VPC

Question 1

NAT Gateways characteristics

Answer 1

• Redundant inside the AZ
• Starts at 5 Gbps and scales to 45 Gbps
• No need to patch
• Not associated with Security Groups
• Automatically assigned a public IP address

Question 2

What is allowed/disallowed in the default network ACL of a VPC?

Answer 2

By default, it allows all outbound and inbound traffic

Question 3

What is allowed/disallowed by default when a new ACL is created?

Answer 3

By default, a new custom network ACL denies all inbound and outbound traffic until you add rules

Question 4

Does a subnet need to be associated with an ACL?

Answer 4

Yes. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

Question 5

Can a subnet be associated with multiple ACLs?

Answer 5

No, only with one. When you associate a network ACL with a subnet, the previous association is removed.

Question 6

Can an ACL be associated with multiple subnets?

Answer 6

Yes

Question 7

How does the rules of a network ACL work?

Answer 7

Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.

Question 8

Are network ACLs stateful or stateless?

Answer 8

Stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.

Question 9

Can I block specific IP address with Security Groups or network ACLs?

Answer 9

Block IP addresses with network ACLs, not Security Groups.

Question 10

How many public subnets are needed to deploy an application load balancer?

Answer 10

At least 2

Question 11

Are network ACLs a layer of security for instances or subnets?

Answer 11

Security Groups act like a firewall at the instance level, whereas network ACLs are an additional layer of security that act at the subnet level.

Question 12

By default, how many VPCs am I allowed in each region?

Answer 12

5

Question 13

Can a subnet span multiple AZs?

Answer 13

No

Question 14

When peering VPCs, can I peer with VPCs in another account?

Answer 14

Yes

Question 15

By default, can new subnets in a custom VPC communicate with each other across AZs?

Answer 15

Yes

Question 16

Which IPs in each subnet’s CIDR block are reserved by Amazon?

Answer 16

AWS reserve both the first four and the last IP addresses.

First four:

• 10.0.0.0: Network address.
• 10.0.0.1: VPC router-
• 10.0.0.2: DNS…
• 10.0.0.3: Future use.

Last:
- 10.0.0.255: broadcast.

Question 17

Does the private IP address associated with an EC2 instance remains associated when the instance is stopped and restarted?

Answer 17

Yes. The private IP address remains associated with the network interface when the instance is stopped and restarted and is released when the instance is terminated.

Question 18

Does the public IP address associated with an EC2 instance remains associated when the instance is stopped and restarted?

Answer 18

No. We release the public IPv4 address and assign a new one when you restart it. The instance retains, however, its associated Elastic IP addresses (if any).

Question 19

Which component allows me to SSH or RDP into an EC2 instance located in a private subnet?

Answer 19

Bastion Host

Question 20

How to achieve High Availability when using NAT Gateways?

Answer 20

If you have resources in multiple AZs and they share a NAT Gateway, in the event the NAT Gateway’s AZ goes down, resources in the other AZ lose internet access.

To create an AZ-independent architecture, create a NAT Gateway in each AZ and configure your routing to ensure resources use the NAT Gateway in the same AZ.

Question 21

Are Security Groups stateful or stateless?

Answer 21

Security Groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.

Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

Question 22

AWS Direct Connect

Answer 22

• Direct Connect directly connects your data center to AWS
• Useful for high-throughput workloads
• Helpful when you need a stable and reliable secure connection

Question 23

VPC Endpoints

Answer 23

• Use case: When you want to connect AWS services without leaving the Amazon internal network
• 2 types of VPC endpoints: Interface endpoints and gateway endpoints
• Gateway endpoints: Support S3 and DynamoDB

Question 24

VPC Peering

Answer 24

• Allows you to connect 1 VPC with another via a direct network route using private IP addresses
• Instances behave as if they were on the same private network
• You can peer VPCwith other AWS accounts as well with other VPC in the same account
• Peering is in a start configuration. No transitive peering.
• You can peer between regions

Question 25

Can you do VPC peering between regions?

Answer 25

Yes

Question 26

AWS PrivateLink

Answer 26

• To peer VPCs to tens, hundreds, or thousands of customer VPCs
• Doesn’t require VPC peering. No route tables, NAT gateways, internet gateways.
• Requires a Network Load Balancer on the service VPC and an ENI on the client VPC

Question 27

AWS Transit Gateway

Answer 27

• You can route tables to limit how VPCs talk to one another
• Works with Direct Connect as well as VPN connections
• Supports IP multicast (not supported by any other AWS service)

Question 28

AWS VPN CloudHub

Answer 28

The AWS VPN CloudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. Use this approach if you have multiple branch offices and existing Internet connections and would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.