VPC Flashcards
1
Q
VPC
A
Virtual Private Cloud
- Linked to specific region / CIDR range
- Public & private subnets inside VPC associated with each AZ
- Route tables to define access between internet and subnets
2
Q
IP Addresses
A
- IPv4
- Public IPv4
- EC2 instances get public IPs on start
- Private IPv4 (private networks, static IPs)
- Elastic IP
- Fixed public IPv4 addresses (ongoing cost if not used)
- IPv6
3
Q
Internet Gateway & NAT Gateways
A
- Internet gateways connect VPC to internet
- Public subnets have route to internet gateway
- NAT gateway lets instances in private subnets reach the internet while remaining private (route from private subnet to NAT gateway & from NAT gateway to internet gateway)
4
Q
Look up CIDRs
A
CIDR.xyz
5
Q
Network ACL for VPCs
A
NACL: Network access control list
- Firewall controlling traffic to and from a subnet (subnet level)
- ALLOW and DENY
- Attached at subnet level
- Rules only include IP addresses
- Stateless
6
Q
ENI
A
Elastic Network Interface
7
Q
Security Groups w/VPCs
A
Security Groups
- Firewall that controls traffic to and from an ENI / EC2 instance (instance level)
- ALLOW only
- Rules include IP addresses & other security groups
- Stateful
8
Q
VPC Flow Logs
A
- Log of IP address information
  - VPC flow logs
  - Subnet flow logs
  - ENI flow logs
- Helps monitor and troubleshoot
- Also captures ELBs, ElastiCache, RDS, etc.
- Send to S3, CloudWatch Logs, Kinesis Data Firehose
9
Q
VPC Peering
A
Connect two VPCs privately
- Peer them so they appear to be in the same network
- IP address ranges must not overlap
- Not transitive. Each VPC pair must have its own peering connection
10
Q
VPC Endpoints
A
- Connect AWS services using private AWS network
- Better security, lower latency
- VPC endpoint Gateway: S3 & DynamoDB
- VPC endpoint Interface: the rest
11
Q
AWS PrivateLink
A
- Most secure & scalable way to expose a service to 1000s of VPCs
- Doesn’t require VPC peering, internet gateway, NAT, route tables, etc.
- Requires a network load balancer (Service VPC) and ENI (Customer VPC)
12
Q
Site to Site VPN
A
- Site to Site VPN connects on-prem to AWS VPC
- Goes over public internet
- Automatically encrypted
- On-prem side: must use a customer gateway (CGW)
- AWS side needs a virtual private gateway (VGW)
13
Q
Direct Connect
A
- Direct Connect (DX)
- Establishes a physical connection between on-prem & AWS
- Secure, fast, and private
- Private network (does not traverse the public internet)
- Takes at least a month due to provisioning
14
Q
Uses of Client VPN
A
- Connect from computer using OpenVPN to private network in AWS
- Connect to EC2 over private IP (like being in private VPC)
15
Q
Transit Gateway
A
- Provides transitive peering between thousands of VPCs and on-prem (hub and spoke)
- One single gateway provides this
- Works with direct connect gateway, VPN connections