VPC Flashcards
Definition of VPC
Virtual Private Cloud. Logically isolated data center in the cloud
Default components of VPC
Created by default: a main route table, a default network ACL and a default security group
Not created: an Internet Gateway (IGW) and subnets; a custom VPC has no path to the internet until you add both
Number of AZ to Subnet
1 Subnet = 1 AZ
Cannot have multiple AZ in a subnet.
Can have multiple subnets in an AZ
When creating a Load Balancer in a custom VPC, how many subnets are needed? Of what type?
At least 2 subnets, each in a different AZ; for an internet-facing load balancer they must be public subnets (route to the IGW)
Number of AWS Reserved IP’s in a Subnet
5
Can a Security Group span VPC’s?
SG’s cannot span multiple VPC’s
3 needed Configs for setting up NAT Instances
- Disable source/destination checks
- Be in a public subnet
- Route in route table from private subnet to NAT instance (dest 0.0.0.0/0, target nat instance)
How to resolve a bottleneck in network traffic on a NAT instance?
Amount of traffic supported by a NAT instance depends on the instance size. Increase size.
What level does NACL operate on?
Subnet Level in VPC
What level does Security Groups operate on?
Instance Level in VPC
NACL is considered what type of state? Why?
Stateless: return traffic is not tracked, so a matching rule must exist in both the inbound and the outbound direction for a connection to work
Security Groups is considered what type of state? Why?
Stateful: only the request is matched against the (allow-only) rules; the return traffic of an allowed connection is tracked and permitted automatically, whatever the rules in the other direction say
What is the smallest subnet you can have? The largest?
smallest: /28
largest: /16
What is VPC Peering?
VPC peering connects two VPCs (same or different account, same or different region) by private IP addresses, so they route to each other as if they were one network
What are 4 restrictions on VPC peering?
- CIDR blocks of the two VPCs cannot overlap or match
- No transitive peering: A peered with B and B peered with C does not let A reach C
- Peering is one to one: only one peering connection between any two VPCs
- No edge-to-edge routing: you can't reach the internet, a VPN or Direct Connect through the peer VPC's gateway
How are rules in a Security group evaluated?
All rules are evaluated together as one set; order does not matter, and because SG rules are allow-only, a packet that matches any rule is permitted
How are rules in a NACL evaluated?
NACL rules are evaluated in ascending rule-number order and the first match wins. A Deny must therefore have a lower number than the Allow it is meant to override; a Deny numbered after a matching Allow is never reached.
What are the inbound rules on a default SG?
The default SG allows inbound traffic only from other resources that are assigned the same default SG (not from the whole VPC); all outbound traffic is allowed
What is a NAT Instance?
An individual EC2 instance in the public subnet allowing outbound from a private subnet to the internet
What is a NAT gateway?
A managed NAT device in a public subnet, redundant within its single AZ (not multi-AZ; deploy one per AZ for HA), allowing outbound-only connections from private subnets to the internet
What would a HA NAT instance setup need?
Autoscaling Group, automated failover script, different public subnets in diff AZ’s
What are the 2 types of VPC Endpoints?
1. Interface Endpoint
2. Gateway Endpoint
What is an Gateway Endpoint?
A VPC endpoint for S3 and DynamoDB. It is a target in the subnet's route table (via an AWS-managed prefix list) rather than an ENI, so instances in a private subnet reach the service over the AWS network without an IGW, NAT gateway or VPN
What is an Interface Endpoint?
A VPC endpoint for most other AWS services (S3 and DynamoDB are the services that use gateway endpoints). It is an ENI with a private IP in your subnet (AWS PrivateLink); traffic is directed to it by DNS name, not by a route-table prefix, and needs no gateway or internet path
What 3 levels does VPC Flow Logs monitor traffic metadata on?
VPC, Subnet, Network Interface levels
How would you connect to a private subnet from a corporate datacenter?
Attach a virtual private gateway to the VPC and establish a VPN connection
How can you block specific ip addresses? Can you use SG? **
Use a NACL with an explicit Deny rule for those IPs (numbered below any Allow that would also match). An SG can't do this: its rules are allow-only, so it can only narrow which source ranges are permitted
What IP reservations does AWS do in a subnet?
the first 4 and the last IP addresses are reserved
What is the largest subnet you can have? What is the smallest?
/16 is the largest and /28 is the smallest
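The two cards above (subnet size limits and the five reserved addresses) and the peering CIDR restriction are easy to get wrong by hand. The following is an added example, not part of the original flashcards or any AWS code: it uses Python's standard `ipaddress` module to enforce the /16 to /28 limit, list the reserved addresses of a subnet, count what is left for hosts, and check whether two VPC CIDRs are peerable. The function and constant names are my own; the sample CIDRs are constructed.

```python
import ipaddress

# AWS limits for IPv4 VPC and subnet CIDR blocks: /16 is the largest, /28 the smallest.
LARGEST_PREFIX, SMALLEST_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def vpc_subnet(cidr):
    """Parse a subnet CIDR and enforce the AWS size limits. strict=True rejects a
    CIDR whose host bits are set (e.g. 10.0.1.5/24), which the console rejects too."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: subnet must be between /{LARGEST_PREFIX} and /{SMALLEST_PREFIX}")
    return net


def is_valid_subnet(cidr):
    """Boolean form of vpc_subnet() for callers that just want a yes/no."""
    try:
        vpc_subnet(cidr)
        return True
    except ValueError:
        return False


def reserved_addresses(cidr):
    """The first four and the last address of every subnet, with what AWS uses them for."""
    net = vpc_subnet(cidr)
    base = int(net.network_address)
    return {
        "network":    str(net.network_address),            # .0   network address
        "vpc_router": str(ipaddress.ip_address(base + 1)),  # .1   VPC router
        "dns":        str(ipaddress.ip_address(base + 2)),  # .2   Amazon-provided DNS
        "future_use": str(ipaddress.ip_address(base + 3)),  # .3   reserved for future use
        "broadcast":  str(net.broadcast_address),          # last: broadcast (unsupported in a VPC)
    }


def usable_hosts(cidr):
    """Addresses you can actually assign to ENIs after the five reservations."""
    return vpc_subnet(cidr).num_addresses - RESERVED_PER_SUBNET


def peering_cidrs_compatible(vpc_a_cidr, vpc_b_cidr):
    """VPC peering is refused when the two VPCs' CIDR blocks overlap or are identical."""
    a = ipaddress.ip_network(vpc_a_cidr, strict=True)
    b = ipaddress.ip_network(vpc_b_cidr, strict=True)
    return not a.overlaps(b)


if __name__ == "__main__":
    # Constructed sample inputs.
    print(reserved_addresses("10.0.1.0/24"))
    print(usable_hosts("10.0.1.0/24"), usable_hosts("10.0.2.0/28"))   # 251 11
    print(is_valid_subnet("10.0.0.0/29"), is_valid_subnet("10.0.0.0/15"))  # False False
    print(peering_cidrs_compatible("10.0.0.0/16", "10.1.0.0/16"))      # True
    print(peering_cidrs_compatible("10.0.0.0/16", "10.0.5.0/24"))      # False
```

The /28 case is the one to remember: 16 addresses minus 5 reserved leaves only 11 usable, which is why tiny subnets fill up faster than the prefix suggests.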
How many IGW can a subnet have? Can you increase internet throughput by attaching more IGW?
Only one IGW can be attached to a VPC; a subnet is "public" because its route table routes 0.0.0.0/0 to that IGW. Throughput can't be increased by attaching more: the IGW is already horizontally scaled and redundant.
Why do you need auto assign ipv4 turned on in a subnet?
To be able to have any new instances in the public subnet be publicly accessible
At what level do you provision your NAT gateway? VPC, AZ, Subnet level?
In a specific public subnet, which means a specific AZ (a subnet lives in exactly one AZ); for HA you provision one NAT gateway per AZ
What route table entry do you add for access to the internet by NAT Gateway?
dest: 0.0.0.0/0
target: nat gateway id
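The NAT route above only works because the VPC router picks the most specific matching route, so the `local` route for the VPC CIDR still wins for intra-VPC traffic and only everything else falls through to the NAT gateway. Here is an added example, not from the original flashcards or any AWS tooling, that simulates that longest-prefix lookup over constructed route tables. The route targets (`nat-gateway-id`, `igw-id`, `pcx-id`) are placeholders, not real resource IDs, and `198.51.100.1` is a documentation address standing in for "some host on the internet".

```python
import ipaddress


def route_lookup(route_table, dst_ip):
    """Pick the most specific matching route (longest prefix match), as the VPC
    router does. Returns the route target, or None when nothing matches, in which
    case the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for destination, target in route_table:
        net = ipaddress.ip_network(destination)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


# Constructed route tables; target IDs are placeholders, not real resources.
VPC_CIDR = "10.0.0.0/16"
LOCAL = (VPC_CIDR, "local")   # present in every VPC route table and cannot be removed

PRIVATE_SUBNET_RT = [LOCAL, ("0.0.0.0/0", "nat-gateway-id")]
PUBLIC_SUBNET_RT = [LOCAL, ("0.0.0.0/0", "igw-id")]
ISOLATED_SUBNET_RT = [LOCAL]                                # no internet path at all
PEERED_SUBNET_RT = [LOCAL, ("10.1.0.0/16", "pcx-id"), ("0.0.0.0/0", "nat-gateway-id")]

INTERNET_HOST = "198.51.100.1"   # documentation address standing in for any non-VPC host


def internet_path(route_table):
    """First question when 'the instance cannot reach the internet': where does
    the subnet's route table send a non-VPC destination? None means no route."""
    return route_lookup(route_table, INTERNET_HOST)


if __name__ == "__main__":
    print(route_lookup(PRIVATE_SUBNET_RT, "10.0.3.7"))     # local (beats 0.0.0.0/0 by prefix length)
    print(internet_path(PRIVATE_SUBNET_RT))               # nat-gateway-id
    print(internet_path(PUBLIC_SUBNET_RT))                # igw-id
    print(internet_path(ISOLATED_SUBNET_RT))              # None
    print(route_lookup(PEERED_SUBNET_RT, "10.1.4.4"))     # pcx-id
```

Note the order in which the routes are listed makes no difference; only prefix length does. That is also why a peering route for `10.1.0.0/16` coexists with a default route: the peer's traffic never touches the NAT gateway.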
Are NAT Gateways redundant in an AZ?
Yes they are
Are NAT Gateways associated with any security groups?
No they are not
What is automatically assigned to a NAT Gateway?
An Elastic IP address (its public IPv4, selected or allocated when the gateway is created) plus a private IP from its subnet
What sequence of debugging should you take for network issues?
Check route table, NACL, Security Groups
What is a Security Group? What are the defaults for the default SG? For the custom SG?
A virtual firewall attached to an EC2 instance's network interface. The default SG allows inbound only from resources in the same default SG and allows all outbound. A new custom SG allows no inbound at all and allows all outbound
What are Security Groups? Stateful or Stateless?
Stateful
What does it mean if SG are Stateful?
Means regardless of outbound rules set, SG will allow response traffic to flow out if the request was from the instance
What is a NACL?
It is an optional firewall layer that protects at a subnet level, controlling network traffic in and out
What rules are in the default NACL in a newly created VPC?
Allows all inbound and outbound traffic
What rules are in a newly created NACL?
All inbound and outbound traffic is denied
How many NACLS can be attached to a Subnet?
Only 1 NACL
How many Subnets can use a single NACL?
Multiple subnets can use the same NACL
What happens if a Subnet is not assigned a NACL?
The default NACL is attached, a subnet must have a NACL
What order are rules evaluated in a NACL?
Evaluated starting lowest number first
Are NACLS stateless or stateful?
Stateless, separate inbound and outbound rules
Since NACLS are stateless what else needs to be added on outbound rules?
An outbound Allow for the ephemeral port range (1024-65535) so that replies to inbound requests can leave; likewise an inbound ephemeral-port rule for replies to connections the subnet initiates
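The NACL ordering card ("a Deny after a matching Allow is never reached"), the stateless/ephemeral-port cards just above and the stateful security group cards describe two different evaluation models. The following is an added example, not part of the original flashcards or of any AWS code, that simulates both: first-match-by-rule-number with an implicit deny for a NACL, and set-based allow-only matching with implicit return traffic for a security group. Rule classes, function names and the rule sets are my own constructions; the IPs are documentation addresses.

```python
import ipaddress
from dataclasses import dataclass

# Port range AWS recommends opening for return traffic in NACL rules.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class NaclRule:
    number: int      # rule number; lower numbers are evaluated first
    action: str      # "allow" or "deny"; NACLs support both
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple     # inclusive (low, high) destination port range


@dataclass(frozen=True)
class SgRule:
    protocol: str    # as above; security group rules are allow-only, so no action field
    cidr: str
    ports: tuple


def _matches(protocol, cidr, ports, proto, ip, port):
    """Shared match used by both rule types."""
    return (protocol in ("-1", proto)
            and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
            and ports[0] <= port <= ports[1])


def nacl_evaluate(rules, proto, ip, port):
    """Evaluate one NACL direction. Rules are tried in ascending rule-number order
    and the first match decides; a deny numbered after a matching allow is never
    reached. If nothing matches, the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.protocol, rule.cidr, rule.ports, proto, ip, port):
            return rule.action
    return "deny"


def nacl_allows_connection(inbound, outbound, client_ip, client_port, server_port, proto="tcp"):
    """NACLs are stateless: the request (inbound, dst port = server_port) and the
    reply (outbound, dst = client, dst port = the client's ephemeral port) are two
    independent checks and both must pass."""
    request_ok = nacl_evaluate(inbound, proto, client_ip, server_port) == "allow"
    reply_ok = nacl_evaluate(outbound, proto, client_ip, client_port) == "allow"
    return request_ok and reply_ok


def sg_allows_connection(inbound, client_ip, server_port, proto="tcp"):
    """Security groups are stateful: only the request is checked, against the whole
    rule set at once (order is irrelevant, any matching allow wins); the reply is
    tracked and allowed regardless of outbound rules. There is no deny to express."""
    return any(_matches(r.protocol, r.cidr, r.ports, proto, client_ip, server_port)
               for r in inbound)


# Constructed sample rule sets (not from any real account).
ALLOW_HTTPS_ANY = NaclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443))
DENY_BAD_NET_HTTPS = NaclRule(200, "deny", "tcp", "203.0.113.0/24", (443, 443))

# Wrong: the deny is numbered after an allow that already matches, so it never fires.
INBOUND_DENY_TOO_LATE = [ALLOW_HTTPS_ANY, DENY_BAD_NET_HTTPS]
# Right: give the deny a lower number so it is evaluated first.
INBOUND_DENY_FIRST = [NaclRule(90, "deny", "tcp", "203.0.113.0/24", (443, 443)), ALLOW_HTTPS_ANY]

# Outbound without an ephemeral-port rule: replies to inbound HTTPS are dropped.
OUTBOUND_NO_EPHEMERAL = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]
OUTBOUND_WITH_EPHEMERAL = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", EPHEMERAL_PORTS)]

SG_HTTPS_ONLY = [SgRule("tcp", "0.0.0.0/0", (443, 443))]


if __name__ == "__main__":
    print(nacl_evaluate(INBOUND_DENY_TOO_LATE, "tcp", "203.0.113.10", 443))  # allow
    print(nacl_evaluate(INBOUND_DENY_FIRST, "tcp", "203.0.113.10", 443))     # deny
    print(nacl_allows_connection(INBOUND_DENY_FIRST, OUTBOUND_NO_EPHEMERAL,
                                 "198.51.100.7", 54321, 443))                # False
    print(nacl_allows_connection(INBOUND_DENY_FIRST, OUTBOUND_WITH_EPHEMERAL,
                                 "198.51.100.7", 54321, 443))                # True
    print(sg_allows_connection(SG_HTTPS_ONLY, "198.51.100.7", 443))          # True
```

The `INBOUND_DENY_TOO_LATE` case is the classic mistake from the "block an IP" card: the rule exists, but rule 100 already matched, so 200 is never consulted. The missing-ephemeral case is the classic "SG looks fine but the connection hangs" symptom from the debugging card.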
What happens if you associate a new NACL with a subnet that already has one associated?
the new NACL will replace the old attached one on the subnet.
What are VPC Endpoints? Are public ip’s needed?
Feature that enables you to use PrivateLink for traffic to go through the AWS backbone without going on the Internet. Instances in a VPC don’t need a public ip for this.
What are Endpoint Devices?
Highly available and horizontally scaled; they impose no bandwidth limit (unlike a NAT gateway)
What are the 2 ways you can connect VPC’s?
1. Open VPC's up to the internet
2. Use VPC Peering
What are the 2 major cons of using VPC Peering?
- Peering tens to hundreds of connections is difficult to manage
- The entire peered VPC's CIDR becomes reachable, not just the one service you meant to share
What should you use if you need tens to hundreds of service VPCs to customer VPCs?
Use PrivateLink, which needs no VPC peering, NAT gateway, IGW or route-table entries, and exposes only the published service rather than the whole VPC
What are the 2 things you need to setup PrivateLink?
1. Service VPC needs a NLB
2. Customer VPC needs a ENI
What is VPC Peering?
A way to connect a VPC with another by direct route and private ips - acts like on the same network
What topology configuration is VPC Peering? What restriction does this put?
Star configuration (hub and spoke), with no edge to edge routing and no transitive peering
What VPC’s can you peer with?
VPC in another account, same account, another region
What is the CIDR restriction for VPC peering?
Can’t have overlapping CIDR ranges
What is VPN CloudHub?
Service that aggregates multiple VPN sites together via a Hub and Spoke model over the public internet (sites can access one another)
What thing does a VPC need to use VPN Cloud Hub? What things does the customer need?
VPC needs a VPGW and customer needs a CGW
What are 2 reasons to use Direct Connect?
1. need high throughput
2. need reliable/stable and secure connection
What are the 2 types of direct connections?
1. Dedicated Connection - single customer
2. Hosted Connection - connection with AWS partner on behalf of customer
What is Transit Gateway used for?
Simplifying network topology of on-prem and VPCs through a central hub
What 2 things does Transit Gateway enable that vpc peering doesn’t?
1. IP Multicast
2. transitive peering
What can you use to limit how VPC talk to another?
You can use route tables
** HA with NAT Gateway
An AZ-independent architecture: one NAT gateway in each AZ, with each AZ's private subnets routing 0.0.0.0/0 to the NAT gateway in their own AZ, so the loss of one AZ doesn't take out the other AZs' internet path