VPC Flashcards
This deck aims to help retain concepts related to the AWS VPC service.
What AWS service creates a logically isolated virtual network similar to a traditional network, but with the scalability of the cloud?
Virtual Private Cloud (VPC)
How do you enable DNS resolution within a VPC?
Use the “Enable DNS resolution” configuration component
How do you provide public DNS names for public instances within a VPC?
Use the “Enable DNS hostnames” configuration option
Which minimum and maximum IPv4 CIDR blocks are allowed when creating a VPC?
Minimum /28, Maximum /16
Which IPv6 CIDR block is assigned when creating a VPC?
/56
What VPC configuration component controls DNS servers, domain names, NTP servers, and the DNS resolution state for devices within a VPC?
Hint: This component cannot be edited, only recreated
DHCP Options Set
How the logical subdivision of a VPC residing within a specific Availability Zone (AZ) and representing a network segment with a range of IP addresses is named?
Subnet
Can subnets within the same VPC communicate with each other?
Yes, by default, services running in different subnets within the same VPC can communicate with each other
How many IP addresses are reserved within a subnet, and why?
Five IP addresses are reserved:
Network address
Network + 1 (for router)
Network + 2 (for DNS)
Network + 3 (for future AWS use)
Network broadcast address
Does VPC support broadcast communication?
No, VPC does not support broadcast communication
How do you automatically assign a public IP address to new instances within a subnet?
Use the Auto-assign public IPv4 address or Auto-assign IPv6 address configuration component for the subnet
What are some important considerations for designing a VPC?
- VPC size
- Network (overlapping CIDR ranges within VPC, Cloud, On-premises, Partners, etc.)
- Structure (tiers, resiliency, and availability)
- Avoid common IP ranges (e.g., 10.0.0.0/16, 10.1.0.0/16)
What component implicitly manages traffic flow within a VPC?
The VPC Router (uses the network + 1 IP address)
What VPC component defines how network traffic from your subnet or gateway is directed?
Route table, each subnet must be associated with a route table containing a set of rules called routes
How many route tables can a VPC subnet be associated with?
One, and only one
How many VPC subnets can be associated with a single route table?
A route table can be shared with multiple subnets
Which route table is used by default for subnets that aren’t associated with a custom one?
The VPC main route table
In a route table, which prefix has higher priority: /16 (VPC) or /32 (single IP)?
In a route table, the more specific prefix (higher number) takes priority, so the answer is /32
Which routes are always present and uneditable in a route table and ALWAYS take priority?
Local routes
What VPC component acts as a bridge between two networks (public internet and VPC), enabling inbound and outbound connections from resources within a VPC?
Internet Gateway (IGW)
How many VPCs can an Internet Gateway be attached to?
One VPC only
What is the resiliency scope of an Internet Gateway?
Internet Gateway is a region-resilient service that runs within the AWS Public Zone
Which type of firewalls do not track the state of connections, where each request and response is treated individually and requires its own rules
Stateless firewalls
Can the IPv4 public address be configured on the EC2 instance OS?
No, the OS is unaware of public addressing, Internet Gateway maintains private IPv4 to public IPv4 mapping
Which type of firewalls track the state of connections by maintaining state tables, where requests and responses are identified as two components of the same connection, so a rule configured to accept incoming traffic will allow outgoing by default?
Stateful firewalls
How could you identify the requester and responder knowing only ports?
- Requests are always made to well-known ports (80, 443, etc.)
- Requester may use an ephemeral port (1024/49152–65535) to initiate requests
Which optional layer of security within a VPC acts as a stateless firewall for controlling traffic in and out of one or more subnets?
Network Access Control List (NACL)
What is the difference between default and custom VPC NACLs?
- Default NACL allows inbound and outbound traffic by default
- Custom NACL implicitly denies inbound and outbound traffic by default
If you configure the VPC NACL Inbound rule to allow HTTP connections on port 80, will the outbound traffic be allowed by default?
No, both rules for inbound and outbound connections should be configured in stateless firewalls, as they are treated separately
How do VPC NACLs process rules?
NACL rules are processed in order, the lowest rule number is processed first, and once a match occurs, processing stops
The rule with the “*” number is an implicit DENY rule, so if no other rule matches, traffic is denied
Describe the content of a VPC NACL rule and the configurations present.
- Rule number
- Protocol/port
- IP/CIDR
Can you use VPC NACLs to restrict traffic from one instance to another within the same subnet?
No, NACLs only impact data crossing subnet boundaries
What is the relationship between subnets and NACLs within a VPC?
- ONE Subnet can be associated with only ONE NACL
- ONE NACL can be associated with MANY Subnets
Which VPC security component could restrict traffic from a certain IP or IP range?
Network Access Control List (NACL)
Which VPC security component represents a virtual stateful firewall for the network interface to control incoming and outgoing traffic?
Security Group (SG)
If you configure the VPC Security Group Inbound rule to allow HTTP connections on port 80, will the outbound traffic be allowed by default?
Yes, in stateful firewalls, inbound and outbound traffic are treated as the same request
Can you explicitly DENY traffic using a VPC Security Group?
No, security groups do not have an explicit DENY rule, so if traffic is not explicitly allowed, then it is implicitly denied
What elements define a VPC Security Group rule in AWS?
- Protocol (e.g., TCP, UDP)
- Port range (e.g., 80, 443)
- Source or destination IP/CIDR block
- Rule direction (inbound or outbound)
What’s the best practice for using NACLs and SGs within a VPC?
- Use Security Groups to explicitly allow traffic and reference logical resources
- Use NACLs to explicit deny traffic to specific IP or network
What are the benefits of referencing logical resources within VPC Security Group rules?
- Reference another security group to allow traffic from certain application tiers
- Reference the current group itself to manage communication between components within the security group
What VPC architectural component enables outbound internet connections for services running in private subnets?
Network Address Translator (NAT) Gateway
What is the resiliency scope of a NAT Gateway?
It’s an AZ-resilient service, for high availability, deploy one NAT Gateway in each AZ
What is the maximum bandwidth a NAT Gateway can scale up to?
45 Gbps
What components are required when creating a NAT Gateway?
- Elastic IP (static public IPv4 address)
- Public Subnet within the VPC
What’s the primary function of a NAT Gateway within a VPC?
It performs IP masquerading, hiding private IP addresses behind a single public IP address and maintaining a translation table for communication
Does NAT Gateway support IPv6 addresses?
No IPv6 are publically routable by default
- IGW with a route to ::/0 can be used for IPv6 addresses
- For private IPv6 outbound connections, Egress-only IGW can be used
What feature of NAT Instance service needs to be disabled for NAT functionality?
Source/Destination Checks feature has to be disabled
How do AWS NAT Instances differ from AWS NAT Gateways?
NAT Instance: Customer-managed, single instance (less resilient), cheaper, predictable costs (can be free-tier eligible), can be multi-purpose, can have both NACL on the subnet and SG on the instance
NAT Gateway: AWS-managed, AZ-resilient (auto-scales and recovers within AZ), more expensive, less predictable costs due to auto-scaling, no free-tier eligibility, can have NACL on the subnet, but NO SG
Can logical resources be configured in the VPC NACL rule?
No
Can logical resources be configured in the VPC Security Group rule?
Yes
How many default VPCs can be defined per region?
One, it can be deleted and recreated
What is the default VPC CIDR range?
172.31.0.0/16
How many subnets are in the default VPC, and what is their CIDR?
The subnet is present in each AZ of the region with /20 CIDR
Which network components does the default VPC have pre-created?
- Internet Gateway (IGW)
- Security Group (SG)
- Network Access Control List (NACL)
Do subnets in the default VPC assign public IPv4 addresses to the resources?
Yes
What feature enables capturing packet metadata for network traffic in a VPC?
VPC Flow Logs
Can VPC Flow Logs track both accepted and rejected traffic?
Yes, it can capture ACCEPTED, REJECTED, or ALL traffic types
Do VPC Flow Logs capture packet content?
No, they capture only packet metadata, to analyze packet content, a packet sniffer is required
At what scope can VPC Flow Logs be configured to capture data?
- VPC level: Captures logs for all interfaces in a VPC
- Subnet level: captures logs for all interfaces within a subnet
- Individual network interface level: captures logs for a specific interface
Is VPC Flow Logs a real-time solution?
No, logs are delivered with a delay
What kind of metadata is captured by VPC Flow Logs?
Hint: provide an example of its fields.
- version: 2
- account-id: 493062997015
- interface-id: eni-014b6c6b372721dOb
- srcaddr: 79.33.7.58
- dstaddr: 172.31.8.238
- srcport: 54517
- dstport: 23
- protocol: 6
- packets: 3
- bytes: 180
- start: 1433807174
- end: 1433807218
- action: REJECT
- log-status: OK
Where can VPC Flow Logs store captured packet metadata?
In Amazon S3 or CloudWatch Logs
Does VPC Flow Logs capture all types of traffic within a VPC?
No, it excludes:
- Metadata service requests (169.254.169.254)
- Time server requests
- DHCP traffic
- Amazon DNS server requests
- Amazon Windows license server requests
What is the protocol number for Internet Control Message Protocol (ICMP)?
1
What is the protocol number for Transmission Control Protocol (TCP)?
6
What is the protocol number for User Datagram Protocol (UDP)?
17
Which VPC component provides IPv6-enabled instances with outbound-only access to public AWS services and the internet?
Egress-only Internet Gateway
Why can’t a regular VPC Internet Gateway provide outbound-only access for IPv6-enabled instances?
All IPv6 addresses are publicly routable by default, so an Internet Gateway allows both inbound and outbound traffic, which is not suitable for outbound-only requirements
What is the primary purpose of an Egress-only Internet Gateway in AWS VPC?
It enables outbound-only access to the public internet for IPv6-enabled instances
What configuration is required to use an Egress-only Internet Gateway in AWS VPC?
Add a default IPv6 route (::/0) to the route table, with the Egress-only Internet Gateway (eigw-id) as the target
Which AWS VPC feature creates a private and encrypted network link between two VPCs, enabling communication using private IP addresses as if within the same network?
VPC Peering
Can VPC Peering connections resolve public hostnames to private IPs?
Yes, but this must be explicitly enabled
Can an AWS VPC Peering connection be established between two VPCs with overlapping CIDR ranges?
No, peering connections cannot be created if the VPCs have overlapping CIDR ranges
Can a single AWS VPC Peering connection link more than two VPCs?
No, each VPC Peering connection links only two VPCs
Is cross-account AWS VPC Peering supported?
Yes, VPC Peering supports connections within the same account, across accounts, in the same region, and across regions
Can VPC A communicate with VPC C through VPC B if A is peered with B and B is peered with C?
No, transitive peering is not supported, consider using Transit Gateway for such scenarios
What configurations are required for an AWS VPC Peering connection?
- The peering connection must be accepted upon creation
- Route tables on both sides must be updated to direct traffic to the remote CIDR range using the peer gateway object
Can Security Groups in same-region peered VPCs reference each other?
Yes, Security Groups in same-region peered VPCs can reference each other as if they belong to the same VPC
How can the number of VPC peering connections required for a mesh topology be calculated?
Use the formula: n × (n−1) / 2 where n is the number of VPCs
This approach becomes unmanageable as the number of VPCs grows:
- For 5 VPCs: 10 peering connections
- For 10 VPCs: 45 peering connections
Which AWS VPC component allows private connections to supported AWS services?
VPC Endpoint ensures that traffic between a VPC and supported service stays within the AWS network
What are the two types of AWS VPC Endpoints?
- Gateway Endpoint
- Interface Endpoint
Which VPC Endpoint type is created per service, per region, and must be associated with one or more subnets?
Gateway Endpoint
Which AWS VPC Endpoint type enables private access to S3 and DynamoDB without public addressing?
Gateway Endpoint
Which VPC Endpoint type is designed to be highly available across all AZs in a region?
Gateway Endpoint
Can Gateway Endpoints be used to access services in a different AWS region?
No, Gateway Endpoints cannot access cross-region services
Is it possible to access a Gateway Endpoint from outside its VPC?
No, Gateway Endpoints cannot be accessed from outside the VPC
What are some ideal use cases for a AWS VPC Gateway Endpoint?
- Enabling private access to public AWS services from within a VPC
- Securing S3 buckets by restricting access to the Gateway Endpoint, ensuring buckets are private
How is access controlled for AWS VPC Gateway Endpoints?
Through an Endpoint Policy, which specifies the resources (e.g., specific S3 buckets) the endpoint can access
Which AWS VPC Endpoint type relies on routing to direct traffic?
Gateway Endpoint
What must be added to an AWS VPC Route Table to direct traffic to public services through a Gateway Endpoint?
Prefix lists associated with the Gateway Endpoint
Which AWS VPC Endpoint type enables private access to public AWS services using Elastic Network Interfaces (ENIs) within a VPC?
Interface Endpoint
Which AWS VPC Endpoint type is not highly available by default?
Interface Endpoint
Which AWS VPC Endpoint type must be deployed in each Availability Zone (AZ) for high availability?
Interface Endpoint
Which AWS VPC Endpoint type supports only the TCP protocol and IPv4?
Interface Endpoint
Which AWS VPC Endpoint type leverages PrivateLink to inject AWS or third-party services into a VPC?
Interface Endpoint
How is access to AWS VPC Interface Endpoints managed?
Through both Endpoint Policies and Security Groups
Which AWS VPC Endpoint type relies on DNS for connectivity instead of routing?
Interface Endpoint
What DNS names are created when an AWS VPC Interface Endpoint is set up for a service in a specific region?
- Regional DNS name (high availability)
- Zonal DNS name
- Service DNS name
How are the created DNS names used in AWS VPC Interface Endpoints?
These DNS names provide private access to the service within the VPC
What does the Private DNS feature of AWS VPC Interface Endpoints do?
It overrides default service DNS names, allowing clients to connect privately via interface endpoints instead of using public access
Which outbound port range should be specified in AWS Network ACLs for ephemeral responses?
1024-65535 (to cover requests originating from AWS Lambda, NAT, Windows operating systems, and AWS ELB)
