Section 27: Networking - VPC Flashcards
A virtual network dedicated to your AWS account
Virtual Private Cloud (VPC)
A range of IP addresses within a VPC
Subnet
How many VPCs can you have within a single AWS region?
Up to 5
A redundant, horizontally scaled, and also highly available VPC component that allows communication between instances in your VPC and the internet
Internet Gateway (IGW)
An object that contains a set of rules that determine where network traffic from your subnet or gateway is directed
Route Table
What type of EC2 configuration can you use if you want to allow users to access private EC2 instances from outside of a VPC?
Bastion Hosts
Bastion Host security groups must allow inbound traffic from the internet on port ___ from a restricted CIDR
22
If you want to reach a private EC2 via a Bastion Host, then the Security Group of the EC2 must allow the Security group of the Bastion host or this other attribute?
Private IP of the Bastion Host
Device launched in a public subnet to enable instances in the private subnet to initiate outbound IPv4 traffic to the internet or other AWS services, but prevent the instances from receiving inbound traffic initiated on the internet
NAT Instance
Service that can be configured to allow instances in a private subnet to connect to services outside your VPC but external services cannot initiate a connection with those instances
NAT Gateway
Networking feature that allows or denies specific inbound or outbound traffic at the subnet level; it's like a firewall which controls traffic to/from subnets
Network Access Control Lists (NACL)
True/False: Network Access Control Lists are stateful so traffic does not have to be explicitly allowed or denied
False - They are stateless
True/False: Network Access Control Lists support allow and deny rules
True
A networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network
VPC Peering
True/False: To utilize VPC Peering, each VPC must have VPC Peering enabled
True
This virtual device, powered by AWS PrivateLink, allows you to connect to AWS services using a private network instead of using the public internet
VPC Endpoint
What are the two available types of VPC Endpoints?
Interface Endpoints
Gateway Endpoints
This type of VPC endpoint provisions an ENI as an entry point between your private network and AWS services
Interface Endpoint
A VPC endpoint type that serves as a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service
Gateway Endpoint
Which AWS Services do Gateway Endpoints support?
S3 and DynamoDB
Is a Gateway Endpoint or an Interface Endpoint a better choice when picking a VPC Endpoint to access S3?
Gateway - It only requires modification of a route table to implement and it is free
A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC
VPC Flow Logs
Which two gateways are needed to establish a Site-to-Site VPN connection?
Virtual Private Gateway
Customer Gateway
In a Site-to-Site VPN configuration, if your Customer Gateway is behind a NAT device that has NAT-T enabled, then your Customer Gateway should use the ______ IP for the ________ device
Public; NAT
A Site-to-Site VPN connection will not work until this feature is enabled for your Virtual Private Gateway in the route table that is associated with your subnets
Route Propagation
In a Site-to-Site VPN configuration, if you need to ping your EC2 instances from on-premise, make sure you add this protocol on the inbound of the EC2 security group
ICMP
A service that uses a hub-and-spoke model to create a secure connection between a Virtual Private Gateway and multiple Customer Gateways
AWS VPN CloudHub
A service that provides a dedicated private connection from a remote network to your VPC
Direct Connect (DX)
If you want to set up a Direct Connect to one or more VPCs in many different regions (same account), you must use a _______________
Direct Connect Gateway
Direct Connect connection type that dedicates a physical Ethernet port for a customer and provides up to 100 Gbps capacity
Dedicated Connection
Direct Connect connection type where capacity can be added or removed on demand
Hosted Connection
How long does it take for a Direct Connect connection to be established?
More than 1 month
True/False: Data-in-transit is encrypted in a Direct Connect
False - It is not encrypted but the connection is private
Resiliency mode for Direct Connect that can be described as “one connection at multiple locations”
Non-Critical Production Workloads or Development Workloads
Resiliency mode for Direct Connect that can be described as “separate connections terminating on separate devices in more than one location”
Maximum Resiliency for Critical Workloads
Service that connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub using a hub-and-spoke connection
Transit Gateway
What networking feature would you use to limit which VPCs can communicate within a Transit Gateway?
Route Table
This networking service supports IP Multicast
Transit Gateway
Feature that allows you to copy network traffic from an EC2 Elastic Network Interface and send it to a supported target
VPC Traffic Mirroring
Gateway that allows instances in your VPC to initiate outbound connections over IPv6 while preventing the internet from initiating an IPv6 connection to your instances
Egress-only Internet Gateway
What two settings do you need to enable in your VPC if you want to use a Private DNS in Route 53?
DNS Resolution
DNS Hostnames
How many IPs exist in CIDR 10.0.4.0/28?
16
How many IPs exist in CIDR 10.0.4.0/32?
1
How many IPs exist in CIDR 10.0.4.0/23?
512
What is the maximum CIDR size of an AWS VPC?
/16
If you have a /27 CIDR subnet in an AWS VPC, how many EC2 instances can you create on it?
27 -> 32 total IP addresses exist in the range, but the first 5 are reserved by AWS
You would like to provide Internet access to your EC2 instances in private subnets with IPv4 while making sure this solution requires the least amount of administration and scales seamlessly. What should you use?
NAT Gateway
True/False: You must update the route tables for both VPCs if you are connecting them using VPC Peering
True
A ________ Gateway is used mainly when you have a Direct Connect connection between a corporate data center and a VPC, but you want to access a separate VPC in a different AWS region.
Direct Connect
Direct Connect type that supports 50 Mbps, 500 Mbps, up to 10 Gbps.
Hosted
True/False: While using a Direct Connect connection, you can access both public and private AWS resources
True
You want to scale up an AWS Site-to-Site VPN connection throughput, established between your on-premises data center and AWS Cloud, beyond a single IPsec tunnel's maximum limit of 1.25 Gbps. What type of gateway should you use to increase the throughput?
Transit Gateway
What service can you use to provide secure communication between sites if you have multiple AWS Site-to-Site VPN connections?
AWS VPN CloudHub
Term that refers to the cumulative network traffic that is sent through AWS Direct Connect to destinations outside of AWS (charged per GB)
Data Transfer Out (DTO)
What are the four configurations supported by the Amazon VPC console wizard?
VPC with a single public subnet
VPC with public and private subnets (NAT)
VPC with public and private subnets and AWS Site-to-Site VPN access
VPC with a private subnet only and AWS Site-to-Site VPN access
When considering EC2 networking, ___________ are stateful, so allowing inbound traffic to the necessary ports enables the inbound and outbound connection
Security Groups
When considering EC2 networking, ___________ are stateless, so you must explicitly allow both inbound and outbound traffic
Network ACLs
When creating a NAT Gateway, should it be created in a public or private subnet?
Public
True/False: You must associate an Elastic IP address to a NAT Gateway
True
True/False: NAT instances support port forwarding
True
True/False: NAT gateways support port forwarding
False
VPC component that provides a target in your VPC route tables for internet-routable traffic and performs network address translation (NAT) for instances that have been assigned public IPv4 addresses
Internet Gateway
True/False: Data transfer pricing over Direct Connect is lower than data transfer pricing over the internet
False - Data transfer pricing over the internet is more expensive than over Direct Connect
What two VPC settings must you set to true if you want to associate it with a Route 53 hosted zone?
enableVpcSupport
enableVpcHostnames