VPCs

Question 1

VPC

Answer 1

virtual data center in the cloud

1 subnet = 1 AZ

Question 2

Largest subnet you can use in your VPC

Answer 2

10.0.0.0/16

65,526 addresses

Question 3

VPC features

Answer 3

launch instances in a subnet of our choosing
assign custom IP address ranges
configure route tables between subnets
create internet gateway and attach to our VPC
NACLs
instance security groups

Question 4

Default vs custom vpc

Answer 4

default: user friendly; allows immediate deployment of instances

Question 5

VPC peering

Answer 5

connects 2 VPCs via a direct network route using private IP addresses
Instances behave as if they were on the same private network
can peer across regions
Does not support transitive peering

Question 6

security groups vs NACLs

Answer 6

security groups: stateful
NACLs: stateless
need to add individual allow and deny lists

Question 7

What gets created by default when you create a VPC

Answer 7

route table
NACLs
security group

Question 8

Route table best practice

Answer 8

Keep primary route table private

Question 9

VPC security groups

Answer 9

security groups cannot span multiple VPCs

Question 10

NAT instance vs NAT gateway

Answer 10

NAT instance - invidiual instance

NAT gateway - highly available way to provide internet access to private subnets w/out becoming public

Question 11

NAT gateways HA/DR

Answer 11

redundant inside an AZ

cannot span multiple AZs

Question 12

NAT gateway security groups

Answer 12

Not associated with security groups

Question 13

NAT gateway config info

Answer 13

no need to patch
need to update route tables
automatically assigned a public ip addr
no need to disable source/dest checks
create a nat gateway in each availability zone

Question 14

NACLs and Security Group order of operations

Answer 14

NACLs resolved before security groups

NACL rules resolved in order of rule #, stopping on match

Question 15

ACL and subnet associations

Answer 15

ACL - can have many subnets

subnet - can only have one ACL

Question 16

Load balancer config

Answer 16

need at least 2 public subnets

Question 17

VPC flow log levels

Answer 17

vpc
subnet
network interface level

Question 18

VPC flow log config

Answer 18

cannot change VPC config after it’s created
cannot associate a different IAM role w/ flow log
can tag flow logs

Question 19

Bastion host - definition

Answer 19

special purpose computer designed and configured to withstand attacks

Either outside of firewall or in DMZ

helps reduce attack surface by removing need to harden devices behind it

used to securely administer EC2 instances

AKA jump box

Question 20

Direct Connect

Answer 20

service solution used to establish a dedicated network connection from on-prem to AWS

reduces network costs
increases bandwidth
stable and reliable secure connection

Question 21

global accelerator

Answer 21

improves availability and performance of apps

directs traffic to optimal endpoints over AWS

by default provides two default IP addresses
-customer can bring their own

Question 22

global accelerator components

Answer 22

static ip addresses
accelerator
dns name
network zone
listener
endpoint group
endpoint

Question 23

global accelerator network zone

Answer 23

services the static ip addresses
similar to an AZ
each zone is isolated within it’s own physical infrastructure

Question 24

global accelerator listener

Answer 24

processes inbound connections from clients to global accelerator based on configured port and protocol

listeners forward traffic to endpoints in attached/associated endpoint groups

endpoint groups associated to listeners by region

Question 25

global accelerator endpoint group

Answer 25

associated w/ specific aws regions

can specify percentage of traffic directed to each endpoint group

Question 26

global accelerator endpoints

Answer 26

NLB, ALB, EC2 instances, Elastic IP addresses

can have weights to specify proportion of traffic received by endpoint

Question 27

VPC endpoint

Answer 27

virtual device that allow communication between instances in your VPC and services

allows you to privately connect to VPC w/out requiring an internet gateway, NAT device, VPN, or DirectConnect

Question 28

VPC endpoint types

Answer 28

interface endpoint

gateway endpoint

Question 29

interface endpoint

Answer 29

network interface w/ private IP addresses that serve as an entry point for traffic to a supported service

Question 30

supported gateway endpoint services

Answer 30

amazon s3

dynamo db

Question 31

gateway endpoint

Answer 31

similar to NAT gateways

Question 32

PrivateLink

Answer 32

Open services in a VPC to other VPCs

Only requires an NLB on the service VPC and an ENI on the client VPC

Question 33

Transit Gateway

Answer 33

A way to simplify your network topology

Provides transitive peering between many VPCs and on-prem data centers

can be used across multiple AWS accounts via RAM

can use route tables

supports IP multicast

Question 34

VPN Cloudhub

Answer 34

Allows users to connect into a virtual private gateway via VPN

The vpg provides access to VPC subnets

good when there are multiple sites w/ their own VPN connection

Question 35

Network Costs

Answer 35

Free
-instances w/in same AZ

Not free

• instances in different AZs via private IP
• – more if traffic needs to go over public IP
• instances in different regions

Question 36

IP traffic that is not monitored/logged

Answer 36

DNS traffic to Amazon DNS server

Traffic to Amazon Windows license activation

Traffic to/from 169.254.169.254

DHCP traffic

traffic to reserved IPs for reverse IP routing

Question 37

Direct Connect setup steps

Answer 37

Create virtual interface in Direct Connect console

Create a customer gateway

Create a virtual private gateway

attache virtual private gateway to desired VPC

create a new vpn connection

select the virtual private gateway and the customer gateway

set up vpn on customer gateway or firewall

Question 38

Max number of VPCS per account per region

Answer 38

5

Question 39

max internet gateways per VPC

Answer 39

1