AWS Components Flashcards
What is Virtual Private Cloud (VPC)
logically segmented network within AWS that allows connected resources to communicate with each other
How does the peer relationship work for VPC?
permits traffic only directly between the two peers and does not provide for any transit capabilities from one peer VPC through another to an external destination
How does the network connectivity work between two VPCs after establishing the VPC peering relationship?
there is two-way network connectivity between the entire IP address block of both VPCs
How does VPC Hub-and-Spoke Model work?
- subscriber VPCs (spokes) use VPC peering with the central VPC (hub) to provide direct communications between the instances in the subscriber VPCs and the instances in the central VPC
- the subscriber VPCs are unable to communicate with each other because this would require transit connectivity through the central VPC, which is not a capability supported by VPC peering
What does AWS do if it sees packets with a source or destination IP address outside of the two peered VPCs
it drops the traffic
What is the role of AWS Transit Gateway?
enables to control communications between VPCs and to connect to on-premises networks via a single gateway
in contrast to VPC peering, which interconnects two VPCs only, what can act as a hub in a hub-and-spoke model for interconnecting VPCs?
Transit Gateway
What is Elastic Network Interface (ENI)?
a logical networking component in a VPC that represents a virtual network card
With which AWS component does the VM-Series integrate to simplify the setup of centralized inspection?
Transit Gateway
When integrating firewall with a Transit Gateway, what is the name of the VPC that is created?
security VPC
How is the traffic inspected in security VPC?
firewalls are deployed in security vpc and they connect to the Transit Gateway via VPC or VPN attachments and all traffic is routed to the VM-Series firewall for inspection
What do security groups provide?
an Layer 4 stateful firewall for control of the source/destination IP addresses and ports that are permitted
How are Security Groups applied?
to an instance’s network interface
Are Security Groups stateful?
yes
How many security groups can be associated to an interface?
up to 5
What is the default behavior of a security groups?
the default setting contains no inbound rule, and the outbound rule permits all traffic
Which actions can be configured in a Security Group?
allow action rules only—there is no explicit deny action
What kind of traffic can a Security Group police?
any protocol that has a standard protocol number
When deploying a VPC, there is a default ACL associated with it. How does it behave?
permits all traffic
What kind of traffic policing does a Network ACL provide?
Layer 4 control of source/destination IP addresses and ports, inbound and outbound from subnets
How are network ACLs applied?
at subnet level
What kind of actions does a network ACL have?
allow and deny action rules
Are Network ACLs stateful?
stateless - bidirectional traffic must be permitted in both directions
What IP address does the Internet Gateway (IGW) map?
a mapping of an internal VPC IP address to a public IP address owned by AWS
How can be an IP address assigned to Internet Gateway (IGW?)
-
random and dynamic
- AWS assigns the IP address to an instance at startup and returns it to the pool when you stop the instance
-
random and assigned to an instance as part of a process
- the IP address stays with the instance unless you intentionally assign it to another instance or delete it and return it to the pool
What does a VPN Gateway (VGW) provide?
a VPN service to a VPC for the termination of IPSec tunnels
What is an Amazon Elastic Compute Cloud (EC2)?
a VM that is deployed within a VPC
What is Amazon Machine Image (AMI)?
VM images available in the Amazon Marketplace for deployment as a VPC instance
