VPC

Question 1

Think of VPC as

Answer 1

a logical datacenter in AWS

Question 2

VPCs can span

Answer 2

AZs. They cannot span Regions

Question 3

VPCs consist of

Answer 3

IGWs (or Virtual Private Gateways), Route Tables, Network ACLs, Subnets, Security Groups

Question 4

1 subnet =

Answer 4

1 AZ

Question 5

Security Groups are

Answer 5

stateful

Question 6

Network ACLs are

Answer 6

stateless. responses to allow inbound traffic are subject to the rules for outbound traffic and vice versa

Question 7

You can peer VPCs both in

Answer 7

same account and with other AWS accounts

Question 8

Is transitive peering allowed?

Answer 8

No

Question 9

When creating a NAT instance

Answer 9

Disable Source/Destination Check on the instance

Question 10

NAT instances must be in a

Answer 10

public subnet and be behind a security group

Question 11

NAT instances must have what in order to work?

Answer 11

elastic IP address, a route out of the private subnet to the NAT instance

Question 12

the amount of traffic that NAT instances supports depends on

Answer 12

the instance size. If you are bottlenecking, increase the instance size

Question 13

create high availability using

Answer 13

Autoscaling Groups, multiple subnets in different AZs and a script to automate failover

Question 14

NAT gateways

Answer 14

preferred by enterprise, scale automatically up to 10 Gbps, No need to patch, not associated w/ security groups, assigned a public IP automatically, update route tables, no need to disable source/dest checks

Question 15

Default Network ACL

Answer 15

created automatically with VPC and by default it allows all outbound and inbound traffic

Question 16

Custom Network ACL

Answer 16

by default it denies all outbound and inbound traffic until you add rules

Question 17

Each subnet in VPC must be associated w/

Answer 17

network ACL/route table. if you don’t explicitly associate a subnet, the subnet associated with default Network ACL/route table

Question 18

You can associate a nACL with

Answer 18

multiple subnets

Question 19

You can associate a subnet with

Answer 19

only 1 nACL at a time. when you associate a nACL with a subnet, previous association is removed

Question 20

Rules in NACL are

Answer 20

evaluated numerically starting w/ lowest number. inbound and outbound rules separate; each can either allow or deny traffic

Question 21

to block IP addresses

Answer 21

use nACLs not security groups

Question 22

NAT vs Bastions

Answer 22

NAT provides internet traffic to EC2 instances in private subnets. Bastion is used to securely administer EC2 instances in private subnets

Question 23

If you want resiliency

Answer 23

always have 2 public subnets and 2 private subnets. make sure each subnet is in different AZs. with ELBs, 2 public subnets in 2 different AZs. with Bastions, put them behind autoscaling group w/ min size = 2 and use Route53 to fail over

Question 24

How many and what type of subnets are required to deploy an application load balancer?

Answer 24

2 public subnets

Question 25

Can you enable flow logs for a VPC that is peered to another account?

Answer 25

No, You can only enable flow logs for VPCs that are peered with other VPCs in the same account

Question 26

Can you edit a flow log after creation to associate with a different role?

Answer 26

No, you cannot change flow log config after creation

Question 27

Can flow logs be tagged?

Answer 27

No

Question 28

What type of traffic will not be captured by flow logs?

Answer 28

Instances contacting Amazon DNS
Amazon windows license activation's
Traffic to and from 169.254.169.254
DHCP traffic
Traffic to revered IP address for the default VPC router