VPC 3 Flashcards

1
Q

NACLs

What are NACLs associated with?

A

Subnets

2
Q

NACLs

How do NACLs control traffic within a single Subnet?

A

They don’t. NACLs are inter-subnet only

3
Q

NACLs

How do NACLs handle request and response packets?

A

Orthogonal concept: they handle INBOUND and OUTBOUND traffic

4
Q

NACLs

How do you deny traffic with a NACL?

A

Just do it. NACLs have explicit allow and deny. Security Groups don’t have deny.

5
Q

NACLs

How does a NACL decide which rule to apply?

A

Rule number (low to high), stop at the first rule that matches

6
Q

NACLs

What happens if you have both an ALLOW and a DENY rule?

A

Nothing special, just pick the first rule that matches (lowest Rule Number)

7
Q

NACLs

What is rule number “*”?

A

An implicit DENY for all traffic (it’s notional, doesn’t actually exist as a rule)

8
Q

NACLs

So, why does any traffic flow anywhere, since none of us bother with NACLs?

A

Default NACL comes with a “100 0.0.0.0/0 ALLOW” rule above the “*” deny rule

9
Q

NACLs

What do you get when you create a new, custom NACL?

A

Just the “*” deny rule

10
Q

NACLs

How do you set the source and destination CIDR on NACLs?

A

Set Source on Inbound rules, set Destination on Outbound rules

11
Q

NACLs

What’s the port range for ephemeral ports used by TCP?

A

1024 - 65535

12
Q

NACLs

How do you assign a NACL to a Security Group?

A

Can’t. NACLs are only assignable to Subnets and only deal with CIDR addresses.

13
Q

NACLs

How do I set up NACLs to allow traffic from Subnet 1 to Subnet 2?

A

2 NACL rules on each subnet, one for each direction (total of 4 rules)

14
Q

Peering

How many VPCs can you connect with a Peer?

A

2 only, no more no less

15
Q

Peering

Can you route IPv6 over VPC Peers?

A

Yes

16
Q

Peering

Can you peer with a VPC in another account?

A

Yes

17
Q

Peering

Can you peer with a VPC in another region?

A

Yes

18
Q

Peering

What is the bandwidth limitation with VPC Peers?

A

None

19
Q

Peering

If you peer A and B and also peer B and C, can A talk to C?

A

No, nothing transitive, must peer A and C separately.

20
Q

Peering

Does a VPC Peer use Gateway endpoint or an Interface endpoint?

A

Neither. Shows up as a “pcx-” target for routing.

21
Q

Peering

Cost structure for a Peering connection?

A

Free (data charged if across AZs or across Regions)

22
Q

Peering

Just peered two VPCs, but traffic isn’t flowing…

A

Must add route table entries targeting CIDR blocks in the other VPC

23
Q

Peering

What is the target of a route table entry to reach a peered VPC?

A

“pcx-NNNNNNNN”

24
Q

Peering

Can you have SGs in your VPC reference SGs in the peered VPC?

A

Yes, if they are in the same region

25
Q

Peering

Can you run DNS out of one VPC and have a peer use it?

A

No

26
Q

Peering

Do Peers support jumbo frames?

A

Only within the same region

27
Q

Peering

Can you use the IGW in a peered VPC?

A

No (ENIs only)

28
Q

Peering

Can you use a NAT device in a peered VPC?

A

No (exception to the “ENIs only” rule)

29
Q

Peering

Can you use a VPN connection in a peered VPC?

A

No

30
Q

Peering

Can you use a Direct Connect connection in a peered VPC?

A

No

31
Q

Peering

Can you use a Gateway Endpoint to reach S3 in a peered VPC?

A

No

32
Q

Peering

Can you use an Interface Endpoint in a peered VPC?

A

Yes (just an ENI, route to it)

33
Q

Peering

How can you deal with a peered VPC with overlapping CIDR blocks?

A

Can’t. Can’t create a peer if there are overlapping IP addresses