Section 10: VPC Fundamentals Flashcards
VPC
* Virtual Private Cloud - private network to deploy your resources (regional resource)
* Subnets allow you to partition your network inside your VPC (Availability Zone resources)
* A public subnet is a subnet that is accessible from the internet
* A private subnet is a subnet that is not accessible from the internet
* To define access to the internet and between subnets we use Route Tables
* Looks like one public subnet per AZ
True
Subsection: VPC Fundamentals
1-3 exam questions for section 10
True/False: Internet Gateway & NAT Gateway
- IG helps our VPC instances connect with the internet. So www can connect to the IG and your IG connects to your public subnet.
- NAT Gateway: managed by AWS
- NAT instances: self-managed
- Both NAT Gateway and NAT instance allow your instances in your private subnet to access the internet in a private way. In the NAT model, www connects to the IG, your IG is connected to your NAT, and your NAT can connect to your private subnet
all True
Subsection: VPC, Subnets, IGW and NAT
1-3 exam questions for section 10
Network ACL & Security Groups
Network ACL
True/False:
* A firewall which controls traffic from and to a subnet
* Can have ALLOW and DENY rules
* Are attached at subnet level
* Rules only include IP addresses
—
Security Groups
* A firewall that controls traffic to and from an ENI / an EC2 instance
* Can have only ALLOW rules
* Rules include IP addresses and other security groups
True
Subsection: NACL, SG, VPC Flow Logs
1-3 exam questions for Section 10
VPC Flow Logs
True/False
* Capture info about IP traffic going into interfaces: VPC Flow Logs, Subnet Flow Logs, Elastic Network Interface (ENI) Flow Logs
* Helps to monitor and troubleshoot connectivity issues (subnet to internet, subnet to subnet, internet to subnet)
* Capture network information from AWS managed interfaces to ELB, ElastiCache, RDS, Aurora
* VPC Flow Logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
True
Subsection: NACL, SG, VPC Flow Logs
VPC Peering, Endpoints, VPN, DX
True/False
VPC Peering
* Connect two VPCs privately using the AWS network to make them behave like they're in the same network
* Must not have overlapping CIDRs (IP ranges)
* Is not transitive (if VPC A can talk with VPC B and VPC C, VPC B and VPC C still cannot talk with each other. You have to do the same thing again, a separate peering, to get VPC B and VPC C to talk with each other)
True
Subsection: VPC Peering, Endpoints, VPN, DX
VPC Endpoints
True/False
* Endpoints allow you to connect to AWS services using a private network instead of the public www network
* Gives you enhanced security and lower latency to access AWS services
* VPC Endpoint Gateway: S3 and DynamoDB
* VPC Endpoint Interface: the rest
* Only used within your VPC
* Any time you're asked to privately connect to an AWS service, a VPC endpoint is going to be the way (most important note from this slide)
* CloudWatch (outside VPC) chats with the VPC Endpoint Interface (ENI) (inside your VPC and private subnet), which chats with the EC2 instance (inside your VPC and private subnet), which chats with the VPC Endpoint Gateway (inside VPC), which can chat directly with both S3 (outside VPC) and DynamoDB (outside VPC)
True
Subsection: VPC Peering, Endpoints, VPN, DX
Subsection: VPN, Direct Connect (DX)
True / False
Site to Site VPN
* Connect an on-premises VPN to AWS
* Connection is automatically encrypted
* Goes over the public internet
Direct Connect
* Establish a physical connection between on-premises and AWS
* Connection is private, secure and fast
* Goes over a private network
* Takes at least a month to establish (because it's an actual wired connection, I imagine digging is needed)
True
Subsection: VPC Peering, Endpoints, VPN, DX
Summary Slide: VPC
True/False
* VPC Virtual Private Cloud
* Subnets: tied to AZ, represent a network partition of the VPC
* Internet Gateway: gives internet access to public subnets
* NAT Gateway/instances: give internet access to private subnets (I think by chatting with an IG)
* NACL: stateless, subnet rules for inbound and outbound
* Security Groups: stateful, operate at EC2 instance level or ENI
* VPC Peering: connect two VPCs with non-overlapping IP ranges, non-transitive
* VPC Endpoints: provide private access to AWS services within the VPC
* VPC Flow Logs: network traffic logs
* Site to Site VPN: VPN over the public internet between an on-premises DC and AWS
* Direct Connect: direct private connection to AWS
True
Subsection: VPC Peering, Endpoints, VPN, DX
True/False
Typical 3 tier solution architecture:
- User chats with Route 53 (public subnet) to find your app
- User tries to get to your app, ends up going to a multi-AZ ELB (public subnet).
- Your ELB directs traffic to your auto scaling group which handles (in the diagram it "houses" or "contains") your three EC2 instances (auto scaling group/EC2 instances are in the private subnet, if you've configured your EC2 instances so that they don't allow traffic from the internet, which I have).
- To handle the data your app needs, your EC2 instances communicate with ElastiCache (in the data subnet) and Amazon RDS (also in the data subnet)
- That's 3 tier arch.
True
Subsection: Three Tier Architecture
LAMP Stack on EC2
True/False
* Linux (on EC2), Apache Web Server (which I think serves HTML, also on EC2), MySQL (on EC2), PHP (also on EC2); can add Redis, Memcached and an EBS drive (EBS drive if you want to store data locally)
True
Subsection: Three Tier Architecture
Wordpress on AWS - Route 53
True/False
* User sends an image to EC2 instances through a load balancer. EFS is perfect for this. EC2 instances can share images on an EFS by using an ENI (super simplified)
True
Subsection: Three Tier Architecture
EC2 Instance, Subnet. No correct or incorrect notes.
VPC Quiz
Security Group does not allow traffic in.
Security groups are stateful and if traffic can go out, then it can go back in.
Incorrect answers have no notes. (Check the last one, actually.)
VPC Quiz
Correct: NAT Gateway - no notes
Incorrect:
* NAT instances with Source/Destination check flag off - This means creating a NAT EC2 instance, and although this would work, it would require some integration and would not scale seamlessly.
* Egress-only IG - This is for IPv6 only.
VPC Quiz
Amazon S3 and DynamoDB -
These two services have a VPC Gateway Endpoint (remember it); all the other ones have an Interface Endpoint (powered by PrivateLink - means a private IP).
Incorrect answers have no notes.
VPC Quiz