Amazon VPC

Last updated on November 14, 2024

Amazon VPC Cheat Sheet

  • Create a virtual network in the cloud dedicated to your AWS account where you can launch AWS resources
  • Amazon VPC is the networking layer of Amazon EC2
  • A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone.

Key Concepts

  • A virtual private cloud (VPC) allows you to specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.
  • A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won’t be connected to the internet.
  • To protect the AWS resources in each subnet, use security groups and network access control lists (ACLs).
  • Expand your VPC by adding secondary IP ranges.

EC2-VPC vs EC2-Classic

A diagram comparing EC2-VPC and EC2-Classic

Default vs Non-Default VPC

| Default VPC | Non-Default VPC |
| --- | --- |
| If your account supports the EC2-VPC platform only, it comes with a default VPC that has a default subnet in each Availability Zone. | You can create your own non-default VPC, and configure it as you need. Subnets that you create in your non-default VPC and additional subnets that you create in your default VPC are called non-default subnets. |
| Your default VPC includes an internet gateway, which allows your instances to communicate with the internet, and each default subnet is a public subnet. | Instances can communicate with each other, but can’t access the internet. You can enable internet access for an instance launched into a non-default subnet by attaching an Internet Gateway and associating an Elastic IP address with the instance. |
| Each instance that you launch into a default subnet has a private IPv4 address and a public IPv4 address. | By default, each instance that you launch into a non-default subnet has a private IPv4 address, but no public IPv4 address, unless you specifically assign one at launch, or you modify the subnet’s public IP address attribute. |

To allow an instance in your VPC to initiate outbound connections to the internet but prevent unsolicited inbound connections from the internet, you can use a network address translation (NAT) device for IPv4 traffic. 

You can optionally associate an Amazon-provided IPv6 CIDR block with your VPC and assign IPv6 addresses to your instances. IPv6 traffic is separate from IPv4 traffic; your route tables must include separate routes for IPv6 traffic. 

A diagram of default VPC

A diagram of non-default VPC

Accessing a Corporate or Home Network

    • You can optionally connect your VPC to your own corporate data center using an IPsec AWS managed VPN connection, making the AWS Cloud an extension of your data center.
    • A VPN connection consists of:
      • a virtual private gateway (which is the VPN concentrator on the Amazon side of the VPN connection) attached to your VPC.
      • a customer gateway (which is a physical device or software appliance on your side of the VPN connection) located in your data center.
      • A diagram of the connection

    • AWS Site-to-Site Virtual Private Network (VPN) connections can be moved from a virtual private gateway to an AWS Transit Gateway without having to make any changes on your customer gateway. Transit Gateways enable you to easily scale connectivity across thousands of Amazon VPCs, AWS accounts, and on-premises networks.
    • AWS PrivateLink enables you to privately connect your VPC to supported AWS services, services hosted by other AWS accounts (VPC endpoint services), and supported AWS Marketplace partner services. You do not require an internet gateway, NAT device, public IP address, AWS Direct Connect connection, or VPN connection to communicate with the service. Traffic between your VPC and the service does not leave the Amazon network.
    • AWS PrivateLink-Supported Services:
      • Amazon API Gateway
      • Amazon AppStream 2.0
      • AWS App Mesh
      • Application Auto Scaling
      • Amazon Athena
      • AWS Auto Scaling
      • Amazon Cloud Directory
      • AWS CloudFormation
      • AWS CloudTrail
      • Amazon CloudWatch
      • Amazon CloudWatch Events
      • Amazon CloudWatch Logs
      • AWS CodeBuild
      • AWS CodeCommit
      • AWS CodePipeline
      • AWS Config
      • AWS DataSync
      • Amazon EC2 API
      • Amazon EC2 Auto Scaling
      • Amazon Elastic File System
      • Elastic Load Balancing
      • Amazon Elastic Container Registry
      • Amazon Elastic Container Service
      • AWS Glue
      • AWS Key Management Service
      • Amazon Kinesis Data Firehose
      • Amazon Kinesis Data Streams
      • Amazon Rekognition
      • Amazon SageMaker and Amazon SageMaker Runtime
      • Amazon SageMaker Notebook
      • AWS Secrets Manager
      • AWS Security Token Service
      • AWS Server Migration Service
      • AWS Service Catalog
      • Amazon SNS
      • Amazon SQS
      • Amazon Systems Manager
      • AWS Storage Gateway
      • AWS Transfer for SFTP
      • Amazon WorkSpaces
      • AWS CloudHSM
      • Endpoint services hosted by other AWS accounts
      • Supported AWS Marketplace partner services
 
    • You can create a VPC peering connection between your VPCs, or with a VPC in another AWS account, and enable routing of traffic between the VPCs using private IP addresses. You cannot create a VPC peering connection between VPCs that have overlapping CIDR blocks.
    • Applications in an Amazon VPC can securely access AWS PrivateLink endpoints across VPC peering connections. The support of VPC peering by AWS PrivateLink makes it possible for customers to privately connect to a service even if that service’s endpoint resides in a different Amazon VPC that is connected using VPC peering.
    • AWS PrivateLink endpoints can now be accessed across both intra- and inter-region VPC peering connections.

VPC Use Case Scenarios

  • VPC with a Single Public Subnet
  • VPC with Public and Private Subnets (NAT)
  • VPC with Public and Private Subnets and AWS Managed VPN Access
  • VPC with a Private Subnet Only and AWS Managed VPN Access

Subnets

  • When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block (example: 10.0.0.0/16). This is the primary CIDR block for your VPC.
  • You can add one or more subnets in each Availability Zone of your VPC’s region.
  • You specify the CIDR block for a subnet, which is a subset of the VPC CIDR block.
  • A CIDR block must not overlap with any existing CIDR block that’s associated with the VPC.
  • Types of Subnets
    • Public Subnet – has an internet gateway
    • Private Subnet – doesn’t have an internet gateway
    • VPN-only Subnet – has a virtual private gateway instead
  • IPv4 CIDR block size should be between a /16 netmask (65,536 IP addresses) and /28 netmask (16 IP addresses).
  • The first four IP addresses and the last IP address in each subnet CIDR block are NOT available for you to use, and cannot be assigned to an instance.
  • You cannot increase or decrease the size of an existing CIDR block.
  • When you associate a CIDR block with your VPC, a route is automatically added to your VPC route tables to enable routing within the VPC (the destination is the CIDR block and the target is local).
  • You have a limit on the number of CIDR blocks you can associate with a VPC and the number of routes you can add to a route table.
  • The following rules apply when you add IPv4 CIDR blocks to a VPC that’s part of a VPC peering connection:
    • If the VPC peering connection is active, you can add CIDR blocks to a VPC provided they do not overlap with a CIDR block of the peer VPC.
    • If the VPC peering connection is pending-acceptance, the owner of the requester VPC cannot add any CIDR block to the VPC. Either the owner of the accepter VPC must accept the peering connection, or the owner of the requester VPC must delete the VPC peering connection request, add the CIDR block, and then request a new VPC peering connection.
    • If the VPC peering connection is pending-acceptance, the owner of the accepter VPC can add CIDR blocks to the VPC. If a secondary CIDR block overlaps with a CIDR block of the requester VPC, the VPC peering connection request fails and cannot be accepted.
  • If you’re using AWS Direct Connect to connect to multiple VPCs through a direct connect gateway, the VPCs that are associated with the direct connect gateway must not have overlapping CIDR blocks.
  • The CIDR block is ready for you to use when it’s in the associated state.
  • You can disassociate a CIDR block that you’ve associated with your VPC; however, you cannot disassociate the primary CIDR block.
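The CIDR rules listed above (a VPC block between /16 and /28, subnets carved from inside the VPC block without overlapping each other, five reserved addresses in every subnet, and no overlapping blocks across a peering connection) can all be checked offline with Python's standard ipaddress module. The following is an added example written for this cheat sheet, not code from AWS or from the cheat sheet's author; the function names and the 10.0.0.0/16 sample plan are constructed for illustration.

```python
import ipaddress

# Limits from the text: a VPC (and therefore any subnet) takes an IPv4 block
# between /16 (65,536 addresses) and /28 (16 addresses).
VPC_MIN_PREFIX = 16
VPC_MAX_PREFIX = 28
RESERVED_PER_SUBNET = 5  # the first four addresses plus the last one


def vpc_cidr_problem(cidr):
    """Return None if `cidr` is acceptable as a VPC CIDR block, otherwise the reason."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.0.1/16
    except ValueError as exc:
        return f"{cidr}: {exc}"
    if net.version != 4:
        return f"{cidr}: only IPv4 blocks are checked here"
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        return f"{cidr}: VPC CIDR must be between /16 and /28"
    return None


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps in every subnet: the first four and the last."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    first = int(net.network_address)
    return [str(ipaddress.ip_address(first + i)) for i in range(4)] + [str(net.broadcast_address)]


def usable_addresses(subnet_cidr):
    """Addresses actually assignable to instances in the subnet."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - RESERVED_PER_SUBNET


def subnet_problems(vpc_cidr, subnet_cidrs):
    """Check that each subnet is inside the VPC block, no smaller than /28, and does
    not overlap a subnet already accepted. Returns a list of problems (empty when valid)."""
    vpc_issue = vpc_cidr_problem(vpc_cidr)
    if vpc_issue:
        return [vpc_issue]
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, accepted = [], []
    for cidr in subnet_cidrs:
        try:
            sub = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{cidr}: {exc}")
            continue
        if sub.version != vpc.version:
            problems.append(f"{cidr}: address family differs from VPC block {vpc}")
        elif sub.prefixlen > VPC_MAX_PREFIX:
            problems.append(f"{cidr}: subnets smaller than /28 are not allowed")
        elif not sub.subnet_of(vpc):
            problems.append(f"{cidr}: not inside VPC block {vpc}")
        else:
            overlap = next((o for o in accepted if sub.overlaps(o)), None)
            if overlap is not None:
                problems.append(f"{cidr}: overlaps subnet {overlap}")
            else:
                accepted.append(sub)
    return problems


def peering_conflicts(local_cidrs, peer_cidrs):
    """CIDR pairs that overlap across two VPCs; any such pair blocks a peering connection."""
    return [(a, b) for a in local_cidrs for b in peer_cidrs
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]


if __name__ == "__main__":
    # Constructed sample plan: a /16 VPC split into two /24 subnets plus one mistake.
    print(subnet_problems("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24", "10.0.0.128/25"]))
    print(usable_addresses("10.0.0.0/24"), reserved_addresses("10.0.0.0/24"))
    print(peering_conflicts(["10.0.0.0/16"], ["10.0.5.0/24", "192.168.0.0/16"]))
```

The checks run before anything is created, which is where they are useful: once a CIDR block is associated it cannot be resized, and an overlapping secondary block discovered later is what makes a pending peering request fail.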

Subnet Routing

  • Each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet.
  • Every subnet that you create is automatically associated with the main route table for the VPC.
  • You can change the association, and you can change the contents of the main route table.
  • You can allow an instance in your VPC to initiate outbound connections to the internet over IPv4 but prevent unsolicited inbound connections from the internet using a NAT gateway or NAT instance.
  • To initiate outbound-only communication to the internet over IPv6, you can use an egress-only internet gateway.

Subnet Security

  • Security Groups — control inbound and outbound traffic for your instances
    • You can associate one or more (up to five) security groups to an instance in your VPC.
    • If you don’t specify a security group, the instance automatically belongs to the default security group.
    • When you create a security group, it has no inbound rules. By default, it includes an outbound rule that allows all outbound traffic.
    • Security groups are associated with network interfaces.
  • Network Access Control Lists — control inbound and outbound traffic for your subnets
    • Each subnet in your VPC must be associated with a network ACL. If you don’t associate one explicitly, the subnet is automatically associated with the default network ACL.
    • You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time.
    • A network ACL contains a numbered list of rules that is evaluated in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.
    • The default network ACL is configured to allow all traffic to flow in and out of the subnets to which it is associated.
    • For custom ACLs, you need to add a rule for ephemeral ports, usually with the range 32768-65535. If you have a NAT Gateway, ELB, or a Lambda function in a VPC, you need to allow the 1024-65535 port range.
  • Flow logs — capture information about the IP traffic going to and from network interfaces in your VPC; the captured data is published to CloudWatch Logs.
  • Flow logs can help you with a number of tasks, such as:
    • Diagnosing overly restrictive security group rules
    • Monitoring the traffic that is reaching your instance
    • Determining the direction of the traffic to and from the network interfaces
  • Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.
  • After you’ve created a flow log, it can take several minutes to begin collecting and publishing data to the chosen destinations. Flow logs do not capture real-time log streams for your network interfaces.
  • VPC Flow Logs can be sent directly to an Amazon S3 bucket which allows you to retrieve and analyze these logs yourself.
  • Amazon security groups and network ACLs don’t filter traffic to or from link-local addresses or AWS-reserved IPv4 addresses. Flow logs do not capture IP traffic to or from these addresses.
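The flow log use cases above (diagnosing overly restrictive rules, seeing what reaches an interface, telling inbound from outbound) come down to parsing the default record format and splitting REJECT records by which side of the VPC started the flow. The following Python is an added example, not part of this cheat sheet and not an AWS tool; the field order is the default version 2 record format, and the account id, ENI ids, addresses and byte counts in SAMPLE_LOG are constructed.

```python
import ipaddress
from collections import Counter

# Field order of the default VPC Flow Logs record format (version 2).
FLOW_LOG_FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
    "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status",
]
NUMERIC_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records (account id, ENI ids and addresses are made up):
# an accepted SSH session in both directions, an outbound HTTPS attempt that was
# rejected, an inbound SMB probe that was rejected, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 10.0.2.40 49152 22 6 20 4249 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.2.40 10.0.1.25 22 49152 6 18 3120 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.25 203.0.113.10 51000 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.25 40000 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60002 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse space-separated default-format records into dicts; numeric '-' becomes None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FLOW_LOG_FIELDS):
            continue  # malformed line: skip it rather than abort the whole batch
        rec = dict(zip(FLOW_LOG_FIELDS, parts))
        for key in NUMERIC_FIELDS:
            rec[key] = None if rec[key] == "-" else int(rec[key])
        records.append(rec)
    return records


def bytes_by_action(records):
    """Total bytes per action; NODATA records carry no byte count and are ignored."""
    totals = Counter()
    for rec in records:
        if rec["bytes"] is not None:
            totals[rec["action"]] += rec["bytes"]
    return totals


def classify_rejects(records, vpc_cidr):
    """Split REJECT records by who initiated them. A reject whose source is inside
    the VPC means an instance's own traffic was dropped (a security group or
    network ACL is probably too restrictive); a reject from outside is unsolicited
    inbound traffic that the rules blocked as intended."""
    vpc = ipaddress.ip_network(vpc_cidr)
    outbound, inbound = [], []
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        (outbound if src in vpc else inbound).append(rec)
    return outbound, inbound


def rejected_ports(records):
    """(interface, destination port) pairs with their REJECT count, for quick triage."""
    return Counter((r["interface_id"], r["dstport"]) for r in records if r["action"] == "REJECT")


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    out, inn = classify_rejects(recs, "10.0.0.0/16")
    print("bytes:", dict(bytes_by_action(recs)))
    print("outbound rejects (check egress rules):", [(r["dstaddr"], r["dstport"]) for r in out])
    print("inbound rejects (blocked as intended):", [(r["srcaddr"], r["dstport"]) for r in inn])
```

Because flow logs are stateless records of individual flows, the two directions of one SSH session appear as two ACCEPT lines; the split on source address is what turns a pile of REJECTs into "my instance cannot reach 443" versus "someone probed 445 and was dropped".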

| Security Group | Network ACL |
| --- | --- |
| Operates at the instance level | Operates at the subnet level |
| Supports ALLOW rules only | Supports ALLOW rules and DENY rules |
| Is stateful: return traffic is automatically allowed, regardless of any rules | Is stateless: return traffic must be explicitly allowed by rules |
| We evaluate all rules before deciding whether to allow traffic | We process rules in number order when deciding whether to allow traffic |
| Applies only to EC2 instances and similar services that use EC2 as a backend; the security group is specified when launching the instance, or is associated with the instance later on | Automatically applies to all instances in the subnets it’s associated with |
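The stateful/stateless and allow-only/ordered-rules differences in the comparison above are easiest to see when both filters are run over the same connection. The following Python simulator is an added example, not code from AWS or from this cheat sheet; the Rule and Packet types and the scenario (an instance making an outbound HTTPS request through a network ACL that lacks the inbound ephemeral-port rule) are constructed. The security group passes the reply without any inbound rule, while the network ACL drops it until ports 1024-65535 are explicitly allowed inbound.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str          # "inbound" or "outbound", relative to the instance / subnet
    protocol: str           # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str               # remote address range the rule matches
    action: str = "allow"   # security groups only ever carry allow rules
    number: int = 0         # evaluation order for network ACL rules; unused by security groups

    def matches(self, packet):
        return (self.direction == packet.direction
                and self.protocol in ("all", packet.protocol)
                and self.port_from <= packet.port <= self.port_to
                and ipaddress.ip_address(packet.remote_ip) in ipaddress.ip_network(self.cidr))


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound"
    protocol: str
    port: int        # destination port of this packet
    remote_ip: str   # the off-instance end of the packet


def security_group_allows(rules, packet):
    """Security group semantics: all rules are evaluated and the packet passes if any
    one matches. There are no deny rules, so rule order is irrelevant."""
    return any(rule.matches(packet) for rule in rules)


def network_acl_allows(rules, packet):
    """Network ACL semantics: rules are walked from the lowest number up and the first
    match decides; with no match, the implicit final deny (the '*' rule) applies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(packet):
            return rule.action == "allow"
    return False


def connection_allowed(sg_rules, nacl_rules, request, reply):
    """A connection needs the request to pass both filters and the reply to pass the
    stateless network ACL. The security group is stateful: once the request is
    allowed, its reply is allowed regardless of the security group's rules."""
    if not security_group_allows(sg_rules, request):
        return False, "security group dropped the request"
    if not network_acl_allows(nacl_rules, request):
        return False, "network ACL dropped the request"
    if not network_acl_allows(nacl_rules, reply):
        return False, "network ACL dropped the reply (missing ephemeral-port rule?)"
    return True, "allowed"


# Constructed scenario: an instance makes an HTTPS request to a host on the internet.
DEFAULT_SG = [Rule("outbound", "all", 0, 65535, "0.0.0.0/0")]   # the default outbound allow-all
STRICT_NACL = [Rule("outbound", "tcp", 443, 443, "0.0.0.0/0", "allow", 100)]
# The same ACL plus the inbound rule for the 1024-65535 return-traffic range.
FIXED_NACL = STRICT_NACL + [Rule("inbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow", 110)]
REQUEST = Packet("outbound", "tcp", 443, "203.0.113.10")
REPLY = Packet("inbound", "tcp", 49152, "203.0.113.10")   # server answers to the client's ephemeral port

# Deny-before-allow ordering is only expressible in a network ACL.
ORDERED_NACL = [
    Rule("inbound", "tcp", 22, 22, "198.51.100.0/24", "deny", 90),
    Rule("inbound", "tcp", 22, 22, "0.0.0.0/0", "allow", 100),
]

if __name__ == "__main__":
    print(connection_allowed(DEFAULT_SG, STRICT_NACL, REQUEST, REPLY))
    print(connection_allowed(DEFAULT_SG, FIXED_NACL, REQUEST, REPLY))
    print(network_acl_allows(ORDERED_NACL, Packet("inbound", "tcp", 22, "198.51.100.5")))
```

Swapping the two rule numbers in ORDERED_NACL would silently turn the deny into dead code, which is why custom ACLs are reviewed by number order rather than by reading the rules as a set.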

  • Diagram of security groups and NACLs in a VPC

VPC Networking Components

  • Network Interfaces

    • a virtual network interface that can include:
      • a primary private IPv4 address
      • one or more secondary private IPv4 addresses
      • one Elastic IP address per private IPv4 address
      • one public IPv4 address, which can be auto-assigned to the network interface for eth0 when you launch an instance
      • one or more IPv6 addresses
      • one or more security groups
      • a MAC address
      • a source/destination check flag
      • a description
    • Network interfaces can be attached to and detached from instances; however, you cannot detach a primary network interface.
  • Route Tables

    • contains a set of rules, called routes, that are used to determine where network traffic is directed.
    • A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
    • You cannot delete the main route table, but you can replace the main route table with a custom table that you’ve created.
    • You must update the route table for any subnet that uses gateways or connections.
    • Uses the most specific route in your route table that matches the traffic to determine how to route the traffic (longest prefix match).
  • Internet Gateways

    • Allows communication between instances in your VPC and the internet.
    • Imposes no availability risks or bandwidth constraints on your network traffic.
    • Provides a target in your VPC route tables for internet-routable traffic, and performs network address translation for instances that have been assigned public IPv4 addresses.
    • The following table provides an overview of whether your VPC automatically comes with the components required for internet access over IPv4 or IPv6.
    • To enable access to or from the Internet for instances in a VPC subnet, you must do the following:
      • Attach an Internet Gateway to your VPC
      • Ensure that your subnet’s route table points to the Internet Gateway.
      • Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
      • Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance
 

| Component | Default VPC | Non-default VPC |
| --- | --- | --- |
| Internet gateway | Yes | Yes, if you created the VPC using the first or second option in the VPC wizard. Otherwise, you must manually create and attach the internet gateway. |
| Route table with route to internet gateway for IPv4 traffic (0.0.0.0/0) | Yes | Yes, if you created the VPC using the first or second option in the VPC wizard. Otherwise, you must manually create the route table and add the route. |
| Route table with route to internet gateway for IPv6 traffic (::/0) | No | Yes, if you created the VPC using the first or second option in the VPC wizard, and if you specified the option to associate an IPv6 CIDR block with the VPC. Otherwise, you must manually create the route table and add the route. |
| Public IPv4 address automatically assigned to instance launched into subnet | Yes (default subnet) | No (non-default subnet) |
| IPv6 address automatically assigned to instance launched into subnet | No (default subnet) | No (non-default subnet) |
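Longest-prefix matching in route tables, and the internet-access checklist for a subnet, can be worked through with a small lookup. The following Python is an added example written for this page, not AWS code; the two route tables and the gateway ids ending in PLACEHOLDER are constructed and stand in for real resource ids. It also shows the IPv6 point made earlier: an IPv4 default route never carries IPv6 traffic, so a subnet without a ::/0 route has no IPv6 path at all.

```python
import ipaddress

# Constructed route tables. Gateway ids are placeholders, not real resource ids.
# Public subnet: the local route (added automatically with the VPC CIDR), a peering
# route, a more specific range carried over the VPN instead, an IPv4 default route
# to the internet gateway, and a separate IPv6 default route.
PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-PLACEHOLDER"),
    ("10.1.200.0/24", "vgw-PLACEHOLDER"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),
    ("::/0", "eigw-PLACEHOLDER"),
]
# Private subnet: outbound IPv4 internet traffic goes through a NAT gateway; no IPv6 route.
PRIVATE_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-PLACEHOLDER"),
]


def lookup(routes, destination):
    """Longest-prefix match: among routes whose block contains the destination, the
    one with the longest prefix wins. Returns the target, or None when nothing matches
    (IPv4 routes never match IPv6 destinations and vice versa)."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if net.version != dst.version or dst not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_target = net, target
    return best_target


def internet_path(routes, has_public_ipv4, probe="198.51.100.1"):
    """Apply the checklist from the text to one subnet: a route to an internet gateway
    for non-local traffic plus a globally unique address on the instance. The network
    ACL and security group items of the checklist are not modelled here."""
    target = lookup(routes, probe)
    if target is None:
        return False, "no route for internet-bound traffic"
    if target.startswith("nat-"):
        return False, f"outbound only via {target}; the internet cannot initiate connections"
    if not target.startswith("igw-"):
        return False, f"route points at {target}, not an internet gateway"
    if not has_public_ipv4:
        return False, "route is fine but the instance has no public IPv4 or Elastic IP"
    return True, f"reachable via {target}"


if __name__ == "__main__":
    for dest in ("10.0.5.9", "10.1.3.3", "10.1.200.7", "198.51.100.1", "2001:db8::1"):
        print(dest, "->", lookup(PUBLIC_ROUTES, dest), "/", lookup(PRIVATE_ROUTES, dest))
    print(internet_path(PUBLIC_ROUTES, has_public_ipv4=True))
    print(internet_path(PUBLIC_ROUTES, has_public_ipv4=False))
    print(internet_path(PRIVATE_ROUTES, has_public_ipv4=True))
```

The 10.1.200.0/24 entry is the case to watch when reviewing route tables: it is inside the peered 10.1.0.0/16 block, yet traffic for it goes to the VPN because /24 is more specific than /16, regardless of the order the routes were added in.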

  • Egress-Only Internet Gateways

    • VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances.
    • An egress-only Internet gateway is stateful.
    • You cannot associate a security group with an egress-only Internet gateway.
    • You can use a network ACL to control the traffic to and from the subnet for which the egress-only Internet gateway routes traffic.
  • NAT

    • Enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating connections with the instances.
    • NAT Gateways
      • You must specify the public subnet in which the NAT gateway should reside.
      • You must specify an Elastic IP address to associate with the NAT gateway when you create it.
      • Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone.
      • Deleting a NAT gateway disassociates its Elastic IP address, but does not release the address from your account.
      • A NAT gateway supports the following protocols: TCP, UDP, and ICMP.
      • You cannot associate a security group with a NAT gateway.
      • A NAT gateway can support up to 55,000 simultaneous connections to each unique destination.
      • A NAT gateway cannot send traffic over VPC endpoints, VPN connections, AWS Direct Connect, or VPC peering connections.
      • A NAT gateway uses ports 1024-65535. Make sure to enable these in the inbound rules of your network ACL.
    • NAT Instance vs NAT Gateways

  • DHCP Options Sets

    • Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network.
    • You can assign your own domain name to your instances, and use up to four of your own DNS servers by specifying a special set of DHCP options to use with the VPC.
    • Creating a VPC automatically creates a set of DHCP options, which are domain-name-servers=AmazonProvidedDNS, and domain-name=domain-name-for-your-region, and associates them with the VPC.
    • After you create a set of DHCP options, you can’t modify them. Create a new set and associate a different set of DHCP options with your VPC, or use no DHCP options at all.
  • DNS

    • AWS provides instances launched in a default VPC with public and private DNS hostnames that correspond to the public IPv4 and private IPv4 addresses for the instance.
    • AWS provides instances launched in a non-default VPC with private DNS hostname and possibly a public DNS hostname, depending on the DNS attributes you specify for the VPC and if your instance has a public IPv4 address.
    • Set the VPC attributes enableDnsHostnames and enableDnsSupport to true so that your instances receive a public DNS hostname and the Amazon-provided DNS server can resolve Amazon-provided private DNS hostnames.
      • If you use custom DNS domain names defined in a private hosted zone in Route 53, the enableDnsHostnames and enableDnsSupport attributes must be set to true.
  • VPC Peering
    • A networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network.
  • Elastic IP Addresses

    • A static, public IPv4 address.
    • You can associate an Elastic IP address with any instance or network interface for any VPC in your account.
    • You can mask the failure of an instance by rapidly remapping the address to another instance in your VPC.
    • Your Elastic IP addresses remain associated with your AWS account until you explicitly release them.
    • AWS imposes a small hourly charge when EIPs aren’t associated with a running instance, or when they are associated with a stopped instance or an unattached network interface.
    • You’re limited to five Elastic IP addresses.
  • VPC Endpoints

    • Privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
    • Endpoints are virtual devices.
    • Two Types
      • Interface Endpoints
        • An elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service.
        • Can be accessed through AWS VPN connections or AWS Direct Connect connections, through intra-region VPC peering connections from Nitro instances, and through inter-region VPC peering connections from any type of instance.
        • For each interface endpoint, you can choose only one subnet per Availability Zone. Endpoints are supported within the same region only.
        • You can add endpoint policies to interface endpoints. The Amazon VPC endpoint policy defines which principal can perform which actions on which resources. An endpoint policy does not override or replace IAM user policies or service-specific policies. It is a separate policy for controlling access from the endpoint to the specified service.
        • An interface endpoint supports IPv4 TCP traffic only.
      • Gateway Endpoints
        • A gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service.
        • You can create multiple endpoints in a single VPC, for example, to multiple services. You can also create multiple endpoints for a single service, and use different route tables to enforce different access policies from different subnets to the same service.
        • You can modify the endpoint policy that’s attached to your endpoint, and add or remove the route tables that are used by the endpoint.
        • Endpoints are supported within the same region only. You cannot create an endpoint between a VPC and a service in a different region.
        • Endpoints support IPv4 traffic only.
        • You must enable DNS resolution in your VPC, or if you’re using your own DNS server, ensure that DNS requests to the required service (such as S3) are resolved correctly to the IP addresses maintained by AWS.
    • You can create your own application in your VPC and configure it as an AWS PrivateLink-powered service (referred to as an endpoint service). You are the service provider, and the AWS principals that create connections to your service are service consumers.
  • ClassicLink

    • Allows you to link an EC2-Classic instance to a VPC in your account, within the same region. This allows you to associate the VPC security groups with the EC2-Classic instance, enabling communication between your EC2-Classic instance and instances in your VPC using private IPv4 addresses.

VPN Connections

| VPN connectivity option | Description |
| --- | --- |
| AWS managed VPN | You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover. You configure your customer gateway on the remote side of the VPN connection. |
| AWS VPN CloudHub | If you have more than one remote network, you can create multiple AWS-managed VPN connections via your virtual private gateway to enable communication between these networks. |
| Third-party software VPN appliance | You can create a VPN connection to your remote network by using an Amazon EC2 instance in your VPC that’s running a third-party software VPN appliance. AWS does not provide or maintain third-party software VPN appliances; however, you can choose from a range of products provided by partners and open source communities. |
| AWS Direct Connect | You can also use AWS Direct Connect to create a dedicated private connection from a remote network to your VPC. You can combine this connection with an AWS-managed VPN connection to create an IPsec-encrypted connection. |

  • Specify a private Autonomous System Number (ASN) for the virtual private gateway. If you don’t specify an ASN, the virtual private gateway is created with the default ASN (64512). You cannot change the ASN after you’ve created the virtual private gateway.
  • When you create a VPN connection, you must:
    • Specify the type of routing that you plan to use (static or dynamic)
    • Update the route table for your subnet
  • If your VPN device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your VPN connection. If your device does not support BGP, specify static routing.
  • The virtual private gateway uses path selection to determine how to route traffic to your remote network; longest prefix match applies.
  • Each VPN connection has two tunnels, with each tunnel using a unique virtual private gateway public IP address. It is important to configure both tunnels for redundancy.

VPC Traffic Mirroring

  • Allows you to replicate the network traffic from EC2 instances within your VPC to security and monitoring appliances for content inspection, threat monitoring, troubleshooting, and more.
  • Both Nitro and non-Nitro instances are supported.

Amazon VPC Pricing

  • Charged for VPN Connection-hour
  • Charged for each “NAT Gateway-hour” that your NAT gateway is provisioned and available.
  • Data processing charges apply for each Gigabyte processed through the NAT gateway regardless of the traffic’s source or destination.
  • You also incur standard AWS data transfer charges for all data transferred via the NAT gateway.
  • Charges for unused or inactive Elastic IPs.

Note: If you are studying for the AWS Certified Advanced Networking Specialty exam, we highly recommend that you take our AWS Certified Advanced Networking – Specialty Practice Exams and read our Advanced Networking Specialty exam study guide.

Validate Your Knowledge

Question 1

An Amazon Virtual Private Cloud (VPC) has a fleet of EC2 instances hosted in a private subnet that connects to an Amazon S3 bucket via its VPC Gateway Endpoint. The VPC doesn’t have an attached Internet Gateway since the application is only used internally. You were instructed to configure the security group of the instances to only allow traffic to and from the public IP ranges of the S3 endpoint. To get the required IP ranges, you used the information provided by the aws ec2 describe-prefix-lists AWS CLI command. The solution worked but after a few weeks, you noticed that the outgoing requests are timing out and the instances can’t connect to the bucket any longer.

Which of the following is the most suitable solution that you can do to solve this issue with LEAST effort?

  1. Create a new customer-managed prefix-list that contains the public IP ranges of the S3 endpoint. Modify the outbound VPC security group rule to use the prefix-list in connecting to the Gateway VPC endpoint.
  2. Set up a CloudFront Function for the Amazon S3 bucket to have a static public IP range that doesn’t change.
  3. Create a Lambda function that updates the security group. Use the AWS-managed AmazonIpSpaceChanged topic in Amazon SNS as the trigger for the function.
  4. Configure the outbound VPC security group rule to use the AWS-managed prefix-list in connecting to the Gateway VPC endpoint.

Correct Answer: 4

The AWS prefix list ID logically represents the range of public IP addresses used by the service. All instances in subnets associated with the specified route tables automatically use the endpoint to access the service. Subnets that are not associated with the specified route tables do not use the endpoint. This enables you to keep resources in other subnets separate from your endpoint.

To view the current public IP address range for a service, you can use the aws ec2 describe-prefix-lists command.

A prefix list is a set of one or more CIDR blocks. There are two types of prefix lists:

  • AWS-managed prefix-list — Represents the IP address ranges for an AWS service. You can reference an AWS-managed prefix-list in your VPC security group rules and in subnet route table entries. For example, you can reference an AWS-managed prefix-list in an outbound VPC security group rule when connecting to an AWS service through a gateway VPC endpoint. You cannot create, modify, share, or delete an AWS-managed prefix list.
  • Customer-managed prefix-list — A set of IPv4 or IPv6 CIDR blocks that you define and manage. You can reference the prefix-list in your VPC security group rules and in subnet route table entries. This enables you to manage the IP addresses that you frequently use for these resources in a single group, instead of repeatedly referencing the same IP addresses in each resource. You can share your prefix list with other AWS accounts, enabling those accounts to reference the prefix-list in their own resources.

In this scenario, you can use the AWS-managed prefix-lists in your security group to allow access to the VPC Gateway Endpoint of the Amazon S3 bucket. AWS will automatically update the underlying public IP ranges that are associated with these prefix-lists.

Hence, the correct answer is: Configure the outbound VPC security group rule to use the AWS-managed prefix-list in connecting to the Gateway VPC endpoint.

The option that says: Create a new customer-managed prefix-list that contains the public IP ranges of the S3 endpoint. Modify the outbound VPC security group rule to use the prefix-list in connecting to the Gateway VPC endpoint is incorrect. Although this option may work, you still have to manually update the prefix-list whenever the AWS public IP ranges were changed. A more suitable solution here is to use AWS-managed prefix-list.

The option that says: Set up a CloudFront Function for the Amazon S3 bucket to have a static public IP range that doesn’t change is incorrect because a CloudFront Function simply allows you to write lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations. Using CloudFront Functions in this situation is not applicable.

The option that says: Create a Lambda function that updates the security group. Use the AWS-managed AmazonIpSpaceChanged topic in Amazon SNS as the trigger for the function is incorrect. Although this can technically work, this solution still entails a lot of effort to implement. You can simply use an AWS-managed prefix-list for this scenario.

References:

https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/
https://docs.aws.amazon.com/vpc/latest/userguide/vpce-gateway.html
https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html

Note: This question was extracted from our AWS Certified Advanced Networking Specialty Practice Exams.

Question 2

A company has multiple VPCs with IPv6 enabled for its suite of web applications. The Solutions Architect attempted to deploy a new Amazon EC2 instance but encountered an error indicating that there were no available IP addresses on the subnet. The VPC has a combination of IPv4 and IPv6 CIDR blocks, but the IPv4 CIDR blocks are nearing exhaustion. The architect needs a solution that will resolve this issue while allowing future scalability.

How should the Solutions Architect resolve this problem?

  1. Set up a new IPv4 subnet with a larger CIDR range. Associate the new subnet with the VPC and then launch the instance.
  2. Ensure that the VPC has IPv6 CIDRs only. Remove any IPv4 CIDRs associated with the VPC.
  3. Set up a new IPv6-only subnet with a large CIDR range. Associate the new subnet with the VPC then launch the instance.
  4. Disable the IPv4 support in the VPC and use the available IPv6 addresses.

Correct Answer: 1

Amazon Virtual Private Cloud (VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 for most resources in your virtual private cloud, helping to ensure secure and easy access to resources and applications.

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones. You can also optionally assign an IPv6 CIDR block to your VPC, and assign IPv6 CIDR blocks to your subnets.

If you have an existing VPC that supports IPv4 only and resources in your subnet that are configured to use IPv4 only, you can enable IPv6 support for your VPC and resources. Your VPC can operate in dual-stack mode — your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 communication are independent of each other. You cannot disable IPv4 support for your VPC and subnets since this is the default IP addressing system for Amazon VPC and Amazon EC2.

By default, a new EC2 instance uses an IPv4 addressing protocol. To fix the problem in the scenario, you need to create a new IPv4 subnet and deploy the EC2 instance in the new subnet.

Hence, the correct answer is: Set up a new IPv4 subnet with a larger CIDR range. Associate the new subnet with the VPC and then launch the instance.

The option that says: Set up a new IPv6-only subnet with a large CIDR range. Associate the new subnet with the VPC then launch the instance is incorrect. While it is possible to create an IPv6-only subnet, this feature is only supported on Nitro-based EC2 instance types, and the scenario does not specify the instance type. Therefore, this option is not applicable to non-Nitro instances, even though the VPC is IPv6-enabled.

The option that says: Ensure that the VPC has IPv6 CIDRs only. Remove any IPv4 CIDRs associated with the VPC is incorrect because you can’t have a VPC with IPv6 CIDRs only. The default IP addressing system in VPC is IPv4. You can only change your VPC to dual-stack mode where your resources can communicate over IPv4, or IPv6, or both, but not exclusively with IPv6 only.

The option that says: Disable the IPv4 support in the VPC and use the available IPv6 addresses is incorrect because you cannot disable the IPv4 support for your VPC and subnets since this is the default IP addressing system.
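As an added example (not part of the Tutorials Dojo explanation), a small Python planner built on the standard ipaddress module: it computes the usable IPv4 capacity of a subnet (AWS reserves the first four addresses and the last address of every subnet) and finds the first free block for a new, larger IPv4 subnet inside the VPC's IPv4 CIDRs. When the primary CIDR has no room it returns None, which is the signal to associate a secondary IPv4 CIDR with the VPC first. All VPC and subnet CIDRs below are constructed sample values.

```python
import ipaddress
from typing import Iterable, Optional

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5
# AWS allows VPC and subnet IPv4 blocks between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28


def usable_ipv4_addresses(subnet_cidr: str) -> int:
    """Number of addresses in a subnet that instances can actually use."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def free_ipv4_block(vpc_cidrs: Iterable[str], existing_subnets: Iterable[str],
                    new_prefix: int) -> Optional[str]:
    """First /new_prefix block inside the VPC's IPv4 CIDRs that overlaps no
    existing subnet. None means the VPC needs a secondary IPv4 CIDR first."""
    if not MIN_PREFIX <= new_prefix <= MAX_PREFIX:
        raise ValueError(f"subnet prefix must be /{MIN_PREFIX} to /{MAX_PREFIX}")
    taken = [ipaddress.ip_network(s, strict=True) for s in existing_subnets]
    for vpc_cidr in vpc_cidrs:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        if new_prefix < vpc.prefixlen:
            continue  # requested subnet is larger than this VPC block
        for candidate in vpc.subnets(new_prefix=new_prefix):
            if not any(candidate.overlaps(t) for t in taken):
                return str(candidate)
    return None


if __name__ == "__main__":
    # Constructed sample: a small /24 VPC whose subnets already cover the whole block.
    primary = ["10.0.0.0/24"]
    subnets = ["10.0.0.0/26", "10.0.0.64/26", "10.0.0.128/25"]
    for s in subnets:
        print(f"{s}: {usable_ipv4_addresses(s)} usable addresses")
    print("free /25 in primary CIDR:", free_ipv4_block(primary, subnets, 25))
    # After associating a secondary CIDR (10.0.1.0/24) there is room again.
    print("free /25 after secondary CIDR:",
          free_ipv4_block(primary + ["10.0.1.0/24"], subnets, 25))
```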

References:

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html
https://aws.amazon.com/vpc/faqs/

Note: This question was extracted from our AWS Certified Solutions Architect Associate Practice Exams.


Amazon VPC Cheat Sheet References: 

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
https://aws.amazon.com/vpc/details/
https://aws.amazon.com/vpc/pricing/
https://aws.amazon.com/vpc/faqs/


Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
