VPC Summary Flashcards
Think of VPC as…
…a logical datacenter in AWS
1 Subnet =
1 AZ
Security Groups are…
…stateful
Network ACLs are…
…stateless
Can you peer VPCs in the same account?
Yes
Can you peer VPCs in different accounts?
Yes
Transitive peering?
No
When creating a NAT instance…
…disable Source/Destination Check on the instance
NAT instances must be in which subnet?
Public
For NAT instance to work…
…it must have an Elastic IP address, and there must be a route out of the private subnet to the NAT instance
How much traffic do NAT instances support?
Depends on the instance size. If bottlenecking, increase the instance size.
You can create high availability using…
…AutoScaling Groups, multiple subnets in different AZs, a script to automate failover
T/F: NAT Instances are behind a security group.
True
What are the key features of NAT Gateways?
- Scale automatically up to 10 Gbps.
- No need to patch.
- Not associated with security groups.
- Automatically assigned a public IP.
- Do not need to disable source/dest check.
Default NACL…
…automatically created with a VPC and by default it allows all inbound and outbound traffic
Custom NACL…
…denies all inbound and outbound traffic until you add rules
T/F: Each subnet in your VPC must be associated with a Network ACL
True
If you don’t explicitly associate a subnet with a network ACL…
…the subnet is automatically associated w/ default network ACL
Can you associate a Network ACL with multiple subnets?
Yes, but a subnet can only be associated with one NACL at a time.
When you associate a network ACL with a subnet…
…the previous association is removed
NACL rules…
…evaluated in order, starting with the lowest numbered rule
NACL inbound and outbound rules are…
…separate. Each rule can either allow or deny traffic
NACLs are stateless, so…
…responses to allowed inbound traffic are subject to the rules of outbound traffic (and vice versa)
Block IP addresses using…
…NACLs not Security Groups
A NAT is used to…
…provide internet traffic to EC2 instances in private subnets
A Bastion is used to…
…securely administer EC2 instances in private subnets using SSH or RDP (Remote Desktop Protocol)
If you want resiliency…
…always have 2 public subnets and 2 private subnets. Make sure the subnets are in different AZs
With ELBs, make sure…
…they are in 2 public subnets in 2 different AZs
With Bastion hosts…
…put them behind an autoscaling group w/ a minimum size of 2. Use Route53 (round robin or health check) to automatically fail over
To make NAT instances resilient…
…you need one in each public subnet, each with its own public IP, and a script to fail over between the two. Instead, where possible, use NAT Gateways
What AWS service is used to create accelerators to improve availability and performance of your applications for local and global users?
Global Accelerator
___ ___ directs traffic to optimal endpoints over the AWS global network. This improves the availability and performance of your internet applications that are used by a global audience.
Global Accelerator
By default, Global Accelerator provides you with ___ static IP addresses that you associate with your accelerator.
2
Alternatively, you can bring your own.
T/F: Each Global Accelerator contains 1 or more listeners.
True
What is a network zone?
Similar to an AZ, a network zone is an isolated unit with its own set of physical infrastructure
A Global Accelerator ____ processes inbound connections from clients to Global Accelerator, based on the port (or port range) and protocol that you configure.
Listener
Global Accelerator supports which ports? TCP, UDP, or both?
Both TCP and UDP
Traffic ____ help you control traffic in Global Accelerator.
Dials
What is a “NAT Instance”?
A NAT (Network Address Translation) instance is, like a Bastion host, an EC2 instance that lives in your Public Subnet. A NAT instance, however, allows your Private instances outgoing connectivity to the internet while at the same time blocking inbound traffic from the internet.