VPC and Networking Flashcards
What happens to the public IP address of an EC2 instance each time you stop and start it? What about the private one?
The public IP changes; the private IP does not.
What service does Elastic IP provide? What is the pricing?
Allows the user to attach a fixed public IP to an EC2 instance. IPv4 addresses cost per hour, but IPv6 addresses are free.
What is a VPC? What does VPC stand for?
VPC = Virtual Private Cloud
A VPC is simply a private network where you can deploy your resources, linked to a region.
What is a subnet?
A partition within your VPC linked to an availability zone
What is used to allow connections between subnets and the internet?
Route tables
How does a private subnet connect to the internet? What does this mean?
By passing through a NAT gateway. A NAT gateway gives the private subnet a public IP address that allows its instances to connect to the internet.
Why might you want a private subnet to connect to the internet? (1 e.g.)
To download software updates, for example
What does NACL stand for? What does a NACL do?
Network Access Control List.
A NACL is a firewall that controls traffic to and from a subnet based on IP addresses that want to pass through.
Is a NACL stateful or stateless? What does this mean?
A NACL is stateless.
This means that it evaluates each packet trying to pass through individually, regardless of whether the packet belongs to an existing, previous or new connection.
Another way of putting it is that it doesn't keep track of existing or previous network connections.
What is a security group?
A firewall at the EC2 instance level. It can only have allow rules, and it filters based on IP addresses and other security groups.
What are the 2 main differences between a NACL and a Security Group?
A NACL is stateless and is at the subnet level.
A Security Group is stateful and is at the EC2 level.
What are VPC Flow Logs?
Logs that allow you to capture all the IP traffic going through your interfaces (VPC, subnet AND instance levels).
Why are VPC Flow Logs useful?
Allow you to troubleshoot connection issues at all the layers of your network architecture
What is VPC peering?
A service that allows the user to connect two VPCs privately using AWS' network. Since it is over the private network, private IPs are used. This means that you must take care that the two VPCs do not have overlapping IP ranges.
Once the peering is done, the 2 VPCs essentially act as 1
When peering 3 VPCs, what is important to keep in mind?
The 3 must all be directly connected to each other to be able to communicate, i.e. if:
A <=> B <=> C then A and C can't communicate with each other through peering.
But if:
C <=> B <=> A <=> C then all can talk to each other through peering.
What are VPC Endpoints? What are the benefits?
Endpoints allow you to connect to AWS services using the private network instead of the public WWW.
Gives increased security and lower latency.
What is PrivateLink?
A way for many VPCs to connect to a service in a much more scalable manner.
Does not require NAT, internet gateway, peering, routing etc. BUT DOES need a Network Load Balancer (NLB) and Elastic Network Interface (ENI).
What is DX?
Direct Connect.
A service where you can establish a physical connection between your on-premises DC and AWS.
What is AWS Site-to-site VPN? What is needed on the customer side and on the AWS side?
A way to connect on-premises hardware to AWS in an automatically encrypted manner.
Customer side needs a Customer Gateway (CGW), AWS side needs a Virtual Private Gateway (VGW)
What are the pros and cons of site to site VPN vs direct connect?
Site-to-site VPN is faster to set up and cheaper. DX is more expensive, but once established it has lower latency and is more reliable and more private.
What is AWS Transit Gateway? Why is it useful?
A service that allows for peering between thousands of VPCs and on-premises networks in a hub-and-spoke system where AWS Transit Gateway is in the middle.
Dramatically simplifies network topologies.