VPC - Build Your Own Custom VPC

Question 1

How to create a VPC with public and private subnets:

Answer 1

1. Create VPC, which creates a main route table, default security group, and default network ACL.
2. Create 2 subnets.
3. Create and attach an IGW to the VPC.
4. Create another route table.
5. Associate the IGW and one of the subnets to the custom route table.
6. Launch instance in the public subnet with a security group allowing HTTP, HTTPS, SSH.
7. Launch instance in the private subnet with a security group allowing SSH, ICMP, .
8. Launch NAT instance or create NAT gateway or Bastion.
9. Create Network ACL mirroring security groups

Question 2

What is the purpose of the CIDR block?

Answer 2

Specifies IP address ranges

Question 3

What size can the CIDR be for a VPC or subnet?

Answer 3

Between /16 and /28

Question 4

What is meant by “Tenancy?”

Answer 4

Determines whether VPC and its assets are deployed onto shared hardware or dedicated hardware. Default is shared hardware.

Question 5

When would you want the Tenancy to be Dedicated?

Answer 5

Security concerns, e.g. regulatory requirements

Question 6

When you create a VPC, what else is created?

Answer 6

Main route table, default security group, default network ACL

Question 7

When you create a VPC, what is NOT created?

Answer 7

Subnets, Internet Gateway

Question 8

Can a subnet be the same size as your VPC?

Answer 8

Yes

Question 9

1 subnet always equals

Answer 9

1 Availability Zone

Question 10

To make a subnet public…

Answer 10

…create and attach an Internet Gateway, associate it with a route table, and associate the subnet with that route table. Additionally, enable auto-assign IP on that subnet.

Question 11

When you create a new subnet, is it associated with any route tables?

Answer 11

Yes, it will be associated with the main route table by default

Question 12

Why is it considered a best practice to keep the main route table private?

Answer 12

If there is a route out to the Internet from the main route table, all subnets in that route table will automatically be public, which is a security risk.

Question 13

If you forget to enable auto-assign public IP for a subnet…

Answer 13

…when you launch an EC2 instance you can enable auto-assign there.

Question 14

If you forget to assign a public IP address to a public EC2 instance…

Answer 14

…you can allocate an Elastic IP address to it

Question 15

When you launch an instance in the private subnet…

Answer 15

…traffic will be sourced from the public subnet.

Question 16

To SSH into your private instance from your public instance…

Answer 16

…you need to copy/paste your keypair into the public instance and chmod 600

Question 17

To be able to PING the private instance…

Answer 17

…allow ICMP on the private instance and ping the private IP from the public instance

Question 18

To perform security patches, install software, etc on a private instance…

Answer 18

…you need a way for that instance to access the Internet (NAT instance or NAT gateway)