Networking Flashcards
Is a security group stateful or stateless - what does this mean?
Security groups are stateful. This means that opening a port in one direction automatically opens it in the other.
Can a VPC span AZs?
Yes, but a subnet can’t.
If your VPC has multiple CIDRs, can a subnet have IPs derived from those?
Yes, if the VPC has a primary and a secondary CIDR then the subnet can have IPs derived from both.
How many elastic IPs can you have per account?
5 by default but can be increased if required.
What happens to an EC2 instance’s public IP on RESTART?
It will most likely change as it’s not static.
If you need to manually assign IPs to instances, what 3 things will restrict you?
- The IP must be in the CIDR range specified in the Subnet
- The IP must not be a reserved AWS IP (first 4, last 1)
- Can’t be assigned to anything else in the subnet.
If you create a subnet and DON’T associate it with a route table, what is associated with that subnet automatically?
If you don’t associate a route table, the main route table for the VPC is associated automatically.
What two AWS services require a VPC Endpoint GATEWAY as opposed to an Endpoint INTERFACE?
S3 and DynamoDB require an Endpoint Gateway.
How many VPCs can you create per account?
The default is five, but this can be increased to hundreds if required
Can you change the size of an IPv6 address range?
No
Can you peer a VPC across Regions and/or Accounts? Can a peered VPC reference a security group from its peer?
Yes to all. If you are referencing a security group across a peer in another account you must specify that account in the reference, i.e. SG123/Account.
Can a subnet span multiple AZs?
No, subnets are locked to a region.
Which AWS components can an AWS WAF be deployed on?
ALB, CloudFront, API Gateway
Is inter-region peered VPC traffic encrypted?
Yes, with key management handled by AWS
How many instances at a time can an EIP be attached to?
Only one
Is a bastion host typically a small or large sized instance?
Small
Can an EC2 instance IN a VPC communicate with an EC2 instance which is not in a VPC?
Yes, in a roundabout way. If the VPC has an internet gateway, communication can traverse via that. If the VPC has a VPN or Direct Connect to a customer’s data centre with an egress route to the internet, traffic can route through that.
What are the maximum and minimum CIDR block sizes in AWS?
/16 is the maximum, /28 is the minimum
Do you need an internet gateway for a site-to-site VPN, i.e. from a VPC to a customer on-prem network?
No. You don’t need an internet gateway. This connection will be handled by a virtual private gateway on the AWS side and the customer gateway on the on-prem side. The customer gateway must have a static IP.
Can you use IPv6 for inter-region peering?
No, not for inter-region peering.
Is a local route mandatory for a route table?
Yes. It is the only mandatory route in a route table
Can you use an EIP to mask a failure of an instance or application?
Yes, but not recommended as it’s a bad design pattern. If the instance or application fails you can remap the EIP to another working instance. You are better off using an ELB with health checks, or using a random public IP and assigning a DNS name to it.
If we have 2 EC2 instances communicating with each other using their public IP addresses, does this traffic traverse the public web if the instances are in the same region?
No. Traffic between instances in the same region stays within the AWS network.
A customer gateway must have a static, internet-routable IP when setting up a site-to-site VPN. What do you need if the customer’s gateway is behind a NAT?
The public IP of the NAT will need to be used.
What is an egress-only internet gateway? Why would you use one?
You use an egress-only IGW to provide similar functionality as a NAT, but for IPv6 ONLY. All IPv6 IPs are public IPs in AWS.
What are the minimum and maximum sizes of an IPv4 CIDR range within a VPC?
The minimum is /28. The maximum is limited by the size of the VPC that they are in. The max range for a VPC is /16 so a subnet cannot go over that.
How do security groups evaluate Allow/Deny rules vs. a NACL?
A security group evaluates all rules before allowing/denying. A NACL evaluates rules individually and in numeric order with lower numbers having precedence.
For an AWS Virtual Private Gateway, how many tunnels are created to the user gateway?
2 for increased reliability
There are 3 types of peering architectures for a VPC. What are they?
Flying V, Hub and Spoke, Mesh
Can you change the size of an IPv6 subnet? How many IPv6 CIDRs can be allocated to an IPv6 subnet?
No, you can’t change the size and you can only have ONE IPv6 CIDR per IPv6 subnet.
What IPs are reserved in AWS when it comes to provisioning a subnet?
The first 4 and the last one. Make sure to take this into account when provisioning a subnet as there will always be 5 fewer IPs than the CIDR provides.
You are using a Direct Connect gateway to connect a data center to multiple VPCs. Does this require a VPC peering connection (i.e. can VPC A access VPC B via the GW) AND can the VPCs have overlapping CIDRs?
No to both. Direct Connect does not form a peering relationship between VPCs and CIDRs must not overlap.
How many IGWs can you have per VPC?
One
If you make a change to a security group assigned to an instance in a subnet, does this apply to traffic to that instance or to all instances in the subnet?
Only to that instance. However, changes to a NACL will affect traffic to all instances in the subnet.
When an instance with an automatically assigned public IP sends a packet to another instance’s EIP, what source address does the destination instance see?
The destination will see the source’s public IP.
When can you assign a primary private IP to an EC2 instance? Can an instance have more than 1 IP and if so when can these be assigned?
You can assign a primary IP at launch or on ENI creation. An EC2 instance can have multiple SECONDARY IPs which can be assigned at any time.
Can you peer VPCs in the same region via IPv6?
You can, but it is not automatic. You need to assign IPv6 CIDRs to each VPC and add IPv6 routes to the route tables.
Is VPC traffic between peered VPCs in the same region encrypted?
No, but it is private as it does not leave the AWS network.
When peering 2 VPCs, such as VPC A and VPC B, do route tables in both need to be updated?
Yes. If this is not done, instances will not be able to communicate with each other.
Can you use an IPv4 public address in a VPC and have it accessible over the public web?
Yes, in a roundabout way. You statically assign them to a subnet and instances. Typically this would be for VPCs connecting to an on-premises network. Traffic would be routed via Direct Connect or a VPN and addresses advertised from an on-premises infrastructure to the web. (from AWS FAQ)
Can a VPC span multiple AZs? Can a subnet?
A VPC can, but a subnet can’t as it is locked to an AZ.
How many security groups can be assigned to an ENI?
Multiple SGs can be assigned to an ENI, but an ENI must have at least ONE. A security group can also be assigned to multiple ENIs.
Can an instance have more than one EIP within a subnet? If so, where will these be accessible from and how would you provision multiple EIPs to the instance?
Yes you can. These will be accessible from the web. Each EIP will need to be assigned to a unique private IP on the instance.
What are the 3 ways an EC2 instance can communicate with an S3 bucket? Which is preferred?
The recommended way is via a VPC endpoint for S3. Alternatively, we can connect through an IGW over the web or via a Direct Connect/VPN connection to a client data centre with internet access.
Can you use an AMI or an EBS Snapshot within a VPC?
Yes, provided it is from the same region as the VPC.
What IP does an EC2 instance have by default when created in the default VPC?
A public and a private. In this case, the public IP is provided as there is a route to the internet in the default VPC.
If you disassociate an EIP from a running instance, what happens to any open connections on that instance?
They will continue to remain open and work for a time.
If I have a VPC with a CIDR of 172.16.0.0/16 and I want to add a secondary CIDR, can I use 192.168.0.0/16 or 172.17.0.0/16? Why or why not?
Secondary CIDRs must not overlap the primary CIDR and must also come from the same range. So we can use 172.17.0.0/16 as this comes from the same range but does not overlap the primary, but we cannot use 192.168.0.0/16 as this does not come from the same range.
What is the calculation to determine the number of addresses in an AWS subnet CIDR?
(2^(32-CIDR Range))-5
Does an NLB support weighted policies?
No.