Network And VPC Flashcards
How many usable IPs are in the following CIDR: 10.0.0.0/24?
251. A /24 holds 2^(32-24) = 256 addresses, and AWS reserves 5 addresses in every subnet (the network address, .1 for the VPC router, .2 for the Amazon DNS server, .3 reserved for future use, and the last address, the network broadcast), so 256 - 5 = 251 can be assigned to instances.
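A small calculator for the subnet arithmetic and the reserved addresses, added here as an example (not part of the original cards), using only Python's standard ipaddress module. The /16 to /28 size limit and the five reserved slots are AWS's documented subnet rules; the CIDRs used are constructed inputs.

```python
import ipaddress

# AWS reserves five addresses in every subnet (documented VPC behaviour):
# the network address, .1 (VPC router), .2 (Amazon DNS), .3 (future use)
# and the last address (network broadcast, which VPCs do not support).
AWS_RESERVED_PER_SUBNET = 5


def aws_subnet(cidr: str) -> ipaddress.IPv4Network:
    """Parse a subnet CIDR and enforce the AWS size limits (/16 to /28)."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set, e.g. 10.0.0.5/24
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    return net


def usable_hosts(cidr: str) -> int:
    """2^(32 - prefix) addresses minus the five AWS reserves."""
    return aws_subnet(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def reserved_addresses(cidr: str) -> dict:
    """The five addresses you cannot assign to an ENI in this subnet."""
    net = aws_subnet(cidr)
    first = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(first)),
        "vpc_router": str(ipaddress.ip_address(first + 1)),
        "dns": str(ipaddress.ip_address(first + 2)),
        "future_use": str(ipaddress.ip_address(first + 3)),
        "broadcast": str(net.broadcast_address),
    }


def assignable_range(cidr: str) -> tuple:
    """First and last address an instance can actually receive."""
    net = aws_subnet(cidr)
    first = int(net.network_address) + 4          # skip the four reserved at the start
    last = int(net.broadcast_address) - 1         # skip the broadcast at the end
    return str(ipaddress.ip_address(first)), str(ipaddress.ip_address(last))


if __name__ == "__main__":
    for cidr in ("10.0.0.0/24", "10.0.0.0/28"):
        print(cidr, usable_hosts(cidr), reserved_addresses(cidr), assignable_range(cidr))
```

Note that the strict parse rejects a CIDR with host bits set, which is also what the VPC API does, and that a /28 (the smallest AWS allows) leaves only 11 usable addresses.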
What would the INBOUND and OUTBOUND rules be for a web server security group serving HTTP and HTTPS traffic? What will the ports be for inbound and outbound traffic? Why?
Inbound: 0.0.0.0/0 on TCP 80 and 443. Outbound: 0.0.0.0/0 on all ports. The inbound rules restrict what can be initiated towards the server to HTTP/S from any IP address. Because security groups are stateful, the responses to those inbound connections (which go back to the clients' ephemeral ports) are allowed automatically, so the outbound allow-all rule is not what permits them; it is what permits connections the server itself initiates, such as downloading patches or calling other APIs.
What does the source/destination check enforce on an EC2 instance and why would you disable it?
The source/destination check makes an EC2 instance (strictly, its ENI) accept only traffic of which it is itself the source or the destination, i.e. it must have requested the traffic it is getting the response for. Anything it would merely forward on behalf of another host is dropped. You disable it when building a NAT instance (or any other instance that must forward traffic for others), because the forwarded packets carry other instances' addresses.
Which type of subnet would you deploy a NAT instance or gateway in? What else would be needed?
A public subnet, i.e. one whose route table sends 0.0.0.0/0 to an internet gateway. The VPC therefore needs an internet gateway attached, the NAT needs a public (Elastic) IP, and the private subnet's route table needs a 0.0.0.0/0 route pointing at the NAT.
What is the role of AWS Firewall Manager?
Firewall Manager centrally manages rules across all accounts in an AWS Organization, including:
WAF rules
Shield Advanced protections
Security groups for EC2 instances and ENIs
If someone needed to audit all your firewall rules, this is a good place to start.
Is Direct Connect encrypted? If it isn't, can it be and how?
No. Direct Connect is a private physical link, but the traffic on it is not encrypted by default. If you need encryption, run a Site-to-Site VPN over Direct Connect, which gives you an IPsec-encrypted tunnel across the private link (some dedicated connections also support MACsec encryption at layer 2).
You have set up an internet gateway in your VPC, but your EC2 instances still don't have access to the internet.
Which of the following is NOT a possible issue?
- Route tables are missing entries
- The security group does not allow network traffic in
- The NACL does not allow network traffic out
The security group not allowing traffic in is not a possible issue. Security groups are stateful: if the instance's outbound rules allow a connection out, the reply is allowed back in regardless of the inbound rules. The other two are real issues: the subnet's route table needs a 0.0.0.0/0 route to the internet gateway, and NACLs are stateless, so both the outbound request and the inbound reply (on ephemeral ports) must be allowed explicitly. A missing public or Elastic IP on the instance is another common cause.
Can a subnet span AZs?
No. A subnet is locked to a single AZ (the VPC itself spans all AZs in its region).
Does a NACL provide firewall capabilities at the subnet or at the instance/ENI level?
At the subnet level.
Does a NACL have allow/deny rules? What about security groups?
NACLs have both allow and deny rules, evaluated in rule-number order with the first match winning. Security groups have allow rules only, and all rules are evaluated, so anything not explicitly allowed is denied.
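To make the stateful-versus-stateless difference and the allow/deny ordering concrete, here is a small simulator of security-group and NACL evaluation, added as an example (it is not AWS code and not part of the original cards). It models AWS's documented semantics: a security group tracks connections it has admitted and evaluates all of its allow rules, while a NACL keeps no state and applies the lowest-numbered matching rule. The addresses, ports and rule sets are constructed for the example, and it also covers the web-server card above: the same rules let the reply to a client request out of a security group that has no outbound rule at all, but not out of a NACL that forgot the ephemeral port range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP/UDP conversation."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str           # peer CIDR: source for inbound rules, destination for outbound
    action: str = "allow"
    number: int = 0     # NACL rule number; ignored by security groups

    def matches(self, flow: Flow, direction: str) -> bool:
        peer = flow.src if direction == "in" else flow.dst
        return ((self.proto == "-1" or self.proto == flow.proto)
                and self.port_from <= flow.dport <= self.port_to
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Instance/ENI level, stateful, allow rules only; every rule is evaluated."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": list(inbound), "out": list(outbound)}
        self.state = set()      # flows admitted by a rule; their replies skip the rules

    def permits(self, flow: Flow, direction: str) -> bool:
        if flow.reverse() in self.state:        # reply to a tracked flow: always allowed
            return True
        if any(r.matches(flow, direction) for r in self.rules[direction]):
            self.state.add(flow)
            return True
        return False                            # no deny rules: no allow means deny


class NetworkACL:
    """Subnet level, stateless, allow and deny rules, lowest number first."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def permits(self, flow: Flow, direction: str) -> bool:
        for r in self.rules[direction]:
            if r.matches(flow, direction):
                return r.action == "allow"      # first match wins
        return False                            # the implicit "*" deny rule


ANY = "0.0.0.0/0"


def web_server_scenario() -> dict:
    """Constructed traffic: an internet client talks to a web server at 10.0.1.10:443."""
    request = Flow("tcp", "203.0.113.7", 51234, "10.0.1.10", 443)
    reply = request.reverse()                                   # server -> client ephemeral port
    patch_download = Flow("tcp", "10.0.1.10", 40000, "198.51.100.20", 443)

    web_sg = SecurityGroup(inbound=[Rule("tcp", 80, 80, ANY), Rule("tcp", 443, 443, ANY)],
                           outbound=[Rule("-1", 0, 65535, ANY)])
    locked_sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])

    nacl_no_ephemeral = NetworkACL(inbound=[Rule("tcp", 443, 443, ANY, number=100)],
                                   outbound=[Rule("tcp", 443, 443, ANY, number=100)])
    nacl_ok = NetworkACL(inbound=[Rule("tcp", 443, 443, ANY, number=100)],
                         outbound=[Rule("tcp", 1024, 65535, ANY, number=100)])
    deny_first = NetworkACL(inbound=[Rule("-1", 0, 65535, "192.0.2.0/24", "deny", 50),
                                     Rule("-1", 0, 65535, ANY, "allow", 100)], outbound=[])
    deny_last = NetworkACL(inbound=[Rule("-1", 0, 65535, ANY, "allow", 100),
                                    Rule("-1", 0, 65535, "192.0.2.0/24", "deny", 200)], outbound=[])
    bad_client = Flow("tcp", "192.0.2.5", 4444, "10.0.1.10", 443)

    locked_sg.permits(request, "in")            # admit the request so its state exists
    return {
        "sg_request_in": web_sg.permits(request, "in"),
        "sg_reply_out": web_sg.permits(reply, "out"),
        "sg_patch_download": web_sg.permits(patch_download, "out"),
        "locked_sg_reply_out": locked_sg.permits(reply, "out"),          # stateful: allowed
        "locked_sg_patch_download": locked_sg.permits(patch_download, "out"),  # no rule: denied
        "nacl_reply_without_ephemeral": nacl_no_ephemeral.permits(reply, "out"),
        "nacl_reply_with_ephemeral": nacl_ok.permits(reply, "out"),
        "nacl_deny_numbered_first": deny_first.permits(bad_client, "in"),
        "nacl_deny_numbered_last": deny_last.permits(bad_client, "in"),  # allow at 100 wins
    }


if __name__ == "__main__":
    for name, allowed in web_server_scenario().items():
        print(f"{name:32} {'ALLOW' if allowed else 'DENY'}")
```

The two NACL cases at the end are the practical trap: a deny rule only takes effect if its number is lower than the allow rule that would otherwise match, so a blocklist added with a high number does nothing.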
There are 2 services that use gateway endpoints. What are they? How do they differ from an interface endpoint?
S3 and DynamoDB.
A gateway endpoint is a route-table target: you add a route for the service's prefix list pointing at the endpoint, and traffic to S3 or DynamoDB stays on the AWS network. An interface endpoint is an ENI with a private IP address in your subnet, provided by AWS PrivateLink (on the service-provider side, PrivateLink services sit behind a Network Load Balancer). Interface endpoints are available for most AWS services (S3 too), are protected by security groups, and are billed per hour and per GB; gateway endpoints for S3 and DynamoDB are free.
What do VPC endpoints allow for? Can these be accessed outside of the VPC (such as over Direct Connect)?
They let resources in your VPC reach AWS services over the AWS private network instead of the public internet, so an instance in a private subnet can talk to S3, DynamoDB, SQS and so on without a NAT or internet gateway. Gateway endpoints (S3, DynamoDB) can only be used from within the VPC whose route tables reference them; they cannot be reached over Direct Connect, a Site-to-Site VPN or VPC peering. Interface endpoints (PrivateLink) are ENIs with private IPs, so they can be reached from on-premises over Direct Connect or VPN, provided the service's DNS name resolves to the endpoint's private IP from on-premises (for example via a Route 53 Resolver inbound endpoint).
What two technologies can be used to connect an on-premises data centre or network to a VPC? What is the difference between the two? Can either of them access VPC endpoints, and how long does it take to provision each?
Site-to-Site VPN: IPsec-encrypted connection over the public internet; can be up in minutes to hours.
Direct Connect: dedicated physical connection between on-premises and AWS. Private, consistent low latency, not encrypted by itself. Takes at least a month to establish.
Neither can use a gateway endpoint (S3/DynamoDB); both can reach interface endpoints via their private IPs.
I have a set of instances in a private subnet which need internet access to download patches, but I don't want the subnet opened to the internet. There is an internet gateway attached to the VPC and a public subnet using it. What can I do to give my private instances internet access?
Deploy a NAT gateway (or NAT instance) in the public subnet and add a route in the private subnet's route table sending 0.0.0.0/0 to the NAT. The NAT's own subnet already routes 0.0.0.0/0 to the internet gateway. Only outbound-initiated traffic gets through: the NAT does not forward unsolicited inbound connections to the private instances, so the subnet stays closed to the internet.
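Added example (not from the original cards): a tiny route-table model that follows a packet from a private subnet through a NAT to the internet gateway, using AWS's longest-prefix-match rule and the fact that a NAT forwards using the route table of the subnet it lives in. It also shows the two common misconfigurations from the cards above, a NAT placed in a private subnet and a subnet with no 0.0.0.0/0 route. The subnet names and the identifiers igw-example and nat-example are made up; the VPC layout is constructed.

```python
import ipaddress


class RouteTable:
    """AWS route table: the most specific (longest prefix) matching route wins.
    The VPC CIDR 'local' route is always present and cannot be removed."""
    def __init__(self, vpc_cidr: str, routes):
        self.routes = [(ipaddress.ip_network(vpc_cidr), "local")]
        self.routes += [(ipaddress.ip_network(cidr), target) for cidr, target in routes]

    def lookup(self, dst: str):
        addr = ipaddress.ip_address(dst)
        matches = [(net, target) for net, target in self.routes if addr in net]
        if not matches:
            return None                          # no route at all: packet is dropped
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def is_public(self) -> bool:
        """AWS's definition of a public subnet: its table routes to an internet gateway."""
        return any(target.startswith("igw-") for _, target in self.routes)


VPC_CIDR = "10.0.0.0/16"


def build_vpc(nat_subnet: str) -> dict:
    """Constructed VPC with a public, a private and an isolated subnet.
    nat_subnet names the subnet the NAT (gateway or instance) is placed in."""
    return {
        "tables": {
            "public-a": RouteTable(VPC_CIDR, [("0.0.0.0/0", "igw-example")]),
            "private-a": RouteTable(VPC_CIDR, [("0.0.0.0/0", "nat-example")]),
            "isolated-a": RouteTable(VPC_CIDR, []),      # local route only
        },
        "nat_location": {"nat-example": nat_subnet},
    }


def trace_egress(vpc: dict, subnet: str, dst: str) -> list:
    """Hop-by-hop path of a packet sent from an instance in `subnet` to `dst`."""
    path = []
    for _ in range(3):                           # enough hops for subnet -> NAT -> IGW
        target = vpc["tables"][subnet].lookup(dst)
        path.append(f"{subnet}: {dst} -> {target}")
        if target is None:
            path.append("dropped: no matching route")
            return path
        if target == "local":
            path.append("delivered inside the VPC")
            return path
        if target.startswith("igw-"):
            path.append("internet")
            return path
        # A NAT forwards using the route table of the subnet it lives in, so a
        # NAT placed in a private subnet just routes back to itself.
        next_subnet = vpc["nat_location"].get(target)
        if next_subnet is None:
            path.append(f"dropped: unmodelled target {target}")
            return path
        subnet = next_subnet
    path.append("dropped: NAT never reaches an internet gateway")
    return path


if __name__ == "__main__":
    good = build_vpc("public-a")
    bad = build_vpc("private-a")
    print(trace_egress(good, "private-a", "198.51.100.20"))
    print(trace_egress(bad, "private-a", "198.51.100.20"))
    print(trace_egress(good, "isolated-a", "198.51.100.20"))
    print(trace_egress(good, "private-a", "10.0.3.4"))
```

Because the local route has the longest prefix, traffic to another subnet in the VPC never leaves via the NAT, and the NAT placement check is simply whether its own subnet's table is public.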