VPC

Question 1

VPC

Answer 1

Amazon Virtual Private Cloud that lets you provision logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define

Question 2

Hardware VPN

Answer 2

Hardware Virtual Private Network - connection between your corporate datacenter and your VPC; leveraging the AWS cloud as an extension of your corporate DC

Question 3

What can you do with VPCs?

Answer 3

1. Launch instances into a subnet of your choosing
2. Assign custom IP address ranges in each subnet
3. Configure route tables between subnets
4. Create internet gateway and attach it to our VPC
5. Much better security control over your AWS resources
6. Instance security groups
7. Subnet NACL

Question 4

Default VPC vs Custom VPC

Answer 4

1. Default VPC is user friendly, allowing you to immediately deploy instances
2. All subnets in default VPC have a route to the internet
3. Each EC2 instance has both public and private IP address

Question 5

VPC Peering allows you to

Answer 5

connect one VPC with another via a direct network route using Private IP addresses

Question 6

In VPC peering, instances behave as if

Answer 6

they were on the same private network

Question 7

You can peer VPCs with

Answer 7

1. other AWS accounts

2. other VPCs in the same account

Question 8

Peering should be configured as

Answer 8

star configuration (1 central VPC peers with 4 others)

Question 9

Transitive Peering

Answer 9

Means that B can’t go directly to C through A - there has to be a connection from B to C.

Question 10

Think of VPC as a logical

Answer 10

DC in AWS

Question 11

VPC consists of

Answer 11

1. IGW (VPG)
   2.Route tables
2. NACL
   4, Subnets
3. Security Groups

Question 12

Subnet to AZ ratio

Answer 12

1 Subnet = 1 AZ

Question 13

Security Groups vs NACL in terms of defining rules

Answer 13

Security groups are STATEFUL while NACLS are stateless

Question 14

Transitive peering is not allowed - true or false

Answer 14

true

Question 15

Security groups only ? rules

Answer 15

allow rules ; no deny

Question 16

with NACL, what can you do with rules?

Answer 16

allow and deny

Question 17

When a new VPC gets created, these get created automatically:

Answer 17

1. Route Table
2. NACL
3. Default Security Group

Question 18

IP addresses reserved for amazon use

Answer 18

first 4 and last IP in each subnet CIDR block (5)

Question 19

What setting needs to be changed for a public subnet to be publicly accessible?

Answer 19

Auto-assign public IP should be changed to yes (default is no)

Question 20

What happens when you initially create an IGW, does it automatically attaches to a VPC?

Answer 20

No

Question 21

How many IGW can be attached to a VPC?

Answer 21

1

Question 22

Security groups in relation to VPC

Answer 22

it doesn’t span VPCs

Question 23

When a new VPC gets created, these do not get created automatically

Answer 23

1. Subnets

2. Default IGW

Question 24

How are AZs assigned?

Answer 24

randomized; US-East-1A in your AWS account can be a completely different zone to US-East-1A in another AWS account

Question 25

Default behavior of Security groups in terms of accessing each other

Answer 25

don’t allow access to each other

Question 26

NAT

Answer 26

Network Address Translation

Question 27

What is a NAT Instance

Answer 27

a single ec2 instance that lives in your public subnet that allows your private instances to connect to the internet while blocking inbound traffic from the internet

Question 28

NAT gateway

Answer 28

highly available gateway that allows your private subnets to communicate to the internet without becoming public

Question 29

NAT instance vs NAT gateway

Answer 29

NAT gateway offers great availability and bandwidth and require less configuration and administration compared to NAT instance

Question 30

What should be disabled to make an EC2 instance a NAT instance?

Answer 30

Disable source/destination check - it should be able to send and receive traffic when the source or destination is not itself

Question 31

NAT instances must be in a ? subnet

Answer 31

public

Question 32

In order for the NAT instance to work

Answer 32

there has to be route out of the private subnet to the NAT instance

Question 33

The amount of traffic that the NAT instance can support depends on the

Answer 33

instance size..if there’s a bottleneck, increase the instance size

Question 34

A nat instance is behind what component in the configuration?

Answer 34

security group

Question 35

Patching for NAT instance in comparison to NAT gateway

Answer 35

NAT instances need to be patched unlike NAT gateway

Question 36

NAT gateways are redundant inside

Answer 36

AZ

Question 37

NAT gateways are not associated with

Answer 37

security groups

Question 38

NAT gateways are automatically assigned a

Answer 38

public ip address

Question 39

NAT gateways can be shared by ? and its downfall?

Answer 39

resources in multiple AZs but if that AZ goes down, all your resources will lose internet access

Question 40

NAT instances are preferred over NAT gateway - true or false

Answer 40

false; NAT gateways are preferred

Question 41

What are the default rules when a NACL is created

Answer 41

default inbound and outbound rules only have DENY everything

Question 42

VPC automatically comes with a default NACL - TRUE OR FALSE

Answer 42

TRUE

Question 43

What are the Default NACL rules that gets tied to VPC when it gets created?

Answer 43

allows all outbound and inbound traffic

Question 44

Custom NACL rules

Answer 44

denies all inbound and outbound traffic until you rules - STATELESS

Question 45

Each subnet in your VPC must be associated with

Answer 45

a NACL

Question 46

If you don’t explicitly associate a subnet with a NACL, the subnet is automatically associated with

Answer 46

default NACL

Question 47

How can IP addresses blocked

Answer 47

using NACLS not security groups

Question 48

NACL relationship to a subnet

Answer 48

one NACL can be associated with multiple subnets

Question 49

Subnet relationship to NACL

Answer 49

a subnet can only be associated to one NACL

Question 50

Evaluation of numbered rules in NACLS

Answer 50

evaluation in order starting with the lowest numbered rule

Question 51

NACLS have separate inbound and outbound rules and each rule can either allow or deny traffic - TRUE OR FALSE

Answer 51

TRUE

Question 52

NACLS are stateless..meaning

Answer 52

responses to allowed inbound traffic are subject to the rules for outbound traffic and vice versa

Question 53

When will the NACLS rule change take effect

Answer 53

immediately

Question 54

If you deny a particular IP address in your NACL, will it reach your security group

Answer 54

no

Question 55

When defining a Load balancer, you need to have at least how many subnets

Answer 55

2

Question 56

If you’re going to use a subnet for Load Balancer, what do you need to have?

Answer 56

it has to be public subnet with IGW attached

Question 57

VPC flow logs

Answer 57

feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC

Question 58

Flow log data is stored using

Answer 58

Amazon cloudwatch logs

Question 59

Flow logs can be created at 3 levels:

Answer 59

1. VPC
2. Subnet
3. Network Interface Level

Question 60

You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account - true or false

Answer 60

true

Question 61

Can you tag a flow log

Answer 61

NO

Question 62

After you’ve created a flow log, you can still change its configuration - true of false

Answer 62

false

Question 63

Not all IP traffic is monitored:

Answer 63

1. Traffic generated by instances when they contact Amazon DNS.
2. Traffic generated by a windows instance for Amazon windows license activation
3. Traffic to and from 169.254.169.254 for instance metadata.
4. DHCP traffic
5. Traffic to the reserved IP addresses for the default VPC router

Question 64

Bastion host

Answer 64

special purpose computer on a network specifically designed and configured to withstand attacks

Question 65

NAT Gateway/NAT instance - used to provide

Answer 65

internet traffic to EC2 instances in a private subnet

Question 66

Bastion is used to securely

Answer 66

administer EC2 instances using SSH or RDP

Question 67

NAT gateways can be used as Bastion host - true or false

Answer 67

false

Question 68

AWS Direct connect

Answer 68

cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS

Question 69

Direct connect directly connects your

Answer 69

DC to AWS

Question 70

Direct connect is useful for

Answer 70

1. high throughput workloads (lots of network traffic)

2. need a stable and reliable secure connection

Question 71

VPC End point

Answer 71

enables you to privately connect your vpc to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection or AWS Direct Connect connection.

Question 72

Instances in your VPC require public ip address to communicate with resource in the service - true /false

Answer 72

false

Question 73

If you use the VPC endpoint, traffic between your VPC and other service do not leave the amazon network

Answer 73

true

Question 74

2 types for end points

Answer 74

1. Interface Endpoints

2. Gateway Endpoints

Question 75

Interface Endpoint

Answer 75

an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported device

Question 76

Gateway Endpoint supports

Answer 76

1. S3

2. Dynamo DB