VPC 3

Question 1

NACLs

What are NACLs associated with?

Answer 1

Subnets

Question 2

NACLs

How do NACLs control traffic within a single Subnet?

Answer 2

They aren’t. NACLs are inter-subnet only

Question 3

NACLs

How do NACLs handle request and response packets?

Answer 3

Orthogonal concept: they handle INBOUND and OUTBOUND traffic

Question 4

NACLs

How do you deny traffic with a NACL?

Answer 4

Just do it. NACLs have explicit allow and deny. Security Groups don’t have deny.

Question 5

NACLs

How does a NACL decide which rule to apply?

Answer 5

Rule number (low to high), stop when 1st rule matches

Question 6

NACLs

What happens if you have both an ALLOW and a DENY rule?

Answer 6

Nothing special, just pick the first rule that matches (lowest Rule Number)

Question 7

NACLs

What is rule number “*”?

Answer 7

An implicit DENY for all traffic (it’s notional, doesn’t actually exist as a rule)

Question 8

NACLs

So, why does any traffic flow anywhere since we all don’t bother with NACLs?

Answer 8

Default NACL comes with “100 0.0.0.0/0 ALLOW” rule above the “*” deny rule

Question 9

NACLs

What do you get when you create a new, custom NACL?

Answer 9

Just the “*” deny rule

Question 10

NACLs

How do you set the source and destination CIDR on NACLs?

Answer 10

Set Source on Inbound rules, set Destination on Outbound rules

Question 11

NACLs

What’s the port range for ephemeral ports used by TCP?

Answer 11

1024 - 65535

Question 12

NACLs

How do you assign a NACL to a Security Group?

Answer 12

Can’t. NACLs are only assignable to Subnets and only deal with CIDR addresses.

Question 13

NACLs

How do I set up NACLs to allow traffic from Subnet 1 to Subnet 2?

Answer 13

2 NACL rules on each subnet, one for each direction (total of 4 rules)

Question 14

Peering

[important]How many VPCs can you connect with a Peer?

important

Answer 14

2 only, no more no less

Question 15

Peering

Can you route IPv6 over VPC Peers?

Answer 15

Yes

Question 16

Peering

Can you peer with a VPC in another account?

Answer 16

Yes

Question 17

Peering

Can you peer with a VPC in another region?

Answer 17

Yes

Question 18

Peering

What is the bandwidth limitation with VPC Peers?

Answer 18

None

Question 19

Peering

IF you peer A and B and also peer B and C, can A talk to C?

Answer 19

No, nothing transitive, must peer A and C separately.

Question 20

Peering

Does a VPC Peer use Gateway endpoint or an Interface endpoint?

Answer 20

Neither. Shows up as “pcx-“ target for routing.

Question 21

Peering

Cost structure for a Peering connection?

Answer 21

Free (data charged if across AZs or across Regions)

Question 22

Peering

Just peered two VPCs, but traffic isn’t flowing…

Answer 22

Must add route table entries targeting CIDR bocks in the other VPC

Question 23

Peering

What is the target of a route table entry to reach a peered VPC?

Answer 23

“pcx-NNNNNNNN”

Question 24

Peering

Can you have SGs in your VPC reference SGs in the peered VPC?

Answer 24

Yes, if they are in the same region

Question 25

Peering

Can you run DNS out of one VPC and have a peer use it?

Answer 25

No

Question 26

Peering

Do Peers support jumbo frames?

Answer 26

Only within the same region

Question 27

Peering

Can you use the IGW in a peered VPC?

Answer 27

No (ENIs only)

Question 28

Peering

Can you use a NAT device in a peered VPC?

Answer 28

No (exception to the “ENIs only” rule)

Question 29

Peering

Can you use a VPN connection in a peered VPC?

Answer 29

No

Question 30

Peering

Can you use a Direct Connect connection in a peered VPC?

Answer 30

No

Question 31

Peering

Can you use a Gateway Endpoint to reach S3 in a peered VPC?

Answer 31

No

Question 32

Peering

Can you use an Interface Endpoint in a peered VPC?

Answer 32

Yes (just an ENI, route to it)

Question 33

Peering

How can you deal with a peered VPC with overlapping CIDR bocks?

Answer 33

Can’t. Can’t create a peer if there is overlapping IP addresses