
I am currently preparing for the AWS SysOps Administrator Associate exam using the study guide book (https://www.amazon.com/dp/1119561558/). In the review question for chapter 8 - Bastion Hosts there are two questions about "Private VPC" which I cannot get my head around:

"2) Which of the following does a bastion host provide to a private VPC?"

  • My Answer: Access to the resources in the VPC through a host inside the VPC
  • Correct Answer: Access to the resources in the VPC through a host outside the VPC

"15) You have just inherited a new network architecture that has a private VPC with numerous resources within it and a bastion host for administrative access. Which of the following would you do first?"

  • My Answer: Remove any Internet gateways on the private VPC.
  • Correct Answer: Whitelist any IPs that need to access the bastion host.

As far as I understand it, a typical VPC architecture is to have a public subnet, with an Internet Gateway and the bastion host in it, and a private subnet with neither.

But what exactly is meant by "private VPC" here? Is it a VPC that is not accessible from the outside at all? But how can a bastion host outside the VPC then access it? Or do they really mean a private subnet? But how can a subnet be really private if it has an Internet Gateway in it? In other courses the IG is defined as exactly the thing that makes a subnet public...

Am I totally misunderstanding something conceptually here?

Note that you referred to this as the study guide "from Amazon", by which you apparently meant from the well-known web site that sells books, which was not my initial assumption. This does not appear to be an officially sanctioned Amazon/AWS study guide. – Michael - sqlbot

@Michael-sqlbot You're right, sorry. Other books of this series with the exact same branding and everything are "Official" study guides; this one is not. – Christian

1 Answer


2)

Your answer and understanding are correct. The bastion host is inside the VPC. This is also written in the AWS docs:

A Linux bastion host in each public subnet with an Elastic IP address to allow inbound Secure Shell (SSH) access to EC2 instances in public and private subnets.

15)

I would agree with: "Whitelist any IPs that need to access the bastion host". The rationale is that removing the internet gateway can have many negative consequences, most notably not being able to log in to the bastion host to do any admin work, instances in private subnets not being able to download patches, or newly launched instances in an ASG not being able to download the software they need by means of User Data.

So removing the old admin's IPs from the bastion host's Security Group and adding your own IP makes the most sense.

I don't know what is meant here by "private VPC". For myself, a private VPC would be one only accessible through a peering connection, one which does not have any public subnet, or one which only provides access to your app through VPC PrivateLink. In such cases you could use SSH Session Manager to log in to the instances without the need for any bastion host or internet gateway.
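Added example (not from the question, the answer or the book): a small Python plan for the step the answer recommends, replacing the previous admin's IPs in the bastion host's Security Group with your own. It works on the IpPermissions structure that describe-security-groups (or boto3) returns; the security group, its CIDRs and the group id below are constructed.

```python
from ipaddress import ip_network

SSH_PORT = 22

# Constructed sample: inherited bastion SG with a previous admin's IP and a wide-open
# SSH rule, in the IpPermissions shape describe-security-groups returns (id is a placeholder).
INHERITED_BASTION_SG = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "previous admin"},
                      {"CidrIp": "0.0.0.0/0", "Description": "temporary"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

def ssh_rules(sg):
    """Map each CIDR that can reach TCP/22 to the (protocol, from, to) of its rule.
    The original port range is kept because AWS only revokes a rule that matches exactly."""
    rules = {}
    for perm in sg["IpPermissions"]:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1" or (proto == "tcp" and lo <= SSH_PORT <= hi):
            for r in perm.get("IpRanges", []):
                rules[r["CidrIp"]] = (proto, lo, hi)
    return rules

def _perm(proto, lo, hi, cidrs):
    p = {"IpProtocol": proto, "IpRanges": [{"CidrIp": c} for c in sorted(cidrs)]}
    if proto != "-1":  # "all traffic" (-1) rules carry no port fields
        p.update(FromPort=lo, ToPort=hi)
    return p

def plan_ssh_allowlist(sg, allowed_cidrs):
    """Return (revoke, authorize): IpPermissions lists for revoke_/authorize_security_group_ingress."""
    allowed = {str(ip_network(c)) for c in allowed_cidrs}  # "198.51.100.7" -> ".../32"
    for c in allowed:
        if ip_network(c).prefixlen < 24:
            raise ValueError(f"{c} is too broad for a bastion allow-list")
    current = ssh_rules(sg)
    revoke = []
    for key in sorted(set(current.values())):
        stale = [c for c, k in current.items() if k == key and c not in allowed]
        if stale:
            revoke.append(_perm(*key, stale))
    missing = allowed - set(current)
    authorize = [_perm("tcp", SSH_PORT, SSH_PORT, missing)] if missing else []
    return revoke, authorize
```

A rule that reaches port 22 only as part of a wider range (for example an "all traffic" rule from a VPC CIDR) is returned whole in the revoke list, so review the plan before feeding it to the API.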