Chapter 4: Amazon Virtual Private Cloud (Amazon VPC)

1. C. The minimum size subnet that you can have in an Amazon VPC is /28.

• VPC中最小子网是/28

2. C. You need two public subnets (one for each Availability Zone) and two private subnets
   (one for each Availability Zone). Therefore, you need four subnets.

• 高可用至少需要2个AZ，每个AZ一个public subnet，一个private subnet，所以一共4个子网

3. A. Network ACLs are associated to a VPC subnet to control traffic flow.

• subnet层次的访问控制是通过ACL实现的

4. A. The maximum size subnet that you can have in a VPC is /16.

• 最大的子网不能超过vpc的，vpc的最大cidr是/16

5. D. By creating a route out to the Internet using an IGW, you have made this subnet
   public.

• 一般都将attach的IGW的subnet称为 public subnet，需要在路由表中定制一个指向IGW的路由，然后将路由attach到subnet上

6. A. When you create an Amazon VPC, a route table is created by default. You must
   manually create subnets and an IGW.

• 创建VPC的时候，默认只会创建一个route table

7. C. When you provision an Amazon VPC, all subnets can communicate with each other by default.

• 一个vpc内的子网，路由表都会指向local，所以可以通过内网互相访问

8. A. You may only have one IGW for each Amazon VPC.

• 每个vpc最多可以attch一个 IGW，因为操作控制台在IGW那里，由他选择没有挂IGW的vpc。

9. B. Security groups are stateful, whereas network ACLs are stateless.

• 安全组是vpc中有状态的服务。而ACL是没有状态的

10. C. You should disable source/destination checks on the NAT.

• nat网关或者instance有关于 source/destionation的配置。

11. B, E. In the EC2-Classic network, the EIP will be disassociated with the instance; in the EC2-VPC network, the EIP remains associated with the instance. Regardless of the
    underlying network, a stop/start of an Amazon EBS-backed Amazon EC2 instance always changes the host computer.

• 实例上存储的数据肯定丢失了；
• EIP是会与instance绑定的，但是instance的宿主服务器（host）可能会换成其他的

12. D. Six VPC Peering connections are needed for each of the four VPCs to send traffic to the other.

• vpc peering是没有传播机制的，两个VPC子网必须直接建立连接才能使用

13. B. A DHCP option set allows customers to define DNS servers for DNS name resolution,establish domain names for instances within an Amazon VPC, define NTP servers, and define the NetBIOS name servers.

• dhcp是用来定义DNS解析的内网主机

14. D. A CGW is the customer side of a VPN connection, and an IGW connects a network to the Internet. A VPG is the Amazon side of a VPN connection.

• VPG是AWS侧的vpn连接定义；
• CGW是客户侧的vpn连接定义；

15. A. The default limit for the number of Amazon VPCs that a customer may have in a
    region is 5.

• 每个region中可以定义5个VPC

16. B. Network ACL rules can deny traffic.

• 可以使用ACL来拒绝指定ip的访问流量；

17. D. IPsec is the security protocol supported by Amazon VPC.

• ipsec是传输安全协议，被vpc支持
• ssh是访问协议
• aes是加密算法

18. D. An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT device, VPN connection, or AWS Direct Connect.

• AWS的vpc endpoints可以与S3创建一个私有连接，不需要通过公网进行访问。
• VPC 终端节点使您能够将 VPC 私密地连接到支持的 AWS 服务和 VPC 终端节点服务 (由 PrivateLink 提供支持)，而无需 Internet 网关、NAT 设备、VPN 连接或 AWS Direct Connect 连接。VPC 中的实例无需公有 IP 地址便可与服务中的资源通信。VPC 和其他服务之间的通信不会离开 Amazon 网络

19. A, C. The CIDR block is specified upon creation and cannot be changed. An Amazon VPC is associated with exactly one region which must be specified upon creation. You can add a subnet to an Amazon VPC any time after it has been created, provided its address range falls within the Amazon VPC CIDR block and does not overlap with the address range of any existing CIDR block. You can set up peering relationships between Amazon VPCs after they have been created.

• 创建VPC的时候已经是在web控制台的右上角选择了region了。所以在输入框中只需要填写CIDR限制IP范围就行了。

20. B. Attaching an ENI associated with a different subnet to an instance can make the instance dual-homed.

• 当我们需要自己的EC2实例同时处于多个子网中时，就需要为其增加ENI，其实针对instance增加网卡的意思

知识点总结

• Understand what a VPC is and its core and optional components. An Amazon VPC is a logically isolated network in the AWS Cloud. An Amazon VPC is made up of the following core elements: subnets (public, private, and VPN-only), route tables, DHCP option sets, security groups, and network ACLs. Optional elements include an IGW, EIP addresses, endpoints, peering connections, NAT instances, VPGs, CGWs, and VPN connections.

• 了解什么是vpc以及他的核心组件，可选组件。

• VPC是一个在aws中逻辑隔离的云。

• VPC由如下必选组件组成：subnet（public、private、VPN-only），route table，DHCP 选项设置，安全组，ACLs。

• VPC可选组件：IGW，EIP，endpoints，peering connections，nat instances、VPGs、CGWs、一个VPN 连接；

• Understand the purpose of a subnet. A subnet is a segment of an Amazon VPC’s IP address range where you can place groups of isolated resources. Subnets are defined by CIDR blocks—for example, 10.0.1.0/24 and 10.0.2.0/24—and are contained within an Availability Zone.

• 了解子网的意义。一个子网是必须在VPC的IP地址范围内，可以用来做资源隔离。子网需要设置CIDR blocks，子网必须在一个可用区内；

• Identify the difference between a public subnet, a private subnet, and a VPN-Only subnet. If a subnet’s traffic is routed to an IGW, the subnet is known as a public subnet. If a subnet doesn’t have a route to the IGW, the subnet is known as a private subnet. If a subnet doesn’t have a route to the IGW, but has its traffic routed to a VPG, the subnet is known as a VPN-only subnet.

• 识别公共子网、私有子网和VPN-Only子网之间的区别。子网的流量是路由到IGW，被称作公共子网。如果一个子网没有路由到IGW，被称作私有子网。如果一个子网没有路由到IGW，但是有流量路由到VPG，这个子网被称作VPN-only子网;

• Understand the purpose of a route table. A route table is a set of rules (called routes)
  that are used to determine where network traffic is directed. A route table allows Amazon EC2 instances within different subnets to communicate with each other (within the same Amazon VPC). The Amazon VPC router also enables subnets, IGWs, and VPGs to communicate with each other.

• 理解路由表的意义；一个路由表是一系列route规则的集合，被用来决定网络流量的进出。一个路由表允许EC2实例在不同的子网之间进行交互。VPC路由表同时也拉通subnet、IGWs,VPGs之间互通；

• Understand the purpose of an IGW. An IGW is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. IGWs are fully redundant and have no bandwidth constraints. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic and performs network address translation for instances that have been assigned public IP addresses.

• 理解IGW的意义。一个IGW是可以水平扩展的，冗余、高可用的VPC组件，允许VPC内部的instances与互联网进行交互。IGWs是完全冗余的且没有带宽限制。一个IGW为vpc的route tables访问互联网提供了目标，同时支持公网IP的网络地址转换；

• Understand what DHCP option sets provide to an Amazon VPC. The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignment to your own resources. You can specify the domain name for instances within an Amazon VPC and identify the IP addresses of custom DNS servers, NTP servers, and NetBIOS servers.

• 理解DHCP设置项对于VPC的意义。DHCP设置项允许你直接将EC2的host name设置到你的资源上。你可以设置instance的domain name，同时通过定制的DNS 服务器识别IP地址，NTP服务器以及NetBios服务器；

• Know the difference between an Amazon VPC public IP address and an EIP address. A public IP address is an AWS-owned IP that can be automatically assigned to instances launched within a subnet. An EIP address is an AWS-owned public IP address that you allocate to your account and assign to instances or network interfaces on demand.

• 了解公网IP地址和EIP在VPC内的差别。

• public IP：一个公共IP地址是AWS自有的IP地址，可以随时给子网内的不同instance设置。

• EIP：EIP地址是AWS自有的公共IP地址，绑定到你的账户以及instance 或者网卡上。

• Understand what endpoints provide to an Amazon VPC. An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, a VPN connection, or AWS Direct Connect. Endpoints support services within the region only.

• 理解什么是VPC的endpoints。VPC endpoints帮助你在一个region内创建一个与其他AWS服务的私有连接，而不需要通过internet、NAT、VPN、专线来访问。注意：endpoints支持的服务只是在region内。

• Understand Amazon VPC peering. An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. Peering connections are created through a request/accept protocol. Transitive peering is not supported, and peering is only available between Amazon VPCs within the same region.

• 理解VPC PEERING。VPC peering 连接是一个拉通两个VPC之间通讯的方案，支持两个VPC之间的实例像是在同一个内网内通讯。Peering 连接通过request/accept协议创建。vpc peering只在同一个region之中的vpc可用；

• Know the difference between a security group and a network ACL. A security group applies at the instance level. You can have multiple instances in multiple subnets that are members of the same security groups. Security groups are stateful, which means that return traffic is automatically allowed, regardless of any outbound rules. A network ACL is applied on a subnet level, and traffic is stateless. You need to allow both inbound and outbound traffic on the network ACL in order for Amazon EC2 instances in a subnet to be able to communicate over a particular protocol.

• 了解security group和ACL的区别。一个安全组应用到instance级别。你可以有多个instance在多个子网中，同时基于相同的安全组。安全组是有状态的，这意味着流量的进出只要设置一个in的规则，out规则就不需要设置了。一个ACL被应用到一个子网上，同时流量是无状态的。你需要设置inbound和outbound流量在ACL上，为了子网内的EC2实例可以通过特定的协议交互。

• Understand what a NAT provides to an Amazon VPC. A NAT instance or NAT gateway enables instances in a private subnet to initiate outbound traffic to the Internet. This allows outbound Internet communication to download patches and updates, for example, but prevents the instances from receiving inbound traffic initiated by someone on the Internet.

• 理解什么是VPC的NAT。一个NAT实例或者NAT gateway设置了实例在private subnet内可以直接调用互联网流量。这个允许outbound互联网流量被用来下载补丁包或者升级。同时可以阻止instance接收互联网上的请求；

• Understand the components needed to establish a VPN connection from a network to an Amazon VPC. A VPG is the VPN concentrator on the AWS side of the VPN connection between the two networks. A CGW represents a physical device or a software application on the customer’s side of the VPN connection. The VPN connection must be initiated from the CGW side, and the connection consists of two IPSec tunnels.

• 理解如何建立一个VPN连接到VPC。VPG是一个AWS侧的VPN连接点。CGW是一个物理设备或者软件应用在客户侧VPN连接上。VPN连接必须从CGW侧初始化，同时这个连接是由两个IPSec组成的通道；