VPC Flashcards

1
Q

What are the elements of a VPC?

A
  1. IP Address Range (CIDR Block)
  2. Subnets
  3. Route Tables
  4. Internet Gateway
  5. NAT Gateway/NAT Instance
  6. Security Groups
  7. Network Access Control Lists (NACLs)
  8. Elastic IP Addresses
  9. VPC Peering
  10. VPC Endpoints
  11. Virtual Private Gateway (VPN/Direct Connect)
  12. Flow Logs
2
Q

What is a Virtual Private Gateway?

A

A virtual private gateway enables secure communication between your VPC and your on-premises network using either VPN connections or AWS Direct Connect.

3
Q

What is VPC CIDR Block?

A

IP Address Range (CIDR Block): When creating a VPC, you define an IP address range for the VPC using Classless Inter-Domain Routing (CIDR) notation. This range determines the available IP addresses for your VPC’s subnets.

4
Q

What are VPC Subnets?

A

Subnets: Subnets are subdivisions of a VPC’s IP address range. Public subnets have direct access to the internet, while private subnets do not. A subnet always resides in exactly one Availability Zone.

5
Q

What are VPC Route Tables?

A

Route Tables: A route table defines the rules for routing traffic between subnets, as well as to the internet or other network destinations. Each subnet is associated with a route table that specifies where network traffic should be directed.

6
Q

What is VPC Internet Gateway?

A

Internet Gateway: An internet gateway allows resources in public subnets to connect to the internet or to the AWS public zone. It serves as the gateway for traffic between the VPC and the public internet.

7
Q

What is a NAT Gateway/NAT Instance?

A

NAT Gateway/NAT Instance: NAT (Network Address Translation) gateways or NAT instances allow resources in private subnets to initiate outbound traffic to the internet while still maintaining security. They act as intermediaries for sending traffic from private subnets to the internet.
- Not associated with security groups.
- Should be added in a public subnet.
- 5-45 Gbps.
- If you’re using NAT Gateways and your resources are spread across different Availability Zones, it’s important to make sure each Availability Zone has its own NAT Gateway. If one NAT Gateway goes down, resources in other Availability Zones won’t lose internet access.

8
Q

What are Security groups?

A

Security Groups: Security groups are virtual firewalls that control inbound and outbound traffic to instances within a subnet. They are stateful and control traffic based on security group rules.
- In order to communicate to your EC2 instances via SSH, RDP, or HTTP, you will need to open up the correct ports.
- By default, all inbound traffic is blocked, and all outbound traffic is blocked.

9
Q

What are NACLs?

A

Network Access Control Lists (NACLs): NACLs are stateless network traffic filters that control traffic entering and leaving subnets. They are less granular than security groups but operate at the subnet level.
- Can block specific IP addresses.
- By default, all inbound/outbound traffic is allowed.
- A subnet can be associated with only 1 network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.
- Network ACLs contain a numbered list of rules that are evaluated in order, starting with the lowest-numbered rule.

10
Q

What are Elastic IP Addresses?

A

Elastic IP Addresses: Elastic IP addresses are static, public IP addresses that you can associate with instances or network interfaces in your VPC. They are useful for resources that need to have a consistent public IP.

11
Q

What is VPC peering?

A

VPC peering allows you to connect 2 VPCs using private IP addresses, enabling resources in different VPCs to communicate as if they were in the same network.
- You can peer VPCs with other AWS accounts.
- You can peer between regions.
- In the same region, SGs can reference each other directly. In different regions, SGs reference each other by IP addresses or IP ranges.
- Peering is in a star configuration (e.g., 1 central VPC peers with 4 others). No transitive peering! (hub-and-spoke model)
- We create the VPC peering, create the routes, and, if necessary, the SGs and ACLs.

12
Q

What are VPC endpoints?

A

VPC endpoints provide a private connection between your VPC and supported AWS services, avoiding the need to traverse the public internet.

2 Types of VPC Endpoints:
- Interface endpoints: an elastic network interface with a private IP address that serves as an entry point for traffic headed to a supported service. They support a large number of AWS services.
- Gateway endpoints: Similar to NAT gateways, a gateway endpoint is a virtual device you provision. It supports connection to S3 and DynamoDB.
13
Q

What are VPC Flow Logs?

A

VPC Flow Logs capture information about IP traffic flowing to and from network interfaces in your VPC, providing insight into network activity.

They DON’T capture packet contents; that requires a packet sniffer. They record only packet metadata (source IP, destination IP, ports, packet size, etc.).

Can be stored on S3 or CloudWatch Logs.

Are NOT real time.

14
Q

What is AWS PrivateLink?

A

AWS PrivateLink is a private networking technology that allows you to securely connect your VPC (Virtual Private Cloud) to services as if they were in your VPC. This means that you can connect to AWS services, services hosted by other AWS accounts, and supported AWS Marketplace services without exposing your traffic to the public internet.

  • Doesn’t require VPC peering; no route tables, NAT gateways, internet gateways, etc.
15
Q

What is ENI?

A

ENI stands for Elastic Network Interface. It’s a virtual network interface that you can attach to an Amazon Elastic Compute Cloud (Amazon EC2) instance in an Amazon Virtual Private Cloud (Amazon VPC). An ENI acts as a network adapter, providing networking capabilities to an EC2 instance.

16
Q

What is AWS VPN CloudHub?

A
  • If you have multiple sites, each with its own VPN connection, you can use AWS VPN CloudHub to connect those sites together. It’s similar to VPC peering in that it works on a hub-and-spoke model.
  • AWS VPN CloudHub is low-cost and easy to manage. Though it operates over the public internet, all traffic between the customer gateway and the AWS VPN CloudHub is encrypted.
17
Q

What is Direct Connect?

A

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct Connect router.

With this connection, you can create virtual interfaces directly to public AWS services (for example, to Amazon S3) or to Amazon VPC, bypassing internet service providers in your network path.

Business Premises => DX Location => AWS Region. AWS regions have multiple Direct Connect Locations.

Speed: 1G or 10G or 100G

18
Q

What are the 2 types of Direct Connect connection?

A
  • Dedicated Connection (Customer DX router to AWS DX router): A physical Ethernet connection associated with a single customer. Customers can request a dedicated connection through the AWS Direct Connect console, the CLI, or the API.
  • Hosted Connection (Provider DX router to AWS DX router): A physical Ethernet connection that an AWS Direct Connect Partner provisions on behalf of a customer. Customers request a hosted connection by contacting a partner in the AWS Direct Connect Partner Program, who provisions the connection.

Direct Connect connections are made in AWS DX Locations. A connection is a port allocation on an AWS DX router.

19
Q

VPNs vs. Direct Connect

A

VPNs allow private communication, but the traffic still traverses the public internet to get the data delivered. While secure, it can be painfully slow.
DIRECT CONNECT IS:
- Fast
- Secure
- Reliable
- Able to take massive throughput

The two can be used together: Direct Connect takes time to implement, while a VPN can be up in hours.

20
Q

What is AWS Transit Gateway?

A

AWS Transit Gateway connects VPCs and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router: each new connection is only made once.
- Allows you to have transitive peering between thousands of VPCs and on-premises data centers.
- Works on a hub-and-spoke model.
- Works on a regional basis, but you can have it across multiple regions.
- You can use it across multiple AWS accounts using RAM (Resource Access Manager).
- You can use route tables to limit how VPCs talk to one another.
- Works with Direct Connect as well as VPN connections.
- Supports IP multicast (not supported by any other AWS service).

21
Q

What is AWS Wavelength?

A

AWS Wavelength embeds AWS compute and storage services within 5G networks, providing mobile edge computing infrastructure for developing, deploying, and scaling ultra-low-latency applications.

22
Q

How many default VPCs can exist in a Region?

A

1 default VPC but you can have many custom VPCs in a Region.

23
Q

What is the default VPC CIDR block in AWS?

A

172.31.0.0/16. A Region only gets one default VPC, and its CIDR block is always the same.

24
Q

How many subnets does the default VPC have?

A

One subnet (/20) in each Availability Zone (AZ) of the AWS region where it’s created.

25
Q

Can the default VPC be removed?

A

Yes, it can be removed and recreated.

26
Q

What are the elements of the default VPC?

A

A /20 subnet in each AZ, an Internet Gateway (IGW), a Security Group (SG), and a NACL.

27
Q

In the default VPC are subnets configured in such a way that instances launched within those subnets are assigned public IP addresses by default?

A

Yes.

28
Q

Where does the option “Enable DNS resolution” on a VPC help?

A

It is helpful for allowing your VPC resources to communicate with each other and with resources on the internet. For example, if you have an EC2 instance in your VPC that needs to access a database in your VPC, DNS resolution allows the EC2 instance to find the database’s IP address.

29
Q

Where does the option “Enable DNS hostnames” on a VPC help?

A

It is helpful for making your VPC resources easier to identify and manage. For example, if you have two EC2 instances in your VPC, you can give them DNS hostnames of webserver1 and webserver2, which makes it easier to identify and manage these resources.

30
Q

Which are the reserved IPs in each subnet?

A

e.g. 10.16.16.0/20
1. Network address (10.16.16.0) - the first address of any subnet (not specific to AWS).
2. Network + 1 (10.16.16.1) - VPC Router (in AWS)
3. Network + 2 (10.16.16.2) - DNS (in AWS)
4. Network + 3 (10.16.16.3) - Reserved for future use
5. Broadcast address (10.16.31.255) - reserved even though broadcast is not supported in AWS.

31
Q

Do you need an Internet Gateway per AZ to connect to the Internet?

A

No. Internet Gateway is region-resilient. One Internet Gateway will cover all AZs in the region.

32
Q

How many Internet Gateways can a VPC have?

A

0 (private VPC) or 1 (public VPC)

33
Q

“Public IPv4 address is not directly attached to the instance or any interfaces, it is associated with it”. What does this mean?

A

If the public IPv4 address were directly attached, the OS utilities would be aware of it (things like ifconfig in Linux).
If you connect to a Linux instance and display the IPv4 addresses, you will only see the private ones.
The public IP address is associated with the private IPv4 address in the internet gateway, which performs the translation.

34
Q

Does the operating system of an EC2 instance have the Public IPv6 of the instance?

A

Yes.

35
Q

What is a Bastion Host/jumpbox?

A

It is an instance inside a public subnet in a VPC. It is generally the only way to access private resources inside a VPC.

36
Q

What are the steps to make a subnet public?

A
  1. Create an Internet Gateway.
  2. Associate the IG with the subnet’s VPC.
  3. Create a route table for the subnet.
  4. Associate the route table with the subnet.
  5. Add default routes onto the route table pointing at the IG.
  6. Enable the allocation of IPv4 addresses for the subnet.
37
Q

With how many subnets can an instance be associated?

A

An instance must be associated with a single (one and only one) subnet in order to receive a network interface and an IP address.

38
Q

What are Security Group’s logical references?

A

Security group logical references allow you to reference security groups in other security groups. This can be useful for creating more complex and granular security policies.

39
Q

What are Security Groups self-references?

A

Security Groups in AWS can have “self-references,” which means you can configure a security group to allow traffic from instances associated with the same security group.
For example: You might want to allow instances in the same security group to communicate on certain ports (e.g., database ports) while restricting other ports.

40
Q

What kind of IP does a NAT Gateway use?

A

Uses Elastic IPs (Static IPv4 Public)

41
Q

What is the important step needed for an EC2 instance to function as a NAT instance?

A

Disable source/destination checks. This is essential because it allows the instance to forward traffic from private subnets to the internet and vice versa without dropping the packets due to source/destination checks.

42
Q

When should a NAT instance be preferred over a NAT Gateway?

A

Rarely. If cost is the primary concern, or if you deploy services in a test VPC. You can use a very small EC2 instance, even in the free tier, and have predictable costs; a NAT Gateway is not free-tier eligible. You also have full access to manage a NAT instance (e.g., use it also as a bastion host).

43
Q

Can you use SGs and NACLs with NAT Gateways?

A

Only NACLs; NAT Gateways do not support SGs.

44
Q

How do NAT Gateways work with IPv6?

A

NAT Gateways aren’t required and do not work with IPv6. All IPv6 addresses are publicly routable. The Internet Gateway works with all IPv6 addresses directly.

45
Q

What service would you use if you want IPv6 outbound access only?

A

Egress-only Internet Gateway.

46
Q

Is it true that some services could behave oddly if a default VPC does not exist?

A

Yes. For example, if you try to launch an EC2 instance without specifying a VPC, the instance will be launched into the default VPC. However, if there is no default VPC, the instance will fail to launch.

47
Q

How can an Internet Gateway (IGW) be configured to be highly available?

A

It is HA by default (when attached to a VPC).

48
Q

How many route tables can a subnet be associated with in Amazon Virtual Private Cloud (Amazon VPC)?

A

A subnet can be associated with only one route table at a time.

49
Q

At what levels can VPC flow logs be created?

A
  • VPC Level
  • Subnet Level
  • Network Interface Level (ENIs)
50
Q

What type of IP traffic might not be monitored by VPC Flow logs?

A
  • Traffic generated by instances when they contact the Amazon DNS server
    • If you use your own DNS server, traffic to it will be logged
  • Traffic generated by Windows instances for Amazon Windows license activation
  • Traffic to and from 169.254.169.254 for instance metadata
  • DHCP traffic
  • Traffic to the reserved IP address for the default VPC router
51
Q

What are the VPC Flow Log Protocol Numbers for ICMP, TCP, UDP?

A
  • ICMP (1): Used for network management and error reporting.
  • TCP (6): Reliable, connection-oriented protocol used for applications like web browsing and file transfers.
  • UDP (17): Unreliable, connectionless protocol used for applications that require low latency, such as streaming media and online gaming.
52
Q

What is an Egress-Only Internet Gateway (EOIG) and when is it used?

A

An Egress-Only Internet Gateway is used in Amazon VPCs with IPv6 connectivity. It enables outbound IPv6 traffic to the internet while blocking incoming unsolicited traffic. It’s used for secure outbound access and is ideal when you need to allow IPv6 traffic to reach the internet while maintaining strict control over inbound traffic.

53
Q

What are VPC Gateway endpoints?

A
  • Gateway endpoints are a type of VPC endpoint that allows access to S3 and DynamoDB without using public addressing.
  • Gateway endpoints add ‘prefix lists’ to the route table, allowing the VPC router to direct traffic to the public services via the gateway endpoint.
  • An endpoint policy is used to control what the endpoint can access.
  • Regional: cannot access cross-region services.
  • HA by default, across all AZs in a region.
54
Q

What are VPC Interface endpoints?

A
  • Provide private access to AWS services: anything except DynamoDB and S3 (S3 is now supported too!).
  • Added to specific subnets as an ENI; not HA on their own.
  • Security Groups and Endpoint Policies can be used.
  • TCP and IPv4 only. A subset of PrivateLink.
  • The endpoint provides a NEW service endpoint DNS name (not prefix lists, as Gateway endpoints do).
55
Q

What are the different types of VPC interface endpoints in Amazon VPC?

A
  • Regional Endpoints: These endpoints are created in a specific AWS region and allow your VPC to access AWS services within that region over a private network connection. They are used for services that are regional in scope.
  • Zonal Endpoints: These endpoints are associated with specific Availability Zones within a region and allow your VPC to access AWS services that are localized to those Availability Zones. They are used for services with a zonal scope and provide high availability.
  • Private DNS Endpoints (DEFAULT): These endpoints override the default DNS resolution for specific AWS services. They ensure that DNS requests for these services resolve to private IP addresses, allowing secure and private communication with those services without public internet exposure.
56
Q

What is IPsec VPN?

A

IPsec VPN, or Internet Protocol Security Virtual Private Network, is a security protocol suite that ensures secure communication over untrusted networks, like the internet. It achieves this by encrypting and authenticating data packets, thus protecting their confidentiality and integrity. IPsec VPNs are used for various purposes, including secure remote access for users and site-to-site connections for linking multiple networks securely. These VPNs use authentication methods and encryption algorithms to provide robust security, making them essential for safeguarding data during transmission and enabling secure connections over public networks.

IPsec VPN negotiation occurs in two phases. In Phase 1, participants establish a secure channel in which to negotiate the IPsec security association (SA). In Phase 2, participants negotiate the IPsec SA for authenticating traffic that will flow through the tunnel.

57
Q

What is AWS Site-to-Site VPN?

A

AWS Site-to-Site VPN is a hardware VPN solution that creates a highly available IPsec VPN between an AWS VPC and an external network such as an on-premises traditional network. VPNs are quick to set up (less than an hour) compared to Direct Connect; they don’t offer the same high performance, but they do encrypt data in transit.

The VPN connection is between the Virtual Private Gateway (VGW) and the Customer Private Gateway (CGW). The VGW creates 2 physical endpoints for each CGW. For HA, more than 1 CGW is needed.

58
Q

What is the difference between static and dynamic VPN in AWS?

A
  • A static VPN uses static routes to define the paths that traffic should take between your on-premises network and your VPC. This means that you need to manually configure the routes on your on-premises network and your VPC. Static VPNs are a good choice for small deployments where the network topology is not expected to change frequently.

Static VPNs typically utilize the IPsec protocol to establish a secure tunnel between the on-premises network and the VPC. IPsec ensures that all traffic flowing through the tunnel is encrypted and authenticated, protecting it from unauthorized access.

  • A dynamic VPN uses Border Gateway Protocol (BGP) to exchange routing information between your on-premises network and your VPC. This means that the routes are automatically updated as the network topology changes. Dynamic VPNs are a good choice for larger deployments where the network topology is expected to change frequently.