Chapter 1: (251-300) Domain 1—Design Resilient Architectures
Which of the following can a VPC interface endpoint connect to? (Choose two.) A. An API gateway B. A VPN C. A Kinesis data stream D. DynamoDB
A, C. This is another tough question. An interface endpoint provides a private IP address for connecting to a specific entry point for a specific AWS service. Anything that's more general—like DynamoDB—isn't a valid candidate. Additionally, a VPN (B) doesn't make sense, as a VPN is a different type of connection altogether. In this case, that leaves a specific API gateway and a specific Kinesis data stream (A and C).
Which of the following statements are true about both the default VPC and custom VPCs? (Choose two.) A. They have NACLs automatically created. B. They have internet gateways automatically created. C. They have subnets automatically created. D. They have security groups automatically created.
A, D. All VPCs have NACLs, security groups, and route tables automatically created. However, only the default VPC has a default subnet and an internet gateway created as well.
Which of the following are created automatically when you create a new custom VPC? (Choose two.) A. Security group B. NAT gateway C. Subnet D. Route table
A, D. This is a little tricky. While the default VPC automatically creates a subnet, additional VPCs do not. You do automatically get a security group, route table, and NACL, so in this case, you'd want to choose options A and D.
Which of the following can a VPC gateway endpoint connect to? (Choose two.) A. S3 B. Route 53 C. A Kinesis data stream D. DynamoDB
A, D. This is pretty tough and is arguably right at the boundary of what the CSA Associate exam might ask. A gateway endpoint handles all traffic for a supported AWS service. Further, it's not a specific portion of that service, so you can rule out a particular Kinesis data stream (C). That leaves A, B, and D. A and D make sense, while routing private traffic to Route 53 does not.
How many internet gateways can each VPC have? A. One B. Two C. Three D. One for each AZ in which the VPC exists
A. A VPC can only have a single internet gateway.
How quickly are changes made to the security group within a custom VPC applied? A. Immediately B. Within 60-90 seconds C. The next time each instance restarts, or within 24 hours if the instance does not restart D. Security groups aren't associated with VPCs.
A. Changes to a security group take place immediately. As a note, option D is a bit misleading. While security groups operate at various levels, they absolutely affect VPCs, so D is false
Which types of rules do security groups allow? A. Allow rules only B. Allow and deny rules C. Deny rules only D. Allow, deny, and permit rules
A. Security groups only provide for allow rules (A). All other traffic is automatically denied, so allow rules are the only means of allowing traffic in.
You have a hub-and-spoke network model, with VPC C at the center of the hub. There are six spokes, VPCs A, B, D, E, F, and G. Which VPCs can communicate with VPC A directly? (Choose two.) A. VPCs A and B B. VPC C C. VPC A D. Any additional VPCs peered directly with VPC A
B, D. Any spoke in a hub-and-spoke model can only directly communicate with the hub (option B), as well as any other peered VPCs (option D).
Which of the following is true about security groups? A. They evaluate all rules before deciding whether to allow traffic. B. They evaluate rules from top to bottom before deciding whether to allow traffic. C. They evaluate rules in numeric order before deciding whether to allow traffic. D. They evaluate orders from high to low before deciding whether to allow traffic.
A. Security groups evaluate all the rules on the group before deciding how to handle traffic
Which of the following statements are true? (Choose two.) A. The default VPC has an internet gateway attached by default. B. Custom VPCs do not have internet gateways attached by default. C. The default VPC does not have an internet gateway attached by default. D. Custom VPCs have internet gateways attached by default.
A, B. The default VPC does have an internet gateway attached to it, but custom VPCs do not. This is an important exam topic!
Which of these are types of VPC endpoints? (Choose two.) A. Interface endpoint B. Peering endpoint C. Gateway endpoint D. Service endpoint
A, C. A VPC endpoint comes in two flavors: an interface endpoint, which provides an elastic network interface and a private IP address, and a gateway endpoint, targeted for a specific route in your route table.
Which of the following allow a private instance to communicate with the Internet? (Choose two.) A. A NAT gateway B. An internet gateway C. A NAT instance D. A bastion host
A, C. Both a NAT instance and a NAT gateway provide for outgoing traffic to route to the Internet from instances within a private subnet.
Which of the following statements are true? (Choose two.) A. The default VPC has a NACL created by default. B. All incoming traffic is allowed by the default security group on a VPC. C. All outgoing traffic is allowed by the default security group on a VPC. D. The default security group for the default VPC allows inbound HTTP traffic.
A, C. Option A is true for both the default and custom VPCs: All VPCs have NACLs automatically created. While all outgoing traffic is allowed out by default (C), incoming traffic is restricted by default (B)—this includes inbound HTTP traffic (D)..
Security groups use which models for traffic? (Choose two.) A. Traffic is denied by default. B. Traffic is allowed by default. C. Traffic is only allowed if there are specific allow rules. D. Traffic is only denied if there are specific deny rules.
A, C. Security groups disallow all traffic unless there are specific allow rules for the traffic in the security group.
Which of the following are created automatically as part of the default VPC? (Choose two.) A. Internet gateway B. NAT gateway C. NACL D. IAM role
A, C. The key here is "default VPC." While subnets are not created in additional custom VPCs, the default VPC does get an internet gateway automatically (as well as a subnet). And all new VPCs get route tables, NACLs, and security groups.
You have created a custom VPC, created instances within that VPC, and stood up web servers on those instances. What are the simplest steps you might need to perform to serve this web content to the public Internet? (Choose two.) A. Add an internet gateway to the VPC. B. Create a NAT gateway for the instances. C. Create an ALB and point it at the instances. D. Set a public IP for the instances.
A, D. First, realize it's possible that almost any of these answers could be a part of a larger solution. However, the question asks for the simplest—or most direct—solutions. Given that, the solutions that are best are giving the instances public IP addresses (D) and adding an internet gateway to the VPC. You also will likely need routes in and out, security groups, etc.
Select the statement that is true. A. In a NACL, explicit rules must exist for both inbound and outbound traffic for a single request to get in and come back out. B. In a security group, explicit rules must exist for both inbound and outbound traffic for a single request to get in and come back out. C. In both NACLs and security groups, explicit rules must exist for both inbound and outbound traffic for a single request to get in and come back out. D. Neither NACLs nor security groups require both inbound and outbound explicit rules for the same piece of traffic.
A. NACLs are stateless—rules must exist for inbound and outbound—and security groups are stateful—anything allowed in is allowed back out automatically
What is the size of the default subnet in each availability zone within the default VPC? A. /20 B. /16 C. /28 D. /24
A. This is really tough and requires pure memorization. The default VPC has a CIDR block of /16, but the default subnet in each AZ is a /20.
Which of the following statements about a VPC endpoint are true? (Choose two.) A. It is a hardware device. B. It is a virtual device. C. It is automatically redundant. D. It scales vertically.
B, C. A VPC endpoint is a virtual device that provides redundancy via AWS (and automatically). This makes options B and C correct, and A wrong. VPC endpoints scale horizontally, not vertically.
Why would you use a VPC endpoint to connect your VPC to S3 storage? (Choose two.) A. To reduce the number of public IP addresses required by your VPC B. To avoid leaving the AWS network when traffic flows between the VPC and S3 C. To increase security of the VPC-to-S3 traffic D. To increase the speed as compared to using a NAT instance
B, C. A VPC endpoint provides a connection over the Amazon network between your VPC and a service, such as S3 (B). This avoids leaving the network and routing over the public Internet, which inherently provides greater security for the traffic involved (C).
All EC2 instances in the default VPC have which of the following by default? (Choose two.) A. An elastic IP address B. A public IP address C. A private IP address D. HTTP access for incoming requests
B, C. All EC2 instances in the default VPC have both a public and private IP address. They do not have an elastic IP address, and the security group that is created by default does not allow any inbound traffic (until changed manually).
You have a hub-and-spoke network model, with VPC G at the center of the hub. There are six spokes, VPCs A, B, C, D, E, and F. Which of the following are true? (Choose two.) A. VPCs A and B can communicate with each other directly. B. VPCs G and B can communicate with each other directly. C. VPCs A and C cannot communicate with each other directly. D. VPCs G and D cannot communicate with each other directly.
B, C. Any spoke in a hub-and-spoke model can only directly communicate with the hub (option B is true, while A is false). And the hub (VPC G) can communicate with all spokes (so C is true, but D is false).
You have created a custom VPC, created instances within that VPC, attached an internet gateway to the VPC, and stood up web servers on those instances. However, users are unable to access the web content. What might be the problem? (Choose two.) A. The security group doesn't allow outbound HTTP traffic. B. The security group doesn't allow inbound HTTP traffic. C. The instances don't have elastic IP addresses. D. The NACL for the VPC's subnet allows all inbound traffic.
B, C. Given the internet gateway, the most likely issues are the instances being accessible via IP (which C addresses) and traffic for web/HTTP being disallowed (B).
Which of the following statements about a VPC endpoint are true? (Choose two.) A. It requires a VPN connection. B. It can connect to DynamoDB. C. The VPC it is attached to must have an internet gateway. D. It never routes traffic over the public Internet.
B, D. A VPC endpoint can connect to S3 and DynamoDB, as well as a host of additional AWS services, so B is true. It does not require an internet gateway or a VPN connection and does not route traffic over the public Internet (D).
Which of the following are created automatically for the default VPC but not for custom VPCs? (Choose two.) A. A route table B. A subnet C. A security group allowing outbound traffic D. An internet gateway
B, D. All VPCs have NACLs, security groups, and route tables automatically created. However, only the default VPC has a default subnet and an internet gateway created as well, different from the custom VPC
Which of the following statements is false? A. A subnet cannot span multiple availability zones. B. A VPC can peer with no more than two other VPCs. C. A VPC can peer with VPCs in other AWS accounts. D. A subnet can be public or private if a VPC has an internet gateway attached.
B. A VPC can peer with unlimited other VPCs, so B is false. A subnet cannot span AZs, a VPC can peer with VPCs in other accounts, and a VPC having an internet gateway has no bearing on the public or private status of subnets within it.
Into how many subnets must an ALB be deployed (at a minimum)? A. One B. Two C. Three D. Five
B. ALBs are redundant across at least two subnets.
Which of the following is true about a new subnet created in a custom VPC that was set up with the default configuration? A. It needs a custom route table created. B. It can communicate with other subnets across availability zones. C. It will not have a NACL. D. It will have an internet gateway attached
B. All custom VPCs have a route table (so A is false) and a NACL (so C is false) and will not have an internet gateway (D is false). This leaves B, which is true: subnets can communicate with each other across availability zones by default.
How many VPCs can you create in a single AWS region by default? A. 3 B. 5 C. 10 D. 20
B. Five VPCs are allowed per region, per account, unless you contact AWS to raise this default limit.
Which of the following offers the most available IP addresses? A. /20 B. /16 C. /28 D. /18
B. In general, the smaller the number after the slash, the larger the CIDR block. /16 is the largest valid block. A /16 offers 65,536 IPv4 addresses
Select the statement that is true. A. Security groups are stateless and NACLs are stateful. B. Security groups are stateful and NACLs are stateless. C. Both security groups and NACLs are stateless. D. Both security groups and NACLs are stateful.
B. NACLs are stateless—rules and must exist for inbound and outbound. Security groups are stateful—anything allowed in is allowed back out automatically.
Select the statement that is true. A. In a NACL, traffic that is allowed in is automatically allowed back out. B. In a security group, traffic that is allowed in is automatically allowed back out. C. In both NACLs and security groups, explicit rules must exist for both inbound and outbound traffic for a single request to getin and come back out. D. Neither NACLs nor security groups require both inbound and outbound explicit rules for the same piece of traffic.
B. NACLs are stateless—rules must exist for inbound and outbound—and security groups are stateful—anything allowed in is allowed back out automatically.
Is the default VPC created by AWS public? A. Only if you set it to be public at creation time B. Yes C. Only for traffic over port 80 D. No
B. The default VPC has an internet gateway, and instances are given public IP addresses, so option B is correct. You do not create the default VPC (A), and security groups control specific access, not the public or private nature of the VPC and instances within it (C).
What is the size of the CIDR block created in the default VPC? A. /20 B. /16 C. /28 D. /24
B. This is a case of rote memorization. Default VPCs get a /16 CIDR block assigned to them.
You created a new instance in the default VPC. You want this instance to be publicly available and serve web content. What steps do you need to take? (Choose two.) A. Create an private IP for the instance. B. Create a public IP for the instance. C. Neither A nor B, these are done automatically. D. Update the security group to allow traffic over HTTP and HTTPS to the instance.
C, D. All EC2 instances in the default VPC have both a public and private IP address. Therefore, the only addition to serve web content would be to allow the web traffic in via security group.
You have a hub-and-spoke network model, with VPC B at the center of the hub. There are three spokes, VPCs A, C, and E. Which of the following are not true? (Choose two.) A. VPCs A and B can communicate with each other directly. B. VPCs C and B can communicate with each other directly. C. VPCs A and C can communicate with each other directly. D. VPCs C and E can communicate with each other directly.
C, D. Any spoke in a hub-and-spoke model can only directly communicate with the hub. This makes A and B true and C and D false; so the right answers are C and D.
Which of the following are not created as part of the default VPC? (Choose two.) A. Internet gateway B. Security group C. NAT gateway D. Bastion host
C, D. Default VPCs have a default subnet, along with a NACL, security group, and internet gateway, and a route table as well.
You created a new instance in a custom VPC. You want this instance to be publicly available and serve web content. What steps do you need to take? (Choose two.) A. Create an elastic IP for the instance. B. Create an internet gateway for the VPC. C. Update the security group to allow traffic over HTTP and HTTPS to the instance. D. Both A and B
C, D. Instances in any non-default VPCs need to be made public via an elastic or public IP (A), and the VPC itself needs an internet gateway (B). Further, you need to allow in web traffic via the security group (C). So this is an "All of the above" situation, translating into options C and D.
Which of the following is true about instances in a VPC using a VPC endpoint to connect to S3 storage? (Choose two.) A. They must have a public IP. B. They must route traffic through a NAT instance to get to the endpoint. C. They do not send their traffic over the public Internet to reach the VPC endpoint. D. They must have routes to the VPC endpoint in the VPC routing table
C, D. Instances that take advantage of a VPC endpoint do not need to have a public IP address or use a NAT instance. Instead, assuming they have a route to the endpoint (D), they send traffic over the AWS network to the connected service (C).
Which of the following are created automatically as part of the default VPC? (Choose two.) A. NAT instance B. NAT gateway C. Subnet D. Route table
C, D. The key here is "default VPC." While subnets are not created in additional custom VPCs, the default VPC does get a subnet automatically (as well as an internet gateway). And all new VPCs get route tables, NACLs, and security groups.
What benefit does adding a second internet gateway to your VPC provide? A. Increased network throughput via two channels into the VPC B. The second VPC can be used to facilitate VPC endpoints with S3 and DynamoDB. C. You can't add a second internet gateway to a single VPC. D. You can't have two internet gateways within the same region
C. A single VPC can have a single internet gateway. This limit isn't based on region (D) but on VPC (C).
You are attempting to create a VPC in an AWS account and getting an error. When you look at the console, you see that the region you're trying to create the VPC in already has five VPCs. What step should you take to create the VPC you need? A. You can't. Each region can only have five VPCs. B. Configure the VPC to be peered with an existing VPC to get around the five-VPC per-region limit. C. Contact AWS and explain your need for a higher number of VPCs in the region. D. Create the VPC in a different region.
C. A single region can only have five VPCs by default, but this limit can be raised by contacting AWS.
At what level do security groups operate? A. The subnet level B. The VPC level C. The instance level D. All of the above
C. The best way to remember this is to consider the process for creating an instance: you must select the security group for every instance. So security groups operate at the instance level (C).
How do you change a VPC that is set to use dedicated hosting tenancy to use default tenancy? A. You can change the hosting tenancy of the VPC without affecting the running instances. B. Stop all instances in the VPC, and then you can change the VPC's hosting tenancy. C. Remove all instances in the VPC, and then you can change the VPC's hosting tenancy. D. You can't; you must re-create the VPC.
D. A VPC cannot be changed from dedicated hosting tenancy to default hosting. You have to re-create the VPC.
Which of the following does a VPC endpoint require? A. Internet gateway B. NAT instance C. VPN connection D. None of the above
D. A VPC endpoint does not require any of these to connect; it is a private connection outside of these constructs altogether, which is part of why it is an attractive solution for internal AWS communication
Why would you choose a NAT instance over a NAT gateway? A. NAT instances are faster than NAT gateways. B. NAT instances auto-size to accommodate traffic increases, while NAT gateways do not. C. NAT instances are automatically kept updated with patches by AWS, while NAT gateways are not. D. You wouldn't; NAT gateways are, in general, a better solution than NAT instances.
D. All of the statements about NAT instances are false in A through C. Further, a NAT gateway is preferable to a NAT instance because it is managed by AWS rather than you, the architect.
Which of these allow you to SSH into an EC2 instance within a private subnet? A. A NAT gateway B. An internet gateway C. A NAT instance D. A bastion host
D. Only a bastion host (D) makes SSH available to private instances. You can use a NAT gateway or NAT instance to route traffic from these instances out, but a bastion host allows for SSH into private instances.
In which order are rules evaluated when a security group decides if traffic is allowed? A. Top to bottom B. High to low numeric order C. Low to high numeric order D. All rules are evaluated before a decision is made
D. Security groups evaluate all the rules on the group before deciding how to handle traffic.
What is the size of the CIDR block created in a custom VPC? A. /20 B. /16 C. /28 D. You must select a size at VPC creation.
D. There is no default CIDR block for custom VPCs. While the default VPC has a /16 CIDR block, custom VPCs must have this entered in.
Which of the following statements is false? A. One VPC can have a single internet gateway. B. One VPC can have multiple subnets. C. A single instance retains its public IP within a VPC when stopped and restarted. D. A single instance does not retain its public IP within a VPC when stopped and restarted.
D. VPCs can have a single internet gateway and multiple subnets. However, instances within a VPC with a public address have that address released when it is stopped and are reassigned a new IP when restarted.