Virtual Private Cloud (VPC)

Question 1

What is a VPC?

Answer 1

A virtual private data center in the cloud.

1. A logically isolated part of the AWS cloud where you can define your own network
2. Complete control of virtual network, including your own IP address range, subnets, route tables and network gateways
3. You can leverage multiple layers of security (public subnet, private subnets), including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet
4. You can create a hardware Virtual Private Network (VPN) connection between your corporate data center and your VPC and leverage the AWS cloud as an extension of your corporate data center

http://cidr.xyz

Question 2

What is the maximum addressable size of IPs you can have with a CIDR block in AWS?

Answer 2

/16 which gives 65,556 network addresses

Question 3

What can we do with a VPC?

Answer 3

1. Launch instances into a subnet of your choosing
2. Assign custom IP addresses in each subnet
3. Configure route tables between subnets
4. Create an Internet Gateway and attach it to a VPC
5. Gives much better control over your AWS resources
6. Provision access control lists (you can use network access control lists to block specific IP addresses)

Question 4

What tool in a VPC do you use to block specific IP addresses from gaining access to a VPC?

Answer 4

Network ACL (NACL), not security groups

Question 5

What are the things you can expect with the default VPC?

Answer 5

1. The default VPC is user friendly
2. All subnets in the default VPC have a route out to the internet (all public)
3. Each EC2 instance has both a public and a private IP address in the default VPC

Question 6

What are the main components of a VPC?

Answer 6

1. Internet gateways (or virtual private gateways)
2. Route tables
3. Network access control lists (NACLs)
4. Subnets
5. Security groups

Question 7

When you create a subnet, where is it created?

Answer 7

In one availability zone, it cannot span multiple availability zones

Question 8

What are the steps to creating a custom VPC?

Answer 8

1. Navigate to VPC service
2. Click “Create VPC” button
3. Optionally give it a name
4. Select IPv4 CIDR block manual input of 10.0.0.0/16 (largest)
5. Do not select IPv6 CIDR block
6. Select the default tenancy (as opposed to dedicated, which is very expensive)
7. Click “Create VPC” button

Question 9

When you create a VPC, what three things are created by default?

Answer 9

1. Main route table
2. Main network ACL (NACL)
3. Security group

Question 10

What is a subnet in a VPC?

Answer 10

A virtual firewall

Question 11

What are the two accessibility options when creating a subnet?

Answer 11

1. Public (internet accessible)
2. Private (not internet accessible)

Question 12

What are the steps to creating a new subnet?

Answer 12

1. Select a VPC
2. Give the subnet a name (e.g. 10.0.1.0/24 - us-east-1a)
3. Select the availability zone
4. Enter the CIDR block range (10.0.1.0/24) - give 251 available IP addresses with 5 reserved for AWS (10.0.1.0, 10.0.1.1, 10.0.1.2, 10.0.1.3, and 10.0.1.255)
5. Click “Create Subnet” button

Question 13

What are the steps to making a subnet public and internet accessible?

Answer 13

1. Select the subnet and click “Edit”
2. Check the box labeled “Enable auto-assign public IPv4 address”
3. Click “Save”.
4. Select the option to create a new Internet Gateway
5. Give it a name
6. Click “Create”
7. Select the newly created Internet Gateway
8. Click “Attach to VPC” button
9. Select the VPC
10. Click “Attach Internet Gateway”

Next, create a new route table with a route in from the internet. If we had used the main route table to create the public route, then any new subnet would be public facing by default.
1. Click “Create Route Table” button
2. Give it a name
3. Select the VPC
4. Click “Create Route Table” button

1. Select the new Route Table
2. Click “Edit Routes” button
3. Click “Add Route”
4. Enter the Destination 0.0.0.0/0
5. Select the new Internet Gateway as the Target
6. Click “Save Changes”
7. Select the new Route Table
8. Select “Subnet associations” tab
9. Click “Edit subnet associations” button
10. Select the public subnet
11. Click “Save associations” button

Question 14

What is a NAT Gateway?

Answer 14

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services while preventing the internet from initiating a connection to those instances.

Question 15

How can an instance in a public subnet get access to the internet?

Answer 15

It sends traffic through the Network ACLs, Route Table, Router and Internet Gateway

Question 16

How can an instance in a private subnet get access to the internet (if the route table prevents it)?

Answer 16

Provision a NAT Gateway in the public subnet that acts as a means for internet traffic to go out through the NAT Gateway, through the public Network ACL, Route Table, Router and Internet Gateway.

Question 17

What are the key features of a NAT Gateway?

Answer 17

1. It is redundant within an AZ for high-availability
2. Starts at 5 Gbps and scales to 45 Gbps
3. No need to patch
4. Not associated with security groups
5. Automatically assigned a public IP address

Question 18

What are the steps to making a NAT Gateway and creating a route out from a private subnet?

Answer 18

1. Click “Create NAT Gateway”
2. Give it a name
3. Select the public subnet
4. Click “Allocate Elastic IP” button
5. Click “Create NAT Gateway” button
6. Select the main route table (that doesn’t have a route out to the internet)
7. Click “Edit Routes” button
8. Click “Add Route” button
9. Enter 0.0.0.0/0 as the Destination
10. Select NAT Gateway as the Target
11. Click “Save Routes” button

Question 19

What are Security Groups in VPC?

Answer 19

Virtual firewalls for a VPC

They are the last line of defense of inbound traffic.

Question 20

If you have a scenario where you have connectivity problems, what things should you look at (and in what order)?

Answer 20

1. Look at Route Tables
2. Look at Network ACLs
3. Check the Security Groups

Question 21

In Security Groups, by default is all traffic blocked or open?

Answer 21

By default, all traffic is blocked (to let everything in, use 0.0.0.0/0)

Question 22

Are security groups stateless or stateful?

Answer 22

Security groups are stateful – if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules, and visa versa.

Question 23

What is a Network ACL?

Answer 23

An optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

They are the first line of defense of inbound traffic.

Question 24

In Network ACLs, by default, is all traffic blocked or open?

Answer 24

By default, all traffic is allowed, both outbound and inbound.

Question 25

When you create a custom Network ACL for a VPC, by default, is all traffic blocked or allowed?

Answer 25

By default, each custom network ACL denies all inbound and outbound traffic until you add rules.

Question 26

Does a subnet have to be associated with a Network ACL?

Answer 26

Yes, each subnet in your VPC must be associated with a Network ACL. If you don’t explicitly associate a subnet with a Network ACL, the subnet is automatically associated with the default Network ACL.

Question 27

Does a subnet have to be associated with a Network ACL?

Answer 27

Yes, each subnet in your VPC must be associated with a Network ACL. If you don’t explicitly associate a subnet with a Network ACL, the subnet is automatically associated with the default Network ACL.

Question 28

What is the relationship between a subnet and a Network ACL?

Answer 28

A Network ACL may be associated to multiple subnets but a subnet may be associated with only one Network ACL.

Question 29

How are Network ACLs evaluated?

Answer 29

Network ACLs contain a numbered list of rules that are evaluated in order, starting with the lowest numbered rule.

They have separate inbound and outbound rules, and each rule can either allow or deny traffic.

Question 30

Are Network ACLs stateless or stateful?

Answer 30

Network ACLs are stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and visa versa).

Question 31

What are VPC Endpoints?

Answer 31

Enable you to privately connect to your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an Internet Gateway, NAT device, VPN connection or AWS Direct Connection.

1. They are virtual devices
   2, They are horizontally scaled, redundant and highly available VPC components that allow communication between instances in your VPC and AWS services (without imposing security risks or bandwidth constraints on your network traffic)

Question 32

Do instances in your VPC require a public IP address to communicate with resources in the Amazon network?

Answer 32

No, you only need to configure a VPC endpoint.

Question 33

When connecting to AWS services, do you want to use a NAT Gateway or VPC Endpoints to provide the connection?

Answer 33

You want to use VPC Endpoints because they are infinitely scalable and NAT Gateways have limitations.

Question 34

What are the two different options for VPC Endpoints?

Answer 34

1. Interface Endpoints (elastic network interface with a private IP address that serves as an entry point for traffic headed to a supported service, and they support a large number of AWS services)
2. Gateway Endpoints (similar to NAT gateways, in that it is a virtual device you provision; it supports connections to S3 and DynamoDB)

Question 35

What is the use case for a VPC Endpoint?

Answer 35

When you want to connect to AWS services without leaving the Amazon internal network.

Question 36

When you have multiple VPCs and you want to connect the VPCs together, what service would you use?

Answer 36

VPC peering

Question 37

What is VPC Peering?

Answer 37

1. It allows you to connect one VPC to another via a direct network route using private IP addresses
2. Instances behave as if they were on the same private network
3. You can peer VPCs with other AWS accounts as well as with other VPCs in the same account
4. You can peer between regions
5. Peering is in a star configuration (e.g. one central VPC peers with four others, no transitive peering meaning that you cannot connect to a VPC through another VPC)

Question 38

What is the rule with CIDR addresses and VPC Peering?

Answer 38

You cannot have overlapping CIDR addresses when peering VPCs

Question 39

What are the two ways you can open up a VPC to connectivity to another VPC?

Answer 39

1. Open the VPC up the the internet via an Internet Gateway
2. Using VPC Peering

Question 40

What is the best way to expose a service VPC to tens, hundreds or thousands of customer VPCs?

Answer 40

Using VPC PrivateLink

Question 41

What is VPC PrivateLink?

Answer 41

1. Does not require VPC Peering;
2. No route tables, NAT Gateways, Internet Gateways, etc.
3. Requires a Network Load Balancer on the service VPC and an ENI on the customer VPC

Question 42

What is AWS VPN CloudHub?

Answer 42

If you have multiple sites, each with its own VPN connection, you can use AWS VPN CloudHub to connect those sites together.

1. It works on a hub-and-spoke model
2. Low cost and easy to manage
3. It operates over the public internet, but all traffic between the customer gateway and the AWS VPN CloudHub is encrypted

Question 43

If you have a scenario where you are asked how you can aggregate multiple VPN connections together from different customer sites or all over the world, what service would you recommend?

Answer 43

AWS VPN CloudHub

Question 44

What is AWS Direct Connect?

Answer 44

A cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS.

Question 45

How can you establish private connectivity between AWS and your data center or office?

Answer 45

Using AWS Direct Connect

In many cases you can reduce network costs, increase bandwidth throughput and provide a more consistent network experience than internet-based connections.

Question 46

What are the two types of AWS Direct Connect connections?

Answer 46

1. Dedicated connection (a physical ethernet connection associated with a single customer; you can request a dedicated connection through the AWS Direct Connect console, the CLI or the API)
2. Hosted connection (a physical ethernet connection that an AWS Direct Connect Partner, like Verizon or AT&T, who provisions on behalf of a customer; you can request by contacting a partner in the AWS Direct Connect Partner Program, who provisions the connection)

Question 47

How is AWS Direct Connect an improvement over VPC?

Answer 47

VPNs traverse the public internet to get the data delivered (although it is still secure) while AWS Direct Connect uses a dedicated connection making it:

1. Fast
2. Reliable
3. Secure
4. Able to take massive throughput

Question 48

What use cases would you consider using AWS Direct Connect?

Answer 48

When you have high throughput workloads or that require a stable, secure connection.

Question 49

If you have a scenario where the VPN connection to AWS keeps dropping out and you need to reduce costs and you need to increase your network throughput, what AWS service would you recommend?

Answer 49

AWS Direct Connect

Question 50

What is AWS Transit Gateway?

Answer 50

It connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.

Question 51

What are the features of AWS Transit Gateway?

Answer 51

1. It allow you to have transitive peering between thousands of VPCs and on-premises data centers
2. Works on a hub-and-spoke model
3. Works on a regional basis but you can have it across multiple regions
4. You can use it across multiple AWS accounts using RAM (Resource Access Manager)

Question 52

How can you limit how VPCs talk to one another when using AWS Transit Gateway

Answer 52

Using Route Tables

Question 53

Does AWS Transit Gateway work with both VPN and AWS Direct Connect or only one of them?

Answer 53

It works with both

Question 54

Does AWS Transit Gateway support IP multicast (which allows a host to send a single packet to thousands of hosts across a routed network)?

Answer 54

Yes (but it is not supported by any other AWS services)

Question 55

If you have a scenario where it mentions needing to simply the network topology, what service would you recommend?

Answer 55

AWS Transit Gateway

Question 56

What are 5G networks?

Answer 56

5G provides mobile devices with higher speed, lower latency and greater capacity than 4G LTE networks

Question 57

What is AWS Wavelength?

Answer 57

Embeds AWS compute and storage services within 5G networks, providing mobile edge computing infrastructure for developing, deploying and scaling ultra-low-latency applications.

Question 58

If you have a scenario about mobile edge computing, what service would you recommend?

Answer 58

AWS Wavelength

Question 59

If you have resources in multiple AZs and they share a NAT gateway, in the event that the NAT Gateways AZ is down, resources in the other AZs will lose internet access. How do you avoid this?

Answer 59

To create an AZ-independent architecture, create a NAT Gateway in each AZ and configure your routing to ensure resources use the NAT Gateway in the same AZ.