VPC Flashcards
What configuration needs to be done on a NAT instance for it to be able to do NAT?
Disable Source/Destination check on the instance.
Where does the NAT instance need to be placed? In a private or public subnet?
NAT instances must be in a public subnet.
What needs to be done on the private subnet for it to be able to use a NAT instance in the public subnet?
There must be a route out of the private subnet to the NAT instance.
What depends on the amount of traffic that NAT instances can support?
It depends on the NAT instance size.
How can high availability for the NAT instance be achieved?
You can create high availability using Auto Scaling groups, multiple subnets in different AZs, and a script to automate failover.
What security consideration do I need to have with NAT instances?
The NAT instance must be behind a security group.
What are the advantages of NAT Gateways over NAT instances?
- Scale automatically up to 10Gbps
- No need to patch
- Not associated with Security Groups
- Automatically assigned a public IP address
- No need to disable Source/Destination checks (do need to update the route tables of course)
- More secure than NAT instances
What is allowed/disallowed in the default network ACL of a VPC?
By default, it allows all outbound and inbound traffic
Does a subnet need to be associated with an network ACL?
Yes. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
Can a subnet be associated with multiple network ACLs?
No, only with one. When you associate a network ACL with a subnet, the previous association is removed.
Can an ACL be associated with multiple subnets?
Yes
How do the rules of a network ACL work?
Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.
Are network ACLs stateful or stateless?
Stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.
Can I block specific IP address with Security Groups or network ACLs?
Block IP addresses with network ACLs, not Security Groups.
How many public subnets are needed to deploy an application load balancer?
At least 2
Can I enable Flow Logs for VPCs peered with my VPC?
Only if the peered VPC is in my account.
Can I tag Flow Logs?
No
Can I change a VPC Flow Log configuration after its creation?
No (example: can’t associate a different IAM role)
What traffic is not monitored in VPC Flow Logs?
The following traffic is not monitored.
- Traffic from instances to Amazon DNS servers.
- Traffic generated by a Windows instance for Windows license activation.
- Traffic to and from 169.254.169.254 for instance metadata.
- DHCP traffic.
Traffic to reserved IP address for the default VPC router.