VPC Flashcards

1
Q

What is a Virtual Private Cloud (VPC)?

A

An isolated section of the AWS cloud where you can launch AWS resources in a user defined virtual network

2
Q

How many regions can a VPC span?

A

1

3
Q

How many AZs does a VPC span?

A

VPCs span all of the AZs in the Region

4
Q

How many VPC’s can you have per region?

A

5 per region (default quota; can be raised through AWS Support)

5
Q

How many subnets can a VPC contain?

A

200 per VPC (default quota)

More can be requested through AWS Support

6
Q

What is created in default VPCs?

A
A /16 IPv4 CIDR block (172.31.0.0/16)
A default public subnet per AZ, each a /20 block with auto-assign public IP enabled
An Internet Gateway, with a 0.0.0.0/0 route to it in the main route table
A default security group
A default NACL
A main (default) route table
A default DHCP options set
*CIDR: classless inter-domain routing
7
Q

What is a Default Everywhere IP?

A

0.0.0.0/0

The CIDR that matches every IPv4 address. As a route destination it is the default (catch-all) route; as a security group or NACL source it means "the whole internet", so inbound rules with this source deserve scrutiny

8
Q

In VPCs what is the Internet Gateway (IGW) component?

A

A horizontally scaled, redundant VPC component that allows communication between the VPC and the internet
Serves as the target in VPC route tables for internet-routable traffic
Performs one-to-one NAT between an instance's private IPv4 address and its public (or Elastic) IPv4 address
*NAT: network address translation

9
Q

In VPCs what is the Routing Tables component?

A

A VPC component used to determine where network traffic is directed

10
Q

What is the relationship between route tables and subnets?

A

Each subnet in your VPC must be associated with a route table
A subnet can be associated with only one route table at a time
A route table can be associated with multiple subnets
A subnet not explicitly associated with a route table uses the VPC's main route table

11
Q

What is a Bastion / Jumpbox?

A

A hardened EC2 instance that is the only host accepting SSH/RDP from the internet, and the only source allowed to SSH/RDP into the other instances in the VPC (their security groups reference the bastion's security group or IP)
Bastions/jumpboxes must be located in a public subnet; restrict their inbound security group rule to known administrator IPs rather than 0.0.0.0/0

12
Q

Bastion vs NAT

A

NAT gives private subnets outbound internet access and denies inbound connections initiated from the internet
Bastions provide controlled inbound (administrative) access to private subnets

13
Q

What is a Subnet?

A

A logical subdivision of an IP network; in AWS, a range of IP addresses within your VPC that lives in a single AZ

Subnets can be public or private: a subnet is public when its route table has a route to an Internet Gateway, and private when it does not

14
Q

What is AWS Direct Connect?

A

An AWS service for establishing dedicated network connections from on-premises locations to AWS
Offers high bandwidth and consistent latency compared with internet-based VPNs
Low-end (hosted) connections: bandwidth from 50 Mbps to 500 Mbps
High-end (dedicated) connections: 1 Gbps or 10 Gbps
Traffic over Direct Connect is not encrypted by default; run a VPN over it where confidentiality is required

15
Q

What is a NAT?

A

Network Address Translation
A method of re-mapping one IP address space into another
Use cases:
allowing private instances internet access
resolving network address conflicts

16
Q

NAT instance vs NAT Gateway?

A

Both:
Provide NAT for instances in private subnets
Are placed in a public subnet (one with a route to the IGW) and need a public IPv4 address (an Elastic IP for a NAT gateway)
NAT instance (legacy)
A community-maintained EC2 AMI running NAT
An EC2 instance sized, patched and controlled by the user
Must have source/destination checking disabled, and is a single point of failure unless you script failover
NAT Gateway
A managed service: AWS operates the underlying capacity, there is no instance for you to log in to or patch
Redundant within the AZ it is launched in; create one per AZ so that an AZ failure does not cut off the other AZs
Cannot associate a security group with a NAT gateway (control access with NACLs and with the security groups of the instances behind it)

17
Q

How do you securely connect two private subnets in different (peered) VPCs?

A

Create a VPC peering connection between the two VPCs and accept it; then, in each private subnet's route table, add a route for the other VPC's CIDR with the peering connection (pcx-…) as the target, and allow the traffic in the security groups and NACLs on both sides. The traffic stays on the AWS network using private IPs. A NAT gateway is not part of this design: it only provides outbound internet access and cannot route traffic between VPCs.

18
Q

What is the VPC Peering feature?

A

It allows you to connect one VPC to another over a direct network route using private IP addresses
Instances in peered VPCs communicate as though they were on the same network (the traffic never traverses the public internet)
Works across AWS accounts and across regions (inter-region peering)

19
Q

What are some limitations on the VPC Peering feature?

A

Each connection must be explicitly created (and accepted by the other side)
There is no transitive peering: A-B and B-C do not give A-C; every pair needs its own direct connection
Cannot peer VPCs with overlapping CIDR blocks
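
The CIDR rules above (a /16 default VPC carved into /20 subnets, AWS's five reserved addresses per subnet, and the no-overlap requirement for peering) are easy to get wrong by hand. The following is an added example, not code from the original flashcards or from AWS; it uses only Python's standard ipaddress module, and the VPC names and CIDRs in the inventory are constructed for illustration.

```python
import ipaddress

# AWS allows an IPv4 VPC CIDR between /16 (65,536 addresses) and /28 (16 addresses).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28
# AWS reserves five addresses in every subnet: network, VPC router, DNS,
# one held for future use, and broadcast.
RESERVED_PER_SUBNET = 5


def valid_vpc_cidr(cidr: str) -> bool:
    """True if the block is a well-formed IPv4 CIDR within AWS's allowed prefix range."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError:
        return False
    return net.version == 4 and VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def carve_subnets(vpc_cidr: str, new_prefix: int) -> list[str]:
    """Split a VPC block into equal-sized subnets (e.g. a /16 into sixteen /20s)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually assign to instances after AWS's reservations."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def peering_conflicts(new_vpc_cidr: str, peer_cidrs: dict[str, str]) -> list[str]:
    """Names of existing VPCs whose CIDR overlaps the new block.

    Peering is refused for overlapping blocks, and because peering is not
    transitive every pair has to be checked on its own.
    """
    new = ipaddress.ip_network(new_vpc_cidr)
    return sorted(name for name, cidr in peer_cidrs.items()
                  if new.overlaps(ipaddress.ip_network(cidr)))


if __name__ == "__main__":
    # Constructed example: the default VPC block carved the way AWS does it.
    subnets = carve_subnets("172.31.0.0/16", 20)
    print(len(subnets), "subnets, first:", subnets[0], "usable hosts:", usable_hosts(subnets[0]))
    # Constructed peer inventory: 10.1.128.0/17 collides with "prod".
    peers = {"shared-services": "10.0.0.0/16", "prod": "10.1.0.0/16", "legacy": "192.168.0.0/16"}
    print("conflicts for 10.1.128.0/17:", peering_conflicts("10.1.128.0/17", peers))
```

Run peering_conflicts against every VPC you might ever need to peer with before you allocate a block; renumbering a VPC later means rebuilding it.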

20
Q

In VPCs what is a VPC Endpoint component?

A

A private network connection from your VPC to another AWS service
Endpoints are supported within the same region only
Benefits:
Instances in the VPC don't require public IP addresses (or an IGW/NAT) to reach the service
Traffic between your VPC and the service does not leave the AWS network
An endpoint policy can further restrict which principals and resources are reachable through the endpoint

21
Q

What are the two types of VPC Endpoints?

A

Interface Endpoints
Use Elastic Network Interfaces (ENIs) with a private IP address in your subnets
Powered by AWS PrivateLink
Charged per hour and per GB processed
Gateway Endpoints
Free
Add a prefix-list route for the service to your route table
Only available for S3 and DynamoDB

22
Q

What is the VPC Flow Logs feature?

A

Capture metadata about the IP traffic going to and from network interfaces in your VPC (not packet contents)
Records contain source and destination IP addresses (not hostnames), ports, protocol, byte and packet counts, and whether the traffic was ACCEPTed or REJECTed by the security groups/NACLs
They can be sent to S3 or CloudWatch Logs
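
Because flow log records carry addresses, ports and the ACCEPT/REJECT verdict, they are the first place to look for reconnaissance and for administrative access that bypasses the bastion. The following parser and two detections are an added example, not code from the original flashcards or from AWS. It handles the default record format (version 2) and skips NODATA/SKIPDATA rows whose traffic fields are "-". The log lines, the bastion address 10.0.0.10 and the account and interface IDs are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Default flow log record format (version 2): 14 space-separated fields.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA number: 6 = TCP, 17 = UDP
    action: str        # ACCEPT or REJECT, as decided by security groups + NACLs


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format records; NODATA/SKIPDATA rows have '-' traffic fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank line, or a custom format this parser does not know
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue  # nothing to interpret
        records.append(FlowRecord(
            interface_id=row["interface_id"],
            srcaddr=row["srcaddr"], dstaddr=row["dstaddr"],
            srcport=int(row["srcport"]), dstport=int(row["dstport"]),
            protocol=int(row["protocol"]), action=row["action"]))
    return records


def find_port_scanners(records, min_ports: int = 5) -> dict[str, list[int]]:
    """Sources whose REJECTed TCP traffic touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT" and r.protocol == 6:
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def find_unexpected_admin_access(records, allowed_sources, admin_ports=(22, 3389)):
    """ACCEPTed SSH/RDP flows whose source is outside the allowed CIDRs (e.g. not the bastion)."""
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    hits = []
    for r in records:
        if r.action == "ACCEPT" and r.dstport in admin_ports:
            src = ipaddress.ip_address(r.srcaddr)
            if not any(src in net for net in allowed):
                hits.append((r.srcaddr, r.dstaddr, r.dstport))
    return hits


# Constructed sample records (not real traffic): one scanner hitting five ports,
# the bastion reaching an instance on 22, an unknown internet host also reaching 22,
# and a NODATA row that must be skipped.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40001 21 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40002 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40003 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40004 25 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 40005 80 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.0.10 10.0.1.20 51234 22 6 20 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.20 51235 22 6 20 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000120 - NODATA
"""

BASTION_CIDRS = ["10.0.0.10/32"]  # assumed bastion address for the example

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("scanners:", find_port_scanners(recs))
    print("unexpected admin access:", find_unexpected_admin_access(recs, BASTION_CIDRS))
```

The second detection is the one to wire into alerting: an ACCEPTed SSH session from anywhere but the bastion means a security group is wider than the design on these cards allows.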

23
Q

At what infrastructure levels can you turn on VPC Flow Logs?

A

VPC
Subnet
Network interface (ENI)
*Each level captures traffic for every interface below it: a VPC-level flow log covers all subnets and all ENIs in the VPC

24
Q

What are some limitations on VPC Flow Logs?

A

Could not be tagged like other AWS resources (an older limitation; flow logs can now be tagged)
Cannot change the configuration once it is created (delete and recreate instead)
Cannot enable flow logs for VPCs peered with your VPC unless they are in the same account
Some instance traffic is not captured: traffic to the Amazon DNS resolver, the instance metadata service (169.254.169.254), DHCP, Windows license activation, and the default VPC router

25
Q

What is a NACL?

A

Network Access Control List

An optional layer of security for your VPC that acts as a stateless firewall controlling traffic in and out of subnets; because it is stateless, return traffic must be explicitly allowed (typically the ephemeral port range 1024-65535)

26
Q

What level of access do default NACLs allow?

A

All inbound and all outbound traffic (a custom NACL you create starts with deny-all in both directions)

27
Q

How many NACLs can a subnet be associated with?

A

Every subnet must be associated with exactly one NACL
A subnet cannot be associated with more than one NACL (but one NACL can cover many subnets)
If not explicitly associated, a subnet is automatically associated with the VPC's default NACL

28
Q

NACL vs Security group

A

Security group: a virtual firewall for your instance (attached to its ENI), assigned at launch
NACL: an optional layer for the VPC that acts as a firewall for one or more subnets
Both
have inbound and outbound rules
NACL
stateless: rules are evaluated in number order, a rule can either Allow or Deny traffic, and return traffic needs its own rule
Security Group
stateful: rules can only Allow traffic (anything not allowed is implicitly denied), all rules are evaluated together, and replies to allowed traffic are permitted automatically

29
Q

Precedence between a NAT gateway and a VPC endpoint

A

VPC endpoints take precedence over a NAT gateway or Internet Gateway. A gateway endpoint adds a route for the service's prefix list, which is more specific than 0.0.0.0/0, so longest-prefix matching sends the service traffic to the endpoint; an interface endpoint's private DNS resolves the service name to the endpoint's private IP, so that traffic never needs the default route at all.
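
Route selection in a VPC is longest-prefix match, which is the whole reason the endpoint wins over the NAT gateway's 0.0.0.0/0 route. The following is an added example, not code from the original flashcards or from AWS: a small route-table evaluator that resolves a gateway endpoint's prefix list (here a constructed list, not the real S3 ranges) and picks the most specific route for a destination. The route table entries, target IDs and addresses are constructed for the example; it also covers the "local" route, a peering route and the public/private subnet distinction from the earlier cards.

```python
import ipaddress

# A gateway endpoint's route destination is a managed prefix list (pl-...) rather than a
# CIDR; we resolve it via PREFIX_LISTS. The ranges below are constructed for the example.
PREFIX_LISTS = {"pl-s3-example": ["198.51.100.0/24", "203.0.113.0/25"]}

# Route table entries: (destination, target). Order does not matter to the evaluator.
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),          # the VPC itself
    ("10.1.0.0/16", "pcx-0peer"),      # peered VPC
    ("pl-s3-example", "vpce-0gw-s3"),  # gateway endpoint for S3
    ("0.0.0.0/0", "nat-0abc"),         # everything else via the NAT gateway
]
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-0xyz"),         # default route to the Internet Gateway
]


def expand(routes, prefix_lists=PREFIX_LISTS):
    """Turn every destination into concrete ip_network objects (prefix lists become several)."""
    out = []
    for dest, target in routes:
        cidrs = prefix_lists[dest] if dest.startswith("pl-") else [dest]
        out.extend((ipaddress.ip_network(c), target) for c in cidrs)
    return out


def route_target(dest_ip: str, routes, prefix_lists=PREFIX_LISTS):
    """Longest-prefix match: the most specific matching route wins, not the first one listed."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for net, target in expand(routes, prefix_lists):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None   # None: no matching route, the packet is dropped


def is_public_subnet(routes) -> bool:
    """A subnet is public exactly when its route table sends traffic to an Internet Gateway."""
    return any(target.startswith("igw-") for _, target in routes)


if __name__ == "__main__":
    for ip in ("10.0.1.5", "10.1.2.3", "198.51.100.10", "192.0.2.1"):
        print(ip, "->", route_target(ip, PRIVATE_RT))
    print("private subnet is public?", is_public_subnet(PRIVATE_RT))
    print("public subnet is public?", is_public_subnet(PUBLIC_RT))
```

Note what is_public_subnet implies for a review: adding a single 0.0.0.0/0 route to an igw- target silently turns a "private" subnet public, regardless of what the subnet is named.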

30
Q

Private vs Public vs Elastic IP

A

Public: a public IPv4 address through which the machine can be reached from the internet
When you stop and start an EC2 instance the private IP remains the same, but the auto-assigned public IP is released and replaced with a new one
Private: an address reachable only inside the VPC (and networks connected to it)
Elastic: a static public IPv4 address allocated to your account that stays yours until you release it
Using Elastic IPs usually reflects poorly on the architect, as there are better ways to design access (a load balancer or DNS name in front of the instances)

31
Q

What is the max number of Elastic IPs you can have per account?

A

5 per region per account (default quota)

More can be requested through AWS Support

32
Q

How are NACL rules evaluated?

A

Rules are evaluated in ascending rule-number order
Evaluation stops at the first rule that matches the traffic
That rule's Allow or Deny is applied regardless of any higher-numbered rule that contradicts it; if nothing matches, the final * rule denies the traffic
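
The ordering rule above, together with the stateless nature of NACLs and the stateful, allow-only nature of security groups from the earlier cards, is what most often produces "the rule is there but the traffic is still blocked" incidents. The following is an added example, not code from the original flashcards or from AWS: a small evaluator for both rule models, with constructed rule sets that show a low-numbered deny beating a later allow, the same deny losing when renumbered above the allow, and a web session failing through a NACL that never allowed the ephemeral return ports.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; ignored for security groups
    protocol: str      # "tcp", "udp" or "all"
    cidr: str
    port_from: int
    port_to: int
    action: str        # "allow" or "deny" (security groups only ever "allow")

    def matches(self, ip: str, port: int, protocol: str) -> bool:
        return (self.protocol in ("all", protocol)
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def evaluate_nacl(rules, ip, port, protocol="tcp") -> str:
    """NACL semantics: lowest rule number first, stop at the first match, the '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, port, protocol):
            return rule.action
    return "deny"


def evaluate_sg(rules, ip, port, protocol="tcp") -> str:
    """Security group semantics: any matching rule allows; there is no ordering and no deny."""
    return "allow" if any(r.matches(ip, port, protocol) for r in rules) else "deny"


def nacl_permits_session(inbound, outbound, client_ip, client_port, server_port) -> bool:
    """Stateless: the request is judged by the inbound rules and the reply, separately, by the outbound rules."""
    return (evaluate_nacl(inbound, client_ip, server_port) == "allow"
            and evaluate_nacl(outbound, client_ip, client_port) == "allow")


def sg_permits_session(inbound, client_ip, server_port) -> bool:
    """Stateful: once the request is allowed, the reply is tracked and allowed automatically."""
    return evaluate_sg(inbound, client_ip, server_port) == "allow"


# Constructed rule sets for the example.
NACL_IN = [
    Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),
    Rule(90, "tcp", "203.0.113.0/24", 80, 80, "deny"),   # lower number: consulted before 100
    Rule(200, "tcp", "10.0.0.0/8", 22, 22, "allow"),
]
NACL_OUT_NO_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow")]
NACL_OUT = NACL_OUT_NO_EPHEMERAL + [Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
SG_IN = [Rule(0, "tcp", "0.0.0.0/0", 80, 80, "allow")]

if __name__ == "__main__":
    print("203.0.113.5 -> :80", evaluate_nacl(NACL_IN, "203.0.113.5", 80))    # deny (rule 90 wins)
    print("198.51.100.9 -> :80", evaluate_nacl(NACL_IN, "198.51.100.9", 80))  # allow (rule 100)
    print("web session, NACL without ephemeral allow:",
          nacl_permits_session(NACL_IN, NACL_OUT_NO_EPHEMERAL, "198.51.100.9", 51000, 80))
    print("web session, NACL with ephemeral allow:",
          nacl_permits_session(NACL_IN, NACL_OUT, "198.51.100.9", 51000, 80))
    print("web session, security group:", sg_permits_session(SG_IN, "198.51.100.9", 80))
```

When you need a deny for a specific source, give it a lower number than the broad allow; and whenever you tighten an outbound NACL, keep the ephemeral-range allow, or every inbound session will time out even though the inbound rule permits it.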

33
Q

How many target tracking scaling policies can an ASG have?

A

Multiple as long as each of them targets a different metric

34
Q

When using ASG, when do instances count during the warm-up phase?

A

Instances do not count towards any metrics while the instance warm-up is in progress

35
Q

Virtual private gateway vs Customer gateway

A

The two sides of a site-to-site VPN connection
Virtual private gateway: the VPN endpoint on the AWS (VPC) side
Customer gateway: the AWS resource representing your on-premises VPN device, which is either a physical appliance or a software VPN endpoint on the outside network

36
Q

What is DHCP?

A

Dynamic Host Configuration Protocol
When a new machine is attached to a network it broadcasts a request (DHCPDISCOVER) for an in-network IP address
A DHCP server hears it and offers an unassigned IP (DHCPOFFER)
The new machine asks for that address (DHCPREQUEST), the server acknowledges (DHCPACK) and records the lease
In a VPC, the DHCP options set controls the DNS servers, domain name and NTP servers handed out to instances

37
Q

What is an EIP?

A

Elastic IP address
A static public IPv4 address allocated to your account until you release it
Historically: free while attached to a running EC2 instance, an hourly charge ($0.01/hr per this card) while held in reserve, and a charge for remaps beyond 100 per month
Since February 2024 AWS charges an hourly rate for every public IPv4 address in use, attached or not

38
Q

common ports to know

A

22 SSH
3389 RDP
3306 MySQL
443 HTTPS
80 HTTP

39
Q

What is ClassicLink?

A

A feature that let an EC2-Classic instance (one launched outside any VPC) communicate with instances in a VPC over private IPs. EC2-Classic and ClassicLink were retired in 2022, so accounts are now VPC-only.