VPC Flashcards
VPC. What does it stand for, and what is it?
Virtual Private Cloud.
A logically isolated virtual network inside one AWS region, with an address range, subnets, routing and firewalling that you define.
VPC limit per account?
5 VPCs per region per account by default (a soft quota that can be raised).
What’s a subnet?
A range of IP addresses carved out of the VPC’s CIDR block, tied to a single Availability Zone, into which you launch resources.
True or false. Subnets must reside in the CIDR block of their parent VPC?
True. Each subnet’s CIDR must lie entirely within the VPC’s CIDR block (or one of its secondary CIDR blocks) and must not overlap any other subnet in the VPC.
CIDR stands for?
Classless Inter-Domain Routing.
True or false. Instances in a public subnet have both a public and a private IP address.
True. The private IP comes from the subnet’s CIDR; the public IP (auto-assigned or an Elastic IP) is mapped to it by the internet gateway.
For a subnet to be made public, you must carry out two actions. What are they?
Create an internet gateway and attach it to the VPC.
Add a route for 0.0.0.0/0 to the subnet’s route table with that internet gateway as the target. (Instances also need a public or Elastic IP to be reachable.)
The two types of subnet are.
Public
Private
IGW stands for?
Internet gateway.
True or false. To make an application highly available, resources should be placed in subnets spread across multiple AZs.
True.
Every route table has a default route that cannot be deleted or modified. It lets all subnets in the VPC talk to each other. What is this route?
The local route: the VPC’s CIDR block (for example 10.0.0.0/16) with target "local".
1st address in an AWS subnet is reserved for…
The network address.
2nd address in an AWS subnet is reserved for…
The VPC router.
3rd address in an AWS subnet is reserved for…
DNS (the Amazon-provided resolver; instances reach it at the VPC base address plus two, or at 169.254.169.253).
4th address in an AWS subnet is reserved for…
AWS future use.
Last address in an AWS subnet is reserved for…
The network broadcast address. Broadcast is not supported in a VPC, but the address is still reserved.
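A worked example, added here and not part of the original flashcards: Python’s ipaddress module is used to check that candidate subnets fit inside a VPC CIDR, to compute the five addresses AWS reserves in each subnet, and to count the hosts that remain. The VPC and subnet CIDRs are constructed sample values.

```python
import ipaddress

# Constructed example VPC and candidate subnets (not from the original flashcards).
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDRS = ["10.0.1.0/24", "10.0.2.0/28", "10.1.0.0/24"]

# AWS reserves five addresses in every IPv4 subnet: network, VPC router,
# DNS, future use, and broadcast.
AWS_RESERVED_COUNT = 5


def subnet_in_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    """A subnet's CIDR must sit entirely inside its parent VPC's CIDR."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def audit_subnets(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Return the subnets that do NOT fit inside the VPC (AWS would reject these)."""
    return [s for s in subnet_cidrs if not subnet_in_vpc(vpc_cidr, s)]


def reserved_addresses(subnet_cidr: str) -> dict:
    """Compute the five reserved addresses of a subnet, keyed by what AWS uses them for."""
    net = ipaddress.ip_network(subnet_cidr)
    base = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an instance can actually receive: block size minus the five reserved ones.

    AWS only allows IPv4 subnet masks between /16 and /28.
    """
    net = ipaddress.ip_network(subnet_cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet_cidr}: AWS subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_COUNT


if __name__ == "__main__":
    for bad in audit_subnets(VPC_CIDR, SUBNET_CIDRS):
        print(f"{bad} is outside {VPC_CIDR}")
    for cidr in SUBNET_CIDRS:
        if subnet_in_vpc(VPC_CIDR, cidr):
            print(cidr, usable_hosts(cidr), "usable", reserved_addresses(cidr))
```

Note that a /28, the smallest subnet AWS permits, leaves only 11 usable addresses once the five reserved ones are removed; a /29 is rejected outright.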
NACL stands for?
Network Access Control List.
What is the purpose of a NACL?
A stateless firewall at the subnet boundary; it supports both allow and deny rules and applies to every instance in the subnet.
True or false. NACLs contain a numbered list of rules that are evaluated in order.
True. Rules are evaluated in ascending rule-number order and the first match wins; traffic that matches no rule hits the final "*" rule and is denied.
What’s the purpose of a security group?
A stateful, allow-only firewall at the resource level (attached to an instance’s network interface).
Security groups are stateful. What does this mean?
If a request is allowed in one direction, the response is automatically allowed back in the other; you never write rules for return traffic.
NACLs are stateless. What does this mean?
Return traffic is evaluated like any other traffic. An inbound allow for port 443 needs a matching outbound allow for the clients’ ephemeral ports (1024-65535), and outbound requests need an inbound allow for the replies.
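Added example (not from the original flashcards): a small simulator of NACL rule evaluation that demonstrates the points above together: ordered first-match evaluation with the implicit deny, what happens when a deny for a hostile range is numbered above versus below a broad allow, and why a stateless filter needs an outbound rule for ephemeral ports before replies to an allowed inbound request can leave the subnet. The rule sets, the hostile range and the client address are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    """One numbered NACL entry. 'cidr' is the source for inbound rules and the
    destination for outbound rules. Lower numbers are evaluated first."""
    number: int
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str
    port_from: int
    port_to: int
    action: str          # "allow" or "deny"


def evaluate(rules, protocol: str, remote_ip: str, port: int) -> str:
    """Apply NACL semantics: walk the rules in ascending rule number and return
    the action of the first one that matches. No match falls through to the
    implicit '*' rule, which denies."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def tcp_connection(inbound, outbound, client_ip: str, client_port: int, server_port: int):
    """Because NACLs are stateless, one TCP connection is checked twice: the
    client's SYN against the inbound rules (destination port = server_port) and
    the server's reply against the outbound rules (destination port =
    client_port, an ephemeral port). Returns both verdicts."""
    request = evaluate(inbound, "tcp", client_ip, server_port)
    reply = evaluate(outbound, "tcp", client_ip, client_port)
    return request, reply


# Constructed rule sets for a subnet hosting an HTTPS server (assumed, not from the page).
# Rule 90 blocks a hostile range; it must carry a LOWER number than the broad allow.
INBOUND = [
    NaclRule(90, "tcp", "198.51.100.0/24", 0, 65535, "deny"),
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# The same deny placed AFTER the allow: the allow matches first, so the block never fires.
INBOUND_MISORDERED = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(200, "tcp", "198.51.100.0/24", 0, 65535, "deny"),
]
# Outbound set that forgot the ephemeral port range: replies to clients are dropped.
OUTBOUND_BROKEN = [NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
# Outbound set that allows return traffic to clients' ephemeral ports.
OUTBOUND_OK = [NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]


if __name__ == "__main__":
    print(tcp_connection(INBOUND, OUTBOUND_BROKEN, "203.0.113.10", 54321, 443))  # ('allow', 'deny')
    print(tcp_connection(INBOUND, OUTBOUND_OK, "203.0.113.10", 54321, 443))      # ('allow', 'allow')
    print(evaluate(INBOUND, "tcp", "198.51.100.7", 443))              # deny
    print(evaluate(INBOUND_MISORDERED, "tcp", "198.51.100.7", 443))   # allow
```

The misordered set is the classic mistake when blocking an attacker in a hurry: a deny added with a higher number than an existing wide allow does nothing, because evaluation stops at the first match.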
What’s the purpose of a NAT gateway?
It lets resources in a private subnet initiate connections out to the internet (for updates, external APIs and so on) while remaining unreachable from the internet.
True or false. NAT gateways do not respond to incoming requests from the internet?
True. They only pass return traffic for connections that were initiated from inside the VPC.
Steps that must be taken to get a NAT gateway up and running?
Create the NAT gateway in a public subnet and allocate an Elastic IP to it.
Add a route for 0.0.0.0/0 to the private subnet’s route table with the NAT gateway as the target.
NAT stands for?
Network Address Translation.
What’s the purpose of a bastion host?
A hardened jump host in a public subnet that you connect to first, then hop from to instances in private subnets, so those instances need no public IP.
Eg SSH from your home computer to the bastion, then from the bastion to an EC2 instance in a private subnet.
What resource is used to create a bastion host on AWS?
EC2.
Private keys for other servers should never be stored on the bastion. How do you get around this?
SSH agent forwarding (ssh -A): the key stays on your workstation and the bastion only relays the authentication challenge.
What does a transit gateway do?
It is a central hub that connects many VPCs and on-premises networks (over VPN or Direct Connect) through one attachment each, replacing a mesh of VPC peerings.
If your VPN device DOES support BGP (Border Gateway Protocol) you should enable…
Dynamic routing.
If your VPN device DOES NOT support BGP (Border Gateway Protocol) you should specify…
Static routing.
True or false. A subnet is automatically created when you create a VPC?
False. You create subnets yourself.
When creating a VPC, AWS automatically creates (or associates) four things.
The default DHCP options set (associated with the new VPC)
A main route table
A default network ACL
A default security group
True or false. An internet gateway is highly available, redundant and horizontally scalable.
True.
An ENI can be attached directly to a running instance. What is this practice known as?
A hot attach. (Attaching to a stopped instance is a warm attach.)
Attaching an ENI to an instance during launch is known as…
A cold attach.
Where are VPC flow logs delivered?
CloudWatch Logs or Amazon S3 (Kinesis Data Firehose is also supported).
Once a VPC flow log has been created, can its configuration be modified?
No. Delete it and create a new one.
VPC flow logs can capture traffic at which levels?
A single network interface (ENI)
A subnet (every ENI in it)
The whole VPC
Each VPC flow log record aggregates traffic over a time window (the aggregation interval). How long is this window?
Up to 10 minutes by default; it can be set to 1 minute instead.
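Added example, not part of the original flashcards: a parser for default-format (version 2) flow log records that drops NODATA/SKIPDATA records, then uses the REJECT records inside one aggregation window to flag a source that is probing many distinct ports. The log lines are constructed sample data, not real captures; the account ID, ENI ID and addresses are made up.

```python
from collections import defaultdict

# Constructed flow log records in the default (version 2) format; these are
# made-up sample lines, not real captured data. Field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 44312 22 6 1 40 1700000000 1700000600 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 44313 23 6 1 40 1700000000 1700000600 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 44314 3389 6 1 40 1700000000 1700000600 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.10 44315 8080 6 1 40 1700000000 1700000600 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.10 52000 443 6 20 6000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.10 52001 443 6 10 3000 1700000000 1700000600 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000600 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")


def parse_record(line):
    """Parse one default-format record into a dict. Records whose log-status is
    NODATA or SKIPDATA carry no traffic fields and are dropped."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse a whole log body, silently skipping unparseable or empty records."""
    return [r for r in (parse_record(line) for line in text.splitlines()) if r is not None]


def rejected_ports_by_source(records):
    """Distinct destination ports on which each source address was REJECTed."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return dict(ports)


def suspected_scanners(records, min_ports=3):
    """Sources rejected on at least min_ports distinct ports within the window
    look like port scans; returned sorted for stable output."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


def window_seconds(records):
    """Length of the aggregation window each record covers (end - start)."""
    return {r["end"] - r["start"] for r in records}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "records; window lengths:", window_seconds(recs))
    print("suspected scanners:", suspected_scanners(recs))
```

The end minus start value in each record (600 s in the sample) is the aggregation window, so one record can summarise many packets; a REJECT record with a single packet on each of several ports is exactly what a scan against a security group or NACL looks like.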
A route table can be associated with how many subnets?
Many. One route table can serve any number of subnets in its VPC.
Can a subnet be associated with multiple route tables?
No. A subnet has exactly one route table; if you give it no explicit association it uses the VPC’s main route table.
Within a public subnet, what does an instance’s public IP address provide?
Communication with external resources over the internet; the internet gateway translates between the public IP and the instance’s private IP.
What does the local route on a route table enable?
Communication between all subnets within the VPC.
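Added example, not from the original flashcards: an audit over a constructed VPC inventory that resolves each subnet to its single route table (its explicit association, or the main table when it has none), classifies subnets as public or private by whether the default route points at an internet gateway, and checks that every table still carries the local route. The subnet, route table and gateway IDs are made up.

```python
from collections import Counter

# Constructed inventory of one VPC (assumed names and IDs, not from the original page).
VPC_CIDR = "10.0.0.0/16"
ROUTE_TABLES = {
    # Every route table carries the immutable local route for the VPC CIDR.
    "rtb-main":    {"main": True,  "routes": [(VPC_CIDR, "local")]},
    "rtb-public":  {"main": False, "routes": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0abc1234")]},
    "rtb-private": {"main": False, "routes": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-0def5678")]},
}
SUBNETS = ["subnet-web", "subnet-app", "subnet-db"]
# Explicit subnet -> route table associations. subnet-db has none, so it
# falls back to the main route table.
ASSOCIATIONS = [("subnet-web", "rtb-public"), ("subnet-app", "rtb-private")]


def effective_route_table(subnet_id, route_tables, associations):
    """A subnet is associated with exactly one route table: its explicit
    association if it has one, otherwise the VPC's main route table."""
    explicit = [rtb for sub, rtb in associations if sub == subnet_id]
    if len(explicit) > 1:
        raise ValueError(f"{subnet_id} has {len(explicit)} route table associations; AWS allows one")
    if explicit:
        return explicit[0]
    mains = [rtb for rtb, t in route_tables.items() if t["main"]]
    if len(mains) != 1:
        raise ValueError("a VPC has exactly one main route table")
    return mains[0]


def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route, or None if the table has no default route."""
    for destination, target in route_table["routes"]:
        if destination == "0.0.0.0/0":
            return target
    return None


def classify_subnets(subnets, route_tables, associations):
    """Label a subnet 'public' if its route table sends 0.0.0.0/0 to an internet
    gateway, otherwise 'private' (no default route, or one via a NAT gateway)."""
    result = {}
    for subnet_id in subnets:
        rtb_id = effective_route_table(subnet_id, route_tables, associations)
        target = default_route_target(route_tables[rtb_id])
        result[subnet_id] = "public" if target and target.startswith("igw-") else "private"
    return result


def missing_local_route(route_tables, vpc_cidr):
    """Sanity check: every route table must still contain the VPC's local route."""
    return [rtb for rtb, t in route_tables.items() if (vpc_cidr, "local") not in t["routes"]]


def subnets_per_route_table(subnets, route_tables, associations):
    """One route table may serve many subnets; count how many use each."""
    return Counter(effective_route_table(s, route_tables, associations) for s in subnets)


if __name__ == "__main__":
    print(classify_subnets(SUBNETS, ROUTE_TABLES, ASSOCIATIONS))
    print(subnets_per_route_table(SUBNETS, ROUTE_TABLES, ASSOCIATIONS))
    print("tables missing local route:", missing_local_route(ROUTE_TABLES, VPC_CIDR))
```

The practical point of the fallback to the main table: if someone adds an internet gateway route to the main route table, every subnet without an explicit association silently becomes public, which is why the main table is best left without a default route.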
Security groups support allow rules only. True or false?
True. There are no deny rules; anything not explicitly allowed is dropped.
You launch a Dedicated EBS-backed EC2 instance. Does the EBS volume run on the single-tenant hardware with the EC2 instance?
No. Dedicated tenancy applies to the instance only; EBS volumes live on shared storage infrastructure.
Which RDS engine implements Multi-AZ with database mirroring (or Always On Availability Groups) rather than synchronous block-level replication?
Microsoft SQL Server.
IAM policy logic always starts with…
An implicit (default) deny. An explicit allow overrides it, and an explicit deny overrides any allow.
Are network ACLs stateless or stateful?
Stateless. (Security groups are the stateful ones.)
Can instances in a custom security group communicate with each other by default?
No. A custom security group starts with no inbound rules; add an inbound rule whose source is the security group itself to allow member-to-member traffic.
Can instances in the default security group communicate with each other by default?
Yes. The default security group has an inbound rule that allows all traffic from members of the same group.
Are EIPs region specific?
Yes. An Elastic IP is allocated in, and usable only within, one region.
Can EIPs be moved between VPCs in the same region?
Yes. Disassociate the EIP and associate it with an instance or ENI in the other VPC.
What does a VPC endpoint allow for?
A private connection between your VPC and supported AWS services (or PrivateLink services) that never leaves the AWS network, so no internet gateway or NAT gateway is needed.
Eg an EC2 instance in a private subnet reading from S3.
When AWS resources need to call other AWS services, always use …, never ….
IAM roles (short-lived credentials obtained from the instance metadata service)
Long-lived access keys stored on the instance.
Instances in a private subnet need to reach S3, but you do not want that traffic to leave the VPC through a NAT gateway. What do you use instead?
A VPC endpoint.
The two main types of VPC endpoint are
Gateway endpoint
Interface endpoint (AWS PrivateLink)
When to use a gateway endpoint?
For S3 and DynamoDB. It is a target in the route table, carries no hourly charge, and has no security group (restrict it with an endpoint policy).
When to use an interface endpoint?
For other services. It is an ENI with a private IP in your subnet, so it can be protected by a security group and reached over VPN or Direct Connect.
Want to secure your VPC? Use which two controls together?
Network ACLs
Security groups
If you add a rule to a network ACL, does it affect all instances in the associated subnet?
Yes, immediately, for every instance in every subnet associated with that NACL.
You detect a malicious set of IPs attacking your VPC. Where is it best to block the IP range?
The network ACL. It supports explicit deny rules (security groups do not), and one rule covers every instance in the subnet.
NAT instances. Who is responsible for security patching, scalability and health checks?
You are. A NAT instance is an ordinary EC2 instance (with source/destination checks disabled) that you administer.
What is a NAT gateway?
A managed NAT service that replaces self-managed NAT instances; AWS handles patching, scaling and redundancy within an AZ.
How to make NAT gateways HA?
Create one NAT gateway in each AZ and route each private subnet to the NAT gateway in its own AZ. A single NAT gateway is redundant within its AZ but not across AZs.
True or false. NAT gateways are a good choice where a NAT instance is a bottleneck?
True. A NAT gateway scales its bandwidth automatically, whereas a NAT instance is capped by its instance size.
Is Amazon Direct Connect encrypted by default?
No. It is a private, dedicated link, but the traffic on it is not encrypted.
How to encrypt data sent over Direct Connect?
Run an IPsec site-to-site VPN over the Direct Connect connection (MACsec is also available on some dedicated connections).
Is Direct Connect considered low latency?
Yes. It gives consistent, low-latency, high-bandwidth connectivity compared with a VPN over the public internet.
What does Direct Connect do?
It provides a dedicated private network connection from your on-premises data centre or colocation site into AWS, bypassing the public internet.
What is a flat network architecture in AWS?
A single account with a single VPC.
What is a segmented network architecture in AWS?
Multiple accounts, each with its own VPCs.
Is transitive routing supported in VPC peering?
No. If A peers with B and B peers with C, A cannot reach C through B; you need a direct peering or a transit gateway.
Does VPC peering work cross-region?
Yes (inter-region peering).
Site-to-site VPN connections require
A public IP address on the customer gateway device of the on-premises network
A virtual private gateway (or a transit gateway) attached to the VPC
Can a NAT instance be shared between VPCs?
No. It can serve multiple subnets in its own VPC, but not other VPCs (not even over peering).
You have a Direct Connect connection, but you need it to be highly available. How do you do this?
Order a second Direct Connect connection, ideally at a different Direct Connect location, or configure a site-to-site VPN as a failover path.