VPC Flashcards
What is a VPC?
It is like a logical data centre inside AWS: an isolated virtual network in one region.
It consists of subnets, gateways, route tables, network access control lists (NACLs) and security groups.
What is the use of NAT Gateway
It is a gateway used by instances in private subnets to reach the internet (outbound only); the internet cannot initiate a connection to those instances through it.
Difference between NAT instance and NAT Gateway
A NAT instance is a single EC2 instance that you manage and patch yourself (and a single point of failure unless you script failover); a NAT gateway is a managed, highly available gateway within its Availability Zone that scales automatically. Both let instances in private subnets talk to the internet.
What are the default rules for a new NACL?
A new custom NACL denies all inbound and outbound traffic by default; it contains only the final "*" deny rule.
Rules are evaluated in ascending order of rule number, starting with the lowest, and the first rule that matches is applied. A deny numbered 50 therefore beats an allow numbered 100 for the same traffic, and a deny numbered 150 never fires for traffic that rule 100 already allows.
Inbound and outbound rules are specified independently and can either allow or deny traffic.
Do we have to create NACL while creating VPC?
No. A default NACL is created automatically with the VPC.
The default NACL allows all inbound and outbound traffic.
Every subnet added to the VPC is automatically associated with the default NACL until you associate it with a custom one.
Relationship between NACL and Security groups?
For inbound traffic the NACL on the subnet is evaluated before the security group on the instance; for outbound traffic the security group is evaluated first and then the NACL. Traffic must be allowed by both to get through.
What is the best option to block ip addresses, Security groups or NACL’S?
NACLs. Security groups only have allow rules, so the only way to explicitly deny a specific IP address or CIDR range is a NACL deny rule with a lower rule number than any allow rule that would otherwise match.
What is the relationship between Subnets and NACL’s
Each subnet is associated with exactly one NACL at a time, but one NACL can be associated with many subnets.
What is VPC flow log?
It is a feature that captures metadata about the IP traffic (addresses, ports, protocol, packet and byte counts, and whether it was accepted or rejected) flowing through the network interfaces of a VPC, a subnet or a single instance. It records headers and the action taken, not packet payloads. Rejected flows are the first thing to look at when a security group or NACL is silently dropping traffic.
What kinds of traffic are not captured by flow logs?
1) Traffic to the Amazon DNS server (traffic to your own DNS server is logged)
2) Windows licence activation traffic
3) DHCP traffic
4) Calls to the instance metadata service (169.254.169.254)
5) Traffic to the reserved IP address of the default VPC router
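Flow logs only become useful once you parse them. The following is an added example, not code from the flashcards: a parser for the default flow log record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) that skips NODATA/SKIPDATA records and counts rejected TCP attempts against administrative ports per source address. The log lines, the account ID and the interface ID are constructed for illustration, and the list of sensitive ports is an assumption of the example.

```python
"""Parse VPC flow log records (default format) and flag rejected
connection attempts to sensitive ports.

Added example, not from the original flashcards. The sample log lines
below are constructed; the field layout is the default flow log format.
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

DEFAULT_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Ports a practitioner would not expect to see probed from outside
# (assumption of this example; adjust to the environment).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


class FlowRecord(NamedTuple):
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    byte_count: int
    action: str
    log_status: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for NODATA/SKIPDATA records, which carry
    '-' placeholders instead of addresses and ports."""
    parts = line.split()
    if len(parts) != len(DEFAULT_FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(DEFAULT_FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        packets=int(rec["packets"]),
        byte_count=int(rec["bytes"]),
        action=rec["action"],
        log_status=rec["log_status"],
    )


def rejected_probes(lines: List[str]) -> Dict[str, Counter]:
    """Count REJECTed TCP (protocol 6) attempts to sensitive ports, keyed by
    source address: {srcaddr: Counter({service: hits})}."""
    hits: Dict[str, Counter] = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.action != "REJECT" or rec.protocol != 6:
            continue
        service = SENSITIVE_PORTS.get(rec.dstport)
        if service is None:
            continue
        hits.setdefault(rec.srcaddr, Counter())[service] += 1
    return hits


# Constructed sample: one accepted SSH session from inside the VPC, three
# rejected probes from one external address, and a NODATA record.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 10.0.1.20 10.0.2.15 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 10.0.2.15 41022 22 6 1 60 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 10.0.2.15 41023 3389 6 1 60 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 198.51.100.7 10.0.2.15 41024 22 6 1 60 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1431280876 1431280934 - NODATA
""".splitlines()

if __name__ == "__main__":
    for src, counts in rejected_probes(SAMPLE_LOG).items():
        print(src, dict(counts))
```

The same loop over real records pulled from CloudWatch Logs or S3 gives a quick answer to "who is knocking on 22 and 3389 and getting refused", which is usually where an NACL deny rule for a noisy source is justified.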
What is Bastion Host
It is a jump box that sits in a public subnet and through which administrators reach instances in private subnets. It is hardened: only the remote-access service it fronts (typically SSH or RDP) is exposed, its inbound security group is restricted to known administrator IP ranges, and everything else is removed to reduce the attack surface.
What is Direct Connect in AWS?
A dedicated private network connection from customer premises to an AWS region and its services. Useful for high-throughput workloads or when you need a consistent, private and highly available connection. Note that Direct Connect traffic is not encrypted by default; run a VPN (or MACsec on supported ports) over it if confidentiality is required.
What is VPC endpoint?
It is a way to connect a VPC privately to supported AWS services such as S3 and DynamoDB without an internet gateway, NAT device, VPN or Direct Connect connection, so the traffic never leaves the AWS network.
Difference between NACL and Security group?
Security groups are stateful, whereas NACLs are stateless.
A NACL has separate inbound and outbound rules that can allow or deny connections. Because it is stateless, return traffic must be allowed explicitly, for example with an outbound rule for the ephemeral port range 1024-65535; forgetting it is the classic reason a web server behind a custom NACL accepts requests but never answers. The NACL is the first line of defence at the subnet boundary, followed by the security group on the instance.
A security group has allow rules only (no deny rules), and if a port is opened to allow a request, the response is allowed back automatically regardless of the outbound rules.
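The stateless/stateful difference and the rule-number ordering are easiest to see on a concrete request/response pair. The following is an added example, not code from the flashcards: a small model in which a NACL evaluates every packet on its own in ascending rule-number order with an implicit "*" deny, while a security group tracks flows and lets the response to an allowed request back out even with no outbound rules. The addresses, ports and rule numbers are constructed for illustration.

```python
"""Model a stateless NACL beside a stateful security group on the same
request/response pair, and show why NACL rule numbers matter.

Added example, not from the original flashcards. Addresses, ports and
rule numbers are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" (towards the instance) or "out" (away from it)


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str
    cidr: str
    port_lo: int
    port_hi: int
    action: str  # "allow" or "deny"


def _remote_addr(pkt: Packet) -> ipaddress.IPv4Address:
    # The address a rule's CIDR is compared against is the far end.
    return ipaddress.ip_address(pkt.src if pkt.direction == "in" else pkt.dst)


def nacl_evaluate(rules: List[NaclRule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Stateless: each packet is matched on its own. Rules are tried in
    ascending rule number, first match wins, and the implicit '*' rule
    denies anything unmatched. Returns (decision, matching rule number)."""
    remote = _remote_addr(pkt)
    candidates = sorted((r for r in rules if r.direction == pkt.direction),
                        key=lambda r: r.number)
    for rule in candidates:
        # The port range of a NACL rule is matched against the destination port.
        if remote in ipaddress.ip_network(rule.cidr) and rule.port_lo <= pkt.dport <= rule.port_hi:
            return rule.action, rule.number
    return "deny", None


def _flow_key(pkt: Packet) -> FrozenSet[Tuple[str, int]]:
    # The unordered pair of endpoints identifies both request and response.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


@dataclass
class SecurityGroup:
    """Stateful: allow rules only; a packet belonging to an already allowed
    flow passes in either direction without consulting the rules again."""
    inbound: List[Tuple[str, int, int]]   # (cidr, port_lo, port_hi)
    outbound: List[Tuple[str, int, int]]
    tracked: Set[FrozenSet[Tuple[str, int]]] = field(default_factory=set)

    def evaluate(self, pkt: Packet) -> str:
        key = _flow_key(pkt)
        if key in self.tracked:
            return "allow"
        rules = self.inbound if pkt.direction == "in" else self.outbound
        remote = _remote_addr(pkt)
        for cidr, lo, hi in rules:
            if remote in ipaddress.ip_network(cidr) and lo <= pkt.dport <= hi:
                self.tracked.add(key)
                return "allow"
        return "deny"  # no deny rules exist; unmatched traffic is simply dropped


def demo() -> dict:
    client, server = "203.0.113.9", "10.0.2.15"
    request = Packet(client, server, 51515, 443, "in")
    response = Packet(server, client, 443, 51515, "out")

    # Security group: inbound 443 from anywhere and deliberately no outbound
    # rules, to show that the response still gets back out.
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])

    # NACL that allows the request but forgets the ephemeral-port reply...
    broken_nacl = [NaclRule(100, "in", "0.0.0.0/0", 443, 443, "allow")]
    # ...and the same NACL with the outbound ephemeral-port allow added.
    fixed_nacl = broken_nacl + [NaclRule(100, "out", "0.0.0.0/0", 1024, 65535, "allow")]

    # Blocking one client only works if the deny has the lower rule number.
    block = NaclRule(50, "in", f"{client}/32", 0, 65535, "deny")
    block_too_late = NaclRule(150, "in", f"{client}/32", 0, 65535, "deny")

    return {
        "sg_request": sg.evaluate(request),
        "sg_response": sg.evaluate(response),
        "nacl_request": nacl_evaluate(broken_nacl, request),
        "nacl_response_without_ephemeral_rule": nacl_evaluate(broken_nacl, response),
        "nacl_response_with_ephemeral_rule": nacl_evaluate(fixed_nacl, response),
        "deny_numbered_50": nacl_evaluate(fixed_nacl + [block], request),
        "deny_numbered_150": nacl_evaluate(fixed_nacl + [block_too_late], request),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two verdicts worth remembering: the security group passes the response with an empty outbound rule set because it remembers the request, while the NACL without the ephemeral-port rule drops it; and a deny for the client numbered 150 never fires because rule 100 has already allowed the packet.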
How do you connect to an EC2 machine inside a private subnet?
Create a security group that allows only the traffic the machine needs (the management protocol you connect with, such as SSH or RDP, plus whatever the workload requires, for example ICMP, HTTP, HTTPS, MySQL/Aurora), restricted to the CIDR range or IP addresses that are allowed to reach it, and attach it to the instance. Then connect from a host inside that CIDR range, typically the bastion host in the public subnet.
How do you let a machine inside a private subnet connect to the internet?
Using a NAT instance:
1) Launch a NAT instance in a public subnet (one whose route table has a route to the internet gateway).
2) Disable source/destination checks on the NAT instance; otherwise it drops traffic that is not addressed to itself and nothing works.
3) In the route table associated with the private subnet, add a route with destination 0.0.0.0/0 and the NAT instance as the target, so internet-bound traffic is sent to it.
Or, using a NAT gateway:
1) Create a NAT gateway in a public subnet.
2) Allocate a new Elastic IP address and assign it to the NAT gateway.
3) In the route table associated with the private subnet, add a route with destination 0.0.0.0/0 and the NAT gateway as the target.
4) The NAT gateway forwards the traffic to the internet gateway using its Elastic IP address as the source IP address; the private instances keep their private addresses and remain unreachable from outside.
How to Change Elastic ip address associated with NAT gateway ?
It can't be changed. Once an Elastic IP address is associated with a NAT gateway it stays with it; to use a different address, create a new NAT gateway and update the private subnets' routes to point at it.
How to associate Security groups with NAT gateway?
You can't: security groups cannot be attached to a NAT gateway. To filter its traffic, use the NACL on the NAT gateway's subnet or the security groups on the instances behind it.
How to avoid Data processing fees while accessing S3 and Dynamo db in the same region?
Set up a gateway endpoint for S3 or DynamoDB and let the route table send that traffic through the endpoint instead of the NAT gateway. Gateway endpoints have no charge, and the traffic stays on the AWS network instead of going out through the NAT gateway and the internet gateway.
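Both the NAT gateway steps above and the gateway endpoint card come down to what is in the private subnet's route table and which route wins. The following is an added example, not code from the flashcards: it resolves the next hop for a destination by longest-prefix match (the most specific matching route wins, which is how a VPC route table behaves), shows the endpoint route taking precedence over the 0.0.0.0/0 route to the NAT gateway, and audits the table for the usual mistakes, including writing 0.0.0.0 without the /0. The VPC CIDR, NAT gateway and endpoint IDs, and the S3 prefix are constructed placeholders (the real S3 prefix list differs per region).

```python
"""Resolve where a private subnet's traffic goes by longest-prefix match
over its route table, and check the table for common mistakes.

Added example, not from the original flashcards. The VPC CIDR, the NAT
gateway and endpoint IDs, and the S3 prefix are constructed placeholders.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

VPC_CIDR = "10.0.0.0/16"
NAT_GW = "nat-0123456789abcdef0"            # placeholder ID
S3_ENDPOINT = "vpce-0123456789abcdef0"      # placeholder ID
S3_PREFIX = "52.216.0.0/15"                 # stands in for the region's S3 prefix list


def next_hop(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific route containing dst_ip,
    or None when no route matches and the packet is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best: Optional[str] = None
    best_len = -1
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=False)
        if dst in net and net.prefixlen > best_len:
            best, best_len = target, net.prefixlen
    return best


def private_route_table(nat_gateway: str, s3_endpoint: Optional[str] = None) -> List[Route]:
    """Route table for a private subnet: the local route for the VPC, a default
    route to the NAT gateway and, optionally, the S3 prefix via a gateway endpoint."""
    table: List[Route] = [(VPC_CIDR, "local"), ("0.0.0.0/0", nat_gateway)]
    if s3_endpoint:
        table.append((S3_PREFIX, s3_endpoint))
    return table


def audit_private_table(route_table: List[Route]) -> List[str]:
    """Flag the mistakes that make a 'private' subnet either not private or not work."""
    problems: List[str] = []
    defaults = [target for cidr, target in route_table
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0]
    if not defaults:
        problems.append("no 0.0.0.0/0 route: instances have no internet egress")
    for target in defaults:
        if target.startswith("igw-"):
            problems.append("default route points at an internet gateway: the subnet is public")
    for cidr, _ in route_table:
        if "/" not in cidr:
            problems.append(f"route {cidr!r} has no prefix length and matches only that single host")
    return problems


def demo() -> dict:
    table = private_route_table(NAT_GW)
    with_endpoint = private_route_table(NAT_GW, S3_ENDPOINT)
    # A common typo: "0.0.0.0" without "/0" is a /32 host route, not a default route.
    typo_table: List[Route] = [(VPC_CIDR, "local"), ("0.0.0.0", NAT_GW)]
    return {
        "in_vpc": next_hop(table, "10.0.1.5"),                     # local (/16 beats /0)
        "internet": next_hop(table, "93.184.216.34"),              # NAT gateway
        "s3_via_nat": next_hop(table, "52.216.0.10"),              # no endpoint: NAT, billed
        "s3_via_endpoint": next_hop(with_endpoint, "52.216.0.10"), # endpoint (/15 beats /0)
        "typo_internet": next_hop(typo_table, "93.184.216.34"),    # None: dropped
        "typo_audit": audit_private_table(typo_table),
        "ok_audit": audit_private_table(with_endpoint),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Longest-prefix match is also why adding the endpoint requires no change to the NAT route: the more specific S3 prefix simply wins for S3 addresses, and everything else keeps going through the NAT gateway.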
What are the uses of NACL?
To control the traffic allowed in and out of a subnet: it is a stateless filter applied at the subnet boundary, and the only place in a VPC where you can write an explicit deny rule.
How to make Nat Gateways highly available?
Create one in each Availability Zone and point each private subnet's route table at the NAT gateway in its own AZ. A NAT gateway is redundant within its AZ, but a single one is lost if that AZ fails, and cross-AZ routing to it costs extra and fails with it.
What is Internet Gateway in VPC?
The internet gateway is how instances inside a VPC reach the internet. It is the target for the 0.0.0.0/0 route in a public subnet's route table, and it is the path through which the outside world reaches instances in the VPC that have a public IPv4 address.
What is the default setting for a security group?
The default security group of a VPC allows inbound traffic only from other instances in the same security group (so nothing from the internet) and all outbound traffic. A new custom security group allows no inbound traffic at all and all outbound traffic.
What is the use of Elastic ip address?
An Elastic IP is a static public IPv4 address. An instance or a NAT gateway needs a public IPv4 address to be reachable from the internet; use an Elastic IP when that address must stay the same across stops, starts and replacements (a NAT gateway requires one).