VPC

Question 1

VPC

Answer 1

Virtual Private Cloud

• Linked to specific region / CIDR range
• Public & private subnets inside VPC associated with each AZ
• Route tables to define access between internet and subnets

Question 2

IP Addresses

Answer 2

• IPv4
• • Public IPv4
• • EC2 instances get public IPs on start
• • Private IPv4 (private networks, static IPs)
• Elastic IP
• • Fixed public IPv4 addresses (ongoing cost if not used)
• IPv6

Question 3

Internet Gateway & NAT Gateways

Answer 3

• Internet gateways connect VPC to internet
• Public subnets have route to internet gateway
• NAT gateway can access internet while remaining private (route from private subnet to NAT gateway & from gateway to internet gateway

Question 4

Look up CIDRs

Answer 4

CIDR.xyz

Question 5

Network ACL for VPCs

Answer 5

NACL Network access control list

• Firewall to and from subnet level
• ALLOW and DENY
• Attached at subnet level
• Rules only include IP addresses
• Stateless

Question 6

ENI

Answer 6

Elastic Network Interface

Question 7

Security Groups w/VPCs

Answer 7

Security Groups

• Firewall controls traffic to and from an ENI / EC2 instance level
• ALLOW only
• Rules include IP addresses & other security groups
• Stateful

Question 8

VPC Flow Logs

Answer 8

*Log of IP address information
* * VPC FLow Logs
* * Subnet flow logs
* * ENI flow logs

• Helps monitor and troubleshoot
• Also captures ELBs, Elasticadche, RDS, etc.
• Send to S3, CloudWatch logs, Kinesis data firehose

Question 9

VPC Peering

Answer 9

Connect two VPC privately

• Peer them so they appear to be in the same network
• IP address must not overlap
• Not transitive. Each VPC must be added to peering conne tions

Question 10

VPC Endpoints

Answer 10

• Connect AWS services using private AWS network
• Better security, lower latency
• VPC endpoint Gateway: S# & Dynamo DB
• VPC endpoint Interface: the rest

Question 11

AWS PrivateLink

Answer 11

• Most secure & scalable way to expose a service to 1000’s of VPCs
• Doesn’t require VPC peering, internet gateway, NAT, route tables, etc.
• Requires a network load balancer (Service VPC) and ENI (Customer VPC)

Question 12

Site to Site VPN

Answer 12

• Site to Site VPN connect on-prem to VPN
• • Goes over public internet
• • Automatically encrypted
• • on-prem: Must use a customer gateway (CGW)
• • AWS side needs virtual private gateway (VPW)

Question 13

Direct Connect

Answer 13

• Direct connect (DX)
• • Establish physical connection between on-prem & AWS
• • secure, fast, and private
• • private network
• • takes at least a month due to provisioning

Question 14

Uses of Client VPN

Answer 14

• Connect from computer using OpenVPN to private network in AWS
• Connect to EC2 over private IP (like being in private VPC)

Question 15

Transit Gateway

Answer 15

• For having transitive peering between thousands of VPCV an on-prem, hub and spoke
• One single gateway provides this
• Works with direct connect gateway, VPN connections