Networking - VPC Flashcards
What are the 3 common private IP ranges?
10.0.0.0
172.16.0.0
192.168.0.0
What is the maximum number of VPCs allowed per region?
5
How many different CIDRs can you have per VPC?
5
How many addresses does Amazon reserve in each subnet’s range?
5
What is the suffix for the IP address that is the broadcast address in a subnet?
.255
What does an internet gateway do?
Allows resources in a VPC to connect to the internet
What is a bastion host?
An EC2 instance in a public subnet that allows users to connect to private instances with SSH from a public place.
Normally allows connection access from the public CIDR of your organisation (NOT everyone)
What is a NAT instance?
A routing server that sends traffic from private EC2 instances onwards to the internet from a public subnet.
What are the downsides of a NAT instance?
It is not highly available and resilient out of the box
Have to manage the associated security groups and rules
What other service does a NAT gateway require to perform its function?
An internet gateway
What is a NAT gateway?
An AWS-managed NAT service that has high availability and bandwidth and requires no admin management out of the box
At what level do NACLs exist?
The subnet level
At what level do security groups exist?
The specific instance level
Which of NACLs and security groups has both allow and deny rules?
NACLs
Which of NACLs and security groups has rules that are evaluated in order?
NACLs
What is VPC peering?
When two VPCs are connected privately through the AWS network, making them behave as if they were part of the same single VPC
Is VPC peering transitive? What does this mean?
No. This means that if A and B are peered, and B and C are peered, A cannot connect to C ‘through’ B.
What capability do VPC endpoints enable?
Allow your instances to go through the private AWS network to connect to resources as opposed to using the public internet
What is an interface endpoint?
A type of VPC endpoint that provisions an ENI as an entry point to the network.
Supports most AWS services
Pay per hour and GB of data processed
What is a gateway endpoint?
A type of VPC endpoint that provisions a gateway that supports only DynamoDB and S3.
Free!
What services would you use to capture information about IP traffic going into your interfaces for different levels within your infrastructure?
VPC flow logs - VPC level
Subnet flow logs - Subnet level
Elastic Network Interface flow logs - Instance level
What are the two gateways on either side of a site to site VPN connection?
Customer gateway on the customer side (software or hardware that enables the connection)
Virtual private gateway on the AWS side
What is the name of the service that enables a low cost hub-and-spoke model for multiple customer gateways?
VPN CloudHub
Do site-to-site VPNs go over the internet?
Yes, but they are encrypted
What is the name of the hardware-based VPC and on-premises connection service?
Direct Connect
What are the two types of Direct Connect connections? What are the differences?
Dedicated and hosted connections.
Dedicated has a much higher maximum throughput and is dedicated to one user; hosted has a lower maximum throughput, but can be scaled up and down
What is the throughput maximum of a dedicated DX connection?
100Gbps
What is the throughput maximum of a hosted DX connection?
10Gbps
What types of virtual interfaces are needed for a Direct Connect connection to enable access to public and private resources in your VPC?
Public virtual interface for public, private for private
Is data in transit encrypted by default for Direct Connect connections?
No, but the connection itself is private
What service would be suitable for transitive peering between 1000s of VPCs?
Transit Gateway
At what geographical level do Transit Gateways operate?
Regional
What is equal cost multi-path routing?
A routing strategy that allows you to forward a packet over multiple best paths
How does equal cost multi-path routing relate to transit gateways?
Transit gateways enable ECMP routing over multiple site-to-site VPNs to increase the bandwidth used to connect with AWS at a higher cost
What is VPC traffic mirroring and why might one use it?
Allows you to duplicate network traffic for storage or analysis in a non-intrusive way, e.g. to put the traffic through security applications running on EC2 instances that inspect it and make sure it is OK
Can an internet gateway support both IPv4 and IPv6?
Yes
Can an egress-only internet gateway support both IPv4 and IPv6?
No! Only supports IPv6
What is an egress-only internet gateway?
An internet gateway that only allows data to flow out, but doesn’t allow data ingress
Is data moving between instances in the same AZ paid?
No
If you are moving data between two instances using their elastic IPs, would you pay data egress charges for the data moving over the internet?
Yes, because you are using the public addresses (elastic IPs), so the traffic is technically leaving the VPC, going through the internet and then coming back in. Using private IPs would literally halve the cost
What is the rule of thumb in terms of the cost of data ingress and egress for AWS?
Ingress tends to be free; egress is paid
Why can VPC endpoints be cheaper to use than NAT gateways?
Because they enable us to transfer data without having to egress from the AWS network
What is the AWS network firewall used for?
To protect your entire Amazon VPC from layer 3 to layer 7 in a centralised manner with 1000s of rules available based on IPs, ports and protocols