Question 1:
What does this CIDR 10.0.4.0/28 correspond to?
Answer (1): CIDR notation "/28" indicates a subnet of 16 IP addresses in total, ranging from the starting address 10.0.4.0 to 10.0.4.15, because only the last four bits vary within this subnet. Great job understanding how CIDR notation works!
Question 2:
You have a corporate network of size 10.0.0.0/8 and a satellite office of size 192.168.0.0/16. Which CIDR is acceptable for your AWS VPC if you plan on connecting your networks later on?
Answer (2): It fits within the private IP address range and does not overlap with your existing networks, which is essential for proper routing and connectivity in your AWS VPC. This choice also adheres to the maximum CIDR size requirement in AWS, ensuring effective network management.
How to get the answer: A Step-by-Step Guide
1. Identify the "Taken" Space
First, look at the private IP ranges already in use. According to RFC 1918, there are three main blocks reserved for private networks:
- 10.0.0.0/8: (Used by your Corporate Network)
- 172.16.0.0/12: (Available)
- 192.168.0.0/16: (Used by your Satellite Office)
2. Apply the Rule of Non-Overlap
If you choose a VPC range that sits inside the 10.x.x.x or 192.168.x.x space, your routers won't know where to send a packet.
Example: If your VPC is 10.0.1.0/24 and your Corporate network is 10.0.0.0/8, the Corporate network contains the VPC range. When a computer in the office tries to talk to the VPC, it might think that IP address is just down the hall in the office rather than across the VPN/Direct Connect to AWS.
3. Select from the Remaining Private Space
Since the 10.x and 192.168.x blocks are occupied, the 172.16.0.0/12 block is your remaining candidate. A common choice within it is 172.16.0.0/16, which provides 65,536 IP addresses, plenty for most VPC needs.
Note: A /12 is significantly larger than a /16. In networking, the smaller the prefix number, the larger the network; a /12 contains sixteen /16 networks. AWS simply won't let you enter 172.16.0.0/12 as a VPC CIDR in the console, because a VPC block can be no larger than a /16.
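The three steps above, as an added example that is not part of the original post: it checks a candidate VPC CIDR against the networks you already own, lists the RFC 1918 blocks still free, and proposes the first block AWS would accept (the /16 to /28 limit is the assumption noted above). Only the Python standard library is used.

```python
# Added example (not from the original post): choose a VPC CIDR that does not
# overlap existing networks, using Python's standard ipaddress module.
from ipaddress import IPv4Network
from typing import List, Optional

# The three RFC 1918 private blocks, same as the list in step 1.
RFC1918 = [
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
]

# Assumption from the note above: AWS accepts VPC blocks between /16 and /28.
AWS_MIN_PREFIX, AWS_MAX_PREFIX = 16, 28


def overlaps_any(candidate: str, existing: List[str]) -> bool:
    """True if the candidate block shares any address with an existing network."""
    cand = IPv4Network(candidate)
    return any(cand.overlaps(IPv4Network(net)) for net in existing)


def free_rfc1918_blocks(existing: List[str]) -> List[str]:
    """RFC 1918 blocks not touched by any existing network (step 3)."""
    return [str(b) for b in RFC1918 if not overlaps_any(str(b), existing)]


def propose_vpc_cidr(existing: List[str], prefix: int = 16) -> Optional[str]:
    """First /prefix block inside free RFC 1918 space that AWS would accept."""
    if not AWS_MIN_PREFIX <= prefix <= AWS_MAX_PREFIX:
        raise ValueError(
            f"AWS VPC CIDR must be between /{AWS_MIN_PREFIX} and /{AWS_MAX_PREFIX}"
        )
    for block in RFC1918:
        # Every RFC 1918 block is /16 or larger, so splitting to /16..28 is valid.
        for sub in block.subnets(new_prefix=prefix):
            if not overlaps_any(str(sub), existing):
                return str(sub)
    return None  # all private space is already taken


if __name__ == "__main__":
    # Constructed input matching Question 2: corporate /8 plus satellite /16.
    taken = ["10.0.0.0/8", "192.168.0.0/16"]
    print("10.0.1.0/24 overlaps?", overlaps_any("10.0.1.0/24", taken))  # True
    print("free blocks:", free_rfc1918_blocks(taken))   # ['172.16.0.0/12']
    print("proposed VPC CIDR:", propose_vpc_cidr(taken))  # 172.16.0.0/16
```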
Question 3:
You plan on creating a subnet and want it to have at least capacity for 28 EC2 instances. What's the minimum size you need to have for your subnet?
Answer (3): The minimum size you need is a /26. While a /27 provides 32 total addresses, once AWS takes its 5 reserved IPs you are left with only 27 usable slots. Since you need 28, you must move up to the next binary step, which is a /26.
The Calculation
If you need 28 instances, your total IP requirement is:
- 28 (for your EC2 instances)
- + 5 (AWS reserved IPs)
- = 33 total IP addresses required
Now look at CIDR block sizes (which work in powers of 2) to find the smallest block that fits at least 33 addresses: a /27 holds 32 addresses, one short, so a /26 with 64 addresses is the smallest block that works.
Question 4:
Security Groups operate at the ................. level while NACLs operate at the ................. level.
Answer (1): Security Groups operate at the instance level while NACLs operate at the subnet level.
Question 5:
You have attached an Internet Gateway to your VPC, but your EC2 instances still don't have access to the internet. What is NOT a possible issue?
Answer (3): Security groups in AWS are stateful, meaning that if an outgoing request is allowed, the corresponding inbound response will also be allowed, making this option not applicable to your EC2 instances' internet access issue. Keep up the great work understanding security groups!
Question 6:
You would like to provide Internet access to your EC2 instances in private subnets with IPv4 while making sure this solution requires the least amount of administration and scales seamlessly. What should you use?
Answer (3): It is the best option for providing seamless internet access to your EC2 instances in private subnets while minimizing administrative overhead, as it automatically scales with your traffic demands. This choice aligns perfectly with your goal of efficient and hassle-free network management.
Why the other answers are wrong:
1. Egress-Only Internet Gateway (EOIGW)
- The Flaw: Egress-Only IGWs are strictly for IPv6 traffic.
- Why it fails here: Your question specifically asks for IPv4 access. IPv4 and IPv6 use entirely different protocols for "hiding" private instances. An EOIGW cannot translate IPv4 addresses.
2. NAT Instances
- The Flaw: These are DIY (Do-It-Yourself) virtual machines.
- Why it fails here:
  - High Administration: You are responsible for managing the EC2 instance, patching the OS, and configuring the NAT software (like iptables).
  - Poor Scaling: If your traffic exceeds the instance's bandwidth, you have to manually upgrade the instance size (vertical scaling) or set up a complex fleet (horizontal scaling). It does not scale "seamlessly" like a NAT Gateway does.
  - Single Point of Failure: Unless you set up a high-availability script, if that one instance crashes, your entire private subnet loses internet access.
Question 7:
VPC Peering has been enabled between VPC A and VPC B, and the route tables have been updated for VPC A. But, the EC2 instances cannot communicate. What is the likely issue?
Answer (2): In VPC Peering, both VPCs need updated route tables to allow communication between them; neglecting VPC B's route table can block traffic. This understanding highlights the importance of proper configuration in networking setups on AWS.
Question 8:
You have set up a Direct Connect connection between your corporate data center and your VPC A in your AWS account. You need to access VPC B in another AWS region from your corporate datacenter as well. What should you do?
Answer (3): It enables you to access multiple VPCs across different regions from your corporate data center, providing a seamless connection. This choice effectively aligns with the objective of optimizing network connectivity in multi-region architectures.
Question 9:
When using VPC Endpoints, what are the only two AWS services that have a Gateway Endpoint available?
Answer (3): These are the only AWS services that support a Gateway Endpoint, which allows private connections to your VPC without using public IPs. This understanding is crucial for efficiently managing secure connections in your AWS architecture.
Question 10:
AWS reserves 5 IP addresses each time you create a new subnet in a VPC. When you create a subnet with CIDR 10.0.0.0/24, the following IP addresses are reserved, EXCEPT ....................
Answer (4): AWS reserves the first four IP addresses (10.0.0.0 to 10.0.0.3) in a subnet for specific functions, meaning 10.0.0.4 is the first usable address and not reserved. This understanding is key when managing IP addresses within your VPC's subnets.
The Reserved List for 10.0.0.0/24
For this specific subnet, the reserved addresses are:
- 10.0.0.0: Network address.
- 10.0.0.1: Reserved by AWS for the VPC router.
- 10.0.0.2: Reserved by AWS for mapping to Amazon Provided DNS.
- 10.0.0.3: Reserved by AWS for future use.
- 10.0.0.255: Network broadcast address (AWS does not support broadcast, but it reserves this address anyway).
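The "5 reserved addresses" rule drives both the subnet-sizing calculation in Question 3 and the reserved list for 10.0.0.0/24 in Question 10. The following is an added example, not code from the original post: it names the reserved addresses of any subnet, counts what is left for instances, and finds the smallest subnet that fits a given number of instances (assuming AWS's /28 smallest and /16 largest subnet limits).

```python
# Added example (not from the original post): AWS reserved-address rule
# applied to a concrete subnet and to minimum subnet sizing.
from ipaddress import IPv4Network
from typing import Dict

AWS_RESERVED_PER_SUBNET = 5  # network, router, DNS, future use, broadcast
AWS_SMALLEST_SUBNET = 28     # assumption: AWS allows nothing smaller than /28
AWS_LARGEST_SUBNET = 16      # assumption: a subnet cannot exceed the /16 VPC max


def reserved_addresses(cidr: str) -> Dict[str, str]:
    """Map each address AWS reserves in the subnet to its role."""
    net = IPv4Network(cidr)
    return {
        str(net.network_address): "network address",
        str(net[1]): "VPC router",
        str(net[2]): "Amazon-provided DNS",
        str(net[3]): "reserved for future use",
        str(net.broadcast_address): "broadcast (unsupported, still reserved)",
    }


def usable_hosts(cidr: str) -> int:
    """Addresses left for instances after AWS takes its five."""
    return IPv4Network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def min_prefix_for(instances: int) -> int:
    """Largest prefix length (smallest subnet) that still fits `instances`."""
    needed = instances + AWS_RESERVED_PER_SUBNET
    # Walk from /28 toward larger blocks until 2^(32 - prefix) covers the need.
    for prefix in range(AWS_SMALLEST_SUBNET, AWS_LARGEST_SUBNET - 1, -1):
        if 2 ** (32 - prefix) >= needed:
            return prefix
    raise ValueError("too many instances for a single subnet (largest is /16)")


if __name__ == "__main__":
    # Constructed inputs matching Questions 3 and 10.
    for ip, role in reserved_addresses("10.0.0.0/24").items():
        print(f"{ip:12} {role}")
    print("usable in /27:", usable_hosts("10.0.0.0/27"))   # 27
    print("prefix for 28 instances: /", min_prefix_for(28))  # 26
```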
Question 11:
You have 3 VPCs A, B, and C. You want to establish a VPC Peering connection between all the 3 VPCs. What should you do?
Answer (2): VPC Peering does not support transitive relationships, so each VPC must be directly peered with every other VPC to enable communication. This understanding is crucial for establishing effective connections among multiple VPCs in your AWS environment.
Question 12:
How can you capture information about IP traffic inside your VPCs?
Answer (1): This feature allows you to capture and analyze IP traffic data for network interfaces in your VPC, which is essential for monitoring network activity and auditing connections. Understanding this capability aligns with your learning objective of effectively managing and securing your AWS network infrastructure.
Question 13:
If you want a 500 Mbps Direct Connect connection between your corporate datacenter and AWS, you would choose a .................. connection.
Answer (2): It supports connections specifically at 500 Mbps, making it the appropriate choice for establishing your desired Direct Connect connection to AWS. This understanding aligns well with your learning about optimizing network performance within your AWS architecture.
Question 14:
When you set up an AWS Site-to-Site VPN connection between your corporate on-premises datacenter and VPCs in AWS Cloud, what are the two major components you want to configure for this connection?
Answer (4): These are the essential components needed to establish a Site-to-Site VPN connection between your on-premises datacenter and the AWS Cloud. This understanding aligns with your goal of mastering AWS networking and ensuring secure communication between environments.
Question 15:
Your company has several on-premises sites across the USA. These sites are currently linked using private connections, but your private connections provider has recently been quite unstable, taking your IT architecture partially offline. You would like to create a backup connection that uses the public Internet to link your on-premises sites, which you can fail over to in case of issues with your provider. What do you recommend?
Answer (2): It allows you to establish secure communications between multiple on-premises sites over the public Internet using a hub-and-spoke model. This solution aligns perfectly with your objective of ensuring reliable backup connectivity for your environments during potential outages.
Question 16:
You need to set up a dedicated connection between your on-premises corporate datacenter and AWS Cloud. This connection must be private, consistent, and traffic must not travel through the Internet. Which AWS service should you use?
Answer (3): It provides a dedicated, private connection between your on-premises datacenter and AWS, ensuring consistent performance without passing through the public Internet. This aligns perfectly with your goal of establishing a reliable and secure network infrastructure.
Wrong Choices
1. AWS Site-to-Site VPN
Think of this as the "Fast and Affordable" alternative to Direct Connect. It creates an encrypted tunnel between your on-premises data center and your AWS VPC using the Public Internet.
2. AWS PrivateLink
PrivateLink is fundamentally different. It isn't a "network-to-network" connection; it is a "Service-to-Service" connection. It allows you to expose a specific service (like a database or a third-party API) to another VPC or on-premises network without ever using an Internet Gateway, NAT Gateway, or Peering.
4. Amazon EventBridge
EventBridge is often a "distractor" answer when you are asked about establishing a network connection. The reason EventBridge is not the answer for a "dedicated connection" or "private network link" is a matter of Layer and Purpose.
Question 17:
Using a Direct Connect connection, you can access both public and private AWS resources.
Answer (1): You can indeed access both public resources, like AWS S3 buckets, and private resources, such as EC2 instances in a Virtual Private Cloud (VPC). This understanding reinforces your knowledge of how to optimize secure connectivity to AWS resources.
Question 18:
You want to scale up the throughput of an AWS Site-to-Site VPN connection, established between your on-premises data center and the AWS Cloud, beyond a single IPsec tunnel's maximum limit of 1.25 Gbps. What should you do?
Answer (3): It allows you to scale multiple Site-to-Site VPN connections and aggregate traffic efficiently, overcoming the 1.25 Gbps limit of a single IPsec tunnel. This choice showcases your understanding of how Transit Gateway can enhance connectivity and performance in AWS networking.
Question 19:
You have a VPC in your AWS account that runs in dual-stack mode. You keep trying to launch an EC2 instance, but it fails. After further investigation, you have found that you no longer have IPv4 addresses available. What should you do?
Answer (3): You chose the appropriate solution to increase the number of available IPv4 addresses, allowing you to launch your EC2 instance successfully. This action directly addresses the issue of address depletion in your VPC while maintaining your current network configuration.
Question 20:
A web application backend is hosted on EC2 instances in private subnets fronted by an Application Load Balancer in public subnets. There is a requirement to give some of the developers access to the backend EC2 instances without exposing the backend EC2 instances to the Internet. You have created a bastion host EC2 instance in the public subnet and configured the backend EC2 instances' Security Group to allow traffic from the bastion host. Which of the following is the best configuration for the bastion host's Security Group to make it secure?
Answer (2): This choice ensures that SSH access to the bastion host is secure, allowing developers to manage backend EC2 instances without exposing them to the internet. This configuration supports your learning objective of implementing secure access to resources in AWS environments.
Question 21:
A company has set up a Direct Connect connection between their corporate data center and AWS. There is a requirement to prepare a cost-effective, secure backup connection in case there are issues with this Direct Connect connection. What is the most cost-effective and secure solution you recommend?
Answer (3): By selecting "Setup a Site-to-Site VPN connection as a backup," you chose a cost-effective solution that provides a secure alternative in case the primary Direct Connect connection fails. This approach ensures continuous connectivity while balancing security and cost, aligning well with the goal of maintaining reliable access to AWS resources.
Question 22:
Which AWS service allows you to protect and control traffic in your VPC from layer 3 to layer 7?
Answer (1): This is the service designed to protect and control traffic in your VPC across multiple layers, ensuring robust security for your cloud resources. This aligns with your learning objective of understanding traffic management and security within AWS environments.
Question 23:
A web application is hosted on a fleet of EC2 instances managed by an Auto Scaling Group. You are exposing this application through an Application Load Balancer. Both the EC2 instances and the ALB are deployed in a VPC with the CIDR 192.168.0.0/18. How do you configure the EC2 instances' security group to ensure only the ALB can access them on port 80?
Answer (3): By choosing "Add an Inbound Rule with port 80 and ALB's Security Group as the source," you ensured that only the Application Load Balancer can communicate with your EC2 instances, significantly enhancing your security posture. This aligns with your learning objective of understanding VPC traffic management and the importance of using security groups for precise access control.
To stay informed on the latest technical insights and tutorials, connect with me on Medium, LinkedIn, and Dev.to. For professional inquiries or technical discussions, please contact me via email. I welcome the opportunity to engage with fellow professionals and address any questions you may have. All blogs in this series will be optimized, fine-tuned, developed, and updated in a timely manner to reflect the latest AWS changes, exam updates, and real-world best practices.