Discussion: VPC - Introduction and Overview Flashcards
You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? Choose 2 answers
A> Configure web server VPC security groups to allow traffic from your customers’ IPs
B> Configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header
C> Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
D> Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic
Answer:
A> Configure web server VPC security groups to allow traffic from your customers’ IPs
B> Configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header
A is obviously correct, as a security group can be configured to accept traffic from predefined customer IPs.
You can leverage AWS WAF to configure your web server and filter the traffic based on the HTTP header passed by the load balancer. Hence #B is correct.
The security group can be configured to only allow the inbound or outbound traffic. When you allow certain inbound traffic in a security group, the outbound traffic is automatically allowed because of its stateful nature. Hence #C is wrong.
If you deny all outbound traffic in the NACL, it will accept the inbound traffic but not the outbound; hence #D is wrong.
In the VPC Lab it states that AWS won’t allow you to use more than /16 on a VPC. But then later on when you go to the ‘Create Subnet’ wizard, in the demo you entered 10.0.1.0/24. So why can you now exceed the /16?
This can be summed up quite simply. The /16 or /24 is the number of mask bits in the CIDR address. The 16 signifies that it should mask the first two octets, leaving two additional octets for addressing needs. Each octet contains 255 addresses. Therefore a mask of /16 is 255 X 255 addresses, or 65535.
A /24 address is only masking 8 bits, or 255 addresses. So in essence a mask of /16 is a lot more than a mask of /24.
Can a VPC of any size be created?
a) Amazon VPC supports VPCs from /16 to /28 (in CIDR)
b) there is no size limit
c) Amazon VPC supports VPCs with any subnet smaller than /16
d) Amazon VPC supports VPCs with any subnet greater than /28
Answer: a) Amazon VPC supports VPCs from /16 to /28 (in CIDR)
Which of the following is true about route tables in a VPC? (multiple)
a) the main route table is created along with the VPC
b) the main route table can be replaced with a custom route table
c) route tables are automatically created and cannot be edited
d) a subnet can exist without association with a route table.
Answer:
a) the main route table is created along with the VPC
b) the main route table can be replaced with a custom route table
Explanations:
A is correct, as per AWS doc: “When you create a VPC, it automatically has a main route table.”
B is correct, as per AWS doc: “You cannot delete the main route table, but you can replace the main route table with a custom table that you’ve created”
C is totally wrong
D is wrong, as per AWS doc: “Each subnet must be associated with a route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet is implicitly associated with the main route table.”
Through the training I was continuously told that Security Groups are stateful, and any rule created inbound is automatically created outbound. However, upon going through the WordPress portion of the training, you create a Security Group and I see an Outbound Rules tab. So now I’m confused: did Security Groups change since they released the training, or am I confusing it with something else?
The outbound tab is relevant where traffic originates from within the security group, whereas inbound rules are relevant for traffic originating from clients outside the security group.
Taking your WordPress site example, assuming it is deployed on an instance secured by a security group for inbound traffic, say from a web browser, you would want HTTP 80 and HTTPS 443 open on the inbound part of the security group, whereas for WordPress to pull updates to plugins you would want HTTP 80 open on the outbound portion of the security group so it can poll remote plugin sites (either directly or via a NAT). By default, there are no restrictions on outbound traffic, but if you wanted to limit the way in which your instance could reach out to the internet, then this is one area in which you could do it.
I’m in the middle of preparing for my Architect Associate exam and I have a question on VPC. I’ve created an exercise for myself where the following infrastructure should be created:
2 Frontend servers with an Apache HTTP server
2 Backend servers with Tomcat (and a simple web application that allows you to upload files to S3).
I’m a bit “stuck” on the VPC configuration, where I had the following in mind:
- Create 4 subnets, 1 for each server. Not per se to assign 1 subnet per server, but more to spread them throughout the availability zones.
- Add a Load Balancer between Frontend and Backend servers to divide the load between the 2.
I know you can go a lot further than that, but the main idea is to tinker a bit with VPC stuff, not to provide a small enterprise with a full blown infrastructure.
The reason why I would create 4 different subnets is to provide high availability, since you can put your EC2 instances in different availability zones. But is that reasoning correct? Or are there better ways of handling that problem?
Your approach to achieve HA for the use case you have described is ideal. If you wanted to take it a step further I’d also add an auto-scaling group, so that if an instance dies in an AZ the auto-scaling group will recover it, but you’ll discover that anyway as you go through the course.
Given you want to load-balance the backend instances, you have to think about which subnet(s) you’ll be launching them into, and here are 2 possible ways I have seen done:
1 - launch them into the frontend subnets; give the frontend instances access to hit the LBs via the LB security group, and give the LBs access to the backend instances via the backend’s SG.
2 - have another pair of subnets just for the LBs, and again do something similar with the SGs. You’ll need to adjust your route tables in order to put these new subnets in-between the other 2 sets. This of course presumes your VPC has enough spare IPs to allow for more subnets.
Similar to 1, it is possible to launch the LBs into the backend subnets. Usually it depends on which subnets you have room free for the LBs. Don’t forget to lock everything down security-wise with your SGs and network ACLs.
Amazon guarantees hardware isolation in VPC; is this true?
a) yes, but only with the dedicated placement option, which is separately billable
b) no guarantee that hardware will be shared by another account
c) yes, it comes free with VPC
d) yes, but only with the virtual private gateway feature
Answer: a) yes, but only with the dedicated placement option, which is separately billable