AWS EC2 Network Features – Certification

EC2 Network Features

EC2 Network covers a lot of features for High Performance Computing, Ehanced Networking, low latency access

EC2 and VPC

  • All the EC2 instance types can be launched in a VPC
  • Instance types C4, M4 & T2 are available in VPC only and cannot be launched in EC2-Classic
  • Launching an EC2 instance within an VPC provides the following benefits
    • Assign static private IP addresses to instances that persist across starts and stops
    • Assign multiple IP addresses to your instances
    • Define network interfaces, and attach one or more network interfaces to the instances
    • Change security group membership for the instances while they’re running
    • Control the outbound traffic from the instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)
    • Add an additional layer of access control to your instances in the form of network access control lists (ACL)
    • Run the instances on single-tenant dedicated hardware

EC2 Instance IP Addressing

  • Private IP address & Internal DNS Hostnames
    • Private IP address is the IP address that’s not reachable over the internet and can be resolved only within the network
    • When an instance is launched, the default network interface eth0 is assigned a private IP address and an internal DNS hostname which resolves to the private IP address and can be used for communication between the instances in the same network only
    • Private IP address and DNS hostname cannot be resolved outside the network that the instance is in
    • Private IP address behaviour
      • remains associated with the Instance when it is stopped or rebooted
      • is disassociated only when the instance is terminated
    • An instance when launched can be assigned a private IP address or EC2 will automatically assign an IP address to the instance within the address range of the subnet
    • An additional private IP addresses, known as secondary private IP addresses can also be assigned. Unlike primary private IP addresses, secondary private IP addresses can be reassigned from one instance to another.
  • Public IP address and External DNS hostnames
    • A public IP address is reachable from the Internet
    • Each instance assigned a public IP address is also given an External DNS hostname. External DNS hostname resolves to the public IP address outside the network and to the private IP address within the network.
    • Public IP address is associated with the primary Private IP address through NAT
    • Within a VPC, an instance may or may not be assigned a public IP address depending upon the subnet Assign Public IP attribute
    • Public IP address assigned to the pool is from the public IP address pool and is assigned to the instance, and not to the AWS account. It cannot be reused once disassociated and is released back to the pool
    • Public IP address behaviour
      • cannot be manually associated or disassciated with an instance
      • is released when an instance is stopped or terminated. Stopped instance when started receives a new public IP address
      • is released when an instance is assigned an Elastic IP address
      • is not assigned if there are more than one network interface attached to the instance
  • Multipe Private IP addresses
    • In EC2-VPC, multiple private IP addresses can be specified to the instances.
    • This can be useful in the following cases
      • Host multiple websites on a single server by using multiple SSL certificates on a single server and associating each certificate with a specific IP address.
      • Operate network appliances, such as firewalls or load balancers, that have multiple private IP addresses for each network interface.
      • Redirect internal traffic to a standby instance in case the instance fails, by reassigning the secondary private IP address to the standby instance.
    • Multiple IP addresses work with Network Interfaces
      • Secondary IP address can be assigned to any network interface, which can be attached or detached from an instance
      • Secondary IP address must be assigned from the CIDR block range of the subnet for the network interface
      • Security groups apply to network interfaces and not to IP addresses
      • Secondary private IP addresses can be assigned and unassigned to ENIs attached to running or stopped instances.
      • Secondary private IP addresses that are assigned to a network interface can be reassigned to another one if you explicitly allow it.
      • Primary private IP addresses, secondary private IP addresses, and any associated Elastic IP addresses remain with the network interface when it is detached from an instance or attached to another instance.
      • Although primary network interface cannot be moved from an instance, the secondary private IP address of the primary network interface can be reassigned to another network interface.

Elastic IP Addresses

  • An Elastic IP address is a static IP address designed for dynamic cloud computing.
  • Elastic IP address can help mask the failure of an instance or software by rapidly remapping the address to another instance in your account.
  • Elastic IP address is associated with the AWS account, not to a particular instance, and it remains associated with the account until released explicitly
  • When an instance is launched in the default vpc, it is assigned 2 IP address, a private and a public IP address, which is mapped to the private IP address through NAT
  • An instance launched in a non default vpc is assigned only a private IP address unless a public address is specifically requested or the subnet public ip attribute is enabled
  • For an instance, without a public IP address, to communicate to internet it must be assigned an Elastic IP address
  • When an Elastic IP address is assigned to an instance, the public IP address is disassociated with the instance
  • When the Elastic IP address is dissociated the public IP address is assigned back to the instance. However, if secondary network interface is attached to the instance, public IP address is not automatically assigned
  • Elastic IP addresses are not charged when associated with a running instance
  • However, Amazon imposes a small hourly fee for an unused Elastic IP address to ensure efficient use of Elastic IP addresses. So charges would be applied if it is not associated or associated to an instance in stopped state or associated to an unattached network interface.
  • All AWS accounts are limited to 5 EIPs (soft limit), because public (IPv4) Internet addresses are a scarce public resource

EC2 Classic, Default & Non Default Subnet Comparision

Elastic Network Interfaces (ENI)

  • Elastic Network Interfaces (ENIs) are virtual network interfaces that can be attached to the instances running in an VPC only
  • ENI consists of the following
    • A primary private IP address.
    • One or more secondary private IP addresses
    • One Elastic IP address per private IP address.
    • One public IP address, which can be auto-assigned to the elastic network interface for eth0 when an instance is launched, but only when elastic network interface for eth0 is created instead of using an existing network interface.
    • One or more security groups.
    • A MAC address.
    • A source/destination check flag.
    • A description.
  • ENI can be created without being attached to an instance
  • ENI can be attached to an instance, detached from that instance and attached to an other instance. Attributes of an ENI like elastic IP address, private IP address follow the ENI and when moved from one instance to an other instance & all traffic to the ENI will be routed to the new instance.
  • An instance in a VPC always has a default primary ENI attached (eth0) with a private ip address assigned from vpc range and cannot be detached
  • Additional ENI (eth1-ethn) can be attached to the instance and the number varies depending upon the instance type
  • Most important difference between eth0 and eth1 is that eth0 cannot be dynamically attached or detached from a running instance. Primary ENIs (eth0) are created automatically when an EC2 instance is launched and are also deleted automatically when the instance is terminated unless the administrator has changed a property of the ENI to keep it alive afterward
  • Multiple elastic network interfaces are useful for use cases:
    • Create a management network
      • Primary ENI eth0 handles backend with more restrictive control
      • Secondary ENI eth1 handles the public facing traffic
    • Licensing authentication
      • Fixed MAC address associated with a license authentication
    • Use network and security appliances in your VPC
      • configure a third party network and security appliances (load balancers, NAT, proxy) with the secondary ENI
    • Create dual-homed instances with workloads/roles on distinct subnets.
    • Create a low-budget, high-availability solution
      • If one of the instances serving a particular function fails, its elastic network interface can be attached to a replacement or hot standby instance pre-configured for the same role in order to rapidly recover the service
      • As the interface maintains its private IP, EIP, and MAC address, network traffic will begin flowing to the standby instance as soon as it is attached to the replacement instance
  • ENI Best Practices
    • ENI can be attached to an instance when it’s running (hot attach), when it’s stopped (warm attach), or when the instance is being launched (cold attach).
    • Primary (eth0) interface can’t be detached
    • Secondary (ethN) ENI can be detached when the instance is running or stopped.
    • ENI in one subnet can be attached to an instance in another subnet, but the same AZ and same VPC
  • When launching an instance from the CLI or API, both the primary (eth0) and additional elastic network interfaces can be specified
  • Launching an Amazon Linux or Microsoft Windows Server instance with multiple network interfaces automatically configures interfaces, private IP addresses, and route tables on the operating system of the instance.
  • A warm or hot attach of an additional ENI may require bringing up the second interface manually, configure the private IP address, and modify the route table accordingly.
  • Instances running Amazon Linux or Microsoft Windows Server automatically recognize the warm or hot attach and configure themselves.
  • Attaching another ENI to an instance is not a method to increase or double the network bandwidth to or from the dual-homed instance.

Placement Groups

Refer to My Blog Post about Placement Groups

Network MTU

  • Maximum Transmission Unit (MTU) of a network connection is the size, in bytes, of the largest permissible packet that can be transferred over the connection.
  • Larger the MTU of the connection the more the data can be transferred in a single packet
  • Largest ethernet packet size supported over most of the internet is 1500 MTU
  • All Amazon EC2 instance types support 1500 MTU, and many current instance sizes support 9001 MTU, or Jumbo frames.
    • Compute optimized: C3, C4, CC2
    • General purpose: M3, M4, T2
    • GPU: CG1, G2
    • Memory optimized: CR1, R3
    • Storage optimized: D2, HI1, HS1, I2
  • Jumbo frames are Ethernet frames that allow more than 1500 bytes of data by increasing the payload size per packet, and thus increasing the percentage of the packet that is not packet overhead.
  • Jumbo frames should be used with caution for Internet-bound traffic or any traffic that leaves a VPC. Packets are fragmented by intermediate systems, which slows down this traffic.
  • For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible, and they are recommended in this case

Enhanced Networking

Refer to Blog Post about EC2 Enhanced Networking

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. A user is launching an EC2 instance in the US East region. Which of the below mentioned options is recommended by AWS with respect to the selection of the availability zone?
    1. Always select the US-East-1-a zone for HA
    2. Do not select the AZ; instead let AWS select the AZ
    3. The user can never select the availability zone while launching an instance
    4. Always select the AZ while launching an instance
  2. You have multiple Amazon EC2 instances running in a cluster across multiple Availability Zones within the same region. What combination of the following should be used to ensure the highest network performance (packets per second), lowest latency, and lowest jitter? Choose 3 answers
    1. Amazon EC2 placement groups (would not work for multiple AZs)
    2. Enhanced networking (provides network performance, lowest latency)
    3. Amazon PV AMI
    4. Amazon HVM AMI
    5. Amazon Linux
    6. Amazon VPC (Enhanced networking works only in VPC)
  3. Regarding the attaching of ENI to an instance, what does ‘warm attach’ refer to?
    1. Attaching an ENI to an instance when it is stopped
    2. Attaching an ENI to an instance when it is running
    3. Attaching an ENI to an instance during the launch process
  4. Can I detach the primary (eth0) network interface when the instance is running or stopped?
    1. Yes, You can.
    2. You cannot
    3. Depends on the state of the interface at the time
  5. By default what are ENIs that are automatically created and attached to instances using the EC2 console set to do when the attached instance terminates?
    1. Remain as is
    2. Terminate
    3. Hibernate
    4. Pause
  6. Select the incorrect statement
    1. In Amazon EC2, the private IP addresses only returned to Amazon EC2 when the instance is stopped or terminated
    2. In Amazon VPC, an instance retains its private IP addresses when the instance is stopped.
    3. In Amazon VPC, an instance does NOT retain its private IP addresses when the instance is stopped
    4. In Amazon EC2, the private IP address is associated exclusively with the instance for its lifetime
  7. To ensure failover capabilities, consider using a _____ for incoming traffic on a network interface”.
    1. primary public IP
    2. secondary private IP
    3. secondary public IP
    4. add on secondary IP
  8. Which statements are true about Elastic Network Interface (ENI)? (Choose 2 answers)
    1. You can attach an ENI in one AZ to an instance in another AZ
    2. You can change the security group membership of an ENI
    3. You can attach an instance to tow different subnets within a VPC by using two ENIs
    4. You can attach an ENI in one VPC to an instance in another VPC

References

AWS Virtual Private Cloud – VPC – Certification

VPC Overview & Components

  • A virtual private cloud (VPC) is a virtual network dedicated to the AWS account. It is logically isolated from other virtual networks in the AWS cloud.
  • VPC allows the user to select IP address range, create subnets, and configure route tables, network gateways, and security settings.
  • VPC Sizing
    • VPC needs a set of IP addresses in the form of a Classless Inter-Domain Routing (CIDR) block for e.g, 10.0.0.0/16, which allows 2^16 (65536) IP address to be available 
    • Allowed CIDR block size is between
      • /28 netmask (minimum with 2^4 – 16 available IP address) and
      • /16 netmask (maximum with 2^16 – 65536 IP address)
    • CIDR block from private (non-publicly routable) IP address can be assigned
      • 10.0.0.0 – 10.255.255.255 (10/8 prefix)
      • 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
      • 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)
    • It’s possible to specify a range of publicly routable IP addresses; however, direct access to the Internet is not currently supported from publicly routable CIDR blocks in a VPC
    • CIDR block once assigned to the VPC cannot be modified
    • Each VPC is separate from any other VPC created with the same CIDR block even if it resides within the same AWS account
  • VPC allows VPC Peering connections with other VPC within the same or different AWS accounts
  • Connection between your VPC and corporate or home network can be established, however the CIDR blocks should be not be overlapping for e.g. VPC with CIDR 10.0.0.0/16 can communicate with 10.1.0.0/16 corporate network but the connections would be dropped if it tries to connect to 10.0.37.0/16 corporate network cause of overlapping ip addresses.
  • VPC allows you to set tenancy option for the Instances launched in it. By default, the tenancy option is shared. If dedicated option selected, all the instances within it are launched on a dedicated hardware overriding the individual instance tenancy setting
  • Deletion of the VPC is possible only after terminating all instances within the VPC, and deleting all the components with the VPC for e.g. subnets, security groups, network ACLs, route tables, Internet gateways, VPC peering connections, and DHCP options

AWS VPC Components

IP Addresses

Instances launched in the VPC can have Private, Public and Elastic IP address assigned to it and are properties of ENI (Network Interfaces)

  • Private IP Addresses
    • Private IP addresses are not reachable over the Internet, and can be used for communication only between the instances within the VPC
    • All instances are assigned a private IP address, within the IP address range of the subnet, to the default network interface
    • Primary IP address is associated with the network interface for its lifetime, even when the instance is stopped and restarted and is released only when the instance is terminated
    • Additional Private IP addresses, known as secondary private IP address, can be assigned to the instances and these can be reassigned from one network interface to another
  • Public IP address
    • Public IP addresses are reachable over the Internet, and can be used for communication between instances and the Internet, or with other AWS services that have public endpoints
    • Public IP address assignment to the Instance depends if the Public IP Addressing is enabled for the Subnet.
    • Public IP address can also be assigned to the Instance by enabling the Public IP addressing during the creation of the instance, which overrides the subnet’s public IP addressing attribute
    • Public IP address is assigned from AWS pool of IP addresses and it is not associated with the AWS account and hence is released when the instance is stopped and restarted or terminated.
  • Elastic IP address
    • Elastic IP addresses are static, persistent public IP addresses which can be associated and disassociated with the instance, as required
    • Elastic IP address is allocated at an VPC and owned by the account unless released
    • A Network Interface can be assigned either a Public IP or an Elastic IP. If you assign an instance, already having an Public IP, an Elastic IP, the public IP is released
    • Elastic IP addresses can be moved from one instance to another, which can be within the same or different VPC within the same account
    • Elastic IP are charged for non usage i.e. if it is not associated or associated with a stopped instance or an unattached Network Interface

Elastic Network Interface (ENI)

  • Each Instance is attached with default elastic network interface (Primary Network Interface eth0) and cannot be detached from the instance
  • ENI has the following attributes
    • Primary private IP address
    • One or more secondary private IP addresses
    • One Elastic IP address per private IP address
    • One public IP address, which can be auto-assigned to the network interface for eth0 when you launch an instance, but only when you create a network interface for eth0 instead of using an existing ENI
    • One or more security groups
    • A MAC address
    • A source/destination check flag
    • A description
  • ENI’s attributes follow the ENI as it is attached or detached from an instance and reattached to another instance. When an ENI is moved from one instance to another, network traffic is redirected to the new instance.
  • Multiple ENIs can be attached to an instance and is useful for use cases:
    • Create a management network.
    • Use network and security appliances in your VPC.
    • Create dual-homed instances with workloads/roles on distinct subnets.
    • Create a low-budget, high-availability solution.

Route Tables

  • Route table defines rules, termed as routes, which determine where network traffic from the subnet would be routed
  • Each VPC has a implicit router to route network traffic
  • Each VPC has a Main Route table, and can have multiple custom route tables created
  • Each Subnet within a VPC must be associated with a single route table at a time, while a route table can have multiple subnets associated with it
  • Subnet, if not explicitly associated to a route table, is implicitly associated with the main route table
  • Every route table contains a local route that enables communication within a VPC which cannot be modified or deleted
  • Route priority is decided by matching the most specific route in the route table that matches the traffic
  • Route tables needs to be updated to defined routes for Internet gateways, Virtual Private gateways, VPC Peering, VPC Endpoints, NAT Device etc.

Internet Gateways – IGW

  • An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in the VPC and the Internet.
  • IGW imposes no availability risks or bandwidth constraints on the network traffic.
  • An Internet gateway serves two purposes:
    • To provide a target in the VPC route tables for Internet-routable traffic,
    • To perform network address translation (NAT) for instances that have been assigned public IP addresses.
  • Enabling Internet access to an Instance requires
    • Attaching Internet gateway to the VPC
    • Subnet should have route tables associated with the route pointing to the Internet gateway
    • Instances should have a Public IP or Elastic IP address assigned
    • Security groups and NACLs associated with the Instance should allow relevant traffic

NAT

NAT device enables instances in a private subnet to connect to the Internet or other AWS services, but prevents the Internet from initiating connections with the instances.

Refer to My Blog Post about VPC NAT

VPC Security

Security within a VPC is provided through

  • Security groups – Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level
  • Network access control lists (ACLs) – Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level
  • Flow logs – Capture information about the IP traffic going to and from network interfaces in your VPC

Security Groups & NACLs

Refer to My Blog Post about AWS Security vs NACLs

Flow logs

  • VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in the VPC and can help in monitoring the traffic or troubleshooting any connectivity issues
  • Flow log data is stored using Amazon CloudWatch Logs
  • Flow log can be created for the entire VPC, subnets or each network interface. If enabled, for entire VPC or subnet all the network interfaces are monitored
  • Flow logs do not capture real-time log streams for network interfaces.
  • Flow logs can be created for network interfaces that are created by other AWS services; for example, Elastic Load Balancing, RDS, ElastiCache, Redshift, and WorkSpaces

Subnets

  • Subnet spans a single Availability Zone, distinct locations engineered to be isolated from failures in other AZs, and cannot span across AZs
  • Subnet can be configured with an Internet gateway to enable communication over the Internet, or virtual private gateway (VPN) connection to enable communication with your corporate network
  • Subnet can be Public or Private and it depends on whether it has Internet connectivity i.e. is able to route traffic to the Internet through the IGW
  • Instances within the Public Subnet should be assigned a Public IP or Elastic IP address to be able to communicate with the Internet
  • For Subnets not connected to the Internet, but has traffic routed through Virtual Private Gateway only is termed as VPN-only subnet
  • Subnets can be configured to Enable assignment of the Public IP address to all the Instances launched within the Subnet by default, which can be overridden during the creation of the Instance
  • Subnet Sizing
    • CIDR block assigned to the Subnet can be the same as the VPC CIDR, in this case you can launch only one subnet within your VPC
    • CIDR block assigned to the Subnet can be a subset of the VPC CIDR, which allows you to launch multiple subnets within the VPC
    • CIDR block assigned to the subnet should not be overlapping
    • CIDR block size allowed is between
      • /28 netmask (minimum with 2^4 – 16 available IP address) and
      • /16 netmask (maximum with 2^16 – 65536 IP address)
    • AWS reserves 5 IPs address (first 4 and last 1 IP address) in each Subnet which are not available for use and cannot be assigned to an instance. for e.g. for a Subnet with a CIDR block 10.0.0.0/24 the following five IPs are reserved
      • 10.0.0.0: Network address
      • 10.0.0.1: Reserved by AWS for the VPC router
      • 10.0.0.2: Reserved by AWS for mapping to Amazon-provided DNS
      • 10.0.0.3: Reserved by AWS for future use
      • 10.0.0.255: Network broadcast address. AWS does not support broadcast in a VPC, therefore the address is reserved.
  • Subnet Routing
    • Each Subnet is associated with a route table which controls the traffic.
  • Subnet Security
    • Subnet security can be configured using Security groups and NACLs
    • Security groups works at instance level, NACLs work at the subnet level

VPC Endpoints

Refer to My Blog Post about VPC Endpoint

VPC Peering

Refer to My Blog Post about VPC Peering

VPC VPN Connections & CloudHub

Refer to My Blog Post about AWS VPC VPN CloudHub Connections

AWS Certification Exam Practice Questions

  • Questions are collected from Internet and the answers are marked as per my knowledge and understanding (which might differ with yours).
  • AWS services are updated everyday and both the answers and questions might be outdated soon, so research accordingly.
  • AWS exam questions are not updated to keep up the pace with AWS updates, so even if the underlying feature has changed the question might not be updated
  • Open to further feedback, discussion and correction.
  1. You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? Choose 2 answers
    1. Configure web server VPC security groups to allow traffic from your customers’ IPs
    2. Configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header
    3. Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
    4. Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic
  2. A user has created a VPC with public and private subnets using the VPC Wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. Which of the below mentioned entries are required in the main route table to allow the instances in VPC to communicate with each other?
    1. Destination : 20.0.0.0/24 and Target : VPC
    2. Destination : 20.0.0.0/16 and Target : ALL
    3. Destination : 20.0.0.0/0 and Target : ALL
    4. Destination : 20.0.0.0/16 and Target : Local
  3. A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the internet?
    1. Use the internet gateway with a private IP
    2. Allow outbound traffic in the security group for port 80 to allow internet updates
    3. The private subnet can never connect to the internet
    4. Use NAT with an elastic IP
  4. A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is true in this scenario?
    1. AWS VPC will automatically create a NAT instance with the micro size
    2. VPC bounds the main route table with a private subnet and a custom route table with a public subnet
    3. User has to manually create a NAT instance
    4. VPC bounds the main route table with a public subnet and a custom route table with a private subnet
  5. A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group?
    1. For Inbound allow Source: 20.0.1.0/24 on port 80
    2. For Outbound allow Destination: 0.0.0.0/0 on port 80
    3. For Inbound allow Source: 20.0.0.0/24 on port 80
    4. For Outbound allow Destination: 0.0.0.0/0 on port 443
  6. A user has created a VPC with CIDR 20.0.0.0/24. The user has used all the IPs of CIDR and wants to increase the size of the VPC. The user has two subnets: public (20.0.0.0/25) and private (20.0.0.128/25). How can the user change the size of the VPC?
    1. The user can delete all the instances of the subnet. Change the size of the subnets to 20.0.0.0/32 and 20.0.1.0/32, respectively. Then the user can increase the size of the VPC using CLI
    2. It is not possible to change the size of the VPC once it has been created
    3. User can add a subnet with a higher range so that it will automatically increase the size of the VPC
    4. User can delete the subnets first and then modify the size of the VPC
  7. A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the web server security group (WebSecGrp)?
    1. Configure Destination as DB Security group ID (DbSecGrp) for port 3306 Outbound
    2. Configure port 80 for Destination 0.0.0.0/0 Outbound
    3. Configure port 3306 for source 20.0.0.0/24 InBound
    4. Configure port 80 InBound for source 20.0.0.0/16
  8. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 by mistake. The user is trying to create another subnet of CIDR 20.0.0.1/24. How can the user create the second subnet?
    1. There is no need to update the subnet as VPC automatically adjusts the CIDR of the first subnet based on the second subnet’s CIDR
    2. The user can modify the first subnet CIDR from the console
    3. It is not possible to create a second subnet as one subnet with the same CIDR as the VPC has been created
    4. The user can modify the first subnet CIDR with AWS CLI
  9. A user has setup a VPC with CIDR 20.0.0.0/16. The VPC has a private subnet (20.0.1.0/24) and a public subnet (20.0.0.0/24). The user’s data centre has CIDR of 20.0.54.0/24 and 20.1.0.0/24. If the private subnet wants to communicate with the data centre, what will happen?
    1. It will allow traffic communication on both the CIDRs of the data centre
    2. It will not allow traffic with data centre on CIDR 20.1.0.0/24 but allows traffic communication on 20.0.54.0/24
    3. It will not allow traffic communication on any of the data centre CIDRs
    4. It will allow traffic with data centre on CIDR 20.1.0.0/24 but does not allow on 20.0.54.0/24 (as the CIDR block would be overlapping)
  10. A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24 . The NAT instance ID is i-a12345. Which of the below mentioned entries are required in the main route table attached with the private subnet to allow instances to connect with the internet?
    1. Destination: 0.0.0.0/0 and Target: i-a12345
    2. Destination: 20.0.0.0/0 and Target: 80
    3. Destination: 20.0.0.0/0 and Target: i-a12345
    4. Destination: 20.0.0.0/24 and Target: i-a12345
  11. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user’s data centre. The user’s data centre has CIDR 172.28.0.0/12. The user has also setup a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet. Which of the below mentioned options is not a valid entry for the main route table in this scenario?
    1. Destination: 20.0.1.0/24 and Target: i-12345
    2. Destination: 0.0.0.0/0 and Target: i-12345
    3. Destination: 172.28.0.0/12 and Target: vgw-12345
    4. Destination: 20.0.0.0/16 and Target: local
  12. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 in this VPC. The user is trying to create another subnet with the same VPC for CIDR 20.0.0.1/24. What will happen in this scenario?
    1. The VPC will modify the first subnet CIDR automatically to allow the second subnet IP range
    2. It is not possible to create a subnet with the same CIDR as VPC
    3. The second subnet will be created
    4. It will throw a CIDR overlaps error
  13. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created both Public and VPN-Only subnets along with hardware VPN access to connect to the user’s data centre. The user has not yet launched any instance as well as modified or deleted any setup. He wants to delete this VPC from the console. Will the console allow the user to delete the VPC?
    1. Yes, the console will delete all the setups and also delete the virtual private gateway
    2. No, the console will ask the user to manually detach the virtual private gateway first and then allow deleting the VPC
    3. Yes, the console will delete all the setups and detach the virtual private gateway
    4. No, since the NAT instance is running
  14. A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group (DBSecGrp)?
    1. Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp)
    2. Allow Inbound on port 3306 from source 20.0.0.0/16
    3. Allow Outbound on port 3306 for Destination Web Server Security Group (WebSecGrp.
    4. Allow Outbound on port 80 for Destination NAT Instance IP
  15. A user has created a VPC with a subnet and a security group. The user has launched an instance in that subnet and attached a public IP. The user is still unable to connect to the instance. The internet gateway has also been created. What can be the reason for the error?
    1. The internet gateway is not configured with the route table
    2. The private IP is not present
    3. The outbound traffic on the security group is disabled
    4. The internet gateway is not configured with the security group
  16. A user has created a subnet in VPC and launched an EC2 instance within it. The user has not selected the option to assign the IP address while launching the instance. Which of the below mentioned statements is true with respect to the Instance requiring access to the Internet?
    1. The instance will always have a public DNS attached to the instance by default
    2. The user can directly attach an elastic IP to the instance
    3. The instance will never launch if the public IP is not assigned
    4. The user would need to create an internet gateway and then attach an elastic IP to the instance to connect from internet
  17. A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is not true in this scenario?
    1. VPC will create a routing instance and attach it with a public subnet
    2. VPC will create two subnets
    3. VPC will create one internet gateway and attach it to VPC
    4. VPC will launch one NAT instance with an elastic IP
  18. A user has created a VPC with the public subnet. The user has created a security group for that VPC. Which of the below mentioned statements is true when a security group is created?
    1. It can connect to the AWS services, such as S3 and RDS by default
    2. It will have all the inbound traffic by default
    3. It will have all the outbound traffic by default
    4. It will by default allow traffic to the internet gateway
  19. A user has created a VPC with CIDR 20.0.0.0/16 using VPC Wizard. The user has created a public CIDR (20.0.0.0/24) and a VPN only subnet CIDR (20.0.1.0/24) along with the hardware VPN access to connect to the user’s data centre. Which of the below mentioned components is not present when the VPC is setup with the wizard?
    1. Main route table attached with a VPN only subnet
    2. A NAT instance configured to allow the VPN subnet instances to connect with the internet
    3. Custom route table attached with a public subnet
    4. An internet gateway for a public subnet
  20. A user has created a VPC with public and private subnets using the VPC wizard. The user has not launched any instance manually and is trying to delete the VPC. What will happen in this scenario?
    1. It will not allow to delete the VPC as it has subnets with route tables
    2. It will not allow to delete the VPC since it has a running route instance
    3. It will terminate the VPC along with all the instances launched by the wizard
    4. It will not allow to delete the VPC since it has a running NAT instance
  21. A user has created a public subnet with VPC and launched an EC2 instance within it. The user is trying to delete the subnet. What will happen in this scenario?
    1. It will delete the subnet and make the EC2 instance as a part of the default subnet
    2. It will not allow the user to delete the subnet until the instances are terminated
    3. It will delete the subnet as well as terminate the instances
    4. Subnet can never be deleted independently, but the user has to delete the VPC first
  22. A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25 and a private subnet with CIDR 20.0.0.128/25. The user has launched one instance each in the private and public subnets. Which of the below mentioned options cannot be the correct IP address (private IP) assigned to an instance in the public or private subnet?
    1. 20.0.0.255
    2. 20.0.0.132
    3. 20.0.0.122
    4. 20.0.0.55
  23. A user has created a VPC with CIDR 20.0.0.0/16. The user has created public and VPN only subnets along with hardware VPN access to connect to the user’s datacenter. The user wants to make so that all traffic coming to the public subnet follows the organization’s proxy policy. How can the user make this happen?
    1. Setting up a NAT with the proxy protocol and configure that the public subnet receives traffic from NAT
    2. Setting up a proxy policy in the internet gateway connected with the public subnet
    3. It is not possible to setup the proxy policy for a public subnet
    4. Setting the route table and security group of the public subnet which receives traffic from a virtual private gateway
  24. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user’s data centre. Which of the below mentioned options is a valid entry for the main route table in this scenario?
    1. Destination: 20.0.0.0/24 and Target: vgw-12345
    2. Destination: 20.0.0.0/16 and Target: ALL
    3. Destination: 20.0.1.0/16 and Target: vgw-12345
    4. Destination: 0.0.0.0/0 and Target: vgw-12345
  25. Which two components provide connectivity with external networks? When attached to an Amazon VPC which two components provide connectivity with external networks? Choose 2 answers
    1. Elastic IPs (EIP) (Does not provide connectivity, public IP address will do as well)
    2. NAT Gateway (NAT) (Not Attached to VPC and still needs IGW)
    3. Internet Gateway (IGW)
    4. Virtual Private Gateway (VGW)
  26. You are attempting to connect to an instance in Amazon VPC without success You have already verified that the VPC has an Internet Gateway (IGW) the instance has an associated Elastic IP (EIP) and correct security group rules are in place. Which VPC component should you evaluate next?
    1. The configuration of a NAT instance
    2. The configuration of the Routing Table
    3. The configuration of the internet Gateway (IGW)
    4. The configuration of SRC/DST checking
  27. If you want to launch Amazon Elastic Compute Cloud (EC2) Instances and assign each Instance a predetermined private IP address you should:
    1. Assign a group or sequential Elastic IP address to the instances
    2. Launch the instances in a Placement Group
    3. Launch the instances in the Amazon virtual Private Cloud (VPC)
    4. Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already
    5. Launch the Instance from a private Amazon Machine image (AMI)
  28. A user has recently started using EC2. The user launched one EC2 instance in the default subnet in EC2-VPC Which of the below mentioned options is not attached or available with the EC2 instance when it is launched?
    1. Public IP address
    2. Internet gateway
    3. Elastic IP
    4. Private IP address
  29. A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25. The user is trying to create the private subnet with CIDR 20.0.0.128/25. Which of the below mentioned statements is true in this scenario?
    1. It will not allow the user to create the private subnet due to a CIDR overlap
    2. It will allow the user to create a private subnet with CIDR as 20.0.0.128/25
    3. This statement is wrong as AWS does not allow CIDR 20.0.0.0/25
    4. It will not allow the user to create a private subnet due to a wrong CIDR range
  30. A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH?
    1. Allow Inbound traffic on port 22 from the user’s network
    2. The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
    3. The user can connect to a instance in a private subnet using the NAT instance
    4. Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the Internet
  31. A company wants to implement their website in a virtual private cloud (VPC). The web tier will use an Auto Scaling group across multiple Availability Zones (AZs). The database will use Multi-AZ RDS MySQL and should not be publicly accessible. What is the minimum number of subnets that need to be configured in the VPC?
    1. 1
    2. 2
    3. 3
    4. 4
  32. Which of the following are characteristics of Amazon VPC subnets? Choose 2 answers
    1. Each subnet maps to a single Availability Zone
    2. A CIDR block mask of /25 is the smallest range supported
    3. Instances in a private subnet can communicate with the Internet only if they have an Elastic IP.
    4. By default, all subnets can route between each other, whether they are private or public
    5. Each subnet spans at least 2 Availability zones to provide a high-availability environment
  33. You need to design a VPC for a web-application consisting of an Elastic Load Balancer (ELB). a fleet of web/application servers, and an RDS database The entire Infrastructure must be distributed over 2 availability zones. Which VPC configuration works while assuring the database is not available from the Internet?
    1. One public subnet for ELB one public subnet for the web-servers, and one private subnet for the database
    2. One public subnet for ELB two private subnets for the web-servers, two private subnets for RDS
    3. Two public subnets for ELB two private subnets for the web-servers and two private subnets for RDS
    4. Two public subnets for ELB two public subnets for the web-servers, and two public subnets for RDS

References

AWS_VPC_User_Guide