aws networking Flashcards Preview

Software Engineering > aws networking > Flashcards

Flashcards in aws networking Deck (50)
Loading flashcards...
1
Q

what is an availability zone meant to represent?

A

a data center in a region, basically. could be one building (it’s not, really)

2
Q

what partitions does a VPC encompass?

A

one region with a number of availability zones

3
Q

what do subnets encompass?

A

one availability zone with a number of instances

4
Q

what is the ip range of a VPC

A

the internal IP addresses available to instances

5
Q

what IPs do instances receive?

A

both internal IP for internal routing, and public IP

6
Q

how does internet access happen into instances in VPC?

A

through an internet gateway

7
Q

what do security groups help with?

A

controlling what traffic can go to instances, and what traffic can go from instances.
they control traffic between instances.
they can be applied to many instances, across subnets.
they can control access to instances by ID, or by other security groups
they only have allow rules, implicit deny rule at end of rule set

8
Q

what do network access control lists (NACLs) work with?

A

they control what traffic goes to subnets

9
Q

what is a route table for?

A

specific routing of network traffic on subnets within the vpc, I think for just outgoing requests. also, assignment of public IPs here?

10
Q

how is a subnet made private?

A

it blocks outgoing traffic, and does not have public IPs

11
Q

why would a subnet want to talk to the internet?

A

by redirecting outgoing traffic via the route table to a network address translation (NAT) gateway. the NAT gateway translates private IP to public

12
Q

what is the purpose of a CIDR block?

A

classless interdomain routing (CIDR) is notation for IP address ranges. it defines the IP addresses for the subnet. CIDR binary calculator

13
Q

what does 192.168.0.1/X do?

A

X is the number of IP addresses that are fixed

14
Q

what does 192.168.0.1/16 map to?

A

the whole range of 192.168.x.x

15
Q

if I have a private subnet, why does it have routes to 0.0.0.0 in the route table? (mine go to an elastic network interface)

A

I dunno, subnet: https://us-east-1.console.aws.amazon.com/vpc/home?region=us-east-1#SubnetDetails:subnetId=subnet-e25377ed

16
Q

what do 0’s in IP addresses mean? e.g. 172.31.0.0, or 0.0.0.0. also, is 0.0.0.0 special?

A

dunno

17
Q

what is the network ID and host ID of 192.168.0.1?

A

network ID: 192.168.0, host ID 1

18
Q

what subnet mask/network mask/netmask is 24 equivalent to?

A

255.255.255.0

19
Q

what are the addresses you can use for hosts?

A

1 to 254. you can’t assign 0 to a host, and 255 is the broadcast address.
I think the host depends on the size of the subnet mask though, because /16 in CIDR means you can have 65,534 hosts

20
Q

why can you have 126 networks in a class A network?

A

dunno

21
Q

can you characterize IPv4 address classes?

A

subnet masks go 255.0.0.0 for A, 255.255.0.0 for B, 255.255.255.0 for C
Class A: total of 126 networks, 16,777,214 usable addresses (hosts?)
Class B: total of 16,382 networks, 65,534 usable addresses (hosts?)
Class C: 2,097,150 networks, 254 usable addresses

22
Q

what address ranges are reserved for private use according to IETF RFC-1918?

A

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.32.255.255
192.168.0.0 to 192.168.0.255

23
Q

what do the subnet masks for address classes usually look like?

A

they usually correspond to the number of networks available in that class, e.g. 24 for class C (192.168.0.0 to 192.168.0.255)

24
Q

what does classless interdomain routing use?

A

variable length subnets masks. it is used to deviate from the standard classes of addresses, I guess

25
Q

what is the router of a VPC tasked with? how is it related to a route table?

A

router coordinates traffic going outside of subnets. route table abstracts what the router is doing.

26
Q

how does a VPC know what IP addresses it contains?

A

each VPC is given one CIDR block of addresses

27
Q

what is a subnet?

A

a segment of a VPC’s IP address range, deployed in one availability zone, where you can place groups of isolated resources

28
Q

what is an Internet Gateway/Egress-only Internet Gateway

A

the amazon VPC side of a connection to the public internet for IPv4/IPv6

29
Q

what is a VPC router?

A

Routers interconnect subnets and direct traffic between Internet gateways, virtual private gareways, NAT gateways, and subnets

30
Q

what is a Peering Connection?

A

Direct connection between two VPCs

31
Q

what are VPC endpoints?

A

private connection to public AWS services

32
Q

what is a NAT gateway?

A

enables internet access for EC2 instances in private subnets, managed by AWS. one subnet per NAT gateway.

33
Q

what is a Virtual Private Gateway?

A

the amazon VPC side of a VPN connection

34
Q

what is a Customer Gateway?

A

customer side of a VPN connection

35
Q

What is AWS Direct Connect?

A

High speed, high bandwidth, private network connection from customer to aws

36
Q

what is a security group?

A

instance-level firewall

37
Q

what is a Network ACL?

A

subnet-level firewall

38
Q

what is VPC an abstraction for?

A

you own data center

39
Q

what are the rules for AWS VPC CIDR blocks?

A
  • Size: /16 to /28
  • CIDR block can’t overlap with any existing CIDR block associated with the VPC
  • you can’t change the size of an existing CIDR block
  • the first four and last IP addresses are not available
  • recommended to choose from RFC 1918 ranges: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16
  • (note that with VPC peering, CIDR blocks can’t overlap)
40
Q

how can multiple VPCs for multiple clients have the same exact CIDR blocks?

A

assuming they can, I think it’s because these are private IPs, not exposed to internet, so we’re not really taking them away

41
Q

seven tips for creating a VPC’s CIDR block

A
  • ensure you have enough networks and hosts
  • bigger CIDR blocks are better for flexibility
  • smaller subnets are ok most of the time
  • consider deploying application tiers per subnet
  • split your high-availability resources across subnets in different AZs
  • VPC peering requires non-overlapping CIDR blocks, across all VPCs in all regions/accounts you want to connect
  • avoid overlapping CIDR blocks as much as possible
42
Q

what are the differences between public/private subnets?

A

as far as I know:
private subnets have:
- private route table entry (looks like one route table can handle multiple subnets)
- no auto-assigned public IPs
public subnets have:
- public route tables (with internet gateways)
- auto-assigned public IPs

43
Q

characterize route tables

A
  • associated with up to several subnets, but a subnet can only be associated with one route table
  • there is always one main route table for a vpc, and all subnets in the VPC that don’t have explicit associations will be associated with it
44
Q

if you have a route table that defines the following, what will the behavior be?
- destination 10.0.0.0/16 (internal CIDR); target local
- destination 0.0.0.0/0; target internet gateway 1234

A

traffic in the internal CIDR will be sent to local, all other traffic will be sent to the internet gateway

45
Q

if you have a route table that defines the following, what will the behavior be?
- destination 10.0.0.0/16 (internal CIDR); target local
- destination 0.0.0.0/0; target NAT gateway 1234

A

traffic in the internal CIDR will be sent to local, all other traffic will be sent to the NAT gateway
- remember, NAT gateways allow internet access to private instances

46
Q

how does a security group differ from a NACL?

A

security group applies at the instance level, NACL applies at the subnet level

47
Q

between NACLs and security groups, which are stateless and which are stateful?

A

NACL is stateless, security is stateful

48
Q

what do stateful and stateless firewalls mean?

A

stateful: allows traffic to return automatically
stateless: checks for an allow rule for both connections

49
Q

how is the traffic returned to the client here? https://www.youtube.com/watch?v=g2JOHLHh4rI&t=2715s

A

dunno

50
Q

what are some differences between NACLs and security groups?

A
  • NACLs have an explicit allow list
  • rules are processed in order (not sure if this is different from security groups, actually), meaning the first rule to match a given request wins