aws networking

Question 1

what is an availability zone meant to represent?

Answer 1

a data center in a region, basically. could be one building (it’s not, really)

Question 2

what partitions does a VPC encompass?

Answer 2

one region with a number of availability zones

Question 3

what do subnets encompass?

Answer 3

one availability zone with a number of instances

Question 4

what is the ip range of a VPC

Answer 4

the internal IP addresses available to instances

Question 5

what IPs do instances receive?

Answer 5

both internal IP for internal routing, and public IP

Question 6

how does internet access happen into instances in VPC?

Answer 6

through an internet gateway

Question 7

what do security groups help with?

Answer 7

controlling what traffic can go to instances, and what traffic can go from instances.
they control traffic between instances.
they can be applied to many instances, across subnets.
they can control access to instances by ID, or by other security groups
they only have allow rules, implicit deny rule at end of rule set

Question 8

what do network access control lists (NACLs) work with?

Answer 8

they control what traffic goes to subnets

Question 9

what is a route table for?

Answer 9

specific routing of network traffic on subnets within the vpc, I think for just outgoing requests. also, assignment of public IPs here?

Question 10

how is a subnet made private?

Answer 10

it blocks outgoing traffic, and does not have public IPs

Question 11

why would a subnet want to talk to the internet?

Answer 11

by redirecting outgoing traffic via the route table to a network address translation (NAT) gateway. the NAT gateway translates private IP to public

Question 12

what is the purpose of a CIDR block?

Answer 12

classless interdomain routing (CIDR) is notation for IP address ranges. it defines the IP addresses for the subnet. CIDR binary calculator

Question 13

what does 192.168.0.1/X do?

Answer 13

X is the number of IP addresses that are fixed

Question 14

what does 192.168.0.1/16 map to?

Answer 14

the whole range of 192.168.x.x

Question 15

if I have a private subnet, why does it have routes to 0.0.0.0 in the route table? (mine go to an elastic network interface)

Answer 15

I dunno, subnet: https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#SubnetDetails:subnetId=subnet-e25377ed

Question 16

what do 0’s in IP addresses mean? e.g. 172.31.0.0, or 0.0.0.0. also, is 0.0.0.0 special?

Answer 16

dunno

Question 17

what is the network ID and host ID of 192.168.0.1?

Answer 17

network ID: 192.168.0, host ID 1

Question 18

what subnet mask/network mask/netmask is 24 equivalent to?

Answer 18

255.255.255.0

Question 19

what are the addresses you can use for hosts?

Answer 19

1 to 254. you can’t assign 0 to a host, and 255 is the broadcast address.
I think the host depends on the size of the subnet mask though, because /16 in CIDR means you can have 65,534 hosts

Question 20

why can you have 126 networks in a class A network?

Answer 20

dunno

Question 21

can you characterize IPv4 address classes?

Answer 21

subnet masks go 255.0.0.0 for A, 255.255.0.0 for B, 255.255.255.0 for C
Class A: total of 126 networks, 16,777,214 usable addresses (hosts?)
Class B: total of 16,382 networks, 65,534 usable addresses (hosts?)
Class C: 2,097,150 networks, 254 usable addresses

Question 22

what address ranges are reserved for private use according to IETF RFC-1918?

Answer 22

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.32.255.255
192.168.0.0 to 192.168.0.255

Question 23

what do the subnet masks for address classes usually look like?

Answer 23

they usually correspond to the number of networks available in that class, e.g. 24 for class C (192.168.0.0 to 192.168.0.255)

Question 24

what does classless interdomain routing use?

Answer 24

variable length subnets masks. it is used to deviate from the standard classes of addresses, I guess

Question 25

what is the router of a VPC tasked with? how is it related to a route table?

Answer 25

router coordinates traffic going outside of subnets. route table abstracts what the router is doing.

Question 26

how does a VPC know what IP addresses it contains?

Answer 26

each VPC is given one CIDR block of addresses

Question 27

what is a subnet?

Answer 27

a segment of a VPC’s IP address range, deployed in one availability zone, where you can place groups of isolated resources

Question 28

what is an Internet Gateway/Egress-only Internet Gateway

Answer 28

the amazon VPC side of a connection to the public internet for IPv4/IPv6

Question 29

what is a VPC router?

Answer 29

Routers interconnect subnets and direct traffic between Internet gateways, virtual private gareways, NAT gateways, and subnets

Question 30

what is a Peering Connection?

Answer 30

Direct connection between two VPCs

Question 31

what are VPC endpoints?

Answer 31

private connection to public AWS services

Question 32

what is a NAT gateway?

Answer 32

enables internet access for EC2 instances in private subnets, managed by AWS. one subnet per NAT gateway.

Question 33

what is a Virtual Private Gateway?

Answer 33

the amazon VPC side of a VPN connection

Question 34

what is a Customer Gateway?

Answer 34

customer side of a VPN connection

Question 35

What is AWS Direct Connect?

Answer 35

High speed, high bandwidth, private network connection from customer to aws

Question 36

what is a security group?

Answer 36

instance-level firewall

Question 37

what is a Network ACL?

Answer 37

subnet-level firewall

Question 38

what is VPC an abstraction for?

Answer 38

you own data center

Question 39

what are the rules for AWS VPC CIDR blocks?

Answer 39

• Size: /16 to /28
• CIDR block can’t overlap with any existing CIDR block associated with the VPC
• you can’t change the size of an existing CIDR block
• the first four and last IP addresses are not available
• recommended to choose from RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
• (note that with VPC peering, CIDR blocks can’t overlap)

Question 40

how can multiple VPCs for multiple clients have the same exact CIDR blocks?

Answer 40

assuming they can, I think it’s because these are private IPs, not exposed to internet, so we’re not really taking them away

Question 41

seven tips for creating a VPC’s CIDR block

Answer 41

• ensure you have enough networks and hosts
• bigger CIDR blocks are better for flexibility
• smaller subnets are ok most of the time
• consider deploying application tiers per subnet
• split your high-availability resources across subnets in different AZs
• VPC peering requires non-overlapping CIDR blocks, across all VPCs in all regions/accounts you want to connect
• avoid overlapping CIDR blocks as much as possible

Question 42

what are the differences between public/private subnets?

Answer 42

as far as I know:
private subnets have:
- private route table entry (looks like one route table can handle multiple subnets)
- no auto-assigned public IPs
public subnets have:
- public route tables (with internet gateways)
- auto-assigned public IPs

Question 43

characterize route tables

Answer 43

• associated with up to several subnets, but a subnet can only be associated with one route table
• there is always one main route table for a vpc, and all subnets in the VPC that don’t have explicit associations will be associated with it

Question 44

if you have a route table that defines the following, what will the behavior be?
- destination 10.0.0.0/16 (internal CIDR); target local
- destination 0.0.0.0/0; target internet gateway 1234

Answer 44

traffic in the internal CIDR will be sent to local, all other traffic will be sent to the internet gateway

Question 45

if you have a route table that defines the following, what will the behavior be?
- destination 10.0.0.0/16 (internal CIDR); target local
- destination 0.0.0.0/0; target NAT gateway 1234

Answer 45

traffic in the internal CIDR will be sent to local, all other traffic will be sent to the NAT gateway
- remember, NAT gateways allow internet access to private instances

Question 46

how does a security group differ from a NACL?

Answer 46

security group applies at the instance level, NACL applies at the subnet level

Question 47

between NACLs and security groups, which are stateless and which are stateful?

Answer 47

NACL is stateless, security is stateful

Question 48

what do stateful and stateless firewalls mean?

Answer 48

stateful: allows traffic to return automatically
stateless: checks for an allow rule for both connections

Question 49

how is the traffic returned to the client here? https://www.youtube.com/watch?v=g2JOHLHh4rI&t=2715s

Answer 49

dunno

Question 50

what are some differences between NACLs and security groups?

Answer 50

• NACLs have an explicit allow list
• rules are processed in order (not sure if this is different from security groups, actually), meaning the first rule to match a given request wins