VPCs Flashcards
What does a VPC allow you to do?
Amazon VPC (Virtual Private Cloud) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
In a VPC subnet, how many addresses are reserved by AWS?
AWS reserves 5 addresses per subnet:
.0: Network address.
.1: Reserved by AWS for the VPC router.
.2: Reserved by AWS. The IP address of the DNS server is always the base of the VPC network range plus two; however, we also reserve the base of each subnet range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. For more information, see Amazon DNS Server.
.3: Reserved by AWS for future use.
.255: Network broadcast address. Broadcast is not supported in a VPC; therefore, AWS reserves this address.
What is a NAT instance?
A network address translation (NAT) instance is an EC2 instance in a public subnet in your VPC that can enable instances in the private subnet to initiate outbound IPv4 traffic to the Internet or other AWS services, but prevent the instances from receiving inbound traffic initiated by someone on the Internet. (Internet Proxy)
What is the availability model of NAT Gateway?
NAT Gateways in each Availability Zone are built with redundancy, but only exist in a single Availability Zone. NAT Gateways must be built in multiple Availability Zones to avoid interruption if an Availability Zone goes down.
What setting will allow a NAT Instance to forward traffic for another EC2 Instance?
In order for a NAT Instance to forward traffic for other instances you need to disable the Source/Destination Check on the NAT Instance.
How many network ACLs can a subnet be associated with?
A subnet can only be associated with a single ACL.
What are the default settings for a private Network Access Control List?
The default settings for a private NACL are to deny all inbound and outbound traffic.
In what order are ACL rules evaluated?
Rules are evaluated in numerical order by the rule number.
What is the difference in the default permissions between the default Network ACL and a custom Network ACL?
The default Network ACL allows all traffic inbound and outbound by default. Custom Network ACLs deny all traffic inbound and outbound by default.
How can a subnet be associated with a Network ACL?
Every subnet must be associated with an ACL. When a subnet is created it will automatically be associated with the default ACL of your VPC. An ACL can be associated with multiple subnets, but a subnet can only be associated with a single ACL. Similarly, an ACL can span multiple Availability Zones, but a subnet can only reside in a single Availability Zone.
What mechanism do you have to use to block access to or from a specific IP address?
Blocking IP addresses can only be done using ACLs; this cannot be done using Security Groups.
What is the requirement of the VPC used when provisioning an Elastic Load Balancer?
When provisioning an ELB your VPC must have subnets in at least two Availability Zones and those subnets must be Internet accessible (provisioned with Internet Gateway).
At what levels can you create a VPC Flow Log?
Flow Logs can be created at the following levels:
- VPC
- subnet
- network interface
What is the purpose of a VPC Endpoint?
A VPC endpoint allows EC2 instances in a private VPC to connect to AWS resources without needing access to the internet.
How many VPCs are allowed in each AWS Region by default?
5