Virtual Private Cloud Basics Flashcards by k l

What is the minimum size of a VPC

/28 = 16 IPs

How well did you know this?

Not at all

Perfectly

What is the maximum size of a VPC

/16 = 65356 IPs

How well did you know this?

Not at all

Perfectly

What do services use with regards to VPCs

Subnets, not VPCs

How well did you know this?

Not at all

Perfectly

Should you use Bastion hosts

No, they are frowned upon

How well did you know this?

Not at all

Perfectly

What type of service is VPC

Regional

How well did you know this?

Not at all

Perfectly

Can data move in and out of VPC

Only with explicit config, otherwise no

How well did you know this?

Not at all

Perfectly

How many subnets does the default VPC have

One per AZ

How well did you know this?

Not at all

Perfectly

What is a dedicated tenancy

Uses dedicated hardware

How well did you know this?

Not at all

Perfectly

What happens if you pick dedicated at VPC level

All ressources in VPC must be on dedicated hardware

How well did you know this?

Not at all

Perfectly

What happens if you enabble DNS hostnames

Instances with public IPs have DNS names

How well did you know this?

Not at all

Perfectly

What happens if you enable DNS support

Enables DNS resolution in VPC

How well did you know this?

Not at all

Perfectly

What is the address of the DNS in a VPC

Base + 2 (e.g. if VPC is 10.0.0.0, it would be 10.0.0.2)

How well did you know this?

Not at all

Perfectly

What is the nuber-to-number relationship between subnets and AZs

Subnet only has one AZ
AZ has 0 or more subnets

How well did you know this?

Not at all

Perfectly

Can subnets overlap

How well did you know this?

Not at all

Perfectly

How many IPs in every subnet is reserved

How well did you know this?

Not at all

Perfectly

What is the first address in a subnet

The network address, it cannot be used

How well did you know this?

Not at all

Perfectly

What is the second address in a subnet

Network + 1 - VPC router, it moves data between subnets and in and out of VPC if configured to allow it

How well did you know this?

Not at all

Perfectly

What is the third address in a subnet

Network + 2 - Reserved for DNS. Technivally, it<s the 2nd adress ovf VPC and not subnet which is used, but this address is reserved in every subnet

How well did you know this?

Not at all

Perfectly

What is the 4th address in a subnet

Network + 3 - Reserved for future use

How well did you know this?

Not at all

Perfectly

What is the last address in a subnet

It is the network broadcast address, it is reserved even if broadcast is not supported in VPCs

How well did you know this?

Not at all

Perfectly

What does DHCP stand for

Dynamic Host Configuration Protocol

How well did you know this?

Not at all

Perfectly

What is DHCP

It is how computing devices receive IPs automatically

How well did you know this?

Not at all

Perfectly

What has a route table

Each subnet, and the VPC, the VPC route table is used as default

How well did you know this?

Not at all

Perfectly

What is the number relationship between route tables and subnets

Each subnet has one route table, each route table can be associated with many subnets

How well did you know this?

Not at all

Perfectly

What are the options for route tables of a subnet

Either the main VPC one, ort a custom one

To what data does a route table apply

To the data leaving the subnet

Can local routes in a route tbale be edited

No, they are always there and uneditable

How do you know if something is a local route

It matches the VPC IPv$ or 6 CIDR range

How does a route table handle priorities

More specific (higher prefix value) = priority

When is the default route used

When nothing else matches

What resiliency does an Internet Gateway have

Regional

What is the number relationship between an internet gateway and a VPC

One to one

Where does an internet gateway run

From the AWS public zone

What does an internet gateway do

It is a gateway for traffic between the vpc and the internet or aws public zone

What type of service is an internet gateway

AWS-managed - AWS handles the performance

What are the steps to configure an internet gateway

1 : Create IG 2 : Attach IG to VPC (will make it available to route table) 3 : Create a custom route table 4 : Associate the route table to the dubnet 5 : Make the default route the IGW 6 : Configure the subnet to allocation public IPv4 Then the subnet is a public sbnet

What kind of record does an internet gateway keep

A record linking a public and private IP (in IPv4 only)

What IP does an EC2 instance see

Only its private IPv4 IP

Is the OS on an EC2 instance ever aware of its public IPv4 address

Is the OS on an EC2 instance ever aware of its public IPv6 address

Yes, since it is the same as the private one, all IPv6 address are publicly routable by default, the internet gateway does not need to do translation

What is a Bastion Host / Jumpbox

An instance in a public subnet, to which incoming management connections are made, and can then access internal VPC ressources. Often the only way into a VPC (historically, now there are other ways)

What does TCP stand for

Transport Control Protocol

How many parts does a connection have

2 : request and response

What is a stateless firewall

It is a firewall that sees a request and response as 2 individual parts

What do you need to do about ephemeral ports when using a stateless firewall

Often have to open the full range, which is not great

What is an advantage of stateful firewall

Less admin overhead, no need to allow ephemeral port range

What does NACL stand for

Network Access Control List

What is a NACL

A traditonnal firewall available for AWS VPCs

What is a NACL associated with

A subnet

What does a NACL filter

Traffic crossing subnet boundaries, in or out

Are connections within a subnet impacted by NACLs

Are NACL stateful or stateless

Stateless

What do NACL rules match

IP/CIDR range, port, protocol

What kinds of rules do NACL allow

Explicit allow and explicit deny

In what order are NACL rules treated

Processed in order of rule number, lowest number treated first. Once a match occures, the processing stops. There is an explicit deny for everything if no other rule matches

Are rule numbers unique (for NACL)

They are unique per rule set

Do you need inbound and outbound rules for NACL

Yes

Do VPCs have NACL by default

Yes, it allows all

What are custom NACLs

You create them, by default they are not associate dwith any VPC. They start off with only a deny all`

What can only NACLs do

Explicit deny

How would you usually divide security between a security group and NACL

Use security gorup to allow and NACL to deny

What is the number to number relationship between NACL and subnet

One subnet can only have one NACL, but a NACL can be associate dto multiple subnets

What is the difference between Security Groups and NACL

Security Gorups are stateful

Do security groups have explicit deny

No, they only have allow and implicit deny

What are Security Goups attached to

ENIs (Elastic Network Interfaces)

Which ENIs are Security Groups attached to

The primary ENI of an instance

What is the best practice to allow a web-tier server to connect to an app-tier server

Directly reference the web Security Group in the app instance security group

What does a Security Group reference apply to

Anything that has the Security Group attached

What can security group self-reference allow you to do

Makes it so any instance with the SG can communicate with any other instance with the same security group

What is an advantage of Security Group self-reference with regards to IP changes

They are handled automatically since there is no dependency on them

How do you generally use NACLs and Security groups^

Use NACL to explicitly block bad actors Use SG to allow traffic to VPC-based resources

What is NAT used for

To give a private resource outgoing only access to the internet

What does NAT give to a private CIDR range

It gives outgoing internet access

What is the IP mapping when using NAT

Many private IPs to onepublic IP

What kind of NAT does and Internet Gateway do

Static NAT

WWhat would yhou historically use to provide NAT

EC2 instance

What is now available to handle NAT

Managed service: NAT Gateway

How do you configure a NAT gateway

Put NAT gateway in public subnet Configure route table in private subnet to point to NAT Gateway in public subnet

Do NAT Gateways have their own public IP

No, they have to go through Internet Gateway

What kind of IP is used by NAT gateways

Elastic Ips (Static public IPv4, allocated to your aws account for a region)

What is the resilience of NAT Gateways

AZ-resilient, but HA in that AZ

What do EC2 instances do by default to data on its network card for which it is neither the source or the destination

It drops it

What do you need to do to source#destination checks on EC2 instances for NAT to work

Disable it

What do you do for max availability of NAT

A NAT gateway in each AZ

Do NAT gateways have free tier

When can a NAT EC2 instance be cheaper than a manage NAT gateway

If only a test VPC with very low volume (can yuse the smallest instance size) At high volumes

What are 2 advantages, besides cost (potentially) of using a NAT EC2 instance instead of a managed NAT gateway

You can use it as a Bastion Host You can filter traffic using NACLs or security groups

What kind of security do managed NAT Gateways

Only NACL, not Security Groups

Is NAT required for IPv6

No, IG works directly with all IPv6 IPs

How do you do bidirectional connectivity for IPv6

::/0 and Internet Gateway

How do you do egress only connectivity for IPv6

::/0 + Egress-only internet gateway (works only for IPv6)