Amazon Virtual Private Cloud (VPC)

Question 1

VPC

Answer 1

Virtual Private Cloud
logically isolated virtual network in the AWS cloud
a VPC is a virtual network dedicated to your AWS account
Analogous to having your own Data Center (DC) inside AWS
logically isolated from other virtual networks in the AWS Cloud
provides complete control over the virtual networking environment including selection of IP ranges, creation of subnets, and configuration of route tables and gateways

you can launch your AWS resources, such as Amazon EC2 instances, into your VPC
When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/`6
VPC spans all the availability zones in the region
you have full control over who has access to the AWS resources inside your VPC
by default you can create up to 5 VPCs per region
a default VPC is created in each region with a subnet in each AZ
you can create a VPC, it’s an isolated area where you can create resources in (private to you and is controlled)
Coordinate with a router through a route table
You can create multiple VPC’s; each VPC has a different CIDR block

Question 2

Subnet

Answer 2

Subnets are created w/in AZ’s

segment of a VPC’s IP address range where you can place groups of isolated resources

Question 3

Internet Gateway or

Egress only Internet Gateway

Answer 3

the Amazon VPC side of a connection to the public internet for IPv4/IPv6

Question 4

Router

Answer 4

routers interconnect subnets and direct traffic between internet gateways, virtual private gateways, NAT gateways, and subnets

Question 5

Peering Connection

Answer 5

direct connection between two VPC’s; you can send data between the two directly
only between 2 VPC’s though; for connecting more, you can use AWS Transit Gateway

Question 6

VPC Endpoints

Answer 6

private connection to public AWS services

Question 7

NAT Instance

Answer 7

NAT = network address translation
enables internet access for EC2 instances in private subnets (managed by you)

managed by you (e.e. software updates)
you create the EC2 instance and make it a NAT instance
scale up (instance type) manually and use enhanced networking
no high availability - scripted/auto-scaled HA possible using multiple NATs in multiple subnets
need to assign Security Group
Can use as a bastion host
use an Elastic IP address or a public IP address with a NAT instance
can implement port forwarding through manual customization

Question 8

NAT Gateway

Answer 8

NAT = network address translation
enables internet access for EC2 instances in private subnets (managed by AWS)

best solution in most cases vs. NAT Instance
managed by AWS
Elastic scalability up to 45 Gbps
Provides automatic high availability within an AZ and can be placed in multiple AZs
no Security Groups
Cannot access through SSH
Choose the Elastic IP address to associate with a NAT gateway at creation
Does not support port forwarding

Question 9

Virtual Private Gateway

Answer 9

the Amazon VPC side of a Virtual Private Network (VPN) connection

Question 10

Customer Gateway

Answer 10

customer side of a VPN connection

Question 11

AWS Direct Connect

Answer 11

High speed, high bandwidth, private network connection from customer to AWS

Question 12

Security Group

Answer 12

instance-level firewall

acts as a virtual firewall for your instance to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance
Security groups are stateful meaning that if traffic is allowed in one direction, the return traffic is automatically allowed regardless of whether there is a matching rule for the traffic.

operates at the instance (interface) level
supports allow rules only; can’t make deny rules
stateful (server is required to maintain the current state and session information)
evaluates all rules
applies to an instance only if associated with a group

Question 13

Network ACL

Answer 13

subnet-level firewall

an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Network ACLs operate at the subnet level not at the availability zone level.

operates at the subnet level
supports allow and deny rules
slateless (server and client are loosely coupled and can act independently)
processes rules in order
automatically applies to all instances in the subnets its associated with

Question 14

Internet Protocol (IP) Address:
Public IP Address

Answer 14

Internet Protocol (IP) Address
(3 total) 
lost when the instance is stopped; used in public subnets; no charge; associated with private IP addresses on the instance; cannot be moved between instances

Question 15

Internet Protocol (IP) Address:
Private IP Address

Answer 15

Internet Protocol (IP) Address
(3 total)
retained when the instance is stopped; used in public and private subnets

Question 16

Internet Protocol (IP) Address:
Elastic IP Address

Answer 16

Internet Protocol (IP) Address
(3 total) 
static public IP address; you are charged if not used; associated with a private IP address on the instance; can be moved between instances and Elastic Network Adaptors

Question 17

Connecting Securely to a VPC:

AWS Managed VPN

Answer 17

VPN = virtual private network
fast set up
a virtual private network connection over the public Internet

This creates an encrypted link between the on-premises network and your AWS VPC.
Another way to achieve this outcome is to provision an AWS Direct Connection which connects on-premises networks to AWS using private network links.

Question 18

Connecting Securely to a VPC:

AWS Direct Connect

Answer 18

high bandwidth, low-latency but takes weeks to months to set up
network service that provides an alternative to using the internet to connect a customer’s on premise sites to AWS
can be used to create a hybrid cloud (Exam Q)

data is transmitted through a private network connection between AWS and a customer’s datacenter or corporate network
charged by port hours and data transfer
available in 1Gbps and 10 Gbps
Speeds of 50Mbps, 100Mbps, 300Mbps, 400Mbps, and 500Mbps can be purchased through AWS Direct Connect Partners

Benefits:

• reduce cost when using large volumes of traffic
• increase reliability (predictable performance)
• increase bandwidth (predictable bandwidth)
• decrease latency

Question 19

Connecting Securely to a VPC:

VPN CloudHub

Answer 19

used for connecting multiple sites to AWS

You can connect from your on-premise data center to a VPC via Direct Connect or VPN CloudHub.

If you have multiple VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub

Question 20

Connecting Securely to a VPC:

Software VPN

Answer 20

use 3rd party software

Question 21

AWS Transit Gateway

Answer 21

connects VPCs and on-premises networks through a central hub
simplifies networks and does not need complex peering relationship
acts as a cloud router
inter-region peering connects AWS Transit Gateways together using the AWS global network
data is automatically encrypted, and never travels over the public internet