AWS Networking Services Flashcards

1
Q

What is Amazon Virtual Private Cloud (VPC)?

A

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account.

It is logically isolated from other virtual networks in the AWS Cloud.

2
Q

VPC Diagram

A

Subnets reside in Availability Zones
Multiple AZs reside in a VPC
One VPC in a region

Router at the AZ level
Internet Gateway at the VPC level

Route tables are used to configure the VPC router

3
Q

What must you specify when you create a VPC?

A

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16.

This is the primary CIDR block for your VPC.

4
Q

What does VPC allow control of?

A

Provides complete control over the virtual networking environment including selection of IP ranges, creation of subnets, and configuration of route tables and gateways.

You can create your own IP address ranges, and create subnets, route tables and network gateways.

You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

You have full control over who has access to the AWS resources inside your VPC.

5
Q

What AZs does a VPC span across in a region?

A

A VPC spans all the Availability Zones in the region.

6
Q

Is a default VPC created upon AWS account creation?

A

When you first create your AWS account, a default VPC is created for you in each AWS region.

7
Q

Where are default VPCs created in a region?

A

A default VPC is created in each region with a subnet in each AZ.

8
Q

How many VPCs can be created in a region?

A

By default, you can create up to 5 VPCs per region.

9
Q

Is it possible to specify instances to launch on dedicated hardware in a VPC?

A

You can define dedicated tenancy for a VPC to ensure instances are launched on dedicated hardware (overrides the configuration specified at launch).

10
Q

Does the default VPC have all public subnets?

A

The default VPC has all-public subnets.

11
Q

What are public subnets in VPCs?

A

Public subnets are subnets that have:

  • “Auto-assign public IPv4 address” set to “Yes”.
  • The subnet route table has an attached Internet Gateway.
12
Q

What IP addresses does an instance in a VPC have?

A

Instances in the default VPC always have both a public and private IP address.

13
Q

How are AZ names mapped in a VPC?

A

AZ names are mapped to different zones for different users (i.e. the AZ “ap-southeast-2a” may map to a different physical zone for a different user).

14
Q

What are the components of a VPC?

A

  • A Virtual Private Cloud
  • Subnet
  • Internet Gateway
  • NAT Gateway
  • Hardware VPN Connection
  • Virtual Private Gateway
  • Customer Gateway
  • Router
  • Peering Connection
  • VPC Endpoints
  • Egress-only Internet Gateway
15
Q

VPC Component: Virtual Private Cloud

A

A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from ranges you select.

16
Q

VPC Component: Subnet

A

Subnet: A segment of a VPC’s IP address range where you can place groups of isolated resources (maps to an AZ, 1:1).

17
Q

VPC Component: Internet Gateway

A

Internet Gateway: The Amazon VPC side of a connection to the public Internet.

18
Q

VPC Component: NAT Gateway

A

NAT Gateway: A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.

19
Q

VPC Component: Hardware VPN Connection

A

Hardware VPN Connection: A hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.

20
Q

VPC Component: Virtual Private Gateway

A

Virtual Private Gateway: The Amazon VPC side of a VPN connection.

21
Q

VPC Component: Customer Gateway

A

Customer Gateway: Your side of a VPN connection.

23
Q

VPC Component: Router

A

Router: Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.

24
Q

VPC Component: Peering Connection

A

Peering Connection: A peering connection enables you to route traffic via private IP addresses between two peered VPCs.

25
Q

VPC Component: VPC Endpoints

A

VPC Endpoints: Enables private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.

26
Q

VPC Component: Egress-only Internet Gateway

A

Egress-only Internet Gateway: A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.

27
Q

What are the options for securely connecting via VPN?

A

AWS managed VPN – fast to set up.

Direct Connect – high bandwidth, low latency, but takes weeks to months to set up.

VPN CloudHub – used for connecting multiple sites to AWS.

Software VPN – uses third-party software.

28
Q

What is an ENI in VPC?

A

An Elastic Network Interface (ENI) is a logical networking component that represents a NIC.

ENIs can be attached to and detached from EC2 instances, and the configuration of the ENI will be maintained.

29
Q

What are Flow Logs in VPC?

A

Flow Logs capture information about the IP traffic going to and from network interfaces in a VPC.

Flow log data is stored using Amazon CloudWatch Logs.

30
Q

Where can Flow Logs be created?

A

Flow logs can be created at the following levels:

  • VPC.
  • Subnet.
  • Network interface.
31
Q

How can peering connections be created?

A

Peering connections can be created with VPCs in different regions (available in most regions now).

32
Q

What is the process of adding a subnet to a VPC?

A

After creating a VPC, you can add one or more subnets in each Availability Zone.

When you create a subnet, you specify the CIDR block for the subnet, which is a subset of the VPC CIDR block.

33
Q

What geographical restrictions do subnets have in VPCs?

A

Each subnet must reside entirely within one Availability Zone and cannot span zones.

34
Q

What different types of subnets are there in VPC?

A
  • public subnet
  • private subnet
  • VPN only subnet
35
Q

What is a public subnet in VPC?

A

If a subnet’s traffic is routed to an internet gateway, the subnet is known as a public subnet.

36
Q

What is a private subnet in VPC?

A

If a subnet doesn’t have a route to the internet gateway, the subnet is known as a private subnet.

37
Q

What is a VPN only subnet in VPC?

A

If a subnet doesn’t have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a VPN connection, the subnet is known as a VPN-only subnet.

38
Q

What is an Internet Gateway in VPC?

A

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.

39
Q

What level does Network Access Control List (ACL) operate in?

A

Network Access Control Lists (ACLs) provide a firewall/security layer at the subnet level.

40
Q

What level does Security Group operate in?

A

Security Groups provide a firewall/security layer at the instance level.

41
Q

Network ACL details

A

Operates at the subnet level

Supports allow and deny rules

Stateless

Processes rules in order

Automatically applies to all instances in the subnets it's associated with

42
Q

Security Group Details

A

Operates at the instance (interface) level

Supports allow rules only

Stateful

Evaluates all rules

Applies to an instance only if associated with a group

43
Q

What four configurations can a VPC Wizard create?

A
  • VPC with a Single Public Subnet
  • VPC with Public and Private Subnets
  • VPC with Public and Private Subnets and Hardware VPN Access
  • VPC with a Private Subnet Only and Hardware VPN Access
44
Q

What is VPC with a Single Public Subnet?

A

Your instances run in a private, isolated section of the AWS cloud with direct access to the Internet.

Network access control lists and security groups can be used to provide strict control over inbound and outbound network traffic to your instances.

Creates a /16 network with a /24 subnet. Public subnet instances use Elastic IPs or Public IPs to access the Internet.

45
Q

What is VPC with Public and Private Subnets?

A

In addition to containing a public subnet, this configuration adds a private subnet whose instances are not addressable from the Internet.

Instances in the private subnet can establish outbound connections to the Internet via the public subnet using Network Address Translation (NAT).

Creates a /16 network with two /24 subnets.
Public subnet instances use Elastic IPs to access the Internet.

Private subnet instances access the Internet via Network Address Translation (NAT).

46
Q

What is VPC with Public and Private Subnets and Hardware VPN Access?

A

This configuration adds an IPsec Virtual Private Network (VPN) connection between your Amazon VPC and your data center – effectively extending your data center to the cloud while also providing direct access to the Internet for public subnet instances in your Amazon VPC.

Creates a /16 network with two /24 subnets.

One subnet is directly connected to the Internet while the other subnet is connected to your corporate network via an IPsec VPN tunnel.

47
Q

What is VPC with a Private Subnet Only and Hardware VPN Access?

A

Your instances run in a private, isolated section of the AWS cloud with a private subnet whose instances are not addressable from the Internet.

You can connect this private subnet to your corporate data center via an IPsec Virtual Private Network (VPN) tunnel.

Creates a /16 network with a /24 subnet and provisions an IPsec VPN tunnel between your Amazon VPC and your corporate network.

48
Q

Who is responsible for managing NAT instances?

A

NAT instances are managed by you.

49
Q

What are NAT instances used for?

A

Used to enable private subnet instances to access the Internet.

50
Q

What must you do when creating NAT instances?

A

When creating NAT instances always disable the source/destination check on the instance.

51
Q

What subnet must NAT instances be in?

A

NAT instances must be in a single public subnet.

52
Q

What security settings must NAT instances have?

A

NAT instances need to be assigned to security groups.

53
Q

Who is responsible for NAT Gateways?

A

NAT gateways are managed for you by AWS.

54
Q

Where are NAT gateways highly available?

A

NAT gateways are highly available in each AZ into which they are deployed.

55
Q

Who prefers NAT Gateways over NAT Instances?

A

NAT Gateways are preferred by enterprises.

56
Q

How much can NAT Gateways scale up to?

A

NAT Gateways can scale automatically up to 45 Gbps.

57
Q

What security settings must NAT Gateways have?

A

NAT Gateways are not associated with any security groups.

No need to patch.

58
Q

NAT Instance Details

A

Managed by you (e.g. software updates)

Scale up (instance type) manually and use enhanced networking

No high availability – scripted/auto-scaled HA possible using multiple NATs in multiple subnets

Need to assign Security Group

Can use as a bastion host

59
Q

NAT Gateway Details

A

Managed by AWS

Elastic scalability up to 45 Gbps

Provides automatic high availability within an AZ and can be placed in multiple AZs

No Security Groups

Cannot access through SSH

60
Q

What is AWS Direct Connect (DX)?

A

AWS Direct Connect is a network service that provides an alternative to using the Internet to connect a customer’s on-premises sites to AWS.

61
Q

How does AWS Direct Connect work?

A

Data is transmitted through a private network connection between AWS and a customer’s data center or corporate network.

62
Q

What are the benefits of Direct Connect?

A

Reduce cost when using large volumes of traffic.

Increase reliability (predictable performance).

Increase bandwidth (predictable bandwidth).

Decrease latency.

63
Q

What can each AWS DX connection be configured with?

A

Each AWS Direct Connect connection can be configured with one or more virtual interfaces (VIFs).

64
Q

What do Public VIFs allow in AWS DX?

A

Public VIFs allow access to public services such as S3, EC2, and DynamoDB.

65
Q

What do Private VIFs allow in AWS DX?

A

Private VIFs allow access to your VPC.

66
Q

What AZs can you connect to with AWS DX?

A

From Direct Connect you can connect to all AZs within the Region.

67
Q

What connections can you establish over public VIFs in AWS DX?

A

You can establish IPsec connections over public VIFs to remote regions.

68
Q

What metrics are used to charge for using AWS DX?

A

Direct Connect is charged by port hours and data transfer.

69
Q

What speeds is AWS DX available in?

A

Available in 1 Gbps and 10 Gbps.

Speeds of 50 Mbps, 100 Mbps, 200 Mbps, 300 Mbps, 400 Mbps, and 500 Mbps can be purchased through AWS Direct Connect Partners.

70
Q

What connections are needed between ports in AWS DX?

A

Each connection consists of a single dedicated connection between ports on the customer router and an Amazon router.

71
Q

What is required to allow HA for AWS DX?

A

For HA you must have 2 DX connections – they can be active/active or active/standby.

72
Q

What must be done to route tables to allow AWS DX?

A

Route tables need to be updated to point to a Direct Connect connection.

73
Q

What is AWS Global Accelerator?

A

AWS Global Accelerator is a service that improves the availability and performance of applications with local or global users.

74
Q

What does AWS Global Accelerator provide?

A

It provides static IP addresses that act as a fixed entry point to application endpoints in a single or multiple AWS Regions, such as Application Load Balancers, Network Load Balancers or EC2 instances.

75
Q

What is the use of AWS Global Accelerator?

A

Uses the AWS global network to optimize the path from users to applications, improving the performance of TCP and UDP traffic.

AWS Global Accelerator continually monitors the health of application endpoints and will detect an unhealthy endpoint and redirect traffic to healthy endpoints in less than 1 minute.

76
Q

What does AWS Global Accelerator use?

A

Uses redundant (two) static anycast IP addresses in different network zones (A and B).

The redundant pair is globally advertised.

Uses AWS Edge Locations – addresses are announced from multiple edge locations at the same time.

77
Q

Where are the addresses associated in AWS Global Accelerator?

A

Addresses are associated to regional AWS resources or endpoints.

78
Q

What do IP addresses serve as in AWS Global Accelerator?

A

AWS Global Accelerator’s IP addresses serve as the frontend interface of applications.

79
Q

What is Intelligent Traffic Distribution in AWS Global Accelerator?

A

Intelligent traffic distribution: Routes connections to the closest point of presence for applications.

80
Q

What are the targets in AWS Global Accelerator?

A

Targets can be Amazon EC2 instances or Elastic Load Balancers (ALB and NLB).

81
Q

What does using static IP addresses help with when using AWS Global Accelerator?

A

By using the static IP addresses, you don’t need to make any client-facing changes or update DNS records as you modify or replace endpoints.

The addresses are assigned to your accelerator for as long as it exists, even if you disable the accelerator and it no longer accepts or routes traffic.

82
Q

What is AWS Outposts?

A

AWS Outposts is a fully managed service that offers the same AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience.

83
Q

What is AWS Outposts ideal for?

A

AWS Outposts is ideal for workloads that require low latency access to on-premises systems, local data processing, data residency, and migration of applications with local system interdependencies.

84
Q

What services are available on AWS Outposts?

A

AWS compute, storage, database, and other services run locally on Outposts.

You can access the full range of AWS services available in the Region to build, manage, and scale your on-premises applications using familiar AWS services and tools.

85
Q

What racks are available for AWS Outposts?

A

Outposts is available as a 42U rack that can scale from 1 rack to 96 racks to create pools of compute and storage capacity.

86
Q

What are some examples of services that can run on AWS Outposts?

A

Services you can run on AWS Outposts include:

  • Amazon EC2
  • Amazon EBS
  • Amazon S3
  • Amazon VPC
  • Amazon ECS/EKS
  • Amazon RDS
  • Amazon EMR