Networking

Question 1

What configuration needs to be done on a NAT instance for it to be able to do NAT?

Answer 1

Disable Source/Destination check on the instance.

Question 2

Where does the NAT instance need to be placed? In a private or public subnet?

Answer 2

NAT instances must be in a public subnet.

Question 3

What needs to be done on the private subnet for it to be able to use a NAT instance in the public subnet?

Answer 3

There must be a route out of the private subnet to the NAT instance.

Question 4

What depends on the amount of traffic that NAT instances can support?

Answer 4

It depends on the NAT instance size.

Question 5

How can high availability for the NAT instance be achieved?

Answer 5

You can create high availability using Auto Scaling groups, multiple subnets in different AZs, and a script to automate failover.

Question 6

What security consideration do I need to have with NAT instances?

Answer 6

The NAT instance must be behind a security group.

Question 7

What are the advantages of NAT Gateways over NAT instances?

Answer 7

• Scale automatically up to 10Gbps - No need to patch - Not associated with Security Groups - Automatically assigned a public IP address - No need to disable Source/Destination checks (do need to update the route tables of course) - More secure than NAT instances

Question 8

What is allowed/disallowed in the default network ACL of a VPC?

Answer 8

By default, it allows all outbound and inbound traffic

Question 9

Does a subnet need to be associated with an network ACL?

Answer 9

Yes. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

Question 10

Can a subnet be associated with multiple network ACLs?

Answer 10

No, only with one. When you associate a network ACL with a subnet, the previous association is removed.

Question 11

Can an ACL be associated with multiple subnets?

Answer 11

Yes

Question 12

How do the rules of a network ACL work?

Answer 12

Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.

Question 13

Are network ACLs stateful or stateless?

Answer 13

Stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.

Question 14

Can I block specific IP address with Security Groups or network ACLs?

Answer 14

Block IP addresses with network ACLs, not Security Groups.

Question 15

How many public subnets are needed to deploy an application load balancer?

Answer 15

At least 2

Question 16

Can I enable Flow Logs for VPCs peered with my VPC?

Answer 16

Only if the peered VPC is in my account.

Question 17

Can I tag Flow Logs?

Answer 17

No

Question 18

Can I change a VPC Flow Log configuration after its creation?

Answer 18

No (example: can’t associate a different IAM role)

Question 19

What traffic is not monitored in VPC Flow Logs?

Answer 19

The following traffic is not monitored. - Traffic from instances to Amazon DNS servers. - Traffic generated by a Windows instance for Windows license activation. - Traffic to and from 169.254.169.254 for instance metadata. - DHCP traffic. Traffic to reserved IP address for the default VPC router.

Question 20

How many Internet Gateways can I attach to my custom VPC?

Answer 20

1

Question 21

Are you permitted to conduct your own vulnerability scans on your VPC without contacting AWS first?

Answer 21

No

Question 22

Are network ACLs a layer of security for instances or subnets?

Answer 22

Security Groups act like a firewall at the instance level, whereas network ACLs are an additional layer of security that act at the subnet level.

Question 23

By default, how many VPCs am I allowed in each region?

Answer 23

5

Question 24

Can a subnet span multiple AZs?

Answer 24

No

Question 25

Which is a chief advantage of using VPC endpoints?

Answer 25

Traffic between your VPC and the other service foes not leave the Amazon network.

Question 26

What is created automatically when a VPC is created?

Answer 26

• Security Group - Network ACL - Route Table

Question 27

Which suffix offers the largest range of internal IP addresses? (/16, /20, /24, /28)

Answer 27

/16

Question 28

When peering VPCs, can I peer with VPCs in another account?

Answer 28

Yes

Question 29

By default, can new subnets in a custom VPC communicate with each other across AZs?

Answer 29

Yes

Question 30

How to allow an application in a custom VPC to communicate back to an on-premise data center?

Answer 30

Either: - Using a site-to-site VPN (requiring the VPC to have an Internet Gateway attached), or - Using Direct Connect The VPC in which the application sits, must be configured so that it does not have an IP address range that conflicts with that of the on-premise VLAN in which the back-end services sit.

Question 31

What is Customer Gateway?

Answer 31

An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.

Question 32

What is a Virtual Private Gateway?

Answer 32

An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection. A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance.

Question 33

Are these valid options to combine and configure to establish a successful site-to-site VPN connection from your on-premise network to an AWS VPC? - An on-premise Customer Gateway - A private subnet in your VPC - A Virtual Private Gateway - A VPC with hardware VPN access

Answer 33

Yes

Question 34

Which IPs in each subnet’s CIDR block are reserved by Amazon?

Answer 34

AWS reserve both the first four and the last IP addresses. First four: - 10.0.0.0: Network address. - 10.0.0.1: VPC router- - 10.0.0.2: DNS… - 10.0.0.3: Future use. Last: - 10.0.0.255: broadcast.

Question 35

Does the private IP address associated with an EC2 instance remains associated when the instance is stopped and restarted?

Answer 35

Yes. The private IP address remains associated with the network interface when the instance is stopped and restarted and is released when the instance is terminated.

Question 36

Does the public IP address associated with an EC2 instance remains associated when the instance is stopped and restarted?

Answer 36

No. We release the public IPv4 address and assign a new one when you restart it. The instance retains, however, its associated Elastic IP addresses (if any).

Question 37

At what levels can VPC Flow Logs be created?

Answer 37

• Network interface levels - Subnet - VPC

Question 38

Which component allows me to SSH or RDP into an EC2 instance located in a private subnet?

Answer 38

Bastion Host

Question 39

Can a subnet span AZ’s ?

Answer 39

No

Question 40

NAT gw characteristics?

Answer 40

Redundant inside AZ preferred by enterprise No patching Not associated with security groups automatically assigned a public IP No need to disable source and destination checks

Question 41

Can a NACL be associated with multiple subnets?

Answer 41

Yes, but a subnet can only be associated with one ACL

Question 42

Can you enable VPC flow logs for peered VPC’s?

Answer 42

Only if the the peered VPC is in your account

Question 43

Can you tag a flow log?

Answer 43

No

Question 44

Can you change a flow log configuration after its created?

Answer 44

No. You can associate a different IAM role

Question 45

What is not logged in VPC flow logs?

Answer 45

DNS traffic, windows licensing, and 169.254.169.254, DHCP, traffic to default VPC router

Question 46

What is direct connect?

Answer 46

connect your DC to AWS Useful for high throughput and need stable secure connection

Question 47

What can you use to connect your VPC to some AWS service privately without a gateway, NAT, VPN connection or AWS direct connection, without traffic leaving the AWS network?

Answer 47

VPC endpoint

Question 48

What are the two types of VPC end points?

Answer 48

Interface and Gateway

Question 49

What services do gateway endpoints support?

Answer 49

Amazon S3 DynamoDB

Question 50

Does Route53 require region selection?

Answer 50

No

Question 51

What is an A record?

Answer 51

Is the fundamental type of DNS record (A stands for Address). Translates a domain name to an its IP address.

Question 52

What is a CNAME record?

Answer 52

Canonical Name. It’s a record that can be used to resolve one domain name to another.

Question 53

What is an Alias record?

Answer 53

Alias Record are a record type created by Amazon for AWS, similar to CNAMEs, but with the difference

Question 54

How do you find the IP address for an ELB?

Answer 54

ELB’s do not have pre-defined IPv4 addresses, you resolve to them using a DNS name.

Question 55

Which one will be preferred “always”? A CNAME or an Alias record?

Answer 55

Always choose an Alias record over a CNAME

Question 56

How can you map a naked domain name (zone apex) to an ELB?

Answer 56

Using an Alias Record, which allows to resolve a naked domain name (a zone apex record) to an ELB DNS address.

Question 57

Are there charge differences between CNAMES and Alias record?

Answer 57

Yes. CNAMEs are charged, Alias records are free.

Question 58

What is the first step of using Route53?

Answer 58

Create a Hosted Zone

Question 59

What are the available routing policies in Route53?

Answer 59

Simple Weighted Latency Failover Geolocation

Question 60

How does the Weighted routing policy work?

Answer 60

Weighted Routing Policies let you split your traffic between regions based on different weights (traffic percentages) assigned (ex: 30% to US-EAST-1, 70% to US-WEST-1)

Question 61

How does the Latency routing policy work?

Answer 61

Latency based routing allows you to route your traffic based on the lowest network latency for your end user (i.e. which region will give them the fastest response time)

Question 62

How does the Failover routing policy work?

Answer 62

Failover routing policy are used when you want to create an active/passive set up (Route53 will monitor the health of the primary site using a health check)

Question 63

How does the Geolocation routing policy work?

Answer 63

Geolocation routing lets you choose where your traffic will be sent based on the geographic location of your users.

Question 64

Does Route53 supports MX records?

Answer 64

Yes (A, CNAME, MX, NS, SOA,…, AAAA, NAPTR, PTR, SPF, SRV and TXT)

Question 65

Why is Route53 named so?

Answer 65

The DNS port is 53

Question 66

Does Route53 support zone apex records? (naked domain names)

Answer 66

Yes

Question 67

Is there a limit in the number of domain names that you can manage using Route53?

Answer 67

There is a soft limit of 50 domain names, however this limit can be raised by contacting AWS support.

Question 68

How long can it take to register a domain?

Answer 68

up to 3 days

Question 69

How does a simple routing policy work?

Answer 69

one record with multiple IP’s. R53 will randomly return values

Question 70

Can you resolve an ELB by IP address?

Answer 70

No, it will always be a DNS name

Question 71

What happens if a record fails a health check?

Answer 71

record will be removed until it passes

Question 72

What is the maximum size of a VPC subnet?

Answer 72

/16

Question 73

What is the minimum size of a VPC subnet?

Answer 73

/28

Question 74

How many IP addresses does AWS reserve?

Question 75

What version of direct connect is used to connect VPC 2 VPC?

Answer 75

Direct connect gateway

Question 76

When should yuo select direct connect gateway?

Answer 76

When you need the reliability and security of direct connect to connect to another VPC in another region

Question 77

What HTTP status code should be returned for R53 to indicate healthy resources

Answer 77

2XX, 3XX