Module 3 - Networking Flashcards
What is a CIDR block?
This is how you tell the network how many IP addresses to allocate. Go for more so you don’t run out of addresses.
What is Amazon VPC?
Amazon Virtual Private Cloud (VPC) is a service that lets you launch AWS resources in a logically isolated virtual network. You deploy into ONE of the Regions and can host resources from any Availability Zone within its Region. It’s like your own personal data center.
What is a subnet?
A range of IP addresses in your VPC. It lives in one AZ. It must be associated with only ONE route table, but subnets can share a route table.
What is CIDR?
Classless Inter-Domain Routing. It’s a method of allocating IP addresses and IP routing.
What does an Internet Gateway do?
Allows instances in your VPC to talk to the internet. It has 2 jobs:
- Provides a target in your VPC route tables for internet-routable traffic
- Performs network address translation (NAT) for instances that have been assigned public IPv4 addresses
How does a subnet get on a route table?
Every subnet in your network must be on a route table (and only one route table). It will be on the main one if you don’t specify.
How would you set up multiple environments, like dev, qa, prod?
Create multiple VPCs. For extra security, use multiple accounts also.
How do you make an instance publicly accessible within a VPC?
1) Attach an internet gateway to the VPC (this creates a public subnet)
2) Update the public route table pointing to the gateway.
3) Assign the instance a public IP address.
What is an Elastic IP address?
An IP address that you can move around to any instance. You access it through the Internet Gateway.
What’s the point of an Elastic IP?
You can mask the failure of an instance by rapidly remapping the address to another instance in your VPC.
What are the limitations of an Elastic IP?
Does not work on VPN (because there is no Internet Gateway); limited to 5 addresses.
What is an Elastic Network Interface?
An interface you can attach to an instance, then detach and attach to a different instance, all the while keeping its Elastic IP, private IP, elastic address and MAC address.
What is the purpose of NAT?
Network Address Translation is for conserving IP addresses. This lets your private IP networks connect to the internet. Not needed for IPv6.
What is a NAT gateway?
A one-way (outbound) connection between private subnet instances and the internet. The NAT gateway uses its Elastic IP address as the source IP for traffic from the private subnet. Not needed for IPv6.
What is a network ACL?
Network Access Control List. It’s an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more SUBNETS. It contains a list of rules evaluated in order to determine if traffic is allowed.
What is the setting of the default network ACL?
VPCs automatically get a default NACL. It allows all inbound and outbound IPv4 traffic. CUSTOM ACLs deny all traffic by default.
What are the components of an ACL rule?
• Rule number – As soon as a rule matches traffic, it is applied regardless of any higher-numbered rule that might contradict it.
• Type – e.g., Secure Shell (SSH). You can also specify all traffic or a custom range.
• Protocol – You can specify any protocol that has a standard protocol number.
• Port range – e.g., 80 for HTTP traffic.
• Source – For inbound rules only, the source of the traffic (CIDR range).
• Destination – For outbound rules only, the destination for the traffic (CIDR range).
• Allow or Deny – Whether to allow or deny the specified traffic.
STATELESS
What is a security group?
A virtual firewall for your EC2 instance to control inbound and outbound traffic. Works at the instance level. Supports only allow rules. STATEFUL (response to a request will be allowed).
What is the default setting for a security group?
Allow all outbound traffic. Block all inbound traffic.
What is security group chaining?
The inbound and outbound rules are set up in a way that traffic can only flow from the top tier to the bottom tier and back up again. Prevents security breaches in one tier from compromising other tiers.
Describe a multilayer defense
- Run in VPC (control which instances are exposed to internet)
- Network ACL at the subnet level
- Security groups (most common)
How many VPCs can you have per region? How many subnets per VPC?
5 VPCs per region.
200 subnets per VPC.
What parts of a VPC cost you money?
NAT gateway, VPC endpoints, VPN gateway, customer gateway
I created an EC2 instance in my VPC but I don’t see its public DNS.
You have to enable DNS hostnames. They are off by default.