Networking - VPC

Question 1

What are the 3 common private IP ranges?

Answer 1

10.0.0.0
172.16.0.0
192.168.0.0

Question 2

What is the maximum number of VPCs allowed per region?

Answer 2

5

Question 3

How many different CIDRs can you have per VPC?

Answer 3

5

Question 4

How many addresses does Amazon reserve in each subnet’s range?

Answer 4

5

Question 5

What is the suffix for the IP address that is the broadcast address in a subnet?

Answer 5

.255

Question 6

What does an internet gateway do?

Answer 6

Allows resources in a VPC to connect to the internet

Question 7

What is a bastion host?

Answer 7

An EC2 instance in a public subnet that allows users to connect to private instances with SSH from a public place.
Normally allows connection access from the public CIDR of your organisation (NOT everyone)

Question 8

What is a NAT instance?

Answer 8

A routing server that sends traffic from private EC2 instances onwards to the internet from a public subnet.

Question 9

What are the downsides of a NAT instance?

Answer 9

It is not highly available and resilient out of the box
Have to manage the associated security groups and rules

Question 10

What other service does a NAT gateway require to perform its function?

Answer 10

An internet gateway

Question 11

What is a NAT gateway?

Answer 11

An AWS managed NAT service that has high availability, bandwidth and no requirement for an admin management out of the box

Question 12

At what level do NACLs exist?

Answer 12

The subnet level

Question 13

At what level do security groups exist?

Answer 13

The specific instance level

Question 14

Which of NACLs and security groups have both allow and deny rules?

Answer 14

NACLs

Question 15

Which of NACLs and security groups have rules that are evaluated in order?

Answer 15

NACLs

Question 16

What is VPC peering?

Answer 16

When two VPCs are connected privately through the AWS network, making them behave as if they were part of the same single VPC

Question 17

Is VPC peering transitive? What does this mean?

Answer 17

No. This means that if A and B are peered, and B and C are peered, A cannot connect to C ‘through’ B.

Question 18

What capability do VPC endpoints enable?

Answer 18

Allow your instances to go through the private AWS network to connect to resources as opposed to using the public internet

Question 19

What is an interface endpoint?

Answer 19

A type of VPC endpoint that provisions an ENI as an entry point to the network.
Supports most AWS services
Pay per hour and GB of data processed

Question 20

What is a gateway endpoint?

Answer 20

A type of VPC endpoint that provisions a gateway that supports only DynamoDB and S3.
Free!

Question 21

What services would you use to capture information about IP traffic going into your interfaces for different levels within your infrastructure?

Answer 21

VPC flow logs - VPC level
Subnet flow logs - Subnet level
Elastic Network Interface flow logs - Instance level

Question 22

What are the two gateways on either side of a site to site VPN connection?

Answer 22

Customer gateway on the customer side (software or hardware that enables the connection)
Virtual private gateway on the AWS side

Question 23

What is the name of the service that enables a low cost hub-and-spoke model for multiple customer gateways?

Answer 23

VPN CloudHub

Question 24

Do site-to-site VPNs go over the internet?

Answer 24

Yes, but they are encrypted

Question 25

What is the name of the hardware-based VPC and on-premises connection service?

Answer 25

Direct Connect

Question 26

What are the two types of Direct Connect connections? What are the differences?

Answer 26

Dedicated and hosted connections.
Dedicated is much higher throughput max and is dedicated to one user, hosted is lower throughput max., but can be scaled up and down

Question 27

What is the throughput maximum of a dedicated DX connection?

Answer 27

100Gbps

Question 28

What is the throughput maximum of a hosted DX connection?

Answer 28

10Gbps

Question 29

What types of virtual interfaces are needed for a Direct Connect connection to enable access to public and private resources in your VPC?

Answer 29

Public virtual interface for public, private for private

Question 30

Is data in transit encrypted by default for Direct Connect connections?

Answer 30

No, but the connection itself is private

Question 31

What service would be suitable for transitive peering between 1000s of VPCs?

Answer 31

Transit Gateway

Question 32

At what geographical level do Transit Gateways operate?

Answer 32

Regional

Question 33

What is equal cost multi-path routing?

Answer 33

A routing strategy that allows you to forward a packet over multiple best paths

Question 34

How does equal cost multi-path routing relate to transit gateways?

Answer 34

Transit gateways enable ECMP routing over multiple site-to-site VPNs to increase the bandwidth used to connect with AWS at a higher cost

Question 35

What is VPC traffic mirroring and why might one use it?

Answer 35

Allows you to duplicate network traffic for storage or analysis in a non-intrusive way, e.g. to put the traffic through security applications running on EC2 instances that inspect it and make sure it is ok

Question 36

Can an internet gateway support both IPv4 and IPv6?

Answer 36

Yes

Question 37

Can an egress-only internet gateway support both IPv4 and IPv6?

Answer 37

No! Only supports IPv6

Question 38

What is an egress-only internet gateway?

Answer 38

An internet gateway that only allows data to flow out, but doesn’t allow data ingress

Question 39

Is data moving between instances in the same AZ paid?

Answer 39

No

Question 40

If you are moving data between two instances using their elastic IPs, would you pay data egress charges for the data moving over the internet?

Answer 40

Yes, because you are using the public addresses (elastic IPs) and therefore the traffic is technically leaving the VPC, going through the internet and then coming back in, using private IPs would literally halve the cost

Question 41

What is the rule of thumb in terms of the cost of data ingress and egress for AWS?

Answer 41

Ingressing data tends to be free, egress is paid

Question 42

Why can VPC endpoints be cheaper to use than NAT gateways?

Answer 42

Because they enable us to transfer data without having to egress from the AWS network

Question 43

What is the AWS network firewall used for?

Answer 43

To protect your entire Amazon VPC from layer 3 to layer 7 in a centralised manner with 1000s of rules available based on IPs, ports and protocols