VPC Summary Flashcards

1
Q

Think of VPC as…

A

…a logical datacenter in AWS

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

1 Subnet =

A

1 AZ

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Security Groups are…

A

…stateful

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Network ACLs are…

A

…stateless

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Can you peer VPCs in same account?

A

Yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Can you peer VPCs in different accounts?

A

Yes

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Transitive peering?

A

No

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

When creating a NAT instance…

A

…disable Source/Destination Check on the instance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

NAT instances must be in which subnet?

A

Public

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

For NAT instance to work…

A

…must have elastic IP address, must be a route out of the private subnet to the NAT instance

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

How much traffic do NAT instances support?

A

Depends on the instance size. If bottlenecking, increase the instance size.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

You can create high availability using…

A

…AutoScaling Groups, multiple subnets in different AZs, a script to automate failover

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

T/F: NAT Instances are behind a security group.

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What are the key features of NAT Gateways?

A
  1. Scale automatically up to 10 Gbps.
  2. No need to patch.
  3. Not associated with security groups.
  4. Automatically assigned a public IP.
  5. Do not need to disable source/dest check.
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

Default NACL…

A

…automatically created with a VPC and by default it allows all inbound and outbound traffic

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Custom NACL…

A

…denies all inbound and outbound traffic until you add rules

17
Q

T/F: Each subnet in your VPC must be associated with a Network ACL

A

True

18
Q

If you don’t explicitly associate a subnet with a network ACL…

A

…the subnet is automatically associated w/ default network ACL

19
Q

Can you associate a Network ACL with multiple subnets?

A

Yes, but a subnet can only be associated with one NACL at a time.

20
Q

When you associate a network ACL with a subnet…

A

…the previous association is removed

21
Q

NACL rules…

A

…evaluated in order, starting with the lowest numbered rule

22
Q

NACL inbound and outbound rules are…

A

…separate. Each rule can either allow or deny traffic

23
Q

NACLs are stateless, so…

A

…responses to allowed inbound traffic are subject to the rules of outbound traffic (and vice versa)

24
Q

Block IP addresses using…

A

…NACLs not Security Groups

25
Q

A NAT is used to…

A

…provide internet traffic to EC2 instances in private subnets

26
Q

A Bastion is used to…

A

…securely administer EC2 instances using SSH or RDP (Remote Desktop Protocal) in private subnets

27
Q

If you want resiliency…

A

…always have 2 public subnets and 2 private subnets. Make sure each subnet is in different AZs

28
Q

With ELBs, make sure…

A

…they are in 2 public subnets in 2 different AZs

29
Q

With Bastion hosts…

A

…put them behind an autoscaling group w/ a minimum size of 2. Use Route53 (round robin or health check) to automatically fail over

30
Q

To make NAT instances resilient…

A

…need one in each public subnet, each with their own public IP, and you need to write a script to fail between the two. Instead, where possible, use NAT gateways

31
Q

What AWS service is used to create accelerators to improve availability and performance of your applications for local and global users?

A

Global Accelerator

32
Q

___ ___ directs traffic to optimal endpoints over the aws global network. this improves the availability and performance of your internet applications that are used by a global audience.

A

global accelerator

33
Q

By default Global Accelerator provides you with ___ static IP addresses that you associate with your accelerator?

A

2

Alternatively, you can bring your own.

34
Q

t or f

each global accelerator contains 1 or more listeners

A

t

35
Q

what is a network zone?

A

similar to an AZ, a network zone is an isolated unit with its own set of physical infrastructure

36
Q

a global accelerator ____ processes inbound connections from clients to global accelerator, based on teh port (or port range) an protocol that you configure.

A

listener

37
Q

Global Acelerator supports which ports? TCP, UDP, or Both?

A

Both TCP and UDP

38
Q

Traffic ____ help you control traffic in Global Accelerator.

A

Dials

39
Q

What is a “NAT Instance”?

A

A NAT (Network Address Translation) instance is, like a Bastion host, an EC2 instance that lives in your Public Subnet. A NAT instance, however, allows your Private instances outgoing connectivity to the internet while at the same time blocking inbound traffic from the internet.