Amazon Virtual Private Cloud (VPC) | Security and Filtering Flashcards

1
Q

Does Amazon VPC support multicast or broadcast?

Security and Filtering

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

A

No.

2
Q

How do I secure Amazon EC2 instances running within my VPC?

A

Amazon EC2 security groups can be used to help secure instances within an Amazon VPC. Security groups in a VPC enable you to specify both inbound and outbound network traffic that is allowed to or from each Amazon EC2 instance. Traffic which is not explicitly allowed to or from an instance is automatically denied.

In addition to security groups, network traffic entering and exiting each subnet can be allowed or denied via network Access Control Lists (ACLs).

3
Q

What are the differences between security groups in a VPC and network ACLs in a VPC?

A

Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance. Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet. Network ACLs can be used to set both Allow and Deny rules. Network ACLs do not filter traffic between instances in the same subnet. In addition, network ACLs perform stateless filtering while security groups perform stateful filtering.

4
Q

What is the difference between stateful and stateless filtering?

A

Stateful filtering tracks the origin of a request and can automatically allow the reply to that request to be returned to the originating computer. For example, a stateful filter that allows inbound traffic to TCP port 80 on a webserver will also allow the return traffic, usually on a high-numbered port (e.g., destination TCP port 63912), to pass through the filter between the client and the webserver. The filtering device maintains a state table that tracks the source and destination port numbers and IP addresses. Only one rule is required on the filtering device: allow traffic inbound to the webserver on TCP port 80.

Stateless filtering, on the other hand, only examines the source or destination IP address and the destination port, ignoring whether the traffic is a new request or a reply to a request. In the above example, two rules would need to be implemented on the filtering device: one rule to allow traffic inbound to the webserver on TCP port 80, and another rule to allow outbound traffic from the webserver (TCP port range 49152 through 65535).

5
Q

Within Amazon VPC, can I use SSH key pairs created for instances within Amazon EC2, and vice versa?

A

Yes.

6
Q

Can Amazon EC2 instances within a VPC communicate with Amazon EC2 instances not within a VPC?

A

Yes. If an Internet gateway has been configured, Amazon VPC traffic bound for Amazon EC2 instances not within a VPC traverses the Internet gateway and then enters the public AWS network to reach the EC2 instance. If an Internet gateway has not been configured, or if the instance is in a subnet configured to route through the virtual private gateway, the traffic traverses the VPN connection, egresses from your datacenter, and then re-enters the public AWS network.

7
Q

Can Amazon EC2 instances within a VPC in one region communicate with Amazon EC2 instances within a VPC in another region?

A

Yes. Instances in one region can communicate with instances in another region using Inter-Region VPC Peering, public IP addresses, NAT gateways, NAT instances, VPN connections, or Direct Connect connections.

8
Q

Can Amazon EC2 instances within a VPC communicate with Amazon S3?

A

Yes. There are multiple options for resources within a VPC to communicate with Amazon S3. You can use a VPC endpoint for S3, which ensures all traffic remains within Amazon's network and lets you apply additional access policies to your Amazon S3 traffic. You can use an Internet gateway to enable Internet access from your VPC, so that instances in the VPC can reach Amazon S3. You can also make all traffic to Amazon S3 traverse the Direct Connect or VPN connection, egress from your datacenter, and then re-enter the public AWS network.

9
Q

Why can’t I ping the router, or my default gateway, that connects my subnets?

A

Ping (ICMP Echo Request and Echo Reply) requests to the router in your VPC are not supported. Ping between Amazon EC2 instances within a VPC is supported as long as your operating system's firewall, the VPC security groups, and the network ACLs permit such traffic.
