VPC

Question 1

Subnets and Availability Zones?

Answer 1

One Subnet equals = 1 availability zone.

You cannot have a subnet that crosses multiple availability zones.

Question 2

What is a security group

Answer 2

1) Your first line of defense against hackers.
2) It is a virtual FireWall
3) Associated to an EC instance.
4) Multiple security groups can be associated with an EC2 instance.

Question 3

Security Groups are stateful

Answer 3

Whenever you add an inbound rule, it also adds an outbound rule.

Question 4

Security group denial

Answer 4

Everything is denied/blocked by default, so you need to select what you want to allow, not what you want to. deny.

Question 5

Security Groups outbound

Answer 5

All outbound traffic is allowed.

Question 6

NACL State

Answer 6

Network Access Control Lists are stateless.

Question 7

What is a VPC ?

Answer 7

Think of it as a virtual data centre in the cloud.

* You are given one on account setup.

Question 8

What does a VPC do?

Answer 8

Lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.
* You have complete control over your virtual networking environment. (IP Addresses, subnets, route tables and gateways)

Question 9

VPC and VPN

Answer 9

YOu can create hardware VPNS connections between your corporate data centre and your VPC and leverage the AWS cloud as an extension of your DC.

Question 10

How you do access a VPC ?

Answer 10

1) Internet Gateway (Internet access)

2) A virtual private gateway (VPN Access)

Question 11

Subnets and Availability Zones

Answer 11

1 subnet = 1 availability zone

Question 12

Security groups and Subnets

Answer 12

Security groups can span subnets.

Question 13

AWS approved Internal IP Ranges:

Answer 13

10. 0.0.0 - 10/8
11. 16.0.0. - 172.16/12
12. 168.0.0 - 192.168/16

Question 14

VPC limit per region ?

Answer 14

Soft: 5

Question 15

Default vs Custom VPC ?

Answer 15

All subnets in a default VPC have a route to the internet.

Question 16

VPC peering

Answer 16

Allows you to connect 1 vpc with another via a direct network route using private ip addresses.
Instances behave as if they were on the same private network.
You can peer VPCs with other AWS accounts as well as with other VPCs in the same account.
Always in a hub and spoke, not transitive peering.

Question 17

VPC consists of:

Answer 17

Internet gateways
virtual private gateways
route tables
Network Access Control Lists
Subnets
Security Groups

Question 18

IP Address Restrictions CIDR blocks:

Answer 18

The first 4 and last IP Address in each subnet CIDR block are not available for you to use and cannot be assigned.

Question 19

VPCs and Multiple Internet Gateways

Answer 19

you can only have 1 internet gateway per VPC.

Question 20

NAT Instances

Answer 20

This is a community amazon-AMI.
Can be used as a bastion server.
disable SRC / DST check on the instance.
Must be on a public subnet.
Traffic support is directly correlated to the NAT instance size.
You can create HA using autoscaling groups.
Can script an automated failover

Question 21

Nat Gateways

Answer 21

Preferred by Enterprises.
scale automatically up to 10 Gbps
No patching.
Not associated with a security group
automatically assigned a public ip address
remember to update route tables post-implementation.
higher level of security.
managed 100% by Amazon.
no need to disable source-destination checks.

Question 22

NACL

Answer 22

private NACL’s deny everything by default.

Question 23

NACL rule numbering

Answer 23

ipv4 - start at 100, and go up in increments of 100
ipv6 - start at 101, and go up in increments of 100

Rules are evaluated in order, lowest to highest.

Question 24

Default NACL

Answer 24

Your VPC comes with a default NACL, and by default it allows all inbound / outboard traffic.

Question 25

Custom NACLs

Answer 25

Remember you need to build inbound and outbound NACL rules. They are seperate due to being stateless. .

Question 26

NACLS and Subnets:

Answer 26

Each subnet must be assigned to a default NACL and if you don’t assign one then it is associated with the default.

A NACL can be associated with multiple subnets, but a subnet can only be associated with a single NACL.

Question 27

NACLs vs Security Groups

Answer 27

Block IPs using NACLs not Security Groups

Question 28

VPC flow logs can be created at how many levels?

Answer 28

1) VPC
2) Subet
3) Network Interface Level

Question 29

IP Traffic not Monitored:

Answer 29

1) DNS Traffic to the Amazon DNS Server
2) Traffic generated by a windows instance for activation.
3) traffic to and from 169.254.169.254 for metadata
4) DHCP traffic
5) Traffic to the reserved IP address for the default VPC router.

Question 30

VPC Endpoints

Answer 30

is an inside gateway or interface that allows you connect to an endpoint outside of the VPC.

Question 31

Application Load Balancers

Answer 31

You will need at least 2 public subnets in order to deploy an application load balancer.

Question 32

VPC flow log tagging

Answer 32

You cannot tag a VPC flow log.