VPC Flashcards
Definition of VPC
Virtual Private Cloud. Logically isolated data center in the cloud
Default components of VPC
Default Created: default Main Route Table, Network ACL, Security Group
Not Created: IGW, Subnets
Number of AZ to Subnet
1 Subnet = 1 AZ
Cannot have multiple AZ in a subnet.
Can have multiple subnets in an AZ
When creating a Load Balancer in a custom VPC, how many subnets are needed? Of what type?
At least 2 public subnets
Number of AWS reserved IPs in a subnet
5
Can a Security Group span VPCs?
SGs cannot span multiple VPCs
3 configs needed for setting up NAT instances
- Disable source/destination checks
- Be in a public subnet
- Route in route table from private subnet to NAT instance (dest 0.0.0.0/0, target nat instance)
How to resolve a bottleneck in network traffic on a NAT instance?
Amount of traffic supported by a NAT instance depends on the instance size. Increase size.
What level does NACL operate on?
Subnet Level in VPC
What level do Security Groups operate on?
Instance Level in VPC
NACL is considered what type of state? Why?
Stateless, as you need to add both inbound and outbound rules
Security Groups are considered what type of state? Why?
Stateful, as you can only add explicit allow rules for inbound, and outbound is open to all by default (unless you remove that rule)
What is the smallest subnet you can have? The largest?
smallest: /28
largest: /16
What is VPC Peering?
VPC peering lets you connect one VPC to another over private IP addresses, in the same or a different account and in the same or a different region, as if they were the same network
What are 4 restrictions on VPC peering?
- CIDR address ranges cannot overlap or match between VPCs
- There is no transitive peering
- VPC peering is one to one; you can't have more than 1 peering connection between the same 2 VPCs
- VPC peering does not extend to Edge to Edge routing connections
How are rules in a Security group evaluated?
All rules are taken into account before evaluation
How are rules in a NACL evaluated?
NACLs are evaluated in rule-number order. If you want to Deny, it must come before the Allow; a subsequent Deny for the same traffic won't work.
What are the inbound rules on a default SG?
Default SG has an inbound rule to allow all traffic within the same VPC
What is a NAT Instance?
An individual EC2 instance in the public subnet allowing outbound from a private subnet to the internet
What is a NAT gateway?
A managed multi AZ gateway in the public subnet allowing outbound only connections from private to internet
What would a HA NAT instance setup need?
Autoscaling Group, automated failover script, different public subnets in different AZs
What are the 2 types of VPC Endpoints?
- Interface Endpoint
- Gateway Endpoint
What is a Gateway Endpoint?
It is a VPC endpoint that lets resources with a private IP in a private subnet connect to a public-zone AWS service without going through the internet (NAT gateway, IGW, VPN, etc.). It uses routing via a route table entry.
What is an Interface Endpoint?
A VPC endpoint for connecting to AWS services other than S3 or DynamoDB, using a private ENI IP in a private subnet without going through a gateway or the internet. Uses a DNS name, not a route table routing prefix.
What 3 levels does VPC Flow Logs monitor traffic metadata on?
VPC, Subnet, Network Interface levels
How would you connect to a private subnet from a corporate datacenter?
Attach a virtual private gateway to the VPC and establish a VPN connection
How can you block specific IP addresses? Can you use an SG?
Use a NACL to explicitly deny specific IPs; an SG can't be used for this, since it can only allow IP ranges