VIRTUAL PRIVATE CLOUD (VPC) BASICS

Question 1

What are some considerations for VPC structure before creation ?

Answer 1

what size should the VPC be

Are there any networks we can’t use

VPC minimum /28(16 IPs) , maximum /16(65456 IPs)

Avoid common ranges

reserved 2+ networks per region being used per account

Question 2

your business Animals 4 Life has offices in 3 us regions regions, 1 Europe region, and 1 Australia region what would there total IP ranges be ?

Answer 2

40 IP Ranges

Question 3

custom VPC

Answer 3

regional service All AZ in the region

isolated network

Northing in or out without explicit configuration

Default or Dedicated Tenancy

Question 4

Default Tenancy

Answer 4

you can decide on a per resource level weather it goes on shared or dedicated hardware

Question 5

Dedicated Tenancy

Answer 5

on a VPC level any resource that you create has to be on dedicated hardware which is a cost premium

Question 6

AWS configuration Custom VPC

Answer 6

IPv4 Private CIDR block and Public IPS

! Primary Private IPv4 CIDR Block

Min/28(16IP) Max /16 (55,536 IP)

optional secondary IPv4 Block

optional single assigned IPv6/56 CIDR Block(IPv6 are only public)

Question 7

DNS in a AWS custom VPC

Answer 7

provided by R53

VPC Base IP +2 address

Question 8

enableDnsHostnames

Answer 8

gives instances DNS names

Question 9

enableDnsSupport

Answer 9

enables DNS resolution in VPC

Question 10

VPC Subnets

Answer 10

subnets are what services run from inside VPC’s and their are how you add structure, functionality and resilience to VPC’s

Question 11

VPC Subnet resiliency

Answer 11

AZ resilient

Question 12

Can a subnet be in Multiple AZ ?

Answer 12

No, one subnet is created in a specific AZ in a region and it can never be changed.

Question 13

Auto Assign public IPv4

Answer 13

decided if the subnet assigns public IPv4 in addition to their private subnet automatically

Question 14

auto assign IPv6

Answer 14

decides if the subnet assigns IPV6 addresses the subnet and the VPC has to have that allocated also for to work

Question 15

How many subnets can a AZ have ?

Answer 15

One AZ can have 0 to many Subnets

Question 16

How does a subnet handle networking ?

Answer 16

By default the subnet is allocated an IPv4 CIDR

Question 17

What are the constraints of a Subnet CIDR

Answer 17

has to be a subset of the VPC CIDR

Question 18

Can the CIDR range of two subnets in the same VPC overlap?

Answer 18

no, subnets can’t overlap with other subnets

Question 19

Can two subnets within a VPC communicate with each other ?

Answer 19

free communication between subnets by default

Question 20

What are the 5 unusable addresses in a subnet ?

Answer 20

1. Network Address (start of network)
2. Network +1 - VPC Router
3. Network +2 - Reserved(DNS*)
4. Network +3 - Reserved Future Use
5. Broadcast Address (Last IP in Subnet )

Question 21

DHCP option set

Answer 21

Dynamic Host Configuration Protocol how computing devices receive IP addresses Automatically.

Question 22

Where is DHCP options sets applied ?

Answer 22

At the VPC level flows down through subnets

Question 23

How can you update the DHCP option set configurations?

Answer 23

you can create option sets but you can’t change them

if you want to change the option set you would have to make a new one and attach it to VPC

Question 24

VPC Router

Answer 24

Routes traffic between subnets controls by route table attached to subnet

Question 25

VPC Route Table

Answer 25

the default route table that is attached to a subnet if one is not specified

Question 26

How many route tables can be attached to a subnet ?

Answer 26

one route table

Question 27

Can two subnets within a VPC have the same route table attached ?

Answer 27

yes, a route table can be associated with many subnets

Question 28

What does a route table to ?

Answer 28

it controls what happens to data as it leaves the subnet or subnets that the route table is associated with.

Question 29

How is data routed in a route table

Answer 29

The more specific the route the higher the priority

Question 30

Internet Gateway

Answer 30

manages traffic between the VPC and the internet or AWS public zones

Question 31

How are IPv4 public addresses handled through IGW ?

Answer 31

Public IPv4 address are attached on the IGW it maintains a record of the associated Private IPv4 address attached on a instance.

Question 32

Is it possible to configure a public IPv4 address on an EC2 instance running from within a subnet ?

Answer 32

No, at no point is an EC2 instance aware of it’s public IPv4 address.

Question 33

Bastion Host/Jump Box

Answer 33

An EC2 instance in a public subnet

allows connectivity to internal VPC resources

Question 34

Stateless FireWall

Answer 34

doesn’t understand the state of connection weather it’s request or response because of this there needs to be two security rules (IN, Out)

Question 35

Stateful FireWalls

Answer 35

knows which components are the request and response

firewall automatically picks up which port is being used and allows it.

lower admin overhead

Question 36

What are NACLS?

Answer 36

Network Access Control List is a traditional stateless firewall within AWS

Question 37

What Kind of traffic are impacted by NACLS ?

Answer 37

Traffic crossing the subnet boundary inbound or outbound

Question 38

How are rules processed in NCAL

Answer 38

Rules are processed in order, lowest rule number first

Question 39

What happens when the traffic entering the NACL doesn’t match any of the rules ?

Answer 39

explicate deny

Question 40

What are the requirements for creating a NACL rule?

Answer 40

Each communication needs 1 request rule and 1 Response rule (application port and ephemeral port) for each communication type that occurs within a VPC, to a VPC and from a VPC.

Question 41

How is the Default NACL configured for VPC

Answer 41

inbound and Outbound Rules have the implicit deny(*) and an Allow All rule.

The result- all traffic is allowed, the NACL has no effect.

Question 42

Could a NACL be attached to AWS renounces

Answer 42

No, there only can be attached to subnets

Question 43

How many NACLS can be associated to a Subnet

Answer 43

each subnet can have one NACL(default or custom)

Question 44

How many subnets can be associated with a NACL

Answer 44

A NACL can be associated with many subnets

Question 45

What are security Groups ?

Answer 45

Stateful firewall that detect response traffic automatically allowed(in or out)

Question 46

What can security groups be attached to ?

Answer 46

anything that has a Elastic Network

Question 47

What is one of the limitations for security Groups?

Answer 47

No explicitly deny only allow or implicit Deny

It can’t block specific bad actors for that NACL’s are used

Question 48

What are 2 benefits of using a Security group ?

Answer 48

it can refence other SG in rules as well itself

can be attached to logical resources

Question 49

What is Network Address Translation (NAT)

Answer 49

give private CIDR range outgoing internet access

Question 50

Can connections be initiated from a private EC2 instance after NAT is enabled ? If Not why ?

Answer 50

connection can received response data but you can not imitate connections from the public internet

Question 51

Where is an NAT gateway run from ?

Answer 51

Runs from a public subnet

Question 52

What is the resiliency of a NAT Gateway by default ?

Question 53

Is a NAT gateway region resilient ? and if not how would you make it region resilient ?

Answer 53

NATGW in each AZ

Question 54

Why were NAT Gateway’s created ?

Answer 54

public IPv4 addressed running out

NAT is a set of proccesses reampaping src or dist ips

IP masquerading hiding CIDR Block behind IP