
AWS Solution Architect—Associate Level

Lesson 4: Amazon Virtual Private Cloud (VPC)


What You’ll Learn

Virtual Private Cloud

Public, Private, and Elastic IP addresses

Public and Private Subnets

Internet Gateway

Route Tables

NAT Gateway

Security Groups

Network ACLs

VPC Best Practices


Amazon VPC Overview
Overview of Virtual Private Cloud Concepts
Amazon VPC Terminology
The following are the terms that are used in VPCs:

VPC subnet

Route Table

Elastic IPs

Internet Gateway

VPC NAT Gateway

Network ACLs

Security Group
Amazon VPC Definition

Amazon’s definition of a VPC:


“Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual
network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data
center, with the benefits of using the scalable infrastructure of AWS.”
Amazon VPC Diagram
A VPC is your own virtual network in the Amazon cloud used as the network layer for your EC2 resources.

[Diagram: a default VPC (172.31.0.0/16) in one Region with Default Subnet 1 (172.31.0.0/20) in Availability Zone A and Default Subnet 2 (172.31.16.0/20) in Availability Zone B; each subnet holds an EC2 instance with a private address (172.31.0.5, 172.31.16.5) and a public address (203.0.113.17, 203.0.113.23); a router connects the subnets to an Internet Gateway; Main Route Table: 172.31.0.0/16 → local, 0.0.0.0/0 → igw-id]
Amazon VPC is a component of which AWS service?

a. Compute

b. Analytics

c. Networking

d. Databases

Answer: c. Amazon VPC is a component of the Networking service.


Amazon VPC allows you to _____.

a. control the IP addresses used in your local data center

b. launch resources into a virtual network that you've defined

c. create physical networks wherever you want

d. associate Security Groups with your IAM users

Answer: b. Amazon Virtual Private Cloud (Amazon VPC) allows you to launch Amazon Web Services (AWS)
resources into a virtual network that you've defined.
Amazon VPC
Using Virtual Private Clouds in AWS
Default Amazon VPC

Each Amazon account comes with a default VPC that is preconfigured for you to start using straight away.

[Diagram: a preconfigured Virtual Private Cloud spanning Availability Zone 1 and Availability Zone 2 within a Region]
Default Amazon VPC (contd.)
The CIDR (Classless Inter-Domain Routing) block for a default VPC is always a /16 netmask, for example,
172.31.0.0/16.

[Diagram: the default VPC 172.31.0.0/16 (65,536 private IP addresses) with Default Subnet 1 (172.31.0.0/20) in Availability Zone A and Default Subnet 2 (172.31.16.0/20) in Availability Zone B; each subnet holds an EC2 instance with a private address (172.31.0.5, 172.31.16.5) and a public address (203.0.113.17, 203.0.113.23); a router and an Internet Gateway; Main Route Table: 172.31.0.0/16 → local, 0.0.0.0/0 → igw-id]
Custom VPC
The default VPC is great for launching new instances when you are testing AWS, but creating a custom VPC
allows you to secure your resources.

[Diagram: a custom VPC 10.0.0.0/16 in one Region; a public subnet in Availability Zone A holds web servers 10.0.0.5, 10.0.0.6 and 10.0.0.7 with Elastic IPs 198.51.100.1, 198.51.100.2 and 198.51.100.3 behind a router and an Internet Gateway (route table: local and 0.0.0.0/0 → igw-id); a VPN-only subnet in Availability Zone B holds database servers reached through a Virtual Private Gateway (VGW) and a VPN connection to a Customer Gateway on the customer network]
Hardware VPN Access
Connect your VPCs to your existing data center using Hardware VPN Access so you can extend your data
center into the cloud and create a hybrid environment.

[Diagram: a VPC spanning two Availability Zones, with a router and a Virtual Private Gateway; VPN connections run from the Virtual Private Gateway to Customer Gateways on customer networks in Los Angeles, Chicago, New York and Miami]
VPC Peering
VPC Peering - A peering connection allows you to route traffic between two VPCs using the private IP addresses
so EC2 instances in either network can communicate directly with each other.

[Diagram: VPC A (192.16.0.0/16) with peering connections to VPC B (10.0.0.0/16) and VPC C (192.168.0.0/16)]
Default VPC Deletion
If you delete the default VPC, you have to contact AWS Support to get it restored.

[Diagram: the default VPC 172.31.0.0/16 with Default Subnet 1 (172.31.0.0/20) in Availability Zone A and Default Subnet 2 (172.31.16.0/20) in Availability Zone B, each holding an EC2 instance with a private and a public address, a router, an Internet Gateway, and the Main Route Table: 172.31.0.0/16 → local, 0.0.0.0/0 → igw-id]
Demo 1: Creating a custom VPC
Demonstrate how to create a custom VPC.
What is attached to the default VPC?

a. Availability Zone

b. VPC Peering Connection

c. Internet Gateway

d. None of the above

Answer: c. The default VPC has an IGW attached, meaning that each subnet is public or has Internet access. Any
EC2 instance launched into the default VPC will have both a public and a private IP address attached.
Why would you create a custom VPC?

a. To customize the VPC to your own configuration

b. To save money

c. To avoid AWS from having access to your EC2 instances

d. To make allowances for cases where you delete the default VPC

Answer: a. Creating a custom VPC allows you to customize your virtual network by defining your own IP address
range, creating subnets that are both private and public, and strengthening your security settings.
IP Addresses
Using IP Addresses in Amazon VPC
Private IP Addresses
A private IP address is not reachable over the Internet.
It is used for communication between instances in the same network. When you launch a new instance, it is
given a private IP address and an internal DNS host name that resolves to the private IP address of the
instance.

[Diagram: two instances, 10.0.0.1 and 10.0.0.2, communicating over their private addresses]
Public IP Addresses
A public IP address is reachable from the Internet. You can use public IP addresses for communication between
your instances and the Internet.

[Diagram: instances 10.0.0.1 and 10.0.0.2 reaching the Internet through the public address 74.85.2.2]
Elastic IP Addresses
An Elastic IP address is a static, persistent public IP address that is allocated to your account and can be
associated with and disassociated from your instances as required.

[Diagram: the Elastic IP 74.85.2.2 moved between instances 10.0.0.1 and 10.0.0.2]
Demo 2: Creating an Elastic IP Address
Demonstrate how to create an Elastic IP Address.
When is an Elastic IP address released from your account?

a. When the EC2 instance it is attached to is restarted

b. When the EC2 instance it is attached to is terminated

c. Until you choose to release it

d. Until you delete the default VPC

Answer: c. It remains in your account until you choose to release it; until then it can be associated with and
disassociated from your instances as required.
Subnets
Using subnets in Amazon VPC
Subnet Definition

Amazon’s definition of a Subnet:


“A range of IP addresses in your VPC; you can launch AWS resources into a subnet that you select. Use a public subnet for
resources that must be connected to the Internet and a private subnet for resources that won't be connected to the Internet.”

[Diagram: two subnets, 172.31.0.0/20 and 172.31.16.0/20]
Subnet Diagram
A VPC can span multiple Availability Zones, but a subnet is always mapped to a single Availability Zone.
[Diagram: a Virtual Private Cloud 192.168.0.0/16 in one Region spanning Availability Zone 1 and Availability Zone 2, with VPC Subnet 1 (192.168.0.x) and VPC Subnet 2 (192.168.254.x) each mapped to a single Availability Zone, a Load Balancer, Amazon Route 53, a VPN Gateway and an Internet Gateway]
Public and Private Subnets

Public subnets are used for resources that need to be connected to the Internet. Private subnets are used for
resources that don't need an Internet connection or that you want to protect from the Internet.

[Diagram: a Virtual Private Cloud in one Region with a public subnet connected to the Internet and a private subnet that is not, each in its own Availability Zone]
Demo 3: Creating Subnets
Demonstrate how to create a public and private subnet.
A subnet can _____.

a. span multiple Availability Zones

b. span multiple Regions

c. provide up to 65,536 private IP addresses by default

d. only be mapped to one Availability Zone

Answer: d. A subnet can only be mapped to one Availability Zone, and the default subnet is always /20, which
provides up to 4,096 addresses per subnet, a few of which are reserved for AWS use.
Internet Gateways
Using Internet Gateways in Amazon VPC
Internet Gateway Definition

Amazon’s definition of an Internet Gateway:


“An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication
between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your
network traffic.”

Internet Gateway Diagram
To allow your VPC the ability to connect to the Internet, you need to attach an Internet Gateway.

[Diagram: a Virtual Private Cloud in one Region with a public subnet and a private subnet in separate Availability Zones; the Internet gateway connects the VPC to the Internet]
Internet Gateway Requirements

1. An Internet gateway must be attached to your VPC.

2. All instances in your subnet must have either a public IP address or an Elastic IP address.

3. Your subnet's route table must point to the Internet gateway.

4. All network access control and security group rules must be configured to allow the required traffic to
and from your instance.
Demo 4: Creating Internet Gateways
Demonstrate how to create an Internet Gateway.
An Internet Gateway allows _____.

a. Internet access to your VPC as soon as you attach it

b. communication between instances in your VPC and the Internet

c. high bandwidth constraints on your network traffic

d. you to attach one Internet Gateway per subnet

Answer: b. An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows
communication between instances in your VPC and the Internet. It therefore imposes no availability
risks or bandwidth constraints on your network traffic. Once attached to your VPC, there are several
other steps that must be met before Internet access is available.
Route Tables
Using Route Tables in Amazon VPC
Route Table Overview

Amazon’s definition of a route table:


“A route table contains a set of rules, called routes, which are used to determine where network traffic is
directed. Each subnet in your VPC must be associated with a route table; the table controls the routing for
the subnet. A subnet can only be associated with one route table at a time, but you can associate multiple
subnets with the same route table.”
Internet Gateway Diagram
Every VPC has a default route table. It is best to leave it in its original state and create a new route table to
customize the network traffic routes.

[Diagram: a Virtual Private Cloud 10.0.0.0/16 in one Region with two subnets in separate Availability Zones; one subnet uses a Custom Route Table (0.0.0.0/0 → Internet Gateway) and the other the Main Route Table (10.0.0.0/16 → local); both sit behind the router and the Internet Gateway]
Demo 5: Creating Route Tables
Demonstrate how to create a custom route table.
Which of the following is NOT true about route tables?

a. A route table contains a set of rules, called routes, which are used to determine where
network traffic is directed.

b. Multiple subnets can be associated with the same route table.

c. It is recommended to only use the default route table.

d. Each subnet in your VPC must be associated with a route table.

Answer: c. Every VPC has a default route table. It is good practice to leave this in its original state and create a new
route table to customize the network traffic routes.
NAT Devices
Using NAT devices in Amazon VPC
NAT Devices Overview
You can use a Network Address Translation (NAT) device to enable instances in a private subnet to connect to
the Internet or other AWS services, while preventing the Internet from initiating connections with those instances.

[Diagram: traffic from a private subnet leaves through the NAT device to the Internet; connections initiated from the Internet toward the private subnet are blocked]
NAT Devices Overview (contd.)
You can connect your private subnet database to other AWS resources if you use a NAT device.

[Diagram: a Virtual Private Cloud in one Region with two private subnets in separate Availability Zones; a NAT device with a custom route table gives the database subnet a path through the router and the Internet Gateway, while the other subnet uses the main route table]
NAT Gateway versus NAT Device
AWS provides two kinds of NAT devices: a NAT gateway or a NAT instance.

[Diagram: the two NAT options in the AWS cloud, a NAT Gateway and a NAT instance]
NAT Gateway
A NAT Gateway must be launched into a public subnet.

[Diagram: a NAT Gateway in the public subnet serving a private subnet; Private Subnet Route Table: 0.0.0.0/0 → NAT Gateway]
Demo 6: Creating a NAT Gateway
Demonstrate how to create a NAT Gateway.
Why does AWS recommend using a NAT Gateway?

a. It's a managed service.

b. It provides better availability and bandwidth than NAT instances.

c. It provides redundancy in the AZ where it is created.

d. All of the above are correct.

Answer: d. AWS recommends a NAT Gateway as it is a managed service that provides better availability and
bandwidth than NAT instances. Each NAT gateway is created in a specific Availability Zone and
implemented with redundancy in that zone.
What does a NAT Gateway require to function properly?

a. To be launched in a private subnet and have an Elastic IP address

b. To be launched in a public subnet and have an Elastic IP address

c. To be launched in a private subnet and have a private IP address

d. To be launched in a public subnet and have a private IP address

Answer: b. A NAT Gateway must be launched into a public subnet and have an Elastic IP address, as it needs
Internet connectivity.
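The route-table and NAT-gateway slides above describe how the router picks a route and why a private subnet's 0.0.0.0/0 route points at a NAT Gateway while a public subnet's points at the Internet Gateway. The following added example (not code from the lesson) models that lookup: longest-prefix matching over the three route tables from the diagrams, plus the "public IP required" rule for IGW routes. The gateway ids igw-0abc1234 and nat-0def5678 are placeholders.

```python
import ipaddress

# Route tables modelled on the lesson's diagrams. The gateway ids are
# placeholders in AWS's id format, not real resources.
MAIN_ROUTE_TABLE = [("10.0.0.0/16", "local")]                                   # as created: local only
PUBLIC_ROUTE_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0abc1234")]
PRIVATE_ROUTE_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0def5678")]


def resolve_route(route_table, destination):
    """Choose a route the way the VPC router does: the most specific matching
    prefix wins. The VPC's own 'local' /16 therefore always beats 0.0.0.0/0,
    so adding an Internet route never diverts traffic between your subnets.
    Returns the target, or None when no route covers the destination."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table):
    """A subnet is public when its route table sends traffic to an Internet Gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


def classify_egress(route_table, has_public_ip, destination):
    """Describe where a packet from an instance in this subnet ends up.
    has_public_ip: the instance carries a public or Elastic IP address."""
    target = resolve_route(route_table, destination)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return "local: delivered inside the VPC"
    if target.startswith("igw-"):
        # An IGW only forwards for instances that own a public or Elastic IP
        # (lesson requirement 2); a private-only instance is stranded here.
        if has_public_ip:
            return "internet via " + target
        return "dropped: IGW route but instance has no public IP"
    if target.startswith("nat-"):
        # The NAT Gateway, itself in a public subnet with an Elastic IP,
        # sources the traffic, so the instance needs no public address.
        return "internet via " + target
    return "forwarded to " + target


if __name__ == "__main__":
    for name, table, has_pub in [("main", MAIN_ROUTE_TABLE, True),
                                 ("public", PUBLIC_ROUTE_TABLE, True),
                                 ("private", PRIVATE_ROUTE_TABLE, False)]:
        print(name, "public subnet:", is_public_subnet(table))
        print("  to 10.0.2.25     ->", classify_egress(table, has_pub, "10.0.2.25"))
        print("  to 203.0.113.17  ->", classify_egress(table, has_pub, "203.0.113.17"))
```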
Security Groups
Using Security Groups in Amazon VPC
Security Groups Overview

Amazon’s definition of a Security Group:

“A security group acts as a virtual firewall that controls the traffic for one or more instances. You
add rules to each security group that allow traffic to or from its associated instances.”
Security Group Diagram
Security Groups control what can and what cannot access the instances that reside in the VPC.

[Diagram: a Virtual Private Cloud in one Region with two private subnets in separate Availability Zones, a NAT device with a custom route table, the main route table, the router and the Internet Gateway; Security Groups are attached to the instances inside the subnets]
Security Groups for Webservers
Let’s take a look at some examples:
The webserver needs to receive traffic from the Internet on HTTP and HTTPS ports.

[Diagram: a web server security group that allows HTTP and HTTPS inbound and blocks all other traffic]
Security Groups for Database Servers
Let’s take a look at a database server security group.

[Diagram: a database server security group that allows SQL Server and RDP inbound and blocks all other traffic]
Security Groups Rules

By default, security groups allow all outbound traffic.

Security group rules are always permissive.

Security groups are stateful.

You can modify the rules of a security group at any time and the rules are applied immediately.
Demo 7: Creating a Security Group
Demonstrate how to create a Security Group.
Which of the following statements about Security Groups is NOT true?

a. Security group rules are always permissive.

b. Security groups are stateless.

c. Security group rules can be modified at any time.

d. Security Group rules are applied immediately.

Answer: b. Security groups are stateful—for any request that comes from your instance, the response traffic for that
request is automatically allowed to flow in regardless of what inbound security group rules have been
configured.
Network ACL
Using Network ACLs in Amazon VPC
Network ACL Overview

Amazon’s definition of a Network ACL:


“A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in
and out of one or more subnets.

You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your
VPC.”
Network ACL Overview (contd.)
A Network ACL is placed between the route table and the Subnet.

[Diagram: a Virtual Private Cloud in one Region; a public subnet with a NAT device behind the Custom Route Table and a VPC subnet behind the Main Route Table, each in its own Availability Zone and each fronted by a Network ACL that sits between the route table and the subnet; the router and the Internet Gateway are in front]
Network ACL Overview (contd.)
The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it
is associated.

[Diagram: a VPC 10.0.0.0/16 with two subnets (10.0.0.0/24), each holding instances protected by Security Groups, a Network ACL and a Routing Table, behind the router, the Virtual Private Gateway and the Internet Gateway]

Default network ACL, inbound rules:

Rule #   Type          Protocol   Port Range   Source        Allow/Deny
100      All traffic   All        All          0.0.0.0/0     ALLOW
*        All traffic   All        All          0.0.0.0/0     DENY

Default network ACL, outbound rules:

Rule #   Type          Protocol   Port Range   Destination   Allow/Deny
100      All traffic   All        All          0.0.0.0/0     ALLOW
*        All traffic   All        All          0.0.0.0/0     DENY
Network ACL Rules

Each subnet in your VPC must be associated with an ACL.

A subnet can only be associated with one ACL. However, an ACL can be associated with
multiple subnets.

An ACL contains a list of numbered rules which are evaluated in order, starting with
the lowest.

ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound
traffic.
Demo 8: Network ACL Overview
Demonstrate where to look for Network ACL settings.
Which of the following statements about Network ACLs is NOT true?

a. Each subnet in your VPC must be associated with an ACL.

b. A subnet can only be associated with one ACL; however, an ACL can be associated with
multiple subnets.

c. An ACL contains a list of numbered rules which are evaluated in order, starting with the
highest.

d. ACLs are stateless.

Answer: c. An ACL contains a list of numbered rules which are evaluated in order, starting with the lowest.
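The security group and network ACL slides above make three claims that are easy to state and easy to get wrong in practice: security groups are stateful and allow-only, network ACLs are stateless, and ACL rules are evaluated lowest number first with an implicit deny at the end. The added example below (written for this page, not code from the lesson or from AWS) models both filters and runs the lesson's web server rules and default ACL through an HTTPS request and its reply, including the classic failure where a tightened ACL forgets the ephemeral-port return path. All packets, rule sets and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Everything below is constructed for this example; the addresses come from
# the documentation ranges the lesson uses, not from real hosts.

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Rule:
    proto: str             # "all" or a protocol such as "tcp"
    ports: tuple           # (low, high); ignored when proto == "all"
    cidr: str              # peer CIDR: source for inbound, destination for outbound
    action: str = "allow"  # network ACLs may also "deny"; security groups only allow
    number: int = 0        # evaluation order, network ACLs only

    def matches(self, peer_ip, proto, port):
        if ipaddress.ip_address(peer_ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.proto == "all" or (proto == self.proto and
                                       self.ports[0] <= port <= self.ports[1])

class NetworkAcl:
    """Stateless: each packet (replies included) is checked against the rules
    for its own direction, lowest number first; the first match decides, and
    the implicit '*' rule denies whatever is left."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, direction, pkt):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        for rule in rules:
            if rule.matches(peer, pkt.proto, pkt.dst_port):
                return rule.action == "allow"
        return False

class SecurityGroup:
    """Stateful: inbound rules are allow-only, all outbound is allowed by default,
    and the reply to a permitted flow passes whatever the opposite rules say."""
    def __init__(self, inbound):
        self.inbound = inbound
        self._flows = set()   # 5-tuples of connections already permitted

    def allows(self, direction, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto) in self._flows:
            return True       # reply to a tracked flow
        ok = direction == "out" or any(
            r.matches(pkt.src_ip, pkt.proto, pkt.dst_port) for r in self.inbound)
        if ok:
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return ok

ALLOW_ALL = Rule("all", (0, 0), "0.0.0.0/0", "allow", 100)        # the lesson's default ACL rule
HTTPS_IN = Rule("tcp", (443, 443), "0.0.0.0/0", "allow", 100)
EPHEMERAL_OUT = Rule("tcp", (1024, 65535), "0.0.0.0/0", "allow", 110)
DENY_BAD_NET = Rule("all", (0, 0), "198.51.100.0/24", "deny", 90)   # constructed blocklist entry
DEFAULT_ACL = NetworkAcl([ALLOW_ALL], [ALLOW_ALL])
# Allowing only 443 each way breaks HTTPS: the reply goes to the client's
# ephemeral port, and a stateless ACL evaluates that reply on its own.
HTTPS_ONLY_ACL = NetworkAcl([HTTPS_IN], [HTTPS_IN])
FIXED_ACL = NetworkAcl([HTTPS_IN], [HTTPS_IN, EPHEMERAL_OUT])
# Blocklisting: the deny must carry a LOWER number than the allow-all rule,
# otherwise rule 100 matches first and the deny never runs.
BLOCKLIST_ACL = NetworkAcl([DENY_BAD_NET, ALLOW_ALL], [ALLOW_ALL])

def web_server_sg():
    """The lesson's web server group: HTTP and HTTPS from anywhere, nothing else."""
    return SecurityGroup([Rule("tcp", (80, 80), "0.0.0.0/0"), Rule("tcp", (443, 443), "0.0.0.0/0")])

def https_round_trip(acl, client_ip="203.0.113.17"):
    """One HTTPS request and its reply through the subnet ACL and the instance SG.
    Returns (request_allowed, reply_allowed)."""
    sg = web_server_sg()
    request = Packet(client_ip, 51000, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, client_ip, 51000)
    request_ok = acl.allows("in", request) and sg.allows("in", request)
    reply_ok = request_ok and sg.allows("out", reply) and acl.allows("out", reply)
    return request_ok, reply_ok
```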
Amazon VPC Best Practices
Overview of Amazon VPC recommended best practices
VPC Best Practices

Public and Private Subnets

1. The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it
is associated.
2. Use private subnets to secure resources that don't need to be available from the Internet, such as
database servers.

Provide NAT to Private Subnets

1. Use a NAT Gateway over NAT instances to provide secure Internet access to your private subnets.
2. This also saves storage costs.

Choose CIDR Blocks

1. An Amazon VPC can contain 16 to 65,536 IP addresses.
2. Create separate Amazon VPCs for Development, Staging, and Production environments.
3. Alternatively, create one Amazon VPC with separate subnets.

Amazon VPC Limits

1. 5 VPCs per Region
2. 200 subnets per VPC
3. 200 route tables per VPC
4. 500 security groups per VPC
5. 50 inbound/outbound rules per VPC
6. Some of these limits can be increased by raising a ticket with AWS Support.

Security Groups and Network ACLs

Use security groups for whitelisting and network ACLs for blacklisting.

Tier Security Groups

1. Create different security groups for different tiers of your infrastructure architecture inside your VPC.
2. If you create Amazon VPC security groups for each tier/service separately, it will be easier to open a port
to a particular service.

Standardize Security Group Naming Conventions

1. Following a security group naming convention inside Amazon VPC will improve operations and management
for large-scale deployments inside the VPC.
2. It avoids manual errors and leaks, and saves cost and time.

Span Amazon VPC

Span your Amazon VPC across multiple subnets in multiple Availability Zones inside a Region. This helps in
architecting high availability inside your Amazon VPC.
Amazon VPC Costs
Overview of the Amazon VPC associated costs
Amazon VPC Costs

If you create a hardware VPN Connection to your VPC using a Virtual Private Gateway, you are charged for each "VPN
Connection-hour" that your VPN connection is provisioned and available.

[Diagram: a VPC spanning two Availability Zones, with a router and a Virtual Private Gateway; VPN connections run from the Virtual Private Gateway to Customer Gateways on customer networks in Los Angeles, Chicago, New York and Miami]
Amazon VPC Costs (contd.)

If you create a NAT gateway in your VPC, you are charged for each “NAT Gateway-hour" that your NAT gateway is
provisioned and available.

[Diagram: a NAT Gateway in the public subnet serving a private subnet; Private Subnet Route Table: 0.0.0.0/0 → NAT Gateway]

Practice Assignment: Designing a Custom VPC
Create a custom VPC using the concepts learned in this lesson
Build a Custom VPC

Using the concepts learned in this lesson, recreate the custom VPC as shown in the demonstrations:

VPC Name: SIMPLILEARN_VPC
CIDR: 10.0.0.0/16
Subnets: 1 public (10.0.1.0) and 1 private (10.0.2.0) placed in separate Availability Zones
Internet Gateway: 1
NAT Gateway: 1
Route Table: 1 (in the public subnet)
Security Groups: SIMPLILEARN_WEBSERVER_SG and SIMPLILEARN_DBSERVER_SG
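Before building the assignment's VPC in the console, it helps to check the address plan against the rules the lesson states: blocks between /16 and /28, subnets inside the VPC block and not overlapping each other, a few addresses per subnet reserved by AWS, and the public and private subnets in different Availability Zones. The added example below (not part of the lesson) does that for the assignment's plan. The assignment lists the subnets as 10.0.1.0 and 10.0.2.0 without a prefix, so /24 is assumed; the Availability Zone labels are placeholders; the count of five reserved addresses per subnet is AWS's documented rule, not something the lesson spells out.

```python
import ipaddress

# Block sizes AWS accepts for a VPC or subnet: /16 (65,536 addresses) down to /28 (16).
LARGEST_BLOCK_PREFIX, SMALLEST_BLOCK_PREFIX = 16, 28
# AWS reserves five addresses in every subnet: the network address, the VPC
# router (+1), the DNS resolver (+2), one kept for future use (+3), and the
# broadcast address (last). The lesson only says "a few"; five is AWS's rule.
AWS_RESERVED_PER_SUBNET = 5


def check_block(cidr):
    """Return the network for a CIDR that AWS would accept as a VPC or subnet block."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: rejects host bits, e.g. 10.0.1.5/24
    if not LARGEST_BLOCK_PREFIX <= net.prefixlen <= SMALLEST_BLOCK_PREFIX:
        raise ValueError(f"{cidr}: block size must be between /16 and /28")
    return net


def reserved_addresses(subnet_cidr):
    """The five addresses in a subnet that cannot be assigned to instances."""
    net = check_block(subnet_cidr)
    first = net.network_address
    return [str(first + i) for i in range(4)] + [str(net.broadcast_address)]


def usable_addresses(subnet_cidr):
    return check_block(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, subnets):
    """Validate a subnet plan against its VPC block.
    subnets: {name: (cidr, availability_zone)}. Rejects blocks outside the VPC,
    overlapping blocks and disallowed sizes; returns per-subnet details."""
    vpc = check_block(vpc_cidr)
    placed, report = [], {}
    for name, (cidr, az) in subnets.items():
        net = check_block(cidr)
        if not net.subnet_of(vpc):
            raise ValueError(f"{name}: {cidr} is outside the VPC block {vpc}")
        for other_name, other in placed:
            if net.overlaps(other):
                raise ValueError(f"{name}: {cidr} overlaps {other_name} ({other})")
        placed.append((name, net))
        report[name] = {"cidr": str(net), "az": az,
                        "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET}
    return report


def in_separate_azs(report, *names):
    """True when the named subnets each sit in a different Availability Zone,
    as the assignment requires for the public and private subnet."""
    return len({report[n]["az"] for n in names}) == len(names)


# The practice assignment's plan. The assignment gives the subnets as 10.0.1.0
# and 10.0.2.0 without a prefix; /24 is assumed here. AZ labels are placeholders.
ASSIGNMENT_PLAN = plan_subnets("10.0.0.0/16", {
    "public": ("10.0.1.0/24", "Availability Zone A"),
    "private": ("10.0.2.0/24", "Availability Zone B"),
})

if __name__ == "__main__":
    for name, details in ASSIGNMENT_PLAN.items():
        print(name, details, "reserved:", reserved_addresses(details["cidr"]))
    print("separate AZs:", in_separate_azs(ASSIGNMENT_PLAN, "public", "private"))
```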
Key Takeaways

• Amazon’s definition of a VPC: “Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon
Web Services (AWS) resources into a virtual network that you've defined. This virtual network closely resembles
a traditional network that you'd operate in your own data center, with the benefits of using the scalable
infrastructure of AWS.”

• A private IP address is not reachable over the Internet; it is used for communication between instances in the
same network.

• A public IP address is reachable from the Internet. You can use public IP addresses for communication between
your instances and the Internet.

• An Elastic IP address is a static public IP address that persists after an instance restarts.
Key Takeaways (contd.)

• AWS defines a subnet as a range of IP addresses in your VPC. You can launch AWS resources into a subnet
that you select. A subnet is always mapped to a single Availability Zone. You can use a public subnet for
resources that must be connected to the Internet and a private subnet for resources that won't be connected to
the Internet.

• To allow your VPC the ability to connect to the Internet, you need to attach an Internet Gateway. You can only
attach one IGW per VPC.

• A route table determines where network traffic is directed. It does this by defining a set of rules.

• Every subnet has to be associated with a route table and a subnet can only be associated with one route table;
however, multiple subnets can be associated with the same route table.

• You can use a NAT device to enable instances in a private subnet to connect to the Internet or other AWS
services. However, it will prevent the Internet from initiating connections with the instances.
Key Takeaways (contd.)

• A security group acts as a virtual firewall that controls the traffic for one or more instances.

• You add rules to each security group that allow traffic to or from its associated instances.

• A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for
controlling traffic in and out of one or more subnets.
1. What is the minimum subnet size you can have?

a. /16

b. /10

c. /28

d. /24

Explanation: The allowed block size is between a /28 netmask and a /16 netmask. In other words, the VPC can contain
from 16 to 65,536 IP addresses.
2. In a custom VPC, you created three subnets. Can they communicate with each other by default?

a. Yes

b. No

Explanation: By default all subnets in a VPC can communicate with each other.
3. What aspect of a VPC is stateful?

a. Security Groups

b. Network ACLs

c. Elastic IP Addresses

d. NAT Gateways

Explanation: Security groups are stateful: if you send a request from your instance, the response traffic for that request is
allowed to flow in regardless of inbound security group rules.
4. Which of the following routes do you need to add to allow your subnet Internet access?

a. Destination: 0.0.0.0/0 --> Target: Your Internet Gateway

b. Destination: 0.0.0.0/16 --> Target: 0.0.0.0/28

c. Destination: 10.0.1.0/0 --> Target: 0.0.0.0/28

d. Destination: 0.0.0.0/0 --> Target: Direct Connect

Explanation: You need to allow a route for all traffic to access the Internet Gateway.
5. What is the default limit for VPCs in an AWS Region?

a. 10

b. Unlimited

Explanation: By default you can have five VPCs per Region. If you need more, you need to raise a ticket with AWS
Support to increase the limit.
This concludes the lesson “Amazon VPC.”

The next lesson is “Amazon EC2.”
