VPC Flashcards
Vpcs consist of
Subnets
Route tables
Internet gateways
Virtual private gateways
Network access control lists
Security groups
How many availability zones can one subnet be assigned to?
One
Security groups are... whereas network access control lists are...
Stateful
Stateless
Vpc peering does not permit...
Transitive peering
By default, when you create a new vpc, which of the following components get created?
Default security group
Default NACL
Default route table
How many subnets can you assign to one network access control list?
As many as you need to.
When creating any CIDR range in aws, how many IP addresses does aws reserve, and what are their purposes?
Five
Network broadcast address
DNS server address
The router address
The network address
One reserved for future usage
How many internet gateways can you assign to a vpc?
Only one.
What is the core difference between a Nat gateway and a Nat instance?
The Nat gateway is a highly available service provided by Amazon, whereas the Nat instance is an ec2 instance you need to maintain yourself.
What is the reason we use Nat instances/gateways?
To enable routing of public traffic into a private subnet without exposing it to the outside world.
Where must a Nat instance be deployed in a vpc architecture to work?
A public subnet associated with the vpc to which the private subnet also belongs.
Because Nat instances are essentially ec2 instances, do they sit in front of or behind security groups?
Behind them.
What are the two benefits a Nat gateway offers over a Nat instance?
High throughput and no maintenance or patching required unlike an ec2 instance.
Are Nat gateways associated with security groups?
No
True or false: Nat gateways are always assigned a public IP address?
True
Nat gateways are single-AZ only; if you wanted to create a fault-tolerant solution, you should?
Deploy Nat gateways in other AZs for protection.
Why might you not choose a Nat instance?
They struggle with high throughput and are a single point of failure in a vpc architecture.
Once you have set up your Nat instance/gateway, what must you do next in order for your private subnet to be able to contact the outside world?
Add a record to the route table to which the private subnet belongs and allow traffic from the Nat instance/gateway.
When creating your Nat instance, what do you need to be mindful of when creating it?
You must ensure that source and destination checks are disabled.
By default, the default network access control list allows...
All inbound and outbound traffic.
When creating a custom network access control list, all traffic...
Inbound and outbound is denied.
Which gets triggered first, the network access control list or the security group?
The network access control list
When creating a subnet within your vpc, if you do not select a network access control list, the one assigned by default is?
The default network access control list for that vpc.
Which of the following services can block an IP address: network access control lists or security groups?
Network access control lists.
You can associate multiple subnets to an NACL, but you cannot...
Associate multiple NACLs to a subnet.
NACLs contain a numbered list of rules; they are evaluated in...
Order of lowest to highest.
Vpc flow logs allow you to...
Capture IP address traffic going to and from network interfaces in your vpc.
Vpc flow logs can be stored in two locations; these are...
Cloudwatch or s3
Vpc flow logs can be done at 3 different levels; these are...
Vpc level
Subnet level
Network interface level
What are the three types of traffic vpc flow logs can capture?
All
Accepted
Rejected
Before you set up a vpc flow log for cloudwatch, you must already have...
An existing log group created.
Vpc flow logs can be used for peered vpcs, but only if?
They belong to the same account.
Bastion servers provide what role?
They route ssh or rds traffic into your private subnets from the public domain securely, allowing you to administer your private instances.
What is direct connect?
It is a service that allows you to set up a secure and dedicated connection from on premises to aws.
Where might you use direct connect over other forms of connections to your vpc?
When you require a stable and reliable and secure connection.
Where high throughput is being throttled by connection dropouts.
What is global accelerator?
It is a service in which you create accelerators to improve availability and performance of your applications for local and global users.
How is traffic controlled in global accelerator?
Using traffic dials, which are configured within endpoint groups.
How many static IPs are you given when setting up global accelerator, and if you don't want those you can...
Two
Bring your own ip addresses.
What are the SEVEN key steps to creating a direct connect connection?
1. Create a virtual interface in the direct connect console (this is a public virtual interface).
2. Go to the vpc console and then to vpn connections and create a customer gateway.
3. Create the virtual private gateway.
4. Attach the virtual private gateway to the desired vpc.
5. Select vpn connections and create a new vpn connection.
6. Select the virtual private gateway and the customer gateway.
7. Once the vpn is available, set up the vpn on the customer gateway or firewall.
Vpc endpoints, what are they?
They allow you to privately connect your vpc to aws services using 'private link' without requiring an internet gateway, a Nat device, a vpn connection or a direct connect connection.
Once they are established the traffic between your vpc and the aws service does not leave the Amazon network.
What are the two types of vpc endpoints?
Interface endpoints and gateway endpoints.
Aws private link allows you to...
Expose a service vpc to tens, hundreds or thousands of customer vpcs.
What are the two components which enable aws private link between the service vpc and a customer vpc?
A network load balancer on the service vpc.
An elastic network interface (eni) on the customer vpc.
What is an aws transit gateway, what problems does it solve, and what network topology does it provide?
Transitive peering between thousands of vpcs and on premises data centres.
It is the only aws service that supports IP multicast.
Simplifies complex network topology.
Works in a hub and spoke topology.