VPC - Virtual Private Cloud

Question 1

What is VPC?

Answer 1

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define

Question 2

What is an Internet Gateway?

Answer 2

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet

Question 3

What represents also an Internet Gateway for the instances that have a public IPv4?

Answer 3

a NAT

Question 4

Does Internet Gateways guarantee on their own to access internet?

Answer 4

no, you must also edit Route tables, for Egress Only as well

Question 5

What are Route Tables?

Answer 5

A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed

Question 6

What is a NAT Instance?

Answer 6

Use a NAT instance in a public VPC subnet to enable outbound internet traffic from instances in a private subnet. (OLD WAY, deprecated)

Question 7

What is a NAT Gateway?

Answer 7

NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). Previously, you needed to launch a NAT instance to enable NAT for instances in a private subnet

Question 8

What is NACL?

Answer 8

A network access control list (ACL) is an optional layer of security for your VPC that acts as a stateless firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

Question 9

What is default NACL default behavior

Answer 9

allows everything inbound and ourbound

Question 10

What is the relation cardinality between subnets and NACLs?

Answer 10

1 to 1, new Subnets are assigned the Default NACL

Question 11

What are the characteristics of NACLs?

Answer 11

• Rules have a number (1-32766) and higher precedence with a lower number
• E.g. If you define #100 ALLOW and #200 DENY , IP will be allowed
• Last rule is an asterisk (*) and denies a request in case of no rule match
• AWS recommends adding rules by increment of 100

Question 12

What is new NACLs default behavior

Answer 12

deny everything

Question 13

What is VPC peering?

Answer 13

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6

Question 14

How do instances communicate on VPC peering?

Answer 14

Instances in either VPC can communicate with each other as if they are within the same network

Question 15

What must not have VPCs involved in VPC peering?

Answer 15

overlaping CIDR

Question 16

Is VPC peering transitive?

Answer 16

VPC Peering connection is not transitive (must be established for each VPC that need to
communicate with one another)

Question 17

Can you do VPC peering with another AWS account or inter-region?

Answer 17

yes to all

Question 18

What you must do in order to ensure instances can communicate in VPC peering?

Answer 18

you must update route tables in each VPC’s subnet

Question 19

What is a VPC endpoint?

Answer 19

Use a VPC endpoint to privately connect your VPC to other AWS services and endpoint services.

Question 20

What are the types of VPC endpoints?

Answer 20

interface and gateway

Question 21

What is a VPC Interface Endpoint?

Answer 21

is an elastic network interface (ENI) with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service (most of services). Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access services by using private IP addresses

Question 22

What is a VPC Gateway Endpoint?

Answer 22

is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. The following AWS services are supported:
Amazon S3
DynamoDB

Question 23

What you must check in case of issues with you VPC endpoint?

Answer 23

• Check DNS Setting Resolution in your VPC

* Check Route Tables

Question 24

What is VPC Flow Logs?

Answer 24

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC

Question 25

Of what can you create a VPC Flow Log?

Answer 25

• VPC Flow Logs
• Subnet Flow Logs
• Elastic Network Interface Flow Logs

Question 26

Where can Flow Logs go to?

Answer 26

S3 / CloudWatch Logs

Question 27

What helps you with Flow Logs?

Answer 27

Helps to monitor & troubleshoot connectivity issues

Question 28

What can you use to see better VPC Flow logs?

Answer 28

Athena on S3 or CloudWatch Logs Insights

Question 29

What are the components to connect Site to Site VPN between a VPC and a corporate data center?

Answer 29

Create a customer gateway on the Corporate DC
Provision the VPC with a VPN gateway
Connect both using a Site to Site VPN connection

Question 30

What is Direct Connect (DX)?

Answer 30

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS

Question 31

What you need to setup when using Direct Connect (DX)?

Answer 31

You need to provision the VPC with a VPN Gateway

Question 32

If you want to setup a Direct Connect to one or more VPC in many different regions (same account), what you must use?

Answer 32

a Direct Connect Gateway

Question 33

What are the Direct Connect connection types?

Answer 33

• Dedicated Connections

- Hosted Connections

Question 34

What are Direct Connect lead times?

Answer 34

often larger than 1 month to establish a new connection

Question 35

How is Direct Connect data encrypted?

Answer 35

Data in transit is not encrypted but is private

Question 36

What is good to use for networking costs saving

Answer 36

• Use Private IP instead of Public IP for good savings and better network performance
• Use same AZ for maximum savings (at the cost of
high availability)

Question 37

How are Site to Site VPN and Direct Connect (DX) connections?

Answer 37

VPN: Goes over the public internet
DX: Goes over a private network