VPC Flashcards

1
Q

Does a VPC exist in only one region?

A

Yes.

2
Q

What components of a traditional network do not exist in a VPC?

A
  • Routers
  • Switches
  • VLANs

These components are abstracted into software functions and called by different names.

3
Q

Can a VPC hold AWS resources directly?

A

No, VPC must be divided into subnets that hold your AWS resources.

4
Q

What range of CIDR prefix lengths is allowed for a VPC?

A

VPC CIDR can range from /16 to /28.

/16 => 65,536 addresses
/28 => 16 addresses

5
Q

What are a CIDR prefix and a prefix length?

A

The CIDR block (e.g. 172.16.0.0) is referred to as an IP prefix. The /16 portion of the CIDR is the prefix length.

E.g. 172.16.0.0/16

6
Q

What are the IPv4 ranges recommended by RFC 1918 to avoid conflicts with public Internet addresses?

A
  • 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
7
Q

Can you change the primary CIDR block of a VPC after creation?

A

No, but you can attach secondary CIDR blocks to a VPC.

The secondary CIDR block must come from the same address range as the primary. For example, if the VPC’s primary CIDR is 172.16.0.0/16, the secondary CIDR can be 172.17.0.0/16.

8
Q

What is a CIDR block?

A

A CIDR block is a notation to represent an IPv4 address range.

9
Q

Can you specify an IPv6 CIDR?

A

No; instead, AWS assigns one to your VPC on request. The prefix length of an IPv6 VPC CIDR is always /56.

10
Q

What is the prefix length of an IPv6 CIDR?

A

56.

11
Q

Is the IPv6 CIDR publicly routable?

A

Yes, the IPv6 CIDR will be a publicly routable prefix from the global unicast IPv6 address space, so all IPv6 addresses are reachable from the Internet.

12
Q

How many IP addresses are reserved by AWS in a subnet?

A

5.

13
Q

Is it possible for a subnet and VPC to share the same CIDR?

A

Yes, but you cannot define another subnet in the same VPC, as all the IP addresses are taken.

14
Q

Can a subnet have multiple CIDRs?

A

No.

15
Q

Can a subnet span availability zones?

A

No, a subnet can only exist within a single availability zone.

16
Q

What is an Elastic Network Interface (ENI)?

A

An ENI performs the same basic function as a network interface on a physical server.

Every ENI can only connect to a single subnet.

17
Q

Can you assign secondary private IP addresses to the primary ENI?

A

Yes; any secondary address must come from the same subnet the ENI is attached to.

18
Q

Can an ENI exist independently of an EC2 instance?

A

Yes. If you disable the Delete On Termination attribute of the ENI, you can terminate the instance without deleting the ENI.

19
Q

Can an EC2 instance have more than one ENI?

A

Yes; any additional ENI attached to an EC2 instance must be in the same subnet as the primary ENI.

You can also take an existing ENI that’s not attached to an instance and attach it to an existing instance as a secondary ENI.

This lets you redirect traffic from a failed instance to a working instance by detaching the ENI from the failed instance and reattaching it to the working instance.

20
Q

How do you achieve higher network throughput and lower latency than with ENIs?

A

Use an Elastic Network Adapter (ENA), which supports throughput speeds up to 100 Gbps.

ENA uses SR-IOV, which bypasses the hypervisor, resulting in lower CPU utilization and better network performance.

21
Q

Does a custom VPC come with an Internet Gateway?

A

No, you must create one and associate it with a VPC manually.

You can associate only one Internet Gateway with a VPC.

22
Q

How do you use an Internet Gateway in a VPC to access the Internet?

A

A default route pointing to the Internet Gateway as its target must be created in the route table.

23
Q

Can a subnet exist without a route table?

A

No.

24
Q

What elements need to be defined when creating a route?

A
  • Destination IP range in CIDR notation
  • Target resource, which must be an AWS network resource, such as an Internet Gateway.

25
Q

What does every route table contain?

A

Every route table contains a local route that allows instances in different subnets to communicate with each other.

172.16.0.0/16 Local

26
Q

What is a default route?

A

A default route’s destination is 0.0.0.0/0.

27
Q

What is a public subnet?

A

Any subnet that is associated with a route table containing a default route pointing to an Internet Gateway is a public subnet; otherwise, it’s a private subnet.

28
Q

What is a security group?

A

A security group functions as a firewall that controls traffic to and from an instance by permitting traffic to ingress or egress that instance’s ENI.

Every ENI has at least one security group associated with it.

29
Q

What needs to be defined when creating a security group?

A
  • Name
  • VPC

30
Q

What needs to be defined when creating an inbound/outbound rule in a security group?

A
  • Source/Destination
  • Protocol
  • Port range
31
Q

What approach does a security group use to evaluate traffic?

A

Security groups use a default-deny approach, aka whitelisting.

32
Q

Does route order matter in a route table?

A

No. When deciding where to route traffic, the implied router will route based on the closest match.

33
Q

Does rule order matter in a security group?

A

No.

34
Q

What outbound rule is created automatically when creating a security group?

A
  • Destination: 0.0.0.0/0
  • Protocol: All
  • Port: All
35
Q

What can you use to define the source or destination in a security group rule?

A
  • CIDR
  • Security Group ID (from this account or another account)

36
Q

Is a security group a stateful firewall?

A

Yes. Stateful means that when a security group allows traffic to pass in one direction, it intelligently allows reply traffic in the opposite direction.

37
Q

Is there a default security group and default Network ACL in each VPC?

A

Yes. The default security group and Network ACL cannot be deleted, but they can be modified.

38
Q

What is the difference between a security group and a Network ACL?

A
  • A security group is stateful; a Network ACL is stateless.
  • Security group rules are evaluated based on a “whitelisting” approach; Network ACL rules are evaluated in ascending order of rule number.
  • A Network ACL only allows a CIDR to define the source or destination.
39
Q

What are ephemeral ports?

A

Ephemeral ports are reserved TCP or UDP ports that clients listen for reply traffic on.

40
Q

How do you use an Elastic IP address on an EC2 instance?

A
  • Create a new EIP
  • Associate it with the ENI of the EC2 instance

Associating a public IP with an ENI doesn’t reconfigure the ENI with a new address. Instead, the Internet gateway maps the public IP address to the ENI’s private IP address using a process called network address translation (NAT).

41
Q

Is Elastic IP (EIP) tied to a region?

A

Yes.

42
Q

How does AWS Global Accelerator work?

A

If you have AWS resources in multiple regions, AWS Global Accelerator gives you two anycast static IPv4 addresses that you can use to route traffic to resources in any region.

Unlike EIPs, which are tied to an AWS region, Global Accelerator static addresses are spread across different AWS points‐of‐presence (POPs) in over 30 countries. These static addresses are also called anycast addresses because they are simultaneously advertised from multiple POPs.

Users connecting to a static address are automatically routed to the nearest POP. An endpoint group can contain elastic IP addresses, elastic load balancers, or EC2 instances.

Global Accelerator routes traffic to the fastest endpoint.

43
Q

How do you use a NAT device from a private subnet?

A

Create a default route in the private subnet’s route table as follows:

  • Destination: 0.0.0.0/0
  • Target: NAT device
44
Q

What are the limitations of VPC peering?

A
  • Peered VPCs must not have overlapping CIDR blocks.
  • A VPC peering connection allows only instance-to-instance communication.
  • VPC peering does not allow daisy-chaining; a peering connection must be created between each pair of VPCs.
  • Does not support IPv6.
45
Q

What is AWS Transit Gateway?

A

AWS Transit Gateway is a highly available service that lets you connect multiple VPCs and on-premises networks via Direct Connect links or Virtual Private Networks.

46
Q

What are the two types of Direct Connect connections?

A
  • Dedicated (1 Gbps or 10 Gbps)
  • Hosted (less than 1 Gbps)

47
Q

What is a Direct Connect Gateway?

A

On the AWS side, a Direct Connect gateway connects to an AWS Transit Gateway or a virtual private gateway.

On your end, a Direct Connect gateway maintains a BGP session with your on‐premises equipment and advertises and receives IPv4 and IPv6 route prefixes via BGP.

48
Q

What is AWS Virtual Private Gateway?

A

You can use an AWS Virtual Private Gateway to create a VPN tunnel between an on-premises network and a VPC.

49
Q

What are the three types of virtual interfaces of a Direct Connect link?

A
  • Private virtual interface (use private IP addresses of resources in VPC, e.g. EC2)
  • Public virtual interface (use public IP addresses of resources, e.g. S3)
  • Transit virtual interface (connects to Transit Gateway that routes to multiple VPCs)

To support multiple virtual interfaces, the Direct Connect link’s speed must be greater than 1 Gbps.

50
Q

Are Direct Connect links encrypted?

A

No, unlike VPN connections, DC links are not encrypted.

51
Q

What is High-Performance Computing (HPC)?

A

High‐performance computing (HPC) is a computing paradigm that uses multiple instances to simultaneously process computationally intensive workloads in parallel.

These instances compose an HPC cluster.

52
Q

What are the two types of HPC cluster?

A
  • Loosely Coupled (e.g. image processing, DNA sequencing)
  • Tightly Coupled (e.g. machine learning, weather forecasting)

Tightly coupled workloads require massive computing power and can’t be broken up into pieces. Instead, multiple instances must work in concert as a single supercomputer. This requires instances to have low‐latency, high‐speed network connectivity to each other. Hence, you’ll want to place tightly coupled instances in the same cluster placement group.

A tightly coupled HPC cluster requires high-speed, low-latency, and reliable network connectivity.

53
Q

What is Elastic Fabric Adapter (EFA)?

A

The elastic fabric adapter (EFA) is a special type of ENA that supports traditional TCP/IP networking capabilities. What makes it unique is that it allows HPC applications to use the Libfabric API to bypass the operating system’s TCP/IP stack and access the EFA directly, resulting in more throughput and reduced latency.

54
Q

What is AWS ParallelCluster?

A

AWS ParallelCluster can automatically manage your Linux‐based HPC cluster so that you don’t have to do it manually.

ParallelCluster provisions your cluster instances and creates a 15 GB shared filesystem for them to use. The shared filesystem is stored on an EBS volume that’s attached to a master instance and served up to the other instances via the Network File System (NFS).

ParallelCluster also creates a batch scheduler using AWS Batch. You submit your HPC computing jobs to the scheduler, and ParallelCluster takes care of scaling your cluster in or out as necessary.

55
Q

Can you move an EC2 instance to another subnet?

A

No. Instead, you can manually migrate the instance by creating a new AMI from the source instance and then launching it in the desired subnet.

56
Q

What requires modifying a route table?

A
  • Use a NAT Gateway
  • VPC Peering

57
Q

Does VPC peering support IPv6?

A

No.

58
Q

Does VPC peering support inter-region peering?

A

Some regions do.

59
Q

Is there a default route table in VPC?

A

No, only the main route table.