Networking

Question 1

How are NACL rules evaluated? Ex:
100 All Traffic Allow
200 All Traffic Deny
* All Traffic Deny

Answer 1

NACL rules are evaluated by rule number from lowest to highest and executed immediately when a matching rule is found.

In this case All Traffic would be allowed

Question 1

Can you update the default NACL?

Answer 1

Yes
You can both add and remove rules

Question 2

Max # of security groups you can attach to 1 instance

Answer 2

5

Question 3

Can you delete the default security group?

Answer 3

No
But you can change the rules

Question 4

Using Route 53, which record type at the zone apex will you use to point the DNS name of the Application Load Balancer?

Answer 4

A and AAAA

Question 5

What can you attach to VPC to only allow outbound connections of IPv6 between the instance and the internet but should prevent the internet from initiating an inbound IPv6 connection?

Answer 5

egress-only internet gateway

Question 6

A managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs) traffic flows, like tracking connections and protocol identification, to enforce policies such as preventing your VPCs from accessing domains using an unauthorized protocol.

Answer 6

AWS Network Firewall

Question 7

What needs to be configured outside of the VPC for them to have a successful site-to-site VPN connection?

Answer 7

• Create Customer Gateway (on customer network)
• Internet-routable IP address (static) of the customer gateway’s external interface.
• Virtual Private Gateway

Question 8

How to create private access (not traversing public internet) to DynamoDB

Answer 8

Create a Gateway Endpoint and associate endpoint with correct route table

Question 9

What AWS Services support Gateway Enpoints

Answer 9

DynamoDB
S3

Question 10

Can you create an IPV6 subnet?

Answer 10

Yes and No

All subnets are IPv4 on creation, so would have to create an IPv4 subnet and then you can optionally assign IPv6 block to VPC and subnets

Question 11

What is a bias in Route 53 geoproximity routing?

Answer 11

A bias expands or shrinks the size of the geographic region from which traffic is routed to a resource.

Question 12

Max number of EFA you can attach to an instance

Answer 12

1

Question 13

Does Direct Connect support VPC Peering Connection?

Answer 13

FALSE

Question 14

When using VPC Peering, how can you connect each VPC to your local data center?

Answer 14

You have to attach your AWS VPN to each of the VPC’s individually

Question 15

What resources can be connected to a Transit Gateway?

Answer 15

1+ VPC
1+ VPN connections
1+ Direct Connection gateways
1+ transit peering connections

Note if you have VPCs in different regions, you will need to create a Transit Gateway in each region and connect the Transit Gateways with transit peering connections.

Question 16

If you need to upgrade the EC2 instance type (EC2 launched with Launch Configuration and connected to Autoscaling group) what steps can you do to change instance type easily?

Answer 16

Update New Launch Configuration with new instance type

Update Autoscaling group

Question 17

Can Launch Configurations be changed after creation?

Answer 17

No

Question 18

Should you use Launch Configuration or Launch template if you need versioning?

Answer 18

Launch Template

Question 19

How to allow a private subnet to access the internet?

Answer 19

Create a NAT Gateway in a public subnet

Add Route to it in the private subnet