1
Q

What configuration needs to be done on a NAT instance for it to be able to do NAT?

A

Disable Source/Destination check on the instance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Where does the NAT instance need to be placed? In a private or public subnet?

A

NAT instances must be in a public subnet.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What needs to be done on the private subnet for it to be able to use a NAT instance in the public subnet?

A

There must be a route out of the private subnet to the NAT instance.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

On what depend the amount of traffic that NAT instances can support?

A

It depends on the NAT instance size.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

How can high availability for the NAT instance be achieved?

A

You can create high availability using Auto Scaling groups, multiple subnets in different AZs, and a script to automate failover.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What security consideration do I need to have with NAT instances?

A

The NAT instance must be behind a security group.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What are the advantages of NAT Gateways over NAT instances?

A
  • Scale automatically up to 10Gbps
  • No need to patch
  • Not associated with Security Groups
  • Automatically assigned a public IP address
  • No need to disable Source/Destination checks (do need to update the route tables of course)
  • More secure than NAT instances
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What is allowed/disallowed in the default network ACL of a VPC?

A

By default, it allows all outbound and inbound traffic

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What is allowed/disallowed by default when a new netowrk ACL is created?

A

By default, a new custom network ACL denies all inbound and a¡outbound traffic.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Does a subnet need to be associated with an network ACL?

A

Yes. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

Can a subnet be associated with multiple network ACLs?

A

No, only with one. When you associate a network ACL with a subnet, the previous association is removed.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Can an ACL be associated with multiple subnets?

A

Yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

How does the rules of a network ACL work?

A

Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Are network ACLs stateful or stateless?

A

Stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Can I block specific IP address with Security Groups or network ACLs?

A

Block IP addresses with network ACLs, not Security Groups.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How many public subnets are needed to deploy an application load balancer?

A

At least 2

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Can I enable Flow Logs for VPCs peered with my VPC?

A

Only if the peered VPC is in my account.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Can I tag Flow Logs?

A

No

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

Can I change a VPC Flow Log configuration after its creation?

A

No (example: can’t associate a different IAM role)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What traffic is not monitored in VPC Flow Logs?

A

The following traffic is not monitored.
- Traffic from instances to Amazon DNS servers.
- Traffic generated by a Windows instance for Windows license activation.
- Traffic to and from 169.254.169.254 for instance metadata.
- DHCP traffic.
Traffic to reserved IP address for the default VPC router.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

How many Internet Gateways can I attach to my custom VPC?

A

1

22
Q

Are network ACLs a layer of security for instances or subnets?

A

Security Groups act like a firewall at the instance level, whereas network ACLs are an additional layer of security that act at the subnet level.

23
Q

Are you permitted to conduct your own vulnerability scans on your VPC without contacting AWS first?

A

No

24
Q

By default, how many VPCs am I allowed in each region?

A

5

25
Q

Can a subnet span multiple AZs?

A

No

26
Q

Which is a chief advantage of using VPC endpoints?

A

Traffic between your VPC and the other service foes not leave the Amazon network.

27
Q

What is created automatically when a VPC is created?

A
  • Security Group
  • Network ACL
  • Route Table
28
Q

Which suffix offers the largest range of internal IP addresses? (/16, /20, /24, /28)

A

/16

29
Q

When peering VPCs, can I peer with VPCs in another account?

A

Yes

30
Q

By default, can new subnets in a custom VPC communicate with each other across AZs?

A

Yes

31
Q

How to allow an application in a custom VPC to communicate back to an on-premise data center?

A

Either:
- Using a site-to-site VPN (requiring the VPC to have an Internet Gateway attached), or
- Using Direct Connect
The VPC in which the application sits, must be configured so that it does not have an IP address range that conflicts with that of the on-premise VLAN in which the back-end services sit.

32
Q

What is Customer Gateway?

A

An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.

33
Q

What is a Virtual Private Gateway?

A

An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection. A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance.

34
Q

Are these valid options to combine and configure to establish a successful site-to-site VPN connection from your on-premise network to an AWS VPC?

  • An on-premise Customer Gateway
  • A private subnet in your VPC
  • A Virtual Private Gateway
  • A VPC with hardware VPN access
A

Yes

35
Q

Which IPs in each subnet’s CIDR block are reserved by Amazon?

A

AWS reserve both the first four and the last IP addresses.

First four:

  • 10.0.0.0: Network address.
  • 10.0.0.1: VPC router-
  • 10.0.0.2: DNS…
  • 10.0.0.3: Future use.

Last:
- 10.0.0.255: broadcast.

36
Q

Does the private IP address associated with an EC2 instance remains associated when the instance is stopped and restarted?

A

Yes. The private IP address remains associated with the network interface when the instance is stopped and restarted and is released when the instance is terminated.

37
Q

Does the public IP address associated with an EC2 instance remains associated when the instance is stopped and restarted?

A

No. We release the public IPv4 address and assign a new one when you restart it. The instance retains, however, its associated Elastic IP addresses (if any).

38
Q

At what levels can VPC Flow Logs be created?

A
  • Network interface levels
  • Subnet
  • VPC
39
Q

Which component allows me to SSH or RDP into an EC2 instance located in a private subnet?

A

Bastion Host

40
Q

Can a subnet span AZ’s ?

A

No

41
Q

NAT gw characteristics?

A
Redundant inside AZ
preferred by enterprise
No patching
Not associated with security groups
automatically assigned a public IP
No need to disable source and destination checks
42
Q

Can a NACL be associated with multiple subnets?

A

Yes, but a subnet can only be associated with one ACL

43
Q

Can you enable VPC flow logs for peered VPC’s?

A

Only if the the peered VPC is in your account

44
Q

Can you tag a flow log?

A

No

45
Q

Can you change a flow log configuration after its created?

A

No. You can associate a different IAM role

46
Q

What is not logged in VPC flow logs?

A

DNS traffic, windows licensing, and 169.254.169.254, DHCP, traffic to default VPC router

47
Q

What is direct connect?

A

connect your DC to AWS
Useful for high throughput
and need stable secure connection

48
Q

What can you use to connect your VPC to some AWS service privately without a gateway, NAT, VPN connection or AWS direct connection, without traffic leaving the AWS network?

A

VPC endpoint

49
Q

What are the two types of VPC end points?

A

Interface and Gateway

50
Q

What services do gateway endpoints support?

A

Amazon S3

DynamoDB