VPC Summary

Question 1

Think of VPC as…

Answer 1

…a logical datacenter in AWS

Question 2

1 Subnet =

Answer 2

1 AZ

Question 3

Security Groups are…

Answer 3

…stateful

Question 4

Network ACLs are…

Answer 4

…stateless

Question 5

Can you peer VPCs in same account?

Answer 5

Yes

Question 6

Can you peer VPCs in different accounts?

Answer 6

Yes

Question 7

Transitive peering?

Answer 7

No

Question 8

When creating a NAT instance…

Answer 8

…disable Source/Destination Check on the instance

Question 9

NAT instances must be in which subnet?

Answer 9

Public

Question 10

For NAT instance to work…

Answer 10

…must have elastic IP address, must be a route out of the private subnet to the NAT instance

Question 11

How much traffic do NAT instances support?

Answer 11

Depends on the instance size. If bottlenecking, increase the instance size

Question 12

You can create high availability using…

Answer 12

…AutoScaling Groups, multiple subnets in different AZs, a script to automate failover

Question 13

T/F: NAT instances are behind a security group.

Answer 13

True

Question 14

NAT gateways…

Answer 14

…scale automatically up to 10 Gbps, no need to patch, not associated with security groups, automatically assigned a public IP, do not need to disable source/dest check

Question 15

Default NACL…

Answer 15

…automatically created with a VPC and by default it allows all inbound and outbound traffic

Question 16

Custom NACL…

Answer 16

…denies all inbound and outbound traffic until you add rules

Question 17

T/F: Each subnet in your VPC must be associated with a network ACL

Answer 17

True

Question 18

If you don’t explicitly associate a subnet with a network ACL…

Answer 18

…the subnet is automatically associated w/ default network ACL

Question 19

Can you associate a network ACL with multiple subnets?

Answer 19

Yes, but a subnet can only be associated with one NACL at a time

Question 20

When you associate a network ACL with a subnet…

Answer 20

…the previous association is removed

Question 21

NACL rules…

Answer 21

…evaluated in order, starting with the lowest numbered rule

Question 22

NACL inbound and outbound rules are…

Answer 22

…separate. Each rule can either allow or deny traffic

Question 23

NACLs are stateless, so…

Answer 23

…responses to allowed inbound traffic are subject to the rules of outbound traffic (and vice versa)

Question 24

Block IP addresses using…

Answer 24

…NACLs not Security Groups

Question 25

A NAT is used to…

Answer 25

…provide internet traffic to EC2 instances in private subnets

Question 26

A Bastion is used to…

Answer 26

…securely administer EC2 instances using SSH or RDP in private subnets

Question 27

If you want resiliency…

Answer 27

…always have 2 public subnets and 2 private subnets. Make sure each subnet is in different AZs

Question 28

With ELBs, make sure…

Answer 28

…they are in 2 public subnets in 2 different AZs

Question 29

With Bastion hosts…

Answer 29

…put them behind an autoscaling group w/ a minimum size of 2. Use Route53 (round robin or health check) to automatically fail over

Question 30

To make NAT instances resilient…

Answer 30

…need one in each public subnet, each with their own public IP, and you need to write a script to fail between the two. Instead, where possible, use NAT gateways