AWS VPC

Question 1

What is AWS VPC?

Answer 1

AWS VPC (Virtual Private Cloud) is a logically isolated virtual network that resembles a traditional data center network.

Question 2

Are VPCs region-specific, and can they connect across regions?

Answer 2

Yes, VPCs are region-specific but can be connected across regions using VPC Peering.

Question 3

How many VPCs can you create per region by default?

Answer 3

By default, you can create up to 5 VPCs per region.

Question 4

How many subnets are allowed per VPC?

Answer 4

Up to 200 subnets per VPC.

Question 5

How many CIDR blocks can a VPC have per IPv4/6?

Answer 5

Up to 5 CIDR blocks per VPC per IPv4/6.

Question 6

What is the default IPv4 CIDR block for a default VPC?

Answer 6

172.31.0.0/16

Question 7

What is included in the default VPC configuration?

Answer 7

One subnet per Availability Zone, Internet Gateway (IGW), Default Security Group (SG), Network Access Control List (NACL), DHCP options set, and Route Table with a route to the internet via IGW.

Question 8

Can the default VPC be deleted and restored?

Answer 8

The default VPC can be deleted, but it cannot be restored; it must be recreated through AWS CLI.

Question 9

How does the AWS Management Console handle VPC deletion?

Answer 9

The AWS Management Console will automatically delete the VPC along with its resources.

Question 10

What is a Default Route or Catch-All-Route?

Answer 10

It represents all possible IP addresses, essentially allowing access from anywhere or to the internet without restriction.

Question 11

What is AWS RAM, and how does it relate to VPCs?

Answer 11

AWS RAM (Resource Access Manager) allows sharing of resources across AWS Accounts. Shared VPCs help reduce the number of VPCs and separate accounts for billing and access control.

Question 12

How do you share VPCs with other AWS Accounts using AWS RAM?

Answer 12

Share VPCs by sharing only non-default subnets, creating a resource share in RAM for what you are sharing, and creating shared principals in RAM for who you are sharing with.

Question 13

What type of firewall is a Network Access Control List (NACL)?

Answer 13

Stateless

Question 14

At what level does a Network Access Control List (NACL) operate?

Answer 14

Subnet level

Question 15

What rules/actions do NACL support?

Answer 15

Allow and Deny

Question 16

How are NACL rules evaluated?

Answer 16

Based on their number, from lowest to highest

Question 17

At what level does a Security Group (SG) operate?

Answer 17

Instance level

Question 18

By what are Security Groups bound?

Answer 18

By a VPC

Question 19

Are there exceptions from filtering in Security Groups?

Answer 19

YES
For Example:
Amazon DNS, Amazon DHCP, License activation for Windows instances, Reserved IP addresses used by the default VPC route

Question 20

What does it mean if a firewall is stateful?
Which one is stateful Security Group or NACL?

Answer 20

It tracks the state of connections and automatically manages return traffic.
Security Group is stateful.

Question 21

What does it mean if a firewall is stateless?
Which one is stateless Security Group or NACL?

Answer 21

It does not track the state of connections; each packet is evaluated independently. Explicit rules are needed for both directions.

NACL is stateless.

Question 22

What is the function of a Route Table in a VPC?

Answer 22

To determine where network traffic is directed.

Question 23

What must each subnet in a VPC be associated with?

Answer 23

A Route Table

Question 24

Can one Route Table be associated with multiple subnets?

Answer 24

Yes

Question 25

What does a local target in a Route Table signify?

Answer 25

Traffic remains within the VPC

Question 26

What is an example of a target in a Route Table for public subnet traffic?
What does a Target mean?

Answer 26

igw-abc123 (Internet Gateway) can be used as a target.
Target means next hop from a source (e.g. a subnet or EC2 instance) to which traffic needs to be directed in order to reach Destination

Question 27

When is the Main Route Table created?
Can it be deleted?

Answer 27

It is created with VPC and it cannot be deleted.

Question 28

What is a Gateway in networking?

Answer 28

A Gateway is a networking service that sits between two different networks.

Question 29

What is the function of an Internet Gateway (IGW)?

Answer 29

An Internet Gateway handles inbound and outbound traffic for IPv4 and IPv6.

Question 30

What does an Egress-Only Internet Gateway do?

Answer 30

It handles outbound-only private traffic for IPv6.

Question 31

What is the purpose of a NAT Gateway?

Answer 31

It handles outbound-only private traffic for IPv4.

Question 32

What is a Carrier Gateway used for?

Answer 32

It is used to connect to a telecom network.

Question 33

What is the difference between a Customer Gateway (CGW) and a Virtual Private Gateway (VGW)?

Answer 33

CGW is on-premise or external network side (not AWS side).
VGW is on the AWS side, within a specific VPC.

Question 34

What are the roles of CGW and VGW in a VPN connection?

Answer 34

CGW manages the VPN connection on your end.
VGW manages the VPN connection on the AWS end.

Question 35

What is a Gateway Load Balancer (GWLB)?

Answer 35

A Network Load Balancer that enables the use of third-party virtual appliances like firewalls or IDS/IPS.

Question 36

What is a Direct Connect Gateway used for?

Answer 36

It serves as the endpoint for a fiber optic connection at a co-location data center.

Question 37

What is a Backup Gateway?

Answer 37

It is an endpoint connection for AWS managed backups.

Question 38

What does an IoT Device Gateway do?

Answer 38

It provides endpoint connection for IoT data.

Question 39

What is the purpose of a Transit Gateway?

Answer 39

It simplifies VPC peering.

Question 40

What is an API Gateway used for?

Answer 40

It abstracts API endpoints to services.

Question 41

What is the function of a Storage Gateway?

Answer 41

It connects local storage to cloud storage.

Question 42

What is an Elastic IP (EIP) address?

Answer 42

An Elastic IP address is a static IPv4 address in AWS.

Question 43

What is Direct Connect?

Answer 43

Direct Connect is a solution for establishing dedicated network connections from on-premise locations to AWS.

Question 44

What do VPC Endpoints allow?

Answer 44

They allow private connections between a VPC and other services, with all communication occurring within the AWS network.

Question 45

What does AWS PrivateLink enable?

Answer 45

It enables secure connections between a VPC and supported AWS services, AWS services hosted in other AWS accounts, and supported AWS Marketplace services, without using public IPs.

Question 46

What are Interface Endpoints?

Answer 46

nterface Endpoints are Elastic Network Interfaces (ENIs) with private IP addresses that serve as an entry point for traffic going to supported services.

Question 47

What is an Elastic Network Interface (ENI)?

Answer 47

An Elastic Network Interface (ENI) is a logical network interface representing a virtual network card that can be attached to resources like an EC2 instance.

Question 48

What does a Gateway Endpoint provide connectivity to without using an Internet Gateway or NAT device?

Answer 48

Amazon S3 and DynamoDB.

Question 49

Do Gateway Endpoints use AWS PrivateLink?

Answer 49

No, Gateway Endpoints do not use AWS PrivateLink.

Question 50

What information do VPC Flow Logs capture?

Answer 50

IP information about traffic that goes through your VPC.

Question 51

What scopes can VPC Flow Logs capture information for?

Answer 51

VPC, Subnet, ENI, Transit Gateway, Transit Gateway Attachments.

Question 52

What traffic types can be monitored by VPC Flow Logs?

Answer 52

ALL (all traffic), ACCEPT (only accepted traffic), REJECT (only rejected traffic).

Question 53

Where can VPC Flow Logs be stored?

Answer 53

S3 Bucket, CloudWatch Logs, Amazon Kinesis Data Firehose.

Question 54

What does AWS VPN establish?

Answer 54

A secure and private tunnel from your network to AWS global network.

Question 55

What gateways does AWS VPN utilize?

Answer 55

Virtual Private Gateway (VGW) or Transit Gateway (TGW), and Customer Gateway (CGW).

Question 56

What are the two types of AWS VPN?

Answer 56

Site-to-Site VPN and Client VPN.

Question 57

What is a Virtual Private Gateway (VGW)?

Answer 57

Amazon’s side endpoint of a Site-to-Site VPN connection, attachable to a single VPC.

Question 58

What must be assigned to a Virtual Private Gateway (VGW) for it to function?

Answer 58

An Autonomous System Number (ASN), with 64512 as the default if not specified.

Question 59

What is a Customer Gateway (CGW)?

Answer 59

An AWS resource representing a device in an on-premise network for VPN connection.

Question 60

What does a Client VPN allow?

Answer 60

Secure access to AWS resources outside of the AWS network.

Question 61

What are the authentication methods supported by Client VPN?

Answer 61

Certificate-based authentication, Active Directory authentication, Federation authentication (Single-Sign-On, SAML).

Question 62

What is a NAT Gateway?

Answer 62

A NAT service that allows instances in private subnets to establish outbound connections.

Question 63

Does a NAT Gateway support IPv6 to IPv4 translation?

Answer 63

Yes, it supports translation from IPv6 to IPv4, known as NAT64.

Question 64

What is a NAT Instance?

Answer 64

A legacy feature for launching NAT on individual EC2 instances, with customer-managed scaling.

Question 65

What is a Jumpbox/Bastion?

Answer 65

Security-hardened virtual machines (EC2 instances) for secure access to private subnets.

Question 66

What is VPC Lattice?

Answer 66

A fully managed networking service that simplifies and secures communication between services running in VPCs.

Question 67

What are the components of VPC Lattice?

Answer 67

Service Network, Listener, Target Group, Service Directory.

Question 68

What is AWS Transit Gateway (TGW)?

Answer 68

A network transit hub that allows for the interconnection of VPCs and on-premise networks.

Question 69

What are some key features of Transit Gateway (TGW)?

Answer 69

Leverages AWS RAM, serves as a virtual router at regional level, and supports attachments of VPN connections, Direct Connect, and third-party appliances.

Question 70

What does Traffic Mirroring do?

Answer 70

Sends a copy of network traffic from a source ENI to a target ENI or UDP-enabled NLB or GWLB.

Question 71

What is the Route 53 Resolver DNS Firewall?

Answer 71

A feature of Route 53 Resolver that enhances security by filtering DNS queries in VPC.

Question 72

What is AWS Network Firewall?

Answer 72

A stateful, managed network firewall and IDS/IPS for VPCs, utilizing Suricata software.

Question 73

What is VPC Peering?

Answer 73

A one-to-one network connection between two VPCs that enables direct routing of traffic between them using private IP addresses.

Question 74

What is a key difference between VPC Peering and Transit Gateway?

Answer 74

VPC Peering is less scalable and does not support transitive routing, while Transit Gateway is highly scalable and supports transitive routing.

Question 75

What is Network Address Usage (NAU)?

Answer 75

A metric applied to resources in VPC to help plan and monitor the size of the VPC.