Exam/Practice Questions - VPC - General


A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user's data centre. The user's data centre has CIDR 172.28.0.0/12. The user has also set up a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet. Which of the below mentioned options is not a valid entry for the main route table in this scenario?
A. Destination: 20.0.1.0/24 and Target: i-12345
B. Destination: 0.0.0.0/0 and Target: i-12345
C. Destination: 172.28.0.0/12 and Target: vgw-12345
D. Destination: 20.0.0.0/16 and Target: local

A

A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH?
A. Allow Inbound traffic on port 22 from the user's network
B. The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
C. The user can connect to an instance in a private subnet using the NAT instance
D. Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the Internet

A

A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25 and a private subnet with CIDR 20.0.0.128/25. The user has launched one instance each in the private and public subnets. Which of the below mentioned options cannot be the correct IP address (private IP) assigned to an instance in the public or private subnet?
A. 20.0.0.255
B. 20.0.0.132
C. 20.0.0.122
D. 20.0.0.55

A

A user has created a VPC with a subnet and a security group. The user has launched an instance in that subnet and attached a public IP. The user is still unable to connect to the instance. The internet gateway has also been created. What can be the reason for the error?
A. The internet gateway is not configured with the route table
B. The private IP is not present
C. The outbound traffic on the security group is disabled
D. The internet gateway is not configured with the security group

A

A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. The NAT instance ID is i-a12345. Which of the below mentioned entries are required in the main route table attached with the private subnet to allow instances to connect with the internet?
A. Destination: 0.0.0.0/0 and Target: i-a12345
B. Destination: 20.0.0.0/0 and Target: 80
C. Destination: 20.0.0.0/0 and Target: i-a12345
D. Destination: 20.0.0.0/24 and Target: i-a12345

A

A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is not true in this scenario?
A. VPC will create a routing instance and attach it with a public subnet
B. VPC will create two subnets
C. VPC will create one internet gateway and attach it to VPC
D. VPC will launch one NAT instance with an elastic IP

A

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group (DBSecGrp)?
A. Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp)
B. Allow Inbound on port 3306 from source 20.0.0.0/16
C. Allow Outbound on port 3306 for Destination Web Server Security Group (WebSecGrp)
D. Allow Outbound on port 80 for Destination NAT Instance IP

A

A user has launched an EC2 instance and installed a website with the Apache webserver. The webserver is running but the user is not able to access the website from the Internet. What can be the possible reason for this failure?
A. The security group of the instance is not configured properly.
B. The instance is not configured with the proper key-pairs.
C. The Apache website cannot be accessed from the Internet.
D. Instance is not configured with an elastic IP.

A

In regards to VPC, select the correct statement:
A. You can associate multiple subnets with the same Route Table.
B. You can associate multiple subnets with the same Route Table, but you can't associate a subnet with only one Route Table.
C. You can't associate multiple subnets with the same Route Table.
D. None of these.

A

You are the AWS architect at YCDIT2, Inc. Your client has a VPC with public and private subnets created by the VPC wizard. The VPC CIDR is 10.0.0.0/16. The public subnet is 10.0.1.0/24. The architecture you put together includes deploying a web server in the public subnet, receiving HTTP traffic on port 80; it also includes a Database server tier in the private subnet receiving traffic on port 3306. The client SysOps is configuring a security group for the public subnet called WebSG, and the private subnet's security group called DbSG. Which of the below entries is required in the web server security group?
A. Destination: DB Security group ID (DbSG), Port: 3306, Direction: Outbound
B. Destination: 0.0.0.0/0, Port: 80, Direction: Outbound
C. Source 10.0.1.0/24, Port: 3306, Direction: Inbound
D. Source 10.0.0.0/16, Port: 80, Direction: Inbound

A

You have an Amazon VPC with one private subnet and one public subnet with a Network Address Translator (NAT) server. You are creating a group of Amazon Elastic Cloud Compute (EC2) instances that configure themselves at startup via downloading a bootstrapping script from Amazon Simple Storage Service (S3) that deploys an application via GIT. Which setup provides the highest level of security?
A. Amazon EC2 instances in private subnet, no EIPs, route outgoing traffic via the NAT
B. Amazon EC2 instances in public subnet, no EIPs, route outgoing traffic via the Internet Gateway (IGW)
C. Amazon EC2 instances in private subnet, assign EIPs, route outgoing traffic via the Internet Gateway (IGW)
D. Amazon EC2 instances in public subnet, assign EIPs, route outgoing traffic via the NAT

A

You have five VPCs in a 'hub and spoke' configuration, with VPC 'A' in the center and individually paired with VPCs 'B', 'C', 'D', and 'E', which make up the 'spokes'. There are no other VPC connections. Which of the following VPCs can VPC 'B' communicate with directly?
A. VPC 'A'
B. VPCs 'A' and 'C'
C. VPCs 'C', 'D', and 'E'
D. VPCs 'A' and 'E'

A

You have launched an Amazon Elastic Compute Cloud (EC2) instance into a public subnet with a primary private IP address assigned, an internet gateway is attached to the VPC, and the public route table is configured to send all Internet-based traffic to the Internet gateway. The instance security group is set to allow all outbound traffic but cannot access the Internet. Why is the Internet unreachable from this instance?
A. The instance does not have a public IP address
B. The Internet gateway security group must allow all outbound traffic.
C. The instance security group must allow all inbound traffic.
D. The instance "Source/Destination check" property must be enabled.

A

A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the web server security group (WebSecGrp)?
A. Configure Destination as DB Security group ID (DBSecGrp) for port 3306 Outbound
B. Configure port 80 for Destination 0.0.0.0/0 Outbound
C. Configure port 3306 for source 20.0.0.0/24 Inbound
D. Configure port 80 Inbound for source 20.0.0.0/16

A With wizard creation, outbound is not open by default. Refer Link

You are the AWS SME at YCDIT2, Inc. Your AWS SysOps administrator created a VPC with a public subnet. He created and attached an Internet Gateway to the VPC, and launched an EC2 instance with a public IP in the subnet. He also created a security group for the EC2 instance. When trying to connect to the EC2 instance from the Internet, he was not able to. From the statements below, which could be a possible reason for his inability to connect? (*Choose 2*)
A. There is no entry in the route table pointing to the internet gateway as a Target
B. The admin did not configure the security group after he created it
C. The security group is denying any outbound traffic to the Internet
D. The admin forgot to create a NACL for the EC2 instance

A,B This was discussed in Lecture 41: Core Knowledge - AWS VPC Set of Questions #5 I had originally guessed A and C

You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer's DNS name. Which options are probable causes of this behavior? *Choose 2 answers*
A. The load balancer was not configured to use a public subnet with an Internet gateway configured
B. The Amazon EC2 instances do not have a dynamically allocated private IP address
C. The security groups or network ACLs are not properly configured for web traffic.
D. The load balancer is not configured in a private subnet with a NAT instance.
E. The VPC does not have a VGW configured.

A,C

Which of the following are characteristics of Amazon VPC subnets? *Choose 2 answers*
A. Each subnet maps to a single Availability Zone
B. A CIDR block mask of /25 is the smallest range supported
C. Instances in a private subnet can communicate with the Internet only if they have an Elastic IP.
D. By default, all subnets can route between each other, whether they are private or public
E. Each subnet spans at least 2 Availability zones to provide a high-availability environment

A,D

Which of the following are characteristics of Amazon VPC subnets? (*Choose 2*)
A. Each subnet maps to a single Availability Zone
B. A CIDR block mask of /25 is the smallest range supported
C. Instances in a private subnet can communicate with the Internet only if they have an Elastic IP
D. By default, all subnets in a VPC can route to one another without additional configuration
E. Each subnet spans at least 2 Availability zones to provide a high-availability environment

A,D For additional information please review lecture # 27 - AWS VPC Set of Questions #11 - 3rd Question

How many internet gateways can I attach to my custom VPC?
A. 1
B. One per Availability Zone.
C. 3
D. 2

A. Further information: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

Select the *incorrect statement*.
A. In Amazon VPC, an instance does not retain its private IP.
B. You may have only 1 internet gateway per VPC.
C. It is possible to have private subnets in a VPC.
D. In Amazon VPC, an instance retains its private IP.

A. An instance does retain its private IP address

Using the VPC wizard, you have created a VPC with CIDR 10.0.0.0/16 with a VPN-only private subnet and Hardware VPN Access connection. You need to connect to an instance in the private subnet over SSH. How should you define the instance's security group rule to allow SSH?
A. Allow Inbound traffic for SSH (port 22) from the corporate network
B. Allow port 22 on the security group of the VPN-only subnet to allow SSH inbound
C. Create a public subnet, implement a NAT instance and use it to connect to the VPN-only subnet instances
D. Allow Inbound traffic on port 22 to allow you to connect to a private subnet over the Internet

A. For additional Information Please Review Lecture 20 - AWS VPC Set of Questions # 4 - 1st Question

A user wants to access RDS from an EC2 instance using IP addresses. Both RDS and EC2 are in the same region, but different AZs. Which of the below mentioned options help configure that the instance is accessed faster?
A. Configure the Private IP of the Instance in RDS security group.
B. Security group of EC2 allowed in the RDS security group
C. Configuring the elastic IP of the instance in RDS security group
D. Configure the Public IP of the instance in RDS security group

A. Configure the Private IP of the Instance in RDS security group (Recommended as the data is transferred within the Amazon network and not through the internet - Refer link)

A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25. The user is trying to create the private subnet with CIDR 20.0.0.128/25. Which of the below mentioned statements is true in this scenario?
A. It will not allow the user to create the private subnet due to a CIDR overlap
B. It will allow the user to create a private subnet with CIDR as 20.0.0.128/25
C. This statement is wrong as AWS does not allow CIDR 20.0.0.0/25
D. It will not allow the user to create a private subnet due to a wrong CIDR range

B

A user has created a public subnet with VPC and launched an EC2 instance within it. The user is trying to delete the subnet. What will happen in this scenario?
A. It will delete the subnet and make the EC2 instance as a part of the default subnet
B. It will not allow the user to delete the subnet until the instances are terminated
C. It will delete the subnet as well as terminate the instances
D. Subnet can never be deleted independently, but the user has to delete the VPC first

B

You are attempting to connect to an instance in Amazon VPC without success. You have already verified that the VPC has an Internet Gateway (IGW), the instance has an associated Elastic IP (EIP), and correct security group rules are in place. Which VPC component should you evaluate next?
A. The configuration of a NAT instance
B. The configuration of the Routing Table
C. The configuration of the internet Gateway (IGW)
D. The configuration of SRC/DST checking

B

You have an environment that consists of a public subnet using Amazon VPC and 3 instances that are running in this subnet. These three instances can successfully communicate with other hosts on the Internet. You launch a fourth instance in the same subnet, using the same AMI and security group configuration you used for the others, but find that this instance cannot be accessed from the internet. What should you do to enable Internet access?
A. Deploy a NAT instance into the public subnet.
B. Assign an Elastic IP address to the fourth instance
C. Configure a publicly routable IP Address in the host OS of the fourth instance.
D. Modify the routing table for the public subnet.

B

A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is true in this scenario?
A. AWS VPC will automatically create a NAT instance with the micro size
B. VPC bounds the main route table with a private subnet and a custom route table with a public subnet
C. User has to manually create a NAT instance
D. VPC bounds the main route table with a public subnet and a custom route table with a private subnet

B This is more of a question for a VPC created through the wizard. Refer VPC Creation Scenario. The way it is implemented is: the main route table, which points to the NAT, is associated with the private subnets; as they have no direct internet access, they are private. Also, any new subnets created are by default associated with the main route table, making them private. The custom route table routes to the Internet Gateway, and the subnets associated with it are public; any new subnets created need to be explicitly associated with the custom route table to make them public. The NAT is created by the wizard depending upon the selection used.

Your company has seven offices including HQ. The company just implemented an application on AWS in a VPC. The application will be accessed by company employees from all seven locations. Latency and performance are not a big concern, however, the solution needs to be fast, easy to deploy, and cost effective. How would you architect the solution?
A. Deploy an OpenSSL server on an EC2 instance in your VPC. Have the employees establish SSL based remote access when they need to access the application
B. Establish a site-to-site IPSec VPN from each location to the VPC's VGW and adjust routing to allow access to the application
C. Establish a Direct Connect connection from each location to the VPC
D. You can not connect multiple locations concurrently to your AWS VPC

B For additional information please review Lecture # 23 - AWS VPC Set of Questions # 6 - 2nd Question

You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? *Choose 2 answers*
A. Configure web server VPC security groups to allow traffic from your customers' IPs.
B. Configure your web servers to filter traffic based on the ELB's "X-forwarded-for" header.
C. Configure ELB security groups to allow traffic from your customers' IPs and deny all outbound traffic.
D. Configure a VPC NACL to allow web traffic from your customers' IPs and deny all outbound traffic.

B,C
A. Configure web server VPC security groups to allow traffic from your customers' IPs (Web server is behind the ELB and customer IPs will never reach web servers)
B. Configure your web servers to filter traffic based on the ELB's "X-forwarded-for" header (get the customer IPs and create a custom filter to restrict access. Refer link)
C. Configure ELB security groups to allow traffic from your customers' IPs and deny all outbound traffic (ELB will see the customer IPs so it can restrict access; "deny all" basically means having no rules in outbound traffic, which is implicit, and since security groups are stateful this would work)
D. Configure a VPC NACL to allow web traffic from your customers' IPs and deny all outbound traffic (NACL is stateless, so deny all will not work)

When using the VPC wizard to create a VPC with private and public subnets, which of the below statements stands correct? (*Choose two*)
A. AWS VPC will automatically create a NAT instance with the micro size
B. VPC bounds the main route table with a private subnet and a custom route table with a public subnet
C. User has to select a NAT instance instead of the NAT gateway if needed during the wizard configuration
D. VPC bounds the main route table with a public subnet and a custom route table with a private subnet

B,C For additional information please review lecture # 24 - AWS VPC Set of Questions # 8 - 3rd Question

At which of the following levels can VPC Flow Logs be created? (*Choose 3*)
A. Instance Level
B. Network Interface Level
C. Subnet Level
D. VPC Level
E. Security Group Level
F. Network Access Control List Level

B,C,D Not at the instance level

When you create a custom VPC, which of the following are created automatically? (*Choose 3*)
A. NAT Gateway
B. Access Control List
C. Security Group
D. Internet Gateway
E. Route Table
F. Subnets

B,C,E When you create a custom VPC, a default Security Group, Access Control List, and Route Table are created automatically. You must create your own subnets, Internet Gateway, and NAT Gateway (if you need one).

Which of the following are true for Security Groups? (*Choose 3*)
A. Security Groups process rules in number order when deciding whether to allow traffic.
B. Security Groups operate at the instance level.
C. Security Groups operate at the subnet level.
D. Security Groups evaluate all rules before deciding whether to allow traffic.
E. Security Groups support both "allow" and "deny" rules.
F. Security Groups support "allow" rules only.

B,D,F Security Groups operate at the instance level, they support 'allow' rules only, and they evaluate all rules before deciding whether to allow traffic.

By default, how many VPCs am I allowed in each AWS Region?

5

A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1? Choose 2 answers
A. Establish a hardware VPN over the internet between VPC-2 and the on-premises network.
B. Establish a hardware VPN over the internet between VPC-1 and the on-premises network.
C. Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2.
D. Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than VPC-1.
E. Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1

B,E I got the same question in the SA Exam. B is for sure the answer as establishing a VPN connection to the same VPC is the recommended solution. However, I was not able to get to the other correct option and marked E as the second answer by the process of elimination. Direct Connect does not work across regions, so eliminating D. Also Direct Connect does not work with VPC Peering, so eliminating VPC-2 options A & C. Why not C? C is with a different VPC, i.e. VPC 2, which is peering with VPC 1, but peering will not allow you to access VPC 1 resources.

You are trying, unsuccessfully, to connect to the EC2 instance you just created in your AWS VPC environment. As part of your troubleshooting effort to fix this, you verified that the VPC has an Internet Gateway (IGW) attached to it, and that the instance has an associated Elastic IP (EIP), and the correct security group rules are in place. Which other VPC components should you evaluate? (*Choose two*)
A. The configuration of a NAT instance
B. The configuration of the Route Table
C. The configuration of the internet Gateway (IGW)
D. The configuration of SRC/DST checking
E. The EC2 Instance subnet's N. ACL configuration

B,E For additional information please review Lecture # 26 - AWS VPC Set of Questions # 10 - 3rd Question

Your company just partnered with an online training provider. You got assigned the task to architect the solution. The online training provider requested, for security reasons, that any traffic originated from your company's AWS environment and destined to the online provider, be sourced from a maximum of one or two fixed public IP addresses. Your AWS application instances, that should originate this traffic, are behind an ELB. Auto Scaling is also used to increase the application layer instances from 2 to 8 depending on the traffic load received from the ELB. The solution must be highly available. How would you architect the required solution?
A. Assign two EC2 instances fixed public IPs, force the other instances to send their online provider traffic to these two instances all the time.
B. Configure two NAT instances, one per AZ. Allocate and attach Elastic IP addresses to these instances, route the application EC2 instances traffic destined to the online provider through these two NAT instances, and provide the two Elastic IP addresses to your provider as the fixed source public IPs
C. Use Elastic IPs on the VPC Internet Gateway Public IP since all Internet Traffic passes through them
D. Use the ELB public IP addresses as the first IP addresses required

B. This was discussed in Lecture 45: Core Knowledge - AWS VPC Set of Questions #9
A. There are no fixed public IPs
B. Correct
C. IGW's do not perform NAT/PAT
D. Instance originated/initiated traffic out to the Internet does not go through the ELB

You have three separate VPCs in your AWS account in one region; currently the VPCs are operating separately. However, a new file sharing solution is launched in VPC-1 and you want the other two VPCs, VPC-2 and VPC-3, resources to be able to upload and download files from this file sharing solution. How can you architect a solution to allow the three VPCs to share the file sharing solution, taking into account cost effectiveness and speed of deployment?
A. Establish two peering connections between VPC-1 and VPC-2, and VPC-2 and VPC-3
B. Establish a peering connection between VPC-1 and VPC-2, and another between VPC-1 and VPC-3
C. Move the file sharing solution to your data center, and deploy VPN connections from each VPC to the data center
D. You can not share resources between VPCs in AWS

B. For additional information please review Lecture # 25 - AWS VPC Set of Questions # 9 - 2nd Question

You are the architect at YCDIT2, Inc. Your client has a multi AZ infrastructure on AWS, and plans, in a few months, to have a centralized, custom dashboard in the client's data center. The dashboard will need to interact with the multi AZ infrastructure. Data from the multi AZ infrastructure will be pulled from the data center. Latency and performance (bandwidth) are key. The solution needs to be up and running within a few months. How would you architect the solution?
A. Use redundant VPN connections to two VGW routers in the region, this should give you access to the infrastructure in all AZs
B. Use direct connect connection to the client VPC, as this will provide access to all AZs in the region, and will also provide better bandwidth and lower latency
C. Use one direct connect connection from the data center to each AZ in the region
D. You can not interact with multiple AZs from one location

B. For additional information please review Lecture 22 - AWS VPC Set of Questions # 6 - 2nd Question

Are you permitted to conduct your own vulnerability scans on your own VPC without alerting AWS first?
A. Yes.
B. No.

B. No

A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created both Public and VPN-Only subnets along with hardware VPN access to connect to the user's data centre. The user has not yet launched any instance, nor modified or deleted any setup. He wants to delete this VPC from the console. Will the console allow the user to delete the VPC?
A. Yes, the console will delete all the setups and also delete the virtual private gateway
B. No, the console will ask the user to manually detach the virtual private gateway first and then allow deleting the VPC
C. Yes, the console will delete all the setups and detach the virtual private gateway
D. No, since the NAT instance is running

C

A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 by mistake. The user is trying to create another subnet of CIDR 20.0.0.1/24. How can the user create the second subnet?
A. There is no need to update the subnet as VPC automatically adjusts the CIDR of the first subnet based on the second subnet's CIDR
B. The user can modify the first subnet CIDR from the console
C. It is not possible to create a second subnet as one subnet with the same CIDR as the VPC has been created
D. The user can modify the first subnet CIDR with AWS CLI

C

A user has created a VPC with the public subnet. The user has created a security group for that VPC. Which of the below mentioned statements is true when a security group is created?
A. It can connect to the AWS services, such as S3 and RDS by default
B. It will have all the inbound traffic by default
C. It will have all the outbound traffic by default
D. It will by default allow traffic to the internet gateway

C

A user has recently started using EC2. The user launched one EC2 instance in the default subnet in EC2-VPC. Which of the below mentioned options is not attached or available with the EC2 instance when it is launched?
A. Public IP address
B. Internet gateway
C. Elastic IP
D. Private IP address

C

If you want to launch Amazon Elastic Compute Cloud (EC2) Instances and assign each Instance a predetermined private IP address you should:
A. Assign a group or sequential Elastic IP address to the instances
B. Launch the instances in a Placement Group
C. Launch the instances in the Amazon virtual Private Cloud (VPC)
D. Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) already
E. Launch the Instance from a private Amazon Machine image (AMI)

C

When will you incur costs with an Elastic IP address (EIP)?
A. When an EIP is allocated.
B. When it is allocated and associated with a running instance.
C. When it is allocated and associated with a stopped instance.
D. Costs are incurred regardless of whether the EIP is associated with a running instance.

C

You need to design a VPC for a web-application consisting of an Elastic Load Balancer (ELB), a fleet of web/application servers, and an RDS database. The entire infrastructure must be distributed over 2 availability zones. Which VPC configuration works while assuring the database is not available from the Internet?
A. One public subnet for ELB, one public subnet for the web-servers, and one private subnet for the database
B. One public subnet for ELB, two private subnets for the web-servers, two private subnets for RDS
C. Two public subnets for ELB, two private subnets for the web-servers and two private subnets for RDS
D. Two public subnets for ELB, two public subnets for the web-servers, and two public subnets for RDS

C

A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance. Which of the below mentioned entries is *not required* for the NAT security group?
A. For Inbound allow Source: 20.0.1.0/24 on port 80
B. For Outbound allow Destination: 0.0.0.0/0 on port 80
C. For Inbound allow Source: 20.0.0.0/24 on port 80
D. For Outbound allow Destination: 0.0.0.0/0 on port 443

C The question is targeting the security group configuration for NAT. NAT is basically there to allow outgoing internet access for instances in the private subnet. You would configure the NAT with outbound rules enabled for http (80) / https (443), usually for package downloads. Option C is not required because the instance in the public subnet is handled through the Internet Gateway, and that access needs to be configured on the instance itself. For the NAT instance, it should allow inbound traffic from the private subnets so they can communicate with the internet (For Inbound allow Source: 20.0.1.0/24 on port 80), and allow outbound traffic to the Internet as it needs to reach the internet (For Outbound allow Destination: 0.0.0.0/0 on port 80 and port 443). It does not require "For Inbound allow Source: 20.0.0.0/24 on port 80", as the public subnets already have access to the Internet. So C is not required. Refer AWS documentation - NAT SG

You need to design a VPC for a web-application consisting of an ELB, a fleet of web application servers, and an RDS DB. The entire infrastructure must be distributed over 2 AZ. Which VPC configuration works while assuring the DB is not available from the Internet?
A. One Public Subnet for ELB, one Public Subnet for the web-servers, and one private subnet for the DB
B. One Public Subnet for ELB, two Private Subnets for the web-servers, and two private subnets for the RDS
C. Two Public Subnets for ELB, two private Subnets for the web-servers, and two private subnets for the RDS
D. Two Public Subnets for ELB, two Public Subnets for the web-servers, and two public subnets for the RDS

C ELB is a managed service whose scalability is maintained by AWS. However, underneath it still launches instances to handle the traffic, which are scaled accordingly. When you configure ELB you need to specify public subnets (in case of an external load balancer) in which the ELB instances would be launched. If you specify a single subnet and that AZ goes down, the ELB is non-functional even though you have your underlying instances in multiple AZs. So the best practice is to have multiple subnets associated with the ELB.

Select the incorrect statement A. In Amazon EC2, the private IP addresses are only returned to Amazon EC2 when the instance is stopped or terminated B. In Amazon VPC, an instance retains its private IP addresses when the instance is stopped. C. In Amazon VPC, an instance does NOT retain its private IP addresses when the instance is stopped. D. In Amazon EC2, the private IP address is associated exclusively with the instance for its lifetime

C. So, with that distinction, we see that the correct answer is C. An EC2-VPC instance DOES retain its private IP when stopped; thus statement C is incorrect. I highly recommend everyone review the lifecycle grid at the bottom of the above link, VERY informative.

You are the AWS SME at YCDIT2, Inc. One of the AWS administrators created a VPC with CIDR 10.0.0.0/16, with public and VPN-only subnets with hardware VPN access, using the VPC wizard. She has just created the VPC and did not launch any instances, nor has she modified anything after the VPC was launched. Now she wants to delete this VPC using the AWS console. How can she achieve this? A. The console will delete the VPC, its components including the Virtual Private Gateway B. The console will request detaching the Virtual Private Gateway first, then would allow deleting the VPC C. The console will delete the VPC, its components, and will also detach the Virtual Private Gateway D. She can't since the NAT instance is running

C. This was discussed in Lecture 44: Core Knowledge - AWS VPC Set of Questions #8

When attached to an Amazon VPC, which two components provide connectivity with external networks? *Choose 2 answers* A. Elastic IPs (EIP) B. NAT Gateway (NAT) C. Internet Gateway (IGW) D. Virtual Private Gateway (VGW)

C,D. A. Elastic IPs (EIP) (does not provide connectivity; a public IP address will do as well) B. NAT Gateway (NAT) (not attached to the VPC and still needs an IGW) C. Internet Gateway (IGW) D. Virtual Private Gateway (VGW). NAT still requires an IGW to allow instances in a private subnet to connect to the Internet, and it is not attached to the VPC. Also, EIP, IGW and VGW are all attached to a VPC; however, an EIP does not provide connectivity, and a public IP address can be used as well.

You are the AWS Solutions Architect at YCDIT2, Inc. You have been assigned a task to design a VPC for a web-application consisting of an Elastic Load Balancer (ELB), a fleet of web/application servers, and an RDS database. The entire Infrastructure must be highly available using two Availability zones. Which of the below configurations would work? (*Choose 2*) A. One public subnet for the web-servers, One public subnet for ELB, and one private subnet for the database B. Two private subnets for the web-servers, One public subnet for ELB, Two private subnets for database C. Two private subnets for the web-servers, Two public subnets for ELB, and two private subnets for database D. Two public subnets for the web-servers, Two public subnets for ELB, and two public subnets for database

C,D. As it doesn't say that the DBs have to be private. For additional information please review Lecture # 28 - AWS VPC Set of Questions # 12 - 2nd Question

At which EC2 instance states can the source/destination check attribute be changed? (*Choose two*) A. When the NAT instance state is terminated B. When the NAT instance state is pending C. When the NAT instance state is running D. When the NAT instance state is stopped

C,D. For additional information please review Lecture 19 - AWS VPC Set of Questions # 3 - 3rd Question

Your company has peered two VPCs in the same region, VPC-A and VPC-B as shown in the figure. Moreover, your company's HQ is connected to VPC-A using a Direct Connect connection. This connection to VPC-A is critical, and you are asked to make this setup more fault tolerant, and ensure that company HQ has connectivity to VPC-A at all times. How can you architect this solution quickly and cost effectively? (*Choose 2*) A. Peer the corporate network to VPC-B B. Connect Corporate network to VPC-B by a VPN connection such that it has another path to VPC-A C. Configure a second VPN connection between HQ and VPC-A from another customer gateway at the HQ D. Configure a second Direct Connect connection between VPC-A and HQ

C,D. For additional information please review Lecture # 29 - AWS VPC Set of Questions # 13 - 1st Question

Using AWS Direct Connect, with public and private VIFs you can: (*Choose 3*) A. Connect to AWS services over the private VIF B. Connect to your private VPC subnets over the public VIF C. Connect to your private VPC subnets over the private VIF, and to Public AWS services over the public VIF D. Substitute your internet connection at your DC with AWS's public Internet through the use of a NAT gateway in your VPC E. Once connected to your VPC through Direct Connect you can connect to all AZs within the region F. Using IPSec VPN you can connect over the public VIF to remote AWS regions as well

C,E,F. For additional information please review Lecture 22 - AWS VPC Set of Questions # 6 - 3rd Question

Your company has entered an agreement with two other vendors to jointly sell each other's line of products. All three are using VPCs in AWS in the same region. The agreement is that each of the three companies can directly access stock and pricing information of this line of products from the other VPCs. The EC2 instances hosting stock and pricing information in the three VPCs are on non-overlapping IP subnets. How can you architect this solution quickly and cost effectively? A. Implement an AWS direct connection in a full mesh between the three VPCs B. Use one of the three company VPCs as a hub and implement a VPN Cloud hub using VPN connections from the other two VPCs C. Create full mesh VPC peering connections between the three VPCs and adjust your routing tables to enable traffic flow between them D. These are different AWS accounts and you can not create VPC peering between them

C. The key points: all in the same region; "full mesh", as each of them can access the others; non-overlapping subnet CIDR blocks. A. Costly and takes time. B. Cloud hub is for alternate sites. C. Full mesh between each of the VPCs. D. Incorrect, as you can do VPC Peering with other AWS accounts. "Full Mesh" means there is a peering connection between all parties, e.g. for A, B, C: A<->B, A<->C, B<->C.

You have just created a 2nd VPC and launched an EC2 instance in a subnet of that VPC. You want this instance to be publicly available, but you forgot to assign a public IP address during creation. How might you make your instance reachable from the outside world? A. Go back and create a Public IP address. Associate it with your Internet Gateway. B. Create an Internet Gateway and associate the private IP address of your instance with it. C. Create an Internet gateway and an Elastic IP address. Associate the Elastic IP with the EC2 instance. D. Create an Elastic IP address for your instance.

C. An IGW is provided by default in a default VPC, but not in a manually created VPC. A Public IP address is needed, and of the options provided an EIP is the best option. Further information: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/default-vpc.html https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/working-with-vpcs.html https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-ip-addressing.html

You are the AWS Solutions Architect at YCDIT2, Inc. You have been assigned a task to design a VPC for a web-application consisting of an internet-facing Elastic Load Balancer (ELB), a fleet of web/application servers, and an RDS database. The entire Infrastructure must be highly available using two Availability zones. The database should not be accessible from the Internet. Which of the below configurations would work? A. One public subnet for the web-servers, One public subnet for ELB, and one private subnet for the database B. Two private subnets for the web-servers, One public subnet for ELB, Two private subnets for database C. Two private subnets for the web-servers, Two public subnets for ELB, and two private subnets for database D. Two public subnets for the web-servers, Two public subnets for ELB, and two public subnets for database

C. For additional information please review Lecture # 28 - AWS VPC Set of Questions # 12 - 1st Question. The ELB needs to be in 2 AZs, and since we are using an ELB, the web servers can be in a private subnet.

Which of the following is a chief advantage of using VPC endpoints to connect your VPC to services such as S3? A. VPC Endpoints offer a faster path through the public internet than you can realize with a NAT instance. B. VPC endpoints are dedicated hardware devices that cannot be accessed without the correct IAM credentials. C. Traffic between your VPC and the other service does not leave the Amazon network. D. VPC Endpoints require public IP addresses, offering rapid connectivity from the public internet.

C. In contrast to a NAT gateway, traffic between your VPC and the other service does not leave the Amazon network when using VPC endpoints.

You have created a VPC with CIDR 10.0.0.0/24. The VPC has two subnets: public (10.0.0.0/25) and private (10.0.0.128/25). For an anticipated project you want to increase the CIDR range of your VPC CIDR block. How can you do this? A. Change the subnet sizes to /28 subnets, then you will have more room to grow your VPC CIDR B. You can always change a VPC's original CIDR block as needed C. You can add additional VPC CIDR blocks, but can't change the existing one D. Delete all the subnets first, only then you can modify the size of the VPC

C. For additional Information Please Review Lecture 20 - AWS VPC Set of Questions # 4 - 2nd Question

You are the AWS SME at YCDIT2, Inc. You created a VPC with both public and private subnets. The VPC has the CIDR 10.0.0.0/16. The private subnet is 10.0.1.0/24 and the public subnet is 10.0.0.0/24. The goal is to host a web server in the public subnet receiving traffic on port 80, and a DB server in the private subnet receiving traffic on port 3306. The database servers will require infrequent Internet access for patching and updates. When you are configuring the security group of the NAT instance (NATSG), which of the below mentioned entries is *not required*? A. Allow Source: 10.0.1.0/24, Direction: Inbound, Port: 80 B. Allow Destination: 0.0.0.0/0, Direction: Outbound, Port: 80 C. Allow Source: 10.0.0.0/24, Direction: Inbound, Port: 80 D. Allow Destination: 0.0.0.0/0, Direction: Outbound, Port: 443

C. For additional Information Please review lecture 18 - AWS VPC Set of Questions # 2 - 2nd Question

After creating a VPC with CIDR 10.0.0.0/16, with the lack of proper architecture, the AWS SysOps admin created one large subnet of CIDR 10.0.0.0/16. Later on, another subnet was needed to host another tier of an application being deployed. The admin is trying to create another subnet of CIDR 10.0.1.0/24. Can she create the second subnet without disrupting services to the first subnet? A. Yes, she can configure the new subnet, and AWS will automatically adjust the VPC subnets so both can exist. B. Yes, edit the first subnet from the console to make room for the second one C. No, it is not possible to create a second subnet as the intended one overlaps with the existing one. D. Yes, delete the VPC and create a new one

C. For additional information please review Lecture 20 - 3rd Question

Your company has peered two VPCs in the same region, VPC-A and VPC-B. Moreover, your company's HQ is connected to VPC-A using a VPN connection. You want to make this setup more fault tolerant, and ensure that company HQ has connectivity to VPC-A at all times. How can you architect this solution quickly and cost effectively? A. Peer the corporate network to VPC-B B. Connect Corporate network to VPC-B by a VPN connection such that it has another path to VPC-A C. Configure a second VPN connection between HQ and VPC-A from another customer gateway at the HQ D. Configure a second VPC peering between VPC-A and VPC-B

C. For additional information please review Lecture 23 - AWS VPC Set of Questions - 1st Question

How can you predefine which private IPv4 addresses would be assigned to your EC2 instances' ENIs? A. Assign a group of sequential Elastic IP addresses to the instances B. Launch the instances in a Placement Group C. Launch the instances in Amazon Virtual Private Cloud (VPC) D. Launch the instances from a private Amazon Machine Image (AMI)

C. For additional information please review lecture # 27 - AWS VPC Set of Question # 11 - 1st Question

You are the AWS Architect at YCDIT2, Inc. Your client plans to connect their Data Center to their AWS VPC in preparation for an application launch in a few months. The application they are launching is chatty and has components in AWS and in the data center, and will be hosted in private AWS subnets in their AWS VPC. It also requires bandwidth and latency guarantees at all times. The solution has to be fault tolerant. Which connectivity method would you recommend for them? A. One VPN connection with two tunnels between one Customer Gateway and one VGW router on the AWS side B. Two Public VIFs over two Direct Connect connections, from two Customer routers to two different DX routers C. Two Direct Connect connections using two Customer routers and two private VIFs to two different Direct Connect routers D. One Direct Connect connection with one private VIF, and a backup VPN connection from two customer routers

C. This was discussed in Lecture 42: Core Knowledge - AWS VPC Set of Questions #6

Which of the below statements is true for any VPC security group, by default, when it is created? A. All inbound traffic will be explicitly denied B. All inbound traffic is allowed by default C. All outbound traffic is allowed by default D. Traffic to the internet gateway is allowed by default

C. For additional Information Please Review Lecture 18 - AWS VPC Set of Questions # 2 - 1st Question

A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 in this VPC. The user is trying to create another subnet with the same VPC for CIDR 20.0.0.1/24. What will happen in this scenario? A. The VPC will modify the first subnet CIDR automatically to allow the second subnet IP range B. It is not possible to create a subnet with the same CIDR as VPC C. The second subnet will be created D. It will throw a CIDR overlaps error

D

A user has created a VPC with CIDR 20.0.0.0/16. The user has created public and VPN only subnets along with hardware VPN access to connect to the user's datacenter. The user wants to make it so that all traffic coming to the public subnet follows the organization's proxy policy. How can the user make this happen? A. Set up a NAT with the proxy protocol and configure the public subnet to receive traffic from the NAT B. Set up a proxy policy in the internet gateway connected with the public subnet C. It is not possible to set up the proxy policy for a public subnet D. Set the route table and security group of the public subnet so that it receives traffic from a virtual private gateway

D

A user has created a VPC with public and private subnets using the VPC wizard. The user has not launched any instance manually and is trying to delete the VPC. What will happen in this scenario? A. It will not allow the VPC to be deleted as it has subnets with route tables B. It will not allow the VPC to be deleted since it has a running route instance C. It will terminate the VPC along with all the instances launched by the wizard D. It will not allow the VPC to be deleted since it has a running NAT instance

D

A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the internet? A. Use the internet gateway with a private IP B. Allow outbound traffic in the security group for port 80 to allow internet updates C. The private subnet can never connect to the internet D. Use NAT with an elastic IP

D

A user has created a subnet in a VPC and launched an EC2 instance within it. The user has not selected the option to assign the IP address while launching the instance. Which of the below mentioned statements is true with respect to the instance requiring access to the Internet? A. The instance will always have a public DNS attached to the instance by default B. The user can directly attach an elastic IP to the instance C. The instance will never launch if the public IP is not assigned D. The user would need to create an internet gateway and then attach an elastic IP to the instance to connect from the internet

D

In a default VPC, all Amazon EC2 instances are assigned 2 IP addresses at launch. What are they? A. A Public IP Address & Secret IP Address B. An Elastic IP Address & Public IP Address C. An IPv6 Address and Elastic IP Address D. A Private IP Address & Public IP Address

D

Security groups act like a firewall at the instance level, whereas _________ are an additional layer of security that act at the subnet level A. Route Tables B. VPC Security Groups C. DB Security Groups D. Network ACLs

D

A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user's data centre. Which of the below mentioned options is a valid entry for the main route table in this scenario? A. Destination: 20.0.0.0/24 and Target: vgw-12345 B. Destination: 20.0.0.0/16 and Target: ALL C. Destination: 20.0.1.0/16 and Target: vgw-12345 D. Destination: 0.0.0.0/0 and Target: vgw-12345

D. D is the right answer, as it needs to reach all destinations through the VPN gateway. See Scenario #3.

[PROFESSIONAL] You have deployed a three-tier web application in a VPC with a CIDR block of 10.0.0.0/28. You initially deploy two web servers, two application servers, two database servers and one NAT instance, for a total of seven EC2 instances. The web, application and database servers are deployed across two availability zones (AZs). You also deploy an ELB in front of the two web servers, and use Route53 for DNS. Web traffic gradually increases in the first few days following the deployment, so you attempt to double the number of instances in each tier of the application to handle the new load; unfortunately some of these new instances fail to launch. Which of the following could be the root cause? (*Choose 2 answers*) A. The Internet Gateway (IGW) of your VPC has scaled-up, adding more instances to handle the traffic spike, reducing the number of available private IP addresses for new instance launches. B. AWS reserves one IP address in each subnet's CIDR block for Route53 so you do not have enough addresses left to launch all of the new EC2 instances. C. AWS reserves the first and the last private IP address in each subnet's CIDR block so you do not have enough addresses left to launch all of the new EC2 instances. D. The ELB has scaled-up, adding more instances to handle the traffic, reducing the number of available private IP addresses for new instance launches E. AWS reserves the first four and the last IP address in each subnet's CIDR block so you do not have enough addresses left to launch all of the new EC2 instances.

D,E. ELB is a managed service whose scalability is maintained by AWS. However, underneath it still launches instances to handle the traffic, which are scaled accordingly. When you configure an ELB you need to specify public subnets (in the case of an external load balancer) in which the ELB instances would be launched. If you specify a single subnet and that AZ goes down, the ELB is non-functional even though you have your underlying instances in multiple AZs. So the best practice is to have multiple subnets associated with the ELB.

A user has created a VPC with public and private subnets using the VPC Wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. Which of the below mentioned entries are required in the main route table to allow the instances in VPC to communicate with each other? A. Destination : 20.0.0.0/24 and Target : VPC B. Destination : 20.0.0.0/16 and Target : ALL C. Destination : 20.0.0.0/0 and Target : ALL D. Destination : 20.0.0.0/16 and Target : Local

D.

You are the AWS architect at YCDIT2, Inc. You have been tasked to design and launch an EC2 NAT instance in a public subnet in your client's VPC. After creating and successfully testing the NAT instance, you have also updated your private subnet's route table such that the NAT device is the target for traffic destined to the Internet. However, the private subnet EC2 instances are still not able to connect to the Internet for updates and patch download. Which of the following steps could be a possible reason for this problem? A. NAT instance is launched with only one ENI in the public subnet B. The NAT instance has not been configured with the proper NAT rules to process the private instance's traffic intended for the internet C. The NAT instance will not work, you need to configure static, one-to-one NAT on the VPC Internet Gateway for private subnet's instances to connect to the Internet D. Disabling the Source/Destination Check attribute on the NAT instance

D. For additional Information Please review lecture 19 - AWS VPC Set of Questions # 3 - 2nd Question

You used the VPC wizard to create a VPC with public and private subnets. The VPC CIDR is 10.0.0.0/16, and the private subnet CIDR is 10.0.0.0/24. Which of the below main route table entries is required to allow the instances in the VPC to communicate with one another? A. Destination : 10.0.0.0/24 and Target : VPC B. Destination : 10.0.0.0/16 and Target : ALL C. Destination : 10.0.0.0/0 and Target : ALL D. Destination : 10.0.0.0/16 and Target : Local

D. For additional information please review Lecture # 24 - AWS VPC Set of Questions #8 - 2nd Question

Your company just implemented an HR application on AWS in a VPC. The application will provide payroll and benefits information to the employees and needs to be accessed from all twenty Company locations. Latency and performance are not a big concern; however, the solution needs to be fast and easy to deploy and cost effective. Your solution should also allow the twenty locations to communicate with one another. How would you architect the solution? A. Deploy an OpenSSL server on an EC2 instance in your VPC. Have the employees establish SSL based remote access when they need to access the HR application B. Establish a site-to-site IPSec VPN from each location to the VPC's VGW and adjust routing to allow access to the application C. You can not connect multiple locations concurrently to your AWS VPC D. You need to contact AWS first to increase the 10 VPNs per VGW limit, then configure VPN Cloudhub to connect the 20 locations

D. For additional information please review Lecture #23 - AWS VPC Set of Questions # 6 - 3rd Question

You are the AWS Architect at YCDIT2, Inc. You are helping a junior engineer understand why she is not able to delete the IGW that was configured and used for the test VPC in your AWS test environment. Which of the below would help her understand this better? A. IGW can not be deleted without deleting the VPC and all its resources B. IGW is serving Internet traffic, the user has to wait until traffic ceases before deletion C. You can not delete an IGW after it has been created D. The IGW is attached to the VPC and it has to be detached first before attempting the deletion.

D. For additional information please review lecture # 27 - AWS VPC Set of Question # 11 - 2nd Question

Which of the following is true? A. Both Security Groups and Network Access Control Lists are stateless. B. Both Security Groups and Network Access Control Lists are stateful. C. Security Groups are stateless and Network Access Control Lists are stateful. D. Security Groups are stateful and Network Access Control Lists are stateless.

D. Security Groups are stateful and Network Access Control Lists are stateless.

You created a subnet in a custom VPC and launched an EC2 instance in that subnet. During the EC2 instance creation, using the AWS console, you did not choose the option to assign a public IP address to your instance. This instance now needs access to the Internet, but it has no public IP address. How would you solve this internet connectivity issue for this EC2 instance? A. The instance will always have a public DNS attached to the instance by default B. Allocate and attach an Elastic IP directly to the instance C. The instance would not launch if the public IP is not assigned D. Create an internet gateway, attach it to the VPC, do the needed route table configuration for a public subnet. Adjust security group and NACL configurations to facilitate this, and finally, attach an elastic IP to the instance to connect to the Internet

D. For additional information please review Lecture 21 - 2nd Question

Which of the following allows you to SSH or RDP into an EC2 instance located in a private subnet? A. NAT Gateway B. NAT Instance C. Internet Gateway D. Bastion Host

D. A Bastion host allows you to securely administer (via SSH or RDP) an EC2 instance located in a private subnet. Don't confuse Bastions and NATs, which allow outside traffic to reach an instance in a private subnet.

A company wants to implement their website in a virtual private cloud (VPC). The web tier will use an Auto Scaling group across multiple Availability Zones (AZs). The database will use Multi-AZ RDS MySQL and should not be publicly accessible. What is the minimum required number of VPC subnets to achieve this? A. 1 B. 2 C. 3 D. 4

D. 4. For additional information please review Lecture # 26 - AWS VPC Set of Questions # 10 - 1st Question. Need at least 2 each for the RDS and the public web tier.

A company wants to implement their website in a virtual private cloud (VPC). The web tier will use an Auto Scaling group across multiple Availability Zones (AZs). Web facing instances will be served by an Elastic Load Balancer (ELB). The database will use Multi-AZ RDS MySQL and should not be publicly accessible. What is the minimum required number of VPC subnets to achieve this? A. 1 B. 2 C. 3 D. 4

D. 4 For additional information please review lecture # 26 - AWS VPC Set of Questions #10 - 2nd Question

A company wants to implement their website in a virtual private cloud (VPC). The web tier will use an Auto Scaling group across multiple Availability Zones (AZs). The database will use Multi-AZ RDS MySQL and should not be publicly accessible. What is the minimum number of subnets that need to be configured in the VPC? A. 1 B. 2 C. 3 D. 4

D. 4 (2 public subnets for web instances in multiple AZs and 2 private subnets for RDS Multi-AZ)

A user has setup a VPC with CIDR 20.0.0.0/16. The VPC has a private subnet (20.0.1.0/24) and a public subnet (20.0.0.0/24). The user's data centre has CIDR of 20.0.54.0/24 and 20.1.0.0/24. If the private subnet wants to communicate with the data centre, what will happen? A. It will allow traffic communication on both the CIDRs of the data centre B. It will not allow traffic with data centre on CIDR 20.1.0.0/24 but allows traffic communication on 20.0.54.0/24 C. It will not allow traffic communication on any of the data centre CIDRs D. It will allow traffic with data centre on CIDR 20.1.0.0/24 but does not allow on 20.0.54.0/24

D. It will allow traffic with data centre on CIDR 20.1.0.0/24 but does not allow on 20.0.54.0/24 (as the CIDR block would be overlapping)

True or False: A subnet can span multiple Availability Zones.

False, Each subnet must reside entirely within one Availability Zone and cannot span zones.

True or False: When peering VPCs, you may peer your VPC only with another VPC in your same AWS account.

False. You may peer a VPC to another VPC that's in your same account, or to any VPC in any other account.

True or False: You can accelerate your application by adding a second Internet Gateway to your VPC.

False. You may have only one Internet Gateway per VPC.

Your entire AWS infrastructure lives inside of one Amazon VPC. You have an infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application. Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else? If so, how? A. No. Two instances in two different AZs can't talk directly to each other via ICMP ping as that protocol is not allowed across subnet (i.e. broadcast) boundaries B. Yes. Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP C. Yes. The security group for the monitoring instance needs to allow outbound ICMP and the application instance's security group needs to allow inbound ICMP D. Yes. Both the monitoring instance's security group and the application instance's security group need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection-oriented protocol

It's #C. #A is incorrect, as instances in 2 different AZs within the same region can talk to each other. #B: they need not be in the same security group. #D: as a security group is stateful, you just need outbound on the monitoring instance and inbound on the monitored instance.

If you wanted to block a certain IP range accessing the environment, what options could be considered?

NACLs or Security Groups. NACLs would be preferred due to the following: 1) Security groups do not have Deny rules (only the implicit deny). 2) NACLs can have Deny rules. It is better to deny closer to the source, and SGs are closer to the instances.

If there are 2 instances, A and B, in the same VPC but different subnets and A can ping B, but B cannot ping A, what resources can be looked at as the potential problem and which resources can be ignored?

Route tables can be ignored, as there is always a route entry allowing anything within the VPC CIDR to communicate with any other instance in the same CIDR. Security groups or NACLs could prevent this communication. For security groups, if no changes were made to the default settings, all outbound traffic is allowed.

True or False: When I create a new security group, all outbound traffic is allowed by default.

True

True or False: An Application Load Balancer must be deployed into at least two subnets.

True

True or False: By default, new subnets in a custom VPC can communicate with each other across Availability Zones.

True. In a custom VPC with new subnets in each AZ, there is a route that supports communication across all subnets/AZs, plus a default SG with an allow rule 'All traffic, All protocols, All ports, from anything using this Default SG'. Further information:

What does VPC stand for?

Virtual Private Cloud

Which of the following offers the largest range of internal IP addresses? a. /16 b. /24 c. /28 d. /20

a. The /16 offers 65,536 possible addresses.

By default, instances in new subnets in a custom VPC can communicate with each other across Availability Zones. a. False b. True

b (True). In a custom VPC with new subnets in each AZ, there is a route that supports communication across all subnets/AZs, plus a default SG with an allow rule 'All traffic, All protocols, All ports, from anything using this Default SG'.
