VPC Connectivity – Networking and Connectivity – SOA-C02 Study Guide

VPC Connectivity

This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:

5.1 Implement networking features and connectivity

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

1. You have a group of EC2 instances in a private subnet. You must configure a NAT gateway to allow these instances to have Internet access. Does the route table of the private subnet need to be modified for this configuration to work?

2. A new subnet has been created within a VPC. The administrator has not assigned a route table to the new subnet. What is the result of this configuration?

Answers

1. Answer: A route entry must be added to the route table associated with the private subnet. You should create a default route that points to the NAT gateway. The NAT gateway must be placed in a public subnet.

2. Answer: The main route table is assigned to this subnet. Every VPC has a main route table that you can modify. The main route table is used by default for all subnets. However, this may create security concerns, especially if the main route table has a route to the Internet gateway.

Subnets

When you create a VPC, you must configure a CIDR range that specifies the entire block of addresses that can be used within the VPC. Subnets are ranges of IP addresses within that CIDR range. For example, if the CIDR range of a VPC is 10.1.0.0/16, you can create a public subnet with the 10.1.1.0/24 address range, as shown in Figure 11.5.

FIGURE 11.5 Creating a subnet

A VPC spans all of the availability zones (AZs) in the region but cannot span multiple regions. Each subnet is local to a single AZ. In Figure 11.5, eu-west-3a is chosen for the AZ. By creating subnets in several AZs and placing instances in each of them behind a load balancer, you can build highly available applications.

Route Tables

Each VPC is automatically configured with a main route table. Any subnet that has not been explicitly associated with a route table uses the main route table by default. You can also create your own custom route tables and associate them with specific subnets. All route tables include a local route that allows traffic to flow within the CIDR range of the VPC; this local route cannot be removed.

You modify the route tables for your public subnets with a default route that points all outbound traffic to the Internet gateway. You can see an example of this in Figure 11.6. You could also create a narrow set of specific routes if you don’t want to enable general Internet access from your VPC.

FIGURE 11.6 Public route table

NAT Gateway

The NAT gateway is an AWS managed service that allows instances in private subnets to connect to the Internet but prevents the Internet from initiating connections to these instances because the NAT service is egress only. Previously, you needed to launch a NAT instance running on EC2 to accomplish this. The NAT gateway must reside in a public subnet and requires a public Elastic IP. You can adjust the route table for your private subnets to use the NAT gateway as a default route, as shown in Figure 11.7.

FIGURE 11.7 Private route table
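As an added example (not from the study guide), the Python below models how a subnet resolves its route table and audits the two pitfalls described in the CramSaver answers and the sections above: a subnet meant to be private that silently falls back to a main route table with a route to the Internet gateway, and a NAT gateway placed in a subnet that is not public. The topology, subnet names and the igw-EXAMPLE / nat-EXAMPLE ids are constructed placeholders.

```python
import ipaddress

# Constructed sample topology (not from the guide): VPC 10.1.0.0/16 with subnets
# public-a (10.1.1.0/24) and private-a (10.1.2.0/24), and three route tables.
VPC_CIDR = "10.1.0.0/16"
ROUTE_TABLES = {
    "rtb-main":    {"main": True,  "routes": {VPC_CIDR: "local", "0.0.0.0/0": "igw-EXAMPLE"}},
    "rtb-public":  {"main": False, "routes": {VPC_CIDR: "local", "0.0.0.0/0": "igw-EXAMPLE"}},
    "rtb-private": {"main": False, "routes": {VPC_CIDR: "local", "0.0.0.0/0": "nat-EXAMPLE"}},
}
# Explicit subnet associations; a subnet missing here silently uses the main table.
ASSOCIATIONS = {"public-a": "rtb-public"}
NAT_GATEWAY_SUBNET = "public-a"  # subnet where nat-EXAMPLE is placed (placeholder)


def effective_route_table(subnet, route_tables=ROUTE_TABLES, associations=ASSOCIATIONS):
    """Route table a subnet actually uses: its explicit association, else the VPC main table."""
    if subnet in associations:
        return associations[subnet]
    return next(rid for rid, rt in route_tables.items() if rt["main"])


def next_hop(dest_ip, routes):
    """Longest-prefix match, the way a VPC route table picks among overlapping routes."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def audit(intended_private, route_tables=ROUTE_TABLES, associations=ASSOCIATIONS,
          nat_subnet=NAT_GATEWAY_SUBNET):
    """Findings: a 'private' subnet whose effective default route reaches an Internet
    gateway, and a NAT gateway whose own subnet has no route to an Internet gateway."""
    findings = []
    probe = "203.0.113.10"  # any non-VPC address exercises the 0.0.0.0/0 route
    for subnet in intended_private:
        rid = effective_route_table(subnet, route_tables, associations)
        hop = next_hop(probe, route_tables[rid]["routes"])
        if hop and hop.startswith("igw-"):
            findings.append(f"{subnet}: uses {rid}, default route goes to {hop}")
    nat_rid = effective_route_table(nat_subnet, route_tables, associations)
    if not str(next_hop(probe, route_tables[nat_rid]["routes"])).startswith("igw-"):
        findings.append(f"NAT gateway subnet {nat_subnet} has no route to an Internet gateway")
    return findings
```

Associating private-a with rtb-private (default route to the NAT gateway) clears the first finding, which is exactly the route-table change Answer 1 calls for.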

ExamAlert

Each subnet is mapped to a single AZ. A VPC exists inside a single AWS region and cannot span multiple regions. Instances can be spread across multiple AZs within a region by placing them in subnets that belong to different AZs.