VPC

Question 1

What do you get with the default VPC?

Answer 1

1 VPC with CIDR 172.31.0.0/16
1 subnet per AZ with ipv4 /20 CIDRs.
Each subnet has auto assign public ipv4 address enabled.
1 Route table
1 Network ACL with 2 inbound and 2 outbound rules that allow all traffic + the implicit deny under it.
2 Routes: 1 for public destination traffic (0.0.0.0/0) pointing to the internet gw target, and 1 for private destination traffic (172.31.0.0/16) pointing to “local” target. (172.31.0.0/16) has higher priority than (0.0.0.0/0).
1 Internet gateway (igw connect VPCs to the internet)

Question 2

What are VPC limits?

Answer 2

Max 5 VPC per region.
Up to 5 CIDR per VPC between /16 and /28
VPC must have private range.

Question 3

Should 2 VPCs CIDRs overlap or not? Why?

Answer 3

No. Because if you want to connect the 2 VPCs you must make sure the IP addresses of the 2 VPCs don’t overlap.

Question 4

If you have a CIDR block 10.0.0.0/24 how many free IPs do you have?

Answer 4

Normally you would have 256 addresses, the first of which is the network address, and the last is the broadcast address, so you have 254 free IPs for hosts.

But AWS reserves 5 addresses, so you will actually have 251 addresses for hosts.

The 5 reserved addresses:

10.0.0.0: Network address
10.0.0.1: VPC Router
10.0.0.2: AWS DNS
10.0.0.3: Reserved for future AWS use
10.0.0.255: Broadcast Address

Question 5

How many addresses does AWS reserve for each subnet, which are there, and what are they for?

Answer 5

5

Example 10.0.0.0/24 CIDR:

10.0.0.0: Network address
10.0.0.1: VPC Router
10.0.0.2: AWS DNS
10.0.0.3: Reserved for future AWS use
10.0.0.255: Broadcast Address (Not for broadcast, just reserved by aws)

Question 6

What is the broadcast address of a subnet used for in aws?

Answer 6

AWS VPC does not support Broadcast traffic, so the usual broadcast address of a subnet is reserved by AWS.

Question 7

In AWS, what CIDR block size would you use if you need 29 addresses?

Answer 7

/26.

Normally it would be /27 since it gives you 32 - 2 = 30 addresses. But AWS reserves 5 addresses in total, so you would just get 27 usable addresses for hosts.

So you need a /26 subnet, giving you 59 IPs.

Question 8

How many internet gateways can a VPC have?

Answer 8

Only 1

Question 9

What are internet gateway characteristics?

Answer 9

Only 1 igw per VPC
Created separately from a VPC
It scalers horizontally and is HA and redundant.
You need to edit the route tables to make your igw work

Question 10

What do you need to create in the network side for a resource like an EC2 instance to be able to access internet?

Answer 10

A VPC
An igw
A subnet
Enable auto asign public ipv4 address to your subnet
Attach your new igw to your VPC
Create a route table for your VPC
Associate your subnet to your route table
Create a route that forwards external destined traffic: 0.0.0.0/0 to your internet gateway.

Question 11

What are Bastion hosts?

Answer 11

Bastion hosts, are for when users want to access EC2 instances that are in a private subnet from their computer, so from the internet.

For this we can use an EC2 instance called Bastion Host, located in a public subnet.

This Bastion Host does have access to the private net EC2 instance.

So we first connect with SSH to the bastion host, then connect from the bastion to the private net instance through SSH.

Question 12

What inbound rule would you configure in a bastion host?

Answer 12

An inbound rule that allows SSH traffic only from select IPs.

For example your organization public ip or CIDR.

(You would also configure inbound SSH rules in the EC2 instances that the bastion host will connect to. Only allowing inbound traffic from the bastion host private ip or sg)

Question 13

What do you need besides connectivity to connect from a bastion host to a private net EC2 instance?

Answer 13

The bastion host needs to have a key pair for the private ec2 instance to be able to ssh into it

Question 14

What is a NAT instance?

Answer 14

An EC2 instance with an elastic ip, that receives traffic from private ips, and translates it to send it to its destination, usually the internet.

The route table for the private ip must redirect traffic to the NAT instance.

EC2 Nat instance must have the setting “source/destination” check disabled for NATting to work.

The AMI used for this is an Amazon Linux AMI that comes pre configured for NAT instances.

NAT instance has reached the end of support. NAT Gateway is the recommended better solution for NAT.

Question 15

What is NAT?

Answer 15

Network Address Translation: A feature of routers, firewalls, etc, that rewrites the packets it receives, and sends them to their destination with their source ip modified.

Question 16

What is the better solution, NAT Instance or NAT Gateway?

Answer 16

NAT Gateway. The other one has reached end of support by aws.

Question 17

What are the differences between NAT Gateway and NAT Instances?

Answer 17

NAT GW is AWS managed, instead of an EC2 instance that you need to update OS, software patches, etc.
NAT GW is higher bandwidth, HA within an AZ, no administration of servers.
With NAT GW you don’t need to manage any security groups for it to work.
NAT GW is easier to set up. You just assign it to a subnet, give it an elastic ip, and edit the route table of the network you want to route to it: (Destination: 0.0.0.0/0 > Target: nat-xxxxx) so that it routes internet facing traffic to the NAT GW. *Or other traffic in case of private natting: (Destination: 10.0.0.15/32 > Target: nat-xxxxx). This last example routes traffic from my private subnet to the ip 10.0.0.15 to the NAT GW.

**The NAT GW can route traffic to the internet by being in a public subnet with an igw, an elastic ip, and routes to the internet. If your NAT is private, your NAT GW network needs to have routes in its route table that point for example towards 10.0.0.15.

Question 18

What do you pay for when using NAT Gateway?

Answer 18

Per hour of usage and bandwidth used.

Question 19

What do NAT gw and NAT instances need to connect to internet?

Answer 19

An igw

Question 20

How do you acomplish multi AZ with NAT Gateway?

Answer 20

You need to deploy a NAT GW per AZ

Question 21

Can you use a NAT Gateway as a Bastion Host?

Answer 21

No because you cant connect with SSH to the NAT Gateway, since its AWS managed.

Question 22

How does NAT Gateway work?

Answer 22

NAT Gateway works in a specific subnet, similar to an EC2 instance.
For routing traffic to the internet it needs to be in a public subnet. But it can route traffic to private destinations too.

And it uses an Elastic IP (Static Public IP).

You then need to update the private network route table to point to the NAT GW when trying to connect to the internet.

Question 23

NACLs are Stateless, and SGs are Stateful. What does this mean?

Answer 23

Stateless means it doesn’t keep track of active connections when allowing or denying traffic. (NACLs are stateless). In this case you need to make rules to allow ephemeral ports so that traffic flows normally.

Stateful firewall is a kind of firewall that keeps track and monitors the state of active network connections while analyzing incoming traffic.
This means it knows then a packet is in response to a different request. In this case you don’t need to make rules for ephemeral ports, because it keeps track of initiated connections.

When there is an incoming request to an EC2 instance, first it goes through the NACL inbound rules to check if it’s allowed. If it is, then it goes through the SG inbound rules of the instance to check if it’s allowed. Then if it is, there is a response from the EC2 instance to the request, and this response is automatically allowed at the SG level, not checking for the outbound rules of the SG, because the SG rules are STATEFUL.

But, then the response goes through the NACL rules, and is not automatically allowed because NACL rules are STATELESS. This means you need to configure the same inbound rules as outbound rules for communication traffic to flow normally.

The same applies for outbound traffic.

Question 24

What is a NACL?

Answer 24

Network Access Control List:

It’s like a firewall, that controls traffic from and to subnets

Each subnet can only have 1 NACL. A NACL can have many subnets assigned. New subnets are assigned to the Default NACL.

In other words, you can use a NACL to control the way many subnets behave.

Question 25

At what level do NACLs control traffic?

Answer 25

At the subnet level. There is 1 NACL per subnet.

Question 26

How does the Default NACL behave?

Answer 26

Allows everything inbound/outbound.

Question 27

What is the NACL rule with an asterisk (*)?

Answer 27

It's the last rule of every NACL that applies if no other rule matches, and denies all traffic.

Question 28

What are ephemeral ports and how do they work?

Answer 28

When you initiate a connection to a server, you do it to a destination port, for example for SSH you connect to destination port 22. But you initiate the connection by using a source port in the client side. This port is an ephemeral port. So, the client temporarily opens a random ephemeral port where he initiates the connection on his side, and he opens this port just for this one connection. And the desitination server has rules that keep port 22 open to receive the connection successfully. TLDR: source ip: x, source port: 50192, dest ip: y, dest port: 22 payload: xyz Diffferent OSs use different ephemeral port ranges. Examples: IANA & Windows 10: 49152-65535. Linux: 32768-60999 When the reply comes from the ssh server, the source port that the server uses will be port 22, and the destination port will be 50192. TLDR: source ip: y, source port: 22, dest ip: x, dest port: 50192 payload: abc So, the ephemeral port is just a random port that is assigned by the initiator of the connection for the duration of the connection.

Question 29

How do ephemeral ports work with NACLs?

Answer 29

You need to make rules to allow traffic coming from ephemeral ports so that connectivity works properly. Since NACLs are stateless and don't keep track of ongoing connections between hosts. Example: I initiate an http connection through port 443, which is allowed in my NACL, and i use ephemeral port 50192 as a source port. Then come the response packets from the HTTPS server, which will come with source port 443 and destination port 50192. In a stateful fireall this response will be allowed with no need to make an incoming firewall rule through port 50192, since the firewall knows the connection was iniciated by me through port 443. In the case of NACLs, since they don't keep track of these active connections, they don't know if this connection is an ongoing connection or a new one. So I need to make a rule that allows incoming traffic to destination port 50192. And since ephemeral ports like 50192 are randomly selected for each connection, I need to make rules for the full range of ports. This range would be 32768-65535, if you want to include the ranges that linux and windows machines use.

Question 30

What are NACLs for?

Answer 30

For allowing or blocking outgoing and incoming traffic between your subnet and the internet. Or between your subnet and another subnet. Or between your subnet and another VPC.

Question 31

How many subnets per NACL?

Answer 31

as many as you want.

Question 32

How many NACLS per subnet?

Answer 32

Only 1.

Question 33

What are the differences between NACLs and SGs?

Answer 33

SG Operates at instance level. NACL operates at subnet level. SG supports allow rules only. NACL supports allow and deny rules. SGs are stateful. NACLs are stateless. In SGs all rules are evaluated before deciding to allow traffic. In NACLs rules are evaluated in order until it finds a matching rule. SGs applies rules to an EC2 instance when specified. NACLs apply to all EC2 instances in the subnet or subnets associated to it.

Question 34

What is VPC Peering?

Answer 34

To privately connect 2 VPCs between each other. These can be 2 VPCs in the same account, different region, or different accounts. The 2 VPCs can't have overlapping CIDRs. VPC peering is not transitive. It must be established for each different VPC that a "VPC1" wants to communicate with. You must update route tables in each VPCs subnets to ensure communication.

Question 35

If you have VPC1 VPC2 and VPC3. You have VPC Peering between 1 and 2. And VPC Peering between 2 and 3. Can VPC 1 communicate with VPC 3?

Answer 35

NO. You would need to enable VPC Peering between VPC 1 and 3.

Question 36

How could AWS Account A resource communicate with AWS Account B resource? Both resources must be in private subnets (No internet).

Answer 36

With VPC Peering these 2 resources can communicate with each other internally. And both their SGs can reference each other in the SG rules, ONLY if both resources are in the same region.

Question 37

Can sg rule reference another sg in a different region?

Answer 37

No. SG rules can only reference SGs in the same region. It can reference SGs in other accounts if VPC peering is enabled between these 2 accounts, but this is still only possible if both SGs from both AWS accounts are on the same region.

Question 38

What are VCP Endpoints?

Answer 38

An AWS VPC feature, that lets your VPC resources access other services privately, instead of them having to go through your NAT GW, and IGW, and through the internet. When using VPC endpoint, traffic goes from your VPC to the AWS Services through the private AWS network.

Question 39

What is AWS PrivateLink?

Answer 39

The technology that allows you to create VPC Interface Endpoints to communicate between your VPC resources and AWS Services. (Gateway Endpoints are not related to PrivateLink).

Question 40

What are the types of VPC Endpoints and how do they work?

Answer 40

Interface Endpoint (Privatelink): It provisions an ENI with a private IP, that acts as entry point to AWS Services. This ENI comes with an SG that you must configure to allow access. Gateway Endpoint: This type provisions a gateway similar to the igw, but that routes traffic to the aws private network and the aws services. You must modify your route table to have a route with this gw as a target. Gateway Endpoind can only target DynamoDB and S3. And do not use Privatelink

Question 41

How many route tables can a VPC be associated with?

Answer 41

Up to 200.

Question 42

How many route tables can a subnet be associated with?

Answer 42

Only 1.

Question 43

Which type of VPC Endpoint uses PrivateLink technology?

Answer 43

Interface Endpoints

Question 44

Which VPC Endpoint type uses an ENI and SG?

Answer 44

Interface Endpoint

Question 45

Which VPC Endpoint type uses a GW and Route Table?

Answer 45

Gateway Endpoint.

Question 46

Which type of VPC Endpoint is recommended when connecting your VPC to S3?

Answer 46

Gateway Endpoint.

Question 47

Which type of VPC Endpoint is recommended when connecting your VPC to DynamoDB?

Answer 47

Gateway Endpoint.

Question 48

Which type of VPC Endpoint is recommended when connecting your VPC to SNS?

Answer 48

Interface Endpoint. (Gateway Endpoint is only for S3 and DynamoDB).

Question 49

Which type of VPC Endpoint is recommended when connecting your VPC to Aurora.?

Answer 49

Interface Endpoint. (Gateway Endpoint is only for S3 and DynamoDB).

Question 50

When is Interface Endpoint preferred over Gateway Endpoint, for accesing S3 or DynamoDB?

Answer 50

Only when accessing those resources from On-Premises with Site to Site VPN or with Direct Connect. The rest of the time Gateway Endpoint is preferred because it's free.

Question 51

How are you charged for using VCP Endpoints?

Answer 51

When using Interface Endpoint, your are charged per hour and per GB of data processed. Gateway Endpoint is free.

Question 52

Can AWS Services be accessed through the internet?

Answer 52

Yes. All AWS Services have access to the internet and can receive requests through it given you have the proper permissions. AWS Services can alsobe accessed internally from VPCs through VPC Endpoints.

Question 53

What are VPC Flow Logs? How does capturing Flow Logs work?

Answer 53

They capture information about IP traffic (Packets) going through your interfaces. You have VPC Flow logs, Subnet Flow logs, and ENI Flow logs. You can also create flow logs for ENIs that are associated to AWS Managed services like ELBs, RDS, ElastiCache, NATGW, etc. Flow logs captures traffic in "flows". Flows are the interaction between 2 IPs. Each flow has a duration or interval. After a flow is finished it's registered in a text line or record that indicates packet size and bytes sent. You can configure the maximum interval to 10min or to 1 min. If maximum interval is 1 min you will get more records printed in the flow log, thus costing you more money. A 10min interval flow record weighs the same as a 1min interval flow record, since its a text line nonetheless. You can create flow logs for all traffic, only accepted, or only rejected traffic. You create flow logs to capture flows of traffic constantly in intervals. Once you create a flow log for a resource (VPC, Subnet, ENI, it captures these flows in intervals indefinitely, until you delete the flow or disable it. Flow Logs data can go into S3, CloudWatch, or Kinesis Data Firehose. The data captured includes src ip, dst ip, src port, dst port, eni id, protocol, action, bytes, packet size, etc.

Question 54

How can you query VPC Flow Logs?

Answer 54

With Athena on S3, or CloudWatch Logs.

Question 55

What is S2S VPN?

Answer 55

Site to site VPN is a VPN feature that lets you connect your AWS VPC to your on premises network, privately via encrypted traffic, through the internet. It needs a VGW: Virtual Private Gateway: This VGW is the VPN concentrator, meaning it acts as gateway for multiple VPNs from multiple locations, but always to your same aws VPC.

Question 56

What is Virtual Private Gateway (VGW)?

Answer 56

It's a gateway on the AWS side of a VPN connection. It's a VPN Concentrator, so you can establish multiple VPN tunnels to it. The VGW is created and attached to the VPC where you want to create the S2S VPN. VGW is HA, and creates multiple tunnels for redundancy on AWS side.

Question 57

What is a VPN Concentrator?

Answer 57

A VPN concentrator is a specialized network device that provides secure connections for multiple VPN (Virtual Private Network) tunnels. It manages and handles the encryption, decryption, and secure data transmission between remote users or sites and the internal network. Essentially, it serves as a hub for VPN connections, centralizing and managing multiple secure tunnels, making it easier to handle a large number of remote connections. In AWS, a VPN Concentrator is the VGW (Virtual Private Gateway).

Question 58

What are the terms CGW and VGW?

Answer 58

VGW is the VPN Concentrator on the AWS side. CGW is the device on the customer side of the VPN connection, that connects your onpremises network to the VPN.

Question 59

What should you know about setting up your CGW?

Answer 59

You create a CGW in aws, but this will be a representation of your onpremises CGW, so that AWS identifies it. You enter the ASN of your onpremises router if you use BGP routing, the ip address of the CGW, and a certificate for your CGW. If you have a Public IP Address you can use that as CGW. If you don't, your CGW can be a private ip. And you can NAT this private ip to a public ip.

Question 60

After you already configured your VGW, CGW, and S2S VPN, what is an extra step you need to take for the VPN to work?

Answer 60

You need to enable route propagation for the Virtual Private Gateway (VGW) in the route table associated with the subnets you want to see through the VPN.

Question 61

What is AWS VPN CloudHub?

Answer 61

A feature that allows 2 or more different CGWs that have S2S VPNs against your VPC, to communicate between each other through your AWS side VGW and your VPC. This provides secure communication between multiple sites.

Question 62

How many VGW can you have in a VPC?

Answer 62

Only 1. A VGW can manage multiple VPN Tunnels with HA.

Question 63

How many VGW can connect to a CGW?

Answer 63

Many. This enables you to connect VPNs to multiple VPCs.

Question 64

How many CGW can connect to a VGW?

Answer 64

Many. VGW can handle having multiple tunnels to your VPC from different onpremises sites. For example, branch offices. If you add VPN CloudHub these CGWs can also communicate with each other through the VGW.

Question 65

What is Direct Connect (DX)?

Answer 65

It allows your business to have a dedicated private connection between your onpremises site and your aws vpc, through a Private VIF. Or from your DC to a public service like S3, through a Public VIF. It's not an SSL VPN. Nor any VPN. This doesn't go through the internet, its private. So it needs to be set up physically between your DC and one of AWS Direct Connect locations. For this you need a VGW for connectivity between your DC and AWS.

Question 66

What are good Direct Connect use cases?

Answer 66

DX is good for when you need more bandwidth against your resources. A more consistent network experience against your applications. Especially if you have bad internet connectivity to aws. Good for using hybrid environments because you have private connectivity between your private datacenters and the aws cloud.

Question 67

What are Direct Connect Locations?

Answer 67

These are physical locations that you can connect to, to gain private access between them and aws regions. These locations are owned by telecommunications companies that are partnered with aws to offer this service. The connectivity between your network and your AWS VPC is private. For this the telecommunications company usually deploys fiber to your DC if possible (close by) or they offer you a colocation service so you have presence in their DC where they have private connectivity with a region of aws.

Question 68

What is a VIF?

Answer 68

A Private Virtual Interface (VIF), is a virtual interface that enables a private dedicated connection between your DC and your AWS VPC (VGW), through aws direct connect locations. A Public Virtual Interface is a VIF that enables public connectivity between your onpremises datacenter and public aws services like s3. (this case doesnt connect to to a VGW)

Question 69

What is a Direct Connect Gateway?

Answer 69

Allows you to have the features of direct connect but to other regions as well. This improves scalability for your hybrid architectures with direct connect. After you established a connection between your DC and a Direct Connect location for a region where you have your VGW and VPC, you can then connect to a direct connect gateway through a private VIF, that will grant you connectivity to another region. You can do this because the direct connect gateway will have a private VIF against a VGW in your VPC in a region, and also against another VGW in your VPC in a different region.

Question 70

How long does it take to set up direct connect between your DC and a direct connect location?

Answer 70

At least 1 month.

Question 71

How do you accomplish encryption in transit for the data that goes through direct connect?

Answer 71

You must set up a VPN between your DC and AWS for the traffic that goes through Direct Connect, because normal traffic for direct connect is not encrypted.

Question 72

Let's say your workloads are critical, and you need very high resiliency for your connection through direct connect. How could you achieve this?

Answer 72

For high resiliency you can have a setup with 2 corporate datacenters, and 2 direct connect locations connected with 2 VIFs against your AWS VPC. For Maximum resiliency, you can have a setup with 2 corporate datacenters, 2 direct connect locations, and 2 VIFs in 2 separate physical routers per direct connect location. Meaning 4 total connections in 2 locations against your VPC. A 3rd very resilient architecture would be to use direct connect as a primary way to access your VPC, and have as a backup connection a Site to Site VPN. This would be cheaper than having 2 direct connect locations. In case direct connect fails, the vpn kicks in and connects you through the internet.

Question 73

How can Direct Connect and S2S VPN work together?

Answer 73

Using DirectConnect as a primary connection between your DC and your VPC, and having a site to site VPN as a backup connection in case of failure.

Question 74

What is Transit Gateway?

Answer 74

A way to simplify connectivity between VPCs, onpremises, etc, instead of using multiple S2S VPNs, multiple VPC Peerings, etc, which can become very complex architectures once your network scales. Transit gateway solves that problem by doing transitive peering between thousands of VPCs, and your onpremises datacenters. For this it uses a hub-spoke topology (star topology) where Transit Gateway acts as the hub (Center) of the star, and connects to your VPCs, Direct Connect Gateways, When using transit gateway you dont need to peer the VPCs together. They all can talk to each other through the transit gateway. When using transit gateway you use direct connect against the transit gateway, giving you access to all your VPCs. The same for S2S VPN.

Question 75

How can direct connect connect against multiple VPCs easily?

Answer 75

By connecting to a direct connect gateway and using Transit Gateway. Transit Gateway can connect to the direct connect gateway, and can connect to all your VPCs. With this your onpremises DC will be able to see all the VPCs thanks to transitive peering.

Question 76

How can S2S VPN connect against multiple VPCs easily?

Answer 76

A S2S VPN CGW can establish multiple tunnels against mutliple VGWs in different VPCs, if your onpremises infrastructure allows it. A better option, would be to use Transit Gateway. It interconnects multiple VPCs thanks to transitive peering, and can also connecto to your S2S VPN CGW, giving you connectivity against all VPCs that are connected to the Transit Gateway.

Question 77

How do you define which VPCs can talk to each other with Transif Gateway?

Answer 77

You need to define routes in your route tables of your VPCs to decide how each VPC talks to other VPCs.

Question 78

What is the only service that supports IP Multicast?

Answer 78

Transit Gateway

Question 79

How can you increase the bandwidth of your S2S VPN?

Answer 79

With transit gateway you have the option of increasing the bandwidth of your VPNs, by letting you create 2 or more VPNs per CGW against your transit gw. *With VGW you were only able to create 1 VPN per CGW per VGW. And Transit Gateway supports ECMP: Equal cost multi-path routing. This lets you use all those multiple VPNs simultaneously, thus increasing the VPN throughput.

Question 80

How can you set up direct connect for multiple AWS Accounts?

Answer 80

Setting up Transit Gateway as target for the Direct connect setup. (Through a direct connect gateway). You can do it because transit gateway can connect to VPCs on different AWS accounts. DC > Direct Connect Location > Direct Connect Gateway > Transit Gateway > VPC from account 1, VPC from account 2.

Question 81

What is Traffic Mirroring?

Answer 81

For capturing and inspecting traffic in your VPC. You set up a NLB, with EC2 instances with security appliance in them. If you want to capture traffic for x EC2 instance, without disrupting the connectivity of the instance. You then set up traffic mirroring. With this enabled, all traffic of the ENI of instance x is also sent (mirrored) to our NLB. Instance x doesn't notice the mirroring of traffic. Traffic mirroring can be set up against multiple instances for their traffic to be mirrored to our ENI or NLB.

Question 82

What about VPC and ipv6?

Answer 82

You can enable it to operate in dual stack with ipv4. EC2 instances will then get 2 ips, ipv4 and ipv6 and can use either to communicate. Ipv4 cannot be disabled.

Question 83

What are Egress Only Internet Gateway?

Answer 83

These are for ipv6 connectivity from your VPC to the internet. Like the name says, since ipv6 ips are all public, this gateway allows only egress traffic so that EC2 instances can navigate the internet through it but no inbound requests are allowed towards your instances. You need to update route tables for traffic from your ipv6 to go to this egress igw. This works similarly to a NAT Gateway for browsing internet when using ipv4 from a private subnet. The difference is that since ipv6 are public, there is no network address translation going on. For public ipv6 you just go through the internet gateway. (you dont want an egress only in this case because you want your instances to be accessible from the internet, hence a public subnet). For private ipv6 you go through the egress only internet gateway, similarly to how you go through the NAT Gateway when using ipv4.

Question 84

If we are using an EC2 instance with Ipv6 and we want to browse the internet, how should we do it?

Answer 84

Through an egress only internet gateway. You must update route tables to route traffic from your instances to internet through this egress only igw.

Question 85

Does AWS Charge you for traffic between 2 EC2 instances in the same AZ?

Answer 85

No. It's free.

Question 86

Does AWS Charge you for incoming external traffic to your EC2 instances?

Answer 86

No. It's free.

Question 87

Does AWS Charge you for traffic between 2 EC2 instances in the same region, but in different AZs?

Answer 87

You are charged $0.02 per GB if traffic goes through the internet, meaning it's through the instances public ip, and it leaves the aws network and goes back in. You are charged half, $0.01 per GB, if you use private ips. Now you are using the internal AWS network for traffic between those 2 AZs.

Question 88

Does AWS Charge you for traffic between 2 EC2 instances in different regions?

Answer 88

Yes. $0.02 per GB since traffic uses public IPs and leaves the AWS network to get from 1 region to the other.

Question 89

You have 5 EC2 instances that communicate with each other through the network constantly. What is the best placement to lower internet traffic costs? Why?

Answer 89

Putting all 5 instances in the same AZ. Traffic between the same AZ using private ips is free, compared to traffic between 2 AZs in same region that costs 1 cent per GB, and between 2 regions that costs 2 cents per GB- The issue is that you have less HA capabilities.

Question 90

Which type of traffic is usually free? Ingress or Egress?

Answer 90

Ingress.

Question 91

How can you minimize networking costs?

Answer 91

Keeping traffic inside aws as much as possible. Since you are only charged mostly for traffic leaving aws.

Question 92

What is cheaper for accessing services like S3 from your VPC? NAT Gateway + Internet Gateway VPC Endpoint

Answer 92

VPC Endpoint. Has no cost. Only $0.01 per GB transfered through it.

Question 93

What is AWS Network Firewall?

Answer 93

We know NACLs protect subnets, SGs protect instances or ENIs. But AWS Network Firewall protects your WHOLE VPC. Protection is from Layer 3 to Layer 7. You can inspect any kind of traffic in any direction: VPC to VPC Inbound from internet Outbound to internet To/From Direct Connect To/From S2S VPN It's AWS Managed. Internally it uses the GLB. These rules can apply to multiple VPCs, and can also be applied Cross Account.

Question 94

Whats the difference between dedicated or hosted direct connect connections?

Answer 94

Dedicated is provided by aws. Hosted is provided by an AWS Partner. Dedicated gives you your own dedicated port, managed by aws. Hosted gives you a shared port managed by the partner and used by multiple customers. Dedicated has higher bandwidth options: 1Gbps, 10Gbps, 100Gbps. Hosted has more flexible bandwidth options: 50Mbps, 500Mbps, 10Gbps.

Question 95

Which type of direct connect hast higher bandwidth options?

Answer 95

Dedicated. Up to 100GBps compared to Hosted that has up to 10Gbps.

Question 96

You want to scale up an AWS Site-to-Site VPN connection throughput, established between your on-premises data and AWS Cloud, beyond a single IPsec tunnel's maximum limit of 1.25 Gbps. What should you do?

Answer 96

Use Transit Gateway. It's "ECMP: Equal cost multi-path routing" protocol enables you to use both tunnels of the S2S VPN simultaneously, giving you 2.5Gbps. Besides, it lets you set up more VPNs from the Same CGW, all with simultaneous use. Giving you 2.5Gbps of added bandwidth per VPN (5Gbps, 7.5Gbps, etc).

Question 97

What is dual stack?

Answer 97

Using ipv4 and ipv6 simultaneously.

Question 98

You have a VPC in your AWS account that runs in a dual-stack mode. You are continuously trying to launch an EC2 instance, but it fails. After further investigation, you have found that you are no longer have IPv4 addresses available. What should you do?

Answer 98

Add an additional IPv4 CIDR to your VPC. You ran out of free IPv4 IPs.

Question 99

How do you block an specific client ip address in an ELB + EC2 app infrastructure?

Answer 99

At the NACL. You can also install WAF in your ELB. It lets you establish rules to limit requests from a single client, etc.

Question 100

How do you block an specific client ip address in a CloudFront + ELB + EC2 app infrastructure?

Answer 100

NACL don't help you block an ip because the ALB only sees the cloudfront public ip addresses, which must be allowed for the infrastructure to work. And cloudfront is external to your VPC. If an attack comes from a specific country, you can use cloudfront georestriction to block a whole country. For a specific IP you can use WAF similarly to with the ALB. It lets you establish rules to limit requests from a single client, or block ips, etc.