Networking and VPC Flashcards
Main difference between Transit Gateway and VPC peering?
Both can be used to peer multiple VPCs. Transit Gateway is transitive, while VPC peering isn’t.
Transit Gateway can also be shared cross-account with Resource Access Manager
What are VPC endpoint useful for?
Access AWS resources from a VPC using a private network instead of internet
How many IPs are reserved from each subnet in a VPC?
5 IPs, first 4 and last 1 of the IP range specified for the subnet
You need to take this into account to specify the correct IP range size to provide your instances with enough IPs
What is Internet Gateway?
It allows resources in a VPC to connect to the internet
It’s highly available, and needs Route Tables for internet access
A VPC can only be attached to one IGW and vice versa
What is Bastion Host?
It’s an EC2 instance located in a public subnet, that allows you to SSH into your EC2 instances in private subnets
What’s the disadvantage of using a NAT Instance?
You have to manage the EC2 instance, so launching EC2 with a NAT AMI. It’s not resilient and not HA (unless you create multiple instances by yourself)
You have to manage the security groups, so allow traffic from private subnets and allow traffic to the internet
You have to disable Source/Destination Check on the EC2 instance
What’s the advantage of NAT Gateway?
Highly available, higher bandwith (5 Gbps scaling up to 45 Gbps automatically)
No security groups to manage
Can I use a NAT Gateway from an EC2 Instance deployed in the same subnet?
No
What’s the difference between NACL and Security Groups?
NACLs are stateless, security groups are stateful
If there is an incoming request, NACLs will evaluate the rule on both inbound and outbound, while security groups will evaluate only inbound and allow outbound by default. Viceversa for outgoing requests
How are NACLs set by default?
NACLs are set for each subnet and their default rules allow all IPs for inbound and outbound
What’s VPC peering?
You can privately connect two VPCs, even if they are from different accounts or are in different regions
You must update route tables in each VPC subnets to ensure the EC2 instances can communicate with each other
Which service supports equal cost multi-path (ECMP)?
Transit Gateway
You can route into the Transit Gateway through multiple VPN tunnels, therefore enhancing the connectivity to be over the default limit of 1.25 Gbps
You must enable dynamic routing option on Transit Gateway to take advantage of it
What’s the connection speed of Direct Connect?
Dedicated Connections: 1 Gbps, 10 Gbps or 100 Gbps
Hosted Connections: 50 Mbps, 500 Mbps, to 10 Gbps
What is Direct Connect Gateway?
It allows to use a single Direct Connect to connect into multiple VPCs in different regions
What’s the allowed CIDR block size in a VPC?
Between /16 and /28
