VPC Summary Flashcards

1
Q

Think of VPC as…

A

…a logical datacenter in AWS

2
Q

1 Subnet =

A

1 AZ. A subnet lives in exactly one Availability Zone; an AZ can hold many subnets

3
Q

Security Groups are…

A

…stateful: return traffic for an allowed connection is permitted automatically, and rules can only allow, never deny

4
Q

Network ACLs are…

A

…stateless: every packet, including a reply, is checked against the rules for its own direction

5
Q

Can you peer VPCs in same account?

A

Yes

6
Q

Can you peer VPCs in different accounts?

A

Yes

7
Q

Transitive peering?

A

No. Peering is one-to-one: if A peers with B and B peers with C, A still has no route to C. You need a direct A-to-C peering (or a Transit Gateway)

8
Q

When creating a NAT instance…

A

…disable Source/Destination Check on the instance, because it forwards packets whose source or destination address is not its own

9
Q

NAT instances must be in which subnet?

A

Public

10
Q

For NAT instance to work…

A

…it must have an Elastic IP address, and the private subnet's route table needs a route (0.0.0.0/0) whose target is the NAT instance

11
Q

How much traffic do NAT instances support?

A

Depends on the instance size. If bottlenecking, increase the instance size

12
Q

You can create high availability using…

A

…AutoScaling Groups, multiple subnets in different AZs, a script to automate failover

13
Q

T/F: NAT instances are behind a security group.

A

True. It sits in a security group like any EC2 instance, so that group must allow inbound traffic from the private subnets and outbound traffic to the internet

14
Q

NAT gateways…

A

…scale automatically (AWS currently documents 5 Gbps baseline scaling to 100 Gbps; older material quotes 10 or 45 Gbps), need no patching, are not associated with security groups (but are still subject to the NACL of their subnet), use an Elastic IP that you allocate and attach at creation, and do not require disabling a source/dest check

15
Q

Default NACL…

A

…automatically created with a VPC and by default allows all inbound and outbound traffic (rule 100 allows everything; the final '*' rule denies anything unmatched)

16
Q

Custom NACL…

A

…denies all inbound and outbound traffic until you add rules: it starts with only the implicit '*' deny in each direction

17
Q

T/F: Each subnet in your VPC must be associated with a network ACL

A

True

18
Q

If you don’t explicitly associate a subnet with a network ACL…

A

…the subnet is automatically associated w/ default network ACL

19
Q

Can you associate a network ACL with multiple subnets?

A

Yes, but a subnet can only be associated with one NACL at a time

20
Q

When you associate a network ACL with a subnet…

A

…the previous association is removed

21
Q

NACL rules…

A

…evaluated in order, starting with the lowest numbered rule; the first rule that matches is applied and the rest are ignored

22
Q

NACL inbound and outbound rules are…

A

…separate. Each rule can either allow or deny traffic

23
Q

NACLs are stateless, so…

A

…responses to allowed inbound traffic are subject to the outbound rules (and vice versa). A server that accepts inbound connections therefore needs an outbound rule for the ephemeral port range (1024-65535) that replies are sent to

24
Q

Block IP addresses using…

A

…NACLs, not Security Groups. Security groups have allow rules only, so they cannot single out a source to deny; a NACL deny rule numbered lower than the matching allow rule does the job
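The NACL cards (15 to 24) describe a small evaluation model: rules are walked lowest number first, the first match wins, anything unmatched hits the implicit '*' deny, and there is no connection tracking. The script below is an added example written for these flashcards, not AWS code; it simulates that model so you can see why a deny rule must be numbered below the allow it overrides and why an allowed inbound SSH session still fails without an outbound ephemeral-port rule. The rule numbers, CIDRs and hosts are constructed for illustration.

```python
"""Simulate VPC network ACL evaluation: ordered, first-match, stateless.

Added stand-alone model for the flashcards above, not AWS code. The rule
numbers, CIDRs and hosts are constructed; the behaviour exercised (lowest
rule number first, first match wins, implicit '*' deny, no connection
tracking) is what AWS documents for NACLs.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

EPHEMERAL = (1024, 65535)  # port range AWS documents for NACL return traffic


@dataclass(frozen=True)
class Rule:
    number: int                 # evaluation order; lowest first
    protocol: str               # 'tcp', 'udp' or 'all'
    ports: Tuple[int, int]      # inclusive (low, high); ignored when protocol is 'all'
    cidr: str                   # source for inbound rules, destination for outbound
    action: str                 # 'allow' or 'deny'


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int                   # destination port of this packet
    remote: str                 # off-VPC address: source when inbound, destination when outbound


def matches(rule: Rule, packet: Packet) -> bool:
    if rule.protocol not in ('all', packet.protocol):
        return False
    if rule.protocol != 'all' and not rule.ports[0] <= packet.port <= rule.ports[1]:
        return False
    return ip_address(packet.remote) in ip_network(rule.cidr)


def evaluate(rules: List[Rule], packet: Packet):
    """Return (action, rule number). Nothing matched means the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, packet):
            return rule.action, rule.number
    return 'deny', '*'


# Default NACL: rule 100 allows everything (same in both directions).
DEFAULT = [Rule(100, 'all', (0, 65535), '0.0.0.0/0', 'allow')]

# Constructed custom NACL: accept SSH only from a trusted range, except one
# host inside that range which must be blocked.
TRUSTED_RANGE = '203.0.113.0/24'
BLOCKED_HOST = '203.0.113.50'
INBOUND = [
    Rule(90, 'tcp', (22, 22), BLOCKED_HOST + '/32', 'deny'),   # sorts before the allow
    Rule(100, 'tcp', (22, 22), TRUSTED_RANGE, 'allow'),
]
OUTBOUND_NO_EPHEMERAL = [
    Rule(100, 'tcp', (443, 443), '0.0.0.0/0', 'allow'),        # return-traffic rule forgotten
]
OUTBOUND = OUTBOUND_NO_EPHEMERAL + [
    Rule(110, 'tcp', EPHEMERAL, '0.0.0.0/0', 'allow'),         # SSH replies go to client ephemeral ports
]

SSH_FROM_TRUSTED = Packet('tcp', 22, '203.0.113.10')
SSH_FROM_BLOCKED = Packet('tcp', 22, BLOCKED_HOST)
SSH_REPLY = Packet('tcp', 51234, '203.0.113.10')   # reply to the client's ephemeral port


def default_allows_everything():
    return evaluate(DEFAULT, SSH_FROM_BLOCKED)


def ssh_from_trusted():
    return evaluate(INBOUND, SSH_FROM_TRUSTED)


def deny_before_allow():
    """Rule 90 deny is evaluated before rule 100 allow, so the host is blocked."""
    return evaluate(INBOUND, SSH_FROM_BLOCKED)


def deny_after_allow():
    """Same deny numbered 110: the allow at 100 matches first and the block is ineffective."""
    misordered = [Rule(110, 'tcp', (22, 22), BLOCKED_HOST + '/32', 'deny'), INBOUND[1]]
    return evaluate(misordered, SSH_FROM_BLOCKED)


def reply_without_ephemeral_rule():
    """Stateless: allowing SSH inbound says nothing about the reply going out."""
    return evaluate(OUTBOUND_NO_EPHEMERAL, SSH_REPLY)


def reply_with_ephemeral_rule():
    return evaluate(OUTBOUND, SSH_REPLY)


if __name__ == '__main__':
    for fn in (default_allows_everything, ssh_from_trusted, deny_before_allow,
               deny_after_allow, reply_without_ephemeral_rule, reply_with_ephemeral_rule):
        print(f'{fn.__name__:30s} {fn()}')
```

Run it and compare `deny_before_allow` with `deny_after_allow`: the same deny rule either blocks the host or is never reached, purely because of its number. The two `reply_*` functions show the stateless point from card 23 in isolation: the inbound allow succeeds, but the instance's reply to port 51234 is dropped by the '*' rule until an outbound rule covers the ephemeral range.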

25
Q

A NAT is used to...

A

...give EC2 instances in private subnets outbound access to the internet (updates, package downloads) without exposing them to inbound connections from the internet

26
Q

A Bastion is used to...

A

...securely administer EC2 instances in private subnets over SSH or RDP; it is the only host exposed to the internet for that purpose

27
Q

If you want resiliency...

A

...always have 2 public subnets and 2 private subnets. Make sure each pair is in different AZs

28
Q

With ELBs, make sure...

A

...internet-facing ELBs are in 2 public subnets in 2 different AZs

29
Q

With Bastion hosts...

A

...put them behind an Auto Scaling group with a minimum size of 2. Use Route 53 (round robin or health checks) to fail over automatically

30
Q

To make NAT instances resilient...

A

...you need one in each public subnet, each with its own Elastic IP, and a script that repoints the private subnets' routes when one fails. Instead, where possible, use NAT gateways