VPC 4

Question 1

Internet Gateways

Two types of IGWs?

Answer 1

IGWs and Egress-Only IGWs

Question 2

Internet Gateways

Do IGWs support one-way / two-way IPv6 traffic?

Answer 2

Yes, plain IGW handles full IPv4 and IPv6.

Question 3

Internet Gateways

What’s an Egress-only IGW used for?

Answer 3

IPv6 only when you don’t want all internal things to be publicly-available

Question 4

Internet Gateways

What does an IGW do with IPv4 addresses?

Answer 4

All VPC IPv4 traffic is via RFC1918 addresses; IGW does STATIC NAT for their public IPs.

Question 5

Internet Gateways

What does an IGW do with IPv6 addresses?

Answer 5

Nothing: all IPv6 addresses are publicly-routable. No NATing done.

Question 6

Flow Logs

High-level, what’s in VPC Flow Logs?

Answer 6

Metadata only, no content (need packet sniffer for that)

Question 7

Flow Logs

Where can you attach a monitor?

Answer 7

All ENIs in a single VPC, one subnet in a single VPC, a specific ENI

Question 8

Flow Logs

Is Flow Logs real-time?

important

Answer 8

No, definite delay before you see them

Question 9

Flow Logs

Where does Flow Logs send it’s logs?

Answer 9

S3 or CloudWatch Logs

Question 10

Flow Logs

What filtering can you set on Flow Logs?

Answer 10

Capture all, only accepted, or only rejected

Question 11

Flow Logs

5 key parts of a Flow Log record, in order?

Answer 11

src ip, dest ip, source port, dest port, protocol

Question 12

Flow Logs

What are important values for protocol?

Answer 12

ICMP is 1, TCP is 6, UDP is 7

Question 13

Flow Logs

See entries for inbound accepted to EC2, outbound rejected. What happened?

important

Answer 13

NACL. Security Group would have accepted both or rejected both

Question 14

Flow Logs

What 4 things won’t Flow Logs capture?

Answer 14

Anything to 169.254.169.254, DHCP, AmazonProvidedDNS, Amazon Windows License