VPC

Question 1

What is VPC

Answer 1

Its is like a logical datacenter inside AWS,

Consists of Subnets, gateways, Route tables, network access control lists and security groups

Question 2

What is the use of NAT Gateway

Answer 2

It is a Gateway which is used by private Subnets to talk to the internet, but prevent the intrenet from initiating any connection with the instances.

Question 3

Difference between NAT instance and NAT Gateway

Answer 3

NAT instance is a single EC2 instance used by private subnets to connect to internet, whereas NAT gateway is a full-blown, highly available gateway used by private Subnets to talk to outside Internet

Question 4

What is the default rules for new NACL?

Answer 4

All inbound and outbound traffic are denied by default.
Rules are always added in chronological order.
Inbound and outbound rules can be specified independently to allow or deny traffic

Question 5

Do we have to create NACL while creating VPC?

Answer 5

While creating a VPC an NACL is created by default.
By default, it allows all inbound and outbound traffic.
Every subnet added to the VPC will automatically get associated to the default NACL

Question 6

Relationship between NACL and Security groups?

Answer 6

NACL’s are always going to be evaluated before the security groups.

Question 7

What is the best option to block ip addresses, Security groups or NACL’S?

Answer 7

NACL’s are the best option to block ip addresses

Question 8

What is the relationship between Subnets and NACL’s

Answer 8

Each subnet must be associated with only one NACL, but an NACL could be associated with more than 1 subnet

Question 9

What is VPC flow log?

Answer 9

It’s a way to Analyse traffic flowing in and out of subnets, VPC’s and instances.

Question 10

What kind of traffic are not monitored by flow logs

Answer 10

1) Traffic to Amazon DNS
2) License activation calls
3) DHCP traffic
4) Calls to Instance Metadata
5) Traffic to reserved ip address for default VPC router

Question 11

What is Bastion Host

Answer 11

It is a jump box, which sits in a Public subnet, through which we connect to a private subnet. This machine is configured only to have a proxy server and everything else is removed to reduce the attack surface.

Question 12

What is direct Connect in AWS

Answer 12

The dedicated connection from Customer premises to AWS, region, and services. Useful for high throughput workloads or if you need a secure and highly available connection

Question 13

What is VPC endpoint?

Answer 13

It is a way to privately connect VPC to supported AWS services like S3, etc without the need for Internet Gateway, NAT device, VPN or AWS Direct Connect Connection.

Question 14

Difference between NACL and Security group?

Answer 14

Security groups are stateful, whereas NACL is stateless.
We can define inbound and outbound which can deny and allow connectiosns in NACL. NACL is the first line of defence, followed by the security group.

Whereas in Security Group, we cant create deny rules, if a port is opened to allow a request then then response will flow back in following the same port

Question 15

how to connect to an ec2 machine inside a private subnet?

Answer 15

Create a security group, which will allow icmp and http, https, https traffic, my sql and aurora to this machine and also mention the CIDR address range or ip addresses which can communicate with this security group.Then we can connect to this machine which sits inside the CIDR range we have defined to allow access.

Question 16

How to give a machine inside a private subnet connect to internet?

Answer 16

1) Use a NAT instance in public subnet which has access to the public internet.
2) Modify the route table associated with private subnet to direct internet bound traffic to the NAT Instance.
3) Then we create a route in a route table for the VPC to allow access to he internet. The destination will be 0.0.0.0 and the instance selected in TARGET will be the NAT instance then, Disable source and destination checks in the NAT instance else the whole thing won’t work.

Or

1) Create a NAT gateway in a public subnet.
2) Give it a new elastic ip address for NAT gateway.
3) Modify the route table associated with private subnet to direct internet bound traffic to the NAT Instance.
4) Add a new route in the route table of our VPC to connect to the internet and select the Target for this route to be the NAT gateway.
5) The NAT gateway sends the traffic to the internet gateway using the NAT gateway’s Elastic IP address as the source IP address.

Question 17

How to Change Elastic ip address associated with NAT gateway ?

Answer 17

Once associated the elastic ip address cant be changed.

Question 18

How to associate Security groups with NAT gateway?

Answer 18

We cant associate Security Groups with NAT Gateway.

Question 19

How to avoid Data processing fees while accessing S3 and Dynamo db in the same region?

Answer 19

Set up a gateway endpoint and route the traffic through the gateway endpoint instead of the NAT gateway. There are no charges for using a gateway endpoint.

Question 20

What are the uses of NACL?

Answer 20

To control the traffic which flows in and out of a subnet.

Question 21

How to make Nat Gateways highly available?

Answer 21

Create them in multiple Az’s

Question 22

What is Internet Gateway in VPC?

Answer 22

It is through internet gateway instances inside a VPC connect to internet. It provides a target for the routes defined in the route table and its is through the Internet Gateway the outside world can connect to instance inside the VPC.

Question 23

What is the default setting for a Security group

Answer 23

The default settings for a default security group allow no inbound traffic from the internet and allow all outbound traffic to the internet.

Question 24

What is the use of Elastic ip address?

Answer 24

If you want any instance or Gateway to be reachable from the internet over IPv4 the it needs an elastic ip address.

Question 25

What is route Table?

Answer 25

Contains a set of rules called routes, which determines where the traffic from a Subnet is routed.
VPC has an implicit router, and you use route tables to control where network traffic is directed

Question 26

How are routes defined for communication within the VPC?

Answer 26

every route table comes with a default set of routes configured for communication within the VPC

Question 27

Types of VPC Endpoint?

Answer 27

Gateway endpoint and Interface endpoint

Question 28

What is the scope of VPC and Subnet?

Answer 28

VPC have regional scope and Subnets are associated with an AZ. Each Subnet is associated with one AZ and they cannot span multiple Az’s.

Question 29

How many VPC’s can be created per region?

Answer 29

Max of 5 VPC per region

Question 30

What is a peering connection?

Answer 30

A peering connection enables you to route traffic via private IP addresses between two peered VPCs

Question 31

What are some options to connect to a VPC?

Answer 31

Hardware based VPN
Software VPN
Direct Connect VPN
CloudHub

Question 32

What is a Elastic Ip address?

Answer 32

An Elastic IP address is a static IPv4 address that is associated with an instance or network interface.

Question 33

Difference between Elastic ip address and auto -assigned public ip address?

Answer 33

Elastic IPs are retained in your account whereas auto-assigned public IPs are released.