HA Architecture Flashcards

1
Q

What is a load balancer?

A

A physical or virtual device that is used to help you balance network load across multiple servers.

2
Q

What are the three different types of load balancers?

A
  1. Application Load Balancer
  2. Network Load Balancer
  3. Classic Load Balancer
3
Q

What are application load balancers?

A

Best suited for load balancing of HTTP and HTTPS traffic. They operate at Layer 7 and are application-aware. You can create advanced request routing, sending specified requests to specific web servers.

4
Q

What are network load balancers?

A

Best suited for load balancing of TCP traffic where extreme performance is required. Operating at the connection level (Layer 4), they are capable of handling millions of requests per second while maintaining ultra-low latencies.

5
Q

What are classic load balancers?

A

Legacy Elastic Load Balancers. You can load balance HTTP/HTTPS applications and use Layer 7-specific features such as X-Forwarded-For and sticky sessions. You can also use strict Layer 4 load balancing for applications that rely purely on the TCP protocol.

6
Q

What does the 504 error in a classic load balancer mean?

A

It means that the application is having issues. This could be either at the Web Server layer or at the Database Layer, not the actual load balancer. Identify the issue and scale it up or out where possible.

7
Q

What is the X-Forwarded-For header?

A

It contains the public IP address of the user that is coming through via the load balancer.

8
Q

What is a target group in load balancing?

A

A group of targets that your load balancer routes requests to. You can have groups of EC2 instances for each region / language / etc.

9
Q

True or False. You use classic load balancers for intelligent routing.

A

False. You use application load balancers for intelligent routing.

10
Q

True or False. Instances monitored by ELB are reported as: InService or OutOfService.

A

True.

11
Q

True or False. When using a load balancer, you are given both a DNS name and an IP address.

A

False. They have their own DNS name. You are never given an IP address.

12
Q

What are sticky sessions?

A

A Classic Load Balancer routes each request independently to the registered EC2 instance with the smallest load. Sticky sessions allow you to bind a user’s session to a specific EC2 instance. This ensures all requests from the user during the session are sent to the same instance.

13
Q

Why do you want to use sticky sessions?

A

Say you are saving something locally on the EC2 instance; you want to enable sticky sessions so that you are able to retrieve that information readily.

14
Q

What if you sign on and notice that all the traffic is going to only one EC2 instance?

  • Enable Sticky Sessions
  • Disable Sticky Sessions?
A

Disable sticky sessions

15
Q

What is cross-zone load balancing?

A

Allows Elastic/Application load balancers to direct traffic across different zones to help ensure efficiency on your EC2 instances.

16
Q

A user is using Route53 and 100% of traffic is being sent to US-EAST-1A. You notice there is an EC2 instance in US-EAST-1B that isn’t getting any of the traffic. How can you make sure it gets its even share of the traffic?

A

Enable Cross Zone Load Balancing.

17
Q

What are path patterns?

A

Create a listener with rules to forward requests based on the URL path. Known as path-based routing.

18
Q

True or False. Sticky sessions enable your users to stick to the same EC2 instance. This can be useful if you are storing information locally on that instance.

A

True.

19
Q

True or False. Cross Zone Load balancing enables you to load balance across multiple endpoint locations.

A

False. Cross Zone Load balancing enables you to load balance across multiple availability zones.

20
Q

True or False. Path patterns allow you to direct traffic to different EC2 instances based on the URL contained in the request.

A

True.

21
Q

What are the three components of auto scaling?

A
  • Groups - the logical component
  • Configuration Templates - instructions for each group on how to launch and what to launch
  • Scaling Options - ways to scale your auto scaling group, i.e. dynamic scaling (resource based), scheduled (Monday morning 9 AM), etc.
22
Q

What are the 5 different scaling options (list them)?

A
  1. maintain current instance levels at all times
  2. scale manually
  3. scale based on a schedule
  4. scale based on demand
  5. use predictive scaling
23
Q

True or False. Maintaining your current instance levels at all times involves Amazon performing a periodic health check on running instances within the auto-scaling group. If it finds an unhealthy instance, it prompts the user with a notification.

A

False. Maintaining your current instance levels at all times involves Amazon performing a periodic health check on running instances within the auto-scaling group. If it finds an unhealthy instance, it terminates that instance and launches a new one.

24
Q

True or False. Manual scaling allows you to specify only the change in your maximum, minimum, or desired capacity of your auto-scaling group.

A

True. You can scale up / down the number of instances that you want to maintain.

25
Q

True or False. Scaling by schedule means that scaling actions are performed automatically as a function of time and date.

A

True. For when you know when you will need more / less resources.

26
Q

True or False. Scale based on demand allows you to use scaling policies to define parameters that control the scaling process.

A

True.

27
Q

What is predictive scaling?

A

Using auto-scaling in a way that combines predictive scaling and dynamic scaling (proactive and reactive approaches, respectively) to scale your Amazon EC2 capacity faster.

28
Q

True or False. HA Architecture is based around the below tenets:

  • always design for failure
  • use multiple AZs and multiple regions wherever you can
A

True.

29
Q

What is the difference between multi-AZ and Read Replicas for RDS?

A

Multi-AZ is for disaster recovery, read replica is for performance.

30
Q

What is the difference between scaling out and scaling up?

A

Scaling out is where we use auto-scaling groups and add additional EC2 instances. Scaling up is when you change the resources of your EC2 instance.

31
Q

How can you force a failover from one availability zone to another?

A

By doing a reboot.

32
Q

What is CloudFormation?

A

It’s a way of completely scripting your cloud environment.

33
Q

True or False. Quick start is a bunch of CloudFormation templates already built by AWS Solutions Architects allowing you to create complex environments very quickly.

A

True.

34
Q

What is Elastic Beanstalk?

A

Aimed at developers who are not as involved in AWS. An easier, less complicated version of CloudFormation. You can quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications.

35
Q

What are all the Compute AWS Services? List 8

A

EC2, Lightsail, ECR, ECS, EKS, Lambda, Batch, Elastic Beanstalk

36
Q

You have a website with three distinct services, each hosted by different web server autoscaling groups. Which AWS service should you use?

  • S3 Static Websites
  • Elastic Load Balancers (ELB)
  • Application Load Balancers (ALB)
  • Classic Load Balancers (CLB)
  • Network Load Balancers (NLB)
A

Application Load Balancers (ALB).

The ALB has functionality to distinguish traffic for different targets (mysite.co/accounts vs. mysite.co/sales vs. mysite.co/support) and distribute traffic based on rules for target group, condition, and priority.

37
Q

What is scaling out?

A

Scaling out is where you have more of the same resource separately working in parallel (visualize services sitting side by side).

38
Q

What is scaling up?

A

Scaling up is where you make it bigger and bigger, like an ugly tower with more floors being added after the initial design was finished.

39
Q

In discussions about cloud services the words ‘availability’, ‘durability’, ‘reliability’ and ‘resiliency’ are often used. What does durability mean?

A

Durability refers to the on-going existence of the object or resource. Note that it does not mean you can access it, only that it continues to exist.

40
Q

Which term is used to refer to the likelihood that a resource will recover from damage or disruption?

A

Resiliency can be described as the ability of a system to self-heal after damage or an event. Note that this does not mean that it will be available continuously during the event, only that it will recover on its own.

41
Q

Which term is used to refer to the likelihood that a resource will work as designed?

A

Reliability is closely related to availability; however, a system can be ‘available’ but not be working properly. Reliability is the probability that a system will work as designed. This term is not used much in AWS, but is still worth understanding.

42
Q

In S3 the durability of my files is ________.

A

99.99999999%

43
Q

When you have deployed an RDS (not Aurora) database into multiple availability zones, can you use the secondary database as an independent read node?

A

No, the secondary database is for high availability or DR - not for improving read performance. The high-availability feature is not a scaling solution for read-only scenarios; you cannot use a standby replica to serve read traffic. To service read-only traffic, you should use a Read Replica. For more information, see Working with Read Replicas of MariaDB, MySQL, and PostgreSQL DB Instances.

44
Q

True or False. AWS Global Accelerator uses the vast, congestion-free AWS global network to route TCP and UDP traffic to a healthy application endpoint in the closest AWS Region to the user.

A

True.

45
Q

True or False. Seamless failover is ensured because AWS Global Accelerator uses anycast IP addresses, which means the IP does not change when failing over between regions, so there are no issues with client caches having incorrect entries that need to expire.

A

True.

46
Q

True or False. Network Load Balancers intelligently route traffic for lowest latency.

A

False.

47
Q

True or False. A Route 53 failover routing policy uses a primary and standby configuration. Therefore, it sends all traffic to the primary until it fails a health check at which time it sends traffic to the secondary. Route 53 failover policy does not intelligently route traffic for the lowest latency.

A

True.

48
Q

True or False. Amazon CloudFront can be configured with “a pair of static IP addresses”.

A

False. Amazon CloudFront cannot be configured with “a pair of static IP addresses”.

49
Q

True or False. Route 53 can be used to load balance, however it does not have the ability to route based on information in the incoming request path.

A

True.

50
Q

What is CORS?

A

Cross-origin resource sharing (CORS) is a browser security feature that restricts cross-origin HTTP requests that are initiated from scripts running in the browser. If your REST API’s resources receive non-simple cross-origin HTTP requests, you need to enable CORS support.

51
Q

True or False. Elastic Map Reduce (EMR) is a hosted Hadoop framework and is not used for analytics on streaming data.

A

True.

52
Q

True or False. Firehose can be used for running SQL queries.

A

False. Firehose cannot be used for running SQL queries.

53
Q

What is used to partition shards within streams (in Kinesis Data Streams)?

A

A partition key. Kinesis Data Streams segregates the data records belonging to a stream into multiple shards. It uses the partition key that is associated with each data record to determine which shard a given data record belongs to.

54
Q

True or False. SQS is not best suited to streaming data and Kinesis is a better solution.

A

True.

55
Q

True or False. Amazon Kinesis Streams allows up to 1 MiB of data per second or 1,000 records per second for writes per shard. There is no limit on the number of shards, so you can easily scale Kinesis Streams to accept 50,000 per second.

A

True

56
Q

True or False. The cooldown period is a configurable setting for your Auto Scaling group that helps to ensure that it doesn’t launch or terminate additional instances before the previous scaling activity takes effect.

A

True.

57
Q

True or False. To apply the restrictions across multiple member accounts you must use a Service Control Policy (SCP) in the AWS Organization. The way you would do this is to create a deny rule that applies to anything that does not equal the specific instance type you want to allow.

A

True.

58
Q

True or False. CloudFormation helps users to deploy resources in a consistent and orderly way. By ensuring the CloudFormation templates are created and administered with the right security configurations for your resources, you can then repeatedly deploy resources with secure settings and reduce the risk of human error.

A

True.

59
Q

A recent security audit uncovered some poor deployment and configuration practices within your VPC. You need to ensure that applications are deployed in secure configurations.

How can this be achieved in the most operationally efficient manner?

  • Remove the ability for staff to deploy applications
  • Use CloudFormation with securely configured templates
  • Use AWS Inspector to apply secure configurations
  • Manually check all application configurations before deployment
A

Use CloudFormation with securely configured templates.

CloudFormation helps users to deploy resources in a consistent and orderly way. By ensuring the CloudFormation templates are created and administered with the right security configurations for your resources, you can then repeatedly deploy resources with secure settings and reduce the risk of human error.

60
Q

True or False. Removing the ability of staff to deploy resources does help you to deploy applications securely and solves the problem of how to deploy applications in a secure manner in an operationally efficient manner.

A

Removing the ability of staff to deploy resources does not help you to deploy applications securely as it does not solve the problem of how to do this in an operationally efficient manner.

61
Q

True or False. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It is not used to secure the actual deployment of resources, only to assess the deployed state of the resources.

A

True.

62
Q

A website runs on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer (ALB) which serves as an origin for an Amazon CloudFront distribution. An AWS WAF is being used to protect against SQL injection attacks. A review of security logs revealed an external malicious IP that needs to be blocked from accessing the website.

What should a solutions architect do to protect the application?

  • Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address
  • Modify the security groups for the EC2 instances in the target groups behind the ALB to deny the malicious IP address
  • Modify the network ACL on the CloudFront distribution to add a deny rule for the malicious IP address
A

Modify the configuration of AWS WAF to add an IP match condition to block the malicious IP address.

A new version of the AWS Web Application Firewall was released in November 2019. With AWS WAF classic you create “IP match conditions”, whereas with AWS WAF (new version) you create “IP set match statements”. Look out for wording on the exam.

The IP match condition / IP set match statement inspects the IP address of a web request’s origin against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from.

AWS WAF supports all IPv4 and IPv6 address ranges. An IP set can hold up to 10,000 IP addresses or IP address ranges to check.

63
Q

True or False. AWS WAF supports all IPv4 and IPv6 address ranges. An IP set can hold up to 10,000 IP addresses or IP address ranges to check.

A

True.

64
Q

True or False. The IP match condition / IP set match statement inspects the IP address of a web request’s origin against a set of IP addresses and address ranges. Use this to allow or block web requests based on the IP addresses that the requests originate from.

A

True.

65
Q

What is the difference between configuring AWS WAF classic and AWS WAF (new version)?

A

A new version of the AWS Web Application Firewall was released in November 2019. With AWS WAF classic you create “IP match conditions”, whereas with AWS WAF (new version) you create “IP set match statements”. Look out for wording on the exam.

66
Q

True or False.

With target tracking scaling policies, you select a scaling metric and set a target value. Amazon EC2 Auto Scaling creates and manages the CloudWatch alarms that trigger the scaling policy and calculates the scaling adjustment based on the metric and the target value.

The scaling policy adds or removes capacity as required to keep the metric at, or close to, the specified target value. In addition to keeping the metric close to the target value, a target tracking scaling policy also adjusts to the changes in the metric due to a changing load pattern.

A

True.

67
Q

An issue has been reported whereby Amazon EC2 instances are not being terminated from an Auto Scaling Group behind an ELB when traffic volumes are low. How can this be fixed?

  • Modify the scaling settings on the ELB
  • Modify the lower threshold settings on the ASG
  • Modify the scale down increment
  • Modify the upper threshold settings on the ASG
A

CORRECT: “Modify the lower threshold settings on the ASG” is the correct answer.

The lower threshold may be set too high. With the lower threshold, if the metric falls below this number for the breach duration, a scaling operation is triggered. If it’s set too high, you may find that your Auto Scaling group does not scale in when required.

INCORRECT: “Modify the upper threshold settings on the ASG” is incorrect. The upper threshold is the value that, if the metric exceeds it for the breach duration, triggers a scaling operation. This would be adjusted when you need to change the behaviour of scale-out events.

INCORRECT: “Modify the scale down increment” is incorrect. The scale down increment defines the number of EC2 instances to remove when performing a scaling activity. This changes the number of instances that are removed but does not change the conditions under which they are removed, which is the problem we need to solve here.

INCORRECT: “Modify the scaling settings on the ELB” is incorrect. You do not change scaling settings on an ELB; you change them on the Auto Scaling group.

68
Q

A company has some statistical data stored in an Amazon RDS database. The company wants to allow users to access this information using an API. A solutions architect must create a solution that allows sporadic access to the data, ranging from no requests to large bursts of traffic.

Which solution should the solutions architect suggest?

  • Set up an Amazon API Gateway and use Amazon ECS
  • Set up an Amazon API Gateway and use Amazon EC2 with Auto Scaling
  • Set up an Amazon API Gateway and use AWS Lambda functions
  • Set up an Amazon API Gateway and use AWS Elastic Beanstalk
A

CORRECT: “Set up an Amazon API Gateway and use AWS Lambda functions” is the correct answer.

This question is simply asking you to work out the best compute service for the stated requirements. The key requirements are that the compute service should be suitable for a workload that can range quite broadly in demand from no requests to large bursts of traffic.

AWS Lambda is an ideal solution as you pay only when requests are made and it can easily scale to accommodate the large bursts in traffic. Lambda works well with both API Gateway and Amazon RDS.

INCORRECT: “Set up an Amazon API Gateway and use Amazon ECS” is incorrect as Lambda is a better fit for this use case as the traffic patterns are highly dynamic.

INCORRECT: “Set up an Amazon API Gateway and use AWS Elastic Beanstalk” is incorrect as Lambda is a better fit for this use case as the traffic patterns are highly dynamic.

INCORRECT: “Set up an Amazon API Gateway and use Amazon EC2 with Auto Scaling” is incorrect as Lambda is a better fit for this use case as the traffic patterns are highly dynamic.

69
Q

True or False. You can enable API caching in Amazon API Gateway to cache your endpoint’s responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API.

A

True. When you enable caching for a stage, API Gateway caches responses from your endpoint for a specified time-to-live (TTL) period, in seconds. API Gateway then responds to the request by looking up the endpoint response from the cache instead of making a request to your endpoint. The default TTL value for API caching is 300 seconds. The maximum TTL value is 3600 seconds. TTL=0 means caching is disabled.

70
Q

An application is deployed on multiple AWS regions and accessed from around the world. The application exposes static public IP addresses. Some users are experiencing poor performance when accessing the application over the Internet.

What should a solutions architect recommend to reduce internet latency?

  • Set up AWS Direct Connect locations in multiple Regions
  • Set up AWS Global Accelerator and add endpoints
  • Set up an Amazon CloudFront distribution to access an application
  • Set up an Amazon Route 53 geoproximity routing policy to route traffic
A

CORRECT: “Set up AWS Global Accelerator and add endpoints” is the correct answer.

AWS Global Accelerator is a service in which you create accelerators to improve the availability and performance of your applications for local and global users. Global Accelerator directs traffic to optimal endpoints over the AWS global network. This improves the availability and performance of your internet applications that are used by a global audience. Global Accelerator is a global service that supports endpoints in multiple AWS Regions, which are listed in the AWS Region Table.

By default, Global Accelerator provides you with two static IP addresses that you associate with your accelerator. (Or, instead of using the IP addresses that Global Accelerator provides, you can configure these entry points to be IPv4 addresses from your own IP address ranges that you bring to Global Accelerator.)

The static IP addresses are anycast from the AWS edge network and distribute incoming application traffic across multiple endpoint resources in multiple AWS Regions, which increases the availability of your applications. Endpoints can be Network Load Balancers, Application Load Balancers, EC2 instances, or Elastic IP addresses that are located in one AWS Region or multiple Regions.

INCORRECT: “Set up AWS Direct Connect locations in multiple Regions” is incorrect as this is used to connect from an on-premises data center to AWS. It does not improve performance for users who are not connected to the on-premises data center.

INCORRECT: “Set up an Amazon CloudFront distribution to access an application” is incorrect as CloudFront cannot expose static public IP addresses.

INCORRECT: “Set up an Amazon Route 53 geoproximity routing policy to route traffic” is incorrect as this does not reduce internet latency as well as using Global Accelerator. GA will direct users to the closest edge location and then use the AWS global network.

71
Q

True or False. AMI IDs for EC2 instances differ across regions.

A

True.

72
Q

You are planning to use CloudFormation to deploy a Linux EC2 instance in two different regions using the same base Amazon Machine Image (AMI). How can you do this using CloudFormation?

  • Use two different CloudFormation templates since CloudFormation templates are region-specific.
  • Use Mappings to specify the base AMI since AMI IDs are different in each region
  • Use parameters to specify the base AMI since AMI IDs are different in each region
  • AMI IDs are identical across regions
A

Correct Answer: Use Mappings to specify the base AMI since AMI IDs are different in each region

Incorrect Answer: Use two different CloudFormation templates since CloudFormation templates are region-specific. Templates are not region-specific.

Incorrect Answer: Use parameters to specify the base AMI since AMI IDs are different in each region. AMI IDs are different in each region, but this is neither practical nor recommended, because it is not smart to use parameters to specify the base image.

Incorrect Answer: AMI IDs are identical across regions. They are different across regions.

73
Q

True or False. Using the Range HTTP header in a GET Object request, you can fetch a byte-range from an object, transferring only the specified portion. You can use concurrent connections to Amazon S3 to fetch different byte ranges from within the same object. This helps you achieve higher aggregate throughput versus a single whole-object request. Fetching smaller ranges of a large object also allows your application to improve retry times when requests are interrupted.

A

True.

74
Q

What port is SSL/TLS on?

A

443

75
Q

True or False. You can use AWS WAF with Network Load Balancer.

A

False. You cannot use AWS WAF with Network Load Balancer.

76
Q

True or False. You can use AWS WAF with Application Load Balancer.

A

True.

77
Q

True or False. You cannot use AWS Shield to protect against XSS attacks. Shield is used to protect against DDoS attacks.

A

True.

78
Q

True or False. You can use AWS Shield on both ALB and NLBs.

A

True.

79
Q

What are two metrics to use in SQS to help with dynamic scaling based on the number of jobs waiting in the queue?

A

To configure scaling you can use the backlog per instance metric with the target value being the acceptable backlog per instance to maintain. You can calculate these numbers as follows:

Backlog per instance: To calculate your backlog per instance, start with the ApproximateNumberOfMessages queue attribute to determine the length of the SQS queue (number of messages available for retrieval from the queue). Divide that number by the fleet’s running capacity, which for an Auto Scaling group is the number of instances in the InService state, to get the backlog per instance.

Acceptable backlog per instance: To calculate your target value, first determine what your application can accept in terms of latency. Then, take the acceptable latency value and divide it by the average time that an EC2 instance takes to process a message.

This solution will scale EC2 instances using Auto Scaling based on the number of jobs waiting in the SQS queue.

80
Q

True or False. With security groups, rules are always allow rules. The best practice is to configure the source as another security group which is attached to the EC2 instances that traffic will come from.

A

True.

81
Q

True or False. Internet Gateways are used by instances in public subnets to access the Internet and are less secure than a VPC endpoint.

A

True

82
Q

True or False. A proxy instance will use the public Internet and is less secure than a VPC endpoint.

A

True.

83
Q

True or False. A NAT Gateway is used by instances in private subnets to access the Internet, and this is less secure than a VPC endpoint.

A

True.

84
Q

True or False. Using Amazon CloudFront as the front-end provides the option to specify a custom message instead of the default message. To specify the specific file that you want to return and the errors for which the file should be returned, you update your CloudFront distribution to specify those values.

A

True.

85
Q

True or False. An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances.

A

True.

86
Q

A VPC has a fleet of EC2 instances running in a private subnet that need to connect to Internet-based hosts using the IPv6 protocol. What needs to be configured to enable this connectivity?

  • An Egress-Only Internet Gateway
  • VPN CloudHub
  • A NAT Gateway
  • AWS Direct Connect
A

CORRECT: “An Egress-Only Internet Gateway” is the correct answer.

An egress-only Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances.

INCORRECT: “VPN CloudHub” is incorrect. VPN CloudHub enables a hub-and-spoke model for communicating between multiple sites over a VPN connection.

INCORRECT: “A NAT Gateway” is incorrect. A NAT Gateway is used for enabling Internet connectivity using the IPv4 protocol only.

INCORRECT: “AWS Direct Connect” is incorrect. AWS Direct Connect is a private connection between your data center and an AWS VPC.

87
Q

True or False. Security groups can be used with VPC Peering, but it is better to use PrivateLink.

A

True.

88
Q

True or False. To restrict access so that consumers cannot connect to other instances in the VPC the best solution is to use a security group to create an endpoint for the application. The endpoint type will be an interface endpoint and it uses a PrivateLink in the shared services VPC.

A

False. To restrict access so that consumers cannot connect to other instances in the VPC, the best solution is to use PrivateLink to create an endpoint for the application. The endpoint type will be an interface endpoint and it uses an NLB in the shared services VPC.

89
Q

True or False. Amazon API Gateway does not decouple the client application from the back-end application-layer services by providing a single endpoint for API requests.

A

False. Amazon API Gateway decouples the client application from the back-end application-layer services by providing a single endpoint for API requests.

90
Q

True or False. If an API does not receive a high volume of traffic or requires extremely low latency, it would be more cost-efficient to use multiple EC2 instances and ELBs instead of API Gateway with AWS Lambda for back-end processing.

A

False. The API does not receive a high volume of traffic or require extremely low latency, so it would not be cost-efficient to use multiple EC2 instances and Elastic Load Balancers. Instead, the best course of action would be to recreate the API using API Gateway, which allows the customer to pay only for what they use. AWS Lambda can likewise be used for the back-end processing, reducing cost by using a pay-for-what-you-use serverless service.

91
Q

True or False. Amazon CloudFront can be used to stream video to users across the globe using a wide variety of protocols that are layered on top of HTTP. This can include both on-demand video as well as real time streaming video.

A

True.

92
Q

True or False. AWS Global Accelerator is a more expensive way of getting content closer to users compared to using CloudFront.

A

True.

93
Q

An application is running on Amazon EC2 behind an Elastic Load Balancer (ELB). Content is being published using Amazon CloudFront and you need to restrict the ability for users to circumvent CloudFront and access the content directly through the ELB.

How can you configure this solution?

  • Use a Network ACL to restrict access to the ELB
  • Create a VPC Security Group for the ELB and use AWS Lambda to automatically update the CloudFront internal service IP addresses when they change
  • Create an Origin Access Identity (OAI) and associate it with the distribution
  • Use signed URLs or signed cookies to limit access to the content
A

CORRECT: “Create a VPC Security Group for the ELB and use AWS Lambda to automatically update the CloudFront internal service IP addresses when they change” is the correct answer.

The only way to get this working is by using a VPC Security Group for the ELB that is configured to allow only the internal service IP ranges associated with CloudFront. As these ranges are updated from time to time, you can use AWS Lambda to automatically update the security group rules. The Lambda function is triggered by the SNS topic update that AWS publishes when the addresses change.

INCORRECT: “Create an Origin Access Identity (OAI) and associate it with the distribution” is incorrect. You can use an OAI to restrict access to content in Amazon S3 but not on EC2 or ELB.

INCORRECT: “Use signed URLs or signed cookies to limit access to the content” is incorrect. Signed cookies and URLs are used to limit access to files but this does not stop people from circumventing CloudFront and accessing the ELB directly.

INCORRECT: “Use a Network ACL to restrict access to the ELB” is incorrect. A Network ACL can be used to restrict access to an ELB but it is recommended to use security groups and this solution is incomplete as it does not account for the fact that the internal service IP ranges change over time.

94
Q

A website runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The website has a mix of dynamic and static content. Customers around the world are reporting performance issues with the website.

Which set of actions will improve website performance for users worldwide?

  • Migrate the website to an Amazon S3 bucket in the Regions closest to the users. Then create an Amazon Route 53 geolocation record to point to the S3 buckets
  • Create an Amazon CloudFront distribution and configure the ALB as an origin. Then update the Amazon Route 53 record to point to the CloudFront distribution
  • Create a latency-based Amazon Route 53 record for the ALB. Then launch new EC2 instances with larger instance sizes and register the instances with the ALB
  • Launch new EC2 instances hosting the same web application in different Regions closer to the users. Use an AWS Transit Gateway to connect customers to the closest region
A

CORRECT: “Create an Amazon CloudFront distribution and configure the ALB as an origin. Then update the Amazon Route 53 record to point to the CloudFront distribution” is the correct answer.

Amazon CloudFront is a content delivery network (CDN) that improves website performance by caching content at edge locations around the world. It can serve both dynamic and static content. This is the best solution for improving the performance of the website.

INCORRECT: “Create a latency-based Amazon Route 53 record for the ALB. Then launch new EC2 instances with larger instance sizes and register the instances with the ALB” is incorrect. Latency routing routes based on the latency between the client and AWS. There is no mention in the answer about creating the new instances in another region therefore the only advantage is in using larger instance sizes. For a dynamic site this adds complexity in keeping the instances in sync.

INCORRECT: “Launch new EC2 instances hosting the same web application in different Regions closer to the users. Use an AWS Transit Gateway to connect customers to the closest region” is incorrect as Transit Gateway is a service for connecting on-premises networks and VPCs to a single gateway.

INCORRECT: “Migrate the website to an Amazon S3 bucket in the Regions closest to the users. Then create an Amazon Route 53 geolocation record to point to the S3 buckets” is incorrect as with S3 you can only host static websites, not dynamic websites.

95
Q

What is Global Accelerator better than CloudFront for?

A

Global Accelerator is a good fit for non-HTTP use cases, such as gaming (UDP), IoT (MQTT), or Voice over IP, as well as for HTTP use cases that specifically require static IP addresses or deterministic, fast regional failover.

96
Q

What is the benefit of Static Addresses?

A

First, by using these addresses, you increase the Quality of Service (QoS) for your users by onboarding their traffic onto the AWS global network as close to them as possible. Typically, traffic must take multiple hops through the public internet, over potentially congested and non-redundant network paths, to reach your destination AWS Region. With AWS Global Accelerator, you get to leverage the AWS globally redundant network to help improve your application availability and performance. Second, you have the freedom to easily move your application between AWS Regions without changing your public interface. This means that you can plan for the future, knowing that if your needs change, you can easily migrate or add additional AWS Regions without worrying about how your users will connect to your applications.

97
Q

Does AWS Global Accelerator support IPv4 and IPv6?

A

The service currently supports IPv4 addresses.

98
Q

What’s the difference between routing based on the content of the request vs routing connections based on IP protocol data? What do NLBs and ALBs use?

A

Layer 7 - routing based on the content of the request

Layer 4 - routing connections based on IP protocol data

NLB - layer 4

ALB - layer 7

99
Q

What are the instance protocols for ALBs? NLBs? CLBs?

A

ALBs - HTTP/HTTPS

NLBs - TCP, TCP_UDP

CLBs - TCP, SSL, HTTP, HTTPS

100
Q

What are the load balancer protocols for ALBs? ELBs? CLBs?

A

ALBs - HTTP, HTTPS

ELBs - TCP, TLS, UDP, TCP_UDP

CLBs - TCP, SSL, HTTP, HTTPS

101
Q

True or False. ALBs support path-based routing, host-based routing, query string parameter-based routing and source IP address-based routing.

A

True.

102
Q

True or False. NLBs support IP addresses, Lambda Functions and containers as targets.

A

False. ALBs support IP addresses, Lambda Functions and containers as targets.

103
Q

True or False. ALBs support UDP and static IP addresses as targets.

A

False. NLBs support UDP and static IP addresses as targets.

104
Q

True or False. Only 1 subnet per AZ can be enabled for each ELB.

A

True.

105
Q

True or False. Internal-only load balancers do not need an internet gateway.

A

True.

106
Q

What is an ELB listener? What do they do for NLB/ALB/CLB?

A

The process that checks for connection requests.

  • Listeners for CLB provide options for TCP & HTTP/HTTPS.
  • Listeners for ALB only provide options for HTTP & HTTPS.
  • Listeners for NLB only provide TCP as an option.
107
Q

How many subnets do you need to specify for ALB/CLB/NLB?

A

ALB - 2 subnets must be specified

CLB - no subnets must be specified, unless you have “enable advanced VPC configuration”, in which case you need 2

NLB - 1 subnet must be specified

108
Q

What is deregistration delay?

A

The amount of time the ELB waits before deregistering a target.

109
Q

True or False. You can only use Auto Scaling with the load balancer if using instance IDs in your target group.

A

True.

110
Q

What are three different ways to monitor ELBs? Which are enabled by default and which are disabled?

A
  • CloudWatch - every 1 minute
    • ELB service only sends information when requests are active.
    • Can be used to trigger SNS notifications.
  • Access Logs.
    • Disabled by default.
    • Includes information about the clients (not included in CloudWatch metrics).
    • Can identify requester, IP, request type etc.
    • Can be optionally stored and retained in S3.
  • CloudTrail.
    • Can be used to capture API calls to the ELB.
    • Can be stored in an S3 bucket.
111
Q

True or False. CLBs do not have pre-defined IPv4 addresses but are resolved using a DNS name.

A

True.

112
Q

True or False. CLBs do not support Elastic IPs.

A

True.

113
Q

True or False. For a CLB within a VPC only IPv4 is supported.

A

True.

114
Q

True or False. Cross-zone load balancing is enabled by default for CLB and ALB but not for NLB (when created through the console). Cross-zone load balancing is NOT enabled by default if the CLB is created from the CLI or API.

A

True.

115
Q

True or False. You can enable or disable cross-zone load balancing on the CLB and NLB at any time. For the ALB, cross-zone load balancing is always on and cannot be disabled.

A

True.

116
Q

True or False. When cross-zone load balancing is enabled, each load balancer node distributes traffic across the registered targets in all enabled Availability Zones. When cross-zone load balancing is disabled, each load balancer node distributes traffic across the registered targets in its Availability Zone only.

A

True.

117
Q

True or False. Connection draining is enabled by default and provides a period of time for existing connections to close cleanly. When connection draining is in action a CLB will be in the status “InService: Instance deregistration currently in progress”.

A

True.

118
Q

True or False. CLB detects an increase in load and scales instantaneously.

A

False. CLB can take 1 to 7 minutes to detect an increase in load and scale.

119
Q

True or False. Proxy protocol for TCP/SSL carries the source (client) IP/port information. The Proxy Protocol header helps you identify the IP address of a client when you have a load balancer that uses TCP for back-end connections. Ensure the client doesn’t go through a proxy or there will be multiple proxy headers.

A

True.

120
Q

True or False. X-forwarded-for for HTTP/HTTPS carries the source IP/port information. To use an HTTPS listener the CLB must have an X.509 SSL/TLS server certificate – this will allow the CLB to terminate the secure session from the client to the CLB.

A

True.

121
Q

True or False.

  • Proxy protocol only applies to L7.
  • X-forwarded-for only applies to L4.
A

False.

  • Proxy protocol only applies to L4.
  • X-forwarded-for only applies to L7.
122
Q

True or False. Target groups can exist independently from the ALB. Target groups can have up to 1000 targets. A single target can be in multiple target groups, but only one protocol and one port can be defined per target group.

A

True.

123
Q

True or False. The target type in a target group can be an EC2 instance ID, IP address (must be a valid private IP from an existing subnet) or AWS Lambda Function (ALB only). You can use public IP addresses as targets. You can use instance IDs and IP address targets within the same target group.

A

False. The target type in a target group can be an EC2 instance ID, IP address (must be a valid private IP from an existing subnet) or AWS Lambda Function (ALB only). You cannot use public IP addresses as targets. You cannot use instance IDs and IP address targets within the same target group.

124
Q

True or False. You can mix different types within a target group (EC2, ECS, IP).

A

False. You cannot mix different types within a target group (EC2, ECS, IP).

125
Q

True or False. Each ALB needs at least two listeners and can have up to 10.

A

False. Each ALB needs at least one listener and can have up to 10.

126
Q

What do listeners do?

A

Listeners define the port and protocol to listen on.

127
Q

Multiple True or False. If False, why? Re: Listeners

  • Rules determine how the load balancer routes requests to the targets in one or more target groups.
  • Each rule consists of a priority, one or more actions, an optional host condition, and an optional path condition.
  • Any number of actions can be configured per rule.
A

True. Rules determine how the load balancer routes requests to the targets in one or more target groups.

True. Each rule consists of a priority, one or more actions, an optional host condition, and an optional path condition.

False. Only one action can be configured per rule.

128
Q

Multiple True or False. If False, why? Re: Listeners

  • 0 or more rules are required.
  • Each listener has a default rule and you can optionally define additional rules.
  • Up to 1000 rules per ALB.
A

False. One or more rules are required.

True. Each listener has a default rule and you can optionally define additional rules.

False. Up to 100 rules per ALB.

129
Q

Multiple True or False. If False, why? Re: Listeners

  • Rules determine what action is taken when the rule matches the client request.
  • Rules are defined on subnets.
  • You can add rules that specify different target groups based on the content of the request (content-based routing).
  • If no rules are found there will be “Error due to timeout”.
A

True. Rules determine what action is taken when the rule matches the client request.

False. Rules are defined on listeners.

True. You can add rules that specify different target groups based on the content of the request (content-based routing).

False. If no rules are found the default rule will be followed which directs traffic to the default target groups.

130
Q

How many conditions can a default rule have?

A

Default rules cannot have conditions.

131
Q

Multiple True or False. If False, why?

  • Each rule has a priority and they are evaluated in order of lowest to highest.
  • The default rule is evaluated first.
  • You can change the value of a non-default rule at any time.
  • You can change the value of the default rule only once.
A
  • True. Each rule has a priority and they are evaluated in order of lowest to highest.
  • False. The default rule is evaluated last.
  • True. You can change the value of a non-default rule at any time.
  • False. You cannot change the value of the default rule.
132
Q
A