VPC

Question 1

Regions

Answer 1

Separate physical locations in the world where AWS has cloud infrastructure

Each region consist of multiple AZs

There are many regions around the world

regions are connected by AWS global network

network across regions do not offer low latency, usually regions are far apart

Question 2

Availability Zone

Answer 2

one or more data centers

each AZ has redundant power sources and networking (within and between AZ)

low latency between and within AZs

AZs can contain public and/or private subnets

Question 3

AWS Outpost

Answer 3

Subset of AWS services (e.g EC2) that can be run in a corporate data center that has connectivity to an AWS region

Question 4

AWS Local Zone

Answer 4

Like AZ in metropolitan areas, connected to a region, so that resources are closer to where you are to offer lower latency but they are more expensive than AZs

offer increase performance for your app

Question 5

AWS Wavelength Zone

Answer 5

For 5g and lower latency for mobile with connectivity back to the region

offer increase performance for your mobile app

Question 6

Cloud Front

Answer 6

content delivery network where resources can be cached at locations around the world for better performance

allows for global deployment

Question 7

Amazon Global Infrastructure

Answer 7

Cloud Front
VPC
AZ
Region

Question 8

How are IP addresses structured

Answer 8

4 numerals that represent a binary octets with decimals in between

Question 9

What numbers do the bits represent in a binary octet

Answer 9

2^7=128
2^6=64
2^5=32
2^4=16
2^3=8
2^2=4
2^1=2
2^0=1

Question 10

What is the Network ID of an IP

Answer 10

Represents the network, so each computer (host) on the network will have the same Network ID

Question 11

What is the Host ID of an IP

Answer 11

Represents the unique host number for each host/computer on the network

Question 12

What is the subnet mask of an IP address

give example

Answer 12

used to define the network and host id

If subnet mask is 255.255.255.0, network id is first 3 octets and host id is last octect

Question 13

What is the network id and subnet mask of 192.168.0.0/24

Explain

Answer 13

Network ID is 192.168.0.0
Subnet mask is 255.255.255.0

Subnet mask has 24 bits which represents 255.255.255.0
so the first 3 octets of the CIDR IP are the network ID with appending the 0 to represent first host so 192.168.0.0

Question 14

What private IP addresses

Who designates

Answer 14

10 network 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

these addresses are reserved for private use according to IETF RFC-1918

not routable outside the network, e.g. internet

Question 15

What can you do with private IP addresses, what are constraints?

Answer 15

Use private IPs as internal IPs

Question 16

VPC

Answer 16

Virtual Private Cloud

logically isolated portion of the AWS cloud within a region

each VPC has unique CIDR block that is used to assign a subset of IP

addresses again expressed in CIDR to each subnet within the VPC

spans all AZs in region

Question 17

Where do subnets live in AWS?

Answer 17

A subnet is configured in one AZ and can’t span AZs

Question 18

VPC Router

How do we configure it?

Answer 18

takes care of routing within and outside of the VPC

interconnects subnets and directs traffic between Internet Gateways, Virtual Private Gateways, NAT Gateways and subnets

configure it by configuring route tables

Question 19

Route Table

Answer 19

configures routing traffic in and out of your VPC

Question 20

Internet Gateway

How is it configured?

Answer 20

IGW VPC attached connection to the public internet for IPv4

Only one per VPC and attached to the VPC

used to connect to the internet

need to configure target or destination of IGW id in the route table

Question 21

What is the default limit of VPCs per region

Answer 21

5

Question 22

What is a subnet in the context of a VPC

Answer 22

A segment of a VPC’s IP address range (usually expressed in CIDR notation) where you can place groups of isolated resources

Question 23

What components are within a VPC

Answer 23

1. Subnets
   Internet Gateway
   VPC Router/Route Table
   Peering Connections
   VPC Endpoints
   NAT Instances
   NAT Gateways
   Virtual Private Gateways
   Customer Gateway
   AWS Direct Connect
   Security Group
2. Network ACL

Question 24

Peering Connection

Answer 24

Direct connection between 2 VPCs

Question 25

NAT Instance

Answer 25

Enables Internet access for EC2 instances in private subnets

NAT Instances are managed by you

Question 26

NAT Gateway

Answer 26

Enables Internet access for EC2 instances in private subnet

NGW is managed by AWS

Question 27

Virtual Private Gateway

Answer 27

The VPC side of a VPN connection

Question 28

Customer Gateway

Answer 28

The customer side of a VPN connection that is connected on the other end to AWS VPC

Question 29

AWS Direct Connect

Answer 29

High speed, high bandwidth private network connection from customer to AWS

Question 30

Security Group

Answer 30

Instance level firewall controlling all network traffic to the instance

Stateful firewall - if inbound traffic is allowed, outbound will be allowed

Question 31

Network ACL

Answer 31

Subnet level firewall

apply only entering and existing the subnet (egress and ingress. - not within)

Stateless firewall - both rules for inbound and outbound must be configured to complete a request

Question 32

Egress-only Internet Gateway

Answer 32

VPC connection to the public internet for IPv6 and only allows outbound traffic but not inbound

Question 33

Default VPC

Answer 33

A default VPC is created in each region with a public subnet of each AZ

Question 34

CIDR Block AWS Rules

Answer 34

1. CIDR block size can be between /16 and /28
2. CIDR Block must not overlap with an existing CIDR block associated with the VPC
3. You cannot increase or decrease the size of an existing CIDR block
4. The first four and the last IP address are not available for use

Question 35

What CIDR blocks does AWS recommend?

Answer 35

RFC 1918 ranges

10.0.0.0 - 10.255.255.255 (10/8 prefix)

172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

192.168.0.0 - 192.168.255.255
(192.168/16 prefix)

Question 36

Best practices for mapping/planning network (e.g CIDRs)

Answer 36

1. Bigger CIDR blocks for VPC are typically better because this will give more flexibility
2. Smaller subnets are OK for most use cases
3. Consider deploying application tiers per subnet
4. Split your HA resources across subnets in different AZs
5. VPC Peering requires non overlapping CDIR blocks, this is across all VPCs in all Regions/accounts you want to connect
6. Avoid overlapping CIDR blocks as much as possible

Question 37

Stateful Firewall

Answer 37

allows return traffic automatically

Question 38

Stateless Firewall

Answer 38

checks for allow rule for both the outbound and inbound network connections of a request

Question 39

Differences between NACL and security groups

Answer 39

Security Groups operate at instance or interface level - filters traffic within and outside subnet
Network ACL operates at the subnet level - filters traffic outside subnet only

SG - allow rules only
NACL - allow and deny rules

SG - stateful
NACL - stateless

SG - evaluate all rules
NACL - process rules in order until it hits an allow or deny

SG - applies to an instance if associated with the group
NACL - applies to all instances in the subnet it associated with

Question 40

VPC Peering

Answer 40

enables routing between 2 VPCs using private IPv4 or IPv6 addresses using Amazon Global Network (e.g. not the internet)

CIDR blocks cannot overlap

No transitive peering (e.g. A peered with B and B peered with C, A cannot talk to C).

VPCs can be in different accounts and regions

Question 41

VPC Interface Endpoint

Answer 41

Used to connect EC2 to public AWS services using private DNS/IPs

an ENI is created

Each interface endpoint can connect to one of the many AWS services (e.g. CloudFormation, CodeDeploy, Private Link)

Question 42

VPC Gateway Endpoint

Answer 42

Uses a route table entry to connect to a public service without going out to internet

Provision Gateway Endpoint, Route table with destination as prefix list for S3 or DynamoDB and the gateway id

You can use IAM policies to resource policies to limit traffic to just the gateway

Question 43

Difference between VPC interface endpoint and VPC gateway endpoint

Answer 43

Interface Endpoint
What: ENI with Private IP
How: DNS entries to redirect traffic
Which service: API Gateway, CloudFormation, CloudWatch, etc.
Security: Security Groups

Gateway Endpoints:
What: A gateway that is a target for specific route
How: Use prefix list in the route table to redirect traffic
Which: Amazon S3, DynamoDB
Security: VPC Endpoint Policies

Question 44

VPN Endpoint

Answer 44

Client VPN network interface created in subnet

VPN client software (choose from your preferred option) connects over SSL/TLS 443 over the internet

VPN Endpoint performs SNAT (source NAT) from CIDR associated with VPN endpoint to CIDR associated with VPC

In the client route table there is an entry with destination VPC CIDR to the Gateway pointing at the VPN endpoint

Question 45

What is an AWS VPN

Answer 45

a managed IPSec VPN

it connects AWS to a corporate data center or office and tunnels the traffic through over the internet using an encrypted VPN where private IPs can be used

Question 46

What is a Virtual Private Gateway (VGW)

Answer 46

End of AWS VPN deployed of the AWS side

A VGW is deployed on the AWS site

Question 47

What is a Customer Gateway

Answer 47

deployed on the customer side of an AWS VPN

Question 48

How is the communication established when a VPN connection is configured between a customer gateway and VGW?

Answer 48

The VPN connection that connects a Virtual Private Gateway and a Customer Gateway supports static routes or BGP peering/routing

Route table points to the VGW

Question 49

What are use cases for AWS Site to Site VPN

Answer 49

Connecting corporate data center or office to AWS over encrypted VPN using internet or a back up to AWS direct connect

Question 50

What is BGP
What is ASN

Answer 50

Border Gateway Protocol - used for advertising routes to different parts of the network

Autonormal System Number

Each env has own ASN that corresponds to the routes that are advertised and needs the ASN as the IP prefix

Question 51

What is the network topology for AWS VPN Cloud Hub

Answer 51

Remote offices connect to VGW in a hub and spoke model

VGW is the hub

Each office must use a unique BGP ASN

Traffic can flow to and from AWS to the offices/data centers or to and from the offices/data centers in a transitive manner, first going from the office to the VGW and then to the another office

Question 52

AWS Direct Connect (DX)

Answer 52

Private connection; doesn’t rely on the internet

between your data center/office to AWS

Question 53

What is required for AWS DX

Answer 53

AWS Direct Connect service configured in a region

AWS Direct Connect location with an AWS cage and a Customer cage

The AWS cage must have a router where AWS Direct Connect endpoint is configured (AWS provided)

The Customer Cage must have an router configured (customer/ISP provided)

Customer must have a customer router in their data center/office

The customer router is connected to the DX router n the DX location

A DX port (1000-Base-LX or 10GBASE-LR) must be allocated in a DX location

A cross connect between the AWS DX router and the customer DX router

DX is a physical fibre connection to AWS running at 1Gbps or 10Gbps

100gbps is now available in some locations

Question 54

Benefits of AWS DX

Answer 54

Private connection between AWS and your data center/office

Consistent network experience - increased speed/latency and bandwidth/throughput

Lower cost for orgs that transfer large volumes of data

Question 55

Private VIF

Answer 55

connects to a single VPC in the same AWS Region using a VGW

Question 56

VIF

Answer 56

A virtual interface using 802.1Q VLAN and a BGP session

Question 57

Public VIF

Answer 57

used to connect to AWS Public Services in any region but not the internet

Question 58

How do you connect multiple VPCs to AWS DX

Answer 58

Multiple private VIFs can be used to connect multiple VPCs in one region using DX architecture components (VGWs, AWS Cage and router, Customer/Partner cage and router, DX endpoint, customer router in data center)

Question 59

Hosted VIF

Answer 59

VIF shared across AWS account

Question 60

What is an alternate way to connect directly to AWS services

Answer 60

DX connections via APN partners can be purchased and run at speeds between 50gmbps to 500 mbps

Question 61

Is DX traffic encrypted? If so, how do you configure? If not, are there options to encrypt?

Answer 61

No, DX traffic is not encrypted.

You can configure an IPSEC site - to - site VPN over VIF to add encryption in transit

Question 62

DX Gateway

Answer 62

Connects multiple regions using one DX connection and uses AWS global network for low latency, high throughput

Question 63

What is the architecture of a DX Gateway

Answer 63

VGW in each region connects to DX Gateway

Private VIF connects DX Gateway to AWS direct connection location via AWS and Partner routers, and partner router in DX location connects back to corporate office/data center

BGP advertises route to all VPCs via DX Gateway

Question 64

What are contraints of DX Gateway

Answer 64

You can’t route traffic between regions (e.g. VGWs can’t talk directly to each other) using DX Gateway, only to/fro the corporate office/data center

Question 65

AWS Transit Gateway

Answer 65

“Cloud Router”

is a network transit hub that interconnects VPCs and on premise corporate networks

achieves full transitive routing between on premise, VPCs and TGW

Question 66

How do you configure traffic to connect over AWS transit gateway

Answer 66

VPCs are attached to the transit gateway

Specify one subnet in each AZ to enable routing to all subnets

Connect transit gateway to customer gateway

Question 67

What can TGWs connect to?

Answer 67

VPN
3rd party appliances
Direct Connect (DX) Gateway
TGWs in other regions or accounts

Question 68

Transit VIF

Answer 68

Virtual interface specifically used for DX Gateway associated to TGW

Question 69

What is the structure of an IPv6 address

What limitation other than IP space does IPv6 allow vs IPv4?

Answer 69

128 bits
uses hexidecimal
has a network part to represent the network
and a node part to represent the machine

All IPv6 addresses are publicly routable; no NAT required

Question 70

What do you need to configure to use IPv6 in your VPC?

Answer 70

Configure public subnet

configure IPv4 CIDR block to assign subnet ranges for VPC subnets and CIDR for subnets
AWS will assign IPv6 CIDR (/56) address range for your VPC
Create CIDR for subnets; The subnet receives a /64 range - allowing 18 million trillion addresses

The last 2 digits in the hexidecimal IPv6 - a hexidecimal pair is assigned for each subnet - values from 00-FF, which designates the individual subnet; so it must be unique

256 possible subnets with /64 (18 million trillion IPs)

Question 71

What is the all traffic IPv6 address

When would we use this?

Answer 71

::/0

configuring route tables for all traffic outside IPv6 CIDRs mapped in the route table - likely sending all other traffic to IGW

Question 72

VPC Flow Logs

Answer 72

Capture information about IP traffic going to and from network interfaces in a VPC

Data is stored uisng cloud watch logs or S3

Question 73

What are the levels flow logs can be created?

Answer 73

VPC
Subnet
Network Interface