AWS VPC Fundamentals
40 Questions

Created by @FastGrowingBaltimore5920

Questions and Answers

What is a limitation of using a NAT instance?

  • Scalability
  • Bottlenecks (correct)
  • High availability
  • Support for IPv6

What is a benefit of using a NAT gateway over a NAT instance?

  • Need to patch the instance
  • Requires security groups
  • Is highly available in each AZ (correct)
  • Can be used as a Bastion host

What is a characteristic of security groups?

  • Can only assign deny rules
  • Can block specific IP addresses
  • Function at the subnet level
  • Are stateless (correct)

What is a limitation of security groups?

Can block specific IP addresses

What is a characteristic of Network ACLs?

Have separate inbound and outbound rules

What is a benefit of using Network ACLs over security groups?

Can block specific IP addresses

What is a unique feature of Amazon VPC in relation to other VPCs on AWS?

It is logically isolated from other VPCs.

Which of the following statements about default VPCs is correct?

Instances in the default VPC always have both a public and private IP address.

What is the maximum number of route tables that can be created within a single VPC?

200

What is the primary role of the VPC router?

To perform routing between availability zones (AZs) and to the internet.

Which of the following describes how many VPCs you can create in a specific region by default?

Up to 5 per region.

What is dedicated tenancy in a VPC used for?

To ensure instances are launched on dedicated hardware.

What is a key benefit of using AWS VPN CloudHub?

It provides a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity

What is a key feature of a transit VPC?

It simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks

What is a limitation of VPC peering connections?

They can only have one peering connection between any two VPCs at a time

What is a benefit of using AWS PrivateLink?

It eliminates the exposure of data to the public Internet

What is a key feature of a software VPN?

It is recommended for compliance purposes or for leveraging gateway devices not supported by Amazon VPC’s VPN solution

What is a characteristic of VPC peering connections?

They do not rely on a separate piece of physical hardware

What is the minimum subnet mask that can be used when creating a VPC?

/16

Which of the following is NOT true about the default rule that allows all VPC subnets to communicate with one another?

It allows communication between subnets in different VPCs.

What is the purpose of an Internet Gateway (IGW) in a VPC?

To allow instances in a VPC to communicate with the internet.

Which of the following is a valid reason why instances in a subnet might not be able to communicate with the internet?

The subnet is associated with a route table that does not have a route to the IGW.

Which of the following statements about NAT instances is TRUE?

NAT instances can be used to enable private subnets to communicate with the internet.

What is the purpose of an Egress-only Internet Gateway?

To allow instances in a VPC to communicate with the internet, but not to allow incoming traffic from the internet.

What is the purpose of a Network ACL?

To enforce security policies on traffic entering or leaving a VPC.

Which of the following statements about AWS Direct Connect is TRUE?

It provides a private connection between your on-premises network and AWS, reducing network costs and improving performance.

Which of these statements accurately describes the relationship between Network ACLs and Security Groups?

Network ACLs are the first line of defense, and Security Groups provide a second layer of security.

What is the purpose of a Virtual Private Gateway (VGW) in an AWS S2S VPN configuration?

To establish a secure, encrypted connection between your on-premises network and AWS.

What are the two primary advantages of AWS Direct Connect Plus VPN over traditional VPNs?

It allows for higher bandwidth and provides end-to-end encryption.

Which of the following statements is TRUE about the default Network ACL in an AWS VPC?

It allows all inbound and outbound traffic.

What is the primary purpose of AWS PrivateLink?

To connect services across different accounts and VPCs

Which of the following statements accurately describes a gateway endpoint?

It serves as a target for a specified route in a route table for certain services.

Which two services are supported by gateway endpoints?

Amazon S3 and DynamoDB

What advantage does VPC sharing provide to organizations?

It enables central management of VPC resources across multiple accounts.

What is a limitation of enabling flow logs for a VPC?

You cannot change the configuration of flow logs after creation.

Which type of endpoint allows access to services hosted by other AWS accounts?

Interface VPC endpoint

Which AWS service cannot utilize AWS PrivateLink for connections?

EC2-Classic instances

How does using AWS PrivateLink benefit network architecture?

It simplifies connections between different AWS accounts and services.

Which characteristic distinguishes ClassicLink from AWS PrivateLink?

ClassicLink is used for EC2-Classic instances only.

What is the purpose of VPC Flow Logs?

To capture information about IP traffic to and from network interfaces.

Study Notes

Amazon VPC Overview

• Amazon VPC allows provisioning of a logically isolated section of the AWS cloud, akin to having a private data center within AWS.
• Offers complete control over the virtual networking environment, including IP ranges, subnets, route tables, and gateways.
• Each VPC is isolated from other VPCs and spans a single region.
• A default VPC is created per region with a subnet in each Availability Zone (AZ).
• Users can create up to 5 VPCs per region by default and can select dedicated tenancy so that instances are launched on dedicated hardware.
• Instances in the default VPC have both public and private IP addresses.

VPC Components and Connectivity

• Possible VPC connections include hardware VPNs, dedicated connections, and various gateway options.
• Each VPC can have internet connectivity via an Internet Gateway (IGW), which is a redundant, highly available component.
• The VPC router performs routing between AZs, forwarding traffic between subnets and to the IGW.

Routing Rules and Tables

• A VPC can have up to 200 route tables, with 50 entries per table; each subnet must be associated with exactly one route table.
• By default, the main route table allows communication between all subnets in the VPC.
• A subnet's route table must contain a route to the Internet Gateway for instances in that subnet to reach the internet.

Subnet Management

• Subnets map directly to Availability Zones and must reside entirely within a single AZ.
• Types include public, private, and VPN subnets.
• CIDR blocks determine the IP range of a VPC and cannot be changed after creation.
• Reserved IP addresses exist at both ends of each subnet CIDR block and cannot be assigned to instances.

Internet Gateways and NAT

• An Internet Gateway allows communication between the VPC and the internet and operates in a highly available manner.
• NAT instances are manually managed; they enable internet access from private subnets but require patching and can become bottlenecks.
• NAT Gateways are managed by AWS and provide a scalable, highly available solution for private subnet internet access, with no security groups to manage.

Security Features

• Security groups act as a firewall at the instance level; they accept only permit (allow) rules and are stateful.
• Network ACLs operate at the subnet level, support both permit and deny rules, have separate inbound and outbound rules, and are stateless.

VPC Connectivity Options

• AWS Managed VPN comprises a Virtual Private Gateway on the AWS side and a Customer Gateway on the client side.
• AWS Direct Connect provides a dedicated connection from an on-premises network to AWS, available in 1 Gbps or 10 Gbps options.
• Software VPN allows full management of both ends of the VPN connection, useful for compliance needs or for gateway devices not supported by the Amazon VPC VPN solution.
• VPC peering routes traffic between two VPCs using private IP addresses; the VPCs must not have overlapping CIDR ranges, and only one peering connection can exist between any two VPCs at a time.
• AWS PrivateLink provides private connectivity to services, enhancing security by eliminating exposure to the public internet.

VPC Endpoints and Shared Services

• VPC endpoints (Interface and Gateway) allow communication with AWS services without public IP exposure, enhancing security.
• Gateway endpoints support Amazon S3 and DynamoDB traffic only.
• Shared Services VPCs allow multiple AWS accounts to create resources within a centrally managed VPC, promoting resource sharing across organizations.

Amazon VPC Benefits

• Separate Amazon VPCs can be created for each account, with each owner responsible for connectivity and security.
• VPC sharing allows IT teams to manage VPCs, relieving application developers from VPC configuration while granting them the access they need.
• Shared Amazon VPCs enable implicit routing, benefitting applications that require high interconnectivity within the same trust boundaries.
• Sharing reduces the number of VPCs to manage while maintaining separate accounts for billing and access control.
• Network topologies are simplified through features like AWS PrivateLink, AWS Transit Gateway, and Amazon VPC peering for interconnecting shared VPCs.
• AWS PrivateLink enhances resource access security for applications behind a Network Load Balancer.

VPC Flow Logs

• Flow Logs capture IP traffic data for network interfaces within a VPC, storing the records in Amazon CloudWatch Logs.
• Flow logs can be created at various levels but cannot be enabled for peered VPCs unless they belong to the same account.
• Flow logs cannot be tagged, and their configuration cannot be changed after creation; to adjust one, delete it and create a new one.
• Certain IP traffic is excluded from flow log monitoring.

High Availability Approaches for Networking

• Creating subnets across multiple Availability Zones (AZs) establishes a Multi-AZ presence for a VPC.
• Best practice is to set up at least two VPN tunnels into the Virtual Private Gateway for redundancy.
• Direct Connect lacks inherent High Availability (HA); a secondary connection should be established via a second Direct Connect link or a VPN.
• Route 53 health checks offer basic failover by redirecting DNS resolution away from unhealthy endpoints.
• Elastic IPs allow the backing resource to be changed without disrupting name resolution.
• To ensure Multi-AZ redundancy for NAT Gateways, deploy a gateway in each AZ and route each private subnet to the gateway in its own AZ.
Description

Learn about Amazon Virtual Private Cloud (VPC) and its features, such as logically isolated sections of AWS, virtual networking control, and connection to corporate data centers.
