VPC Flashcards
True or false: Network ACLs can span multiple VPCs
False. A Network ACL belongs to a single VPC
Can you associate a route table with more than one subnet?
Yes. Route tables can be associated with multiple subnets.
True or false: Subnets can only be associated with one Network ACL at a time
True
If a VPC-A has an Internet Gateway and is peered with VPC-B that is not internet connected, is it possible to use the peering connection for access between VPC-B and the internet?
No, this is called edge-to-edge routing and is not supported
What are VPC Flow Logs?
A feature that captures metadata about the IP traffic going to and from network interfaces in a VPC (source and destination address and port, protocol, byte and packet counts, and whether the flow was accepted or rejected; packet payloads are not captured). A flow log can be created for a whole VPC, a subnet or a single interface, and its records are published to CloudWatch Logs, where they can be queried, or delivered to an S3 bucket or Kinesis Data Firehose.
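A small parser for flow log records in the default format, with a check a practitioner would typically run over the records once they land in CloudWatch Logs or S3: which source addresses keep getting REJECTed. This is an added example, not AWS code; the log lines, account ID and interface ID are constructed.

```python
"""Parse VPC Flow Log records in the default format and flag sources with
repeated REJECTs.  Added example, not AWS code; the log lines are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Field order of the default (version 2) flow log record.
DEFAULT_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes",
    "start", "end", "action", "log_status",
]

# Constructed sample: two rejected SSH probes from one address, one accepted
# HTTPS flow, and a NODATA record (no traffic in the aggregation window).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 54321 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.26 54322 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.25 203.0.113.10 44310 443 6 12 4800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000059 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: Optional[int]
    dstport: Optional[int]
    protocol: Optional[int]   # IANA protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    packets: int
    bytes: int
    action: str               # ACCEPT, REJECT or "-" when there was no traffic
    log_status: str           # OK, NODATA or SKIPDATA


def _int_or_none(value: str) -> Optional[int]:
    return None if value == "-" else int(value)


def parse_record(line: str) -> FlowRecord:
    fields = line.split()
    if len(fields) != len(DEFAULT_FIELDS):
        raise ValueError(f"expected {len(DEFAULT_FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(DEFAULT_FIELDS, fields))
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=_int_or_none(rec["srcport"]),
        dstport=_int_or_none(rec["dstport"]),
        protocol=_int_or_none(rec["protocol"]),
        packets=_int_or_none(rec["packets"]) or 0,
        bytes=_int_or_none(rec["bytes"]) or 0,
        action=rec["action"],
        log_status=rec["log_status"],
    )


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_sources(records, min_rejects: int = 2) -> dict:
    """Count REJECTed flows per source address, ignoring records that carry
    no traffic (NODATA/SKIPDATA); return sources at or above the threshold."""
    counts = Counter(
        r.srcaddr for r in records if r.log_status == "OK" and r.action == "REJECT"
    )
    return {src: n for src, n in counts.items() if n >= min_rejects}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(rejected_sources(records))  # {'198.51.100.7': 2}
```

A REJECT in a flow log means a security group or network ACL dropped the flow; the record does not say which, so the next step is to check the rules of the interface's security groups and the subnet's NACL against the address and port pair. NODATA and SKIPDATA records must be filtered out before counting, as above, or they pollute per-source statistics.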
Can you change the tenancy for a VPC after it has been created?
Not from default to dedicated. A VPC created with dedicated tenancy can later be changed to default tenancy using the AWS CLI, an SDK or the EC2 API (ModifyVpcTenancy); the console does not offer this change.
What is a CIDR block?
A range of IP addresses written in CIDR notation (for example 10.0.0.0/16). A VPC is created with a CIDR block (IPv4 sizes from /16 to /28), and each subnet in it is assigned a CIDR block that is a subset of the VPC's block; the subnet blocks within one VPC cannot overlap.
True or false: Network ACLs can be associated with multiple subnets at the same time
True
True or false: NAT Gateways scale automatically
True. A NAT Gateway scales its bandwidth up automatically as traffic grows, up to a per-gateway limit. It is still a resource in one subnet and Availability Zone, so it does not provide redundancy for other zones.
True or false: Every subnet must be associated with exactly one Network ACL
True. If you do not explicitly associate one, the subnet is associated with the default Network ACL of its VPC.
When creating a Network ACL, by default is everything allowed or denied?
Denied. A custom Network ACL starts with only the "*" rule, which denies all inbound and all outbound traffic until you add allow rules. The default Network ACL that comes with a VPC is the opposite: it allows all traffic in both directions.
Do NAT Gateways sit in front of or behind a Security Group? What about NAT Instances?
In front. A NAT Gateway cannot have a security group attached, so traffic passing through it is controlled only by the security groups of the instances behind it and by the Network ACL of the gateway's subnet. A NAT instance is an ordinary EC2 instance, so it sits behind a security group of its own, which must allow the forwarded traffic in and out.
What is ICMP?
Internet Control Message Protocol, which carries control and diagnostic messages between devices in an IP network (for example ping echo request/reply, destination unreachable and TTL exceeded).
True or false: A security group is limited to a single VPC
True. A security group belongs to one VPC and can only be attached to resources in that VPC. (A rule can reference a security group in a peered VPC in the same region, but the group itself is not shared.)
What is VPC peering?
It allows you to connect two VPCs so that resources in them can communicate using private IP addresses, with traffic staying on the AWS network. Peering is not transitive: if VPC-A is peered with VPC-B and VPC-B with VPC-C, VPC-A has no route to VPC-C unless it is peered with VPC-C directly.
What protocols are supported by NAT Gateways?
TCP, UDP, ICMP
What does an internet gateway do?
- It is a horizontally scaled, redundant VPC component that provides a target for internet-bound traffic, which route tables point to
- It performs one-to-one network address translation (NAT) between an instance's public IPv4 (or Elastic IP) address and its private IPv4 address
A subnet which is associated with a route table containing a route to an internet gateway is known as what?
Public subnet
True or false: VPCs with overlapping CIDR blocks cannot be peered
True
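The CIDR arithmetic behind two of these cards, the definition of a CIDR block for a VPC and its subnets, and the rule that VPCs with overlapping CIDR blocks cannot be peered, as an added example that is not part of the original flashcards or AWS code. It uses the Python standard library only; the address ranges are constructed.

```python
"""Added example, not AWS code: CIDR arithmetic for VPC planning. Checks that a
subnet's CIDR block is a proper subset of its VPC's block, how many addresses a
subnet actually offers (AWS reserves five per subnet), and whether two VPCs can
be peered, which requires non-overlapping CIDR blocks."""
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # allowed IPv4 VPC/subnet sizes: /16 to /28


def valid_vpc_cidr(cidr: str) -> bool:
    """True if cidr is a network address (no host bits set) with a /16 to /28 prefix."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:           # e.g. "10.0.1.5/24" has host bits set
        return False
    return net.version == 4 and VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def subnet_fits_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    return subnet.subnet_of(vpc)


def usable_addresses(subnet_cidr: str) -> int:
    """AWS reserves the first four addresses of every subnet (network, VPC
    router, DNS, future use) and the last one (broadcast)."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - 5


def can_peer(vpc_a_cidr: str, vpc_b_cidr: str) -> bool:
    """Peering is refused when the two VPCs' CIDR blocks overlap at all."""
    a = ipaddress.ip_network(vpc_a_cidr, strict=True)
    b = ipaddress.ip_network(vpc_b_cidr, strict=True)
    return not a.overlaps(b)


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> list:
    """Split the VPC block into the first `count` equal subnets of size /new_prefix."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [str(s) for s in list(vpc.subnets(new_prefix=new_prefix))[:count]]


if __name__ == "__main__":
    print(carve_subnets("10.0.0.0/16", 24, 3))      # ['10.0.0.0/24', '10.0.1.0/24', '10.0.2.0/24']
    print(can_peer("10.0.0.0/16", "10.0.5.0/24"))   # False: 10.0.5.0/24 lies inside 10.0.0.0/16
```

The overlap check is the one that bites in practice: two teams that both picked 10.0.0.0/16 cannot be peered later, which is why address plans are usually agreed before the VPCs are created.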
When creating a subnet, does AWS automatically include a route to the internet from the main route table for the VPC?
No. A new VPC's main route table contains only the local route for the VPC's CIDR block; a route to an internet gateway (typically 0.0.0.0/0) must be added by you. Only the default VPC comes with that route already in place.
What is the definition of a VPC?
Virtual Private Cloud. Amazon lets you provision a logically isolated section of the AWS Cloud in which you launch AWS resources into a virtual network you define. You control that network, including the choice of IP address range, subnets, route tables and network gateways.
True or false: to make a subnet public, you must associate it with an internet gateway
False. An internet gateway is attached to the VPC, not to a subnet. A subnet becomes public when its route table has a route to the internet gateway; instances in it additionally need a public or Elastic IPv4 address to be reachable from the internet.
Can VPC peering occur between VPCs in different regions?
Yes. Inter-region VPC peering is supported (peering was originally limited to a single region, which is where the old "no" answer comes from). The usual rules still apply: the CIDR blocks must not overlap and the connection is not transitive.
In what order are rules evaluated in a Network ACL?
Numerically by rule number, lowest first. The first rule that matches a packet decides its fate, and the final "*" rule denies anything that no numbered rule matched.
Are public IP addresses automatically assigned to instances launched within subnets in VPCs you create?
Not by default. You can change the subnet's "Auto-assign public IPv4 address" setting to Yes, or request a public IP when launching the instance. Subnets of the default VPC have the setting enabled, so instances launched there get a public IPv4 address automatically.
Can you use VPC peering across accounts?
Yes
Does the default VPC automatically include a route to the internet gateway for IPv6 traffic?
No. The default VPC is created with an IPv4 CIDR block only, so its main route table has the local route and a 0.0.0.0/0 route to the internet gateway but no IPv6 route. To use IPv6 you must add an IPv6 CIDR block to the VPC and a ::/0 route to the internet gateway yourself.
What do you do if your NAT Gateway does not have enough bandwidth to handle the traffic being sent to it?
Split the workload across multiple subnets and create a separate NAT Gateway for each, since a NAT Gateway is scoped to one subnet and its bandwidth limit is per gateway.
Explain why you have to disable Source/Destination check when creating a NAT instance
By default an EC2 instance has source/destination checking enabled, which means the instance must be the source or the destination of every packet it sends or receives; packets that do not meet that test are dropped. A NAT instance forwards traffic on behalf of other instances: a packet it relays from the private subnet carries that instance's private address as its source, and the reply carries it as the destination. With the check enabled those packets would be dropped, so source/destination checking must be disabled on the NAT instance.
Can Network ACLs span multiple availability zones?
Yes. A Network ACL is a VPC-level resource and can be associated with subnets in any Availability Zone of that VPC.
If the first rule in a Network ACL allows a packet, and the second rule denies it, is the packet allowed or denied?
It is allowed. Rules are evaluated in ascending rule-number order, and the first rule whose protocol, CIDR and port range match the packet decides; later rules are not consulted. A broad allow with a low number therefore overrides a narrower deny with a higher number, so denies that must take effect need lower numbers than the allows they are meant to override.
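A simulation of the Network ACL evaluation described in the cards above (default deny on a new custom ACL, ascending rule-number order, first match wins), plus the stateless behaviour that trips people up in practice: the reply to an allowed connection still needs its own outbound rule on the client's ephemeral port. This is an added example, not AWS code or the page's own material; the rule set and addresses are constructed.

```python
"""Added example, not AWS code: a simulation of how a network ACL evaluates
traffic. Rules are tried in ascending rule-number order, the first rule whose
protocol, CIDR and port range match decides, and the implicit final '*' rule
denies anything no numbered rule matched. Because NACLs are stateless, a
connection's request and its reply are checked independently."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str             # "tcp", "udp", "icmp" or "all"
    cidr: str                 # source CIDR for inbound rules, destination for outbound
    port_from: Optional[int]  # None = all ports
    port_to: Optional[int]
    action: str               # "allow" or "deny"

    def matches(self, proto: str, addr: str, port: int) -> bool:
        if self.protocol not in ("all", proto):
            return False
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(self.cidr):
            return False
        if self.port_from is not None and not (self.port_from <= port <= self.port_to):
            return False
        return True


def evaluate(rules, proto: str, addr: str, port: int):
    """Return (action, rule_number); rule_number is '*' for the default deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, addr, port):
            return rule.action, rule.number
    return "deny", "*"


def connection_allowed(inbound, outbound, proto, client_addr, client_port, server_port) -> bool:
    """A stateless ACL must allow the request inbound AND the reply outbound."""
    request, _ = evaluate(inbound, proto, client_addr, server_port)
    reply, _ = evaluate(outbound, proto, client_addr, client_port)
    return request == "allow" and reply == "allow"


# Constructed rule set. Rule 100 is broad and comes first, so it wins over the
# more specific deny in rule 110 for HTTPS; rule 110 still blocks that host's SSH.
INBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "all", "198.51.100.7/32", None, None, "deny"),
    Rule(120, "tcp", "203.0.113.0/24", 22, 22, "allow"),
]
# Replies go back to the client's ephemeral port, so outbound must allow 1024-65535.
OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", "198.51.100.7", 443))   # ('allow', 100)
    print(evaluate(INBOUND, "tcp", "198.51.100.7", 22))    # ('deny', 110)
    print(evaluate(INBOUND, "udp", "203.0.113.5", 53))     # ('deny', '*')
    print(connection_allowed(INBOUND, OUTBOUND, "tcp", "203.0.113.5", 50000, 22))  # True
```

To make the 198.51.100.7 block effective for HTTPS as well, the deny rule needs a number lower than 100; renumbering is the only fix, because rule order is the only precedence a NACL has. Security groups behave differently: they are stateful and have no ordering, so the ephemeral-port problem shown by `connection_allowed` does not arise there.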
True or false: Flow log configurations cannot be changed once they are set up
True. Once a flow log exists, its configuration (the filter of accepted/rejected/all traffic, the destination and the record format) cannot be modified; to change any of them you delete the flow log and create a new one.