Module 5 - Networking Flashcards

(74 cards)

1
Q

What is an Amazon Virtual Private Cloud (VPC)?

A

A logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

2
Q

What is a subnet in a Virtual Private Cloud?

A

A range of IP addresses in a VPC.

3
Q

What characterizes a public subnet?

A

Resources in a public subnet can access the public internet. The subnet has a direct route to an internet gateway.

4
Q

What characterizes a private subnet?

A

The subnet does NOT have a direct route to an internet gateway. Resources in a private subnet require a NAT device to access the public internet.

5
Q

True or False?

Each subnet must reside entirely within one Availability Zone and cannot span zones.

A

True.

6
Q

True or False?

A VPC spans all of the Availability Zones in a Region.

A

True. After you create a VPC, you can add one or more subnets in each Availability Zone.

7
Q

What is an internet gateway?

A

A network connection between a VPC and the public internet.

8
Q

How do you enable public traffic from the internet to a public subnet in a VPC?

A

By attaching an internet gateway to the VPC and configuring routing.

9
Q

True or False?

A resource in a public subnet must have a public IPv4 or IPv6 address to connect to the public internet.

A

True. Likewise, resources on the public internet can initiate a connection to resources in a public subnet using the public IPv4 or IPv6 address of the resource.

10
Q

Fill in the blank

If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a ________ subnet.

11
Q

Fill in the blank

If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a ________ subnet.

12
Q

What is a Virtual Private Network (VPN)?

A

A service that creates a secure, encrypted connection over a public network, e.g. the public internet. The encrypted connection is sometimes referred to as a secure tunnel.

13
Q

What is a Virtual Private Gateway?

A

The VPN endpoint on the Amazon side of a Site-to-Site VPN connection that can be attached to a single Virtual Private Cloud (VPC).

Applicable to Site-to-Site VPN.

14
Q

To establish a VPN connection to a Virtual Private Cloud (VPC), e.g. from an on-premises data center, you need what on the Amazon side?

A

A virtual private gateway, which allows traffic into the VPC only if it is coming from an approved network.

15
Q

What is AWS Client VPN?

A

A fully managed, elastic, client-based VPN service that enables secure access to AWS resources (and resources in an on-premises network) from any location using an OpenVPN-based VPN client.

16
Q

True or False?

AWS Client VPN can be used to provide access to AWS cloud resources for remote workers.

A

True. It can also be used to provide access to on-premises networks for remote workers.

17
Q

What is AWS Site-to-Site VPN?

A

Site-to-Site VPN creates a secure VPN connection between an on-premises data center or branch office and AWS Cloud resources.

18
Q

What is AWS PrivateLink?

A

A service that allows you to connect a VPC to services and resources in other VPCs using private IP addresses, as if those services and resources were hosted directly in your VPC.

19
Q

True or False?

With AWS PrivateLink, you do not need to use an internet gateway, NAT device, public IP address, Direct Connect connection, or AWS Site-to-Site VPN connection to allow communication with the remote service or resource from your private subnets.

A

True. Consumers (i.e. the consuming VPC) create VPC endpoints to connect to endpoint services and resources that are hosted by providers.

20
Q

What is AWS Direct Connect?

A

A service for establishing a dedicated private connection between an on-premises network and the AWS Cloud.

21
Q

True or False?

Direct Connect bypasses the internet.

A

True. Direct Connect links your internal network to a Direct Connect location over a standard Ethernet fiber-optic cable. A Direct Connect location provides access to AWS in the Region with which it is associated.

22
Q

When does it make sense to use Direct Connect?

A
  • For consistent, low-latency, high-bandwidth network connections.
  • For large-scale data transfer.
  • For hybrid-cloud architectures that require high performance.
23
Q

True or False?

In the AWS Direct Connect architecture, there is an endpoint at the AWS Direct Connect location that connects to your VPC’s virtual private gateway in the AWS Cloud.

A

True. There is a dedicated physical connection from the customer’s on-premises router to a router at the AWS Direct Connect location. The latter connects to an AWS Direct Connect endpoint, which connects to a virtual private gateway (attached to a VPC) in the AWS Cloud.

24
Q

When does Direct Connect make more sense than VPN?

A

When you need much higher bandwidth with a dedicated line.

25
Q

Why might a company use both VPN and Direct Connect?

A

For redundancy. If something happens to the Direct Connect dedicated connection, VPN can be used to retain access.

26
Q

What is an AWS Transit Gateway?

A

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. Each new connection is made only once.

Footnote: See [What is AWS Transit Gateway for Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) and [How AWS Transit Gateway works](https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html)

27
Q

How does AWS Transit Gateway enable global expansion?

A

Inter-Region peering connects transit gateways together using the AWS Global Infrastructure. All network traffic between AWS data centers is automatically encrypted at the physical layer.

Footnote: See [What is AWS Transit Gateway for Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) and [How AWS Transit Gateway works](https://docs.aws.amazon.com/vpc/latest/tgw/how-transit-gateways-work.html)

28
Q

What is a NAT gateway?

A

A Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, but external services can't initiate a connection with those instances.

Footnote: See [NAT gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html)

29
Q

What is Amazon API Gateway?

A

Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring, and securing REST, HTTP, and WebSocket APIs at any scale.

Footnote: See [What is Amazon API Gateway?](https://docs.aws.amazon.com/apigateway/latest/developerguide/welcome.html)

30
Q

What is a packet?

A

A unit of data sent over a network, e.g. the internet.

31
Q

How does a packet from the internet enter a VPC?

A

Through an internet gateway.

32
Q

What controls traffic permissions at the subnet level?

A

A network access control list (ACL).

The network ACL is a VPC component.

Footnote: See [Control subnet traffic with network access control lists](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) and [Network ACL rules](https://docs.aws.amazon.com/vpc/latest/userguide/nacl-rules.html)

33
Q

What is a network ACL?

A

A virtual firewall that controls inbound and outbound traffic at the subnet level.

Footnote: See [Control subnet traffic with network access control lists](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) and [Network ACL rules](https://docs.aws.amazon.com/vpc/latest/userguide/nacl-rules.html)

34
Q

Network ACLs perform what kind of packet filtering?

Stateless or stateful?

A

Stateless. They remember nothing and check both inbound and outbound packets that cross the subnet boundary.

35
Q

True or False?

Network ACLs support both allow and deny rules.

A

True.

36
Q

True or False?

Each AWS account includes a default network ACL.

A

True. By default, the default network ACL allows all inbound and outbound traffic, but it can be modified.

Footnote: See [Default network ACL for a VPC](https://docs.aws.amazon.com/vpc/latest/userguide/default-network-acl.html)
37
Q

True or False?

All network ACLs have an explicit deny rule.

A

True. This rule makes sure that if a packet doesn’t match any of the other rules on the list, the packet is denied.

38
Q

Explain how the explicit deny rule affects the default network ACL.

A

The explicit deny rule in the default network ACL has no effect because the other rules in the default network ACL explicitly allow all inbound and outbound traffic.

39
Q

Fill in the blank

For custom network ACLs, all inbound and outbound traffic is ________ until you add rules to specify which traffic to allow.

A

Denied.

Footnote: See [Custom network ACLs for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/custom-network-acl.html) and [Create a network ACL for your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/create-network-acl.html)

40
Q

In a VPC, what is a security group?

A

A virtual firewall in the VPC that controls inbound and outbound traffic for specific AWS resources, e.g. an EC2 instance.

Footnote: See [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html)

41
Q

Fill in the blanks

Network ACLs filter packets at the ________ level, while Security Groups filter packets at the ________ level.

A

Network ACLs filter packets at the **subnet** level, while Security Groups filter packets at the **resource** level.

42
Q

True or False?

When you first create a security group, by default it denies all inbound traffic and allows all outbound traffic.

A

True. But you can add, update or remove rules for a security group.

Footnote: See [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html)

43
Q

True or False?

In security groups, you can specify allow rules but not deny rules.

A

True. Any traffic that does not match an allow rule is denied.

44
Q

True or False?

A security group controls the traffic that is allowed to reach and leave the resources assigned to that security group.

A

True.

45
Q

Security groups perform ________ packet filtering.

Stateless or stateful?

A

Stateful. If you send a request from an instance, the response traffic for that request is allowed to reach the instance regardless of the inbound security group rules. Similarly, responses to allowed inbound traffic are allowed to leave the instance, regardless of the outbound rules.

Footnote: See [Security group basics](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html#security-group-basics)

46
Q

Network ACLs are ________ and Security Groups are ___________.

Hint: This is about state.

A

Network ACLs are **stateless** and Security Groups are **stateful**.

47
Q

Network ACLs can have ________ rules. Security groups can have ________ rules.

A

Network ACLs can have **both allow and deny type** rules. Security groups can have **only allow type** rules.

48
Q

In the Shared Responsibility Model, network ACLs and security groups are the responsibility of the ________.

AWS or the Customer?

A

The Customer.

49
Q

When creating a Virtual Private Cloud from the AWS Management Console, what do you specify after naming your VPC?

A

A region.
50
Q

Fill in the blank

When configuring a VPC, best practice is to create subnets in two or more ____________.

A

Availability Zones. This is a best practice for achieving high availability.

51
Q

When creating a Virtual Private Cloud from the AWS Management Console, what do you specify after selecting a region?

A

A CIDR range defining the block of private IP addresses available to resources in the VPC.

52
Q

Fill in the blanks

When creating subnets in a Virtual Private Cloud, you need to choose an ________ and assign a subset of the ________.

A

Availability Zone; CIDR block.

53
Q

Fill in the blank

For a VPC subnet to be accessible from the internet, the VPC will need to attach to an _________________.

A

internet gateway

54
Q

In a Virtual Private Cloud (VPC), what is a route table?

A

A table that routes traffic originating from the VPC. Each route specifies a destination (CIDR block or prefix list) and a target (such as an internet gateway, NAT gateway, VPC peering connection, or VPN connection). Traffic is routed to targets based on destination IP address.

Footnote: See [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html)

55
Q

Fill in the blank

A VPC Routing Table answers the question, "If traffic is trying to reach this ____________, where do I send it next?"

A

destination

Where you send it next is the target.

56
Q

In a VPC route table, what is a destination?

A

The range of IP addresses where you want traffic to go (destination CIDR).

Footnote: See also [Route table concepts](https://docs.aws.amazon.com/vpc/latest/userguide/RouteTables.html)

57
Q

In a VPC route table, what is a target?

A

The gateway, network interface, or connection through which to send the traffic that is headed for a destination; for example, an internet gateway.

Footnote: See also [Route table concepts](https://docs.aws.amazon.com/vpc/latest/userguide/RouteTables.html)

58
Q

Can a VPC have more than one route table?

A

Yes, there is a main route table for the VPC and additional route tables can be created. Each subnet is associated with a route table.

Footnote: See [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html)

59
Q

Fill in the blank

A VPC ____________ is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.

A

peering connection

Instances in either VPC can communicate with each other as if they are within the same network.

Footnote: See [What is VPC peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)

60
Q

Fill in the blanks

AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a ____________ nor a ____________.

A

gateway; VPN connection

Footnote: See [What is VPC peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)

61
Q

Fill in the blank

A VPC peering connection helps you to facilitate the transfer of ____________.

A

data

Footnote: See [What is VPC peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)

62
Q

Fill in the blank

All data transfer over a VPC peering connection that stays within an Availability Zone is ____________, even if it's between different accounts.

A

free

Charges apply for data transfer over VPC peering connections that cross Availability Zones and Regions.

Footnote: See [What is VPC peering?](https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)

63
Q

How are VPC Peering and AWS PrivateLink different?

A

VPC Peering creates a bi-directional connection between two VPCs, allowing all resources in one VPC to communicate with all resources in the other VPC. AWS PrivateLink provides uni-directional, service-specific access so that resources in one VPC can access a specific AWS service or application using a private endpoint.
64
Q

What is edge networking/computing?

A

"the process of bringing information storage and computing abilities closer to the devices that produce that information and the users who consume it"

65
Q

What is DNS?

A

Domain Name System. A service that translates domain names to IP addresses.

Footnote: See [Wikipedia Domain Name System](https://en.wikipedia.org/wiki/Domain_Name_System)

66
Q

What is a DNS resolver?

A

"A type of DNS server responsible for translating domain names into IP addresses."

Footnote: See [What is a domain name system (DNS) resolver?](https://www.lenovo.com/us/en/glossary/dns-resolver/)

67
Q

What is DNS resolution?

A

"the process of translating a domain name to an IP address"

68
Q

What is Amazon Route 53?

A

"a highly available and scalable cloud Domain Name System (DNS) web service"

Footnote: See [What is Amazon Route 53?](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html)

69
Q

What are three main features of Amazon Route 53?

A
  1. Register domain names
  2. DNS routing
  3. Health checking

Footnote: See [What is Amazon Route 53?](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Welcome.html)

70
Q

Fill in the blank

When Amazon Route 53 is used for DNS routing, it translates DNS queries for your domain names into __________.

A

IP addresses

Footnote: See [Configuring Amazon Route 53 as your DNS service](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-configuring.html) and [How Amazon Route 53 routes traffic for your domain](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/welcome-dns-service.html#welcome-dns-service-how-route-53-routes-traffic)

71
Q

Fill in the blank

Amazon Route 53 uses ____________ to translate a domain name to a region and edge location closest to the end user.

A

Routing policies

72
Q

What is Amazon CloudFront?

A

A content delivery network (CDN) service. When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.

Footnote: See [What is Amazon CloudFront?](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html)

73
Q

What is AWS Global Accelerator?

A

A networking service that uses the AWS global network to route traffic to the optimal regional endpoint based on health, client location, and policies that you configure, which increases the availability of your applications.

Footnote: See [What is AWS Global Accelerator?](https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global-accelerator.html)

74
Q

True or False?

Global Accelerator directs traffic through the AWS private global network.

A

True. Traffic travels over the well-monitored, congestion-free, redundant AWS global network to the endpoint. By maximizing the time that traffic is on the AWS network, Global Accelerator ensures that traffic is always routed over the optimum network path.

Footnote: See [Overview of how AWS Global Accelerator works](https://docs.aws.amazon.com/global-accelerator/latest/dg/introduction-how-it-works.html#how-it-works-summary)