VPC

Question 1

<p>What is the definition of a VPC?</p>

Answer 1

<p>Virtual Private Cloud - amazon lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. you have complete control over this network, including selection of IP address range, subnets and network gateways</p>

Question 2

<p>True or false: You can only have one internet gateway per VPC</p>

Answer 2

<p>True</p>

Question 3

<p>What are differences between the default VPC and a custom VPC?</p>

Answer 3

<p>Default VPCs are user-friendly, so you can imediately start deploying resources
All subnets in a default VPC have a route out to the internet
In a default VPC, each EC2 instance has both a public and private IP address</p>

Question 4

<p>What is VPC peering?</p>

Answer 4

<p>It allows you to connect a VPC to another VPC using private IP addresses. </p>

Question 5

<p>Can you use VPC peering across accounts?</p>

Answer 5

<p>Yes</p>

Question 6

<p>What is transitive peering?</p>

Answer 6

<p>There is one central VPC, and individual VPCs are peered directly with it. Transitive peering allows the second VPC to then be peered with a third, allowing the first and third VPCs to share resources. This is not permitted in AWS.</p>

Question 7

<p>What is a CIDR block?</p>

Answer 7

<p>It is a range of IP addresses available for a subnet in a VPC</p>

Question 8

<p>What is default vs dedicated tenancy?</p>

Answer 8

<p>Default tenancy means your VPC will share hardware with other VPCs. Dedicated tenancy mans your VPC will exist on dedicated hardware. Dedicated tenancy is much more expensive than default tenancy.</p>

Question 9

<p>When you create a new VPC, what else is created by default?</p>

Answer 9

<p>A default route table
A default network access control list
A default security group
No subnets are created</p>

Question 10

<p>How many IP addresses does amazon reserve when you create a subnet?</p>

Answer 10

<p>5. So a /24 subnet which has 256 available addresses will only give you 251</p>

Question 11

<p>Can you associate a subnet with more than one route table?</p>

Answer 11

<p>No. A subnet can only be associated with a single route table at a time</p>

Question 12

<p>Can you associate a route table with more than one subnet?</p>

Answer 12

<p>Yes. Route tables can be associated with multiple subnets</p>

Question 13

What does an internet gateway do?

Answer 13

1. It provides an endpoint for internet/bound traffic that route tables can point to
2. Performs network address translation (NAT), between a public IP address and the private IP address of the instance

Question 14

A subnet which is associated with a route table containing a route to an internet gateway is known as what?

Answer 14

Public subnet

Question 15

Does the default VPC automatically include a route to the internet gateway for IPv6 traffic?

Answer 15

No

Question 16

When creating a subnet, does AWS automatically include a route to the internet from the main route table for the VPC?

Answer 16

No, you must add that yourself

Question 17

True or false: When a new subnet is created, it is automatically associated with the main route table

Answer 17

True. which is why the main route table should not offer internet access

Question 18

Are public IP addresses automatically assigned to instances launched within subnets in VPCs you create?

Answer 18

Not by default, but you can change the Auto-assign IP setting to Yes for the subnet. In the default VPC, they are automatically assigned.

Question 19

True or false: A security group is limited to a single VPC

Answer 19

True

Question 20

What is ICMP?

Answer 20

Internet control Message Protocol, which allows messaging between devices in an IP network

Question 21

True or false: to make a subnet public, you must associate it with an internet gateway

Answer 21

False. Route tables point to internet gateways, and subnets are associated with route tables.

Question 22

How can you make a private subnet public?

Answer 22

The subnet is private because it is associated with a route table that does not have a route to the internet gateway. To make the subnet public, associate it with a route table that does have a route to the internet gateway

Question 23

What is Network Address Translation?

Answer 23

NAT acts as a bridge between private subnets and the internet, so that they can get to the internet without allowing public access

Question 24

What is a NAT Instance?

Answer 24

An EC2 instance that acts as a gateway to the internet for a private subnet

Question 25

What is a NAT Gateway?

Answer 25

An AWS resource which allows instances in a private subnet to connect to the internet or other AWS services, but does not allow public access

Question 26

Explain why you have to disable Source/Destination check when creating a NAT instance

Answer 26

Normally, ec2 instances must have source/destination checking enabled, which means that either the source or the destination of the traffic must be the Instance. However, with a NAT, the source or dest might be the subnet we are building the NAT for, so we want to disable Source/Destination Checking

Question 27

True or false: NAT Gateways scale automatically

Answer 27

True

Question 28

Do NAT Gateways sit in front of or behind a Security Group? What about NAT Instances?

Answer 28

In front. NAT Instances are behind

Question 29

True or false: You must manually create a public IP Address when creating a NAT Gateway

Answer 29

False. Public IP addresses are assigned to NAT Gateways automatically

Question 30

What is are some differences between a Security Group and a Network ACL?

Answer 30

Security Groups apply to instances, NACLs apply to entire subnets
Security Groups only allow permissions, NACLs both allow and deny permissions
Security Groups are stateful, meaning inbound rules apply outbound, while NACLs are stateless, so you must set both inbound and outbound rules

Question 31

True or false: Subnets can only be associated with one Network ACL at a time

Answer 31

True

Question 32

True or false: Network ACLs can be associated with multiple subnets at the same time

Answer 32

True

Question 33

True or false: Network ACLs can span multiple VPCs

Answer 33

False. A Network ACL belongs to a single VPC

Question 34

When creating a Network ACL, by default is everything alallowed or denied?

Answer 34

Denied

Question 35

When creating a Network ACL, by default is everything alallowed or denied?

Answer 35

Denied

Question 36

In what order are rules evaluated in a Network ACL?

Answer 36

Numerically by rule number

Question 37

If the first rule in a Network ACL allows a packet, and the second rule denies it, is the packet allowed or denied?

Answer 37

It is allowed. As soon as a given packet meets the criteria of a rule, subsequent rules are not evaluated against the packet

Question 38

Does the default Network ACL that comes with a new VPC allow or deny traffic?

Answer 38

Allows it

Question 39

True or false: Every subnet must be associated with exaclty one NetworkACL

Answer 39

True. If you do not explicitly assign one, a subnet is associated with the default Netowkr ACL for that VPC

Question 40

Can Network ACLs span multiple availability zones?

Answer 40

Yes, Network ACLs operate at the level of the VPC

Question 41

If you need to block incoming traffic from a specific IP address, can you do so with Security Groups, Network ACLs, both or neither

Answer 41

Network ACLs. Only Network ACLs can block traffic,

Question 42

What are VPC Flow Logs?

Answer 42

Information about the traffic flowing and and out of interfaces in the VPC is stored in and can be viewed using CloudWatch logs.

Question 43

True or false: Flow log configurations cannot be changed once they are set up

Answer 43

True

Question 44

What is a Bastion?

Answer 44

A Bastion is an instance which is used to administer instances located in private subnets by permitting SSH and RDP traffic

Question 45

True or false: NAT Instances must have an Elastic IP to work

Answer 45

True

Question 46

How many VPCs are allowed per region?

Answer 46

5

Question 47

Can VPC peering occur between VPCs in different regions?

Answer 47

No

Question 48

True or false: VPCs with overlapping CIDR blocks cannot be peered

Answer 48

True

Question 49

True or False: NAT instances and NAT gateways are available for both IPv4 and IPv6

Answer 49

False. IPv4 only

Question 50

What do you do if your NAT Gateway does not have enough bandwidth to handle the traffic being sent to it?

Answer 50

Split the workload into multiple subnets and great a separate NAT Gateway for each

Question 51

What protocols are supported by NAT Gateways?

Answer 51

TCP, UDP, ICMP

Question 52

What does a route table’s target respresent?

Answer 52

The AWS resource that is responsible for routing the packet

Question 53

What does a route table’s destination represent?

Answer 53

The IP adress range where the packet will ultimately end up

Question 54

Can Security Groups span multiple Availability Zones?

Answer 54

Yes

Question 55

If a VPC-A has an Internet Gateway and is peered with VPC-B that is not internet connected, is it possible to use the peering connection for access between VPC-B and the internet?

Answer 55

No, this is called edge-to-edge routing and is not supported

Question 56

Can you change the tenancy for a VPC after it has been created?

Answer 56

No

Question 57

What are Flow Logs?

Answer 57

Logs which capture information about the traffic going in and out of a VPC, subnet or network interface. They can be accessed from CloudWatch

Question 58

How many subnets can one VPC have?

Answer 58

200, but you can submit a request to Amazon for more

Question 59

At what three levels can flow logs operate?

Answer 59

VPC
Subnet
Network Interface