VPC - Virtual Private Cloud Flashcards
What is VPC?
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define
What is an Internet Gateway?
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet
What also acts as an Internet Gateway for instances that have a public IPv4 address?
a NAT
Do Internet Gateways on their own guarantee internet access?
No, you must also edit the route tables; this applies to Egress-Only Internet Gateways as well
What are Route Tables?
A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed
What is a NAT Instance?
Use a NAT instance in a public VPC subnet to enable outbound internet traffic from instances in a private subnet. (OLD WAY, deprecated)
What is a NAT Gateway?
NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). Previously, you needed to launch a NAT instance to enable NAT for instances in a private subnet
What is NACL?
A network access control list (ACL) is an optional layer of security for your VPC that acts as a stateless firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
What is the default NACL's default behavior?
allows everything inbound and outbound
What is the cardinality of the relation between subnets and NACLs?
1 to 1; new subnets are assigned the default NACL
What are the characteristics of NACLs?
- Rules have a number (1-32766); a lower number means higher precedence
- E.g. if you define #100 ALLOW and #200 DENY for the same IP, the IP will be allowed
- The last rule is an asterisk (*) and denies a request when no rule matches
- AWS recommends adding rules in increments of 100
What is a new NACL's default behavior?
deny everything
What is VPC peering?
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6
How do instances communicate on VPC peering?
Instances in either VPC can communicate with each other as if they are within the same network
What must VPCs involved in VPC peering not have?
overlapping CIDR ranges
Is VPC peering transitive?
A VPC peering connection is not transitive (it must be established for each VPC that needs to communicate with another)
Can you do VPC peering with another AWS account or inter-region?
yes to both
What must you do to ensure instances can communicate over VPC peering?
you must update the route tables in each VPC's subnets
What is a VPC endpoint?
Use a VPC endpoint to privately connect your VPC to other AWS services and endpoint services.
What are the types of VPC endpoints?
interface and gateway
What is a VPC Interface Endpoint?
It is an elastic network interface (ENI) with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service (most services). Interface endpoints are powered by AWS PrivateLink, a technology that enables you to privately access services by using private IP addresses
What is a VPC Gateway Endpoint?
It is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. The following AWS services are supported:
- Amazon S3
- DynamoDB
What must you check in case of issues with your VPC endpoint?
- Check the DNS resolution settings in your VPC
- Check the route tables
What is VPC Flow Logs?
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC
At which levels can you create a VPC Flow Log?
- VPC Flow Logs
- Subnet Flow Logs
- Elastic Network Interface Flow Logs
Where can Flow Logs be sent?
S3 / CloudWatch Logs
What do Flow Logs help you with?
They help to monitor & troubleshoot connectivity issues
What can you use to analyze VPC Flow Logs?
Athena on S3 or CloudWatch Logs Insights
What are the components to connect Site to Site VPN between a VPC and a corporate data center?
- Create a customer gateway on the corporate DC
- Provision the VPC with a VPN gateway
- Connect both using a Site to Site VPN connection
What is Direct Connect (DX)?
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS
What do you need to set up when using Direct Connect (DX)?
You need to provision the VPC with a VPN Gateway
If you want to set up Direct Connect to one or more VPCs in many different regions (same account), what must you use?
a Direct Connect Gateway
What are the Direct Connect connection types?
- Dedicated Connections
- Hosted Connections
What are Direct Connect lead times?
Often more than 1 month to establish a new connection
How is Direct Connect data encrypted?
Data in transit is not encrypted but is private
What is good to use for saving on networking costs?
- Use Private IP instead of Public IP for good savings and better network performance
- Use the same AZ for maximum savings (at the cost of high availability)
How do Site to Site VPN and Direct Connect (DX) connections travel?
VPN: Goes over the public internet
DX: Goes over a private network