VPCs Flashcards

1
Q

VPC stands for

A

Virtual Private Cloud

2
Q

What mechanism would you use to RDP/SSH into your private subnet from the internet

A

Bastion Hosts

3
Q

What is the largest network CIDR block allowed by AWS?

A

/16

4
Q

What is Transitive Peering? Is it permitted by AWS VPCs?

A

Transitive Peering is the ability to communicate with VPCs peered with your direct VPC peers. This functionality is not supported in AWS.

5
Q

True or False: VPCs can peer across regions?

A

True

6
Q

True or False: VPCs can peer across AWS accounts?

A

True

7
Q

True or False: Subnets can span availability zones?

A

False

8
Q

True or False: You can resolve private IP addresses across a VPC Peering connection

A

True and False; by default, you can only resolve public IP addresses. However, if you enable DNS hostname resolution for your VPC connection, you can resolve private IP addresses.

9
Q

By default, which components are created for you when you create a VPC?

A

Route Table
Network Access Control List
Security Group

10
Q

What is not created when you create a VPC?

A

NAT Gateways
Internet Gateways
Subnets

11
Q

How many and what kinds of IP addresses are reserved by AWS when you create a VPC?

A

5 IP addresses are reserved:
The network address (10.0.0.0)
The Broadcast address (10.0.0.255)
The Router Address (10.0.0.1)
The DNS Server address (10.0.0.2)
"Future Use" Address (10.0.0.3)

12
Q

How many Internet Gateways can be configured per VPC?

A

1

13
Q

True or False: When you create a VPC, the Route Table includes routes to allow all subnets to talk to each other?

A

True

14
Q

What is the difference between a NAT Gateway and a NAT Instance?

A

A NAT Instance is a single EC2 instance that resides on a public subnet whereas a NAT Gateway is a managed service for your availability zone. Both allow you to configure Internet access for your private instances whilst blocking the Internet from creating connections to those instances. Since a NAT Instance is an EC2 Instance, it is associated with a Security Group. NAT Gateways are not.

15
Q

What must you disable on a NAT Instance to permit private instances to access the Internet?

A

Disable Source/Destination checks when creating the instance; they are enabled by default. This check asserts that any traffic the instance sends or receives must originate from or be destined to the instance itself, but since this instance acts as a Gateway for your private instances, traffic will originate from the Internet/private instances.

16
Q

How many NAT Gateways can you have per availability zone?

A

1

17
Q

What is the maximum throughput of a NAT Gateway?

A

5-45 Gbps

18
Q

True or False: You must assign an elastic IP to your NAT Gateway

A

False; an IP is assigned for you automatically

19
Q

How do you configure your NAT Gateways to be highly available?

A

Create NAT Gateways in multiple availability zones; have your resources use the NAT Gateway that resides in their own AZ.

20
Q

What type of network security mechanism is instance level and stateful?

A

Security Groups

21
Q

What type of network security mechanism is stateless?

A

NACLs

22
Q

True or False: A subnet can be associated with only one NACL at a time

A

True

23
Q

What is the ephemeral port range and why is it used?

A

1024-65535; ephemeral ports are often used as server ports after a connection is established to a server by a client. You should allow these outbound to allow client communications with your server. You should allow these inbound to permit things like system updates on private instances.

24
Q

True or False: When you create a NACL, subnets are automatically associated with it.

A

False; no subnets are associated with new NACLs

25
Q

How many subnets do you need to create an ELB?

A

At least 2

26
Q

What types of traffic are not monitored by a VPC Flow Log?

A

AWS DNS
Windows License Activation
169.254.169.254
DHCP
Traffic to the reserved IP of the VPC router

27
Q

True or False: When you create a VPC Flow Log, you can change its configuration later

A

False; you can’t change a VPC Flow Log after you’ve created it.

28
Q

True or False: You can enable VPC Flow Logs for peered VPCs

A

True but only for VPCs in your own account

29
Q

VPC Flow Logs capture network traffic at which levels?

A

VPC
Subnet
Network Interface

30
Q

True or False: Bastion hosts are hosted behind a Firewall

A

False; you typically place Bastion Hosts outside a firewall or in a DMZ, harden the host, and use it as a proxy service for untrusted networks

31
Q

What are the components of a VPN across AWS DirectConnect?

A

Public Virtual Interface
Customer Gateway
Virtual Private Gateway

32
Q

What are the main benefits of using AWS DirectConnect?

A

Reduced network costs
More consistent network experience
Increased bandwidth via dedicated lines

Note: this traffic isn’t secure by default; you’d need to create a VPN to secure your traffic over DirectConnect.

33
Q

How many VPCs can you create per region?

A

5

34
Q

What is the purpose of an Egress-Only Internet Gateway?

A

The Egress-Only IGW allows IPv6 traffic within your VPC to access the Internet but denies Internet resources access to your IPv6 instances.

35
Q

Can you conduct your own vulnerability scans on your VPC without alerting AWS?

A

You can pen-test the following services:
EC2, NAT Gateways, ELBs
RDS
CloudFront
Aurora
API Gateways
Lambda and Lambda Edge
Lightsail
Elastic Beanstalk

You cannot pen-test the following:
DNS-zone walking via Route53 Hosted Zones
DoS and DDoS (Simulated testing is subject to Terms)
Port Flooding
Protocol flooding
Request flooding

36
Q

What is the purpose of VPC Endpoints?

A

These allow you to privately connect to your VPC without an IGW, NAT device, VPN connection or Direct Connect

37
Q

What two types of VPC Endpoints are there?

A

Interface Endpoints - ENIs with a private IP Address

Gateway Endpoints - For AWS Services S3 and DynamoDB

38
Q

What is AWS Global Accelerator?

A

This service improves the availability and performance for your global users. It provides a fixed static IP for your applications to eliminate the complexity of managing IPs across Regions and AZs. Traffic is routed based on optimal location and application health based on policies you configure.

39
Q

What are the components of a Global Accelerator deployment?

A

2 Static IP Addresses
DNS
Network Zone (Availability Zone)
Listener
Endpoints/Endpoint Group

40
Q

Why would you use a Global Accelerator with an ELB?

A

ELBs are optimal for performing traditional load-balancing tasks like routing to internal and non-AWS endpoints, pre-warming, and Layer 7 routing all within a single Region. Global Accelerator is good for non-HTTP traffic for a wide range of applications over TCP or UDP across multiple regions. If you have global users, a Global Accelerator is a good choice.

41
Q

How is Global Accelerator different from CloudFront?

A

CloudFront is good for caching dynamic and static content for HTTP (web) and RTMP applications. Global Accelerators are good for non-HTTP applications.