About This Flashcard Deck
This flashcard deck contains 10 cards covering key Amazon VPC networking concepts for the SAA-C03 exam. Use active recall: attempt to answer each question before revealing the answer. Research shows that flashcard-based active recall is one of the most effective study techniques for certification exams.
All VPC Flashcards
Q: What is the difference between Security Groups and NACLs?
A: Security Groups are stateful (return traffic is automatically allowed), apply at the instance level, and support allow rules only. NACLs are stateless (return traffic must be explicitly allowed), apply at the subnet level, and support both allow and deny rules.
Q: How many IP addresses does AWS reserve in each subnet?
A: 5 IPs per subnet: the network address, the VPC router, the DNS server, one address reserved for future use, and the broadcast address.
Q: What is VPC Peering?
A: A networking connection between two VPCs. Non-transitive (A↔B, B↔C does not mean A↔C). Supports cross-region and cross-account.
Q: What is a NAT Gateway used for?
A: Allows instances in private subnets to access the internet (outbound) while preventing unsolicited inbound connections. Deployed in a public subnet.
Q: What is a VPC Endpoint?
A: Enables private connectivity to AWS services without traversing the internet. Two types: Gateway endpoints (S3, DynamoDB) and Interface endpoints (other services, via PrivateLink).
Q: What is AWS Transit Gateway?
A: A hub that connects multiple VPCs and on-premises networks through a single gateway. Supports transitive routing, unlike VPC peering.
Q: What is a bastion host?
A: An EC2 instance in a public subnet used to securely SSH/RDP into instances in private subnets.
Q: What is the maximum CIDR block size for a VPC?
A: /16 (65,536 IP addresses).
Q: What is AWS PrivateLink?
A: Provides private connectivity between VPCs and services, keeping traffic on the AWS network. Used with Interface VPC Endpoints.
Q: What are VPC Flow Logs?
A: A feature that captures information about IP traffic going to and from network interfaces in a VPC. Logs can be sent to CloudWatch Logs or S3.