDRs can you assign to one of the subnets while leaving room for an additional subnet? (Choose all that apply.)
A. 10.0.0.0/24
B. 10.0.0.0/8
C. 10.0.0.0/16
D. 10.0.0.0/23
A, D. Options A and D (10.0.0.0/24 and 10.0.0.0/23) lie within the VPC CIDR and use only part of it, so a second subnet can be carved from the remaining space. 10.0.0.0/8 is wrong twice over: a subnet cannot be larger than its VPC, and prefix lengths shorter than /16 aren’t allowed. 10.0.0.0/16 consumes the entire VPC CIDR and leaves no room for another subnet.
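The three CIDR rules in the answers above, checked with Python’s standard `ipaddress` module. This is an added example, not part of the original flashcards or of any AWS tooling; the function names are assumptions, and the rules it encodes are exactly the ones the answers state (prefix length /16 to /28, a secondary CIDR from the same RFC 1918 range that does not overlap the primary, and a subnet that must fit inside the VPC and leave space for another).

```python
"""Check the VPC CIDR rules quoted in the flashcards with the standard library.

Added example (not AWS code). Rules encoded, as the answers state them:
  * VPC and subnet IPv4 CIDRs use a prefix length between /16 and /28.
  * A secondary VPC CIDR must come from the same RFC 1918 range as the
    primary and must not overlap it.
  * A subnet CIDR must lie inside the VPC CIDR; a second subnet fits only
    if the first one leaves address space unused.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_valid_vpc_cidr(cidr: str) -> bool:
    """True if cidr is an IPv4 network with prefix length /16 through /28."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.1/24
    except ValueError:
        return False
    return net.version == 4 and 16 <= net.prefixlen <= 28


def rfc1918_range(net: ipaddress.IPv4Network):
    """Return the RFC 1918 block containing net, or None if it is not in any of them."""
    for block in RFC1918:
        if net.subnet_of(block):
            return block
    return None


def can_be_secondary_cidr(primary: str, candidate: str) -> bool:
    """Apply the flashcard's two rules for a secondary VPC CIDR."""
    p, c = ipaddress.ip_network(primary), ipaddress.ip_network(candidate)
    if not is_valid_vpc_cidr(candidate):
        return False
    if p.overlaps(c):                            # 192.168.0.0/16 and 192.168.16.0/23 fail here
        return False
    return rfc1918_range(p) == rfc1918_range(c)  # 172.31.0.0/16 fails here


def space_left_after(vpc: str, subnet: str):
    """List the CIDR blocks still free in the VPC once subnet is carved out.

    An empty list means there is no room for another subnet. Raises ValueError
    if the subnet does not fit inside the VPC or breaks the prefix-length rule.
    """
    v, s = ipaddress.ip_network(vpc), ipaddress.ip_network(subnet)
    if not is_valid_vpc_cidr(subnet):
        raise ValueError(f"{subnet}: subnet prefix length must be /16 to /28")
    if not s.subnet_of(v):
        raise ValueError(f"{subnet} is not inside {vpc}")
    return sorted(v.address_exclude(s))


if __name__ == "__main__":
    print(is_valid_vpc_cidr("10.0.0.0/16"), is_valid_vpc_cidr("10.0.0.0/8"))
    for cand in ("172.31.0.0/16", "192.168.0.0/16", "192.168.0.0/24", "192.168.16.0/23"):
        print(cand, can_be_secondary_cidr("192.168.16.0/24", cand))
    for sub in ("10.0.0.0/24", "10.0.0.0/23", "10.0.0.0/16"):
        print(sub, [str(n) for n in space_left_after("10.0.0.0/16", sub)])
```

`space_left_after` is the useful one when planning: for 10.0.0.0/16 minus 10.0.0.0/24 it returns the eight free blocks from 10.0.1.0/24 up to 10.0.128.0/17, and for 10.0.0.0/16 minus itself it returns nothing, which is the point of the third question.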
What is the relationship between a subnet and an availability zone?
A. A subnet can exist in multiple availability zones.
B. An availability zone can have multiple subnets.
C. An availability zone can have only one subnet.
D. A subnet’s CIDR is derived from its availability zone.
B. Multiple subnets may exist in a single availability zone. A subnet cannot span availability zones.
Which is true regarding an elastic network interface?
A. It must have a private IP address from the subnet that it resides in.
B. It cannot exist independently of an instance.
C. It can be connected to multiple subnets.
D. It can have multiple IP addresses from different subnets.
A. Every ENI must have a primary private IP address. It can have secondary IP addresses, but all addresses must come from the subnet the ENI resides in. Once created, the ENI cannot be moved to a different subnet. An ENI can be created independently of an instance and later attached to an instance.
Which of the following statements is true of security groups?
A. Only one security group can be attached to an ENI.
B. A security group must always be attached to an ENI.
C. A security group can be attached to a subnet.
D. Every VPC contains a default security group.
D. Each VPC contains a default security group that can’t be deleted. You can create a security group by itself without attaching it to anything, but it has no effect until you attach it to an ENI (the reverse is not true: every ENI must have at least one security group). You can also attach multiple security groups to the same ENI. Security groups are never attached to subnets.
How does an NACL differ from a security group?
A. An NACL is stateless.
B. An NACL is stateful.
C. An NACL is attached to an ENI.
D. An NACL can be associated with only one subnet.
A. An NACL is stateless, meaning it doesn’t track connection state. Return traffic is not admitted automatically: an inbound rule that allows a connection needs a corresponding outbound rule that covers the reply, and vice versa. In practice that means allowing the ephemeral port range (for example 1024–65535) in the opposite direction, which is the step most often missed. NACL rules are also evaluated in ascending rule-number order with the first match winning, whereas security group rules are all allows and are evaluated together. An NACL is associated with a subnet, whereas a security group is attached to an ENI. An NACL can be associated with multiple subnets, but a subnet can have only one NACL.
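The stateless-versus-stateful distinction, modelled on the same two packets of an inbound SSH session. This is an added example, not part of the original flashcards or of any AWS code: the `Packet`, `Rule`, `NetworkAcl` and `SecurityGroup` classes, the addresses and the rule numbers are constructed for illustration. It shows the reply being dropped by a NACL that has no outbound ephemeral-port rule, the same reply passing a security group that tracks the connection, and rule numbering deciding whether a deny takes effect.

```python
"""Stateless NACL versus stateful security group, modelled on the same packets.

Added example, not AWS code: the packet, rule and filter classes, the
addresses and the rule numbers are all made up for illustration.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = toward the instance, "out" = leaving the instance
    proto: str      # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number; NACLs evaluate ascending, first match wins
    direction: str  # "in" or "out"
    proto: str      # "tcp", "udp" or "all"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int  # the port range is always the packet's destination port
    port_to: int
    action: str     # "allow" or "deny" (security groups only ever allow)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.proto not in ("all", pkt.proto):
        return False
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    if ipaddress.ip_address(remote) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_from <= pkt.dport <= rule.port_to


class NetworkAcl:
    """Stateless: every packet is judged alone, in rule-number order."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if matches(rule, pkt):
                return rule.action
        return "deny"  # the implicit '*' rule at the end of every NACL


class SecurityGroup:
    """Stateful: replies to a connection the rules admitted are allowed
    without a matching rule in the other direction."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.flows = set()

    def evaluate(self, pkt: Packet) -> str:
        # Key a flow as (proto, remote ip, remote port, local ip, local port) so
        # the reply packet maps to the same entry as the packet that opened it.
        key = ((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
               if pkt.direction == "in"
               else (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if key in self.flows or any(matches(r, pkt) for r in self.rules):
            self.flows.add(key)
            return "allow"
        return "deny"


# Constructed SSH session: the client's SYN and the instance's reply.
CLIENT, INSTANCE = "203.0.113.5", "10.0.1.10"
SYN = Packet("in", "tcp", CLIENT, INSTANCE, 50000, 22)
REPLY = Packet("out", "tcp", INSTANCE, CLIENT, 22, 50000)
ALLOW_SSH_IN = Rule(100, "in", "tcp", "0.0.0.0/0", 22, 22, "allow")
ALLOW_EPHEMERAL_OUT = Rule(100, "out", "tcp", "0.0.0.0/0", 1024, 65535, "allow")


def ssh_session(filter_) -> tuple:
    """Verdicts for the SYN and for the reply, in that order."""
    return filter_.evaluate(SYN), filter_.evaluate(REPLY)


def sg_allowing_ssh() -> SecurityGroup:
    return SecurityGroup([ALLOW_SSH_IN])


def nacl_without_ephemeral() -> NetworkAcl:
    return NetworkAcl([ALLOW_SSH_IN])


def nacl_with_ephemeral() -> NetworkAcl:
    return NetworkAcl([ALLOW_SSH_IN, ALLOW_EPHEMERAL_OUT])


def nacl_denying_client(deny_number: int) -> NetworkAcl:
    """Same NACL plus a deny for the client's /24; whether it bites depends on its number."""
    deny = Rule(deny_number, "in", "tcp", "203.0.113.0/24", 22, 22, "deny")
    return NetworkAcl([ALLOW_SSH_IN, ALLOW_EPHEMERAL_OUT, deny])


if __name__ == "__main__":
    print("security group     :", ssh_session(sg_allowing_ssh()))
    print("NACL, no ephemeral :", ssh_session(nacl_without_ephemeral()))
    print("NACL, ephemeral    :", ssh_session(nacl_with_ephemeral()))
    print("deny numbered 90   :", ssh_session(nacl_denying_client(90)))
    print("deny numbered 110  :", ssh_session(nacl_denying_client(110)))
```

The deny rule numbered 110 never fires because rule 100 already allowed the packet; the same deny numbered 90 blocks the session. That ordering, and the missing outbound ephemeral rule, are the two things to check first when a NACL "mysteriously" breaks a connection that the security group permits.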
What is an Internet gateway?
A. A resource that grants instances in multiple VPCs Internet access
B. An implied router
C. A physical router
D. A VPC resource with no management IP address
D. An Internet gateway has no management IP address. It can be attached to only one VPC at a time, so it cannot grant Internet access to instances in multiple VPCs. It is a logical VPC resource, not a virtual or physical router; what actually sends traffic its way is a route table entry with the gateway as its target.
What is the destination for a default IPv4 route?
A. 0.0.0.0/0
B. ::0/0
C. An Internet gateway
D. The IP address of the implied router
A. The destination 0.0.0.0/0 matches every IPv4 address, so it catches any packet not matched by a more specific route (such as the VPC’s local route) and hence covers all publicly reachable hosts on the Internet. ::0/0 is an IPv6 prefix, not an IPv4 prefix. An Internet gateway is the target of the default route, not the destination.
You create a new route table in a VPC but perform no other configuration on it. You then create a new subnet in the same VPC. Which route table will your new subnet be associated with?
A. The main route table
B. The route table you created
C. The default route table
D. None of these
A. Every subnet is associated with the main route table by default. You can explicitly associate a subnet with another route table. There is no such thing as a default route table, but you can create a default route within a route table.
You create a Linux instance and have AWS automatically assign a private IP address but not a public IP address. What will happen when you stop and restart the instance?
A. You won’t be able to establish an SSH session directly to the instance from the Internet.
B. The instance won’t be able to access the Internet.
C. The instance will receive the same private IP address.
D. The instance will be unable to reach other instances in its subnet.
A. An instance must have a public IP address to be directly reachable from the Internet. The instance may still be able to reach the Internet via a NAT device. The instance will be able to reach other instances in the subnet because a public IP is not required for that. Option C describes behaviour that holds whether or not a public IP is assigned, so it is not a consequence of the configuration in the question: the primary private IP address stays with the ENI when the instance is stopped and started and is released only when the instance is terminated. It is an automatically assigned public IP address, not the private one, that changes across a stop and start.
How can you assign a public IP address to a running instance that doesn’t have one?
A. Allocate an ENI and associate it with the instance’s primary EIP.
B. Allocate an EIP and associate it with the instance’s primary ENI.
C. Configure the instance to use an automatically assigned public IP.
D. Allocate an EIP and change the private IP address of the instance’s ENI to match.
B. Assigning an EIP to an instance is a two‐step process: first you allocate an EIP, and then you associate it with an ENI (or with one of the ENI’s private IP addresses). ENIs are created, not allocated, and there’s no such thing as an instance’s primary EIP. Automatic public IP assignment can be enabled only when the instance is launched. Changing an ENI’s private IP to match an EIP doesn’t give the instance a public address: the ENI’s address is still private, and the Internet gateway only translates between a private address and the public address that AWS has mapped to it.
When an instance with an automatically assigned public IP sends a packet to another instance’s EIP, what source address does the destination instance see?
A. The public IP
B. The EIP
C. The private IP
D. 0.0.0.0
A. Internet‐bound traffic from an instance with an automatically assigned public IP traverses an Internet gateway, which performs one-to-one NAT and replaces the private source address with the instance’s public IP. That is the source address the destination instance sees. An instance cannot have an automatically assigned public IP and an EIP at the same time; associating an EIP with the ENI releases the automatically assigned address. Option D, 0.0.0.0, is not a valid source address.
Why must a NAT device reside in a different subnet than an instance that uses it?
A. Both must use different default gateways.
B. Both must use different NACLs.
C. Both must use different security groups.
D. The NAT device requires a public interface and a private interface.
A. Routing is decided per subnet by the subnet’s route table, and a route table can hold only one default route. The NAT device’s default route must point to an Internet gateway, while the instance’s default route must point to the NAT device, so the two need different route tables and therefore different subnets. No differing NACL configurations between subnets are required to use a NAT device. Security groups are applied at the ENI level, not per subnet. A NAT device doesn’t require multiple interfaces; a single ENI in the public subnet is enough.
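A small model of VPC routing that ties together the default-route, main-route-table and NAT questions above. This is an added example, not part of the original flashcards or of any AWS code: the `RouteTable` and `Vpc` classes and the resource names (`igw-public`, `nat-private`, `rtb-public`, and so on) are made up. It implements longest-prefix match over a table that always carries the VPC’s local route, associates every new subnet with the main table until told otherwise, and shows the public subnet’s 0.0.0.0/0 going to the Internet gateway while the private subnet’s goes to the NAT device.

```python
"""Route-table lookup for a VPC: longest-prefix match, main-table default
association, and the public/private subnet split a NAT device needs.

Added example, not AWS code: the classes and the resource IDs
(igw-public, nat-private, rtb-public, ...) are made up for illustration.
"""
import ipaddress


class RouteTable:
    def __init__(self, name: str, vpc_cidr: str):
        self.name = name
        # Every route table carries the local route for the VPC CIDR; it cannot be removed.
        self.routes = {ipaddress.ip_network(vpc_cidr): "local"}

    def add_route(self, destination: str, target: str) -> None:
        # One target per destination prefix: a table can hold only one default route.
        self.routes[ipaddress.ip_network(destination)] = target

    def lookup(self, dst_ip: str):
        """Target of the most specific route covering dst_ip, or None if none does."""
        ip = ipaddress.ip_address(dst_ip)
        covering = [net for net in self.routes if ip in net]
        if not covering:
            return None
        return self.routes[max(covering, key=lambda net: net.prefixlen)]


class Vpc:
    def __init__(self, cidr: str):
        self.cidr = ipaddress.ip_network(cidr)
        self.tables = {"main": RouteTable("main", cidr)}
        self.associations = {}  # subnet CIDR -> route table name

    def create_route_table(self, name: str) -> RouteTable:
        self.tables[name] = RouteTable(name, str(self.cidr))
        return self.tables[name]

    def create_subnet(self, cidr: str) -> None:
        if not ipaddress.ip_network(cidr).subnet_of(self.cidr):
            raise ValueError(f"{cidr} is not inside {self.cidr}")
        self.associations[cidr] = "main"  # implicit association until changed

    def associate(self, subnet_cidr: str, table_name: str) -> None:
        self.associations[subnet_cidr] = table_name  # a subnet has exactly one table

    def route_table_for(self, subnet_cidr: str) -> RouteTable:
        return self.tables[self.associations[subnet_cidr]]

    def next_hop(self, subnet_cidr: str, dst_ip: str):
        return self.route_table_for(subnet_cidr).lookup(dst_ip)


def build_vpc() -> Vpc:
    """10.0.0.0/16 with a public subnet (default route to the IGW) and a
    private subnet left on the main table, whose default route is the NAT."""
    vpc = Vpc("10.0.0.0/16")
    vpc.create_route_table("rtb-unused")          # created, never associated
    public = vpc.create_route_table("rtb-public")
    public.add_route("0.0.0.0/0", "igw-public")
    vpc.create_subnet("10.0.1.0/24")              # the NAT device lives here
    vpc.create_subnet("10.0.2.0/24")              # instances using the NAT live here
    vpc.associate("10.0.1.0/24", "rtb-public")
    vpc.tables["main"].add_route("0.0.0.0/0", "nat-private")
    return vpc


def table_for_new_subnet() -> str:
    """A fresh route table is created but never associated; a new subnet still lands on main."""
    vpc = Vpc("10.0.0.0/16")
    vpc.create_route_table("rtb-extra")
    vpc.create_subnet("10.0.3.0/24")
    return vpc.route_table_for("10.0.3.0/24").name


if __name__ == "__main__":
    vpc = build_vpc()
    print("new subnet lands on:", table_for_new_subnet())
    for subnet in ("10.0.1.0/24", "10.0.2.0/24"):
        for dst in ("10.0.1.10", "198.51.100.7"):
            print(subnet, "->", dst, ":", vpc.next_hop(subnet, dst))
```

Traffic from either subnet to 10.0.1.10 hits the /16 local route rather than 0.0.0.0/0 because the longer prefix wins; only traffic that no more specific route covers falls through to the default route, and which device it reaches depends solely on which route table the source subnet is associated with. That per-subnet association is why the NAT device and the instances behind it cannot share a subnet.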
Which of the following is a difference between a NAT instance and NAT gateway?
A. There are different NAT gateway types.
B. A NAT instance scales automatically.
C. A NAT gateway can span multiple availability zones.
D. A NAT gateway scales automatically.
D. A NAT gateway is a managed VPC resource that scales automatically to accommodate increased bandwidth requirements; a NAT instance is a regular EC2 instance and can’t do this, so you would have to resize or replace it yourself. A NAT gateway exists in only one availability zone, so a design that must survive a zone failure needs one NAT gateway per zone. A NAT instance comes in whatever EC2 instance type you choose, whereas NAT gateways are not sized by type. (AWS has since added a private connectivity type for NAT gateways, used for reaching other VPCs or on-premises networks rather than the Internet; the answer here describes the original public NAT gateway.)