Questions and Answers
What is a limitation of using a NAT instance?
What is a benefit of using a NAT gateway over a NAT instance?
What is a characteristic of security groups?
What is a limitation of security groups?
What is a characteristic of Network ACLs?
What is a benefit of using Network ACLs over security groups?
What is a unique feature of Amazon VPC in relation to other VPCs on AWS?
Which of the following statements about default VPCs is correct?
What is the maximum number of route tables that can be created within a single VPC?
What is the primary role of the VPC router?
Which of the following describes how many VPCs you can create in a specific region by default?
What is dedicated tenancy in a VPC used for?
What is a key benefit of using AWS VPN CloudHub?
What is a key feature of a transit VPC?
What is a limitation of VPC peering connections?
What is a benefit of using AWS PrivateLink?
What is a key feature of a software VPN?
What is a characteristic of VPC peering connections?
What is the minimum subnet mask that can be used when creating a VPC?
Which of the following is NOT true about the default rule that allows all VPC subnets to communicate with one another?
What is the purpose of an Internet Gateway (IGW) in a VPC?
Which of the following is a valid reason why instances in a subnet might not be able to communicate with the internet?
Which of the following statements about NAT instances is TRUE?
What is the purpose of an Egress-only Internet Gateway?
What is the purpose of a Network ACL?
Which of the following statements about AWS Direct Connect is TRUE?
Which of these statements accurately describes the relationship between Network ACLs and Security Groups?
What is the purpose of a Virtual Private Gateway (VGW) in an AWS S2S VPN configuration?
What are the two primary advantages of AWS Direct Connect Plus VPN over traditional VPNs?
Which of the following statements is TRUE about the default Network ACL in an AWS VPC?
What is the primary purpose of AWS PrivateLink?
Which of the following statements accurately describes a gateway endpoint?
Which two services are supported by gateway endpoints?
What advantage does VPC sharing provide to organizations?
What is a limitation of enabling flow logs for a VPC?
Which type of endpoint allows access to services hosted by other AWS accounts?
Which AWS service cannot utilize AWS PrivateLink for connections?
How does using AWS PrivateLink benefit network architecture?
Which characteristic distinguishes ClassicLink from AWS PrivateLink?
What is the purpose of VPC Flow Logs?
Study Notes
Amazon VPC Overview
- Amazon VPC allows provisioning of a logically isolated section in the AWS cloud, akin to having a private data center within AWS.
- Offers complete control over the virtual networking environment including IP ranges, subnets, route tables, and gateways.
- Each VPC is isolated from others and spans a single region.
- A default VPC is created per region with subnets in each Availability Zone (AZ).
- By default, users can create up to 5 VPCs per region and can specify dedicated tenancy for instances.
- Instances in the default VPC have both public and private IP addresses.
VPC Components and Connectivity
- Possible VPC connections include hardware VPNs, dedicated connections, and various gateway options.
- Each VPC can have internet connectivity via an Internet Gateway (IGW), which is a redundant, highly available component.
- VPC routing allows communication between AZs, enabling traffic forwarding and connection to the IGW.
Routing Rules and Tables
- A VPC can have up to 200 route tables, with 50 entries per table; each subnet must be associated with exactly one route table.
- By default, the main route table allows communication between all subnets in the VPC.
- A subnet's route table must contain a route to the Internet Gateway for instances in that subnet to reach the internet.
Subnet Management
- Subnets map directly to Availability Zones and must reside entirely within a single AZ.
- Types include public, private, and VPN subnets.
- The CIDR block determines the IP range of the VPC and cannot be changed after creation.
- Reserved IP addresses exist at both ends of each subnet CIDR block and cannot be assigned to instances.
Internet Gateways and NAT
- An Internet Gateway allows communication between VPC and the internet, operating in a highly available manner.
- NAT Instances are manually managed EC2 instances that provide internet access from private subnets but can become bottlenecks and single points of failure.
- NAT Gateways are managed by AWS, scale automatically, are highly available within an AZ, and require no security group management.
Security Features
- Security groups act as a firewall at the instance level; they support only permit (allow) rules and are stateful, so return traffic is allowed automatically.
- Network ACLs operate at the subnet level; they support both permit and deny rules and are stateless, so return traffic must be explicitly allowed.
VPC Connectivity Options
- AWS Managed VPN comprises a Virtual Private Gateway on AWS and a Customer Gateway on the client side.
- AWS Direct Connect provides a dedicated connection from an on-premises network to AWS, available in 1 Gbps or 10 Gbps options.
- Software VPN allows full management of both ends of the VPN connection, useful for compliance needs.
VPC Peering and PrivateLink
- VPC peering allows routing traffic between two VPCs using private IP addresses with no overlapping CIDR ranges.
- AWS PrivateLink provides private connectivity, enhancing security by reducing exposure to the public internet.
VPC Endpoints and Shared Services
- VPC endpoints (Interface and Gateway) facilitate communication with AWS services without public IP exposure, enhancing security.
- Gateway endpoints support Amazon S3 and DynamoDB traffic only.
- Shared Services VPCs allow multiple AWS accounts to create resources within a centrally managed VPC, promoting resource sharing across organizations.
Amazon VPC Benefits
- Separate Amazon VPCs can be created for each account, with each owner responsible for connectivity and security.
- VPC sharing allows IT teams to manage VPCs, relieving application developers from VPC configuration while granting necessary access.
- Shared Amazon VPCs enable implicit routing, benefiting applications that require high interconnectivity within the same trust boundaries.
- Reduces the number of VPCs to manage while maintaining separate accounts for billing and access control.
- Simplifies network topologies through features like AWS PrivateLink, AWS Transit Gateway, and Amazon VPC peering for interconnecting shared VPCs.
- AWS PrivateLink enhances resource access security for applications behind a Network Load Balancer.
VPC Flow Logs
- Flow Logs capture metadata about IP traffic to and from network interfaces within a VPC and store it in Amazon CloudWatch Logs.
- Flow logs can be created at the VPC, subnet, or network interface level, but cannot be enabled for a peered VPC unless it belongs to the same account.
- Flow logs cannot be tagged or have their configuration changed after creation; to adjust a flow log, delete it and create a new one.
- Certain IP traffic is excluded from flow logs and is not recorded.
High Availability Approaches for Networking
- Creating subnets across multiple Availability Zones (AZs) establishes Multi-AZ presence for a VPC.
- Best practice includes setting up at least two VPN tunnels into the Virtual Private Gateway for redundancy.
- Direct Connect has no inherent High Availability (HA); a secondary connection should be established via a second Direct Connect link or a VPN.
- Route 53 health checks offer basic failover by redirecting DNS resolution away from unhealthy endpoints.
- Elastic IPs allow the backing resource to be swapped without changing the address clients resolve to.
- To ensure Multi-AZ redundancy for NAT Gateways, deploy a gateway in each AZ and route each private subnet to the gateway in its own AZ.
Description
Learn about Amazon Virtual Private Cloud (VPC) and its features, such as logically isolated sections of AWS, virtual networking control, and connection to corporate data centers.