Networking Flashcards
Is a security group stateful or stateless, and what does this mean?
Security groups are stateful: when a packet is allowed in one direction, the return traffic for that connection is allowed automatically, whatever the rules in the other direction say. It does not mean the port is "opened" both ways; a new connection initiated in the opposite direction still needs its own rule. Network ACLs, by contrast, are stateless and need explicit rules for return traffic (typically the ephemeral port range).
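As an added illustration (not part of the original flashcards), the following Python models the difference between a stateful security group and a stateless network ACL over a small constructed packet exchange. The Rule and Packet shapes, the flow table and the function names are my own simplification rather than anything from the AWS API; real security groups also carry a default allow-all outbound rule, which this model leaves out so the stateful behaviour is visible on its own.

```python
"""Stateful (security group) vs stateless (network ACL) filtering, modelled.

Added example; a simplified model, not AWS's implementation or API.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" or "outbound"
    proto: str          # "tcp" / "udp"
    port_lo: int        # destination port range the rule allows
    port_hi: int
    cidr: str           # remote address range the rule allows


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches a packet travelling in its direction whose remote
    endpoint is inside the rule's CIDR and whose destination port is in range."""
    if rule.direction != pkt.direction or rule.proto != pkt.proto:
        return False
    remote_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    in_range = rule.port_lo <= pkt.dst_port <= rule.port_hi
    return in_range and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def flow_key(pkt: Packet) -> tuple:
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def reverse_key(pkt: Packet) -> tuple:
    return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


class SecurityGroup:
    """Stateful: a packet that a rule allows creates a tracked flow, and packets
    belonging to the reverse of a tracked flow pass without needing a rule."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def allow(self, pkt: Packet) -> bool:
        if reverse_key(pkt) in self.flows:
            return True                          # return traffic of an allowed connection
        if any(rule_matches(r, pkt) for r in self.rules):
            self.flows.add(flow_key(pkt))        # start tracking the connection
            return True
        return False


class NetworkAcl:
    """Stateless: every packet is judged on its own against the rules."""

    def __init__(self, rules):
        self.rules = list(rules)

    def allow(self, pkt: Packet) -> bool:
        return any(rule_matches(r, pkt) for r in self.rules)


def demo() -> dict:
    """Constructed exchange: an internet client talks to a web server in the VPC."""
    web_in = Rule("inbound", "tcp", 443, 443, "0.0.0.0/0")
    request = Packet("inbound", "tcp", "203.0.113.7", 51515, "10.0.1.10", 443)
    response = Packet("outbound", "tcp", "10.0.1.10", 443, "203.0.113.7", 51515)
    # A new connection *from* the instance to port 443 elsewhere is not return traffic.
    unsolicited = Packet("outbound", "tcp", "10.0.1.10", 40000, "203.0.113.7", 443)

    sg = SecurityGroup([web_in])                 # inbound 443 only, no outbound rule
    acl_bare = NetworkAcl([web_in])
    # A stateless filter needs the ephemeral port range opened for replies.
    acl_fixed = NetworkAcl([web_in, Rule("outbound", "tcp", 1024, 65535, "0.0.0.0/0")])

    return {
        "sg_request": sg.allow(request),
        "sg_response": sg.allow(response),                 # True: tracked flow
        "sg_unsolicited_outbound": sg.allow(unsolicited),  # False: needs its own rule
        "acl_request": acl_bare.allow(request),
        "acl_response": acl_bare.allow(response),          # False: no outbound rule
        "acl_response_with_ephemeral_rule": acl_fixed.allow(response),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:34} {'ALLOW' if ok else 'DENY'}")
```

The `sg_unsolicited_outbound` case is the one the card's original wording got wrong: the inbound 443 rule lets the server answer, but it does not let the instance open its own connection to port 443 elsewhere.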
Can a VPC span AZs?
Yes, but a subnet can't.
If your VPC has multiple CIDRs, can a subnet have IPs derived from those?
Yes. Subnets can be created from the primary CIDR block or from any secondary CIDR block, but each subnet's range must sit entirely inside one of them; a single subnet cannot straddle two blocks.
How many Elastic IPs can you have per account?
Five per Region by default; the quota can be increased on request.
What happens to an EC2 instance's public IP on RESTART?
On a plain reboot it is kept. On a stop/start the auto-assigned public IPv4 address is released and a new one assigned, because it is dynamic rather than static. Use an Elastic IP if the address must survive a stop/start.
If you need to manually assign IPs to instances, what 3 things will restrict you?
- The IP must be in the CIDR range of the subnet
- The IP must not be one of the addresses AWS reserves in every subnet (the first four and the last one, five in total)
- It can't already be assigned to anything else in the subnet
If you create a subnet and DON’T associate it with a route table, what is associated with that subnet automatically?
If you don’t associate a route table, the main route table for the VPC is associated automatically.
Which two AWS services use a VPC Endpoint GATEWAY as opposed to an Endpoint INTERFACE?
S3 and DynamoDB are the only services with gateway endpoints (S3 can also be reached through an interface endpoint). A gateway endpoint is a route-table target with no hourly charge; an interface endpoint is a PrivateLink ENI placed in your subnets.
How many VPCs can you create per account?
The default is five per Region, but this quota can be increased if required.
Can you change the size of an IPv6 address range?
No
Can you peer a VPC across Regions and/or accounts? Can a peered VPC reference a security group from its peer?
Yes, peering works across Regions and across accounts. A peer's security group can be referenced in a rule when the two VPCs are in the same Region, including across accounts; the reference is written as the account ID followed by the group ID, e.g. 123456789012/sg-1a2b3c4d (illustrative IDs). For cross-Region peering, reference the peer VPC's CIDR instead.
Can a subnet span multiple AZs?
No, a subnet lives in exactly one Availability Zone (the VPC itself spans all AZs in its Region).
Which AWS components can AWS WAF be deployed on?
Application Load Balancers, CloudFront distributions and API Gateway REST APIs; AWS AppSync GraphQL APIs, Amazon Cognito user pools, AWS App Runner services and AWS Verified Access instances are also supported.
Is inter-region peered VPC traffic encrypted?
Yes, with key management handled by AWS
How many instances at a time can an EIP be attached to?
Only one (strictly, one network interface at a time).
Is a bastion host typically a small or large sized instance?
Small
Can an EC2 instance IN a VPC communicate with an EC2 instance which is not in a VPC?
Yes, in a roundabout way, over the public internet. If the VPC has an internet gateway, traffic can go out through that. If the VPC has a VPN or Direct Connect to a customer's data centre with an egress route to the internet, traffic can route through that instead. (Instances outside a VPC were EC2-Classic, which AWS retired in August 2022.)
What are the maximum and minimum CIDR block sizes in AWS?
/16 is the largest (65,536 addresses) and /28 the smallest (16 addresses), for both VPC and subnet IPv4 CIDR blocks.
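Added example, not from the original flashcards: a small Python checker, standard library only, that applies the address rules from these cards to constructed values: the /16 to /28 bound on a VPC CIDR, the requirement that a subnet lie inside exactly one of the VPC's CIDR blocks (primary or secondary), and the three restrictions on a manually assigned IP (inside the subnet's CIDR, not one of the five AWS-reserved addresses, not already in use). The function names and the sample addresses are my own.

```python
"""Checks for VPC/subnet CIDRs and manually assigned IPs.

Added example; standard library only. Function names and sample values are constructed.
"""
import ipaddress
from typing import Dict, Iterable, Set

VPC_LARGEST_PREFIX = 16   # /16 is the largest block AWS allows
VPC_SMALLEST_PREFIX = 28  # /28 is the smallest


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Accept a VPC IPv4 CIDR only if it is a proper network between /16 and /28."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set, e.g. 10.0.1.5/24
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def parent_cidr(vpc_cidrs: Iterable[str], subnet_cidr: str) -> ipaddress.IPv4Network:
    """Return the one VPC CIDR block (primary or secondary) that contains the subnet.

    A subnet must sit entirely inside a single block; a range that straddles
    two blocks, or falls outside all of them, is rejected."""
    subnet = ipaddress.ip_network(subnet_cidr)
    parents = [blk for blk in map(ipaddress.ip_network, vpc_cidrs) if subnet.subnet_of(blk)]
    if len(parents) != 1:
        raise ValueError(f"{subnet_cidr} is not contained in exactly one VPC CIDR block")
    return parents[0]


def reserved_addresses(subnet_cidr: str) -> Dict[ipaddress.IPv4Address, str]:
    """The five addresses AWS reserves in every IPv4 subnet: the first four and the last."""
    net = ipaddress.ip_network(subnet_cidr)
    base = net.network_address
    return {
        base + 0: "network address",
        base + 1: "VPC router",
        base + 2: "DNS server (Route 53 Resolver)",
        base + 3: "reserved for future use",
        net.broadcast_address: "network broadcast address",
    }


def check_manual_ip(subnet_cidr: str, ip: str, in_use: Set[str]) -> str:
    """Apply the three restrictions on a manually assigned private IP.

    Returns "ok" or the reason the address cannot be used."""
    net = ipaddress.ip_network(subnet_cidr)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        return "not in subnet CIDR"
    reserved = reserved_addresses(subnet_cidr)
    if addr in reserved:
        return f"reserved by AWS ({reserved[addr]})"
    if ip in in_use:
        return "already assigned in this subnet"
    return "ok"


if __name__ == "__main__":
    # Constructed VPC with a primary and a secondary CIDR block.
    vpc_blocks = ["10.0.0.0/16", "172.16.0.0/20"]
    for blk in vpc_blocks:
        validate_vpc_cidr(blk)
    print("subnet 172.16.4.0/24 belongs to", parent_cidr(vpc_blocks, "172.16.4.0/24"))
    for candidate in ["10.0.1.10", "10.0.1.2", "10.0.1.255", "10.0.2.5"]:
        print(candidate, "->", check_manual_ip("10.0.1.0/24", candidate, {"10.0.1.20"}))
```

`strict=True` in `validate_vpc_cidr` is what catches the common mistake of pasting an instance address with a prefix length (10.0.1.5/24) where a network is expected.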
Do you need an internet gateway for a Site-to-Site VPN, i.e. from a VPC to a customer's on-prem network?
No, you don't need an internet gateway. The connection is terminated by a virtual private gateway (or a transit gateway) on the AWS side and a customer gateway device on the on-prem side. The customer gateway needs a static, publicly routable IP address.
Can you use IPv6 for inter-region peering?
No, not for inter region peering.