VPC Flashcards

1
Q

What is an EIP?

A

An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. By using an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. An Elastic IP address is allocated to your AWS account, and is yours until you release it.

An Elastic IP address is a public IPv4 address, which is reachable from the internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet. For example, this allows you to connect to your instance from your local computer.

2
Q

What is a VPC endpoint (vpce)?

A

A VPC endpoint gives resources in your VPC a private path to a supported service without an internet gateway, NAT device, VPN or Direct Connect; the traffic never leaves the Amazon network. The service is either an AWS service such as S3 or DynamoDB, or an endpoint service you (or another account) publish through AWS PrivateLink. Two kinds exist: gateway endpoints (S3 and DynamoDB only, a target in the route table) and interface endpoints (an ENI with a private IP in your subnet). An endpoint policy can restrict which principals and resources are reachable through the endpoint.

3
Q

What is an Internet Gateway (igw)?

A

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform one-to-one network address translation (NAT) between an instance's private IPv4 address and its public IPv4 address. For an instance to actually use it, three things must line up: the instance has a public IPv4 address or an EIP, its subnet's route table has a route (typically 0.0.0.0/0) to the IGW, and the security group and NACL allow the traffic.

4
Q

What is a NAT gateway?

A

You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances.
It allows resources in a private subnet to reach the internet (think yum updates, external database connections, wget calls, OS patching, etc.). It only works one way: hosts on the internet cannot initiate connections through a NAT gateway to your private resources, and there is no rule you can add to the gateway to permit that. Anything that must be reachable from outside belongs behind a load balancer or in a public subnet instead.
- Security groups cannot be associated with a NAT gateway; control its traffic with the NACL on its subnet and the security groups of the instances behind it
- A NAT gateway lives in a single AZ, so deploy one in each AZ you use and point each private subnet at the NAT gateway in its own AZ; otherwise an AZ outage also takes down egress for the other AZs

5
Q

How many IGWs per VPC?

A

Only one internet gateway can be attached to a VPC at a time (an egress-only internet gateway, for outbound-only IPv6, is a separate resource).

6
Q

How many NAT gateways in a Region?

A

There is no fixed number. Deploy one NAT gateway in each Availability Zone that has private subnets, and route each private subnet to the NAT gateway in its own AZ, so that losing one AZ does not cut off egress for the others.

7
Q

Relationship between a VPC/IGW/NAT/SUBNET?

A

An IGW is attached per VPC and allows internet traffic to and from the VPC.
A NATGW is deployed in a public subnet inside the VPC and is given an Elastic IP
Private subnets route their internet-bound traffic (0.0.0.0/0) to the NATGW; public subnets normally route straight to the IGW
The NATGW forwards traffic to the internet via the IGW attached to the VPC, using its EIP as the source address
NATGWs are AZ resilient - HA inside an AZ (but if the whole AZ fails then it fails too, so use one per AZ)

8
Q

What is a Route table?

A

A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.

  • Your VPC has an implicit router; when several routes cover a destination, the most specific one (longest prefix) wins
  • Every route table contains a local route for the VPC's CIDR that cannot be deleted
  • Each subnet in your VPC must be associated with a route table
  • You can explicitly associate a subnet with a particular route table, otherwise, the subnet is implicitly associated with the main route table.
  • A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
  • A subnet is "public" only because its route table has a route to an internet gateway; a subnet whose default route points at a NAT gateway is private.
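The route lookup described above, as an added example that is not part of the original flashcards. It models the VPC router's longest-prefix match over a private and a public subnet route table; the route tables and the target IDs (nat-, pcx-, vgw-, igw-) are constructed for illustration.

```python
"""Added example: how the VPC router chooses a route (not from the flashcards).

The router matches a packet's destination against every route in the
subnet's route table and picks the most specific one (longest prefix).
The route tables and target IDs below are constructed for illustration.
"""
import ipaddress

# A private subnet's route table. The "local" route for the VPC CIDR is
# added by AWS to every route table and cannot be deleted.
PRIVATE_ROUTES = [
    ("10.0.0.0/16", "local"),             # intra-VPC traffic
    ("0.0.0.0/0", "nat-0a1b2c3d"),        # everything else via a NAT gateway (hypothetical ID)
    ("10.1.0.0/16", "pcx-0f9e8d7c"),      # a peered VPC (hypothetical ID)
    ("192.168.10.0/24", "vgw-01234567"),  # on-premises via VPN (hypothetical ID)
]

# A public subnet's route table: the default route points at the internet gateway.
PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-0abcdef1"),        # hypothetical ID
]


def lookup(routes, dst_ip):
    """Return the target for dst_ip using longest-prefix match.

    Returns None when no route covers the destination; the router then
    drops the packet (the same effect as a blackhole route).
    """
    dst = ipaddress.ip_address(dst_ip)
    best_target, best_len = None, -1
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target


def is_public_subnet(routes):
    """AWS's definition: a subnet is public if its route table sends traffic
    to an internet gateway. A public IP on an instance alone is not enough."""
    return any(target.startswith("igw-") for _cidr, target in routes)


if __name__ == "__main__":
    for ip in ("10.0.3.4", "10.1.2.3", "192.168.10.7", "8.8.8.8"):
        print(f"{ip:>14} -> {lookup(PRIVATE_ROUTES, ip)}")
    print("private subnet public?", is_public_subnet(PRIVATE_ROUTES))
    print("public subnet public?", is_public_subnet(PUBLIC_ROUTES))
```

Note that 10.1.2.3 is covered by both 0.0.0.0/0 and 10.1.0.0/16; the /16 peering route wins, which is why a default route to a NAT gateway never hijacks peered or VPN traffic, and why a missing route for a peer silently sends that traffic out through NAT instead.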
9
Q

Difference between IGW and NATGW?

A
  • IGW allows traffic to be initiated from the internet into your VPC and vice-versa (provided the instance has a public IP and the SG/NACL allow it)
  • NATGW allows traffic to be initiated only one way - from the private subnet out to the internet - never the other way round
10
Q

What CIDR notation should you choose when creating a VPC?

A
  • A large enough address range to support the needed subnets, with room to grow; you can add secondary CIDR blocks later but cannot resize an existing one
  • Any block size from /16 (65,536 addresses) to /28 (16 addresses) can be chosen, normally from the RFC 1918 private ranges
  • Avoid overlap with networks you may later peer or VPN with: VPC peering requires non-overlapping CIDRs
    source: LinkedIn Learning
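The sizing rules above, as an added example that is not part of the original flashcards. It validates a block against the /16 to /28 limit, carves a VPC into equal subnets, and accounts for the five addresses AWS reserves in every subnet (network address, VPC router at +1, DNS resolver at +2, +3 for future use, and the broadcast address at the end), which is why a /28 holds only 11 instances. The CIDRs used are constructed.

```python
"""Added example (not from the flashcards): sizing a VPC CIDR and its subnets.

AWS rules assumed here: a VPC or subnet block must be between /16 and /28,
and AWS reserves five addresses in every subnet. The CIDRs below are
constructed examples.
"""
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def validate_cidr(cidr):
    """Return the network if cidr is a legal VPC/subnet block, else raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. 10.0.0.1/16
    if net.version != 4:
        raise ValueError("this helper covers IPv4 blocks only")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"{cidr}: prefix must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    return net


def reserved_addresses(subnet_cidr):
    """The five addresses in this subnet that cannot be assigned to an instance."""
    net = validate_cidr(subnet_cidr)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns_resolver": str(net[2]),
        "future_use": str(net[3]),
        "broadcast": str(net[-1]),
    }


def usable_hosts(subnet_cidr):
    """Addresses actually available for instances in the subnet."""
    return validate_cidr(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def vpc_dns_resolver(vpc_cidr):
    """Amazon-provided resolver address: VPC base address + 2."""
    return str(validate_cidr(vpc_cidr)[2])


def carve_subnets(vpc_cidr, new_prefix):
    """Split a VPC block into equal subnets of the given prefix length."""
    vpc = validate_cidr(vpc_cidr)
    if not vpc.prefixlen < new_prefix <= VPC_MAX_PREFIX:
        raise ValueError("subnet prefix must be longer than the VPC's and no longer than /28")
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(vpc_dns_resolver("10.0.0.0/16"))
    print(usable_hosts("10.0.1.0/24"), usable_hosts("10.0.1.0/28"))
    print(reserved_addresses("10.0.1.0/24"))
    print(carve_subnets("10.0.0.0/16", 20))  # 16 subnets of 4091 usable hosts each
```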
11
Q

Can subnets span AZs?

A

No. A subnet lives in exactly one Availability Zone.

12
Q

Can VPCs span AZs?

A

Yes. A VPC spans all Availability Zones in its Region; each of its subnets is placed in one AZ, so a multi-AZ VPC is simply a VPC with subnets in several AZs.
Source: myself

13
Q

Manage by DNS - explain this?

A

Do not hard-code IP addresses; address resources by DNS name wherever possible. Private IPs change when instances are replaced, and load balancers and interface endpoints are meant to be reached by name.

Source: LinkedIn Learning

14
Q

What is a Transit Gateway?

A

AWS Transit Gateway connects VPCs, Site-to-Site VPNs and Direct Connect gateways through a central regional hub. Unlike VPC peering it is transitive, and its own route tables let you segment which attachments can reach one another.

15
Q

What is the difference between NACL and Security Groups?

A
  • NACLs have explicit ALLOW and DENY rules and are stateless (return traffic needs its own rule)
  • SGs DENY everything by default and only have ALLOW rules; they are stateful
  • SGs evaluate all their rules before deciding (any match allows), whereas NACLs evaluate rules in number order, lowest first, and the first match wins
  • NACLs apply at the subnet boundary to all traffic entering or leaving it, whatever resource sends it; SGs attach to individual resources (ENIs)
  • When a resource supports SGs, use SGs as the primary control (fewer rules, less complexity) and add NACLs where you need an explicit DENY, for example to block a known-bad address range
16
Q

What is a Security Group?

A
  • They are firewall rules attached to a network interface (ENI), so they apply to instances and to other resources with ENIs such as load balancers, RDS instances and interface endpoints
  • They can only ALLOW and not explicitly DENY traffic. - Anything not ALLOW'ed is DENY'ed.
  • Separate INBOUND and OUTBOUND rules can be specified.
  • They are stateful - if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
  • Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
  • Security group rules filter on protocol, port range and source/destination, where the source can be a CIDR, a prefix list or another security group (referencing a group rather than an IP is what keeps rules valid when instances are replaced).
17
Q

How many SGs per instance?

A

Up to 5 per network interface by default; this is an adjustable quota. The rules of all attached groups are combined, so attaching another group can only widen access.

18
Q

What is VPC Peering?

A
  • A way to connect two VPCs privately so that resources reach each other by private IP; works across accounts and Regions
  • The two VPCs' CIDR blocks must not overlap, and each side needs routes to the other's CIDR plus SG/NACL rules that allow the traffic

- is not transitive (A->B, B->C does not imply A->C); for many-to-many connectivity use a Transit Gateway

19
Q

What is a Gateway Endpoint (GWE)?

A

A private connection between a VPC and S3 or DynamoDB, implemented as a target in the subnet's route table (the destination is a prefix list for the service) rather than as an ENI. Gateway endpoints exist only for S3 and DynamoDB; every other service uses interface endpoints (S3 also offers an interface endpoint, for access from on premises or another VPC). A gateway endpoint has no hourly charge and is a VPC-level construct, so it is not tied to an AZ.

20
Q

What is AWS PrivateLink?

A

AWS PrivateLink provides private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access your services, AWS PrivateLink ensures your traffic is not exposed to the public internet. The consumer sees only an interface endpoint in its own VPC; the provider publishes an endpoint service fronted by a Network Load Balancer, so neither side needs peering and their CIDRs may overlap.

21
Q

What is an Interface Endpoint?

A

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet. It serves as an entry point for traffic destined to a supported AWS service or a VPC endpoint service.

Each endpoint ENI lives in one subnet, and therefore one AZ, unlike a GWE, which is a VPC-level construct; so when you create the endpoint, select a subnet in every AZ you use and AWS places an ENI in each.

IEs use DNS rather than routing (as a GWE does): with private DNS enabled, the service's normal hostname resolves inside the VPC to the private IP of the endpoint ENI, which forwards the traffic to the service you are trying to reach. Private DNS requires both enableDnsSupport and enableDnsHostnames to be true on the VPC.

22
Q

What is a Virtual Private Gateway (VPGW)?

A

The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection. Each Site-to-Site VPN connection provides two IPsec tunnels for redundancy.

23
Q

What are Flow Logs?

A

Flow logs capture metadata about the IP traffic to and from network interfaces in your VPC (source and destination address and port, protocol, packet and byte counts, and whether the flow was ACCEPTed or REJECTed by a security group or NACL). They do not capture payload (i.e. not a packet sniffer; use VPC Traffic Mirroring for that).

  • Apply them at VPC level
  • apply at subnet level
  • ENI level
  • not real time: records are aggregated over a capture window and delivered afterwards
  • can be used to log to S3, CloudWatch Logs or Kinesis Data Firehose
  • some traffic is never logged, for example DNS queries to the Amazon resolver and instance metadata traffic
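Reading flow log records, as an added example that is not part of the original flashcards. It parses the default (version 2) space-separated format, counts rejected flows per source, flags a source that probed several ports, and shows how a NODATA window (fields filled with "-") must be handled. The log lines are constructed; the account ID, ENI ID and addresses are placeholders.

```python
"""Added example (not from the flashcards): reading VPC flow log records.

Each record is one line of space-separated fields in the default (version 2)
format. The records below are constructed: a scanner probing a host, an
accepted HTTPS session in both directions, and a NODATA capture window.
"""
from collections import Counter, defaultdict

FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.20 54321 22 6 6 360 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.20 54322 23 6 1 40 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.1.20 54323 3389 6 1 40 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.4 10.0.1.20 51000 443 6 20 4100 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 198.51.100.4 443 51000 6 18 9800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000060 1700000119 - NODATA
"""


def parse_record(line):
    """Turn one flow log line into a dict; numeric fields become ints, '-' becomes None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # custom formats have other field lists; skip what we don't understand
    rec = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(value)
        else:
            rec[name] = value
    return rec


def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def rejects_by_source(records):
    """How many flows from each source were rejected by a security group or NACL."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def port_scan_suspects(records, min_ports=3):
    """Sources whose rejected flows touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def status_counts(records):
    """OK vs NODATA/SKIPDATA windows; SKIPDATA means records were lost, not that nothing happened."""
    return Counter(r["log_status"] for r in records)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(rejects_by_source(recs))
    print(port_scan_suspects(recs))
    print(status_counts(recs))
```

Two practical points the sample shows: the accepted HTTPS session appears as two records, one per direction, so "bytes sent" and "bytes received" live on different lines; and a REJECT only tells you a security group or NACL dropped the flow, not which one, so you still have to check both when investigating.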
24
Q

What does enableDnsHostnames do?

A

If set to true, instances get Amazon-provided DNS hostnames (always a private hostname, plus a public hostname when the instance has a public IP). It only takes effect when enableDnsSupport is also true; both are needed for private DNS on interface endpoints.

25
Q

What does enableDnsSupport do?

A

Enables the Amazon-provided DNS resolver (Route 53 Resolver) for the VPC, reachable at the VPC CIDR base + 2 and at 169.254.169.253. With it off, instances must use a resolver you provide.

26
Q

What is the IP address of DNS in a VPC?

A

VPC CIDR base address + 2, so for 10.0.0.0/16 the resolver is 10.0.0.2 (it is also reachable at 169.254.169.253). AWS reserves the +2 address in every subnet as well.

provided by Route 53 Resolver

27
Q

How many DHCP options set per VPC?

A

One DHCP options set can be associated with a VPC at a time, and it applies to all its subnets. It is where you set the DNS servers (the default, AmazonProvidedDNS, is the Route 53 Resolver), the domain name and NTP servers.

28
Q

Can an EC2 instance see its own public address?

A

Not from its network configuration. The OS only sees the private IPv4 address on its ENI; the IGW performs the one-to-one NAT between that private address and the public IP or EIP and keeps the mapping itself. The instance can still learn its public address by asking the instance metadata service (the public-ipv4 item), which is how tools that need it find out.

29
Q

What are NACLs?

A
  • Network Access Control List
  • Rules for traffic entering/leaving subnets; stateless, so both directions (including the ephemeral port range for replies) need rules
  • Can explicitly ALLOW or DENY
  • applied only to Subnets, not other resources
  • One subnet = one NACL at a time (a subnet without an explicit association uses the VPC's default NACL, which allows everything; a newly created custom NACL denies everything)
  • Rules are evaluated in ascending number order and the first match wins
  • use with SGs to add explicit DENYs
30
Q

What are ephemeral ports?

A

When a web server replies to a user's browser, the reply goes to an ephemeral port on the user's machine, chosen by the client OS from the range 1024-65535 (the exact range varies: Linux commonly uses 32768-60999, Windows 49152-65535, and a NAT gateway uses 1024-65535). Because NACLs are stateless, the outbound NACL of the server's subnet must allow TCP 1024-65535 or the replies are dropped even though the inbound request was allowed; security groups handle this automatically because they are stateful.
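The evaluation semantics from the NACL, security group and ephemeral port cards (15, 16, 29 and 30), as one added example that is not part of the original flashcards. It models a security group (allow-only, any rule matches, stateful) and a NACL (numbered, first match wins, implicit deny, stateless), then walks a client request and its reply through both to show why an outbound NACL that mirrors the inbound one breaks every connection, and why a DENY numbered after a broader ALLOW is never reached. All rules, addresses and ports are constructed.

```python
"""Added example (not from the flashcards): how security groups and network
ACLs decide, and why the ephemeral port range matters for NACLs.

Rules, addresses and ports here are constructed. Semantics modelled:
- Security group: allow rules only; every rule is considered; stateful,
  so the reply to an allowed request is let through automatically.
- NACL: numbered rules evaluated lowest number first, first match wins,
  implicit deny if nothing matches; stateless, so the reply needs its own
  rule, which for a web server means an OUTBOUND rule for the client's
  ephemeral ports (1024-65535).
"""
import ipaddress

ANY = "0.0.0.0/0"


def _matches(rule_proto, from_port, to_port, cidr, proto, port, ip):
    """Shared matching: protocol ('tcp', 'udp' or '-1' for all), port range, CIDR."""
    if rule_proto not in ("-1", proto):
        return False
    if rule_proto != "-1" and not from_port <= port <= to_port:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def sg_allows(rules, proto, port, ip):
    """rules: [(proto, from_port, to_port, cidr)]. Any match allows; there is no deny rule."""
    return any(_matches(*rule, proto, port, ip) for rule in rules)


def nacl_decision(rules, proto, port, ip):
    """rules: [(number, proto, from_port, to_port, cidr, action)].
    Evaluated in ascending number order; the first matching rule decides."""
    for _number, rule_proto, from_port, to_port, cidr, action in sorted(rules):
        if _matches(rule_proto, from_port, to_port, cidr, proto, port, ip):
            return action
    return "deny"  # the implicit '*' rule at the bottom of every NACL


def tcp_session_ok(sg_in, nacl_in, nacl_out, client_ip, client_port, server_port):
    """Can a client at client_ip:client_port complete a TCP exchange with server_port?"""
    # The request enters the subnet (inbound NACL), then reaches the instance (inbound SG).
    if nacl_decision(nacl_in, "tcp", server_port, client_ip) != "allow":
        return False
    if not sg_allows(sg_in, "tcp", server_port, client_ip):
        return False
    # The reply: the SG is stateful, so no outbound SG rule is needed. The NACL is
    # stateless, so the OUTBOUND NACL must allow traffic to the client's ephemeral port.
    return nacl_decision(nacl_out, "tcp", client_port, client_ip) == "allow"


# A web server's security group: only 443 in.
SG_WEB = [("tcp", 443, 443, ANY)]
NACL_IN = [(100, "tcp", 443, 443, ANY, "allow")]
# Common mistake: the outbound NACL mirrors the inbound one, so replies to port 51000 are dropped.
NACL_OUT_BROKEN = [(100, "tcp", 443, 443, ANY, "allow")]
NACL_OUT_FIXED = NACL_OUT_BROKEN + [(110, "tcp", 1024, 65535, ANY, "allow")]

# Ordering matters: a DENY numbered after a broader ALLOW is never reached.
NACL_SSH_DENY_FIRST = [(100, "tcp", 22, 22, "203.0.113.0/24", "deny"),
                       (200, "tcp", 22, 22, ANY, "allow")]
NACL_SSH_DENY_LAST = [(100, "tcp", 22, 22, ANY, "allow"),
                      (200, "tcp", 22, 22, "203.0.113.0/24", "deny")]

if __name__ == "__main__":
    print(tcp_session_ok(SG_WEB, NACL_IN, NACL_OUT_BROKEN, "198.51.100.7", 51000, 443))
    print(tcp_session_ok(SG_WEB, NACL_IN, NACL_OUT_FIXED, "198.51.100.7", 51000, 443))
    print(nacl_decision(NACL_SSH_DENY_FIRST, "tcp", 22, "203.0.113.5"))
    print(nacl_decision(NACL_SSH_DENY_LAST, "tcp", 22, "203.0.113.5"))
```

The SG side has no equivalent of the ordering trap: since every rule is an ALLOW and any match wins, the only way to "block" with a security group is to leave the rule out, which is also why a block list belongs in a NACL (or WAF), not a security group.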

31
Q

Can NATGWs have security groups applied on them?

A

No. Only NAT instances you stand up yourself as EC2 instances can have SGs on them (a NAT instance also needs source/destination checking disabled on its ENI so it will forward traffic that is not addressed to it).

32
Q

What is WAF

A

Web Application Firewall
- Layer 7 firewall
- understands HTTP and HTTPS
- protects against application-layer attacks such as SQL injection and cross-site scripting, and supports geo blocking and rate-based rules
- rules are grouped in a Web ACL, which is attached to an ALB, API Gateway, CloudFront distribution or AppSync API

33
Q

What is Shield?

A

Protect from DDoS

  • Shield Standard - automatically on for every AWS account at no extra cost; strongest in front of CloudFront and Route 53
  • Layer 3 and 4 protection against DDoS (SYN floods, UDP reflection, etc.)

Shield Advanced - $3000/month with a one-year commitment

  • Protects EC2, ELB, CloudFront, Global Accelerator and R53
  • 24/7/365 Shield Response Team
  • Cost protection (credits) for scaling charges caused by a DDoS attack, and AWS WAF included for the protected resources
34
Q

What is CloudHSM

A

True "single tenant" Hardware Security Module
- Tamper-resistant piece of hardware
- AWS provisions it but the customer manages it, including the HSM users and the keys; AWS has no access to the key material
- Federal Information Processing Standard (FIPS) validated - FIPS 140-2 Level 3
(KMS is Level 2 overall, with some areas at Level 3)

Use industry-standard cryptography APIs - PKCS#11, JCE (Java Cryptography Extension), Microsoft CNG/KSP, or the OpenSSL Dynamic Engine - to access the cluster

CloudHSM lives in your VPC - deploy multiple HSMs in multiple AZs for HA; keys are replicated between all the HSMs in the cluster

An ENI per HSM is injected into your VPC so you can reach them
The CloudHSM client (and its SDK libraries) is installed on the EC2 instances that need access to the HSM appliances

35
Q

Cloud HSM use cases

A
  • No native integration between CloudHSM and most AWS services, so no SSE-S3 backed directly by CloudHSM; the exception is a KMS custom key store, which lets KMS hold its keys in your CloudHSM cluster so that KMS-integrated services can use them indirectly
  • Offload SSL/TLS processing for web servers (the private key never leaves the HSM)
  • Enable Transparent Data Encryption (TDE) for Oracle databases
  • Protect private keys for an issuing Certificate Authority (CA)