VPC Flashcards
What are the 3 IP address ranges reserved for private networks (RFC 1918)?
1) 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
2) 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
3) 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
Do you have to create your own VPC when running a new EC2 instance?
No. Every region comes with a default VPC (one public subnet per AZ), and a new EC2 instance launches into it unless you pick another VPC.
What is VPC peering?
A networking connection between two VPCs that routes traffic between them over private IP addresses, so instances in either VPC communicate as if they were in the same network. The two CIDR blocks must not overlap, and you must add routes to the peer's CIDR in each side's route tables.
What is a VPC?
A logical data center in the cloud
What are the 5 main components of a VPC?
1) Internet gateways (or virtual private gateways)
2) Route tables
3) Network Access Control Lists
4) Subnets (a subnet lives in exactly one AZ; an AZ can hold many subnets)
5) Security groups
Are Security groups stateful or stateless?
Stateful. If an inbound rule allows a port (e.g. 22), the reply traffic is allowed out automatically regardless of the outbound rules, and vice versa. Security groups contain allow rules only; there are no deny rules.
What is a NACL?
Network Access Control List
Are NACL stateful or stateless?
Stateless. Inbound and outbound rules are evaluated independently, so return traffic must be allowed explicitly too (e.g. an outbound allow for the ephemeral port range 1024-65535 when inbound port 22 is open).
Is transitive allowed for VPCs?
No, transitive peering is not supported. If VPC A peers with B and B peers with C, A cannot reach C through B; peering is strictly one-to-one, so A needs its own peering connection with C. Routes are not propagated across peerings either: you add them to each VPC's route tables yourself.
When a custom VPC is created what is created by default?
1) Route table
2) NACL
3) A security group (default)
What 2 things will not be created when a custom VPC is created?
1) Subnet
2) Default internet gateway
Are AZ names mapped the same way for two independent AWS accounts?
No. AZ names such as us-east-1a are mapped to physical AZs independently for each account, so us-east-1a in one account may be a different data center from us-east-1a in another. AZ IDs (e.g. use1-az1) identify the same physical AZ across accounts.
How many IP addresses are reserved within your subnet?
5: the network address, the VPC router (network address + 1), the Amazon-provided DNS server (+2), one address reserved for future use (+3), and the network broadcast address (the last address; broadcast is not supported in a VPC).
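To make the reserved-address rule concrete, here is an added helper (not part of the original flashcards) that computes the five reserved addresses and the usable host count for any IPv4 subnet CIDR, and rejects prefix lengths AWS does not allow for a subnet (/16 to /28). The CIDRs in the demo are constructed.

```python
import ipaddress

# Offsets AWS reserves at the start of every IPv4 subnet; the last address
# (the network broadcast address) is reserved as well.
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS (Route 53 Resolver)",
    3: "reserved for future use",
}


def reserved_addresses(cidr):
    """Return {address: reason} for the five addresses AWS reserves in a subnet.

    Raises ValueError for a CIDR with host bits set, for IPv6, or for a prefix
    length outside the /16 to /28 range AWS allows for a VPC subnet.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("this helper covers IPv4 subnets only")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    reserved = {
        str(net.network_address + offset): reason
        for offset, reason in RESERVED_OFFSETS.items()
    }
    reserved[str(net.broadcast_address)] = "network broadcast address (broadcast is not supported in a VPC)"
    return reserved


def usable_hosts(cidr):
    """Number of addresses you can actually assign to network interfaces in the subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(reserved_addresses(cidr))


if __name__ == "__main__":
    # Constructed example subnets.
    for cidr in ("10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/28"):
        print(cidr, usable_hosts(cidr), "usable")   # 65531, 251 and 11 respectively
        for address, reason in reserved_addresses(cidr).items():
            print("  ", address, "-", reason)
```

The /28 case is the one that catches people out: the smallest subnet AWS allows has 16 addresses but only 11 you can use, so a /28 for a three-AZ NAT or endpoint subnet leaves little room for growth.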
What is the maximum number of internet gateways you can have in a VPC?
1
What does NAT stand for?
Network Address Translation
What is a NAT instance used for?
A NAT instance lets instances in a private subnet initiate outbound connections to the internet (e.g. for package updates) while the internet cannot initiate connections to them. You must disable the instance's source/destination check, otherwise it will not forward traffic that is not addressed to itself.
Where must NAT instances be situated?
They must be situated in a public subnet. There must be a route out of the private subnet to the NAT instance in order for this to work.
What is the most likely bottle neck of traffic in a NAT instance based network architecture?
The network bandwidth of the NAT instance type, and the instance is also a single point of failure. Use a larger instance type (or replace it with a NAT gateway) to relieve the bottleneck.
Are NAT instances in front or behind a security group?
Behind. A NAT instance is an ordinary EC2 instance, so it has a security group, and that group must allow the traffic it forwards in both directions.
How does a NAT gateway work?
The private subnet's route table sends 0.0.0.0/0 to the NAT gateway. The NAT gateway sits in a public subnet, forwards the traffic through the internet gateway using its Elastic IP as the source address, and maps the replies back to the originating instance.
Are NAT gateways in front or behind a security group?
In front. A NAT gateway cannot be associated with a security group; filter traffic to or from it with the NACL of its subnet, or with the security groups of the instances behind it.
What are the advantages of using a NAT gateway?
1) Redundant within an AZ (AWS manages the availability of the gateway itself)
2) Preferred by enterprise
3) Scales automatically: 5 Gbps baseline, up to 100 Gbps (the limit was 45 Gbps when these cards were written)
4) No need to patch (unlike NAT instances)
5) Uses an Elastic IP address that is associated with it when it is created
What is NAT-based AZ-independent architecture, and how does it reduce the potential for failure?
A NAT gateway lives in one AZ. Deploy a NAT gateway in each AZ and point each private subnet's route table at the NAT gateway in its own AZ, so the loss of one AZ does not cut off internet access for resources in the others.
What traffic does the default NACL of a custom VPC allow?
All inbound and outbound traffic.
When you create a custom ACL, by default what traffic is allowed?
By default a custom NACL denies all inbound and outbound traffic until you add allow rules.
What will happen if you do not associate a subnet in a VPC with a network ACL?
If you do not associate a subnet with a NACL it is automatically associated with the VPC's default NACL, which allows all inbound and outbound traffic.
Can you block IP addresses using a security group?
No. Security group rules are allow-only, so you cannot deny a specific address with one; block an IP address or range with a NACL deny rule.
Can you associate a network ACL with multiple subnets?
Yes, however a subnet can only be associated with one NACL at a time
How does a NACL work?
It is a numbered list of rules evaluated in ascending order starting with the lowest number; the first rule that matches the traffic is applied and evaluation stops. Rule numbers run from 1 to 32766, and the final "*" rule denies anything no earlier rule matched.
NACLs have separate inbound and outbound rule lists, and each rule either allows or denies traffic.
What order must allow and deny rules go in?
Because the first matching rule wins, a deny rule must have a lower number than any allow rule that would also match the same traffic; if the broader allow comes first, the deny is never reached.
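The stateful/stateless distinction and the first-match rule ordering are easiest to see by evaluating rules the way the VPC does. The following added example (not part of the original flashcards) models a NACL as an ordered, first-match-wins rule list with an implicit "*" deny, and a security group as a stateful allow-only list; the rule sets and addresses are constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass

# Source-port range a Linux client (and NAT gateways / load balancers) uses for
# new connections; replies to it must be explicitly allowed out of a NACL.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (lowest evaluated first); unused for security groups
    action: str      # "allow" or "deny" (security groups only ever "allow")
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str

    def matches(self, protocol, port, address):
        return (self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr))


def nacl_decision(rules, protocol, port, address):
    """NACL semantics: walk rules by ascending number, first match wins.

    Returns (action, rule_number); the implicit '*' rule denies whatever
    no numbered rule matched.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, address):
            return rule.action, rule.number
    return "deny", "*"


def nacl_allows_session(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """Stateless: the request (inbound) and the reply (outbound) are judged separately."""
    request, _ = nacl_decision(inbound, protocol, server_port, client_ip)
    reply, _ = nacl_decision(outbound, protocol, client_port, client_ip)
    return request == "allow" and reply == "allow"


def sg_allows_session(inbound, client_ip, server_port, protocol="tcp"):
    """Stateful: if any inbound allow rule matches, the reply is permitted implicitly."""
    return any(r.matches(protocol, server_port, client_ip) for r in inbound)


# Constructed rule sets (hypothetical, not from the page).
ALLOW_SSH_ANY = Rule(100, "allow", "tcp", 22, 22, "0.0.0.0/0")
DENY_BAD_HOST_FIRST = Rule(50, "deny", "tcp", 22, 22, "203.0.113.5/32")
DENY_BAD_HOST_LATE = Rule(200, "deny", "tcp", 22, 22, "203.0.113.5/32")
ALLOW_EPHEMERAL_OUT = Rule(100, "allow", "tcp", *EPHEMERAL_PORTS, "0.0.0.0/0")


if __name__ == "__main__":
    # A deny numbered above the broad allow never fires: the allow matches first.
    print(nacl_decision([ALLOW_SSH_ANY, DENY_BAD_HOST_LATE], "tcp", 22, "203.0.113.5"))   # ('allow', 100)
    print(nacl_decision([ALLOW_SSH_ANY, DENY_BAD_HOST_FIRST], "tcp", 22, "203.0.113.5"))  # ('deny', 50)
    # Inbound 22 open but no outbound rule for the reply: SSH still fails through a NACL.
    print(nacl_allows_session([ALLOW_SSH_ANY], [], "198.51.100.7", 51515, 22))                     # False
    print(nacl_allows_session([ALLOW_SSH_ANY], [ALLOW_EPHEMERAL_OUT], "198.51.100.7", 51515, 22))  # True
    # The same single inbound rule is enough for a stateful security group.
    print(sg_allows_session([ALLOW_SSH_ANY], "198.51.100.7", 22))                                  # True
```

The misordered-deny case is the classic NACL mistake: adding a block for a hostile address at rule 200 under an existing allow-all at rule 100 silently does nothing, and the console gives no warning.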
What is the minimum number of public subnets needed to deploy an internet facing load balancer?
2, in two different AZs (an Application Load Balancer requires a subnet in at least two AZs).
Can you enable VPC flow logs for peered VPCs that are not in your account?
No. You can enable flow logs for a peered VPC only if that VPC is in your own AWS account.
Can you change the configuration of a flow log? e.g. associating a new IAM role with the flow log?
No, you cannot change the configuration of a flow log once created
Is all traffic monitored within a VPC flow log?
No. Traffic that is not captured includes:
1) Traffic to the Amazon-provided DNS server (queries to your own DNS server are logged)
2) Traffic from a Windows instance for Amazon Windows license activation
3) Traffic to and from the instance metadata service (169.254.169.254) and the Amazon Time Sync Service (169.254.169.123)
4) DHCP traffic and traffic to the reserved IP address of the VPC router
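Flow logs are the main VPC-level signal a defender has, so here is an added example (not from the original flashcards) that parses records in the default flow log format and flags internet sources with repeated REJECTed SSH attempts against an interface. The six log lines are constructed for the demo; the account ID, ENI and addresses are made up.

```python
import ipaddress
from collections import Counter

# Field order of the default VPC flow log record format.
FLOW_LOG_FIELDS = (
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
)

# Constructed sample records (not real logs): three rejected SSH attempts from
# one internet address, one accepted HTTPS session, one SSH session from inside
# the VPC, and a NODATA record that carries no addresses.
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 54321 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 54322 22 6 1 44 1700000001 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.12 10.0.1.25 54323 22 6 1 44 1700000002 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.9 10.0.1.25 40001 443 6 12 3000 1700000005 1700000065 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.40 10.0.1.25 50000 22 6 5 600 1700000010 1700000070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000010 1700000070 - NODATA
"""

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP = 6


def parse_flow_log(text):
    """Parse default-format records into dicts; skip NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(FLOW_LOG_FIELDS):
            continue
        rec = dict(zip(FLOW_LOG_FIELDS, fields))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_private(address):
    """True if the address falls in one of the RFC 1918 private ranges."""
    return any(ipaddress.ip_address(address) in net for net in RFC1918)


def rejected_ssh_by_external_source(records, threshold=3):
    """Count REJECTed TCP/22 flows per non-RFC1918 source; report sources at or above threshold."""
    counts = Counter(
        rec["srcaddr"] for rec in records
        if rec["action"] == "REJECT" and rec["protocol"] == TCP
        and rec["dstport"] == 22 and not is_private(rec["srcaddr"])
    )
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    records = parse_flow_log(SAMPLE_RECORDS)
    print(len(records), "usable records")             # 5
    print(rejected_ssh_by_external_source(records))   # {'203.0.113.12': 3}
```

A REJECT in a flow log does not say whether a security group or a NACL dropped the packet, and the traffic listed as not captured above never appears at all, so a flow-log-based detection should be read as "what reached the ENI and was refused", not as a full packet capture.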
What is a bastion host?
A bastion host is a hardened instance in a public subnet that you connect to over SSH (Linux) or RDP (Windows) and then use as a jump point to reach instances in private subnets, so those instances are never exposed to the internet directly.
Its security group should restrict inbound SSH/RDP to known source addresses, and the private instances' security groups should allow SSH/RDP only from the bastion's security group, giving fine-grained ingress control.
Can you use NAT gateway as a bastion host?
No. A NAT gateway only forwards connections initiated by instances in private subnets; it does not accept inbound sessions, so it cannot be used to log in to them.
What is Direct connect?
A method to directly connect your data center to AWS.
What is the use case for a direct connect?
Useful for high-throughput workloads (lots of network traffic) and when you need a stable, predictable connection. Note that Direct Connect is a private link, not an encrypted one: for encryption in transit run a Site-to-Site VPN over it or use MACsec on supported connections.
What is a VPC endpoint?
Lets you privately connect your VPC to supported AWS services without traversing the public internet, an internet gateway, a NAT device, a VPN or Direct Connect, so instances do not need public IP addresses. ** ALL WITHIN THE AWS NETWORK **
e.g. Instance > gateway endpoint > S3 bucket.
What are the 2 types of VPC endpoints?
1) Interface endpoints: an elastic network interface with a private IP address in your subnet, powered by AWS PrivateLink (most services, e.g. the machine learning services, KMS, SQS)
2) Gateway endpoints: a target in a route table, used for S3 and DynamoDB
What are the 5 steps to creating your own VPC?
1) Create the VPC with a CIDR block (e.g. 10.0.0.0/16), then create subnets
- -> Select VPC > set AZ > name subnet
2) Configure access to instances in the VPC
- -> Enable auto-assignment of public IPs on the public subnet only (off by default in a custom VPC)
3) Create an internet gateway and attach it to the VPC
4) Configure the route tables
- -> Create 2: one public route table with 0.0.0.0/0 (and ::/0 for IPv6) pointing at the internet gateway, and one private route table with only the local route for internal access. Associate the public subnet with the public route table; subnets without an explicit association use the main route table, so keep the main route table private.
5) Create an EC2 instance and select the VPC and subnet association
What is a VPN
Virtual Private Network
Lets you establish a secure and private encrypted tunnel from your network or device to the AWS global network
What are the 2 components of an AWS Site-to-Site VPN?
1) Customer gateway (your side of the tunnel, e.g. a firewall or router in your data center)
2) Virtual private gateway (the AWS side, attached to the VPC)
Are all EC2 instances assigned a private and a public IP address by default?
No. Every instance gets a private IP address from its subnet. A public IP address is assigned only if the subnet's auto-assign public IP setting is on (it is on for default VPC subnets and off for subnets in a custom VPC) or you associate an Elastic IP.
By default how many VPCs can you have per region?
5 (a soft limit that can be raised on request)
True or False: by default, instances in new subnets in a custom VPC can communicate with each other across AZs
True. Every route table contains a local route for the VPC's CIDR that cannot be removed, so subnets in different AZs can reach each other (subject to security groups and NACLs).
What is the purpose of an egress only internet gateway?
An egress-only internet gateway lets IPv6 traffic from instances in the VPC out to the internet while preventing the internet from initiating IPv6 connections back to them. It is the IPv6 counterpart of a NAT gateway, needed because IPv6 addresses are globally routable and there is no NAT for them.
Can you conduct your own vulnerability scans on your AWS environment?
Yes. Under the AWS penetration testing policy you may test your own resources on the listed services (e.g. EC2, RDS, Lambda, CloudFront, API Gateway) without prior approval; other activities such as DoS/DDoS simulation require authorization from AWS, and some (e.g. DNS zone walking of Route 53 hosted zones) are prohibited.
How many subnets can you create per VPC?
200 per VPC by default (a soft limit)
What is a route table?
A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed. Each subnet is associated with exactly one route table, and the most specific route that matches the destination (longest prefix match) is used.
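To tie the route table definition to the public/private route table layout from step 4 of the VPC build steps, here is an added example (not from the original flashcards) that performs longest-prefix lookups against the two tables and applies AWS's test for a public subnet. The VPC CIDR, IPv6 block and gateway IDs are hypothetical.

```python
import ipaddress

# Constructed route tables for the two-table layout (one public, one private).
# VPC CIDR, IPv6 block and gateway IDs are hypothetical.
VPC_CIDR = "10.0.0.0/16"
VPC_IPV6 = "2001:db8:1234::/56"
IGW, NAT, EIGW = "igw-0123456789abcdef0", "nat-0123456789abcdef0", "eigw-0123456789abcdef0"

PUBLIC_RT = [
    (VPC_CIDR, "local"),
    (VPC_IPV6, "local"),
    ("0.0.0.0/0", IGW),   # IPv4 default route out through the internet gateway
    ("::/0", IGW),        # IPv6 default route through the same internet gateway
]
PRIVATE_RT = [
    (VPC_CIDR, "local"),
    (VPC_IPV6, "local"),
    ("0.0.0.0/0", NAT),   # outbound-only IPv4 via a NAT gateway in a public subnet
    ("::/0", EIGW),       # outbound-only IPv6 via an egress-only internet gateway
]


def lookup_route(route_table, destination):
    """Pick the target the way a VPC route table does: most specific (longest prefix) match.

    Returns None when no route covers the destination (the packet is dropped).
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version == dst.version and dst in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    return None if best is None else best[1]


def is_public_subnet(route_table):
    """AWS's definition: a subnet is public if its route table sends a default route to an IGW."""
    return any(cidr in ("0.0.0.0/0", "::/0") and target.startswith("igw-")
               for cidr, target in route_table)


if __name__ == "__main__":
    for name, table in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        print(name, "route table, public subnet:", is_public_subnet(table))
        for dst in ("10.0.1.10", "93.184.216.34", "2001:db8:1234:1::10", "2606:4700::1111"):
            print("  ", dst, "->", lookup_route(table, dst))
```

The `is_public_subnet` check is the one to run during a review: a subnet becomes internet-facing the moment its route table gains a 0.0.0.0/0 route to an IGW, and if auto-assign public IP is also on, every instance launched there is reachable from the internet subject only to its security group.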