{"id":493,"date":"2022-02-17T04:35:29","date_gmt":"2022-02-17T04:35:29","guid":{"rendered":"https:\/\/192.168.1.3\/wordpress\/?p=493"},"modified":"2025-02-10T06:09:02","modified_gmt":"2025-02-10T06:09:02","slug":"aws-solution-architect-associate-saac02-review-material-vpc","status":"publish","type":"post","link":"https:\/\/mylinuxsite.com\/wordpress\/?p=493","title":{"rendered":"AWS Solution Architect Associate (SAA-C02) Review Material &#8211; VPC"},"content":{"rendered":"\n<h4 class=\"wp-block-heading\">General<\/h4>\n\n\n\n<ul class=\"wp-block-list\"><li>Calculate the number of IPs in a CIDR block:<ul><li>x.x.x.x\/N &#8211; 2^(32 - N), e.g. 10.10.0.0\/31 = 2^1 = 2 IPs<\/li><\/ul><\/li><li><strong>Max VPCs is 5\/region<\/strong> (soft limit, i.e. you can ask AWS to increase it)<\/li><li><strong>Max 5 CIDRs\/VPC<\/strong><\/li><li><strong>Smallest CIDR block is \/28<\/strong><\/li><li><strong>Largest CIDR block is \/16<\/strong><\/li><li><strong>Subnets<\/strong>:<ul><li>AWS reserves 5 IPs (the first 4 and the last 1) from each subnet&#8217;s IP range<\/li><li>Associated with an AZ<\/li><li>Requires an <strong>Internet Gateway<\/strong> if you want to make it a public subnet<\/li><\/ul><\/li><li><strong>Internet Gateway<\/strong> <strong>(IGW)<\/strong>:<ul><li>Attached to only 1 VPC<\/li><li>Does not allow inbound traffic<\/li><li>The subnet must have a route pointing to the IGW for outbound traffic to work<\/li><\/ul><\/li><li><strong>Bastion Host\/NAT Instance\/NAT Gateway<\/strong><ul><li><strong>Bastion Host<\/strong><ul><li>Used to access private subnets from the internet<\/li><li>It&#8217;s just another EC2 instance running in the public subnet that is allowed to SSH to the EC2 instances in the private subnet<\/li><li>The SG of the instances in the private subnet must allow connections from this EC2 instance<\/li><\/ul><\/li><li><strong>NAT Instance<\/strong><ul><li>Used to access the internet from the private subnet<\/li><li>Another EC2 instance performing NAT<\/li><li>Must disable the Source\/Destination check<\/li><li>Must have an EIP attached<\/li><li>Must configure the route table of the private subnet to point to the NAT instance<\/li><li>Not HA<\/li><li>Sits behind an SG<\/li><\/ul><\/li><li><strong>NAT Gateway<\/strong><ul><li>Managed NAT<\/li><li><strong>Created in a specific AZ<\/strong>, so you must create one in every AZ in which you have EC2 instances.<\/li><li>No cross-AZ failover, but resilient within its AZ<\/li><li>2 connection types:<ul><li><strong>Public &#8211; must be associated with an EIP<\/strong><\/li><li><strong>Private<\/strong> &#8211; can be used to connect to other VPCs or on-prem<\/li><\/ul><\/li><\/ul><\/li><\/ul><\/li><li><strong>DNS Resolution Option<\/strong><ul><li>Enabled by default<\/li><li>Uses net_cidr_base+2 or 169.254.169.253 as the DNS server<\/li><li>If not enabled, a custom DNS (e.g. Route 53) can be used<\/li><\/ul><\/li><li><strong>DNS Host Name<\/strong><ol><li>Not enabled by default<\/li><li>If enabled, EC2 instances get a public DNS name.<\/li><li>If not enabled, the EFS alias cannot be resolved.<\/li><\/ol><\/li><li><strong>Network Access Control List (NACL)<\/strong><ul><li><strong>Stateless<\/strong>, i.e. <em>inbound<\/em> rules and <em>outbound<\/em> rules are independent of each other<\/li><li>Attached to a VPC<\/li><li>Custom NACLs default to deny everything.<\/li><li>Supports <strong>allow<\/strong> and <strong>deny<\/strong> rules<\/li><li>Rules are numbered and evaluated from lowest to highest.<\/li><li>Can be associated with more than 1 SG, but an <strong>SG can only have 1 NACL<\/strong><\/li><\/ul><\/li><li><strong>Security Group (SG)<\/strong><ul><li><strong>Stateful<\/strong>, i.e. the return traffic is automatically allowed (e.g. allow inbound port 22 and the return traffic is automatically allowed)<\/li><li>Attached to an ENI, so an EC2 instance with multiple interfaces can have multiple SGs.<\/li><li>Supports <strong>allow<\/strong> rules only, so everything is denied unless specifically allowed.<\/li><\/ul><\/li><li><strong>VPC Peering<\/strong><\/li><li><strong>Endpoints<\/strong><ul><li><strong>Interface Endpoints<\/strong><ul><li>An ENI with a private IP<\/li><li>Traffic sent through this ENI is routed to the destination service<\/li><\/ul><\/li><li><strong>Gateway Endpoints<\/strong><ul><li>Supports S3 and DynamoDB only<\/li><\/ul><\/li><\/ul><\/li><li><strong>Tenancy<\/strong>:<ol><li>Default<ul><li>Instances launched in this VPC use the tenancy attribute specified at launch<\/li><\/ul><\/li><li>Dedicated<ul><li>Ensures that instances launched in this VPC run as dedicated-tenancy instances regardless of the tenancy attribute specified at launch.<\/li><\/ul><\/li><\/ol><\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[11],"tags":[],"class_list":["post-493","post","type-post","status-publish","format-standard","hentry","category-aws-review-notes"],"_links":{"self":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=493"}],"version-history":[{"count":13,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/493\/revisions"}],"predecessor-version":[{"id":1465,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/493\/revisions\/1465"}],"wp:attachment":[{"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mylinuxsite.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}