VPC and Network Security

Question 1

What is automatically created when creating a VPC?

Answer 1

Creating a new VPC creates a default SG, a default NACL and a route table. Nothing more

Question 2

For what are First 4 and last IP in subnet are reserved?

Answer 2

0=network addr, 1=VPC router, 2=DNS server, 3=future use, 255=broadcast

Question 3

How many IGW can each VPC have?

Answer 3

1

Question 4

What is the problem because net subnet created is first associated to default route table?

Answer 4

so don’t keep a route open to internet in default RT, instead create a new RT, add route out to IGW for Ipv4 and v6, and associate all public subnets to this RT

Question 5

What do subnets by default have disabled?

Answer 5

Subnets by default have “auto assign public IP” disabled. Enable it if launching public EC2s in that subnet

Question 6

What do you need to disable because EC2 only allows traffic for which it itself is the source or destination but NAT needs to pass-through traffic from others?

Answer 6

Remember to disable “Source/Dest check” on NAT instance (Not needed on NATGW)

Question 7

How do you allow traffic out via NAT?

Answer 7

Add a route to default RT in VPC with destination=0.0.0.0/0, target=NAT instance/NATGW

Question 8

How to get IPv4 and how IPv6?

Answer 8

NATGW does IPv4
Egress only IGW does IPv6

Question 9

What does ALB at least require?

Answer 9

!! ALB requires at least 2 subnets in 2 different AZs to be deployed for a VPC. Cannot have a single AZ ALB

Question 10

What is recommended way for private instances to access S3 etc. without going to internet via NAT?

Answer 10

A VPC Endpoint

Question 11

Are NACLS Stateful or stateless?

Answer 11

Stateless. have to open inbound and outbound separately.

Question 12

Are Security groups stateful or stateless?

Answer 12

Stateful. therefore opening inbound opens outbound ephemeral ports as needed

Question 13

Where do NACL lives?

Answer 13

Within one VPC, can be applied to multiple subnets but each subnet can be tied to only one NACL

Question 14

What is difference between new NACL and default NACL?

Answer 14

Default NACL for a VPC stats with allow all
New created NACL has all inbound and outbound on DENY

Question 15

How are rules applied in NACL?

Answer 15

In order of rule. Lower number wins in conflict –unlike IAM where most restrictive wins

Question 16

Where does CloudHSM need to be created?

Answer 16

In same region as VPC and other resources using it

Question 17

WWhat does CloudHSM create?

Answer 17

A new SG with ports 2223-2225 (to talk to EC2) so need to open these ports your own SG

Question 18

CloudHSM cluster is created in at least 2 AZ

Question 19

How to start CloudHSM?

Answer 19

1) Initialize a Hardware Security Module in one of the subnets 2) download a certification signing request (CSR) 3) sign it i.e. generate a private key, create a self-signed cert (public key) using it, sign the CSR using both keys 4) upload the signed certificate and issuing certificate (public key)

Question 20

What are the users in CloudHSM?

Answer 20

1) Precrypto Officer (PRECO) is default 2) Crypto Officer (CO) 3) Crypto User (CU) 4) Appliance User (AU)

Question 21

What is a Transit Gateway?

Answer 21

Any VPC connected to TGW automatically becomes available to every other VPC and network. Use route tables to control access

Question 22

How does traffic flow between VPC to TGW?

Answer 22

Traffic from VPCs to TGW always flows over AWS private network- including inter-region

Question 23

there are two types of VPC Endpoint available to choose. How do you choose the right one? Gateway Endpoint vs Interface Endpoint

Answer 23

Use Gateway Endpoint if the AWS service is either DynamoDB or S3.
Interface Endpoint for everything else