Networking and VPC Flashcards
What is default VPC?
When you start using Amazon VPC, you have a default VPC in each AWS Region. A default VPC comes with a public subnet in each Availability Zone, an internet gateway, and settings to enable DNS resolution.
The default VPC also has the internet access
What is VPC?
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
You can have upto 5 VPC per region (it can be changed).
If you need 29 IP addresses for EC instances in your subnet. Which CIDR range you will use?
You cannot use the subnet of size /27 (means 32 ipaddress). 5 IP addresses are reserved. There you will have only32-5= 27.
You should use /26, means 2 to the power 6 = 64. 64-5=59
what is Internet gateway?
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.
one VPC can only be attached to one internet gateway and vice versa.
what is route table?
Your VPC has an implicit router, and you use route tables to control where network traffic is directed. Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet (subnet route table). You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same subnet route table.
What is bastion host?
A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet. Because of its exposure to potential attack, a bastion host must minimize the chances of penetration.
What is NAT Instance?
A NAT (Network Address Translation) instance is, like a bastion host, an EC2 instance that lives in your public subnet. A NAT instance, however, allows your private instances outgoing connectivity to the internet while at the same time blocking inbound traffic from the internet.
what is NAT gateway?
NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC). Previously, you needed to launch a NAT instance to enable NAT for instances in a private subnet
What’s the difference between NACL and security group?
- Network ACLs are applicable at the subnet level, so any instance in the subnet with an associated NACL will follow rules of NACL. That’s not the case with security groups, security groups has to be assigned explicitly to the instance.
- Security groups are stateful. This means any changes applied to an incoming rule will be automatically applied to the outgoing rule. e.g. If you allow an incoming port 80, the outgoing port 80 will be automatically opened.
Network ACLs are stateless. This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic. - Security group supports allow rules only (by default all rules are denied). e.g. You cannot deny a certain IP address from establishing a connection.
Network ACL supports allow and deny rules. By deny rules, you could explicitly deny a certain IP address to establish a connection example: Block IP address 123.201.57.39 from establishing a connection to an EC2 Instance. - All rules in a security group are applied whereas rules are applied in their order (the rule with the lower number gets processed first) in Network ACL.
Security groups evaluate all the rules in them before allowing a traffic whereas NACLs do it in the number order, from top to bottom. - Network ACL first layer of defense, whereas Security group is second layer of the defense for inbound/ingress traffic.
Security group first layer of defense, whereas Network ACL is second layer of the defense for outbound/egress traffic. - Subnet can have only one NACL, whereas Instance can have multiple Security groups.
- Security group rule allow CIDR, IP, Security group as destination.
Network ACL rule only allow CIDR as destination.
what is VPC peering?
A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. You can create VPC peeting connection between VPC in different AWS accounts and regions.
They should not have overlapping CIDRs.
If A is connected to B, B is connected to C. A and C would not be able to communicate. A and C should have peering.
You must update route table in each VPC subnet to ensure EC2 instances can communicate with each other.
What is VPC Endpoint?
VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available Amazon VPC components that allow communication between instances in an Amazon VPC and services without imposing availability risks or bandwidth constraints on network traffic.
The idea is that you have services on AWS, for example, such as DynamoDB and they are accessible publicly. That means that your whole infrastructure through your NAT gateway and then your internet gateway or just directly through your internet gateway does access DynamoDB. But all this traffic goes through the public internet
and you may have other services such as CloudWatch and Amazon S3 that you also wanna access without going through the internet. You wanna access them privately.
So the idea is that you’re going to use VPC endpoints so that your instances don’t have to go through the public internet, they can just go directly through the private AWS network to these services.
What is VPC flow logs?
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose.
If you need to ping your EC2 instances from on premises, what you will need to do in your security group?
You will need to enable ICMP protocol on the inbound of your security group.
what are the two components of site to site VPN?
- Virtual Private Getaway (VGW): is the VPN connector on the AWS side of the VPN connection. it is created and attached to the VPC from where you to create site to site VPN connection.
- customer gateway (CGW): it’s a software application or physical device on customer side for the VPN connection
We have a corporate data center with a customer gateway, and then we have our VPC with our virtual private gateway. So, how do we set up the customer gateway device that is on premises? Which IP address should we use? Well, if your customer gateway is public, there is a public internet-routable IP address for your customer gateway device. Then you would use this one, and you would establish the connectivity between your VGW and your CGW using the public IP of the customer gateway.
But it’s possible for your customer gateway to also be private and have a private IP. In this case, it is very common for it to be behind a NAT device that has NAT-T enabled.
The NAT device has a public IP, and it can be used by the CGW for the connectivity. And then, the site-to-site VPN connection can be established.
The second question that can come up to the exam is that, even though this is set up, this site-to-site VPN connection will not work until you enable route propagation in your VPC within your subnets.
How many types of VPC end points are there?
VPC Endpoints
* Provisions an ENI (private IP address) as an entry
point (must attach a Security Group)
* Supports most AWS services
* $ per hour + $ per GB of data processed
* Interface Endpoint is preferred when access is required from onpremises (Site to Site VPN or Direct Connect), a different VPC or a different region
Gateway Endpoints
* Provisions a gateway and must be used as a target in a route table (does not use security groups)
* Supports both S3 and DynamoDB
* it’s Free
What is VPN CloudHub?
- Provide secure communication between multiple sites, if you have multiple VPN connections
- Low-cost hub-and-spoke model for primary or secondary network connectivity
between different locations (VPN only) - It’s a VPN connection so it goes over the public Internet
- To set it up, connect multiple VPN connections on the same VGW, setup dynamic routing and configure route tables
What is Direct Connect Gateway?
- Direct Connect Gateway is a global network device that helps establish connectivity that spans multiple VPCs spread across multiple AWS Regions. It is a globally available resource that can be created in any Region and accessed from all other Regions.
- It supports Private VIF only and does not support Public VIF.
- DX Gateway and Private VIF should be in the same AWS account, whereas the connected VPCs can be in different AWS accounts and regions.
- It can be associated with
* a Virtual Private Gateway in any VPC, Region, or Account
* a Transit Gateway for multiple VPCs in the same region
How to encrypt data on direct connect?
AWS Direct Connect does not encrypt your traffic that is in transit by default. To encrypt the data in transit that traverses AWS Direct Connect, you must establish a VPN between AWS direct connection location and the customer network.
How to achieve Direct connect - High Resiliency?
High Resiliency:
For critical production workloads that require high resiliency, it is recommended to have one connection at multiple locations. As shown in the figure above, such a topology ensures resilience to connectivity failure due to a fiber cut or a device failure as well as a complete location failure. You can use AWS Direct Connect gateway to access any AWS Region (except AWS Regions in China) from any AWS Direct Connect location.
How to achieve Direct connect - Maximum Resiliency?
Maximum resilience is achieved by having two independent connections in each locations. As shown in the figure below, such a topology provides resilience to device failure, connectivity failure, and complete location failure.
What is Transit Gateway?
AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This connection simplifies your network and puts an end to complex peering relationships. Transit Gateway acts as a highly scalable cloud router—each new connection is made only once.
Its original source but it can work cross region. It can be shared across accounts using resource access manager RAM. You can be a transit gateway across regions. You can control which VPC can talk with other VPC by using route tables.
It supports IP Multicast. It’s big clue in the exam.
IP multicast on AWS Transit Gateway makes it easy for customers to build multicast applications in the cloud and distribute data across thousands of connected Amazon Virtual Private Cloud networks. Multicast delivers a single stream of data to many users simultaneously.
What is Egress only Internet gateway?
Allows instances in your VPC outbound connections over IPv6 while preventing
the internet to initiate an IPv6 connection to your instances. This is useful for the instances in private subnet. It allows the instances to connect to the internet but it doesn’t allow any connection to the instances.
Routing table should be updated for the same.
What NAT Gateway and NAT instances can and cannot do?
NAT Gateway doesn’t support port forwarding, cannot be used as bastian host and cannot be associated with security group. NAT instance can do all of it.
