VPC Flashcards

1
Q

What is a VPC?

A

a logically isolated virtual network in AWS, with an IP range (CIDR block) you choose, into which you launch resources;
resembles: private data centers; private corporate networks.

2
Q

Benefits of a VPC

A

ability to launch instances into a subnet of your choosing;
to define custom IP ranges (CIDR blocks) for the VPC and for each subnet;
to configure route tables between subnets;
to configure an internet gateway and attach it to the VPC (a subnet becomes "public" when its route table sends 0.0.0.0/0 to that gateway);
to create a layered network of resources (public tier, private tier);
to extend the network to on-premises over a VPN terminating on a virtual private gateway (VGW), with controlled access;
to use security groups (instance level) and network ACLs (subnet level).

3
Q

NAT Instance

A

routes traffic from a private subnet out through a public subnet;
an ordinary EC2 instance running a NAT-configured AMI, so it sits behind a security group (stateful); that group must explicitly allow inbound traffic from the private subnet's CIDR and outbound traffic to the internet;
source/destination check must be disabled (it forwards packets that are not addressed to itself);
must be in a public subnet and have an Elastic IP;
the private subnet's route table (the main table if the subnet uses it) needs a route 0.0.0.0/0 -> NAT instance;
throughput is bounded by the instance type: increase the instance size if it is a bottleneck;
a single NAT instance is a single point of failure; mitigate with an Auto Scaling group plus a failover script that rewrites the route, or use a NAT gateway.

4
Q

default VPC

A

gives users a ready-to-use VPC without configuring one from scratch;
has an internet gateway attached and a public subnet in each Availability Zone;
each instance launched into it gets a private IP address and, by default, a public IP address;
if you delete the default VPC you can recreate one yourself (aws ec2 create-default-vpc); there is at most one default VPC per region.

5
Q

non-default VPC

A

instances launched into it get only private IP addresses by default (no public IP unless the subnet's auto-assign setting or the launch request asks for one);
reachable from outside only through Elastic IPs, a VPN, or gateway/bastion instances you add;
no internet gateway attached by default.
Creating a custom VPC creates a default security group, a default network ACL and a main route table; it does not create any subnets.

6
Q

VPC peering

A

sets up direct network routing between two VPCs using private IP addresses;
instances communicate with each other as if they were on the same private network;
works between VPCs in the same account or in different accounts, within a region and (since inter-region peering was added) across regions;
the two VPCs' CIDR blocks must not overlap, peering is not transitive, and each side must add a route to the other VPC's CIDR with the peering connection as target.

7
Q

VPC peering Scenarios

A

Peering two VPCs – the company runs multiple AWS accounts and needs to link all the resources as if they were under one private network.
Peering TO a VPC (hub and spoke) – multiple VPCs peer with a central VPC but cannot communicate with each other, only with the central VPC, because peering is not transitive (file sharing, customer access, Active Directory).

8
Q

VPC scenarios

A

with a public subnet only – single-tier apps;
with public and private subnets – web tier public, app/database tier private;
with public and private subnets and a hardware VPN – extending the VPC to on-premises;
with a private subnet only and hardware VPN access – no internet exposure at all.

9
Q

VPC limits

A
(default quotas at the time these notes were written; most can be raised on request)
5 VPCs per region;
200 subnets per VPC;
50 customer gateways per region;
5 internet gateways per region (one per VPC);
5 Elastic IPs per region per AWS account;
50 VPN connections per region;
200 route tables per VPC;
500 security groups per VPC.
10
Q

Bastion vs NAT

A

a NAT is used to give EC2 instances in private subnets outbound internet access (updates, package downloads) without exposing them to inbound connections;
a bastion (jump host) is used to securely administer EC2 instances in private subnets over SSH or RDP.
Bastion – keep it in a public subnet, restrict its security group to trusted admin IPs, and allow port 22/3389 on the private instances only from the bastion's security group (high availability: a bastion in two public subnets in an Auto Scaling group, with Route 53 health checks on those bastions).

11
Q

NAT gateway

A

released by AWS in late 2015, fully managed;
Amazon maintains it for you, nothing to patch yourself (security patches applied by AWS);
create the gateway in a public subnet and associate an Elastic IP with it;
add a route in the private subnet's route table (the main table if the subnet uses it): 0.0.0.0/0 -> NAT gateway;
no source/destination check to disable and no security group to manage (a NAT gateway cannot have one; filter with network ACLs on the subnet instead);
redundant within its Availability Zone, so no Auto Scaling group is needed; for AZ fault tolerance create one NAT gateway per AZ and route each private subnet to the one in its own AZ;
scales automatically (originally up to 10 Gbps; the ceiling has since been raised) and costs more than a NAT instance, but is the right choice for production.
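The routing on the NAT, peering and peering-scenario cards comes down to one mechanism: a VPC route table picks the most specific matching prefix, and whatever target that row names is where the packet goes. The simulation below is an added example, not code from the page or from AWS; the CIDRs, peering connection names (pcx-...), gateway names (igw-..., nat-...) and subnet names are hypothetical. It shows why a hub-and-spoke peering is not transitive (spoke A's traffic for spoke B falls through to the 0.0.0.0/0 route and leaves via NAT instead of reaching spoke B), what makes a subnet "public", and the CIDR-overlap check that blocks a peering request.

```python
import ipaddress

# Constructed route tables for a hub-and-spoke peering layout (hypothetical
# CIDRs, peering IDs and gateway names; not taken from the page). Each table
# is a list of (destination CIDR, target), the two columns of an AWS route table.
ROUTE_TABLES = {
    "hub-public": [
        ("10.0.0.0/16", "local"),
        ("10.1.0.0/16", "pcx-hub-spokeA"),
        ("10.2.0.0/16", "pcx-hub-spokeB"),
        ("0.0.0.0/0", "igw-hub"),           # public subnet: default route to the IGW
    ],
    "hub-private": [
        ("10.0.0.0/16", "local"),
        ("10.1.0.0/16", "pcx-hub-spokeA"),
        ("10.2.0.0/16", "pcx-hub-spokeB"),
        ("0.0.0.0/0", "nat-hub"),           # private subnet: default route to the NAT gateway
    ],
    "spokeA-private": [
        ("10.1.0.0/16", "local"),
        ("10.0.0.0/16", "pcx-hub-spokeA"),  # only the hub is peered, not spoke B
        ("0.0.0.0/0", "nat-spokeA"),
    ],
    "spokeA-isolated": [
        ("10.1.0.0/16", "local"),           # no default route at all: no internet
    ],
}


def lookup(route_table, dst):
    """Pick the target for dst the way a VPC route table does: longest prefix wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target          # None when no row matches (packet is dropped)


def is_public_subnet(route_table):
    """A subnet is 'public' only if its table sends 0.0.0.0/0 to an internet gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)


def has_private_path(route_table, dst):
    """True if dst is reached inside the VPC ('local') or over a peering connection.
    Anything else (NAT, IGW, no route) means the traffic leaves the private network
    or is dropped: this is what makes peering non-transitive."""
    target = lookup(route_table, dst)
    return target == "local" or (target is not None and target.startswith("pcx-"))


def can_peer(cidr_a, cidr_b):
    """A peering request is refused when the two VPC CIDR blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    rt = ROUTE_TABLES["spokeA-private"]
    print(lookup(rt, "10.0.5.9"))                   # pcx-hub-spokeA: hub reached over peering
    print(lookup(rt, "10.2.5.9"))                   # nat-spokeA: spoke B is not reachable
    print(has_private_path(rt, "10.2.5.9"))         # False
    print(lookup(ROUTE_TABLES["spokeA-isolated"], "8.8.8.8"))   # None
    print(can_peer("10.0.0.0/16", "10.0.128.0/17"))             # False, overlapping
```

The spoke-to-spoke case is the one to remember for design reviews: a route to the hub's CIDR via the peering connection does not carry traffic for the other spoke, so anything that needs spoke-to-spoke reachability needs its own peering (or a transit hub).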

12
Q

ACL vs SG

A

Security groups are stateful – return traffic for a connection allowed inbound is allowed out automatically, and vice versa (allow rules only, no deny rules)
• by default all inbound is denied, all outbound is allowed
• apply per instance (ENI) and span all AZs of the VPC
ACLs are stateless – inbound and outbound are evaluated separately, so return traffic needs its own rule
• the default ACL allows all inbound and outbound traffic and is associated with every subnet that has no explicit ACL association
• a custom ACL denies all inbound and outbound traffic until you add rules and is not associated with any subnet
• a subnet is associated with exactly one ACL (one ACL can cover many subnets); rules are numbered and evaluated lowest number first, first match wins (recommended to number in steps of 100)
• rule no. 99 takes precedence over rule no. 100: if 99 denies and 100 allows the same traffic, it is denied
• can span AZs (associate the same ACL with subnets in different AZs)

13
Q

Ephemeral port

A

1024 – 65535 (the ephemeral, client-side port range) must be allowed in a network ACL's outbound rules for return traffic, because ACLs are stateless: a client connects from a random high port and the reply goes back to that port. The same applies inbound for connections the instance initiates.

If you want to BLOCK an IP address you must use a network ACL, because security groups have no deny rules.
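The three points on the ACL vs SG and ephemeral-port cards (stateful vs stateless, lowest rule number wins, and no deny in a security group) are easiest to see by running a request and its reply through each filter. The simulation below is an added example, not code from the page or from AWS; the addresses, rule numbers and port numbers are constructed. The security group needs one inbound rule for HTTPS to work, because it remembers the connection; the network ACL with only port 443 open both ways silently breaks the reply until an outbound rule for 1024-65535 is added; and a deny at rule 99 beats an allow at rule 100.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def _rule_matches(proto, lo, hi, cidr, pkt_proto, remote_ip, port):
    return (proto in ("any", pkt_proto)
            and lo <= port <= hi
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Stateful, allow-only filter at the instance (ENI) level.
    Rules are (proto, from_port, to_port, cidr). Defaults: inbound deny all,
    outbound allow all. A connection admitted in one direction is tracked so
    its return traffic passes without a rule in the other direction."""

    def __init__(self, inbound, outbound=None):
        self.inbound = list(inbound)
        self.outbound = list(outbound) if outbound is not None else [("any", 0, 65535, "0.0.0.0/0")]
        self.flows = set()   # (local_ip, local_port, remote_ip, remote_port)

    def inbound_allowed(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True      # reply to a tracked outbound connection
        if any(_rule_matches(*r, pkt.proto, pkt.src, pkt.dport) for r in self.inbound):
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return True
        return False         # there are no deny rules; unmatched traffic is just dropped

    def outbound_allowed(self, pkt):
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.flows:
            return True      # reply to a tracked inbound connection
        if any(_rule_matches(*r, pkt.proto, pkt.dst, pkt.dport) for r in self.outbound):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


class NetworkAcl:
    """Stateless filter at the subnet level. Rules are
    (number, action, proto, from_port, to_port, cidr); evaluated lowest number
    first, first match wins, implicit deny when nothing matches. No state is
    kept, so return traffic must be allowed by its own rule."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    @staticmethod
    def _evaluate(rules, pkt_proto, remote_ip, port):
        for _num, action, proto, lo, hi, cidr in rules:
            if _rule_matches(proto, lo, hi, cidr, pkt_proto, remote_ip, port):
                return action == "allow"
        return False

    def inbound_allowed(self, pkt):
        return self._evaluate(self.inbound, pkt.proto, pkt.src, pkt.dport)

    def outbound_allowed(self, pkt):
        # Outbound rules match the destination port, which for a reply is the
        # client's ephemeral port: hence the 1024-65535 outbound rule.
        return self._evaluate(self.outbound, pkt.proto, pkt.dst, pkt.dport)


# Constructed addresses: a client on the internet talking HTTPS to a web instance.
CLIENT, SERVER, ANY = "203.0.113.10", "10.0.1.5", "0.0.0.0/0"
REQUEST = Packet(CLIENT, SERVER, 51000, 443)   # client's ephemeral port -> server 443
REPLY = Packet(SERVER, CLIENT, 443, 51000)     # server 443 -> client's ephemeral port


def exchange_completes(filt):
    """Does a full HTTPS request/reply get through the filter?"""
    return filt.inbound_allowed(REQUEST) and filt.outbound_allowed(REPLY)


def sg_https():
    # One inbound rule is enough: the reply is allowed by connection state.
    # It also shows the limitation: there is no way to deny 203.0.113.10 here.
    return exchange_completes(SecurityGroup(inbound=[("tcp", 443, 443, ANY)]))


def nacl_https_without_ephemeral():
    # Common mistake: only port 443 opened in both directions; the reply is dropped.
    return exchange_completes(NetworkAcl(
        inbound=[(100, "allow", "tcp", 443, 443, ANY)],
        outbound=[(100, "allow", "tcp", 443, 443, ANY)]))


def nacl_https_with_ephemeral():
    return exchange_completes(NetworkAcl(
        inbound=[(100, "allow", "tcp", 443, 443, ANY)],
        outbound=[(100, "allow", "tcp", 1024, 65535, ANY)]))


def nacl_deny_rule_wins():
    # Rule 99 denies the client's /24 before rule 100 gets a chance to allow 443.
    return exchange_completes(NetworkAcl(
        inbound=[(100, "allow", "tcp", 443, 443, ANY),
                 (99, "deny", "tcp", 0, 65535, "203.0.113.0/24")],
        outbound=[(100, "allow", "tcp", 1024, 65535, ANY)]))
```

Note what the deny in nacl_deny_rule_wins does not do: the ACL blocks the listed /24 for the whole subnet, and nothing in a security group could express that, which is the reason the card says IP blocking belongs in a network ACL.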

14
Q

VPC Flowlogs:

A

capture IP traffic metadata (source/destination address and port, protocol, packets, bytes, ACCEPT or REJECT) for a whole VPC, a subnet or a single ENI; packet payloads are not captured. Setup: create an IAM role the flow logs service can assume and a CloudWatch Logs log group (a log stream per ENI is created automatically), or deliver to an S3 bucket. Some traffic is never logged (queries to the Amazon DNS resolver, instance metadata, DHCP).
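Once the records land in CloudWatch Logs or S3 they are just space-separated lines, so the security value is in what you compute over them. The parser below is an added example, not code from the page or from AWS; the records are constructed (documentation account ID and address ranges) in the default version-2 format: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status. It drops NODATA/SKIPDATA records, counts REJECTs per source (traffic a security group or ACL refused) and flags a source rejected on many distinct ports, the shape of a port scan that the filters absorbed.

```python
from collections import Counter, defaultdict

# Constructed VPC Flow Log records (default format, version 2). The account ID is
# the AWS documentation placeholder and the addresses are documentation ranges.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.5 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.5 51001 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.5 51002 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.5 51003 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.5 51004 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.5 40000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.5 198.51.100.7 443 40000 6 18 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000120 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse(text):
    """Parse default-format records into dicts; '-' becomes None. Records whose
    log-status is not OK (NODATA / SKIPDATA) carry no traffic and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue   # malformed line or a custom format: ignore rather than crash
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        if rec["log_status"] == "OK":
            records.append(rec)
    return records


def rejects_by_source(records):
    """How many flows each source had REJECTed by a security group or network ACL."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def suspected_scanners(records, min_ports=3):
    """Sources rejected on at least min_ports distinct TCP destination ports:
    the signature of a port scan that the filters are absorbing."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == 6:   # 6 = TCP
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def bytes_accepted_from(records, srcaddr):
    """Volume that actually got through from one source (useful for exfil/abuse triage)."""
    return sum(r["bytes"] for r in records
               if r["action"] == "ACCEPT" and r["srcaddr"] == srcaddr)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(rejects_by_source(recs))            # Counter({'203.0.113.10': 4})
    print(suspected_scanners(recs))           # ['203.0.113.10']
    print(bytes_accepted_from(recs, "198.51.100.7"))   # 4000
```

A REJECT means the packet reached the ENI and was refused by a security group or ACL, so a burst of them from one source across many ports is a cheap, payload-free scan detector; the accompanying ACCEPT on 443 from the same source is the part worth correlating with application logs.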

15
Q

VPC Cleanup

A

you cannot delete a VPC while it still has running instances, an ELB or other dependent resources (NAT gateways, network interfaces, peering connections, VPC endpoints); terminate or delete those first, then the VPC.
