VPC

Question 1

Vpc’s consist of

Answer 1

Subnets 
Route tables
Internet gateways
Virtual private gateways
Network access control lists
Security groups

Question 2

How many availability zones can one subnet be assigned to?

Answer 2

One

Question 3

Security groups are……….whereas network access control list are……

Answer 3

Stateful

Stateless

Question 4

Vpc peering does not permit……….

Answer 4

Transitive peering

Question 5

By default when you create a new vpc, what are the following components that get created?

Answer 5

Default security group
Default NACL
Default route table

Question 6

How many subnets can you assign to one network access control list.

Answer 6

As many as you need to.

Question 7

When creating any cider range in aws, how many is addresses does aws reserve, and what are their purposes?

Answer 7

Five 
Network broadcast address
DNS server address
The router address
The network address
One reserved for future usage.

Question 8

How many internet gateways can you assign to a vpc?

Answer 8

Only one.

Question 9

What is the core difference between a Nat gateway and a Nat instance?

Answer 9

The Nat gateway is highly available service provided by Amazon whereas the Nat instance is an ec2 instance you need to maintain yourself.

Question 10

What is the reason we use Nat instances/gateways?

Answer 10

To enable route of public traffic into a private subnet without exposing it to the outside world.

Question 11

Where must a Nat instance be deployed in a vpc architecture to work?

Answer 11

The a public subnet associated with the vpc to which the private subnet also belongs.

Question 12

Because Nat instances are essentially an ec2 instance do they sit in front or behind security groups?

Answer 12

Behind them.

Question 13

What are the two benefits a Nat gateway offers over a Nat instance?

Answer 13

High throughput and no maintenance or patching required unlike an ec2 instance.

Question 14

Are Nat gateways associated with security groups?

Answer 14

No

Question 15

True or false, Nat gateways are always assigned a public in address?

Answer 15

True

Question 16

Nat gateways are only single AZ, if you wanted to create a fault tolerant solution you should?

Answer 16

Deploy Nat gateways in other AZs for protection.

Question 17

Why might you not choose a Nat instance?

Answer 17

They struggle with high throughput and are a single point of failure in a vpc architecture.

Question 18

Once you have set up your Nat instance/gateway, what must you do next in order for your private subnet to be able to contact the outside world?

Answer 18

Add a record to the route table to which the private subnet belongs and allow traffic from the Nat instance/gateway.

Question 19

When creating your Nat instance, what do you need to be mindful of when creating it?

Answer 19

You must ensure that source and destination checks are disabled.

Question 20

By default the default network access control list allows….

Answer 20

All inbound and outbound traffic.

Question 21

When creating a custom network access control list all traffic…

Answer 21

Inbound and outbound is denied.

Question 22

Which gets triggered first, the network access control list or the security group?

Answer 22

The network access control list

Question 23

When creating a subnet within your vpc, if you do not select a network access control list by default the one assigned is?

Answer 23

The default network access control list for that vpc.

Question 24

Which of the following services can ban an IP address; network access control lists or security groups?

Answer 24

Network access control lists.

Question 25

You can associate multiple subnets to an NACL but you cannot...

Answer 25

Associate multiple NACLs to a subnet.

Question 26

NACLs contain a numbered list of rules, they are executed in..

Answer 26

Order of smallest to highest.

Question 27

Vpc flow logs allow you to..

Answer 27

Capture up address traffic going to and from network interfaces in your vpc.

Question 28

Vpc flow logs can be stored in two locations these are..

Answer 28

Cloudwatch or s3

Question 29

Vpc flow logs can be done at 3 different levels, these are..

Answer 29

Vpc level Subnet level Network interface level

Question 30

What are the three type of traffic vpc flow logs can capture?

Answer 30

All Accepted Rejected

Question 31

Before you set up a vpc flow log for cloudwatch, you must already have..

Answer 31

An existing log group created.

Question 32

Vpc flow logs can be used for peered vpcs but only if?

Answer 32

They belong to the same account.

Question 33

Bastions servers provide what role?

Answer 33

They route ssh or rds traffic into your private subnets from the public domain securely allowing you to administrate your private instances.

Question 34

What is direct connect?

Answer 34

It is a service that allows you to setup a secure and dedicated connection from on premises to aws.

Question 35

Where might you use direct connect over other forms of connections to your vpc?

Answer 35

When you require a stable and reliable and secure connection. Where high throughput is being throttled by connection dropouts.

Question 36

What is global accelerator?

Answer 36

It is a service in which you create accelerators to improve availability and performance of your applications for local and global users.

Question 37

How is traffic controlled in global accelerator?

Answer 37

Using traffic dials and is configured within endpoint groups.

Question 38

How many static IPs are you given when setting up global accelerator and if you don’t want those you can....

Answer 38

Two | Bring your own ip addresses.

Question 39

What are the SEVEN key steps to creating a direct connect connection?

Answer 39

1 create a virtual interface in the direct connect console (this is a public virtual interface). 2 go to the vpc console and then to vpn connections and create a customer gateway. 3 create the virtual private gateway. 4 attach the virtual private gateway to the desired vpc. 5 select vpn connections and create a new vpn connection. 6 select the virtual private gateway and the customer gateway. 7 once the vpn is available, setup the vpn on the customer gateway or firewall.

Question 40

Vpc endpoints, what are they?

Answer 40

They allow you to privately connect your vpc to aws services using ‘private link’ without requiring a internet gateway, a Nat device, a vpn connection or a direct connect connection. Once they are established the traffic between your vpc and the aws service does not leave the Amazon network.

Question 41

What are the two types of vpc endpoints?

Answer 41

Interface endpoints and gateway endpoints.

Question 42

Aws private link allows you to..

Answer 42

Expose a service vpc to tens, hundreds or thousands of customer vpcs.

Question 43

What are the two components which enable aws private link between the service vpc and a customer vpc?

Answer 43

A network load balancer on the service vpc. | A elastic network interface (eni) on the customer vpc.

Question 44

Wha is an aws transit gateway and what problems does it solve, and what is the network topology it provides?

Answer 44

Transitive peering between thousands of vpcs and on premises data centres. Is the only aws service that supports IP multicast. Simplify complex network topology. Works in a hub and spoke topology.