Virtual Private Cloud Basics Flashcards
What is the minimum size of a VPC
/28 = 16 IPs
What is the maximum size of a VPC
/16 = 65356 IPs
What do services use with regards to VPCs
Subnets, not VPCs
Should you use Bastion hosts
No, they are frowned upon
What type of service is VPC
Regional
Can data move in and out of VPC
Only with explicit config, otherwise no
How many subnets does the default VPC have
One per AZ
What is a dedicated tenancy
Uses dedicated hardware
What happens if you pick dedicated at VPC level
All resources in VPC must be on dedicated hardware
What happens if you enable DNS hostnames
Instances with public IPs have DNS names
What happens if you enable DNS support
Enables DNS resolution in VPC
What is the address of the DNS in a VPC
Base + 2 (e.g. if VPC is 10.0.0.0, it would be 10.0.0.2)
What is the number-to-number relationship between subnets and AZs
Subnet only has one AZ
AZ has 0 or more subnets
Can subnets overlap
No
How many IPs in every subnet are reserved
5
What is the first address in a subnet
The network address, it cannot be used
What is the second address in a subnet
Network + 1 - VPC router, it moves data between subnets and in and out of VPC if configured to allow it
What is the third address in a subnet
Network + 2 - Reserved for DNS. Technically, it's the 2nd address of the VPC and not the subnet that is used, but this address is reserved in every subnet
What is the 4th address in a subnet
Network + 3 - Reserved for future use
What is the last address in a subnet
It is the network broadcast address, it is reserved even if broadcast is not supported in VPCs
What does DHCP stand for
Dynamic Host Configuration Protocol
What is DHCP
It is how computing devices receive IPs automatically
What has a route table
Each subnet, and the VPC, the VPC route table is used as default
What is the number relationship between route tables and subnets
Each subnet has one route table, each route table can be associated with many subnets
What are the options for route tables of a subnet
Either the main VPC one, or a custom one
To what data does a route table apply
To the data leaving the subnet
Can local routes in a route table be edited
No, they are always there and uneditable
How do you know if something is a local route
It matches the VPC IPv4 or IPv6 CIDR range
How does a route table handle priorities
More specific (higher prefix value) = priority
When is the default route used
When nothing else matches
What resiliency does an Internet Gateway have
Regional
What is the number relationship between an internet gateway and a VPC
One to one
Where does an internet gateway run
From the AWS public zone
What does an internet gateway do
It is a gateway for traffic between the VPC and the internet or AWS public zone
What type of service is an internet gateway
AWS-managed - AWS handles the performance
What are the steps to configure an internet gateway
1 : Create IG
2 : Attach IG to VPC (will make it available to route table)
3 : Create a custom route table
4 : Associate the route table to the subnet
5 : Make the default route the IGW
6 : Configure the subnet to allocate public IPv4
Then the subnet is a public subnet
What kind of record does an internet gateway keep
A record linking a public and private IP (in IPv4 only)
What IP does an EC2 instance see
Only its private IPv4 IP
Is the OS on an EC2 instance ever aware of its public IPv4 address
No
Is the OS on an EC2 instance ever aware of its public IPv6 address
Yes, since it is the same as the private one; all IPv6 addresses are publicly routable by default, so the internet gateway does not need to do translation
What is a Bastion Host / Jumpbox
An instance in a public subnet, to which incoming management connections are made, and which can then access internal VPC resources. Often the only way into a VPC (historically; now there are other ways)
What does TCP stand for
Transport Control Protocol
How many parts does a connection have
2 : request and response
What is a stateless firewall
It is a firewall that sees a request and response as 2 individual parts
What do you need to do about ephemeral ports when using a stateless firewall
Often have to open the full range, which is not great
What is an advantage of stateful firewall
Less admin overhead, no need to allow ephemeral port range
What does NACL stand for
Network Access Control List
What is a NACL
A traditional firewall available for AWS VPCs
What is a NACL associated with
A subnet
What does a NACL filter
Traffic crossing subnet boundaries, in or out
Are connections within a subnet impacted by NACLs
No
Are NACLs stateful or stateless
Stateless
What do NACL rules match
IP/CIDR range, port, protocol
What kinds of rules do NACLs allow
Explicit allow and explicit deny
In what order are NACL rules treated
Processed in order of rule number, lowest number treated first. Once a match occurs, the processing stops.
There is an explicit deny for everything if no other rule matches
Are rule numbers unique (for NACL)
They are unique per rule set
Do you need inbound and outbound rules for NACL
Yes
Do VPCs have NACL by default
Yes, it allows all
What are custom NACLs
You create them; by default they are not associated with any VPC. They start off with only a deny all
What can only NACLs do
Explicit deny
How would you usually divide security between a security group and NACL
Use security group to allow and NACL to deny
What is the number to number relationship between NACL and subnet
One subnet can only have one NACL, but a NACL can be associated to multiple subnets
What is the difference between Security Groups and NACL
Security Groups are stateful
Do security groups have explicit deny
No, they only have allow and implicit deny
What are Security Groups attached to
ENIs (Elastic Network Interfaces)
Which ENIs are Security Groups attached to
The primary ENI of an instance
What is the best practice to allow a web-tier server to connect to an app-tier server
Directly reference the web Security Group in the app instance security group
What does a Security Group reference apply to
Anything that has the Security Group attached
What can security group self-reference allow you to do
Makes it so any instance with the SG can communicate with any other instance with the same security group
What is an advantage of Security Group self-reference with regards to IP changes
They are handled automatically since there is no dependency on them
How do you generally use NACLs and Security Groups
Use NACL to explicitly block bad actors
Use SG to allow traffic to VPC-based resources
What is NAT used for
To give a private resource outgoing only access to the internet
What does NAT give to a private CIDR range
It gives outgoing internet access
What is the IP mapping when using NAT
Many private IPs to one public IP
What kind of NAT does an Internet Gateway do
Static NAT
What would you historically use to provide NAT
EC2 instance
What is now available to handle NAT
Managed service: NAT Gateway
How do you configure a NAT gateway
Put NAT gateway in public subnet
Configure route table in private subnet to point to NAT Gateway in public subnet
Do NAT Gateways have their own public IP
No, they have to go through Internet Gateway
What kind of IP is used by NAT gateways
Elastic IPs (static public IPv4, allocated to your AWS account for a region)
What is the resilience of NAT Gateways
AZ-resilient, but HA in that AZ
What do EC2 instances do by default to data on their network card for which they are neither the source nor the destination
It drops it
What do you need to do to source/destination checks on EC2 instances for NAT to work
Disable it
What do you do for max availability of NAT
A NAT gateway in each AZ
Do NAT gateways have free tier
No
When can a NAT EC2 instance be cheaper than a managed NAT gateway
If only a test VPC with very low volume (can use the smallest instance size)
At high volumes
What are 2 advantages, besides cost (potentially) of using a NAT EC2 instance instead of a managed NAT gateway
You can use it as a Bastion Host
You can filter traffic using NACLs or security groups
What kind of security do managed NAT Gateways support
Only NACL, not Security Groups
Is NAT required for IPv6
No, IG works directly with all IPv6 IPs
How do you do bidirectional connectivity for IPv6
::/0 and Internet Gateway
How do you do egress only connectivity for IPv6
::/0 + Egress-only internet gateway (works only for IPv6)