Section 6: Virtual Private Cloud (VPC) Flashcards

1
Q

What is a VPC?

A

A Virtual Private Cloud is a logically isolated portion of the AWS cloud within a region where you can launch AWS resources (e.g. EC2 instances) in a virtual network that you define.

https://digitalcloud.training/amazon-vpc/

2
Q

What is a Region?

A

A Region is a physical location in the world, e.g. us-east-1, eu-west-1, ap-southeast-2.

Each Region consists of multiple Availability Zones.

https://aws.amazon.com/about-aws/global-infrastructure/

3
Q

Availability Zones

A

An Availability Zone sits inside a Region.

An Availability Zone can contain both public subnets and private subnets.

Amazon encourages you to deploy your application into more than one Availability Zone for resilience.

4
Q

AWS CloudFront

A

AWS CloudFront is a CDN (Content Delivery Network).

CloudFront is a good choice for distributing frequently accessed static content from edge locations (geographically closer to users). Regional Edge Cache -> Edge Location -> User.

5
Q

IPv4 address

A

An IPv4 address is the numeric network address that a web address (domain name) resolves to, so that a server can be reached.

E.g. example.com –> 192.168.0.1

Network ID = 192.168.0 (first 3 octets)
Host ID = 1 (last octet)

6
Q

Regions and VPCs

A

Each Region allows up to 5 VPCs.

7
Q

VPC CIDR block and subnet planning

A

Use a subnet calculator tool, e.g. https://www.site24x7.com/tools/ipv4-subnetcalculator.html

8
Q

Network Access Control List (Network ACL)

A

Network Access Control Lists are applied at the subnet level.

NACLs apply only to traffic entering or exiting the subnet, filtering it at the subnet boundary.

9
Q

Security Group vs Network Access Control List

A

Security Group = stateful firewall. It allows return traffic automatically, meaning you only need to define the inbound rule; the matching outbound (return) traffic is accepted.

Network Access Control List = stateless firewall. You have to explicitly define both inbound and outbound rules.

Rules are defined using a port range and an IP address range or a security group ID.

NACL rules are processed in order (by rule number); bear in mind how that affects which rule is applied.

10
Q

What is Virtual Private Cloud Peering?

A

VPC (Virtual Private Cloud) Peering is a network connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.

CIDR blocks (10.1.0.0/16 for example) cannot overlap between peered VPCs.

https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html

11
Q

VPC interface endpoint

A

A VPC interface endpoint is an Elastic Network Interface (ENI) with a private IP address in your subnet. Using it, resources in the subnet can connect privately to other AWS services such as ELB, CloudFormation, SNS, S3, etc.

https://digitalcloud.training/vpc-interface-endpoint-vs-gateway-endpoint-in-aws/

12
Q

Elastic Network Interface (ENI) vs Gateway Endpoint

A

An interface endpoint is created within a subnet and is controlled by a security group. A gateway endpoint sits at the VPC level (higher up) and is used via the route table.

Interface Endpoint (Elastic Network Interface) - Interface Endpoints are powered by AWS PrivateLink, which creates a secure and private network connection between your VPC and the AWS service.

Gateway Endpoint - Gateway endpoints are route table entries that route your traffic directly from the subnet where traffic is originating to the service.

13
Q

AWS Client VPN

A

AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources and resources in your on-premises network. With Client VPN, you can access your resources from any location using an OpenVPN-based VPN client.

Meaning you can allow non-AWS servers/computers to connect securely to your AWS services.

14
Q

AWS Direct Connect (DX)

A

AWS Direct Connect makes it easy to establish a dedicated connection from an on-premises network to one or more VPCs.

AWS Direct Connect can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.

Note: connections are NOT encrypted.

https://digitalcloud.training/aws-direct-connect/

https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect.html

15
Q

AWS Direct Connect Gateway

A

Use AWS Direct Connect Gateway when you want to connect multiple AWS Regions together with an on-prem service / another provider. This is more cost-effective than using plain AWS Direct Connect.

https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html

16
Q

AWS Transit Gateway

A

AWS Transit Gateway provides a hub and spoke design for connecting VPCs and on-premises networks as a fully managed service without requiring you to provision virtual appliances like the Cisco CSRs. No VPN overlay is required, and AWS manages high availability and scalability.

https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-gateway.html

17
Q

What are VPC flow logs?

A

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

18
Q

Lots of info….

A

Subnet - a segment of a VPC's IP address range where you can place groups of isolated resources (maps to a single AZ).

Internet Gateway - a highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the internet.

Router - routers interconnect subnets and direct traffic between Internet Gateways, virtual private gateways, NAT gateways and subnets.

Peering Connection - a peering connection enables you to route traffic via private IP addresses between two peered VPCs.

VPC Endpoints - enable private connectivity to services hosted in AWS.

Virtual Private Gateway - the Amazon VPC side of the VPN connection.

Egress-only Internet Gateway - a stateful gateway that provides egress-only access for IPv6 traffic from the VPC to the internet.

Hardware VPN Connection - a hardware-based VPN connection between your Amazon VPC and your data center, home network or co-location facility.

19
Q

What is the scope of a Virtual Private Cloud (VPC)?

A

VPCs are regional. You create VPCs in each region separately.

20
Q

You need to apply a firewall to a group of EC2 instances launched in multiple subnets. Which option should be used?

A

Security Group: A Security Group can be applied to the group of EC2 instances. You can specify what ports and protocols are allowed to reach the instances and from what sources.

21
Q

An organization needs a private, high-bandwidth, low-latency connection to the AWS Cloud in order to establish a hybrid cloud configuration with their on-premises cloud. What type of connection should they use?

A

AWS Direct Connect: AWS Direct Connect uses private network connections into the AWS Cloud and is high-bandwidth and low-latency. This is good for establishing hybrid cloud configurations.

22
Q

Can subnets span multiple AZs?

A

No.

23
Q

How should subnets be used for fault tolerance?

A

Launch EC2 instances into subnets created in different Availability Zones.

24
Q

Your organization has a pre-production VPC and a production VPC. You need to be able to set up routing between these VPCs using private IP addresses. How can this be done?

A

Configure a peering connection: A peering connection enables you to route traffic via private IP addresses between two peered VPCs.

25
Q

At which level do you attach an Internet gateway?

A

VPC: Internet Gateways are attached to the VPC. You then need to add entries to the route tables for your public subnets to point to the IGW.