Module 7: Create a networking env

Question 1

Reminder on AWS Physical infrastructure

Answer 1

Servers in racks in data center. Every rack has network routers and switch to route traffic.
Data centers grouped in AZ.
AZ grouped in regions and connected with 0.001-9 second latency network.
Region inter connected with 0.01-9 second latency

Question 2

Reminder on Virtual networks

Answer 2

A virtual network emulates a phyisical one with switches, firewall, and load balacer. It comes on top of the physical network.

Question 3

A VPC is logically or Phiysically isolated?

Answer 3

Logically

Question 4

Name two services designed to operate in a VPC

Answer 4

EC2 and RDS

Question 5

Name two services operating outside a customer VPC

Answer 5

Lambda and CloudWatch

Question 6

Why should you build a new VPC for production environment ?

Answer 6

Because the default VPC already has connectivity conifgurations, You should configure your own depending on your configuration

Question 7

How do you size a VPC ?

Answer 7

By allocating a range of IP

Question 8

What is another name for a range of IP.

Answer 8

A CIDR block

Question 9

What is a CIDR block?

Answer 9

It’s a Classeless Inter-Domain Routing. In other words, a range of IP

Question 10

Is the size of the VPC easy to modify ?

Answer 10

No, this is why it’s important to assess the size correctly.

Question 11

Min and Max size of an IPv4 VPC ?

Answer 11

Min of 16 IP adresses (/28)
Max of 65536 IP adresses (/16)

Question 12

What is the dual stack configuraion for a VPC ?

Answer 12

Includes both IPv4 and IPv6 domains

Question 13

What tool can I use to manage my adresses more easily ?

Answer 13

The IP address manager (IPAM)

Question 14

Why opt for IPv6?

Answer 14

More adresses and also often better performance because IPV4 doesn’t do NAT

Question 15

What should I be careful with when sizing a VPC with IPv4?

Answer 15

The cost because each IP is billed by the hour whether attached to a service or not.

Question 16

What is a subnet ?

Answer 16

It’s a division of a VPC. They are linked to AZ. It’s also a segment of the range of IP in the VPC.

Question 17

Can subnet CIDR block overlap ?

Answer 17

No

Question 18

Are all IP in a subnet freely available to the customer?

Answer 18

No Amazon reserves 5 for its usage.
1. Network Adress
2. VPC local Router
3. DNS resolution
4. Future use (Undefined yet)
last. Network broadcast address

Question 19

Two types of subnet

Answer 19

Public or Pricate depending on how accessible they are.

Question 20

What should I consider for making ressources accessible through the internet ?

Answer 20

A subnet with an internet Gateway

Question 21

How to configure my VPC to send traffic to the internet?

Answer 21

Create a public VPC with a public subnet route table

Question 22

What is an elastic IP address ?

Answer 22

An IP address that can migrate from an EC2 to another. The IP stays the same.

While a private IP is released when the instance is terminated, the elastic IP stays.

First is free but additional incur charges.

Question 23

Cost and elastic IPs?

Answer 23

The first one is free but if detached and not reattach there is an hourly fee.
Additional Elastic IP are at cost.

Question 24

What can elastic IP link to ?

Answer 24

Load balancer, VPC network interface, or EC2

Question 25

If you don't want your ressource to be accessible from the internet?

Answer 25

Create a private subnet

Question 26

What is best practie about route tables and subnet?

Answer 26

To define custom route table for every subnet

Question 27

What are NAT useful for ?

Answer 27

If you don't want to expose your Ip to the internet a NAT will replace the IP with its own.

Question 28

Can IPV4 do NAT?

Answer 28

No this is also why an internet gateway can be used

Question 29

Sometime a ressource in a private subnet may need access to the internet. How to do that?

Answer 29

Use a NAT device hosted in another public subnet that will be linked to the private subnet through the private subnet route.

Question 30

What are the options for setting up a NAT device ?

Answer 30

NAT gateway provided by AWS, or setup your own NAT device in an EC2 instance. Note: When using multiple AZ create a gateway for each AZ for better resilience

Question 31

What about IPv6 if a private subnet wants to access the internet?

Answer 31

Setup an Egress only internet gateway that allows outbound but no inbound

Question 32

Should I place web app in a private or public subnet

Answer 32

Amazon recommands private with load balancer in front. Except if the environment requires a public subnet.

Question 33

Recall in your mind the proper security layer between the client application and the EC2

Answer 33

1.Secure network protocol (TLS or HTTPS) 2. Internet Gateway 3. Route table 4. ACL 5.Subnet layer 6.Security group layer

Question 34

What is the differnce between a security group and an access Control list ?

Answer 34

The security group will prevent you to enter a building quite like having a key to open a door. An ACL will let you in if you are the right person. Security group = do you have the Key The security group controls the ressource ACL = Does the doorman know you. The ACL controls the subnet. A security group is statefull, meaning that if inbound traffic allowed, outbound allowed as well by default. An ACL is stateless inbound and outbound must be explicitely stated. Security groups only specifies allow ACL specifes allow and deny

Question 35

What additional safety can be added to the network ?

Answer 35

A firewall, when dealing with sensitive data. It's a buffer to ensure that the incoming traffic is not malicious. It's deplyoed in a specific firewall subnet. The route will point to the firewall instead. Other option is to use a bastion host. A server providing maintenance access to the private subnet. You host it in a public subnet and allow access to it through IAM policies and sec group. and only link it to the private subnet.

Question 36

How do I best connect to managed AWS services ?

Answer 36

Through the use of an interface VPC endpoint

Question 37

How to set up the interface VPC endpoint?

Answer 37

Choose the service, choose the VPC in the service, then the subnet and specify the security group

Question 38

What other type of endpoint exists and what is it used for ?

Answer 38

Gateway VPC endpoints to connect to S3 or Dynamo DB. The diff is that there is no AWS Privatelink like for interface VPC.

Question 39

Interface VPC endpoints vs gateway VPC endpoints

Answer 39

Gateway need a public IP, and interface a private one. Basically interface is more secure but costs and limits perf. While gateway is less secure but free and no limitation on perf.

Question 40

How do I monitor the traffic in my VPC?

Answer 40

With VPC flow logs

Question 41

What type of traffic do I monitor in my VPC flow log ?

Answer 41

All traffic, accepted traffic or rejected traffic

Question 42

What service may work well in conjunction with the flow logs ?

Answer 42

Amazon Cloudwatch, but can also be exported to a S3 and be analysed there through Athena for example. Amazon Kinesis data firehose can also deliver logs to Amazon Open search dashboard or third party solutions like Spunk

Question 43

Can all users acces the logs ?

Answer 43

No. attach a role to an IAM user with the appropriate permissions

Question 44

Additional tools for VPC monitoring ?

Answer 44

Reachability analyzer Network Access Analyzer Traffic mirroring

Question 45

Well architected: How to make the network RELIABLE?

Answer 45

Ensure IP subnet allocation accounts for expansion and availability. (do not forget the 5 reserved ip by subnet, be careful of services having to provision additional IP, plan carefully)

Question 46

Well architected: How to make the network SECURE?

Answer 46

Create network layers: Group services sharing the same security requirements in a layer with the proper security rules control traffic at all layers: Combine ACL, Security groups... Inspect and Protect: VPC network Acces analyzer

Question 47

Well architected: How to make the network EFFICIENT?

Answer 47

Understand how networking impact performance. Evaluate available networking features Choose network protocol to improve perf: Do not use TCP for all but also consider UDP for real time data

Question 48

What Network protocol for real time data?

Answer 48

UDP

Question 49

What network protocol for critical data?

Answer 49

TCP because more reliable

Question 50

Well architected: How to make the network COST OPTIMIZED?

Answer 50

Choose the region accordingly

Question 51

How do you create a public subnet ?

Answer 51

Create an internet gateway. Create a route table. Add a route to the route table that directs 0.0.0.0/0 traffic to the internet gateway. Associate the route table with a subnet, which becomes a public subnet.