VPC Flashcards Preview


Flashcards in VPC Deck (45)
1
Q

What configuration needs to be done on a NAT instance for it to be able to do NAT?

A

Disable Source/Destination check on the instance.

2
Q

Where does the NAT instance need to be placed? In a private or public subnet?

A

NAT instances must be in a public subnet.

3
Q

What needs to be done on the private subnet for it to be able to use a NAT instance in the public subnet?

A

There must be a route out of the private subnet to the NAT instance.

4
Q

What does the amount of traffic a NAT instance can support depend on?

A

It depends on the NAT instance size.

5
Q

How can high availability for the NAT instance be achieved?

A

You can create high availability using Auto Scaling groups, multiple subnets in different AZs, and a script to automate failover.

6
Q

What security consideration do I need to have with NAT instances?

A

The NAT instance must be behind a security group.

7
Q

What are the advantages of NAT Gateways over NAT instances?

A

  • Scale automatically up to 10 Gbps
  • No need to patch
  • Not associated with Security Groups
  • Automatically assigned a public IP address
  • No need to disable Source/Destination checks (the route tables do still need to be updated)
  • More secure than NAT instances

8
Q

What is allowed/disallowed in the default network ACL of a VPC?

A

By default, it allows all inbound and outbound traffic.

9
Q

Does a subnet need to be associated with a network ACL?

A

Yes. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

10
Q

Can a subnet be associated with multiple network ACLs?

A

No, only with one. When you associate a network ACL with a subnet, the previous association is removed.

11
Q

Can an ACL be associated with multiple subnets?

A

Yes

12
Q

How do the rules of a network ACL work?

A

Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest-numbered rule. Evaluation stops at the first rule that matches the traffic.

13
Q

Are network ACLs stateful or stateless?

A

Stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.

14
Q

Can I block a specific IP address with Security Groups or network ACLs?

A

Block IP addresses with network ACLs, not Security Groups.

15
Q

How many public subnets are needed to deploy an application load balancer?

A

At least 2.

16
Q

Can I enable Flow Logs for VPCs peered with my VPC?

A

Only if the peered VPC is in my account.

17
Q

Can I tag Flow Logs?

A

No

18
Q

Can I change a VPC Flow Log configuration after its creation?

A

No

19
Q

What traffic is not monitored in VPC Flow Logs?

A

The following traffic is not monitored:

  • Traffic from instances to Amazon DNS servers.
  • Traffic generated by a Windows instance for Windows license activation.
  • Traffic to and from 169.254.169.254 for instance metadata.
  • DHCP traffic.
  • Traffic to the reserved IP address for the default VPC router.

20
Q

How many Internet Gateways can I attach to my custom VPC?

A

1

21
Q

Are network ACLs a layer of security for instances or subnets?

A

Security Groups act like a firewall at the instance level, whereas network ACLs are an additional layer of security that act at the subnet level.

22
Q

Are you permitted to conduct your own vulnerability scans on your VPC without contacting AWS first?

A

No

23
Q

By default, how many VPCs am I allowed in each region?

A

5

24
Q

Can a subnet span multiple AZs?

A

No

25
Q

Which is a chief advantage of using VPC endpoints?

A

Traffic between your VPC and the other service does not leave the Amazon network.

26
Q

What is created automatically when a VPC is created?

A

  • Security Group
  • Network ACL
  • Route Table

27
Q

Which suffix offers the largest range of internal IP addresses? (/16, /20, /24, /28)

A

/16

28
Q

When peering VPCs, can I peer with VPCs in another account?

A

Yes

29
Q

By default, can new subnets in a custom VPC communicate with each other across AZs?

A

Yes

30
Q

How can an application in a custom VPC be allowed to communicate back to an on-premises data center?

A

Either:

  • Using a site-to-site VPN (requiring the VPC to have an Internet Gateway attached), or
  • Using Direct Connect

The VPC in which the application sits must be configured so that its IP address range does not conflict with that of the on-premises VLAN in which the back-end services sit.

31
Q

What is a Customer Gateway?

A

An Amazon VPC VPN connection links your data center (or network) to your Amazon Virtual Private Cloud (VPC). A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.

32
Q

What is a Virtual Private Gateway?

A

An Amazon VPC VPN connection links your data center (or network) to your Amazon Virtual Private Cloud (VPC). A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection. A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance.

33
Q

Are these valid options to combine and configure to establish a successful site-to-site VPN connection from your on-premises network to an AWS VPC?

  • An on-premises Customer Gateway
  • A private subnet in your VPC
  • A Virtual Private Gateway
  • A VPC with hardware VPN access

A

Yes

34
Q

Which IPs in each subnet’s CIDR block are reserved by Amazon?

A

AWS reserves both the first four and the last IP address in each subnet.

First four:

  • 10.0.0.0: Network address.
  • 10.0.0.1: VPC router.
  • 10.0.0.2: DNS…
  • 10.0.0.3: Future use.

Last:

  • 10.0.0.255: Broadcast address.

35
Q

Does the private IP address associated with an EC2 instance remain associated when the instance is stopped and restarted?

A

Yes. The private IP address remains associated with the network interface when the instance is stopped and restarted and is released when the instance is terminated.

36
Q

Does the public IP address associated with an EC2 instance remain associated when the instance is stopped and restarted?

A

No. AWS releases the public IPv4 address and assigns a new one when you restart the instance. The instance does, however, retain its associated Elastic IP addresses (if any).

37
Q

At what levels can VPC Flow Logs be created?

A

  • Network interface
  • Subnet
  • VPC

38
Q

Which component allows me to SSH or RDP into an EC2 instance located in a private subnet?

A

Bastion/Jump Host

39
Q

Can a subnet span AZs?

A

No

40
Q

What are the characteristics of a NAT Gateway?

A

  • Preferred by enterprises
  • Redundant inside an AZ
  • No patching
  • Not associated with security groups
  • Automatically assigned a public IP
  • No need to disable source and destination checks

41
Q

Can a NACL be associated with multiple subnets?

A

Yes, but a subnet can only be associated with one network ACL.

42
Q

What is Direct Connect?

A

  • Connects your data center to AWS
  • Useful for high throughput
  • Use it when you need a stable/secure connection

43
Q

What can you use to connect your VPC privately to an AWS service without an Internet Gateway, NAT, VPN connection or AWS Direct Connect connection, and without traffic leaving the AWS network?

A

VPC endpoint

44
Q

What are the two types of VPC endpoints?

A

Interface and Gateway

45
Q

What services do gateway endpoints support?

A

  • Amazon S3
  • DynamoDB