Resilient Architectures - Environment setup Flashcards

1
Q

Helpful services

A
  • AWS Budget in Billings: Establish a budget and alerts
  • Global Accelerator: improve performance of users’ traffic
  • AWS Shield Standard: free service that detects distributed denial-of-service (DDoS) attacks
  • AWS Direct Connect: a network service that provides an alternative to using the Internet to utilize AWS cloud services
  • Use AWS Certificate Manager to issue a certificate to a specific domain, and create a corresponding record on Route 53
  • Use AWS CloudTrail to store events related to actions performed on AWS services
2
Q

IAM Considerations 1

A
  • Protect the root account with MFA, and don’t use it regularly
  • Create a password policy
  • Create an administrative user:
    1. Create a group
    2. Attach AdministratorAccess policy to the group
    3. Add an IAM user, and assign user to the group
3
Q

IAM Considerations 2

A
  • PowerUserAccess policy provides full access to AWS services and resources, but does not allow management of users and groups.
  • Configure the AWS CLI with the credentials of a new IAM user, not the root user
4
Q

VPC Characteristics

A
  • Reliability is AWS’s responsibility
  • 1 VPC (1 region) has one or more subnets (one or more AZs), and has one instance
  • Reliability is achieved by having instances in multiple subnets in different AZs
5
Q

VPC - ENI Considerations 1

A
  • It’s a logical networking component in a VPC that represents a virtual network card
  • It has:
    1. A primary private IPv4 address
    2. One or more secondary private IPv4 addresses
    3. One Elastic IP address per private IPv4 address
    4. One public IPv4 address
    5. One or more IPv6 addresses
6
Q

VPC - ENI Considerations 2

A
  • Can attach it to an instance, detach it, and attach it again to another instance
  • Cannot detach the primary network interface of an EC2 instance. Can create additional ENIs for the same instance (the number depends on the instance type)
  • It inherits the public IPv4 addressing attribute from the subnet. Even if the attribute is later changed on the subnet, the ENI keeps its original IPv4 setting
7
Q

VPC - Elastic IP Address 1

A
  • It’s allocated to an account. A maximum of five EIP addresses can be associated per account
  • Supports IPv4 addresses only
  • Allows an instance to retain the same public IP address
  • Allows moving network attributes from one instance to another in one step
8
Q

VPC - Elastic IP Address 2

A
  • It’s bound to an ENI, which is attached to an instance
  • An EIP can move to a different ENI
  • Two types: Amazon owned (AWS picks the address for you) and customer owned (bring your own IP, BYOIP)
9
Q

VPC - Subnets types

A
  • Public Subnet: associated with a route table that has a route with an Internet gateway as its target
  • Private Subnet: associated with a route table that has a route with a NAT gateway as its target

NOTE: If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL

10
Q

VPC - NAT Gateway characteristics 1

A
  • Has two interfaces: one in a private subnet and one in a public subnet
  • An instance in a private subnet sends Internet-bound traffic to a NAT gateway
  • The NAT gateway forwards that traffic to the Internet gateway
  • Cannot route traffic to a NAT gateway through VPC peering connections, Site-to-Site VPN, Direct Connect, or VPC endpoints. If your instances need to access resources over those AWS network resources, use the private subnet’s route table to route the traffic directly to those network resources
11
Q

VPC - NAT Gateway characteristics 2

A
  • Charged for each hour it’s available and for each GB it processes
  • Protocols supported: TCP, UDP, and ICMP. NAT gateways don’t support IPv6 traffic; for IPv6, use an Egress-Only Internet Gateway
  • Cannot disassociate an EIP address / private IP address from a NAT gateway. You must create another one
12
Q

VPC - NAT Gateway Public connectivity type

A
  • It’s the default connectivity type
  • Instances in private subnets can connect to the internet but cannot receive unsolicited inbound connections from the internet
  • When it’s in a public subnet, you must associate an EIP
  • Can route traffic to other VPCs or on-premises networks, in that case through a transit gateway or a virtual private gateway
13
Q

VPC - NAT Gateway Private connectivity type

A
  • Instances in private subnets can connect to other VPCs or on-premises networks through a private NAT gateway, in that case through a transit gateway or a virtual private gateway
  • Cannot associate an EIP
  • If an internet gateway is attached to the VPC, the internet gateway drops the traffic coming from that private NAT gateway