VPC Overview

Question 1

Can Security Groups span subnets?

Answer 1

Yes

Question 2

Does one subnet have to stay in one availability zone?

Answer 2

Yes

One Subnet = One AZ

Subnets cannot cross availability zones

Question 3

What RFC 1918 adresses ranges can be used?

Answer 3

10. 0.0.0 /8 (10.0.0.0 - 10.255.255.255.)
11. 16.0.0 /12 (172.16.0.0 - 172.31.255.255)
12. 168.0.0 /16 (192.168.0.0 - 192.168.255.255)

Question 4

How many VPC’s can you have in a region?

Answer 4

Soft limit of 5

Get more by contacting AWS

Question 5

How many internet gateways can you have in a VPC?

Answer 5

one

Question 6

Can security groups span availability zones?

Answer 6

yes

Question 7

Can security groups span subnets?

Answer 7

yes

Question 8

Default VPC Overview

Answer 8

all subnets have route to internet

every EC2 instance has a public and private IP address

Question 9

VPC Peering Overview

Answer 9

Peer with a direct route with private IP addresses

Instances act as if on the same private network

Can peer with other AWS accounts and other VPC’s in same account

Peering always in hub-spoke configuration.

Never have transitive peering

Question 10

List 5 Main Components of a VPC

Answer 10

Internet Gateways (or Virtual Private Gateways)
Route Tables
NACLs
Subnets
Security Groups

Question 11

Are Security Groups Stateful?

Answer 11

Yes

Question 12

Are NACLs Stateless?

Answer 12

Yes

Question 13

Compare stateful vs stateless

Answer 13

Open port 80 on SG does outbound automatically

Open port 80 on NACL, do outbound manually

Question 14

When you create a VPC, what things are automatically created?

Answer 14

Default Route Table
Default NACL
Default VPC Security Group

no IGW
no Subnets

Question 15

Steps in creating VPC

Answer 15

Lecture “build your own custom VPC”

1. Create VPC
2. Create Subnets (assign subnet to AZ)
3. Create internet Gateway, Attach it
4. Create new Route Table
5. Give new Route Table internet access by adding route (0.0.0.0/0 -> IGW)
6. Associate Route Table with subnets
7. Enable auto-assign public IP address for public subnets

(by default new subnets are associated with main route table, so for security, you don’t want main route table to have internet access. Create new route table for the VPC and associate the subnets with it)

Question 16

How many IP addresses do you lose when you provision a subnet?

Answer 16

5

.0 network address
.1 VPC router
.2 AWS DNS Server always reserved
.3 AWS for future use
.255 network broadcast not supported in AWS but reserved

Question 17

Can Security Groups span VPC’s?

Answer 17

NO

Question 18

Name a couple issues with NAT Instances

Answer 18

Single Point of Failure
Performance isn’t great, scaling involves ASG, multiple AZ’s and gets complicated with scripting

Have to edit the instance networking settings to disable source/destination checking

replaced with NAT Gateway

Question 19

What’s the difference between

Egress Only Internet Gateway and NAT Gateway?

Answer 19

Egress only is for IPv6

NAT Gateway is for IPv4

Question 20

What did you goof up when you created a NAT Gateway?

Answer 20

Put it in the private subnet.

Fixed by deleting, making new one in public subnet

Question 21

Do you want to install NAT Gateways in multiple AZ’s?

Answer 21

Yes
If one AZ fails, the NAT Gateway will go down.

Route between them for redundancy

Question 22

Max bandwidth on NAT Gateway

Answer 22

10Gbs

Question 23

Do NAT instances have to be in a public subnet?

Answer 23

Yes

Question 24

How does NAT instance size affect the amount of traffic it can handle?

Answer 24

The amount of traffic depends on the instance size

Question 25

How many public subnets do you need in order to deploy an application load balancer?

Answer 25

At least 2