VPC Flashcards
(106 cards)
1
Q
What is VPC?
A
Virtual Data Center in the cloud. Lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
2
Q
True or False. You cannot set your own IP ranges on a VPC.
A
False, you can.
3
Q
What is a bastion host?
A
A special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example, a proxy server, and all other services are removed or limited to reduce the threat to the computer.
4
Q
What can you do with VPC?
A
- Launch instances into a subnet of your choosing
- Configure route tables between subnets
- Create an internet gateway and attach it to your VPC
5
Q
What is VPC Peerings? List 4 qualities.
A
- Allows you to connect one VPC with another via a direct network route using private IP addresses
- Instances behave as if they were on the same private network
- Peering is in a star configuration ie 1 VPC peers with 4 others
- You can peer between regions
6
Q
What is transitive peering and how can you implement it?
A
The transitive property states that: If a = b and b = c, then a = c. However, you CANNOT perform transitive peering in VPC. You need to set up a new peering relationship for a to peer to c.
7
Q
True or False. You can have multiple subnets in one availability zone.
A
True.
8
Q
True or False. You can have a subnet that spans multiple availability zones.
A
False, you can only have a subnet span 1 availability zone.
9
Q
True or False. You can only have one internet gateway linked to a VPC.
A
True.
10
Q
True or False. When you create a VPC a default Route Table is the only thing created.
A
False. You create a Route Table, network Access Control List (NACL) and a default Security Group.
11
Q
True or False. Creating a VPC won’t create any subnets nor will it create a default internet gateway.
A
True.
12
Q
True or False. US-East-1A in your account is the same availability zone to US-East-1A on someone else’s account.
A
False. The availability zones are randomized.
13
Q
True or False. Amazon always reserves 2 IP addresses within your subnets.
A
False. They reserve 5.
14
Q
True or False. You can have at max 2 gateways per VPC.
A
False. You can only have 1 internet gateway per VPC.
15
Q
True or False. Security Groups can’t span VPCs.
A
True.
16
Q
What are NAT Gateways?
A
A group of EC2 instances that allows your private subnet to communicate out to the internet without becoming public.
17
Q
What are NAT instances?
A
Individual EC2 instances that allow you to connect to the internet without exposing your private subnet.
18
Q
Difference between NAT instances and NAT gateway
A
NAT Instances - single EC2 instance
NAT Gateway - a highly available gateway that allows you to have private subnets communicate out to the internet without becoming public.
19
Q
True or False. When you create a NAT instance, you must disable source/destination check on the instance.
A
True.
20
Q
True or False. NAT instances does not have to be on a public subnet.
A
False. NAT instances MUST be on a public subnet.
21
Q
True or False. There must a route out of the private subnet to the NAT instance, in order for the private subnet to have access to the internet.
A
True. You would configure this in the route tables.
22
Q
What does the amount of traffic a NAT instance can support depend on? What should you do if you’re bottlenecking?
A
The size fo the EC2 instance. If you are bottlenecking, increase the instance size.
23
Q
True or False. NAT Gateways are redundant inside the Availability zone.
A
True.
24
Q
True or False. NAT gateways need to be associated with a security group.
A
False. They are not associated with any security group.
25
True or False. NAT gateways are automatically assigned to a public IP.
True.
26
What rules are set up when you create a new Network ACL?
All traffic is denied.
27
What is an ephemeral port?
short-lived transport protocol port for IP communications
28
What order do inbound/outbound rules occur in?
Numerical order. If you have a deny, you want to make sure that you do it before an allow, because if the allow the is before the deny, the rule will not work.
29
True or False. Network ACL act first before Security Groups.
True. If you deny an IP address in Network ACL, it will never even make it to the Security Groups
30
True or False. Network ACLs are stateless.
True. You need to add inbound and outbound traffic rules separately.
31
True or False. Just like Security Groups, Network ACLs are stateful.
False. Security Groups are stateful (you inbound rules will be mimicked over to outbound rules) whereas Network ACLs are stateless - you need to explicitly state the rules for both inbound and outbound.
32
True or False. When provisioning a load balancer you need a minimum of one public subnet.
False. You need at least two public subnets.
33
What is a VPC flow log?
A feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
34
What are the three levels at which you can configure a VPC flow log?
* VPC
* Subnet
* Network interface level
35
True or False. You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.
True.
36
Is all traffic monitored on a VPC flow log?
No. The following is not:
* Traffic generated by instances when they contact the Amazon DNS server (not monitored). If you use your own DNS server, then all traffic to that DNS is logged
* Traffic generated by a Windows instance for Amazon Windows license activation is not monitored
* Traffic to and from 169.254.2169.254 for instance metadata
* DHCP traffic
* Traffic to the reserved IP address for the default VPC Router
37
What is a bastion host?
A special-purpose computer on a network specifically designed and configured to withstand attacks. Generally hosts a single application, for example, a proxy server, and all other services are removed or limited to reduce the threat to the computer.
38
True or False. A NAT Gateway or NAT Instance is used to provide internet traffic to EC2 instances in a private subnet.
True.
39
True or False. A Bastion is used to securely administer EC2 instances (using SSH or RDP).
True.
40
True or False. You can use a NAT Gateway as a Bastion Host.
False. You can NOT use a NAT Gateway as a Bastion Host.
41
What is direct connect useful for?
* Useful for high throughput workloads (lots of network traffic)
* when a high and reliable connection is needed
42
How do you configure a VPN over AWS Direct Connect?
* Create a virtual interface in the Direct Connect console. This is a **PUBLIC Virtual Interface**
* Select Public option
* Select VLAN, not in your current network
* Go to the VPC console and then to VPN connections. Create a Customer Gateway.
* Create a Virtual Private Gateway
* Attach the Virtual Private Gateway to the desired VPC.
* Select VPN connections and create new VPN Connection
* Select the virtual private gateway and the customer gateway
* Once the VPN is available, set up the VPN on the customer gateway or firewall
43
What is AWS global accelerator?
A service in which you create accelerators to improve the availability and performance of your applications for local and global users.
44
True or False. By default Global Accelerator provides you with two static IP addresses that you associate with your accelerator.
True.
45
True or False. You cannot bring your own IPs to the global accelerator.
False. You can bring your own.
46
What is the accelerator component of the global accelerator?
An accelerator directs traffic to optimal endpoints over the AWS global net3work to improve the availability and performance of your internet applications. Each accelerator has one or more listeners.
47
True or False. The DNS name aspect is global accelerator assigning each accelerator a default DNS that points to the static IP addresses that Global Accelerator assigns to you.
True
48
What is the network zone of the Global Accelerator program?
A network zone services the static IP addresses for your accelerator from a unique IP subnet. Similar to an AWS Availability Zone, a network zone is an isolated unit with its own set of physical infrastructure.
49
What is the listener of the Global Accelerator program?
A listener processes inbound connections from clients to Global Accelerator, based on the port (or port range) and protocol that you configure.
50
What is the endpoint group of the Global Accelerator program?
* Each endpoint group is associated with a specific AWS Region.
* Endpoint groups include one or more endpoints int eh Region
* You can increase or reduce the percentage of traffic that would be otherwise directed to an endpoint group by adjusting a setting called a traffic dial
* traffic dial lets you easily do performance testing or blue/green deployment testing for new releases across different AWS Regions, for example
51
What can endpoints of the Global Accelerator program be?
Endpoints can be network load balancers, application load balancers, ec2 instances or Elastic IP Addresses.
52
What are two types of VPC Endpoints?
* Interface Endpoints
* Gateway Endpoints
53
What is an interface endpoint?
An elastic network interface with a private IP address that serves as an entry point for traffic destined to be a supported service.
54
How do you set up an interface endpoint?
Attach an ENI to an EC2, you no longer need the internet to traverse the network.
55
True or False. When using a VPC endpoint and requesting s3, you need to include region.
True.
56
What gateway endpoints are supported by VPC Endpoints?
* S3
* Dynamo DB
57
Having just created a new VPC and launching an instance into its public subnet, you realise that you have forgotten to assign a public IP to the instance during creation. What is the simplest way to make your instance reachable from the outside world?
* Create an Elastic IP and new network interface. Associate the elastic IP to the new network interface, and the new network interface to your instance.
* Associate the private IP of your instance to other public IP of the internet gateway
* Create an Elastic IP address and associate it with your instance
* Nothin - by default all instances deployed into any public subnet will automatically receive a public IP
**Create an Elastic IP address and associate it with your instance.**
Although creating a new NIC & associating an EIP also results in your instance being accessible from the internet, it leaves your instance with 2 NICs & 2 private IPs as well as the public address and is therefore not the simplest solution. By default, any user-created VPC subnet WILL NOT automatically assign public IPv4 addresses to instances – the only subnet that does this is the “default” VPC subnets automatically created by AWS in your account.
58
True or False: A subnet can span multiple Availability Zones.
False. Each subnet must reside entirely within one Availability Zone and cannot span zones.
59
Are you permitted to conduct your own vulnerability scans on your own VPC without alerting AWS first?
Depends on the type of scan and the service being scanned. Some scans can be performed without alerting AWS, some require you to alert them.
Until recently customers were not permitted to conduct penetration testing without AWS engagement. However that has changed. There are still conditions though.
60
True or False. By default, instances in new subnets in a custom VPC can communicate with each other across Availability Zones.
True. In a custom VPC with new subnets in each AZ, there is a route that supports communication across all subnets/AZs. Plus a default SG with an allow rule 'All traffic, all protocols, all ports, from anything using this default SG'.
61
True or False: You can accelerate your application by adding a second internet gateway to your VPC.
False. You may have only one internet gateway per VPC.
62
When peering VPCs, you may peer your VPC only with another VPC in your same AWS account.
False. You may peer a VPC to another VPC that's in your same account, or to any VPC in any other account.
63
Which of the following is a chief advantage of using VPC endpoints to connect your VPC to services such as S3?
* Traffic between your VPC and the other service does not leave the Amazon network
* VPC Endpoints offer a faster path through the public internet than you can realize with a NAT instance
* VPC ENdpoints require public IP addresses, offering rapid connectivity from the public internet
* VPC endpoints are dedicated hardware devices that cannot be accessed without the correct IAM credentials
**Traffic between your VPC and the other service does not leave the Amazon network.**
In contrast to a NAT gateway, traffic between your VPC and the other service does not leave the Amazon network when using VPC endpoints.
64
Which of the following allows you to SSH or RDP into an EC2 instance located in a private subnet?
* Bastion Host
* NAT instance
* NAT gateway
* Internet Gateway
**Bastion Host.**
A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don't confuse Bastions and NATs, which allow outside traffic to reach an instance in a private subnet.
65
Which of the following is true?
* Security Groups are stateful and Network Access Control Lists are stateless
* Security Groups are stateless and Network Access Control Lists are stateful
Security Groups are stateful and Network Access Control Lists are stateless.
**stateless**: This means any changes applied to an incoming rule will not be applied to the outgoing rule. e.g. If you allow an incoming port 80, you would also need to apply the rule for outgoing traffic
Security groups are **stateful** — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. For VPC security groups, this also means that responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
66
True or False. When I create a new security group, all outbound traffic is allowed by default.
True.
67
By default, how many VPCs am I allowed in each AWS region?
* 1
* 2
* 6
* 5
5
68
True or False. In Amazon VPC, an amazon instance does not retain its private IP?
False. It does retain its private IP.
69
To save administration headaches, a consultant advises that you leave all security groups in web-facing subnets open on port 22 to 0.0.0.0/0 CIDR. That way, you can connect wherever you are in the world. Is this a good security design?
* Yes
* No
No.
0.0.0.0/0 would allow ANYONE from ANYWHERE to connect to your instances. This is generally a bad plan. The phrase 'web-facing subnets' does not mean just web servers. It would include any instances in that subnet some of which you may not strangers attacking. You would only allow 0.0.0.0/0 on port 80 or 443 to to connect to your public facing Web Servers, or preferably only to an ELB. Good security starts by limiting public access to only what the customer needs. Please see the AWS Security whitepaper for complete details.
70
True or False. A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. Security groups act at the instance level, not the subnet level.
True.
71
True or False. Network ACL’s function at the instance level.
False. Network ACL’s function at the subnet level.
72
What is AWS Global Accelerator?
AWS Global Accelerator is:
* networking service that helps you improve the availability and performance of the applications that you offer to your global users
* provides static IP addresses that provide a fixed entry point to your applications and eliminate the complexity of managing specific IP addresses for different AWS Regions and Availability Zones
* always routes user traffic to the optimal endpoint based on performance, reacting instantly to changes in application health, your user’s location, and policies that you configure.
73
True or False. You can use Global Accelerator to associate the static IP addresses provided by AWS Global Accelerator to regional AWS resources or endpoints, such as Network Load Balancers, Application Load Balancers, EC2 Instances, and Elastic IP addresses.
True.
74
True or False. With AWS Global Accelerator you cannot easily move endpoints between Availability Zones or AWS Regions. If wanted, you would need to update your DNS configuration or change client-facing applications.
False. You **can** easily move endpoints between Availability Zones or AWS Regions without needing to update your DNS configuration or change client-facing applications.
75
What is a global accelerator traffic dial?
Dial traffic up or down for a specific AWS Region by **configuring a traffic dial percentage** for your endpoint groups. This is especially useful for testing performance and releasing updates.
76
True or False. Using AWS Global Accelerator, you can control the proportion of traffic directed to each endpoint within an endpoint group by assigning weights across the endpoints.
True.
77
What is AWS VPC?
A Virtual Private Cloud (VPC) is a virtual network dedicated to a single AWS account. It is logically isolated from other virtual networks in the AWS cloud, providing compute resources with security and robust networking functionality
78
True or False. An Interface endpoint uses AWS PrivateLink and is an elastic network interface (ENI) with a private IP address that serves as an entry point for traffic destined to a supported service.
True.
79
True or False. You can't use PrivateLink to connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services.
False. Using PrivateLink **you can connect** your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services.
80
An organization is extending a secure development environment into AWS. They have already secured the VPC including removing the Internet Gateway and setting up a Direct Connect connection. What else needs to be done to add encryption?
* Configure an AWS Direct Connect Gateway
* Setup a Virtual Private Gateway (VPG)
* Enable IPSec encryption on the Direct Connect connection
* Setup the Border Gateway Protocol (BGP) with encryption
**CORRECT**: "Setup a Virtual Private Gateway (VPG)" is the correct answer.
A VPG is used to setup an AWS VPN which you can use in combination with Direct Connect to encrypt all data that traverses the Direct Connect link. This combination provides an IPsec-encrypted private connection that also reduces network costs, increases bandwidth throughput, and provides a more consistent network experience than internet-based VPN connections.
**INCORRECT**: "Enable IPSec encryption on the Direct Connect connection" is incorrect. There is no option to enable IPSec encryption on the Direct Connect connection.
**INCORRECT**: "Setup the Border Gateway Protocol (BGP) with encryption" is incorrect. The BGP protocol is not used to enable encryption for Direct Connect, it is used for routing.
**INCORRECT**: "Configure an AWS Direct Connect Gateway" is incorrect. An AWS Direct Connect Gateway is used to connect to VPCs across multiple AWS regions. It is not involved with encryption.
81
A Solutions Architect is determining the best method for provisioning Internet connectivity for a data-processing application that will pull large amounts of data from an object storage system via the Internet. The solution must be redundant and have no constraints on bandwidth.
Which option satisfies these requirements?
* Create a VPC endpoint
* Deploy NAT Instances in a public subnet
* Use a NAT Gateway
* Attach an Internet Gateway
**CORRECT**: "Attach an Internet Gateway" is the correct answer.
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
An internet gateway supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic.
**INCORRECT**: "Deploy NAT Instances in a public subnet" is incorrect. NAT instances are EC2 instances that are used, in a similar way to NAT gateways, by instances in private subnets to access the Internet. However they are not redundant and are limited in bandwidth.
**INCORRECT**: "Use a NAT Gateway" is incorrect as a NAT gateway does impose a limit of 45 Gbps.
**INCORRECT**: "Create a VPC endpoint" is incorrect. A VPC endpoint is used to access public services from a VPC without traversing the Internet.
82
True or False. AWS Direct Connect has two separate charges: port-hours and Data Transfer. Pricing is per port-hour consumed for each port type. Partial port-hours consumed are billed as full hours. The account that owns the port will be charged the port-hour charges.
Data Transfer via AWS Direct Connect will be billed in the same month in which the usage occurred.
True.
83
True or False. You can advertise up to 1000 routes over each Border Gateway Protocol session using AWS Direct Connect.
False. You can advertise up to 100 routes over each Border Gateway Protocol session using AWS Direct Connect.
84
What happens if I advertise more than 100 routes over a Border Gateway Protocol session?
Your Border Gateway Protocol session will go down if you advertise more than 100 routes over a Border Gateway Protocol session. This will prevent all network traffic flowing over that virtual interface until you reduce the number of routes to less than 100.
85
What are the three main functions of the Direct Connect gateway?
First; Direct Connect gateway will **enable you to interface with VPCs in any AWS Region** (except AWS China Region), enabling you to use your AWS Direct Connect connections to interface with more than one AWS Regions.
Second; you can **share a private virtual interface to interface with up to ten Virtual Private Clouds (VPCs), enabling you to reduce the number of Border gateway Protocol sessions** between your on-premises network and AWS deployments.
Third: **By attaching transit virtual interface(s) to a Direct Connect gateway and associating Transit Gateway(s) with the Direct Connect gateway, you can share transit virtual interface(s) to interface with up to three Transit Gateways, enabling you to reduce the number of Border Gateway Protocol sessions between your on-premises network and AWS deployments.**
86
If I use Direct Connect gateway, does my traffic to the desired AWS Region go via the associated home AWS Region?
No. When using Direct Connect gateway, your traffic will take the shortest path from your Direct Connect location to the destination AWS Region and vice versa regardless of the associated home AWS Region of the Direct Connect location that you are connected at.
87
Can a VGW (associated with a VPC) be part of more than one Direct Connect gateway?
No, a VGW-VPC pair cannot be part of more than one Direct Connect gateway.
88
Can I associate multiple VGWs (each associated with a VPC) to a Direct Connect gateway?
Yes, as long as the IP CIDR blocks of the Amazon VPC associated with the Virtual Private Gateway do not overlap.
89
True or False. Direct Connect gateway enables connectivity between on-premises networks and any AWS region's VPC.
True.
90
True or False. CloudHub does not enable connectivity between on-premise network using Direct Connect or VPN within the same region the VIF is associated with the VGW directly.
False. CloudHub **enables** connectivity between on-premise network using Direct Connect or VPN within the same region the VIF is associated with the VGW directly.
91
Does Direct Connect gateway break existing CloudHub functionality for customers?
No, Direct Connect gateway does not break existing CloudHub for customers. Direct Connect gateway enables connectivity between on-premise networks and any AWS region's VPC. CloudHub enables connectivity between on-premise network using Direct Connect or VPN within the same region the VIF is associated with the VGW directly. Existing CloudHub functionality will continue to be supported.
92
I have an existing private virtual interface associated with VGW, can I associate my existing private virtual interface with Direct Connect gateway?
No, an existing private virtual interface associated with VGW cannot be associated with the Direct Connect gateway. Please create a new private virtual interface, and at the time of creation, associate with your Direct Connect gateway.
93
I have created a Direct Connect gateway with one Direct Connect Private , and three non-overlapping VGWs (each associated with a VPC), what happens if I detach one of the VGW from the VPC?
Traffic from your on-premise network to the detached VPC will stop, and VGW's association with the Direct Connect gateway will be deleted.
94
Can I send traffic from one VPC associated with a Direct Connect gateway to another VPC associated with the same Direct Connect gateway?
No, Direct Connect gateway only supports routing traffic from Direct Connect VIFs to VGW (associated with VPC). In order to send traffic between 2 VPCs, you would **configure a VPC peering connection, the same as you do today.**
95
I currently have a VPN in us-east-1 attached to a VGW. If I associate this VGW to a Direct Connect gateway, can I send traffic from that VPN to a VIF attached to the Direct Connect gateway in a different region?
No, a Direct Connect gateway will not route traffic between a VPN and a Direct Connect VIF. To enable this use case, you would create a VPN in the region of the VIF and attach the VIF and the VPN to the same VGW.
96
Can I associate multiple AWS Transit Gateways to a Direct Connect gateway?
Yes, you can associate up to three AWS Transit Gateways to a Direct Connect gateway as long as the IP CIDR blocks announced from your AWS Transit Gateways do not overlap.
97
What is Bring your own Private ASN feature?
Configurable Private Autonomous System Number (ASN). This allows customers to set the ASN on the Amazon side of the BGP session for private VIFs on any newly created Direct Connect Gateway.
98
Why can't I assign a public ASN for the Amazon half of the BGP session?
Amazon is not validating ownership of the ASNs, therefore we're limiting the Amazon-side ASN to private ASNs. We want to protect customers from BGP spoofing.
99
What is transit virtual interface?
Transit virtual interface is a type of virtual interface you can create on any AWS Direct Connect 1/2/5/10 Gbps connection. Transit virtual interface can only be attached to a Direct Connect gateway. You can use the AWS Direct Connect gateway attached with one or more transit virtual interface to interface with up to three AWS Transit Gateways in any supported AWS Regions.
Similar to the private virtual interface, you can establish one IPv4 BGP session and one IPv6 BGP session over a single transit virtual interface.
100
True or False. Transit virtual interface is a type of virtual interface you can create on any AWS Direct Connect 1/2/5/10 Gbps connection. Transit virtual interface can only be attached to a Direct Connect gateway. You can use the AWS Direct Connect gateway attached with one or more transit virtual interface to interface with up to three AWS Transit Gateways in any supported AWS Regions.
True.
101
True or False. Similar to the private virtual interface, you can establish one IPv4 BGP session and one IPv6 BGP session over a single transit virtual interface.
True.
102
What is a local zone in reference to VPCs?
A Local Zone enables your end-users to run applications that require single-digit millisecond latencies. A VPC spans all of the Availability Zones in the Region. After creating a VPC, you can add one or more subnets in each Availability Zone. You can optionally add subnets in a Local Zone, which is an AWS infrastructure deployment that places compute, storage, database, and other select services closer to your end users. It only works in certain Regions however.
103
True or False. If you want your instance in a public subnet to communicate with the internet over IPv4, it must have a public IPv4 address or an Elastic IP address (IPv4)
True.
104
True or False. If a subnet's traffic is routed to an internet gateway, the subnet is known as a internet-only subnet.
False. If a subnet's traffic is routed to an internet gateway, the subnet is known as a **public** subnet.
105
True or False. If a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet.
True.
106
True or False. If a subnet doesn't have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a Site-to-Site VPN connection, the subnet is known as a private subnet.
False. If a subnet doesn't have a route to the internet gateway, but has its traffic routed to a virtual private gateway for a Site-to-Site VPN connection, the subnet is known as a **VPN-only** subnet.
