Module 3 - Networking Flashcards

1
Q

What is a CIDR block?

A

This is how you tell the network how many IP addresses to allocate. Choose a larger block than you think you need so you don’t run out of addresses.

2
Q

What is Amazon VPC?

A

Amazon Virtual Private Cloud (VPC) is a service that lets you launch AWS resources in a logically isolated virtual network. You deploy into ONE of the Regions and can host resources from any Availability Zone within its Region. It’s like your own personal data center.

3
Q

What is a subnet?

A

A range of IP addresses in your VPC. It lives in one AZ. It must be associated with only ONE route table, but several subnets can share a route table.

4
Q

What is CIDR?

A

Classless Inter-Domain Routing. It’s a method of allocating IP addresses and IP routing.

5
Q

What does an Internet Gateway do?

A

Allows instances in your VPC to talk to the internet. It has 2 jobs:

  • Provides a target in your VPC route tables for internet-routable traffic
  • Performs network address translation (NAT) for instances that have been assigned public IPv4 addresses
6
Q

How does a subnet get on a route table?

A

Every subnet in your VPC must be associated with a route table (and only one route table). If you don’t specify one, it is associated with the main route table.

7
Q

How would you set up multiple environments, like dev, qa, prod?

A

Create multiple VPCs. For extra security, use multiple accounts also.

8
Q

How do you make an instance publicly accessible within a VPC?

A

1) Attach an internet gateway to the VPC (this creates a public subnet)
2) Update the public route table pointing to the gateway.
3) Assign the instance a public IP address.

9
Q

What is an Elastic IP address?

A

An IP address that you can move around to any instance. You access it through the Internet Gateway.

10
Q

What’s the point of an Elastic IP?

A

You can mask the failure of an instance by rapidly remapping the address to another instance in your VPC.

11
Q

What are the limitations of an Elastic IP?

A

Does not work on VPN (because there is no Internet Gateway), limited to 5 addresses.

12
Q

What is an Elastic Network Interface?

A

An interface you can attach to an instance, then detach and attach to a different instance, all the while keeping its private IP address, Elastic IP address and MAC address.

13
Q

What is the purpose of NAT?

A

Network Address Translation is for conserving IP addresses. This lets your private IP networks connect to the internet. Not needed for IPv6.

14
Q

What is a NAT gateway?

A

A one-way (outbound) connection between private subnet instances and the internet. The NAT gateway uses its Elastic IP address as the source IP for traffic from the private subnet. Not needed for IPv6.

15
Q

What is a network ACL?

A

Network Access Control List. It’s an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more SUBNETS. It contains a list of rules evaluated in order to determine if traffic is allowed.

16
Q

What is the setting of the default network ACL?

A

VPCs automatically get a default NACL. It allows all inbound and outbound IPv4 traffic. CUSTOM ACLs deny all traffic by default.

17
Q

What are the components of an ACL rule?

A

• Rule number – As soon as a rule matches traffic, it is applied regardless of any higher-numbered rule that might contradict it.
• Type – e.g., Secure Shell (SSH). You can also specify all traffic or a custom range.
• Protocol – You can specify any protocol that has a standard protocol number.
• Port range – e.g., 80 for HTTP traffic.
• Source – For inbound rules only, the source of the traffic (CIDR range).
• Destination – For outbound rules only, the destination for the traffic (CIDR range).
• Allow or Deny – Whether to allow or deny the specified traffic
Network ACLs are STATELESS (return traffic must be explicitly allowed by a rule).

18
Q

What is a security group?

A

A virtual firewall for your EC2 instance to control inbound and outbound traffic. Works at the instance level. Supports only allow rules. STATEFUL (response to a request will be allowed).

19
Q

What is the default setting for a security group?

A

Allow all outbound traffic. Block all inbound traffic.

20
Q

What is security group chaining?

A

The inbound and outbound rules are set up in a way that traffic can only flow from the top tier to the bottom tier and back up again. Prevents security breaches in one tier from compromising other tiers.

21
Q

Describe a multilayer defense.

A
  • Run in VPC (control which instances are exposed to internet)
  • Network ACL at the subnet level
  • Security groups (most common)
22
Q

How many VPCs can you have per region? How many subnets per VPC?

A

5 VPCs per region.

200 Subnets per VPC.

23
Q

What parts of a VPC cost you money?

A

NAT gateway, VPC endpoints, VPN gateway, customer gateway

24
Q

I created an EC2 instance in my VPC but I don’t see its public DNS.

A

You have to enable DNS hostnames. They are off by default.

25
Q

There is a default VPC in every region. What are its features/configurations?

A
  • CIDR block size /16 (172.31.0.0/16)
  • Size /20 default subnet in each AZ in the region.
  • Internet Gateway connected to default VPC
  • Default security group (associated with default VPC)
  • Default Network Access Control List (NACL) associated with default VPC
  • Default DHCP options
  • Main route table
26
Q

0.0.0.0/0

A

The DEFAULT route; it represents all possible IP addresses.

27
Q

What is AWS Direct Connect? Why would you use it?

A

A dedicated network connection from on-prem to AWS. Fast, available at low or high bandwidth.

Reduces network costs; increases bandwidth throughput; gives a more consistent network experience (reliable, secure).

28
Q

Where does the NAT gateway live?

A

The PUBLIC subnet

29
Q

What is a NAT instance and what’s the one thing you need to remember about it?

A

It’s just an EC2 instance configured a certain way. Not used much anymore. Managed by YOU, not AWS.

** You must disable source/destination checks ** so that it can work as a network address translator (NAT).

30
Q

A company plans to launch an Amazon EC2 instance in a private subnet for its internal corporate web portal. For security purposes, the EC2 instance must send data to Amazon DynamoDB and Amazon S3 via private endpoints that don’t pass through the public Internet.

Which of the following can meet the above requirements?

A

Use VPC endpoints to route all access to S3 and DynamoDB through private endpoints.

31
Q

A Solutions Architect needs to make sure that the On-Demand EC2 instance can only be accessed from this IP address (110.238.98.71) via an SSH connection. Which configuration below will satisfy this requirement? What goes in the ??

Security Group Inbound Rule: Protocol: ??? / Port Range: ?? / Source: 110.238.98.71/??

A

TCP (because that’s the protocol SSH uses)
22 (the SSH port)
/32 (denotes a single IP address; /0 would be the entire network.)

32
Q

Which components are required to build a site-to-site VPN connection on AWS? (Select TWO.)

A

A customer gateway is required for the VPN connection to be established. A customer gateway device is set up and configured in the customer’s data center.

A virtual private gateway is attached to a VPC to create a site-to-site VPN connection on AWS. You can accept private encrypted network traffic from an on-premises data center into your VPC without the need to traverse the open public internet.

33
Q

A company has multiple VPCs with IPv6 enabled for its suite of web applications. The Solutions Architect tried to deploy a new Amazon EC2 instance but she received an error saying that there is no IP address available on the subnet.

How should the Solutions Architect resolve this problem?

A

Set up a new IPv4 subnet with a larger CIDR range. Associate the new subnet with the VPC and then launch the instance.

Not an IPv6-only subnet, because you need to add an IPv4 subnet first before you can create an IPv6 subnet.

34
Q

Your EC2 instance cannot be accessed from the Internet (or vice versa). What could be the problem?

A
  • Does it have an EIP or public IP address?
  • Is the route table properly configured?