Networking Flashcards
when creating a NAT instance, disable source/destination check on the instance
- NAT instance must be in public subnet
- There must be a route out of the private subnet to the NAT instance, in order for this to work
- the amount of traffic that NAT instances can support depends on the instance size. if you are bottlenecked, increase the instance size.
T
NAT Gateway
- preferred by the enterprise
- scale automatically up to 10Gbps
- no need to patch
- not associated with security groups
- automatically assigned a public ip address
- remember to update your route tables
- no need to disable source/destination checks
- more secure than a NAT instance
T
your VPC automatically comes with a default network ACL, and by default it allows all outbound and inbound traffic
T
you can create custom network ACLs. by default, each custom network ACL denies all inbound and outbound traffic until you add rules
T
each subnet in your VPC must be associated with a network ACL. if you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
T
you can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. when you associate a network ACL with a subnet, the previous association is removed.
T
Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.
T
network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic
T
Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic.
T
block IP addresses using ACLs not security groups
T
VPC flow logs can be created at what 3 levels?
VPC
subnet
network interface level
you cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account
T
you cannot tag a flow log
T
after you’ve created a flow log, you cannot change its configuration; for example, you can’t associate a different IAM role with the flow log
T
traffic generated by instances when they contact the AWS DNS server. if you use your own DNS server, then all traffic to that DNS server is logged
T