VPC

Question 1

By default, how many VPCs are allowed in each region?

Answer 1

5

Question 2

What is the largest VPC CIDR allowed in AWS?

Answer 2

/16

Question 3

What are the private IP classes/ranges?

Answer 3

10/8

172. 32/12
173. 168/16

Reference: CIDR.xyz

Question 4

How traffic can enter the VPC?

Answer 4

Internet Gateway and Virtual Private Gateway

Question 5

How the default VPC is designed?

Answer 5

Each instance has both public and private IPs

All subnets have a route out to the internet

Question 6

VPC Peering

Answer 6

Connect one VPC with any other VPC using private IP addresses;
Peering is a start configuration: i.e. 1 central VPC peers with 4 others (no transitive/intercept peering)
You can peer between regions

Question 7

What resources are automatically created when a new VPC is provisioned?

Answer 7

The MAIN Router Table (designed to be the private subnet), NACL, Security Group

Question 8

When launching a 10.0.0.0/24 subnet, only 251 IPs are available. Why?

Answer 8

The first four IPs and the last one are reserved:

10. 0.0.0-Network address
11. 0.0.1-VPC router
12. 0.0.2-DNS Server
13. 0.0.3-Reserved for future use
14. 0.0.255-Reserved for Broadcast, but no supported

Question 9

Explain NAT Gateway VS NAT Instance

Answer 9

NAT Gateway is a highly available managed service inside THE Availability Zone, so it is recommended to create one NAT Gateway per AZ. While NAT instance is an EC2 (with NAT community AMI) what you configure according to your needs. Also, the route table needs to be complemented to forward 0.0.0.0/0 traffic to the NAT Instance ENI

Question 10

What is need to disable on a newly created NAT instance?

Answer 10

Source/Destination Check

Question 11

What are the default rules for a created NACL?

Answer 11

Both inbound and outbound traffic are denied from/to everywhere

Question 12

What is an ephemeral port?

Answer 12

It is a short-lived port dynamically assigned. A NAT Gateway uses the ports 1024-65535

Question 13

Why the NACL rules matter?

Answer 13

The lower the number, the higher the priority. If something needs to be denied, it needs to come first.

Question 14

What is VPC Flow log and what it can monitor?

Answer 14

VPC Flow log monitors the accepted or failed traffic of the VPC/Subnet/NIC and sends the logs to either S3 or CloudWatch Logs

Question 15

What is a bastion host?

Answer 15

It is a hardened host either on the outside of the firewall or in a DMZ

Question 16

What is Direct Connect?

Answer 16

It is a solution that allows onpremise to establish private connectivity to the cloud with lower cost, increased bandwidth throughput, and a more consistent network experience

Question 17

What is the purpose of Global Accelerator?

Answer 17

It provides better availability and performance by creating a straight route from customers to the final endpoint (EC2, ALB, ElasticIP, etc).

Question 18

What is a VPC Endpoint?

Answer 18

It is virtual device that will allow your service requests to go straight to the target service such as S3. It skips the NAT Gateway, Direct Connect, VPN Connection, Internet Gateway, etc.

Interface Endpoint: ENI with a private IP that can be used to route the traffic straight to the target service. This ENI will be attached to the EC2. (Several services)
VPC Endpoint: Similar to interface endpoint, but a route is added to the subnet route table. (S3 and DynamoDB only for now)

Question 19

What is a VPC PrivateLink?

Answer 19

It is the technique used to link tens/hundreds/thousands of VPCs.
It requires a NLB on the service and an ENI on the customer VPC

Question 20

What is the purpose of Transit Gateway?

Answer 20

It is a way to simplify the network topology. It works with hub-and-spoke model by supporting transitive peering between VPCs. It also supports IP multicast (not supported by any other AWS service)

Question 21

VPN CloudHub

Answer 21

It is similar to Transit Gateway, hub-and-spoke model, to connect multiple on premise locations using site to site vpn connections with low cost.

Question 22

Describe the AWS Network cost

Answer 22

Data injection is free
Data traffic within the same AZ using private IP is free
Data traffic Inter-AZ is $0.01/GB
Data traffic within the same AZ using private public IP is $0.02/GB
Data traffic between VPCs is also $0.02/GB