AWS Components

Question 1

What is Virtual Private Cloud (VPC)

Answer 1

logically segmented network within AWS that allows connected resources to communicate with each other

Question 2

How does the peer relationship work for VPC?

Answer 2

permits traffic only directly between the two peers and does not provide for any transit capabilities from one peer VPC through another to an external destination

Question 3

How does the network connectivity work between two VPCs after establishing the VPC peering relationship?

Answer 3

there is two-way network connectivity between the entire IP address block of both VPCs

Question 4

How does VPC Hub-and-Spoke Model work?

Answer 4

• subscriber VPCs (spokes) use VPC peering with the central VPC (hub) to provide direct communications between the instances in the subscriber VPCs and the instances in the central VPC
• the subscriber VPCs are unable to communicate with each other because this would require transit connectivity through the central VPC, which is not a capability supported by VPC peering

Question 5

What does AWS do if it sees packets with a source or destination IP address outside of the two peered VPCs

Answer 5

it drops the traffic

Question 6

What is the role of AWS Transit Gateway?

Answer 6

enables to control communications between VPCs and to connect to on-premises networks via a single gateway

Question 7

in contrast to VPC peering, which interconnects two VPCs only, what can act as a hub in a hub-and-spoke model for interconnecting VPCs?

Answer 7

Transit Gateway

Question 8

What is Elastic Network Interface (ENI)?

Answer 8

a logical networking component in a VPC that represents a virtual network card

Question 9

With which AWS component does the VM-Series integrate to simplify the setup of centralized inspection?

Answer 9

Transit Gateway

Question 10

When integrating firewall with a Transit Gateway, what is the name of the VPC that is created?

Answer 10

security VPC

Question 11

How is the traffic inspected in security VPC?

Answer 11

firewalls are deployed in security vpc and they connect to the Transit Gateway via VPC or VPN attachments and all traffic is routed to the VM-Series firewall for inspection

Question 12

What do security groups provide?

Answer 12

an Layer 4 stateful firewall for control of the source/destination IP addresses and ports that are permitted

Question 13

How are Security Groups applied?

Answer 13

to an instance’s network interface

Question 14

Are Security Groups stateful?

Answer 14

yes

Question 15

How many security groups can be associated to an interface?

Answer 15

up to 5

Question 16

What is the default behavior of a security groups?

Answer 16

the default setting contains no inbound rule, and the outbound rule permits all traffic

Question 17

Which actions can be configured in a Security Group?

Answer 17

allow action rules only—there is no explicit deny action

Question 18

What kind of traffic can a Security Group police?

Answer 18

any protocol that has a standard protocol number

Question 19

When deploying a VPC, there is a default ACL associated with it. How does it behave?

Answer 19

permits all traffic

Question 20

What kind of traffic policing does a Network ACL provide?

Answer 20

Layer 4 control of source/destination IP addresses and ports, inbound and outbound from subnets

Question 21

How are network ACLs applied?

Answer 21

at subnet level

Question 22

What kind of actions does a network ACL have?

Answer 22

allow and deny action rules

Question 23

Are Network ACLs stateful?

Answer 23

stateless - bidirectional traffic must be permitted in both directions

Question 24

What IP address does the Internet Gateway (IGW) map?

Answer 24

a mapping of an internal VPC IP address to a public IP address owned by AWS

Question 25

How can be an IP address assigned to Internet Gateway (IGW?)

Answer 25

• random and dynamic
  
  • AWS assigns the IP address to an instance at startup and returns it to the pool when you stop the instance
• random and assigned to an instance as part of a process
  
  • the IP address stays with the instance unless you intentionally assign it to another instance or delete it and return it to the pool

Question 26

What does a VPN Gateway (VGW) provide?

Answer 26

a VPN service to a VPC for the termination of IPSec tunnels

Question 27

What is an Amazon Elastic Compute Cloud (EC2)?

Answer 27

a VM that is deployed within a VPC

Question 28

What is Amazon Machine Image (AMI)?

Answer 28

VM images available in the Amazon Marketplace for deployment as a VPC instance