VPC routing and internet gateway

Question 1

Is a VPC router highly available?

Answer 1

Yes.

Question 2

Where can you find a VPC router?

Answer 2

In each VPC

Question 3

Where do VPC routers have their network interface?

Answer 3

It has a network interface (NETWORK + 1) in each subnet in the VPC.

Question 4

What is the main function of the VPC router?

Answer 4

Route traffic between subnets.

Question 5

What do route tables do?

Answer 5

Route tables defines what the VPC router will do with traffic when data leaves that subnet.

Question 6

Are VPCs created with route tables by default?

Answer 6

Yes, if you don’t associate a custom route table with a subnet, it uses the main route table of the VPC.

Question 7

What happens to the main route table when you associate a custom route table with a subnet?

Answer 7

the main route table is disassociated

Question 8

How many route tables can be associated with a subnet?

Answer 8

A subnet can only have one route table associated at a time

Question 9

Can a route table be associated with many subnets?

Answer 9

Yes.

Question 10

What happens when traffic needs to leave a subnet?

Answer 10

The VPC router reviews the IP packet, looking for the destination address and uses the route table to know where to direct the packet towards.

Question 11

What happens when there are more than one route found as a match?

Answer 11

The prefix is used as priority.

Question 12

In route tables, what does “target: local” mean?

Answer 12

It means that the destination is in the VPC itself

Question 13

Can the local route entry be edited? What is the priority of the local route?

Answer 13

No, it can never be updated and it takes the maximum priority.

Question 14

Is there any exception to the prefix (priority) rule in route tables?

Answer 14

Yes, local routes are max priority.

Question 15

In Route tables, how are local targets always configured by default?

Answer 15

They match the IPv4 and IPv6 CIDR range

Question 16

What is an internet gateway?

Answer 16

A managed service that allows gateway traffic between the VPC and the internet or AWS Public Zones (S3, SQS, SNS, etc.)

Question 17

What type of resilience does Internet Gateways provide?

Answer 17

Regional resilience

Question 18

To what are Internet gateways attached?

Answer 18

To a VPC.

Question 19

What will a IGW cover within a VPC?

Answer 19

It will cover all AZs in a region for the VPC it is attached to.

Question 20

How many IGW can be attached to a VPC?

Answer 20

One

Question 21

What happens if no IGW is attached to a VPC?

Answer 21

It will be entirely private.

Question 22

Can you create an IGW without being attached to a VPC?

Answer 22

Yes.

Question 23

In which AWS domain do IGWs run (private or public)?

Answer 23

It runs within the AWS public Zone

Question 24

Who handles the performance of IGWs?

Answer 24

AWS, it is a managed service.

Question 25

What do you need to make a subnet public?

Answer 25

1. Create IGW
2. Attach IGW to VPC
3. Create custom RT
4. Associate RT
5. Define default routes to the IGW

Question 26

If an instance is created with private and public IP, is the public IP configured in the OS?

Answer 26

No, it is not configured in the OS.

Question 27

What is the interaction of IGW with public and private IPs of an EC2 instance?

Answer 27

The IGW creates a record that links the instance’s private IP to the public IP.

Question 28

What does the IGW do when a package needs to be sent to the public internet from an EC2 instance?

Answer 28

As the Source IP address of the package is the private IP of the instance (remember, the public IP is not configured in the OS), when the package arrives to the IGW, this swaps the private IP for the public IP and pushes the package on the public internet.

Question 29

Related to private/public IPs and IGWs: what happens when a package comes back from the public internet (response for example)?

Answer 29

The package comes back with the public IP as destination and the IGW swaps it for the private IP of the instance and routes it.

Question 30

Does the public IP of an EC2 instance ever touch the instance?

Answer 30

No.

Question 31

What does the IGW do if an instance uses IPv6?

Answer 31

It does not translate any IP, it just pushes it to the public internet.

Question 32

What is a bastion host?

Answer 32

It is an instance in a public subnet inside a VPC

Question 33

What are bastion hosts designed for?

Answer 33

They are used to allow incoming management connections. Used as a management point or as an entry point for a private-only VPC.

Question 34

How can you secure bastion hosts’ access?

Answer 34

Allow specific IP addresses, authentication with SSH or it can integrate with on-premises identification services.