AWS/Virtual Private Cloud (VPC) – Review Questions

Background

Finally, returning to my AWS Study.

I was really stuck on the Networking, specifically the Virtual Private Cloud (VPC) area.

Admittedly, my shallowness included:

  1. Not enough networking background
    • Too many new words
  2. Lab
    • I knew I would not have the strength or time to confirm intuition in a lab setting
    • And so I would either make a quick guess or pass on the question

Review Questions

  1. What is the minimum size subnet that you can have in an Amazon VPC?
    • A. /24
    • B. /26
    • C. /28
    • D. /30
  2. You are a solutions architect working for a large travel company that is migrating its existing server estate to AWS. You have recommended that they use a custom Amazon VPC, and they have agreed to proceed. They will need a public subnet for their web servers and a private subnet in which to place their databases. They also require that the web servers and database servers be highly available and that there be a minimum of two web servers and two database servers each. How many subnets should you have to maintain high availability?
    • A. 2
    • B. 3
    • C. 4
    • D. 1
  3. Which of the following is an optional security control that can be applied at the subnet layer of a VPC?
    • A. Network ACL
    • B. Security Group
    • C. Firewall
    • D. Web application firewall
  4. What is the maximum size IP address range that you can have in an Amazon VPC?
    • A. /16
    • B. /24
    • C. /28
    • D. /30
  5. You create a new subnet and then add a route to your route table that routes traffic out from that subnet to the Internet using an IGW. What type of subnet have you created?
    • A. An internal subnet
    • B. A private subnet
    • C. An external subnet
    • D. A public subnet
  6. What happens when you create a new Amazon VPC?
    1. A. A main route table is created by default.
    2. B. Three subnets are created by default—one for each Availability Zone.
    3. C. Three subnets are created by default in one Availability Zone.
    4. D. An IGW is created by default.
  7. You create a new VPC in US-East-1 and provision three subnets inside this Amazon VPC. Which of the following statements is true?
    • A. By default, these subnets will not be able to communicate with each other; you will need to create routes.
    • B. All subnets are public by default.
    • C. All subnets will be able to communicate with each other by default.
    • D. Each subnet will have identical CIDR blocks.
  8. How many IGWs can you attach to an Amazon VPC at any one time?
    1. A. 1
    2. B. 2
    3. C. 3
    4. D. 4
  9. What aspect of an Amazon VPC is stateful?
    • A. Network ACLs
    • B. Security groups
    • C. Amazon DynamoDB
    • D. Amazon S3
  10. You have created a custom Amazon VPC with both private and public subnets. You have created a NAT instance and deployed this instance to a public subnet. You have attached an EIP address and added your NAT to the route table. Unfortunately, instances in your private subnet still cannot access the Internet. What may be the cause of this?
    • A. Your NAT is in a public subnet, but it needs to be in a private subnet.
    • B. Your NAT should be behind an Elastic Load Balancer.
    • C. You should disable source/destination checks on the NAT.
    • D. Your NAT has been deployed on a Windows instance, but your other instances are Linux. You should redeploy the NAT onto a Linux instance.
  11. Which of the following will occur when an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance in an Amazon VPC with an associated EIP is stopped and started? (Choose 2 answers)
    • A. The EIP will be dissociated from the instance.
    • B. All data on instance-store devices will be lost.
    • C. All data on Amazon EBS devices will be lost.
    • D. The ENI is detached.
    • E. The underlying host for the instance is changed.
  12. How many VPC Peering connections are required for four VPCs located within the same AWS region to be able to send traffic to each of the others?
    1. A. 3
    2. B. 4
    3. C. 5
    4. D. 6
  13. Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS?
    1. A. A VPC peering connection
    2. B. A DHCP option set
    3. C. A routing rule
    4. D. An IGW
  14. Which of the following is the Amazon side of an Amazon VPN connection?
    • A. An EIP
    • B. A CGW
    • C. An IGW
    • D. A VPG
  15. What is the default limit for the number of Amazon VPCs that a customer may have in a region?
    1. A. 5
    2. B. 6
    3. C. 7
    4. D. There is no default maximum number of VPCs within a region
  16. You are responsible for your company’s AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates the source of the traffic is scanning for open ports on your EC2-VPC instances. Which one of the following resources can deny the traffic from reaching the instances?
    • A. Security group
    • B. Network ACL
    • C. NAT instance
    • D. An Amazon VPC endpoint
  17. Which of the following is the security protocol supported by Amazon VPC?
    • A. SSH
    • B. Advanced Encryption Standard (AES)
    • C. Point-to-Point Tunneling Protocol (PPTP)
    • D. IPsec
  18. Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3?
    • A. Amazon S3 gateway
    • B. IGW
    • C. CGW
    • D. VPC endpoint
  19. What properties of an Amazon VPC must be specified at the time of creation? (Choose 2 answers)
    • A. The CIDR block representing the IP address range
    • B. One or more subnets for the Amazon VPC
    • C. The region for the Amazon VPC
    • D. Amazon VPC Peering relationships
  20. Which Amazon VPC feature allows you to create a dual-homed instance?
    • A. EIP address
    • B. ENI
    • C. Security groups
    • D. CGW

Additional Study Material

Web application firewall

Links

  1. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
  2. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.
  3. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.
  4. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns.
  5. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
  6. With AWS WAF you pay only for what you use.
    • AWS WAF pricing is based on how many rules you deploy and how many web requests your web application receives.
    • There are no upfront commitments.
  7. You can deploy AWS WAF on:
    • Amazon CloudFront, as part of your CDN solution
    • An Application Load Balancer (ALB) that fronts your web servers or origin servers running on EC2, or Amazon API Gateway for your APIs.

VPC Size

Links

Q. How large of a VPC can I create?

  1. IPv4
    • Currently, Amazon VPC supports five (5) IP address ranges:
      • one (1) primary
      • and four (4) secondary, for IPv4.
    • Each of these ranges can be between /28 (in CIDR notation) and /16 in size.
    • The IP address ranges of your VPC should not overlap with the IP address ranges of your existing network.
  2. IPv6
    • For IPv6, the VPC is a fixed size of /56 (in CIDR notation).
      • A VPC can have both IPv4 and IPv6 CIDR blocks associated to it.
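
As an added worked example (not code from the original post or from AWS), the sizing rules above checked with Python's standard ipaddress module: a VPC block must be between /16 and /28 and must not overlap the networks you already run, and each subnet must be at least a /28, sit inside the VPC block, and not overlap its siblings. It assumes the documented AWS rule that five addresses of every subnet are reserved; the CIDRs in the usage section are constructed.

```python
import ipaddress

# Sizing rules from the VPC FAQ quoted above: each IPv4 VPC block and each
# subnet must fall between /16 and /28.  AWS also reserves five addresses in
# every subnet (network, VPC router, DNS, one spare, broadcast) - assumed here.
MIN_PREFIX, MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def check_vpc_cidr(vpc_cidr, existing_networks):
    """Return a list of problems with a proposed VPC block (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(vpc_cidr, strict=False)
    if net.version != 4:
        return ["IPv6 VPC blocks are a fixed /56; only IPv4 blocks are sized here"]
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"{net} is a /{net.prefixlen}; allowed sizes are /{MIN_PREFIX} to /{MAX_PREFIX}")
    # The FAQ's second rule: no overlap with the networks you already operate.
    for other in existing_networks:
        other_net = ipaddress.ip_network(other, strict=False)
        if net.overlaps(other_net):
            problems.append(f"{net} overlaps existing network {other_net}")
    return problems


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Check subnets against their VPC and return usable host counts per subnet."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    accepted = []
    usable = {}
    for cidr in subnet_cidrs:
        subnet = ipaddress.ip_network(cidr, strict=False)
        if subnet.prefixlen > MAX_PREFIX:
            raise ValueError(f"{subnet} is smaller than the /{MAX_PREFIX} minimum")
        if not subnet.subnet_of(vpc):
            raise ValueError(f"{subnet} lies outside the VPC block {vpc}")
        for prev in accepted:
            if subnet.overlaps(prev):
                raise ValueError(f"{subnet} overlaps subnet {prev}")
        accepted.append(subnet)
        usable[str(subnet)] = subnet.num_addresses - RESERVED_PER_SUBNET
    return usable


if __name__ == "__main__":
    # Constructed layout for question 2: a public and a private subnet in each of two AZs.
    layout = ["10.0.0.0/24", "10.0.1.0/24", "10.0.10.0/24", "10.0.11.0/24"]
    print(check_vpc_cidr("10.0.0.0/16", ["192.168.0.0/16"]))  # []
    print(plan_subnets("10.0.0.0/16", layout))  # 251 usable hosts in each /24
```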

Malik Drief: When you create new subnets within a custom VPC, by default they can communicate with each other, across availability zones?

Question

Can someone elaborate more on the question below? I was thinking that we have to configure VPC peering between them?

When you create new subnets within a custom VPC, by default they can communicate with each other, across availability zones.

Answer

Mike G Chambers

  1. You set up VPC peering to configure communication between two different VPCs.
  2. In this question we are talking about communication between two subnets inside of the same VPC.
  3. By default when you create a subnet, it’s associated with the default route table for that VPC, and as such each subnet can route to each other.
  4. The fact that in this case the subnets are in different Availability Zones is irrelevant.
  5. Hope that helped.

Siba Senapati

  1. As per the VPC lab, we need to add ICMP to allow SSH from the public subnet to the private subnet.
  2. Not sure if there are other ways to communicate from one subnet to another subnet.

Axiom IO

ICMP is not for SSH; rather, it is for pinging your instance in the private VPC from a public instance (bastion). What Mike said makes sense to me.
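
As an added illustration of the routing point made in this thread (not code from the thread, the course, or AWS), a small longest-prefix-match lookup over constructed route tables for a 10.0.0.0/16 VPC. It shows why two subnets of the same VPC reach each other through the implicit local route on any table, why a subnet only becomes public (question 5) when 0.0.0.0/0 points at an IGW, and why a peered VPC needs its own route. Target IDs are placeholders, not real AWS resource IDs.

```python
import ipaddress

# Constructed route tables for a VPC of 10.0.0.0/16.  Every VPC route table
# carries an implicit "local" route for the VPC's own CIDR, which is why two
# subnets of the same VPC can talk by default regardless of Availability Zone.
# Target IDs below are placeholders, not real AWS resource IDs.
VPC_CIDR = "10.0.0.0/16"
MAIN_RT = [(VPC_CIDR, "local")]                        # what a new subnet gets by default
PUBLIC_RT = MAIN_RT + [("0.0.0.0/0", "igw-EXAMPLE")]    # default route to an internet gateway
PRIVATE_RT = MAIN_RT + [("0.0.0.0/0", "nat-EXAMPLE")]   # default route via a NAT device
PEERED_RT = MAIN_RT + [("10.1.0.0/16", "pcx-EXAMPLE")]  # route to a peered VPC


def lookup(route_table, dst_ip):
    """Pick the target for dst_ip by longest-prefix match, as the VPC router does.

    Returns None when no route covers the destination (the traffic is dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table):
    """Question 5's definition: public means 0.0.0.0/0 is routed to an IGW."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)


if __name__ == "__main__":
    # Subnet-to-subnet traffic inside the VPC hits the local route on every table.
    print(lookup(MAIN_RT, "10.0.2.5"))          # local
    # Without a default route, Internet-bound traffic has nowhere to go.
    print(lookup(MAIN_RT, "203.0.113.10"))      # None
    print(lookup(PUBLIC_RT, "203.0.113.10"))    # igw-EXAMPLE
    # Reaching another VPC needs a peering route; the local route does not cover it.
    print(lookup(PEERED_RT, "10.1.3.4"), lookup(MAIN_RT, "10.1.3.4"))  # pcx-EXAMPLE None
    print([is_public_subnet(t) for t in (MAIN_RT, PUBLIC_RT, PRIVATE_RT)])  # [False, True, False]
```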

Amazon VPC Limits

Links

  1. Limits
    • Virtual Private Gateways
      • Default Maximum Virtual Private Gateways per Region is 5
      • Maximum Virtual Private Gateway per VPC is 1
    • VPCs per Region
      • Default Limit of 5
        • The limit for internet gateways per Region is directly correlated to this one.
        • Increasing this limit increases the limit on internet gateways per Region by the same amount.

EC2-VPC instance resolving DNS names outside of AWS

Question

Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS?

  • A. A VPC peering connection
  • B. A DHCP option set
  • C. A routing rule
  • D. An IGW

Answer

DHCP option set

  1. Allows customers to define DNS servers for DNS name resolution
  2. Establishes domain names for instances within an Amazon VPC
  3. Defines NTP servers
  4. Defines the NetBIOS name servers

Amazon VPC resource to use for EC2-VPC instances to send traffic directly to Amazon S3

Question

  1. Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3?

    • A. Amazon S3 gateway
    • B. IGW
    • C. CGW
    • D. VPC endpoint

Answer

  1. Endpoint
    • Understand what endpoints provide to an Amazon VPC.
    • An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, a VPN connection, or AWS Direct Connect.
    • Endpoints support services within the region only.
