Chapter 2 - Networking: VPC, ELB, API Gateway, AWS App Mesh, Direct Connect, Private Link, Global Accelerator, Transit Gateway, VPN Flashcards

1
Q

What are the characteristics of VPC security groups? Choose 3.

  1. You can specify allow rules, but not deny rules.
  2. You can specify separate rules for inbound and outbound traffic.
  3. You can specify deny rules, but not allow rules.
  4. When you create a security group, it has no inbound rules.
  5. When you create a security group, it has no outbound rules.
A
  1. You can specify allow rules, but not deny rules.
  2. You can specify separate rules for inbound and outbound traffic.
  3. You can specify deny rules, but not allow rules.
  4. When you create a security group, it has no inbound rules.
  5. When you create a security group, it has no outbound rules.
2
Q

Which of the following statements are true for security groups? Choose 3.

  1. Security groups are stateful.
  2. Security groups are stateless.
  3. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
  4. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
A
  1. Security groups are stateful.
  2. Security groups are stateless.
  3. If you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
  4. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
3
Q

Which of the following statements are true for default security group? Choose 3.

  1. If you don’t specify a security group when you launch an instance, the instance is automatically associated with the default security group for the VPC.
  2. Allows all inbound traffic from the outside world.
  3. Allows all inbound traffic from other instances associated with the default security group.
  4. Allows all outbound traffic from the instance.
  5. Denies all outbound traffic from the instance.
A
  1. If you don’t specify a security group when you launch an instance, the instance is automatically associated with the default security group for the VPC.
  2. Allows all inbound traffic from the outside world.
  3. Allows all inbound traffic from other instances associated with the default security group.
  4. Allows all outbound traffic from the instance.
  5. Denies all outbound traffic from the instance.
4
Q

What are the default rules of a new security group? Choose 2.

  1. Allows inbound traffic
  2. Denies outbound traffic
  3. Allows no inbound traffic
  4. Allows all outbound traffic
A
  1. Allows inbound traffic
  2. Denies outbound traffic
  3. Allows no inbound traffic
  4. Allows all outbound traffic
5
Q

You want to create a public-facing web server to host a blog. You are planning to place the Linux EC2 web server in a VPC with a subnet that has an IPv4 CIDR block. You also want to access the EC2 instance from your laptop. Which of the following steps are applicable? Choose 4.

  1. Create a nondefault VPC with a single public subnet and an internet gateway.
  2. Attach route tables to the VPC that allow traffic to flow from the subnet to the internet gateway.
  3. Create a security group for your instance that allows traffic only through specific ports to enable inbound HTTP, HTTPS and access from your home network address.
  4. Create a security group for your instance that allows traffic only through specific ports to enable inbound HTTP and HTTPS.
  5. Launch an Amazon EC2 instance into your subnet and associate an Elastic IP address with your instance.
A
  1. Create a nondefault VPC with a single public subnet and an internet gateway.
  2. Attach route tables to the VPC that allow traffic to flow from the subnet to the internet gateway.
  3. Create a security group for your instance that allows traffic only through specific ports to enable inbound HTTP, HTTPS and access from your home network address.
  4. Create a security group for your instance that allows traffic only through specific ports to enable inbound HTTP and HTTPS.
  5. Launch an Amazon EC2 instance into your subnet and associate an Elastic IP address with your instance.
6
Q

Which of the following statements are true regarding VPC and subnets? Choose 2.

  1. A VPC spans all the Availability Zones in the region.
  2. Each subnet must reside entirely within one Availability Zone and cannot span zones.
  3. Each subnet can span more than one Availability Zone.
  4. A VPC needs to be mapped to Availability Zones in a region.
A
  1. A VPC spans all the Availability Zones in the region.
  2. Each subnet must reside entirely within one Availability Zone and cannot span zones.
  3. Each subnet can span more than one Availability Zone.
  4. A VPC needs to be mapped to Availability Zones in a region.
7
Q

There are three subnets, 1A, 2A and 3A, each with one EC2 instance. The figure above depicts the IP addresses of the VPC, subnets and instances. The route tables attached to the three subnets are also depicted on the right side of the figure. Which subnet in the figure above is a public subnet?

  1. 1A
  2. 2A
  3. 3A
  4. None of the above
A
  1. 1A
  2. 2A
  3. 3A
  4. None of the above
8
Q

Which subnet in the figure above is a private subnet?

  1. 1A
  2. 2A
  3. 3A
  4. None of the above
A
  1. 1A
  2. 2A
  3. 3A
  4. None of the above
9
Q

Which subnet in the figure above is a VPN-only subnet?

  1. 1A
  2. 2A
  3. 3A
  4. None of the above
A
  1. 1A
  2. 2A
  3. 3A
  4. None of the above
10
Q

Which of the following statements are correct regarding CIDR block range of a VPC subnet? Choose 2.

  1. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC).
  2. The CIDR block of a subnet cannot be the same as the CIDR block for the VPC (for a single subnet in the VPC).
  3. The CIDR block of a subnet cannot be a subset of the CIDR block for the VPC (for multiple subnets).
  4. The CIDR block of a subnet can be a subset of the CIDR block for the VPC (for multiple subnets).
A
  1. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC).
  2. The CIDR block of a subnet cannot be the same as the CIDR block for the VPC (for a single subnet in the VPC).
  3. The CIDR block of a subnet cannot be a subset of the CIDR block for the VPC (for multiple subnets).
  4. The CIDR block of a subnet can be a subset of the CIDR block for the VPC (for multiple subnets).
11
Q

Which of the following statements are correct regarding IPv4 CIDR block range of a VPC subnet? Choose 2.

  1. The allowed block size is between a min: /28 netmask and max: /16 netmask.
  2. If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap.
  3. If you create more than one subnet in a VPC, the CIDR blocks of the subnets can overlap.
  4. The allowed block size is between a min: /16 netmask and max: /28 netmask.
A
  1. The allowed block size is between a min: /28 netmask and max: /16 netmask.
  2. If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap.
  3. If you create more than one subnet in a VPC, the CIDR blocks of the subnets can overlap.
  4. The allowed block size is between a min: /16 netmask and max: /28 netmask.
12
Q

How many IP addresses in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance?

  1. 2
  2. 3
  3. 4
  4. 5
A
  1. 2
  2. 3
  3. 4
  4. 5
13
Q

Which of the following rules apply when you add IPv4 CIDR blocks to a VPC that’s part of a VPC peering connection? Choose 3.

  1. If the VPC peering connection is active, you can add CIDR blocks to a VPC provided they do not overlap with a CIDR block of the peer VPC.
  2. If the VPC peering connection is pending-acceptance, the owner of the requester VPC cannot add any CIDR block to the VPC, regardless of whether it overlaps with the CIDR block of the accepter VPC. Either the owner of the accepter VPC must accept the peering connection, or the owner of the requester VPC must delete the VPC peering connection request, add the CIDR block, and then request a new VPC peering connection.
  3. If the VPC peering connection is pending-acceptance, the owner of the accepter VPC can add CIDR blocks to the VPC. If a secondary CIDR block overlaps with a CIDR block of the requester VPC, the VPC peering connection request fails and cannot be accepted.
  4. If the VPC peering connection is active, you can add CIDR blocks to a VPC which overlap with a CIDR block of the peer VPC.
A
  1. If the VPC peering connection is active, you can add CIDR blocks to a VPC provided they do not overlap with a CIDR block of the peer VPC.
  2. If the VPC peering connection is pending-acceptance, the owner of the requester VPC cannot add any CIDR block to the VPC, regardless of whether it overlaps with the CIDR block of the accepter VPC. Either the owner of the accepter VPC must accept the peering connection, or the owner of the requester VPC must delete the VPC peering connection request, add the CIDR block, and then request a new VPC peering connection.
  3. If the VPC peering connection is pending-acceptance, the owner of the accepter VPC can add CIDR blocks to the VPC. If a secondary CIDR block overlaps with a CIDR block of the requester VPC, the VPC peering connection request fails and cannot be accepted.
  4. If the VPC peering connection is active, you can add CIDR blocks to a VPC which overlap with a CIDR block of the peer VPC.
14
Q

Which subnet security feature is an optional, extra layer of security?

  1. Security Groups
  2. Network ACLs
  3. Routing Table
  4. Internet Gateway
A
  1. Security Groups
  2. Network ACLs
  3. Routing Table
  4. Internet Gateway
15
Q

You have created a VPC, a subnet and instances as below:

A VPC with CIDR block 10.0.0.0/16

A subnet in that VPC with CIDR block 10.0.1.0/24

Instances running in that subnet with IP addresses 10.0.1.6 and 10.0.1.7

On-premises host networks using CIDR blocks 10.0.30.0/24 and 10.1.31.0/24

You have appropriately configured their security group settings so that inbound and outbound connections can be made between the VPC and your on-premises network. However, when the instances in the VPC try to talk to hosts in the 10.0.30.0/24 address space in your corporate network, the traffic is dropped, yet they can talk to hosts in the 10.1.31.0/24 address space. What could be the reason? Choose 2.

  1. You also have to configure the network ACL for communication between the VPC and your corporate address space.
  2. Your VPC address space 10.0.0.0/16 overlaps with one of your on-premises networks’ prefixes, 10.0.30.0/24, so the traffic to that network’s prefix is dropped.
  3. Your VPC instances can talk to hosts in the 10.1.31.0/24 space because that block isn’t part of 10.0.0.0/16.
  4. You have not enabled flow logs.
A
  1. You also have to configure the network ACL for communication between the VPC and your corporate address space.
  2. Your VPC address space 10.0.0.0/16 overlaps with one of your on-premises networks’ prefixes, 10.0.30.0/24, so the traffic to that network’s prefix is dropped.
  3. Your VPC instances can talk to hosts in the 10.1.31.0/24 space because that block isn’t part of 10.0.0.0/16.
  4. You have not enabled flow logs.
16
Q

Which of the following statements are correct about the default VPC and default subnet? Choose 3.

  1. A default subnet is a private subnet.
  2. A default subnet is a public subnet.
  3. Instances that you launch into a default subnet receive both a public IPv4 address and a private IPv4 address, and both public and private DNS hostnames.
  4. A default security group is associated with your default VPC.
A
  1. A default subnet is a private subnet.
  2. A default subnet is a public subnet.
  3. Instances that you launch into a default subnet receive both a public IPv4 address and a private IPv4 address, and both public and private DNS hostnames.
  4. A default security group is associated with your default VPC.
17
Q

By default, Amazon EC2 and Amazon VPC use which addressing protocol?

  1. IPv6
  2. TCP
  3. IPv4
  4. UDP
A
  1. IPv6
  2. TCP
  3. IPv4
  4. UDP
18
Q

Is it necessary to associate an IPv6 CIDR block with your VPC?

  1. True
  2. False
A
  1. True
  2. False
19
Q

When you assign both IPv4 and IPv6 CIDR block to your VPC, which of the following statements are correct? Choose 2.

  1. Your VPC resources can communicate over IPv6 only.
  2. Your VPC resources can communicate over IPv4, or IPv6, or both.
  3. IPv4 and IPv6 addresses are independent of each other; you must configure routing and security in your VPC separately for IPv4 and IPv6.
  4. You must configure routing and security in your VPC only for IPv6.
A
  1. Your VPC resources can communicate over IPv6 only.
  2. Your VPC resources can communicate over IPv4, or IPv6, or both.
  3. IPv4 and IPv6 addresses are independent of each other; you must configure routing and security in your VPC separately for IPv4 and IPv6.
  4. You must configure routing and security in your VPC only for IPv6.
20
Q

What are the values you can configure within a DHCP option set for a VPC? Choose 3.

  1. domain-name-servers and domain-name
  2. Static Public IP address
  3. ntp-servers and netbios-name-servers
  4. netbios-node-type
A
  1. domain-name-servers and domain-name
  2. Static Public IP address
  3. ntp-servers and netbios-name-servers
  4. netbios-node-type
21
Q

How can you ensure that a network interface created in the subnet automatically receives a public IPv4 address? Choose 2.

  1. Modifying the public IP addressing attribute of your VPC.
  2. Modifying the public IP addressing attribute of your AZ.
  3. Modifying the public IP addressing attribute of your subnet.
  4. Enabling or disabling the public IP addressing feature during instance launch, which overrides the subnet’s public IP addressing attribute.
A
  1. Modifying the public IP addressing attribute of your VPC.
  2. Modifying the public IP addressing attribute of your AZ.
  3. Modifying the public IP addressing attribute of your subnet.
  4. Enabling or disabling the public IP addressing feature during instance launch, which overrides the subnet’s public IP addressing attribute.
22
Q

Which are the features provided by Amazon Virtual Private Cloud that you can use to increase and monitor the security for your virtual private cloud (VPC)? Choose 3.

  1. Security groups
  2. Network access control lists (ACLs)
  3. Flow logs
  4. CloudWatch
A
  1. Security groups
  2. Network access control lists (ACLs)
  3. Flow logs
  4. CloudWatch
23
Q

Which of the following statements are true regarding security groups (SG) and network ACLs? Choose 2.

  1. SGs operate at the instance level and network ACLs operate at the subnet level.
  2. SGs support allow rules only and network ACLs support allow and deny rules.
  3. Network ACLs operate at the instance level and SGs operate at the subnet level.
  4. Network ACLs support allow rules only and SGs support allow and deny rules.
A
  1. SGs operate at the instance level and network ACLs operate at the subnet level.
  2. SGs support allow rules only and network ACLs support allow and deny rules.
  3. Network ACLs operate at the instance level and SGs operate at the subnet level.
  4. Network ACLs support allow rules only and SGs support allow and deny rules.
24
Q

You have ensured that an instance interface created in the subnet automatically receives a public IPv4 address by modifying the public IP addressing attribute of your subnet and enabling the public IP addressing feature during instance launch. How can you ensure that instances launched in the VPC receive public DNS hostnames that correspond to their public IP addresses and DNS resolution through the Amazon DNS server is supported for the VPC?

  1. You don’t need to do anything; DNS hostnames are automatically provided by AWS once an instance gets a public IP address.
  2. Set the VPC attributes enableDnsHostnames and enableDnsSupport to true.
  3. Set only the VPC attribute enableDnsHostnames to true to ensure instances with public IP addresses get corresponding public DNS hostnames. This will also ensure DNS resolution.
  4. Set only the VPC attribute enableDnsSupport to true to ensure instances with public IP addresses get corresponding public DNS hostnames. This will also ensure DNS resolution.
A
  1. You don’t need to do anything; DNS hostnames are automatically provided by AWS once an instance gets a public IP address.
  2. Set the VPC attributes enableDnsHostnames and enableDnsSupport to true.
  3. Set only the VPC attribute enableDnsHostnames to true to ensure instances with public IP addresses get corresponding public DNS hostnames. This will also ensure DNS resolution.
  4. Set only the VPC attribute enableDnsSupport to true to ensure instances with public IP addresses get corresponding public DNS hostnames. This will also ensure DNS resolution.
25
Q

You have a web server running on 5 EC2 instances in one subnet of your VPC. You add another EC2 instance to the subnet with the same security group. After adding the new instance, you make changes to the security group. How long will it take for the changes to take effect?

  1. Immediately only for the newest instance, and after 5 minutes for the existing 5 instances.
  2. Immediately for all six instances.
  3. Immediately only for the existing 5 instances, and after 5 minutes for the new instance.
  4. After 5 minutes for all six instances.
A
  1. Immediately only for the newest instance, and after 5 minutes for the existing 5 instances.
  2. Immediately for all six instances.
  3. Immediately only for the existing 5 instances, and after 5 minutes for the new instance.
  4. After 5 minutes for all six instances.
26
Q

Which of the following statements are true regarding security groups (SG) and network ACLs? Choose 2.

  1. Network ACLs are stateful: return traffic is automatically allowed, regardless of any rules.
  2. SGs are stateful: return traffic is automatically allowed, regardless of any rules.
  3. Network ACLs are stateless: return traffic must be explicitly allowed by rules.
  4. SGs are stateless: return traffic must be explicitly allowed by rules.
A
  1. Network ACLs are stateful: return traffic is automatically allowed, regardless of any rules.
  2. SGs are stateful: return traffic is automatically allowed, regardless of any rules.
  3. Network ACLs are stateless: return traffic must be explicitly allowed by rules.
  4. SGs are stateless: return traffic must be explicitly allowed by rules.
27
Q

How many security groups can you attach to an instance?

  1. One
  2. Three
  3. Five
  4. Two
A
  1. One
  2. Three
  3. Five
  4. Two
28
Q

You have instance A1 in subnet S1 and instance A2 in subnet S2 in a VPC. Both of them are attached to the same custom security group, called MyWebDMZ. How can you ensure that both instances can talk to each other?

  1. Instances associated with a security group can’t talk to each other unless you add rules allowing it in the security group.
  2. Instances associated with the same security group can’t talk to each other.
  3. Instances have to be in the same subnet to talk with each other.
  4. Instances associated with a security group can’t talk to each other unless you add rules allowing it in the network ACLs.
A
  1. Instances associated with a security group can’t talk to each other unless you add rules allowing it in the security group.
  2. Instances associated with the same security group can’t talk to each other.
  3. Instances have to be in the same subnet to talk with each other.
  4. Instances associated with a security group can’t talk to each other unless you add rules allowing it in the network ACLs.
29
Q

Your VPC automatically comes with a modifiable default network ACL. Which of the following statements is true?

  1. It allows all inbound and outbound IPv4 traffic.
  2. It doesn’t allow inbound but allows all outbound traffic.
  3. It doesn’t allow outbound but allows all inbound.
  4. It denies all inbound and outbound traffic until you add rules.
A
  1. It allows all inbound and outbound IPv4 traffic.
  2. It doesn’t allow inbound but allows all outbound traffic.
  3. It doesn’t allow outbound but allows all inbound.
  4. It denies all inbound and outbound traffic until you add rules.
30
Q

You can create a custom network ACL and associate it with a subnet. Which of the following statements is true?

  1. It allows all inbound and outbound IPv4 traffic.
  2. It doesn’t allow inbound but allows all outbound traffic.
  3. It doesn’t allow outbound but allows all inbound.
  4. It denies all inbound and outbound traffic until you add rules.
A
  1. It allows all inbound and outbound IPv4 traffic.
  2. It doesn’t allow inbound but allows all outbound traffic.
  3. It doesn’t allow outbound but allows all inbound.
  4. It denies all inbound and outbound traffic until you add rules.
31
Q

Which of the following statements are correct about the association of network ACLs with subnets? Choose 2.

  1. Each subnet in your VPC must be associated with a network ACL.
  2. It is optional to associate a subnet with a network ACL.
  3. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
  4. Each subnet in your VPC must be associated with a custom security group and a custom network ACL.
A
  1. Each subnet in your VPC must be associated with a network ACL.
  2. It is optional to associate a subnet with a network ACL.
  3. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
  4. Each subnet in your VPC must be associated with a custom security group and a custom network ACL.
32
Q

How many network ACLs can be associated with a subnet?

  1. Multiple
  2. Five
  3. Two
  4. One
A
  1. Multiple
  2. Five
  3. Two
  4. One
33
Q

How many subnets can a network ACL be associated with?

  1. Multiple
  2. Five
  3. Two
  4. One
A
  1. Multiple
  2. Five
  3. Two
  4. One
34
Q

How are the rules evaluated in a security group (SG) and network ACLs? Choose 2.

  1. Network ACLs evaluate all rules before deciding whether to allow traffic.
  2. SGs evaluate all rules before deciding whether to allow traffic.
  3. Network ACLs process rules in number order when deciding whether to allow traffic.
  4. SGs process rules in number order when deciding whether to allow traffic.
A
  1. Network ACLs evaluate all rules before deciding whether to allow traffic.
  2. SGs evaluate all rules before deciding whether to allow traffic.
  3. Network ACLs process rules in number order when deciding whether to allow traffic.
  4. SGs process rules in number order when deciding whether to allow traffic.
35
Q

Your company is migrating two existing applications to AWS. The application portfolio has one internet application, which will be accessed by its customers, and one intranet application, which will be accessed only by employees from the corporate network. Your plan is to create one VPC and deploy each application’s instances in a separate subnet. You also want to ensure that the whole design is fault tolerant and that services are not hampered if one AWS AZ goes down. What is the minimum number of subnets you should create?

  1. 2 subnets
  2. 4 subnets
  3. 1 subnet
  4. 6 subnets
A
  1. 2 subnets
  2. 4 subnets
  3. 1 subnet
  4. 6 subnets
36
Q

What are AWS PrivateLink features? Choose 3.

  1. Simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet.
  2. Provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network.
  3. Makes it easy to connect services across different accounts and VPCs to significantly simplify the network architecture.
  4. Improves the performance of EC2 instances.
  5. To use AWS PrivateLink, create an interface VPC endpoint for a service outside of your VPC. This creates an elastic network interface in your subnet with a private IP address that serves as an entry point for traffic destined to the service.
A
  1. Simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public Internet.
  2. Provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network.
  3. Makes it easy to connect services across different accounts and VPCs to significantly simplify the network architecture.
  4. Improves the performance of EC2 instances.
  5. To use AWS PrivateLink, create an interface VPC endpoint for a service outside of your VPC. This creates an elastic network interface in your subnet with a private IP address that serves as an entry point for traffic destined to the service.
37
Q

How does a network ACL evaluate rules? Choose 2.

  1. Rules are evaluated starting with the lowest numbered rule.
  2. Rules are evaluated starting with the highest numbered rule.
  3. As soon as a rule matches traffic, it is applied regardless of any lower-numbered rule that may contradict it.
  4. As soon as a rule matches traffic, it is applied regardless of any higher-numbered rule that may contradict it.
A
  1. Rules are evaluated starting with the lowest numbered rule.
  2. Rules are evaluated starting with the highest numbered rule.
  3. As soon as a rule matches traffic, it is applied regardless of any lower-numbered rule that may contradict it.
  4. As soon as a rule matches traffic, it is applied regardless of any higher-numbered rule that may contradict it.
38
Q

Which feature of network ACL rules ensures that traffic is denied if none of the rules match?

  1. You have the flexibility to add a rule with the highest number to deny unmatched traffic, both for inbound and outbound.
  2. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied. You can’t modify or remove this rule.
  3. You have the flexibility to add a rule with the lowest number to deny unmatched traffic, both for inbound and outbound.
  4. If traffic doesn’t match any rule, it is an implicit ALLOW.
A
  1. You have the flexibility to add a rule with the highest number to deny unmatched traffic, both for inbound and outbound.
  2. Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied. You can’t modify or remove this rule.
  3. You have the flexibility to add a rule with the lowest number to deny unmatched traffic, both for inbound and outbound.
  4. If traffic doesn’t match any rule, it is an implicit ALLOW.
39
Q

Which of the following are use cases for AWS PrivateLink? Choose 3.

  1. Maintain regulatory compliance. Preventing personally identifiable information (PII) from traversing the Internet helps maintain compliance with regulations such as HIPAA or PCI.
  2. Advanced security features, such as security groups and network access control lists, to enable inbound and outbound filtering at the instance level and subnet level.
  3. Fault tolerance by providing a dual communication channel between the on-premises data center and AWS resources.
  4. Securely access SaaS applications. With AWS PrivateLink, you can connect your VPCs to AWS services and SaaS applications in a secure and scalable manner.
  5. Easily migrate services from on-premises locations to the AWS cloud. On-premises applications can connect to service endpoints in Amazon VPC over AWS Direct Connect or AWS VPN. Service endpoints will direct the traffic to AWS services over AWS PrivateLink, while keeping the network traffic within the AWS network.
A
  1. Maintain regulatory compliance. Preventing personally identifiable information (PII) from traversing the Internet helps maintain compliance with regulations such as HIPAA or PCI.
  2. Advanced security features, such as security groups and network access control lists, to enable inbound and outbound filtering at the instance level and subnet level.
  3. Fault tolerance by providing a dual communication channel between the on-premises data center and AWS resources.
  4. Securely access SaaS applications. With AWS PrivateLink, you can connect your VPCs to AWS services and SaaS applications in a secure and scalable manner.
  5. Easily migrate services from on-premises locations to the AWS cloud. On-premises applications can connect to service endpoints in Amazon VPC over AWS Direct Connect or AWS VPN. Service endpoints will direct the traffic to AWS services over AWS PrivateLink, while keeping the network traffic within the AWS network.
40
Q

Based on the above figure of a network ACL configured for a subnet, how will the rules be evaluated for a packet destined for the SSL port (443)?

  1. Rule 110 will be directly matched and the inbound packet will be allowed.
  2. First the lower-numbered rule 100 will be evaluated, and then rule 110, which matches.
  3. All six rules will be evaluated at once and the packet will be matched against a rule.
  4. Rules will be evaluated in descending order, i.e. 140, 130, 120, 110, until a match.
A
  1. Rule 110 will be directly matched and the inbound packet will be allowed.
  2. First the lower-numbered rule 100 will be evaluated, and then rule 110, which matches.
  3. All six rules will be evaluated at once and the packet will be matched against a rule.
  4. Rules will be evaluated in descending order, i.e. 140, 130, 120, 110, until a match.
41
Q

Based on the same network ACL figure, how will the rules be evaluated for an inbound packet destined for port 139 (NetBIOS)?

  1. It doesn't match any of the rules, therefore an error 'rule not defined' will be thrown.
  2. It doesn't match any of the rules, therefore it is implicitly allowed.
  3. It doesn't match any of the rules, and the * rule ultimately denies the packet.
  4. None of the above.
A
  3. It doesn't match any of the rules, and the * rule ultimately denies the packet.

Every numbered rule is tried in order and none matches port 139, so evaluation falls through to the catch-all * rule, which always denies.
42
Q

In the same network ACL, what is the significance of inbound rule 140 and outbound rule 120? Choose 2.

  1. Inbound rule 140 allows inbound IPv4 traffic from the Internet on the ephemeral port range, wide enough to cover the different types of clients that might initiate traffic to public-facing instances in your VPC.
  2. Outbound rule 120 allows outbound IPv4 responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet).
  3. Inbound rule 140 has a wide port range to ensure that at least one rule matches each incoming packet.
  4. Outbound rule 120 has a wide port range to ensure that at least one rule matches.
A
  1. Inbound rule 140 allows inbound IPv4 traffic from the Internet on the ephemeral port range, wide enough to cover the different types of clients that might initiate traffic to public-facing instances in your VPC.
  2. Outbound rule 120 allows outbound IPv4 responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet).

A network ACL is stateless, so return traffic is not admitted automatically in either direction: inbound rule 140 admits replies arriving on ephemeral ports, and outbound rule 120 lets the web servers answer Internet clients on the clients' ephemeral source ports. Neither rule exists to guarantee a match; a packet that matches nothing is denied by the * rule.
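Worked example of the evaluation order the three cards above describe, added here as an illustration (it is not code from the original page or from AWS). The rule table is constructed to mirror the AWS documentation's custom network ACL example; the source range 192.0.2.0/24 for the SSH and RDP rules and the client addresses are assumed documentation-range values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluation order; lower numbers are checked first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


# Constructed inbound rule set modelled on the AWS documentation's custom network ACL
# example; 192.0.2.0/24 stands in for the administrator's home network (an assumption).
INBOUND = [
    NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),           # HTTP
    NaclRule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),         # HTTPS
    NaclRule(120, "tcp", 22, 22, "192.0.2.0/24", "allow"),        # SSH from the home network
    NaclRule(130, "tcp", 3389, 3389, "192.0.2.0/24", "allow"),    # RDP from the home network
    NaclRule(140, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),      # ephemeral ports: return traffic
]


def rule_matches(rule, protocol, port, src_ip):
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ip_address(src_ip) in ip_network(rule.cidr))


def evaluate(rules, protocol, port, src_ip):
    """Evaluate a packet the way a VPC network ACL does: rules are tried in ascending
    rule-number order and the first match decides. A packet that matches nothing falls
    through to the '*' rule, which always denies. Returns (rule, action, examined), where
    examined lists the rule numbers that were checked before the decision."""
    examined = []
    for rule in sorted(rules, key=lambda r: r.number):
        examined.append(rule.number)
        if rule_matches(rule, protocol, port, src_ip):
            return rule.number, rule.action, examined
    return "*", "deny", examined + ["*"]


def widen(rules, number, port_from, port_to):
    """Copy of the rule set with one rule's port range replaced; used to show what a
    carelessly wide ephemeral-port rule admits."""
    return [NaclRule(r.number, r.protocol, port_from, port_to, r.cidr, r.action)
            if r.number == number else r for r in rules]
```

The `examined` trail makes the ordering visible: a 443 packet stops at rule 110, a 139 packet walks every rule and ends at `*`. Widening rule 140 to all ports, as option 3 above suggests, would admit NetBIOS from the Internet, which is why the ephemeral range should start above the well-known ports.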
43
Q

You want to troubleshoot why specific traffic is not reaching an instance, and also want to diagnose overly restrictive security group rules. Which AWS service will you use?

  1. AWS CloudTrail
  2. Amazon CloudWatch
  3. VPC Flow Logs
  4. AWS WAF
A
  3. VPC Flow Logs

Flow logs record the ACCEPT and REJECT decisions for traffic to and from network interfaces. CloudTrail records API calls, CloudWatch collects metrics and logs, and WAF filters HTTP requests at the edge; none of them shows whether a packet was dropped by a security group or network ACL.
44
Q

For which of the following resources can you create a flow log? Choose 3.

  1. VPC
  2. Subnet
  3. Network interface
  4. Security Group
A
  1. VPC
  2. Subnet
  3. Network interface

A flow log is created for a VPC, a subnet, or an individual network interface; a security group is a filter, not a capture point.
45
Q

You're using flow logs to diagnose overly restrictive or permissive security group rules or network ACL rules for your VPC, which has one instance to start with. You use the ping command from your home computer to your instance. Your security group's inbound rules allow ICMP traffic from your home computer's IP address and the outbound rules do not allow ICMP traffic. Your network ACL permits inbound ICMP traffic from your home computer's IP address but does not permit outbound ICMP traffic. Which of the following statements are correct regarding the flow log records that will be displayed? Choose 2.

  1. A REJECT record for the response ping, because the security group denied outgoing ICMP.
  2. There will not be any log, as outgoing traffic is denied by both the security group and the network ACL.
  3. An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
  4. A REJECT record for the response ping that the network ACL denied.
A
  3. An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
  4. A REJECT record for the response ping that the network ACL denied.

The security group is stateful, so it permits the reply to a request it admitted regardless of its outbound rules. The network ACL is stateless and evaluates the reply against its outbound rules, which do not allow ICMP, so the reply is rejected and logged as such.
46
Q

You're using flow logs to diagnose overly restrictive or permissive security group rules or network ACL rules for your VPC, which has one instance to start with. You use the ping command from your home computer to your instance. Your security group's inbound rules allow ICMP traffic from your home computer's IP address and the outbound rules do not allow ICMP traffic. Your network ACL permits inbound ICMP traffic from your home computer's IP address and also permits outbound ICMP traffic. Which of the following statements are correct regarding the flow log records that will be displayed? Choose 2.

  1. A REJECT record for the response ping, because the security group denied outgoing ICMP.
  2. There will not be any log, as outgoing traffic is denied by the security group.
  3. An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
  4. An ACCEPT record for the response ping.
A
  3. An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
  4. An ACCEPT record for the response ping.

Both filters admit the request, and the reply passes the network ACL's outbound rule. The security group's missing outbound ICMP rule does not matter, because responses to allowed inbound traffic are tracked and allowed out.
47
Q

You're using flow logs to diagnose overly restrictive or permissive security group rules or network ACL rules for your VPC, which has one instance to start with. You use the ping command from your home computer to your instance. Your security group's inbound rules do not allow ICMP traffic from your home computer's IP address and the outbound rules do not allow ICMP traffic. Your network ACL permits inbound ICMP traffic from your home computer's IP address and also permits outbound ICMP traffic. Which of the following statements is correct regarding the flow log records that will be displayed?

  1. A REJECT record for the originating ping, because the security group denied the incoming ICMP.
  2. A REJECT record for the response ping, because the security group denied outgoing ICMP.
  3. There will not be any log, as incoming and outgoing traffic are denied by the security group.
  4. None of the above
A
  1. A REJECT record for the originating ping, because the security group denied the incoming ICMP.

The flow log shows a single REJECT record. The request was blocked before it reached the instance, so no reply is generated and no second record appears.
48
Q

What is VPC peering? Choose 3.

  1. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
  2. Instances in the master VPC can communicate with the secondary VPC as if they are within the same network.
  3. Instances in either VPC can communicate with each other as if they are within the same network.
  4. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account.
A
  1. A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
  3. Instances in either VPC can communicate with each other as if they are within the same network.
  4. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account.

Peering is symmetric; there is no master or secondary VPC.
49
Q

Which of the following statements are correct about VPC peering? Choose 3.

  1. The VPCs have to be in the same region.
  2. The VPCs can be in different regions.
  3. Traffic always stays on the global AWS backbone, and never traverses the public internet.
  4. AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware.
A
  2. The VPCs can be in different regions.
  3. Traffic always stays on the global AWS backbone, and never traverses the public internet.
  4. AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware.

Inter-region peering is supported, and peered traffic rides the AWS backbone rather than the public internet.
50
Q

What are the benefits of VPC peering?

  1. There is no single point of failure for communication or a bandwidth bottleneck.
  2. A VPC peering connection helps you to facilitate the transfer of data or create a file sharing network.
  3. Provides a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy.
  4. Never traverses the public internet, which reduces threats, such as common exploits, and DDoS attacks.
  5. All of the above.
A
  5. All of the above.
51
Q

What are the steps involved in establishing a VPC peering connection? Choose 3.

  1. The owner of the requester VPC sends a request to the owner of the accepter VPC to create the VPC peering connection. The owner of the accepter VPC accepts the VPC peering connection request to activate the VPC peering connection.
  2. To enable the flow of traffic between the VPCs using private IP addresses, the owner of each VPC in the VPC peering connection must manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC).
  3. If required, update the security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted.
  4. There is no need to update the security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted.
A
  1. The owner of the requester VPC sends a request to the owner of the accepter VPC to create the VPC peering connection. The owner of the accepter VPC accepts the VPC peering connection request to activate the VPC peering connection.
  2. To enable the flow of traffic between the VPCs using private IP addresses, the owner of each VPC in the VPC peering connection must manually add a route to one or more of their VPC route tables that points to the IP address range of the other VPC (the peer VPC).
  3. If required, update the security group rules that are associated with your instance to ensure that traffic to and from the peer VPC is not restricted.

Routes and security group rules are not created for you: a peering connection that has been accepted but not routed carries no traffic.
52
Q

Which three of the following statements are correct about VPC peering connections?

  1. Transitive peering relationships are supported.
  2. A VPC peering connection is a one-to-one relationship between two VPCs.
  3. A VPC can peer with multiple VPCs in a one-to-many relationship.
  4. Transitive peering relationships are not supported.
A
  2. A VPC peering connection is a one-to-one relationship between two VPCs.
  3. A VPC can peer with multiple VPCs in a one-to-many relationship.
  4. Transitive peering relationships are not supported.

If A peers with B and B peers with C, A cannot reach C through B; each pair needs its own peering connection, or a transit gateway for hub-and-spoke connectivity.
53
Q

You are doing a security audit of EC2 instances. You notice that one of the instances has two security groups attached to it. The first allows HTTP access over port 80 from CIDR block 0.0.0.0/0. The second allows SSH access over port 22 from your company IP address range 204.0.223.0/24. What request traffic can reach your instance?

  1. SSH and HTTP traffic from 0.0.0.0/0.
  2. SSH and HTTP traffic from 204.0.223.0/24.
  3. SSH traffic from 204.0.223.0/24 and HTTP traffic from 0.0.0.0/0.
  4. No traffic can reach your instance.
A
  3. SSH traffic from 204.0.223.0/24 and HTTP traffic from 0.0.0.0/0.

The rules of every attached security group are combined, but each rule admits only the protocol, port and source it names, so SSH stays limited to the company range while HTTP is open to all.
54
Q

You are doing a security audit of EC2 instances. You notice that one of the instances has two security groups attached to it. The first allows HTTP access over port 80 from CIDR block 0.0.0.0/0. The second allows SSH access over port 22 from your company IP address range 204.0.223.0/24. You add another rule to the first security group allowing SSH access over port 22 from 0.0.0.0/0. What request traffic can reach your instance?

  1. SSH and HTTP traffic from 0.0.0.0/0.
  2. SSH and HTTP traffic from 204.0.223.0/24.
  3. SSH traffic from 204.0.223.0/24 and HTTP traffic from 0.0.0.0/0.
  4. No traffic can reach your instance.
A
  1. SSH and HTTP traffic from 0.0.0.0/0.

Security groups are allow-only and their rules are unioned, so the new 0.0.0.0/0 SSH rule in the first group makes the narrower rule in the second group moot; a more restrictive rule can never override a more permissive one. Only a network ACL deny rule could block it at the subnet boundary.
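Added example (not code from the original page or from AWS) modelling the behaviour behind the three ping cards (45 to 47) and the two security group audit cards (53 and 54): rules from every attached security group are unioned and the group is stateful, while the network ACL is an ordered, stateless filter. `ping_flow_records` returns the ACCEPT/REJECT records a flow log would show for an echo request and its reply. The addresses and rule sets are constructed from the cards; the home computer address 203.0.113.10 and the instance address 10.0.1.4 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str              # peer address range the rule applies to
    action: str = "allow"  # security group rules are always allow; NACL rules may deny


def rule_matches(rule, protocol, port, peer_ip):
    """Protocol, port range (not meaningful for ICMP) and peer address must all match."""
    if rule.protocol not in ("all", protocol):
        return False
    if protocol != "icmp" and not (rule.port_from <= port <= rule.port_to):
        return False
    return ip_address(peer_ip) in ip_network(rule.cidr)


@dataclass
class SecurityGroup:
    name: str
    inbound: list
    outbound: list


@dataclass
class NetworkAcl:
    inbound: list    # already sorted by rule number; the trailing '*' deny is implicit
    outbound: list


def sg_allows(groups, direction, protocol, port, peer_ip):
    """Every security group attached to an interface is aggregated: the packet is allowed
    if any rule in any of the groups allows it, so the most permissive rule always wins."""
    for group in groups:
        rules = group.inbound if direction == "in" else group.outbound
        if any(rule_matches(r, protocol, port, peer_ip) for r in rules):
            return True
    return False


def nacl_allows(rules, protocol, port, peer_ip):
    """A network ACL is ordered and stateless: the first matching rule decides and a
    packet that matches nothing hits the implicit deny."""
    for rule in rules:
        if rule_matches(rule, protocol, port, peer_ip):
            return rule.action == "allow"
    return False


def ping_flow_records(groups, nacl, client_ip, instance_ip):
    """Flow-log records, as (flow, action) pairs, for an ICMP echo request from client_ip
    and the instance's echo reply. The security group is stateful: the reply to a request
    it admitted is allowed without consulting the outbound rules. The network ACL is
    stateless: the reply is evaluated against the outbound rules on its own."""
    records = []
    request_ok = (nacl_allows(nacl.inbound, "icmp", 0, client_ip)
                  and sg_allows(groups, "in", "icmp", 0, client_ip))
    records.append((f"{client_ip} -> {instance_ip} icmp", "ACCEPT" if request_ok else "REJECT"))
    if not request_ok:
        return records   # the request never reached the instance, so there is no reply
    reply_ok = nacl_allows(nacl.outbound, "icmp", 0, client_ip)
    records.append((f"{instance_ip} -> {client_ip} icmp", "ACCEPT" if reply_ok else "REJECT"))
    return records


# Constructed data for the cards above; the home computer's address is assumed.
ANY = "0.0.0.0/0"
HOME = "203.0.113.10"
INSTANCE = "10.0.1.4"

# Cards 53 and 54: two groups on one instance, then SSH opened to the world in the first.
WEB_SG = SecurityGroup("web", [Rule("tcp", 80, 80, ANY)], [Rule("all", 0, 65535, ANY)])
ADMIN_SG = SecurityGroup("admin", [Rule("tcp", 22, 22, "204.0.223.0/24")], [])
WEB_SG_SSH_OPEN = SecurityGroup("web", WEB_SG.inbound + [Rule("tcp", 22, 22, ANY)], WEB_SG.outbound)

# Cards 45 to 47: ICMP allowed in by the security group (card 47 uses WEB_SG, which does not
# allow it), with the network ACL either denying or allowing the outbound reply.
ICMP_SG = SecurityGroup("icmp-in-only", [Rule("icmp", 0, 0, HOME + "/32")], [])
NACL_NO_EGRESS = NetworkAcl([Rule("icmp", 0, 0, HOME + "/32")], [])
NACL_BOTH = NetworkAcl([Rule("icmp", 0, 0, HOME + "/32")], [Rule("icmp", 0, 0, ANY)])
```

The model deliberately has no "deny" for security groups and no connection tracking for the network ACL, which is exactly the asymmetry the cards test: the only way to get a REJECT for a reply is through the stateless ACL, and the only way to narrow SSH once any group opens it to 0.0.0.0/0 is to remove that rule.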
55
Q

Which of the following statements are correct about route tables? Choose 2.

  1. Each subnet must be associated with a route table, which controls the routing for the subnet.
  2. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
  3. Each subnet must be associated with multiple route tables, which collectively control the routing for the subnet.
  4. A subnet can be associated with multiple route tables at a time, and you can associate multiple subnets with the same route table.
A
  1. Each subnet must be associated with a route table, which controls the routing for the subnet.
  2. A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.
56
Q

What are the properties of a main route table? Choose 2.

  1. You can delete the main route table.
  2. Your VPC automatically comes with a main route table that you can modify.
  3. You cannot delete the main route table, but you can replace the main route table with a custom table that you've created.
  4. You have to create the main route table explicitly when you create the VPC.
A
  2. Your VPC automatically comes with a main route table that you can modify.
  3. You cannot delete the main route table, but you can replace the main route table with a custom table that you've created.

Subnets not explicitly associated with a route table use the main route table, so anything you add there (such as a default route to an internet gateway) silently applies to every unassociated subnet.
57
Q

What must you do to enable access to or from the internet for instances in a VPC subnet?

  1. Attach an internet gateway to your VPC.
  2. Ensure that your subnet’s route table points to the internet gateway.
  3. Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
  4. Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.
  5. All of the above
A
  5. All of the above

All four conditions are required at once: a gateway with no route to it, a route with no public address to translate, or a public address behind a security group that drops the traffic each leave the instance unreachable.
58
Q

Which two of the following statements are correct about an internet gateway?

  1. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
  2. An internet gateway performs network address translation (NAT) for instances that have been assigned public IPv4 addresses.
  3. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and a corporate VPN.
  4. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between VPC endpoints and AWS resources.
A
  1. An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
  2. An internet gateway performs network address translation (NAT) for instances that have been assigned public IPv4 addresses.

The gateway maps each instance's public IPv4 address to its private address one-to-one; VPN connectivity is the virtual private gateway's job and VPC endpoints bypass the internet gateway entirely.
59
Q

Which VPC component allows outbound communication over IPv6 from instances in your VPC to the Internet, and prevents the Internet from initiating an IPv6 connection with your instances?

  1. Internet Gateway
  2. Egress-Only Internet Gateways
  3. NAT Gateway
  4. NAT Instance
A
  2. Egress-Only Internet Gateways

IPv6 addresses are globally unique, so an ordinary internet gateway would let the Internet initiate connections to the instances; the egress-only gateway is the IPv6 counterpart of a NAT gateway's outbound-only behaviour.
60
Q

Which VPC components enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances? Choose 2.

  1. Internet Gateway
  2. Egress-Only Internet Gateways
  3. NAT Gateway
  4. NAT Instance
A
  3. NAT Gateway
  4. NAT Instance

Both are NAT devices for IPv4. An internet gateway allows inbound connections to public addresses, and the egress-only internet gateway serves the same outbound-only purpose for IPv6.
61
Q

Which two of the following statements are correct about egress-only internet gateways?

  1. An egress-only internet gateway is stateful.
  2. An egress-only internet gateway is stateless.
  3. An egress-only internet gateway forwards traffic from the instances in the subnet to the Internet or other AWS services, and then sends the response back to the instances.
  4. An egress-only internet gateway forwards traffic from the instances in the subnet to the Internet or other AWS services, but doesn't send the response back to the instances.
A
  1. An egress-only internet gateway is stateful.
  3. An egress-only internet gateway forwards traffic from the instances in the subnet to the Internet or other AWS services, and then sends the response back to the instances.

Because it is stateful, responses to connections the instances initiated are returned, while connections initiated from the Internet are dropped.
62
Q

What is a bastion host? Choose 3.

  1. A bastion host is a server whose purpose is to provide access to a private subnet from an external network, such as the Internet.
  2. Bastion hosts are instances that sit in a public subnet and are typically accessed using SSH or RDP.
  3. It acts as a 'hop' or 'bridge' server, allowing you to use SSH or RDP to log in to other instances in a private subnet in your VPC.
  4. A bastion host is a server on which to install a firewall to protect your private subnet.
A
  1. A bastion host is a server whose purpose is to provide access to a private subnet from an external network, such as the Internet.
  2. Bastion hosts are instances that sit in a public subnet and are typically accessed using SSH or RDP.
  3. It acts as a 'hop' or 'bridge' server, allowing you to use SSH or RDP to log in to other instances in a private subnet in your VPC.

A bastion is a hardened jump host, not a firewall; traffic filtering stays with security groups and network ACLs. Restrict its inbound rule to the administrator source ranges and let the private instances' security groups accept SSH or RDP only from the bastion's security group.
63
Q

You have following VPCs in your AWS account

  • VPC A: CIDR block 172.16.0.0/16
  • VPC B: CIDR block 10.0.0.0/16
  • VPC C: CIDR block 172.16.0.0/16

Which of the following peering can be done? Choose 2.

  1. VPC A and VPC B
  2. VPC A and VPC C
  3. VPC B and VPC C
A
  1. VPC A and VPC B
  3. VPC B and VPC C

VPC A and VPC C both use 172.16.0.0/16. Peering requires non-overlapping CIDR blocks, since a route to the peer would be indistinguishable from the VPC's own local route.
64
Q

You have following VPCs in your AWS account

  • VPC A: CIDR block 172.16.0.0/16, 172.1.0.0/16
  • VPC B: CIDR block 10.0.0.0/16, 10.2.0.0/16
  • VPC C: CIDR block 172.16.0.0/16, 172.2.0.0/16

Which of the following peering can be done?

  1. VPC A and VPC B
  2. VPC A and VPC C
  3. VPC B and VPC C
A
  1. VPC A and VPC B
  3. VPC B and VPC C

Adding distinct secondary blocks does not help A and C: every CIDR block of one VPC must be disjoint from every block of the other, and their primary 172.16.0.0/16 blocks still overlap.
65
Q

You are setting up a VPC for a single-tier public-facing web application. You also want your cloud web application to connect to an on-premises application in the corporate network. You have made the following configuration:

  • A VPC with CIDR block 10.0.0.0/16
  • A public subnet in that VPC with CIDR block 10.0.1.0/24
  • The IP address of the web server instance running in the subnet is 10.0.1.4
  • An on-premises corporate network of two offices, CIDR 10.0.37.0/24 and 10.1.38.0/24

Which of the following statements are correct for the above configuration? Choose 2.

  1. Traffic is dropped when the VPC web server instance tries to connect to a host in 10.0.37.0/24.
  2. Traffic is dropped when the VPC web server instance tries to connect to a host in 10.1.38.0/24.
  3. Traffic will flow between the VPC instance and a host in 10.1.38.0/24.
  4. Traffic will flow between the VPC instance and a host in 10.0.37.0/24.
A
  1. Traffic is dropped when the VPC web server instance tries to connect to a host in 10.0.37.0/24.
  3. Traffic will flow between the VPC instance and a host in 10.1.38.0/24.

10.0.37.0/24 lies inside the VPC's own 10.0.0.0/16, so the local route takes precedence over the VPN route: the packets never leave the VPC and, with no subnet holding that address, are dropped. 10.1.38.0/24 does not overlap and is reachable over the VPN.
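Added example (not code from the original page or from AWS) that checks the two peering cards and the VPN card above with the `ipaddress` module: `can_peer` applies the non-overlapping CIDR requirement across every block of both VPCs, and `next_hop`/`reachable` apply the rule that the VPC's local route wins for any destination inside the VPC CIDR. The VPC inventories, subnet and route targets are constructed from the cards; the route target name "virtual-private-gateway" is a label, not an AWS identifier.

```python
from ipaddress import ip_address, ip_network

# Constructed VPC inventories for the two peering cards (CIDR blocks as given there).
VPCS_SINGLE = {"A": ["172.16.0.0/16"], "B": ["10.0.0.0/16"], "C": ["172.16.0.0/16"]}
VPCS_MULTI = {
    "A": ["172.16.0.0/16", "172.1.0.0/16"],
    "B": ["10.0.0.0/16", "10.2.0.0/16"],
    "C": ["172.16.0.0/16", "172.2.0.0/16"],
}


def cidrs_overlap(blocks_a, blocks_b):
    """True if any CIDR block of one VPC overlaps any block of the other."""
    return any(ip_network(a).overlaps(ip_network(b)) for a in blocks_a for b in blocks_b)


def can_peer(vpcs, name_a, name_b):
    """VPC peering is refused when the two VPCs have overlapping IPv4 CIDR blocks; every
    block of one VPC (primary or secondary) must be disjoint from every block of the other."""
    if name_a == name_b:
        return False
    return not cidrs_overlap(vpcs[name_a], vpcs[name_b])


def peerable_pairs(vpcs):
    """All unordered pairs of VPCs that could be peered."""
    names = sorted(vpcs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if can_peer(vpcs, a, b)]


def next_hop(vpc_cidr, routes, dest_ip):
    """Route lookup for a VPC route table. The VPC's own local route wins for every
    destination inside the VPC CIDR, even when a propagated VPN or Direct Connect route
    also covers it; other destinations use the most specific matching route.
    'routes' is a list of (cidr, target) pairs."""
    dest = ip_address(dest_ip)
    if dest in ip_network(vpc_cidr):
        return "local"
    matches = [(ip_network(cidr), target) for cidr, target in routes if dest in ip_network(cidr)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def reachable(vpc_cidr, subnets, routes, dest_ip):
    """Traffic sent to the local route is delivered only if a subnet actually contains the
    address; an on-premises network that overlaps the VPC CIDR is therefore unreachable."""
    hop = next_hop(vpc_cidr, routes, dest_ip)
    if hop == "local":
        return any(ip_address(dest_ip) in ip_network(s) for s in subnets)
    return hop is not None


# Constructed data for the VPN card: one public subnet and two propagated on-premises routes.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = ["10.0.1.0/24"]
ROUTES = [("10.0.37.0/24", "virtual-private-gateway"), ("10.1.38.0/24", "virtual-private-gateway")]
```

Run `peerable_pairs` over an account's VPC inventory before planning a hub-and-spoke design; an overlap found late usually means renumbering a VPC, which is far more work than choosing disjoint ranges up front.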
66
Q

You want to run a public-facing web application, while maintaining back-end servers that aren’t publicly accessible. You will have to set up security and routing so that the web servers can communicate with the MySQL database servers. You also need to ensure that database servers can connect to the Internet for software updates but the Internet cannot establish connections to the database servers. How will you set up your VPC configuration? Choose 3.

  1. Set up web servers in a public subnet and the database servers in a private subnet.
  2. The DB instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet.
  3. Security Group attached with DB Instance should only allow read or write database requests from the web servers by configuring source as web server’s security group.
  4. The DB instances in the private subnet can access the Internet by using a web server EC2 instance that resides in the public subnet.
A
  1. Set up web servers in a public subnet and the database servers in a private subnet.
  2. The DB instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet.
  3. Security Group attached with DB Instance should only allow read or write database requests from the web servers by configuring source as web server's security group.

A web server is not a NAT device: point the private subnet's default route at a NAT gateway in the public subnet, and reference the web tier's security group as the source of the database rule so the allowed set follows the instances rather than their addresses.
67
Q

You have ensured that an instance interface created in the subnet automatically receives a public IPv4 address by modifying the public IP addressing attribute of your subnet and enabling the public IP addressing feature during instance launch. Which of the following statements are correct? Choose 3.

  1. A public IP address is assigned from Amazon’s pool of public IP addresses; it’s not associated with your account.
  2. When a public IP address is disassociated from your instance, it’s released back into the pool, and is no longer available for you to use.
  3. You cannot manually associate or disassociate a public IP address.
  4. The assigned IP addresses are persistent.
A
  1. A public IP address is assigned from Amazon's pool of public IP addresses; it's not associated with your account.
  2. When a public IP address is disassociated from your instance, it's released back into the pool, and is no longer available for you to use.
  3. You cannot manually associate or disassociate a public IP address.

An auto-assigned public IP address is not persistent: it changes when the instance is stopped and started. Use an Elastic IP address when a fixed public address is needed.
68
Q

How can you connect to a DB instance deployed within a VPC from the Internet or from EC2 instances outside the VPC? Choose 3.

  1. It is not possible to connect to a DB instance deployed within a VPC.
  2. Use a bastion host: set up a public subnet with an EC2 instance that acts as an SSH bastion. This public subnet must have an internet gateway and routing rules that allow traffic to be directed via the SSH host, which then forwards requests to the private IP address of your RDS DB instance.
  3. Use public connectivity: create your DB instance with the Publicly Accessible option set to yes. With Publicly Accessible active, your DB instance within a VPC will be fully accessible outside your VPC by default.
  4. Set up a VPN gateway that extends your corporate network into your VPC, and allows access to the RDS DB instance in that VPC.
A
  2. Use a bastion host: set up a public subnet with an EC2 instance that acts as an SSH bastion. This public subnet must have an internet gateway and routing rules that allow traffic to be directed via the SSH host, which then forwards requests to the private IP address of your RDS DB instance.
  3. Use public connectivity: create your DB instance with the Publicly Accessible option set to yes. With Publicly Accessible active, your DB instance within a VPC will be fully accessible outside your VPC by default.
  4. Set up a VPN gateway that extends your corporate network into your VPC, and allows access to the RDS DB instance in that VPC.

"Publicly Accessible" only gives the instance a resolvable public address; the security group still decides who may connect, and a database exposed to 0.0.0.0/0 is a common audit finding.
69
Q

How can instances in a VPC without public IP addresses access the internet? Choose 2.

  1. Inside a VPC, they can route their traffic through a network address translation (NAT) gateway or a NAT instance to access the internet.
  2. It is not possible.
  3. For Amazon VPCs with a Site-to-Site VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter.
  4. Inside a VPC, they can route their traffic through an internet gateway to access the internet.
A
  1. Inside a VPC, they can route their traffic through a network address translation (NAT) gateway or a NAT instance to access the internet.
  3. For Amazon VPCs with a Site-to-Site VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter.

An internet gateway alone does not help: without a public IPv4 address there is nothing for it to translate.
70
Q

Which of the following statements are correct about NAT devices? Choose 3.

  1. You can use a NAT device to enable instances in a private subnet to connect to the internet (for example, for software updates) or other AWS services, but prevent the internet from initiating connections with the instances.
  2. A NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances.
  3. When traffic goes to the internet, the source IPv4 address is replaced with the NAT device's address and similarly, when the response traffic goes to those instances, the NAT device translates the address back to those instances' private IPv4 addresses.
  4. NAT devices are supported for both IPv4 and IPv6 traffic.
A
  1. You can use a NAT device to enable instances in a private subnet to connect to the internet (for example, for software updates) or other AWS services, but prevent the internet from initiating connections with the instances.
  2. A NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances.
  3. When traffic goes to the internet, the source IPv4 address is replaced with the NAT device's address and similarly, when the response traffic goes to those instances, the NAT device translates the address back to those instances' private IPv4 addresses.

NAT devices translate IPv4. IPv6 addresses are globally unique and need no address translation, so outbound-only IPv6 uses an egress-only internet gateway instead. (The later NAT64 feature of NAT gateways lets IPv6-only instances reach IPv4 services; that is IPv6-to-IPv4 translation, not NAT for IPv6 traffic.)
71
Q

Which of the following are NAT devices offered by AWS? Choose 2.

  1. NAT Private Gateway
  2. NAT Internet Gateway
  3. NAT gateway
  4. NAT instance
A
  3. NAT gateway
  4. NAT instance

"NAT private gateway" and "NAT internet gateway" are not AWS components.
72
Q

Which of the following is true about difference between NAT instances and NAT gateways? Choose 3.

  1. Type and size: NAT Gateway: Choose a suitable instance type and size, according to your predicted workload. NAT instances: Uniform offering; you don’t need to decide on the type or size.
  2. Bandwidth = NAT gateways: Can scale up to 45 Gbps. NAT instances: Depends on the bandwidth of the instance type.
  3. Maintenance= NAT gateways: Managed by AWS.NAT instances: Managed by you.
  4. Performance=NAT gateways: Software is optimized for handling NAT traffic. NAT instances: A generic Amazon Linux AMI that’s configured to perform NAT.
A
  2. Bandwidth = NAT gateways: Can scale up to 45 Gbps. NAT instances: Depends on the bandwidth of the instance type.
  3. Maintenance = NAT gateways: Managed by AWS. NAT instances: Managed by you.
  4. Performance = NAT gateways: Software is optimized for handling NAT traffic. NAT instances: A generic Amazon Linux AMI that's configured to perform NAT.

Option 1 is reversed: the NAT gateway is the uniform, managed offering, and it is with a NAT instance that you choose the instance type and size for the expected workload.
73
Q

You created a NAT gateway and followed the steps to configure it, but when you test, your instances in the private subnet cannot access the internet. What could be the possible reasons? Choose 4.

  1. The NAT gateway is not ready to serve traffic.
  2. Your route tables are not configured correctly.
  3. You should place the instance in a public subnet.
  4. Your security groups or network ACLs are blocking inbound or outbound traffic.
  5. You’re using an unsupported protocol.
A
  1. The NAT gateway is not ready to serve traffic.
  2. Your route tables are not configured correctly.
  3. You should place the instance in a public subnet.
  4. Your security groups or network ACLs are blocking inbound or outbound traffic.
  5. You’re using an unsupported protocol.
74
Q

You are using a NAT instance to enable instances in a private subnet to connect to the internet for software updates, but to prevent the internet from initiating connections with the instances. The NAT instance is in the public subnet and you have ensured that security groups, network ACLs and route tables are also appropriately configured. But on testing, your instance in the private subnet still cannot access the internet. What could be the possible reason?

  1. Your source instance should be in a public subnet to access the internet.
  2. Your NAT instance should also be in the private subnet.
  3. You should disable the source/destination check on the NAT instance.
  4. All of the above
A
  1. Your source instance should be in a public subnet to access the internet.
  2. Your NAT instance should also be in the private subnet.
  3. You should disable the source/destination check on the NAT instance.
  4. All of the above
75
Q

Which of the following can be used as a bastion server to access private subnet instances in a VPC?

  1. NAT Instance
  2. NAT Gateway
  3. Transit Gateway
  4. Bastion Instance
A
  1. NAT Instance
  2. NAT Gateway
  3. Transit Gateway
  4. Bastion Instance
76
Q

You want to run a public-facing web application, while maintaining back-end servers that aren’t publicly accessible. You will have to set up security and routing so that the web servers can communicate with the MySQL database servers. You also need to ensure that database servers can connect to the Internet for software updates but the Internet cannot establish connections to the database servers. How will you set up your VPC configuration?

  1. Set up the web servers in a public subnet and the database servers in a private subnet.
  2. The DB instances in the private subnet can access the Internet by using a network address translation (NAT) instance that resides in the public subnet.
  3. The security group attached to the DB instances should only allow read or write database requests from the web servers, by configuring the source as the web servers’ security group.
  4. The DB instances in the private subnet can access the Internet by using a web server EC2 instance that resides in the public subnet.
  5. The security group attached to the NAT instance should allow internet access from the DB servers in the private subnet and route the responses back to them.
A
  1. Set up the web servers in a public subnet and the database servers in a private subnet.
  2. The DB instances in the private subnet can access the Internet by using a network address translation (NAT) instance that resides in the public subnet.
  3. The security group attached to the DB instances should only allow read or write database requests from the web servers, by configuring the source as the web servers’ security group.
  4. The DB instances in the private subnet can access the Internet by using a web server EC2 instance that resides in the public subnet.
  5. The security group attached to the NAT instance should allow internet access from the DB servers in the private subnet and route the responses back to them.
77
Q

In the following diagram, Subnet 3A is a VPN-only subnet. How can instances in the subnet reach the internet or AWS services? Choose 2.

  1. Any Internet-bound traffic must first traverse the virtual private gateway to the corporate network, where the traffic is then subject to firewall and corporate security policies.
  2. If the instances send any AWS-bound traffic, the requests must go over the virtual private gateway to the corporate network and then egress to the Internet before reaching AWS.
  3. Instances can send any AWS-bound traffic directly without going through the corporate network.
  4. Any Internet-bound traffic can flow through the internet gateway.
A
  1. Any Internet-bound traffic must first traverse the virtual private gateway to the corporate network, where the traffic is then subject to firewall and corporate security policies.
  2. If the instances send any AWS-bound traffic, the requests must go over the virtual private gateway to the corporate network and then egress to the Internet before reaching AWS.
  3. Instances can send any AWS-bound traffic directly without going through the corporate network.
  4. Any Internet-bound traffic can flow through the internet gateway.
78
Q

What must you do to enable access to or from the internet for instances in a VPC subnet? Choose 4.

  1. Attach an internet gateway to your VPC.
  2. Attach a Transit Gateway or VPN Gateway to your VPC.
  3. Ensure that your subnet’s route table points to the internet gateway.
  4. Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
  5. Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.
A
  1. Attach an internet gateway to your VPC.
  2. Attach a Transit Gateway or VPN Gateway to your VPC.
  3. Ensure that your subnet’s route table points to the internet gateway.
  4. Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
  5. Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.
79
Q

You have configured a VPC with a public and a private subnet as shown in the diagram below, with: Public subnet: a web server instance, and a NAT instance for private subnet instances to access the internet. Private subnet: RDS instances and a fleet of EC2 instances in an auto scaling group. These instances access the internet through the NAT instance in the public subnet for software updates. The software updates for instances in the private subnet are scheduled to run every night from 11 pm to 1 am. You observe recently that these updates have become very slow and some of the updates are timing out before the end of the two-hour maintenance window. You identify that the bottleneck is the NAT instance’s network bandwidth. What architecture changes can you make to resolve this problem?

  1. Increase the number of NAT instances and change their instance type to one having more bandwidth.
  2. Use a NAT gateway instead of a NAT instance.
  3. Place the NAT instance in the private subnet to increase network performance.
  4. Change the maintenance windows of the private subnet instances so that they do not overlap with one another.
A
  1. Increase the number of NAT instances and change their instance type to one having more bandwidth.
  2. Use a NAT gateway instead of a NAT instance.
  3. Place the NAT instance in the private subnet to increase network performance.
  4. Change the maintenance windows of the private subnet instances so that they do not overlap with one another.
80
Q

Which of the following are components of a VPC? Choose 3.

  1. S3, Lambda, EC2, RDS
  2. IP Address Range, Subnet
  3. Internet Gateway, NAT Gateway, Virtual Private Gateway, Egress-only Internet Gateway
  4. Direct Connect, CloudFront and Route 53
  5. Peering Connection, VPC Endpoints
A
  1. S3, Lambda, EC2, RDS
  2. IP Address Range, Subnet
  3. Internet Gateway, NAT Gateway, Virtual Private Gateway, Egress-only Internet Gateway
  4. Direct Connect, CloudFront and Route 53
  5. Peering Connection, VPC Endpoints
81
Q

Which of the following are VPC limits? Choose 2.

  1. The default limit for the number of VPCs per region per account is 5.
  2. The IP address range of a VPC is between a maximum of /16 and a minimum of /28 netmask.
  3. The default limit for the number of VPCs per account is 5.
  4. The IP address range of a VPC is between a minimum of /16 and a maximum of /28 netmask.
A
  1. The default limit for the number of VPCs per region per account is 5.
  2. The IP address range of a VPC is between a maximum of /16 and a minimum of /28 netmask.
  3. The default limit for the number of VPCs per account is 5.
  4. The IP address range of a VPC is between a minimum of /16 and a maximum of /28 netmask.
82
Q

What are the features of a VPC Subnet? Choose 3.

  1. An internal subnet is for connections only from your corporate VPN.
  2. A subnet is a range of IP addresses in your VPC.
  3. A public subnet is for resources that must be connected to the internet.
  4. A private subnet is for resources that won’t be connected to the internet.
A
  1. An internal subnet is for connections only from your corporate VPN.
  2. A subnet is a range of IP addresses in your VPC.
  3. A public subnet is for resources that must be connected to the internet.
  4. A private subnet is for resources that won’t be connected to the internet.
83
Q

You are the solution architect for a mortgage broker who has a web application running on an on-demand EC2 instance in a public subnet of a VPC. The database servers are in the private subnet. This web application is for end customers to log in and check their application status. You are using security groups to manage the user requests reaching your instances in the public and private subnets. Your IT monitoring team notices a brute-force attack from an IP address outside the company network. How can you block the IP address so that its requests don’t reach your web servers?

  1. Create a rule in the security group attached to the web server instance to block the IP address.
  2. Create a rule in the Network Access Control List attached to the web server instance to deny access to the IP address.
  3. Move the web server instances from the public subnet to the private subnet.
  4. Create a rule to block the IP address in the internet gateway.
A
  1. Create a rule in the security group attached to the web server instance to block the IP address.
  2. Create a rule in the Network Access Control List attached to the web server instance to deny access to the IP address.
  3. Move the web server instances from the public subnet to the private subnet.
  4. Create a rule to block the IP address in the internet gateway.
84
Q

Your company has a VPC for the HR department, and another VPC for the finance department. The HR department requires access to all resources that are in the finance department, and the finance department requires access to all resources in the HR department. To enable the two departments to have full access to each other’s resources you have created a VPC peering connection. What updates need to be made to the route tables? Choose 2.

  1. Add a route pointing to the Finance department VPC’s CIDR block in the route table that’s associated with the HR department subnets.
  2. Add a route pointing to the HR department VPC’s CIDR block in the route table that’s associated with the Finance department subnets.
  3. No need to add any entry in the Finance department subnet route tables.
  4. No need to add any entry in the HR department subnet route tables.
A
  1. Add a route pointing to the Finance department VPC’s CIDR block in the route table that’s associated with the HR department subnets.
  2. Add a route pointing to the HR department VPC’s CIDR block in the route table that’s associated with the Finance department subnets.
  3. No need to add any entry in the Finance department subnet route tables.
  4. No need to add any entry in the HR department subnet route tables.
85
Q

Which VPC component enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection?

  1. It is not possible
  2. Egress only Internet Gateway
  3. Transit Gateway
  4. VPC Endpoints
A
  1. It is not possible
  2. Egress only Internet Gateway
  3. Transit Gateway
  4. VPC Endpoints
86
Q

Which of the following are types of VPC endpoints? Choose 2.

  1. Interface endpoints
  2. Internet endpoints
  3. Gateway endpoints
  4. Service endpoints
A
  1. Interface endpoints
  2. Internet endpoints
  3. Gateway endpoints
  4. Service endpoints
87
Q

Which of the following AWS services are supported by VPC Gateway endpoints? Choose 2.

  1. Amazon S3
  2. DynamoDB
  3. Amazon RDS
  4. Amazon EBS
A
  1. Amazon S3
  2. DynamoDB
  3. Amazon RDS
  4. Amazon EBS
88
Q

You have a VPC peering connection (pcx-22223333) between VPC A and VPC B, which are in the same AWS account. VPC A’s CIDR block is 172.16.0.0/16. VPC B’s CIDR block is 10.0.0.0/16. Which of the following is the correct configuration of route tables to enable communication between both VPCs?

A
89
Q

You have three VPCs: A, B and C. How many peering connections do you need to configure so that all the VPCs can access one another’s resources?

  1. Two peering configurations. A-B and B-C peering configurations need to be done; A-C transitive peering will be configured automatically.
  2. Three peering configurations: A-B, B-C and C-A.
  3. Two peering configurations. A-C and B-C peering configurations need to be done; A-B transitive peering will be configured automatically.
  4. None of the above.
A
  1. Two peering configurations. A-B and B-C peering configurations need to be done; A-C transitive peering will be configured automatically.
  2. Three peering configurations: A-B, B-C and C-A.
  3. Two peering configurations. A-C and B-C peering configurations need to be done; A-B transitive peering will be configured automatically.
  4. None of the above.
90
Q

You have 7 VPCs for which you want to create a full mesh peering configuration, so that every VPC can access the resources of every other VPC. How many peering connections do you need to create?

  1. 7
  2. 14
  3. 21
  4. 28
A
  1. 7
  2. 14
  3. 21
  4. 28
91
Q

VPC A and VPC B are peered, and VPC A has a VPN connection to a corporate network. Which of the following two statements are true?

  1. You cannot use VPC A to extend the peering relationship to exist between VPC B and the corporate network.
  2. Traffic from the corporate network can’t directly access VPC B by using the VPN connection to VPC A.
  3. You can use VPC A to extend the peering relationship to exist between VPC B and the corporate network.
  4. Traffic from the corporate network can directly access VPC B by using the VPN connection to VPC A.
A
  1. You cannot use VPC A to extend the peering relationship to exist between VPC B and the corporate network.
  2. Traffic from the corporate network can’t directly access VPC B by using the VPN connection to VPC A.
  3. You can use VPC A to extend the peering relationship to exist between VPC B and the corporate network.
  4. Traffic from the corporate network can directly access VPC B by using the VPN connection to VPC A.
92
Q

Which of the following services are supported by VPC Interface endpoints? Choose 3.

  1. Amazon API Gateway, Elastic Load Balancing, Amazon Kinesis Data Firehose, Amazon Kinesis Data Streams
  2. Amazon SNS, Amazon SQS, AWS Storage Gateway
  3. Amazon S3, DynamoDB, Amazon RDS
  4. AWS CloudFormation, AWS CloudTrail, AWS CodeBuild, AWS CodeCommit, AWS CodePipeline
A
  1. Amazon API Gateway, Elastic Load Balancing, Amazon Kinesis Data Firehose, Amazon Kinesis Data Streams
  2. Amazon SNS, Amazon SQS, AWS Storage Gateway
  3. Amazon S3, DynamoDB, Amazon RDS
  4. AWS CloudFormation, AWS CloudTrail, AWS CodeBuild, AWS CodeCommit, AWS CodePipeline
93
Q

You have a VPC peering connection between VPC A and VPC B (pcx-abababab). VPC A has an internet gateway; VPC B does not. Which of the following two statements are correct?

  1. You can use VPC A to extend the peering relationship to exist between VPC B and the internet.
  2. You cannot use VPC A to extend the peering relationship to exist between VPC B and the internet.
  3. Traffic from the internet can’t directly access VPC B by using the internet gateway connection to VPC A.
  4. Traffic from the internet can directly access VPC B by using the internet gateway connection to VPC A.
A
  1. You can use VPC A to extend the peering relationship to exist between VPC B and the internet.
  2. You cannot use VPC A to extend the peering relationship to exist between VPC B and the internet.
  3. Traffic from the internet can’t directly access VPC B by using the internet gateway connection to VPC A.
  4. Traffic from the internet can directly access VPC B by using the internet gateway connection to VPC A.
94
Q

You have a VPC peering connection between VPC A and VPC B (pcx-abababab). VPC A has a NAT device that provides internet access to instances in private subnets in VPC A. Which of the following two statements are correct?

  1. You can use VPC A to extend the peering relationship to exist between VPC B and the internet through NAT device.
  2. You cannot use VPC A to extend the peering relationship to exist between VPC B and the internet through NAT device.
  3. Traffic from the internet can’t directly access VPC B by using the NAT device connection to VPC A.
  4. Traffic from the internet can directly access VPC B by using the NAT device connection to VPC A.
A
  1. You can use VPC A to extend the peering relationship to exist between VPC B and the internet through NAT device.
  2. You cannot use VPC A to extend the peering relationship to exist between VPC B and the internet through NAT device.
  3. Traffic from the internet can’t directly access VPC B by using the NAT device connection to VPC A.
  4. Traffic from the internet can directly access VPC B by using the NAT device connection to VPC A.
95
Q

You have a VPC peering connection between VPC A and VPC B (pcx-abababab). VPC A has a VPC endpoint that connects it to Amazon S3. Which of the following two statements are correct?

  1. VPC B can’t directly access Amazon S3 using the VPC endpoint connection to VPC A.
  2. VPC B can directly access Amazon S3 using the VPC endpoint connection to VPC A.
  3. Traffic from Amazon S3 can flow directly to VPC B by using the connection to VPC A.
  4. Traffic from Amazon S3 cannot flow directly to VPC B by using the connection to VPC A.
A
  1. VPC B can’t directly access Amazon S3 using the VPC endpoint connection to VPC A.
  2. VPC B can directly access Amazon S3 using the VPC endpoint connection to VPC A.
  3. Traffic from Amazon S3 can flow directly to VPC B by using the connection to VPC A.
  4. Traffic from Amazon S3 cannot flow directly to VPC B by using the connection to VPC A.
96
Q

You have created a VPC with a public and a private subnet, with instances in both subnets. To provide internet access to the instances in the private subnet you are using a NAT gateway. The private subnet instances store and fetch nearly 1 TB of data from S3 every day. These requests and data pass through the NAT gateway. You notice in your monthly billing that this is one of the major costs, as a NAT gateway is billed both by price per NAT gateway ($/hour) and by price per GB of data processed ($). How can you minimize the data transfer cost?

  1. There is no alternative, as instances in a private subnet can access the internet only over a NAT gateway.
  2. Use a VPC Gateway Endpoint, which supports Amazon S3.
  3. Use an Amazon S3 Gateway.
  4. Use a Customer Gateway.
A
  1. There is no alternative, as instances in a private subnet can access the internet only over a NAT gateway.
  2. Use a VPC Gateway Endpoint, which supports Amazon S3.
  3. Use an Amazon S3 Gateway.
  4. Use a Customer Gateway.
97
Q

You have created a peering configuration between two VPCs in your organization as shown below.

Choose the 3 options that are correct for VPC A subnet routing.

  1. Traffic will not flow from VPC A to VPC B, as in the route table 172.31.0.0/16 overlaps with 0.0.0.0/0, and 0.0.0.0/0 is mapped to the internet gateway route.
  2. Any traffic from the VPC A subnet that’s destined for the 172.31.0.0/16 IP address range will flow through the peering connection.
  3. Any traffic destined for a target within VPC A (10.0.0.0/16) is covered by the Local route, and therefore is routed within the VPC.
  4. Any traffic in VPC A destined for somewhere other than the Local and peer VPC ranges will flow through the internet gateway.
A
  1. Traffic will not flow from VPC A to VPC B, as in the route table 172.31.0.0/16 overlaps with 0.0.0.0/0, and 0.0.0.0/0 is mapped to the internet gateway route.
  2. Any traffic from the VPC A subnet that’s destined for the 172.31.0.0/16 IP address range will flow through the peering connection.
  3. Any traffic destined for a target within VPC A (10.0.0.0/16) is covered by the Local route, and therefore is routed within the VPC.
  4. Any traffic in VPC A destined for somewhere other than the Local and peer VPC ranges will flow through the internet gateway.
98
Q

You have created a VPC with a public and a private subnet, with instances in both subnets. To provide internet access to the instances in the private subnet you are using a NAT gateway. The private subnet instances store and fetch nearly 1 TB of data from DynamoDB every day. These requests and data pass through the NAT gateway. You notice in your monthly billing that this is one of the major costs, as a NAT gateway is billed both by price per NAT gateway ($/hour) and by price per GB of data processed ($). How can you minimize the data transfer cost?

  1. There is no alternative, as instances in a private subnet can access the internet only over a NAT gateway.
  2. Use an Amazon DynamoDB Gateway.
  3. Use a Customer Gateway.
  4. Use a VPC Gateway Endpoint, which supports Amazon DynamoDB.
A
  1. There is no alternative, as instances in a private subnet can access the internet only over a NAT gateway.
  2. Use an Amazon DynamoDB Gateway.
  3. Use a Customer Gateway.
  4. Use a VPC Gateway Endpoint, which supports Amazon DynamoDB.
99
Q

Your company has a VPC for the HR department, and another VPC for the finance department. The HR department requires access to all resources that are in the finance department, and the finance department requires access to all resources in the HR department. How can you achieve this?

  1. Delete one VPC and move all the resources to another VPC.
  2. Establish a VPC peering connection between the two VPCs.
  3. Modify IAM policies in the two VPCs to enable access.
  4. This is possible only when the two VPCs are in the same corporate AWS account.
A
  1. Delete one VPC and move all the resources to another VPC.
  2. Establish a VPC peering connection between the two VPCs.
  3. Modify IAM policies in the two VPCs to enable access.
  4. This is possible only when the two VPCs are in the same corporate AWS account.
100
Q

Your company has multiple IT departments, each with their own VPC. Some VPCs are located within the same AWS account, and others in a different AWS account. You want to enable the IT departments to have full access to each other’s resources. How can you achieve this?

  1. Delete all VPCs and move the resources to one VPC.
  2. Establish VPC peering connections between the VPCs.
  3. Modify IAM policies in the VPCs to enable access.
  4. This is possible only when the VPCs are in the same corporate AWS account.
A
  1. Delete all VPCs and move the resources to one VPC.
  2. Establish VPC peering connections between the VPCs.
  3. Modify IAM policies in the VPCs to enable access.
  4. This is possible only when the VPCs are in the same corporate AWS account.
101
Q

What are the components of a Site-to-Site VPN? Choose 3.

  1. Direct Connect
  2. Virtual Private Gateway
  3. AWS Transit Gateway
  4. Customer Gateway
A
  1. Direct Connect
  2. Virtual Private Gateway
  3. AWS Transit Gateway
  4. Customer Gateway
102
Q

Which component of a Site-to-Site VPN is on the AWS VPC side?

  1. Direct Connect
  2. Virtual Private Gateway
  3. AWS Transit Gateway
  4. Customer Gateway
A
  1. Direct Connect
  2. Virtual Private Gateway
  3. AWS Transit Gateway
  4. Customer Gateway
103
Q

Which component of a Site-to-Site VPN is on the customer remote network side?

  1. Direct Connect
  2. Virtual Private Gateway
  3. AWS Transit Gateway
  4. Customer Gateway
A
  1. Direct Connect
  2. Virtual Private Gateway
  3. AWS Transit Gateway
  4. Customer Gateway
104
Q

Which component acts as a hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks?

  1. Direct Connect
  2. Virtual Private Gateway
  3. AWS Transit Gateway
  4. Customer Gateway
A
  1. Direct Connect
  2. Virtual Private Gateway
  3. AWS Transit Gateway
  4. Customer Gateway
105
Q

Which security protocol is supported for AWS Site-to-Site VPN connections?

  1. PPTP
  2. L2F
  3. L2TP
  4. IPSec
A
  1. PPTP
  2. L2F
  3. L2TP
  4. IPSec
106
Q

A Site-to-Site VPN connection offers how many VPN tunnels between a virtual private gateway or transit gateway on the AWS side and a customer gateway on the remote (customer) side?

  1. 1
  2. 2
  3. 3
  4. 4
A
  1. 1
  2. 2
  3. 3
  4. 4
107
Q

Your organization has adopted AWS and hosts applications that span hundreds of VPCs. Connecting and managing hundreds of VPCs via peering requires massive route tables, which are difficult to deploy and manage and can be error prone. Which AWS service can minimize the operational burden of managing such a vast distributed network?

  1. AWS Direct Connect
  2. AWS Site to Site VPN
  3. AWS VPN Gateway
  4. AWS Transit Gateway
A
  1. AWS Direct Connect
  2. AWS Site to Site VPN
  3. AWS VPN Gateway
  4. AWS Transit Gateway
108
Q

You have migrated your company’s on-premises application to AWS and deployed it inside a VPC. You have created security groups and network ACLs as per the best practices for access over the internet (HTTP/HTTPS) and SSH from the corporate network. You want to create an alarm that alerts you if there have been 10 or more rejected attempts to connect to your instance over TCP port 22 (SSH) within a 1-hour period. How can you achieve this?

  1. Create a filter and alarm in CloudTrail.
  2. Enable flow logs for your VPC and publish the data directly to CloudTrail logs, then in CloudTrail select your VPC flow log group to create a metric filter and an alarm that notifies you by email.
  3. Create a filter and alarm in CloudWatch.
  4. Enable flow logs for your VPC and publish the data directly to CloudWatch Logs, then in CloudWatch select your VPC flow log group to create a metric filter and an alarm that notifies you by email.
A
  1. Create a filter and alarm in CloudTrail.
  2. Enable flow logs for your VPC and publish the data directly to CloudTrail logs, then in CloudTrail select your VPC flow log group to create a metric filter and an alarm that notifies you by email.
  3. Create a filter and alarm in CloudWatch.
  4. Enable flow logs for your VPC and publish the data directly to CloudWatch Logs, then in CloudWatch select your VPC flow log group to create a metric filter and an alarm that notifies you by email.
109
Q

You are the solution architect for a financial services company. For security reasons you have deployed an analytical application in a private subnet of a VPC that has an IPv6 CIDR block. You are exploring options to give the private subnet instances access to download software updates without creating a public subnet. How will you achieve this requirement?

  1. Use an egress-only internet gateway
  2. Use a NAT gateway
  3. Use a NAT instance
  4. Use an internet gateway
A
  1. Use an egress-only internet gateway
  2. Use a NAT gateway
  3. Use a NAT instance
  4. Use an internet gateway
110
Q

When you create a custom VPC, which of the following is created for you by default? Choose 3.

  1. Security Group
  2. Network ACL
  3. Route Table
  4. Subnet
A
  1. Security Group
  2. Network ACL
  3. Route Table
  4. Subnet
111
Q

What are the benefits of having ELB? Choose 3.

  1. High Availability
  2. Health Checks
  3. Security layer
  4. High Server Performance
A
  1. High Availability
  2. Health Checks
  3. Security layer
  4. High Server Performance
112
Q

Choose the three types of load balancers provided by AWS.

  1. Application Load Balancers
  2. Database Load Balancers
  3. Network Load Balancers
  4. Classic Load Balancers
A
  1. Application Load Balancers
  2. Database Load Balancers
  3. Network Load Balancers
  4. Classic Load Balancers
113
Q

What are the protocols supported by the Application Load Balancer?

  1. HTTP, HTTPS
  2. TCP, UDP, TLS
  3. TCP, SSL/TLS, HTTP, HTTPS
  4. HTTP, HTTPS, TCP
A
  1. HTTP, HTTPS
  2. TCP, UDP, TLS
  3. TCP, SSL/TLS, HTTP, HTTPS
  4. HTTP, HTTPS, TCP
114
Q

What are the protocols supported by the Network Load Balancer?

  1. HTTP, HTTPS
  2. TCP, UDP, TLS
  3. TCP, SSL/TLS, HTTP, HTTPS
  4. HTTP, HTTPS, TCP
A
  1. HTTP, HTTPS
  2. TCP, UDP, TLS
  3. TCP, SSL/TLS, HTTP, HTTPS
  4. HTTP, HTTPS, TCP
115
Q

What are the protocols supported by the Classic Load Balancer?

  1. HTTP, HTTPS
  2. TCP, UDP, TLS
  3. TCP, SSL/TLS, HTTP, HTTPS
  4. HTTP, HTTPS, TCP
A
  1. HTTP, HTTPS
  2. TCP, UDP, TLS
  3. TCP, SSL/TLS, HTTP, HTTPS
  4. HTTP, HTTPS, TCP
116
Q

Which load balancer should you use if you need flexible application management?

  1. Application Load Balancers
  2. Database Load Balancers
  3. Network Load Balancers
  4. Classic Load Balancers
A
  1. Application Load Balancers
  2. Database Load Balancers
  3. Network Load Balancers
  4. Classic Load Balancers
117
Q

Which load balancer should you use if you have an existing application that was built within the EC2-Classic network?

  1. Application Load Balancers
  2. Network Load Balancers
  3. Classic Load Balancers
  4. Database Load Balancers
A
  1. Application Load Balancers
  2. Network Load Balancers
  3. Classic Load Balancers
  4. Database Load Balancers
118
Q

Which load balancer operates at the request level (layer 7) and can be used for HTTP/HTTPS application traffic?

  1. Network Load Balancers
  2. Classic Load Balancers
  3. Database Load Balancers
  4. Application Load Balancers
A
  1. Network Load Balancers
  2. Classic Load Balancers
  3. Database Load Balancers
  4. Application Load Balancers
119
Q

Which load balancer operates at the connection level (layer 4) and can be used for TCP and UDP traffic?

  1. Network Load Balancers
  2. Classic Load Balancers
  3. Database Load Balancers
  4. Application Load Balancers
A
  1. Network Load Balancers
  2. Classic Load Balancers
  3. Database Load Balancers
  4. Application Load Balancers
120
Q

When you enable an Availability Zone for your load balancer, Elastic Load Balancing creates a load balancer node in that Availability Zone. What is cross-zone load balancing? Choose 2.

  1. When disabled, each load balancer node distributes traffic across the registered targets in all enabled Availability Zones.
  2. When enabled, each load balancer node distributes traffic across the registered targets in all enabled Availability Zones.
  3. When disabled, each load balancer node distributes traffic across the registered targets in its Availability Zone only.
  4. When enabled, each load balancer node distributes traffic across the registered targets in its Availability Zone only.
A
  2. When enabled, each load balancer node distributes traffic across the registered targets in all enabled Availability Zones.
  3. When disabled, each load balancer node distributes traffic across the registered targets in its Availability Zone only.
Cross-zone load balancing is enabled by default for an Application Load Balancer and disabled by default for a Network Load Balancer.
121
Q

For an ELB there are two enabled Availability Zones, with 2 targets in Availability Zone A and 8 targets in Availability Zone B. Clients send requests, and Amazon Route 53 responds to each request with the IP address of one of the load balancer nodes. How will the traffic be distributed if cross-zone load balancing is enabled?

  1. Each of the 2 targets in Availability Zone A receives 50% of the traffic and each of the 8 targets in Availability Zone B receives 12.5% of the traffic.
  2. Each of the 10 targets receives 10% of the traffic.
  3. Each of the 2 targets in Availability Zone A receives 25% of the traffic and each of the 8 targets in Availability Zone B receives 6.25% of the traffic.
  4. None of the above
A
  2. Each of the 10 targets receives 10% of the traffic.
122
Q

What are the three components of an Application Load Balancer? Choose 3.

  1. Load Balancer
  2. Listener
  3. Target Group
  4. Firewall
A
  1. Load Balancer
  2. Listener
  3. Target Group
123
Q

Which of the following statements are true about internet facing load balancers? Choose 3.

  1. The nodes of an Internet-facing load balancer have public IP addresses.
  2. The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes.
  3. The DNS name of an Internet-facing load balancer is publicly resolvable to the private IP addresses of the nodes.
  4. Internet-facing load balancers can route requests from clients over the Internet.
A
  1. The nodes of an Internet-facing load balancer have public IP addresses.
  2. The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP addresses of the nodes.
  4. Internet-facing load balancers can route requests from clients over the Internet.
124
Q

For an ELB there are two enabled Availability Zones, with 2 targets in Availability Zone A and 8 targets in Availability Zone B. Clients send requests, and Amazon Route 53 responds to each request with the IP address of one of the load balancer nodes. How will the traffic be distributed if cross-zone load balancing is not enabled?

  1. Each of the 2 targets in Availability Zone A receives 50% of the traffic and each of the 8 targets in Availability Zone B receives 12.5% of the traffic.
  2. Each of the 10 targets receives 10% of the traffic.
  3. Each of the 2 targets in Availability Zone A receives 25% of the traffic and each of the 8 targets in Availability Zone B receives 6.25% of the traffic.
  4. None of the above
A
  3. Each of the 2 targets in Availability Zone A receives 25% of the traffic and each of the 8 targets in Availability Zone B receives 6.25% of the traffic.
Route 53 hands out the node addresses in turn, so each node receives about half of the requests and, with cross-zone load balancing disabled, spreads its half only over the targets in its own Availability Zone. A target in the 2-target zone therefore carries four times the load of a target in the 8-target zone.
125
Q

Which of the following statements are true about internal load balancers? Choose 3.

  1. Internal load balancers can route requests from clients over the Internet.
  2. The nodes of an internal load balancer have only private IP addresses.
  3. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes.
  4. Internal load balancers can only route requests from clients with access to the VPC for the load balancer.
A
  2. The nodes of an internal load balancer have only private IP addresses.
  3. The DNS name of an internal load balancer is publicly resolvable to the private IP addresses of the nodes.
  4. Internal load balancers can only route requests from clients with access to the VPC for the load balancer.
126
Q

How do you decide which load balancer to select for your application?

  1. If need is to load balance HTTP requests, use Application Load Balancer.
  2. For network/transport protocols (layer4 – TCP, UDP) load balancing, and for extreme performance/low latency applications, use Network Load Balancer.
  3. If your application is built within the EC2 Classic network then you should use Classic Load Balancer.
  4. All of the above.
A
  4. All of the above.
127
Q

Which of the following statements are correct about how Internet-facing and internal load balancers route requests to targets? Choose 2.

  1. Internet-facing route requests to your targets using public IP addresses and internal load balancers route requests to your targets using private IP addresses.
  2. Internet-facing and internal load balancers route requests to your targets using private IP addresses.
  3. Targets do not need public IP addresses to receive requests from an internal or an Internet-facing load balancer.
  4. Targets need public IP addresses to receive requests from an internal or an Internet-facing load balancer.
A
  2. Internet-facing and internal load balancers route requests to your targets using private IP addresses.
  3. Targets do not need public IP addresses to receive requests from an internal or an Internet-facing load balancer.
128
Q

You are designing a multi-tier application: web servers that must be reachable from the Internet, and database servers that are reachable only from the web servers. You want an architecture that uses both internal and Internet-facing load balancers. How will the load balancers be connected to the web and database tiers? Choose 2.

  1. Create an internal load balancer and register the database servers with it.
  2. Create an Internet-facing load balancer and register the web servers with it.
  3. Create an Internet-facing load balancer and register the database servers with it.
  4. The database servers receive requests from the Internet facing load balancer.
A
  1. Create an internal load balancer and register the database servers with it.
  2. Create an Internet-facing load balancer and register the web servers with it.
The web servers, not the Internet-facing load balancer, send requests to the internal load balancer, so the database tier never has a path from the Internet.
129
Q

What are the benefits of migrating from a classic load balancer to application load balancer?

  1. Support for path-based routing
  2. Support for host-based routing
  3. Support for routing based on fields in the request, such as standard and custom HTTP headers and methods, query parameters, and source IP addresses.
  4. All of the above
A
  4. All of the above
130
Q

How do you configure subnets for an Application Load Balancer? Choose 2.

  1. You must specify one public subnet from at least one Availability Zones.
  2. You can specify any number of public subnet per Availability Zone.
  3. You can specify only one public subnet per Availability Zone.
  4. You must specify one public subnet from at least two Availability Zones.
A
  3. You can specify only one public subnet per Availability Zone.
  4. You must specify one public subnet from at least two Availability Zones.
The subnets must be public only for an Internet-facing load balancer; an internal load balancer uses private subnets. Each subnet needs a CIDR of at least /27 with at least 8 free IP addresses for the load balancer nodes.
131
Q

What are the three target types you can select in load balancer target group?

  1. Instance
  2. IP
  3. SQS Queue
  4. Lambda Function
A
  1. Instance
  2. IP
  4. Lambda Function
132
Q

What will happen to targets in an availability zone if that availability zone is disabled for an application load balancer? Choose 2.

  1. The targets in that Availability Zone will not remain registered with the load balancer.
  2. The targets in that Availability Zone will remain registered with the load balancer.
  3. The load balancer will not route requests to the targets.
  4. The load balancer will keep routing requests to target as they are still part of the target group attached to load balancer.
A
  2. The targets in that Availability Zone will remain registered with the load balancer.
  3. The load balancer will not route requests to the targets.
133
Q

Which of the following are correct about application load balancer listener? Choose 3.

  1. You must add one or more listeners.
  2. You must add one listener.
  3. A listener is a process that checks for connection requests, using the protocol and port that you configure.
  4. The rules that you define for a listener determine how the load balancer routes requests to the targets in one or more target groups.
A
  1. You must add one or more listeners.
  3. A listener is a process that checks for connection requests, using the protocol and port that you configure.
  4. The rules that you define for a listener determine how the load balancer routes requests to the targets in one or more target groups.
134
Q

What are the protocols and ports supported by application load balancer listener? Choose 2.

  1. Protocols : HTTP, HTTPS
  2. Ports : 1-65535
  3. Protocols: TCP, UDP
  4. Protocols : HTTP, HTTPS, TCP, UDP
A
  1. Protocols : HTTP, HTTPS
  2. Ports : 1-65535
135
Q

Which of the following statements are correct about web sockets and application load balancer? Choose 2.

  1. Application Load Balancers doesn’t provide native support for WebSockets.
  2. You cannot use WebSockets with both HTTP and HTTPS listeners.
  3. Application Load Balancers provide native support for WebSockets.
  4. You can use WebSockets with both HTTP and HTTPS listeners.
A
  3. Application Load Balancers provide native support for WebSockets.
  4. You can use WebSockets with both HTTP and HTTPS listeners.
136
Q

What does a target group attached to an application load balancer do?

  1. Route requests to one or more registered targets.
  2. Route requests to one or more registered listeners.
  3. Route requests to one or more registered targets in a specific subnet.
  4. Route requests to one or more registered targets in a specific availability zone.
A
  1. Route requests to one or more registered targets.
137
Q

If you choose the IP target type for a target group attached to an application load balancer, from which of the following CIDR blocks can you specify IP addresses? Choose 3.

  1. Any publicly routable IP addresses.
  2. Any subnets of the VPC for the target group.
  3. 10.0.0.0/8 (RFC 1918), 100.64.0.0/10 (RFC 6598)
  4. 172.16.0.0/12 (RFC 1918), 192.168.0.0/16 (RFC 1918)
A
  2. Any subnets of the VPC for the target group.
  3. 10.0.0.0/8 (RFC 1918), 100.64.0.0/10 (RFC 6598)
  4. 172.16.0.0/12 (RFC 1918), 192.168.0.0/16 (RFC 1918)
Publicly routable IP addresses cannot be registered as IP targets.
138
Q

You have an application whose web server maintains state information in order to provide a continuous experience to clients. How can you ensure that your application load balancer routes the requests to the same target in a target group for all the requests from the user during a session?

  1. Have to programmatically handle at web api level to give stateful experience.
  2. Enable sticky session attribute of the target group attached to load balancer.
  3. Load balancer doesn’t support stateful session management.
  4. Client should send its own generated session cookie each time with information about the target instance.
A
  2. Enable sticky session attribute of the target group attached to load balancer.
Stickiness is a target group attribute. With duration-based stickiness the load balancer sets its own AWSALB cookie; the client never chooses the target itself.
139
Q

How can you ensure that the load balancer stops sending requests to instances that are deregistering or unhealthy while keeping the existing session connection open so as to complete the in-flight requests to these instances ?

  1. Programmatically keep sending requests to the same instance till session completes.
  2. Enable sticky sessions.
  3. Enable connection draining.
  4. All of the above.
A
  3. Enable connection draining.
"Connection draining" is the Classic Load Balancer term. For Application and Network Load Balancers the same behaviour is the target group's deregistration delay attribute (default 300 seconds).
140
Q

How does an application load balancer check the status of registered targets?

  1. Through health checks
  2. Through connection draining checks
  3. Through Session checks
  4. Targets ping their status to load balancer
A
  1. Through health checks
141
Q

Which of the following statements are correct about application load balancer health checks? Choose 3.

  1. Each load balancer node routes requests only to the healthy targets in the enabled Availability Zones for the load balancer.
  2. After your target is registered, it must pass at least two consecutive health checks to be considered healthy.
  3. After your target is registered, it must pass one health check to be considered healthy.
  4. Health checks do not support WebSockets.
A
  1. Each load balancer node routes requests only to the healthy targets in the enabled Availability Zones for the load balancer.
  3. After your target is registered, it must pass one health check to be considered healthy.
  4. Health checks do not support WebSockets.
The healthy threshold (consecutive successes, default 5) applies when an already-registered target that has become unhealthy is returned to service, not to the initial registration.
142
Q

Which of the following are correct about application load balancer listener rule? Choose 3.

  1. Each listener has a default rule, and you can optionally define additional rules.
  2. Each rule consists of a priority, one or more actions, and one or more conditions.
  3. Rules are evaluated in priority order, from the lowest value to the highest value. The default rule is evaluated last.
  4. Rules are evaluated in priority order, from the lowest value to the highest value. The default rule is evaluated first.
A
  1. Each listener has a default rule, and you can optionally define additional rules.
  2. Each rule consists of a priority, one or more actions, and one or more conditions.
  3. Rules are evaluated in priority order, from the lowest value to the highest value. The default rule is evaluated last.
143
Q

Which of the following reasons are valid reasons to use application load balancers?

  1. To have the ability to manage load between micro services and general requests.
  2. To have better availability and fault tolerance of your application instances.
  3. To balance load across application which are in containers
  4. All of the above
A
  4. All of the above
144
Q

You have configured an application load balancer in front of four instances running your web server. These four instances are distributed two each across two availability zones (AZ-A, AZ-B) enabled for the load balancer. As load increases you add two more instances in a new availability zone (AZ-C) to the target group. However, you notice that the new target instances are taking longer than expected to enter the InService state and may be failing health checks. What possible reasons will you check?

  1. Security group of the instance may not be allowing traffic from load balancer.
  2. Network access control list (ACL) of the new instance’s subnet may not be allowing traffic.
  3. Availability zone AZ-C may not be enabled for the load balancer.
  4. The health check ping path may not be existing in the instance.
  5. All of the above.
A
  5. All of the above.
145
Q

What should you check if clients cannot connect to an Internet-facing application load balancer? Choose 3.

  1. Load balancer is attached to a public subnet.
  2. Load balancer is attached to a private subnet.
  3. The security group for the load balancer must allow inbound traffic from the clients and outbound traffic to the clients on the listener ports.
  4. Network ACLs for the load balancer subnets must allow inbound traffic from the clients and outbound traffic to the clients on the listener ports.
A
  1. Load balancer is attached to a public subnet.
  3. The security group for the load balancer must allow inbound traffic from the clients and outbound traffic to the clients on the listener ports.
  4. Network ACLs for the load balancer subnets must allow inbound traffic from the clients and outbound traffic to the clients on the listener ports.
Verify that the Internet-facing load balancer is in public subnets (one attached only to private subnets is unreachable from the Internet), then the security group, then the network ACLs, which are stateless and must also allow the return traffic on ephemeral ports.
146
Q

Which two of the following statements are correct for application load balancer health checks?

  1. If there is at least one healthy target in a target group, the load balancer routes requests only to the healthy targets.
  2. Load balancer will never send request to unhealthy targets.
  3. If a target group contains only unhealthy targets, the load balancer routes requests to the unhealthy targets.
  4. Load balancer will always send request to targets in a target group irrespective of health status.
A
  1. If there is at least one healthy target in a target group, the load balancer routes requests only to the healthy targets.
  3. If a target group contains only unhealthy targets, the load balancer routes requests to the unhealthy targets.
147
Q

Which load balancer should you use if you need extreme performance and a static IP address for your application?

  1. Application Load Balancers
  2. Classic Load Balancers
  3. Database Load Balancers
  4. Network Load Balancers
A
  4. Network Load Balancers
148
Q

What are the benefits of migrating from a classic load balancer to network load balancer?

  1. Ability to handle volatile workloads and scale to millions of requests per second.
  2. Support for static IP addresses for the load balancer. You can also assign one Elastic IP address per subnet enabled for the load balancer.
  3. Support for routing requests to multiple applications on a single EC2 instance.
  4. Support for containerized applications.
  5. All of the above.
A
  5. All of the above.
149
Q

What are the protocols and ports supported by network load balancer? Choose 2.

  1. Protocols: TCP, TLS, UDP, TCP_UDP
  2. Ports: 1-65535
  3. Protocols: HTTP, HTTPS
  4. Protocols: HTTP, HTTPS, TCP, UDP
A
  1. Protocols: TCP, TLS, UDP, TCP_UDP
  2. Ports: 1-65535
150
Q

What are the possible target types for network load balancer target groups? Choose 2.

  1. Instance
  2. IP Address
  3. Lambda function
  4. SQS Queue
A
  1. Instance
  2. IP Address
A Network Load Balancer can also forward to an Application Load Balancer (target type "alb"), a later addition not covered by this card.
151
Q

You are using instance ID as the target type for a network load balancer target group. What should you do so that the source IP addresses of the clients are preserved and provided to your applications?

  1. Enable Proxy Protocol and get the client IP addresses from the Proxy Protocol header.
  2. You don’t need to do anything the source IP addresses of the clients are preserved and provided to your applications.
  3. Enable sticky sessions in the load balancer.
  4. Send the ip address through client cookie.
A
  2. You don’t need to do anything: the source IP addresses of the clients are preserved and provided to your applications.
With instance targets the NLB forwards packets with the client's source address intact, so the instance security group must allow the client address range (or 0.0.0.0/0), not just the load balancer's addresses.
152
Q

You are using IP address as the target type for a network load balancer target group. What should you do so that the source IP addresses of the clients are preserved and provided to your applications?

  1. Enable Proxy Protocol and get the client IP addresses from the Proxy Protocol header.
  2. You don’t need to do anything the source IP addresses of the clients are preserved and provided to your applications.
  3. Enable sticky sessions in the load balancer.
  4. Send the ip address through client cookie.
A
  1. Enable Proxy Protocol and get the client IP addresses from the Proxy Protocol header.
The NLB uses Proxy Protocol v2: a binary header prepended to each TCP connection that carries the client address, the destination address and, for PrivateLink traffic, the VPC endpoint ID. Newer NLB target groups also offer a client IP preservation attribute for IP targets as an alternative.
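The Proxy Protocol v2 header referred to in the two cards above is a small binary prefix the Network Load Balancer writes at the start of each TCP connection to an IP target. The parser below is an added example for this page (not AWS code and not part of the original deck); the `build_proxy_v2` helper and the client address, target address and `vpce-...` endpoint ID it uses are constructed test data, not real resources.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Every PROXY protocol v2 header starts with this 12-byte signature.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_AWS = 0xEA             # TLV type reserved for AWS metadata
PP2_SUBTYPE_AWS_VPCE_ID = 0x01  # subtype carrying the VPC endpoint ID (PrivateLink)


@dataclass
class ProxyInfo:
    src_ip: str         # original client address, not the NLB node's
    src_port: int
    dst_ip: str
    dst_port: int
    vpce_id: Optional[str]
    header_len: int     # bytes consumed; application data starts at this offset


def parse_proxy_v2(data: bytes) -> ProxyInfo:
    """Parse a PROXY protocol v2 header found at the start of a TCP stream."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if ver_cmd & 0x0F != 0x01:
        # 0x0 is LOCAL: the proxy opened the connection itself; there is no client address.
        raise ValueError("LOCAL command carries no client address")
    if len(data) < 16 + length:
        raise ValueError("truncated header")
    body = data[16:16 + length]
    family = fam_proto >> 4  # 0x1 = AF_INET, 0x2 = AF_INET6 (low nibble 0x1 = STREAM)
    if family == 0x1:
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        offset = 12
    elif family == 0x2:
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        offset = 36
    else:
        raise ValueError("unsupported address family")
    vpce_id = None
    tlvs = body[offset:]
    while len(tlvs) >= 3:  # TLV = 1-byte type, 2-byte big-endian length, value
        t, l = struct.unpack("!BH", tlvs[:3])
        value = tlvs[3:3 + l]
        if len(value) != l:
            raise ValueError("truncated TLV")
        if t == PP2_TYPE_AWS and value[:1] == bytes([PP2_SUBTYPE_AWS_VPCE_ID]):
            vpce_id = value[1:].decode("ascii")
        tlvs = tlvs[3 + l:]
    return ProxyInfo(str(ipaddress.ip_address(src)), sport,
                     str(ipaddress.ip_address(dst)), dport, vpce_id, 16 + length)


def build_proxy_v2(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                   vpce_id: Optional[str] = None) -> bytes:
    """Build a header the way an NLB would, for offline testing (constructed data)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("address families differ")
    fam_proto = 0x11 if src.version == 4 else 0x21   # TCP over IPv4 / IPv6
    body = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    if vpce_id:
        value = bytes([PP2_SUBTYPE_AWS_VPCE_ID]) + vpce_id.encode("ascii")
        body += struct.pack("!BH", PP2_TYPE_AWS, len(value)) + value
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, fam_proto, len(body)) + body


if __name__ == "__main__":
    # Made-up client, target and endpoint ID; "vpce-..." is a placeholder, not a real endpoint.
    header = build_proxy_v2("203.0.113.10", "10.0.1.5", 44321, 443, "vpce-0123456789abcdef0")
    print(parse_proxy_v2(header + b"GET / HTTP/1.1\r\n"))
```

The header arrives before any application data, so the application reads it first and treats `header_len` as the start of the real stream. Anyone who can open a TCP connection to the target port can send a forged header, so enable Proxy Protocol only on ports whose security group admits the load balancer's own addresses; a client that can reach the target directly could otherwise claim any source IP it likes.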
153
Q

You are the solution architect for a SaaS application in which you provide different domain to each tenant. How will you configure multiple certificates for different domains using Elastic Load Balancing (ELB) so that multi-tenant SaaS applications can run behind the same load balancer? Choose 2.

  1. Use a Subject Alternative Name (SAN) certificate to validate multiple domains behind the load balancer, including wildcard domains, with AWS Certificate Manager (ACM).
  2. Use an Application Load Balancer (ALB), which supports multiple SSL certificates and smart certificate selection using Server Name Indication (SNI).
  3. It is not possible.
  4. Use a Classic Load Balancer, which supports multiple SSL certificates and smart certificate selection using Server Name Indication (SNI).
A
  1. Use a Subject Alternative Name (SAN) certificate to validate multiple domains behind the load balancer, including wildcard domains, with AWS Certificate Manager (ACM).
  2. Use an Application Load Balancer (ALB), which supports multiple SSL certificates and smart certificate selection using Server Name Indication (SNI).
A Classic Load Balancer supports only one certificate per listener and no SNI. Network Load Balancer TLS listeners also support multiple certificates with SNI.
154
Q

If you are using an internet facing ELB (Elastic Load Balancer), what are the security group configuration you need to do so that ELB can communicate with instances running a web server? Choose 3.

  1. ELB Security Group Inbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Source IP =0.0.0.0/0 (all IPv4 addresses)
  2. ELB Security Group Outbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Destination IP = The ID of the instance security group
  3. Instance Security Group Inbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Source IP = The ID of the ELB security group
  4. Instance Security Group Outbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Destination IP = The ID of the ELB security group
A
  1. ELB Security Group Inbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Source IP =0.0.0.0/0 (all IPv4 addresses)
  2. ELB Security Group Outbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Destination IP = The ID of the instance security group
  3. Instance Security Group Inbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Source IP = The ID of the ELB security group
The instance outbound rule (4) is unnecessary because security groups are stateful: responses to allowed inbound traffic are allowed out regardless of outbound rules.
155
Q

If you are using an internal ELB (Elastic Load Balancer), what are the security group configuration you need to do so that ELB can communicate with instances running a web server? Choose 3.

  1. ELB Security Group Inbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Source IP =0.0.0.0/0 (all IPv4 addresses)
  2. ELB Security Group Inbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Source IP = the IPv4 CIDR block of the VPC
  3. ELB Security Group Outbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Destination IP = The ID of the instance security group
  4. Instance Security Group Inbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Source IP = The ID of the ELB security group
  5. Instance Security Group Outbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Destination IP = The ID of the ELB security group
A
  2. ELB Security Group Inbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Source IP = the IPv4 CIDR block of the VPC
  3. ELB Security Group Outbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Destination IP = The ID of the instance security group
  4. Instance Security Group Inbound Setting: Protocol = TCP, Port for 80(HTTP) and 443(HTTPS), Source IP = The ID of the ELB security group
156
Q

Which load balancer you will use for network/transport protocols (layer4 – TCP, UDP) load balancing, and for extreme performance/low latency applications?

  1. Application load balancer
  2. Network load balancer
  3. Classic load balancer
  4. None of the above
A
  2. Network load balancer
157
Q

Which of the following is not an action type for listener rules?

  1. authenticate-cognito
  2. authenticate-oidc
  3. SSL
  4. fixed-response
  5. forward
  6. redirect
A
  3. SSL
The listener rule action types are forward, redirect, fixed-response, authenticate-cognito and authenticate-oidc.
158
Q

Which of the following is not a rule condition type for listener rules?

  1. host-header
  2. http-request-method
  3. http-header
  4. geo-location
  5. path-pattern
  6. query-string
  7. source-ip
A
  4. geo-location
The rule condition types are host-header, http-request-method, http-header, path-pattern, query-string and source-ip. Geographic matching is done elsewhere, for example with AWS WAF geo-match rules or Route 53 geolocation routing.
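Questions 142, 157 and 158 describe how an Application Load Balancer picks a listener rule: numbered rules are evaluated from the lowest priority value upward, every condition in a rule must match, and the default rule runs last. The evaluator below is an added example written for this page, not AWS code; the `demo_rules` listener, its `app.example.com` host, the `/admin/*` path and the priorities are constructed. Its point is the ordering trap: a catch-all `forward` rule with a lower priority number than an `authenticate-oidc` rule silently skips the authentication.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

ACTION_TYPES = {"forward", "redirect", "fixed-response",
                "authenticate-cognito", "authenticate-oidc"}
CONDITION_TYPES = {"host-header", "path-pattern", "http-header",
                   "http-request-method", "query-string", "source-ip"}


@dataclass
class Request:
    host: str
    path: str
    method: str
    headers: Dict[str, str]   # header names lower-cased
    query: Dict[str, str]
    source_ip: str            # address of the TCP connection, not X-Forwarded-For


@dataclass
class Rule:
    priority: Optional[int]   # None marks the listener's default rule
    conditions: List[dict]
    actions: List[str]


def _glob(pattern: str, value: str) -> bool:
    """ALB wildcard matching: '*' = zero or more characters, '?' = exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def _matches(cond: dict, req: Request) -> bool:
    kind = cond["field"]
    if kind not in CONDITION_TYPES:
        raise ValueError(f"unknown condition type: {kind}")
    if kind == "host-header":    # host names compare case-insensitively
        return any(_glob(p.lower(), req.host.lower()) for p in cond["values"])
    if kind == "path-pattern":   # paths are case-sensitive
        return any(_glob(p, req.path) for p in cond["values"])
    if kind == "http-request-method":
        return req.method in cond["values"]
    if kind == "http-header":
        actual = req.headers.get(cond["name"].lower())
        return actual is not None and any(_glob(p, actual) for p in cond["values"])
    if kind == "query-string":   # values are (key, value) pairs
        return any(k in req.query and _glob(v, req.query[k]) for k, v in cond["values"])
    # kind == "source-ip": CIDR match on the connection's source address
    ip = ipaddress.ip_address(req.source_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cond["values"])


def match_rule(rules: List[Rule], req: Request) -> Rule:
    """Return the rule an ALB would apply: lowest priority value first, default rule last."""
    default = [r for r in rules if r.priority is None]
    if len(default) != 1 or default[0].conditions:
        raise ValueError("a listener has exactly one default rule and it has no conditions")
    for rule in rules:
        unknown = set(rule.actions) - ACTION_TYPES
        if unknown:
            raise ValueError(f"unknown action type(s): {sorted(unknown)}")
    ordered = sorted((r for r in rules if r.priority is not None), key=lambda r: r.priority)
    for rule in ordered + default:
        if all(_matches(c, req) for c in rule.conditions):
            return rule
    raise AssertionError("unreachable: the default rule always matches")


def demo_rules(auth_first: bool) -> List[Rule]:
    """Constructed listener: a catch-all forward for one host and OIDC auth for /admin/*."""
    admin = Rule(10 if auth_first else 20,
                 [{"field": "path-pattern", "values": ["/admin/*"]}],
                 ["authenticate-oidc", "forward"])
    catch_all = Rule(20 if auth_first else 10,
                     [{"field": "host-header", "values": ["app.example.com"]}],
                     ["forward"])
    return [catch_all, admin, Rule(None, [], ["fixed-response"])]


if __name__ == "__main__":
    req = Request("app.example.com", "/admin/users", "GET", {}, {}, "203.0.113.7")
    print("catch-all first:", match_rule(demo_rules(auth_first=False), req).actions)
    print("auth first:     ", match_rule(demo_rules(auth_first=True), req).actions)
```

`source-ip` matches the address of the TCP connection the load balancer accepted; a client behind CloudFront or another proxy is seen as that proxy, and `X-Forwarded-For` is not consulted. When reviewing a listener, list the rules sorted by priority and confirm that every authentication rule has a lower number than any broader rule whose conditions it overlaps.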
159
Q

You have configured an application load balancer listening on port 80 and mapped it to a target group of EC2 instances also listening on port 80. When a client request reaches the load balancer with the correct protocol and port, how many connections does the load balancer maintain between the client and the target EC2 instance?

  1. 1
  2. 2
  3. 3
  4. 4
A
  2. 2
The load balancer terminates the client connection and opens a separate connection to the target, so the target sees the load balancer node's private IP as the source and must read the client address from X-Forwarded-For.
160
Q

You want to perform maintenance activities on your EC2 instances, such as deploying software upgrades or replacing back-end instances. What should you configure on your ELB and Auto Scaling group so that your users' experience is not impacted during maintenance?

  1. Shut down all the instances for a period of time when you are doing upgrade or replacing instances.
  2. Enable Connection draining on ELBs.
  3. Wait for the instance to have zero user connection and then stop the instance for maintenance.
  4. Abruptly stop the instance even when they have user connection as they can reconnect to another healthy instance on next try.
A
  2. Enable Connection draining on ELBs.
161
Q

You have deployed your web application in an Auto Scaling group spanning three AZs in a region, attached to an application load balancer. You observe that instances in two AZs receive traffic but instances in the third AZ do not. You have verified that the security group and network ACL settings for the ALB and instances follow the guidelines. What is the possible reason?

  1. ALB works with only two AZs
  2. Auto scaling works with only two AZs
  3. Third AZ is not added to the ALB
  4. None of the above
A
  3. Third AZ is not added to the ALB
162
Q

What are the recommended security group rules for internet facing application load balancer? Choose 3.

  1. Inbound : Source=0.0.0.0/0, Port Range = listener port
  2. No need to configure outbound rule
  3. Outbound : Destination=instance security group, Port Range=instance listener port
  4. Outbound : Destination=instance security group, Port Range= health check port
A
  1. Inbound : Source=0.0.0.0/0, Port Range = listener port
  3. Outbound : Destination=instance security group, Port Range=instance listener port
  4. Outbound : Destination=instance security group, Port Range= health check port
163
Q

What are the recommended security group rules for internal facing application load balancer? Choose 3.

  1. Inbound : Source= VPC CIDR, Port Range = listener port
  2. No need to configure outbound rule
  3. Outbound : Destination=instance security group, Port Range=instance listener port
  4. Outbound : Destination=instance security group, Port Range= health check port
A
  1. Inbound : Source= VPC CIDR, Port Range = listener port
  2. No need to configure outbound rule
  3. Outbound : Destination=instance security group, Port Range=instance listener port
  4. Outbound : Destination=instance security group, Port Range= health check port
164
Q

Which service can you use with your Application Load Balancer to allow or block requests based on the rules in a web access control list (web ACL)?

  1. Amazon Inspector
  2. Amazon Guard Duty
  3. Amazon Cognito
  4. AWS WAF
A
  1. Amazon Inspector
  2. Amazon Guard Duty
  3. Amazon Cognito
  4. AWS WAF
165
Q

Which of the following load balancers supports TLS termination?

  1. Application load balancer
  2. Network load balancer
  3. Classic load balancer
  4. None of the above
A
  1. Application load balancer
  2. Network load balancer
  3. Classic load balancer
  4. None of the above
166
Q

Which of the following load balancers support SSL termination? Choose 2.

  1. Application load balancer
  2. Network load balancer
  3. Classic load balancer
  4. None of the above
A
  1. Application load balancer
  2. Network load balancer
  3. Classic load balancer
  4. None of the above
167
Q

You have an ecommerce web application deployed in a VPC behind an Application Load Balancer (ALB), with EC2 instances in an Auto Scaling group in two Availability Zones. Both Availability Zones are mapped to the load balancer. Security groups and network ACLs are configured appropriately, and instances in both AZs are receiving traffic from the ALB. You are also leveraging Route53 and CloudFront in your architecture. How can you ensure that instances in both AZs receive an equal amount of traffic?

  1. Configure Route53 simple routing policy to distribute traffic evenly across all instances.
  2. Configure Route53 weighted routing policy to distribute traffic evenly across all instances.
  3. No need to do anything Route53 will distribute traffic evenly across all instances.
  4. Enable cross zone load balancing in the ALB configuration.
A
  1. Configure Route53 simple routing policy to distribute traffic evenly across all instances.
  2. Configure Route53 weighted routing policy to distribute traffic evenly across all instances.
  3. No need to do anything Route53 will distribute traffic evenly across all instances.
  4. Enable cross zone load balancing in the ALB configuration.
168
Q

Your company is in the transition phase of an application migration to AWS and wants to use AWS to augment on-premises resources with EC2 instances. How can you configure an Application Load Balancer to distribute application traffic across both your AWS and on-premises resources? Choose 3.

  1. It is not possible to use Application Load Balancer for on premise instances as target.
  2. Provision Direct Connect or VPN between on premise and AWS VPC. Use IP addresses based target groups in ALB.
  3. Register all the resources (AWS and on-premises) to the same target group and associate the target group with a load balancer.
  4. You can use DNS based weighted load balancing across AWS and on-premises resources using two load balancers i.e. one load balancer for AWS and other for on-premises resources.
A
  1. It is not possible to use Application Load Balancer for on premise instances as target.
  2. Provision Direct Connect or VPN between on premise and AWS VPC. Use IP addresses based target groups in ALB.
  3. Register all the resources (AWS and on-premises) to the same target group and associate the target group with a load balancer.
  4. You can use DNS based weighted load balancing across AWS and on-premises resources using two load balancers i.e. one load balancer for AWS and other for on-premises resources.
169
Q

Which of the following CloudWatch metrics are available for application load balancer?

  1. The total number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.
  2. The total number of bytes processed by the load balancer over IPv4 and IPv6.
  3. The number of targets that are considered healthy and unhealthy.
  4. All of the above.
A
  1. The total number of concurrent TCP connections active from clients to the load balancer and from the load balancer to targets.
  2. The total number of bytes processed by the load balancer over IPv4 and IPv6.
  3. The number of targets that are considered healthy and unhealthy.
  4. All of the above.
170
Q

To analyze traffic patterns and troubleshoot issues, you want to capture detailed information about requests sent to your load balancer, such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. Which AWS service or feature will you use?

  1. Cloudwatch
  2. Access logs
  3. Request Tracing
  4. Cloudtrail logs
A
  1. Cloudwatch
  2. Access logs
  3. Request Tracing
  4. Cloudtrail logs
171
Q

Which service will you use to capture detailed information about the traffic going to and from your Network Load Balancer?

  1. Access logs
  2. VPC Flow Logs
  3. CloudTrail logs
  4. CloudWatch metrics
A
  1. Access logs
  2. VPC Flow Logs
  3. CloudTrail logs
  4. CloudWatch metrics
172
Q

Which service will you use to capture detailed information about the TLS requests sent to your Network Load Balancer?

  1. Access logs
  2. VPC Flow Logs
  3. CloudTrail logs
  4. CloudWatch metrics
A
  1. Access logs
  2. VPC Flow Logs
  3. CloudTrail logs
  4. CloudWatch metrics
173
Q

How can you get a history of Application Load Balancing API calls made on your account for security analysis and operational troubleshooting purposes?

  1. Access logs
  2. VPC Flow Logs
  3. CloudTrail
  4. CloudWatch
A
  1. Access logs
  2. VPC Flow Logs
  3. CloudTrail
  4. CloudWatch
174
Q

Which AWS service lets you establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections?

  1. AWS Transit Gateway
  2. AWS VPN
  3. AWS Direct Connect
  4. AWS Storage Gateway
A
  1. AWS Transit Gateway
  2. AWS VPN
  3. AWS Direct Connect
  4. AWS Storage Gateway
175
Q

Which of the following statements are correct about AWS Direct Connect? Choose 3.

  1. It is a network service that provides an alternative to using the Internet to connect customer’s on premise sites to AWS.
  2. Enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection
  3. Data that would have previously been transported over the Internet can now be delivered through a private network connection between AWS and your datacenter or corporate network.
  4. It can reduce costs, increase bandwidth, and provide a more consistent network experience than Internet-based connections.
A
  1. It is a network service that provides an alternative to using the Internet to connect customer’s on premise sites to AWS.
  2. Enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection
  3. Data that would have previously been transported over the Internet can now be delivered through a private network connection between AWS and your datacenter or corporate network.
  4. It can reduce costs, increase bandwidth, and provide a more consistent network experience than Internet-based connections.
176
Q

In AWS, what are the approaches by which you can leverage cost-effective resources? Choose 4.

  1. Appropriate provisioning and right sizing
  2. Using appropriate purchasing options to meet use case
  3. Using EC2 and VPC for deploying workloads
  4. Geographic location selection
  5. Using managed services and optimizing data transfer
A
  1. Appropriate provisioning and right sizing
  2. Using appropriate purchasing options to meet use case
  3. Using EC2 and VPC for deploying workloads
  4. Geographic location selection
  5. Using managed services and optimizing data transfer
177
Q

Which two of the following services support and help in optimizing data transfer? Choose 2.

  1. AWS RDS
  2. AWS VPN
  3. AWS Direct Connect
  4. Amazon CloudFront content delivery network (CDN)
A
  1. AWS RDS
  2. AWS VPN
  3. AWS Direct Connect
  4. Amazon CloudFront content delivery network (CDN)
178
Q

A building construction company’s architects use CAD software installed on their workstations to design architectural blueprints. These blueprint files are very large. The company started using S3 and AWS Storage Gateway for file storage and backup. After a while, as the number of users increased following the rollout across different global office locations, it was found that transferring and fetching large data files was slow. What should they do to decrease the amount of time required to transfer data in a cost-effective way?

  1. Increase the bandwidth with your Internet service provider.
  2. Create VPN connection with AWS resources.
  3. Use AWS Direct Connect to connect with AWS resources.
  4. Use AWS Transit Gateway to connect with AWS resources.
A
  1. Increase the bandwidth with your Internet service provider.
  2. Create VPN connection with AWS resources.
  3. Use AWS Direct Connect to connect with AWS resources.
  4. Use AWS Transit Gateway to connect with AWS resources.
179
Q

Choose 3 use cases for which AWS Direct Connect is suitable.

  1. Applications that use real-time data feeds from on-premise.
  2. Hybrid environments that satisfy regulatory requirements requiring the use of private connectivity.
  3. Transferring large data sets over the Internet from on-premise data centers.
  4. Applications that can work solely on cloud and doesn’t need integration with on-premise.
A
  1. Applications that use real-time data feeds from on-premise.
  2. Hybrid environments that satisfy regulatory requirements requiring the use of private connectivity.
  3. Transferring large data sets over the Internet from on-premise data centers.
  4. Applications that can work solely on cloud and doesn’t need integration with on-premise.
180
Q

Which AWS service gives you the ability to build a hub-and-spoke network topology and the flexibility to connect your Amazon Virtual Private Clouds (VPCs) and on-premises networks to a single gateway?

  1. AWS DirectConnect
  2. AWS Privatelink
  3. AWS VPN
  4. AWS Transit Gateway
A
  1. AWS DirectConnect
  2. AWS Privatelink
  3. AWS VPN
  4. AWS Transit Gateway
181
Q

You have created a VPC subnet with CIDR block 10.0.0.0/28. How many instances can you have in this subnet?

  1. 11
  2. 12
  3. 14
  4. 16
A
  1. 11
  2. 12
  3. 14
  4. 16
182
Q

You are configuring a subnet for your VPC where you want to deploy 16 EC2 instances. Which of the following CIDR blocks will be correct?

  1. 10.0.0.0/28
  2. 10.0.0.0/27
  3. 10.0.0.0/29
  4. 10.0.0.0/30
A
  1. 10.0.0.0/28
  2. 10.0.0.0/27
  3. 10.0.0.0/29
  4. 10.0.0.0/30
183
Q

Which two of the following services can you leverage to build a hybrid cloud architecture connecting your on-premises applications to cloud applications?

  1. AWS Direct Connect
  2. AWS VPN
  3. AWS Transit Gateway
  4. AWS Privatelink
A
  1. AWS Direct Connect
  2. AWS VPN
  3. AWS Transit Gateway
  4. AWS Privatelink
184
Q

You are the solution architect for a financial services company that is migrating its in-house application to AWS. Because of the sensitive financial data and security requirements, you are planning to house the application instances in private subnets that are not publicly reachable. How can you connect a public-facing load balancer to instances that have private IP addresses?

  1. Associate your internet-facing load balancer with private subnet of your instances.
  2. It is not possible to connect internet-facing load balancer with private subnet of your instances.
  3. Create a public subnet with NAT gateway. Map the public subnet to load balancer and NAT gateway to private instances.
  4. Create public subnets in the same Availability Zones as the private subnets that are used by your private instances. Then associate these public subnets to the internet-facing load balancer.
A
  1. Associate your internet-facing load balancer with private subnet of your instances.
  2. It is not possible to connect internet-facing load balancer with private subnet of your instances.
  3. Create a public subnet with NAT gateway. Map the public subnet to load balancer and NAT gateway to private instances.
  4. Create public subnets in the same Availability Zones as the private subnets that are used by your private instances. Then associate these public subnets to the internet-facing load balancer.
185
Q

You are the solution architect for a financial services company that is migrating its in-house application to AWS. Because of the sensitive financial data and security requirements, you are planning to house the application instances in private subnets that are not publicly reachable. Your architecture consists of:

  • A public-facing load balancer to distribute the load across the instances in the private subnets.
  • Two tier: Application and Database tiers. Application tier consists of EC2 instances in auto scaling group. Database tier using RDS in a Multi-AZ deployment.
  • Application and Database tiers should be in separate private subnets.
  • Application which should be highly available and scalable.

What is the minimum number of subnets you will need to create?

  1. Total 4. Across Two AZs, each with two private subnets.
  2. Total 6. Across Two AZs, each having one public subnet and two private subnets.
  3. Total 6. One AZ, having two public subnet and four private subnets.
  4. Total 5. One AZ, having one public subnet and four private subnets.
A
  1. Total 4. Across Two AZs, each with two private subnets.
  2. Total 6. Across Two AZs, each having one public subnet and two private subnets.
  3. Total 6. One AZ, having two public subnet and four private subnets.
  4. Total 5. One AZ, having one public subnet and four private subnets.
186
Q

You have created a VPC with CIDR block 10.0.0.0/24. Which of the following statements are correct? Choose 3.

  1. It supports 256 IP addresses.
  2. You can break this CIDR block into two subnets, each supporting 128 IP addresses. One subnet uses CIDR block 10.0.0.0/25 (for addresses 10.0.0.0 - 10.0.0.127) and the other uses CIDR block 10.0.0.128/25 (for addresses 10.0.0.128 - 10.0.0.255).
  3. The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance.
  4. The first IP addresses and the last four IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance.
A
  1. It supports 256 IP addresses.
  2. You can break this CIDR block into two subnets, each supporting 128 IP addresses. One subnet uses CIDR block 10.0.0.0/25 (for addresses 10.0.0.0 - 10.0.0.127) and the other uses CIDR block 10.0.0.128/25 (for addresses 10.0.0.128 - 10.0.0.255).
  3. The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance.
  4. The first IP addresses and the last four IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance.
187
Q

You have two public subnets in your VPC, with one instance each. The security group of both instances has ‘Local’ with the VPC CIDR as the default rule so that they can communicate with each other. You are using the default Network ACL. However, when you try to ping from one instance to the other, you get a timeout. What could be the possible reason?

  1. You need to add rule in their security group to allow RDP traffic as ping command is a type of RDP traffic.
  2. You need to add rule in their security group to allow SSH traffic as ping command is a type of SSH traffic.
  3. You need to add rule in their security group to allow ICMP traffic as ping command is a type of ICMP traffic.
  4. The instances may not have public IP address.
A
  1. You need to add rule in their security group to allow RDP traffic as ping command is a type of RDP traffic.
  2. You need to add rule in their security group to allow SSH traffic as ping command is a type of SSH traffic.
  3. You need to add rule in their security group to allow ICMP traffic as ping command is a type of ICMP traffic.
  4. The instances may not have public IP address.
188
Q

You have created an online event ticket platform in which users can buy tickets for county and state fairs. The platform supports user requests originating from multiple channels: desktop web, mobile web and native mobile apps on iOS/Android. You have designed and deployed your instances in such a way that different instances serve the request based on the source channel. The request URLs when a user starts to buy a ticket are:

  • Web: www.statefair.com/web/buytickets
  • Mobile Web: www.statefair.com/mobileweb/buytickets
  • Native mobile app: www.statefair.com/mobileapp/buytickets

Your architecture has one Application Load Balancer to serve the requests originating from the different channels. How can you configure the load balancer so that requests are served by their respective instances?

  1. Replace your application load balancer with network load balancer and configure path based routing in your application load balancer to route request to different target group of instances.
  2. Replace your application load balancer with network load balancer and configure host based routing in your application load balancer to route request to different target group of instances.
  3. Configure path based routing in your application load balancer to route request to different target group of instances.
  4. Configure host based routing in your application load balancer to route request to different target group of instances.
A
  1. Replace your application load balancer with network load balancer and configure path based routing in your application load balancer to route request to different target group of instances.
  2. Replace your application load balancer with network load balancer and configure host based routing in your application load balancer to route request to different target group of instances.
  3. Configure path based routing in your application load balancer to route request to different target group of instances.
  4. Configure host based routing in your application load balancer to route request to different target group of instances.
189
Q

You have created an online event ticket platform in which users can buy tickets for county and state fairs. The platform supports user requests originating from multiple channels: desktop web, mobile web and native mobile apps on iOS/Android. You have designed and deployed your instances in such a way that different instances serve the request based on the source channel. The request URLs when a user starts to buy a ticket are:

  • Web: web.statefair.com/buytickets
  • Mobile Web: webmobile.statefair.com/buytickets
  • Native mobile app: mobile.statefair.com/buytickets

Your architecture has one Application Load Balancer to serve the requests originating from the different channels. How can you configure the load balancer so that requests are served by their respective instances?

  1. Replace your application load balancer with network load balancer and configure path based routing in your application load balancer to route request to different target group of instances.
  2. Replace your application load balancer with network load balancer and configure host based routing in your application load balancer to route request to different target group of instances.
  3. Configure path based routing in your application load balancer to route request to different target group of instances.
  4. Configure host based routing in your application load balancer to route request to different target group of instances.
A
  1. Replace your application load balancer with network load balancer and configure path based routing in your application load balancer to route request to different target group of instances.
  2. Replace your application load balancer with network load balancer and configure host based routing in your application load balancer to route request to different target group of instances.
  3. Configure path based routing in your application load balancer to route request to different target group of instances.
  4. Configure host based routing in your application load balancer to route request to different target group of instances.
190
Q

You have designed your web application to use a microservices architecture to structure your application as services that you can develop and deploy independently. You want to install one or more of these services on each EC2 instance, with each service accepting connections on a different port. How can you use a load balancer with this design? Choose 2.

  1. Use a single Application Load Balancer to route requests to all the services for your application.
  2. Use a single Classic Load Balancer to route requests to all the services for your application.
  3. Register an EC2 instance with a target group, you can register it multiple times; for each service, register the instance using the port for the service.
  4. You have to deploy each microservice in a separate instance as you can attach an instance only once to a target group.
A
  1. Use a single Application Load Balancer to route requests to all the services for your application.
  2. Use a single Classic Load Balancer to route requests to all the services for your application.
  3. Register an EC2 instance with a target group, you can register it multiple times; for each service, register the instance using the port for the service.
  4. You have to deploy each microservice in a separate instance as you can attach an instance only once to a target group.
191
Q

Your Amazon ECS service can optionally be configured to use Elastic Load Balancing to distribute traffic evenly across the tasks in your service.

  1. TRUE
  2. FALSE
A
  1. TRUE
  2. FALSE
192
Q

Which type of AWS cloud infrastructure deployment places compute, storage, database, and other select services closer to large population, industry, and IT centers, enabling you to deliver applications that require single-digit millisecond latency to end-users?

  1. Availability Zone
  2. Local Zone
  3. Outpost
  4. Region
A
  1. Availability Zone
  2. Local Zone
  3. Outpost
  4. Region
193
Q

You have an ecommerce application whose web servers and databases are in private subnets of a VPC. There are three stacks of web tier and data tier deployed in private subnets in three different AZs for fault tolerance and availability. An Application Load Balancer receives the user requests and balances the load across the three stacks of web and data servers. The web tier instances in these three private subnets have to access a third-party payment gateway over the internet for customer credit card processing. Which option will be highly available?

  1. Provision a NAT gateway in a public subnet of each AZ and configure the routing to ensure that web server uses the NAT gateway in their respective AZ.
  2. Provision a NAT gateway in a public subnet of one AZ and configure the routing to ensure that web server in all three AZ uses the NAT gateway.
  3. Provision a NAT gateway in a private subnet of each AZ and configure the routing to ensure that web server uses the NAT gateway in their respective AZ.
  4. Provision a NAT gateway in a private subnet of one AZ and configure the routing to ensure that web server in all three AZ uses the NAT gateway.
A
  1. Provision a NAT gateway in a public subnet of each AZ and configure the routing to ensure that web server uses the NAT gateway in their respective AZ.
  2. Provision a NAT gateway in a public subnet of one AZ and configure the routing to ensure that web server in all three AZ uses the NAT gateway.
  3. Provision a NAT gateway in a private subnet of each AZ and configure the routing to ensure that web server uses the NAT gateway in their respective AZ.
  4. Provision a NAT gateway in a private subnet of one AZ and configure the routing to ensure that web server in all three AZ uses the NAT gateway.
194
Q

Which of the following virtual interfaces do you not need to create to begin using your AWS Direct Connect connection?

  1. Private virtual interface
  2. Public virtual interface
  3. Transit virtual interface
  4. VPC virtual interface
A
  1. Private virtual interface
  2. Public virtual interface
  3. Transit virtual interface
  4. VPC virtual interface
195
Q

Using AWS Direct Connect, you want to establish private connectivity between AWS and your datacenter to reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections. Your virtual interface is up and you’ve established a BGP peering session. If you cannot route traffic over the virtual interface, what steps will you take to diagnose the issue? Choose 3.

  1. For a private virtual interface, ensure that your VPC route tables have prefixes pointing to the virtual customer gateway to which your private virtual interface is connected.
  2. Ensure that you are advertising a route for your on-premises network prefix over the BGP session.
  3. For a private virtual interface, ensure that your VPC security groups and network ACLs allow inbound and outbound traffic for your on-premises network prefix.
  4. For a private virtual interface, ensure that your VPC route tables have prefixes pointing to the virtual private gateway to which your private virtual interface is connected.
A
  1. For a private virtual interface, ensure that your VPC route tables have prefixes pointing to the virtual customer gateway to which your private virtual interface is connected.
  2. Ensure that you are advertising a route for your on-premises network prefix over the BGP session.
  3. For a private virtual interface, ensure that your VPC security groups and network ACLs allow inbound and outbound traffic for your on-premises network prefix.
  4. For a private virtual interface, ensure that your VPC route tables have prefixes pointing to the virtual private gateway to which your private virtual interface is connected.
196
Q

What are the different options in AWS to connect your on-premises corporate data center to your VPC in the cloud?

  1. AWS PrivateLink
  2. AWS Direct Connect
  3. AWS Managed VPN
  4. AWS Transit Gateway or Transit VPC
A
  1. AWS PrivateLink
  2. AWS Direct Connect
  3. AWS Managed VPN
  4. AWS Transit Gateway or Transit VPC
197
Q

How can you capture client IP addresses in ELB access logs? Choose 3.

  1. For Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners, you must use X-Forwarded-For headers
  2. For Application Load Balancers with TCP/SSL listeners, you must enable Proxy Protocol support on the Classic Load Balancer and the target application.
  3. For Classic Load Balancers with TCP/SSL listeners, you must enable Proxy Protocol support on the Classic Load Balancer and the target application.
  4. For Network Load Balancers, you can register your targets by instance ID to capture client IP addresses without additional web server configuration.
A
  1. For Application Load Balancers and Classic Load Balancers with HTTP/HTTPS listeners, you must use X-Forwarded-For headers
  2. For Application Load Balancers with TCP/SSL listeners, you must enable Proxy Protocol support on the Classic Load Balancer and the target application.
  3. For Classic Load Balancers with TCP/SSL listeners, you must enable Proxy Protocol support on the Classic Load Balancer and the target application.
  4. For Network Load Balancers, you can register your targets by instance ID to capture client IP addresses without additional web server configuration.
198
Q

Your multinational company has IT departments in different regional headquarters around the globe. Each regional IT department has created VPCs in the AWS Region overlapping or nearest to its geographic location. Which AWS networking capability can you leverage that will:

  • Provide VPCs full access to each other’s resources, or provide a set of VPCs partial access to resources in a central VPC.
  • Be a simple and cost-effective way to share resources between regions or replicate data for geographic redundancy.
  • Let VPCs communicate privately and securely with one another for sharing data or applications.
  • Stay on the AWS global network backbone and never traverse the public internet, thereby reducing threat vectors such as common exploits and DDoS attacks.

  1. Using VPC endpoints
  2. It is not possible to Peer VPCs across regions.
  3. Using Corporate Network Backbone
  4. Using Inter-region VPC Peering
A
  1. Using VPC endpoints
  2. It is not possible to Peer VPCs across regions.
  3. Using Corporate Network Backbone
  4. Using Inter-region VPC Peering
199
Q

Which of the following statements are correct about AWS Regions? Choose 2.

  1. It is a physical location around the world which has cluster of data centers.
  2. Each region maps to one data center at a geographic location.
  3. Each AWS Region is an extension of an AWS Local Zone where you can run your latency sensitive applications using AWS services.
  4. Each AWS Region consists of multiple, isolated, and physically separate AZ’s within a geographic area.
A
  1. It is a physical location around the world which has cluster of data centers.
  2. Each region maps to one data center at a geographic location.
  3. Each AWS Region is an extension of an AWS Local Zone where you can run your latency sensitive applications using AWS services.
  4. Each AWS Region consists of multiple, isolated, and physically separate AZ’s within a geographic area.
200
Q

Which of the following statements is not correct about AWS Local Zones?

  1. AWS Local Zones place compute, storage, database, and other select AWS services closer to end-users.
  2. With AWS Local Zones, you can easily run highly-demanding applications that require single-digit millisecond latencies.
  3. Each AWS Local Zone location is an extension of an AWS Region where you can run your latency sensitive applications using AWS services
  4. Each Local Zone maps to an AZ in a region.
A
  1. AWS Local Zones place compute, storage, database, and other select AWS services closer to end-users.
  2. With AWS Local Zones, you can easily run highly-demanding applications that require single-digit millisecond latencies.
  3. Each AWS Local Zone location is an extension of an AWS Region where you can run your latency sensitive applications using AWS services
  4. Each Local Zone maps to an AZ in a region.
201
Q

Which of the following statements are not correct about AZs? Choose 2.

  1. An Availability Zone (AZ) is one discrete data centers with redundant power, networking, and connectivity in an AWS Region.
  2. All AZ’s in an AWS Region are interconnected with high-bandwidth, low-latency networking, over fully redundant, dedicated metro fiber providing high-throughput, low-latency networking between AZ’s.
  3. Traffic between AZ’s is not encrypted.
  4. AZ’s give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
A
  1. An Availability Zone (AZ) is one discrete data center with redundant power, networking, and connectivity in an AWS Region.
  2. All AZs in an AWS Region are interconnected with high-bandwidth, low-latency networking over fully redundant, dedicated metro fiber, providing high-throughput, low-latency networking between AZs.
  3. Traffic between AZs is not encrypted.
  4. AZs give customers the ability to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
202
Q

You have a web server running on two EC2 instances behind an Application Load Balancer. How can you improve the fault tolerance of the application using Auto Scaling? Choose 3.

  1. After you create the Auto Scaling group, attach your existing load balancer to it.
  2. Your Auto Scaling group's Region and Availability Zones do not necessarily have to be the same as the load balancer's.
  3. You have to create a new load balancer to attach to the Auto Scaling group.
  4. Create your Auto Scaling group in the same region and Availability Zone as your load balancer.
  5. Create an Auto Scaling group that launches copies of instances you’ve already configured, or create a launch configuration that uses an Amazon Machine Image (AMI) instead.
A
  1. After you create the Auto Scaling group, attach your existing load balancer to it.
  2. Your Auto Scaling group's Region and Availability Zones do not necessarily have to be the same as the load balancer's.
  3. You have to create a new load balancer to attach to the Auto Scaling group.
  4. Create your Auto Scaling group in the same region and Availability Zone as your load balancer.
  5. Create an Auto Scaling group that launches copies of instances you’ve already configured, or create a launch configuration that uses an Amazon Machine Image (AMI) instead.
203
Q

Which AWS service will you use to direct your users to your application based on their geographic location, application health, and weights that you can configure? You also want to use static IP addresses that are globally unique for your application, so that there is no need to update clients as your application scales. Your application uses Application Load Balancers.

  1. CloudFront
  2. Route 53
  3. Application Load Balancer
  4. Global Accelerator
A
  1. CloudFront
  2. Route 53
  3. Application Load Balancer
  4. Global Accelerator
204
Q

Which of the following are components of AWS Global Accelerator? Choose 3.

  1. Load Balancer, DNS Hosted Zone
  2. Static IP addresses, Accelerator
  3. DNS name, Listener
  4. Endpoint group, Endpoint
A
  1. Load Balancer, DNS Hosted Zone
  2. Static IP addresses, Accelerator
  3. DNS name, Listener
  4. Endpoint group, Endpoint
205
Q

What are the use cases for using AWS Global Accelerator? Choose 2.

  1. For applications, such as gaming, media, mobile applications, and financial applications, which need very low latency for a great user experience.
  2. Useful for IoT, retail, media, automotive and healthcare use cases in which client applications cannot be updated frequently.
  3. Speed up the delivery of your static content (e.g., images, style sheets, JavaScript, etc.) to viewers across the globe.
  4. Private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network.
A
  1. For applications, such as gaming, media, mobile applications, and financial applications, which need very low latency for a great user experience.
  2. Useful for IoT, retail, media, automotive and healthcare use cases in which client applications cannot be updated frequently.
  3. Speed up the delivery of your static content (e.g., images, style sheets, JavaScript, etc.) to viewers across the globe.
  4. Private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network.
206
Q

How is AWS Global Accelerator different from Amazon CloudFront? Choose 2.

  1. Global Accelerator improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery).
  2. CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery).
  3. Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.
  4. CloudFront improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.
A
  1. Global Accelerator improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery).
  2. CloudFront improves performance for both cacheable content (such as images and videos) and dynamic content (such as API acceleration and dynamic site delivery).
  3. Global Accelerator improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.
  4. CloudFront improves performance for a wide range of applications over TCP or UDP by proxying packets at the edge to applications running in one or more AWS Regions.
207
Q

What are two ways that you can customize how AWS Global Accelerator sends traffic to your endpoints?

  1. Change the traffic dial to limit the traffic for one or more endpoint groups.
  2. Change the traffic dial to limit the traffic for endpoints in a group.
  3. Specify weights to change the proportion of traffic to the endpoint group.
  4. Specify weights to change the proportion of traffic to the endpoints in a group.
A
  1. Change the traffic dial to limit the traffic for one or more endpoint groups.
  2. Change the traffic dial to limit the traffic for endpoints in a group.
  3. Specify weights to change the proportion of traffic to the endpoint group.
  4. Specify weights to change the proportion of traffic to the endpoints in a group.
208
Q

You have two endpoint groups for your AWS Global Accelerator, one for the us-west-2 Region and one for the us-east-1 Region. You've set the traffic dials to 50% for each endpoint group. Now, if 100 requests come to your accelerator, 50 from the East Coast of the United States and 50 from the West Coast, which of the following two statements correctly describe how the traffic will be directed?

  1. The first 25 requests are directed to the endpoint group in us-west-2 and 25 are directed to the endpoint group in us-east-1.
  2. The next 25 requests from the East Coast are served by us-west-2, and the next 25 requests from the West Coast are served by us-east-1.
  3. The first 50 requests are served by us-west-2 and the next 50 requests are served by us-east-1.
  4. The first 50 requests are served by us-east-1 and the next 50 requests are served by us-west-2.
A
  1. The first 25 requests are directed to the endpoint group in us-west-2 and 25 are directed to the endpoint group in us-east-1.
  2. The next 25 requests from the East Coast are served by us-west-2, and the next 25 requests from the West Coast are served by us-east-1.
  3. The first 50 requests are served by us-west-2 and the next 50 requests are served by us-east-1.
  4. The first 50 requests are served by us-east-1 and the next 50 requests are served by us-west-2.
209
Q

What are the options for preserving and accessing the client IP address for AWS Global Accelerator for different endpoints? Choose 3.

  1. Global Accelerator does not support client IP address preservation when you use an internal Application Load Balancer or an EC2 instance.
  2. When you use an internet-facing Application Load Balancer as an endpoint with Global Accelerator, you can choose to preserve the source IP address of the original client for packets that arrive at the load balancer by enabling client IP address preservation.
  3. When you use an internal Application Load Balancer or an EC2 instance with Global Accelerator, the endpoint always has client IP address preservation enabled.
  4. Global Accelerator does not support client IP address preservation for Network Load Balancer and Elastic IP address endpoints.
A
  1. Global Accelerator does not support client IP address preservation when you use an internal Application Load Balancer or an EC2 instance.
  2. When you use an internet-facing Application Load Balancer as an endpoint with Global Accelerator, you can choose to preserve the source IP address of the original client for packets that arrive at the load balancer by enabling client IP address preservation.
  3. When you use an internal Application Load Balancer or an EC2 instance with Global Accelerator, the endpoint always has client IP address preservation enabled.
  4. Global Accelerator does not support client IP address preservation for Network Load Balancer and Elastic IP address endpoints.