VPC

Question 1

What is a VPC?

Answer 1

A VPC is basically a virtual data center within the AWS Cloud.

Question 2

How many VPCs can you have in a region?

Answer 2

Soft cap of 5 VPCs in a given region. You can call AWS to increase the limit

Question 3

What security features does VPC have?

Answer 3

NACLS (Network Access Control List)

Security Groups

Question 4

What subnet ranges can you use?

Answer 4

You can use any classful private IP address ranges as well as CIDR/VLSM blocks.

Question 5

What is the lowest and highest prefix length for a subnet you can use in VPC?

Answer 5

/16

/28

Question 6

What are subnets in VPC/AWS?

Answer 6

Each subnet is in its own AZ. 1 subnet = 1AZ

Question 7

How many internet gateways can you have in a VPC?

Answer 7

You can only have 1 internet gateway per VPC.

Question 8

How is a default VPC structured?

Answer 8

All subnets in the default VPC has a route out to the internet.

All EC2 instances have a private and public IP address

Question 9

What is VPC Peering?

Answer 9

VPC peering allows you to connect one VPC with another. You can even connect VPCs in one AWS account with another AWS account’s VPC.

Instances will behave as if they are on the same private network.

Question 10

What type of logical network topography is a VPC peer in?

Answer 10

Star-type, 1 central VPC with other peers connecting to that central VPC. Each peer does not have transitive access to the other through the central VPC. (Not mesh)

Question 11

What do VPCs consist of?

Answer 11

Internet Gateways/VP Gateways, Route Tables, NACLs, Security Groups, Subnets

Question 12

Are Security Groups stateful?

Answer 12

Yes, Security groups are stateful which means that if an inbound connection is allowed, once the session is created outbound will also be allowed even if it’s not explicitly configured so.

Question 13

Are NACLs stateful?

Answer 13

No. NACLs are not stateful. NACLs are stateless. You must explicitly configure inbound and outbound.

Question 14

What does it mean for a network connection to be stateful?

Answer 14

It means that if the connection session has been created whether inbound or outbound the opposite (inbound/outbound) does not need to be explicitly configured.

Question 15

What is a NAT Gateway used for?

Answer 15

A NAT gateway allows a subnet to reach the internet.

Question 16

What is a Bastion (Jump Box)?

Answer 16

A jumpbox/bastion allows you to access the rest of a private network by SSHing or RDPing.

Question 17

What is a VPC Flow Log?

Answer 17

A VPC Flow Log is a type of a log that you can create which captures most IP traffic.

Question 18

What are the 3 Levels VPC Flow Logs can be created at?

Answer 18

3 Levels:

• VPC
• Subnet
• Network Interface

Question 19

What is a requirement that must be in place before you create a VPC Flow Log?

Answer 19

You must have a CloudWatch Log group.

Question 20

Where does a VPC Flow Log end up?

Answer 20

CloudWatch Log

Question 21

What are some examples of traffic which a VPC Flow Log will not capture?

Answer 21

• DNS traffic to an Amazon DNS Server (unless it’s your own)
• Amazon’s Windows Instance Activation traffic
• Traffic from a VPC Peer unless that VPC peer belongs to your own account
• Traffic from and to http://169.254.169.254/latest/meta-data/

Question 22

How should you create NACL rules?

Answer 22

You should create NACL rules by incrementing 100 each rule so you have a chance to omit your rule if you make a mistake

Question 23

What is a VPC Endpoint?

Answer 23

A VPC endpoint is used to communicate with an AWS service through the internal network and not the internet

Question 24

What are the two types of VPC Endpoints and what are their differences?

Answer 24

Interface Endpoint:

• An ENI that is used to receive internal traffic from an AWS service
• Single Host-wide

Gateway Endpoint:

• Used as a gateway/route on a subnet to communicate with an AWS service
• Subnet-wide

Question 25

What are the advantages of a NAT Gateway over a NAT Instance?

Answer 25

Automatically scales to 10Gbit/s. No need to patched, fully managed. Highly Available via elastic IP.

Question 26

What do you have to set up in order to use a NAT instance?

Answer 26

• Src/Dest check disable
• Create EC2 instance from community AMI NAT instance image
• Set 0.0.0.0/0 to point to it from routing table
• Patch it
• Use autoscaling groups/ELBs to scale it
• Use script to failover

Question 27

Once you create a Flow Log are you able to change its configuration?

Answer 27

Nope. Once you create a Flow Log you cannot change its configuration.

Question 28

You are creating an Application Load Balancer. What do you have to have in a VPC before you can do this?

Answer 28

Your VPC must have two public facing subnets as a requirement for creating a Load Balancer is that you have two subnets you can attach it to.

Question 29

What level do security groups operate at?

Answer 29

Security Groups operate at the instance level.

Question 30

How do security groups evaluate rules?

Answer 30

Security groups evaluate all rules

Question 31

Can you set a deny rule on a Security Group?

Answer 31

Nope. Only allow rules