Network Flashcards

2
Q

How to connect two VPCs together

A

VPC PEERING

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network.

3
Q

Max VPCs per account/region

A

You can have up to 5 VPCs per region per AWS account.
5
Q

How are NACL rules evaluated

A

In order. Rules are numbered, and the first rule that matches (Allow or Deny) is applied; no subsequent rules are considered.

So to block a single IP, you would give that rule a low number so it is considered first.

NACL RULES ARE STATELESS. You must define both incoming and outgoing rules.
6
Q

VPC ENDPOINT

A

Some services (like S3) live in the AWS public VPC. To access those, you need to go over the internet.

If you don’t want to use the internet due to sensitive data, you can use VPC ENDPOINTS, which allow your private subnets to talk directly to AWS public services like S3.

There are two types of VPC endpoint: Gateway Endpoint or Interface Endpoint. DynamoDB and S3 can use either; everything else must use an Interface Endpoint. Gateway is FREE but has restrictions (can't use a private IP, can't access from another region).
7
Q

How would you connect On Prem to VPC

A

There are TWO ways to do this:

Site-to-Site VPN -> Encrypted connection, but goes over the public internet.

Direct Connect (DX) -> Physical connection between your DC and AWS. PRIVATE & FAST.
8
Q

How would you connect VPC to VPC?

A

Using VPC Peering. There must be no overlapping IPs.

10
Q

Default SG rules

A

All subnets come with a default SG which allows NO inbound traffic but ALL outbound traffic. SGs can only have ALLOW rules.
11
Q

Is a VPC regional or global?

A

Within each region, you can have multiple Virtual Private Clouds (VPCs). Each VPC exists within a single region and cannot span multiple regions.

12
Q

Is a VPC global or regional?

A

REGIONAL.

This means that a VPC exists within a specific AWS region and is isolated from VPCs in other regions.

Within a region, a VPC can span multiple Availability Zones (AZs).
13
Q

How to connect VPC across Regions

A

Inter-Region Connectivity:

If you need to connect VPCs in different regions, you can use AWS services like VPC Peering, AWS Transit Gateway, or AWS VPN.

These services allow for secure connections between VPCs, even across regions.

Transit Gateway (Hub and Spoke) is a more powerful and flexible solution for connecting VPCs, but it is also more complex to set up and manage.

VPC peering is simpler to set up and manage but has more limitations (max 125 connections; complex at scale).
14
Q

How many VPCs per region can you create by default?

A

5

15
Q

What type of subnets does the default VPC have?

A

Public.
16
Q

What makes a subnet public ?

A

A subnet is public if …

Auto Assign Public IPv4 = YES
Route table has a route to an IGW

17
Q

How can a private subnet access the internet ?

A

Either a NAT GATEWAY (AWS MANAGED) or a NAT INSTANCE (SELF MANAGED).

The NAT Gateway/Instance is installed in the PUBLIC subnet, and the private subnet is given a route to the public subnet.

18
Q

How can the domain’s zone apex, for example “myzoneapexdomain.com”, be pointed towards an Elastic Load Balancer?

A

Use a Route 53 ALIAS record.

A CNAME points a hostname to any other hostname (app.mydomain.com => bob.bob.com).

A CNAME can only be used for NON-ROOT domains (i.e. it must be xxx.mydomain.com).

An Alias points a hostname to an AWS resource (app.mydomain.com => xxx.amazonaws.com).

ALIAS works for ROOT and NON-ROOT domains (i.e. it could point mydomain.com).

ALIAS is also FREE and has built-in health checks.
Can't set the TTL for an ALIAS.
Used for: ELBs, CloudFront, API Gateway, S3 websites …
CANNOT be used for a direct EC2 DNS name.

19
Q

Which Route 53 routing policy can direct traffic based on %?

A

Weighted.

Control the % of traffic sent to each resource. Good for load balancing, or for sending a small amount of traffic to a new version of code for testing.

20
Q

You have updated a Route 53 Record’s myapp.mydomain.com value to point to a new Elastic Load Balancer, but it looks like users are still redirected to the old ELB. What is a possible cause for this behavior?

A

TTL (Time To Live).

Each DNS record has a TTL (Time To Live) which tells clients how long to cache these values, so they do not overload the DNS resolver with requests. The TTL value should be set to strike a balance between how long the value should be cached vs. how many requests should go to the DNS resolver.

21
Q

Route 53 Latency vs. Geolocation routing policy

A

Latency will evaluate the latency between your users and AWS Regions.

Geolocation is for routing based on where the users are (for example, language-specific websites, or when you want to deny traffic from a certain country).

22
Q

You have purchased a domain on GoDaddy and would like to use Route 53 as the DNS Service Provider. What should you do to make this work?

A

Create a public hosted zone and update the 3rd-party registrar's NS records.

23
Q

NACL and SG default rules.

A

AWS provides default NACL and SG.

By default, the SG allows all traffic in and thus all traffic out (it's stateless).

By default, the NACL allows all traffic in and explicitly all traffic out.

However, if you CREATE a custom SG or NACL, they will have NO default in or out rules.

24
Q

What is an AWS Partition?

A

A partition is a group of AWS Regions. Each AWS account is scoped to one partition.

aws - AWS Regions
aws-cn - China Regions
aws-us-gov - AWS GovCloud (US) Regions

NOTE THAT IAM POLICIES DON'T WORK ACROSS PARTITIONS.

25
Q

When would you use a Gateway Endpoint?

A

With a gateway endpoint, you can access Amazon S3 from your VPC without requiring an internet gateway or NAT device for your VPC.

It must be in the same region as the S3 bucket.

Your account has a default quota of 20 gateway endpoints per Region, which is adjustable. There is also a limit of 255 gateway endpoints per VPC.

26
Q

What are the 2 endpoint types?

A

Interface (all other services)
Gateway (S3/DynamoDB; free, single region)

Allow you to connect to AWS services using a private network instead of the public internet. This is for public services such as S3 or DynamoDB. This gives enhanced security and lower latency to AWS services.

27
Q

CloudFront: how many active key pairs can you have?

A

When you use the root user to manage CloudFront key pairs, you can only have up to two active CloudFront key pairs per AWS account.

Whereas, with CloudFront key groups, you can associate a higher number of public keys with your CloudFront distribution, giving you more flexibility in how you use and manage the public keys. By default, you can associate up to four key groups with a single distribution, and you can have up to five public keys in a key group.

28
Q

Is eu-west-2 an AZ or a Region?

A

Region. AZs have a letter suffix, such as

eu-west-2a, eu-west-2b

eu-west-2 is the Region, and eu-west-2a is the AZ.

29
Q

How many EIPs can a Region have?

A

By default, all AWS accounts are limited to 5 Elastic IP addresses per Region.

30
Q

Can ALB have an Elastic IP Address?

A

No. An NLB can have one, and it is possible to put an NLB in front of an ALB.

31
Q

Do you pay for an EIP?

A

Elastic IPs are free if they are attached to a running instance. You will be charged only if you are not using it.

31
Q

When would you want an EIP?

A

If you need to keep the same IP forever. Public IPs change if you stop/start instances. Sometimes a fixed IP is required for IP whitelisting, or for a Bastion Host where you want the same IP each time.

33
Q

NAT Gateway vs. NAT Instance

A

The NAT Gateway provides high availability and auto scaling and handles higher traffic throughput, but it is more expensive as it incurs an additional hourly charge. It’s fully managed.

A NAT Instance is cheaper. It gives you more control but requires manual handling of scaling, patching, etc.

34
Q

At what level do you attach an IGW?
VPC/subnet?

A

VPC.