VPC Flashcards
What is CIDR?
What are the 2 pieces of CIDR?
A method for defining IP ranges
The IP and the subnet mask /0 - /32
How do the ranges for subnet masks work when starting at 192.168.0.0?
/32 => Allows for 1 IP (2^0) -> 192.168.0.0
/31 => Allows for 2 IPs (2^1) -> 192.168.0.0 - 192.168.0.1
/30 => Allows for 4 IPs (2^2) -> 192.168.0.0 - 192.168.0.3
/29 => Allows for 8 IPs (2^3) -> 192.168.0.0 - 192.168.0.7
/28 => 16 IPs, /27 => 32 IPs, /26 => 64 IPs, /25 => 128 IPs, /24 => 256 IPs (2^8)
/16 => 65,536 IPs (2^16) -> 192.168.0.0 - 192.168.255.255
/0 => All IPs
In terms of Octets, how do CIDR ranges work?
If you break the IP down into 4 octets from left to right:
/32 means no octet can change (1 IP)
/24 means last octet can change (256 IPs)
/16 means last 2 octets can change (65,536 IPs)
/8 means last 3 octets can change
/0 means all octets can change.
What are some of the important ranges for private IP addresses?
What are the min and max ranges for CIDR on a VPC?
What is the maximum number or CIDRs you can have on a VPC?
What should you be careful of when creating CIDRs?
- 10.0.0.0/8 - Big private networks
- 172.16.0.0/12 - AWS default VPC range
- 192.168.0.0/16 - Home networks
/28 - /16 (16 - 65,536)
5
That they do not overlap with the IP ranges you have defined for your other private networks; otherwise the networks will not be able to communicate.
How many IPs are reserved by AWS per CIDR range?
Exam tip, if you need 29 IP addresses, what CIDR range would you choose?
5
/27
What is an internet gateway?
How many internet gateways can a VPC be attached to?
How many VPCs can an internet gateway be attached to?
It allows resources like EC2 instances in a VPC to connect to the internet. However, this alone isn't enough to provide internet access: the route tables must also be edited.
1
1
What is the AWS default VPC CIDR range?
172.16.0.0/12 - AWS default VPC range
What is a bastion host?
An instance you forward traffic through in order to reach a host on a private network
What is a Network Address Translation (NAT) instance?
Where must the NAT instance be launched?
What setting must be disabled on the EC2 instance?
What else must it have?
Allows an EC2 instance in a private network to connect to the internet
A public subnet
Source/destination check
An elastic IP address associated with it
What is a NAT gateway?
Who manages security groups for a NAT gateway?
An AWS-managed NAT with higher bandwidth and HA (within a single AZ)
There are no security groups for a NAT gateway
How do you configure a NAT Gateway for HA?
In terms of a bastion host, what is the difference between a NAT Gateway and a NAT instance?
Does a NAT gateway work with IPv6?
You must create multiple NAT Gateways in multiple AZs for fault tolerance.
A NAT Gateway cannot be used as a bastion host, but a NAT instance can.
No
What is the maximum bandwidth for a NAT Gateway?
What about for an EC2 instance?
45 Gbps
Depends on the instance type.
What is DNS Resolution (enableDNSSupport)?
What will your application query if this is turned on?
What does the DNS Hostname setting (enableDnsHostnames) do?
What does setting these both to true enable?
It allows you to resolve public DNS names on the internet via Route 53.
The AWS DNS server, i.e. the reserved IP address at the base of the VPC IPv4 network range
If it is not enabled, your public instance will only have a private DNS name. If it is enabled, it will also have a public DNS name.
It enables you to reach instances on a private network via a private domain name like web.mycompany.private (intranet).
What is a NACL?
What does it mean for a NACL to be stateless?
What does it mean for a Security Group to be stateful?
What does the default NACL allow?
How many NACLs can a subnet be associated with?
How many subnets can a NACL be associated with?
What changes are needed to a NACL when adding subnets within a NACL?
How does priority work on a NACL rule?
It's like a firewall at the subnet level.
It means that both requests and responses are evaluated against the NACL rules, regardless of whether the request was initially allowed or not.
It means that the SG remembers whether a network packet is a response to a request that was already allowed to cross the security group. In that case the response is not evaluated against the security group rules.
It allows everything in and everything out
1
Many
You must update the NACL rules.
It is based on the rule number: the lower the number, the higher the priority. HIGHER PRIORITY RULES WILL OVERRIDE LOWER PRIORITY RULES.
What is an ephemeral port and how does it work?
Clients connect to a host like a web server on a fixed port, e.g. port 80. The request comes from an ephemeral port on the client, and the client receives the response on that same ephemeral port.