VPC

Question 1

True or false: Network ACLs can span multiple VPCs

Answer 1

False. A Network ACL belongs to a single VPC

Question 2

Can you associate a route table with more than one subnet?

Answer 2

Yes. Route tables can be associated with multiple subnets.

Question 3

True or false: Subnets can only be associated with one Network ACL at a time

Answer 3

True

Question 4

If a VPC-A has an Internet Gateway and is peered with VPC-B that is not internet connected, is it possible to use the peering connection for access between VPC-B and the internet?

Answer 4

No, this is called edge-to-edge routing and is not supported

Question 5

What are VPC Flow Logs?

Answer 5

Information about the traffic flowing in and out of interfaces in the VPC is stored in and can be viewed using CloudWatch logs.

Question 6

Can you change the tenancy for a VPC after it has been created?

Answer 6

No

Question 7

What is a CIDR block?

Answer 7

It is a range of IP addresses available for a subnet in a VPC

Question 8

True or false: Network ACLs can be associated with multiple subnets at the same time

Answer 8

True

Question 9

True or false: NAT Gateways scale automatically

Answer 9

True

Question 10

True or false: Every subnet must be associated with exaclty one NetworkACL

Answer 10

True. If you do not explicitly assign one, a subnet is associated with the default Network ACL for that VPC.

Question 11

When creating a Network ACL, by default is everything allowed or denied?

Answer 11

Denied

Question 12

Do NAT Gateways sit in front of or behind a Security Group? What about NAT Instances?

Answer 12

In front. NAT Instances are behind

Question 13

What is ICMP?

Answer 13

Internet control Message Protocol, which allows messaging between devices in an IP network

Question 14

True or false: A security group is limited to a single VPC

Answer 14

True

Question 15

What is VPC peering?

Answer 15

It allows you to connect a VPC to another VPC using private IP addresses.

Question 16

What protocols are supported by NAT Gateways?

Answer 16

TCP, UDP, ICMP

Question 17

What does an internet gateway do?

Answer 17

1. It provides an endpoint for internet/bound traffic that route tables can point to
2. Performs network address translation (NAT), between a public IP address and the private IP address of the instance

Question 18

A subnet which is associated with a route table containing a route to an internet gateway is known as what?

Answer 18

Public subnet

Question 19

True or false: VPCs with overlapping CIDR blocks cannot be peered

Answer 19

True

Question 20

When creating a subnet, does AWS automatically include a route to the internet from the main route table for the VPC?

Answer 20

No, you must add that yourself

Question 21

What is the definition of a VPC?

Answer 21

Virtual Private Cloud - amazon lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over this network, including selection of IP address range, subnets and network gateways

Question 22

True or false: to make a subnet public, you must associate it with an internet gateway

Answer 22

False. Route tables point to internet gateways, and subnets are associated with route tables.

Question 23

Can VPC peering occur between VPCs in different regions?

Answer 23

No

Question 24

In what order are rules evaluated in a Network ACL?

Answer 24

Numerically by rule number

Question 25

Are public IP addresses automatically assigned to instances launched within subnets in VPCs you create?

Answer 25

Not by default, but you can change the Auto-assign IP setting to Yes for the subnet. In the default VPC, they are automatically assigned.

Question 26

Can you use VPC peering across accounts?

Answer 26

Yes

Question 27

Does the default VPC automatically include a route to the internet gateway for IPv6 traffic?

Answer 27

No

Question 28

What do you do if your NAT Gateway does not have enough bandwidth to handle the traffic being sent to it?

Answer 28

Split the workload into multiple subnets and great a separate NAT Gateway for each

Question 29

Explain why you have to disable Source/Destination check when creating a NAT instance

Answer 29

Normally, ec2 instances must have source/destination checking enabled, which means that either the source or the destination of the traffic must be the Instance. However, with a NAT, the source or dest might be the subnet we are building the NAT for, so we want to disable Source/Destination Checking

Question 30

Can Network ACLs span multiple availability zones?

Answer 30

Yes, Network ACLs operate at the level of the VPC

Question 31

If the first rule in a Network ACL allows a packet, and the second rule denies it, is the packet allowed or denied?

Answer 31

It is allowed. As soon as a given packet meets the criteria of a rule, subsequent rules are not evaluated against the packet

Question 32

True or false: Flow log configurations cannot be changed once they are set up

Answer 32

True

Question 33

What is default vs dedicated tenancy?

Answer 33

Default tenancy means your VPC will share hardware with other VPCs. Dedicated tenancy mans your VPC will exist on dedicated hardware. Dedicated tenancy is much more expensive than default tenancy.

Question 34

Can Security Groups span multiple Availability Zones?

Answer 34

Yes

Question 35

What does a route table's target respresent?

Answer 35

The AWS resource that is responsible for routing the packet

Question 36

What is Network Address Translation?

Answer 36

NAT acts as a bridge between private subnets and the internet, so that they can get to the internet without allowing public access

Question 37

True or false: You can only have one internet gateway per VPC

Answer 37

True

Question 38

What is a Bastion?

Answer 38

A Bastion is an instance which is used to administer instances located in private subnets by permitting SSH and RDP traffic

Question 39

True or false: You must manually create a public IP Address when creating a NAT Gateway

Answer 39

False. Public IP addresses are assigned to NAT Gateways automatically

Question 40

What is a NAT Instance?

Answer 40

An EC2 instance that acts as a gateway to the internet for a private subnet

Question 41

What are Flow Logs?

Answer 41

Logs which capture information about the traffic going in and out of a VPC, subnet or network interface. They can be accessed from CloudWatch

Question 42

True or false: When a new subnet is created, it is automatically associated with the main route table

Answer 42

True. which is why the main route table should not offer internet access

Question 43

Does the default Network ACL that comes with a new VPC allow or deny traffic?

Answer 43

Allows it

Question 44

NACL is stateful or stateless?

Answer 44

NACLS are stateless, meaning both inbound and outbound rules will be check for entrance into the subnet.

Question 45

Can you associate a subnet with more than one route table?

Answer 45

No. A subnet can only be associated with a single route table at a time.

Question 46

What is a NAT Gateway?

Answer 46

An AWS resource which allows instances in a private subnet to connect to the internet or other AWS services, but does not allow public access

Question 47

How can you make a private subnet public?

Answer 47

The subnet is private because it is associated with a route table that does not have a route to the internet gateway. To make the subnet public, associate it with a route table that does have a route to the internet gateway

Question 48

How many VPCs are allowed per region?

Answer 48

5

Question 49

What is are some differences between a Security Group and a Network ACL?

Answer 49

1. Security Groups apply to instances, NACLs apply to entire subnets. 2. Security Groups only allow permissions, NACLs both allow and deny permissions. 3. Security Groups are stateful, meaning inbound rules apply outbound. 4. NACLs are stateless, so you must set both inbound and outbound rules.

Question 50

Are security groups stateful or stateless?

Answer 50

Stateful - This means if the inbound rule is set the outbound rule has the same settings.

Question 51

What does a route table's destination represent?

Answer 51

The IP adress range where the packet will ultimately end up

Question 52

At what three levels can flow logs operate?

Answer 52

VPC Subnet Network Interface

Question 53

How many subnets can one VPC have?

Answer 53

200, but you can submit a request to Amazon for more

Question 54

How many IP addresses does amazon reserve when you create a subnet?

Answer 54

5. So a /24 subnet which has 256 available addresses will only give you 251

Question 55

True or false: NAT Instances must have an Elastic IP to work

Answer 55

True

Question 56

When you create a new VPC, what else is created by default?

Answer 56

1. A default route table 2. A default network access control list 3. A default security group No subnets are created

Question 57

When creating a Network ACL, by default is everything alallowed or denied?

Answer 57

Denied

Question 58

True or False: NAT instances and NAT gateways are available for both IPv4 and IPv6

Answer 58

False. IPv4 only

Question 59

If you need to block incoming traffic from a specific IP address, can you do so with Security Groups, Network ACLs, both or neither

Answer 59

Network ACLs. Only Network ACLs can block traffic,

Question 60

What are differences between the default VPC and a custom VPC?

Answer 60

1. Default VPCs are user-friendly, so you can immediately start deploying resources 2. All subnets in a default VPC have a route out to the internet 3. In a default VPC, each EC2 instance has both a public and private IP address

Question 61

What is transitive peering?

Answer 61

1. There is one central VPC, and individual VPCs are peered directly with it. 2. Transitive peering allows the second VPC to then be peered with a third, allowing the first and third VPCs to share resources. This is not permitted in AWS.

Question 62

What is NACL?

Answer 62

Act like a frewall which controls traffic to and from subnet.

Question 63

What does Default NACL allow?

Answer 63

Allows everything outbound and inbound.

Question 64

How many NACL per subnet:

Answer 64

1 NACL per subnet. New subnets are assigned the Defualt NACL.

Question 65

Define NACL rules:

Answer 65

1. rule numbers 1-32766 2. Lower the number higher the presidence (eg. 1 is higher than 200) 3. (\*) denies a request in case or no rule match 4. AWS reccommends rule be 100

Question 66

Newly created NACL will:

Answer 66

Deny eveyrthing

Question 67

NACL are great for:

Answer 67

Blocking a specific IP at the subnet level.

Question 68

Route tables point to:

Answer 68

Internet gateways

Question 69

Subnets are associated with:

Answer 69

Route tables

Question 70

AWS reserves 5 IPs address:

Answer 70

First 4 and last 1 IP address in each Subnet

Question 71

* ExamTip: * If you need 29 IP addresses for EC2 instances, you can’t choose a Subnet of size /27 (32 IP):

Answer 71

• You need at least 64 IP, Subnet size /26 (64-5 = 59 \> 29,but 32-5 = 27 \< 29)

Question 72

Because VPC is priavte, only Private IP ranges allowed:

Answer 72

10.0.0.0 - 10.255.255.255 (10.0.0.0/8) ## Footnote 172. 16.0.0 - 172.31.255.255 (172.16.0.0/12) 192. 168.0.0 - 192.168.255.255 (192.168.0.0/16)

Question 73

Default AWS CIDR IP ADDR:

Answer 73

172.16.0.0/12

Question 74

How many IP addresses on Subnets are reserved:

Answer 74

5 ## Footnote • Ex, if CIDR block 10.0.0.0/24, reserved IP are: 10. 0.0.0: Network address 10. 0.0.1: Reserved by AWS for the VPC router 10. 0.0.2: Reserved by AWS for mapping to Amazon-provided DNS 10. 0.0.3: Reserved by AWS for future use 10. 0.0.255:Network broadcast address.AWS does not support broadcast in aVPC, therefore the address is reserved

Question 76

Max CIDR per VPC:

Answer 76

5

Question 77

Max VPc in region:

Answer 77

5 (soft limit)

Question 78

VPC CIDR IP overlap:

Answer 78

VPC CIDR should not overlap with other networks.

Question 79

VPC CIDR Max size:

Answer 79

Max size is /16 = 65,536 IP addr.

Question 80

VPC CIDR Min size:

Answer 80

Min size is /28 = 16 IP addresses

Question 81

VPC defaults:

Answer 81

1• All new accounts have a default VPC 2• New instances are launched into default VPC if no subnet is specified 3• Default VPC have internet connectivity and all instances have public IP 4• We also get a public and a private DNS name