VPC Flashcards
What does CIDR stand for?
Classless Inter-Domain Routing
What is CIDR used for?
It is used in Security Group Rules to allocate IP addresses
What 2 components make up a CIDR?
- A Base IP like 12.34.56.78
- A Subnet Mask like /0, /24 or /32
What does a Subnet Mask do?
It defines how many bits can change in the IP
What does /8 Subnet Mask equal in IP?
255.0.0.0
What does /16 Subnet Mask equal in IP?
255.255.0.0
What does /24 Subnet Mask equal in IP?
255.255.255.0
What does /32 Subnet Mask equal in IP?
255.255.255.255
What is an IP made up of?
Its made up of 4 octets: 0.0.0.0
What does /32 mean regarding octets?
That no octet can change
What does /24 mean regarding octets?
That the last octet can change
What does /16 mean regarding octets?
That the last 2 octets can change
What does /8 mean regarding octets?
That the last 3 octets can change
What does /0 mean regarding octets?
That all octets can change
What values can a private network have?
They can have 10.0.0.0/8
What does the AWS default VPC IP usually look like?
172.16.0.0/12
What doe home network IPs look like?
192.168.0.0/16
What IP addresses does AWS reserve in a subnet?
The first 4 and the last 1
What does AWS use the reserved IPs for?
- 10.0.0.0 for Network Access
- 10.0.0.1 for the VPC Router
- 10.0.0.2 for mapping to Amazon provided DNS
- 10.0.0.3 for future use
- 10.0.0.255 for Network Broadcast Address
How do you calculate how many IP addresses a CIDR block represents?
2^32-prefix, where prefix is the number after the slash
What is an Internet Gateway used for?
It allows AWS resources in a VPC to access the internet
What is required for an Internet Gateway to allow Internet access?
A Route Table
What is a Bastion Host used for?
It is used to ssh into an EC2 instance in a private subnet
What are 3 important points about Bastion Hosts?
- The bastion host is in a public subnet, which allows access to resources in a private subnet
- The Bastion Host only requires SSH access on port 22
- The Bastion Host should only have access to the IP address you need, not a security group etc
In NAT Instance, what does NAT stand for?
Network Address Translation
What does a Nat Instance do?
Allows EC2 instances in private subnets to connect to the internet
Should you choose NAT Instance or NAT Gateway?
NAT Gateway
What are 4 things you must do when setting up a NAT Instance?
- Must launch in a public subnet
- Must disable EC2 Source/Destination Check
- Must have Elastic IP attached to it
- Must configure Route Table to route traffic from private subnets to the NAT instance
What is a NAT Gateway?
An AWS managed NAT (Network Address Translation)
Can a NAT Gateway be used by an EC2 instance in the same subnet?
No, they need to be in a different subnet
Can a NAT Gateway work without an Internet Gateway?
No, Internet Gateway is required
At what level is the Network Access Control List (NACL)?
It is at the Subnet Level
At what level is the Security Group?
It is at the instance level
Out of NACL and Security Groups, which are stateful?
NACLs are stateless and Security Groups are stateful
What does stateful mean for Security Groups?
It means whatever rules permit traffic in, will also let traffic out
What does stateless mean for NACLs?
It means that outbound traffic needs to pass outbound rule checks before its permitted
What is a NACL?
Its like a firewall that controls traffic to/from subnets
How many NACLs can a subnet have?
1, and new subnets are assigned the default
What are 3 things to remember about defining NACL rules?
- Rules have a number and the lower the number, the higher the precedence
- The first rule match will drive the decision
- The last rule is an asterisk and denies a request if no match
What does the default NACL allow?
The default allows all inbound/outbound traffic
What does newly created NACL allow?
The newly created NACL denies all inbound/outbound
What is an Ephemeral Port?
Its a port that is open as long as the connection between client/server
What is VPC Reachability Analyzer?
Its a network diagnostics tool that debugs network connectivity between endpoints
Using VPC Peering, can I access VPC C from VPC A?
You must setup directly between the 2
What is a VPC endpoint?
It allows your private AWS services to access other services without accessing the public internet
What are the 2 types of VPC endpoints?
- Interface Endpoints
- Gateway Endpoints
Do both VPC endpoint types support most AWS services?
Gateway Endpoints support S3 and DynamoDB only, Interface Endpoints support most services
What are VPC Flow Logs?
They capture information about IP traffic going into your interfaces
What is Site to Site VPN?
It is a connection from AWS to on-site
What 2 types of Site to Site VPN are there?
- Virtual Private Gateway
- Customer Gateway
What is the difference between Virtual Private Gateway and Customer Gateway?
The Virtual Private Gateway has a VPN concentrator on the AWS side. The Customer Gateway has a physical device on the Customer side
If you’re using a Customer Gateway device, what IP address do you use?
Use the Public Internet-routable IP address or if its behind a NAT device, the public IP of the NAT
What is an important step when using Virtual Private Gateway?
Enable Route Propagation for the Virtual Private Gateway in the route table associated with the subnet
If you need to ping your EC2 instance from on-premises, what should you do?
Add ICMP protocol on the inbound of the security grooup
What is DX (Direct Connect)?
It provides a dedicated private connection from a remote network into your VPC
What are the 2 types of connections in Direct Connect?
- Dedicated Connections (Physical ethernet connection)
- Hosted Connections (Connections made via AWS Direct Connect Partners)
How long does it usually take a Direct Connect connection to establish?
Often longer than a month
What is the difference between High Resiliency and Maximum Resiliency for Direct Connect?
- High Resiliency has 2 separate AWS Direct Connect Locations, each with a single connection.
- Maximum Resiliency also has 2 separate AWS lDirect Connect Locations but each has 2 connections
What should I use if I want to expose a service to 1000’s of VPCs?
Use AWS PrivateLink
What 2 things are required for AWS PrivateLink?
- A Network Load Balancer (your side)
- An Elastic Network Interface (ENI) (customer side)
What isTransit Gateway used for?
Connecting 1000’s of VPC and on-premise
For Transit Gateway, how do you determine which VPC can talk to another?
VPC route tables
What does ECMP for Transit Gateway stand for?
Equal cost, multi path routing
Can Egress-Only Internet Gateways be used for IPv4 and IPv6?
No, only IPv6. Use NAT Gateway for IPv4
What are the networking costs between using public or private IPs?
- If traffic is within the same availability zone using private IP, its free
- If traffic is not in the same availability zone using private IP, its $0.01 per gb
- If traffic is within the same availability zone using public IP, its $0.02 per gb
