Amazon Virtual Private Cloud Flashcards

1
Q

What is the range of allowed IPv4 prefix lengths for a VPC CIDR block?
A. /16 to /28
B. /16 to /56
C. /8 to /30
D. /56 only

A

A. The allowed range of prefix lengths for a VPC IPv4 CIDR is /16 to /28 inclusive. The longest possible prefix for an IPv4 address is /32, so /56 is not a valid IPv4 prefix length.

2
Q

You’ve created a VPC with the CIDR 192.168.16.0/24. You want to assign a secondary CIDR to this VPC. Which CIDR can you use?
A. 172.31.0.0/16
B. 192.168.0.0/16
C. 192.168.0.0/24
D. 192.168.16.0/23

A

C. A secondary CIDR may come from the same RFC 1918 address range as the primary, but it may not overlap with the primary CIDR. 192.168.0.0/24 comes from the same address range (192.168.0.0–192.168.255.255) as the primary and does not overlap with 192.168.16.0/24; 192.168.0.0/16 and 192.168.16.0/23 both overlap with 192.168.16.0/24; and 172.31.0.0/16 is not in the same range as the primary CIDR.

3
Q

You need to create two subnets in a VPC that has a CIDR of 10.0.0.0/16. Which of the following CIDRs can you assign to one of the subnets while leaving room for an additional subnet? (Choose all that apply.)
A. 10.0.0.0/24
B. 10.0.0.0/8
C. 10.0.0.0/16
D. 10.0.0.0/23

A

A, D. Options A and D (10.0.0.0/24 and 10.0.0.0/23) are within the VPC CIDR and leave room for a second subnet; 10.0.0.0/8 is wrong because prefix lengths shorter than /16 aren’t allowed (and it is larger than the VPC CIDR itself); and 10.0.0.0/16 consumes the entire VPC CIDR, so it doesn’t leave room for another subnet.

4
Q

What is the relationship between a subnet and an availability zone?
A. A subnet can exist in multiple availability zones.
B. An availability zone can have multiple subnets.
C. An availability zone can have only one subnet.
D. A subnet’s CIDR is derived from its availability zone.

A

B. Multiple subnets may exist in a single availability zone. A subnet cannot span availability zones.

5
Q

Which is true regarding an elastic network interface?
A. It must have a private IP address from the subnet that it resides in.
B. It cannot exist independently of an instance.
C. It can be connected to multiple subnets.
D. It can have multiple IP addresses from different subnets.

A

A. Every ENI must have a primary private IP address. It can have secondary IP addresses, but all addresses must come from the subnet the ENI resides in. Once created, the ENI cannot be moved to a different subnet. An ENI can be created independently of an instance and later attached to an instance.

6
Q

Which of the following statements is true of security groups?
A. Only one security group can be attached to an ENI.
B. A security group must always be attached to an ENI.
C. A security group can be attached to a subnet.
D. Every VPC contains a default security group.

A

D. Each VPC contains a default security group that can’t be deleted. You can create a security group by itself without attaching it to anything, but to use it you must attach it to an ENI. You can also attach multiple security groups to the same ENI.

7
Q

How does an NACL differ from a security group?
A. An NACL is stateless.
B. An NACL is stateful.
C. An NACL is attached to an ENI.
D. An NACL can be associated with only one subnet.

A

A. An NACL is stateless, meaning it doesn’t track connection state. Every inbound rule must have a corresponding outbound rule to permit traffic, and vice versa. An NACL is attached to a subnet, whereas a security group is attached to an ENI. An NACL can be associated with multiple subnets, but a subnet can have only one NACL.

8
Q

What is an Internet gateway?
A. A resource that grants Internet access to instances in multiple VPCs
B. An implied router
C. A physical router
D. A VPC resource with no management IP address

A

D. An Internet gateway has no management IP address. It can be associated with only one VPC at a time and so cannot grant Internet access to instances in multiple VPCs. It is a logical VPC resource and not a virtual or physical router.

9
Q

What is the destination for a default IPv4 route?
A. 0.0.0.0/0
B. ::0/0
C. An Internet gateway
D. The IP address of the implied router

A

A. The destination 0.0.0.0/0 matches all IP prefixes and hence covers all publicly accessible hosts on the Internet. ::0/0 is an IPv6 prefix, not an IPv4 prefix. An Internet gateway is the target of the default route, not the destination.

10
Q

You create a new route table in a VPC but perform no other configuration on it. You then create a new subnet in the same VPC. Which route table will your new subnet be associated with?
A. The main route table
B. The route table you created
C. The default route table
D. None of these

A

A. Every subnet is associated with the main route table by default. You can explicitly associate a subnet with another route table. There is no such thing as a default route table, but you can create a default route within a route table.

11
Q

You create a Linux instance and have AWS automatically assign a private IP address but not a public IP address. What will happen when you stop and restart the instance?
A. You won’t be able to establish an SSH session directly to the instance from the Internet.
B. The instance won’t be able to access the Internet.
C. The instance will receive the same private IP address.
D. The instance will be unable to reach other instances in its subnet.

A

A. An instance must have a public IP address to be directly reachable from the Internet. The instance may be able to reach the Internet via a NAT device. The instance won’t necessarily receive the same private IP address because it was automatically assigned. The instance will be able to reach other instances in the subnet because a public IP is not required.

12
Q

How can you assign a public IP address to a running instance that doesn’t have one?
A. Allocate an ENI and associate it with the instance’s primary EIP.
B. Allocate an EIP and associate it with the instance’s primary ENI.
C. Configure the instance to use an automatically assigned public IP.
D. Allocate an EIP and change the private IP address of the instance’s ENI to match.

A

B. Assigning an EIP to an instance is a two‐step process. First you must allocate an EIP, and then you must associate it with an ENI. You can’t allocate an ENI, and there’s no such thing as an instance’s primary EIP. Configuring the instance to use an automatically assigned public IP must occur at instance creation. Changing an ENI’s private IP to match an EIP doesn’t actually assign a public IP to the instance, because the ENI’s private address is still private.

13
Q

When an instance with an automatically assigned public IP sends a packet to another instance’s EIP, what source address does the destination instance see?
A. The public IP
B. The EIP
C. The private IP
D. 0.0.0.0

A

A. Internet‐bound traffic from an instance with an automatically assigned public IP will traverse an Internet gateway that will perform NAT. The source address will be the instance’s public IP. An instance with an automatically assigned public IP cannot also have an EIP. The NAT process will replace the private IP source address with the public IP. Option D, 0.0.0.0, is not a valid source address.

14
Q

Why must a NAT device reside in a different subnet than an instance that uses it?
A. Both must use different default gateways.
B. Both must use different NACLs.
C. Both must use different security groups.
D. The NAT device requires a public interface and a private interface.

A

A. The NAT device’s default route must point to an Internet gateway, and the instance’s default route must point to the NAT device. No differing NACL configurations between subnets are required to use a NAT device. Security groups are applied at the ENI level. A NAT device doesn’t require multiple interfaces.

15
Q

Which of the following is a difference between a NAT instance and a NAT gateway?
A. There are different NAT gateway types.
B. A NAT instance scales automatically.
C. A NAT gateway can span multiple availability zones.
D. A NAT gateway scales automatically.

A

D. A NAT gateway is a VPC resource that scales automatically to accommodate increased bandwidth requirements. A NAT instance can’t do this. A NAT gateway exists in only one availability zone. There are not multiple NAT gateway types. A NAT instance is a regular EC2 instance that comes in different types.

16
Q

Which VPC resource performs network address translation?
A. Internet gateway
B. Route table
C. EIP
D. ENI

A

A. An Internet gateway performs NAT for instances that have a public IP address. A route table defines how traffic from instances is forwarded. An EIP is a public IP address and can’t perform NAT. An ENI is a network interface and doesn’t perform NAT.

17
Q

What must you do to configure a NAT instance after creating it?
A. Disable the source/destination check on its ENI.
B. Enable the source/destination check on its ENI.
C. Create a default route in its route table with a NAT gateway as the target.
D. Assign a primary private IP address to the instance.

A

A. The source/destination check on the NAT instance’s ENI must be disabled to allow the instance to receive traffic not destined for its IP and to send traffic using a source address that it doesn’t own. The NAT instance’s default route must point to an Internet gateway as the target. You can’t assign a primary private IP address after the instance is created.

18
Q

Which of the following is true regarding VPC peering?
A. Transitive routing is not supported.
B. A VPC peering connection requires a public IP address.
C. You can peer up to three VPCs using a single peering connection.
D. You can use a peering connection to share an Internet gateway among multiple VPCs.

A

A. You cannot route through a VPC using transitive routing. Instead, you must directly peer the VPCs containing the instances that need to communicate. A VPC peering connection uses the AWS internal network and requires no public IP address. Because a peering connection is a point‐to‐point connection, it can connect only two VPCs. A peering connection can be used only for instance‐to‐instance communication. You can’t use it to share other VPC resources.

19
Q

You’ve created one VPC peering connection between two VPCs. What must you do to use this connection for bidirectional instance‐to‐instance communication? (Choose all that apply.)
A. Create two routes with the peering connection as the target.
B. Create only one default route with the peering connection as the target.
C. Create another peering connection between the VPCs.
D. Configure the instances’ security groups correctly.

A

A, D. Each peered VPC needs a route to the CIDR of its peer; therefore, you must create two routes with the peering connection as the target. Creating only one route is not sufficient to enable bidirectional communication. Additionally, the instances’ security groups must allow for bidirectional communication. You can’t create more than one peering connection between a pair of VPCs.

20
Q

Which of the following is not a limitation of interregion VPC peering?
A. It’s not supported in some regions.
B. The maximum MTU is 1,500 bytes.
C. You can’t use IPv4.
D. You can’t use IPv6.

A

C. Interregion VPC peering connections aren’t available in all regions and support a maximum MTU of 1,500 bytes. You can use IPv4 across an inter‐region peering connection but not IPv6.

21
Q

Which of the following connection types is always encrypted?
A. Direct Connect
B. VPN
C. VPC peering
D. Transit gateway

A

B. VPN connections are always encrypted.

22
Q

Which of the following allows EC2 instances in different regions to communicate using private IP addresses? (Choose three.)
A. VPN
B. Direct Connect
C. VPC peering
D. Transit gateway

A

A, C, D. VPC peering, transit gateways, and VPNs all allow EC2 instances in different regions to communicate using private IP addresses. Direct Connect is for connecting VPCs to on‐premises networks, not for connecting VPCs together.

23
Q

Which of the following is true of a route in a transit gateway route table?
A. It can be multicast.
B. It can be a blackhole route.
C. It can have an Internet gateway as a target.
D. It can have an ENI as a target.

A

B. A transit gateway route table can hold a blackhole route. If the transit gateway receives traffic that matches the route, it will drop the traffic.

24
Q

Which of the following is an example of a tightly coupled HPC workload?
A. Image processing
B. Audio processing
C. DNA sequencing
D. Hurricane track forecasting
E. Video processing

A