VPCs

Question 1

From a resilience perspective, what is the difference between a NAT instance and a NAT gateway?

Answer 1

A NAT instance are individual EC2 instances, NAT Gateways are highly available and spread over multiple AZs

Question 2

What do NAT instances and NAT gateways allow?

Answer 2

NAT instances and NAT gateways allow your private subnets to access the internet.

Question 3

What is a VPC?

Answer 3

Virtual Private Cloud (VPC) is a logically isolated section of AWS where you can launch resources in your own virtual network.

Question 4

What is a Bastion or jump box used for?

Answer 4

A Bastion is an instance in a public subnet that allows you to ssh to an instance in your private subnet.

Question 5

What is VPC peering?

Answer 5

VPC peering is the connection of one VPC to another via a direct network route.

VPC peering means that instances behave as if they were on the same private network

Question 6

Can VPC peering occur between regions?

Answer 6

Yes you can peer VPCs between regions

Question 7

Can subnets in a VPC span availability zones?

Answer 7

No subnets cannot span availability zones.

1 subnet = 1 availability zone

Question 8

How do you enable an instance in your private subnet to access the internet using a NAT Gateway?

Answer 8

You use a route table update to link your private subnet to the NAT Gateway which has access out to the internet

Question 9

By default, does a new NACL deny or allow all traffic?

Answer 9

By default a new NACL denies all traffic

Question 10

Are NAT Gateways or Instances resilient?

Answer 10

NAT Gateways are resilient.

NAT Instances are single EC2 instances with specially configured routing tables. They can also become overwhelmed if they are dealing with the traffic for thousands of other EC2 instances

Question 11

On what does the amount of traffic that a NAT instance can support depend?

Answer 11

The size of the instance determines the amount of traffic that a NAT instance can support

Question 12

Where is a NAT instance in relation to a security group?

Answer 12

A NAT instance will be behind a security group

Question 13

Do you need to patch NAT instances and NAT gateways?

Answer 13

You need to patch NAT instances but not NAT gateways

Question 14

Are NAT gateways redundant?

Answer 14

NAT gateways are redundant inside an AZ.

However if you have instances in multiple AZs and they share one NAT instance in a single AZ, then an outage in that AZ will mean no internet connectivity. You should use a NAT gateway in each AZ.

Question 15

When creating a new VPC does the default network ACL allow or deny all outbound and inbound traffic?

Answer 15

A default NACL automatically allows all outbound and inbound traffic.

Question 16

Do custom NACLS by default allow or deny all inbound and outbound traffic?

Answer 16

By default, all custom NACLS deny all inbound and outbound traffic

Question 17

What is the flow of traffic when using Global Accelerator?

Answer 17

Traffic from the user client > Edge Location > Global Accelerator > Endpoint Group > Endpoint

Question 18

Do you have to associate a subnet with a NACL?

Answer 18

Yes all subnets need to be associated with a NACL. If you don’t assign a NACL, then the default NACL gets associated.

Question 19

Do you block IP addresses with NACLs or Security Groups?

Answer 19

You block IP addresses with NACLs and not Security Groups

Question 20

What is the link between NACLs and Subnets?

Answer 20

You can associate a NACL with multiple subnets, but each subnet can only be associated with one NACL at any time.

Question 21

Do NACLs or Security Groups have a numbered list of rules that is evaluated in number order?

Answer 21

NACLs have a numbered list of rules that is evaluated in number order

Question 22

What are VPC Flow Logs?

Answer 22

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network instances in your VPC.

Question 23

How is VPC Flow Log data stored?

Answer 23

VPC Flow Log data is stored using CloudWatch.

Question 24

At what levels can VPC Flow Logs be created?

Answer 24

VPC Flow Logs can be created at VPC, Subnet and Network Interface levels.

Question 25

Can you enable VPC Flow Logs for peered VPCs?

Answer 25

You can only enable VPC Flow Logs for peered VPCs if they are in your account.

Question 26

Can you change the configuration of a VPC Flow Log once created?

Answer 26

No you cannot changed the configuration of a VPC Flow Log once created.

Question 27

What IP traffic is not monitored by VPC Flow logs?

Answer 27

Traffic not monitored by VPC Flow Logs includes:

• Any traffic to AWS DNS servers
• Any Windows traffic for licence activation
• Traffic to and from 169.254.169.254 for instance metadata
• DHCP traffic
• Traffic to the reserved IP address for the default VPC router

Question 28

What is a Bastion Host?

Answer 28

A Bastion Host is a specially hardened computer on a network designed and configured to withstand attacks.

It generally contains minimal applications or services and is generally used in order to connect to instances in a private subnet from a public subnet.

Question 29

What is the difference between Bastions and NAT Gateways / NAT Instances?

Answer 29

Bastions are used to securely administer EC2 instances in private subnets. NAT Gateways / Instances are used to enable internet access to EC2 instances in a private subnet.

Question 30

What is Direct Connect?

Answer 30

AWS Direct Connect establishes a dedicated network connection from your premises to AWS without traversing the internet.

Question 31

When would you use Direct Connect?

Answer 31

You would use Direct Connect for high throughput workloads and to provide a stable, reliable and secure connection.

Question 32

What is Global Accelerator?

Answer 32

Global Accelerator directs traffic to optimal endpoints over the AWS Global network to optimise performance and availability.

Rather than hopping across multiple networks, Global Accelerator allows you to leverage the AWS Network directly.

Question 33

What are the components of Global Accelerator?

Answer 33

The Global Accelerator components are:

• 2 Static IP addresses to associate with your accelerator
• Accelerator
• DNS Name
• Network Zone
• Listener
• Endpoint Group
• Endpoint

Question 34

What is a Listener?

Answer 34

A Listener processes inbound connections from clients to Global Accelerator based on port range and protocol that you configure.

You tell a listener on what port numbers you want to listen

Question 35

What AWS services can endpoints be?

Answer 35

Endpoints can be:

• Network Load Balancers
• Application Load Balancers
• EC2 instances
• Elastic IP addresses

Question 36

What is a VPC Endpoint?

Answer 36

A VPC Endpoint enables you to connect your VPC to supported AWS services without needing an Internet Gateway, NAT device or VPN connection.

Question 37

What are the two types of VPC Endpoint?

Answer 37

Interface and Gateway Endpoints are the two types of VPC Endpoint.

Question 38

What services do Gateway Endpoints currently support?

Answer 38

Gateway Endpoints currently support S3 and DynamoDB.

Question 39

What is an Interface Endpoint?

Answer 39

An interface endpoint is an elastic network interface (ENI) with a private IP address that serves as an entry point for traffic destined to a supporting AWS service.

Question 40

What is AWS PrivateLink?

Answer 40

AWS PrivateLink is a way to expose an application in your VPC to tens, hundreds or thousands of customer VPCs

Question 41

What is required to enable PrivateLink?

Answer 41

PrivateLink requires a Network Load Balancer on the Service VPC and an ENI on the customer VPC.

Question 42

What is not required to enable PrivateLink?

Answer 42

PrivateLink does not require any VPC peering, route tables, NAT or IGWs.

Question 43

What does AWS Transit Gateway enable?

Answer 43

Transit Gateway allows you to have transitive peering between thousands of VPCs and on-premise data centres in a hub/spoke model.

Question 44

What is VPN CloudHub?

Answer 44

VPN CloudHub is a means to connect together multiple sites that each have their own VPN connection.

Question 45

Does VPN CloudHub traverse the internet?

Answer 45

Yes CloudHub does traverse the internet but all traffic is encrypted.

Question 46

What are two tips to save money on Network costs?

Answer 46

In order to save money or Network costs:

• Use private IP addresses over public ones as this uses the AWS backbone network saving costs
• Group EC2 instances in the same AZ (although this will provide single point of failure issues)

Question 47

What is created when you setup a new VPC?

Answer 47

By default a Route Table, a NACL and a Default Security Group are created when you setup a VPC.

No subnets or IGWs will be created

Question 48

How many IGWs can you connect to your VPC?

Answer 48

You can only connect one IGW to your VPC

Question 49

What should you do if your NAT instance is proving to be a bottleneck?

Answer 49

If your NAT instance is a bottleneck then you should increase the instance size

Question 50

What do autoscaling groups provide?

Answer 50

Autoscaling groups provide high availability

Question 51

What are the different levels on which NACLs and Security Groups operate?

Answer 51

NACLs operate on the subnet level whereas Security Groups operate on the instance level

Question 52

What is the difference when connecting to other AWS services using a NAT Gateway or a VPC Endpoint?

Answer 52

In contrast to a NAT gateway, traffic between your VPC and other services do not leave the Amazon network when using VPC gateway endpoints.

Question 53

What is a Gateway VPC endpoint?

Answer 53

A Gateway VPC endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service (S3 and DynamoDB).

Question 54

What is the purpose of an egress-only internet gateway?

Answer 54

The purpose of an egress-only internet gateway is to allow IPv6 based traffic within a VPC to access the internet, whilst denying any internet based resources to connection back into the VPC.

Question 55

By default does a Security Group include any rules?

Answer 55

By default, a security group includes an outbound rule that allows all outbound traffic.

Question 56

What is an Elastic IP address?

Answer 56

An Elastic IP address is a public IPv4 address, which is reachable from the internet.

If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet.

Question 57

How many VPCs can you have without asking AWS for more?

Answer 57

You can have up to five Amazon VPCs per AWS account per AWS Region, but you can place a support request to increase the number.

Question 58

Does your instance retain the same public IP address when re-started?

Answer 58

AWS releases your instance’s public IP address when it is stopped, hibernated, or terminated.

Your stopped or hibernated instance receives a new public IP address when it is started.

Question 59

Can you run penetration tests own your AWS infrastructure?

Answer 59

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services only.

You should request authorization for other simulated events.

Question 60

What service should you think of if there is a question about peering tens, hundreds or thousands of VPCs?

Answer 60

For such a peering you should consider PrivateLink

Question 61

When would you use a Gateway endpoint vs an Interface endpoint?

Answer 61

• Use Gateway Endpoint if the AWS service is either DynamoDB or S3.

• Use Interface Endpoint for everything else.

Question 62

A Security group is the firewall of ???

Answer 62

A Security group is the firewall of EC2 Instances.

Question 63

A Network ACL is the firewall of ???

Answer 63

A Network ACL is the firewall of the VPC Subnets.

Question 64

Do NACLS or Security Groups need to be explicitly assigned?

Answer 64

Network ACLs are applicable at the subnet level, so any instance in the subnet with an associated NACL will follow rules of NACL. That’s not the case with security groups, security groups has to be assigned explicitly to the instance.

Question 65

Does a Security Group or a NACL support allow rules only?

Answer 65

Security group supports allow rules only (by default all rules are denied).

Network ACL supports allow and deny rules. By deny rules, you could explicitly deny a certain IP address to establish a connection.

Question 66

Does a Security Group or a NACL apply the rules in order?

Answer 66

All rules in a security group are applied whereas rules are applied in their order (the rule with the lower number gets processed first) in Network ACL.

Question 67

What is the ratio of NACLs to Subnets and Security Groups to Instances?

Answer 67

Subnet can have only one NACL, whereas Instance can have multiple Security groups.

Question 68

From the perspective of allowing internet connectivity to instances, what is the difference between Internet Gateways and NAT Gateways?

Answer 68

Internet Gateway (IGW) allows instances with public IPs to access the internet whereas NAT Gateway (NGW) allows instances with no public IPs to access the internet.

Question 69

What is the bandwidth limit of internet connectivity with an Internet Gateway?

Answer 69

The only limitation on bandwidth is the size of the Amazon EC2 instance, and it applies to all traffic — internal to the VPC and out to the Internet.

Question 70

What causes a subnet to be deemed a Public Subnet?

Answer 70

A subnet is deemed to be a Public Subnet if it has a Route Table that directs traffic to the Internet Gateway.

Question 71

What are the two main differences between an Internet Gateway and a NAT Gateway?

Answer 71

1. A NAT Gateway allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, OS patch, etc).
2. A NAT Gateway only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.

Question 72

What is the bandwidth limit of internet connectivity with a NAT Gateway?

Answer 72

A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps. (a NAT Instance is limited to the bandwidth associated with the EC2 instance type).

Question 73

Based on what does Global Accelerator route traffic to optimal AWS endpoints?

Answer 73

Global Accelerator routes traffic to optimal AWS endpoints based on:

• Endpoint health
• Client locations
• User-configured weights

Question 74

What are the Global Accelerator types?

Answer 74

The 2 Global Accelerator types are:

• Standard Accelerator
• Custom-routing Accelerator

Question 75

What is the routing difference between Standard and Custom-routing Global Accelerator types?

Answer 75

Standard Accelerators automatically route traffic to a healthy endpoint nearest your user whereas Custom-routing Accelerators allow you to use your application logic to directly route to specific EC2 endpoints.

Question 76

What endpoint types does Global Accelerator support?

Answer 76

Standard Accelerators support:

• Network Load Balancers
• Application Load Balancers
• EC2
• and Elastic IPs as endpoints.

Custom-routing Accelerators support only VPC subnet endpoints

Question 77

What must you do in order to ensure that an ip can be blocked by a NACL?

Answer 77

In order to ensure that an ip is blocked you need to put the rule before the http / https ALLOW rule

Question 78

What is the ratio between NACLs and subnets?

Answer 78

A NACL can be associated with multiple subnets, but a subnet can only be associated with one NACL

Question 79

What happens if you don’t associated a subnet with a NACL?

Answer 79

If you don’t associate a subnet with a NACL then it gets associated to the default NACL

Question 80

Do you block IP addresses with Security Groups or NACLs?

Answer 80

You block specific IP addresses with NACLs

Question 81

Do NACLs by default allow or deny inbound and outbound traffic?

Answer 81

Default NACLs allow all inbound and outbound traffic, Custom NACLs deny all inbound and outbound traffic

Question 82

What is used to provide internet traffic to EC2 instances in private subnets?

Answer 82

A NAT Gateway or NAT instance is used to provide internet traffic to EC2 instances in private subnets

Question 83

What is X-Connect?

Answer 83

X-Connect is how the Direct Connect routers are linked

Question 84

What is an accelerator?

Answer 84

An accelerator directs traffic to optimal endpoints over the AWS global network to improve availability and performance of internet apps

Each accelerator includes one or more listeners

Question 85

What are Global Accelerator Endpoint Groups?

Answer 85

An endpoint group routes requests to one or more registered endpoints in AWS Global Accelerator.

When you add a listener in a standard accelerator, you specify the endpoint groups for Global Accelerator to direct traffic to. An endpoint group, and all the endpoints in it, must be in one AWS Region. You can add different endpoint groups for different purposes, for example, for blue/green deployment testing.

Question 86

Regarding where they are, what is the difference between an interface and gateway endpoint?

Answer 86

diagram

Question 87

What are the methods available to open applications in your VPC to other VPCs?

Answer 87

To open your VPC to other VPCs you can:

• Open the VPC to the internet
• VPC peering
• PrivateLink Connection

Question 88

What is the only service that supports IP multicast?

Answer 88

Transit Gateway is the only service that supports IP multicast

Question 89

What is the best service to use to simplify a complicated network topology?

Answer 89

Transit Gateway is the best service to use to simplify a complicated topology

Question 90

If connecting to your services using a Private IP address, is that free?

Answer 90

If the service you connect to is in the same AZ then there is no cost. There will be a cost if the service instance is in a different AZ

Question 91

What architecture should you use in order to keep your networking cost free?

Answer 91

In order for cost free networking you should group all your EC2 instances in the same AZ.

This does mean however that you will have single point of failure concerns

Question 92

What must you remember to do when creating a NAT instance?

Answer 92

When creating a NAT instance you must remember to disable source/destination check on that instance

Question 93

Where must NAT instances be hosted?

Answer 93

NAT instances must be hosted in a public subnet

Question 94

Are NAT Gateways redundant?

Answer 94

NAT Gateways are redundant inside the AZ

So any resources in another AZ using the Gateway should ideally use their own Gateway

Question 95

Can VPC flow logs be enabled for VPCs that are peered with your VPC?

Answer 95

You can only enable Flow Logs for peered VPCs if they are in your account

Question 96

To provide internet connectivity what are Internet and NAT Gateways connected to ?

Answer 96

You attach an Internet Gateway to your VPC, whereas NAT Gateways are attached to your subnets to give them a route to the internet

Question 97

What would you use to enable an instance in your private subnet to access AWS services without leaving the AWS network?

Answer 97

To reach services without leaving the AWS network or going across the internet you would use a VPC Gateway Endpoint

Question 98

What is the difference between VPC gateway endpoint and VPC interface endpoint?

Answer 98

A VPC Gateway Endpoint serves as a target for a route in your route table for traffic destined for the service.

A VPC Interface Endpoint uses an elastic network interface (ENI) as an entry point for traffic destined to the service.

Question 99

What are VPC Flow Logs used for?

Answer 99

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

Question 100

What is a Customer Gateway?

Answer 100

A customer gateway is a resource that you create in AWS that represents the physical customer gateway device in your on-premises network.

Question 101

What is a Bastion used for?

Answer 101

A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet.

Question 102

What is an Elastic IP address?

Answer 102

An Elastic IP address is a public IPv4 address, which is reachable from the internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet.

Question 103

How do security groups work?

Answer 103

Security groups control access at the instance-level (as they are associated with network interfaces), they support “allow” rules only, and they evaluate all rules before deciding whether to allow traffic into the instance(s).

Question 104

To where can VPC Flow Log data be published?

Answer 104

Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.