VPC

Question 1

What does the CIDR consist of?

Answer 1

Base IP: Represents an IP contained in a range
Subnet Mask: Defines how many bits can change in the IP

Question 2

What allows us to access our VPC over the internet?

Answer 2

An internet gateway that is attached to our VPC

Question 3

How do we know if a subnet is public or private?

Answer 3

If it has access to an internet gateway

Question 4

How many IP addresses are reserved by your subnet for AWS usage?

Answer 4

5, the first 4 and the last one

Question 5

How many VPCs can be attached to an Internet Gateway

Answer 5

Only one, and vice versa

Question 6

We have created an IG and attached it to our VPC, but resources cannot connect to the internet, why?

Answer 6

Route tables must be edited to allow public access

Question 7

What are NAT instances?

Answer 7

An EC2 instance that acts as an intermediary between a private subnet and the public internet. It allows EC2 instances in private subnets to access the internet

Question 8

What is the difference between a NAT Gateway and an Internet Gateway

Answer 8

An Internet Gateway allows public facing resources to access the internet
A NAT Gateway allows for resources in a private subnet to reach the internet

Question 9

How many regions can a VPC span?

Answer 9

One

Question 10

True or False: NAT Gateway spans multiple AZs by default

Answer 10

False. NAT GTW can only be in one zone. You must create multiple gateways in multiple AZs for fault-tolerance. Instances in multiple AZs can use one NAT Gateway

Question 11

True or False: NAT Gateways allow traffic to the internet but not from the internet

Answer 11

True

Question 12

What is the purpose of the VPC’s Main Route Table?

Answer 12

It controls routing to/from a subnet or gateway. It is automatically applied for all un-associated subnets

Question 13

True or False: You cannot associate a subnet with more than one route table?

Answer 13

True

Question 14

Of NACL vs SG, which one is stateless and which one is stateful?

Answer 14

SG is stateful, NACL is stateless

Question 15

What does the NACL control access to?

Answer 15

Subnets

Question 16

How many NACL’s are there per subnet?

Answer 16

One

Question 17

You have two competing NACL rules, how is it decided which one “wins”?

Answer 17

All rules have numbers, the lower number wins

Question 18

What is the difference between a NACL and route table?

Answer 18

A NACL is a firewall, meant to accept or block traffic. A route table directs associated traffic to where it needs to go

Question 18

True or False: The default NACL automatically denies all inbound/outbound traffic?

Answer 18

False. It accepts all traffic

Question 19

What is the difference between NACL and a Security Group?

Answer 19

SGs operate at the instance level, NACLs operate at the subnet level. NACL’s traffic rules apply to all instances in the subnet they are associated with

Question 20

What is the significance of the Security Group being stateful?

Answer 20

It will allow outbound traffic if the inbound traffic is accepted, whereas something like the NACL which is stateless, must have an explicit inbound/outbound ruling and must consider ephemeral ports

Question 21

True or False: If VPC A is peered with VPC B and VPC B is peered with VPC C, than VPC A and VPC C are peered.

Answer 21

False. We must explicitly peer

Question 22

True or False: We cannot peer two VPCs in different accounts

Answer 22

False

Question 23

What is the purpose of VPC endpoints?

Answer 23

It allows AWS resources inside a VPC to communicate to AWS resources outside a VPC. It uses a private network instead of a public network

Question 24

What does VPC Endpoints use to communicate with external AWS resources?

Answer 24

AWS PrivateLink

Question 25

What are the types of endpoints for VPC Endpoint?

Answer 25

Interface Endpoint: Utilize AWS PrivateLink to link to external resources in AWS network
Gateway Endpoint: Utilizes a subnet route table to route calls through a gateway

Question 26

What are the two services that support VPC Gateway Endpoints?

Answer 26

S3 and DynamoDB

Question 27

What is the preferred Endpoint for S3

Answer 27

Gateway Endpoint. Free and easy configuration

Question 28

What does the AWS Site-to-Site VPN connection need?

Answer 28

Virtual Private Gateway: Created on the AWS VPC side

Customer Gateway: Application or device on customer side

Question 29

What is the difference between AWS DX and AWS VPN?

Answer 29

Direct Connect is over a private provided network; VPN is over public but encrypted through the VPN

Question 30

What are the Direct Connect connection types?

Answer 30

Dedicated Connections and Hosted Connections; Dedicated Connections tend to have higher capacity

Question 31

True or False: Data over Direct Connect is encrypted?

Answer 31

False. We must set up a VPN to encrypt data

Question 32

How can we set up maximum resiliency in Direct Connect?

Answer 32

Set up multiple connections in each Direct Connect location

Check Notes

Question 33

What is the max number of CIDR per VPC?

Answer 33

5

Question 34

What is the min and max CIDR size in VPC?

Answer 34

/28 is the min and /16 is the max

Question 35

What is a Bastion Host?

Answer 35

Bastion Hosts allow internet access (SSH) to a private subnet through a public subnet.

Question 36

What must the Bastion Host security group allow to access private subnet?

Answer 36

Must allow inbound traffic from the internet on port 22 from restricted CIDR (addresses allowed through to private). The security group of the private subnet must allow the Bastion Host private IP

Question 37

What is the difference between a NAT Instance and a Bastion Host?

Answer 37

A bastion host allows us to SSH into a private instance from a public one. A NAT Instance allows us to access the internet without worrying about inbound traffic from the internet

Question 38

What are ephemeral ports in relation to NACLs?

Answer 38

When clients are making requests, they initiate a request on a specific port, but expect to receive a response on a specific port range, known as ephemeral ports; it’s important to configure these in the NACLs

Question 39

What is VPC peering?

Answer 39

VPC peering allows two VPCs to privately communicate over AWS’ network

Question 40

True or False: We must update the route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other in VPC peering

Answer 40

True

Question 41

True or False: A VPC has one router and one route table

Answer 41

False. A VPC has one router but can have multiple route tables. The router is responsible for directing traffic according to the route tables

Question 42

How do we provision a VPC Gateway Endpoint?

Answer 42

We create one, choose which VPC and define which route table it will be directed through

Question 43

Are route tables inbound or outbound defining?

Answer 43

Route tables define both outbound and inbound traffic depending on the destination and target. Traffic from outside the VPC can be directed but are blocked by NACLs and Security Groups

Question 44

What are VPC flow logs?

Answer 44

VPC flow logs capture information about IP traffic going into your interfaces

Question 45

How can we query the VPC flow logs?

Answer 45

Athena on S3
CloudWatch Logs Insights

Question 46

What is AWS VPN CloudHub?

Answer 46

It allows one Virtual Private Gateway (VCW) to connect to multiple Cusotmer Gateways for site-to-site VPN

Question 47

What IP address do we use for the Customer Gateway Device in site-to-site VPN connections?

Answer 47

Either the public IP address of the Customer Gateway device OR if it’s behind a NAT device (the Customer Gateway has a private IP) use the public IP of the NAT device

Question 48

What is AWS Transit Gateway?

Answer 48

Transit Gateway is a network transit hub used to interconnect your VPCs and on-premise networks. It also allows us to share Direct Connect between multiple accounts

Question 49

We need to support IP Multicast. What service can we use?

Answer 49

AWS Transit Gateway

Question 50

What is ECMP?

Answer 50

ECMP is Equal-cost multi-path routing. It is a feature provided by Transit Gateway. It allows use to create multiple site-to-site VPN connections to increase the bandwidth of the connections to AWS

Question 51

What is VPC Traffic Mirroring

Answer 51

Traffic Mirroring captures traffic from an ENI to an ENI (or Network Load Balancer), filters it and can send it to a monitoring application

Question 52

True or False: IPv4 can be disabled for your VPC and subnets?

Answer 52

False

Question 53

True or False: Egress-only Internet Gateway is for both IPv4 and IPv6

Answer 53

False. Only for IPv6; Egress-only IG allows for outbound (egress) traffic only

Question 54

True or false: Instances in Private Subnets can access the Egress-only IGW without a NAT Gateway

Answer 54

True. But is must be defined in the Route Table

Question 55

Security Groups operate at the …………….. level while NACLs operate at the …………….. level

Answer 55

EC2 Instance, NACL

Question 56

You would like to provide Internet access to your EC2 instances in private subnets with IPv4 while making sure this solution requires the least amount of administration and scales seamlessly. What should you use?

Answer 56

NAT Gateway

Question 57

You have set up a Direct Connect connection between your corporate data center and your VPC A in your AWS account. You need to access VPC B in another AWS region from your corporate datacenter as well. What should you do?

Answer 57

AWS Direct Connect Gateway

Question 58

If you want a 500 Mbps Direct Connect connection between your corporate datacenter to AWS, you would choose a dedicated or hosted connection?

Answer 58

Hosted. Dedicated supports 1Gbps and 10 Gbps

Question 59

When you set up an AWS Site-to-Site VPN connection between your corporate on-premises datacenter and VPCs in AWS Cloud, what are the two major components you want to configure for this connection?

Answer 59

Virtual Private Gateway and Customer Gateway

Question 60

Your company has several on-premises sites across the USA. These sites are currently linked using private connections, but your private connections provider has been recently quite unstable, making your IT architecture partially offline. You would like to create a backup connection that will use the public Internet to link your on-premises sites, that you can failover in case of issues with your provider. What do you recommend?

Answer 60

AWS VPN CloudHub. Allows you to securely communicate with multiple sites using AWS VPN. It is a hub-and-spoke model

Question 61

You need to set up a dedicated connection between your on-premises corporate datacenter and AWS Cloud. This connection must be private, consistent, and traffic must not travel through the Internet. Which AWS service should you use?

Answer 61

AWS Direct Connect

Question 62

True or False: Using a Direct Connect connection, you can access both public and private AWS resources

Answer 62

True

Question 63

You want to scale up an AWS Site-to-Site VPN connection throughput, established between your on-premises data and AWS Cloud, beyond a single IPsec tunnel’s maximum limit of 1.25 Gbps. What should you do?

Answer 63

Transit Gateway

Question 64

You have a VPC in your AWS account that runs in a dual-stack mode. You are continuously trying to launch an EC2 instance, but it fails. After further investigation, you have found that you are no longer have IPv4 addresses available. What should you do?

Answer 64

Add an additional IPv4 CIDR to your VPC

Question 65

Which AWS service allows you to protect and control traffic in your VPC from layer 3 to layer 7?

Answer 65

AWS Network Firewall