VPC Flashcards
By default, how many VPCs are allowed in each region?
5
What is the largest VPC CIDR allowed in AWS?
/16
What are the private IP classes/ranges (RFC 1918)?
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
Reference: CIDR.xyz
How can traffic enter the VPC?
Internet Gateway and Virtual Private Gateway
How is the default VPC designed?
Each instance has both public and private IPs
All subnets have a route out to the internet
VPC Peering
Connect one VPC with any other VPC using private IP addresses.
Peering is a star configuration: e.g. one central VPC peers with four others, and each link is point-to-point (no transitive peering through the central VPC).
You can peer between regions
What resources are automatically created when a new VPC is provisioned?
The main route table (intended for private subnets, as it has no internet route), a default NACL and a default Security Group
When launching a 10.0.0.0/24 subnet, only 251 IPs are available. Why?
The first four IPs and the last one are reserved by AWS:
- 10.0.0.0 - network address
- 10.0.0.1 - VPC router
- 10.0.0.2 - DNS server
- 10.0.0.3 - reserved for future use
- 10.0.0.255 - reserved for broadcast (broadcast is not supported in a VPC)
Explain NAT Gateway vs NAT Instance
A NAT Gateway is a highly available managed service that lives inside a single Availability Zone, so it is recommended to create one NAT Gateway per AZ. A NAT instance is an EC2 instance (launched from a NAT community AMI) that you configure according to your needs. Also, the private subnet's route table needs a route that forwards 0.0.0.0/0 traffic to the NAT instance's ENI.
What needs to be disabled on a newly created NAT instance?
Source/Destination Check
What are the default rules of a newly created NACL?
Both inbound and outbound traffic are denied from/to everywhere
What is an ephemeral port?
It is a short-lived port dynamically assigned. A NAT Gateway uses the ports 1024-65535
Why do NACL rule numbers matter?
The lower the number, the higher the priority. If something needs to be denied, its deny rule needs to come first (have a lower number than any allow rule that would match).
What is a VPC Flow Log and what can it monitor?
A VPC Flow Log records the accepted or rejected traffic of a VPC, subnet or network interface (ENI) and sends the logs to either S3 or CloudWatch Logs
What is a bastion host?
It is a hardened host placed either outside the firewall or in a DMZ
What is Direct Connect?
It is a solution that allows on-premises networks to establish private connectivity to the cloud with lower cost, higher bandwidth throughput, and a more consistent network experience
What is the purpose of Global Accelerator?
It provides better availability and performance by creating a direct route from customers to the final endpoint (EC2, ALB, Elastic IP, etc.).
What is a VPC Endpoint?
It is a virtual device that allows your service requests to go straight to the target service, such as S3. It skips the NAT Gateway, Direct Connect, VPN connection, Internet Gateway, etc.
Interface Endpoint: an ENI with a private IP that is used to route the traffic straight to the target service. This ENI will be attached to the EC2. (Several services)
Gateway Endpoint: similar to an interface endpoint, but instead a route is added to the subnet route table. (S3 and DynamoDB only for now)
What is a VPC PrivateLink?
It is the technique used to link a service to tens, hundreds or thousands of VPCs.
It requires an NLB on the service side and an ENI in the customer VPC
What is the purpose of Transit Gateway?
It is a way to simplify the network topology. It works with a hub-and-spoke model and supports transitive peering between VPCs. It also supports IP multicast (not supported by any other AWS service)
VPN CloudHub
It is similar to Transit Gateway (hub-and-spoke model), used to connect multiple on-premises locations using Site-to-Site VPN connections at low cost.
Describe AWS network costs
Data ingress (inbound traffic) is free
Data traffic within the same AZ using private IPs is free
Data traffic between AZs is $0.01/GB
Data traffic within the same AZ using public IPs is $0.02/GB
Data traffic between VPCs is also $0.02/GB