AWS Certification: VPC Questions

AWS VPC

Overview
Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.
1. A company has a set of resources hosted in an AWS VPC. Having acquired another company with its own set of resources hosted in AWS, it is required to ensure that resources in the VPC of the parent company can access the resources in the VPC of the child company. How can this be accomplished?

A. Establish a NAT Instance to establish communication across VPCs.

B. Establish a NAT Gateway to establish communication across VPCs.

C. Use a VPN Connection to peer both VPCs

D. Use VPC Peering to peer both VPCs.

Answer

D. Use VPC Peering to peer both VPCs.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they were within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. For more information on VPC Peering, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

Note that peering only works if the two VPC CIDR blocks do not overlap, that both sides must add routes to the peering connection and security group rules for the peer's addresses, and that peering is not transitive (a third VPC peered to one side does not reach the other). NAT instances, NAT gateways and VPN connections are not designed for VPC-to-VPC connectivity.


2. A company has an on-premises infrastructure which they want to extend to the AWS Cloud. There is a need to ensure that communication across both environments is possible over the Internet. What would you create in this case to fulfill this requirement?

A. Create a VPC peering connection between the on-premises and the AWS Environment.

B. Create an AWS Direct connection between the on-premises and the AWS Environment.

C. Create a VPN connection between the on-premises and the AWS Environment.

D. Create a Virtual private gateway connection between the on-premises and the AWS Environment.

Answer

C. Create a VPN connection between the on-premises and the AWS Environment.

For more information on VPN connections, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

Option A is invalid because a VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses. It is not used to connect an on-premises environment to AWS.

Option D is invalid because a virtual private gateway is only the Amazon VPC side of a VPN connection. For on-premises servers to communicate with EC2 instances in the VPC, you also need a customer gateway at the on-premises location; the VPN connection is what ties the two together.

Note: the question says that "there is a need to ensure that communication across both environments is possible over the Internet." AWS Direct Connect does not involve the Internet. A VPC VPN connection uses IPsec to establish encrypted network connectivity between your intranet and Amazon VPC over the Internet. VPN connections can be configured in minutes and are a good solution if you have an immediate need, have low to modest bandwidth requirements, and can tolerate the inherent variability in Internet-based connectivity. AWS Direct Connect, by contrast, uses dedicated, private network connections between your intranet and Amazon VPC.


3. A company has assigned two web servers instances to an Elastic Load Balancer. However, the instances and the ELB are not reachable via URL to the elastic load balancer serving the web app data from the EC2 instances. How might you resolve the issue so that your instances are serving the web app data to the public Internet? Choose the correct answer from the options given below

A. Attach an Internet Gateway to the VPC and route it to the subnet.

B. Add an Elastic IP address to the instance.

C. Use Amazon Elastic Load Balancer to serve requests to your instances located in the internal subnet.

D. None of the above

Answer

A. Attach an Internet Gateway to the VPC and route it to the subnet.

If the Internet Gateway is not attached to the VPC, which is a prerequisite for the instances to be accessed from the Internet, the instances will not be reachable. For more information on Internet Gateways, please refer to the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html



A. Change the Inbound Security Groups to deny access from the suspecting IP.

B. Change the Outbound Security Groups to deny access from the suspecting IP.

C. Change the Inbound NACL to deny access from the suspecting IP.

D. Change the Outbound NACL to deny access from the suspecting IP.

Answer

C. Change the Inbound NACL to deny access from the suspecting IP.

Options A and B are invalid because security groups contain allow rules only: anything not explicitly allowed is dropped, but there is no way to write a deny rule for one suspect IP while the existing allow rules stay in place. Network ACLs support explicit deny rules, so add an inbound NACL rule for the suspect IP with a rule number lower than the existing allow rule; NACL rules are evaluated in ascending order and the first match wins, so a deny numbered above the allow would never fire. Option D is invalid since changing the inbound rules is sufficient to stop the suspect IP from initiating connections. AWS documentation mentions the following: a network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information on Network Access Control Lists, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html


Select 2 answers from the options given below.


A. Create a network ACL on the Web Server's subnets, allow HTTPS port 443 inbound and specify the source as 0.0.0.0/0

B. Create a Web Server security group that allows HTTPS port 443 inbound traffic from anywhere (0.0.0.0/0) and apply it to the Web Servers.

C. Create a DB Server security group that allows MySQL port 3306 inbound and specify the source as the Web Server security group.

D. Create a network ACL on the DB subnet, allow MySQL port 3306 inbound for Web Servers and deny all outbound traffic.

Answer

B. & C.

This sort of setup is explained in the AWS documentation.

  1. To ensure that HTTPS traffic can reach your web servers from anywhere, the web server security group must allow inbound port 443 from 0.0.0.0/0.

  2. The database server security group must allow inbound MySQL (port 3306) with the web server security group as the source, so that only the web tier, and nothing else, can open connections to the database.

Option D would also break the database's replies: network ACLs are stateless, so denying all outbound traffic on the DB subnet drops the return half of every allowed connection.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html



A. Create a separate web server and database server security group.

B. Ensure the web server security group allows HTTPS port 443 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.

C. Ensure the web server security group allows MySQL port 3306 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.

D. Ensure the DB server security group allows MySQL port 3306 inbound and specify the source as the web server security group.

Answer

C. Ensure the web server security group allows MySQL port 3306 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers.

The question describes a scenario in which the database servers should only be accessible to the web servers in the public subnet, and asks which of the options is not a recommended architecture for it. The answer is option C, "Ensure the web server security group allows MySQL port 3306 inbound traffic from anywhere (0.0.0.0/0) and apply it to the web servers." That rule exposes the MySQL port to the whole Internet, which is not acceptable as per the architecture: the only thing that should be reachable from 0.0.0.0/0 is HTTPS on the web tier, and port 3306 should be allowed only in the DB server security group with the web server security group as its source.

A similar setup is given in the AWS documentation:

  1. To ensure that traffic can flow into your web server from anywhere on secure traffic, you need to allow inbound security at 443.
  2. You then need to ensure that traffic can flow from the web servers to the database server via the database security group, with the web server security group as the source.

For more information on this use case scenario, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

7. A company wants to host a web application and a database layer in AWS. This will be done with the use of subnets in a VPC.

Which of the following is a proper architectural design for supporting the required tiers of the application?


A. Use a public subnet for the web tier and a public subnet for the database layer.

B. Use a public subnet for the web tier and a private subnet for the database layer.

C. Use a private subnet for the web tier and a private subnet for the database layer.

D. Use a private subnet for the web tier and a public subnet for the database layer.

Answer

B. Use a public subnet for the web tier and a private subnet for the database layer.

The web tier must accept connections from the Internet, so it belongs in a public subnet (one whose route table has a route to an Internet gateway). The database layer should never be reachable from the Internet, so it belongs in a private subnet and should accept connections only from the web tier's security group. Placing the database in a public subnet (options A and D) exposes it unnecessarily, and placing the web tier in a private subnet (options C and D) makes it unreachable by users. For more information on public and private subnets in AWS, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html


8. A customer has an instance hosted in the AWS Public Cloud. The VPC and subnet used to host the instance have been created with the default settings for the Network Access Control Lists. An IT Administrator needs to be provided secure access to the underlying instance. How can this be accomplished?

A. Ensure the Network Access Control Lists allow Inbound SSH traffic from the IT Administrator’s Workstation.

B. Ensure the Network Access Control Lists allow Outbound SSH traffic from the IT Administrator’s Workstation.

C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator’s Workstation.

D. Ensure that the security group allows Outbound SSH traffic from the IT Administrator’sWorkstation.

Answer

C. Ensure that the security group allows Inbound SSH traffic from the IT Administrator’s Workstation.

Ensure that the security group allows inbound SSH traffic from the IT Administrator's workstation, ideally as a single /32 rather than 0.0.0.0/0. Since security groups are stateful, we do not have to configure outbound traffic: the replies to an allowed inbound connection are automatically allowed out.

Note: the default network ACL is configured to allow all traffic to flow in and out of the subnets to which it is associated. Since the question states that the Network Access Control Lists use the default settings, no NACL change is needed, and option C is the correct answer.


9. A data processing application in AWS must pull data from an Internet service. A Solutions Architect is to design a highly available solution to access this data without placing bandwidth constraints on the application traffic.

Which solution meets these requirements?


A. Launch a NAT gateway and add routes for 0.0.0.0/0

B. Attach a VPC endpoint and add routes for 0.0.0.0/0

C. Attach an Internet gateway and add routes for 0.0.0.0/0

D. Deploy NAT instances in a public subnet and add routes for 0.0.0.0/0

Answer

C. Attach an Internet gateway and add routes for 0.0.0.0/0

An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.

For more information on the Internet gateway, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

Note: a NAT gateway is also highly available within its Availability Zone and is used to enable instances in a private subnet to connect to the Internet or other AWS services, while preventing the Internet from initiating a connection with those instances. It does have a bandwidth ceiling (45 Gbps at the time this question was written), and a NAT instance's bandwidth depends on its instance type.

VPC Endpoints are used to enable private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies. So it cannot be used to connect to internet.



10. A retailer exports data daily from its transactional databases into an S3 bucket in the Sydney region. The retailer’s Data Warehousing team wants to import this data into an existing Amazon Redshift cluster in their VPC at Sydney. Corporate security policy mandates that data can only be transported within a VPC.

What combination of the following steps will satisfy the security policy? Choose 2 answers from the options given below.


A. Enable Amazon Redshift Enhanced VPC Routing.

B. Create a Cluster Security Group to allow the Amazon Redshift cluster to access Amazon S3.

C. Create a NAT gateway in a public subnet to allow the Amazon Redshift cluster to access Amazon S3.

D. Create and configure an Amazon S3 VPC endpoint.

Answer

A. & D.

Amazon Redshift Enhanced VPC Routing forces the cluster's COPY and UNLOAD traffic to and from Amazon S3 through the VPC instead of the public Internet, so that traffic is subject to the VPC's route tables, security groups and network ACLs.

With Enhanced VPC Routing enabled, that S3 traffic can then be routed to an S3 VPC (gateway) endpoint, which keeps it inside the AWS network. Without Enhanced VPC Routing, Redshift talks to S3 outside the VPC and the endpoint is never used; without the endpoint, the traffic would have to leave the VPC through an Internet or NAT gateway. Neither option satisfies the policy on its own, which is why both A and D are required.

A NAT gateway (option C) would send the traffic out of the VPC to S3's public endpoints, and a cluster security group (option B) controls who can connect to the cluster, not how the cluster reaches S3.

https://aws.amazon.com/about-aws/whats-new/2016/09/amazon-redshift-now-supports-enhanced-vpc-routing/


11. A Solutions Architect is designing an online shopping application running in a VPC on EC2 Instances behind an ELB Application Load Balancer. The instances run in an Auto Scaling group across multiple Availability Zones. The application tier must read and write data to a customer managed database cluster. There should be no access to the database from the Internet, but the cluster must be able to obtain software patches from the Internet. Which VPC design meets these requirements?

A. Public subnets for both the application tier and the database cluster

B. Public subnets for the application tier, and private subnets for the database cluster

C. Public subnets for the application tier and NAT Gateway, and private subnets for the database cluster

D. Public subnets for the application tier, and private subnets for the database cluster and NAT Gateway

Answer

C. Public subnets for the application tier and NAT Gateway, and private subnets for the database cluster

A NAT gateway always has to be in a public subnet, because it needs a route to the Internet gateway in order to reach the Internet on behalf of the private instances; the database cluster stays in private subnets and reaches the Internet only for outbound patch downloads. AWS documentation says: "To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside. You must also specify an Elastic IP address to associate with the NAT gateway when you create it. After you've created a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet." Option D is wrong because a NAT gateway placed in a private subnet has no path to the Internet gateway. For more information on this setup, please refer to the below URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html


12. A VPC has been setup with a subnet and an internet gateway. The EC2 instance is set up with a public IP but you are still not able to connect to it via the Internet. The right security groups are also in place. What should you do to connect to the EC2 Instance from the Internet?

A. Set an Elastic IP Address to the EC2 Instance.

B. Set a Secondary Private IP Address to the EC2 Instance.

C. Ensure the right route entry is there in the Route table.

D. There must be some issue in the EC2 Instance. Check the system logs.

Answer

C. Ensure the right route entry is there in the Route table.

You have to ensure that the subnet's route table has a route (typically 0.0.0.0/0) pointing to the Internet gateway, because attaching the gateway to the VPC is not enough: without that route, the subnet is not a public subnet and the instance's public IP is never reachable.

Option A is incorrect. Since you already have a public IP assigned to the instance, an Elastic IP adds nothing; the missing piece is the route. Option B is incorrect. Private IPs cannot be accessed from the Internet. Option D is incorrect. The route table is causing the issue and not the system. For more information on AWS public subnets, please visit the link below. http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html
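Questions 3, 9, 11 and 12 all turn on what the subnet's route table says, so here is an added example (not part of the original page, and not AWS code) of route resolution in Python: a RouteTable that keeps the implicit local route and picks the longest matching prefix, with helpers that apply AWS's definitions of "public subnet" and of Internet reachability. The VPC CIDR, the gateway identifiers (igw-0a1b2c3d, nat-0e5f6a7b, vpce-0c9d8e7f), the sample public addresses and the S3 prefix-list CIDR are assumed values for the illustration.

```python
"""Toy VPC route-table resolution: longest-prefix match, as the VPC router does it."""
import ipaddress


class RouteTable:
    """A route table always carries the implicit 'local' route for the VPC CIDR."""

    def __init__(self, vpc_cidr, routes=()):
        self.routes = [(ipaddress.ip_network(vpc_cidr), "local")]
        for cidr, target in routes:
            self.add(cidr, target)

    def add(self, cidr, target):
        self.routes.append((ipaddress.ip_network(cidr), target))

    def lookup(self, dst):
        """Most specific matching prefix wins; None means there is no route at all."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, target in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None

    def is_public_subnet(self):
        """AWS's definition: a subnet whose route table has a route to an Internet gateway."""
        return any(t.startswith("igw-") for _, t in self.routes)


def can_reach_internet(rt, has_public_ip, dst="93.184.216.34"):
    """Outbound from the instance: an IGW route plus a public/Elastic IP, or a NAT
    route (the NAT gateway or instance supplies the public IP). dst is a constructed
    public address."""
    target = rt.lookup(dst) or ""
    if target.startswith("igw-"):
        return has_public_ip
    return target.startswith("nat-")


def reachable_from_internet(rt, has_public_ip, src="198.51.100.7"):
    """Inbound: the instance needs a public IP AND an IGW route for the reply path.
    NAT only translates outbound-initiated flows, so it never exposes an instance."""
    target = rt.lookup(src) or ""
    return has_public_ip and target.startswith("igw-")


if __name__ == "__main__":
    # Question 12: IGW attached to the VPC, public IP on the instance, but no IGW route.
    rt = RouteTable("10.0.0.0/16")
    print("Q12 before:", reachable_from_internet(rt, has_public_ip=True))   # False
    rt.add("0.0.0.0/0", "igw-0a1b2c3d")            # assumed IGW id
    print("Q12 after:", reachable_from_internet(rt, has_public_ip=True))    # True
    # Question 11: private subnet routes 0.0.0.0/0 to a NAT gateway in a public subnet.
    priv = RouteTable("10.0.0.0/16", [("0.0.0.0/0", "nat-0e5f6a7b")])      # assumed NAT id
    print("Q11 patches out:", can_reach_internet(priv, has_public_ip=False))        # True
    print("Q11 reachable in:", reachable_from_internet(priv, has_public_ip=False))  # False
    # A gateway endpoint for S3 adds a prefix-list route; it is more specific than
    # 0.0.0.0/0, so S3 traffic takes the endpoint and everything else still uses NAT.
    priv.add("52.216.0.0/15", "vpce-0c9d8e7f")     # assumed S3 prefix-list CIDR and id
    print("S3 via:", priv.lookup("52.216.10.20"))       # vpce-0c9d8e7f
    print("Other via:", priv.lookup("93.184.216.34"))   # nat-0e5f6a7b
```

The last two lines show why a gateway endpoint needs no change to the default route: the router picks the longest matching prefix, so the endpoint's prefix-list route wins for S3 addresses even though 0.0.0.0/0 still points at the NAT gateway.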


13. An application consists of the following architecture:

a. EC2 Instances in multiple AZs behind an ELB
b. The EC2 Instances are launched via an Auto Scaling Group.
c. There is a NAT instance which is used so that instances can download updates from the Internet.

Which of the following is a bottleneck in the architecture?


A. The EC2 Instances

B. The ELB

C. The NAT Instance

D. The Auto Scaling Group

Answer

C. The NAT Instance

Since there is only one NAT instance, it is both a bandwidth bottleneck and a single point of failure for the architecture. For high availability, launch NAT instances in multiple Availability Zones and make them part of an Auto Scaling Group.

For more information on NAT Instances, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html


14. An application consists of the following architecture:

a. EC2 Instances are in multiple AZs behind an ELB.
b. The EC2 Instances are launched via an Auto Scaling Group.
c. There is a NAT instance used so that instances can download updates from the Internet.

Due to the high bandwidth being consumed by the NAT instance, it has been decided to use a NAT Gateway. How should this be implemented?


A. Use NAT Instances along with the NAT Gateway.

B. Host the NAT instance in the private subnet.

C. Migrate the NAT Instance to NAT Gateway and host the NAT Gateway in the public subnet.

D. Convert the NAT instance to a NAT Gateway.

Answer

C. Migrate the NAT Instance to NAT Gateway and host the NAT Gateway in the public subnet.

One can simply start using the NAT Gateway service and stop using the deployed NAT instances: create the NAT Gateway in a public subnet with an Elastic IP, repoint the private subnets' 0.0.0.0/0 routes from the NAT instance to the NAT Gateway, and then terminate the NAT instance. You need to ensure that the NAT Gateway is deployed in the public subnet. For more information on migrating to a NAT Gateway, please visit the following URL: https://aws.amazon.com/premiumsupport/knowledge-center/migrate-nat-instance-gateway/


15. An application currently using a NAT Instance is required to use a NAT Gateway. Which of the following can be used to accomplish this?

A. Use NAT Instances along with the NAT Gateway.

B. Host the NAT Instance in the private subnet.

C. Migrate from a NAT Instance to a NAT Gateway and host the NAT Gateway in the public subnet.

D. Convert the NAT Instance to a NAT Gateway.

Answer

C. Migrate from a NAT Instance to a NAT Gateway and host the NAT Gateway in the public subnet.

One can simply start using the NAT Gateway service and stop using the deployed NAT instances, by creating the NAT Gateway and updating the private subnets' route tables to point at it before retiring the instance. But you need to ensure that the NAT Gateway is deployed in the public subnet.

For more information on migrating to a NAT Gateway, please visit the following URL:

https://aws.amazon.com/premiumsupport/knowledge-center/migrate-nat-instance-gateway/


16. An application needs to access data in another AWS account in the same region. Which of the following can be used to ensure that the data can be accessed as required?

A. Establish a NAT instance between both accounts.

B. Use a VPN between both accounts.

C. Use a NAT Gateway between both accounts.

D. Use VPC Peering between both accounts.

Answer

D. Use VPC Peering between both accounts.

Options A and C are incorrect because these are used when private resources are required to access the Internet.

Option B is incorrect because it’s used to create a connection between the On-premises and AWS resources.

AWS Documentation mentions the following about VPC Peering:

A VPC Peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC Peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region.

For more information on VPC Peering, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html


17. An application running on EC2 Instances processes sensitive information stored on Amazon S3. This information is accessed over the Internet. The security team is concerned that the Internet connectivity to Amazon S3 could be a security risk. Which solution will resolve the security concern?

A. Access the data through an Internet Gateway.

B. Access the data through a VPN connection.

C. Access the data through a NAT Gateway.

D. Access the data through a VPC endpoint for Amazon S3.

Answer

D. Access the data through a VPC endpoint for Amazon S3.

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

For more information on VPC endpoints, please refer to the URL below.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html Option A is incorrect. An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet.

Option B is incorrect. A VPN, or Virtual Private Network, allows you to create a secure connection to another network over the Internet.

Option C is incorrect. You can use a network address translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services, but prevent the internet from initiating a connection with those instances.


18. An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?

A. The Outbound Security Group needs to be modified to allow outbound traffic.

B. The Outbound Network ACL needs to be modified to allow outbound traffic.

C. Nothing, it can be accessed from any IP address using SSH.

D. Both the Outbound Security Group and Outbound Network ACL need to be modified toallow outbound traffic.

Answer

B. The Outbound Network ACL needs to be modified to allow outbound traffic.

The reason a network ACL has to have both an inbound and an outbound allow is that network ACLs are stateless: responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa). Here the inbound SSH SYN is allowed in, but the reply to the client's ephemeral port is dropped by the deny-all outbound NACL, so the outbound NACL needs a rule allowing TCP ports 1024-65535 (the ephemeral range) back to the client. Security groups, by contrast, are stateful: if an incoming request is granted, the response is allowed out regardless of the outbound rules. Options A and D are therefore invalid because the security group needs no outbound change. Option C is invalid because the outbound network ACL blocks the reply. For more information on Network ACLs, please refer to the link below. https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
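The stateless-versus-stateful distinction behind questions 4, 8 and 18 is the part candidates most often get wrong, so here is an added example, not from the original page or from AWS, that models both in Python: a NetworkAcl that evaluates numbered rules in ascending order in each direction independently, and a SecurityGroup that allows the reply to any admitted inbound flow. The rule and packet shapes, the addresses and the rule numbers are constructed for the illustration. The main block replays question 18 as given, then with the ephemeral-port outbound NACL rule that fixes it, then question 4's deny rule placed ahead of the allow rule, and finally question 8's admin-only security group.

```python
"""Toy model of stateless network ACLs versus stateful security groups."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending order; first match wins
    action: str      # "allow" or "deny" (security groups only ever use "allow")
    proto: str       # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound


def _matches(rule, proto, port, addr):
    return (rule.proto in ("-1", proto)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr))


class NetworkAcl:
    """Subnet level and stateless: each direction is evaluated on its own, the
    lowest-numbered matching rule wins, and the implicit '*' rule denies."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows_in(self, pkt):
        for r in self.inbound:
            if _matches(r, pkt.proto, pkt.dst_port, pkt.src):
                return r.action == "allow"
        return False

    def allows_out(self, pkt):
        for r in self.outbound:
            if _matches(r, pkt.proto, pkt.dst_port, pkt.dst):
                return r.action == "allow"
        return False


class SecurityGroup:
    """Instance level and stateful: allow rules only, and the reply to an
    allowed inbound flow is permitted out even with no outbound rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()   # flows admitted inbound, keyed by 5-tuple

    def allows_in(self, pkt):
        ok = any(_matches(r, pkt.proto, pkt.dst_port, pkt.src) for r in self.inbound)
        if ok:
            self._tracked.add((pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto))
        return ok

    def allows_out(self, pkt):
        if (pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto) in self._tracked:
            return True   # return traffic of a tracked connection
        return any(_matches(r, pkt.proto, pkt.dst_port, pkt.dst) for r in self.outbound)


def ssh_session_works(nacl, sg, client_ip, client_port, instance_ip):
    """True only if the SYN gets in AND the SYN/ACK gets back out."""
    syn = Packet(client_ip, instance_ip, client_port, 22)
    syn_ack = Packet(instance_ip, client_ip, 22, client_port)
    if not (nacl.allows_in(syn) and sg.allows_in(syn)):
        return False
    return sg.allows_out(syn_ack) and nacl.allows_out(syn_ack)


ALLOW_ALL = Rule(100, "allow", "-1", 0, 65535, "0.0.0.0/0")
ADMIN, ATTACKER, INSTANCE = "203.0.113.5", "198.51.100.7", "10.0.1.10"   # constructed

if __name__ == "__main__":
    # Question 18: NACL allows all in / nothing out, SG allows SSH in / nothing out.
    nacl = NetworkAcl(inbound=[ALLOW_ALL], outbound=[])
    sg = SecurityGroup(inbound=[Rule(0, "allow", "tcp", 22, 22, "0.0.0.0/0")], outbound=[])
    print("Q18 as given:", ssh_session_works(nacl, sg, ADMIN, 51515, INSTANCE))     # False
    # Fix: let the ephemeral-port replies out of the subnet; the SG needs nothing.
    nacl = NetworkAcl(inbound=[ALLOW_ALL],
                      outbound=[Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")])
    print("Q18 fixed:", ssh_session_works(nacl, sg, ADMIN, 51515, INSTANCE))        # True
    # Question 4: a deny rule numbered below the allow rule blocks one source IP.
    nacl = NetworkAcl(inbound=[Rule(50, "deny", "-1", 0, 65535, ATTACKER + "/32"), ALLOW_ALL],
                      outbound=[ALLOW_ALL])
    print("Q4 attacker:", ssh_session_works(nacl, sg, ATTACKER, 40000, INSTANCE))   # False
    print("Q4 admin:", ssh_session_works(nacl, sg, ADMIN, 40001, INSTANCE))         # True
    # Question 8: default NACL (allow all both ways); SG admits SSH only from the admin /32.
    nacl = NetworkAcl(inbound=[ALLOW_ALL], outbound=[ALLOW_ALL])
    sg = SecurityGroup(inbound=[Rule(0, "allow", "tcp", 22, 22, ADMIN + "/32")], outbound=[])
    print("Q8 admin:", ssh_session_works(nacl, sg, ADMIN, 40002, INSTANCE))         # True
    print("Q8 attacker:", ssh_session_works(nacl, sg, ATTACKER, 40003, INSTANCE))   # False
```

The model deliberately checks the SYN/ACK rather than only the SYN: that is the packet the stateless NACL drops in question 18, and the packet the stateful security group waves through because it belongs to a tracked connection.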


19. An IT company has a set of EC2 Instances hosted in a VPC. They are hosted in a private subnet. These instances now need to access resources stored in an S3 bucket. The traffic should not traverse the internet. The addition of which of the following would help fulfill this requirement?

A. VPC Endpoint

B. NAT Instance

C. NAT Gateway

D. Internet Gateway

Answer

A. VPC Endpoint

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network. For more information on AWS VPC endpoints, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html


20. Currently, you have a NAT Gateway defined for your private instances. You need to make the NAT Gateway highly available. How can this be accomplished?

A. Create another NAT Gateway and place it behind an ELB.

B. Create a NAT Gateway in another Availability Zone.

C. Create a NAT Gateway in another region.

D. Use Auto Scaling groups to scale the NAT Gateway.

Answer

B. Create a NAT Gateway in another Availability Zone.

If you have resources in multiple Availability Zones and they share one NAT Gateway, in the event that the NAT Gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT Gateway in each Availability Zone and configure your routing to ensure that resources use the NAT Gateway in the same Availability Zone. For more information on the NAT Gateway, please refer to the below URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html


21. Currently, you’re helping design and architect a highly available application. After building the initial environment, you discover that a part of your application does not work correctly until port 443 is added to the security group. After adding port 443 to the appropriate security group, how much time will it take before the changes are applied and the application begins working correctly? Choose the correct answer from the options below.

A. Generally, it takes 2-5 minutes in order for the rules to propagate.

B. Immediately after a reboot of the EC2 Instances belong to that security group.

C. Changes apply instantly to the security group, and the application should be able torespond to 443 requests.

D. It will take 60 seconds for the rules to apply to all Availability Zones withinthe region.

Answer

C. Changes apply instantly to the security group, and the application should be able torespond to 443 requests.

This is given in the AWS documentation: "Some systems for setting up firewalls let you filter on source ports. Security groups let you filter only on destination ports. When you add or remove rules, they are automatically applied to all instances associated with the security group." For more information on Security Groups, please refer to the below link: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html


22. Having created a Redshift cluster in AWS, you are trying to use SQL Client tools from an EC2 Instance, but aren’t able to connect to the Redshift Cluster. What must you do to ensure that you are able to connect to the Redshift Cluster from the EC2 Instance?

A. Install Redshift client tools on the EC2 Instance first.

B. Modify the VPC Security Groups.

C. Use the AWS CLI instead of the Redshift client tools.

D. Modify the NACL on the subnet.

Answer

B. Modify the VPC Security Groups.

By default, any cluster that you create is closed to everyone. IAM credentials only control access to the Amazon Redshift API-related resources: the Amazon Redshift console, command line interface (CLI), API, and SDK. To enable access to the cluster from SQL client tools via JDBC or ODBC, you use security groups. If you are using the EC2-Classic platform for your Amazon Redshift cluster, you must use Amazon Redshift security groups (note that EC2-Classic has since been retired). If you are using the EC2-VPC platform for your Amazon Redshift cluster, you must use VPC security groups, allowing the cluster's port (5439 by default) inbound from the EC2 instance's security group. For more information on Amazon Redshift, please refer to the below URL: http://docs.aws.amazon.com/redshift/latest/mgmt/overview.html


23. Instances in your private subnet hosted in AWS need access to important documents in S3. Due to the confidential nature of these documents, you have to ensure that this traffic does not traverse the Internet. As an architect, how would you implement this solution?

A. Consider using a VPC Endpoint.

B. Consider using an EC2 Endpoint.

C. Move the instances to a public subnet.

D. Create a VPN connection and access the S3 resources from the EC2 Instance.

Answer

A. Consider using a VPC Endpoint.

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other services does not leave the Amazon network. For more information on VPC Endpoints, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html


24. There is a requirement for EC2 Instances in a private subnet to access an S3 bucket. It is required that the traffic does not traverse to the Internet. Which of the following can be used to fulfill this requirement?

A. VPC Endpoint

B. NAT Instance

C. NAT Gateway

D. Internet Gateway

Answer

A. VPC Endpoint

A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.

For more information on AWS VPC endpoints, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html


25. There is a requirement to get the IP addresses for resources accessed in a private subnet. Which of the following can be used to fulfill this purpose?

A. Trusted Advisor

B. VPC Flow Logs

C. Use CloudWatch metrics

D. Use CloudTrail

Answer

B. VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you’ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs.

For more information on VPC Flow Logs, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html

Incorrect answers: AWS Trusted Advisor is your customized cloud expert! It helps you to observe best practices for the use of AWS by inspecting your AWS environment with an eye toward saving money, improving system performance and reliability, and closing security gaps.

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure.

CloudWatch metrics are mainly used for performance metrics (CPU, network bytes and so on); they do not record individual IP addresses.
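To make the flow-log answer concrete, here is an added Python example (not from the original page, and not an AWS tool) that parses default-format VPC Flow Log records, lists which sources reached each host in a private subnet, counts rejected flows per source, and flags accepted sources that fall outside the CIDRs expected to talk to that tier. The log lines are constructed sample data, not captured traffic; the account ID, interface IDs and addresses are made up.

```python
"""Parse VPC Flow Log records (default format) and list who reached private hosts."""
import ipaddress
from collections import Counter, defaultdict

# Field order of the default (version 2) flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: the eni ids, account id and addresses are made up.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.10 10.0.2.15 43210 3306 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.1.10 3306 43210 6 10 9200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.2.15 51515 22 6 4 320 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.9 10.0.2.15 55000 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0f9e8d7c6b5a4f3e2 203.0.113.9 10.0.2.16 55001 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0f9e8d7c6b5a4f3e2 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per usable record; NODATA/SKIPDATA rows carry no addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue              # custom format or truncated line: ignore it
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def clients_of_private_hosts(records, private_cidr):
    """Map each private-subnet address to the sorted sources whose flows to it
    were ACCEPTed. Replies leaving the subnet are excluded by the dst check."""
    net = ipaddress.ip_network(private_cidr)
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "ACCEPT" and ipaddress.ip_address(r["dstaddr"]) in net:
            seen[r["dstaddr"]].add(r["srcaddr"])
    return {host: sorted(srcs) for host, srcs in seen.items()}


def rejected_by_source(records, private_cidr):
    """Count REJECTed flows toward the private subnet per source: cheap scan detection."""
    net = ipaddress.ip_network(private_cidr)
    return Counter(r["srcaddr"] for r in records
                   if r["action"] == "REJECT" and ipaddress.ip_address(r["dstaddr"]) in net)


def unexpected_clients(records, private_cidr, allowed_cidrs):
    """(source, host) pairs that were ACCEPTed but come from outside the expected CIDRs."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    flagged = set()
    for host, srcs in clients_of_private_hosts(records, private_cidr).items():
        for s in srcs:
            if not any(ipaddress.ip_address(s) in a for a in allowed):
                flagged.add((s, host))
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(clients_of_private_hosts(recs, "10.0.2.0/24"))
    print(rejected_by_source(recs, "10.0.2.0/24"))
    # Only the web tier (10.0.1.0/24) should ever reach the DB subnet.
    print(unexpected_clients(recs, "10.0.2.0/24", ["10.0.1.0/24"]))
```

In the sample, the accepted SSH flow from 198.51.100.7 to 10.0.2.15 is exactly the kind of record the question is after: a private host reached from an address that has no business there, which a security group allowing 0.0.0.0/0 on port 22 would let through. The two REJECTs from 203.0.113.9 show up only because the NACL or security group denied them; flow logs record both outcomes.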


26. There is a requirement to host a database server. This server should not be able to connect to the Internet except while downloading required database patches. Which of the following solutions would best satisfy all the above requirements? Choose the correct answer from the options below.

A. Setup the database in a private subnet with a security group which only allows outbound traffic.

B. Setup the database in a public subnet with a security group which only allows inbound traffic.

C. Setup the database in a local data center and use a private gateway to connect the application to the database.

D. Setup the database in a private subnet which connects to the Internet via a NAT Instance.

Answer

D. Setup the database in a private subnet which connects to the Internet via a NAT Instance.

This setup coincides with Scenario 2 of setting up a VPC as per the AWS documentation:

Scenario 2: VPC with Public and Private Subnets (NAT)

The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet. We recommend this scenario if you want to run a public-facing web application, while maintaining back-end servers that aren’t publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate with the database servers.

For more information on the VPC Scenario for public and private subnets, please see the below link:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html


27. There is an application which consists of EC2 Instances behind a classic ELB. An EC2 proxy is used for content management to backend instances. The application might not be able to scale properly.

Which of the following can be used to scale the proxy and backend instances appropriately? Choose 2 answers from the options given below.


A. Use Auto Scaling for the proxy servers.

B. Use Auto Scaling for the backend instances.

C. Replace the Classic ELB with Application ELB.

D. Use Application ELB for both the front end and backend instances.

Answer

A. Use Auto Scaling for the proxy servers.

B. Use Auto Scaling for the backend instances.

When you see a requirement for scaling, consider the Auto Scaling service provided by AWS. This can be used to scale both proxy servers and backend instances.

For more information on Auto Scaling, please visit the following URL:

https://docs.aws.amazon.com/autoscaling/plans/userguide/what-is-aws-auto-scaling.html


28. You are planning on hosting a web and MySQL database application in an AWS VPC. The database should only be accessible by the web server. Which of the following would you change to fulfill this requirement?

A. Network Access Control Lists

B. AWS RDS Parameter Groups

C. Route Tables

D. Security groups

Answer

D. Security groups

The security group associated with the DB instance should allow port 3306 traffic from the web server's EC2 instance. The AWS Documentation additionally mentions the following:

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don’t specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For more information on VPC Security Groups, please visit the link below.

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html


29. You are required to connect 2 VPCs in different accounts. How can this be achieved?

A. Use Security Groups to map both VPCs.

B. Use the VPC Route Tables to map both VPCs.

C. Use Consolidating billing to connect both accounts.

D. Use VPC Peering to connect both VPCs.

Answer

D. Use VPC Peering to connect both VPCs.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. For more information on VPC Peering, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html


30. You currently have 2 development environments hosted in 2 different VPCs in an AWS account in the same region. There is now a need for resources from one VPC to access another. How can this be accomplished?

A. Establish a Direct Connect connection.

B. Establish a VPN connection.

C. Establish VPC Peering.

D. Establish Subnet Peering.

Answer

C. Establish VPC Peering.

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. For more information on VPC peering, please visit the URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html


31. You have an EC2 Instance placed inside a subnet. You have created the VPC from scratch, and added the EC2 Instance to the subnet. It is required to ensure that this EC2 Instance has complete access to the Internet, since it will be used by users on the Internet. Which of the following options would help accomplish this?

A. Launch a NAT Gateway and add routes for 0.0.0.0/0

B. Attach a VPC Endpoint and add routes for 0.0.0.0/0

C. Attach an Internet Gateway and add routes for 0.0.0.0/0

D. Deploy NAT Instances in a public subnet and add routes for 0.0.0.0/0

Answer

C. Attach an Internet Gateway and add routes for 0.0.0.0/0

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic. For more information on the Internet Gateway, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html


32. You have been tasked with creating a VPC network topology for your company. The VPC network must support both internet-facing applications and internal-facing applications accessed only over VPN. Both Internet-facing and internal-facing applications must be able to leverage at least 3 AZs for high availability. At a minimum, how many subnets must you create within your VPC to accommodate these requirements?

A. 2

B. 3

C. 4

D. 6

Answer

D. 6

Each subnet resides in exactly one Availability Zone, and you need a public subnet (for the internet-facing applications) and a private subnet (for the VPN-only internal applications) in each of the 3 AZs, so you will need 2 x 3 = 6 subnets. For more information on VPC and subnets, please visit the below URL:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html


33. You have created your own VPC and subnet in AWS and launched an instance in that subnet. On attaching an Internet Gateway to the VPC, you see that the instance has a public IP. The route table is shown below:

The instance still cannot be reached from the Internet. Which of the below changes need to be made to the route table to ensure that the issue is resolved?


A. Add the following entry to the route table: 0.0.0.0/0 -> Internet Gateway

B. Modify the above route table: 10.0.0.0/16 -> Internet Gateway

C. Add the following entry to the route table: 10.0.0.0/16 -> Internet Gateway

D. Add the following entry to the route table: 0.0.0.0/16 -> Internet Gateway

Answer

A. Add the following entry to the route table: 0.0.0.0/0 -> Internet Gateway

The route table needs a route with destination 0.0.0.0/0 and the Internet Gateway as target so that traffic from the Internet reaches the instance; the VPC CIDR 10.0.0.0/16 is already covered by the local route, and 0.0.0.0/16 matches only a tiny, unused address range. Hence all other options become invalid. For more information on Route Tables, please visit the below URL:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html


34. You have set up a Redshift cluster in AWS and are trying to access it, but are unable to do so. What should be done so that you can access the Redshift Cluster?

A. Ensure the Cluster is created in the right Availability Zone.

B. Ensure the Cluster is created in the right region.

C. Change the security groups for the cluster.

D. Change the encryption key associated with the cluster.

Answer

C. Change the security groups for the cluster.

When you provision an Amazon Redshift cluster, it is locked down by default so nobody has access to it. To grant other users inbound access to an Amazon Redshift cluster, you associate the cluster with a security group.

For more information on Redshift Security Groups, please refer to the below URL:

https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-security-groups.html


35. You need to ensure that instances in a private subnet can access the Internet. The solution should be highly available and ensure less maintenance overhead. Which of the following would ideally fit this requirement?

A. Host the NAT Instance in the private subnet.

B. Host the NAT Instance in the public subnet.

C. Use the NAT Gateway in the private subnet.

D. Use the NAT Gateway in the public subnet.

Answer

D. Use the NAT Gateway in the public subnet.

The AWS Documentation compares the NAT Gateway with NAT Instances and states that the NAT Gateway is highly available and requires less management. For more information on this comparison, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-comparison.html


36. You need to host a set of web servers and database servers in an AWS VPC. Which of the following is a best practice in designing a multi-tier infrastructure?

A. Use a public subnet for the web tier and a public subnet for the database layer.

B. Use a public subnet for the web tier and a private subnet for the database layer.

C. Use a private subnet for the web tier and a private subnet for the database layer.

D. Use a private subnet for the web tier and a public subnet for the database layer.

Answer

B. Use a public subnet for the web tier and a private subnet for the database layer.

The ideal setup is to ensure that the web server is hosted in the public subnet so that it can be accessed by users on the internet. The database server can be hosted in the private subnet. The Scenario 2 diagram in the AWS Documentation shows how this can be set up. For more information on public and private subnets in AWS, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html


37. You plan on creating a VPC from scratch and launching EC2 Instances in the subnet. What should be done to ensure that the EC2 Instances are accessible from the Internet?

A. Attach an Internet Gateway to the VPC and add a route for 0.0.0.0/0 to the Route table.

B. Attach an NAT Gateway to the VPC and add a route for 0.0.0.0/0 to the Route table.

C. Attach an NAT Gateway to the VPC and add a route for 0.0.0.0/32 to the Route table.

D. Attach an Internet Gateway to the VPC and add a route for 0.0.0.0/32 to the Route table.

Answer

A. Attach an Internet Gateway to the VPC and add a route for 0.0.0.0/0 to the Route table.

For more information on the Internet Gateway, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
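Questions 31, 33 and 37 all turn on how a subnet route table resolves a destination. The following Python model is an added example, not code from the original page or from AWS: it performs longest-prefix matching the way a VPC route table does, keeps the VPC's local route fixed (AWS creates it and does not let it be pointed at an Internet Gateway), and evaluates the four route-table options from question 33. The VPC CIDR 10.0.0.0/16, the gateway ids `igw-EXAMPLE` and `nat-EXAMPLE`, and the client address 203.0.113.5 are constructed placeholders.

```python
import ipaddress


class RouteTable:
    """Minimal model of a VPC subnet route table: longest-prefix match over the
    configured routes, with the VPC's own CIDR always routed 'local'."""

    def __init__(self, vpc_cidr):
        self.vpc_cidr = ipaddress.ip_network(vpc_cidr)
        # The local route is created by AWS together with the VPC.
        self.routes = {self.vpc_cidr: "local"}

    def add_route(self, destination, target):
        net = ipaddress.ip_network(destination, strict=False)
        if net == self.vpc_cidr:
            # Model assumption: the local route cannot be replaced by an Internet Gateway.
            raise ValueError("the local route for the VPC CIDR cannot be changed here")
        self.routes[net] = target
        return self

    def lookup(self, address):
        """Return (destination CIDR, target) of the most specific matching route, or None."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, target in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return None if best is None else (str(best[0]), best[1])


def reachable_from_internet(table, has_public_ip, client="203.0.113.5"):
    """An instance answers Internet clients only when the subnet routes the client's
    address to an Internet Gateway AND the instance has a public IP. A NAT gateway target
    gives outbound-only access, so it does not count."""
    route = table.lookup(client)
    return bool(has_public_ip and route is not None and route[1].startswith("igw-"))


def evaluate_options(vpc_cidr="10.0.0.0/16", igw="igw-EXAMPLE", client="203.0.113.5"):
    """Try each route-table option from question 33 against a constructed Internet client."""
    results = {}
    # Option A: default route to the Internet Gateway resolves any non-VPC address.
    results["A"] = RouteTable(vpc_cidr).add_route("0.0.0.0/0", igw).lookup(client)
    # Options B and C: point the VPC CIDR itself at the IGW; the local route cannot be replaced.
    try:
        RouteTable(vpc_cidr).add_route("10.0.0.0/16", igw)
        results["C"] = "accepted"
    except ValueError:
        results["C"] = "rejected"
    # Option D: 0.0.0.0/16 only covers 0.0.0.0-0.0.255.255, so an Internet client has no route.
    results["D"] = RouteTable(vpc_cidr).add_route("0.0.0.0/16", igw).lookup(client)
    return results


if __name__ == "__main__":
    print(evaluate_options())
    public = RouteTable("10.0.0.0/16").add_route("0.0.0.0/0", "igw-EXAMPLE")
    private = RouteTable("10.0.0.0/16").add_route("0.0.0.0/0", "nat-EXAMPLE")
    print("public subnet reachable:", reachable_from_internet(public, True))
    print("private subnet reachable:", reachable_from_internet(private, True))
```

Running the module prints the option evaluation (only A yields an Internet Gateway route) and shows that a private subnet whose default route points at a NAT gateway is never reachable from the Internet, which is the distinction questions 35 and 41 rely on.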


38. You plan on hosting a web application consisting of a web server and a database server. These servers are going to be hosted on different EC2 Instances in different subnets in a VPC. Which of the following can be used to ensure that the database server only allows traffic from the web server?

A. Make use of Security Groups.

B. Make use of VPC Flow Log

C. Make use of Network Access Control Lists.

D. Make use of IAM Roles.

Answer

A. Make use of Security Groups.

Security groups can be used to control traffic into an EC2 Instance. The AWS Documentation for Scenario 2 shows the security group rules tables for a sample web and database server setup. For more information on this use case scenario, please visit the following URL:

https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

Note: a NACL is used when you want to deny access for a particular IP address or CIDR block (a set of IP addresses). The simple rule of thumb is: if the requirement is to allow traffic, go with a Security Group; if the requirement is to deny (not allow) traffic, go with a NACL.
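Questions 28 and 38 both rest on how security groups and network ACLs evaluate a connection. The Python model below is an added example written for this page, not code from AWS or from the original question set. It encodes the two semantics the answers describe: security groups are stateful and allow-only, and may reference another security group as the source; NACLs are stateless, ordered by rule number, support deny rules, and end with an implicit deny, so the reply traffic on the client's ephemeral port must be allowed separately. The group ids `sg-db` and `sg-web`, the addresses in 10.0.0.0/16, and the blocked range 203.0.113.0/24 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SgRule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all traffic
    from_port: int
    to_port: int
    source: str      # a CIDR such as "10.0.1.0/24" or a security group id such as "sg-web"


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list    # SgRule entries; security groups only have allow rules


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated in ascending number order, first match wins
    action: str      # "allow" or "deny"
    protocol: str
    from_port: int
    to_port: int
    cidr: str


def _proto_port_match(rule_proto, from_port, to_port, proto, port):
    if rule_proto not in ("-1", proto):
        return False
    return rule_proto == "-1" or from_port <= port <= to_port


def sg_allows_inbound(sg, src_ip, src_groups, proto, port):
    """Stateful, allow-only: any matching rule admits the connection, otherwise it is dropped.
    A source matches either by CIDR or by membership in a referenced security group."""
    addr = ipaddress.ip_address(src_ip)
    for rule in sg.inbound:
        if not _proto_port_match(rule.protocol, rule.from_port, rule.to_port, proto, port):
            continue
        if rule.source.startswith("sg-"):
            if rule.source in src_groups:
                return True
        elif addr in ipaddress.ip_network(rule.source, strict=False):
            return True
    return False


def nacl_decision(rules, ip, proto, port):
    """Stateless, ordered: the lowest-numbered matching rule decides; the implicit
    final '*' rule denies everything that matched nothing."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if (_proto_port_match(rule.protocol, rule.from_port, rule.to_port, proto, port)
                and addr in ipaddress.ip_network(rule.cidr, strict=False)):
            return rule.action
    return "deny"


def evaluate_connection(src_ip, src_groups, proto, dst_port, src_port, sg, nacl_in, nacl_out):
    """Order of checks for a new inbound connection: subnet NACL inbound, subnet NACL outbound
    for the reply (because NACLs are stateless), then the instance security group."""
    if nacl_decision(nacl_in, src_ip, proto, dst_port) != "allow":
        return False, "denied by subnet NACL inbound rules"
    if nacl_decision(nacl_out, src_ip, proto, src_port) != "allow":
        return False, "reply blocked by subnet NACL outbound rules (NACLs are stateless)"
    if not sg_allows_inbound(sg, src_ip, src_groups, proto, dst_port):
        return False, "no matching allow rule in the instance security group"
    return True, "allowed"


# Constructed scenario: the DB security group admits MySQL only from members of sg-web,
# and the DB subnet NACL denies one external range before allowing everything else.
DB_SG = SecurityGroup("sg-db", [SgRule("tcp", 3306, 3306, "sg-web")])
DB_NACL_IN = [
    NaclRule(100, "deny", "-1", 0, 65535, "203.0.113.0/24"),
    NaclRule(200, "allow", "-1", 0, 65535, "0.0.0.0/0"),
]
DB_NACL_OUT = [
    NaclRule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),   # replies to ephemeral ports
    NaclRule(110, "allow", "tcp", 443, 443, "0.0.0.0/0"),      # patch downloads
]


def demo():
    cases = {
        "web server":      ("10.0.1.25", {"sg-web"}, "tcp", 3306, 49152),
        "other instance":  ("10.0.1.99", {"sg-app"}, "tcp", 3306, 51000),
        "blocked range":   ("203.0.113.12", set(), "tcp", 3306, 40000),
        "web server ssh":  ("10.0.1.25", {"sg-web"}, "tcp", 22, 49153),
        "low source port": ("10.0.1.25", {"sg-web"}, "tcp", 3306, 512),
    }
    return {name: evaluate_connection(*args, DB_SG, DB_NACL_IN, DB_NACL_OUT)
            for name, args in cases.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:16s} {'ALLOW' if ok else 'DROP '} {why}")
```

The "low source port" case is the one practitioners trip over: the security group and the inbound NACL both permit the connection, yet the reply is dropped because the stateless outbound NACL has no rule for that port. Referencing `sg-web` as the source, rather than the web server's IP address, is what keeps the rule correct when the web tier scales or is replaced.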


39. You want to set up a public website on AWS. Your requirements are as follows:

You want the database and the application server running on AWS VPC.

You want the database to be able to connect to the Internet, specifically for patch upgrades.

You do not want to receive any incoming requests from the Internet to the database.

Which of the following solutions would best satisfy all the above requirements for this planned public AWS website? Choose the correct answer from the options below.


A. Setup the database in a private subnet with a security group which only allows outbound traffic.

B. Setup the database in a public subnet with a security group which only allows inbound traffic.

C. Setup the database in a local data center and use a private gateway to connect the application to the database.

D. Setup the public website on a public subnet and set up the database in a private subnet which connects to the Internet via a NAT Instance.

Answer

D. Setup the public website on a public subnet and set up the database in a private subnet which connects to the Internet via a NAT Instance.

For more information on the VPC Scenario for public and private subnets, please see the below link:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html


40. Your current setup in AWS consists of the following architecture: 2 public subnets, one subnet which has web servers accessed by users across the Internet and another subnet for the database server. Which of the following changes to the architecture adds a better security boundary to the resources hosted in this setup?

A. Consider moving the web server to a private subnet.

B. Consider moving the database server to a private subnet.

C. Consider moving both the web and database servers to a private subnet.

D. Consider creating a private subnet and adding a NAT Instance to that subnet.

Answer

B. Consider moving the database server to a private subnet.

The ideal setup is to host the web server in the public subnet so that it can be accessed by users on the Internet. The database server can be hosted in the private subnet. The below diagram from AWS


41. Your infrastructure in AWS currently consists of a private and public subnet. The private subnet consists of database servers and the public subnet has a NAT Instance which helps the instances in the private subnet to communicate with the Internet. The NAT Instance is now becoming a bottleneck. Which of the following changes to the current architecture can help prevent this issue from occurring in the future?

A. Use a NAT Gateway instead of the NAT Instance.

B. Use another Internet Gateway for better bandwidth.

C. Use a VPC connection for better bandwidth.

D. Consider changing the instance type for the underlying NAT Instance.

Answer

A. Use a NAT Gateway instead of the NAT Instance.

The NAT Gateway is a managed resource which can be used in place of a NAT Instance. While you can consider changing the instance type for the underlying NAT Instance, this does not guarantee that the issue will not reoccur in the future. For more information on the NAT Gateway, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html


42. Your IT Security department has mandated that all traffic flowing in and out of EC2 instances needs to be monitored. Which of the below services can help achieve this?

A. Trusted Advisor

B. VPC Flow Logs

C. Use CloudWatch metrics

D. Use CloudTrail

Answer

B. VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data is stored using Amazon CloudWatch Logs. After you’ve created a flow log, you can view and retrieve its data in Amazon CloudWatch Logs. For more information on VPC Flow Logs, please visit the following URL: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
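Questions 25 and 42 both answer "VPC Flow Logs" but never show what a flow log record looks like or how the IP addresses are pulled out of it. The parser below is an added example written for this page, not code from AWS or from the original question set. It reads records in the default (version 2) flow log format, skips the NODATA and SKIPDATA records that carry no addresses, lists every peer address that talked to a given private-subnet host (question 25), and summarises REJECT records by source so that traffic denied at the security group or NACL is visible (question 42). The account id, ENI id, addresses and the VPC CIDR 10.0.0.0/16 in the sample are constructed values; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) flow log record, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets byte_count start end action log_status").split()


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number, e.g. 6 for TCP
    packets: int
    byte_count: int
    action: str        # "ACCEPT" or "REJECT"


def parse_flow_log(text):
    """Parse flow log lines into FlowRecord objects, dropping records without addresses."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                     # malformed line; a real pipeline would count these
        row = dict(zip(FIELDS, parts))
        if row["log_status"] != "OK":
            continue                     # NODATA / SKIPDATA records have '-' in every field
        records.append(FlowRecord(
            row["interface_id"], row["srcaddr"], row["dstaddr"],
            int(row["srcport"]), int(row["dstport"]), int(row["protocol"]),
            int(row["packets"]), int(row["byte_count"]), row["action"]))
    return records


def peers_of(records, host_ip):
    """Every remote address that exchanged, or tried to exchange, traffic with host_ip."""
    peers = set()
    for r in records:
        if r.dstaddr == host_ip:
            peers.add(r.srcaddr)
        elif r.srcaddr == host_ip:
            peers.add(r.dstaddr)
    return sorted(peers)


def rejected_by_source(records, vpc_cidr):
    """REJECT records grouped by source address, flagging sources outside the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    summary = defaultdict(lambda: {"ports": set(), "packets": 0, "external": False})
    for r in records:
        if r.action != "REJECT":
            continue
        entry = summary[r.srcaddr]
        entry["ports"].add(r.dstport)
        entry["packets"] += r.packets
        entry["external"] = ipaddress.ip_address(r.srcaddr) not in vpc
    return dict(summary)


# Constructed sample: a database ENI in a private subnet (10.0.2.40) talking to the
# web server (10.0.1.25), plus rejected probes from two external hosts and one
# internal instance that is not allowed to reach MySQL.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 3306 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.40 10.0.1.25 3306 49152 6 18 6100 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.12 10.0.2.40 53420 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.40 40000 3306 6 3 180 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.1.99 10.0.2.40 51000 3306 6 2 120 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1418530010 1418530070 - NODATA
"""


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("peers of 10.0.2.40:", peers_of(recs, "10.0.2.40"))
    for src, info in rejected_by_source(recs, "10.0.0.0/16").items():
        where = "external" if info["external"] else "inside VPC"
        print(f"REJECT from {src} ({where}) ports={sorted(info['ports'])} packets={info['packets']}")
```

Flow logs record the decision, not the reason: a REJECT can come from a security group or from a NACL, so the rejected-source summary is the starting point for an investigation rather than the conclusion. Note also that the first two sample lines are the two directions of one TCP session; because the capture is per interface and per direction, a single connection appears as two records.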