VPC Flashcards

1
Q

What are the 6 important parts of a VPC? What is the role of each?

A
  1. Subnet(s) - carve the VPC's address range into smaller networks, each in one Availability Zone, so you can place resources in them
  2. Security Group(s) - stateful, allow-only firewall attached to an instance's network interface; the default way to permit traffic to a resource
  3. Network ACL(s) - optional stateless allow/deny rule list applied at the subnet boundary
  4. Route Tables - define where traffic leaving a subnet goes: other subnets (the local route), a NAT gateway, an internet gateway, an endpoint or a peering connection
  5. Internet Gateway - gives a subnet a path to and from the internet
  6. NAT Gateway - lets instances in a private subnet make outbound connections to the internet without being reachable from it
2
Q

Can a subnet span an availability zone?

A

No. A subnet always lives in exactly one Availability Zone (the VPC spans all AZs in the region, its subnets do not).

3
Q

When you create custom public and private subnets in a VPC, what setting must you check?

A

Turn on "Auto-assign public IPv4 address" for the public subnet and leave it off for the private subnet(s). Without a public IP, an instance in the public subnet cannot be reached from the internet even though the route to the internet gateway exists.

4
Q

Which 2 entities in VPCs allow Internet access?

A

Internet Gateways
- Attached to the VPC (one per VPC). A subnet becomes public when its route table sends 0.0.0.0/0 to the internet gateway; an instance in it also needs a public or Elastic IP to be reachable.

NAT Gateways
- Used by private subnets for outbound-only internet access. The NAT gateway itself lives in a public subnet (so its own subnet's route table points at the internet gateway) and has an Elastic IP; the private subnet's route table sends 0.0.0.0/0 to the NAT gateway. Connections initiated from the internet cannot reach the private subnet through it.

5
Q

Describe this diagram and talk about its parts.

A

Items in the network diagram

  • A VPC (Virtual Private Cloud)
  • Two subnets, one private and one public
  • One security group per subnet in the drawing (security groups actually attach to the instances' network interfaces, not to the subnet itself)
  • One network ACL per subnet
  • One route table per subnet
  • Private subnet route table has a 0.0.0.0/0 entry pointing to the NAT gateway; the NAT gateway sits in the public subnet and reaches the internet through that subnet's internet gateway route
  • Public subnet route table has a 0.0.0.0/0 route mapped to the internet gateway, allowing traffic out to (and in from) the internet
6
Q

Match up the terms and explain.

Security Group
Network ACLs

match to

Stateful
Stateless

A
  • Security Groups are stateful. If an inbound rule admits a connection, the return traffic is allowed out automatically (and vice versa), regardless of the rules in the other direction
  • Network ACLs are stateless. Each direction is evaluated on its own, so you need an inbound rule for the request and an outbound rule for the response (including the client's ephemeral port)
7
Q

Is access blocked or open by default with Security Groups? What about Network ACLs? What about when you add a security group or NACL?

A
  • Default (created with the VPC)
    • Default security group: inbound allows only traffic from instances in the same security group; outbound allows everything. You add inbound rules for the ports you want reachable from elsewhere.
    • Default network ACL: allows all traffic in both directions. You add deny rules for what you want blocked.
  • Custom created
    • New security group: no inbound rules, so all inbound is dropped; outbound allows everything
    • New NACL: denies all traffic in both directions until you add allow rules
8
Q

How many subnets can a Network ACL be associated with?

A

One or many. A subnet is associated with only one NACL at a time, but one NACL can be associated with many subnets. It is an optional layer of security for your VPC, with rules defined by protocol, port range and CIDR.

Every subnet must be associated with a network ACL. If you don't associate one explicitly, the subnet uses the VPC's default network ACL.

9
Q

How are the rules in NACLs evaluated?

A

In ascending order by rule number, lowest first, and the first rule that matches the traffic is applied. The last entry is the asterisk (*) rule, which denies anything that no numbered rule matched.

10
Q

What can you do with a Network ACL that you cant do with a Security group?

A

Deny traffic from a specific IP address or CIDR. Security groups only have allow rules (anything not allowed is implicitly dropped), so you cannot single out an address to block; NACLs have explicit deny rules.

11
Q

What do you have to remember about outbound ports in NACLs for web servers?

A

Allow the outbound "ephemeral ports" 1024-65535. Because the NACL is stateless, the web server's response goes back to whatever high-numbered source port the client chose, and that outbound traffic needs its own allow rule. Client operating systems and NAT devices pick from different high port ranges, so 1024-65535 covers them all.

12
Q

What happens in an NACL when you create a rule number 300 that is a DENY on port 80 when you also have a rule number 200 which is an ALLOW for port 80?

A

Traffic on port 80 is still allowed. Rules are evaluated in ascending number order and the first match wins, so rule 200 (ALLOW) matches first and rule 300 (DENY) is never reached. To block port 80 the DENY rule needs a lower number than the ALLOW rule.

13
Q

When blocking an IP address, how would you do it?

A

Use a NACL. Add an inbound DENY rule for that IP address (as a /32) with a rule number lower than any ALLOW rule covering that port, so it is matched first. Remember that a NACL protects a subnet, so the block applies to every instance in it.
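The behaviour in cards 6, 9, 11, 12 and 13 can be checked with a small simulator. The following is an added example written for this deck, not AWS code: it models a subnet's inbound and outbound NACL rule lists (first match in ascending rule-number order, implicit asterisk deny) and a stateful, allow-only security group with a connection table, then runs a web request and its reply through both. The rule numbers, IP addresses and port range are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated in ascending number order
    action: str      # "allow" or "deny"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int

    def matches(self, ip, port):
        return (ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def nacl_decision(rules, ip, port):
    """First matching rule wins; the non-editable '*' rule at the end
    denies whatever no numbered rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, port):
            return rule.action
    return "deny"  # the asterisk rule


# Constructed inbound NACL for a web subnet: rule 100 blocks one bad client
# ahead of the port-80 allow; rule 300 never fires because 200 matches first.
INBOUND = [
    NaclRule(100, "deny", "203.0.113.7/32", 80, 80),
    NaclRule(200, "allow", "0.0.0.0/0", 80, 80),
    NaclRule(300, "deny", "0.0.0.0/0", 80, 80),
]
# Constructed outbound rule lists, without and with the ephemeral-port allow.
OUTBOUND_WITHOUT_EPHEMERAL = [NaclRule(100, "allow", "0.0.0.0/0", 80, 80)]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_WITHOUT_EPHEMERAL + [
    NaclRule(200, "allow", "0.0.0.0/0", 1024, 65535),
]


def nacl_web_exchange(outbound_rules, client_ip, client_port):
    """Request client:client_port -> server:80, reply server:80 -> client:client_port.
    Each direction is checked on its own because the NACL keeps no state."""
    request = nacl_decision(INBOUND, client_ip, 80)
    if request == "deny":
        return request, None          # no reply to evaluate
    reply = nacl_decision(outbound_rules, client_ip, client_port)
    return request, reply


class SecurityGroup:
    """Stateful and allow-only: inbound rules admit new flows, and a flow
    that was admitted gets its reply back regardless of outbound rules."""

    def __init__(self, inbound):
        self.inbound = inbound  # (source CIDR, port_from, port_to) allow entries
        self.tracked = set()    # connection table keyed by the 3 values we model

    def admit(self, client_ip, client_port, dst_port):
        src = ipaddress.ip_address(client_ip)
        ok = any(src in ipaddress.ip_network(cidr) and lo <= dst_port <= hi
                 for cidr, lo, hi in self.inbound)
        if ok:
            self.tracked.add((client_ip, client_port, dst_port))
        return ok

    def reply_allowed(self, client_ip, client_port, src_port):
        return (client_ip, client_port, src_port) in self.tracked


def sg_web_exchange(client_ip, client_port):
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 80, 80)])
    request = sg.admit(client_ip, client_port, 80)
    return request, sg.reply_allowed(client_ip, client_port, 80)


if __name__ == "__main__":
    print(nacl_web_exchange(OUTBOUND_WITHOUT_EPHEMERAL, "198.51.100.9", 51234))
    print(nacl_web_exchange(OUTBOUND_WITH_EPHEMERAL, "198.51.100.9", 51234))
    print(nacl_web_exchange(OUTBOUND_WITH_EPHEMERAL, "203.0.113.7", 51234))
    print(sg_web_exchange("198.51.100.9", 51234))
```

The first call admits the request but drops the reply, because no outbound rule covers the client's port 51234; adding rule 200 for 1024-65535 fixes that. The deny at rule 100 for 203.0.113.7 is matched before the allow at 200, and rule 300 is never consulted. The security group, having tracked the admitted flow, allows the reply with no outbound rule at all.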

14
Q

What are VPC endpoints for?

A

Allow resources in your VPC to reach supported AWS services (S3, DynamoDB and many others) privately, without an internet gateway, NAT device, VPN or Direct Connect, so the traffic never leaves the AWS network.

15
Q

What are the two types of VPC Endpoints?

A

Interface: an elastic network interface (ENI) with a private IP address in your subnet, powered by AWS PrivateLink. Supports most AWS services plus your own or partner services, and is protected by a security group.
Gateway: S3 and DynamoDB only. Not a network interface or a machine: it is a target you add to a route table, so traffic to the service's prefix list is routed to the endpoint instead of out to the internet.

16
Q

What would the steps be to grant access to an EC2 instance in a private subnet to a DynamoDB database using VPC Endpoints?

A

1. Create a gateway VPC endpoint for DynamoDB in the VPC
2. Associate the private subnet's route table with the endpoint (AWS adds the route to the DynamoDB prefix list for you)
3. Make sure the instance's security group and the subnet's NACL allow outbound HTTPS (443), and that the instance role (and any endpoint policy) permits the DynamoDB actions you need

17
Q

What is VPC Peering?

A

Lets you connect two VPCs so that resources in them can talk to each other over private IP addresses, as if they were in the same network. The traffic stays on the AWS network.

18
Q

What is transitive peering?

A

It's not supported. Transitive peering would let VPC A reach VPC C through a peering connection to VPC B. Every pair of VPCs that needs to communicate must be peered directly (or you use a Transit Gateway, which does route transitively).

19
Q

Can you VPC Peer across regions? Across Accounts?

A

Yes and yes!

20
Q

Are there caveats with VPC peering?

A

The CIDR ranges of the two VPCs cannot overlap. You also have to add routes to the peered VPC's CIDR in the route tables on both sides, and the security groups and NACLs must allow the traffic.

21
Q

What is AWS Privatelink used for?

A

Allows you to expose a service in your VPC to other VPCs at scale, or consume a service from them, without peering the VPCs or opening the service to the internet. Many customer VPCs can connect to one service.

Officially: AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.

AWS PrivateLink makes it easy to connect services across different accounts and VPCs to significantly simplify your network architecture and make it less vulnerable to attack vectors.

Think of the hub-and-spoke shape of VPN CloudHub, but for services over the AWS network instead of over VPN tunnels, and without the consumer seeing the provider's network.

Interface VPC endpoints are powered by AWS PrivateLink (gateway endpoints for S3 and DynamoDB are not).

22
Q

What is AWS Cloudhub used for?

A

Allows you to connect multiple sites together if they all have VPN connections to the same virtual private gateway. Think "hub and spoke": the virtual private gateway is the hub, each site's VPN tunnel is a spoke, and the sites can also talk to each other through it.

Think of this as "aggregating customer VPN connections" or "connecting from AWS to multiple different customer networks" using

Virtual Private Gateway -> VPN/IPsec tunnels -> Customer Gateway (one per site)

23
Q

What is AWS Direct Connect for?

A

Allows you to connect your data center to AWS.

Does not use the public internet.

You can use AWS Direct Connect to create a dedicated private connection from a remote network to your VPC. You can combine this connection with an AWS-managed VPN connection to create an IPsec-encrypted connection.

24
Q

What are the two types of connections for AWS Direct Connect

A
  1. Dedicated Connection - a physical Ethernet connection provisioned by AWS for a single customer
  2. Hosted Connection - also a physical Ethernet connection, but provisioned through an AWS Direct Connect Partner, who shares their port among customers
25
Q

What is AWS Transit Gateway for?

A
  • Allows you to simplify your network topology
  • Replaces a mesh of peering connections among VPCs and data centers with one central hub
  • Think hub and spoke: VPCs, VPN connections and Direct Connect gateways attach to the transit gateway
  • Routing through the hub is transitive (unlike VPC peering), and is controlled by transit gateway route tables
  • Supports IP multicast
26
Q

What AWS service allows you to simplify your network topography?

A

AWS Transit Gateway

27
Q

How would you make a high availability NAT Gateway?

A

Create one NAT gateway in each Availability Zone and give each AZ's private subnets a route table that points at the NAT gateway in the same AZ. A NAT gateway is resilient within its AZ, but if that AZ fails, subnets in other AZs that route through it lose internet access.

28
Q

What is it called when you attach an ENI to a running instance?

A

Hot attach

29
Q

What is it called when you attach an ENI to an instance as it is starting up?

A

Cold attach

Mnemonic

Hot–> Warm –> Cold

Running –> Stopped –> Launching

30
Q

What is it called when you attach an ENI to an instance when its stopped?

A

Warm attach

Mnemonic

  • R → S → L
  • H → W → C
31
Q

Does the default NACL allow or deny traffic by default?

A

Allow

32
Q

Does a newly created NACL allow or deny all traffic by default?

A

Custom ACLs DENY all traffic until you add rules.

33
Q

Can you remove or edit the asterisk rule in an NACL?

A

No. you cant edit or remove it.

34
Q

At what level to Security Groups operate?

A

At the EC2 instance level (more precisely, on each elastic network interface of the instance).

35
Q

Can you delete the default security group?

A

No. You cannot delete a VPC's default security group, but you can change its rules.

36
Q

In a PUBLIC subnet what steps need to be taken to make sure an EC2 instance deployed to that subnet has internet access?

A
  1. Create an internet gateway and attach it to the VPC
  2. Enable "Auto-assign public IPv4 address" on the subnet (or give the instance an Elastic IP)
  3. Add a route for 0.0.0.0/0 to the internet gateway in a route table
  4. Make sure the subnet is associated with that route table
  5. Make sure the instance has a public or Elastic IP address, and that its security group and the subnet's NACL allow the traffic
37
Q

In a PRIVATE subnet what steps need to be taken to make sure an EC2 instance deployed to that subnet has internet access?

A
  1. The VPC must have an internet gateway attached
  2. Create a NAT gateway in a public subnet (one whose route table sends 0.0.0.0/0 to the internet gateway) and give it an Elastic IP
  3. In the route table associated with the private subnet, add a route for 0.0.0.0/0 to the NAT gateway
  4. Note: subnets with no explicit association use the main route table. Keep the internet gateway route out of the main table (a NAT gateway route there is fine) so that a subnet you forget to associate ends up private rather than public.
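An added example (not AWS code) that applies the route-table rules from cards 36, 37 and 42: given constructed route tables, it resolves the next hop for a destination by longest-prefix match the way the VPC router does, classifies each subnet as public, private or isolated by what its 0.0.0.0/0 route points at, and checks that an instance is reachable from the internet only when it sits in a public subnet and has a public IP. The VPC CIDR, subnet names and gateway IDs are made up.

```python
import ipaddress

# Constructed VPC: one /16, three route tables, three subnets.
VPC_CIDR = "10.0.0.0/16"

# route table id -> list of (destination CIDR, target)
ROUTE_TABLES = {
    "rtb-main": [(VPC_CIDR, "local")],                                # no internet route
    "rtb-public": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0abc")],   # internet gateway
    "rtb-private": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-0def")],  # NAT gateway
}

# subnet name -> (associated route table, auto-assign public IPv4 enabled)
SUBNETS = {
    "web-a": ("rtb-public", True),
    "app-a": ("rtb-private", False),
    "db-a": ("rtb-main", False),
}


def next_hop(table_id, destination):
    """Most specific matching prefix wins, so intra-VPC traffic stays on the
    local route even when a 0.0.0.0/0 route exists. None means no route."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in ROUTE_TABLES[table_id]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify(subnet):
    """public: a route targets an internet gateway. private: a route targets
    a NAT gateway (outbound only). isolated: no path to the internet."""
    table_id, _ = SUBNETS[subnet]
    targets = [target for _, target in ROUTE_TABLES[table_id]]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private"
    return "isolated"


def reachable_from_internet(subnet):
    """Reachable only if the subnet is public AND the instance has a public
    IPv4 (modelled by the subnet's auto-assign flag); a route alone is not enough."""
    _, auto_public_ip = SUBNETS[subnet]
    return classify(subnet) == "public" and auto_public_ip


def can_reach_internet(subnet):
    return classify(subnet) in ("public", "private")


def main_table_is_private():
    """The misconfiguration to avoid: an internet gateway route in the main
    table would make every subnet without an explicit association public."""
    return not any(t.startswith("igw-") for _, t in ROUTE_TABLES["rtb-main"])


if __name__ == "__main__":
    for name in SUBNETS:
        print(name, classify(name), reachable_from_internet(name), can_reach_internet(name))
    print("main table private:", main_table_is_private())
```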
38
Q

What 3 components get created when you create a custom VPC? What 3 components do NOT automatically get created?

A

Automatic

  1. Main route table (with only the local route)
  2. Default security group (inbound only from itself, outbound open)
  3. Default network ACL (allows all)

Not Automatic

  1. Subnets
  2. Internet Gateway
  3. NAT Gateway
39
Q

How many addresses are reserved by AWS when you create a subnet?

A
Five: the first four and the last. In 10.0.0.0/24 that is 10.0.0.0 (network address), 10.0.0.1 (VPC router), 10.0.0.2 (DNS resolver), 10.0.0.3 (reserved for future use) and 10.0.0.255 (broadcast address; broadcast is not supported in a VPC).
40
Q

What are the largest and smallest valid CIDR block sizes for a VPC or subnet?

A

/16 is the largest (65,536 addresses)

/28 is the smallest usable (16 addresses, 11 usable once the 5 reserved ones are taken out)

/32 would specify a single IP address
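The address arithmetic in cards 20, 39, 40 and 43, done with Python's standard ipaddress module. This is an added example for the deck, not an AWS tool, and the CIDRs are constructed. It lists the five reserved addresses of a subnet, checks that a block is within the /16 to /28 limits and inside its VPC, carves a VPC into equal per-AZ subnets, refuses a peering when the two VPC ranges overlap, and shows why 110.238.98.71/0 is just 0.0.0.0/0.

```python
import ipaddress


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every subnet: network address,
    VPC router, DNS resolver, reserved for future use, and the last
    (broadcast) address."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_hosts(subnet_cidr):
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def valid_vpc_cidr(cidr):
    """VPC and subnet IPv4 blocks must be between /16 and /28 and be a
    proper network address (no host bits set)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return False
    return net.version == 4 and 16 <= net.prefixlen <= 28


def subnet_fits(vpc_cidr, subnet_cidr):
    """A subnet must be a valid block that lies entirely inside its VPC."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    return valid_vpc_cidr(subnet_cidr) and sub.subnet_of(vpc)


def carve_subnets(vpc_cidr, new_prefix, count):
    """Split a VPC block into equal-sized subnets, e.g. one per AZ."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    gen = vpc.subnets(new_prefix=new_prefix)
    return [str(next(gen)) for _ in range(count)]


def peering_allowed(vpc_a_cidr, vpc_b_cidr):
    """Peering is refused when the two VPC blocks overlap."""
    a = ipaddress.ip_network(vpc_a_cidr, strict=True)
    b = ipaddress.ip_network(vpc_b_cidr, strict=True)
    return not a.overlaps(b)


def address_count(cidr):
    """How many addresses a CIDR covers. strict=False tolerates host bits,
    which is how a string like 110.238.98.71/0 resolves to 0.0.0.0/0."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"), usable_hosts("10.0.1.0/28"))
    print(carve_subnets("10.0.0.0/16", 24, 3))
    print(peering_allowed("10.0.0.0/16", "10.0.128.0/17"))
    print(address_count("110.238.98.7/32"), address_count("110.238.98.71/0"))
```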

41
Q

How many Internet Gateways can you have per VPC?

A

1. Only one internet gateway can be attached to a VPC, and an internet gateway can be attached to only one VPC.

42
Q

What makes a subnet a “public” subnet?

A

A subnet is public if its traffic is routed to an internet gateway

43
Q

What is the difference between 110.238.98.7/32 and 110.238.98.71/0

A

/32 indicates a single IP address. /0 means none of the address bits are fixed, so 110.238.98.71/0 is the same thing as 0.0.0.0/0: every address, the whole internet.

44
Q

What 3 AWS and remote assets could you use, generally, to connect a remote network to a VPC in AWS?

A
  • The VPC has an attached virtual private gateway (VGW)
  • The remote network has a customer gateway device with a Site-to-Site VPN connection to the VGW
  • Routing is set up so that VPC-bound traffic on the remote side goes into the VPN tunnel, and the VPC route tables send traffic for the remote network's CIDR to the VGW
45
Q

How many security groups can you assign to an EC2 instance?

A

Up to 5 per network interface by default (this is an adjustable quota).

46
Q

How can you reuse your existing VPN equipment to connect to AWS over the internet

A

AWS Site-to-Site VPN (formerly called AWS Managed VPN): your existing VPN device acts as the customer gateway and builds IPsec tunnels over the internet to a virtual private gateway in AWS.

47
Q

Does AWS Direct Connect operate over the internet?

A

No. It uses a private connection.

48
Q

Describe how you’d configure your private network to connect to a VPC in AWS. What are the Crucial parts?

A
  • Virtual private gateway (VGW) attached to the VPC
  • Customer gateway device in the private network
  • VPN traffic from the customer gateway is routed to the VGW, and the VPC route tables send traffic for the private network's CIDR to the VGW
49
Q

Using VPC endpoints how can you control access to a large number of S3 buckets

A

Apply an "endpoint policy" (an IAM resource policy) to the S3 gateway endpoint that lists the buckets and actions the VPC may use. It works alongside IAM and bucket policies: a request through the endpoint must be allowed by all of them.
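Card 49's endpoint policy, as an added example that is not AWS's own evaluator: a constructed policy for an S3 gateway endpoint allows reads only from buckets named corp-data-* and explicitly denies one of them, and endpoint_allows applies the IAM evaluation order (an explicit Deny wins, otherwise some Allow must match, default deny). Only Effect, Action and Resource are matched; Principal and Condition are ignored, IAM's case-insensitive action matching is not reproduced, and the bucket names are made up.

```python
from fnmatch import fnmatchcase

# Constructed endpoint policy for an S3 gateway endpoint.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # reads from any bucket in the approved naming scheme
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::corp-data-*", "arn:aws:s3:::corp-data-*/*"],
        },
        {   # one bucket in that scheme is off limits through this endpoint
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::corp-data-quarantine",
                         "arn:aws:s3:::corp-data-quarantine/*"],
        },
    ],
}


def _as_list(value):
    # IAM lets Action and Resource be a string or a list of strings
    return value if isinstance(value, list) else [value]


def _statement_matches(statement, action, resource):
    # IAM wildcards * and ? behave like shell globs on the ARN and action strings
    return (any(fnmatchcase(action, pattern) for pattern in _as_list(statement["Action"]))
            and any(fnmatchcase(resource, pattern) for pattern in _as_list(statement["Resource"])))


def endpoint_allows(policy, action, resource):
    """Explicit Deny beats Allow; with no matching statement the request is denied."""
    allowed = False
    for statement in policy["Statement"]:
        if not _statement_matches(statement, action, resource):
            continue
        if statement["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_requests(policy, requests):
    """Evaluate a batch of (action, resource) pairs, e.g. from a flow of
    requests an instance in the VPC is about to make."""
    return {(action, resource): endpoint_allows(policy, action, resource)
            for action, resource in requests}


if __name__ == "__main__":
    for req, ok in check_requests(ENDPOINT_POLICY, [
        ("s3:GetObject", "arn:aws:s3:::corp-data-logs/2024/app.log"),
        ("s3:PutObject", "arn:aws:s3:::corp-data-logs/2024/app.log"),
        ("s3:GetObject", "arn:aws:s3:::attacker-bucket/exfil"),
        ("s3:GetObject", "arn:aws:s3:::corp-data-quarantine/secret"),
    ]).items():
        print(ok, *req)
```

Endpoint policies are a good place to stop exfiltration to an attacker-controlled bucket, because the default policy on a new endpoint allows everything: the third request above is denied only because the policy was narrowed to the corp-data-* buckets.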

50
Q

What state should an instance be in to perform a Hot, Warm, and Cold ENI Attach?

A

ENI can be attached to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach)

Mnemonic

Hot–> Warm–> Cold

R–> S –> L

(Running) –> Stopped –> Launching

51
Q

What is traffic mirroring in a VPC?

A

A feature that lets you copy traffic from an elastic network interface to do things like

  • content inspection
  • threat monitoring
  • troubleshooting