VPC Flashcards

1
Q

Subnets and Availability Zones?

A

One subnet = one availability zone.

A subnet lives in exactly one availability zone; you cannot have a subnet that spans multiple availability zones.

2
Q

What is a security group

A

1) Your first line of defense against attackers: an instance-level packet filter.
2) It is a virtual firewall.
3) Associated with an EC2 instance (strictly, with its network interface).
4) Multiple security groups can be associated with one EC2 instance; their rules are combined.

3
Q

Security Groups are stateful

A

If you allow an inbound request, its return traffic is automatically allowed out, regardless of the outbound rules (and the same in the other direction). You do not need a matching rule for the reply; note that adding an inbound rule does not create an outbound rule, the state tracking makes it unnecessary.

4
Q

Security group denial

A

Everything is denied/blocked by default. Security group rules are allow rules only, so you select what you want to allow; you cannot write a rule that denies.

5
Q

Security Groups outbound

A

All outbound traffic is allowed by default (a new security group has a single outbound rule allowing all traffic). You can remove or restrict that rule.

6
Q

NACL State

A

Network Access Control Lists are stateless: return traffic is not tracked, so it must be explicitly allowed by a rule in the other direction.

7
Q

What is a VPC ?

A

Think of it as a virtual data centre in the cloud.

* You are given a default VPC in each region on account setup.

8
Q

What does a VPC do?

A

Lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define.
* You have complete control over your virtual networking environment. (IP Addresses, subnets, route tables and gateways)

9
Q

VPC and VPN

A

You can create hardware VPN connections (AWS Site-to-Site VPN) between your corporate data centre and your VPC and use the AWS cloud as an extension of your DC.

10
Q

How do you access a VPC?

A

1) Internet Gateway (Internet access)

2) A virtual private gateway (VPN Access)

11
Q

Subnets and Availability Zones

A

1 subnet = 1 availability zone

12
Q

Security groups and Subnets

A

Security groups can span subnets: they are scoped to the VPC and attached to instances (network interfaces), not to subnets, so instances in different subnets can share one security group.

13
Q

AWS approved Internal IP Ranges (the RFC 1918 private ranges):

A
  1. 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
  2. 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
  3. 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
14
Q

VPC limit per region ?

A

Soft limit: 5 VPCs per region (can be raised with a service quota increase request).

15
Q

Default vs Custom VPC ?

A

All subnets in a default VPC have a route to the internet (via the internet gateway), and instances launched there get a public IP address by default. A custom VPC starts with only the local route: no internet gateway and no public route until you add them.

16
Q

VPC peering

A

Allows you to connect one VPC with another via a direct network route using private IP addresses.
Instances behave as if they were on the same private network.
You can peer with VPCs in other AWS accounts as well as with other VPCs in the same account.
Peering is not transitive: if A is peered with B and B with C, A cannot reach C through B. Peering forms a hub and spoke, and every pair of VPCs that needs to talk needs its own peering connection.

17
Q

VPC consists of:

A
Internet gateways
virtual private gateways
route tables
Network Access Control Lists
Subnets
Security Groups
18
Q

IP Address Restrictions CIDR blocks:

A

The first four and the last IP address in each subnet CIDR block are reserved and cannot be assigned (five addresses per subnet): the network address, the VPC router, the Amazon-provided DNS resolver, one reserved for future use, and the broadcast address.
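
The reserved-address rule above and the private ranges from the earlier card are easy to get wrong when sizing subnets, so here is an added worked example (not from the flashcards, not AWS code) that lists the five unusable addresses of a subnet, checks a CIDR against RFC 1918, and reports subnets that fall outside the VPC CIDR or overlap each other. All CIDRs in it are constructed; the /16 to /28 bound is the AWS subnet size limit.

```python
"""Reserved addresses in a VPC subnet, RFC 1918 checks and subnet overlap.

Added example for these flashcards, not AWS code; CIDRs are constructed.
"""
import ipaddress
from itertools import combinations

# RFC 1918 private ranges (the ranges the earlier card lists as AWS-approved).
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Roles AWS documents for the first four addresses of every subnet; the last is broadcast.
FIRST_FOUR = ("network address", "VPC router", "Amazon DNS", "reserved for future use")


def reserved_addresses(cidr: str) -> dict:
    """Return the five unusable addresses of a subnet and the usable span."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    reserved = {role: str(net[i]) for i, role in enumerate(FIRST_FOUR)}
    reserved["broadcast (not supported, reserved)"] = str(net[-1])
    return {
        "reserved": reserved,
        "usable": net.num_addresses - 5,
        "first_usable": str(net[4]),
        "last_usable": str(net[-2]),
    }


def is_private(cidr: str) -> bool:
    """True if the whole CIDR sits inside one RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(r) for r in RFC1918)


def validate_subnets(vpc_cidr: str, subnet_cidrs) -> list:
    """Report subnets outside the VPC CIDR and subnets that overlap each other."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    problems = [f"{n} is outside {vpc}" for n in nets if not n.subnet_of(vpc)]
    problems += [f"{a} overlaps {b}" for a, b in combinations(nets, 2) if a.overlaps(b)]
    return problems


if __name__ == "__main__":
    info = reserved_addresses("10.0.1.0/24")
    for role, addr in info["reserved"].items():
        print(f"{addr:<14} {role}")
    print("usable:", info["usable"], info["first_usable"], "-", info["last_usable"])
    print("private?", is_private("172.31.0.0/16"), is_private("172.32.0.0/16"))
    print(validate_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24"]))
```

A /24 subnet therefore yields 251 usable addresses, not 254 as on a normal LAN, and a /28 (the smallest AWS allows) only 11; 172.32.0.0/16 fails the private check because 172.16.0.0/12 ends at 172.31.255.255.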

19
Q

VPCs and Multiple Internet Gateways

A

You can attach only one internet gateway to a VPC.

20
Q

NAT Instances

A

This is a community Amazon AMI (the NAT AMI).
Can also be used as a bastion server.
You must disable the source/destination check on the instance, otherwise it drops traffic not addressed to itself.
Must be in a public subnet.
Traffic capacity is directly correlated to the NAT instance size.
You can create HA using auto scaling groups.
You can script an automated failover.

21
Q

Nat Gateways

A

Preferred by enterprises.
Scales automatically (the course material quotes up to 10 Gbps; AWS has raised the limit since, so check the current quota).
No patching.
Not associated with a security group.
Automatically assigned a public (Elastic) IP address.
Remember to update route tables post-implementation (private subnets need a 0.0.0.0/0 route to the NAT gateway).
Higher level of security.
Managed 100% by Amazon.
No need to disable source/destination checks.

22
Q

NACL

A

Custom NACLs deny everything by default, inbound and outbound, until you add allow rules.

23
Q

NACL rule numbering

A

IPv4: by convention start at 100 and go up in increments of 100.
IPv6: by convention start at 101 and go up in increments of 100.

Rules are evaluated in order, lowest number to highest; the first matching rule applies, and the final * rule denies anything unmatched.

24
Q

Default NACL

A

Your VPC comes with a default NACL, and by default it allows all inbound / outbound traffic.

25
Q

Custom NACLs

A

Remember you need to build both inbound and outbound NACL rules. They are separate because NACLs are stateless: the return traffic of an allowed inbound connection still needs an outbound rule (typically on the ephemeral port range 1024-65535).

26
Q

NACLS and Subnets:

A

Each subnet must be associated with a NACL; if you do not associate one explicitly, the subnet uses the VPC's default NACL.

A NACL can be associated with multiple subnets, but a subnet can only be associated with a single NACL.

27
Q

NACLs vs Security Groups

A

Block IPs using NACLs, not security groups: NACLs support explicit deny rules, security groups have allow rules only.
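
The security group cards (stateful, allow-only, implicit deny) and the NACL cards (stateless, numbered rules, first match wins) describe two different packet-filter semantics. The following added example is not from the flashcards or AWS; it is a small model of both filters, with constructed addresses, ports and rules, that shows why a reply passes a security group with no outbound rule but is dropped by a NACL without an ephemeral-port rule, and why a specific source can be blocked with a low-numbered NACL deny but not with a security group at all.

```python
"""Security group (stateful, allow-only) vs network ACL (stateless, ordered).

Added example for these flashcards, not AWS code. Addresses, ports and rules
are constructed. The ephemeral range is the one AWS documents for NACL return
traffic (an assumption of this model, as is the TCP-only matching).
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str
    ports: tuple            # (from_port, to_port), matched against the packet's dport
    cidr: str               # remote side: source for inbound, destination for outbound
    action: str = "allow"   # security groups only ever allow; NACLs allow or deny
    number: int = 0         # NACL rule number; unused for security groups

    def matches(self, remote_ip: str, dport: int, proto: str) -> bool:
        lo, hi = self.ports
        return (proto == self.proto and lo <= dport <= hi
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful: an allowed packet records a flow; packets in the reverse direction
    of a recorded flow pass regardless of rules. No rule match means deny."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()  # (local_ip, local_port, remote_ip, remote_port, proto)

    def allow_inbound(self, p: Packet) -> bool:
        key = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.flows:  # reply to a connection this instance initiated
            return True
        if any(r.matches(p.src, p.dport, p.proto) for r in self.inbound):
            self.flows.add(key)
            return True
        return False

    def allow_outbound(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        if key in self.flows:  # reply to a connection accepted inbound
            return True
        if any(r.matches(p.dst, p.dport, p.proto) for r in self.outbound):
            self.flows.add(key)
            return True
        return False


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the rules for
    its direction, lowest number first; the implicit final '*' rule denies."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, remote_ip, dport, proto) -> bool:
        for r in rules:
            if r.matches(remote_ip, dport, proto):
                return r.action == "allow"
        return False

    def allow_inbound(self, p: Packet) -> bool:
        return self._evaluate(self.inbound, p.src, p.dport, p.proto)

    def allow_outbound(self, p: Packet) -> bool:
        return self._evaluate(self.outbound, p.dst, p.dport, p.proto)


def demo() -> dict:
    """Constructed traffic: an HTTPS request, its reply, and a request from a
    198.51.100.0/24 source that we want to block."""
    request = Packet("203.0.113.5", 51000, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 51000)
    unwanted = Packet("198.51.100.7", 40000, "10.0.1.10", 443)

    sg = SecurityGroup(inbound=[Rule("tcp", (443, 443), "0.0.0.0/0")], outbound=[])
    acl_no_ephemeral = NetworkAcl(
        inbound=[Rule("tcp", (443, 443), "0.0.0.0/0", number=100)], outbound=[])
    acl = NetworkAcl(
        inbound=[Rule("tcp", (443, 443), "198.51.100.0/24", action="deny", number=50),
                 Rule("tcp", (443, 443), "0.0.0.0/0", number=100)],
        outbound=[Rule("tcp", EPHEMERAL, "0.0.0.0/0", number=100)])

    return {
        "sg_request": sg.allow_inbound(request),
        "sg_reply_without_outbound_rule": sg.allow_outbound(reply),
        "sg_unwanted_source": sg.allow_inbound(unwanted),
        "nacl_reply_without_ephemeral_rule": acl_no_ephemeral.allow_outbound(reply),
        "nacl_request": acl.allow_inbound(request),
        "nacl_reply": acl.allow_outbound(reply),
        "nacl_unwanted_source": acl.allow_inbound(unwanted),
    }
```

Two details to notice: the security group reply passes only because `allow_inbound` recorded the flow first (evaluate the reply on a fresh group and it is denied), and the NACL deny for 198.51.100.0/24 only works because its number (50) is lower than the broad allow (100); numbered 200, it would never be reached.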

28
Q

VPC flow logs can be created at how many levels?

A

1) VPC
2) Subnet
3) Network Interface Level

29
Q

IP traffic not captured by VPC Flow Logs:

A

1) DNS traffic to the Amazon DNS server.
2) Traffic generated by a Windows instance for license activation.
3) Traffic to and from 169.254.169.254 for instance metadata.
4) DHCP traffic.
5) Traffic to the reserved IP address for the default VPC router.
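
Flow logs (the two cards above) are the main network telemetry in a VPC, so here is an added example, not from the flashcards or AWS, that parses records in the default version 2 format and flags external sources whose connections were rejected on several ports, the pattern a port scan leaves. The log lines are constructed; the account ID and ENI ID are placeholders, and the 10.0.0.0/16 "local" CIDR is an assumption.

```python
"""Parse VPC Flow Log records (default v2 format) and flag external sources
whose connections were rejected on several ports.

Added example for these flashcards, not AWS code. The log lines below are
constructed; account ID and ENI ID are placeholders.
"""
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 41222 22 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 41223 23 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 41224 3389 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.10 41225 445 6 1 40 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.8 10.0.1.10 51000 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.8 443 51000 6 10 8800 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.8 10.0.1.10 51001 8080 6 1 40 1700000060 1700000120 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_flow_log(text: str) -> list:
    """Split space-separated records into dicts; '-' fields become None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for k in INT_FIELDS:  # NODATA / SKIPDATA records carry '-' here
            rec[k] = None if rec[k] == "-" else int(rec[k])
        records.append(rec)
    return records


def rejected_ports_by_source(records, local_cidr: str) -> dict:
    """Destination ports rejected per external source address."""
    local = ipaddress.ip_network(local_cidr)
    ports = defaultdict(set)
    for r in records:
        if r["log_status"] != "OK" or r["action"] != "REJECT":
            continue
        if ipaddress.ip_address(r["srcaddr"]) in local:
            continue  # only traffic arriving from outside the VPC
        ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items()}


def find_port_scanners(records, local_cidr: str, min_ports: int = 3) -> dict:
    """Sources rejected on at least min_ports distinct destination ports."""
    return {src: p for src, p in rejected_ports_by_source(records, local_cidr).items()
            if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} records")
    for src, p in find_port_scanners(recs, "10.0.0.0/16").items():
        print(f"possible scan from {src}: rejected on ports {p}")
```

Two caveats follow from the cards. A REJECT record does not say whether a security group or a NACL dropped the packet; with a stateless NACL you will also see REJECTs for legitimate replies if the ephemeral outbound rule is missing. And because traffic to 169.254.169.254 is never logged, flow logs cannot show an application reaching the instance metadata service, so detection of that has to come from elsewhere.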

30
Q

VPC Endpoints

A

A gateway endpoint or an interface endpoint that lets resources in your VPC connect privately to supported AWS services (and endpoint services) without the traffic leaving the AWS network through an internet gateway, NAT device, or VPN.

31
Q

Application Load Balancers

A

You need at least two subnets in different Availability Zones to deploy an Application Load Balancer; for an internet-facing ALB they must be public subnets.

32
Q

VPC flow log tagging

A

This card (from older course material) states that you cannot tag a VPC flow log; AWS has since added tagging support for flow logs.