VPC Flashcards

1
Q

Think of a VPC as

A

a logical datacenter in AWS

2
Q

VPCs can span

A

AZs. They cannot span Regions

3
Q

VPCs consist of

A

IGWs (or Virtual Private Gateways), Route Tables, Network ACLs, Subnets, Security Groups

4
Q

1 subnet =

A

1 AZ

5
Q

Security Groups are

A

stateful

6
Q

Network ACLs are

A

stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic, and vice versa

7
Q

You can peer VPCs both in

A

the same account and with other AWS accounts

8
Q

Is transitive peering allowed?

A

No

9
Q

When creating a NAT instance

A

Disable Source/Destination Check on the instance

10
Q

NAT instances must be in a

A

public subnet and be behind a security group

11
Q

NAT instances must have what in order to work?

A

an elastic IP address and a route out of the private subnet to the NAT instance

12
Q

The amount of traffic a NAT instance supports depends on

A

the instance size. If you are bottlenecking, increase the instance size

13
Q

create high availability using

A

Autoscaling Groups, multiple subnets in different AZs and a script to automate failover

14
Q

NAT gateways

A

preferred by enterprises; scale automatically up to 10 Gbps; no need to patch; not associated w/ security groups; assigned a public IP automatically; route tables still need to be updated; no need to disable source/dest checks

15
Q

Default Network ACL

A

created automatically with the VPC; by default it allows all outbound and inbound traffic

16
Q

Custom Network ACL

A

by default it denies all outbound and inbound traffic until you add rules

17
Q

Each subnet in VPC must be associated w/

A

a network ACL and a route table. If you don't explicitly associate a subnet, it is associated with the default network ACL/route table

18
Q

You can associate a nACL with

A

multiple subnets

19
Q

You can associate a subnet with

A

only 1 nACL at a time. When you associate a nACL with a subnet, the previous association is removed

20
Q

Rules in NACL are

A

evaluated in numerical order starting w/ the lowest number. Inbound and outbound rules are separate; each rule can either allow or deny traffic

21
Q

to block IP addresses

A

use nACLs not security groups

22
Q

NAT vs Bastions

A

NAT provides internet traffic to EC2 instances in private subnets. A bastion is used to securely administer EC2 instances in private subnets

23
Q

If you want resiliency

A

always have 2 public subnets and 2 private subnets. Make sure each subnet is in a different AZ. With ELBs, use 2 public subnets in 2 different AZs. With bastions, put them behind an autoscaling group w/ min size = 2 and use Route53 to fail over

24
Q

How many and what type of subnets are required to deploy an application load balancer?

A

2 public subnets

25
Q

Can you enable flow logs for a VPC that is peered to another account?

A

No. You can only enable flow logs for VPCs that are peered with other VPCs in the same account

26
Q

Can you edit a flow log after creation to associate with a different role?

A

No, you cannot change flow log config after creation

27
Q

Can flow logs be tagged?

A

No

28
Q

What type of traffic will not be captured by flow logs?

A

Instances contacting Amazon DNS
Amazon Windows license activation
Traffic to and from 169.254.169.254
DHCP traffic
Traffic to the reserved IP address for the default VPC router