VPC Flashcards
AWS VPN CloudHub
Provides secure communication between multiple sites, if you have multiple VPN connections
Low-cost hub-and-spoke model for primary or secondary network connectivity between different locations (VPN only)
Direct Connect (DX)
Provides a dedicated private connection from a remote network to your VPC
* A dedicated connection must be set up between your DC and AWS Direct Connect locations
* You need to set up a Virtual Private Gateway on your VPC
VPC Flow Logs
Capture information about IP traffic going into your interfaces:
* VPC Flow Logs
* Subnet Flow Logs
* Elastic Network Interface (ENI) Flow Logs
* Helps to monitor & troubleshoot connectivity issues
* Flow log data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
AWS Site-to-Site VPN
Virtual Private Gateway (VGW)
* VPN concentrator on the AWS side of the VPN connection
* VGW is created and attached to the VPC from which you want to create the Site-to-Site VPN connection
* Possibility to customize the ASN (Autonomous System Number)
Customer Gateway (CGW)
* Software application or physical device on the customer side of the VPN connection
Direct Connect Gateway
If you want to set up a Direct Connect to one or more VPCs in many different regions (same account), you must use a Direct Connect Gateway
Direct Connect – Connection Types
Dedicated Connections: 1 Gbps, 10 Gbps and 100 Gbps capacity
Hosted Connections: 50 Mbps, 500 Mbps, up to 10 Gbps
Site-to-Site VPN connection as a backup
In case Direct Connect fails, you can set up a backup Direct Connect connection, or use a Site-to-Site VPN for redundancy
IPv4 cannot be disabled for your VPC and subnets
TRUE
CIDR – IP Range
* VPC – Virtual Private Cloud => we define a list of IPv4 & IPv6 CIDRs
* Subnets – tied to an AZ, we define a CIDR
* Internet Gateway – at the VPC level, provides IPv4 & IPv6 Internet access
* Route Tables – must be edited to add routes from subnets to the IGW, VPC Peering Connections, VPC Endpoints
Egress-only Internet Gateway
Used for IPv6 only
* Similar to a NAT Gateway but for IPv6
* Allows instances in your VPC outbound connections over IPv6 while preventing the Internet from initiating an IPv6 connection to your instances
* You must update the Route Tables
* Bastion Host – public EC2 instance to SSH into, that has SSH connectivity to EC2 instances in private subnets
* NAT Instances – give Internet access to EC2 instances in private subnets. Old, must be set up in a public subnet, disable the Source / Destination check flag
* NAT Gateway – managed by AWS, provides scalable Internet access to private EC2
* NACL – stateless, subnet rules for inbound and outbound, don't forget Ephemeral Ports
* Security Groups – stateful, operate at the EC2 instance level
* VPC Peering – connect two VPCs with non-overlapping CIDRs, non-transitive
* VPC Endpoints – provide private access to AWS Services (S3, DynamoDB, CloudFormation, SSM) within a VPC
* VPC Flow Logs – can be set up at the VPC / Subnet / ENI level, for ACCEPT and REJECT traffic, helps identify attacks, analyze using Athena or CloudWatch Logs Insights
* Site-to-Site VPN – set up a Customer Gateway on DC, a Virtual Private Gateway on VPC, and a site-to-site VPN over the public Internet
* AWS VPN CloudHub – hub-and-spoke VPN model to connect your sites