VPC: Virtual Private Cloud

Question 1

Can VPCs owned by the same AWS account talk to each other be default?

Answer 1

No. VPCs are isolated by default. They must be configured to talk to other resources, such as other VPCs.

Question 2

What is a Virtual Private Cloud (VPC)?

Answer 2

A virtual network inside AWS.

Question 3

Are VPCs global, Region, or AZ services?

Answer 3

Region

Question 4

What is the default access setting for a Custom VPC?

Answer 4

Private and isolated. Nothing can communicate with a Custom VPC unless you configure the VPC to allow it.

Question 5

How many Default VPCs are allowed per Region?

Answer 5

One.

Question 6

What is the default VPC CIDR for the Default VPC?

Answer 6

172.31.0.0/16

Question 7

Where are VPC subnets located?

Answer 7

In Availability Zones.

Question 8

How many subnets does the default VPC have and where are they located?

Answer 8

The Default VPC for a Region has one subnet in each AZ in the Region.

Question 9

How resilient are subnets?

Answer 9

Subnets are AZ resilient.

Question 10

Can the Default VPC be deleted?

Answer 10

Yes.

Question 11

Can the VPC CIDR of the Default VPC be changed?

Answer 11

No. It is always 172.31.0.0/16 and cannot be changed.

Question 12

How large are the subnets in the Default VPC?

Answer 12

/20 which is 4096 IP addresses.

Question 13

What type of IP addresses do resources that are deployed into the Default VPC receive automatically?

Answer 13

Public IPv4 addresses.

Question 14

What are the minimum and maximum sizes of a VPC inside AWS?

Answer 14

The minimum is /28 which is 16 IP addresses.

The maximum is /16 which is 65535 IP addresses.

Question 15

How resilient is a VPC?

Answer 15

VPCs are Region resilient.

Question 16

What is dedicated tenancy for a VPC?

Answer 16

All resources created inside the VPC have to be on dedicated hardware.

Question 17

When assigning an IPv6 CIDR block to a custom VPC, what size must the block be?

Answer 17

/56, but the block must either be assigned by AWS or you must use addresses that you own.

Question 18

What is the Route 53 DNS IP address in a VPC?

Answer 18

Base IP + 2

Question 19

What option must be set to enable DNS resolution (using the Base IP + 2 address) in a VPC?

Answer 19

enableDnsSupport

Question 20

What option must be set to give resources DNS names?

Answer 20

enableDnsHostnames

Question 21

What is the maximum number of Availability Zones that a subnet can be in?

Answer 21

One.

Question 22

Can subnet IP ranges overlap with other subnets?

Answer 22

No.

Question 23

What are the reserved IP addresses in an AWS subnet?

Answer 23

1. Network address (x.y.z.0)
2. Network + 1 address (x.y.z.1) - VPC router
3. Network + 2 address (x.y.z.2) - DNS
4. Network + 3 address (x.y.z.3) - Reserved
5. Broadcast address (x.y.z.255) - Broadcast

Question 24

How many Availability Zones does a VPC’s router run in?

Answer 24

Every AZ that the VPC uses.

Question 25

What address is used to access the VPC’s router in each subnet?

Answer 25

The Network + 1 address.

Question 26

What set of rules defines how a VPC router operates?

Answer 26

A route table.

Question 27

What notation is used to specify the default route in an AWS routing table?

Answer 27

0.0.0.0/0 for IPv4
::/0 for IPv6

Question 28

If routes in the routing table overlap, which route has a higher priority?

Answer 28

The route with the higher prefix value because it is more specific. The exception is the default local routes which always take priority and route traffic within the VPC.

Question 29

How many subnets can a route table be attached to?

Answer 29

Zero or more.

Question 30

How many route tables can a subnet have?

Answer 30

One.

Question 31

How resilient is an Internet Gateway (IGW)?

Answer 31

An IGW is Region resilient.

Question 32

How many Internet Gateways can a VPC have?

Answer 32

Zero or one.

Question 33

How many VPCs can an Internet Gateway be attached to?

Answer 33

Zero or one.

Question 34

What zone does an Internet Gateway run from within?

Answer 34

AWS Public Zone.

Question 35

When an EC2 instance inside a VPC has a public IPv4 address, where is that IPv4 address configured?

Answer 35

On the Internet Gateway. It is not actually configured on the instance itself. The IGW maps the public IPv4 address to the instance’s private IPv4 address and forwards packets appropriately. EC2 instances never have knowledge of their public IPv4 address.

Question 36

What is a Bastion Host / Jumpbox?

Answer 36

An EC2 instance in a public subnet that allows for incoming connections. It provides access to internal VPC resources and serves as the only ingress to the VPC.

Question 37

For a stateless firewall, how many rules are needed to govern a typical TCP connection?

Answer 37

Two. One rule for the outbound traffic and one for the inbound traffic. Because the firewall is stateless, it does not understand that the inbound and outbound traffic flows are part of the same request/response connection pair.

Question 38

When using stateless firewalls, what security risks are exposed because of the use of ephemeral ports?

Answer 38

Client devices use of ephemeral ports means that the firewall must allow traffic on the entire range of ephemeral ports.

Question 39

How do stateful firewalls lower admin overhead?

Answer 39

Correlating requests and responses reduces the number of firewall rules required to allow connections.

Question 40

What types of connections do Network Access Control Lists (NACL) govern?

Answer 40

NACLs govern traffic entering or leaving a subnet. Connection within a subnet are not governed by NACLs.

Question 41

How many rule types do NACLs have?

Answer 41

Two. Inbound and outbound rules.

Question 42

Are NACLs stateful or stateless?

Answer 42

Stateless.

Question 43

What type of actions do NACLs enable?

Answer 43

Explicit allow or explicit deny.

Question 44

How are NACL rules processed?

Answer 44

Starting at the lowest rule number until there is a match.

Question 45

What network security control mechanism should you use to explicitly deny traffic from known bad actors or bad IPs?

Answer 45

NACLs

Question 46

Are Security Groups stateful or stateless?

Answer 46

Stateful.

Question 47

Do Security Groups allow explicit DENY, implicit DENY, or both?

Answer 47

Implicit DENY only. Security Groups CANNOT explicitly DENY traffic.

Question 48

What can Security Groups be attached to?

Answer 48

IP, CIDRs, and the Elastic Network Interface (ENI) of AWS Resources.

Question 49

What does a Security Group reference apply to?

Answer 49

An SG reference applies to anything to which the SG is attached. This allows you to scale resources inside the security group without creating more rules.

Question 50

Can a Security Group reference itself?

Answer 50

Yes. This allows traffic between all resources that have the SG attached to them.

Question 51

What functionality does a NAT Gateway provide?

Answer 51

A NAT Gateway provides ranges of IP address that are not publicly routable with outgoing Internet and AWS Public Zone access. This is done using IP Masquerading.

Question 52

Where is a NAT Gateway deployed?

Answer 52

In a public subnet of a VPC.

Question 53

In a typical NAT Gateway deployment, where do the default routes for the private and public subnets point?

Answer 53

The default route for the private subnet points at the NAT Gateway.

The default route for the public subnet points at an Internet Gateway.

Question 54

How resilient is a NAT Gateway?

Answer 54

A NAT Gateway is AZ resilient.

Question 55

How much bandwidth does a NAT Gateway provide?

Answer 55

Up to 45 Gbps.

Question 56

How are NAT Gateways charged?

Answer 56

1. An hourly rate (full hours only)
2. Gb of data processed rate

Question 57

To enable maximum availability of NAT Gateway in a VPC, how many NAT Gateways must be deployed?

Answer 57

One in each Availability Zone that is being used.

Question 58

Does NAT Gateway work with IPv6?

Answer 58

No. All IPv6 addresses are publicly routable, so Internet Gateway works with IPv6 without needing a NAT Gateway.

Question 59

What data do VPC Flow Logs capture?

Answer 59

Metadata only. They do not capture packet contents.

Question 60

Are VPC Flow Logs realtime?

Answer 60

No. There is a delay between when traffic is observed and when data shows up in the log destination.

Question 61

What type of connections can Flow Logs capture metadata on?

Answer 61

ACCEPTED connections, REJECTED connections, or both.

Question 62

What does an Egress-Only Internet Gateway provide?

Answer 62

Outbound-Only Internet access for IPv6. IPv4 is handled by a NAT Gateway.

Question 63

How many Egress-Only Internet Gateways can you have?

Answer 63

Up to one for each VPC in a Region.

Question 64

What do Gateway Endpoints provide?

Answer 64

Access to services in the AWS Public Zone (specifically, S3 and DynamoDB) from private resources without implementing typical Internet-access infrastructure. This allows you to grant access to S3 and DynamoDB without also providing general Internet access to the private resources.

Question 65

How resilient is a Gateway Endpoint?

Answer 65

A Gateway Endpoint is Region resilient.

Question 66

How do you control the specific accesses (e.g., specific S3 buckets) that a Gateway Endpoint can provide access to?

Answer 66

By creating an Endpoint Policy.

Question 67

How do you implement cross-region access with Gateway Endpoints?

Answer 67

You can’t. They aren’t cross-region.

Question 68

What does an Interface Endpoint provide?

Answer 68

Access to services in the AWS Public Zone other than DynamoDB (S3 is now supported) from private resources without implementing typical Internet-access infrastructure. This allows you to grant access to DynamoDB without also providing general Internet access to the private resources.

Question 69

How resilient are Interface Endpoints?

Answer 69

They are AZ resilient.

Question 70

How is network access controlled with Interface Endpoints?

Answer 70

By using Security Groups. Gateway Endpoints do not work with Security Groups.

Question 71

What network protocols are supported by Interface Endpoints?

Answer 71

TCP and IPv4 only.

Question 72

How does an Interface Endpoint inject public services into the VPC?

Answer 72

By using PrivateLink.

Question 73

How do Gateway Endpoints and Interface Endpoints differ in implementation?

Answer 73

Gateway Endpoints automatically add prefixes to the VPC Router’s route table to route traffic to the specified public services.

Interface Endpoints inject an Elastic Network Interface into a subnet for each public service that you are trying to access. They use DNS to resolve to the IP address of the Interface Endpoint in the subnet.

Question 74

What does VPC Peering do?

Answer 74

It creates a direct, encrypted network link between exactly two VPCs.

Question 75

What is the maximum number of VPCs that can be connected by VPC Peering?

Answer 75

Two.

Question 76

Does VPC Peering support cross-region and cross-account peering?

Answer 76

Yes.

Question 77

What Security Group capability is available when using VPC Peering?

Answer 77

In the same Region, Security Groups can reference Security Groups in the peer VPC.

Question 78

How do you implement transitive peering with VPC Peering?

Answer 78

You can’t. You have to peer each pair of VPCs directly.

Question 79

After peering two VPCs, what addition steps are needed to ensure traffic flows correctly?

Answer 79

Routing configuration, Security Group configuration, and Network Access List configuration.

Question 80

What limitations are there for VPC CIDRs with regards to VPC peering.

Answer 80

VPC Peering connections cannot be created when there is overlap in the VPC CIDRs.