Virtual Private Cloud (VPC)

Question 1

What does CIDR stand for?

Answer 1

Classless Inter-Domain Routing

Question 2

a method for allocating IP addresses

Answer 2

CIDR - Classless Inter-Domain Routing

Question 3

A CIDR consists of two components

Answer 3

Base IP
Subnet Mask

Question 4

• Represents an IP contained in the range (XX.XX.XX.XX)
• Example:10.0.0.0,192.168.0.0,…

Answer 4

Base IP

Question 5

• Defines how many bits can change in the IP
• Example:/0,/24,/32
• Can take two forms:
  
  • /8ó255.0.0.0
  • /16ó255.255.0.0
  • /24ó255.255.255.0
  • /32ó255.255.255.255

Answer 5

Subnet Mask

Question 6

basically allows part of the underlying IP to get additional next values from the base IP

Answer 6

CIDR - The Subnet Mask

Question 7

New EC2 instances are launched into the default VPC if no ______ is specified

Answer 7

subnet

Question 8

Default VPC has Internet connectivity and all EC2 instances inside it have public ________ addresses

Answer 8

IPv4

Question 9

Default VPC in new EC2 instances, we also get a public and a private ____________ names

Answer 9

IPv4 DNS

Question 10

Can you have multiple VPCs in an AWS region?

Answer 10

YES (max. 5 per region – soft limit)

Question 11

Max. CIDR per VPC is ______ , for each CIDR:
* Min. size is
* Max. size is

Answer 11

5
/28 (16 IP addresses)
/16 (65536 IP addresses)

Question 12

Because VPC is private, only the ________ ranges are allowed:
* 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
* 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
* 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

Answer 12

Private IPv4

Question 13

Your VPC CIDR should ________ overlap with your other networks

Answer 13

NOT

Question 14

AWS reserves ______ IP addresses (first 4 & last 1) in each subnet

Answer 14

5

Question 15

These 5 IP addresses are __________ for use and can’t be assigned to an EC2 instance

Answer 15

not available

Question 16

What does IGW stand for??

Answer 16

Internet Gateway

Question 17

• Allows resources (e.g., EC2 instances) in a VPC connect to the Internet
• It scales horizontally and is highly available and redundant
• Must be created separately from a VPC
• OneVPC can only be attached to one IGW and vice versa

Answer 17

Internet Gateway (IGW)

Question 18

Internet Gateways on their own __________ allow Internet access

Answer 18

do not

Question 19

We can use a ________ to SSH into our private EC2 instances

Answer 19

Bastion Host

Question 20

The bastion is in the _______ which is then connected to all other ___________

Answer 20

public subnet
private subnets

Question 21

Bastion Host security group must allow inbound from the internet on _________ from restricted CIDR, for example the public CIDR of your corporation

Answer 21

port 22

Question 22

Security Group of the EC2 Instances must allow the Security Group of the Bastion Host, or the __________ of the Bastion host

Answer 22

private IP

Question 23

What does NAT stand for?

Answer 23

Network Address Translation

Question 24

• Allows EC2 instances in private subnets to
  connect to the Internet
• Must be launched in a public subnet
• Must disable EC2 setting: Source / destination Check
• Must have Elastic IP attached to it
• RouteTables must be configured to route traffic from private subnets to the NAT Instance

Answer 24

NAT Instance

Question 25

• AWS-managed NAT, higher bandwidth, high availability, no administration
• Pay per hour for usage and bandwidth
• NATGW is created in a specific Availability Zone, uses an Elastic IP
• Can’t be used by EC2 instance in the same subnet (only from other subnets)
• Requires an IGW (Private Subnet => NATGW => IGW)
• 5 Gbps of bandwidth with automatic scaling up to 45 Gbps
• No Security Groups to manage / required

Answer 25

NAT Gateway

Question 26

NAT Gateway is resilient within a ___________

Answer 26

single Availability Zone

Question 27

NAT Gateway with High Availability - Must create __________ in multiple AZs for fault-tolerance

Answer 27

multiple NAT Gateways

Question 28

There is no cross-AZ failover needed because if an AZ goes down it _______

Answer 28

doesn’t need NAT

Question 29

Availability
Highly available within AZ (create in another AZ)

Answer 29

NAT Gateway

Question 30

Bandwidth
Up to 45 Gbps

Answer 30

NAT Gateway

Question 31

Maintenance
Managed by AWS

Answer 31

NAT Gateway

Question 32

Cost
Per hour & amount of data transferred

Answer 32

NAT Gateway

Question 33

Availability
Use a script to manage failover between instances

Answer 33

NAT Instance

Question 34

Bandwidth
Depends on EC2 instance type

Answer 34

NAT Instance

Question 35

Maintenance
Managed by you (e.g., software, OS patches, …)

Answer 35

NAT Instance

Question 36

Cost
Per hour, EC2 instance type and size, + network $

Answer 36

NAT Instance

Question 37

Public IPv4 - Yes

Answer 37

NAT Gateway

Question 38

Public IPv4 - Yes

Answer 38

NAT Instance

Question 39

Private IPv4 - Yes

Answer 39

Nat Gateway

Question 40

Private IPv4 - Yes

Answer 40

Nat Instance

Question 41

Security Group - No

Answer 41

Nat Gateway

Question 42

Security Group - Yes

Answer 42

Nat Instance

Question 43

Use as Bastion Host - No

Answer 43

Nat Gateway

Question 44

Use as Bastion Host - Yes

Answer 44

Nat Instance

Question 45

What does NACL stand for?

Answer 45

Network Access Control List

Question 46

are like a firewall which control traffic from and to subnets

Answer 46

Network Access Control List (NACL)

Question 47

One NACL per ________, new subnets are assigned the ________

Answer 47

subnet
Default NACL

Question 48

• Rules have a number (1-32766), higher precedence with a lower number
• First rule match will drive the decision
• Example: if you define #100 ALLOW 10.0.0.10/32 and #200 DENY 10.0.0.10/32, the IP address will be allowed because 100 has a higher precedence over 200
• The last rule is an asterisk (*) and denies a request in case of no rule match
• AWS recommends adding rules by increment of 100

Answer 48

NACL Rules

Question 49

Newly created NACLs will ________ everything

Answer 49

deny

Question 50

NACL are a great way of __________?

Answer 50

blocking a specific IP address at the subnet level

Question 51

Accepts everything inbound/outbound with the subnets it’s associated with

Answer 51

Default NACL

Question 52

Instead of modifying the default NACL, instead you want to _______?

Answer 52

create custom NACLs

Question 53

• For any two endpoints to establish a connection, they must use ports
• Clients connect to a defined port, and expect a response on ________
• Different Operating Systems use different port ranges, examples:
  
  • IANA&MSWindows10è49152–65535
  • Many Linux Kernelsè32768 – 60999

Answer 53

Ephemeral Ports

Question 54

Security Group vs. NACLs
Operates at the instance level

Answer 54

Security Group

Question 55

Security Group vs. NACLs
Supports allow rules only

Answer 55

Security Group

Question 56

Security Group vs. NACLs
Stateful: return traffic is automatically allowed, regardless of any rules

Answer 56

Security Group

Question 57

Security Group vs. NACLs
All rules are evaluated before deciding whether to allow traffic

Answer 57

Security Group

Question 58

Security Group vs. NACLs
Applies to an EC2 instance when specified by someone

Answer 58

Security Group

Question 59

Security Group vs. NACLs
Operates at the subnet level

Answer 59

NACL

Question 60

Security Group vs. NACLs
Supports allow rules and deny rules

Answer 60

NACL

Question 61

Security Group vs. NACLs
Stateless: return traffic must be explicitly allowed by rules (think of ephemeral ports)

Answer 61

NACL

Question 62

Security Group vs. NACLs
Rules are evaluated in order (lowest to highest) when deciding whether to allow traffic, first match wins

Answer 62

NACL

Question 63

Security Group vs. NACLs
Automatically applies to all EC2 instances in the subnet that it’s associated with

Answer 63

NACL

Question 64

Privately connect two VPCs using AWS’ network

Answer 64

VPC Peering

Question 65

Make them behave as if they were in the same network

Answer 65

VPC Peering

Question 66

Must not have overlapping CIDRs

Answer 66

VPC Peering

Question 67

connection is NOT transitive
(must be established for each VPC that need to communicate with one another)

Answer 67

VPC Peering

Question 68

You must update route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other

Answer 68

VPC Peering

Question 69

You can create VPC Peering connection between VPCs in different _____?

Answer 69

AWS accounts/regions

Question 70

You can reference a security group in a peered VPC _______

Answer 70

(works cross accounts – same region)

Question 71

Every AWS service is publicly exposed (public URL)

Answer 71

VPC Endpoints (AWS PrivateLink)

Question 72

allows you to connect to AWS services using a private network instead of using the public Internet

Answer 72

VPC Endpoints (AWS PrivateLink)

Question 73

They’re redundant and scale horizontally

Answer 73

VPC Endpoints (AWS PrivateLink)

Question 74

They remove the need of IGW, NATGW, …
to access AWS Services

Answer 74

VPC Endpoints (AWS PrivateLink)

Question 75

In case of issues:
* Check DNS Setting Resolution in your VPC
* CheckRouteTables

Answer 75

VPC Endpoints (AWS PrivateLink)

Question 76

2 types of VPC Endpoints (AWS PrivateLink)

Answer 76

Interface Endpoints (powered by PrivateLink)
Gateway Endpoints

Question 77

• Provisions an ENI (private IP address) as an entry
  point (must attach a Security Group)
• Supports most AWS services
• $ per hour + $ per GB of data processed

Answer 77

Interface Endpoints (powered by PrivateLink)

Question 78

• Provisions a gateway and must be used as a target in a route table (does not use security groups)
• Supports both S3 and DynamoDB
• Free

Answer 78

Gateway Endpoints

Question 79

VPC Endpoints - ___________ is most likely going to be preferred all the time at the exam

Answer 79

Gateway

Question 80

is preferred access is required from on- premises (Site to Site VPN or Direct Connect), a different VPC or a different region

Answer 80

Interface Endpoint

Question 81

2 ways for Lambda in VPC accessing DynamoDB

Answer 81

Option1: Access from the public internet
Option 2 (better & free): Access from the private VPC network

Question 82

Because Lambda is in a VPC, it needs a NAT Gateway in a public subnet and an internet gateway

Answer 82

Option1: Access from the public internet

Question 83

• Deploy a VPC Gateway endpoint for DynamoDB
• Change the Route Tables

Answer 83

Option 2 (better & free): Access from the private VPC network

Question 84

• Capture information about IP traffic going into your interfaces:
  
  • VPC Flow Logs
  • Subnet Flow Logs
  • Elastic Network Interface (ENI) Flow Logs
• Helps to monitor & troubleshoot connectivity issues
• Flow logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
• Captures network information from AWS managed interfaces too: ELB, RDS, ElastiCache, Redshift,WorkSpaces, NATGW,Transit Gateway…

Answer 84

VPC Flow Logs

Question 85

• VPN concentrator on the AWS side of the VPN connection
• VGW is created and attached to the VPC from which you want to create the Site-to-Site VPN connection
• Possibility to customize the ASN (Autonomous System Number)

Answer 85

Virtual Private Gateway (VGW)

Question 85

2 types of AWS Site-to-Site VPN

Answer 85

Virtual Private Gateway (VGW)
Customer Gateway (CGW)

Question 86

Software application or physical device on customer side of the VPN connection

Answer 86

Customer Gateway (CGW)

Question 87

Provide secure communication between multiple sites, if you have multiple VPN connections

Answer 87

AWS VPN CloudHub

Question 88

Low-cost hub-and-spoke model for primary or secondary network connectivity between different locations (VPN only)

Answer 88

AWS VPN CloudHub

Question 89

It’s a VPN connection so it goes over the public Internet

Answer 89

AWS VPN CloudHub

Question 90

To set it up, connect multiple VPN connections on the same VGW, setup dynamic routing and configure route tables

Answer 90

AWS VPN CloudHub

Question 91

Provides a dedicated private connection from a remote network to your VPC

Answer 91

Direct Connect (DX)

Question 92

Dedicated connection must be setup between your ________ and AWS Direct Connect locations

Answer 92

DC

Question 93

You need to setup aVirtual Private Gateway on yourVPC

Answer 93

Direct Connect (DX)

Question 94

Access public resources (S3) and private (EC2) on same connection

Answer 94

Direct Connect (DX)

Question 95

Use Cases:
* Increase bandwidth throughput - working with large data sets – lower cost
* More consistent network experience - applications using real-time data feeds * Hybrid Environments (on prem + cloud)

Answer 95

Direct Connect (DX)

Question 96

Does Direct Connect (DX) Supports both IPv4 and IPv6

Answer 96

YES

Question 97

If you want to setup a Direct Connect to one or more VPC in many different regions (same account), you must use a __________?

Answer 97

Direct Connect Gateway

Question 98

2 Direct Connect – Connection Types

Answer 98

Dedicated Connections
Hosted Connections

Question 99

• 1Gbps,10 Gbps and 100 Gbps capacity
• Physical ethernet port dedicated to a customer
• Request made to AWS first, then completed by AWS Direct Connect Partners

Answer 99

Dedicated Connections

Question 100

• 50Mbps, 500 Mbps, to 10 Gbps
• Connection requests are made via AWS Direct Connect Partners
• Capacity can be added or removed on demand
• 1, 2, 5, 10 Gbps available at select AWS Direct Connect Partners

Answer 100

Hosted Connections

Question 101

For Direct Connect – Connection, Lead times are often longer than __________ to establish a new connection

Answer 101

1 month

Question 102

Direct Connect, Data in transit is _________ but is private

Answer 102

not encrypted

Question 103

AWS Direct Connect + VPN provides an ________

Answer 103

IPsec-encrypted private connection

Question 104

• For having transitive peering between thousands of VPC and on-premises, hub-and-spoke (star) connection
• Regional resource, can work cross-region
• Share cross-account using Resource Access Manager (RAM)
• You can peer this across regions
• RouteTables: limit which VPC can talk with othe rVPC
• Works with Direct Connect Gateway,VPN connections
• Supports IP Multicast (not supported by any other AWS ser vice)

Answer 104

Transit Gateway

Question 105

Used for IPv6 only

Answer 105

Egress-only Internet Gateway

Question 106

similar to a NAT Gateway but for IPv6

Answer 106

Egress-only Internet Gateway

Question 107

Allows instances in your VPC outbound connections over IPv6 while preventing the internet to initiate an IPv6 connection to your instances

Answer 107

Egress-only Internet Gateway

Question 108

IP Range

Answer 108

CIDR

Question 109

Virtual Private Cloud => we define a list of IPv4 & IPv6 CIDR

Answer 109

VPC

Question 110

tied to an AZ, we define a CIDR

Answer 110

Subnets

Question 111

at the VPC level, provide IPv4 & IPv6 Internet Access

Answer 111

Internet Gateway

Question 112

must be edited to add routes from subnets to the IGW,VPC Peering Connections,VPC Endpoints, …

Answer 112

RouteTables

Question 113

public EC2 instance to SSH into, that has SSH connectivity to EC2 instances in private subnets

Answer 113

Bastion Host

Question 114

gives Internet access to EC2 instances in private subnets. Old, must be setup in a public subnet, disable Source / Destination check flag

Answer 114

NAT Instances

Question 115

managed by AWS, provides scalable Internet access to private EC2 instances, IPv4 only

Answer 115

NAT Gateway

Question 116

stateless, subnet rules for inbound and outbound, don’t forget Ephemeral Ports

Answer 116

NACL

Question 117

stateful, operate at the EC2 instance level

Answer 117

Security Groups

Question 118

connect two VPCs with non overlapping CIDR, non-transitive

Answer 118

VPC Peering

Question 119

provide private access to AWS Services (S3, DynamoDB, CloudFormation, SSM) within a VPC

Answer 119

VPC Endpoints

Question 120

can be setup at the VPC / Subnet / ENI Level, for ACCEPT and REJECT traffic, helps identifying attacks, analyze using Athena or CloudWatch Logs Insights

Answer 120

VPC Flow Logs

Question 121

setup a Customer Gateway on DC,aVirtual Private Gateway on VPC, and site-to-site VPN over public Internet

Answer 121

Site-to-SiteVPN

Question 122

hub-and-spoke VPN model to connect your sites

Answer 122

AWS VPN CloudHub

Question 123

setup a Virtual Private Gateway on VPC, and establish a direct private connection to an AWS Direct Connect Location

Answer 123

Direct Connect

Question 124

setup a Direct Connect to many VPCs in different AWS regions

Answer 124

Direct Connect Gateway

Question 125

• Connect services privately from your service VPC to customers VPC
• Doesn’t need VPC Peering, public Internet, NAT Gateway, Route Tables
• Must be used with Network Load Balancer & ENI

Answer 125

AWS PrivateLink / VPC Endpoint Services

Question 126

connect EC2-Classic EC2 instances privately to your VPC

Answer 126

ClassicLink

Question 127

transitive peering connections forVPC,VPN & DX

Answer 127

Transit Gateway

Question 128

copy network traffic from ENIs for further analysis

Answer 128

Traffic Mirroring

Question 129

like a NAT Gateway, but for IPv6

Answer 129

Egress-only Internet Gateway

Question 130

Protect your entire Amazon VPC

Answer 130

AWS Network Firewall

Question 131

From Layer 3 to Layer 7 protection

Answer 131

AWS Network Firewall

Question 132

Any direction, you can inspect
* VPCtoVPCtraffic
* Outbound to internet
* Inbound from internet
* To/fromDirectConnect&Site-to-SiteVPN

Answer 132

AWS Network Firewall

Question 133

Uses the AWS Gateway Load Balancer

Answer 133

AWS Network Firewall

Question 134

Rules can be centrally managed cross- account by AWS Firewall Manager to apply to many ________?

Answer 134

VPCs

Question 135

Supports 1000s of rules
* IP & port - example: 10,000s of IPs filtering
* Protocol – example: block the SMB protocol for outbound communications
* Stateful domain list rule groups: only allow outbound traffic to*.mycorp.com or third-party software repo
* General pattern matching using regex

Answer 135

AWS Network Firewall

Question 136

Traffic filtering: Allow, drop, or alert for the traffic that matches the rules

Answer 136

AWS Network Firewall

Question 137

Active flow inspection to protect against network threats with intrusion-prevention capabilities (like Gateway Load Balancer, but all managed by AWS)

Answer 137

AWS Network Firewall

Question 138

AWS Network Firewall send logs of rule matches to ___________? (3)

Answer 138

Amazon S3
CloudWatch Logs
Kinesis Data Firehose