VPC Flashcards
What does the CIDR consist of?
Base IP: Represents an IP contained in a range
Subnet Mask: Defines how many bits can change in the IP
What allows us to access our VPC over the internet?
An internet gateway that is attached to our VPC
How do we know if a subnet is public or private?
If it has access to an internet gateway
How many IP addresses are reserved by your subnet for AWS usage?
5, the first 4 and the last one
How many VPCs can be attached to an Internet Gateway?
Only one, and vice versa
We have created an IGW and attached it to our VPC, but resources cannot connect to the internet. Why?
Route tables must be edited to allow public access
What are NAT instances?
An EC2 instance that acts as an intermediary between a private subnet and the public internet. It allows EC2 instances in private subnets to access the internet
What is the difference between a NAT Gateway and an Internet Gateway?
An Internet Gateway allows public facing resources to access the internet
A NAT Gateway allows for resources in a private subnet to reach the internet
How many regions can a VPC span?
One
True or False: NAT Gateway spans multiple AZs by default
False. A NAT Gateway can only be in one AZ. You must create multiple gateways in multiple AZs for fault tolerance. Instances in multiple AZs can use one NAT Gateway
True or False: NAT Gateways allow traffic to the internet but not from the internet
True
What is the purpose of the VPC’s Main Route Table?
It controls routing to/from a subnet or gateway. It is automatically applied to all unassociated subnets
True or False: You cannot associate a subnet with more than one route table?
True
Of NACL vs SG, which one is stateless and which one is stateful?
SG is stateful, NACL is stateless
What does the NACL control access to?
Subnets
How many NACLs are there per subnet?
One
You have two competing NACL rules; how is it decided which one “wins”?
All rules have numbers, the lower number wins
What is the difference between a NACL and route table?
A NACL is a firewall, meant to accept or block traffic. A route table directs associated traffic to where it needs to go
True or False: The default NACL automatically denies all inbound/outbound traffic?
False. It accepts all traffic
What is the difference between NACL and a Security Group?
SGs operate at the instance level, NACLs operate at the subnet level. NACL traffic rules apply to all instances in the subnet they are associated with
What is the significance of the Security Group being stateful?
It will allow the outbound response if the inbound traffic was accepted, whereas a NACL, which is stateless, must have explicit inbound and outbound rules and must consider ephemeral ports
True or False: If VPC A is peered with VPC B and VPC B is peered with VPC C, then VPC A and VPC C are peered.
False. We must explicitly peer them
True or False: We cannot peer two VPCs in different accounts
False
What is the purpose of VPC endpoints?
It allows AWS resources inside a VPC to communicate with AWS resources outside the VPC. It uses a private network instead of a public network
What do VPC Endpoints use to communicate with external AWS resources?
AWS PrivateLink
What are the types of endpoints for VPC Endpoint?
Interface Endpoint: Utilizes AWS PrivateLink to link to external resources in the AWS network
Gateway Endpoint: Utilizes a subnet route table to route calls through a gateway
What are the two services that support VPC Gateway Endpoints?
S3 and DynamoDB
What is the preferred Endpoint for S3?
Gateway Endpoint. Free and easy configuration
What does the AWS Site-to-Site VPN connection need?
Virtual Private Gateway: Created on the AWS VPC side
Customer Gateway: Application or device on customer side
What is the difference between AWS DX and AWS VPN?
Direct Connect runs over a private, provider-supplied network; a VPN runs over the public internet but is encrypted by the VPN tunnel
What are the Direct Connect connection types?
Dedicated Connections and Hosted Connections; Dedicated Connections tend to have higher capacity
True or False: Data over Direct Connect is encrypted?
False. We must set up a VPN to encrypt data
How can we set up maximum resiliency in Direct Connect?
Set up multiple connections in each Direct Connect location
Check Notes
What is the max number of CIDR per VPC?
5
What is the min and max CIDR size in VPC?
/28 is the min and /16 is the max
What is a Bastion Host?
Bastion Hosts allow internet access (SSH) to a private subnet through a public subnet.
What must the Bastion Host security group allow to access private subnet?
It must allow inbound traffic from the internet on port 22 from a restricted CIDR (the addresses allowed through to the private subnet). The security group of the private subnet must allow the Bastion Host's private IP
What is the difference between a NAT Instance and a Bastion Host?
A bastion host allows us to SSH into a private instance from a public one. A NAT Instance allows us to access the internet without worrying about inbound traffic from the internet
What are ephemeral ports in relation to NACLs?
When clients make requests, they initiate the request on a specific port but expect to receive the response on a port range known as ephemeral ports; it’s important to allow these in the NACLs
What is VPC peering?
VPC peering allows two VPCs to privately communicate over AWS’ network
True or False: We must update the route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other in VPC peering
True
True or False: A VPC has one router and one route table
False. A VPC has one router but can have multiple route tables. The router is responsible for directing traffic according to the route tables
How do we provision a VPC Gateway Endpoint?
We create one, choose which VPC and define which route table it will be directed through
Are route tables inbound or outbound defining?
Route tables define both outbound and inbound traffic depending on the destination and target. Traffic from outside the VPC can be routed in, but it is filtered by NACLs and Security Groups
What are VPC flow logs?
VPC flow logs capture information about IP traffic going into your interfaces
How can we query the VPC flow logs?
Athena on S3
CloudWatch Logs Insights
What is AWS VPN CloudHub?
It allows one Virtual Private Gateway (VGW) to connect to multiple Customer Gateways for site-to-site VPN
What IP address do we use for the Customer Gateway Device in site-to-site VPN connections?
Either the public IP address of the Customer Gateway device OR if it’s behind a NAT device (the Customer Gateway has a private IP) use the public IP of the NAT device
What is AWS Transit Gateway?
Transit Gateway is a network transit hub used to interconnect your VPCs and on-premises networks. It also allows us to share Direct Connect between multiple accounts
We need to support IP Multicast. What service can we use?
AWS Transit Gateway
What is ECMP?
ECMP is Equal-Cost Multi-Path routing. It is a feature provided by Transit Gateway. It allows us to create multiple site-to-site VPN connections to increase the bandwidth of the connections to AWS
What is VPC Traffic Mirroring?
Traffic Mirroring captures traffic from an ENI to an ENI (or Network Load Balancer), filters it and can send it to a monitoring application
True or False: IPv4 can be disabled for your VPC and subnets?
False
True or False: Egress-only Internet Gateway is for both IPv4 and IPv6
False. Only for IPv6; Egress-only IG allows for outbound (egress) traffic only
True or false: Instances in Private Subnets can access the Egress-only IGW without a NAT Gateway
True. But it must be defined in the Route Table
Security Groups operate at the …………….. level while NACLs operate at the …………….. level
EC2 Instance, NACL
You would like to provide Internet access to your EC2 instances in private subnets with IPv4 while making sure this solution requires the least amount of administration and scales seamlessly. What should you use?
NAT Gateway
You have set up a Direct Connect connection between your corporate data center and your VPC A in your AWS account. You need to access VPC B in another AWS region from your corporate datacenter as well. What should you do?
AWS Direct Connect Gateway
If you want a 500 Mbps Direct Connect connection between your corporate datacenter and AWS, would you choose a dedicated or a hosted connection?
Hosted. Dedicated supports 1 Gbps and 10 Gbps
When you set up an AWS Site-to-Site VPN connection between your corporate on-premises datacenter and VPCs in AWS Cloud, what are the two major components you want to configure for this connection?
Virtual Private Gateway and Customer Gateway
Your company has several on-premises sites across the USA. These sites are currently linked using private connections, but your private connection provider has recently been quite unstable, taking your IT architecture partially offline. You would like to create a backup connection that uses the public Internet to link your on-premises sites, which you can fail over to in case of issues with your provider. What do you recommend?
AWS VPN CloudHub. Allows you to securely communicate with multiple sites using AWS VPN. It is a hub-and-spoke model
You need to set up a dedicated connection between your on-premises corporate datacenter and AWS Cloud. This connection must be private, consistent, and traffic must not travel through the Internet. Which AWS service should you use?
AWS Direct Connect
True or False: Using a Direct Connect connection, you can access both public and private AWS resources
True
You want to scale up the throughput of an AWS Site-to-Site VPN connection, established between your on-premises data center and AWS Cloud, beyond a single IPsec tunnel’s maximum limit of 1.25 Gbps. What should you do?
Transit Gateway
You have a VPC in your AWS account that runs in dual-stack mode. You repeatedly try to launch an EC2 instance, but it fails. After further investigation, you have found that you no longer have IPv4 addresses available. What should you do?
Add an additional IPv4 CIDR to your VPC
Which AWS service allows you to protect and control traffic in your VPC from layer 3 to layer 7?
AWS Network Firewall