VPC Flashcards Preview


Flashcards in VPC Deck (28)
1
Q

NAT Gateway characteristics

A
  • Redundant inside the AZ
  • Starts at 5 Gbps and scales to 45 Gbps
  • No need to patch
  • Not associated with Security Groups
  • Automatically assigned a public IP address
2
Q

What is allowed/disallowed in the default network ACL of a VPC?

A

By default, it allows all outbound and inbound traffic

3
Q

What is allowed/disallowed by default when a new ACL is created?

A

By default, a new custom network ACL denies all inbound and outbound traffic until you add rules

4
Q

Does a subnet need to be associated with an ACL?

A

Yes. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.

5
Q

Can a subnet be associated with multiple ACLs?

A

No, only with one. When you associate a network ACL with a subnet, the previous association is removed.

6
Q

Can an ACL be associated with multiple subnets?

A

Yes

7
Q

How do the rules of a network ACL work?

A

Network ACLs contain a numbered list of rules that is evaluated in order, starting with the lowest numbered rule.

8
Q

Are network ACLs stateful or stateless?

A

Stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.

9
Q

Can I block a specific IP address with Security Groups or network ACLs?

A

Block IP addresses with network ACLs, not Security Groups.

10
Q

How many public subnets are needed to deploy an application load balancer?

A

At least 2

11
Q

Are network ACLs a layer of security for instances or subnets?

A

Security Groups act like a firewall at the instance level, whereas network ACLs are an additional layer of security that act at the subnet level.

12
Q

By default, how many VPCs am I allowed in each region?

A

5

13
Q

Can a subnet span multiple AZs?

A

No

14
Q

When peering VPCs, can I peer with VPCs in another account?

A

Yes

15
Q

By default, can new subnets in a custom VPC communicate with each other across AZs?

A

Yes

16
Q

Which IPs in each subnet’s CIDR block are reserved by Amazon?

A

AWS reserves both the first four and the last IP address.

First four:

  • 10.0.0.0: Network address.
  • 10.0.0.1: VPC router.
  • 10.0.0.2: DNS…
  • 10.0.0.3: Future use.

Last:

  • 10.0.0.255: Broadcast.

17
Q

Does the private IP address associated with an EC2 instance remain associated when the instance is stopped and restarted?

A

Yes. The private IP address remains associated with the network interface when the instance is stopped and restarted and is released when the instance is terminated.

18
Q

Does the public IP address associated with an EC2 instance remain associated when the instance is stopped and restarted?

A

No. AWS releases the public IPv4 address and assigns a new one when you restart the instance. The instance retains, however, its associated Elastic IP addresses (if any).

19
Q

Which component allows me to SSH or RDP into an EC2 instance located in a private subnet?

A

Bastion Host

20
Q

How to achieve High Availability when using NAT Gateways?

A

If you have resources in multiple AZs and they share a NAT Gateway, in the event the NAT Gateway’s AZ goes down, resources in the other AZ lose internet access.

To create an AZ-independent architecture, create a NAT Gateway in each AZ and configure your routing to ensure resources use the NAT Gateway in the same AZ.

21
Q

Are Security Groups stateful or stateless?

A

Security Groups are stateful. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.

Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

22
Q

AWS Direct Connect

A
  • Direct Connect directly connects your data center to AWS
  • Useful for high-throughput workloads
  • Helpful when you need a stable and reliable secure connection
23
Q

VPC Endpoints

A
  • Use case: When you want to connect AWS services without leaving the Amazon internal network
  • 2 types of VPC endpoints: Interface endpoints and gateway endpoints
  • Gateway endpoints: Support S3 and DynamoDB
24
Q

VPC Peering

A
  • Allows you to connect 1 VPC with another via a direct network route using private IP addresses
  • Instances behave as if they were on the same private network
  • You can peer a VPC with a VPC in another AWS account, as well as with another VPC in the same account
  • Peering is in a star configuration. No transitive peering.
  • You can peer between regions
25
Q

Can you do VPC peering between regions?

A

Yes

26
Q

AWS PrivateLink

A
  • To peer VPCs to tens, hundreds, or thousands of customer VPCs
  • Doesn’t require VPC peering. No route tables, NAT gateways, internet gateways.
  • Requires a Network Load Balancer on the service VPC and an ENI on the client VPC
27
Q

AWS Transit Gateway

A
  • You can use route tables to limit how VPCs talk to one another
  • Works with Direct Connect as well as VPN connections
  • Supports IP multicast (not supported by any other AWS service)
28
Q

AWS VPN CloudHub

A

The AWS VPN CloudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. Use this approach if you have multiple branch offices and existing Internet connections and would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.