VPC Summary Flashcards

1
Q

Think of VPC as…

A

…a logical datacenter in AWS

2
Q

1 Subnet =

A

1 AZ: a subnet lives entirely in one Availability Zone (an AZ can hold many subnets)

3
Q

Security Groups are…

A

…stateful: return traffic for a connection you allowed is allowed automatically, and they have allow rules only

4
Q

Network ACLs are…

A

…stateless: return traffic is not tracked and must be permitted by its own rule

5
Q

Can you peer VPCs in same account?

A

Yes

6
Q

Can you peer VPCs in different accounts?

A

Yes

7
Q

Transitive peering?

A

No

8
Q

When creating a NAT instance…

A

…disable Source/Destination Check on the instance

9
Q

NAT instances must be in which subnet?

A

Public

10
Q

For NAT instance to work…

A

…it must have an Elastic IP address, and the private subnet's route table must have a route out (0.0.0.0/0) whose target is the NAT instance
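
The three requirements in cards 8 to 10 are easiest to see as a packet trace. The following is an added toy model, not AWS code: it implements a longest-prefix route lookup and the EC2 source/destination check, and shows which misconfiguration breaks the path. The VPC CIDR, route targets (igw-0example, eni-0nat), addresses and the Elastic IP are constructed values.

```python
"""Toy model of the NAT-instance requirements (added example, not AWS code):
a default route from the private subnet to the NAT, source/dest check off,
an Elastic IP, and placement in a public subnet. All IDs and addresses are
constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

VPC_CIDR = "10.0.0.0/16"   # constructed VPC range


@dataclass
class RouteTable:
    routes: Dict[str, str]   # destination CIDR -> target ("local", "igw-...", "eni-...")

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Longest-prefix match, the way a VPC route table picks a target."""
        addr = ip_address(dst_ip)
        best_net, best_target = None, None
        for cidr, target in self.routes.items():
            net = ip_network(cidr)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_target = net, target
        return best_target


@dataclass
class NatInstance:
    private_ip: str
    eni: str
    subnet_rt: RouteTable           # route table of the subnet the NAT sits in
    source_dest_check: bool = True  # EC2 default; must be off for a NAT
    elastic_ip: Optional[str] = None


def forward_to_internet(private_rt: RouteTable, nat: NatInstance,
                        src_ip: str, dst_ip: str) -> Tuple[str, List[str]]:
    """Trace a packet from a private-subnet instance towards dst_ip.

    Returns (outcome, trace). Only 'delivered' means the packet reaches the
    internet; every other outcome is one of the misconfigurations the cards
    warn about.
    """
    trace: List[str] = []
    target = private_rt.lookup(dst_ip)
    trace.append(f"private subnet RT: {dst_ip} -> {target}")
    if target != nat.eni:
        return "no route from private subnet to NAT", trace

    # EC2's source/destination check: while it is on, the instance only
    # accepts packets it is the source or destination of, so traffic it is
    # supposed to forward for other instances is silently dropped.
    if nat.source_dest_check and nat.private_ip not in (src_ip, dst_ip):
        trace.append("NAT dropped packet: source/dest check still enabled")
        return "dropped by source/dest check", trace

    # The NAT instance rewrites the source to its own private address ...
    trace.append(f"NAT SNAT: {src_ip} -> {nat.private_ip}")
    next_hop = nat.subnet_rt.lookup(dst_ip)
    trace.append(f"NAT subnet RT: {dst_ip} -> {next_hop}")
    if not (next_hop or "").startswith("igw-"):
        return "NAT subnet has no route to an internet gateway", trace

    # ... and the internet gateway maps that private address to the NAT's
    # Elastic IP. Without an EIP there is no routable address to map to.
    if nat.elastic_ip is None:
        trace.append("IGW: no Elastic IP mapped to NAT private address")
        return "no Elastic IP on NAT instance", trace
    trace.append(f"IGW 1:1 NAT: {nat.private_ip} -> {nat.elastic_ip}")
    return "delivered", trace


# Constructed topology: one public and one private subnet in the VPC.
PUBLIC_RT = RouteTable({VPC_CIDR: "local", "0.0.0.0/0": "igw-0example"})
PRIVATE_RT_OK = RouteTable({VPC_CIDR: "local", "0.0.0.0/0": "eni-0nat"})
PRIVATE_RT_NO_DEFAULT = RouteTable({VPC_CIDR: "local"})

NAT_CORRECT = NatInstance("10.0.1.5", "eni-0nat", PUBLIC_RT,
                          source_dest_check=False, elastic_ip="203.0.113.10")
NAT_CHECK_ON = NatInstance("10.0.1.5", "eni-0nat", PUBLIC_RT,
                           source_dest_check=True, elastic_ip="203.0.113.10")
NAT_NO_EIP = NatInstance("10.0.1.5", "eni-0nat", PUBLIC_RT, source_dest_check=False)
NAT_IN_PRIVATE = NatInstance("10.0.2.5", "eni-0nat", PRIVATE_RT_NO_DEFAULT,
                             source_dest_check=False, elastic_ip="203.0.113.10")

if __name__ == "__main__":
    cases = [("correct", PRIVATE_RT_OK, NAT_CORRECT),
             ("check on", PRIVATE_RT_OK, NAT_CHECK_ON),
             ("no EIP", PRIVATE_RT_OK, NAT_NO_EIP),
             ("no route", PRIVATE_RT_NO_DEFAULT, NAT_CORRECT),
             ("NAT in private subnet", PRIVATE_RT_OK, NAT_IN_PRIVATE)]
    for label, rt, nat in cases:
        outcome, trace = forward_to_internet(rt, nat, "10.0.2.10", "198.51.100.25")
        print(f"{label}: {outcome}")
        for line in trace:
            print("  ", line)
```

The order of the checks mirrors the packet path: the private subnet's route table is consulted first, then the NAT's own kernel (where the source/dest check lives), then the public subnet's route table, and only at the internet gateway does the missing Elastic IP bite. In a real VPC the symptom of all four mistakes is the same (timeouts from the private instance), which is why it helps to know where each one drops the packet.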

11
Q

How much traffic do NAT instances support?

A

Depends on the instance size. If bottlenecking, increase the instance size

12
Q

You can create high availability for NAT instances using…

A

…AutoScaling Groups, multiple subnets in different AZs, a script to automate failover

13
Q

T/F: NAT instances are behind a security group.

A

True

14
Q

NAT gateways…

A

…scale automatically with traffic (the original 10 Gbps ceiling has since been raised by AWS), need no patching, are not associated with security groups (only the NACL on their subnet applies), use an Elastic IP that you allocate and associate at creation, and do not need source/dest check disabled

15
Q

Default NACL…

A

…automatically created with a VPC and by default it allows all inbound and outbound traffic

16
Q

Custom NACL…

A

…denies all inbound and outbound traffic until you add rules

17
Q

T/F: Each subnet in your VPC must be associated with a network ACL

A

True

18
Q

If you don’t explicitly associate a subnet with a network ACL…

A

…the subnet is automatically associated w/ default network ACL

19
Q

Can you associate a network ACL with multiple subnets?

A

Yes, but a subnet can only be associated with one NACL at a time

20
Q

When you associate a network ACL with a subnet…

A

…the previous association is removed

21
Q

NACL rules…

A

…evaluated in order, starting with the lowest numbered rule

22
Q

NACL inbound and outbound rules are…

A

…separate. Each rule can either allow or deny traffic

23
Q

NACLs are stateless, so…

A

…responses to allowed inbound traffic are subject to the outbound rules (and vice versa), so reply traffic to the client's ephemeral port range (1024-65535) must be allowed explicitly or the connection will not complete

24
Q

Block IP addresses using…

A

…NACLs, not Security Groups: security groups have allow rules only, so they cannot express a deny for a specific address
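
Cards 15, 16 and 21 to 24 describe one evaluation model, which is easier to trust once you have run it. Below is an added toy evaluator (example code, not anything AWS ships) that walks rules lowest number first, applies the implicit '*' deny, and checks a TCP connection statelessly in both directions. The rule sets and client addresses are constructed for the demonstration.

```python
"""Toy evaluator for network ACL semantics (added example, not AWS code):
ordered rules, first match wins, implicit '*' deny, stateless replies.
All rule sets and addresses below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

EPHEMERAL = (1024, 65535)   # range AWS recommends opening for reply traffic


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order; lowest first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # remote address range the rule applies to
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def evaluate(rules: List[Rule], remote_ip: str, protocol: str, port: int) -> str:
    """Return 'allow' or 'deny' for one direction of one packet.

    Rules are walked in ascending rule number; the first rule whose protocol,
    CIDR and port range all match decides. If nothing matches, the fixed '*'
    rule applies, and that rule is deny.
    """
    addr = ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if addr not in ip_network(rule.cidr):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"


def tcp_connection_allowed(inbound: List[Rule], outbound: List[Rule],
                           client_ip: str, client_port: int,
                           server_port: int) -> Tuple[bool, str]:
    """Stateless check for a TCP connection into a subnet guarded by a NACL.

    The SYN is matched against the inbound rules (remote = client, port =
    server port). Because the NACL keeps no connection state, the SYN/ACK is
    matched independently against the outbound rules (remote = client,
    port = the client's ephemeral source port). Both must allow.
    """
    if evaluate(inbound, client_ip, "tcp", server_port) != "allow":
        return False, "request denied by inbound rules"
    if evaluate(outbound, client_ip, "tcp", client_port) != "allow":
        return False, "reply denied by outbound rules (stateless)"
    return True, "allowed in both directions"


def security_group_rule(action: str) -> str:
    """Security groups only have allow rules; a deny cannot be written.
    That is why an IP block belongs in a NACL."""
    if action != "allow":
        raise ValueError("security group rules cannot deny; use a NACL")
    return action


# --- constructed rule sets -----------------------------------------------
# Default NACL: rule 100 allows everything in both directions.
DEFAULT_NACL_IN = [Rule(100, "all", "0.0.0.0/0", 0, 65535, "allow")]
DEFAULT_NACL_OUT = [Rule(100, "all", "0.0.0.0/0", 0, 65535, "allow")]

# Custom NACL that opened HTTPS inbound but forgot the reply traffic.
CUSTOM_IN = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
CUSTOM_OUT_MISSING: List[Rule] = []          # only the implicit '*' deny
CUSTOM_OUT_FIXED = [Rule(100, "tcp", "0.0.0.0/0", *EPHEMERAL, "allow")]

# Blocking one /24 from SSH: the deny must carry a LOWER number than the allow.
BLOCK_FIRST = [
    Rule(100, "tcp", "203.0.113.0/24", 22, 22, "deny"),
    Rule(110, "tcp", "0.0.0.0/0", 22, 22, "allow"),
]
BLOCK_TOO_LATE = [
    Rule(100, "tcp", "0.0.0.0/0", 22, 22, "allow"),
    Rule(110, "tcp", "203.0.113.0/24", 22, 22, "deny"),   # never reached
]

if __name__ == "__main__":
    print(tcp_connection_allowed(DEFAULT_NACL_IN, DEFAULT_NACL_OUT, "198.51.100.7", 50432, 443))
    print(tcp_connection_allowed(CUSTOM_IN, CUSTOM_OUT_MISSING, "198.51.100.7", 50432, 443))
    print(tcp_connection_allowed(CUSTOM_IN, CUSTOM_OUT_FIXED, "198.51.100.7", 50432, 443))
    print("deny placed first:", evaluate(BLOCK_FIRST, "203.0.113.9", "tcp", 22))
    print("deny placed after allow:", evaluate(BLOCK_TOO_LATE, "203.0.113.9", "tcp", 22))
```

The two failure modes worth remembering are both visible in the output: a custom NACL with no outbound rule lets the SYN in and then drops the SYN/ACK, and a deny rule numbered higher than a broader allow is dead code because the allow matches first.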

25
Q

A NAT is used to…

A

…give EC2 instances in private subnets outbound access to the internet while accepting no inbound connections from it

26
Q

A Bastion is used to…

A

…securely administer EC2 instances using SSH or RDP in private subnets

27
Q

If you want resiliency…

A

…always have 2 public subnets and 2 private subnets. Make sure each subnet is in different AZs

28
Q

With ELBs, make sure…

A

…they are in 2 public subnets in 2 different AZs

29
Q

With Bastion hosts…

A

…put them behind an autoscaling group w/ a minimum size of 2. Use Route53 (round robin or health check) to automatically fail over

30
Q

To make NAT instances resilient…

A

…you need one in each public subnet, each with its own Elastic IP, and you need to write a script to fail over between the two. Instead, where possible, use NAT gateways