Amazon Virtual Private Cloud (VPC) Flashcards

1
Q

VPC

A

Virtual Private Cloud
logically isolated virtual network in the AWS cloud
a VPC is a virtual network dedicated to your AWS account
Analogous to having your own Data Center (DC) inside AWS
logically isolated from other virtual networks in the AWS Cloud
provides complete control over the virtual networking environment including selection of IP ranges, creation of subnets, and configuration of route tables and gateways

you can launch your AWS resources, such as Amazon EC2 instances, into your VPC
When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16
VPC spans all the availability zones in the region
you have full control over who has access to the AWS resources inside your VPC
by default you can create up to 5 VPCs per region
a default VPC is created in each region with a subnet in each AZ
a VPC is an isolated area in which you create resources (private to you and under your control)
traffic within the VPC is directed by the VPC router according to route tables
you can create multiple VPCs; each VPC has a different CIDR block

2
Q

Subnet

A

Subnets are created within AZs

segment of a VPC’s IP address range where you can place groups of isolated resources

3
Q

Internet Gateway or

Egress-only Internet Gateway

A

the Amazon VPC side of a connection to the public internet for IPv4/IPv6

4
Q

Router

A

routers interconnect subnets and direct traffic between internet gateways, virtual private gateways, NAT gateways, and subnets

5
Q

Peering Connection

A

direct connection between two VPCs; you can send data between the two directly
only between two VPCs, though; for connecting more, you can use AWS Transit Gateway

6
Q

VPC Endpoints

A

private connection to public AWS services

7
Q

NAT Instance

A

NAT = network address translation
enables internet access for EC2 instances in private subnets (managed by you)

managed by you (e.g. software updates)
you create the EC2 instance and make it a NAT instance
scale up (instance type) manually and use enhanced networking
no built-in high availability; scripted/auto-scaled HA is possible using multiple NAT instances in multiple subnets
need to assign Security Group
Can use as a bastion host
use an Elastic IP address or a public IP address with a NAT instance
can implement port forwarding through manual customization

8
Q

NAT Gateway

A

NAT = network address translation
enables internet access for EC2 instances in private subnets (managed by AWS)

best solution in most cases vs. NAT Instance
managed by AWS
Elastic scalability up to 45 Gbps
Provides automatic high availability within an AZ and can be placed in multiple AZs
Security Groups cannot be associated with a NAT gateway
cannot be accessed over SSH
Choose the Elastic IP address to associate with a NAT gateway at creation
Does not support port forwarding

9
Q

Virtual Private Gateway

A

the Amazon VPC side of a Virtual Private Network (VPN) connection

10
Q

Customer Gateway

A

customer side of a VPN connection

11
Q

AWS Direct Connect

A

High speed, high bandwidth, private network connection from customer to AWS

12
Q

Security Group

A

instance-level firewall

acts as a virtual firewall for your instance to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance
Security groups are stateful, meaning that if traffic is allowed in one direction, the return traffic is automatically allowed regardless of whether there is a matching rule for it.

operates at the instance (interface) level
supports allow rules only; can’t make deny rules
stateful (server is required to maintain the current state and session information)
evaluates all rules
applies to an instance only if associated with a group

13
Q

Network ACL

A

subnet-level firewall

an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Network ACLs operate at the subnet level, not at the availability zone level.

operates at the subnet level
supports allow and deny rules
stateless (server and client are loosely coupled and can act independently)
processes rules in order
automatically applies to all instances in the subnets it's associated with

14
Q

Internet Protocol (IP) Address:

Public IP Address

A

Internet Protocol (IP) Address
(3 total)
lost when the instance is stopped; used in public subnets; no charge; associated with private IP addresses on the instance; cannot be moved between instances

15
Q

Internet Protocol (IP) Address:

Private IP Address

A

Internet Protocol (IP) Address
(3 total)
retained when the instance is stopped; used in public and private subnets

16
Q

Internet Protocol (IP) Address:

Elastic IP Address

A

Internet Protocol (IP) Address
(3 total)
static public IP address; you are charged if not used; associated with a private IP address on the instance; can be moved between instances and Elastic Network Adaptors

17
Q

Connecting Securely to a VPC:

AWS Managed VPN

A

VPN = virtual private network
fast set up
a virtual private network connection over the public Internet

This creates an encrypted link between the on-premises network and your AWS VPC.
Another way to achieve this outcome is to provision an AWS Direct Connect connection, which links on-premises networks to AWS over private network links.

18
Q

Connecting Securely to a VPC:

AWS Direct Connect

A

high bandwidth, low latency, but takes weeks to months to set up
network service that provides an alternative to using the internet to connect a customer's on-premises sites to AWS
can be used to create a hybrid cloud (Exam Q)

data is transmitted through a private network connection between AWS and a customer’s datacenter or corporate network
charged by port hours and data transfer
available in 1 Gbps and 10 Gbps
Speeds of 50 Mbps, 100 Mbps, 300 Mbps, 400 Mbps, and 500 Mbps can be purchased through AWS Direct Connect Partners

Benefits:

  • reduce cost when using large volumes of traffic
  • increase reliability (predictable performance)
  • increase bandwidth (predictable bandwidth)
  • decrease latency
19
Q

Connecting Securely to a VPC:

VPN CloudHub

A

used for connecting multiple sites to AWS

You can connect from your on-premises data center to a VPC via Direct Connect or VPN CloudHub.

If you have multiple VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub

20
Q

Connecting Securely to a VPC:

Software VPN

A

use third-party VPN software

21
Q

AWS Transit Gateway

A

connects VPCs and on-premises networks through a central hub
simplifies the network and removes the need for complex peering relationships
acts as a cloud router
inter-region peering connects AWS Transit Gateways together using the AWS global network
data is automatically encrypted and never travels over the public internet