Section 27: Networking - VPC

Question 1

A virtual network dedicated to your AWS account

Answer 1

Virtual Private Cloud (VPC)

Question 2

A range of IP addresses within a VPC

Answer 2

Subnet

Question 3

How many VPCs can you have within a single AWS region?

Answer 3

Up to 5

Question 4

A redundant, horizontally scaled, and also highly available VPC component that allows communication between instances in your VPC and the internet

Answer 4

Internet Gateway (IGW)

Question 5

An object that contains a set of rules that determine where network traffic from your subnet or gateway is directed

Answer 5

Route Table

Question 6

What type of EC2 configuration can you use if you want to allow users to access private EC2 instances from outside of a VPC?

Answer 6

Bastion Hosts

Question 7

Bastion Host security groups must allow inbound traffic from the internet on port ___ from restricted CIDR

Answer 7

22

Question 8

If you want to reach a private EC2 via a Bastion Host, then the Security Group of the EC2 must allow the Security group of the Bastion host or this other attribute?

Answer 8

Private IP of the Bastion Host

Question 9

Device launched in a public subnet to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated on the internet

Answer 9

NAT Instance

Question 10

Service that can be configured to allow instances in a private subnet to connect to services outside your VPC but external services cannot initiate a connection with those instances

Answer 10

NAT Gateway

Question 11

Networking feature that allows or denies specific inbound or outbound traffic at the subnet level; its like a firewall which controls traffic to/from subnets

Answer 11

Network Access Control Lists (NACL)

Question 12

True/False: Network Access Control Lists are stateful so traffic does not have to be explicitly allowed or denied

Answer 12

False - They are stateless

Question 13

True/False: Network Access Control Lists support allow and deny rules

Answer 13

True

Question 14

A networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network

Answer 14

VPC Peering

Question 15

True/False: To utilize VPC Peering, each VPC must have VPC Peering enabled

Answer 15

True

Question 16

This virtual device, powered by AWS PrivateLink, allows you to connect to AWS services using a private network instead of using the public internet

Answer 16

VPC Endpoint

Question 17

What are the two available types of VPC Endpoints?

Answer 17

Interface Endpoints
Gateway Endpoints

Question 18

This type of VPC endpoint provisions an ENI as an entry point between private and AWS services

Answer 18

Interface Endpoint

Question 19

A VPC endpoint type that serves as a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service

Answer 19

Gateway Endpoint

Question 20

Which AWS Services do Gateway Endpoints support?

Answer 20

S3 and DynamoDB

Question 21

Is a Gateway Endpoint or an Interface Endpoint a better choice when picking a VPC Endpoint to access S3?

Answer 21

Gateway - It only requires modification of a route table to implement and it is free

Question 22

A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC

Answer 22

VPC Flow Logs

Question 23

Which two gateways are needed to establish a Site-to-Site VPN connection?

Answer 23

Virtual Private Gateway
Customer Gateway

Question 24

In a Site-to-Site VPN configuration, if your Customer Gateway is behind a NAT device that has NAT-T enabled, then your Customer Gateway should use the ______ IP for the ________ device

Answer 24

Public; NAT

Question 25

A Site-to-Site VPN connection will not work until this feature is enabled for your Virtual Private Gateway in the route table that is associated with your subnets

Answer 25

Route Propagation

Question 26

In a Site-to-Site VPN configuration, if you need to ping your EC2 instances from on-premise, make sure you add this protocol on the inbound of the EC2 security group

Answer 26

ICMP

Question 27

A service that uses a hub-and-spoke model to create a secure connection between a Virtual Private Gateway and multiple Customer Gateways

Answer 27

AWS VPN CloudHub

Question 28

A service that provides a dedicated private connection from a remote network to your VPC

Answer 28

Direct Connect (DX)

Question 29

If you want to setup a Direct Connect to one more more VPC in many different regions (same account), you must use a _______________

Answer 29

Direct Connect Gateway

Question 30

Direct Connect connection type that dedicates a physical ethernet port for a customer and provides up to 100 GBPS capacity

Answer 30

Dedicated Connection

Question 31

Direct Connect connection type where capacity can be added or removed on demand

Answer 31

Hosted Connection

Question 32

How long does it take for a Direct Connect connection to be established?

Answer 32

More than 1 month

Question 33

True/False: Data-in-transit is encrypted in a Direct Connect

Answer 33

False - It is not encrypted but the connection is private

Question 34

Resiliency mode for Direct Connect that can be described as “one connection at multiple locations”

Answer 34

Non-Critical Production Workloads or Development Workloads

Question 35

Resiliency mode for Direct Connect that can be described as “separate connections terminating on separate devices in more than one location”

Answer 35

Maximum Resiliency for Critical Workloads

Question 36

Service that connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub using a hub-and-spoke connection

Answer 36

Transit Gateway

Question 37

What networking feature would you use to limit which VPCs can communicate within a Transit Gateway?

Answer 37

Route Table

Question 38

This networking service supports IP Multicast

Answer 38

Transit Gateway

Question 39

Feature that allows you to copy network traffic from an EC2 Elastic Network Interface and send it to a supported target

Answer 39

VPC Traffic Mirroring

Question 40

Gateway that allows instances in your VPC to initiate outbound connections over IPv6 while preventing the internet to initiate an IPv6 connection to your instances

Answer 40

Egress-only Internet Gateway

Question 41

What two settings do you need to enable in your VPC if you want to use a Private DNS in Route 53?

Answer 41

DNS Resolution
DNS Hostnames

Question 42

How many IPs exist in CIDR 10.0.4.0/28?

Answer 42

16

Question 43

How many IPs exist in CIDR 10.0.4.0/32?

Answer 43

1

Question 44

How many IPs exist in CIDR 10.0.4.0/23?

Answer 44

512

Question 45

What is the maximum CIDR size of an AWS VPC?

Answer 45

/16

Question 46

If you have a /27 CIDR subnet in an AWS VPC, how many EC2 instances can you create on it?

Answer 46

27 -> 32 total IP addresses exist in the range, but the first 5 are reserved by AWS

Question 47

You would like to provide Internet access to your EC2 instances in private subnets with IPv4 while making sure this solution requires the least amount of administration and scales seamlessly. What should you use?

Answer 47

NAT Gateway

Question 48

True/False: You must update the route tables for both VPCs if you are connecting them using VPC Peering

Answer 48

True

Question 49

A ________ Gateway is used mainly when you have a Direct Connect connection between a corporate data center and a VPC, but you want to access a separate VPC in a different AWS region.

Answer 49

Direct Connect

Question 50

Direct Connect type that supports 50Mbps, 500Mbps, up to 10Gbps.

Answer 50

Hosted

Question 51

True/False: While using a Direct Connect connection, you can access both public and private AWS resources

Answer 51

True

Question 52

You want to scale up an AWS Site-to-Site VPN connection throughput, established between your on-premises data and AWS Cloud, beyond a single IPsec tunnel’s maximum limit of 1.25 Gbps. What type of gateway should you use to increase the throughput?

Answer 52

Transit Gateway

Question 53

What service can you use to provide secure communication between sites if you have multiple AWS Site-to-Site VPN connections?

Answer 53

AWS VPN CloudHub

Question 54

Term that refers to the cumulative network traffic that is sent through AWS Direct Connect to destinations outside of AWS (charged per GB)

Answer 54

Data Transfer Out (DTO)

Question 55

What are the four configurations supported by the Amazon VPC console wizard?

Answer 55

VPC with a single public subnet
VPC with public and private subnets (NAT)
VPC with public and private subnets and AWS Site-to-Site VPN access
VPC with a private subnet only and AWS Site-to-Site VPN access

Question 56

When considering EC2 networking, ___________ are stateful, so allowing inbound traffic to the necessary ports enables the inbound and outbound connection

Answer 56

Security Groups

Question 57

When considering EC2 networking, ___________ are stateless, so you must explicitly allow both inbound and outbound traffic

Answer 57

Network ACLs

Question 58

When creating a NAT Gateway, should it be created in a public or private subnet?

Answer 58

Public

Question 59

True/False: You must associate an Elastic IP address to a NAT Gateway

Answer 59

True

Question 60

True/False: NAT instances support port forwarding

Answer 60

True

Question 61

True/False: NAT gateways support port forwarding

Answer 61

False

Question 62

VPC component that provides a target in your VPC route tables for internet-routable traffic and performs network address translation (NAT) for instances that have been assigned public IPv4 addresses

Answer 62

Internet Gateway

Question 63

True/False: Data transfer pricing over Direct Connect is lower than data transfer pricing over the internet

Answer 63

False - Data transfer pricing over the internet is more expensive than over Direct Connect

Question 64

What two VPC settings must you set to true if you want to associate it with a Route 53 hosted zone?

Answer 64

enableVpcSupport
enableVpcHostnames