VPC

Question 1

What AWS service creates a logically isolated virtual network similar to a traditional network, but with the scalability of the cloud?

Answer 1

Virtual Private Cloud (VPC)

Question 2

How do you enable DNS resolution within a VPC?

Answer 2

Use the Enable DNS resolution configuration component

Question 3

How do you provide public DNS names for public instances within a VPC?

Answer 3

Use the Enable DNS hostnames configuration component

Question 3

Which minimum and maximum IPv4 CIDR blocks are allowed when creating a VPC?

Answer 3

Minimum /28, Maximum /16

Question 4

Which IPv6 CIDR block is assigned when creating a VPC?

Answer 4

/56

Question 5

What VPC configuration component controls DNS servers, domain names, NTP servers, and the DNS resolution state for devices within a VPC? (Note: This component cannot be edited, only recreated)

Answer 5

DHCP Options Set

Question 6

Name the logical subdivision of a VPC residing within a specific Availability Zone (AZ), representing a network segment with a range of IP addresses.

Answer 6

Subnet

Question 7

Can subnets within the same VPC communicate with each other?

Answer 7

Yes, by default, services running in different subnets within the same VPC can communicate with each other

Question 8

How many IP addresses are reserved within a subnet, and why?

Answer 8

Five IP addresses are reserved:
Network address
Network + 1 (for router)
Network + 2 (for DNS)
Network + 3 (for future AWS use)
Network broadcast address

Question 9

Does VPC support broadcast communication?

Answer 9

No, VPC does not support broadcast communication

Question 10

How do you automatically assign a public IP address to new instances within a subnet?

Answer 10

Use the Auto-assign public IPv4 address or Auto-assign IPv6 address configuration component for the subnet

Question 11

What are some important considerations for designing a VPC?

Answer 11

Consider the size, network (overlapping CIDR ranges within VPC, Cloud, On-premises, Partners, etc.), structure (tiers, resiliency, and availability), and avoid common IP ranges (e.g., 10.0.0.0/16, 10.1.0.0/16)

Question 12

What component implicitly manages traffic flow within a VPC?

Answer 12

The VPC Router (uses the network + 1 IP address)

Question 13

What VPC component defines how network traffic from your subnet or gateway is directed?

Answer 13

Route table. Each subnet must be associated with a route table containing a set of rules called routes

Question 14

How many route tables can a VPC subnet be associated with?

Answer 14

One, and only one

Question 15

How many VPC subnets can be associated with a single route table?

Answer 15

A route table can be shared with multiple subnets

Question 16

Which route table is used by default for subnets that aren’t associated with a custom one?

Answer 16

The VPC main route table

Question 17

In a route table, which prefix has higher priority: /16 (VPC) or /32 (single IP)?

Answer 17

/32. In a route table, the more specific prefix (higher number) takes priority

Question 18

Which routes are always present and uneditable in a route table, and ALWAYS take priority?

Answer 18

Local routes

Question 19

What VPC component acts as a bridge between two networks (public internet and VPC) enabling inbound and outbound connections from resources within a VPC?

Answer 19

Internet Gateway (IGW)

Question 20

How many VPCs can an Internet Gateway be attached to?

Answer 20

One VPC only

Question 20

What is the resiliency scope of an Internet Gateway?

Answer 20

Internet Gateway is a region-resilient service that runs within the AWS Public Zone

Question 21

Which type of firewalls do not track the state of connections, where each request and response is treated individually and requires its own rules?

Answer 21

Stateless firewalls

Question 21

Can the IPv4 public address be configured on the instance OS?

Answer 21

No, the OS is unaware of public addressing. The Internet Gateway maintains private IPv4 to public IPv4 mapping

Question 22

Which type of firewalls track the state of connections by maintaining state tables, where requests and responses are identified as two components of the same connection, so a rule configured to accept incoming traffic will allow outgoing by default?

Answer 22

Stateful firewalls

Question 23

How could you identify the requester and responder knowing only ports?

Answer 23

Requests are always made to well-known ports (80, 443, etc.). The requester may use an ephemeral port (1024/49152–65535) to initiate requests

Question 24

Which optional layer of security within a VPC acts as a stateless firewall for controlling traffic in and out of one or more subnets?

Answer 24

Network Access Control List (NACL)

Question 25

What is the difference between default and custom VPC NACLs?

Answer 25

On a default NACL, traffic is allowed both in and out by default
On a custom NACL, traffic is implicitly denied both in and out by default

Question 26

If you configure the VPC NACL Inbound rule to allow HTTP connections on port 80, will the outbound traffic be allowed by default?

Answer 26

No, both rules for inbound and outbound connections should be configured in stateless firewalls as they are treated separately

Question 27

How do VPC NACLs process rules?

Answer 27

NACL rules are processed in order. The lowest rule number is processed first. Once a match occurs, processing stops. The rule with the “*” number is an implicit DENY rule, so if no other rule matches, traffic is denied

Question 28

Describe the content of a VPC NACL rule and the configurations present.

Answer 28

A VPC NACL rule includes a rule number, protocol/port, and IP/CIDR, but NO logical resources

Question 29

Can you use VPC NACLs to restrict traffic from one instance to another within the same subnet?

Answer 29

No, NACLs only impact data crossing subnet boundaries

Question 30

What is the relationship between subnets and NACLs within a VPC?

Answer 30

One subnet can be associated with only ONE NACL, but one NACL can be associated with MANY subnets

Question 31

Which VPC security component would you use if you wanted to restrict traffic from a certain IP or IP range?

Answer 31

Network Access Control List (NACL)

Question 32

Which VPC security component represents a virtual stateful firewall for the network interface to control incoming and outgoing traffic?

Answer 32

Security Group (SG)

Question 33

If you configure the VPC Security Group Inbound rule to allow HTTP connections on port 80, will the outbound traffic be allowed by default?

Answer 33

Yes, in stateful firewalls, inbound and outbound traffic are treated as the same request

Question 34

Can you explicitly DENY traffic using a VPC Security Group?

Answer 34

No, security groups do not have an explicit DENY rule. If traffic is not explicitly allowed, then it is implicitly denied

Question 35

Describe the content of a VPC Security Group rule and the configurations present

Answer 35

A VPC Security Group rule includes a rule number, protocol/port, IP/CIDR, and CAN have logical resources

Question 36

What’s the best practice for using NACLs and SGs within a VPC?

Answer 36

Generally, use security groups to allow traffic (explicitly allow, and reference logical resources), and use NACLs to deny traffic (explicit deny on specific IP or network)

Question 37

What are the benefits of referencing logical resources within VPC Security Group rules?

Answer 37

We can reference another security group to allow traffic from certain application tiers or reference the current group itself to manage communication between components within the security group

Question 38

Which VPC architectural component enables outbound connections for services running in private subnets?

Answer 38

Network Address Translator (NAT) Gateway

Question 39

What is the resiliency scope of a NAT Gateway?

Answer 39

It’s an AZ-resilient service. For high availability, deploy one NAT Gateway in each AZ

Question 40

What is the maximum bandwidth a NAT Gateway can scale up to?

Answer 40

45 Gbps

Question 40

What component is required when creating a NAT Gateway?

Answer 40

An Elastic IP (static public IPv4 address), NAT GW should be created in a public subnet within the VPC

Question 41

What’s the primary function of a NAT Gateway within a VPC?

Answer 41

It performs IP masquerading, hiding private IP addresses behind a single public IP address and maintaining a translation table for communication

Question 42

Does NAT Gateway support IPv6 addresses?

Answer 42

No. However, an IGW with a route to ::/0 can be used for IPv6 addresses. For private IPv6 outbound connections, use an Egress-Only IGW instead of a NAT Gateway

Question 43

What feature of the deprecated NAT Instance needs to be disabled for NAT functionality?

Answer 43

Source/Destination Checks feature has to be disabled

Question 44

How do deprecated NAT Instances differ from NAT Gateways?

Answer 44

NAT Instance: Customer-managed, single instance (less resilient), cheaper, predictable costs (can be free-tier eligible), can be multi-purpose, can have both NACL on the subnet and SG on the instance

NAT Gateway: AWS-managed, AZ-resilient (auto-scales and recovers within AZ), more expensive, less predictable costs due to auto-scaling, no free-tier eligibility, can have NACL on the subnet, but NO SG