VPC

Question 1

What does CIDR stand for?

Answer 1

Classless Inter-Domain Routing

Question 2

What is CIDR used for?

Answer 2

It is used in Security Group Rules to allocate IP addresses

Question 3

What 2 components make up a CIDR?

Answer 3

• A Base IP like 12.34.56.78

- A Subnet Mask like /0, /24 or /32

Question 4

What does a Subnet Mask do?

Answer 4

It defines how many bits can change in the IP

Question 5

What does /8 Subnet Mask equal in IP?

Answer 5

255.0.0.0

Question 6

What does /16 Subnet Mask equal in IP?

Answer 6

255.255.0.0

Question 7

What does /24 Subnet Mask equal in IP?

Answer 7

255.255.255.0

Question 8

What does /32 Subnet Mask equal in IP?

Answer 8

255.255.255.255

Question 9

What is an IP made up of?

Answer 9

Its made up of 4 octets: 0.0.0.0

Question 10

What does /32 mean regarding octets?

Answer 10

That no octet can change

Question 11

What does /24 mean regarding octets?

Answer 11

That the last octet can change

Question 12

What does /16 mean regarding octets?

Answer 12

That the last 2 octets can change

Question 13

What does /8 mean regarding octets?

Answer 13

That the last 3 octets can change

Question 14

What does /0 mean regarding octets?

Answer 14

That all octets can change

Question 15

What values can a private network have?

Answer 15

They can have 10.0.0.0/8

Question 16

What does the AWS default VPC IP usually look like?

Answer 16

172.16.0.0/12

Question 17

What doe home network IPs look like?

Answer 17

192.168.0.0/16

Question 18

What IP addresses does AWS reserve in a subnet?

Answer 18

The first 4 and the last 1

Question 19

What does AWS use the reserved IPs for?

Answer 19

• 10.0.0.0 for Network Access
• 10.0.0.1 for the VPC Router
• 10.0.0.2 for mapping to Amazon provided DNS
• 10.0.0.3 for future use
• 10.0.0.255 for Network Broadcast Address

Question 20

How do you calculate how many IP addresses a CIDR block represents?

Answer 20

2^32-prefix, where prefix is the number after the slash

Question 21

What is an Internet Gateway used for?

Answer 21

It allows AWS resources in a VPC to access the internet

Question 22

What is required for an Internet Gateway to allow Internet access?

Answer 22

A Route Table

Question 23

What is a Bastion Host used for?

Answer 23

It is used to ssh into an EC2 instance in a private subnet

Question 24

What are 3 important points about Bastion Hosts?

Answer 24

• The bastion host is in a public subnet, which allows access to resources in a private subnet
• The Bastion Host only requires SSH access on port 22
• The Bastion Host should only have access to the IP address you need, not a security group etc

Question 25

In NAT Instance, what does NAT stand for?

Answer 25

Network Address Translation

Question 26

What does a Nat Instance do?

Answer 26

Allows EC2 instances in private subnets to connect to the internet

Question 27

Should you choose NAT Instance or NAT Gateway?

Answer 27

NAT Gateway

Question 28

What are 4 things you must do when setting up a NAT Instance?

Answer 28

- Must launch in a public subnet - Must disable EC2 Source/Destination Check - Must have Elastic IP attached to it - Must configure Route Table to route traffic from private subnets to the NAT instance

Question 29

What is a NAT Gateway?

Answer 29

An AWS managed NAT (Network Address Translation)

Question 30

Can a NAT Gateway be used by an EC2 instance in the same subnet?

Answer 30

No, they need to be in a different subnet

Question 31

Can a NAT Gateway work without an Internet Gateway?

Answer 31

No, Internet Gateway is required

Question 32

At what level is the Network Access Control List (NACL)?

Answer 32

It is at the Subnet Level

Question 33

At what level is the Security Group?

Answer 33

It is at the instance level

Question 34

Out of NACL and Security Groups, which are stateful?

Answer 34

NACLs are stateless and Security Groups are stateful

Question 35

What does stateful mean for Security Groups?

Answer 35

It means whatever rules permit traffic in, will also let traffic out

Question 36

What does stateless mean for NACLs?

Answer 36

It means that outbound traffic needs to pass outbound rule checks before its permitted

Question 37

What is a NACL?

Answer 37

Its like a firewall that controls traffic to/from subnets

Question 38

How many NACLs can a subnet have?

Answer 38

1, and new subnets are assigned the default

Question 39

What are 3 things to remember about defining NACL rules?

Answer 39

- Rules have a number and the lower the number, the higher the precedence - The first rule match will drive the decision - The last rule is an asterisk and denies a request if no match

Question 40

What does the default NACL allow?

Answer 40

The default allows all inbound/outbound traffic

Question 41

What does newly created NACL allow?

Answer 41

The newly created NACL denies all inbound/outbound

Question 42

What is an Ephemeral Port?

Answer 42

Its a port that is open as long as the connection between client/server

Question 43

What is VPC Reachability Analyzer?

Answer 43

Its a network diagnostics tool that debugs network connectivity between endpoints

Question 44

Using VPC Peering, can I access VPC C from VPC A?

Answer 44

You must setup directly between the 2

Question 45

What is a VPC endpoint?

Answer 45

It allows your private AWS services to access other services without accessing the public internet

Question 46

What are the 2 types of VPC endpoints?

Answer 46

- Interface Endpoints | - Gateway Endpoints

Question 47

Do both VPC endpoint types support most AWS services?

Answer 47

Gateway Endpoints support S3 and DynamoDB only, Interface Endpoints support most services

Question 48

What are VPC Flow Logs?

Answer 48

They capture information about IP traffic going into your interfaces

Question 49

What is Site to Site VPN?

Answer 49

It is a connection from AWS to on-site

Question 50

What 2 types of Site to Site VPN are there?

Answer 50

- Virtual Private Gateway | - Customer Gateway

Question 51

What is the difference between Virtual Private Gateway and Customer Gateway?

Answer 51

The Virtual Private Gateway has a VPN concentrator on the AWS side. The Customer Gateway has a physical device on the Customer side

Question 52

If you're using a Customer Gateway device, what IP address do you use?

Answer 52

Use the Public Internet-routable IP address or if its behind a NAT device, the public IP of the NAT

Question 53

What is an important step when using Virtual Private Gateway?

Answer 53

Enable Route Propagation for the Virtual Private Gateway in the route table associated with the subnet

Question 54

If you need to ping your EC2 instance from on-premises, what should you do?

Answer 54

Add ICMP protocol on the inbound of the security grooup

Question 55

What is DX (Direct Connect)?

Answer 55

It provides a dedicated private connection from a remote network into your VPC

Question 56

What are the 2 types of connections in Direct Connect?

Answer 56

- Dedicated Connections (Physical ethernet connection) | - Hosted Connections (Connections made via AWS Direct Connect Partners)

Question 57

How long does it usually take a Direct Connect connection to establish?

Answer 57

Often longer than a month

Question 58

What is the difference between High Resiliency and Maximum Resiliency for Direct Connect?

Answer 58

- High Resiliency has 2 separate AWS Direct Connect Locations, each with a single connection. - Maximum Resiliency also has 2 separate AWS lDirect Connect Locations but each has 2 connections

Question 59

What should I use if I want to expose a service to 1000's of VPCs?

Answer 59

Use AWS PrivateLink

Question 60

What 2 things are required for AWS PrivateLink?

Answer 60

- A Network Load Balancer (your side) | - An Elastic Network Interface (ENI) (customer side)

Question 61

What isTransit Gateway used for?

Answer 61

Connecting 1000's of VPC and on-premise

Question 62

For Transit Gateway, how do you determine which VPC can talk to another?

Answer 62

VPC route tables

Question 63

What does ECMP for Transit Gateway stand for?

Answer 63

Equal cost, multi path routing

Question 64

Can Egress-Only Internet Gateways be used for IPv4 and IPv6?

Answer 64

No, only IPv6. Use NAT Gateway for IPv4

Question 65

What are the networking costs between using public or private IPs?

Answer 65

- If traffic is within the same availability zone using private IP, its free - If traffic is not in the same availability zone using private IP, its $0.01 per gb - If traffic is within the same availability zone using public IP, its $0.02 per gb