Practice Test

True/False: A Network Access Control List (NACL) in AWS VPC operates at the subnet level.

  • True
  • False

Answer: True

Explanation: Network Access Control Lists (NACLs) are stateless; they operate at the subnet level and evaluate traffic entering or exiting a subnet.

Which of the following cannot be used to control traffic in a VPC?

  • Security groups
  • Network ACLs
  • IAM roles
  • Subnet masks

Answer: IAM roles

Explanation: While security groups, network ACLs and subnet masks are all used for controlling traffic within a VPC, IAM roles are used for managing user permissions and do not directly control traffic.

True/False: In AWS VPC, Security Groups are stateful, while Network ACLs are stateless.

  • True
  • False

Answer: True

Explanation: In AWS, Security Groups are stateful, meaning if you send a request from your instance, the response traffic for that request is automatically allowed back in, irrespective of inbound security rules. Network ACLs, however, are stateless, meaning they do not keep track of connection states.

Can a security group be associated with multiple EC2 instances within a VPC?

  • Yes
  • No

Answer: Yes

Explanation: In Amazon VPC, a security group can be associated with multiple instances, providing a convenient way to manage traffic rules for similar instances.

In AWS VPC, does a security group act at the instance level or the subnet level?

  • Instance Level
  • Subnet Level

Answer: Instance Level

Explanation: Security groups in an AWS VPC operate at the instance level, not the subnet level. This provides a high level of control over inbound and outbound traffic.

True/False: By default, an Amazon VPC blocks all inbound traffic and allows all outbound traffic.

  • True
  • False

Answer: False

Explanation: By default, a VPC allows all outbound traffic but blocks all inbound traffic that hasn’t been specifically allowed.

How many security groups can you assign to an EC2 instance in a VPC?

  • One
  • Up to 5
  • Up to 50

Answer: Up to 5

Explanation: In a VPC, you can assign up to 5 security groups to an EC2 instance.

True/False: A VPC automatically comes with a default NACL that allows all inbound and outbound IPv4 traffic.

  • True
  • False

Answer: True

Explanation: When you create a new VPC, it automatically comes with a default NACL that allows all inbound and outbound IPv4 traffic.

Can inbound and outbound rules in a VPC security group be set independently of each other?

  • Yes
  • No

Answer: Yes

Explanation: Inbound and outbound rules in a VPC security group can be managed separately, allowing granular control over access and security.

What is the effect of deleting a VPC’s default network ACL?

  • The VPC becomes inaccessible
  • The VPC reverts to its previous state
  • No effect, since a VPC’s default NACL cannot be deleted

Answer: No effect, since a VPC’s default NACL cannot be deleted

Explanation: A VPC’s default network ACL cannot be deleted, therefore deleting it would have no effect.

True/False: A custom network ACL by default denies all inbound and outbound traffic until you add rules.

  • True
  • False

Answer: True

Explanation: A custom network ACL that you create blocks all inbound and outbound traffic until you add inbound and outbound rules.

Interview Questions

What is a VPC in AWS?

A VPC (Virtual Private Cloud) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud, providing you with a private section of the AWS cloud where you can launch AWS resources in a virtual network that you define.

What are Network ACLs in Amazon VPC?

Network Access Control Lists (ACLs) are a firewall for controlling traffic in and out of a VPC subnet. They provide a rule-based tool for inbound and outbound traffic at the protocol and subnet level.

Can you modify the default network ACL?

Yes, you can modify the default network ACL. However, unlike a custom network ACL, it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic by default.

What is the primary function of AWS Security Groups within a VPC?

Security Groups act as a virtual firewall for your instance to control the inbound and outbound traffic. When you launch an instance, you can associate one or more security groups with the instance.

How many Security Groups can you assign to an EC2 instance?

You can assign up to 5 security groups to an EC2 instance.

Can Network ACLs and Security Groups control both inbound and outbound traffic?

Yes, both Network ACLs and Security Groups are designed to control inbound (ingress) and outbound (egress) traffic.

Are Network ACLs stateful or stateless, and why does that matter?

Network ACLs are stateless, meaning they do not keep track of the state of a network connection. Each packet that flows through the network ACL is evaluated against all rules in the ACL separately, without regard to any other packet.

Are Security Groups in AWS stateful or stateless?

Security Groups in AWS are stateful, meaning if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.

Can you specify the range of IP addresses for a VPC and its subnets?

Yes, when you create a VPC, you must specify an IPv4 CIDR block (a range of private IPv4 addresses). You can then add one or multiple subnets within this IP address range.

What is the main difference between a Network ACL and a Security Group in a VPC?

The main difference is that Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet. In contrast, Security Groups operate at the instance level and evaluate traffic for a particular EC2 instance.

What are the components of a Security Group rule in a VPC?

A rule in a security group includes the following components: Protocol type (TCP, UDP, ICMP), Port range, and Source or Destination, which can be a CIDR block or a Security Group.

Who can access resources that I have shared in a subnet that has an associated Network ACL that allows all inbound traffic?

All resources that are connected to that subnet can access the shared resources, provided their associated security groups also allow the necessary outbound traffic.

Can changes made to a Network ACL or Security Group take effect immediately?

Yes, changes made to a Network ACL or Security Group rules are automatically applied to all instances associated with it, and the changes take effect immediately.

Is there a limit on the number of rules that you can add to a Network ACL in AWS VPC?

Yes, by default AWS allows you to create up to 20 inbound and 20 outbound rules per Network ACL.

What are the default rules for a new security group in AWS VPC?

By default, a new security group includes an outbound rule that allows all outbound traffic, and does not include inbound rules. This means that no inbound traffic originating from another host is allowed unless you add inbound rules to the security group.
