VPC Flashcards

1
Q

Regions

A

Separate physical locations in the world where AWS has cloud infrastructure

Each region consists of multiple AZs

There are many regions around the world

Regions are connected by the AWS global network

The network between regions does not offer low latency, since regions are usually far apart

2
Q

Availability Zone

A

One or more data centers

Each AZ has redundant power sources and networking (within and between AZs)

Low latency between and within AZs

AZs can contain public and/or private subnets

3
Q

AWS Outpost

A

Subset of AWS services (e.g. EC2) that can be run in a corporate data center that has connectivity to an AWS region

4
Q

AWS Local Zone

A

Like an AZ in a metropolitan area, connected to a region, so that resources are closer to where you are and offer lower latency; they are more expensive than AZs

Offers increased performance for your app

5
Q

AWS Wavelength Zone

A

For 5G and lower latency for mobile, with connectivity back to the region

Offers increased performance for your mobile app

6
Q

CloudFront

A

Content delivery network where resources can be cached at locations around the world for better performance

Allows for global deployment

7
Q

Amazon Global Infrastructure

A

CloudFront
VPC
AZ
Region

8
Q

How are IP addresses structured?

A

4 decimal numbers, each representing a binary octet, separated by dots

9
Q

What numbers do the bits represent in a binary octet?

A

2^7=128
2^6=64
2^5=32
2^4=16
2^3=8
2^2=4
2^1=2
2^0=1

10
Q

What is the Network ID of an IP address?

A

Represents the network, so each computer (host) on the network will have the same Network ID

11
Q

What is the Host ID of an IP address?

A

Represents the unique host number for each host/computer on the network

12
Q

What is the subnet mask of an IP address?

Give an example

A

Used to define which bits of the address are the network ID and which are the host ID

If the subnet mask is 255.255.255.0, the network ID is the first 3 octets and the host ID is the last octet

13
Q

What is the network ID and subnet mask of 192.168.0.0/24?

Explain

A

Network ID is 192.168.0.0
Subnet mask is 255.255.255.0

/24 means the subnet mask has 24 network bits, which corresponds to 255.255.255.0
So the first 3 octets of the CIDR address are the network ID, with a 0 appended as the host portion, giving 192.168.0.0

14
Q

What are the private IP addresses?

Who designates them?

A

10.0.0.0 - 10.255.255.255 (the 10 network)
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

These addresses are reserved for private use according to IETF RFC 1918

Not routable outside the private network, e.g. on the internet

15
Q

What can you do with private IP addresses, what are constraints?

A

Use private IPs as internal IPs

16
Q

VPC

A

Virtual Private Cloud

Logically isolated portion of the AWS cloud within a region

Each VPC has a unique CIDR block; a subset of its IP addresses, again expressed in CIDR notation, is assigned to each subnet within the VPC

Spans all AZs in the region

17
Q

Where do subnets live in AWS?

A

A subnet is configured in one AZ and can’t span AZs

18
Q

VPC Router

How do we configure it?

A

Takes care of routing within and outside of the VPC

Interconnects subnets and directs traffic between Internet Gateways, Virtual Private Gateways, NAT Gateways and subnets

Configured by configuring route tables

19
Q

Route Table

A

Configures the routing of traffic in and out of your VPC

20
Q

Internet Gateway

How is it configured?

A

An IGW is attached to a VPC and provides the connection to the public internet for IPv4

Only one per VPC, and it must be attached to the VPC

Used to connect to the internet

A route table entry whose target is the IGW ID must be configured

21
Q

What is the default limit of VPCs per region?

A

5

22
Q

What is a subnet in the context of a VPC?

A

A segment of a VPC’s IP address range (usually expressed in CIDR notation) where you can place groups of isolated resources

23
Q

What components are within a VPC?

A
  1. Subnets
  2. Internet Gateway
  3. VPC Router/Route Table
  4. Peering Connections
  5. VPC Endpoints
  6. NAT Instances
  7. NAT Gateways
  8. Virtual Private Gateways
  9. Customer Gateway
  10. AWS Direct Connect
  11. Security Group
  12. Network ACL

24
Q

Peering Connection

A

Direct connection between 2 VPCs

25
Q

NAT Instance

A

Enables Internet access for EC2 instances in private subnets

NAT Instances are managed by you

26
Q

NAT Gateway

A

Enables Internet access for EC2 instances in private subnets

NGW is managed by AWS

27
Q

Virtual Private Gateway

A

The VPC side of a VPN connection

28
Q

Customer Gateway

A

The customer side of a VPN connection, connected on the other end to an AWS VPC

29
Q

AWS Direct Connect

A

High-speed, high-bandwidth private network connection from the customer to AWS

30
Q

Security Group

A

Instance-level firewall controlling all network traffic to the instance

Stateful firewall - if inbound traffic is allowed, the corresponding outbound return traffic is allowed automatically

31
Q

Network ACL

A

Subnet-level firewall

Applies only to traffic entering and exiting the subnet (ingress and egress, not traffic within the subnet)

Stateless firewall - both an inbound and an outbound rule must be configured to complete a request

32
Q

Egress-only Internet Gateway

A

VPC connection to the public internet for IPv6 that only allows outbound traffic, not inbound

33
Q

Default VPC

A

A default VPC is created in each region, with a public subnet in each AZ

34
Q

CIDR Block AWS Rules

A
  1. CIDR block size can be between /16 and /28
  2. CIDR Block must not overlap with an existing CIDR block associated with the VPC
  3. You cannot increase or decrease the size of an existing CIDR block
  4. The first four and the last IP address are not available for use
35
Q

What CIDR blocks does AWS recommend?

A

RFC 1918 ranges

10.0.0.0 - 10.255.255.255 (10/8 prefix)

172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

36
Q

Best practices for mapping/planning a network (e.g. CIDRs)

A
  1. Bigger CIDR blocks for the VPC are typically better because they give more flexibility
  2. Smaller subnets are OK for most use cases
  3. Consider deploying application tiers per subnet
  4. Split your HA resources across subnets in different AZs
  5. VPC Peering requires non-overlapping CIDR blocks; this applies across all VPCs in all Regions/accounts you want to connect
  6. Avoid overlapping CIDR blocks as much as possible
37
Q

Stateful Firewall

A

Allows return traffic automatically

38
Q

Stateless Firewall

A

Checks for an allow rule for both the outbound and the inbound connection of a request

39
Q

Differences between NACL and security groups

A

Security Groups operate at the instance or interface level - filter traffic within and outside the subnet
Network ACLs operate at the subnet level - filter traffic crossing the subnet boundary only

SG - allow rules only
NACL - allow and deny rules

SG - stateful
NACL - stateless

SG - evaluates all rules
NACL - processes rules in order until it hits an allow or deny

SG - applies to an instance if it is associated with the group
NACL - applies to all instances in the subnet it is associated with

40
Q

VPC Peering

A

Enables routing between 2 VPCs using private IPv4 or IPv6 addresses over the Amazon Global Network (i.e. not the internet)

CIDR blocks cannot overlap

No transitive peering (e.g. if A is peered with B and B is peered with C, A cannot talk to C)

VPCs can be in different accounts and regions

41
Q

VPC Interface Endpoint

A

Used to connect EC2 to public AWS services using private DNS names/IPs

An ENI is created in the subnet

Each interface endpoint connects to one of the many supported AWS services (e.g. CloudFormation, CodeDeploy, PrivateLink)

42
Q

VPC Gateway Endpoint

A

Uses a route table entry to connect to a public service without going out to the internet

Provision the Gateway Endpoint and add a route with the prefix list for S3 or DynamoDB as the destination and the gateway ID as the target

You can use IAM policies or resource policies to limit access to just the gateway endpoint

43
Q

Difference between a VPC interface endpoint and a VPC gateway endpoint

A

Interface Endpoint:
What: ENI with Private IP
How: DNS entries to redirect traffic
Which service: API Gateway, CloudFormation, CloudWatch, etc.
Security: Security Groups

Gateway Endpoint:
What: A gateway that is the target of a specific route
How: Prefix list in the route table redirects traffic
Which service: Amazon S3, DynamoDB
Security: VPC Endpoint Policies

44
Q

VPN Endpoint

A

Client VPN network interface created in a subnet

VPN client software (choose your preferred option) connects over SSL/TLS on port 443 over the internet

The VPN Endpoint performs SNAT (source NAT) from the CIDR associated with the VPN endpoint to the CIDR associated with the VPC

The client route table has an entry with the VPC CIDR as destination and the gateway pointing at the VPN endpoint

45
Q

What is an AWS VPN?

A

A managed IPsec VPN

It connects AWS to a corporate data center or office, tunneling the traffic over the internet through an encrypted VPN so that private IPs can be used

46
Q

What is a Virtual Private Gateway (VGW)?

A

The end of an AWS VPN deployed on the AWS side

A VGW is deployed on the AWS side

47
Q

What is a Customer Gateway?

A

Deployed on the customer side of an AWS VPN

48
Q

How is the communication established when a VPN connection is configured between a customer gateway and VGW?

A

The VPN connection between a Virtual Private Gateway and a Customer Gateway supports static routes or BGP peering/routing

The route table points to the VGW

49
Q

What are use cases for AWS Site-to-Site VPN?

A

Connecting a corporate data center or office to AWS over an encrypted VPN using the internet, or as a backup to AWS Direct Connect

50
Q

What is BGP?
What is an ASN?

A

Border Gateway Protocol - used for advertising routes to different parts of the network

Autonomous System Number

Each environment has its own ASN that corresponds to the routes it advertises, and the ASN is needed along with the IP prefix

51
Q

What is the network topology for AWS VPN CloudHub?

A

Remote offices connect to VGW in a hub and spoke model

VGW is the hub

Each office must use a unique BGP ASN

Traffic can flow to and from AWS to the offices/data centers, or to and from the offices/data centers in a transitive manner, first going from the office to the VGW and then on to another office

52
Q

AWS Direct Connect (DX)

A

Private connection; doesn’t rely on the internet

Between your data center/office and AWS

53
Q

What is required for AWS DX?

A

AWS Direct Connect service configured in a region

AWS Direct Connect location with an AWS cage and a Customer cage

The AWS cage must have a router where the AWS Direct Connect endpoint is configured (AWS provided)

The Customer cage must have a router configured (customer/ISP provided)

The customer must have a customer router in their data center/office

The customer router is connected to the DX router in the DX location

A DX port (1000BASE-LX or 10GBASE-LR) must be allocated in a DX location

A cross connect between the AWS DX router and the customer DX router

DX is a physical fibre connection to AWS running at 1 Gbps or 10 Gbps

100 Gbps is now available in some locations

54
Q

Benefits of AWS DX

A

Private connection between AWS and your data center/office

Consistent network experience - improved speed/latency and bandwidth/throughput

Lower cost for orgs that transfer large volumes of data

55
Q

Private VIF

A

Connects to a single VPC in the same AWS Region using a VGW

A private virtual interface should be used to access an Amazon VPC using private IP addresses.

56
Q

VIF

A

A virtual interface using 802.1Q VLAN and a BGP session

57
Q

Public VIF

A

Used to connect to AWS public services in any region, but not the internet

A public virtual interface can access all AWS public services using public IP addresses.

58
Q

How do you connect multiple VPCs to AWS DX?

A

Multiple private VIFs can be used to connect multiple VPCs in one region using DX architecture components (VGWs, AWS Cage and router, Customer/Partner cage and router, DX endpoint, customer router in data center)

59
Q

Hosted VIF

A

VIF shared across AWS accounts

60
Q

What is an alternate way to connect directly to AWS services?

A

DX connections via APN partners can be purchased and run at speeds between 50 Mbps and 500 Mbps

61
Q

Is DX traffic encrypted? If so, how do you configure? If not, are there options to encrypt?

A

No, DX traffic is not encrypted.

You can configure an IPsec site-to-site VPN over a VIF to add encryption in transit

62
Q

DX Gateway

A

Connects multiple regions using one DX connection, and uses the AWS global network for low latency and high throughput

63
Q

What is the architecture of a DX Gateway?

A

A VGW in each region connects to the DX Gateway

A Private VIF connects the DX Gateway to the AWS Direct Connect location via the AWS and Partner routers, and the partner router in the DX location connects back to the corporate office/data center

BGP advertises routes to all VPCs via the DX Gateway

64
Q

What are the constraints of a DX Gateway?

A

You can’t route traffic between regions (e.g. VGWs can’t talk directly to each other) using a DX Gateway, only to/from the corporate office/data center

65
Q

AWS Transit Gateway

A

“Cloud Router”

A network transit hub that interconnects VPCs and on-premises corporate networks

Achieves full transitive routing between on-premises networks, VPCs and the TGW

66
Q

How do you configure traffic to connect over AWS Transit Gateway?

A

VPCs are attached to the transit gateway

Specify one subnet in each AZ to enable routing to all subnets in that AZ

Connect the transit gateway to the customer gateway

67
Q

What can TGWs connect to?

A

VPN
Third-party appliances
Direct Connect (DX) Gateway
TGWs in other regions or accounts

68
Q

Transit VIF

A

Virtual interface specifically used for a DX Gateway associated with a TGW

A transit virtual interface should be used to access one or more Amazon VPC Transit Gateways associated with Direct Connect gateways. You can use transit virtual interfaces with any AWS Direct Connect dedicated or hosted connection of any speed.

69
Q

What is the structure of an IPv6 address?

What limitation other than IP space does IPv6 address vs IPv4?

A

128 bits
Written in hexadecimal
Eight 16-bit groups (four hex digits each) separated by colons
Has a network part to represent the network
and a node part to represent the machine

All IPv6 addresses are publicly routable; no NAT required

70
Q

What do you need to configure to use IPv6 in your VPC?

A

Configure public subnet

Configure an IPv4 CIDR block for the VPC and IPv4 CIDRs for the subnets
AWS assigns an IPv6 CIDR (/56) address range to your VPC
Create IPv6 CIDRs for the subnets; each subnet receives a /64 range, allowing 18 million trillion addresses

The last 2 hex digits of the subnet prefix - a hexadecimal pair with values from 00-FF - designate the individual subnet, so the pair must be unique per subnet

256 possible subnets, each a /64 (18 million trillion IPs)

71
Q

What is the all-traffic IPv6 address?

When would we use it?

A

::/0

Configuring route tables for all traffic not matching the IPv6 CIDRs mapped in the route table - typically sending all other traffic to the IGW

72
Q

VPC Flow Logs

A

Capture information about IP traffic going to and from network interfaces in a VPC

Data is stored using CloudWatch Logs or S3

Access the data in the EC2 or VPC console

Turned off by default

73
Q

At what levels can flow logs be created?

A

VPC
Subnet
Network Interface

74
Q

Flow logs can help you…?

A

* Diagnose overly restrictive security group rules.
* Monitor the traffic that is reaching your instance.
* Determine the direction of the traffic to and from the network interfaces.