Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.4. Reflection Checkpoint

Phase 6 covers the networking domain — work through these before the final review:

  1. What makes a subnet "public" in AWS? Is it the subnet name or the route table?
  2. A NACL allows inbound TCP 443 but traffic still fails. Which missing rule most likely causes this, and why?
  3. Security groups vs. NACLs: which supports explicit deny, and which is stateful?
  4. What is the difference between a VPC interface endpoint and a gateway endpoint for S3?
  5. A Site-to-Site VPN shows "tunnel UP" but instances can't reach on-premises hosts. What is the most likely configuration issue?
  6. Route 53 Latency routing vs. Geolocation routing: which routes based on measured network performance?
  7. CloudFront OAC vs. OAI: which is current/recommended for restricting S3 bucket access?
  8. Lambda@Edge vs. CloudFront Functions: which executes at all 400+ edge locations, and which supports network calls?
  9. Global Accelerator vs. CloudFront: which do you choose for a gaming application using UDP?
  10. VPC Flow Logs show no entries at all for a connection attempt. Does this mean the traffic was allowed? What does it likely mean?


Written by Alvin Varughese
Founder, 15 professional certifications