VPC Flashcards Preview

Flashcards in VPC Deck (23)
1
Q

What is CIDR?

What are the 2 pieces of CIDR?

A

A method for defining IP ranges

The IP and the subnet mask /0 - /32

2
Q

How do the ranges for subnet masks work when starting at 192.168.0.0?

A

/32 => Allows for 1 IP (2^0) –> 192.168.0.0
/31 => Allows for 2 IP (2^1) –> 192.168.0.0 - 192.168.0.1
/30 => Allows for 4 IP (2^2) –> 192.168.0.0 - 192.168.0.3
/29 => Allows for 4 IP (2^2) –> 192.168.0.0 - 192.168.0.8

/28 - 16
/27 - 32
/26 - 64
/25 - 128
/24 - 256 (2 ^ 8)

/16 - (2^ 16) –> 192.168.0.0 - 192.168.255.255

/0 - All IPs

3
Q

In terms of Octets, how do CIDR ranges work?

A

If you break the IP down into 4 octets from left to right:

/32 means no octet can change (1 IP)
/24 means last octet can change (256 IPs)
/16 means last 2 octets can change (65,536 IPs)
/8 means last 3 octets can change
/0 means all octets can change.

4
Q

What are some of the important ranges for private IP addresses?

What are the min and max ranges for CIDR on a VPC?

What is the maximum number of CIDRs you can have on a VPC?

What should you be careful of when creating CIDRs?

A
10.0.0.0/8 - Big private networks
172.16.0.0/12 - AWS default VPC range
192.168.0.0/16 - Home networks

/28 - /16 (16 - 65,536)

5

That they do not overlap with other IP ranges you have defined for your other private networks, otherwise they will not be able to communicate.

5
Q

How many IPs are reserved by AWS per CIDR range?

Exam tip, if you need 29 IP addresses, what CIDR range would you choose?

A

5

/27

6
Q

What is an internet gateway?

How many internet gateways can a VPC be attached to?

How many VPCs can an internet gateway be attached to?

A

It allows resources like EC2 in a VPC to connect to the internet. However, this isn't enough on its own to provide internet access. The route tables must also be edited.

1

1

7
Q

What is the AWS default VPC CIDR range?

A

172.16.0.0/12 - AWS default VPC range

8
Q

What is a bastion host?

A

An instance you forward traffic from to reach a host on a private network

9
Q

What is Network Address Translation (NAT)?

Where must the NAT be launched from?

What setting must be disabled on the EC2 instance?

What else must it have?

A

Allows an EC2 instance in a private network to connect to the internet

A public subnet

Source/destination check

An elastic IP address associated with it

10
Q

What is a NAT gateway?

Who manages security groups for a NAT gateway?

A

AWS Managed NAT with higher bandwidth, and HA (Within a Single AZ)

There are no security groups for a NAT gateway

11
Q

How do you configure a NAT Gateway for HA?

In terms of a bastion host, what is the difference between a NAT Gateway and a NAT instance?

Does a NAT gateway work with IPv6?

A

Must create multiple NAT Gateways in multiple AZs for fault-tolerance.

A NAT gateway cannot be used as a bastion host, but a NAT instance can.

No

12
Q

What is the maximum bandwidth for a NAT Gateway?

What about for an EC2 instance?

A

45GBps

Depends on the instance type.

13
Q

What is DNS Resolution (enableDNSSupport)?

What will your application query if this is turned on?

What does the DNS Hostname setting (enableDnsHostnames) do?

What does setting these both to true enable?

A

Allows you to resolve the public DNS names within the internet via Route53.

The AWS DNS server or the reserved IP address at the base of the VPC IPv4 network range

If it is not enabled, your public instance will only have a private DNS name. If it is enabled, it will also have a public DNS name

It enables you to reach instances on a private network via a private domain name like web.mycompany.private (intranet).

14
Q

What is a NACL?

What does it mean for a NACL to be stateless?

What does it mean for a Security Group to be stateful?

What does the default NACL allow?

How many NACLs can a subnet be associated with?

How many subnets can a NACL be associated with?

What changes are needed to a NACL when adding subnets to it?

How does priority work on a NACL rule?

A

It’s like a firewall at the subnet level

It means that both requests and responses will be evaluated based on the NACL rules regardless of if a request was initially allowed or not.

It means that the SG will remember if a network packet is a response to a request that was already allowed to cross the security group. In this case the response will not be evaluated against the security group rules.

It allows everything in and everything out

1

Many

You must update the NACL rules

It is based on the rule number. The lower the number, the higher the priority. HIGHER PRIORITY RULES WILL OVERRIDE LOWER PRIORITY RULES.

15
Q

What is an ephemeral port and how does it work?

A

Clients connect to a host like a web server on a fixed port, e.g. port 80. The request is sent from an ephemeral port on the client, and the client receives the response on that same ephemeral port.

16
Q

How can you troubleshoot network connectivity between 2 endpoints?

A

By using the VPC Reachability Analyzer

17
Q

What is VPC peering?

Can 2 VPCs that are transitively connected communicate?

What else must you update in order for the VPCs to communicate?

A

Privately connect 2 VPCs using AWS network and make them behave as if they were in the same network.

No, only VPCs that are directly connected can communicate

The route tables

18
Q

What is a VPC endpoint? (Private link)

What about HA for a VPC endpoint?

What must be used with VPC endpoints?

A

Endpoints within your VPC that allow you to initiate a private connection to AWS services.

They’re redundant and scale horizontally

Network load balancer & ENI

19
Q

What are the types of VPC endpoints?

A

Interface Endpoints - Elastic network interface that has a private IP address with an attached security group. Most AWS services are supported by this.

Gateway Endpoints - Provisions a gateway and must be used as a target in a route table. Only supports S3 and Dynamo DB

20
Q

Where would you look to see a record of requests travelling through your VPC?

What’s another example of something you could check in these logs?

What are the 2 locations where these logs can be output to?

Why would you choose one output location over the other?

A

VPC flow logs.

If a request is denied.

S3 or CloudWatch Logs

If you put the data in S3, you could analyze it with Athena; in CloudWatch Logs, you could do a quick visual inspection.

21
Q

What is VPN site to site?

How do you set up a site to site VPN?

If the customer gateway is public, which IP address should you use to connect to it?

If the customer gateway is private, which IP address should you use to connect to it?

A

A connection from your VPC to an on prem network. It goes over the public internet, but the traffic is encrypted.

On the AWS side you must set up a virtual private gateway (VGW); on the on-prem side, you must set up a customer gateway.

The public IP address.

A NAT must be set up on the customer side and the VGW must connect to that.

22
Q

What is one key step when creating a site-to-site VPN?

What must you enable to allow pinging of your EC2 instance from on-prem?

A

Enabling route propagation.

ICMP

23
Q

What is AWS CloudHub?

Where does traffic from CloudHub travel?

A

Allows you to secure traffic between multiple sites.

Over the public internet.