Networking

Question 1

Is a security group stateful or stateless - what does this mean?

Answer 1

Security groups are stateful. This means that opening a port in one direction automatically opens it in the other.

Question 2

Can a VPC span AZ’s?

Answer 2

Yes - but a subnet can’t

Question 3

If your VPC has multiple CIDR’s, can a subnet have IP’s derived from those?

Answer 3

Yes, if the CIDR has a primary and secondary CIDR then the subnet can have IP’s derived from both.

Question 4

How many elastic IP’s can you have per account?

Answer 4

5 by default but can be increased if required.

Question 5

What happens to an EC2 Instances Public IP on RESTART

Answer 5

It will most likely change as its not static.

Question 6

If you need to manually assign IP’s to instances - what 3 things will restrict you?

Answer 6

1. The IP must be in the CIDR range specified in the Subnet
2. The IP must not be a reserved AWS IP (first 4, last 1)
3. Can’t be assigned to anything else in the subnet.

Question 7

If you create a subnet and DON’T associate it with a route table, what is associated with that subnet automatically?

Answer 7

If you don’t associate a route table, the main route table for the VPC is associated automatically.

Question 8

What two AWS services require a VPC Endpoint GATEWAY as opposed to an Endpoint INTERFACE?

Answer 8

S3 and Dynamo DB require an Endpoint Gateway.

Question 9

How many VPC’s can you create per account?

Answer 9

The default is five, but this can be increased to hundreds if required

Question 10

Can you change the size of an IPv6 address range?

Answer 10

No

Question 11

Can you peer a VPC across Regions and or Accounts? Can a peered VPC reference a security group from its peer?

Answer 11

Yes to all. If you are referencing a security group across a peer in another account you must specify that account in the reference - i.e SG123/Account

Question 12

Can a subnet span multiple AZ’s?

Answer 12

No, subnets are locked to a region

Question 13

Which AWS components can an AWS WAF be deployed on?

Answer 13

ALB, Cloudfront, API Gateway

Question 14

Is inter-region peered VPC traffic encrypted?

Answer 14

Yes, with key management handled by AWS

Question 15

How many instances at a time can an EIP be attached to?

Answer 15

Only one

Question 16

Is a bastion host typically a small or large sized instance?

Answer 16

Small

Question 17

Can an EC2 instance IN a VPC communicate to an EC2 instance which is not in a VPC?

Answer 17

Yes, in a round about way. If the VPC has an internet gateway communication can traverse via that. If the VPC has a VPN or Direct Connect to a customers data centre with an egress route to the internet traffic can route through that

Question 18

What is the maximum and minimum CIDR block sizes in AWS?

Answer 18

/16 is the maximum, /28 is the minimum

Question 19

Do you need an internet gateway for a site to site VPN - I.e. from a VPC to a customer on prem network?

Answer 19

No. You dont need an internet gateway. This connection will be handled by a virtual private gateway on the AWS side and the customer gateway on the on prem side. The customer gateway must have a static IP.

Question 20

Can you use IPv6 for inter-region peering

Answer 20

No, not for inter region peering.

Question 21

Is a local route mandatory for a route table?

Answer 21

Yes. It is the only mandatory route in a route table

Question 22

Can you use an EIP to mask a failure of an instance or application?

Answer 22

Yes, but not recommended as its a bad design pattern. If the instance or application fails you can remap the EIP to another working instance. You are better to use a ELB with health checks or use a random public IP and assign a DNS to it.

Question 23

If we have 2 EC2 instances communicating with each other using their public IP addresses does this traffic traverse the public web if the instances are in the same region?

Answer 23

No. Traffic between instances in the same region stays within the AWS network.

Question 24

A customer gateway must have a static, internet routable IP when setting up a site to site VPN. What do you need if the customers gateway is behind a NAT?

Answer 24

The public IP of the NAT will need to be used.

Question 25

What is an egress only internet gateway? Why would you use one?

Answer 25

You use an egress only IGW to provide similar functionality as a NAT - but for IPv6 ONLY. All IPv6 IP’s are public IP’s in AWS.

Question 26

What is the minimum and maximum sizes of an IPv4 CIDR range within a VPC?

Answer 26

The minimum is /28. The maximum is limited by the size of the VPC that they are in. The max range for a VPC is /16 so a subnet cannot go over that

Question 27

How do security groups evaluate Allow/Deny rules vs. a NACL?

Answer 27

A security group evaluates all rules before allowing/denying. A NACL evaluates rules individually and in numeric order with lower numbers having precedent.

Question 28

For an AWS Virtual Private Gateway, how many tunnels are created to the user gateway

Answer 28

2 for increased reliability

Question 29

There are 3 types of peering architectures for a VPC. What are they?

Answer 29

Flying V, Hub and Spoke, Mesh

Question 30

Can you change the size of an IPv6 subnet? How many IPv6 CIDRs can be allocated to an IPv6 subnet?

Answer 30

No you can’t change the size and you can only have ONE IPv6 CIDR per IPv6 subnet.

Question 31

What IP’s are reserved in AWS when it comes to provisioning a subnet

Answer 31

the first 4 and the last one. Make sure to take this into account when provisioning a subnet as there will always be 5 IP’s less than that in the CIDR.

Question 32

You are using Direct connect gateway to connect a data center to multiple VPC’s. Does this require a VPC peering connection (i.e. can VPC A access VPC B via the GW) AND can the VPC’s have over lapping CIDRs?

Answer 32

No to both. Direct connect does not form a peering relationship between VPC’s and CIDR’s must not overlap

Question 33

How many IGW’s can you have per VPC

Answer 33

One

Question 34

If you make a change to a security group assigned to an instance in a subnet, does this apply to traffic to that instance or to all instances in the subnet?

Answer 34

Only to that Instance. However, changes to a NACL will effect traffic to all instances in the subnet.

Question 35

When an instance with an automatically assigned public IP sends a packet to another instances EIP, what source address does the destination instance see?

Answer 35

The destination will see the sources public IP

Question 36

When can you assign a primary private IP to an EC2 instance? Can an instance have more than 1 IP and if so when can these be assigned?

Answer 36

You can assign a primary IP at launch or on ENI creation. An Ec2 instance can have multiple SECONDARY IP’s which can be assigned at any time.

Question 37

Can you peer VPC’s in the same region via IPv6?

Answer 37

You can, but it is not automatic. You need to assign IPv6 CIDR’s with each VPC and add IPv6 routes to the route tables.

Question 38

Is VPC traffic between peered VPC’s in the same region encrypted?

Answer 38

No, but it is private as it does not leave the AWS network.

Question 39

When peering 2 VPC’s - such as VPC A and VPC B do route tables in both need to be updated

Answer 39

Yes. If this is not done instances will not be able to communicate with each other.

Question 40

can you use an IPV4 public address in a vpc and have them accessible over the public web

Answer 40

Yes in a round about way. You statically assign them to a subnet and instances. Typically this would be for VPCs connecting to an on premise network. Traffic would be routed via direct connect or a vpn and addresses advertised from an on premise infrastructure to the web. (from AWS FAQ)

Question 41

Can a VPC span multiple AZ’s? Can a subnet?

Answer 41

A VPC can, but a subnet can’t as it is locked to an AZ

Question 42

How many security groups can be assigned to an ENI?

Answer 42

Multiple SG’s can be assigned to an ENI, but an ENI must have at least ONE. A security group can also be assigned to multiple ENI’s.

Question 43

Can an instance have more than one EIP within a subnet? If so, where will these be accessible from and how would you provision multiple EIP’s to the instance?

Answer 43

Yes you can. These will be accessible from the web. Each EIP will need to be assigned to a unique private IP on the instance.

Question 44

What are the 3 ways an Ec2 instance can communicate with an S3 bucket? which is preferred?

Answer 44

The recommended way is via a VPC endpoint for S3. Alternately, we can connect through an IGW over the web or via a Direct Connect/VPN connection to a client data centre with internet access

Question 45

Can you use an AMI or an EBS Snapshot within a VPC?

Answer 45

Yes. Provided it is from the same region as the VPC

Question 46

What IP does an EC2 instance have by default when created in the default VPC?

Answer 46

A public and a private. In this case, the public IP is provided as there is a route to the internet in the default VPC.

Question 47

If you disassociate an EIP with a running instance, what happens to any open connections on that instance?

Answer 47

They will continue to remain open and work for a time.

Question 48

If I have a VPC with a CIDR of 172.16.0.0/16 and I want to add a secondary CIDR, can I use 192.168.0.0/16 or 172.17.0.0/16? Why, Why not?

Answer 48

Secondary CIDR’s must not overlap the primary CIDR and must also come from the same range. So we can use 172.17.0.0/16 as this comes from the same range but does not overlap the primary, but we cannot use 192.168.0.0/16 as this does not come from the same range

Question 49

What is the calculation to determine the number of addresses in an AWS subnet CIDR?

Answer 49

(2^(32-CIDR Range))-5

Question 50

Does an NLB support weighted policies?

Answer 50

No.