VPCs Flashcards
(104 cards)
1
Q
From a resilience perspective, what is the difference between a NAT instance and a NAT gateway?
A
A NAT instance are individual EC2 instances, NAT Gateways are highly available and spread over multiple AZs
2
Q
What do NAT instances and NAT gateways allow?
A
NAT instances and NAT gateways allow your private subnets to access the internet.
3
Q
What is a VPC?
A
Virtual Private Cloud (VPC) is a logically isolated section of AWS where you can launch resources in your own virtual network.
4
Q
What is a Bastion or jump box used for?
A
A Bastion is an instance in a public subnet that allows you to ssh to an instance in your private subnet.
5
Q
What is VPC peering?
A
VPC peering is the connection of one VPC to another via a direct network route.
VPC peering means that instances behave as if they were on the same private network
6
Q
Can VPC peering occur between regions?
A
Yes you can peer VPCs between regions
7
Q
Can subnets in a VPC span availability zones?
A
No subnets cannot span availability zones.
1 subnet = 1 availability zone
8
Q
How do you enable an instance in your private subnet to access the internet using a NAT Gateway?
A
You use a route table update to link your private subnet to the NAT Gateway which has access out to the internet
9
Q
By default, does a new NACL deny or allow all traffic?
A
By default a new NACL denies all traffic
10
Q
Are NAT Gateways or Instances resilient?
A
NAT Gateways are resilient.
NAT Instances are single EC2 instances with specially configured routing tables. They can also become overwhelmed if they are dealing with the traffic for thousands of other EC2 instances
11
Q
On what does the amount of traffic that a NAT instance can support depend?
A
The size of the instance determines the amount of traffic that a NAT instance can support
12
Q
Where is a NAT instance in relation to a security group?
A
A NAT instance will be behind a security group
13
Q
Do you need to patch NAT instances and NAT gateways?
A
You need to patch NAT instances but not NAT gateways
14
Q
Are NAT gateways redundant?
A
NAT gateways are redundant inside an AZ.
However if you have instances in multiple AZs and they share one NAT instance in a single AZ, then an outage in that AZ will mean no internet connectivity. You should use a NAT gateway in each AZ.
15
Q
When creating a new VPC does the default network ACL allow or deny all outbound and inbound traffic?
A
A default NACL automatically allows all outbound and inbound traffic.
16
Q
Do custom NACLS by default allow or deny all inbound and outbound traffic?
A
By default, all custom NACLS deny all inbound and outbound traffic
17
Q
What is the flow of traffic when using Global Accelerator?
A
Traffic from the user client > Edge Location > Global Accelerator > Endpoint Group > Endpoint
18
Q
Do you have to associate a subnet with a NACL?
A
Yes all subnets need to be associated with a NACL. If you don’t assign a NACL, then the default NACL gets associated.
19
Q
Do you block IP addresses with NACLs or Security Groups?
A
You block IP addresses with NACLs and not Security Groups
20
Q
What is the link between NACLs and Subnets?
A
You can associate a NACL with multiple subnets, but each subnet can only be associated with one NACL at any time.
21
Q
Do NACLs or Security Groups have a numbered list of rules that is evaluated in number order?
A
NACLs have a numbered list of rules that is evaluated in number order
22
Q
What are VPC Flow Logs?
A
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network instances in your VPC.
23
Q
How is VPC Flow Log data stored?
A
VPC Flow Log data is stored using CloudWatch.
24
Q
At what levels can VPC Flow Logs be created?
A
VPC Flow Logs can be created at VPC, Subnet and Network Interface levels.
25
Can you enable VPC Flow Logs for peered VPCs?
You can only enable VPC Flow Logs for peered VPCs if they are in your account.
26
Can you change the configuration of a VPC Flow Log once created?
No you cannot changed the configuration of a VPC Flow Log once created.
27
What IP traffic is not monitored by VPC Flow logs?
Traffic not monitored by VPC Flow Logs includes:
- Any traffic to AWS DNS servers
- Any Windows traffic for licence activation
- Traffic to and from 169.254.169.254 for instance metadata
- DHCP traffic
- Traffic to the reserved IP address for the default VPC router
28
What is a Bastion Host?
A Bastion Host is a specially hardened computer on a network designed and configured to withstand attacks.
It generally contains minimal applications or services and is generally used in order to connect to instances in a private subnet from a public subnet.
29
What is the difference between Bastions and NAT Gateways / NAT Instances?
Bastions are used to securely administer EC2 instances in private subnets. NAT Gateways / Instances are used to enable internet access to EC2 instances in a private subnet.
30
What is Direct Connect?
AWS Direct Connect establishes a dedicated network connection from your premises to AWS without traversing the internet.
31
When would you use Direct Connect?
You would use Direct Connect for high throughput workloads and to provide a stable, reliable and secure connection.
32
What is Global Accelerator?
Global Accelerator directs traffic to optimal endpoints over the AWS Global network to optimise performance and availability.
Rather than hopping across multiple networks, Global Accelerator allows you to leverage the AWS Network directly.
33
What are the components of Global Accelerator?
The Global Accelerator components are:
- 2 Static IP addresses to associate with your accelerator
- Accelerator
- DNS Name
- Network Zone
- Listener
- Endpoint Group
- Endpoint
34
What is a Listener?
A Listener processes inbound connections from clients to Global Accelerator based on port range and protocol that you configure.
You tell a listener on what port numbers you want to listen
35
What AWS services can endpoints be?
Endpoints can be:
- Network Load Balancers
- Application Load Balancers
- EC2 instances
- Elastic IP addresses
36
What is a VPC Endpoint?
A VPC Endpoint enables you to connect your VPC to supported AWS services without needing an Internet Gateway, NAT device or VPN connection.
37
What are the two types of VPC Endpoint?
Interface and Gateway Endpoints are the two types of VPC Endpoint.
38
What services do Gateway Endpoints currently support?
Gateway Endpoints currently support S3 and DynamoDB.
39
What is an Interface Endpoint?
An interface endpoint is an elastic network interface (ENI) with a private IP address that serves as an entry point for traffic destined to a supporting AWS service.
40
What is AWS PrivateLink?
AWS PrivateLink is a way to expose an application in your VPC to tens, hundreds or thousands of customer VPCs
41
What is required to enable PrivateLink?
PrivateLink requires a Network Load Balancer on the Service VPC and an ENI on the customer VPC.
42
What is not required to enable PrivateLink?
PrivateLink does not require any VPC peering, route tables, NAT or IGWs.
43
What does AWS Transit Gateway enable?
Transit Gateway allows you to have transitive peering between thousands of VPCs and on-premise data centres in a hub/spoke model.
44
What is VPN CloudHub?
VPN CloudHub is a means to connect together multiple sites that each have their own VPN connection.
45
Does VPN CloudHub traverse the internet?
Yes CloudHub does traverse the internet but all traffic is encrypted.
46
What are two tips to save money on Network costs?
In order to save money or Network costs:
- Use private IP addresses over public ones as this uses the AWS backbone network saving costs
- Group EC2 instances in the same AZ (although this will provide single point of failure issues)
47
What is created when you setup a new VPC?
By default a Route Table, a NACL and a Default Security Group are created when you setup a VPC.
No subnets or IGWs will be created
48
How many IGWs can you connect to your VPC?
You can only connect one IGW to your VPC
49
What should you do if your NAT instance is proving to be a bottleneck?
If your NAT instance is a bottleneck then you should increase the instance size
50
What do autoscaling groups provide?
Autoscaling groups provide high availability
51
What are the different levels on which NACLs and Security Groups operate?
NACLs operate on the subnet level whereas Security Groups operate on the instance level
52
What is the difference when connecting to other AWS services using a NAT Gateway or a VPC Endpoint?
In contrast to a NAT gateway, traffic between your VPC and other services do not leave the Amazon network when using VPC gateway endpoints.
53
What is a Gateway VPC endpoint?
A Gateway VPC endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service (S3 and DynamoDB).
54
What is the purpose of an egress-only internet gateway?
The purpose of an egress-only internet gateway is to allow IPv6 based traffic within a VPC to access the internet, whilst denying any internet based resources to connection back into the VPC.
55
By default does a Security Group include any rules?
By default, a security group includes an outbound rule that allows all outbound traffic.
56
What is an Elastic IP address?
An Elastic IP address is a public IPv4 address, which is reachable from the internet.
If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet.
57
How many VPCs can you have without asking AWS for more?
You can have up to five Amazon VPCs per AWS account per AWS Region, but you can place a support request to increase the number.
58
Does your instance retain the same public IP address when re-started?
AWS releases your instance's public IP address when it is stopped, hibernated, or terminated.
Your stopped or hibernated instance receives a new public IP address when it is started.
59
Can you run penetration tests own your AWS infrastructure?
AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for 8 services only.
You should request authorization for other simulated events.
60
What service should you think of if there is a question about peering tens, hundreds or thousands of VPCs?
For such a peering you should consider PrivateLink
61
When would you use a Gateway endpoint vs an Interface endpoint?
• Use Gateway Endpoint if the AWS service is either DynamoDB or S3.
• Use Interface Endpoint for everything else.
62
A Security group is the firewall of ???
A Security group is the firewall of EC2 Instances.
63
A Network ACL is the firewall of ???
A Network ACL is the firewall of the VPC Subnets.
64
Do NACLS or Security Groups need to be explicitly assigned?
Network ACLs are applicable at the subnet level, so any instance in the subnet with an associated NACL will follow rules of NACL. That’s not the case with security groups, security groups has to be assigned explicitly to the instance.
65
Does a Security Group or a NACL support allow rules only?
Security group supports allow rules only (by default all rules are denied).
Network ACL supports allow and deny rules. By deny rules, you could explicitly deny a certain IP address to establish a connection.
66
Does a Security Group or a NACL apply the rules in order?
All rules in a security group are applied whereas rules are applied in their order (the rule with the lower number gets processed first) in Network ACL.
67
What is the ratio of NACLs to Subnets and Security Groups to Instances?
Subnet can have only one NACL, whereas Instance can have multiple Security groups.
68
From the perspective of allowing internet connectivity to instances, what is the difference between Internet Gateways and NAT Gateways?
Internet Gateway (IGW) allows instances with public IPs to access the internet whereas NAT Gateway (NGW) allows instances with no public IPs to access the internet.
69
What is the bandwidth limit of internet connectivity with an Internet Gateway?
The only limitation on bandwidth is the size of the Amazon EC2 instance, and it applies to all traffic — internal to the VPC and out to the Internet.
70
What causes a subnet to be deemed a Public Subnet?
A subnet is deemed to be a Public Subnet if it has a Route Table that directs traffic to the Internet Gateway.
71
What are the two main differences between an Internet Gateway and a NAT Gateway?
1. A NAT Gateway allows resources in a private subnet to access the internet (think yum updates, external database connections, wget calls, OS patch, etc).
2. A NAT Gateway only works one way. The internet at large cannot get through your NAT to your private resources unless you explicitly allow it.
72
What is the bandwidth limit of internet connectivity with a NAT Gateway?
A NAT gateway supports 5 Gbps of bandwidth and automatically scales up to 45 Gbps. (a NAT Instance is limited to the bandwidth associated with the EC2 instance type).
73
Based on what does Global Accelerator route traffic to optimal AWS endpoints?
Global Accelerator routes traffic to optimal AWS endpoints based on:
- Endpoint health
- Client locations
- User-configured weights
74
What are the Global Accelerator types?
The 2 Global Accelerator types are:
- Standard Accelerator
- Custom-routing Accelerator
75
What is the routing difference between Standard and Custom-routing Global Accelerator types?
Standard Accelerators automatically route traffic to a healthy endpoint nearest your user whereas Custom-routing Accelerators allow you to use your application logic to directly route to specific EC2 endpoints.
76
What endpoint types does Global Accelerator support?
Standard Accelerators support:
- Network Load Balancers
- Application Load Balancers
- EC2
- and Elastic IPs as endpoints.
Custom-routing Accelerators support only VPC subnet endpoints
77
What must you do in order to ensure that an ip can be blocked by a NACL?
In order to ensure that an ip is blocked you need to put the rule before the http / https ALLOW rule
78
What is the ratio between NACLs and subnets?
A NACL can be associated with multiple subnets, but a subnet can only be associated with one NACL
79
What happens if you don't associated a subnet with a NACL?
If you don't associate a subnet with a NACL then it gets associated to the default NACL
80
Do you block IP addresses with Security Groups or NACLs?
You block specific IP addresses with NACLs
81
Do NACLs by default allow or deny inbound and outbound traffic?
Default NACLs allow all inbound and outbound traffic, Custom NACLs deny all inbound and outbound traffic
82
What is used to provide internet traffic to EC2 instances in private subnets?
A NAT Gateway or NAT instance is used to provide internet traffic to EC2 instances in private subnets
83
What is X-Connect?
X-Connect is how the Direct Connect routers are linked
84
What is an accelerator?
An accelerator directs traffic to optimal endpoints over the AWS global network to improve availability and performance of internet apps
Each accelerator includes one or more listeners
85
What are Global Accelerator Endpoint Groups?
An endpoint group routes requests to one or more registered endpoints in AWS Global Accelerator.
When you add a listener in a standard accelerator, you specify the endpoint groups for Global Accelerator to direct traffic to. An endpoint group, and all the endpoints in it, must be in one AWS Region. You can add different endpoint groups for different purposes, for example, for blue/green deployment testing.
86
Regarding where they are, what is the difference between an interface and gateway endpoint?
diagram
87
What are the methods available to open applications in your VPC to other VPCs?
To open your VPC to other VPCs you can:
- Open the VPC to the internet
- VPC peering
- PrivateLink Connection
88
What is the only service that supports IP multicast?
Transit Gateway is the only service that supports IP multicast
89
What is the best service to use to simplify a complicated network topology?
Transit Gateway is the best service to use to simplify a complicated topology
90
If connecting to your services using a Private IP address, is that free?
If the service you connect to is in the same AZ then there is no cost. There will be a cost if the service instance is in a different AZ
91
What architecture should you use in order to keep your networking cost free?
In order for cost free networking you should group all your EC2 instances in the same AZ.
This does mean however that you will have single point of failure concerns
92
What must you remember to do when creating a NAT instance?
When creating a NAT instance you must remember to disable source/destination check on that instance
93
Where must NAT instances be hosted?
NAT instances must be hosted in a public subnet
94
Are NAT Gateways redundant?
NAT Gateways are redundant inside the AZ
So any resources in another AZ using the Gateway should ideally use their own Gateway
95
Can VPC flow logs be enabled for VPCs that are peered with your VPC?
You can only enable Flow Logs for peered VPCs if they are in your account
96
To provide internet connectivity what are Internet and NAT Gateways connected to ?
You attach an Internet Gateway to your VPC, whereas NAT Gateways are attached to your subnets to give them a route to the internet
97
What would you use to enable an instance in your private subnet to access AWS services without leaving the AWS network?
To reach services without leaving the AWS network or going across the internet you would use a VPC Gateway Endpoint
98
What is the difference between VPC gateway endpoint and VPC interface endpoint?
A VPC Gateway Endpoint serves as a target for a route in your route table for traffic destined for the service.
A VPC Interface Endpoint uses an elastic network interface (ENI) as an entry point for traffic destined to the service.
99
What are VPC Flow Logs used for?
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
100
What is a Customer Gateway?
A customer gateway is a resource that you create in AWS that represents the physical customer gateway device in your on-premises network.
101
What is a Bastion used for?
A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet.
102
What is an Elastic IP address?
An Elastic IP address is a public IPv4 address, which is reachable from the internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet.
103
How do security groups work?
Security groups control access at the instance-level (as they are associated with network interfaces), they support "allow" rules only, and they evaluate all rules before deciding whether to allow traffic into the instance(s).
104
To where can VPC Flow Log data be published?
Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.
