VPCs

Question 1

What does VPC stand for?

Answer 1

Virtual Private Cloud

Question 2

What is a VPC?

Answer 2

• Think virtual data center in the cloud
• A logically isolated section of AWS where you can launch AWS resources in a virtual network that you define

Question 3

What is VPC Peering?

Answer 3

• Allows you to connect one VPC with another via a direct network route using private IP addresses
• Instances behave as if they were on the same private network

Question 4

Can VPC Peering be done between two VPCs in different AWS accounts?

Answer 4

Yes

Question 5

Suppose VPC A is peered with VPC B, and VPC B is paired with VPC C. Is VPC A considered peered with VPC C?

Answer 5

NO. VPC Peering is NOT transitive!

Question 6

Can you use VPC Peering to peer two VPC in different AWS regions?

Answer 6

Yes

Question 7

What does IGW stand for?

Answer 7

Internet Gateway

Question 8

What are the key components of a VPC?

Answer 8

• Gateway (IGW or Virtual Private Gateway)
• Route Tables
• Network Access Control Lists
• Subnets
• Security Groups

Question 9

Can you have two VPC subnets in the same AZ?

Answer 9

Yes

Question 10

Can you have a subnet stretched across multiple AZs?

Answer 10

No

Question 11

When you create a VPC, what infrastructure is created by default?

Answer 11

• A Default Route Table
• A Network ACL
• A Default Security Group

(Note that it does NOT create subnets or IGWs)

Question 12

If I launch a VPC into US-East-1a in my account, and someone else launches a VPC into US-East-1a in their account, does this mean the two VPCs are in the same AZ?

Answer 12

Not necessarily, The AZ’s are randomized

Question 13

How many IP Addresses does Amazon Reserve per subnet?

Answer 13

5

Question 14

What is the maximum number of IGWs you can have per VPC?

Answer 14

1

Question 15

Can you have a security group spanning multiple VPCs?

Answer 15

No

Question 16

Can you create an ELB with only one public subnet?

Answer 16

No, to create an ELB you need at least 2 public subnets

Question 17

What is a Bastion Host?

Answer 17

A hardened, secure request forwarder allowing you to SSH/RDP in to private subnets in order to administer them (Idea is about lowering surface area of attack)

Question 18

Can you use a NAT Gateway as a Bastion Host?

Answer 18

No

Question 19

Are Bastion Hosts usually placed in a private subnet or a public subnet?

Answer 19

They are placed in a public subnet so you can access the private subnet

Question 20

What is Direct Connect and what are its primary use cases?

Answer 20

• Idea is that it directly connects your data center to AWS
• Useful for high throughput workloads (lots of network traffic)
• Useful if you need a stable and reliable secure connection

Question 21

What is AWS Global Accelerator?

Answer 21

A service in which you create accelerators to improve availability and performance of your applications for local and global users

Question 22

How many static IP addresses does AWS assign to you for Global Accelerator?

Answer 22

2

(Note you can also bring your own static IPs!)

Question 23

How do you control traffic in AWS Global Accelerator?

Answer 23

Use traffic dials. This is done within an endpoint group

Question 24

What is a VPC Endpoint?

Answer 24

A VPC Endpoint enables you to privately connect your VPC to supported AWS Services without requiring an internet gateway, or connecting to the public internet

Question 25

What are the two types of VPC Endpoints?

Answer 25

* Interface Endpoints * Gateway Endpoints

Question 26

For what services are VPC Gateway Endpoints supported?

Answer 26

* Amazon S3 * DynamoDB

Question 27

Suppose you want to peer a VPC with tens or thousands of other customer VPCs. What is the best way to accomplish this?

Answer 27

**AWS PrivateLink**

Question 28

Does AWS PrivateLink require VPC Peering?

Answer 28

**No**. There's no NAT, no route tables, no IGWs, etc.

Question 29

What is required to use AWS PrivateLink?

Answer 29

* A Network Load Balancer on the service VPC * An ENI on the customer VPCs

Question 30

What is **AWS Transit Gateway** used for?

Answer 30

* It allows you to have transitive peering between thousands of VPCs and on-premises data centers * Think **simplify network topology** * Always works on a hub-and-spoke model

Question 31

Can you use AWS Transit Gateway across multiple regions?

Answer 31

**Yes**

Question 32

Can you use AWS Transit Gateway across multiple accounts?

Answer 32

**Yes**

Question 33

Do AWS Transit Gateways work with Direct Connect?

Answer 33

**Yes**

Question 34

When using AWS Transit Gateways, how can I limit how VPCs talk to one another?

Answer 34

Use **route tables**

Question 35

What is the ONLY AWS Service that supports **IP Multicast**?

Answer 35

**AWS Transit Gateway**

Question 36

What is the use case for **AWS VPN CloudHub**?

Answer 36

* Connecting multiple sites, each with a VPN Connection, together over a hub-and-spoke model * It operates over the public internet, but all traffic between the customer gateways and the VPN CloudHub is encrypted

Question 37

When using VPCs, will private IPs or public IPs produce a lower network cost? Why?

Answer 37

Private IPs result in lower cost for cross-AZ traffic (within the same region). The cost difference is mainly due to Data Transfer Out charges for Public IPs vs. the lower Data Transfer charges for Private IPs on the AWS network.

Question 38

In general, does AWS charge you more/less/or the same for communicating between VPCs in different AZs within the same region vs. communicating between VPCs in different regions?

Answer 38

communicating between VPCs in different AZs in the same region is **less expensive** than communicating between VPCs in different regions.

Question 39

How can you use VPCs and cut all network costs? What is the problem with that approach?

Answer 39

* Use private IP addresses * group all EC2 instances in a single AZ * This is a problem because it leaves a single point of failure

Question 40

What is the definition of a **public subnet**?

Answer 40

One that **has at least one route in its routing table that uses an IGW**

Question 41

Does VPC peering support edge to edge routing?

Answer 41

**No**

Question 42

What components define the internal segmentation boundaries of a VPC?

Answer 42

- Subnets (logical segmentation within an AZ) - CIDR range (custom IP address ranges)

Question 43

How is traffic directed within the VPC and to the internet?

Answer 43

**Route Tables**

Question 44

In the context of VPCs, what is a **route table**?

Answer 44

A **path between subnets**, to the IGW, or to a VGW

Question 45

What does **VGW** strand for?

Answer 45

**V**irtual Private **G**ate**w**ay

Question 46

What are the two layers of security controls for VPC, and where do they apply?

Answer 46

1. **Security Groups** -- _stateful_ firewall applied at the _instance/ENI_ level 2. **NACLs** -- _stateless_ firewall applied at the _subnet_ level

Question 47

What two components allow for traffic to flow _outside_ the VPC?

Answer 47

1. IGW (for public internet access) 2. VGW (for VPN/Direct Connect to On-premises)

Question 48

What are the 3 key difference between a Security Group and an NACL?

Answer 48

SGs are **Stateful**, apply to **instances** and support **ALLOW only** NACLs are **Stateless**, apply to **subnets** and support **both ALLOW and DENY**