VPC & Shared Responsibility Model

Question 1

Shared Responsibility Levels

Answer 1

CIA

Infrastructure (EC2)
Container Services (OS & App Mgt)
Absracted (DynamoDB)

Question 2

Shared Responsibility - Amazon vs Client

Answer 2

Client is responsible for Clisde Side Encryption and Customer Data

Amazon

• 1) OS and Application Mgt
• 2) S3 and DynamoDB
• 3) Hypervisor???

Question 3

What is VPC

Answer 3

Logical Data Center in AWS

Question 4

How many Availability Zones can a VPC Span

Answer 4

Multiple :D

Question 5

How man Regions can a VPC Span

Answer 5

1

Question 6

What do VPCs consis of

Answer 6

Routs, Tables, ACL, IGW, Subnets, SGs

Question 7

How many Availability Zones per subnet

Answer 7

1

Question 8

VPC Peering

Answer 8

you can peer VPCs even with other AWS accounts if you have an agreement

Question 9

NAT Instance does not support

Answer 9

Transitive Peering

Question 10

NAT Instance - what Instance setting do you need to disable?

Answer 10

Source Destination Check

Question 11

NAT Instance - what type of subnet must it be under

Answer 11

Public

Question 12

NAT Instance - what does it need in order to work

Answer 12

1) Elastic IP

2) Route out of the private subnet

Question 13

NAT Instance - Traffic size depends on this

Answer 13

Size of Instance

Question 14

NAT Instance - what does it need to create High Availability

Answer 14

Autoscalling groups

Question 15

NAT Instance - Does is use Security Groups or ACLs

Answer 15

Security Groups of course silly

Question 16

NAT Instance - are Stateful or Stateless

Answer 16

Stateful

Question 17

Stateful

Answer 17

Return Traffic Automatically Allowed. This the FULL = FULL of RIGHTS

Question 18

Stateless

Answer 18

Return Traffic must be Explicitly Allowed

Question 19

NAT Gateways Benefits

Answer 19

No need to patch and is preferred.

Question 20

NAT Gateways - Use ACL or SGs

Answer 20

ACLs. Only thing that uses SG are NAT Instances

Question 21

NAT Gateways - Auto assigns a public address - true or false

Answer 21

true

Question 22

NAT Gateways - what VPC item do you add them to? Subnet, IGW, Route, ACL

Answer 22

Route. They are added to the defualt route just like Route Instances.

Question 23

ACL (Access Control Lists) - Created automatically when VPC is created - true or false

Answer 23

true. A single default ACL (and Route) is created. it allows all traffic both inbount and outbound by default. Not like a custom.

Question 24

ACL - Default ACL allow all traffic - true or false

Answer 24

True

Question 25

ACL - Custom ACL allow all traffic - true or false

Answer 25

False - Denies all by default. It’s Stateless so access must be assigned explicitly.

Question 26

ACL - What happens when a subnet is not explicitly associated to an ACL?

Answer 26

The subnet will be associated with the default ACL. Subnet MUST be assigned to some ACL. Default allows all traffic.

Question 27

ACL - 1 Subnet equals how many ACLs

Answer 27

1 ACL. When you add a subnet to a new ACL the subnet is then removed from the old ACL.

Question 28

ACL - Can an ACL have multiple Subnets

Answer 28

Yes

Question 29

ACL - How are rules evaluted

Answer 29

In order form small to large

Question 30

ACL - Inbound and outbound roles are assigned together - true or flase

Answer 30

False. Inbound and outbound rules are assigned invidually. Stateless son!

Question 31

NAT vs Bastion

Answer 31

NAT=provides INTERNET traffic to EC2 in proivate subnet

Bastion= aka JumpBox allows secure admin EC2s in proivate subnets

Question 32

Resiliency - where must the 2 public subnets be located for resiliency?

Answer 32

in different Availability Zones

Question 33

Resiliency - how to you achieve resiliency for bastions?

Answer 33

Auto scalling Group. use Route53 with RR or Failover.

Question 34

Resiliency - How to make a NAT Instance resilient?

Answer 34

HARD- 1 in each public subnet each with their on public IP.

Need Fail Over Script

Question 35

VPC - How to monitor traffic

Answer 35

using VPC Flow Logs

Question 36

VPC - How many allowed per Region

Answer 36

5 VPCs

Question 37

ACL - what level do they provide security

Answer 37

At the Subnet Level. Also they block IP address as opposed to ports only.