VPC Flashcards
Can VPCs span Regions?
False, a VPC is Region-specific: it can span all Availability Zones in its Region, but never more than one Region
Max allowed VPCs per Region
5 (default quota, adjustable)
You must create a VPC in every Region because no default VPCs are available?
False, each Region comes with a default VPC, so you can launch EC2 instances straight away if you want
Max subnets per VPC
200 (default quota, adjustable)
Are DNS hostnames disabled by default?
True for VPCs you create yourself (enableDnsHostnames is off); the default VPC has them enabled. DNS resolution (enableDnsSupport) is on in both.
VPC peering
Lets you route traffic between two VPCs privately over the AWS network using their private IP addresses; it does not use Direct Connect, an Internet Gateway or a VPN
Can VPC peering be used across Regions and accounts?
True
What configuration does VPC peering use?
Star (hub-and-spoke): one central VPC peered with each of the others. A full mesh needs a separate peering connection for every pair of VPCs.
Does VPC peering allow transitive peering?
No, peering is not transitive; every pair of VPCs that must talk to each other needs its own one-to-one peering connection
Can VPC peering be used between VPCs with overlapping CIDR blocks?
No, the CIDR blocks of the two VPCs must not overlap; the peering request is rejected if they do
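The three peering rules above (no overlapping CIDRs, star/hub-and-spoke layout, no transitive routing) as an added Python example; this is not code from the original flashcards, and the VPC names and CIDR blocks are constructed for illustration:

```python
from collections import deque
from ipaddress import ip_network

# Constructed VPCs (hypothetical names and CIDR blocks)
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.1.128.0/17",   # overlaps vpc-b, so b and d can never peer
}


def cidrs_overlap(cidr_a, cidr_b):
    return ip_network(cidr_a).overlaps(ip_network(cidr_b))


def can_peer(vpcs, a, b):
    """AWS rejects a peering request when the two VPC CIDR blocks overlap."""
    return a != b and not cidrs_overlap(vpcs[a], vpcs[b])


def star_peerings(vpcs, hub):
    """Hub-and-spoke ('star'): one peering connection between the hub and
    each other VPC that is allowed to peer with it."""
    return {
        frozenset((hub, spoke))
        for spoke in vpcs
        if spoke != hub and can_peer(vpcs, hub, spoke)
    }


def reachable(peerings, src, dst):
    """Peering is not transitive: traffic only flows over a DIRECT pcx."""
    return frozenset((src, dst)) in peerings


def graph_path_exists(peerings, src, dst):
    """What a naive 'is there a path' view would claim; AWS does not forward
    this way, so a True here that reachable() denies is the spoke-to-spoke trap."""
    adj = {}
    for pair in peerings:
        a, b = tuple(pair)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def full_mesh_count(n):
    """Peering connections needed so that every one of n VPCs reaches every other."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    star = star_peerings(VPCS, "vpc-a")
    print("b<->d allowed:", can_peer(VPCS, "vpc-b", "vpc-d"))
    print("hub->b:", reachable(star, "vpc-a", "vpc-b"))
    print("b->c via hub:", reachable(star, "vpc-b", "vpc-c"),
          "(graph path exists:", graph_path_exists(star, "vpc-b", "vpc-c"), ")")
    print("full mesh for 4 VPCs needs", full_mesh_count(4), "connections")
```

The `graph_path_exists` check is there to make the non-transitivity concrete: in a star, every spoke has a graph path to every other spoke through the hub, yet `reachable` returns False because there is no direct peering connection.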
_______ determine where network traffic is directed
Route tables
It is not mandatory to associate each subnet with a route table?
False; every subnet is associated with exactly one route table. If you don't associate one explicitly, the subnet uses the VPC's main route table.
Can a subnet be associated with many route tables at the same time?
False, a subnet is associated with only one route table at a time
Can one route table be associated with multiple subnets?
True
Does an Internet Gateway perform Network Address Translation (NAT) for instances that have public IPv4 addresses?
True, one-to-one NAT between the instance's private IPv4 address and its public or Elastic IP address
Does AWS have a service that replaces traditional bastion hosts / jump servers?
Yes, Systems Manager Session Manager: shell access through the SSM agent with no inbound port 22/3389 open and no public IP on the instance
VPC endpoints?
Let you privately connect your VPC to supported AWS services and to VPC endpoint services (PrivateLink) without the traffic leaving the AWS network
Pros of VPC endpoints?
– Instances reach the service without an IGW, NAT device, VPN connection or AWS Direct Connect link
Do instances in a VPC need public IP addresses to communicate with AWS services through a VPC endpoint?
No, they do not
Is traffic sent over the Internet to reach AWS services when using VPC endpoints?
No, it stays on the AWS network
VPC flow logs
Capture metadata about the IP traffic going to and from network interfaces in your VPC (addresses, ports, protocol, packet and byte counts, accept/reject), not packet contents
Flow logs can be created for _____?
A VPC, a subnet, or an individual network interface
Where are VPC flow logs stored in AWS?
CloudWatch Logs or S3
You can't enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in the same account?
True
What instance traffic is not captured by flow logs?
- Traffic generated by instances contacting the Amazon DNS server (traffic to your own DNS server is logged)
- Windows license activation traffic from instances
- Traffic to and from the instance metadata address (169.254.169.254)
- DHCP traffic
- Traffic to the reserved IP address of the default VPC router
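A flow log record in the default (version 2) format, parsed and used for a simple detection (repeated REJECTs against one port from one source), as an added Python example; this code is not from the original flashcards, and the log lines, account ID, ENI and addresses are constructed:

```python
from collections import Counter

# Constructed flow log records in the default version-2 format. The default
# format has 14 space-separated fields; NODATA/SKIPDATA records carry '-' in
# the traffic fields. Note that the metadata service (169.254.169.254), DHCP
# and Amazon DNS traffic never show up here, so detections cannot rely on them.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.7 10.0.1.25 44312 22 6 6 360 1620000000 1620000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.7 10.0.1.25 44313 22 6 6 360 1620000010 1620000070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.7 10.0.1.25 44314 22 6 6 360 1620000020 1620000080 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.9 10.0.1.25 51022 443 6 20 4096 1620000030 1620000090 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 198.51.100.9 443 51022 6 18 9000 1620000030 1620000090 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1620000100 1620000700 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_record(line):
    """Split one default-format record into a dict; '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_sources(records, dstport):
    """Count REJECTed flows per source address toward one destination port,
    ignoring NODATA/SKIPDATA records."""
    counts = Counter()
    for rec in records:
        if (rec["log_status"] == "OK" and rec["action"] == "REJECT"
                and rec["dstport"] == dstport):
            counts[rec["srcaddr"]] += 1
    return counts


def probable_scanners(records, dstport=22, threshold=3):
    """Sources with at least `threshold` rejected attempts on `dstport`."""
    return sorted(src for src, n in rejected_sources(records, dstport).items()
                  if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} records, rejected SSH sources:", rejected_sources(recs, 22))
    print("probable scanners:", probable_scanners(recs))
```

A REJECT in a flow log means a security group or NACL dropped the flow; it does not say which one, so the next step in an investigation is to compare the record against both rule sets.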
Do NACLs act as a virtual firewall at the subnet level?
True
Does a VPC's default NACL allow all inbound and outbound traffic?
True
Can you block a single IP address using a NACL?
True, add a deny rule for the /32 with a lower rule number than the allow rule that would otherwise match it
Can you block a single IP address using a Security Group?
False, security groups have no deny rules; you can only leave out the allow
You can only allow traffic using a NACL but cannot deny?
False, NACL rules can allow or deny
You can only allow traffic using a Security Group but cannot deny?
True, everything not explicitly allowed is denied; you only add the allow rules you need
Is NACL rule order determined by rule number from highest to lowest?
False, rules are evaluated in ascending order starting with the lowest number, and the first matching rule is applied; the catch-all '*' rule at the end denies anything left unmatched
Subnets are associated with a NACL, and a subnet can belong to only one NACL?
True
If a subnet is not explicitly associated with a NACL, is it automatically associated with the default NACL?
True
Are NACLs stateful?
False, they are stateless: return traffic must be explicitly allowed in the opposite direction (for example outbound to the client's ephemeral ports 1024-65535)
Are Security Groups stateful?
True, return traffic for an allowed connection is automatically allowed regardless of the rules in the other direction
When you create a custom NACL, is all traffic denied by default?
True
Security Groups act as ________
A virtual firewall at the instance (network interface) level
Are SGs associated with EC2 instances?
True (more precisely, with the instance's elastic network interfaces)
Do SGs filter at the protocol level and port level?
True
Can multiple instances across multiple subnets belong to the same security group?
True
Can an EC2 instance have multiple SGs?
True
How many inbound and outbound rules can a SG have by default?
60 inbound and 60 outbound (default quota, adjustable)
VPC security groups per Region by default
2,500 (default quota)
Security groups per network interface by default
5
What is NAT (Network Address Translation)?
A method of re-mapping one IP address to another as packets pass through a gateway
If you have a private network that needs outbound access to the Internet, what should you use to re-map the private IPs?
A NAT gateway (managed) or a NAT instance, placed in a public subnet
You have two networks with conflicting (overlapping) addresses. What should you use?
NAT
Does a NAT gateway have to run in a public subnet?
True for a public NAT gateway: its subnet needs a route to an Internet Gateway, and the gateway needs an Elastic IP
A NAT gateway is a managed service with built-in redundancy within the selected AZ?
True, it is redundant within one AZ only; to survive an AZ failure, create one NAT gateway per AZ and route each private subnet to the gateway in its own AZ
Does the default NACL allow all inbound and outbound traffic by default?
True
Does a newly created custom NACL allow all inbound and outbound traffic by default?
False, it denies everything until you add rules
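The NACL and security group cards above (ordered allow/deny rules versus allow-only, stateless versus stateful, and why blocking a single IP works in one but not the other) as an added Python example that models both evaluations; this is not code from the original flashcards, and the rule sets and addresses are constructed:

```python
from ipaddress import ip_address, ip_network

# NACL rule: (rule_number, protocol, (port_from, port_to), cidr, action)
# SG rule:   (protocol, (port_from, port_to), cidr)          -- allow only
# All rule sets and addresses below are constructed for this example.


def nacl_evaluate(rules, ip, port, proto="tcp"):
    """NACL semantics: evaluate in ascending rule-number order, first match
    decides; if nothing matches, the implicit '*' rule denies."""
    for _, r_proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if r_proto not in ("all", proto):
            continue
        if not lo <= port <= hi:
            continue
        if ip_address(ip) not in ip_network(cidr):
            continue
        return action
    return "deny"


def sg_evaluate(rules, ip, port, proto="tcp"):
    """Security group semantics: unordered allow rules; any match allows,
    otherwise the traffic is implicitly denied. There is no deny rule."""
    for r_proto, (lo, hi), cidr in rules:
        if (r_proto in ("all", proto) and lo <= port <= hi
                and ip_address(ip) in ip_network(cidr)):
            return "allow"
    return "deny"


def nacl_allows_connection(inbound, outbound, client_ip, dst_port, ephemeral_port):
    """Stateless: the request (inbound, to dst_port) AND the reply (outbound,
    to the client's ephemeral port) must each match an allow rule."""
    return (nacl_evaluate(inbound, client_ip, dst_port) == "allow"
            and nacl_evaluate(outbound, client_ip, ephemeral_port) == "allow")


def sg_allows_connection(inbound, client_ip, dst_port):
    """Stateful: once the request is allowed inbound, the reply is allowed
    automatically, so outbound rules are not consulted for it."""
    return sg_evaluate(inbound, client_ip, dst_port) == "allow"


# Subnet NACL that blocks one address on 443 ahead of the general allow.
GOOD_INBOUND = [
    (90,  "tcp", (443, 443), "203.0.113.7/32", "deny"),
    (100, "tcp", (443, 443), "0.0.0.0/0",      "allow"),
]
# Same rules, but the deny is numbered AFTER the allow, so it never fires.
BAD_INBOUND = [
    (100, "tcp", (443, 443), "0.0.0.0/0",      "allow"),
    (110, "tcp", (443, 443), "203.0.113.7/32", "deny"),
]
# Outbound must explicitly allow replies to the clients' ephemeral ports.
OUTBOUND = [
    (100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
]
# Instance security group: HTTPS from anywhere, nothing else.
SG_INBOUND = [("tcp", (443, 443), "0.0.0.0/0")]

if __name__ == "__main__":
    print("NACL, deny numbered first :", nacl_evaluate(GOOD_INBOUND, "203.0.113.7", 443))
    print("NACL, deny numbered last  :", nacl_evaluate(BAD_INBOUND, "203.0.113.7", 443))
    print("NACL without ephemeral out:", nacl_allows_connection(GOOD_INBOUND, [], "198.51.100.9", 443, 51022))
    print("NACL with ephemeral out   :", nacl_allows_connection(GOOD_INBOUND, OUTBOUND, "198.51.100.9", 443, 51022))
    print("SG, same attacker on 443  :", sg_evaluate(SG_INBOUND, "203.0.113.7", 443))
    print("SG stateful reply         :", sg_allows_connection(SG_INBOUND, "198.51.100.9", 443))
```

The `BAD_INBOUND` case is the usual mistake when blocking an address with a NACL: the deny is added with the next free number, lands after the broad allow, and silently does nothing.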
How do you create a VPC endpoint?
- Select the service (e.g. S3; S3 and DynamoDB use gateway endpoints, most other services use interface endpoints)
- Select the VPC
- For a gateway endpoint, select the route tables to update (typically those of the private subnets); for an interface endpoint, select the subnets and a security group
- Note the route that is added to the selected route tables: the service's prefix list with the endpoint as target
- Specify the endpoint policy that restricts which principals and resources (e.g. which S3 buckets) may be reached through the endpoint
How do you set up a NAT gateway?
1a. Create the NAT gateway in a public subnet
1b. Allocate an Elastic IP and attach it to the NAT gateway
2. Edit the route table of the private subnet
3. Add a route that sends Internet-bound traffic through the NAT gateway:
destination 0.0.0.0/0, target the NAT gateway
How do you set up VPC peering?
The two VPCs can be in the same or different Regions, and in the same or another AWS account
No CIDR conflicts between the two VPCs
Create the peering connection by selecting the local (requester) VPC and the peer (accepter) VPC; the owner of the peer VPC must accept the request
In both VPCs, add a route for the other VPC's CIDR with the peering connection as the target; security groups and NACLs must also allow the traffic
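The route-table cards earlier in the deck and the three procedures above (VPC endpoint, NAT gateway, VPC peering) all come down to what ends up in a subnet's route table and how a destination is matched against it. The following added Python example, which is not code from the original flashcards, models a private subnet's route table after all three steps and resolves destinations by longest-prefix match; every resource ID and CIDR is constructed, and the S3 prefix list is stood in for by a made-up CIDR:

```python
from ipaddress import ip_address, ip_network

# Constructed identifiers (hypothetical)
VPC_A = "10.0.0.0/16"
VPC_B = "10.1.0.0/16"
PCX = "pcx-0a1b2c3d4e5f60718"    # peering connection A <-> B
NAT = "nat-0a1b2c3d4e5f60718"    # NAT gateway in A's public subnet
IGW = "igw-0a1b2c3d4e5f60718"
VPCE = "vpce-0a1b2c3d4e5f60718"  # S3 gateway endpoint
# Stand-in for the S3 prefix list (pl-xxxx) that a gateway endpoint adds as a
# destination; the real list is resolved by AWS, this CIDR is made up.
PREFIX_LISTS = {"pl-s3": ["203.0.113.0/24"]}

# Private subnet of VPC A after: peering route, endpoint route, NAT default route
PRIVATE_RT_A = [
    (VPC_A, "local"),
    (VPC_B, PCX),
    ("pl-s3", VPCE),
    ("0.0.0.0/0", NAT),
]
PUBLIC_RT_A = [(VPC_A, "local"), ("0.0.0.0/0", IGW)]
# Peer VPC B: route back to A is present ...
RT_B = [(VPC_B, "local"), (VPC_A, PCX)]
# ... and the common mistake, the return route forgotten on the B side
RT_B_MISSING = [(VPC_B, "local")]


def lookup(route_table, dst_ip):
    """Resolve a destination by longest-prefix match: the most specific
    matching destination wins, regardless of the order routes were added."""
    ip = ip_address(dst_ip)
    best = None
    for dest, target in route_table:
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            net = ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
    return best[1] if best else None


def peering_works(rt_a, rt_b, host_a, host_b):
    """A peering connection only carries traffic when BOTH route tables send
    the other VPC's addresses to the pcx (the reply path matters too)."""
    return lookup(rt_a, host_b) == PCX and lookup(rt_b, host_a) == PCX


if __name__ == "__main__":
    for dst in ("10.0.3.4", "10.1.9.9", "203.0.113.50", "93.184.216.34"):
        print(f"{dst:>15} -> {lookup(PRIVATE_RT_A, dst)}")
    print("peering, both routes:", peering_works(PRIVATE_RT_A, RT_B, "10.0.3.4", "10.1.9.9"))
    print("peering, B route missing:", peering_works(PRIVATE_RT_A, RT_B_MISSING, "10.0.3.4", "10.1.9.9"))
```

Two things worth noticing in the output: S3 addresses go to the endpoint rather than the NAT gateway because the prefix list is more specific than 0.0.0.0/0, and a peering route present on only one side resolves to the pcx for the request but leaves the reply with no route at all.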
By default, is outbound traffic allowed by a security group regardless of its rules?
False. A new security group comes with one default outbound rule that allows all traffic; if you remove that rule, outbound traffic is denied like anything else not explicitly allowed.