VPC

Question 1

VPC

Answer 1

Virtual Private Cloud

Question 2

VPC - Define

Answer 2

A private sub-section of AWS that you control, in which you can place AWS resources (such
as EC2 instances and databases). You have FULL control over who has access to the AWS
resources that you place inside your VPC.

Question 3

VPC - AWS Definition

Answer 3

“Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section
of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual
network that you define. You have complete control over your virtual networking
environment, including selection of your own IP address range, creation of subnets and
configuration of route tables and network gateways.”

Question 4

List the Standard Components of a VPC

Answer 4

1. Internet Gateway (IGW)
2. A Route Table (with predefined routes to the default subnets).
3. A Network Access Control List (with predefined rules for access).
4. Subnets to provision AWS resources in (such as EC2 Instance).

Question 5

Internet Gateway (Simplified Definition)

Answer 5

A combination of hardware and software that provides your private network with a route to
the world outside (meaning the Internet) of the VPC.

Question 6

Internet Gateway (AWS Definition)

Answer 6

An Internet gateway is a horizontally scaled, redundant and highly available VPC
component that allows communication between instances in your VPC and the Internet.
It therefore imposes no availability risks or bandwidth constraints on your network traffic.
NOTE: Your “default” VPC already has an IGW attached.

Question 7

Internet Gateway (rules and details) you need to Know:

Answer 7

(1) Only 1 IGW can be attached to a VPC at a time
(2) An IGW cannot be detached from a VPC while there are active AWS resources in the
VPC (such as an EC2 instance or RDS Database)

Question 8

What is a Route Table?

Answer 8

A route table contains a set of rules, called routes, that are used to determine where
network traffic is directed

Question 9

Route Table details you need to know:

Answer 9

(1) Unlike an IGW, you can have multiple “active” route tables in a VPC
(2) You cannot delete a route table if it has “dependancies” (associated subnets)

Question 10

NACL

Answer 10

Network Access Control List

Question 11

NACL Definition

Answer 11

A network access control list (NACL) is an optional layer of security for your VPC that acts
as a firewall for controlling traffic in and out of one or more subnets.

Question 12

NACL Inbound / Outbound Rule Basics

Answer 12

(1) Rules are evaluated based on
“rule #” from lowest to highest
(2) The first rule evaluated that
applies to the traffic type gets immediately applied and executed regardless of the rules that come
after (have a higher “rule #”).
(3) Default: Everything is set to deny.
(4) Any new NACLs you create DENY all traffic by default.
(5) A subnet can only be associated with ONE NACL as a time.
(6) An NACL allows or denies traffic from entering a subnet. Once inside the subnet, other
AWS resources (i.e. EC2 instances) may have an additional layer of security (security
groups).

Question 13

High Availability “Sounds” like

Answer 13

(1) “I can always access my data in the cloud”

(2) “My website never crashes and is always available to my customers”

Question 14

Fault Tolerant “Sounds” like

Answer 14

(1) “One of my web servers failed, but my backup server immediately took over”
(2) “If something in my system fails, it can repair itself. ”

Question 15

AZ (Acronym)

Answer 15

Availability Zone

Question 16

What is an AZ?

Answer 16

Availability Zones are distinct locations that are engineered to be isolated from failures
in other Availability Zones. By launching instances in separate Availability Zones, you
can protect your applications from the failure of a single location. (Datacenters).

Question 17

Describe AZ’s and VPCs

Answer 17

Any AWS resource that you launch (like EC2/RDS) must be placed in a VPC subnet. Any
given subnet must be located in an Availbility Zone. You can (and should) utilize multiple
Availabilty Zones to create redundacy in your architecture. This is what allows for High
Availabilty and Fault Toleratent systems.

Question 18

ELB

Answer 18

Elastic Load Balancer

Question 19

Load Balancing

Answer 19

Common method for distributing incoming traffic among servers.

Question 20

Is a ELB used within a VPC an internal or external load balancer.

Answer 20

Internal.

Question 21

What does ELB do if an EC2 instance becomes unhealthy?

Answer 21

It stops routing traffic to the unhealthy EC2 instance. Routes all traffic to the healthy instance.

Question 22

Can SSL certificates be applied to the ELB?

Answer 22

Yes.

Question 23

Auto Scaling

Answer 23

automates the process of increasing / decreasing the on-demand instances available for application.

Question 24

What service does Auto Scaling utilize for performance metrics?

Answer 24

Cloudwatch.

Question 25

Auto Scaling Launch Configuration

Answer 25

The EC2 template used when autoscaling needs to provision/terminate EC2 instances.

Question 26

Auto Scaling Group

Answer 26

All the rules/settings that govern if/when and EC2 instance is automatically provisioned or terminated.

Question 27

Autoscaling and ELB is required for the architecture to be considered highly available and fault tolerant. T/F

Answer 27

True - the instances have to be spread across at least 2 AZ’s.

Question 28

Classic Load Balancer

Answer 28

Simple balancing of traffic to multiple EC2 instances.
No granular routing rules.
Best used when all traffic is the same data regardless of instance.

Question 29

Application Elastic Load Balancer

Answer 29

Complex balancing.
Content-Based Rules (Pictures,
 Videos,
 text, etc.)(Host, Path)
Supports ECS Containers, HTTP, HTTP/2, Web sockets, etc.

Question 30

ELB Order of Operations

Answer 30

EC2 Instances
Target Groups
Application ELB
Create content Rules.

Question 31

Bastion Host

Answer 31

EC2 instance that lives in public subnet and uses a gateway for traffic that is destined for an instance in a private subnet.
Critical Strong Point

Question 32

NAT Gateway

Answer 32

Designed to provide EC2 instances in private subnets a gateway to the internet. (Software packages, etc.).
Only allows return traffic unless the request originated from the instance in the private subnet.

Question 33

NAT Gateway Subnet essentials.

Answer 33

Must Be in Public Subnet

Must be associated with the Private subnet route table.

Question 34

VPN

Answer 34

Virtual Private Network

Question 35

VPN Essentials

Answer 35

1. enables the ability to extend a subnet from one geographic location to another geographic location on two separate networks.
2. Extending the subnets allows communication between all resources in the two subnets.
3. “Extending” the on-premise network to the cloud or cloud to on-premise.
4. VPN traffic is encrypted.

Question 36

T/F - A VPN has two parallel routes.

Answer 36

True - IPsec tunnels - which is for redundancy.

Question 37

How many Virtual Private Gateways can be attached to a VPC simultaneously?

Answer 37

One

Question 38

What components are required to establish a VPN connection with an on premises environment?

Answer 38

Customer Gateway
Virtual Private Gateway
Router (Route Tables).

Question 39

Customer Gateway

Answer 39

Physical device or software application at the on-premises location that acts as a connector to the VPN.

Customer gateway component is where you configure the public IP address.

Question 40

VPG

Answer 40

Virtual Private Gateway

Connector the VPN - AWS Side.

Question 41

AWS Edge Location

Answer 41

1. AWS datacenter which does not contain AWS services.

2. It is used to deliver content to different parts of the world.

Question 42

CDN

Answer 42

Content Distribution Network.

Question 43

CloudFront

Answer 43

A global CDN - delivers content from an origin to an Edge location.

Question 44

Edge Location

Answer 44

Allows for caching of static objects from the origin location - reduce latency (web server - image traffic).

Question 45

CloudFront Benefits

Answer 45

Users experience lower latency and content load time.

Reduces load on your applications.

Question 46

Updating Cached files

Answer 46

1. Caching is based off the object name.
2. New object with same name or create invalidation to serve a new version.
3. Invalidations have a cost. (create new distribution and move DNS names to reduce costs).
4. Cached objects can be set to specific expiration date/times.

Question 47

Signed URLS

Answer 47

Allow access to private content by creating a temporary, one-time-use URL based off of the number of seconds you want it accessible.

Signed with a X.509 certificate.