VPC

Question 1

VPC

Answer 1

Virtual Private Cloud is a logically isolated datacenter that you can configure in VPC.

Question 2

Hardware VPC

Answer 2

is a connection between your corporate datacenter and VPC. It serves as an extension of your corporate data center.

Question 3

VPC sample flow

Answer 3

InternetGW–>Router–>RouteTable–>NetworkACL–>SecurityGroup–>PublicSN

Question 4

IANA resreves 3 sets of IP address for private use

Answer 4

10. 0.0.0 - 10/8 prefix
11. 16.0.0 - 172..16/12 prefix
12. 168.0.0/16 prefix

Question 5

Default VPC vs Custom VPC

Answer 5

All subnets in a default VPC has access to internet. easily deploy EC2. Each EC2 instance has public and private IP address.

Question 6

VPC peering

Answer 6

Lets VPC talk to each other

Question 7

1subnet

Answer 7

1 AZ

Question 8

Security Groups vs Network ACL

Answer 8

Security Group are stateful, Nework ACL(allow deny). If you open in inbound it does not automatically open on outboud

Question 9

The maximum number of VPCs has been reached.

Answer 9

the default limit is 5 VPCs per Region

Question 10

VPC

Answer 10

Complete control over your networking env. IP address range, subnets, configuration of route tables and network gateways

Question 11

VPC cannot span regions

Answer 11

VPS is a logical datacenter in AWS

Question 12

When you create a VPS it does not create a subnet

Answer 12

route table, security group, Network acl is automatically created.

Question 13

Main route table

Answer 13

is created when the vpc is created. It contains two routes. One for IPv4 and IPv6. Any subnet having this as route can communicate with each other. Any subnet created is associated automatically with the main route table

Question 14

Reserves 5 ip addresses within every subnet

Answer 14

network address, router, DNS, reserved for future, Network broadcast

Question 15

Reserves 5 ip addresses within every subnet

Answer 15

network address, router, DNS, reserved for future, Network broadcast

Question 16

VPC flow logs

Answer 16

Flow log data is stored in amazon cloud watch logs

Question 17

VPC flows logs can be created at 3 levels

Answer 17

VPC, subnet, Network interface level

Question 18

Not all IP traffic is monitored by flow logs

Answer 18

traffic towards amazon DNS, windows instance, traffic to apipa for instance metadata, DHCP traffic, traffic to reserved IP address of default VPC router

Question 19

AWS direct connect

Answer 19

cloud service solution that makes it eazy to establish a direct network connection from your premises to AWS. . Reduce network costs, increase bandwidth and consistent network experience

Question 20

AWS direct connect

Answer 20

cloud service solution that makes it eazy to establish a direct network connection from your premises to AWS. . Reduce network costs, increase bandwidth and consistent network experience

Question 21

with VPC endpoint

Answer 21

Traffic between your VPC components and other services do not leave the Amazon network

Question 22

VPC endpoints

Answer 22

are virtual devices. horizontal scaled, redundant.

Question 23

2 types of VPC endpoints

Answer 23

interface endoints
gateway endoints( are NAT GWs supported for S3 and dynamo DB)

Question 24

NAT gateways

Answer 24

Redundant inside AZ, Preferred by enterprise, Starts with 5Gbps and goes upto 45Gbps, no need to patch, Not associated with security groups, automatically assigned a public ip address, Remember to update your route tables, No need to disable source/destination checks

Question 25

AZ independent architecture

Answer 25

create a NAT in each AZ and configure your routing to ensure that resources use the NAT GW in teh same AZ

Question 26

AZ independent architecture

Answer 26

create a NAT in each AZ and configure your routing to ensure that resources use the NAT GW in teh same AZ

Question 27

A VPN connection consists of which of the following components

Answer 27

Customer Gateway, virtual private gateway

Question 28

NACL is automatically added by default to all new subnets in the same vpc.

Answer 28

However it is configured not to communicate. So subnets will not be able to communicate by default.

Question 29

softlimit on the number of VPN connections per VPC

Answer 29

10

Question 30

softlimit on the number of VPN connections per VPC

Answer 30

10

Question 31

The VPN Cloud HUB

Answer 31

operates on a simple hub-and-spoke model that you can use with or without a VPC. This design is suitable for customers with multiple branch offices and existing Internet connections who would like to implement a convenience potentially backup connectivity between these remote offices.

Question 32

ASG order of execution

Answer 32

ASG terminates the unlealthy instance first and then launches a new instance. Amazon EC2 Auto Scaling creates a new scaling activity for terminating the unhealthy instance and then terminates it. Later, another scaling activity launches a new instance to replace the terminated instance.

Question 33

advantages of direct connect

Answer 33

security
cost ends up being cheaper over ISP
network consistency not affected by netk congestion
lower latency
you can reach any of the public services S3 or dynamo DB over private connection

Question 34

Steps to get direct connect

Answer 34

decide region, because the direct connect facilities are associated with a particular region
2) download letter of authorization and give it to customers direct connect provider like verizon, authorizing them to connect to AWS backbone
3) On console create private VIF( for connecting to vpc) and public VIF( for public services like s3 and dynamo)
4) You can choose hw VPN as a failover to direct connect or have 2 direct connections and connect to a different location
5) configure route propogation
Note: even though you are using public interface for s3 and dynamo you can going over private connection and not internet
6) DX is only to a region so by default you can connect only the VPC’s in that region. To be able to connect to other VPC’s you need direct connect GW. You can make private VIF to connect to DGW which will allow you to communicate to all regious except China. Watchout VPC’s cannot have overlapping IP addresses

Question 35

for peering vpc’s can be across regions and also from another account

Answer 35

If it is another account the account owner has to authorize the peering request

Question 36

After peering vpc. you can restrict the routing to just the required subnets. You don’t have to route the entire vpc

Answer 36

The peering will get an ID and that ID will be the target in the route table the key will be the subnet in the target vpc.

Question 37

instances in the two VPCs cannot reach one another

Answer 37

update the route tables, The security group rules are not set to allow traffic from the security group of the other instances.