Virtual Private Cloud Basics Flashcards

1
Q

What is the minimum size of a VPC

A

/28 = 16 IPs

2
Q

What is the maximum size of a VPC

A

/16 = 65356 IPs

3
Q

What do services use with regards to VPCs

A

Subnets, not VPCs

4
Q

Should you use Bastion hosts

A

No, they are frowned upon

5
Q

What type of service is VPC

A

Regional

6
Q

Can data move in and out of VPC

A

Only with explicit config, otherwise no

7
Q

How many subnets does the default VPC have

A

One per AZ

8
Q

What is a dedicated tenancy

A

Uses dedicated hardware

9
Q

What happens if you pick dedicated at VPC level

A

All resources in VPC must be on dedicated hardware

10
Q

What happens if you enable DNS hostnames

A

Instances with public IPs have DNS names

11
Q

What happens if you enable DNS support

A

Enables DNS resolution in VPC

12
Q

What is the address of the DNS in a VPC

A

Base + 2 (e.g. if VPC is 10.0.0.0, it would be 10.0.0.2)

13
Q

What is the number-to-number relationship between subnets and AZs

A

Subnet only has one AZ
AZ has 0 or more subnets

14
Q

Can subnets overlap

A

No

15
Q

How many IPs in every subnet are reserved

A

5

16
Q

What is the first address in a subnet

A

The network address, it cannot be used

17
Q

What is the second address in a subnet

A

Network + 1 - VPC router, it moves data between subnets and in and out of VPC if configured to allow it

18
Q

What is the third address in a subnet

A

Network + 2 - Reserved for DNS. Technically, it's the 2nd address of the VPC and not of the subnet that is used, but this address is reserved in every subnet

19
Q

What is the 4th address in a subnet

A

Network + 3 - Reserved for future use

20
Q

What is the last address in a subnet

A

It is the network broadcast address, it is reserved even if broadcast is not supported in VPCs

21
Q

What does DHCP stand for

A

Dynamic Host Configuration Protocol

22
Q

What is DHCP

A

It is how computing devices receive IPs automatically

23
Q

What has a route table

A

Each subnet, and the VPC, the VPC route table is used as default

24
Q

What is the number relationship between route tables and subnets

A

Each subnet has one route table, each route table can be associated with many subnets

25
What are the options for route tables of a subnet
Either the main VPC one, or a custom one
26
To what data does a route table apply
To the data leaving the subnet
27
Can local routes in a route table be edited
No, they are always there and uneditable
28
How do you know if something is a local route
It matches the VPC IPv4 or IPv6 CIDR range
29
How does a route table handle priorities
More specific (higher prefix value) = priority
30
When is the default route used
When nothing else matches
31
What resiliency does an Internet Gateway have
Regional
32
What is the number relationship between an internet gateway and a VPC
One to one
33
Where does an internet gateway run
From the AWS public zone
34
What does an internet gateway do
It is a gateway for traffic between the VPC and the internet or AWS public zone
35
What type of service is an internet gateway
AWS-managed - AWS handles the performance
36
What are the steps to configure an internet gateway
1 : Create IG
2 : Attach IG to VPC (will make it available to route table)
3 : Create a custom route table
4 : Associate the route table to the subnet
5 : Make the default route the IGW
6 : Configure the subnet to allocate public IPv4
Then the subnet is a public subnet
37
What kind of record does an internet gateway keep
A record linking a public and private IP (in IPv4 only)
38
What IP does an EC2 instance see
Only its private IPv4 IP
39
Is the OS on an EC2 instance ever aware of its public IPv4 address
No
40
Is the OS on an EC2 instance ever aware of its public IPv6 address
Yes, since it is the same as the private one; all IPv6 addresses are publicly routable by default, so the internet gateway does not need to do translation
41
What is a Bastion Host / Jumpbox
An instance in a public subnet, to which incoming management connections are made, and which can then access internal VPC resources. Often the only way into a VPC (historically; now there are other ways)
42
What does TCP stand for
Transport Control Protocol
43
How many parts does a connection have
2 : request and response
44
What is a stateless firewall
It is a firewall that sees a request and response as 2 individual parts
45
What do you need to do about ephemeral ports when using a stateless firewall
Often have to open the full range, which is not great
46
What is an advantage of stateful firewall
Less admin overhead, no need to allow ephemeral port range
47
What does NACL stand for
Network Access Control List
48
What is a NACL
A traditional firewall available for AWS VPCs
49
What is a NACL associated with
A subnet
50
What does a NACL filter
Traffic crossing subnet boundaries, in or out
51
Are connections within a subnet impacted by NACLs
No
52
Are NACL stateful or stateless
Stateless
53
What do NACL rules match
IP/CIDR range, port, protocol
54
What kinds of rules do NACL allow
Explicit allow and explicit deny
55
In what order are NACL rules treated
Processed in order of rule number, lowest number treated first. Once a match occurs, the processing stops. There is an explicit deny for everything if no other rule matches
56
Are rule numbers unique (for NACL)
They are unique per rule set
57
Do you need inbound and outbound rules for NACL
Yes
58
Do VPCs have NACL by default
Yes, it allows all
59
What are custom NACLs
You create them; by default they are not associated with any VPC. They start off with only a deny all
60
What can only NACLs do
Explicit deny
61
How would you usually divide security between a security group and NACL
Use security group to allow and NACL to deny
62
What is the number to number relationship between NACL and subnet
One subnet can only have one NACL, but a NACL can be associated to multiple subnets
63
What is the difference between Security Groups and NACL
Security Groups are stateful
64
Do security groups have explicit deny
No, they only have allow and implicit deny
65
What are Security Groups attached to
ENIs (Elastic Network Interfaces)
66
Which ENIs are Security Groups attached to
The primary ENI of an instance
67
What is the best practice to allow a web-tier server to connect to an app-tier server
Directly reference the web Security Group in the app instance security group
68
What does a Security Group reference apply to
Anything that has the Security Group attached
69
What can security group self-reference allow you to do
Makes it so any instance with the SG can communicate with any other instance with the same security group
70
What is an advantage of Security Group self-reference with regards to IP changes
They are handled automatically since there is no dependency on them
71
How do you generally use NACLs and Security Groups
Use NACL to explicitly block bad actors
Use SG to allow traffic to VPC-based resources
72
What is NAT used for
To give a private resource outgoing only access to the internet
73
What does NAT give to a private CIDR range
It gives outgoing internet access
74
What is the IP mapping when using NAT
Many private IPs to one public IP
75
What kind of NAT does an Internet Gateway do
Static NAT
76
What would you historically use to provide NAT
EC2 instance
77
What is now available to handle NAT
Managed service: NAT Gateway
78
How do you configure a NAT gateway
Put NAT gateway in public subnet
Configure route table in private subnet to point to NAT Gateway in public subnet
79
Do NAT Gateways have their own public IP
No, they have to go through Internet Gateway
80
What kind of IP is used by NAT gateways
Elastic IPs (Static public IPv4, allocated to your AWS account for a region)
81
What is the resilience of NAT Gateways
AZ-resilient, but HA in that AZ
82
What do EC2 instances do by default to data on their network card for which they are neither the source nor the destination
It drops it
83
What do you need to do to source/destination checks on EC2 instances for NAT to work
Disable it
84
What do you do for max availability of NAT
A NAT gateway in each AZ
85
Do NAT gateways have free tier
No
86
When can a NAT EC2 instance be cheaper than a managed NAT gateway
If only a test VPC with very low volume (can use the smallest instance size)
At high volumes
87
What are 2 advantages, besides cost (potentially) of using a NAT EC2 instance instead of a managed NAT gateway
You can use it as a Bastion Host
You can filter traffic using NACLs or security groups
88
What kind of security do managed NAT Gateways support
Only NACL, not Security Groups
89
Is NAT required for IPv6
No, IG works directly with all IPv6 IPs
90
How do you do bidirectional connectivity for IPv6
::/0 and Internet Gateway
91
How do you do egress only connectivity for IPv6
::/0 + Egress-only internet gateway (works only for IPv6)