AWS VPC Quiz
To save administration headaches, Amazon recommends that you leave all security groups in web-facing subnets open on port 22 to the 0.0.0.0/0 CIDR, so that you can connect from wherever you are in the world. A.) True B.) False
B
When peering VPCs, you may peer your VPC only with another VPC in your same AWS account. A.) True B.) False
B
A VPN connection consists of which of the following components? 1. Cross connect 2. Customer gateway 3. Virtual private gateway 4. Direct connect gateway A.) 2, 3 B.) 1, 4 C.) 1, 3 D.) 2, 4
A
An application load balancer must be deployed into at least two subnets. A.) True B.) False
A
By default, instances in new subnets in a custom VPC can communicate with each other across AZs. A.) True B.) False
A
Having just created a new VPC and launched an instance into its public subnet, you realize that you forgot to assign a public IP to the instance during creation. What is the simplest way to make your instance reachable from the outside world? A.) Create an Elastic IP address and associate it with your instance B.) Associate the private IP of your instance with the public IP of the Internet gateway C.) Nothing - by default all instances deployed into any public subnet automatically receive a public IP D.) Create an Elastic IP and a new network interface. Associate the Elastic IP with the new network interface and the new network interface with your instance
A
How many Internet gateways can be attached to your custom VPC? A.) 1 B.) 2 C.) 3 D.) 1 per availability zone
A
The local route table in the VPC allows which of the following? A.) All the instances running in different subnets within a VPC can communicate to each other B.) Only traffic to the internet can be routed C.) Multiple VPCs can talk with each other D.) An instance can use the local route and talk to the Internet
A
What is the maximum size of the CIDR block you can have for a VPC? A.) /16 B.) /32 C.) /28 D.) /10
A
What is the purpose of an Egress-only Internet gateway? 1. Allows VPC based IPv6 traffic to communicate to the Internet 2. Prevents IPv6 traffic accessing the Internet by utilizing security groups 3. Prevents IPv6 based Internet resources initiating a connection into a VPC 4. Allows instance communication over IPv4 or IPv6 to access the internet A.) 1, 3 B.) 2, 4 C.) 1, 4 D.) 2, 3
A
When you create a custom VPC, which of the following are created automatically? 1. NAT Gateway 2. Route table 3. Access Control List 4. Security Group 5. Subnets 6. Internet gateway A.) 2, 3, 4 B.) 1, 3, 4 C.) 1, 5, 6 D.) 1, 3, 5
A
When you create a new security group all outbound traffic is allowed by default. A.) True B.) False
A
You are permitted to conduct your own vulnerability scans against your own VPC without notifying AWS first. A.) True B.) False
A
A subnet can span multiple AZs. A.) True B.) False
B
In a default VPC, all EC2 instances are assigned 2 IP addresses at launch. What are they? A.) An elastic and public IP address B.) A public and private IP address C.) An IPv6 and an elastic IP address D.) A public and a secret IP address
B
Security groups act like a firewall at the instance level, whereas ____________ are an additional layer of security that act at the subnet level. A.) DB security groups B.) Network ACL C.) Route table D.) VPC security group
B
Which of the following is a chief advantage of using VPC endpoints to connect your VPC to services such as S3? A.) VPC endpoints require public IP addresses, offering rapid connectivity from the public internet B.) Traffic between your VPC and the other service does not leave the Amazon network C.) VPC endpoints are dedicated hardware devices that cannot be accessed without the correct IAM credentials D.) VPC endpoints offer a faster path through the public internet than you can realize with a NAT instance
B
Which statement is true? A.) Security groups are stateless and Network ACLs are stateful B.) Security groups are stateful and Network ACLs are stateless C.) Both security groups and Network ACLs are stateful D.) Both security groups and Network ACLs are stateless
B
Which statements are true for security groups? 1. Security groups evaluate all rules before deciding whether to allow traffic 2. Security groups support both "allow" and "deny" rules 3. Security groups operate at the subnet level 4. Security groups support only "allow" rules 5. Security groups process rules in numbered order when deciding to allow traffic 6. Security groups operate at the instance level A.) 2, 5, 6 B.) 1, 4, 6 C.) 1, 2, 3 D.) 3, 4, 6
B
You can accelerate your application by adding a second Internet gateway to your VPC. A.) True B.) False
B
You have created a VPC with two subnets. The web servers are running in a public subnet and the database server is running in a private subnet. You need to download an operating system patch to update the database server. How are you going to download the patch? A.) By attaching an Internet Gateway to the private subnet temporarily B.) By using a NAT gateway C.) By using peering to another VPC D.) By changing the security group of the database server and allowing Internet access
B
You have five VPCs in a 'hub and spoke' configuration, with VPC 'A' in the center and individually paired with VPCs 'B', 'C', 'D', and 'E', which make up the 'spokes'. There are no other VPC connections. Which of the following VPCs can VPC 'B' communicate with directly? A.) VPCs 'C', 'D', and 'E' B.) VPC 'A' C.) VPCs 'A' and 'E' D.) VPCs 'A' and 'C'
B
By default, how many VPCs am I allowed in each AWS region? A.) 1 B.) 2 C.) 5 D.) 6
C
How can your VPC talk with DynamoDB directly? A.) By using a Direct Connect connection B.) By using a VPN connection C.) By using a VPC endpoint D.) By using an instance in the public subnet
C
Select the incorrect statement. A.) In Amazon VPC, an instance retains its private IP B.) You may only have 1 Internet gateway per VPC C.) In Amazon VPC, an instance does not retain its private IP D.) It is possible to have private subnets in a VPC
C
What happens to the EIP address when you stop and start an instance? A.) The EIP is released to the pool and you need to re-attach it B.) The EIP is released temporarily during the stop and start C.) The EIP remains associated with the instance D.) The EIP is available for any other customer
C
Which of the following allows you to SSH or RDP into an EC2 instance located in a private subnet? A.) NAT instance B.) NAT gateway C.) Bastion host D.) Internet gateway
C
You have a web server and an app server running. You often stop and start your app server for maintenance activities. Every time you stop and start your app server, you need to update the connection string for the web server, since the public IP address of the app server changes. How do you fix this issue? A.) Allocate an IPv6 address to the app server B.) Allocate an Elastic Network Interface to the app server C.) Allocate an Elastic IP address to the app server D.) Run a script to change the connection string
C
At which of the following levels can VPC Flow Logs be created? 1. Security group level 2. VPC level 3. Subnet level 4. Network ACL level 5. Network interface level 6. Instance level A.) 1, 4, 6 B.) 2, 4, 5 C.) 1, 2, 4 D.) 2, 3, 5
D
How many IP addresses in each subnet CIDR block does AWS reserve for internal purposes, so that you can't use them? A.) 2 B.) 3 C.) 4 D.) 5
D
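The two sizing rules the questions above test (a VPC block between /16 and /28, and five addresses that AWS reserves in every subnet) can be checked mechanically before you submit a CreateVpc or CreateSubnet call. The following is an added example written for this page, not code from the quiz or from AWS; the sample CIDRs in the test are constructed, and the helper names are my own.

```python
# Added example (not part of the original quiz): applies the two sizing rules
# the questions test, VPC CIDRs from /16 to /28 and five reserved addresses
# per subnet, to constructed sample blocks.
import ipaddress

LARGEST_VPC_PREFIX = 16    # /16 is the largest block a VPC can have
SMALLEST_PREFIX = 28       # /28 is the smallest block for a VPC or a subnet
RESERVED_PER_SUBNET = 5


def valid_vpc_cidr(cidr: str) -> bool:
    """True if cidr is an IPv4 block AWS accepts for a VPC (/16 to /28)."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set
    except ValueError:
        return False
    return net.version == 4 and LARGEST_VPC_PREFIX <= net.prefixlen <= SMALLEST_PREFIX


def reserved_addresses(subnet_cidr: str) -> dict:
    """The five addresses in every subnet that AWS reserves, with their purpose."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    first = int(net.network_address)
    return {
        str(ipaddress.ip_address(first)): "network address",
        str(ipaddress.ip_address(first + 1)): "VPC router",
        str(ipaddress.ip_address(first + 2)): "Amazon-provided DNS resolver",
        str(ipaddress.ip_address(first + 3)): "reserved by AWS for future use",
        str(net.broadcast_address): "network broadcast address (broadcast is not supported in a VPC)",
    }


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses left for instances, ENIs, NAT gateways and so on."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def check_subnet(vpc_cidr: str, subnet_cidr: str) -> list:
    """Problems a VPC/subnet pair would hit at creation time; empty when fine."""
    problems = []
    if not valid_vpc_cidr(vpc_cidr):
        problems.append(f"VPC block {vpc_cidr} is not between /16 and /28")
    try:
        vpc = ipaddress.ip_network(vpc_cidr)
        subnet = ipaddress.ip_network(subnet_cidr)
    except ValueError as e:
        return problems + [str(e)]
    if not subnet.subnet_of(vpc):
        problems.append(f"subnet {subnet_cidr} is outside VPC {vpc_cidr}")
    if subnet.prefixlen > SMALLEST_PREFIX:
        problems.append(f"subnet {subnet_cidr} is smaller than /28")
    return problems


if __name__ == "__main__":
    print(check_subnet("10.0.0.0/16", "10.0.1.0/24"))   # [] : nothing wrong
    for addr, why in reserved_addresses("10.0.1.0/24").items():
        print(addr, why)
    print(usable_hosts("10.0.1.0/24"), "usable addresses")
```

A /28 subnet therefore leaves only 11 usable addresses, which is worth remembering when sizing subnets for autoscaling groups or for services that consume an ENI per instance.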
To connect your corporate data center to AWS, you need at least which of the following components? 1. Internet gateway 2. Virtual private gateway 3. NAT gateway 4. Customer gateway A.) 1, 3 B.) 1, 2 C.) 3, 4 D.) 2, 4
D
You have created a web server in the public subnet, and now anyone can access the web server from the internet. You want to change this behavior and just have the load balancer talk with the web server and no one else. How do you achieve this? A.) By removing the internet gateway B.) By adding the load balancer in the route table C.) By allowing the load balancer access in the NACL of the public subnet D.) By modifying the security group of the instance and just having the load balancer talk with the web server
D
You want to explicitly "deny" certain traffic to the instance running in your VPC. How do you achieve this? A.) Using a security group B.) Adding an entry in the route table C.) By putting the instance in a private subnet D.) Using a Network ACL
D
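The security group versus Network ACL questions (stateful versus stateless, allow-only versus allow and deny, all rules evaluated versus numbered first-match) are easier to reason about with a small model of both evaluation orders. The block below is an added example written for this page, not code from the quiz or from AWS; the addresses, ports and rules are constructed for the demonstration and the class and function names are my own.

```python
# Added example, not from the original quiz: a small model of how security
# groups (stateful, allow-only, all rules evaluated) and network ACLs
# (stateless, allow and deny, numbered rules with first match winning)
# decide on a packet. Addresses, ports and rules are constructed for the demo.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self) -> "Packet":
        """The packet the destination sends back for this one."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    cidr: str
    port_from: int
    port_to: int
    proto: str = "tcp"          # "tcp", "udp" or "all"
    action: str = "allow"       # NACLs may also use "deny"; SGs are allow-only
    number: int = 0             # NACL evaluation order; unused by SGs


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """Inbound rules match the packet's source, outbound rules its destination."""
    addr = pkt.src if direction == "in" else pkt.dst
    return (
        rule.proto in ("all", pkt.proto)
        and rule.port_from <= pkt.dport <= rule.port_to
        and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)
    )


def nacl_decide(rules: list, pkt: Packet, direction: str) -> str:
    """Stateless: every packet, including replies, is checked against the rules
    in ascending number order; the first match decides; the implicit '*' rule
    at the end denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, direction):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: all rules are evaluated and any matching rule allows the
    packet (there is no deny); replies to an allowed flow are permitted
    without a rule in the opposite direction."""

    def __init__(self, inbound: list, outbound: list):
        self.inbound, self.outbound = inbound, outbound
        self._flows = set()

    def decide(self, pkt: Packet, direction: str) -> str:
        if pkt.reply() in self._flows:      # return traffic of a tracked flow
            return "allow"
        rules = self.inbound if direction == "in" else self.outbound
        if any(_matches(r, pkt, direction) for r in rules):
            self._flows.add(pkt)
            return "allow"
        return "deny"


def run_scenario() -> dict:
    web = "10.0.1.20"
    client = Packet("203.0.113.10", 51515, web, 443)        # HTTPS to the web server
    ssh_ok = Packet("203.0.113.10", 51516, web, 22)
    ssh_blocked = Packet("198.51.100.5", 40000, web, 22)    # from a range we want denied

    # Security group: inbound 443 and 22 from anywhere, no outbound rules at all.
    sg = SecurityGroup(
        inbound=[Rule("0.0.0.0/0", 443, 443), Rule("0.0.0.0/0", 22, 22)],
        outbound=[],
    )
    # NACL: an explicit deny that must carry a lower number than the broad allow.
    nacl_in = [
        Rule("198.51.100.0/24", 22, 22, action="deny", number=90),
        Rule("0.0.0.0/0", 22, 22, number=100),
        Rule("0.0.0.0/0", 443, 443, number=110),
    ]
    ephemeral = [Rule("0.0.0.0/0", 1024, 65535, number=100)]   # reply ports outbound

    return {
        "sg_request": sg.decide(client, "in"),
        "sg_reply_without_outbound_rule": sg.decide(client.reply(), "out"),
        "nacl_request": nacl_decide(nacl_in, client, "in"),
        "nacl_reply_without_ephemeral_rule": nacl_decide([], client.reply(), "out"),
        "nacl_reply_with_ephemeral_rule": nacl_decide(ephemeral, client.reply(), "out"),
        "nacl_ssh_blocked_range": nacl_decide(nacl_in, ssh_blocked, "in"),
        "nacl_ssh_other_range": nacl_decide(nacl_in, ssh_ok, "in"),
        # same deny rule renumbered above the allow: first match now allows
        "nacl_ssh_deny_numbered_too_high": nacl_decide(
            [Rule("198.51.100.0/24", 22, 22, action="deny", number=200),
             Rule("0.0.0.0/0", 22, 22, number=100)], ssh_blocked, "in"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:40s} {verdict}")
```

Two practical points fall out of the model: a NACL without an outbound rule for the ephemeral port range silently drops the replies of otherwise allowed connections, and an explicit deny in a NACL only works if its rule number is lower than any allow that would also match the traffic.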