VPC

Question 1

Abbreviation of VPC?

Answer 1

Virtual Private Cloud

Question 2

What is VPC?

Answer 2

VPC can isolate a section of AWS cloud where we can launch AWS resources.

Question 3

Can we Deny specific IP using Network ACL?

Answer 3

Yes

Question 4

How to connect EC2 in private subnets which has no internet?

Answer 4

Internet Gateway -> Router ->Routing Tables ->Network ACL -> Public Subnet -> Security Group -> EC2 -> Private Subnet ->EC2

Question 5

What is Bastion Host?

Answer 5

EC2 instance of Public Subnet -connect to EC2 instance of Private Subnet.

Question 6

Private reserved IP?

Answer 6

10. 0.0.0
11. 0.0.0
12. 0.0.0

Question 7

Default VPC vs Custom VPC?

Answer 7

Default VPC subnet has access to interest by default.

Each EC2 instance in default vpc has private & public IP address.

Question 8

Default VPC have Internet access?

Answer 8

Yes

Question 9

What is VPC peering?

Answer 9

Connect 1 VPC to another VPC.

Question 10

Main components of VPC?

Answer 10

Internet Gateway
Routing Tables
Network Access Control List
Subnets
Security Groups

Question 11

1 subnet - 1 AZ?

Answer 11

Yes

Question 12

1 subnet - Many AZ?

Answer 12

No

Question 13

Many subnet - 1 AZ?

Answer 13

Yes

Question 14

What is Transitive peering?

Answer 14

VPC - A -> VPC B - A can connect to B.
VPC - A -> VPC B -> VPC C A can not connect to C.
VPC - A -> VPC C - A can connect to C.

Question 15

can we Launch EC2 instance on any of our subnets using VPC?

Answer 15

Yes

Question 16

Can we assign custom IP address for each subnet using VPC?

Answer 16

Yes

Question 17

How we can configure route tables between subnet?

Answer 17

Using VPC

Question 18

Can we create internet gateway & attach to VPC?

Answer 18

Yes

Question 19

Can we enhance security using VPC?

Answer 19

Yes

Question 20

Can we create network Access control list using VPC?

Answer 20

Yes

Question 21

Can we create network Access control list using VPC?

Answer 21

Networking & Content delivery

Question 22

After creating VPC what other components added to new VPC?

Answer 22

Route Table, Network ACL,Security group

Question 23

After creating VPC what other components not added to new VPC?

Answer 23

Subnet, Internet Gateway

Question 24

How many IP AWS reserves for internal purpose?

Answer 24

5

Question 25

10.0.0.0 used for?

Answer 25

Network address

Question 26

10.0.0.1 used for?

Answer 26

VPC Router

Question 27

10.0.0.2 used for?

Answer 27

DNS Server

Question 28

10.0.0.3 used for?

Answer 28

Future use

Question 29

10.0.0.255 used for?

Answer 29

Network broadcast

Question 30

how many Internet gateway can be associated with a VPC?

Answer 30

1

Question 31

Any new subnet will be auto associated with which Route table?

Answer 31

Default Route table

Question 32

Advisable settings for Main route table public accessible/private ?

Answer 32

Private

Question 33

To enable route table to internet what IP need to added with gateway?

Answer 33

“0.0.0.0/0

::/0”

Question 34

IPV6 start with ?

Answer 34

::

Question 35

How to enable internet for subnet?

Answer 35

associate subnet with public route table.

Question 36

To enable IP ping what need to be configured?

Answer 36

ICMP

Question 37

HTTP port

Answer 37

80

Question 38

HTTPS port

Answer 38

443

Question 39

SSH port

Answer 39

22

Question 40

MySQL port

Answer 40

3306

Question 41

Abbreviation of NAT?

Answer 41

Network address translation

Question 42

Purpose of NAT Instance/gateway?

Answer 42

NAT Instance / NAT gateways allows EC2 instance in private subnet to access internet through NAT Instance/gateway.

Question 43

What is NAT Instance?

Answer 43

Single EC2 instance

Question 44

What is NAT Gateway?

Answer 44

Highly available gateway

Question 45

In which subnet we need to provision NAT Instances/gateway?

Answer 45

Public Subnet

Question 46

NAT Instances use which security group?

Answer 46

Public Security Group

Question 47

Can we have Source Destination Check enabled for NAT Instance?

Answer 47

NO it should be turned off for NAT Instance EC2.

Question 48

In which route table we need to map NAT instance/gateway for Internet?

Answer 48

Private Route table to NAT Instance

Question 49

Disadvantage of NAT Instance?

Answer 49

Performance issue & availability is low.

Question 50

Advantage of NAT Gateway?

Answer 50

Highly available & High performance

Question 51

AZ can have many NAT Gateway?

Answer 51

No Only 1.

Question 52

Can NET Gateway auto scale?

Answer 52

Yes

Question 53

Can NET Instance auto scale?

Answer 53

No

Question 54

Can we have Source Destination Check enabled for NAT Gateway?

Answer 54

Not Applicable

Question 55

AZ can have many NAT Instance?

Answer 55

Yes

Question 56

NAT Gateway use which security group?

Answer 56

Security group not involved in NAT Gateway

Question 57

NAT Gateway scale range?

Answer 57

5 Gbps to 45 Gbps

Question 58

Do we get NACL when we create VPC?

Answer 58

Yes

Question 59

What permission do we have when we create NACL?

Answer 59

Allow All

Question 60

All subnet need to linked with NACL?

Answer 60

yes

Question 61

Which NACL will be mapped when we create subnet?

Answer 61

default NACL

Question 62

Can we block IP in NACL?

Answer 62

yes

Question 63

Can we block IP in security groups?

Answer 63

NO

Question 64

1 NACL can hold many subnets?

Answer 64

Yes

Question 65

1 subnet can link multi NACL?

Answer 65

no

Question 66

what is first defense before security group?

Answer 66

NACL

Question 67

How NACL inbound/outbound rules are evaluated?

Answer 67

Chronological order; Rule 100 take precedence of rule 400

Question 68

Load Balancing available in which service?

Answer 68

EC2

Question 69

How many type of Load balancer available in AWS?

Answer 69

3

Question 70

What are the three types of Load balancer available in AWS?

Answer 70

“Application Load Balancer
Network Load Balancer
Classic Load balancer”

Question 71

How many subnet we need to provision load balancer?

Answer 71

We need 2 public facing subnet to create load balancer

Question 72

What is VPC flow log?

Answer 72

VPC flow log allows you to log all IP traffic in & out of VPC

Question 73

Which service is used for VPC flow log?

Answer 73

AWS Cloud watch is used for VPC flow log

Question 74

What are the 3 location where we can create flow log?

Answer 74

“VPC
Subnet
Network Interface level-ENI”

Question 75

Can we store VPC flow log to S3

Answer 75

Yes

Question 76

Can you enable VPC flow log for VPC peer with VPC with other AWS accounts?

Answer 76

No you can once create flow log for VPC peer with in your account.

Question 77

Can you change config of flow log?

Answer 77

No not after creation.

Question 78

Can we monitor all IP traffic in VPC flow log?

Answer 78

No not all traffic is monitored in VPC flow log

Question 79

What IP traffic is not monitor in VPC flow log?

Answer 79

“Traffic related to windows license check
Traffic related to AWS DNS server
Traffic related to 169.254.169.254
traffic related to reserved IP for default VPC router.”

Question 80

What is Bastion Host?

Answer 80

“Bastion host are special purpose computer which are configured to withstand attacks.
It host only proxy server & all other services are removed.”

Question 81

Bastion Host VS NAT Gateway?

Answer 81

“Bastion host can do SSH/RDP

NAT Gate way can do only HTTP/HTTPS”

Question 82

Where we can get Bastion host template?

Answer 82

AWS AMI Marketplace

Question 83

What is Direct Connect?

Answer 83

AWS Direct connect allows you establish dedicated network connect between your datacenter to AWS datacenter

Question 84

Which scenario we need AWS Direct Connect?

Answer 84

Scenario where we have high network traffic between AWS & on premise infrastructure

Question 85

Steps to setup direct connect?

Answer 85

“Create a virtual interface in the direct connect console. This is a PUBLIC Virtual Interface.
Go to VPC console and then VPN connections. Create a Customer gateway.
Create a Virtual Private gateway.
Attach the virtual private gateway to the desired VPC.
select VPN connections and create new VPN connections.
Select the virtual private gateway and the Customer gateway.
Once the VPN is available set up the VPN on the customer gateway or firewall.”

Question 86

What is Global Accelerator?

Answer 86

AWS Global Accelerator is a service which accelerate performance of your application for local & global users.

Question 87

How global Accelerator operates?

Answer 87

AWS Global accelerator direct traffic to optimal end points in AWS network. That improve performance of application for global audience.

Question 88

By default how many static IP will be provided?

Answer 88

2

Question 89

What are the list of component involved in Goal Accelerator?

Answer 89

"Static IP
Accelerator
DNS Name
Network Zone
Listener
Endpoint Group
Endpoint
"

Question 90

What is AWS Global Accelerator-Static IP?

Answer 90

Global Accelerator provide 2 static IP which we can associate with Accelerator.

Question 91

What is AWS Global Accelerator-Accelerator?

Answer 91

Accelerator direct traffic to optimal endpoints over aws global network

Question 92

What is AWS Global Accelerator-DNS Name?

Answer 92

Global Accelerator assign DNA name to each accelerator.

Question 93

What is AWS Global Accelerator-Network Zone?

Answer 93

Its is like AZ; If IP of Network zone is unavailable you can use IP of another Network zone

Question 94

What is AWS Global Accelerator-Listener?

Answer 94

Listener process inbound connection from client to Global Accelerator.

Question 95

What is AWS Global Accelerator-Endpoint Group?

Answer 95

“End point group is associated with a Region;

It contain one or more end points”

Question 96

What is AWS Global Accelerator-Endpoint?

Answer 96

It can be Load balancer, EC2 or Elastic IP.

Question 97

What is traffic dial?

Answer 97

It allocate amount of traffic for end point group.

Question 98

What is client affinity?

Answer 98

User for stateful application. Redirect to same end point

Question 99

What is VPC Endpoint?

Answer 99

“VPC end point allows you to privately connect VPC to Supported AWS Services.
You can access AWS services internally without going to internet.”

Question 100

What runs VPC endpoint?

Answer 100

Private Link

Question 101

What is advantage of VPC endpoint?

Answer 101

Internet gateway, NAT device connection, AWS Direct connect not required to connect VPC to aws service.

Question 102

What type of scaling is supported at VPC endpoint?

Answer 102

Horizontal scaling

Question 103

What are the two types of VPC endpoints?

Answer 103

“Interface Endpoint

Gateway Endpoint”

Question 104

What is interface endpoint?

Answer 104

Interface endpoint is an ENI with private IP that serves as entry point for aws services.

Question 105

What is gateway endpoint?

Answer 105

Its like Net gateway

Question 106

Which services support gateway endpoint?

Answer 106

S3 & dynamo db.

Question 107

What is AWS Private Link?

Answer 107

AWS Private link allows you to securely connect your VPC to 10, 100, 1000 or even more VPC.

Question 108

What are the ways we have to connect our VPC to other VPC?

Answer 108

“Connect to Internet
VPC Peering
AWS Private Link”

Question 109

Disadvantage of connecting VPC to internet ?

Answer 109

Security is compromised

Question 110

Disadvantage of connecting VPC to VPC Peering ?

Answer 110

It is feasible for connecting < 10 VPC

Question 111

what are the requirements for AWS Private link?

Answer 111

You need Network load balancer & your connecting VPC need ENI.

Question 112

What is AWS Transit Gateway?

Answer 112

It allows you to have transitive peering between thousands of VPC and on-premise data center.

Question 113

AWS Transit Gateway works on which model?

Answer 113

Hub-and-Spoke model.

Question 114

What is VPN Cloud Hub?

Answer 114

If you have multiple sites each with its ownVPN connection you can use awsvpn cloud hub to connect those sites together

Question 115

Is Security group is Statefull?

Answer 115

Yes

Question 116

Is NACL is Stateless?

Answer 116

Yes

Question 117

Does AWS support transitive peering?

Answer 117

NO

Question 118

US East 1 A of one Account is different to US East 1 A another account?

Answer 118

Yes

Question 119

Can we span security group across VPC?

Answer 119

NO

Question 120

Does NAT Instance works behind a Security group?

Answer 120

Yes

Question 121

How to improve NAT Instance performance & Availability?

Answer 121

Auto scale group,Multi subnet in different AZ

Question 122

Which of these is NOT a component of the AWS Global Accelerator service?

Answer 122

CloudFront

Question 123

“How many Amazon VPCs are allowed per AWS account per AWS Region? (Before any support requests to increase the number).
“

Answer 123

You can have up to five Amazon VPCs per AWS account per AWS Region, but you can place a support request to increase the number.

Question 124

By default, EC2 instances in new subnets in a custom VPC can communicate with each other across Availability Zones.

Answer 124

In a custom VPC with new subnets in each AZ, there is a route within the route table that supports communication across all subnets/AZs. Additionally, it has a Default SG with an “allow” rule: all traffic, all protocols, all ports, from resource using this default security group.

Question 125

Which of the following offers the largest range of internal IP addresses?

Answer 125

The /16 offers 65,536 possible addresses.

Question 126

You have created a new VPC and launched an EC2 instance into a public subnet. However, you did not assign a public IP to the instance during its creation. What is the easiest way to make your instance reachable from the internet?

Answer 126

An Elastic IP address is a public IPv4 address, which is reachable from the internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet. For example, this allows you to connect to your instance from your local computer. Elastic IP addresses.

Question 127

To save administration headaches, a consultant advises that you leave all security groups in web-facing subnets open on port 22 to 0.0.0.0/0 CIDR. That way, you can connect wherever you are in the world. Is this a good security design?

Answer 127

0.0.0.0/0 would allow ANYONE from ANYWHERE to connect to your instances. This is generally a bad plan. The phrase ‘web-facing subnets’ does not mean just web servers. It would include any instances in that subnet some of which you may not want strangers attacking. You would only allow 0.0.0.0/0 on port 80 or 443 to connect to your public-facing Web Servers, or preferably only to an ELB. Good security starts by limiting public access to only what the customer needs. Please see the AWS Security white paper for complete details.

Question 128

A VPN connection consists of which of the following components?

Answer 128

“A Virtual Private Gateway sits at the edge of your VPC and is a key component when using a VPN. It’s responsible for site-to-site connection from on-premises to a VPC.

A customer gateway is a resource that is installed on the customer side and provides a customer gateway inside a VPC.”

Question 129

How many internet gateways can be attached to a custom VPC?

Answer 129

Since an internet gateway is a highly available VPC component, only one is attachable to a custom VPC.

Question 130

“True or False: You can accelerate your application by adding a second Internet Gateway to your VPC.
“

Answer 130

You can only have one Internet Gateway per VPC.

Question 131

At which of the following levels can VPC Flow Logs be created?

Answer 131

VPC Flow Logs can be created at the VPC, subnet, and network interface levels. VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Question 132

Which of the following is a chief advantage of using VPC gateway endpoints to connect your VPC to services such as S3 and DynamoDB?

Answer 132

In contrast to a NAT gateway, traffic between your VPC and the other services does not leave the Amazon network when using VPC gateway endpoints. A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service (S3 and DynamoDB).

Question 133

Which of the following options allows you to securely administer an EC2 instance located in a private subnet?

Answer 133

A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don’t confuse Bastions and NATs, which allow outside traffic to reach an instance in a private subnet.

Question 134

Which of the following statements are NOT true of EC2 instances in a VPC?

Answer 134

AWS releases your instance’s public IP address when it is stopped, hibernated, or terminated. Your stopped or hibernated instance receives a new public IP address when it is started.

Question 135

Which of the following are true for security groups?

Answer 135

“Security groups control access at the instance-level (as they are associated with network interfaces), they support ““allow”” rules only, and they evaluate all rules before deciding whether to allow traffic into the instance(s).

Security groups operate at the instance level (as they are associated with network interfaces), they support ““allow”” rules only, and they evaluate all rules before deciding whether to allow traffic.”

Question 136

Security groups act like a firewall at the instance level, whereas _________ are an additional layer of security that act at the subnet level. (Fill in the blank with the correct answer.)

Answer 136

NACLs act on the subnet level, while security groups act on the instance level.

Question 137

When peering VPCs, you may peer your VPC only with another VPC in your same AWS account.

Answer 137

You may peer a VPC to another VPC that’s in your same account, or to any VPC in any other account.

Question 138

True or False: An Application Load Balancer must be deployed into at least two Availability Zone subnets.

Answer 138

An Application Load Balancer must be deployed into at least two Availability Zone subnets.

Question 139

What is the purpose of an egress-only internet gateway?

Answer 139

The purpose of an egress-only internet gateway is to allow IPv6 based traffic within a VPC to access the internet, whilst denying any internet based resources to connection back into the VPC.

Question 140

What is the advantage of running your AWS VPN connection through your Direct Connect connection over using the ordinary Internet?

Answer 140

It is likely that if you choose to run your VPN through a Direct Connect from your datacenter to the AWS network that your VPN connection will be both faster, and more secure. However data charges are still incurred whilst using Direct Connect. Additionally Transit Gateway attachments may be made to VPN regardless of if it is through DX or not.

Question 141

You have five VPCs in a ‘hub and spoke’ configuration, with VPC ‘A’ in the center and individually peered with VPCs ‘B’, ‘C’, ‘D’, and ‘E’, which make up the spokes. There are no other VPC connections. Which of the following VPCs can VPC ‘B’ communicate with directly?

Answer 141

As transitive peering is not allowed, VPC ‘B’ can communicate directly only with VPC ‘A’.

Question 142

“True or False: A subnet can span multiple Availability Zones.
“

Answer 142

Each subnet must reside entirely within one Availability Zone and cannot span across zones.

Question 143

When I create a new security group, all outbound traffic is allowed by default.

Answer 143

“By default, a security group includes an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only. If your security group has no outbound rules, no outbound traffic originating from your instance is allowed.
“

Question 144

Which of the following is true?

Answer 144

Security groups are stateful and Network Access Control Lists are stateless. Stateful means if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.

Question 145

What is the name of the AWS Global Accelerator component that services the static IP addresses for your accelerator from a unique IP subnet?

Answer 145

A network zone services the static IP addresses for your accelerator from a unique IP subnet. Similar to an AWS Availability Zone, a network zone is an isolated unit with its own set of physical infrastructure. When you configure an accelerator, by default, Global Accelerator allocates two IPv4 addresses for it. If one IP address from a network zone becomes unavailable due to IP address blocking by certain client networks, or network disruptions, then client applications can retry on the healthy static IP address from the other isolated network zone.

Question 146

When you create a custom VPC, which of the following are created automatically?

Answer 146

When you create a custom VPC, a default Security Group, network access control list (ACL), and route table are created automatically. You must create your own subnets, internet gateway, and NAT gateway (if you need one).

Question 147

“Are you permitted to conduct your own security assessments or penetration tests on your own VPC without alerting AWS first?
“

Answer 147

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services only. You should request authorization for other simulated events

Question 148

In a default VPC, when you launch an EC2 instance and don’t specify a subnet, the EC2 instances are assigned 2 IP addresses at launch. What are they?

Answer 148

“In a default VPC, when you launch an EC2 instance and don’t specify a subnet, it’s automatically launched into a default subnet in your default VPC. The default subnet may MapPublicIPOnLaunch set to the value of true. So when it is launched, a public and private IP is available for the instance.
“