AWS VPC


VPC Endpoints: what is gateway endpoint?

A gateway endpoint is a gateway that you specify as a target for a route in your route table for traffic destined to a supported AWS service. Supported for S3 and DynamoDB

What is an Internet Gateway?

A gateway that you attach to your VPC to enable communication between resources in your VPC and the internet. This is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

What is the name given to an isolated unit with its own set of physical infrastructure which is used to provide global accelerator services?

Similar to Availability Zones, network zones are isolated units with their own set of physical infrastructure and service IP addresses from a unique IP subnet. If one IP address from a network zone becomes unavailable, due to network disruptions or IP address blocking by certain client networks, your client applications can retry using the healthy static IP address from the other isolated network zone.

Are Security groups stateful or stateless?

Stateful; this means you can only add allow rules (not deny rules).

Are Network Access Control Lists stateful or stateless?

Stateless; this means you can add deny rules as well as allow rules.

What are the different components of a global accelerator?

Static IP Addresses, Accelerator, DNS Name, Network Zone, Listener, Endpoint Group, Endpoint

How many internet gateways can you have per VPC?

1

How many IP addresses does Amazon reserve by default within your subnet?

5

What is a NAT Instance?

A NAT instance is an EC2 instance that allows private instances to access the internet. These are out of date and likely shouldn't be used because they are a single point of failure and do not scale well.

When you create a VPC, what is created by default?

A default Route Table, Network Access Control List (NACL) and a default Security Group

Global Accelerator: what is a network zone?

A network zone services the static IP addresses for your accelerator from a unique IP subnet. Similar to an AWS Availability Zone, a network zone is an isolated unit with its own set of physical infrastructure. When you configure an accelerator, by default, Global Accelerator allocates two IPv4 addresses for it. If one IP address from a network zone becomes unavailable due to IP address blocking by certain client networks, or network disruptions, then client applications can retry on the healthy static IP address from the other isolated network zone.

What is a subnet?

A range of IP addresses in your VPC. This is a logical subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting. This logically breaks up a VPC.

What is a VPC ?

A virtual network dedicated to your AWS account. This lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

When you create a custom network ACL what are the default inbound and outbound rules?

All inbound and outbound traffic is denied by default when you create a custom NACL

VPC Endpoints: what is interface endpoint?

An interface endpoint is an elastic network interface with a private IP address from the IP address range of your subnet that serves as an entry point for traffic destined to a supported service.

What is a VPC endpoint?

Enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

How do you create a direct connect connection?

Create a virtual interface in the Direct Connect console. This is a public virtual interface.
Go to the VPC console and then to VPN Connections.
Create a customer gateway.
Create a virtual private gateway.
Attach the virtual private gateway to the desired VPC.
Select VPN Connections and create a new VPN connection.
Select the virtual private gateway and the customer gateway.
Once the VPN is available, set up the VPN on the customer gateway or firewall.

A VPN connection consists of which of the following components?

Customer Gateway (to connect to the customer's system) and Virtual Private Gateway (contains information regarding the AWS side of the VPN)

Global Accelerator: what is an endpoint group?

Each one of these is associated with a specific AWS Region. These include one or more endpoints in the Region. You can increase or reduce the percentage of traffic that would be otherwise directed to one of these by adjusting a setting called a traffic dial. The traffic dial lets you easily do performance testing or blue/green deployment testing, for example, for new releases across different AWS Regions.

What is the difference between a public and private subnet?

If a subnet is associated with a route table that has a route to an internet gateway, it's known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it's known as a private subnet.

What is the advantage of running your AWS VPN connection through your Direct Connect connection over using the ordinary Internet?

It is likely that if you choose to run your VPN through a Direct Connect connection from your datacenter to the AWS network, your VPN connection will be both faster and more secure.

What does a Global Accelerator DNS name look like?

It looks similar to randomcharacters.awsglobalaccelerator.com

What's the ratio of subnets to availability zones?

It's one to one: 1 subnet = 1 AZ

Can a VPC not be associated with a network ACL?

No, a VPC must be associated with a network ACL. If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

Can security groups span VPCs?

No, security groups cannot span VPCs

Is peering transitive in VPCs?

No, there is no transitive peering. You must create a peering connection between VPCs if you want them to interact.

When you create a VPC are subnets or internet gateways created?

No, when you create a VPC, a default internet gateway and subnet are not created.

Can you use a NAT gateway as a bastion host?

No, you cannot

NAT gateway best practice: if you have resources in multiple AZs, how many NAT gateways should you have?

One for each AZ for high availability. In the event that the NAT gateway's Availability Zone is down, resources in the other Availability Zones will lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each AZ and configure your routing to ensure that resources use the NAT gateway in the same AZ.

How many network ACLs can a subnet be associated with?

Only one; a subnet cannot be associated with more than one NACL. If you associate a NACL with a subnet, the subnet's previous association is removed.

VPC Endpoints: what is an endpoint service?

Your own application in your VPC. Other AWS principals can create a connection from their VPC to your endpoint service.

What is a NAT gateway?

These are redundant inside the Availability Zone, not a single instance.
You can only have one NAT gateway per AZ.
Preferred by the enterprise.
Starts at 5 Gbps and scales currently to 45 Gbps.
No need to patch.
Not associated with a security group.
Automatically assigned a public IP address.
Remember to update your route tables.
No need to disable Source/Destination Checks.

What do NACLs do?

They contain a numbered list of connection/access rules that is evaluated in order, starting with the lowest-numbered rule.

Global Accelerator: what is an endpoint?

This can be a Network Load Balancer, an Application Load Balancer, an EC2 instance, or an Elastic IP address. An Application Load Balancer endpoint can be internet-facing or internal. Traffic is routed to endpoints based on configuration options that you choose, such as endpoint weights. For each endpoint, you can configure weights, which are numbers that you can use to specify the proportion of traffic to route to each one. This can be useful, for example, to do performance testing within a Region.

What is a Route Table?

This contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.

What is Direct Connect?

This is a cloud service solution that makes it easy to establish a dedicated network connection between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.

What is the UDP protocol?

This is a communications protocol that is primarily used for establishing low-latency and loss-tolerating connections between applications on the internet. It speeds up transmissions by enabling the transfer of data before an agreement is provided by the receiving party.

What is Global Accelerator?

This is a service in which you create accelerators to improve availability and performance of your applications for local and global users. This directs traffic to optimal endpoints over the AWS global network. This improves the availability and performance of your internet applications that are used by a global audience.

What is a bastion host?

This is a special-purpose computer on a network specifically designed and configured to withstand attacks. The computer generally hosts a single application, for example, a proxy server, and all other services are removed or limited to reduce the threat to the computer. It is hardened in this manner primarily due to its location and purpose, which is either on the outside of a firewall or in a demilitarized zone (DMZ) and usually involves access from untrusted networks or computers.

What is DNS (Domain Name System)?

This is a standard by which names used on the internet are resolved to their corresponding IP addresses. A DNS hostname is a name that uniquely and absolutely names a computer; it's composed of a host name and a domain name.

What is TCP/IP?

This is a suite of communication protocols used to interconnect network devices on the internet. TCP/IP can also be used as a communications protocol in a private computer network.

Global Accelerator: what is a listener?

This processes inbound connections from clients to Global Accelerator, based on the port (or port range) and protocol that you configure. Global Accelerator supports both TCP and UDP protocols. Each one of these has one or more endpoint groups associated with it, and traffic is forwarded to endpoints in one of the groups. You associate endpoint groups with one of these by specifying the Regions that you want to distribute traffic to. Traffic is distributed to optimal endpoints within the endpoint groups associated with one of these.

What does an Internet Gateway do in a VPC?

This provides a target in your VPC route tables for internet-routable traffic, and performs network address translation (NAT) for instances that have been assigned public IPv4 addresses.

How many default IP addresses does Global Accelerator provide you with?

This provides you with two default IP addresses; however, you can bring your own.

What IP traffic isn't monitored by VPC flow logs?

Traffic generated by instances when they contact the Amazon DNS server is not monitored. However, if you use your own DNS server, then all traffic to that DNS server is logged.
Traffic generated by a Windows instance for Amazon Windows license activation is not monitored.
Traffic to and from 169.254.169.254 for instance metadata is not monitored.
DHCP traffic is not monitored.
Traffic to the reserved IP address for the default VPC router is not monitored.

True or false: an Application Load Balancer must be deployed into at least two subnets.

True; ALBs must be in two subnets.

What is the benefit of Direct Connect?

Useful for high throughput workloads or if you need a stable and reliable secure connection from AWS to your data center.

What is a chief advantage of using VPC Gateway Endpoints to connect your VPC to services such as S3?

VPC Gateway Endpoints ensure that traffic between your VPC and the other service does not leave the Amazon network.

At what three levels can VPC flow logs be created?

VPC Level, Subnet Level, Network Interface Level

What are the different components of a VPC?

A VPC consists of IGWs (virtual private gateways), Route Tables, Network Access Control Lists, Subnets, and Security Groups.

What does VPC stand for?

Virtual Private Cloud

NAT Instance Tips

When creating a NAT instance, disable source/destination check on the instance.
NAT instances must be in a public subnet.
There must be a route out of the private subnet to the NAT instance in order for this to work.
The amount of traffic that NAT instances can support depends on the instance size. If you are bottlenecking, increase the instance size.
Must be behind a security group.
You can create high availability using Auto Scaling groups, multiple subnets in different AZs, and a script to automate failover... but it's not easy.

Does your VPC automatically come with a default network ACL?

Yes, it does, and by default it allows all outbound and inbound traffic.

Are AZs randomized by account?

Yes, US-East-1A in your AWS account can be a completely different Availability Zone from US-East-1A in another AWS account.

Are NACLs stateless?

Yes, they are stateless, which means responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).

Do network ACLs have inbound AND outbound rules?

Yes, they have separate inbound and outbound rules, and each rule can either allow or deny traffic.

Can you attach tags to your flow logs?

Yes, you can now tag flow logs.

How many subnets can be associated with a Network ACL?

You can associate multiple subnets with one ACL.

How can you block IP Addresses?

You can block IP addresses using Network ACLs, not Security Groups.

How do you change a flow log's configuration after it's created?

You cannot change its configuration after it's created; for example, you cannot associate a different IAM role with the flow log.

Can you enable flow logs for VPCs that are peered with your VPC?

You cannot enable flow logs for VPCs that are peered with your VPC unless the peer VPC is in your account.

When you create a VPC what else is created in your AWS environment?

A route table, a security group, and a network ACL
