VPCs

Question 1

What does VPC stand for?

Answer 1

Virtual Private Cloud

Question 2

What is a VPC?

Answer 2

• Think virtual data center in the cloud
• A logically isolated section of AWS where you can launch AWS resources in a virtual network that you define

Question 3

What can you do with a VPC?

Answer 3

• Launch instances into a subnet of your choosing
• Assign custom IP address ranges in each subnet
• Configure route tables between subnets
• Create Internet Gateway and attach it to our VPC
• Much better security control over your AWS resources
• Instance security groups
• Subnet Network Access Control Lists

Question 4

What is VPC Peering?

Answer 4

• Allows you to connect one VPC with another via a direct network route using private IP addresses
• Instances behave as if they were on the same private network

Question 5

Can VPC Peering be done between two VPCs in different AWS accounts?

Answer 5

Yes

Question 6

Suppose VPC A is peered with VPC B, and VPC B is paired with VPC C. Is VPC A considered peered with VPC C?

Answer 6

NO. VPC Peering is NOT transitive!

Question 7

Can you use VPC Peering to peer two VPC in different AWS regions?

Answer 7

Yes

Question 8

What does IGW stand for?

Answer 8

Internet Gateway

Question 9

What are the key components of a VPC?

Answer 9

• Gateway (IGW or Virtual Private Gateway)
• Route Tables
• Network Access Control Lists
• Subnets
• Security Groups

Question 10

Can you have two VPC subnets in the same AZ?

Answer 10

Yes

Question 11

Can you have a subnet stretched across multiple AZs?

Answer 11

No

Question 12

When you create a VPC, what infrastructure is created by default?

Answer 12

• A Default Route Table
• A Network ACL
• A Default Security Group

(Note that it does NOT create subnets or IGWs)

Question 13

If I launch a VPC into US-East-1a in my account, and someone else launches a VPC into US-East-1a in their account, does this mean the two VPCs are in the same AZ?

Answer 13

Not necessarily, The AZ’s are randomized

Question 14

How many IP Addresses does Amazon Reserve per subnet?

Answer 14

5

Question 15

What is the maximum number of IGWs you can have per VPC?

Answer 15

1

Question 16

Can you have a security group spanning multiple VPCs?

Answer 16

No

Question 17

Can you create an ELB with only one public subnet?

Answer 17

No, to create an ELB you need at least 2 public subnets

Question 18

What is a Bastion Host?

Answer 18

A hardened, secure request forwarder allowing you to SSH/RDP in to private subnets in order to administer them (Idea is about lowering surface area of attack)

Question 19

Can you use a NAT Gateway as a Bastion Host?

Answer 19

No

Question 20

Are Bastion Hosts usually placed in a private subnet or a public subnet?

Answer 20

They are placed in a public subnet so you can access the private subnet

Question 21

What is Direct Connect and what are its primary use cases?

Answer 21

• Idea is that it directly connects your data center to AWS
• Useful for high throughput workloads (lots of network traffic)
• Useful if you need a stable and reliable secure connection

Question 22

What are the steps for setting up AWS Direct Connect?

Answer 22

1. Create a virtual interface in the direct connect console. This is a PUBLIC virtual interface
2. Go to the VPC Console and then to VPN Connection. Create a Customer Gateway
3. Create a Virtual Private Gatway
4. Attach the Virtual Private Gateway to the desired VPC
5. Select VPN Connections and create a new VPN Connection.
6. Select the Virtual Private Gateway and the Customer Gateway
7. Once the VPN is available, set up the VPN on the customer gateway or firewall

Question 23

What is AWS Global Accelerator?

Answer 23

A service in which you create accelerators to improve availability and performance of your applications for local and global users

Question 24

How many static IP addresses does AWS assign to you for Global Accelerator?

Answer 24

2

(Note you can also bring your own static IPs!)

Question 25

How do you control traffic in AWS Global Accelerator?

Answer 25

Use traffic dials. This is done within an endpoint group

Question 26

What is a VPC Endpoint?

Answer 26

A VPC Endpoint enables you to privately connect your VPC to supported AWS Services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN Connection, or Direct Connect Connection

Question 27

What are the two types of VPC Endpoints?

Answer 27

• Interface Endpoints
• Gateway Endpoints

Question 28

For what services are VPC Gateway Endpoints supported?

Answer 28

• Amazon S3
• DynamoDB

Question 29

Suppose you want to peer a VPC with tens or thousands of other customer VPCs. What is the best way to accomplish this?

Answer 29

AWS PrivateLink

Question 30

Does AWS PrivateLink require VPC Peering?

Answer 30

No.

There’s no NAT, no route tables, no IGWs, etc.

Question 31

What is required to use AWS PrivateLink?

Answer 31

• A Network Load Balancer on the service VPC
• An ENI on the customer VPCs

Question 32

What is AWS Transit Gateway used for?

Answer 32

• It allows you to have transitive peering between thousands of VPCs and on-premises data centers
• Think simplify network topology
• Always works on a hub-and-spoke model

Question 33

Can you use AWS Transit Gateway across multiple regions?

Answer 33

Yes

Question 34

Can you use AWS Transit Gateway across multiple accounts?

Answer 34

Yes

Question 35

Do AWS Transit Gateways work with Direct Connect?

Answer 35

Yes

Question 36

When using AWS Transit Gateways, how can I limit how VPCs talk to one another?

Answer 36

Use route tables

Question 37

What is the ONLY AWS Service that supports IP Multicast?

Answer 37

AWS Transit Gateway

Question 38

What is the use case for AWS VPN CloudHub?

Answer 38

• Connecting multiple sites, each with a VPN Connection, together over a hub-and-spoke model
• It operates over the public internet, but all traffic between the customer gateways and the VPN CloudHub is encrypted

Question 39

When using VPCs, will private IPs or public IPs produce a lower network cost? Why?

Answer 39

private IPs are less expensive than public IPs, because private IPs use the AWS Backbone Network

Question 40

In general, does AWS charge you more/less/or the same for communicating between VPCs in different AZs within the same region vs. communicating between VPCs in different regions?

Answer 40

communicating between VPCs in different AZs in the same region is less expensive than communicating between VPCs in different regions.

Question 41

How can you use VPCs and cut all network costs? What is the problem with that approach?

Answer 41

• Use private IP addresses
• group all EC2 instances in a single AZ
• This is a problem because it leaves a single point of failure

Question 42

What is the definition of a public subnet?

Answer 42

One that has at least one route in its routing table that uses an IGW

Question 43

Does VPC peering support edge to edge routing?

Answer 43

No