Amazon VPC (Virtual Private Cloud) is a service that lets you launch AWS resources in a virtual network that you define. If you’re preparing for the AWS Certified SysOps Administrator – Associate (SOA-C02) exam, you must have comprehensive knowledge about configuring a VPC.
1. Subnets
Every VPC is partitioned into smaller networks called subnets. You can configure subnets according to your needs. For instance, while setting up a subnet, you need to specify a CIDR block for the subnet, which will determine the number of IP addresses available for the resources within it.
Setting up a subnet involves the following steps in the VPC Dashboard:
- Go to Subnets -> Create Subnet.
- Fill in the necessary details and save changes.
2. Route Tables
Route tables contain a set of rules, known as routes, that determine where network traffic is directed. Each subnet in your VPC must be associated with a route table; the table controls the traffic for that subnet.
To set up a route table:
- Navigate to Route Tables -> Create Route Table.
- Enter the necessary details and select your VPC.
- Once done, click ‘Create’.
3. Network ACLs
Network Access Control Lists (ACLs) work as a firewall controlling traffic in and out of a subnet. They contain a numbered list of rules that AWS processes in ascending order to determine whether traffic is allowed in or out.
To create a network ACL:
- Navigate to Network ACLs -> Create Network ACL.
- Input necessary information and link it to your VPC.
4. Security Groups
A security group works as a virtual firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic. Unlike network ACLs, security groups contain only allow rules; there is no explicit deny rule.
To create a security group, go to:
- Security Groups -> Create Security Group.
- Enter required details, associate it with your VPC, and specify the inbound and outbound rules.
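The two filtering layers described in sections 3 and 4, as an added Python example that is not part of the original tutorial or of any AWS code: a small model of a network ACL (numbered rules evaluated in ascending order, stateless) beside a security group (allow-only, stateful). The rules, the remote address 203.0.113.10 and the ephemeral port 40000 are constructed for the demo.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str              # remote address range the rule applies to
    action: str = "allow"  # network ACLs also have "deny"; security groups are allow-only
    number: int = 0        # network ACL rule number; unused for security groups

def matches(rule, proto, port, addr):
    return (rule.protocol in ("-1", proto)
            and rule.port_from <= port <= rule.port_to
            and ip_address(addr) in ip_network(rule.cidr))

def nacl_allows(rules, proto, port, addr):
    """Stateless: the first match in ascending rule number decides; no match is the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, port, addr):
            return rule.action == "allow"
    return False

class SecurityGroup:
    """Allow-only rules plus a flow table that models the stateful behaviour."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # (proto, remote addr, remote port) of allowed requests

    def allows_outbound(self, proto, port, addr):
        ok = any(matches(r, proto, port, addr) for r in self.outbound)
        if ok:
            self.flows.add((proto, addr, port))
        return ok

    def allows_inbound(self, proto, port, addr, remote_port=None):
        # A reply to a tracked outbound request passes without any inbound rule.
        if (proto, addr, remote_port) in self.flows:
            return True
        return any(matches(r, proto, port, addr) for r in self.inbound)

def demo(remote="203.0.113.10"):
    """Constructed scenario: outbound HTTPS to `remote`; the reply arrives on ephemeral port 40000."""
    https = Rule("tcp", 443, 443, "0.0.0.0/0", number=100)
    acl_out, acl_in = [https], [https]  # the inbound ACL has no ephemeral-port rule
    sg = SecurityGroup(inbound=[], outbound=[https])
    return {"acl_request": nacl_allows(acl_out, "tcp", 443, remote),
            "acl_reply": nacl_allows(acl_in, "tcp", 40000, remote),
            "sg_request": sg.allows_outbound("tcp", 443, remote),
            "sg_reply": sg.allows_inbound("tcp", 40000, remote, remote_port=443)}
```

Running demo() shows the practical difference: the ACL drops the reply on port 40000 until an inbound rule for the ephemeral range (1024-65535) is added, while the security group accepts it with no inbound rule at all.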
5. NAT Gateway
A NAT (Network Address Translation) gateway enables instances in a private subnet to connect to the internet but prevents the internet from initiating a connection with those instances. NAT gateways are required when you want to allow outbound internet access for your instances but don’t want connections initiated from the internet to reach them.
To set up a NAT gateway:
- Go to NAT Gateways -> Create NAT Gateway.
- Set up necessary details, including a public subnet where the NAT gateway should reside and an Elastic IP Address.
6. Internet Gateway
An internet gateway enables communication between resources in your VPC and the internet. Attaching an internet gateway to your VPC allows instances within it to reach the internet directly.
To create an internet gateway:
- Go to Internet Gateways -> Create Internet Gateway.
- Link the created gateway to your VPC.
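The public/private layout that sections 1, 2, 5 and 6 build by hand, as an added Python example (not the page's or AWS's own code): it carves subnets from a VPC CIDR, resolves routes by longest prefix as the VPC router does, and checks that the NAT gateway sits in a subnet whose default route goes to an internet gateway. The CIDRs and the igw-/nat- ids are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

AWS_RESERVED_PER_SUBNET = 5  # AWS reserves the first four and the last address of every subnet

def carve_subnets(vpc_cidr, new_prefix):
    """Split the VPC CIDR into equal subnets, mapped to their usable address count."""
    vpc = ip_network(vpc_cidr)
    return {str(s): s.num_addresses - AWS_RESERVED_PER_SUBNET
            for s in vpc.subnets(new_prefix=new_prefix)}

def next_hop(route_table, dst):
    """Longest-prefix match over {cidr: target}, as the VPC router does; None means no route."""
    dst, best = ip_address(dst), None
    for cidr, target in route_table.items():
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def build_vpc(vpc_cidr="10.0.0.0/16"):
    """Constructed topology: a public and a private subnet, one route table each,
    an internet gateway and a NAT gateway placed in the public subnet.
    The igw-/nat- ids are placeholders, not real resource ids."""
    local = {vpc_cidr: "local"}  # every route table carries the local route automatically
    public_rt = {**local, "0.0.0.0/0": "igw-PLACEHOLDER"}
    private_rt = {**local, "0.0.0.0/0": "nat-PLACEHOLDER"}
    return {"subnets": {"10.0.0.0/24": {"name": "public", "route_table": public_rt},
                        "10.0.1.0/24": {"name": "private", "route_table": private_rt}},
            "nat_gateway": {"id": "nat-PLACEHOLDER", "subnet": "10.0.0.0/24"}}

def path_for(vpc, src_subnet, dst):
    """Target the VPC router picks for a packet leaving src_subnet towards dst."""
    return next_hop(vpc["subnets"][src_subnet]["route_table"], dst)

def nat_has_internet_path(vpc):
    """A NAT gateway only works when its own subnet routes 0.0.0.0/0 to an internet
    gateway; placed in a private subnet it would have no way out itself."""
    hop = path_for(vpc, vpc["nat_gateway"]["subnet"], "203.0.113.10")
    return hop is not None and hop.startswith("igw-")
```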
In conclusion, understanding how to configure a VPC, which involves working with subnets, route tables, network ACLs, security groups, NAT gateway, and internet gateway, is a critical skill for anyone preparing for the AWS Certified SysOps Administrator – Associate (SOA-C02) exam. Along with theoretical knowledge, practical implementation of each element in a meaningful way is necessary to gain proficiency in VPC configuration.
Practice Test
True or False: Network ACLs in a VPC operate at the instance level.
- True
- False
Answer: False
Explanation: Network ACLs operate at the subnet level, not the instance level.
Which of the following AWS services can you not utilize when configuring a VPC?
- NAT gateway
- Internet gateway
- Route 53
- ELB
Answer: Route 53
Explanation: Route 53 is a domain name system (DNS) web service and is not involved in the process of configuring a VPC itself. The other services listed are important components of a VPC configuration.
True or False: Security Groups within a VPC are stateful.
- True
- False
Answer: True
Explanation: Security Groups in a VPC are stateful, meaning that if you send a request from your instance, the response traffic for that request is allowed to return, regardless of outbound security group rules.
In a VPC configuration, what does NAT stand for and what is its function?
- Network Access Technology; allows public facing instances to access the internet
- Network Address Translation; enables private subnet instances to access the internet
- Network Allocation Table; manages IP addresses within a subnet
- None of the above
Answer: Network Address Translation; enables private subnet instances to access the internet
Explanation: NAT stands for Network Address Translation. A NAT gateway enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.
True or False: In AWS, multiple route tables can be associated with a single subnet.
- True
- False
Answer: False
Explanation: In AWS, a subnet can only be associated with one route table at a time.
Which of the following cannot be included when configuring a VPC?
- Internet gateway
- Private IP addresses for instances in the subnet
- VPC size
- S3 bucket
Answer: S3 bucket
Explanation: S3 buckets are not included directly in the configuration of a VPC. They are accessed via endpoints within a VPC.
True or False: VPC is a component of AWS responsible for providing cloud infrastructure.
- True
- False
Answer: False
Explanation: VPC, or Virtual Private Cloud, is a virtual network dedicated to your AWS account. It is not a service that provides cloud infrastructure itself.
You can use Network ACLs to control traffic at which level?
- The instance level
- The subnet level
- The VPC level
- All of the above
Answer: The subnet level
Explanation: Network Access Control Lists (ACLs) control traffic in and out of a subnet, not an instance or the entire VPC.
True or False: Each subnet within a VPC must be linked to a different route table.
- True
- False
Answer: False
Explanation: Different subnets within a VPC can share the same route table.
Which service is necessary to allow your private subnet instances in a VPC to have outbound access to the Internet?
- NAT Gateway
- Security Group
- Internet Gateway
- AWS WAF
Answer: NAT Gateway
Explanation: A NAT gateway enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.
Interview Questions
What is a VPC in AWS?
VPC, or Virtual Private Cloud, is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud, allowing you to launch AWS resources into a virtual network that you’ve defined.
What is the role of subnets in VPC?
Subnets enable you to segment the IP address range of your VPC into multiple smaller blocks. Each subnet must be associated with a route table, which controls the traffic flow between subnets. You can use subnets to separate resources by security or operational needs.
How does a Route Table work in AWS VPC?
A Route Table contains a set of rules, called routes, that determine where network traffic is directed. Each subnet in your VPC must be associated with a route table and the route table controls the traffic in and out of that subnet.
What are Network Access Control Lists (NACLs)?
A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall at the subnet level. It lists rules which dictate the traffic that is allowed to reach the interfaces located in the associated subnet.
What is the role of a Security Group in a VPC?
Security groups act as a firewall at the instance level, controlling both inbound and outbound traffic for the associated instance. You can add rules to each security group to allow traffic from specific IP addresses and protocols.
Describe a NAT Gateway in AWS VPC.
A NAT Gateway enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. This is commonly used to allow private instances to download patches or updates for installed software.
What is an Internet Gateway in AWS VPC?
An Internet Gateway is a horizontally scalable, redundant, and highly available VPC component that allows communication between your VPC and the internet.
Can we change the size of a VPC after creation?
No, the size of a VPC, in terms of its IP address range, cannot be changed after it has been created. To use more IP addresses, you should plan to create a VPC with a larger CIDR block.
How many route tables can be associated with a subnet?
Each subnet in your VPC must be associated with a route table, and by default, a subnet can be associated with only one route table at a time. However, you can change the association to link a subnet with a different route table.
Can Security Groups and Network ACLs be employed together?
Yes, in fact, it is a best practice to use both to add an additional layer of security to your AWS resources. While Security Groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic, Network ACLs act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level.
What are stateless and stateful rules in Network ACLs?
Network Access Control Lists are stateless, which means that responses to allowed inbound traffic are still subject to rule evaluation in the other direction. Security Groups are stateful: if you send a request from your instance, the response traffic for that request is automatically allowed to flow in regardless of inbound security group rules.
What is the purpose of a VPC peering connection?
VPC Peering allows you to connect one VPC with another through a direct network route using private IP addresses. Instances in these VPCs can communicate with each other as if they are within the same network.
If a VPC is deleted, what happens to the instances that were running in the VPC?
If a VPC is deleted, all the Amazon EC2 instances that were running in the VPC are also deleted.
What kind of traffic is allowed by default in a new AWS VPC?
By default, AWS allows all outbound traffic and disallows all inbound traffic when a new VPC is created. This is controlled by Security Groups and Network ACLs.
How many VPCs and subnets can be created in an AWS account?
By default, you can create up to 5 VPCs per region per AWS account and up to 200 subnets per VPC. However, these limits can be increased upon request to AWS.