VPC

Question 1

What AWS service creates a logically isolated virtual network similar to a traditional network, but with the scalability of the cloud?

Answer 1

Virtual Private Cloud (VPC)

Question 2

How do you enable DNS resolution within a VPC?

Answer 2

Use the “Enable DNS resolution” configuration component

Question 3

How do you provide public DNS names for public instances within a VPC?

Answer 3

Use the “Enable DNS hostnames” configuration option

Question 3

Which minimum and maximum IPv4 CIDR blocks are allowed when creating a VPC?

Answer 3

Minimum /28, Maximum /16

Question 4

Which IPv6 CIDR block is assigned when creating a VPC?

Answer 4

/56

Question 5

What VPC configuration component controls DNS servers, domain names, NTP servers, and the DNS resolution state for devices within a VPC?
Hint: This component cannot be edited, only recreated

Answer 5

DHCP Options Set

Question 6

How the logical subdivision of a VPC residing within a specific Availability Zone (AZ) and representing a network segment with a range of IP addresses is named?

Answer 6

Subnet

Question 7

Can subnets within the same VPC communicate with each other?

Answer 7

Yes, by default, services running in different subnets within the same VPC can communicate with each other

Question 8

How many IP addresses are reserved within a subnet, and why?

Answer 8

Five IP addresses are reserved:
Network address
Network + 1 (for router)
Network + 2 (for DNS)
Network + 3 (for future AWS use)
Network broadcast address

Question 9

Does VPC support broadcast communication?

Answer 9

No, VPC does not support broadcast communication

Question 10

How do you automatically assign a public IP address to new instances within a subnet?

Answer 10

Use the Auto-assign public IPv4 address or Auto-assign IPv6 address configuration component for the subnet

Question 11

What are some important considerations for designing a VPC?

Answer 11

• VPC size
• Network (overlapping CIDR ranges within VPC, Cloud, On-premises, Partners, etc.)
• Structure (tiers, resiliency, and availability)
• Avoid common IP ranges (e.g., 10.0.0.0/16, 10.1.0.0/16)

Question 12

What component implicitly manages traffic flow within a VPC?

Answer 12

The VPC Router (uses the network + 1 IP address)

Question 13

What VPC component defines how network traffic from your subnet or gateway is directed?

Answer 13

Route table, each subnet must be associated with a route table containing a set of rules called routes

Question 14

How many route tables can a VPC subnet be associated with?

Answer 14

One, and only one

Question 15

How many VPC subnets can be associated with a single route table?

Answer 15

A route table can be shared with multiple subnets

Question 16

Which route table is used by default for subnets that aren’t associated with a custom one?

Answer 16

The VPC main route table

Question 17

In a route table, which prefix has higher priority: /16 (VPC) or /32 (single IP)?

Answer 17

In a route table, the more specific prefix (higher number) takes priority, so the answer is /32

Question 18

Which routes are always present and uneditable in a route table and ALWAYS take priority?

Answer 18

Local routes

Question 19

What VPC component acts as a bridge between two networks (public internet and VPC), enabling inbound and outbound connections from resources within a VPC?

Answer 19

Internet Gateway (IGW)

Question 20

How many VPCs can an Internet Gateway be attached to?

Answer 20

One VPC only

Question 20

What is the resiliency scope of an Internet Gateway?

Answer 20

Internet Gateway is a region-resilient service that runs within the AWS Public Zone

Question 21

Which type of firewalls do not track the state of connections, where each request and response is treated individually and requires its own rules

Answer 21

Stateless firewalls

Question 21

Can the IPv4 public address be configured on the EC2 instance OS?

Answer 21

No, the OS is unaware of public addressing, Internet Gateway maintains private IPv4 to public IPv4 mapping

Question 22

Which type of firewalls track the state of connections by maintaining state tables, where requests and responses are identified as two components of the same connection, so a rule configured to accept incoming traffic will allow outgoing by default?

Answer 22

Stateful firewalls

Question 23

How could you identify the requester and responder knowing only ports?

Answer 23

• Requests are always made to well-known ports (80, 443, etc.)
• Requester may use an ephemeral port (1024/49152–65535) to initiate requests

Question 24

Which optional layer of security within a VPC acts as a stateless firewall for controlling traffic in and out of one or more subnets?

Answer 24

Network Access Control List (NACL)

Question 25

What is the difference between default and custom VPC NACLs?

Answer 25

• Default NACL allows inbound and outbound traffic by default
• Custom NACL implicitly denies inbound and outbound traffic by default

Question 26

If you configure the VPC NACL Inbound rule to allow HTTP connections on port 80, will the outbound traffic be allowed by default?

Answer 26

No, both rules for inbound and outbound connections should be configured in stateless firewalls, as they are treated separately

Question 27

How do VPC NACLs process rules?

Answer 27

NACL rules are processed in order, the lowest rule number is processed first, and once a match occurs, processing stops

The rule with the “*” number is an implicit DENY rule, so if no other rule matches, traffic is denied

Question 28

Describe the content of a VPC NACL rule and the configurations present.

Answer 28

• Rule number
• Protocol/port
• IP/CIDR

Question 29

Can you use VPC NACLs to restrict traffic from one instance to another within the same subnet?

Answer 29

No, NACLs only impact data crossing subnet boundaries

Question 30

What is the relationship between subnets and NACLs within a VPC?

Answer 30

• ONE Subnet can be associated with only ONE NACL
• ONE NACL can be associated with MANY Subnets

Question 31

Which VPC security component could restrict traffic from a certain IP or IP range?

Answer 31

Network Access Control List (NACL)

Question 32

Which VPC security component represents a virtual stateful firewall for the network interface to control incoming and outgoing traffic?

Answer 32

Security Group (SG)

Question 33

If you configure the VPC Security Group Inbound rule to allow HTTP connections on port 80, will the outbound traffic be allowed by default?

Answer 33

Yes, in stateful firewalls, inbound and outbound traffic are treated as the same request

Question 34

Can you explicitly DENY traffic using a VPC Security Group?

Answer 34

No, security groups do not have an explicit DENY rule, so if traffic is not explicitly allowed, then it is implicitly denied

Question 35

What elements define a VPC Security Group rule in AWS?

Answer 35

• Protocol (e.g., TCP, UDP)
• Port range (e.g., 80, 443)
• Source or destination IP/CIDR block
• Rule direction (inbound or outbound)

Question 36

What’s the best practice for using NACLs and SGs within a VPC?

Answer 36

• Use Security Groups to explicitly allow traffic and reference logical resources
• Use NACLs to explicit deny traffic to specific IP or network

Question 37

What are the benefits of referencing logical resources within VPC Security Group rules?

Answer 37

• Reference another security group to allow traffic from certain application tiers
• Reference the current group itself to manage communication between components within the security group

Question 38

What VPC architectural component enables outbound internet connections for services running in private subnets?

Answer 38

Network Address Translator (NAT) Gateway

Question 39

What is the resiliency scope of a NAT Gateway?

Answer 39

It’s an AZ-resilient service, for high availability, deploy one NAT Gateway in each AZ

Question 40

What is the maximum bandwidth a NAT Gateway can scale up to?

Answer 40

45 Gbps

Question 40

What components are required when creating a NAT Gateway?

Answer 40

• Elastic IP (static public IPv4 address)
• Public Subnet within the VPC

Question 41

What’s the primary function of a NAT Gateway within a VPC?

Answer 41

It performs IP masquerading, hiding private IP addresses behind a single public IP address and maintaining a translation table for communication

Question 42

Does NAT Gateway support IPv6 addresses?

Answer 42

No IPv6 are publically routable by default

• IGW with a route to ::/0 can be used for IPv6 addresses
• For private IPv6 outbound connections, Egress-only IGW can be used

Question 43

What feature of NAT Instance service needs to be disabled for NAT functionality?

Answer 43

Source/Destination Checks feature has to be disabled

Question 44

How do AWS NAT Instances differ from AWS NAT Gateways?

Answer 44

NAT Instance: Customer-managed, single instance (less resilient), cheaper, predictable costs (can be free-tier eligible), can be multi-purpose, can have both NACL on the subnet and SG on the instance

NAT Gateway: AWS-managed, AZ-resilient (auto-scales and recovers within AZ), more expensive, less predictable costs due to auto-scaling, no free-tier eligibility, can have NACL on the subnet, but NO SG

Question 45

Can logical resources be configured in the VPC NACL rule?

Answer 45

No

Question 46

Can logical resources be configured in the VPC Security Group rule?

Answer 46

Yes

Question 47

How many default VPCs can be defined per region?

Answer 47

One, it can be deleted and recreated

Question 48

What is the default VPC CIDR range?

Answer 48

172.31.0.0/16

Question 49

How many subnets are in the default VPC, and what is their CIDR?

Answer 49

The subnet is present in each AZ of the region with /20 CIDR

Question 50

Which network components does the default VPC have pre-created?

Answer 50

• Internet Gateway (IGW)
• Security Group (SG)
• Network Access Control List (NACL)

Question 51

Do subnets in the default VPC assign public IPv4 addresses to the resources?

Answer 51

Yes

Question 52

What feature enables capturing packet metadata for network traffic in a VPC?

Answer 52

VPC Flow Logs

Question 53

Can VPC Flow Logs track both accepted and rejected traffic?

Answer 53

Yes, it can capture ACCEPTED, REJECTED, or ALL traffic types

Question 54

Do VPC Flow Logs capture packet content?

Answer 54

No, they capture only packet metadata, to analyze packet content, a packet sniffer is required

Question 55

At what scope can VPC Flow Logs be configured to capture data?

Answer 55

• VPC level: Captures logs for all interfaces in a VPC
• Subnet level: captures logs for all interfaces within a subnet
• Individual network interface level: captures logs for a specific interface

Question 55

Is VPC Flow Logs a real-time solution?

Answer 55

No, they is not real-time, logs are delivered with a delay

Question 55

What kind of metadata is captured by VPC Flow Logs?
Hint: provide an example of its fields.

Answer 55

• version: 2
• account-id: 493062997015
• interface-id: eni-014b6c6b372721dOb
• srcaddr: 79.33.7.58
• dstaddr: 172.31.8.238
• srcport: 54517
• dstport: 23
• protocol: 6
• packets: 3
• bytes: 180
• start: 1433807174
• end: 1433807218
• action: REJECT
• log-status: OK

Question 56

Where can VPC Flow Logs store captured packet metadata?

Answer 56

In Amazon S3 or CloudWatch Logs

Question 57

Does VPC Flow Logs capture all types of traffic within a VPC?

Answer 57

No, it excludes:

• Metadata service requests (169.254.169.254)
• Time server requests
• DHCP traffic
• Amazon DNS server requests
• Amazon Windows license server requests

Question 58

What is the protocol number for Internet Control Message Protocol (ICMP)?

Answer 58

1

Question 58

What is the protocol number for Transmission Control Protocol (TCP)?

Answer 58

6

Question 59

What is the protocol number for User Datagram Protocol (UDP)?

Answer 59

17

Question 60

Which VPC component provides IPv6-enabled instances with outbound-only access to public AWS services and the internet?

Answer 60

Egress-only Internet Gateway

Question 61

Why can’t a regular VPC Internet Gateway provide outbound-only access for IPv6-enabled instances?

Answer 61

All IPv6 addresses are publicly routable by default, so an Internet Gateway allows both inbound and outbound traffic, which is not suitable for outbound-only requirements

Question 62

What is the primary purpose of an Egress-only Internet Gateway in AWS VPC?

Answer 62

It enables outbound-only access to the public internet for IPv6-enabled instances

Question 63

What configuration is required to use an Egress-only Internet Gateway in AWS VPC?

Answer 63

Add a default IPv6 route (::/0) to the route table, with the Egress-only Internet Gateway (eigw-id) as the target

Question 64

Which AWS VPC feature creates a private and encrypted network link between two VPCs, enabling communication using private IP addresses as if within the same network?

Answer 64

VPC Peering

Question 65

Can VPC Peering connections resolve public hostnames to private IPs?

Answer 65

Yes, but this must be explicitly enabled

Question 66

Can an AWS VPC Peering connection be established between two VPCs with overlapping CIDR ranges?

Answer 66

No, peering connections cannot be created if the VPCs have overlapping CIDR ranges

Question 67

Can a single AWS VPC Peering connection link more than two VPCs?

Answer 67

No, each VPC Peering connection links only two VPCs

Question 68

Is cross-account AWS VPC Peering supported?

Answer 68

Yes, VPC Peering supports connections within the same account, across accounts, in the same region, and across regions

Question 69

Can VPC A communicate with VPC C through VPC B if A is peered with B and B is peered with C?

Answer 69

No, transitive peering is not supported, consider using Transit Gateway for such scenarios

Question 70

What configurations are required for an AWS VPC Peering connection?

Answer 70

• The peering connection must be accepted upon creation
• Route tables on both sides must be updated to direct traffic to the remote CIDR range using the peer gateway object

Question 71

Can Security Groups in same-region peered VPCs reference each other?

Answer 71

Yes, Security Groups in same-region peered VPCs can reference each other as if they belong to the same VPC

Question 72

How can the number of VPC peering connections required for a mesh topology be calculated?

Answer 72

Use the formula: n × (n−1) / 2 where n is the number of VPCs

This approach becomes unmanageable as the number of VPCs grows:
- For 5 VPCs: 10 peering connections
- For 10 VPCs: 45 peering connections

Question 73

Which AWS VPC component allows private connections to supported AWS services?

Answer 73

VPC Endpoint ensures that traffic between a VPC and supported service stays within the AWS network

Question 74

What are the two types of AWS VPC Endpoints?

Answer 74

• Gateway Endpoint
• Interface Endpoint

Question 75

Which VPC Endpoint type is created per service, per region, and must be associated with one or more subnets?

Answer 75

Gateway Endpoint

Question 76

Which AWS VPC Endpoint type enables private access to S3 and DynamoDB without public addressing?

Answer 76

Gateway Endpoint

Question 77

Which VPC Endpoint type is designed to be highly available across all AZs in a region?

Answer 77

Gateway Endpoint

Question 78

Can Gateway Endpoints be used to access services in a different AWS region?

Answer 78

No, Gateway Endpoints cannot access cross-region services

Question 79

Is it possible to access a Gateway Endpoint from outside its VPC?

Answer 79

No, Gateway Endpoints cannot be accessed from outside the VPC

Question 80

What are some ideal use cases for a AWS VPC Gateway Endpoint?

Answer 80

• Enabling private access to public AWS services from within a VPC
• Securing S3 buckets by restricting access to the Gateway Endpoint, ensuring buckets are private

Question 81

How is access controlled for AWS VPC Gateway Endpoints?

Answer 81

Through an Endpoint Policy, which specifies the resources (e.g., specific S3 buckets) the endpoint can access

Question 82

Which AWS VPC Endpoint type relies on routing to direct traffic?

Answer 82

Gateway Endpoint

Question 83

What must be added to an AWS VPC Route Table to direct traffic to public services through a Gateway Endpoint?

Answer 83

Prefix lists associated with the Gateway Endpoint

Question 84

Which AWS VPC Endpoint type enables private access to public AWS services using Elastic Network Interfaces (ENIs) within a VPC?

Answer 84

Interface Endpoint

Question 85

Which AWS VPC Endpoint type is not highly available by default?

Answer 85

Interface Endpoint

Question 86

Which AWS VPC Endpoint type must be deployed in each Availability Zone (AZ) for high availability?

Answer 86

Interface Endpoint

Question 87

Which AWS VPC Endpoint type supports only the TCP protocol and IPv4?

Answer 87

Interface Endpoint

Question 88

Which AWS VPC Endpoint type leverages PrivateLink to inject AWS or third-party services into a VPC?

Answer 88

Interface Endpoint

Question 89

How is access to AWS VPC Interface Endpoints managed?

Answer 89

Through both Endpoint Policies and Security Groups

Question 90

Which AWS VPC Endpoint type relies on DNS for connectivity instead of routing?

Answer 90

Interface Endpoint

Question 91

What DNS names are created when an AWS VPC Interface Endpoint is set up for a service in a specific region?

Answer 91

• Regional DNS name (high availability)
• Zonal DNS name
• Service DNS name

Question 92

How are the created DNS names used in AWS VPC Interface Endpoints?

Answer 92

These DNS names provide private access to the service within the VPC

Question 93

What does the Private DNS feature of AWS VPC Interface Endpoints do?

Answer 93

It overrides default service DNS names, allowing clients to connect privately via interface endpoints instead of using public access