VPC-5
The client that initiates the request chooses the ephemeral port range. The range varies depending on the client's operating system.
- Many Linux kernels (including the Amazon Linux kernel) use ports xxxx
- Requests originating from Elastic Load Balancing use ports xxx
- Windows operating systems through Windows Server 2003 use ports xxx
- Windows Server 2008 and later versions use ports xxx
- A NAT gateway uses ports xxx
- AWS Lambda functions use ports xxx
- Many Linux kernels (including the Amazon Linux kernel) use ports 32768-61000.
- Requests originating from Elastic Load Balancing use ports 1024-65535.
- Windows operating systems through Windows Server 2003 use ports 1025-5000.
- Windows Server 2008 and later versions use ports 49152-65535.
- A NAT gateway uses ports 1024-65535.
- AWS Lambda functions use ports 1024-65535.
Which of the following statements are true? (Choose two.)
1 Custom VPCs do not have internet gateways attached by default.
2 Custom VPCs have internet gateways attached by default.
3 The default VPC has an internet gateway attached by default.
4 The default VPC does not have an internet gateway attached by default.
1 and 3
What is the size of the default subnet in each availability zone within the default VPC?
1 /24
2 /20
3 /16
4 /28
2
A Solutions Architect needs to capture information about the traffic that reaches an Amazon Elastic Load Balancer. The information should include the source, destination, and protocol. What is the most secure and reliable method for gathering this data?
A: Use Amazon CloudWatch Logs to review detailed logging information
B: Create a VPC flow log for the subnets in which the ELB is running
C: Enable Amazon CloudTrail logging and configure packet capturing
D: Create a VPC flow log for each network interface associated with the ELB
D
What throughput does a NAT gateway have?
5Gbps of bandwidth with automatic scaling up to 45Gbps
Three Amazon VPCs are used by a company in the same region. The company has two AWS Direct Connect connections to two separate company offices and wishes to share these with all three VPCs. A Solutions Architect has created an AWS Direct Connect gateway. How can the required connectivity be configured?
A: Associate the Direct Connect gateway to a transit gateway
B: Create a transit virtual interface between the Direct Connect gateway and each VPC
C: Create a VPC peering connection between the VPCs and route entries for the Direct Connect Gateway
D: Associate the Direct Connect gateway to a virtual private gateway in each VPC
A
You have recently launched an EC2 instance that is hosting your new web application. The volume of users is expected to grow in the coming days as you are planning to post the product on producthunt.com. Which AWS services will you use in order to handle the demand and keep the users satisfied? (Choose two answers)
A: Use AWS Global Accelerator
B: Set up two EC2 instances and create an Elastic Load Balancer
C: Enable AWS Shield Standard
D: Set up Amazon GuardDuty
A and B
You can associate an AWS Direct Connect gateway with either of the following gateways:
- A transit gateway when you have multiple VPCs in the same Region.
- A virtual private gateway.
A pharmaceuticals company is looking for a simple solution to connect its VPCs and on-premises networks through a central hub. As a Solutions Architect, which of the following would you suggest as the solution that requires the LEAST operational overhead?
A: Partially meshed VPC peering can be used to connect the Amazon VPCs to the on-premises networks
B: Use AWS Transit Gateway to connect the Amazon VPCs to the on-premises networks
C: Fully meshed VPC peering can be used to connect the Amazon VPCs to the on-premises networks
D: Use Transit VPC Solution to connect the Amazon VPCs to the on-premises networks
B
A Solutions Architect is designing an application on AWS that will connect to the on-premises data center through a VPN connection. The solution must be able to log network traffic over the VPN. Which service logs this network traffic?
A. AWS (Amazon Web Services) CloudTrail logs
B. Amazon VPC flow logs
C. Amazon S3 bucket logs
D. Amazon CloudWatch logs
B
A business uses Site-to-Site VPN connections to provide safe access to AWS Cloud services from on-premises. Users are experiencing slower VPN connectivity as a result of increased traffic through the VPN connections to the Amazon EC2 instances. Which approach will result in an increase in VPN throughput?
A. Implement multiple customer gateways for the same network to scale the throughput.
B. Use a transit gateway with equal cost multipath routing and add additional VPN tunnels.
C. Configure a virtual private gateway with equal cost multipath routing and multiple channels.
D. Increase the number of tunnels in the VPN configuration to scale the throughput beyond the default limit.
B
A new AWS customer creates a Site-to-Site VPN between its on-premises datacenter and AWS. According to the firm's security policy, traffic originating on-premises shall remain inside the private IP space of the company while talking with an Amazon Elastic Container Service (Amazon ECS) cluster containing a sample web application. Which solution satisfies this criterion?
A. Configure a gateway endpoint for Amazon ECS. Modify the route table to include an entry pointing to the ECS cluster.
B. Create a Network Load Balancer and AWS PrivateLink endpoint for Amazon ECS in the same VPC that is hosting the ECS cluster.
C. Create a Network Load Balancer in one VPC and an AWS PrivateLink endpoint for Amazon ECS in another VPC. Connect the two VPCs by using VPC peering.
D. Configure an Amazon Route 53 record with Amazon ECS as the target. Apply a server certificate to Route 53 from AWS Certificate Manager (ACM) for SSL offloading.
B
Management has chosen to allow IPv6 on all AWS VPCs. After a period of time, a solutions architect attempts to create a new instance and gets an error indicating that the subnet does not have enough available IP address space. What should the solutions architect do to resolve this?
A. Check to make sure that only IPv6 was used during the VPC creation.
B. Create a new IPv4 subnet with a larger range, and then launch the instance.
C. Create a new IPv6-only subnet with a large range, and then launch the instance.
D. Disable the IPv4 subnet and migrate all instances to IPv6 only. Once that is complete, launch the instance.
B
A shared services VPC is being set up for use by several AWS accounts. An application needs to be securely shared from the shared services VPC. The solution should not allow consumers to connect to other instances in the VPC. How can this be set up with the least administrative effort? (choose 2)
A: Use AWS ClassicLink to expose the application as an endpoint service
B: Create a Network Load Balancer (NLB)
C: Configure security groups to restrict access
D: Use AWS PrivateLink to expose the application as an endpoint service
E: Set up VPC peering between each AWS VPC
B and D
A company has deployed an API in a VPC behind an internal Network Load Balancer (NLB). An application that consumes the API as a client is deployed in a second account in private subnets. Which architectural configurations will allow the API to be consumed without using the public Internet? (Select TWO.)
A: Configure a ClassicLink connection for the API into the client VPC. Access the API using the ClassicLink address
B: Configure a PrivateLink connection for the API into the client VPC. Access the API using the PrivateLink address
C: Configure an AWS Direct Connect connection between the two VPCs. Access the API using the private address
D: Configure an AWS Resource Access Manager connection between the two accounts. Access the API using the private address
E: Configure a VPC peering connection between the two VPCs. Access the API using the private address
B and E
A Solutions Architect is designing a solution that includes a managed VPN connection. To monitor whether the VPN connection is up or down, the Architect should use:
A. an external service to ping the VPN endpoint from outside the VPC.
B. AWS CloudTrail to monitor the endpoint.
C. the CloudWatch TunnelState Metric.
D. an AWS Lambda function that parses the VPN connection logs.
C
A business hosts a web service on Amazon EC2 instances that are routed via an Application Load Balancer. The instances are distributed across two Availability Zones through an Amazon EC2 Auto Scaling group. At all times, the corporation requires a minimum of four instances to achieve the needed service level agreement (SLA) requirements while keeping expenses low. How can the organization maintain compliance with the SLA if an Availability Zone fails?
A. Add a target tracking scaling policy with a short cooldown period.
B. Change the Auto Scaling group launch configuration to use a larger instance type.
C. Change the Auto Scaling group to use six servers across three Availability Zones.
D. Change the Auto Scaling group to use eight servers across two Availability Zones.
C
A company plans to run a monitoring application on an Amazon EC2 instance in a VPC. Connections are made to the instance using its private IPv4 address. A solutions architect needs to design a solution that will allow traffic to be quickly directed to a standby instance if the application fails and becomes unreachable. Which approach will meet these requirements?
A) Deploy an Application Load Balancer configured with a listener for the private IP address and register the primary instance with the load balancer. Upon failure, de-register the instance and register the secondary instance.
B) Configure a custom DHCP option set. Configure DHCP to assign the same private IP address to the secondary instance when the primary instance fails.
C) Attach a secondary elastic network interface (ENI) to the instance configured with the private IP address. Move the ENI to the standby instance if the primary instance becomes unreachable.
D) Associate an Elastic IP address with the network interface of the primary instance. Disassociate the Elastic IP from the primary instance upon failure and associate it with a secondary instance.
C
A company uses Application Load Balancers (ALBs) in multiple AWS Regions. The ALBs receive inconsistent traffic that varies throughout the year. The engineering team at the company needs to allow the IP addresses of the ALBs in the on-premises firewall to enable connectivity. Which of the following represents the MOST scalable solution with minimal configuration changes?
A: Develop an AWS Lambda script to get the IP addresses of the ALBs in different Regions. Configure the on-premises firewall's rule to allow the IP addresses of the ALBs
B: Migrate all ALBs in different Regions to Network Load Balancers (NLBs). Configure the on-premises firewall's rule to allow the Elastic IP addresses of all the NLBs
C: Set up AWS Global Accelerator. Register the ALBs in different Regions to the Global Accelerator. Configure the on-premises firewall's rule to allow static IP addresses associated with the Global Accelerator
D: Set up a Network Load Balancer (NLB) in one Region. Register the private IP addresses of the ALBs in different Regions with the NLB. Configure the on-premises firewall's rule to allow the Elastic IP address attached to the NLB
C
A web application development business has deployed hundreds of Application Load Balancers (ALBs) across several regions. The firm wants to build an allow list for all load balancers' IP addresses on its firewall device. A solutions architect is searching for a one-time, highly available solution to this requirement that will also help lower the number of IPs that the firewall must accept. What recommendations should the solutions architect make to satisfy these requirements?
A. Create an AWS Lambda function to keep track of the IPs for all the ALBs in different Regions. Keep refreshing this list.
B. Set up a Network Load Balancer (NLB) with Elastic IPs. Register the private IPs of all the ALBs as targets to this NLB.
C. Launch AWS Global Accelerator and create endpoints for all the Regions. Register all the ALBs in different Regions to the corresponding endpoints.
D. Set up an Amazon EC2 instance, assign an Elastic IP to this EC2 instance, and configure the instance as a proxy to forward traffic to all the ALBs.
C
An organization is extending a secure development environment into AWS. They have already secured the VPC, including removing the Internet Gateway and setting up a Direct Connect connection. What else needs to be done to add encryption?
A: Set up the Border Gateway Protocol (BGP) with encryption
B: Configure an AWS Direct Connect Gateway
C: Set up a Virtual Private Gateway (VPG)
D: Enable IPSec encryption on the Direct Connect connection
C
A business has two virtual private clouds (VPCs) labeled Management and Production. The Management VPC connects to a single device in the data center using VPNs via a customer gateway. The Production VPC is connected to AWS through two AWS Direct Connect connections via a virtual private gateway. Both the Management and Production VPCs communicate with one another through a single VPC peering connection. What should a solutions architect do to minimize the architecture's single point of failure?
A. Add a set of VPNs between the Management and Production VPCs.
B. Add a second virtual private gateway and attach it to the Management VPC.
C. Add a second set of VPNs to the Management VPC from a second customer gateway device.
D. Add a second VPC peering connection between the Management VPC and the Production VPC.
C Explanation: "To protect against a loss of connectivity in case your customer gateway device becomes unavailable, you can set up a second Site-to-Site VPN connection to your VPC and virtual private gateway by using a second customer gateway device."
A Solutions Architect is designing a web application that runs on Amazon EC2 instances behind an Elastic Load Balancer. All data in transit must be encrypted. Which solution options meet the encryption requirement? (choose 2)
A: Use an Application Load Balancer (ALB) with a TCP listener, then terminate SSL on EC2 instances
B: Use a Network Load Balancer (NLB) with an HTTPS listener, then install SSL certificates on the NLB and EC2 instances
C: Use an Application Load Balancer (ALB) with an HTTPS listener, then install SSL certificates on the ALB and EC2 instances
D: Use a Network Load Balancer (NLB) with a TCP listener, then terminate SSL on EC2 instances
E: Use an Application Load Balancer (ALB) in passthrough mode, then terminate SSL on EC2 instances
C and D
Can you disable IPv4 support for your VPC?
No. Your VPC can operate in dual-stack mode — your resources can communicate over IPv4, or IPv6, or both. IPv4 and IPv6 communication are independent of each other. You cannot disable IPv4 support for your VPC and subnets since this is the default IP addressing system for Amazon VPC and Amazon EC2.
Traffic Mirroring concepts:
o Target —
o Filter —
o Session —
o Target — The destination.
o Filter — A set of rules and conditions.
o Session — An entity that describes mirroring from source to destination.
A business hosts an application on Amazon EC2 instances in two VPCs spread across several AWS Regions. The instances interact with one another over the internet. The security team wants to guarantee that no communication occurs over the internet between the instances. What actions should a solutions architect take to achieve this?
A. Create a NAT gateway and update the route table of the EC2 instances' subnet.
B. Create a VPC endpoint and update the route table of the EC2 instances' subnet.
C. Create a VPN connection and update the route table of the EC2 instances' subnet.
D. Create a VPC peering connection and update the route table of the EC2 instances' subnet.
D
A company created a VPC with a single subnet, then launched an On-Demand EC2 instance in that subnet. You have attached an Internet gateway (IGW) to the VPC and verified that the EC2 instance has a public IP. The main route table of the VPC is as shown below: (see notes) However, the instance still cannot be reached from the Internet when you try to connect to it from your computer. Which of the following changes should be made to the route table to fix this issue?
A: Add this new entry to the route table: 0.0.0.0/27 -> Your Internet Gateway
B: Modify the above route table: 10.0.0.0/27 -> Your Internet Gateway
C: Add the following entry to the route table: 10.0.0.0/27 -> Your Internet Gateway
D: Add this new entry to the route table: 0.0.0.0/0 -> Your Internet Gateway
D
A company is planning to launch a High Performance Computing (HPC) cluster in AWS that does Computational Fluid Dynamics (CFD) simulations. The solution should scale out their simulation jobs to experiment with more tunable parameters for faster and more accurate results. The cluster is composed of Windows servers hosted on t3a.medium EC2 instances. As the Solutions Architect, you should ensure that the architecture provides higher bandwidth, higher packet per second (PPS) performance, and consistently lower inter-instance latencies. Which is the MOST suitable and cost-effective solution that the Architect should implement to achieve the above requirements?
A: Use AWS ParallelCluster to deploy and manage the HPC cluster to provide higher bandwidth, higher packet per second (PPS) performance, and lower inter-instance latencies.
B: Enable Enhanced Networking with Intel 82599 Virtual Function (VF) interface on the Windows EC2 Instances.
C: Enable Enhanced Networking with Elastic Fabric Adapter (EFA) on the Windows EC2 Instances.
D: Enable Enhanced Networking with Elastic Network Adapter (ENA) on the Windows EC2 Instances.
D
A company plans to use an Amazon VPC to deploy a web application consisting of an elastic load balancer, a fleet of web and application servers, and an Amazon RDS MySQL database that should not be accessible from the Internet. The proposed design must be highly available and distributed over two Availability Zones. What would be the MOST appropriate VPC design for this specific use case?
A: Two public subnets for the elastic load balancer, two public subnets for the web servers, and two public subnets for Amazon RDS.
B: One public subnet for the elastic load balancer, two private subnets for the web servers, and two private subnets for Amazon RDS.
C: One public subnet for the elastic load balancer, one public subnet for the web servers, and one private subnet for the database.
D: Two public subnets for the elastic load balancer, two private subnets for the web servers, and two private subnets for RDS.
D
An on-premises data center will be connected to an Amazon VPC by a hardware VPN that has public and VPN-only subnets. The security team has requested that traffic hitting public subnets on AWS that's destined to on-premises applications must be directed over the VPN to the corporate firewall. How can this be achieved?
A: Configure a NAT Gateway and configure all traffic to be directed via the virtual private gateway
B: In the VPN-only subnet route table, add a route that directs all Internet traffic to the virtual private gateway
C: In the public subnet route table, add a route for your remote network and specify the customer gateway as the target
D: In the public subnet route table, add a route for your remote network and specify the virtual private gateway as the target
D
A company has established a dedicated network connection from its on-premises data center to AWS Cloud using AWS Direct Connect (DX). The core network services, such as the Domain Name System (DNS) service and Active Directory services, are all hosted on-premises. The company has new AWS accounts that will also require consistent and dedicated access to these network services. Which of the following can satisfy this requirement with the LEAST amount of operational overhead and in a cost-effective manner?
A: Create a new AWS VPN CloudHub. Set up a Virtual Private Network (VPN) connection for additional AWS accounts.
B: Set up another Direct Connect connection for each and every new AWS account that will be added.
C: Set up a new Direct Connect gateway and integrate it with the existing Direct Connect connection. Configure a VPC peering connection between AWS accounts and associate it with Direct Connect gateway.
D: Create a new Direct Connect gateway and integrate it with the existing Direct Connect connection. Set up a Transit Gateway between AWS accounts and associate it with the Direct Connect gateway
D Explanation: VPC peering is not supported over a Direct Connect connection. VPC peering does not support transitive peering relationships.
A company hosted a web application on a Linux Amazon EC2 instance in the public subnet that uses a default network ACL. The instance uses a default security group and has an attached Elastic IP address. The network ACL has been configured to block all traffic to the instance. The Solutions Architect must allow incoming traffic on port 443 to access the application from any source. Which combination of steps will accomplish this requirement? (Select TWO.)
A: In the Security Group, create a new rule to allow TCP connection on port 443 to destination 0.0.0.0/0
B: In the Network ACL, update the rule to allow both inbound and outbound TCP connection on port 443 from source 0.0.0.0/0 and to destination 0.0.0.0/0
C: In the Network ACL, update the rule to allow outbound TCP connection on port 32768 - 65535 to destination 0.0.0.0/0
D: In the Security Group, add a new rule to allow TCP connection on port 443 from source 0.0.0.0/0
E: In the Network ACL, update the rule to allow inbound TCP connection on port 443 from source 0.0.0.0/0 and outbound TCP connection on port 32768 - 65535 to destination 0.0.0.0/0
D and E
To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on and outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client's source port.
The designated ephemeral port then becomes the destination port for return traffic from the service, so outbound traffic from the ephemeral port must be allowed in the network ACL. By default, network ACLs allow all inbound and outbound traffic. If your network ACL is more restrictive, then you need to explicitly allow traffic from the ephemeral port range.
Direct Connect: route propagation is enabled on VGW and not on CGW
Do NOT modify the Default NACL, instead create custom NACLs.
EFA: • Leverages Message Passing Interface (MPI) standard
Am I charged for network bandwidth between instances in different subnets?
If the instances reside in subnets in different Availability Zones, you will be charged $0.01 per GB for data transfer.
Default VPCs come with both an ________________ and _______________
Internet gateway public subnets
NAT Gateways have security groups?
No
Can I specify which VPC is my default VPC? Can I delete it?
Not at this time. You can delete the default VPC.
How are you charged for traffic mirroring?
Per hour
Note: SSH is TCP or UDP?
TCP
An Elastic IP address doesn't incur charges as long as all the following conditions are true:
- The Elastic IP address is associated with an EC2 instance.
- The instance associated with the Elastic IP address is running.
- The instance has only one Elastic IP address attached to it.
- The Elastic IP address is associated with an attached network interface, such as a Network Load Balancer or NAT gateway.
Can I have more than two network interfaces attached to my EC2 instance?
The total number of network interfaces that can be attached to an EC2 instance depends on the instance type.
You must specifically create a network path between your cluster's VPC and your data resources; otherwise COPY and UNLOAD commands might fail if the VPC is not configured correctly.
- True
- False
True
VPC sharing: The VPC owner shares what with whom? What cannot be shared?
Using VPC sharing, an account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations. The owner account cannot share the VPC itself.
VPC endpoints only work in the same region.
Can I use Elastic Network Interfaces as a way to host multiple websites requiring separate IP addresses on a single instance?
Yes, however, this is not a use case best suited for multiple interfaces. Instead, assign additional private IP addresses to the instance and then associate EIPs to the private IPs as needed.
How do you use DHCP in VPC?
You can create several sets of DHCP options in AWS. If you want your VPC to use a different set of DHCP options, you must create a new set and associate them with your VPC. You can also set up your VPC to use no DHCP options at all.
A transit VPC is what?
a common strategy for connecting multiple, geographically dispersed VPCs and remote networks in order to create a global network transit center. A transit VPC simplifies network management and minimizes the number of connections required to connect multiple VPCs and remote networks.
Direct Connect: Maximum resilience is achieved how?
by separate connections terminating on separate devices in more than one location.
A full mesh architecture allows what?
direct connections between all nodes of a network. On AWS this translates into direct connections between VPCs or regions without having to go through a central transit or hub VPC. Every VPC is connected to every other VPC.
DNS resolution in VPC:
- enableDnsSupport - what does it do? default?
- enableDnsHostname - what does it do? default?
- If you use custom DNS domain names in a private zone in Route 53, what should you do?
enableDnsSupport (= DNS Resolution setting)
- default true
- decides whether DNS resolution is supported for the VPC
- if true, queries the AWS DNS server at 169.254.169.253
enableDnsHostname (= DNS Hostname setting)
- false by default for a newly created VPC, true by default for the Default VPC
- won't do anything unless enableDnsSupport=true
- if true, assigns a public hostname to an EC2 instance if it has a public IP
If you use custom DNS domain names in a private zone in Route 53, you must set both these attributes to true.
When is the default VPC created by AWS?
on first-time provisioning of an EC2 instance in the region
To identify the location of your resources relative to your accounts, you must use what?
the AZ ID, which is a unique and consistent identifier for an Availability Zone.
When you launch an instance into a nondefault VPC, we provide the instance with a private DNS hostname and we might provide a public DNS hostname, depending on what?
the DNS attributes you specify for the VPC and if your instance has a public IPv4 address.
VPC Endpoint services: If ___________________ the solution is fault tolerant!
the NLB is in multiple AZs and the ENIs are in multiple AZs,
The OS-bypass capabilities of EFAs are not supported on Windows instances. If you attach an EFA to a Windows instance, what happens?
the instance functions as an Elastic Network Adapter, without the added EFA capabilities.
VPC - Reachability Analyzer: what does it do? Use cases?
• A network diagnostics tool that troubleshoots network connectivity between two endpoints in your VPC(s)
• It builds a model of the network configuration, then checks the reachability based on these configurations (it doesn't send packets)
• When the destination is
  • Reachable - it produces hop-by-hop details of the virtual network path
  • Not reachable - it identifies the blocking component(s) (e.g., configuration issues in SGs, NACLs, Route Tables, ...)
• Use cases: troubleshoot connectivity issues, ensure network configuration is as intended, ...
Transit Gateway: Site-to-Site VPN ECMP. What is it? Use cases?
• ECMP = Equal-cost multi-path routing
• Routing strategy that allows forwarding a packet over multiple best paths
• Use case: create multiple Site-to-Site VPN connections to increase the bandwidth of your connection to AWS
Routing to the bastion host, how is it done?
- If 1 bastion host:
- If 2 bastion hosts:
- If NLB:
• If 1 bastion host, use an elastic IP with an EC2 user-data script to access it
• If 2 bastion hosts, use a Network Load Balancer (layer 4) deployed in multiple AZs
• If NLB, the bastion hosts can live in the private subnet directly
• Note: Can't use an ALB, as the ALB is layer 7 (HTTP protocol)
Note:
• IPv4 cannot be disabled for your VPC and subnets. So, if you cannot launch an EC2 instance in your subnet, why? Solution?
• It's not because it cannot acquire an IPv6 address (the space is very large)
• It's because there are no available IPv4 addresses in your subnet
• Solution: create a new IPv4 CIDR in your subnet
Site-to-Site VPN Connections, Customer Gateway Device (on-premises): what IP address to use?
• Public Internet-routable IP address for your Customer Gateway device
• If it's behind a NAT device that's enabled for NAT traversal (NAT-T), use the public IP address of the NAT device
• Important step: enable Route Propagation for the Virtual Private Gateway in the route table that is associated with your subnets
• If you need to ping your EC2 instances from on-premises, make sure you add the ICMP protocol on the inbound of your security groups
High availability for bastion hosts:
• Run 2 across 2 AZs
• Run 1 across 2 AZs with 1 ASG 1:1:1