Section - VPC Flashcards

1
Q

What is a VPC?

A
  • Logically isolated part of the AWS cloud where you can define your own network.
  • Complete control of the virtual network, including your own IP address range, subnets, route tables, and network gateways.
  • 1 subnet is always in 1 availability zone.
  • Fully customizable network:
    • You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
  • Typical 3 tier architecture:
    • Web Tier
      • Public-facing subnet
      • e.g. allowed ports 80, 443
    • Application Tier
      • Private subnet
      • Can only speak to the web tier and database tier
      • Typical application server (backend)
    • Database Tier
      • Private subnet
      • Can only speak to the application tier
      • e.g. RDS etc.
  • Additionally, you can create a hardware Virtual Private Network (VPN) connection between your corporate data center and your VPC and leverage the AWS Cloud as an extension of your corporate data center.
2
Q

AWS VPC CIDR Range?

A
  • Largest CIDR range is /16 = 65,536 IP addresses (10.0.0.0/16)
  • The smallest CIDR range is /28 = 16 IP addresses (10.0.0.0/28)
  • Visual CIDR range calculator: https://cidr.xyz
3
Q

What can we do with a VPC?

A
  • Launch Instances
    • Launch instances into a subnet of your choosing.
  • Custom IP addresses
    • Assign custom IP address ranges in each subnet.
  • Route Tables
    • Configure route tables between subnets.
  • Internet Gateway
    • Create an internet gateway and attach it to our VPC.
  • More Control
    • Much better security control over your AWS resources.
  • Access Control Lists
    • Subnet network access control lists.
    • You can use network access control lists (NACLs) to block specific IP addresses.

NB: 1 subnet is always in 1 availability zone.

4
Q

Exam Tips: How many internet gateways per VPC?

A
  • Only 1 Internet gateway per VPC
5
Q

What is a NAT Gateway?

A

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services while preventing the internet from initiating a connection with those instances.

6
Q

5 Facts to remember about NAT Gateways.

A
  • Redundant inside the Availability Zone
  • Starts at 5 Gbps and scales currently to 45 Gbps
  • No need to patch
  • Not associated with security groups
  • Automatically assigned a public IP address
7
Q

What is a Security Group?

A
  • Security groups are a virtual firewall for an EC2 instance.
  • To allow everything: 0.0.0.0/0
  • You can have multiple security groups attached to EC2 instances.
  • All inbound traffic is blocked by default.
  • All outbound traffic is allowed by default.

NB: Security Groups are stateful - if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of the inbound security group rules.

Responses to allowed inbound traffic are allowed to flow out, regardless of the outbound rules.

8
Q

What is a Network ACL?

A
  • The first line of defence.
  • A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
  • You might set up network ACLs with rules similar to your security groups in order to add another layer of security to your VPC.
  • Your VPC automatically comes with a Default Network ACL, and by default it allows all outbound and inbound traffic.
  • You can create Custom Network ACLs. By default, each custom network ACL denies all inbound and outbound traffic until you add rules.
  • Each subnet in your VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
  • Block IP addresses using network ACLs, not Security Groups.
9
Q

Network ACLs Tips

A
  • You can associate a network ACL with multiple subnets; however, a subnet can be associated with only 1 network ACL at a time.
  • Network ACLs contain a numbered list of rules that are evaluated in order, starting with the lowest numbered rule.
  • Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.
  • Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
10
Q

Blocking a specific IP address?

A
  • Use Network ACLs.
  • Add a rule number and IP address, e.g. 23.24.25.26/32 Deny.
  • Block a range of IP addresses with a CIDR, e.g. 10.20.30.0/24 or 8.17.0.0/16.
11
Q

What are Ephemeral ports?

A

The example network ACL in the preceding section uses an ephemeral port range of 32768-65535. However, you might want to use a different range for your network ACLs depending on the type of client that you’re using or with which you’re communicating.

The client that initiates the request chooses the ephemeral port range. The range varies depending on the client’s operating system.

  • Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000.
  • Requests originating from Elastic Load Balancing use ports 1024-65535.
  • Windows operating systems through Windows Server 2003 use ports 1025-5000.
  • Windows Server 2008 and later versions use ports 49152-65535.
  • A NAT gateway uses ports 1024-65535.
  • AWS Lambda functions use ports 1024-65535.

For example, if a request comes into a web server in your VPC from a Windows 10 client on the internet, your network ACL must have an outbound rule to enable traffic destined for ports 49152-65535.

If an instance in your VPC is the client initiating a request, your network ACL must have an inbound rule to enable traffic destined for the ephemeral ports specific to the type of instance (Amazon Linux, Windows Server 2008, and so on).

In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you can open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Ensure that you place the deny rules earlier in the table (lower rule numbers) than the allow rules that open the wide range of ephemeral ports.

12
Q

What are VPC End Points?

A

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

13
Q

Study Tip 1

A

Endpoints are Virtual Devices

  • They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability or bandwidth constraints on your network traffic.
  • If you have EC2 instances writing to S3, you do not want them going over the NAT gateway, since they will impact your bandwidth; route them through VPC endpoints instead.
14
Q

What are the 2 types of endpoints?

A
  • OPTION 1 - Interface Endpoints
    • An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic headed to a supported service. They support a large number of AWS services.
  • OPTION 2 - Gateway Endpoints
    • Similar to NAT gateways, a gateway endpoint is a virtual device you provision. It supports connections to S3 and DynamoDB.
15
Q

What is AWS PrivateLink?

A
  • The best way to expose a service VPC to tens, hundreds, or thousands of customer VPCs.
  • Doesn't require VPC peering, route tables, NAT gateways, Internet gateways, etc.
  • Requires a Network Load Balancer in the service VPC and an ENI in the customer VPC.
16
Q

VPC Peering?

A
  • Allows you to connect 1 VPC with another via a direct route using private IP addresses.
  • Instances behave as if they were on the same private network.
  • You can peer VPCs with other AWS accounts as well as with other VPCs in the same account.
  • Peering is in a star configuration (e.g. 1 central VPC peers with 4 others). No transitive peering.
  • You can peer between regions.
  • Transitive peering is not supported. Must always be in a hub-and-spoke model.
17
Q

What is AWS VPN CloudHub?

A

If you have multiple sites, each with its own VPN connection, you can use AWS VPN CloudHub to connect those sites together.

  • Hub-and-spoke model.
  • Low cost and easy to manage.
  • It operates over the public internet, but all the traffic between the customer gateway and the AWS VPN CloudHub is encrypted.
18
Q

What is AWS Direct Connect?

A

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

19
Q

The 2 types of Direct Connect Connection?

A
  • Dedicated Connection: A physical Ethernet connection associated with a single customer. Customers can request a dedicated connection through the AWS Direct Connect console, the CLI, or the API.
  • Hosted Connection: A physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer. Customers request a hosted connection by contacting a partner in the AWS Direct Connect Partner Program, who provisions the connection.
20
Q

VPN vs Direct Connect

A

VPNs allow private communication, but the traffic still traverses the public internet to get the data delivered. While secure, it can be painfully slow.

Direct Connect is:

  • Fast
  • Secure
  • Reliable
  • Able to take massive throughput
21
Q

AWS Transit Gateway?

A

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router - each connection is only made once.

22
Q

Transit Gateway Facts

A
  • Allows you to have transitive peering between thousands of VPCs and on-premises data centers.
  • Works on the hub-and-spoke model.
  • Works on a regional basis, but you can peer transit gateways across multiple regions.
  • You can use it across multiple AWS accounts using RAM (Resource Access Manager).
  • You can use route tables to limit how VPCs talk to one another.
  • Works with Direct Connect as well as VPN connections.
  • Supports IP Multicast (not supported by any other AWS service).