AWS Networking Flashcards
what is an availability zone meant to represent?
a data center in a region, basically. could be one building (it’s not, really)
what partitions does a VPC encompass?
one region with a number of availability zones
what do subnets encompass?
one availability zone with a number of instances
what is the IP range of a VPC?
the internal IP addresses available to instances
what IPs do instances receive?
both internal IP for internal routing, and public IP
how does internet access happen into instances in VPC?
through an internet gateway
what do security groups help with?
controlling what traffic can go to instances, and what traffic can go from instances.
they control traffic between instances.
they can be applied to many instances, across subnets.
they can control access to instances by ID, or by other security groups
they only have allow rules, implicit deny rule at end of rule set
what do network access control lists (NACLs) work with?
they control what traffic goes to subnets
what is a route table for?
specific routing of network traffic on subnets within the VPC, I think for just outgoing requests. also, assignment of public IPs here?
how is a subnet made private?
it blocks outgoing traffic, and does not have public IPs
how would a private subnet talk to the internet?
by redirecting outgoing traffic via the route table to a network address translation (NAT) gateway. the NAT gateway translates private IP to public
what is the purpose of a CIDR block?
classless interdomain routing (CIDR) is notation for IP address ranges. it defines the IP addresses for the subnet. CIDR binary calculator
what does 192.168.0.1/X do?
X is the number of IP addresses that are fixed
what does 192.168.0.1/16 map to?
the whole range of 192.168.x.x
if I have a private subnet, why does it have routes to 0.0.0.0 in the route table? (mine go to an elastic network interface)
I dunno, subnet: https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#SubnetDetails:subnetId=subnet-e25377ed
what do 0’s in IP addresses mean? e.g. 172.31.0.0, or 0.0.0.0. also, is 0.0.0.0 special?
dunno
what is the network ID and host ID of 192.168.0.1?
network ID: 192.168.0, host ID 1
what subnet mask/network mask/netmask is 24 equivalent to?
255.255.255.0
what are the addresses you can use for hosts?
1 to 254. you can’t assign 0 to a host, and 255 is the broadcast address.
I think the host depends on the size of the subnet mask though, because /16 in CIDR means you can have 65,534 hosts
why can you have 126 networks in a class A network?
dunno
can you characterize IPv4 address classes?
subnet masks go 255.0.0.0 for A, 255.255.0.0 for B, 255.255.255.0 for C
Class A: total of 126 networks, 16,777,214 usable addresses (hosts?)
Class B: total of 16,382 networks, 65,534 usable addresses (hosts?)
Class C: 2,097,150 networks, 254 usable addresses
what address ranges are reserved for private use according to IETF RFC-1918?
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.32.255.255
192.168.0.0 to 192.168.0.255
what do the subnet masks for address classes usually look like?
they usually correspond to the number of networks available in that class, e.g. 24 for class C (192.168.0.0 to 192.168.0.255)
what does classless interdomain routing use?
variable length subnet masks. it is used to deviate from the standard classes of addresses, I guess
what is the router of a VPC tasked with? how is it related to a route table?
router coordinates traffic going outside of subnets. route table abstracts what the router is doing.
how does a VPC know what IP addresses it contains?
each VPC is given one CIDR block of addresses
what is a subnet?
a segment of a VPC’s IP address range, deployed in one availability zone, where you can place groups of isolated resources
what is an Internet Gateway/Egress-only Internet Gateway?
the amazon VPC side of a connection to the public internet for IPv4/IPv6
what is a VPC router?
Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets
what is a Peering Connection?
Direct connection between two VPCs
what are VPC endpoints?
private connection to public AWS services
what is a NAT gateway?
enables internet access for EC2 instances in private subnets, managed by AWS. one subnet per NAT gateway.
what is a Virtual Private Gateway?
the amazon VPC side of a VPN connection
what is a Customer Gateway?
customer side of a VPN connection
What is AWS Direct Connect?
High speed, high bandwidth, private network connection from customer to AWS
what is a security group?
instance-level firewall
what is a Network ACL?
subnet-level firewall
what is VPC an abstraction for?
your own data center
what are the rules for AWS VPC CIDR blocks?
- Size: /16 to /28
- CIDR block can’t overlap with any existing CIDR block associated with the VPC
- you can’t change the size of an existing CIDR block
- the first four and last IP addresses are not available
- recommended to choose from RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
- (note that with VPC peering, CIDR blocks can’t overlap)
how can multiple VPCs for multiple clients have the same exact CIDR blocks?
assuming they can, I think it’s because these are private IPs, not exposed to internet, so we’re not really taking them away
seven tips for creating a VPC’s CIDR block
- ensure you have enough networks and hosts
- bigger CIDR blocks are better for flexibility
- smaller subnets are ok most of the time
- consider deploying application tiers per subnet
- split your high-availability resources across subnets in different AZs
- VPC peering requires non-overlapping CIDR blocks, across all VPCs in all regions/accounts you want to connect
- avoid overlapping CIDR blocks as much as possible
what are the differences between public/private subnets?
as far as I know:
private subnets have:
- private route table entry (looks like one route table can handle multiple subnets)
- no auto-assigned public IPs
public subnets have:
- public route tables (with internet gateways)
- auto-assigned public IPs
characterize route tables
- associated with up to several subnets, but a subnet can only be associated with one route table
- there is always one main route table for a VPC, and all subnets in the VPC that don’t have explicit associations will be associated with it
if you have a route table that defines the following, what will the behavior be?
- destination 10.0.0.0/16 (internal CIDR); target local
- destination 0.0.0.0/0; target internet gateway 1234
traffic in the internal CIDR will be sent to local, all other traffic will be sent to the internet gateway
if you have a route table that defines the following, what will the behavior be?
- destination 10.0.0.0/16 (internal CIDR); target local
- destination 0.0.0.0/0; target NAT gateway 1234
traffic in the internal CIDR will be sent to local, all other traffic will be sent to the NAT gateway
- remember, NAT gateways allow internet access to private instances
how does a security group differ from a NACL?
security group applies at the instance level, NACL applies at the subnet level
between NACLs and security groups, which are stateless and which are stateful?
NACL is stateless, security group is stateful
what do stateful and stateless firewalls mean?
stateful: allows traffic to return automatically
stateless: checks for an allow rule in both directions
how is the traffic returned to the client here? https://www.youtube.com/watch?v=g2JOHLHh4rI&t=2715s
dunno
what are some differences between NACLs and security groups?
- NACLs have an explicit allow list
- rules are processed in order (not sure if this is different from security groups, actually), meaning the first rule to match a given request wins