VPC

Question 1

What is a VPC?

Answer 1

resembles: private data centers; private corporate networks.

Question 2

Benefits of a VPC

Answer 2

ability to launch instances into a subnet;
to define custom IP ranges insdie of each subnet.
to configure route tables between subnets
to confirure internet gateways and attach them to subnets
to create a layered network of resources
extending our net work with VPN//VPG controllrf access
to use security groupe and subnet ACLs.

Question 3

NAT Instance

Answer 3

route private subnet to Public subnet;
stateless. need to create inbound and outbound rules.
source/destination check need to be disabled.always behind security group, must be in public subnet, must have an EIP, ,must be a route out of the private subnet to NATIncrease the instance size if bottleneck
Change the main route table - add a route (0.0.0.0/0 NAT Instance target)
NAT Instance is a single point of failover (put it behind a ASG),

Question 4

default VPC

Answer 4

gives users easy access to a VPC without having to configure it from scratch;
have internet gateways attached;
each instance added has a default private and public IP address;
if you delete the default VPC, the only way to get it back is to contact AWS.

Question 5

non-default VPC

Answer 5

have only private IP addresses but not public IP addresses;
can only access resources through elastic IP addresses, VPNs, or gateway instances;
do not have internet gateways attached by default.
When you create Custom VPC it creates default security group, default network ACL and default route table., it doesn’t create default Subnet

Question 6

VPC peering

Answer 6

allows you to setup direct network routing between different VPCs using private IP addresses.
Instances will communicate with each other as if they were on the same private network.
can occur between other AWS accounts and other VPCs within the same region.

Question 7

VPC peering Scenarios

Answer 7

Peering two VPCs – Company runs multiple AWS accounts and you need to link all the resources as if they were all under one private network.
Peering TO a VPC - multiple VPCs connect to a central VPC but cannot communicate with each other, only the central VPC(file sharing, customer access, active Directory).

Question 8

VPC scenarios

Answer 8

with public subnet only – Single tier apps;
with public and private subnets;
public and private and hardware connected VPN – extending to on-premises;
with a private subnet only and hardware VPN access.

Question 9

VPC limits

Answer 9

5 VPCs per region;
200 subnet per VPC;
50 customer gateways per region;
5 internet gateways per region'
5 elastic IP per region for each AWS account;
50 VPN connections per region
200 route tables per region;
500 security groups per region.

Question 10

Bastion vs NAT

Answer 10

a Nat is used to provide internet traffic to EC2 instances in private subnets;
a Bastion is used to securely administer EC2 instances(using ASSH or RDP) in private subnets.
Bastion –keep it in public subnet to allow SSH / RDP into instances into private subnets (High availability - Bation in two public subnets and also ASG - Route 53 running Health checks on those Bastion)

Question 11

NAT gateway

Answer 11

released in 2016 - amazon handled
Amazon maintains it for you, no need to handle yourself. (security patches applied by AWS)
You can just create the gateway and assign EIP (put it in public subnet) (automatically assigned)
Change the main route table - add a route (0.0.0.0/0 NAT gateway target)
No need for disable source/destination check or no need to put it behind a security group - it handles it for you.
Highly available / redundancy no need for ASG.NAT gateways are little bit costly - always use it in production scale automatically up to 10Gbps

Question 12

ACL vs SG

Answer 12

Security groups are statefull - any inbound rule , applies to outbound as well (Only Allow rules)
• by default all inbound deny, all outbound allow
• can span across AZ
ACL are stateless -
• For default ACL, all inbound and outbound rules are allowed by default - associated with all subnets in VPC by default
• for Custom ACL, all inbound and outbound traffic is denied by default - not associated with any subnet
• 1 subnet is only associated with ACL. granular rules for ACLs, numbered rules (recommended steps of 100)
• rule no. 99 takes precedence over rule no. 100 (if 99 is blocked and 100 is allowed) 99 will be executed.
• Can SPAN across AZ

Question 13

Ephemeral port

Answer 13

1024 – 65535should be allowed to take traffic.

if you want to BLOCK IP address then must use ACL, because security group doesn’t have deny

Question 14

VPC Flowlogs:

Answer 14

to capture all the traffic information into logs - logs everything (create IAM role and create cloud watch log group - and log stream)

Question 15

VPC Cleanup

Answer 15

can’t delete VPC if you have active running instance or ELB is running