Networking

Question 1

when creating a NAT instnace, disable source/destination check on the instance

• NAT instance must be in public subnet
• There must be a route out fo teh private subnet to the NAT instance, in order for this to work
• the amount of traffic that NAT instances can support depends on the instance size. if you are bottlenecking, increase the instance size.

Answer 1

t

Question 2

NAT Gateway

• preferred by the enterprise
• scale automatically up to 10Gbps
• no need to patch
• not associated with security groups
• automatically assigned a public ip address
• remember to update your route tables
• no need to disable source/destination checks
• more secure than a NAT instance

Answer 2

t

Question 3

your VPC automatically comes a default network ACL, and by default it allows all outbound and inbound traffic

Answer 3

T

Question 4

you can create custom network ACLs. by default, each custom network ACL denies all inbounc and outbound traffic until you add rules

Answer 4

T

Question 5

each subnet in your VPC must be associated with a network ACL. if you don’t explicitly associate a subnet with a network ACL the subnet is automatically associated with teh default network ACL.

Answer 5

T

Question 6

you can associate a network ACL with multiple subnets, however, a subnet can be assocaited with only one network ACL at a time. when you associae a network ACL with a subnet, the previous association is removed.

Answer 6

T

Question 7

Network ACLs contain a numbered list fo rules that is evaluated in order, starting with teh lowest numbered rule.

Answer 7

T

Question 8

network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic

Answer 8

T

Question 9

Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic.

Answer 9

t

Question 10

block IP addresses using ACLs not security groups

Answer 10

T

Question 11

VPC flow logs can be created at what 3 levels?

Answer 11

VPC

subnet

network interface level

Question 12

you cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account

Answer 12

T

Question 13

you cannot tag a flow log

Answer 13

T

Question 14

after you’ve created a flow log, you cannot change its configuration; for example, you can’t associate a different IAM role with teh flow log

Answer 14

T

Question 15

traffic generated by instances when they contact AWS DNS server. if you use your own DNS server, then all traffic to that DNS server is logged

Answer 15

T

Question 16

not monitored by vpc flow logs:

traffic generated by a windows instance for aws license activation

• traffic to and from 169.254.169.254 for instance metadata
• dhcp traffic
• traffic t the esrverd IP address for the default router

Answer 16

T

Question 17

start of authority (soa)

teh soa record stores info about:

the name of the server that supplied the data for the zone.

the administrator of the zone

the current version of the data file

the default number of seconds for the TTL file on resource records.

Answer 17

T

Question 18

NS records

ns stands for name server records. they are used by toop level domoain servers to direrct traffic to the content DNS server which contains the authoritative DNS records.

Answer 18

T

Question 19

alias records are use to map resource record sets in your hosted zone to elb, cf, s3 buckets taht are configured as websites.

they work like cnames. one dns name to another.

key difference -cname can’t be used for naked domain names.

can’t have cname for http://acloud.guru, that would have to be A creod or alias

Answer 19

T

Question 20

given choice, always use an alias over a cname

Answer 20

T

Question 21

each zone contains a single SOA record

Answer 21

T