AWS Certified Solutions Architect Exam Guide – Chapter-4

Understand what a VPC is and its core and optional components.
An Amazon VPC is a logically isolated network in the AWS Cloud. An Amazon VPC is made up of the following core elements: subnets (public, private, and VPN-only), route tables, DHCP option sets, security groups, and network ACLs. Optional elements include an IGW, EIP addresses, endpoints, peering connection, NAT instances, VPGs, CGWs, and VPN connections.

Understand the purpose of a subnet.
A subnet is a segment of an Amazon VPC’s IP address range where you can place groups of isolated resources. Subnets are defined by CIDR blocks—for example, 10.0.1.0/24 and 10.0.2.0/24—and are contained within an Availability Zone.

Identify the difference between a public subnet, a private subnet, and a VPN-Only subnet.
If a subnet’s traffic is routed to an IGW, the subnet is known as a public subnet. If a subnet doesn’t have a route to the IGW, the subnet is known as a private subnet. If a subnet doesn’t have a route to the IGW, but has its traffic routed to a VPG, the subnet is known as a VPN-only subnet.

Understand the purpose of a route table.
A route table is a set of rules (called routes) that are used to determine where network traffic is directed. A route table allows Amazon EC2 instances within different subnets to communicate with each other (within the same Amazon VPC). The Amazon VPC router also enables subnets, IGWs, and VPGs to communicate with each other.

Understand the purpose of an IGW.
An IGW is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. IGWs are fully redundant and have no bandwidth constraints. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic and performs network address translation for instances that have been assigned public IP addresses.

Understand what DHCP option sets provide to an Amazon VPC.
The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignment to your own resources. You can specify the domain name for instances within an Amazon VPC and identify the IP addresses of custom DNS servers, NTP servers, and NetBIOS servers.

Know the difference between an Amazon VPC public IP address and an EIP address.
A public IP address is an AWS-owned IP that can be automatically assigned to instances launched within a subnet. An EIP address is an AWS-owned public IP address that you allocate to your account and assign to instances or network interfaces on demand.

Understand what endpoints provide to an Amazon VPC.
An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, a VPN connection, or AWS Direct Connect. Endpoints support services within the region only.

Understand Amazon VPC peering.
An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. Peering connections are created through a request/accept protocol. Transitive peering is not supported, and peering is only available between Amazon VPCs within the same region.

Know the difference between a security group and a network ACL.
A security group applies at the instance level. You can have multiple instances in multiple subnets that are members of the same security groups. Security groups are stateful, which means that return traffic is automatically allowed, regardless of any outbound rules. A network ACL is applied on a subnet level, and traffic is stateless. You need to allow both inbound and outbound traffic on the network ACL in order for Amazon EC2 instances in a subnet to be able to communicate over a particular protocol.
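The stateful/stateless distinction above is easiest to see by running both kinds of filter over the same HTTP request and its reply. The following is an added example, not code from the book: a small simulation in which a security group records admitted flows and lets the reverse packet through, while a network ACL judges every packet on its own direction's numbered rules with a default deny. The packets, addresses, and rule numbers are constructed for the demonstration.

```python
"""Added example (not from the book): a small simulation of the stateful
security group versus the stateless network ACL described above, run over
a constructed HTTP exchange. Packet values and rule numbers are made up."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = toward the instance/subnet, "out" = leaving it


def _matches(cidr: str, port_range: tuple, peer_ip: str, dst_port: int) -> bool:
    lo, hi = port_range
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(cidr) and lo <= dst_port <= hi


class SecurityGroup:
    """Instance-level, stateful, allow rules only (no deny rules exist)."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound      # list of (cidr, (low_port, high_port))
        self.outbound = outbound
        self.flows = set()          # admitted (src_ip, src_port, dst_ip, dst_port)

    def allows(self, p: Packet) -> bool:
        # Stateful: a packet travelling the reverse path of an admitted flow
        # is allowed regardless of the rules for its own direction.
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows:
            return True
        rules = self.inbound if p.direction == "in" else self.outbound
        peer = p.src_ip if p.direction == "in" else p.dst_ip
        for cidr, port_range in rules:
            if _matches(cidr, port_range, peer, p.dst_port):
                self.flows.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
                return True
        return False


class NetworkAcl:
    """Subnet-level, stateless: every packet is judged on its own direction's
    numbered rules, lowest number first, first match wins, default deny."""

    def __init__(self, inbound, outbound):
        # rules: (rule_number, cidr, (low_port, high_port), "allow" | "deny")
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    def allows(self, p: Packet) -> bool:
        rules = self.inbound if p.direction == "in" else self.outbound
        peer = p.src_ip if p.direction == "in" else p.dst_ip
        for _number, cidr, port_range, action in rules:
            if _matches(cidr, port_range, peer, p.dst_port):
                return action == "allow"
        return False  # the implicit "*" deny rule at the end of every NACL


# Constructed web request and its reply: a client on a documentation-range
# address talks to a web server at 192.168.1.20 in the public subnet.
REQUEST = Packet("203.0.113.10", 50123, "192.168.1.20", 80, "in")
REPLY = Packet("192.168.1.20", 80, "203.0.113.10", 50123, "out")

ANY = "0.0.0.0/0"
HTTP = (80, 80)
EPHEMERAL = (1024, 65535)  # the client-side ports that replies are sent to


def http_exchange(filt) -> tuple:
    """Return (request_allowed, reply_allowed) for one filter object."""
    return filt.allows(REQUEST), filt.allows(REPLY)


if __name__ == "__main__":
    # Security group: one inbound rule is enough; the reply rides on state.
    print("SG:", http_exchange(SecurityGroup([(ANY, HTTP)], [])))
    # NACL with only an inbound rule: the reply is dropped on the way out.
    print("NACL inbound only:", http_exchange(NetworkAcl([(100, ANY, HTTP, "allow")], [])))
    # NACL with the outbound ephemeral-port rule that makes the exchange work.
    print("NACL both ways:", http_exchange(
        NetworkAcl([(100, ANY, HTTP, "allow")], [(100, ANY, EPHEMERAL, "allow")])))
```

The second case is the one the paragraph warns about: a NACL that allows inbound port 80 but has no outbound rule for the ephemeral port range silently drops every reply. The simulation also shows why a NACL is the place for an explicit deny of an unwanted source range (a lower-numbered "deny" rule wins), which a security group cannot express because it has allow rules only.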

Understand what a NAT provides to an Amazon VPC.
A NAT instance or NAT gateway enables instances in a private subnet to initiate outbound traffic to the Internet. This allows outbound Internet communication to download patches and updates, for example, but prevents the instances from receiving inbound traffic initiated by someone on the Internet.

Understand the components needed to establish a VPN connection from a network to an Amazon VPC.
A VPG is the VPN concentrator on the AWS side of the VPN connection between the two networks. A CGW represents a physical device or a software application on the customer’s side of the VPN connection. The VPN connection must be initiated from the CGW side, and the connection consists of two IPSec tunnels.

Exercises
The best way to become familiar with Amazon VPC is to build your own custom Amazon VPC and then deploy Amazon EC2 instances into it, which is what you’ll be doing in this section. You should repeat these exercises until you can create and decommission Amazon VPCs with confidence.
For assistance completing these exercises, refer to the Amazon VPC User Guide located at http://aws.amazon.com/documentation/vpc/.

EXERCISE 4.1
Create a Custom Amazon VPC

  1. Sign in to the AWS Management Console as an administrator or power user.
  2. Select the Amazon VPC icon to launch the Amazon VPC Dashboard.
  3. Create an Amazon VPC with a CIDR block equal to 192.168.0.0/16, a name tag of My First VPC, and default tenancy.
    You have created your first custom VPC.

EXERCISE 4.2
Create Two Subnets for Your Custom Amazon VPC

  1. Create a subnet with a CIDR block equal to 192.168.1.0/24 and a name tag of My First Public Subnet. Create the subnet in the Amazon VPC from Exercise 4.1, and specify an Availability Zone for the subnet (for example, US-East-1a).
  2. Create a subnet with a CIDR block equal to 192.168.2.0/24 and a name tag of My First Private Subnet. Create the subnet in the Amazon VPC from Exercise 4.1, and specify a different Availability Zone for the subnet than previously specified (for example, US-East-1b).
    You have now created two new subnets, each in its own Availability Zone. It’s important to remember that one subnet equals one Availability Zone. You cannot stretch a subnet across multiple Availability Zones.

EXERCISE 4.3
Connect Your Custom Amazon VPC to the Internet and Establish Routing
For assistance with this exercise, refer to the Amazon EC2 key pair documentation at:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
For additional assistance with this exercise, refer to the NAT instances documentation at:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATInstance

  1. Create an Amazon EC2 key pair in the same region as your custom Amazon VPC.
  2. Create an IGW with a name tag of My First IGW and attach it to your custom Amazon VPC.
  3. Add a route to the main route table for your custom Amazon VPC that directs Internet traffic (0.0.0.0/0) to the IGW.
  4. Create a NAT gateway, place it in the public subnet of your custom Amazon VPC, and assign it an EIP.
  5. Create a new route table with a name tag of My First Private Route Table and place it within your custom Amazon VPC. Add a route to it that directs Internet traffic (0.0.0.0/0) to the NAT gateway and associate it with the private subnet.
    You have now created a connection to the Internet for resources within your Amazon VPC. You established routing rules that direct Internet traffic to the IGW regardless of the originating subnet.
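The VPC built in Exercises 4.1 through 4.3 can be written down as data and checked against the rules this chapter states: the CIDR must lie between /16 and /28, each subnet must fall inside the VPC block and not overlap another, and a subnet's type follows from the target of its route table's 0.0.0.0/0 route (the public/private/VPN-only rule given earlier). The following is an added example, not code from the book or from AWS; the route tables, Availability Zones, and resource IDs (igw-PLACEHOLDER, nat-PLACEHOLDER, vgw-PLACEHOLDER) are constructed placeholders, and the five reserved addresses per subnet are the AWS reservation the chapter's review questions rely on.

```python
"""Added example (not from the book): model the VPC built in Exercises 4.1-4.3
as data and check it the way the chapter reasons about it. Subnet type comes
from the route table's 0.0.0.0/0 target. All IDs and route tables below are
constructed placeholders."""
import ipaddress
from dataclasses import dataclass, field

VPC_LARGEST_PREFIX = 16      # /16 is the largest block a VPC may have
VPC_SMALLEST_PREFIX = 28     # /28 is the smallest block (VPC or subnet)
AWS_RESERVED_PER_SUBNET = 5  # first four addresses and the last one in every subnet


@dataclass
class RouteTable:
    name: str
    routes: dict  # destination CIDR -> target ("local", "igw-...", "nat-...", "vgw-...")


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str  # a subnet lives in exactly one Availability Zone
    route_table: RouteTable


@dataclass
class Vpc:
    cidr: str
    subnets: list = field(default_factory=list)


def subnet_type(subnet: Subnet) -> str:
    """Chapter rule: default route to an IGW -> public; to a VPG -> VPN-only;
    otherwise (no default route, or one via a NAT gateway) -> private."""
    target = subnet.route_table.routes.get("0.0.0.0/0", "")
    if target.startswith("igw-"):
        return "public"
    if target.startswith("vgw-"):
        return "vpn-only"
    return "private"


def usable_addresses(cidr: str) -> int:
    """Addresses left for instances after the five AWS reserves in a subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate(vpc: Vpc) -> list:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    try:
        net = ipaddress.ip_network(vpc.cidr, strict=True)
    except ValueError as exc:
        return [f"VPC CIDR {vpc.cidr}: {exc}"]
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        problems.append(f"VPC {vpc.cidr}: prefix must be between /16 and /28")
    seen = []
    for s in vpc.subnets:
        try:
            snet = ipaddress.ip_network(s.cidr, strict=True)
        except ValueError as exc:
            problems.append(f"subnet {s.name}: {exc}")
            continue
        if snet.prefixlen > VPC_SMALLEST_PREFIX:
            problems.append(f"subnet {s.name}: smaller than /28")
        if not snet.subnet_of(net):
            problems.append(f"subnet {s.name}: {s.cidr} is outside VPC {vpc.cidr}")
        for other_name, other in seen:
            if snet.overlaps(other):
                problems.append(f"subnet {s.name} overlaps {other_name}")
        seen.append((s.name, snet))
        # every route table carries the VPC's own CIDR as a "local" route
        if s.route_table.routes.get(vpc.cidr) != "local":
            problems.append(f"route table {s.route_table.name}: missing local route")
    return problems


def summarize(vpc: Vpc) -> dict:
    """Map each subnet name to its type, for a quick design review."""
    return {s.name: subnet_type(s) for s in vpc.subnets}


# Constructed data mirroring Exercises 4.1-4.3 (resource IDs are placeholders).
MAIN_RT = RouteTable("main", {"192.168.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"})
PRIVATE_RT = RouteTable("My First Private Route Table",
                        {"192.168.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"})
EXERCISE_VPC = Vpc("192.168.0.0/16", [
    Subnet("My First Public Subnet", "192.168.1.0/24", "us-east-1a", MAIN_RT),
    Subnet("My First Private Subnet", "192.168.2.0/24", "us-east-1b", PRIVATE_RT),
])

if __name__ == "__main__":
    print(summarize(EXERCISE_VPC))
    print("problems:", validate(EXERCISE_VPC))
    print("usable addresses in a /24:", usable_addresses("192.168.1.0/24"))
```

Note that the private subnet stays "private" even though it has a default route: its target is the NAT gateway, not the IGW, which is exactly the distinction the exercise's two route tables establish.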

EXERCISE 4.4
Launch an Amazon EC2 Instance and Test the Connection to the Internet

  1. Launch a t2.micro Amazon Linux AMI as an Amazon EC2 instance into the public subnet of your custom Amazon VPC. Give it a name tag of My First Public Instance, and select the newly-created key pair for secure access to the instance.
  2. Securely access the Amazon EC2 instance in the public subnet via SSH with the newly-created key pair.
  3. Execute an update to the operating system instance libraries by executing the following command:

sudo yum update -y

  4. You should see output showing the instance downloading software from the Internet and installing it.
    You have now provisioned an Amazon EC2 instance in a public subnet. You can apply patches to the Amazon EC2 instance in the public subnet, and you have demonstrated connectivity to the Internet.

Review Questions

What is the minimum size subnet that you can have in an Amazon VPC?

  • /24
  • /26
  • /28
  • /30

You are a solutions architect working for a large travel company that is migrating its existing server estate to AWS. You have recommended that they use a custom Amazon VPC, and they have agreed to proceed. They will need a public subnet for their web servers and a private subnet in which to place their databases. They also require that the web servers and database servers be highly available and that there be a minimum of two web servers and two database servers each. How many subnets should you have to maintain high availability?

  • 2
  • 3
  • 4
  • 1

Which of the following is an optional security control that can be applied at the subnet layer of a VPC?

  • Network ACL
  • Security Group
  • Firewall
  • Web application firewall

What is the maximum size IP address range that you can have in an Amazon VPC?

  • /16
  • /24
  • /28
  • /30

You create a new subnet and then add a route to your route table that routes traffic out from that subnet to the Internet using an IGW. What type of subnet have you created?

  • An internal subnet
  • A private subnet
  • An external subnet
  • A public subnet

What happens when you create a new Amazon VPC?

  • A main route table is created by default.
  • Three subnets are created by default—one for each Availability Zone.
  • Three subnets are created by default in one Availability Zone.
  • An IGW is created by default.

You create a new VPC in US-East-1 and provision three subnets inside this Amazon VPC. Which of the following statements is true?

  • By default, these subnets will not be able to communicate with each other; you will need to create routes.
  • All subnets are public by default.
  • All subnets will be able to communicate with each other by default.
  • Each subnet will have identical CIDR blocks.

How many IGWs can you attach to an Amazon VPC at any one time?

  • 1
  • 2
  • 3
  • 4

What aspect of an Amazon VPC is stateful?

  • Network ACLs
  • Security groups
  • Amazon DynamoDB
  • Amazon S3

You have created a custom Amazon VPC with both private and public subnets. You have created a NAT instance and deployed this instance to a public subnet. You have attached an EIP address and added your NAT to the route table. Unfortunately, instances in your private subnet still cannot access the Internet. What may be the cause of this?

  • Your NAT is in a public subnet, but it needs to be in a private subnet.
  • Your NAT should be behind an Elastic Load Balancer.
  • You should disable source/destination checks on the NAT.
  • Your NAT has been deployed on a Windows instance, but your other instances are Linux. You should redeploy the NAT onto a Linux instance.

Which of the following will occur when an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance in an Amazon VPC with an associated EIP is stopped and started? (Choose 2 answers)

  • The EIP will be dissociated from the instance.
  • All data on instance-store devices will be lost.
  • All data on Amazon EBS devices will be lost.
  • The ENI is detached.
  • The underlying host for the instance is changed.

How many VPC Peering connections are required for four VPCs located within the same AWS region to be able to send traffic to each of the others?

  • 3
  • 4
  • 5
  • 6

Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS?

  • A VPC peering connection
  • A DHCP option set
  • A routing rule
  • An IGW

Which of the following is the Amazon side of an Amazon VPN connection?

  • An EIP
  • A CGW
  • An IGW
  • A VPG

What is the default limit for the number of Amazon VPCs that a customer may have in a region?

  • 5
  • 6
  • 7
  • There is no default maximum number of VPCs within a region.

You are responsible for your company’s AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates the source of the traffic is scanning for open ports on your EC2-VPC instances. Which one of the following resources can deny the traffic from reaching the instances?

  • Security group
  • Network ACL
  • NAT instance
  • An Amazon VPC endpoint

Which of the following is the security protocol supported by Amazon VPC?

  • SSH
  • Advanced Encryption Standard (AES)
  • Point-to-Point Tunneling Protocol (PPTP)
  • IPsec

Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3?

  • Amazon S3 gateway
  • IGW
  • CGW
  • VPC endpoint

What properties of an Amazon VPC must be specified at the time of creation? (Choose 2 answers)

  • The CIDR block representing the IP address range
  • One or more subnets for the Amazon VPC
  • The region for the Amazon VPC
  • Amazon VPC Peering relationships

Which Amazon VPC feature allows you to create a dual-homed instance?

  • EIP address
  • ENI
  • Security groups
  • CGW
Rajesh Kumar