Networking Flashcards

1
Q

Is a security group stateful or stateless - what does this mean?

A

Security groups are stateful. This means that opening a port in one direction automatically opens it in the other.

2
Q

Can a VPC span AZs?

A

Yes, but a subnet can't.

3
Q

If your VPC has multiple CIDRs, can a subnet have IPs derived from those?

A

Yes, if the VPC has a primary and a secondary CIDR, the subnet can have IPs derived from both.

4
Q

How many Elastic IPs can you have per account?

A

5 by default but can be increased if required.

5
Q

What happens to an EC2 instance's public IP on RESTART?

A

It will most likely change, as it's not static.

6
Q

If you need to manually assign IPs to instances, what 3 things will restrict you?

A

  1. The IP must be in the CIDR range specified in the subnet.
  2. The IP must not be a reserved AWS IP (first 4, last 1).
  3. It can't be assigned to anything else in the subnet.

7
Q

If you create a subnet and DON’T associate it with a route table, what is associated with that subnet automatically?

A

If you don’t associate a route table, the main route table for the VPC is associated automatically.

8
Q

What two AWS services require a VPC Endpoint GATEWAY as opposed to an Endpoint INTERFACE?

A

S3 and DynamoDB require an Endpoint Gateway.

9
Q

How many VPCs can you create per account?

A

The default is five, but this can be increased to hundreds if required.

10
Q

Can you change the size of an IPv6 address range?

A

No

11
Q

Can you peer a VPC across Regions and/or Accounts? Can a peered VPC reference a security group from its peer?

A

Yes to all. If you are referencing a security group across a peer in another account, you must specify that account in the reference, i.e. SG123/Account.

12
Q

Can a subnet span multiple AZs?

A

No, subnets are locked to a region.

13
Q

Which AWS components can an AWS WAF be deployed on?

A

ALB, CloudFront, API Gateway

14
Q

Is inter-region peered VPC traffic encrypted?

A

Yes, with key management handled by AWS.

15
Q

How many instances at a time can an EIP be attached to?

A

Only one

16
Q

Is a bastion host typically a small or large sized instance?

A

Small

17
Q

Can an EC2 instance IN a VPC communicate with an EC2 instance which is not in a VPC?

A

Yes, in a roundabout way. If the VPC has an internet gateway, communication can traverse via that. If the VPC has a VPN or Direct Connect to a customer's data centre with an egress route to the internet, traffic can route through that.

18
Q

What are the maximum and minimum CIDR block sizes in AWS?

A

/16 is the maximum, /28 is the minimum.

19
Q

Do you need an internet gateway for a site-to-site VPN, i.e. from a VPC to a customer's on-prem network?

A

No. You don't need an internet gateway. This connection will be handled by a virtual private gateway on the AWS side and the customer gateway on the on-prem side. The customer gateway must have a static IP.

20
Q

Can you use IPv6 for inter-region peering?

A

No, not for inter-region peering.

21
Q

Is a local route mandatory for a route table?

A

Yes. It is the only mandatory route in a route table.

22
Q

Can you use an EIP to mask a failure of an instance or application?

A

Yes, but it is not recommended as it's a bad design pattern. If the instance or application fails, you can remap the EIP to another working instance. You are better off using an ELB with health checks, or using a random public IP and assigning a DNS name to it.

23
Q

If we have 2 EC2 instances communicating with each other using their public IP addresses, does this traffic traverse the public web if the instances are in the same region?

A

No. Traffic between instances in the same region stays within the AWS network.

24
Q

A customer gateway must have a static, internet-routable IP when setting up a site-to-site VPN. What do you need if the customer's gateway is behind a NAT?

A

The public IP of the NAT will need to be used.

25
Q

What is an egress-only internet gateway? Why would you use one?

A

You use an egress-only IGW to provide similar functionality to a NAT, but for IPv6 ONLY. All IPv6 IPs are public IPs in AWS.

26
Q

What are the minimum and maximum sizes of an IPv4 CIDR range within a VPC?

A

The minimum is /28. The maximum is limited by the size of the VPC that they are in. The max range for a VPC is /16, so a subnet cannot go over that.

27
Q

How do security groups evaluate Allow/Deny rules vs. a NACL?

A

A security group evaluates all rules before allowing/denying. A NACL evaluates rules individually and in numeric order, with lower numbers having precedence.

28
Q

For an AWS Virtual Private Gateway, how many tunnels are created to the user gateway?

A

2, for increased reliability.

29
Q

There are 3 types of peering architectures for a VPC. What are they?

A

Flying V, Hub and Spoke, Mesh

30
Q

Can you change the size of an IPv6 subnet? How many IPv6 CIDRs can be allocated to an IPv6 subnet?

A

No, you can't change the size, and you can only have ONE IPv6 CIDR per IPv6 subnet.

31
Q

What IPs are reserved in AWS when it comes to provisioning a subnet?

A

The first 4 and the last one. Make sure to take this into account when provisioning a subnet, as there will always be 5 fewer usable IPs than the CIDR provides.

32
Q

You are using a Direct Connect gateway to connect a data center to multiple VPCs. Does this require a VPC peering connection (i.e. can VPC A access VPC B via the GW) AND can the VPCs have overlapping CIDRs?

A

No to both. Direct Connect does not form a peering relationship between VPCs, and CIDRs must not overlap.

33
Q

How many IGWs can you have per VPC?

A

One

34
Q

If you make a change to a security group assigned to an instance in a subnet, does this apply to traffic to that instance or to all instances in the subnet?

A

Only to that instance. However, changes to a NACL will affect traffic to all instances in the subnet.

35
Q

When an instance with an automatically assigned public IP sends a packet to another instance's EIP, what source address does the destination instance see?

A

The destination will see the source's public IP.

36
Q

When can you assign a primary private IP to an EC2 instance? Can an instance have more than 1 IP and if so when can these be assigned?

A

You can assign a primary IP at launch or on ENI creation. An EC2 instance can have multiple SECONDARY IPs, which can be assigned at any time.

37
Q

Can you peer VPCs in the same region via IPv6?

A

You can, but it is not automatic. You need to assign IPv6 CIDRs to each VPC and add IPv6 routes to the route tables.

38
Q

Is VPC traffic between peered VPCs in the same region encrypted?

A

No, but it is private as it does not leave the AWS network.

39
Q

When peering 2 VPCs, such as VPC A and VPC B, do the route tables in both need to be updated?

A

Yes. If this is not done instances will not be able to communicate with each other.

40
Q

Can you use IPv4 public addresses in a VPC and have them accessible over the public web?

A

Yes, in a roundabout way. You statically assign them to a subnet and instances. Typically this would be for VPCs connecting to an on-premises network. Traffic would be routed via Direct Connect or a VPN, and the addresses advertised from the on-premises infrastructure to the web. (from AWS FAQ)

41
Q

Can a VPC span multiple AZs? Can a subnet?

A

A VPC can, but a subnet can't, as it is locked to an AZ.

42
Q

How many security groups can be assigned to an ENI?

A

Multiple SGs can be assigned to an ENI, but an ENI must have at least ONE. A security group can also be assigned to multiple ENIs.

43
Q

Can an instance have more than one EIP within a subnet? If so, where will these be accessible from, and how would you provision multiple EIPs to the instance?

A

Yes, you can. These will be accessible from the web. Each EIP will need to be assigned to a unique private IP on the instance.

44
Q

What are the 3 ways an EC2 instance can communicate with an S3 bucket? Which is preferred?

A

The recommended way is via a VPC endpoint for S3. Alternatively, we can connect through an IGW over the web, or via a Direct Connect/VPN connection to a client data centre with internet access.

45
Q

Can you use an AMI or an EBS Snapshot within a VPC?

A

Yes, provided it is from the same region as the VPC.

46
Q

What IP does an EC2 instance have by default when created in the default VPC?

A

A public and a private. In this case, the public IP is provided as there is a route to the internet in the default VPC.

47
Q

If you disassociate an EIP from a running instance, what happens to any open connections on that instance?

A

They will continue to remain open and work for a time.

48
Q

If I have a VPC with a CIDR of 172.16.0.0/16 and I want to add a secondary CIDR, can I use 192.168.0.0/16 or 172.17.0.0/16? Why or why not?

A

Secondary CIDRs must not overlap the primary CIDR and must also come from the same range. So we can use 172.17.0.0/16, as this comes from the same range but does not overlap the primary, but we cannot use 192.168.0.0/16, as this does not come from the same range.

49
Q

What is the calculation to determine the number of addresses in an AWS subnet CIDR?

A

(2^(32 - CIDR prefix length)) - 5

50
Q

Does an NLB support weighted policies?

A

No.