Virtual Private Cloud (VPC) Networking Flashcards

1
Q

Which of the following correctly describe NAT gateways?

a. They are redundant inside the Availability Zone
b. Must be patched
c. Scales from 5 Gbps to 45 Gbps
d. Are associated with security groups
e. Are automatically assigned an IP address

A

a. They are redundant inside the Availability Zone (Correct)
- Redundant within a single Availability Zone only; a NAT gateway does not fail over to another AZ.
c. Scales from 5 Gbps to 45 Gbps (Correct)
e. Are automatically assigned an IP address (Correct)
- A NAT gateway receives a private IP address from its subnet automatically; a public NAT gateway additionally needs an Elastic IP address that you associate with it when you create it.

b. Must be patched (Incorrect)
- NAT gateways are managed by AWS and do not need to be patched (unlike a NAT instance, which is an EC2 instance you maintain yourself).
d. Are associated with security groups (Incorrect)
- NAT gateways are not associated with security groups. To filter traffic, use the network ACL on the NAT gateway's subnet or the security groups on the instances behind it.

2
Q

True or False? You can’t have a subnet that spans multiple Availability Zones.

A

True. Each subnet resides entirely within one Availability Zone; a VPC spans all the AZs in its Region, but its subnets do not.

3
Q

Explain how to create an Availability Zone-independent architecture.

A

To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone you use, then configure the route tables so that the resources in each AZ route their internet-bound (0.0.0.0/0) traffic through the NAT gateway in that same AZ. In practice this means one private route table per AZ rather than one shared route table, so that the loss of one AZ does not take the internet path away from the others.

4
Q

True or false? If resources in multiple Availability Zones share a single NAT gateway and that NAT gateway’s Availability Zone goes down, the resources in the other Availability Zones lose internet access.

A

True. A NAT gateway is redundant only within its own Availability Zone, so a NAT gateway shared across AZs is a single point of failure for every other AZ that routes through it. The usual way this happens is a single private route table associated with subnets in several AZs.
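
The following Python script is an added example, not part of the original flashcards. It audits the failure mode described in this card: given data shaped like the output of `aws ec2 describe-subnets`, `describe-nat-gateways` and `describe-route-tables`, it flags every subnet whose 0.0.0.0/0 route leaves through a NAT gateway in a different Availability Zone, and then proposes the same-AZ mapping from the previous card (a `None` in the plan means "create a NAT gateway in this AZ"). The subnets, gateways, route tables and AZ names below are constructed for illustration, not real account data.

```python
"""Audit private-subnet default routes for cross-AZ NAT gateway dependencies.

Added example, not part of the original flashcards. The dictionaries below are
constructed samples shaped like the Subnets, NatGateways and RouteTables lists
returned by `aws ec2 describe-subnets`, `describe-nat-gateways` and
`describe-route-tables`; they are not real account data.
"""

SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-app-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-app-c", "AvailabilityZone": "us-east-1c"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-app-a",
     "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    # One table shared by two AZs: subnet-app-c silently depends on us-east-1b's NAT gateway.
    {"RouteTableId": "rtb-app-bc",
     "Associations": [{"SubnetId": "subnet-app-b"}, {"SubnetId": "subnet-app-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"}]},
]


def az_of_nat_gateways(subnets, nat_gateways):
    """Map NAT gateway id -> AZ of the subnet it lives in (available gateways only)."""
    az_by_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    return {n["NatGatewayId"]: az_by_subnet[n["SubnetId"]]
            for n in nat_gateways if n.get("State") == "available"}


def find_cross_az_nat_routes(subnets, nat_gateways, route_tables):
    """One finding per subnet whose 0.0.0.0/0 route exits via a NAT gateway in another AZ."""
    az_by_subnet = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    az_by_nat = az_of_nat_gateways(subnets, nat_gateways)
    findings = []
    for rtb in route_tables:
        default_nats = [r["NatGatewayId"] for r in rtb["Routes"]
                        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r]
        for assoc in rtb.get("Associations", []):
            subnet_id = assoc.get("SubnetId")  # the main-table association carries no SubnetId
            if subnet_id is None:
                continue
            for nat_id in default_nats:
                if az_by_nat.get(nat_id) != az_by_subnet[subnet_id]:
                    findings.append({"route_table_id": rtb["RouteTableId"],
                                     "subnet_id": subnet_id,
                                     "subnet_az": az_by_subnet[subnet_id],
                                     "nat_gateway_id": nat_id,
                                     "nat_az": az_by_nat.get(nat_id)})
    return findings


def plan_same_az_routing(subnets, nat_gateways):
    """For each subnet not hosting a NAT gateway, pick the gateway in its own AZ.

    A value of None means no NAT gateway exists in that AZ yet: create one there.
    """
    az_by_nat = az_of_nat_gateways(subnets, nat_gateways)
    nat_by_az = {az: nat_id for nat_id, az in az_by_nat.items()}
    nat_subnets = {n["SubnetId"] for n in nat_gateways}
    return {s["SubnetId"]: nat_by_az.get(s["AvailabilityZone"])
            for s in subnets if s["SubnetId"] not in nat_subnets}


if __name__ == "__main__":
    for finding in find_cross_az_nat_routes(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES):
        print("cross-AZ dependency:", finding)
    print("same-AZ plan:", plan_same_az_routing(SUBNETS, NAT_GATEWAYS))
```

Run against real data by loading the JSON from the three describe calls in place of the constructed lists; the only field the audit relies on that people tend to forget is `State`, since a NAT gateway that is `deleted` or `failed` still shows up in route tables as a blackhole.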

5
Q

Security groups are ________ .
If you send a request from your instance, the response traffic to that request is allowed to flow in regardless of the inbound security group rules. Responses to allowed inbound traffic are allowed to flow out regardless of the outbound rules.

A

stateful

- Network ACLs, by contrast, are stateless: return traffic is not tracked, so it must be explicitly allowed by rules in both directions (typically an allow for the ephemeral port range 1024-65535).

6
Q

True or False? When you create a VPC, you get a default Network ACL automatically, and by default it denies all inbound and outbound traffic for security reasons.

A

False. When you create a VPC, you get a default Network ACL automatically, but by default it allows all inbound and outbound traffic. Any filtering on a new VPC therefore comes from security groups until you tighten the Network ACL.

7
Q

True or False. By default, each custom Network ACL denies all inbound and outbound traffic until you add rules.

A

True. A custom Network ACL denies all inbound and outbound traffic until you add rules, which is the opposite of the default Network ACL’s allow-all behaviour. Associating a brand-new custom Network ACL with a subnet therefore cuts that subnet off until you add both inbound and outbound rules.

8
Q

True or False? If you don’t explicitly associate a subnet with a Network ACL, then that subnet is automatically associated with the default Network ACL.

A

True. Each subnet in your VPC must be associated with a Network ACL. If you don’t explicitly associate a subnet with a Network ACL, then that subnet is automatically associated with the default Network ACL.

9
Q

You can block IP addresses
using __________, and you don’t do that using ________

A

Network ACLs, Security Groups

- If you need to block a specific IP address or range, do it at the Network ACL level. Network ACLs support explicit deny rules; security groups have allow rules only (anything not allowed is implicitly denied), so there is no way to write "deny this IP" in a security group. Give the deny rule a lower number than any allow rule that would otherwise match the same traffic.

10
Q

True or false? In order to ensure a redundant network infrastructure, you must associate a custom Network ACL with a subnet.

A

False. Network ACL associations have nothing to do with redundancy. A subnet can be associated with only one Network ACL at a time, so when you associate a Network ACL with a subnet, the previous association is removed.

11
Q

What is the purpose of the numbers in a Network ACL?

A

Network ACLs contain a numbered list of rules that are evaluated in order, starting with the lowest number first. The first rule that matches the traffic is applied, regardless of any higher-numbered rule that would also match, and the final catch-all rule (shown as *) denies anything no numbered rule matched. Leaving gaps between rule numbers (for example 100, 200, 300) makes it possible to insert rules later without renumbering.

12
Q

True or False? Network ACLs have separate inbound and outbound rules.

A

True. Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.

13
Q

_________ is a way of directly connecting your data center to AWS. It’s useful for high-throughput workloads with lots of network traffic, and it’s helpful for when you need a stable and reliable secure connection.

A

Direct Connect

- For scenarios along the lines of "You’ve got a VPN connection, it keeps dropping out, and you need a stable and reliable connection that can handle high throughput", think of Direct Connect.
- Caveat: Direct Connect is a private link but is not encrypted by default. If confidentiality on the wire is required, run a Site-to-Site VPN over the Direct Connect connection or use MACsec where it is offered.
14
Q

_________ are used when you want to connect to AWS services privately, so that traffic stays on the AWS network instead of traversing the public internet.

A

VPC endpoints

15
Q

There are 2 types of VPC endpoints: ________ endpoints and __________ endpoints. __________ endpoints, at the moment, support only S3 and DynamoDB.

A

interface, gateway, gateway

- Interface endpoints (AWS PrivateLink) are elastic network interfaces placed in your subnets, so they get private IP addresses and can have security groups attached. Gateway endpoints are targets in a route table rather than network interfaces, and are free of charge.

16
Q

__________ allows you to connect 1 VPC with another via a direct network route using private IP addresses. Instances behave as if they were on the same private network.

A

VPC peering

17
Q

True or False? You cannot peer VPCs with other AWS accounts, only with VPCs in the same account.

A

False. You can peer VPCs with other AWS accounts, as well as other VPCs in the same account, and peering also works across Regions. The CIDR blocks of the two VPCs must not overlap, and each side needs routes pointing at the peering connection before traffic flows.

18
Q

True or False? Transitive peering works with Direct Connect as well as VPN connections, supports IP multicast, and provides an effective way of simplifying your network topology.

A

False. VPC peering is not transitive: if VPC A is peered with VPC B and VPC B with VPC C, A cannot reach C through B, and peering does not extend to B’s VPN or Direct Connect connections either. VPC peering does not support IP multicast. Peering is done in a star (hub-and-spoke) configuration: one central VPC peers individually with each of the other VPCs, and every pair needs its own peering connection and its own routes.

Transit Gateway removes the need for all of those individual peering connections. You attach each VPC, Site-to-Site VPN or Direct Connect gateway to the Transit Gateway once, and the Transit Gateway routes between all of the attachments, so everything attached can communicate directly.

19
Q

________ is a service that allows you to simplify your VPN network topology.

A

AWS VPN CloudHub

- VPN CloudHub is a hub-and-spoke arrangement built on a single virtual private gateway with multiple customer gateways (one per remote site), so that the remote sites can communicate with each other through AWS as well as with the VPC.