VIRTUAL PRIVATE CLOUD (VPC) BASICS Flashcards
What should you consider about VPC structure before creating it?
What size should the VPC be?
Are there any networks we can't use?
VPC minimum /28 (16 IPs), maximum /16 (65,536 IPs)
Avoid common ranges, so the VPC won't overlap with networks you later need to connect to (peering, VPN, on-premises)
Reserve 2+ networks per region being used, per account
Your business Animals 4 Life has offices in 3 US regions, 1 Europe region and 1 Australia region. What would the total number of IP ranges be?
40 IP ranges (5 regions x 2 ranges = 10 per account; 40 assumes 4 accounts)
Custom VPC
Regional service: spans all AZs in the region
Isolated network
Nothing in or out without explicit configuration
Default or dedicated tenancy
Default tenancy
You decide per resource whether it runs on shared or dedicated hardware
Dedicated tenancy
Set at the VPC level: every resource you create in it has to run on dedicated hardware, which carries a cost premium
AWS configuration of a custom VPC
IPv4 private CIDR block and public IPs
Primary private IPv4 CIDR block
Min /28 (16 IPs), max /16 (65,536 IPs)
Optional secondary IPv4 CIDR block(s)
Optional single IPv6 /56 CIDR block assigned by AWS (IPv6 addresses are all publicly routable)
DNS in an AWS custom VPC
Provided by Route 53 (the Route 53 Resolver)
Reachable at the VPC base IP + 2
enableDnsHostnames
Gives instances with public IPs public DNS hostnames
enableDnsSupport
Enables DNS resolution in the VPC
VPC subnets
Subnets are where services run from inside a VPC, and they are how you add structure, functionality and resilience to a VPC.
VPC subnet resiliency
AZ resilient
Can a subnet be in multiple AZs?
No. A subnet is created in one specific AZ in a region and that can never be changed.
Auto-assign public IPv4
Decides whether instances launched in the subnet automatically receive a public IPv4 address in addition to their private one
Auto-assign IPv6
Decides whether the subnet assigns IPv6 addresses; for this to work both the subnet and the VPC must have an IPv6 block allocated
How many subnets can an AZ have?
One AZ can have 0 to many subnets
How is a subnet addressed?
By default a subnet is allocated an IPv4 CIDR
What are the constraints on a subnet CIDR?
It has to be a subset of the VPC CIDR (and, like the VPC, between /16 and /28)
Can the CIDR ranges of two subnets in the same VPC overlap?
No, a subnet can't overlap any other subnet in the VPC
Can two subnets within a VPC communicate with each other?
Yes, subnets communicate freely with each other by default (via the VPC router's local route)
What are the 5 unusable addresses in a subnet?
- Network address (first IP in the subnet)
- Network +1 - VPC router
- Network +2 - Reserved (DNS)
- Network +3 - Reserved for future use
- Broadcast address (last IP in the subnet)
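The sizing rules from these cards (VPC between /16 and /28, subnets inside the VPC block and non-overlapping, 5 reserved addresses per subnet) as an added Python example. This is not AWS code or part of the original deck; the 10.16.0.0/16 VPC and the /20 subnets are made-up values, and the checks use only the standard library ipaddress module.

```python
import ipaddress

# Added example: VPC/subnet CIDR planning checks matching the flashcards.
# Sample CIDRs (10.16.0.0/16 and its /20 subnets) are constructed for the demo.

VPC_MIN_PREFIX = 16   # largest allowed block (/16 = 65,536 addresses)
VPC_MAX_PREFIX = 28   # smallest allowed block (/28 = 16 addresses)
RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """Return the VPC network if its size is allowed, else raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if net.version != 4:
        raise ValueError(f"{cidr}: this check covers the IPv4 primary block only")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"{cidr}: VPC block must be between /16 and /28")
    return net


def reserved_addresses(subnet_cidr):
    """The 5 addresses AWS reserves in every IPv4 subnet, in order:
    network, VPC router (+1), DNS (+2), future use (+3), broadcast (last)."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    first_four = [str(ipaddress.ip_address(base + i)) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_hosts(subnet_cidr):
    """Addresses actually available to instances in the subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def check_subnets(vpc_cidr, subnet_cidrs):
    """Return the subnet networks, or raise ValueError on the first violated constraint."""
    vpc = validate_vpc_cidr(vpc_cidr)
    subnets = []
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen > VPC_MAX_PREFIX:
            raise ValueError(f"{cidr}: subnets can't be smaller than /28")
        if not net.subnet_of(vpc):
            raise ValueError(f"{cidr}: not inside VPC block {vpc}")
        for other in subnets:
            if net.overlaps(other):
                raise ValueError(f"{cidr} overlaps {other}")
        subnets.append(net)
    return subnets


def plan_errors(vpc_cidr, subnet_cidrs):
    """Convenience wrapper: the first constraint violation as text, or None if the plan is valid."""
    try:
        check_subnets(vpc_cidr, subnet_cidrs)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    plan = ["10.16.0.0/20", "10.16.16.0/20", "10.16.32.0/20"]
    print("plan errors:", plan_errors("10.16.0.0/16", plan))
    for cidr in plan:
        print(cidr, "reserved:", reserved_addresses(cidr), "usable:", usable_hosts(cidr))
```

Run it as a script to see the reserved addresses for each /20 (the +2 address of the first subnet is also where the VPC's DNS resolver lives); feed it the overlapping pair 10.16.0.0/20 and 10.16.8.0/21 and plan_errors reports the overlap instead of None.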
DHCP option set
Dynamic Host Configuration Protocol: how computing devices receive IP addresses (and settings such as DNS servers) automatically.
Where are DHCP option sets applied?
At the VPC level; the settings flow down to every subnet
How can you update the configuration of a DHCP option set?
You can create option sets but you can't change them
To change the configuration you have to create a new option set and associate it with the VPC
VPC router
Routes traffic between subnets; controlled by the route table associated with each subnet
VPC route table
Every VPC has a main route table; it is the default, associated with any subnet that has no explicit route table association
How many route tables can be associated with a subnet?
One route table
Can two subnets within a VPC have the same route table associated?
Yes, a route table can be associated with many subnets
What does a route table do?
It controls what happens to data as it leaves the subnet or subnets the route table is associated with.
How does a route table choose a route?
Longest prefix match: the more specific the route, the higher its priority. Every route table also contains a local route for the VPC CIDR.
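Longest-prefix-match route selection, as an added Python example that is not AWS code or part of the original deck. It also builds the per-AZ private route tables that the NAT gateway cards later describe (one NAT gateway per AZ). The 10.16.0.0/16 VPC and the targets "local", "igw-example", "tgw-example", "nat-a" and "nat-b" are illustrative placeholders, not real resource IDs.

```python
import ipaddress

# Added example: how a VPC route table picks a target for a packet. Selection is
# longest-prefix match, so the order in which routes are listed is irrelevant;
# the most specific destination that contains the packet wins.
# Targets such as "igw-example" are placeholders, not real AWS resource IDs.

VPC_CIDR = "10.16.0.0/16"   # constructed sample VPC block

PUBLIC_ROUTE_TABLE = [
    ("0.0.0.0/0",  "igw-example"),   # default route: everything else to the internet gateway
    ("10.0.0.0/8", "tgw-example"),   # rest of a corporate 10/8 via a transit gateway
    (VPC_CIDR,     "local"),         # local route: present in every route table
]


def select_route(route_table, dest_ip):
    """Return the target for dest_ip, or None if no route covers it (packet dropped)."""
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def private_route_tables(vpc_cidr, natgw_by_az):
    """One route table per AZ, each sending internet-bound traffic to that AZ's
    own NAT gateway, so a single AZ failure does not take out the others' egress."""
    return {az: [(vpc_cidr, "local"), ("0.0.0.0/0", natgw)]
            for az, natgw in natgw_by_az.items()}


if __name__ == "__main__":
    for dest in ("10.16.1.1", "10.20.1.1", "8.8.8.8"):
        print(dest, "->", select_route(PUBLIC_ROUTE_TABLE, dest))
    tables = private_route_tables(VPC_CIDR, {"us-east-1a": "nat-a", "us-east-1b": "nat-b"})
    print("private subnet in us-east-1b, 8.8.8.8 ->", select_route(tables["us-east-1b"], "8.8.8.8"))
```

Note that 10.16.1.1 goes to "local" even though 10.0.0.0/8 also contains it: the /16 is more specific than the /8, and the /0 default only catches what nothing else covers. A private route table with only the local route returns None for an internet destination, which is exactly why a private subnet needs the NAT gateway route to reach the internet.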
Internet gateway (IGW)
Manages traffic between the VPC and the internet or the AWS public zone
How are public IPv4 addresses handled by the IGW?
The public IPv4 address is held on the IGW, which keeps a record associating it with the instance's private IPv4 address and translates between the two (static 1:1 NAT)
Is it possible to configure a public IPv4 address on an EC2 instance running from within a subnet?
No. At no point is the EC2 instance (its OS) aware of its public IPv4 address.
Bastion host / jump box
An EC2 instance in a public subnet
Allows connectivity to internal VPC resources (you connect to the bastion first, then on to the private instances)
Stateless firewall
Doesn't understand the state of a connection (whether a packet is a request or a response), so every communication needs two rules (one in, one out)
Stateful firewall
Knows which packets are the request and which are the response
Automatically picks up which port the response uses and allows it
Lower admin overhead
What are NACLs?
Network Access Control Lists: the traditional stateless firewall within AWS
What kind of traffic is affected by NACLs?
Traffic crossing the subnet boundary, inbound or outbound (traffic between instances inside the same subnet is not checked)
How are rules processed in a NACL?
Rules are processed in order, lowest rule number first; the first matching rule is applied
What happens when traffic entering the NACL doesn't match any of the rules?
Implicit deny (the catch-all * rule at the end)
What are the requirements for creating NACL rules?
Each communication needs 1 request rule and 1 response rule (application port and ephemeral port range) for each type of communication that occurs within a VPC, to a VPC and from a VPC.
How is the default NACL configured for a VPC?
Inbound and outbound rules each have the implicit deny (*) and an allow-all rule.
The result: all traffic is allowed; the NACL has no effect.
Can a NACL be attached to AWS resources?
No, NACLs can only be associated with subnets
How many NACLs can be associated with a subnet?
Each subnet has exactly one NACL (default or custom)
How many subnets can be associated with a NACL?
A NACL can be associated with many subnets
What are security groups?
Stateful firewalls that detect response traffic and allow it automatically (in or out)
What can security groups be attached to?
Anything that has an Elastic Network Interface (ENI)
What is one of the limitations of security groups?
No explicit deny: only allow rules plus an implicit deny
They can't block a specific bad actor; NACLs are used for that
What are 2 benefits of using a security group?
It can reference other security groups in its rules, as well as itself
It can be attached to logical resources (anything with an ENI)
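The stateless-versus-stateful distinction from the firewall, NACL and security group cards above, as an added Python model that is not AWS code or part of the original deck. It runs one HTTPS exchange (a client on 203.0.113.10 talking to a web server on 10.16.1.10) through a NACL and through a security group, shows the NACL failing when the outbound ephemeral-port rule is missing, shows a low-numbered NACL deny blocking a specific source, and shows a security group rule that references another group. Rule numbers, addresses and the sg-web / sg-app identifiers are made up for the demonstration.

```python
import ipaddress
from dataclasses import dataclass

# Added example (not AWS code): how a stateless NACL and a stateful security
# group judge the same HTTPS exchange. All addresses, rule numbers and the
# sg-... identifiers below are constructed for the demo.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


def flow_key(p):
    return (p.protocol, p.src_ip, p.src_port, p.dst_ip, p.dst_port)


def reverse_key(p):
    return (p.protocol, p.dst_ip, p.dst_port, p.src_ip, p.src_port)


# --- NACL: rules are (rule_number, protocol, cidr, port_from, port_to, action).
# The CIDR is matched against the source for inbound rules and the destination
# for outbound rules; the port range is the packet's destination port either way.
def nacl_evaluate(rules, packet, direction):
    """Stateless: lowest rule number first, first match decides, no match -> deny."""
    cidr_ip = packet.src_ip if direction == "inbound" else packet.dst_ip
    for _num, proto, cidr, lo, hi, action in sorted(rules):
        if proto not in (packet.protocol, "all"):
            continue
        if ipaddress.ip_address(cidr_ip) not in ipaddress.ip_network(cidr):
            continue
        if not lo <= packet.dst_port <= hi:
            continue
        return action
    return "deny"   # the implicit '*' rule


NACL_IN = [(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
NACL_OUT_OK = [(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]     # replies to client ephemeral ports
NACL_OUT_BROKEN = [(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]    # forgot the ephemeral-port rule
NACL_IN_BLOCK = [(50, "tcp", "198.51.100.0/24", 0, 65535, "deny")] + NACL_IN   # 50 < 100: deny wins

# --- Security group: rules are (protocol, peer, port_from, port_to), where peer
# is a CIDR or another group's id. There are only allow rules; no match -> deny.
SG_WEB = {"id": "sg-web", "inbound": [("tcp", "0.0.0.0/0", 443, 443)], "outbound": []}
SG_APP = {"id": "sg-app", "inbound": [("tcp", "sg-web", 8080, 8080)], "outbound": []}


def sg_evaluate(sg, packet, direction, tracked, peer_groups=()):
    """Stateful: a reply to an already-allowed flow passes without any rule;
    otherwise an allow rule must match, and the new flow is recorded.
    peer_groups: ids of the groups attached to the other side's ENI."""
    if reverse_key(packet) in tracked:
        return True
    peer_ip = packet.src_ip if direction == "inbound" else packet.dst_ip
    for proto, peer, lo, hi in sg[direction]:
        if proto != packet.protocol or not lo <= packet.dst_port <= hi:
            continue
        if peer.startswith("sg-"):
            ok = peer in peer_groups
        else:
            ok = ipaddress.ip_address(peer_ip) in ipaddress.ip_network(peer)
        if ok:
            tracked.add(flow_key(packet))
            return True
    return False


def https_exchange():
    """Client 203.0.113.10:50000 -> web server 10.16.1.10:443, then the reply."""
    request = Packet("203.0.113.10", 50000, "10.16.1.10", 443)
    reply = Packet("10.16.1.10", 443, "203.0.113.10", 50000)
    blocked_client = Packet("198.51.100.7", 50000, "10.16.1.10", 443)
    tracked = set()
    return {
        "nacl_request": nacl_evaluate(NACL_IN, request, "inbound"),
        "nacl_reply": nacl_evaluate(NACL_OUT_OK, reply, "outbound"),
        "nacl_reply_missing_ephemeral": nacl_evaluate(NACL_OUT_BROKEN, reply, "outbound"),
        "nacl_blocked_client": nacl_evaluate(NACL_IN_BLOCK, blocked_client, "inbound"),
        "sg_request": sg_evaluate(SG_WEB, request, "inbound", tracked),
        "sg_reply": sg_evaluate(SG_WEB, reply, "outbound", tracked),   # no outbound rule needed
    }


def web_to_app():
    """Web tier -> app tier on 8080: allowed only when the sender carries sg-web."""
    pkt = Packet("10.16.1.10", 40000, "10.16.2.10", 8080)
    return (sg_evaluate(SG_APP, pkt, "inbound", set(), peer_groups=("sg-web",)),
            sg_evaluate(SG_APP, pkt, "inbound", set(), peer_groups=("sg-other",)))


if __name__ == "__main__":
    for name, verdict in https_exchange().items():
        print(f"{name}: {verdict}")
    print("web->app with sg-web / without:", web_to_app())
```

The security group reply passes even though SG_WEB has no outbound rule at all, purely because the inbound request was tracked; the NACL reply passes only while the outbound 1024-65535 rule exists. The same sender IP is accepted or refused by SG_APP depending solely on which groups are attached to its ENI, which is the group-reference feature the cards describe.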
What is Network Address Translation (NAT)?
Gives a private CIDR range outgoing internet access
Can connections be initiated from the public internet to a private EC2 instance behind NAT? If not, why?
No. Instances can initiate connections and receive the response data, but nothing on the public internet can initiate a connection to them, because the NAT device only has a translation entry for flows that started inside.
Where does a NAT gateway run from?
A public subnet (it needs a public IP and a route to the IGW)
What is the resiliency of a NAT gateway by default?
AZ resilient: a NAT gateway runs in one AZ
Is a NAT gateway region resilient? If not, how would you make it region resilient?
No. Deploy a NATGW in each AZ and give each AZ's private subnets a route table pointing at their own NATGW
Why were NAT gateways created?
Public IPv4 addresses are running out
NAT is a set of processes remapping source or destination IPs
IP masquerading: hiding a whole CIDR block behind a single IP
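The two address rewrites the deck describes, the IGW's static 1:1 NAT (from the internet gateway cards) and the NAT gateway's many-to-one masquerading, as an added Python model that is not AWS code or part of the original deck. It shows why an unsolicited inbound connection reaches a public instance through the IGW but is dropped by the NAT gateway, and how two private instances using the same source port are kept apart by the translated port. All addresses are made-up documentation ranges.

```python
import ipaddress

# Added example (not AWS code): the two address rewrites described on the cards.
# An internet gateway performs static 1:1 NAT (one public IPv4 per private IPv4,
# so unsolicited inbound traffic can reach the instance); a NAT gateway hides a
# whole private CIDR behind one public IP, keyed by a translated source port, so
# only replies to flows started from inside get in. Packets are
# (src_ip, src_port, dst_ip, dst_port) tuples; all addresses are constructed.


class InternetGateway:
    """Static 1:1 NAT. The instance OS never sees the public address."""
    def __init__(self, public_by_private):
        self.public_by_private = dict(public_by_private)
        self.private_by_public = {pub: priv for priv, pub in public_by_private.items()}

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        if src not in self.public_by_private:
            return None                              # no public IPv4 on this instance: dropped
        return (self.public_by_private[src], sport, dst, dport)

    def inbound(self, pkt):
        src, sport, dst, dport = pkt
        if dst not in self.private_by_public:
            return None
        # 1:1 mapping: even a brand-new inbound connection is forwarded
        return (src, sport, self.private_by_public[dst], dport)


class NatGateway:
    """Many-to-one NAT (IP masquerading) with a translation table."""
    def __init__(self, public_ip, private_cidr, first_port=1024):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_cidr)
        self.next_port = first_port
        self.by_public_port = {}   # translated port -> (priv_ip, priv_port, dst, dport)
        self.by_flow = {}          # (priv_ip, priv_port, dst, dport) -> translated port

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        if ipaddress.ip_address(src) not in self.private_net:
            return None
        flow = (src, sport, dst, dport)
        if flow not in self.by_flow:                 # first packet of a new flow
            self.by_flow[flow] = self.next_port
            self.by_public_port[self.next_port] = flow
            self.next_port += 1
        return (self.public_ip, self.by_flow[flow], dst, dport)

    def inbound(self, pkt):
        src, sport, dst, dport = pkt
        flow = self.by_public_port.get(dport)
        if dst != self.public_ip or flow is None:
            return None                              # nobody inside started this: dropped
        priv_ip, priv_port, orig_dst, orig_dport = flow
        if (src, sport) != (orig_dst, orig_dport):
            return None                              # reply must come from the host we contacted
        return (src, sport, priv_ip, priv_port)


def demo():
    """One public instance behind an IGW and two private instances behind a NATGW."""
    igw = InternetGateway({"10.16.0.10": "203.0.113.5"})
    nat = NatGateway("203.0.113.9", "10.16.16.0/20")
    # public instance: outbound, and an unsolicited inbound SSH connection, both pass the IGW
    igw_out = igw.outbound(("10.16.0.10", 50000, "198.51.100.1", 443))
    igw_in = igw.inbound(("198.51.100.1", 22, "203.0.113.5", 22))
    # two private instances using the same source port share one public IP
    nat_out_a = nat.outbound(("10.16.16.20", 50000, "198.51.100.1", 443))
    nat_out_b = nat.outbound(("10.16.16.21", 50000, "198.51.100.1", 443))
    reply_a = nat.inbound(("198.51.100.1", 443, "203.0.113.9", nat_out_a[1]))
    unsolicited = nat.inbound(("198.51.100.1", 22, "203.0.113.9", 22))
    return igw_out, igw_in, nat_out_a, nat_out_b, reply_a, unsolicited


if __name__ == "__main__":
    for label, pkt in zip(("igw out", "igw in", "nat out a", "nat out b", "nat reply a", "nat unsolicited"), demo()):
        print(f"{label}: {pkt}")
```

The IGW never touches the instance's own configuration: the private address stays on the ENI and the rewrite happens at the gateway, which is why an EC2 instance cannot see its public IPv4. The NAT gateway's inbound path has nothing to translate an unsolicited packet to, so it is dropped; this, not a firewall rule, is what keeps the private subnet unreachable from the internet.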