Virtual Private Cloud (VPC) Flashcards

(139 cards)

1
Q

What does CIDR stand for?

A

Classless Inter-Domain Routing

2
Q

A method for allocating IP addresses

A

CIDR - Classless Inter-Domain Routing

3
Q

A CIDR consists of two components:

A

Base IP
Subnet Mask

4
Q
  • Represents an IP contained in the range (XX.XX.XX.XX)
  • Example: 10.0.0.0, 192.168.0.0, …
A

Base IP

5
Q
  • Defines how many bits can change in the IP
  • Example: /0, /24, /32
  • Can take two forms:
    • /8 ⇔ 255.0.0.0
    • /16 ⇔ 255.255.0.0
    • /24 ⇔ 255.255.255.0
    • /32 ⇔ 255.255.255.255
A

Subnet Mask

6
Q

Allows part of the underlying IP to take on the next values after the base IP (the bits that are allowed to change)

A

CIDR - The Subnet Mask

7
Q

New EC2 instances are launched into the default VPC if no ______ is specified

A

subnet

8
Q

Default VPC has Internet connectivity and all EC2 instances inside it have public ________ addresses

A

IPv4

9
Q

In the default VPC, new EC2 instances also get a public and a private ____________ name

A

IPv4 DNS

10
Q

Can you have multiple VPCs in an AWS region?

A

YES (max. 5 per region – soft limit)

11
Q

Max. CIDR per VPC is ______, for each CIDR:
* Min. size is
* Max. size is

A

5
/28 (16 IP addresses)
/16 (65536 IP addresses)

12
Q

Because VPC is private, only the ________ ranges are allowed:
* 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
* 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
* 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)

A

Private IPv4

13
Q

Your VPC CIDR should ________ overlap with your other networks

A

NOT

14
Q

AWS reserves ______ IP addresses (first 4 & last 1) in each subnet

A

5

15
Q

These 5 IP addresses are __________ for use and can’t be assigned to an EC2 instance

A

not available

16
Q

What does IGW stand for?

A

Internet Gateway

17
Q
  • Allows resources (e.g., EC2 instances) in a VPC to connect to the Internet
  • It scales horizontally and is highly available and redundant
  • Must be created separately from a VPC
  • One VPC can only be attached to one IGW and vice versa
A

Internet Gateway (IGW)

18
Q

Internet Gateways on their own __________ allow Internet access

A

do not

19
Q

We can use a ________ to SSH into our private EC2 instances

A

Bastion Host

20
Q

The bastion is in the _______ which is then connected to all other ___________

A

public subnet
private subnets

21
Q

Bastion Host security group must allow inbound from the Internet on _________ from a restricted CIDR, for example the public CIDR of your corporation

A

port 22

22
Q

Security Group of the EC2 Instances must allow the Security Group of the Bastion Host, or the __________ of the Bastion host

A

private IP

23
Q

What does NAT stand for?

A

Network Address Translation

24
Q
  • Allows EC2 instances in private subnets to connect to the Internet
  • Must be launched in a public subnet
  • Must disable EC2 setting: Source/Destination Check
  • Must have an Elastic IP attached to it
  • Route Tables must be configured to route traffic from private subnets to the NAT Instance
A

NAT Instance

25
* AWS-managed NAT, higher bandwidth, high availability, no administration
* Pay per hour for usage and bandwidth
* NATGW is created in a specific Availability Zone, uses an Elastic IP
* Can’t be used by EC2 instances in the same subnet (only from other subnets)
* Requires an IGW (Private Subnet => NATGW => IGW)
* 5 Gbps of bandwidth with automatic scaling up to 45 Gbps
* No Security Groups to manage / required
NAT Gateway
26
NAT Gateway is resilient within a ___________
single Availability Zone
27
NAT Gateway with High Availability - Must create __________ in multiple AZs for fault-tolerance
multiple NAT Gateways
28
There is no cross-AZ failover needed because if an AZ goes down it _______
doesn't need NAT
29
Availability - Highly available within AZ (create in another AZ)
NAT Gateway
30
Bandwidth - Up to 45 Gbps
NAT Gateway
31
Maintenance - Managed by AWS
NAT Gateway
32
Cost - Per hour & amount of data transferred
NAT Gateway
33
Availability - Use a script to manage failover between instances
NAT Instance
34
Bandwidth - Depends on EC2 instance type
NAT Instance
35
Maintenance - Managed by you (e.g., software, OS patches, ...)
NAT Instance
36
Cost - Per hour, EC2 instance type and size, + network $
NAT Instance
37
Public IPv4 - Yes
NAT Gateway
38
Public IPv4 - Yes
NAT Instance
39
Private IPv4 - Yes
NAT Gateway
40
Private IPv4 - Yes
NAT Instance
41
Security Group - No
NAT Gateway
42
Security Group - Yes
NAT Instance
43
Use as Bastion Host - No
NAT Gateway
44
Use as Bastion Host - Yes
NAT Instance
45
What does NACL stand for?
Network Access Control List
46
Like a firewall which controls traffic from and to subnets
Network Access Control List (NACL)
47
One NACL per ________, new subnets are assigned the ________
subnet
Default NACL
48
* Rules have a number (1-32766), higher precedence with a lower number
* First rule match will drive the decision
* Example: if you define #100 ALLOW 10.0.0.10/32 and #200 DENY 10.0.0.10/32, the IP address will be allowed because 100 has a higher precedence over 200
* The last rule is an asterisk (*) and denies a request in case of no rule match
* AWS recommends adding rules by increments of 100
NACL Rules
49
Newly created NACLs will ________ everything
deny
50
NACLs are a great way of __________
blocking a specific IP address at the subnet level
51
Accepts everything inbound/outbound with the subnets it’s associated with
Default NACL
52
Instead of modifying the default NACL, you want to _______
create custom NACLs
53
* For any two endpoints to establish a connection, they must use ports
* Clients connect to a defined port, and expect a response on ________
* Different Operating Systems use different port ranges, examples:
  * IANA & MS Windows 10 → 49152–65535
  * Many Linux Kernels → 32768–60999
Ephemeral Ports
54
Security Group vs. NACLs - Operates at the instance level
Security Group
55
Security Group vs. NACLs - Supports allow rules only
Security Group
56
Security Group vs. NACLs - Stateful: return traffic is automatically allowed, regardless of any rules
Security Group
57
Security Group vs. NACLs - All rules are evaluated before deciding whether to allow traffic
Security Group
58
Security Group vs. NACLs - Applies to an EC2 instance when specified by someone
Security Group
59
Security Group vs. NACLs - Operates at the subnet level
NACL
60
Security Group vs. NACLs - Supports allow rules and deny rules
NACL
61
Security Group vs. NACLs - Stateless: return traffic must be explicitly allowed by rules (think of ephemeral ports)
NACL
62
Security Group vs. NACLs - Rules are evaluated in order (lowest to highest) when deciding whether to allow traffic, first match wins
NACL
63
Security Group vs. NACLs - Automatically applies to all EC2 instances in the subnet that it’s associated with
NACL
64
Privately connect two VPCs using AWS’ network
VPC Peering
65
Make them behave as if they were in the same network
VPC Peering
66
Must not have overlapping CIDRs
VPC Peering
67
Connection is NOT transitive (must be established for each VPC that needs to communicate with another)
VPC Peering
68
You must update route tables in each VPC’s subnets to ensure EC2 instances can communicate with each other
VPC Peering
69
You can create VPC Peering connection between VPCs in different _____?
AWS accounts/regions
70
You can reference a security group in a peered VPC _______
(works cross-account – same region)
71
Every AWS service is publicly exposed (public URL)
VPC Endpoints (AWS PrivateLink)
72
Allows you to connect to AWS services using a private network instead of using the public Internet
VPC Endpoints (AWS PrivateLink)
73
They’re redundant and scale horizontally
VPC Endpoints (AWS PrivateLink)
74
They remove the need for an IGW, NATGW, ... to access AWS Services
VPC Endpoints (AWS PrivateLink)
75
In case of issues:
* Check DNS Setting Resolution in your VPC
* Check Route Tables
VPC Endpoints (AWS PrivateLink)
76
2 types of VPC Endpoints (AWS PrivateLink)
Interface Endpoints (powered by PrivateLink)
Gateway Endpoints
77
* Provisions an ENI (private IP address) as an entry point (must attach a Security Group)
* Supports most AWS services
* $ per hour + $ per GB of data processed
Interface Endpoints (powered by PrivateLink)
78
* Provisions a gateway and must be used as a target in a route table (does not use security groups)
* Supports both S3 and DynamoDB
* Free
Gateway Endpoints
79
VPC Endpoints - ___________ is most likely going to be preferred all the time at the exam
Gateway
80
Is preferred when access is required from on-premises (Site-to-Site VPN or Direct Connect), a different VPC or a different region
Interface Endpoint
81
2 ways for Lambda in VPC accessing DynamoDB
Option 1: Access from the public Internet
Option 2 (better & free): Access from the private VPC network
82
Because Lambda is in a VPC, it needs a NAT Gateway in a public subnet and an internet gateway
Option 1: Access from the public Internet
83
* Deploy a VPC Gateway endpoint for DynamoDB
* Change the Route Tables
Option 2 (better & free): Access from the private VPC network
84
* Capture information about IP traffic going into your interfaces:
  * VPC Flow Logs
  * Subnet Flow Logs
  * Elastic Network Interface (ENI) Flow Logs
* Helps to monitor & troubleshoot connectivity issues
* Flow logs data can go to S3, CloudWatch Logs, and Kinesis Data Firehose
* Captures network information from AWS managed interfaces too: ELB, RDS, ElastiCache, Redshift, WorkSpaces, NATGW, Transit Gateway...
VPC Flow Logs
85
* VPN concentrator on the AWS side of the VPN connection
* VGW is created and attached to the VPC from which you want to create the Site-to-Site VPN connection
* Possibility to customize the ASN (Autonomous System Number)
Virtual Private Gateway (VGW)
85
2 types of AWS Site-to-Site VPN
Virtual Private Gateway (VGW)
Customer Gateway (CGW)
86
Software application or physical device on customer side of the VPN connection
Customer Gateway (CGW)
87
Provide secure communication between multiple sites, if you have multiple VPN connections
AWS VPN CloudHub
88
Low-cost hub-and-spoke model for primary or secondary network connectivity between different locations (VPN only)
AWS VPN CloudHub
89
It’s a VPN connection so it goes over the public Internet
AWS VPN CloudHub
90
To set it up, connect multiple VPN connections on the same VGW, set up dynamic routing and configure route tables
AWS VPN CloudHub
91
Provides a dedicated private connection from a remote network to your VPC
Direct Connect (DX)
92
Dedicated connection must be setup between your ________ and AWS Direct Connect locations
DC
93
You need to set up a Virtual Private Gateway on your VPC
Direct Connect (DX)
94
Access public resources (S3) and private (EC2) on same connection
Direct Connect (DX)
95
Use Cases:
* Increase bandwidth throughput - working with large data sets – lower cost
* More consistent network experience - applications using real-time data feeds
* Hybrid Environments (on prem + cloud)
Direct Connect (DX)
96
Does Direct Connect (DX) support both IPv4 and IPv6?
YES
97
If you want to set up a Direct Connect to one or more VPCs in many different regions (same account), you must use a __________
Direct Connect Gateway
98
2 Direct Connect – Connection Types
Dedicated Connections
Hosted Connections
99
* 1 Gbps, 10 Gbps and 100 Gbps capacity
* Physical ethernet port dedicated to a customer
* Request made to AWS first, then completed by AWS Direct Connect Partners
Dedicated Connections
100
* 50 Mbps, 500 Mbps, to 10 Gbps
* Connection requests are made via AWS Direct Connect Partners
* Capacity can be added or removed on demand
* 1, 2, 5, 10 Gbps available at select AWS Direct Connect Partners
Hosted Connections
101
For Direct Connect – Connection, Lead times are often longer than __________ to establish a new connection
1 month
102
Direct Connect: data in transit is _________ but is private
not encrypted
103
AWS Direct Connect + VPN provides an ________
IPsec-encrypted private connection
104
* For having transitive peering between thousands of VPCs and on-premises, hub-and-spoke (star) connection
* Regional resource, can work cross-region
* Share cross-account using Resource Access Manager (RAM)
* You can peer this across regions
* Route Tables: limit which VPC can talk with other VPC
* Works with Direct Connect Gateway, VPN connections
* Supports IP Multicast (not supported by any other AWS service)
Transit Gateway
105
Used for IPv6 only
Egress-only Internet Gateway
106
similar to a NAT Gateway but for IPv6
Egress-only Internet Gateway
107
Allows instances in your VPC to make outbound connections over IPv6 while preventing the Internet from initiating an IPv6 connection to your instances
Egress-only Internet Gateway
108
IP Range
CIDR
109
Virtual Private Cloud => we define a list of IPv4 & IPv6 CIDR
VPC
110
Tied to an AZ, we define a CIDR
Subnets
111
At the VPC level, provides IPv4 & IPv6 Internet access
Internet Gateway
112
Must be edited to add routes from subnets to the IGW, VPC Peering Connections, VPC Endpoints, ...
Route Tables
113
Public EC2 instance to SSH into, that has SSH connectivity to EC2 instances in private subnets
Bastion Host
114
Gives Internet access to EC2 instances in private subnets. Old, must be set up in a public subnet, disable Source/Destination check flag
NAT Instances
115
Managed by AWS, provides scalable Internet access to private EC2 instances, IPv4 only
NAT Gateway
116
Stateless, subnet rules for inbound and outbound, don’t forget Ephemeral Ports
NACL
117
Stateful, operate at the EC2 instance level
Security Groups
118
Connect two VPCs with non-overlapping CIDRs, non-transitive
VPC Peering
119
Provide private access to AWS Services (S3, DynamoDB, CloudFormation, SSM) within a VPC
VPC Endpoints
120
Can be set up at the VPC / Subnet / ENI level, for ACCEPT and REJECT traffic, helps identify attacks, analyze using Athena or CloudWatch Logs Insights
VPC Flow Logs
121
Set up a Customer Gateway on DC, a Virtual Private Gateway on VPC, and site-to-site VPN over public Internet
Site-to-Site VPN
122
Hub-and-spoke VPN model to connect your sites
AWS VPN CloudHub
123
Set up a Virtual Private Gateway on VPC, and establish a direct private connection to an AWS Direct Connect Location
Direct Connect
124
Set up a Direct Connect to many VPCs in different AWS regions
Direct Connect Gateway
125
* Connect services privately from your service VPC to customers' VPC
* Doesn’t need VPC Peering, public Internet, NAT Gateway, Route Tables
* Must be used with Network Load Balancer & ENI
AWS PrivateLink / VPC Endpoint Services
126
Connect EC2-Classic EC2 instances privately to your VPC
ClassicLink
127
Transitive peering connections for VPC, VPN & DX
Transit Gateway
128
Copy network traffic from ENIs for further analysis
Traffic Mirroring
129
Like a NAT Gateway, but for IPv6
Egress-only Internet Gateway
130
Protect your entire Amazon VPC
AWS Network Firewall
131
From Layer 3 to Layer 7 protection
AWS Network Firewall
132
Any direction, you can inspect:
* VPC to VPC traffic
* Outbound to Internet
* Inbound from Internet
* To/from Direct Connect & Site-to-Site VPN
AWS Network Firewall
133
Uses the AWS Gateway Load Balancer
AWS Network Firewall
134
Rules can be centrally managed cross-account by AWS Firewall Manager to apply to many ________
VPCs
135
Supports 1000s of rules:
* IP & port - example: 10,000s of IPs filtering
* Protocol – example: block the SMB protocol for outbound communications
* Stateful domain list rule groups: only allow outbound traffic to *.mycorp.com or third-party software repo
* General pattern matching using regex
AWS Network Firewall
136
Traffic filtering: Allow, drop, or alert for the traffic that matches the rules
AWS Network Firewall
137
Active flow inspection to protect against network threats with intrusion-prevention capabilities (like Gateway Load Balancer, but all managed by AWS)
AWS Network Firewall
138
AWS Network Firewall sends logs of rule matches to ___________ (3)
Amazon S3
CloudWatch Logs
Kinesis Data Firehose