Virtual Private Cloud Basics

Question 1

What is the minimum size of a VPC

Answer 1

/28 = 16 IPs

Question 2

What is the maximum size of a VPC

Answer 2

/16 = 65356 IPs

Question 3

What do services use with regards to VPCs

Answer 3

Subnets, not VPCs

Question 4

Should you use Bastion hosts

Answer 4

No, they are frowned upon

Question 5

What type of service is VPC

Answer 5

Regional

Question 6

Can data move in and out of VPC

Answer 6

Only with explicit config, otherwise no

Question 7

How many subnets does the default VPC have

Answer 7

One per AZ

Question 8

What is a dedicated tenancy

Answer 8

Uses dedicated hardware

Question 9

What happens if you pick dedicated at VPC level

Answer 9

All ressources in VPC must be on dedicated hardware

Question 10

What happens if you enabble DNS hostnames

Answer 10

Instances with public IPs have DNS names

Question 11

What happens if you enable DNS support

Answer 11

Enables DNS resolution in VPC

Question 12

What is the address of the DNS in a VPC

Answer 12

Base + 2 (e.g. if VPC is 10.0.0.0, it would be 10.0.0.2)

Question 13

What is the nuber-to-number relationship between subnets and AZs

Answer 13

Subnet only has one AZ
AZ has 0 or more subnets

Question 14

Can subnets overlap

Answer 14

No

Question 15

How many IPs in every subnet is reserved

Answer 15

5

Question 16

What is the first address in a subnet

Answer 16

The network address, it cannot be used

Question 17

What is the second address in a subnet

Answer 17

Network + 1 - VPC router, it moves data between subnets and in and out of VPC if configured to allow it

Question 18

What is the third address in a subnet

Answer 18

Network + 2 - Reserved for DNS. Technivally, it<s the 2nd adress ovf VPC and not subnet which is used, but this address is reserved in every subnet

Question 19

What is the 4th address in a subnet

Answer 19

Network + 3 - Reserved for future use

Question 20

What is the last address in a subnet

Answer 20

It is the network broadcast address, it is reserved even if broadcast is not supported in VPCs

Question 21

What does DHCP stand for

Answer 21

Dynamic Host Configuration Protocol

Question 22

What is DHCP

Answer 22

It is how computing devices receive IPs automatically

Question 23

What has a route table

Answer 23

Each subnet, and the VPC, the VPC route table is used as default

Question 24

What is the number relationship between route tables and subnets

Answer 24

Each subnet has one route table, each route table can be associated with many subnets

Question 25

What are the options for route tables of a subnet

Answer 25

Either the main VPC one, ort a custom one

Question 26

To what data does a route table apply

Answer 26

To the data leaving the subnet

Question 27

Can local routes in a route tbale be edited

Answer 27

No, they are always there and uneditable

Question 28

How do you know if something is a local route

Answer 28

It matches the VPC IPv$ or 6 CIDR range

Question 29

How does a route table handle priorities

Answer 29

More specific (higher prefix value) = priority

Question 30

When is the default route used

Answer 30

When nothing else matches

Question 31

What resiliency does an Internet Gateway have

Answer 31

Regional

Question 32

What is the number relationship between an internet gateway and a VPC

Answer 32

One to one

Question 33

Where does an internet gateway run

Answer 33

From the AWS public zone

Question 34

What does an internet gateway do

Answer 34

It is a gateway for traffic between the vpc and the internet or aws public zone

Question 35

What type of service is an internet gateway

Answer 35

AWS-managed - AWS handles the performance

Question 36

What are the steps to configure an internet gateway

Answer 36

1 : Create IG
2 : Attach IG to VPC (will make it available to route table)
3 : Create a custom route table
4 : Associate the route table to the dubnet
5 : Make the default route the IGW
6 : Configure the subnet to allocation public IPv4
Then the subnet is a public sbnet

Question 37

What kind of record does an internet gateway keep

Answer 37

A record linking a public and private IP (in IPv4 only)

Question 38

What IP does an EC2 instance see

Answer 38

Only its private IPv4 IP

Question 39

Is the OS on an EC2 instance ever aware of its public IPv4 address

Answer 39

No

Question 40

Is the OS on an EC2 instance ever aware of its public IPv6 address

Answer 40

Yes, since it is the same as the private one, all IPv6 address are publicly routable by default, the internet gateway does not need to do translation

Question 41

What is a Bastion Host / Jumpbox

Answer 41

An instance in a public subnet, to which incoming management connections are made, and can then access internal VPC ressources. Often the only way into a VPC (historically, now there are other ways)

Question 42

What does TCP stand for

Answer 42

Transport Control Protocol

Question 43

How many parts does a connection have

Answer 43

2 : request and response

Question 44

What is a stateless firewall

Answer 44

It is a firewall that sees a request and response as 2 individual parts

Question 45

What do you need to do about ephemeral ports when using a stateless firewall

Answer 45

Often have to open the full range, which is not great

Question 46

What is an advantage of stateful firewall

Answer 46

Less admin overhead, no need to allow ephemeral port range

Question 47

What does NACL stand for

Answer 47

Network Access Control List

Question 48

What is a NACL

Answer 48

A traditonnal firewall available for AWS VPCs

Question 49

What is a NACL associated with

Answer 49

A subnet

Question 50

What does a NACL filter

Answer 50

Traffic crossing subnet boundaries, in or out

Question 51

Are connections within a subnet impacted by NACLs

Answer 51

No

Question 52

Are NACL stateful or stateless

Answer 52

Stateless

Question 53

What do NACL rules match

Answer 53

IP/CIDR range, port, protocol

Question 54

What kinds of rules do NACL allow

Answer 54

Explicit allow and explicit deny

Question 55

In what order are NACL rules treated

Answer 55

Processed in order of rule number, lowest number treated first. Once a match occures, the processing stops.
There is an explicit deny for everything if no other rule matches

Question 56

Are rule numbers unique (for NACL)

Answer 56

They are unique per rule set

Question 57

Do you need inbound and outbound rules for NACL

Answer 57

Yes

Question 58

Do VPCs have NACL by default

Answer 58

Yes, it allows all

Question 59

What are custom NACLs

Answer 59

You create them, by default they are not associate dwith any VPC. They start off with only a deny all`

Question 60

What can only NACLs do

Answer 60

Explicit deny

Question 61

How would you usually divide security between a security group and NACL

Answer 61

Use security gorup to allow and NACL to deny

Question 62

What is the number to number relationship between NACL and subnet

Answer 62

One subnet can only have one NACL, but a NACL can be associate dto multiple subnets

Question 63

What is the difference between Security Groups and NACL

Answer 63

Security Gorups are stateful

Question 64

Do security groups have explicit deny

Answer 64

No, they only have allow and implicit deny

Question 65

What are Security Goups attached to

Answer 65

ENIs (Elastic Network Interfaces)

Question 66

Which ENIs are Security Groups attached to

Answer 66

The primary ENI of an instance

Question 67

What is the best practice to allow a web-tier server to connect to an app-tier server

Answer 67

Directly reference the web Security Group in the app instance security group

Question 68

What does a Security Group reference apply to

Answer 68

Anything that has the Security Group attached

Question 69

What can security group self-reference allow you to do

Answer 69

Makes it so any instance with the SG can communicate with any other instance with the same security group

Question 70

What is an advantage of Security Group self-reference with regards to IP changes

Answer 70

They are handled automatically since there is no dependency on them

Question 71

How do you generally use NACLs and Security groups^

Answer 71

Use NACL to explicitly block bad actors
Use SG to allow traffic to VPC-based resources

Question 72

What is NAT used for

Answer 72

To give a private resource outgoing only access to the internet

Question 73

What does NAT give to a private CIDR range

Answer 73

It gives outgoing internet access

Question 74

What is the IP mapping when using NAT

Answer 74

Many private IPs to onepublic IP

Question 75

What kind of NAT does and Internet Gateway do

Answer 75

Static NAT

Question 76

WWhat would yhou historically use to provide NAT

Answer 76

EC2 instance

Question 77

What is now available to handle NAT

Answer 77

Managed service: NAT Gateway

Question 78

How do you configure a NAT gateway

Answer 78

Put NAT gateway in public subnet
Configure route table in private subnet to point to NAT Gateway in public subnet

Question 79

Do NAT Gateways have their own public IP

Answer 79

No, they have to go through Internet Gateway

Question 80

What kind of IP is used by NAT gateways

Answer 80

Elastic Ips (Static public IPv4, allocated to your aws account for a region)

Question 81

What is the resilience of NAT Gateways

Answer 81

AZ-resilient, but HA in that AZ

Question 82

What do EC2 instances do by default to data on its network card for which it is neither the source or the destination

Answer 82

It drops it

Question 83

What do you need to do to source#destination checks on EC2 instances for NAT to work

Answer 83

Disable it

Question 84

What do you do for max availability of NAT

Answer 84

A NAT gateway in each AZ

Question 85

Do NAT gateways have free tier

Answer 85

No

Question 86

When can a NAT EC2 instance be cheaper than a manage NAT gateway

Answer 86

If only a test VPC with very low volume (can yuse the smallest instance size)
At high volumes

Question 87

What are 2 advantages, besides cost (potentially) of using a NAT EC2 instance instead of a managed NAT gateway

Answer 87

You can use it as a Bastion Host
You can filter traffic using NACLs or security groups

Question 88

What kind of security do managed NAT Gateways

Answer 88

Only NACL, not Security Groups

Question 89

Is NAT required for IPv6

Answer 89

No, IG works directly with all IPv6 IPs

Question 90

How do you do bidirectional connectivity for IPv6

Answer 90

::/0 and Internet Gateway

Question 91

How do you do egress only connectivity for IPv6

Answer 91

::/0 + Egress-only internet gateway (works only for IPv6)