VPC Flashcards

1
Q

Definition of VPC

A

Virtual Private Cloud. Logically isolated data center in the cloud

2
Q

Default components of VPC

A

Default Created: default Main Route Table, Network ACL, Security Group

Not Created: IGW, Subnets

3
Q

Number of AZ to Subnet

A

1 Subnet = 1 AZ
Cannot have multiple AZ in a subnet.
Can have multiple subnets in an AZ

4
Q

When creating a Load Balancer in a custom VPC, how many subnets are needed? Of what type?

A

At least 2 public subnets

5
Q

Number of AWS reserved IPs in a subnet

A

5

6
Q

Can a Security Group span VPCs?

A

SGs cannot span multiple VPCs

7
Q

3 configs needed for setting up NAT instances

A
  1. Disable source/destination checks
  2. Be in a public subnet
  3. Route in route table from private subnet to NAT instance (dest 0.0.0.0/0, target nat instance)
8
Q

How to resolve a bottleneck in network traffic on a NAT instance?

A

Amount of traffic supported by a NAT instance depends on the instance size. Increase size.

9
Q

What level does NACL operate on?

A

Subnet Level in VPC

10
Q

What level does Security Groups operate on?

A

Instance Level in VPC

11
Q

NACL is considered what type of state? Why?

A

Stateless, as you need to add both inbound and outbound rules

12
Q

Security Groups is considered what type of state? Why?

A

Stateful, as you can only add explicit allow inbound rules, and outbound is open to all (unless you remove it)

13
Q

What is the smallest subnet you can have? The largest?

A

smallest: /28
largest: /16

14
Q

What is VPC Peering?

A

VPC peering allows you to connect a VPC to another VPC by private IP addresses, in the same or a different account and in the same or a different region, as if they were the same network

15
Q

What are 4 restrictions on VPC peering?

A
  1. CIDR address ranges cannot overlap or match between VPCs
  2. There is no transitive peering
  3. VPC peering is one to one; you can't have more than 1 connection between the same 2 VPCs
  4. VPC peering does not extend to Edge to Edge routing connections
16
Q

How are rules in a Security group evaluated?

A

All rules are taken into account before evaluation

17
Q

How are rules in a NACL evaluated?

A

NACL is evaluated based on order number. If you want to Deny, it must come before the Allow. A subsequent Deny for the same traffic won't work.

18
Q

What are the inbound rules on a default SG?

A

Default SG has an inbound rule to allow all traffic within the same VPC

19
Q

What is a NAT Instance?

A

An individual EC2 instance in the public subnet allowing outbound from a private subnet to the internet

20
Q

What is a NAT gateway?

A

A managed multi AZ gateway in the public subnet allowing outbound only connections from private to internet

21
Q

What would a HA NAT instance setup need?

A

Autoscaling Group, automated failover script, different public subnets in different AZs

22
Q

What are the 2 types of VPC Endpoints?

A
  1. Interface Endpoint
  2. Gateway Endpoint

23
Q

What is a Gateway Endpoint?

A

It is a VPC endpoint that uses a private IP in a private subnet to connect to a public-zone AWS service without going through the internet (NAT gateway, IGW, VPN, etc.). Uses routing with the route table.

24
Q

What is an Interface Endpoint?

A

A VPC endpoint to connect to everything else other than S3 or DynamoDB, using a private ENI IP in a private subnet without having to go through a gateway/internet. Uses a DNS name, not a route table routing prefix.

25
Q

What 3 levels does VPC Flow Logs monitor traffic metadata on?

A

VPC, Subnet, Network Interface levels

26
Q

How would you connect to a private subnet from a corporate datacenter?

A

Attach a virtual private gateway to the VPC and establish a VPN connection

27
Q

How can you block specific ip addresses? Can you use SG? **

A

Use a NACL to explicitly deny specific IPs; a SG can't be used for this and can only allow IP ranges

28
Q

What IP reservations does AWS do in a subnet?

A

The first 4 and the last IP addresses are reserved

30
Q

What is the largest subnet you can have? What is the smallest?

A

/16 is the largest and /28 is the smallest

31
Q

How many IGW can a subnet have? Can you increase internet throughput by attaching more IGW?

A

A subnet can only have 1 IGW, and throughput can’t be increased by attaching more.

32
Q

Why do you need auto-assign IPv4 turned on in a subnet?

A

To be able to have any new instances in the public subnet be publicly accessible

33
Q

At what level do you provision your NAT gateway? VPC, AZ, Subnet level?

A

You provision it in the public subnet, and a subnet can be in only 1 AZ

34
Q

What route table entry do you add for access to the internet by NAT Gateway?

A

Destination: 0.0.0.0/0
Target: NAT gateway ID

35
Q

Are NAT Gateways redundant in an AZ?

A

Yes they are

36
Q

Are NAT Gateways associated with any security groups?

A

No they are not

37
Q

What is automatically assigned to a NAT Gateway?

A

A public ip address

38
Q

What sequence of debugging should you take for network issues?

A

Check route table, NACL, Security Groups

39
Q

What is a Security Group? What are the defaults for the default SG? For the custom SG?

A

It is a virtual firewall for an EC2 instance. Default: everything is allowed. Default for custom: everything is blocked

40
Q

What are Security Groups? Stateful or Stateless?

A

Stateful

41
Q

What does it mean if SG are Stateful?

A

It means that, regardless of the outbound rules set, the SG will allow response traffic to flow out if the request was from the instance

42
Q

What is a NACL?

A

It is an optional firewall layer that protects at a subnet level, controlling network traffic in and out

43
Q

What rules are in the default NACL in a newly created VPC?

A

Allows all inbound and outbound traffic

44
Q

What rules are in a newly created NACL?

A

All inbound and outbound traffic is denied

45
Q

How many NACLS can be attached to a Subnet?

A

Only 1 NACL

46
Q

How many Subnets can use a single NACL?

A

Multiple subnets can use the same NACL

47
Q

What happens if a Subnet is not assigned a NACL?

A

The default NACL is attached, a subnet must have a NACL

48
Q

In what order are rules evaluated in a NACL?

A

Evaluated starting lowest number first

49
Q

Are NACLS stateless or stateful?

A

Stateless, separate inbound and outbound rules

50
Q

Since NACLS are stateless what else needs to be added on outbound rules?

A

A rule for ephemeral ports needs to be added to the outbound rules

51
Q

What happens if you associate a new NACL with a subnet that already has one associated?

A

The new NACL will replace the old one attached to the subnet.

52
Q

What are VPC Endpoints? Are public IPs needed?

A

Feature that enables you to use PrivateLink for traffic to go through the AWS backbone without going over the Internet. Instances in a VPC don't need a public IP for this.

53
Q

What are Endpoint Devices?

A

HA, scalable, doesn’t impose bandwidth restrictions (unlike NAT Gateway)

54
Q

What are the 2 ways you can connect VPCs?

A
  1. Open VPCs up to the internet
  2. Use VPC Peering

55
Q

What are the 2 major cons of using VPC Peering?

A
  1. Peering tens to hundreds of connections is difficult to manage
  2. Entire VPC is accessible
56
Q

What should you use if you need tens to hundreds of service VPCs to customer VPCs?

A

Use PrivateLink which doesn’t need VPC peering, NAT gateways, IGW, route tables

57
Q

What are the 2 things you need to setup PrivateLink?

A
  1. Service VPC needs an NLB
  2. Customer VPC needs an ENI

58
Q

What is VPC Peering?

A

A way to connect a VPC with another by direct route and private IPs; acts like they are on the same network

59
Q

What topology configuration is VPC Peering? What restriction does this put?

A

Star configuration (hub and spoke), with no edge to edge routing and no transitive peering

60
Q

What VPCs can you peer with?

A

VPC in another account, same account, another region

61
Q

What is the CIDR restriction for VPC peering?

A

Can’t have overlapping CIDR ranges

62
Q

What is VPN CloudHub?

A

Service that aggregates multiple VPN sites together via a Hub and Spoke model over the public internet (sites can access one another)

63
Q

What thing does a VPC need to use VPN Cloud Hub? What things does the customer need?

A

VPC needs a VPGW and customer needs a CGW

64
Q

What are 2 reasons to use Direct Connect?

A
  1. Need high throughput
  2. Need a reliable/stable and secure connection

65
Q

What are the 2 types of direct connections?

A
  1. Dedicated Connection: single customer
  2. Hosted Connection: connection with an AWS partner on behalf of the customer

66
Q

What is Transit Gateway used for?

A

Simplifying network topology of on-prem and VPCs through a central hub

67
Q

What 2 things does Transit Gateway enable that VPC peering doesn't?

A
  1. IP Multicast
  2. Transitive peering

68
Q

What can you use to limit how one VPC talks to another?

A

You can use route tables

69
Q

** HA with NAT Gateway

A

You will need an AZ-independent architecture by having a NAT Gateway in each AZ, with resources using the gateway in the AZ they are in