Virtual Private Cloud (VPC) Flashcards

1
Q

What is a virtual private cloud (VPC)?

A

A VPC can be thought of as a virtual data center in the cloud: a logically isolated section of the AWS Cloud in which you define your own network.
You have complete control over that virtual network, including your own IP address range, subnets, route tables, network gateways and the security controls (security groups and network ACLs) that sit on top of them.

So essentially it's a fully customizable network.

2
Q

Are VPCs set up automatically?

A

Yes. Every AWS account gets a default VPC in each region, created automatically, so you can launch instances without building a network first.

3
Q

When you create your fully customizable network, what does the architecture typically look like?

A

In a custom VPC you can layer several controls, including security groups and network access control lists (NACLs), to control access to the EC2 instances in each subnet.

The architecture typically has three tiers, each in its own subnet:

The web tier:

Public-facing web servers (reachable from the internet). Clients on the internet reach them on port 80 (HTTP) or 443 (HTTPS), so those are the only inbound ports the web tier's security group should allow.

The application tier:

Application servers that run the business logic (rendering an image, for instance).
They sit in a private subnet and accept traffic only from the web tier; they in turn talk to the database tier.

The database tier:

The database also sits in a private subnet and accepts connections only from the application tier.

The usual way to express "only from tier X" is a security group rule whose source is the other tier's security group rather than a CIDR, so the rule keeps working when instances are added or replaced.

4
Q

Can you use AWS Cloud as an extension of your corporate data center?

A

Yes. You can create a Site-to-Site VPN connection (IPsec tunnels over the internet) between your corporate data center and your VPC, or use a dedicated link with AWS Direct Connect, to achieve this.

5
Q

What is the smallest and largest network size you can have with AWS VPC?

A

The smallest VPC CIDR block is a /28, e.g. 10.0.0.0/28, which gives you 16 IP addresses.

The largest VPC CIDR block is a /16, e.g. 10.0.0.0/16, which gives you 65,536 IP addresses.

Note that AWS reserves five addresses in every subnet (the network address, the VPC router, the DNS resolver, one reserved for future use and the broadcast address), so a /28 subnet actually has only 11 usable addresses.

6
Q

What does a typical network diagram look like when creating a VPC?

A

The outermost box is the region, for example us-east-1.

Inside the region you create the VPC and choose its CIDR block, normally from one of the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16), e.g. 10.0.0.0/16.

Creating the VPC automatically gives you an implied router, a main route table, a default network ACL and a default security group.

Within the VPC you create a public subnet and launch an instance into it (a web server, for instance), attaching a security group to the instance.

To make that instance reachable from the internet you attach an internet gateway to the VPC, add a route for 0.0.0.0/0 to the internet gateway in the subnet's route table, and give the instance a public IP address.

7
Q

What can you do with a VPC?

A
  1. Launch instances into a subnet of your choosing
  2. Assign custom IP address ranges to each subnet
  3. Configure route tables to control traffic between subnets and to gateways
  4. Create an internet gateway and attach it to your VPC
  5. Get much better security control over your AWS resources
  6. Use subnet-level network access control lists, which can, for instance, block specific IP addresses
8
Q

What are the main differences between the default VPC and a custom VPC?

A

Default

  • More user friendly, because very little setup is needed
  • Every subnet has a route out to the internet through the internet gateway that is already attached
  • Each EC2 instance launched into a default subnet gets both a public and a private IP address

Custom

  • Fully customizable to your needs
  • Takes time to set up; nothing is reachable from the internet until you attach an internet gateway, add routes and assign public IPs
9
Q

When you create a subnet how many availability zones can it be in?

A

A subnet always lives in exactly one Availability Zone (an Availability Zone can hold many subnets).

10
Q

When you create a VPC what elements are created by default?

A

A main route table, a default network ACL and a default security group.

11
Q

What is best practice when naming subnets?

A

When creating a subnet, name it after its CIDR block and its Availability Zone:

CIDR block - Availability Zone

An example would be:

10.0.1.0/24 - us-east-1a

12
Q

How many internet gateways can you attach to a VPC?

A

Only one internet gateway can be attached to a VPC at a time.

A default VPC already has an internet gateway attached, so you cannot attach a second one to it; you would have to detach the existing gateway first.

13
Q

What is a subnet?

A

Subnets are larger networks broken down into smaller, more manageable networks.

Devices or instances within a subnet share a common network prefix (the "network number") in their IP addresses, which is what lets them reach each other directly without going through a router.

For instance, if the network number is 192.168.1 (the subnet 192.168.1.0/24), each device in that subnet has that prefix in its IP address. Four devices in the subnet might have the addresses:

Device 1: 192.168.1.10
Device 2: 192.168.1.11
Device 3: 192.168.1.12
Device 4: 192.168.1.13

Because they all share the same network number, we know they are in the same subnet and can communicate with each other.

In AWS, a VPC subnet is a range of IP addresses (a CIDR block) carved out of your VPC's CIDR block.
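Worked example for cards 5 and 13, added here and not part of the original deck: the CIDR arithmetic behind the VPC size limits and the same-subnet check, using Python's standard ipaddress module. The /16 to /28 limits and the five reserved addresses per subnet are AWS rules; every CIDR and IP address used is constructed for the example.

```python
# Added example (not from the original flashcards): VPC and subnet CIDR
# arithmetic with the standard-library ipaddress module.
#   * an AWS VPC IPv4 CIDR block must be between /16 and /28;
#   * AWS reserves five addresses in every subnet: the network address, the
#     VPC router (.1), the DNS resolver (.2), one for future use (.3) and the
#     broadcast address, so a /28 subnet has 11 usable hosts, not 16.
from ipaddress import IPv4Address, IPv4Network

VPC_LARGEST_PREFIX, VPC_SMALLEST_PREFIX = 16, 28   # /16 = 65,536 addresses, /28 = 16
AWS_RESERVED_PER_SUBNET = 5


def is_valid_vpc_cidr(cidr):
    """True if cidr is a well-formed block within AWS's /16 to /28 limits."""
    try:
        net = IPv4Network(cidr, strict=True)   # strict: host bits must be zero
    except ValueError:
        return False
    return VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX


def vpc_size(cidr):
    """Total addresses in a VPC block, e.g. 16 for a /28 and 65536 for a /16."""
    if not is_valid_vpc_cidr(cidr):
        raise ValueError(f"{cidr}: a VPC CIDR must be /16 to /28 with no host bits set")
    return IPv4Network(cidr).num_addresses


def subnet_usable_hosts(cidr):
    """Addresses you can actually assign in a subnet after AWS's five reserved ones."""
    return IPv4Network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr, new_prefix):
    """Split a VPC block into equal subnets, e.g. a /16 into 256 /24s."""
    return [str(s) for s in IPv4Network(vpc_cidr).subnets(new_prefix=new_prefix)]


def same_subnet(ip_a, ip_b, subnet_cidr):
    """Card 13's check: both hosts carry the subnet's network number."""
    net = IPv4Network(subnet_cidr)
    return IPv4Address(ip_a) in net and IPv4Address(ip_b) in net


if __name__ == "__main__":
    print(vpc_size("10.0.0.0/28"), subnet_usable_hosts("10.0.0.0/28"))      # 16 11
    print(vpc_size("10.0.0.0/16"))                                           # 65536
    print(carve_subnets("10.0.0.0/16", 24)[:2])                              # first two /24s
    print(same_subnet("192.168.1.10", "192.168.1.13", "192.168.1.0/24"))     # True
    print(is_valid_vpc_cidr("10.0.0.0/29"), is_valid_vpc_cidr("10.0.0.0/8"))  # False False
```

The reserved-address point is the one that bites in practice: a /28 subnet sized for "16 hosts" holds 11, and a subnet that looks one address short of full is in fact full.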

14
Q

What is a route table?

A

A route table contains a set of rules, called routes, that determine where network traffic (packets) from your subnet or gateway is directed.

The main purpose of a route table is to let the VPC's router make routing decisions. Every subnet is associated with exactly one route table: the VPC's main route table unless you explicitly associate another.

15
Q

What is a network access control list (ACL)?

A

A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level.

You can create a custom network ACL for your VPC with rules similar to security group rules to add a further layer of security. Unlike security group rules, network ACL rules can explicitly deny traffic.

16
Q

What is a security group?

A

A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.

The security group acts as a virtual firewall. The only traffic that reaches the instance is the traffic allowed by the security group rules.

17
Q

What is a network address translation (NAT) gateway?

A

A NAT gateway lets instances in a private subnet initiate connections to the internet (or to AWS services reached over public endpoints) while preventing the internet from initiating connections to those instances.

A private subnet's route table has no route to an internet gateway, so its instances cannot reach the internet, but the internet cannot reach them either.

You create the NAT gateway in a public subnet (one whose route table sends 0.0.0.0/0 to the internet gateway) and give it an Elastic IP. Then, in the private subnet's route table, you add a route for 0.0.0.0/0 whose target is the NAT gateway.

Outbound traffic from the private subnet (a package update, for instance) now goes to the NAT gateway, which rewrites the source address to its Elastic IP and forwards the packets through the internet gateway. Replies come back through the NAT gateway, but nothing on the internet can open a new connection to the private instances.

18
Q

What are 5 facts to remember about NAT Gateways?

A
  1. A NAT gateway lives in one Availability Zone and is built redundantly inside that AZ. For resilience across AZs, create one NAT gateway per AZ and route each private subnet to the one in its own AZ.
  2. They scale automatically with traffic (the course quotes 5 gigabits per second (Gbps) scaling to 45 Gbps; check the current AWS quotas for the exact figure).
  3. You don't patch NAT gateways; they are a managed service and AWS maintains them for you.
  4. They are not associated with security groups, so there are no ports to open on the NAT gateway itself. They are still subject to the network ACL of the subnet they sit in.
  5. A public NAT gateway gets an Elastic IP address that you allocate and assign when you create it.
19
Q

Which ports do common protocols use?

A
  1. SSH uses port 22
  2. RDP uses port 3389
  3. HTTP uses port 80
  4. HTTPS uses port 443
20
Q

How do you debug connectivity issues?

A
  1. Start with the route table. Does the subnet even have a route out to and back from the internet (or to the peer you are trying to reach)?
  2. Check the network ACL on the subnet. Is it blocking traffic it shouldn't, in either direction?
  3. Check the security groups. Same question: is an inbound rule missing for the port and source?
21
Q

What are the default settings for security groups regarding traffic that is blocked, and how do you let traffic in?

A

A new security group has no inbound rules, so all inbound traffic is blocked by default. Outbound traffic is allowed by default (there is an implicit "allow all" outbound rule).

To let traffic in you add inbound rules. A rule with source 0.0.0.0/0 admits every IPv4 address, and the rule must name the port the service listens on, e.g. 443 if clients talk to the EC2 instance over HTTPS. Opening all ports to 0.0.0.0/0 is rarely appropriate; restrict the source to the CIDRs or security groups that actually need access.

22
Q

What is meant by "security groups are stateful"?

A

Stateful means the security group tracks connections: responses to requests sent by your instance are allowed in regardless of the inbound rules.

The same applies the other way round: responses to allowed inbound traffic are allowed out regardless of the outbound rules.

23
Q

What are the default settings of the default network ACL that comes with your VPC, and of a custom network ACL you create?

A

The default network ACL allows all inbound and outbound traffic.

A custom network ACL denies all inbound and outbound traffic until you add rules.

24
Q

Must each subnet in your VPC be associated with a network ACL?

A

Yes, a subnet must always be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the VPC's default network ACL.

25
Q

If you want to block an IP address do you do it by the network ACLs or the security groups?

A

You block IP addresses with network ACLs, not security groups: security groups have only allow rules, so they cannot express "deny this address", whereas a network ACL can have an explicit deny rule (and it is evaluated before the security group).

26
Q

How many subnets can a network ACL be associated with, and the other way round?

A

A network ACL can be associated with multiple subnets, but a subnet can be associated with only one network ACL at a time.

If you associate a different network ACL with a subnet, its previous association is replaced.

27
Q

Are network ACLs stateless or stateful? And what does it mean?

A

Network ACLs are stateless.

This means return traffic is not tracked: responses to allowed inbound traffic are subject to the outbound rules, and responses to allowed outbound traffic are subject to the inbound rules. In practice you must allow the ephemeral port range in the opposite direction for replies to get through.

28
Q

What is best practice when naming rule numbers in your ACL?

A

Start at 100 and add increments of 100:

Rule number 1 is 100
Rule number 2 is 200
Rule number 3 is 300

Rules are evaluated in ascending order by rule number and the first matching rule wins, so the gaps leave room to insert a rule (say, 150) between two existing ones later. If no numbered rule matches, the final "*" rule denies the traffic.

29
Q

Look up ephemeral ports

A
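Worked example for cards 20 through 29 (and the three-tier layout of card 3), added here and not part of the original deck: a small Python model of how AWS evaluates one TCP flow, in the same order the debugging card recommends. Every IP, CIDR, security group id and rule number in it is constructed; the "first match wins, then deny" ACL semantics, the stateless/stateful distinction and the 1024-65535 ephemeral range are AWS behaviour, and the rest is a simplification (TCP only, no public-IP check).

```python
# Added example, not part of the original flashcards: a miniature reachability
# check that evaluates one TCP flow in the order card 20 recommends (route
# table, then network ACL, then security group) and encodes cards 21-29:
#   - routes use longest-prefix match; an internet host can only reach a subnet
#     that routes back to it through an internet gateway (a NAT route is outbound-only);
#   - network ACL rules are evaluated in ascending number order, first match wins,
#     no match is a deny, and the ACL is STATELESS: the reply must also pass the
#     OUTBOUND rules on the client's ephemeral port (card 29);
#   - security groups are allow-only and STATEFUL (only the request is checked)
#     and a rule may name another security group as its source (card 3's tiers).
# Every IP, CIDR, ID and rule number below is constructed for the example.
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)   # range AWS docs say to open for return traffic

NaclRule = namedtuple("NaclRule", "number proto ports cidr action")  # proto "tcp" or "-1" (all)
SgRule = namedtuple("SgRule", "proto ports source")                   # source: CIDR or "sg-..."
Subnet = namedtuple("Subnet", "routes nacl_in nacl_out")              # routes: {cidr: target}
Host = namedtuple("Host", "ip subnet sg_id sg_rules", defaults=(None, None, ()))  # subnet None = internet


def route_lookup(routes, ip):
    """Longest-prefix match; returns the route target, or None if nothing matches."""
    addr = IPv4Address(ip)
    hits = [IPv4Network(c) for c in routes if addr in IPv4Network(c)]
    return routes[str(max(hits, key=lambda n: n.prefixlen))] if hits else None


def _match(rule_proto, rule_ports, proto, port):
    return rule_proto in ("-1", proto) and rule_ports[0] <= port <= rule_ports[1]


def nacl_decision(rules, ip, proto, port):
    """First matching rule in ascending number order decides; no match is a deny ('*')."""
    for r in sorted(rules, key=lambda r: r.number):
        if IPv4Address(ip) in IPv4Network(r.cidr) and _match(r.proto, r.ports, proto, port):
            return r.action, r.number
    return "deny", "*"


def sg_allows(dst, src, proto, port):
    """Stateful and allow-only: one matching inbound rule on dst is enough."""
    for r in dst.sg_rules:
        if not _match(r.proto, r.ports, proto, port):
            continue
        if r.source.startswith("sg-"):
            if src.sg_id == r.source:
                return True
        elif IPv4Address(src.ip) in IPv4Network(r.source):
            return True
    return False


def check_flow(src, dst, port, proto="tcp", reply_port=40000):
    """Return (allowed, reason); reply_port stands in for the client's ephemeral port."""
    sn = dst.subnet
    target = route_lookup(sn.routes, src.ip)                              # 1. route table
    if target is None:
        return False, f"route table: no route toward {src.ip}"
    if src.subnet is None and not target.startswith("igw-"):
        return False, f"route table: {src.ip} is reached via {target}, not an internet gateway"
    action, num = nacl_decision(sn.nacl_in, src.ip, proto, port)         # 2. NACL, request
    if action == "deny":
        return False, f"network ACL inbound: denied by rule {num}"
    action, num = nacl_decision(sn.nacl_out, src.ip, proto, reply_port)  # 3. NACL, reply
    if action == "deny":
        return False, f"network ACL outbound: reply to port {reply_port} denied by rule {num}"
    if not sg_allows(dst, src, proto, port):                              # 4. security group
        return False, "security group: no inbound rule matches"
    return True, "allowed"


# Constructed three-tier topology: a public web subnet and a private app/db subnet.
public_nacl_in = [
    NaclRule(90, "-1", (0, 65535), "203.0.113.7/32", "deny"),   # blocklisted IP (card 25)
    NaclRule(100, "tcp", (80, 80), ANY, "allow"),
    NaclRule(110, "tcp", (443, 443), ANY, "allow"),
    NaclRule(120, "tcp", EPHEMERAL, ANY, "allow"),              # replies to our outbound calls
]
public_nacl_out = [
    NaclRule(100, "tcp", (80, 80), ANY, "allow"),
    NaclRule(110, "tcp", (443, 443), ANY, "allow"),
    NaclRule(120, "tcp", EPHEMERAL, ANY, "allow"),              # replies to inbound calls
]
allow_all = [NaclRule(100, "-1", (0, 65535), ANY, "allow")]     # what the default NACL does
public = Subnet({"10.0.0.0/16": "local", ANY: "igw-example"}, public_nacl_in, public_nacl_out)
private = Subnet({"10.0.0.0/16": "local", ANY: "nat-example"}, allow_all, allow_all)
public_no_ephemeral = Subnet(public.routes, public_nacl_in, public_nacl_out[:2])  # rule 120 forgotten

web = Host("10.0.1.10", public, "sg-web", [SgRule("tcp", (443, 443), ANY)])
web_broken = Host("10.0.1.11", public_no_ephemeral, "sg-web", web.sg_rules)
app = Host("10.0.2.10", private, "sg-app", [SgRule("tcp", (8080, 8080), "sg-web")])
db = Host("10.0.2.20", private, "sg-db", [SgRule("tcp", (5432, 5432), "sg-app")])
client, blocked = Host("198.51.100.4"), Host("203.0.113.7")

if __name__ == "__main__":
    for s, d, p in [(client, web, 443), (client, web, 22), (blocked, web, 443),
                    (client, web_broken, 443), (client, app, 8080),
                    (web, app, 8080), (web, db, 5432), (app, db, 5432)]:
        print(f"{s.ip} -> {d.ip}:{p}  {check_flow(s, d, p)[1]}")
```

Read the reason strings: the same HTTPS request succeeds against web and fails against web_broken purely because the outbound ephemeral rule is missing, which is the symptom to chase when a stateless ACL is the culprit. That is also the answer to card 29: clients pick a random high source port for each connection (Linux typically 32768-60999, Windows 49152-65535, an AWS NAT gateway 1024-65535), so the ACL rule for return traffic is normally written for the whole 1024-65535 range.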
30
Q

What are VPC endpoints?

A

A VPC endpoint lets resources in your VPC connect privately to supported AWS services (and to services exposed via PrivateLink) without going through an internet gateway, NAT gateway, VPN or Direct Connect. Unlike a NAT gateway, the traffic never leaves the AWS network.

This means your instances in your VPC don't require public IP addresses to communicate with resources in the service.

The general use case is reaching AWS services without leaving Amazon's internal network; an instance in a private subnet can talk to S3, for instance, with no NAT gateway at all.

31
Q

What are the 2 types of VPC endpoints?

A
  1. Interface endpoints

An interface endpoint is an elastic network interface (ENI) with a private IP address from your subnet that serves as the entry point for traffic headed to the supported service. They are powered by PrivateLink and support a large number of AWS services.

  2. Gateway endpoints

A gateway endpoint is not an ENI: it is a target you add to a route table, so traffic for the service's IP prefixes is routed to the endpoint instead of to an internet or NAT gateway.

It supports only S3 and DynamoDB.

32
Q

What is VPC peering?

A

VPC peering connects one VPC to another over a direct network route using private IP addresses, so traffic stays on the AWS network.

You can also peer VPCs across AWS accounts and across regions.

Peering is not transitive: if VPC A wants to talk to VPC B, A needs its own peering connection to B. It cannot reach B through VPC C, even if C is peered with both. Each side must also add a route for the other VPC's CIDR pointing at the peering connection.

33
Q

What are the different ways you can open up your VPC to other VPCs?

A
  1. Open the VPC to the internet
    - Security considerations
    - A lot more to manage
  2. Use VPC peering
    - You have to create and manage many different peering relationships
    - The whole network becomes accessible. This isn't good if you have multiple applications within your VPC.
  3. PrivateLink
    - The best way to expose a service in one VPC to tens, hundreds or thousands of customer VPCs
    - Requires a Network Load Balancer in the service VPC and an elastic network interface (ENI), i.e. an interface endpoint, in each customer VPC.
34
Q

What is PrivateLink?

A

AWS PrivateLink provides private connectivity between virtual private clouds (VPCs), supported AWS services, and your on-premises networks without exposing your traffic to the public internet. Interface VPC endpoints, powered by PrivateLink, connect you to services hosted by AWS Partners and supported solutions available in AWS Marketplace.

35
Q

What is AWS VPN CloudHub?

A

AWS VPN CloudHub lets multiple remote sites, each with its own Site-to-Site VPN connection to the same virtual private gateway, communicate securely with one another through AWS (a hub-and-spoke model).

AWS VPN CloudHub is low cost and easy to manage. Although it operates over the public internet, all traffic between each customer gateway and AWS VPN CloudHub is encrypted.

36
Q

What is Direct Connect?

A

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises or data center to AWS.

The advantages of Direct Connect are:

  • It is faster and more consistent than a VPN, since it is a dedicated physical link rather than tunnels over the public internet.
  • It is private: traffic does not traverse the public internet. Note that it is not encrypted by default; use MACsec on supported ports or run a Site-to-Site VPN over the connection if you need encryption.
  • Reliable.
  • Able to carry massive throughput, since it is a dedicated physical connection.
37
Q

What are the 2 types of Direct Connect connections?

A
  1. Dedicated connection
    A physical Ethernet connection associated with a single customer.
    Customers request a dedicated connection through the AWS Direct Connect console, the CLI or the API.
  2. Hosted connection
    A physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer. Customers request a hosted connection by contacting a partner in the AWS Direct Connect Partner Program, who provisions the connection.
38
Q

What is a transit gateway?

A

A transit gateway is a regional hub that simplifies connectivity between VPCs, VPN connections, Direct Connect gateways, on-premises data centers and so on.

Instead of creating a peering connection between every pair of VPCs, you attach each VPC to the transit gateway; by default every attachment can then reach every other attachment.

You use transit gateway route tables to limit which attachments can talk to each other (for example, spokes that may reach a shared-services VPC but not each other).

Transit gateways can be peered across regions, and attachments can come from other AWS accounts by sharing the transit gateway through AWS Resource Access Manager (RAM).
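Added example for cards 32 and 38, not part of the original deck: the non-transitivity of peering, and the association/propagation model of transit gateway route tables, in Python. VPC names, CIDRs and table names are constructed, and the model ignores the VPC-side route tables, which in a real deployment must also point the destination CIDR at the transit gateway attachment.

```python
# Added example, not part of the original flashcards: why VPC peering is not
# transitive (card 32) and how a transit gateway with its own route tables
# replaces a mesh of peerings yet still lets you restrict who talks to whom
# (card 38). VPC names, CIDRs and table names are constructed.
from ipaddress import IPv4Address, IPv4Network

VPCS = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16", "S": "10.3.0.0/16"}  # S = shared services


def peering_reachable(peerings, src, dst):
    """A peering is a direct link between exactly two VPCs: A<->B plus B<->C gives A no path to C."""
    return frozenset((src, dst)) in {frozenset(p) for p in peerings}


def full_mesh_count(n_vpcs):
    """Peerings needed for every VPC to reach every other one directly."""
    return n_vpcs * (n_vpcs - 1) // 2


class TransitGateway:
    """Each attachment is *associated* with one TGW route table, which is consulted
    for traffic coming FROM that attachment. A VPC's CIDR is *propagated* into the
    tables that should be able to reach it. Reachability means the source's table
    holds a route for the destination address."""

    def __init__(self):
        self.tables = {}       # table name -> {destination CIDR: attachment (VPC name)}
        self.association = {}  # VPC name -> table name

    def attach(self, vpc, table):
        self.tables.setdefault(table, {})
        self.association[vpc] = table

    def propagate(self, vpc, table):
        self.tables.setdefault(table, {})[VPCS[vpc]] = vpc

    def next_hop(self, src_vpc, dst_ip):
        """Attachment the TGW forwards to, or None when the source's table has no route."""
        table = self.tables[self.association[src_vpc]]
        addr = IPv4Address(dst_ip)
        hits = [c for c in table if addr in IPv4Network(c)]
        return table[max(hits, key=lambda c: IPv4Network(c).prefixlen)] if hits else None


def build_flat():
    """One table, every VPC associated and propagated: everyone reaches everyone
    (the default behaviour of a new transit gateway)."""
    tgw = TransitGateway()
    for vpc in VPCS:
        tgw.attach(vpc, "default")
        tgw.propagate(vpc, "default")
    return tgw


def build_hub_and_spoke():
    """Spokes A, B, C may reach the shared-services VPC S and S may reach them,
    but spokes cannot reach each other."""
    tgw = TransitGateway()
    tgw.attach("S", "hub")
    for spoke in ("A", "B", "C"):
        tgw.attach(spoke, "spokes")
        tgw.propagate(spoke, "hub")      # hub table learns every spoke
    tgw.propagate("S", "spokes")         # spokes table knows only S
    return tgw


if __name__ == "__main__":
    peerings = [("A", "B"), ("B", "C")]
    print(peering_reachable(peerings, "A", "C"))          # False: peering is not transitive
    print(full_mesh_count(len(VPCS)))                      # 6 peerings for 4 VPCs
    hub = build_hub_and_spoke()
    print(hub.next_hop("A", "10.3.0.5"), hub.next_hop("A", "10.1.0.5"))   # S None
```

The two build functions are the point of comparison: the flat design is what you get by default and is exactly the "whole network accessible" problem card 33 warns about, while hub-and-spoke achieves isolation by what each table is allowed to learn rather than by any deny rule.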

39
Q

What is AWS Wavelength?

A

AWS Wavelength embeds AWS compute and storage services within telecommunications providers' 5G networks.

This provides mobile edge computing infrastructure for developing, deploying and scaling ultra-low-latency applications.