3 - VPC


Your company has a two-tier environment in its on-premises data center, composed of an application tier and a database tier. You are instructed to migrate this environment to the AWS cloud and to design the subnets in the VPC with the following requirements:
a) An application load balancer distributes the incoming traffic among the servers in the application tier.
b) The application tier and the database tier must not be accessible from the public Internet. The application tier should only accept traffic coming from the load balancer.
c) The database tier contains very sensitive data. It must not share a subnet with other AWS resources, nor share its custom route table with other instances in the environment.
d) The environment must be highly available and scalable to handle a surge of incoming traffic over the Internet.
How many subnets should you create to meet the above requirements?

6

You are a Solutions Architect working for a large multi-national bank in the Asia-Pacific region. You designed an application architecture that is deployed to AWS, which has four Reserved EC2 instances. To be able to securely and easily manage these instances, you created a bastion host in your VPC. When your CTO found out, he was concerned and asked you about what you have done. How will you describe what a bastion host is to your boss?

A bastion host is an EC2 instance in a public subnet of your VPC and is typically accessed using SSH or RDP. Once remote connectivity has been established with a bastion host, it then acts as a 'jump' server, allowing you to use SSH or RDP to log into other EC2 instances deployed in private subnets.

You have created a VPC with a single subnet and launched an On-Demand EC2 instance in that subnet. You have attached an Internet gateway (IGW) to the VPC and verified that the EC2 instance has a public IP. The main route table of the VPC is as shown below. However, the instance still cannot be reached from the Internet when you try to connect to it from your computer. Which of the following changes should be made to the route table to fix this issue?

Add this new entry to the route table: 0.0.0.0/0 -> Your Internet Gateway

A VPC has a non-default public subnet which has four On-Demand EC2 instances that can be accessed over the Internet. Using the AWS CLI, you launched a fifth instance that uses the same subnet, Amazon Machine Image (AMI), and security group which are being used by the other instances. Upon testing, you are not able to access the new instance. Which of the following is the most suitable solution to solve this problem?

Associate an Elastic IP address to the fifth EC2 instance.

A web application is deployed in an On-Demand EC2 instance in your VPC. There is an issue with the application which requires you to connect to it via an SSH connection. Which of the following is needed in order to access an EC2 instance from the Internet?

1) An Internet Gateway (IGW) attached to the VPC.
2) A route entry to the Internet gateway in the route table of the VPC.
3) A public IP address attached to the EC2 instance.

In your AWS VPC, you need to add a new subnet that will allow you to host a total of 20 EC2 instances. Which of the following IPv4 CIDR blocks can you use for this scenario?

172.0.0.0/27

You have a web application running on EC2 instances which processes sensitive financial information. All of the data is stored in an Amazon S3 bucket. The financial information is accessed by users over the Internet. The security team of the company is concerned that the Internet connectivity to Amazon S3 is a security risk. In this scenario, what will you do to resolve this security concern?

Change the web architecture to access the financial data through a Gateway VPC Endpoint.

You have two On-Demand EC2 instances inside your Virtual Private Cloud in the same Availability Zone but deployed to different subnets. One EC2 instance is running a database and the other is running a web application that connects to the database. You want to ensure that these two instances can communicate with each other for your system to work properly. What do you have to check so that these EC2 instances can communicate inside the VPC? (Choose 2)

Check the Network ACL if it allows communication between the two subnets, and if all security groups are set to allow the application host to communicate to the database on the right port and protocol.

You have set up a VPC with a public subnet and an Internet gateway. You set up an EC2 instance with a public IP as well. However, you are still not able to connect to the instance via the Internet. You checked its associated security group and it seems okay. What should you do to ensure you can connect to the EC2 instance from the Internet?

Check the main route table and ensure that the right route entry to the Internet Gateway (IGW) is configured.

A local bank has an in-house application which handles sensitive financial data in a private subnet. After the data is processed by the EC2 worker instances, it is delivered to S3 for ingestion by other services. How should you design this solution so that the data does not pass through the public Internet?

Configure a VPC Gateway Endpoint along with a corresponding route entry that directs the data to S3.

A large insurance company has an AWS account that contains three VPCs (DEV, UAT and PROD) in the same region. UAT is peered to both PROD and DEV using VPC peering connections. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from DEV to PROD to speed up time to market. Which of the following options helps the company accomplish this?

Create a new VPC peering connection between PROD and DEV with the appropriate routes.

You recently launched a new FTP server using an On-Demand EC2 instance in a newly created VPC with default settings. The server should not be accessible publicly but only through your IP address 175.45.116.100 and nowhere else. Which of the following is the most suitable way to implement this requirement?

Create a new inbound rule in the security group of the EC2 instance with the following details: Protocol: TCP; Port Range: 20 - 21; Source: 175.45.116.100/32

You are instructed by your manager to set up a bastion host in your Amazon VPC, and you should be the only person that can access it via SSH. What is the best way for you to achieve this?

Create a small EC2 instance and a security group which only allows access on port 22 via your IP address.

Your company is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage the fleet of Amazon EC2 instances running in both the public and private subnets. You have added a bastion host with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following bastion host deployment options will meet this requirement?

Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow RDP access to bastion only from the corporate IP addresses.

You are implementing a hybrid architecture for your company where you are connecting their Amazon Virtual Private Cloud (VPC) to their on-premises network. Which of the following can be used to create a private connection between the VPC and your company's on-premises network?

Direct Connect

You are a Solutions Architect working for an aerospace engineering company which recently adopted a hybrid cloud infrastructure with AWS. One of your tasks is to launch a VPC with both public and private subnets for their EC2 instances as well as their database instances respectively. Which of the following statements are true regarding Amazon VPC subnets?

Each subnet maps to a single Availability Zone and every subnet that you create is automatically associated with the main route table for the VPC.

A media company has two VPCs, VPC-1 and VPC-2, with a peering connection between them. VPC-1 only contains private subnets while VPC-2 only contains public subnets. The company uses a single AWS Direct Connect connection and a virtual interface to connect their on-premises network with VPC-1. Which of the following options increase the fault tolerance of the connection to VPC-1? (Select all that apply.)

Establish a hardware VPN over the Internet between VPC-1 and the on-premises network, then establish another AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1.

You are the Solutions Architect of a software development company where you are required to connect the on-premises infrastructure to their AWS cloud. Which of the following AWS services can you use to accomplish this?

IPsec VPN connection and AWS Direct Connect

You have designed and built a new AWS architecture. After deploying your application to an On-demand EC2 instance, you found that there is an issue in your application when connecting to port 443. After troubleshooting the issue, you added port 443 to the security group of the instance. How long will it take before the changes are applied to all of the resources in your VPC?

Immediately

You have an On-Demand EC2 instance located in a subnet in AWS which hosts a web application. The Route table attached to the VPC is shown below. You can establish an SSH connection into the EC2 instance from the internet. However, you are not able to connect to the web server using your Chrome browser. Which of the below steps would resolve the issue?

In the Security Group, add an Inbound HTTP rule.

You are a new Solutions Architect in your company. Upon checking the existing inbound rules of your Network ACL, you saw this configuration:
Rule 100: ALL Traffic - Allow
If a computer with an IP address of 110.238.109.37 sends a request to your VPC, what will happen?

It will be allowed

You are working as a Network Engineer for an electronics and communications company in Japan. You are told to implement a NAT instance in your VPC to allow certain EC2 instances to initiate connections to the Internet but restrict any requests coming from the Internet. In this scenario, what is the best way to configure a fault-tolerant NAT instance in your VPC?

Launch two NAT instances in two separate public subnets and add a route from the private subnet to each NAT instance to make it more fault tolerant.

You are working as a Solutions Architect in a top software development company in Silicon Valley. The company has multiple applications hosted in their VPC. While you are monitoring the system, you noticed that multiple port scans are coming in from a specific IP address block which are trying to connect to several AWS resources inside your VPC. The internal security team has requested that all offending IP addresses be denied for the next 24 hours for security purposes. Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?

Modify the Network Access Control List associated with all public subnets in the VPC to deny access from the IP Address block.

You are working as a Cloud Engineer in a leading technology consulting firm which is using a fleet of Windows-based EC2 instances with IPv4 addresses launched in a private subnet. Several software packages installed on the EC2 instances need to be updated via the Internet. Which of the following services can provide you with a highly available solution to safely allow the instances to fetch the software patches from the Internet but prevent outside networks from initiating a connection?

NAT Gateway

To protect your enterprise applications against unauthorized access, you configured multiple rules for your Network ACLs in your VPC. How are the access rules evaluated?

Network ACL Rules are evaluated by rule number, from lowest to highest, and executed immediately when a matching allow/deny rule is found.

You are a Solutions Architect working for a large insurance company that deployed their production environment on a custom Virtual Private Cloud in AWS with a default configuration. The VPC consists of two private subnets and one public subnet. Inside the public subnet is a group of EC2 instances which are created by an Auto Scaling group and all of the instances are in the same Security Group. Your development team has created a new web application which connects to mobile devices using a custom port. This application has been deployed to the production environment and you need to open this port globally to the Internet. Which of the following is the correct procedure?

Open the custom port on the Security Group. Your EC2 instances will be able to use this port immediately.

You are a Solutions Architect for a global news company. You are configuring a fleet of EC2 instances in a subnet of a VPC with an Internet gateway attached. All of these EC2 instances can be accessed from the Internet. You then create another subnet and launch an EC2 instance in it; however, you are not able to access this EC2 instance from the Internet. What could be the possible reasons for this issue?

The Amazon EC2 instance does not have a public IP address associated with it and the route table is not configured properly.

You launched an EC2 instance in your newly created VPC. You have noticed that the generated instance does not have an associated DNS hostname. Which of the following options could be a valid reason for this issue?

The DNS resolution and DNS hostname of the VPC configuration should be enabled.

One member of your DevOps team consulted you about a problem connecting to one of the EC2 instances in your VPC over the Internet. Your environment is set up with four EC2 instances that all belong to a public subnet. The EC2 instances also belong to the same security group. Everything works as expected except for one of the EC2 instances, which is unable to send or receive traffic over the Internet like the other three instances. What could be the possible reason for this issue?

The EC2 instance does not have a public IP address associated with it.

You are tasked to host a web application in a new VPC with private and public subnets. In order to do this, you will need to deploy a new MySQL database server and a fleet of EC2 instances to host the application. Into which subnet should you launch the new database server?

The private subnet

An online job site is using NGINX for its application servers hosted on EC2 instances and MongoDB Atlas for its database tier. MongoDB Atlas is a fully automated third-party cloud service which is not provided by AWS, but it supports VPC peering to connect to your VPC. Which of the following items are invalid VPC peering configurations?

Transitive Peering and Edge to Edge routing via a gateway

You are working as a Senior Solutions Architect for a data analytics company which has a VPC for their human resource department, and another VPC for their finance department. You need to configure your architecture to allow the finance department to access all resources that are in the human resource department and vice versa. Which type of networking connection in AWS should you set up to satisfy the above requirement?

VPC Peering

You were recently promoted to a technical lead role in your DevOps team. Your company has an existing VPC which has been largely unused for the past few months. The business manager instructed you to integrate your on-premises data center with your VPC. You explained the list of tasks that you'll be doing and mentioned a Virtual Private Network (VPN) connection. The business manager is not tech-savvy but is interested in knowing what a VPN is and what its benefits are. What is one of the major advantages of having a VPN in AWS?

You can connect your AWS cloud resources to on-premises data centers using VPN connections.
