VPC

Question 1

What are 3 IPs that are reserved for private IPs on a network?

Answer 1

1) 10.0.0.0 - 10.255.255.255
2) 172.16.0.0 - 172.31.255.255
3) 192.168.0.0 - 192.168.255.255

Question 2

Do you have to create your own VPC when running a new EC2 instance?

Answer 2

No, all new EC2 instances can be added to AWS’s default VPC.

Question 3

What is VPC peering?

Answer 3

Allows you to join two VPCs and instances behave as if they are part of the same network.

Question 4

What is a VPC?

Answer 4

A logical data center in the cloud

Question 5

What are the 5 main components of a VPC?

Answer 5

1) IGWs (or VPGs)
2) Route tables
3) Network Access Control Lists
4) Subnets (1 subnet == 1 AZ)
5) Security groups

Question 6

Are Security groups stateful or stateless?

Answer 6

Security groups are stateful if you open one port (e.g. 22) then the outbound is allowed

Question 7

What is a NACL?

Answer 7

Network Access Control List

Question 8

Are NACL stateful or stateless?

Answer 8

Stateless. You must specify inbound and outbound IP address rules

Question 9

Is transitive allowed for VPCs?

Answer 9

No, transitive peering is not allowed. Peering must be on a one to one basis, so separate connections must be made e.g. A and D VPC connection example

Question 10

When a custom VPC is created what is created by default?

Answer 10

1) Route table
2) NACL
3) A security group (default)

Question 11

What 2 things will not be created when a custom VPC is created?

Answer 11

1) Subnet

2) Default internet gateway

Question 12

Are all assigned AZs the same for two independent AWS accounts?

Answer 12

No, they are not

Question 13

How many IP addresses are reserved within your subnet?

Answer 13

5

Question 14

What is the maximum number of internet gateways you can have in a VPC?

Answer 14

1

Question 15

What does NAT stand for?

Answer 15

Network Address Translation

Question 16

What is a NAT instance used for?

Answer 16

A NAT instance is used to allow access to the internet.

Question 17

Where must NAT instances be situated?

Answer 17

They must be situated in a public subnet. There must be a route out of the private subnet to the NAT instance in order for this to work.

Question 18

What is the most likely bottle neck of traffic in a NAT instance based network architecture?

Answer 18

The size of the NAT instance. Increase the instance size to reduce the bottle neck.

Question 19

Are NAT instances in front or behind a security group?

Answer 19

Behind

Question 20

How does a NAT gateway work?

Answer 20

An instance within your private subnet connects directly to a NAT gateway and the NAT gateway connect to the internet.

Question 21

Are NAT gateways in front or behind a security group?

Answer 21

In front

Question 22

What are the advantages of using a NAT gateway?

Answer 22

1) Implements redundancy within an AZ
2) Preferred by enterprise
3) Can scale massively up to 456GBs
4) No need to patch (unlike NAT instances)
5) Automatically assigned a public IP address

Question 23

What is NAT based AZ independent architecture? and how will it reduce the potential for failure?

Answer 23

Adding NAT gateways in each AZ and configuring routing to ensure that resources use the NAT gateway in the same AZ

Question 24

What traffic with you custom VPC default ACL allow?

Answer 24

ALL outbound and inbound traffic!

Question 25

When you create a custom ACL, by default what traffic is allowed?

Answer 25

By default custom ACLs DENIES ALL inbound and outbound traffic until you add rules

Question 26

What will happen if you do not associate a subnet in a VPC with a network ACL?

Answer 26

If you do not associate a subnet with a ACL it wiill automatically associate with the default network ACL (ALLOWS ALL OUTBOUND AND INBOUND TRAFFIC)

Question 27

Can you block IP addresses using a security group?

Answer 27

No, you can only block an IP address using a NACL

Question 28

Can you associate a network ACL with multiple subnets?

Answer 28

Yes, however a subnet can only be associated with one NACL at a time

Question 29

How does a NACL work?

Answer 29

It is comprised of a list of rules which are ordered numerically starting with the lowest numbered rule.

NACLs have separate rules for inbound and outbound traffic and each can either allow or deny traffic

Question 30

What order must allow and deny rules go in?

Answer 30

Deny rules must always go before an allow rule

Question 31

What is the minimum number of public subnets needed to deploy an internet facing load balancer?

Answer 31

2

Question 32

Can you enable VPC flow logs for peered VPCs that are not in your account?

Answer 32

No they must be within your AWS account

Question 33

Can you change the configuration of a flow log? e.g. associating a new IAM role with the flow log?

Answer 33

No, you cannot change the configuration of a flow log once created

Question 34

Is all traffic monitored within a VPC flow log?

Answer 34

No

1) traffic to/from a DNS server is not logged
2) Traffic from a windows instance for windows license activation
3) Traffic to/from instance metadata /latest/user-data/

Question 35

What is a bastion host?

Answer 35

A bastion host enables you to securely connect to your Linux instances without exposing your environment to the Internet.

Access instances in your VPC through Secure Shell (SSH) connections on Linux (inside private subnets). Bastion hosts are also configured with security groups to provide fine-grained ingress control

Question 36

Can you use NAT gateway as a bastion host?

Answer 36

No

Question 37

What is Direct connect?

Answer 37

A method to directly connect your data center to AWS.

Question 38

What is the use case for a direct connect?

Answer 38

Useful for high throughput workloads (lots of network traffic) and if you need a stable and reliable, secure connection

Question 39

What is a VPC endpoint?

Answer 39

Allows you to privately connect your VPC to supported AWS services. ** ALL WITHIN AWS ENV **

e.g. Instance > VPC gateway > S3 bucket.

Question 40

What are the 2 types of VPC endpoints?

Answer 40

1) Loads e.g. machine learning services…..

2) Gateways e.g. S3 and DynamoDB

Question 41

What are the X steps to creating own VPC?

Answer 41

1) Create subnet
- -> Select VPC > Set AZ > name subnet
2) Configure access to instances in VPC
- -> Allow auto assignment of public IPs (off by default)
3) Create an internet gateway and attach to VPC
4) Configure the route table
- -> Need to allow route out to internet > Create 2 > 1 public where you assign 0.0.0.0/0 and ;;/0 and 1 private route table for internal IP access.
5) Create EC2 instance select VPC and subnet association

Question 42

What is a VPN

Answer 42

Virtual Private Network

Lets you establish a secure and private encrypted tunnel from your network or device to the AWS global network

Question 43

What are 2 features of a VPN?

Answer 43

1) customer gateway

2) Virtual private gateway

Question 44

Are all EC2 instances assigned a private and public IP address by default?

Answer 44

Yes

Question 45

By default how many VPCs can you have per region?

Answer 45

5

Question 46

True of False… by default instances in new subnets in a custom VPC can communicate with each across an AZ

Answer 46

True

Question 47

What is the purpose of an egress only internet gateway?

Answer 47

An egress internet only internet gateway is used to allow IPv6 based traffic within a VPC access to the internet whilst denying any connection back into the VPC

Question 48

Can you conduct your own vulnerability scans on your AWS environment?

Answer 48

Yes, but some may require alerting AWS

Question 49

How many subnets can you create per VPC?

Answer 49

200

Question 50

What is a route table?

Answer 50

A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.