Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

AWS Solutions Architect Professional > Network > Flashcards

Network Flashcards

1
Q

On a multi-tier architecture, what are the most common 3 tier combination used?

A

-Presentation tier (user interface)
-Application or logic tier
-Data tier

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Assign True of False to the following statements:
-VPC Endpoints allow resources inside your VPC to comunicate with other AWS Services without coming into contact with the public network. This is done by granting the Endpoint an IP belonging to the network inside the VPC.
-There are 3 types of VPC Endpoints: Gateway VPC Endpoints, Interface Endpoints and Gateway Load Balancing Endpoints
-Gateway VPC Endpoints work by redirecting any requests inside the VPC targeting its service (uses a prefix list) to itself, serving as a proxy to access the service. It can only be pointed to S3.
- Interface VPC endpoints are Elastic Network Interfaces (ENI) with a VPC private address. It must serve as an entry point to all traffic pointed to its service. They are powered by AWS Private Link and can be configured for any AWS service. They use Security Groups for security.
- Gateway Load Balancing Endpoints works the same as the Interface Endpoint, however it can only target Gateway Load Balancers configured to control traffic to other services.

A

-True
-True
-False, Gateway Endpoints can be pointed to either S3 or DynamoDB
-False, Interface Endpoints can’t be pointed to DynamoDB
-True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Explain how a Gateway VPC Endpoint works.Can it be extended through peering?

A

Gateway Endpoints need DNS resolution enabled in the VPC to work properly. Any domain name or IP pointing to the service that a resource tries to access inside the VPC is redirected to the endpoint. This is done through the changing of the routing table of the VPC. Gateway Endpoints can’t be extended outside the VPC (peering, VPN, DX, TGW)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What are the differences between a Gateway VPC Endpoint and an Interface VPC Endpoint?

A

-Gateway Endpoints are free, while Interface Endpoints are billed for each hour the VPC endpoint remains provisioned in each Availability Zone and for each gigabyte processed through the VPC endpoint.
-Gateway Endpoints are only available for S3 and DynamoDB, while Interface Endpoints are available for all services except DynamoDB.
-A Gateway Endpoint will automatically reroute requests to its service, while EC2 instances have to be configured to access the Interface Endpoint
-Gateway Endpoints work on a VPC level, while Interface endpoints work on a Subnet Level
- Interface Endpoints can be used to connect with anything outside de Subnet, including On-Premises and other regions, while Gateway Endpoints can only access their respective services.
- Gateway Endpoints need DNS Resolution enabled to work, while Interface Endpoints need DNS Hostnames and DNS Support

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

True or False: Resources like Amazon S3 can block access based on Endpoint DNS but not on IP, since Endpoints use Private IPs and blocking based on IP can only be done if using Public IP

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

Describe the function of AWS Private Link

A

Private Link allows you to connect VPCs using TCP without the need for VPC peering. Requires an NLB in one VPC and an ENI on the other to work, and if NLB and ENI are in multiple AZs the solution becomes fault tolerant.. The access granted by Private Link is unidirectional

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

Assign True of False to the following statements:
-AWS PrivateLink, an consequently VPC Endpoints, support both IPv4 and IPv6
-Endpoint Services cannot be tagged
-Interface Endpoints can be accessed from Direct Connect and Site-to-Site VPN

A

-False, PrivateLink supports only IPv4
-True
-True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What kind of DNS names can be created for interface endpoints?

A

-Endpoint-specific regional DNS hostname :An endpoint-specific DNS hostname is automatically generated and includes all zonal DNS hostnames generated for the interface endpoint. The hostname includes a unique endpoint identifier, service identifier, Region, and vpce.amazonaws.com in its name. For example: vpce-0fe5b17a0707d6abc-29p5708s.ec2.us-east-1.vpce.amazonaws.com
-Zonal Specific DNS Hostnames: You can generate a zonal-specific DNS hostname for each Availability Zone in which the endpoint is available. The hostname includes the Availability Zone in its name. For example:

vpce-0fe5b17a0707d6abc-29p5708s-us-east-1a.ec2.us-east-1.vpce.amazonaws.com

Zonal DNS hostnames support cross-zone load balancing to distribute traffic across registered targets in all activated Availability Zones. With this configuration, be aware that regional data transfer charges might apply for any data that is transferred between Availability Zones.
Private DNS Hostname: You can use a private DNS hostname to alias the automatically created zonal-specific or regional-specific DNS hostnames into a friendly hostname such as: myservice.example.com

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Assign True of False to the following statements:
-VPC peering is the practice of connecting 2 VPC through their routing tables and without passing through the public net. It is highly available by default because it does not depend on any specific hardware or service
- VPC Peering is transitive, so connecting VPC A to VPC B and B to C connects A to C.
-VPC peering can be configured between different regions or AWS Accounts
- You cannot establish a peering connection between VPCs with an overlapping IPv4 CIDR block, even if you plan on using it with no overlapping IPv6 CIDR blocks
- Establishing Peering between 2 VPCs costs no money, but you are billed by the data transfer between the VPCs, regardless of AZ or Region.

A

-True
-False, VPC peering is not transitive
-True
-True
-True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is Amazon Direct Connect (DX)? What are its available connection bandwidths?

A

Amazon Direct Connect is an AWS service that allows you to setup a physical connection between a local network and a VPC. It has 3 possible speeds, 1Gb/s, 10Gb/s and 100Gb/s.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are the strategies that can be employed to obtain a Direct Connect (DX) connection?

A

-Setup on a location that already has a DX configured
-Colaboration with a partner that already has equipment setup on a DX location (does not have to provide equipment on this option)
-Performing a direct connection from your local network to a DX node alongside AWS.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

Assign True of False to the following statements:
-Direct Connect accepts both IPv4 and IPv6
-After the Direct Connect setup, the DX connection itself generates no costs for the customer
- Direct Connect is not redundant by default, being necessary to configure additional DXs or VPC for failover.
-Any data passed through the DX is encrypted by default
-It is possible to create Link Aggragation Groups (LAG) to increase speed and failover by joining multiple DX into a single logical unit. Up to 4 connections can be joined, and they must have the same bandwidth.

A

-True
-False, Direct Connect is billed by both port hours and data transfer fees. It is generally more expensive than a VPN.
-True
-False, to make it so data passing through DX is encrypted you must configure a VPN inside it.
-True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

What are the types of Virtual Interfaces (VIFs) available for Direct Connect?

A

-Public VIF: Connects to public AWS Endpoints (S3 buckets, EC2 service, anything AWS)
-Private VIF: Connects to your private VPC (EC2 instances, Interface Endpoints, etc ). Can only connect directly to a Virtual Private Gateway or a Direct Connect Gateway.
-Transit Virtual Interface: Connects to your VPC using a Transit Gateway

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What service could you use to setup a Direct Connection to VPCs in different regions / cross account?

A

You could use Direct Connect Gateway, where you connect to the gateway then it performs the connection to the VPCs. You can also use it to connect multiple on-premises data centers by connecting the trough their respective DXs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What are the kinds of AWS VPN services?

A

-AWS Client VPN, which is used to connect Users to AWS or on-prem networks
-AWS Site-to_Site VPN, which is use to connect a on-prem network to Amazon VPCs

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

How does the Site-to-site VPN connection work?

A

It is necessary to setup a Customer Gateway to point the on premise VPN to AWS and a Virtual Private Gateway to be pointed to and attach it to your VPC. After that, 2 connection are created though the gateway that lead to different AZs inside the VPC.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

Assign True of False to the following statements:
- Public net can be accessed by the On-prem server through the Site-to-site VPN if it uses a NAT Gateway to do so
- Public net can be accessed by the On-prem server through the Site-to-site VPN if it uses a NAT Instance to do so
- Public net cannot be accessed by the AWS Network through the On-prem network.
-Site-to-site VPN can be accelerated using Global Accelerator

A

-False, NAT Gateways restrictions will block the corporate data center
-True
-False, public network can be accessed through the corporate data center
-True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

Can you connect multiple Customer Gateways to the same Virtual Private Gateway in site-to-site VPN?

A

Yes, you can use CloudHub to connect up to 10 Customer Gateways to the same VPG. If you want to connect one Customer Gateway to multiple VPGs you need multiple site-to-site VPNs, with Direct Connect Gateways probably being a better solution.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

True of False: You can benefit from a single Site-to-Site VPC through multiple VPCs by using VPC peering to connect all VPCs to the one connected through Site-to-Site VPN and having copies or proxies of the on-prem resources on it.

A

True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

How does monitoring work for Site-to-Site VPNs?

A

Site-to-Site VPN tunnels can be monitored by Cloudwatch, which collects the raw data being transmited end converts it into real-time metrics. These statistics are recorded for 15 months.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

Explain the billing for Site-to-Site VPNs

A

Site-to-Site VPNs are billed by the amount of data transfered outside AWS through them and a fixed cost to mantain the connection. Additionally, is the connection uses Global Accelerator there is an addicional billing for 2 Global Accelerators per VPN connection and a premium on the Transfer Out billing.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

Assign True of False to the following statements:
-Client VPNs function exactly as normal VPN connections, with a Client VPN Endpoint being created at AWS and being accessed by the user
-Client VPN accepts both IPv4 and IPv6
- Client VPNs can access resources through VPC Peering, Site-to-Site VPNs and NAT Gateways
- Client VPNs can be monitored through Cloudwatch, with logs being generated in real-time
- Billing is calculated based on number of active connections and number of subnets associated with Client VPN

A

-True
-False, works only with IPv4
-True
-False, logs are generated every 5 minutes
-True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

Assign True of False to the following statements:
-Transit Gateway allows you to connect multiple different VPCs in a transitive manner
-Transit Gateways can perform peering with each other, even in other Regions, and all VPCs connected to this gateways can peer each other
-Works by implementing it’s own routing table
-Can work with Direct Connect Gateway and VPN connections
-Supports IP Multicast
-Only works between VPCs in the same region
-VPCs connected can access each other’s NAT Gateways, ELBs, Private Links and EFSs
- Can be Shared through RAM
- Billing is calculated base on number of connections and volume of data processed in GB

A

-True
-True
-True
-True
-True
-False
-True
-True
-True

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What are the differences between a Public Subnet and a Private Subnet?

A

Public Subnet have routing tables that send 0.0.0.0/0 to an Internet Gateway (IGW) responsible for accessing the internet, meanwhile Private Subnets access the internet through NAT Gateways or NAT Instances setup in a Public Subnet, and all 0.0.0.0/0 traffic must be configured to be redirected to the NAT.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Explain the differences between NACLs and security groups
-NACLs affect the entire subnet or VPC, while security groups only affect individual instances -NACLs only support ALLOW and DENY rules, while, while security groups only support ALLOW rules (implicit DENY) -NACLs are stateless, which means return traffic must be explicitly allowed, while Security Groups are stateful, which means return traffic is always allowed as long as the input traffic was allowed -NACLs only work with blocks of IP adresses, while Security Groups can other reference Security Groups in the same region (can also reference SGs of peered connections, even if cross-account)
26
Explain the following concepts: - TLD - ccTLD - gTLD - SLD - FQDN
- TLD means Top Level Domain, at it is the topmost domain (most to the right) of an url. An example of a TLD is .com - ccTLD is a country-code TLD, a TLD that is reserved for use by a nation. An example of a ccTLD is .br - gTLD is a generic TLD, a TLD that does not have a country designation. An example of a gTLD is .com. - SLD means Second Level Domain, and it comes after the TLD. An example of an SLD is .google in www.google.com - An FQDN is a Fully Qualified Domain Name, and it contains the entire domain string. An example of a FQDN is www.google.com
27
Complete the following: - _______ is the topmost domain (most to the right) of an url. An example of a is .com - _______ is a TLD that is reserved for use by a nation. An example is .br - _______ is a TLD that does not have a country designation. An example is .com. - _______, and it comes after the TLD. An example is .google in www.google.com - _______ contains the entire domain string. An example is www.google.com
- TLD, or Top Level Domain - ccTLD, or country-code TLD - gTLD, or generic TLD - SLD, or Second Level Domain - FQDN, or Fully Qualified Domain Name
28
Explain DNS Zones
A DNS Zone is a group of nodes on the domain hierarchy that possesses authority over a subset of domains. Generally, the highr up top a node is on the zone, more authority it has over the zone.
29
Explain the following DNS network functions: - Registrant - Registrar - Registry operator/ Registry
- A registrant is someone who registers a domain name with a registrar - A registrar sells domain names. Whenever a domain is purchased, it must inform registry responsible for the domain - A registry is responsible for creating and managing zone files and mantaining the database of domain names for each TLD
30
What are the main type of DNS records accepted by Route 53 and what do they mean?
- A records: Maps domains to IPv4 - AAAA records: Maps domain to IPv6 - CNAME records: Maps domain to another domain, which must have an A or AAAA record associated to it. It also cannot be the top domain inside a zone (ex: example.com is forbidden, but www.example.com is not) - NS: Maps a Domain to its authoritative name server
31
Complete the following: - ______ records map domains to IPv4 - ______ records map domains to IPv6 - ______ records map domains to other domains, which must have an A or AAAA record associated to them. - ______ records map a domain to its authoritative name server
-A -AAAA -CNAME -NS (Name Server)
32
What info can you find in a DNS Record?
- The domain name - The domain TTL (in seconds) - The class of the protocol. Is almost always IN (Internet protocol) - The record type - The value to which the domain is mapped
33
What is a DNS Name Server?
Name servers are specialized servers that handle DNS queries and provide DNS resolution. They store and manage DNS records for specific domains. Name servers can be authoritative for a domain or act as a caching server to improve DNS lookup performance.
34
In a DNS lookup for www.example.com, in what order are the domain name servers accessed?
- 1st: Root Server, returns .com Server - 2nd: .com Server, returns example.com Server - 3rd: example.com Server, returns the ip of www.example.com.
35
Explain what is a Route 53 Hosted Zone?
A Hosted Zone is similar to a DNS Zone File, it contains DNS Records belonging to the same domain and that can be managed together. It then provides authoritative name servers for all Hosted Zones.
36
Assign True or False for each statement below: - Route 53 allows you to create and manage DNS Records of various types, allowing for highly customizable DNS Routing - Route 53 is highly available by default, with each Hosted Zone being assigned a set of Virtual DNS servers by the system - Route 53 has autoscaling built-in by default, but it must be turned on by the user - Performing any action on Route 53 needs the adequate IAM permissions granted to the user so he has the authority to perform the desired operations. - It is possible to transfer Domains between registrars, but not between AWS accounts
-True -True -False, it scales by default -True -False, Domains can be transfered between accounts through the AWS CLI
37
Explain how Route 53 Health checks work
Route 53 can setup health checks for PUBLIC services it interacts with. There are 3 types of health check: - Endpoint Health Check: Monitors an endpoint through IP or domain. Can be configured in regards of frequency - Calculated Health Checks: A health check that checks the status of other health checks. Useful if you only need to take action if a number of n resources fail, so you only take action when n health cheks fail. parent health check can monitor up to 256 child health checks -Cloudwatch Health Checks: Health Checks that monitor Cloudwatch Alarms based on specific metrics.
38
Explain the difference between Public Hosted Zones and Private Hosted Zones
Public Hosted Zones define how you want to reroute traffic in the internet, while Private ones define how you want to reroute trafiic inside VPCs. Private Hosted Zones don't need to reroute traffic to the same VPC, being capable of reddirecting traffic to multiple ones (Relação n para n).
39
What are some important Private Hosted Zone configurations that are important to know regarding VPCs?
-To use Private Hosted Zones, you must set the enableDNSHostnames and enableDNSSupport settings to True. -Route 53 DNS resolver ha 3 possible IPs, 169.254.169.253 for IPv4, fd00:ec2::253 for IPv6 and your private IPv4 CIDR + 2 (ex: if your block 10.11.12.0, the the IP is 10.11.12.2)
40
What routing policies are supported by private hosted zones?
-Simple -Failover -Weighted -Multi-value answer -Geolocation -Latency-based (All except Geoproximity and IP based)
41
True or False: There are no types of records you cannot create inside a private hosted zone
False, you cannot create NS records inside private hosted zones
42
What are the differences between CNAME records and Route 53 aliases
- CNAME returns a Domain, while alias returns the IP of that Domain - Alias can point to zone apex Domain (example.com) - Alias can route traffic to AWS resource endpoints - Alias records evaluate target health by default using a function called Evaluate Target Health
43
When you create a record in Route 53 you also define a routing policy for it. What routing policy types are available?
-Simple (Standard) -Failover (When you want active-passive failover) -Weighted (Multiple resources inspecific proportions) -Latency (Resource with best latency) -Geolocation (Routing based on client location) -Geoproximity (Routing based on resource location) -IP-Based (Specific routing for specific IPs) -Multivalue (Up to 8 possible records at random)
44
Explain DNSSEC extension
DNSSEC extension protects your Domain from DNS Spoofing or man-in-the-middle attacks. It does so by detectin if a DNS response has come from Route 53 and if it has been tampered with. DNSSEC works only with public host zones.
45
What are possible AWS Service Endpoints you can point your alias record to?
- S3 Websites - ELB - Cloudfront - API Gateway - Global Accelerator - Route 53 Record - Elastic Beanstalk - VPC Interface Endpoint - CANNOT be set for EC2 DNS Name
46
Explain the trade-offs between having a higher or lower Record TTL
The TTL defines how long a record can stay cached before having to be updated on route 53 again. Therefore, Records with a high TTL have a lower cost, since you need to hit Route 53 less frequently, but they run the risk of becoming stale.
47
Assign True or False indicating if each routing strategy below can have a health check associated to it or not: -Simple: _______________ -Weighted: ____________ -Failover: ______________ -Geoproximity: ________ -Geolocation: __________ -IP-based: _____________ -Latency: ______________ -Multivalue: ___________
-False -True -True -? -True -? -True -True
48
What is a route 53 resolver? What are it's use cases?
A Route 53 resolver helps you redirect DNS traffic between multiple networks, and it should be used on a hybrid architecture use case.
49
Assign True or False to following statementes regarding Route 53 Resolver Endpoints: - An Inbound Endpoint redirects DNS queries from the internet to your Route 53 Resolver, while an Outbound Endpoints redirects from the Route 53 Resolver to outside DNS servers - You can configure Inbound Endpoints, Outbound Endpoints or Endpoints capable of handling both Inbound and Outbound Traffic - All endpoints must be located within at least 2 subnets accross different AZs - When creating your Resolver Endpoints, it is necessary to create the appropriate inbound and outbound traffic rules for your VPC adn forwarding rules to your endpoints - The endpoints are made of ENIs with different IP addresses
- True - False, there are no endpoint types that can handle both inbound and outbound traffic - True - True - True
50
Whats the name of the AWS Service you can use to check which resources a web request passes through when accessing a resource inside your AWS Account?
AWS Network Access Analyzer
51
How does AWS global accelerator work?
Global accelerator works by providing you with 2 fixed Anycast IP addresses that can be used to route data through AWS' internal network by going through edge locations
52
What is AWS CloudFront?
It's a service for setting up a Content Delivery Network that allows you to improve read performance by caching content
53
True or False: Cloudfront can't help you agains DDoS and other application/network layer attacks, you must use WAF for that
False, Cloudfront can help against those kinds of attacks and has AWS Shield integration
54
What kinds of data origins does Cloudfront support?
-S3 Bucket -S3 Bucket configured as website -MediaStore Container & MediaPackage Endpoint -Custom Origin (HTTP). Ex: EC2, ELB, API Gateway
55
When should you use Cloudfront and when should you use S3 Cross Region Replication?
Cloudfront is good for static content that must be available everywhere. Meanwhile, S3 Cross Region Replication is good for dynamic content that must be available at low latency in some specific regions
56
What are Cloudfront origin groups?
They are a group of related origins configured so if one of them fails Cloudfront can reroute the requests a different origin inside the group
57
True or False: Cloudfront can block requests based on the requester's country
True
58
Cloudfront pricing depends on which subset of Edge Location regions you select to use with it. What are the available subsets of Edge Locations?
- Price Class All: All regions, best performance (Brasil only available here) - Price Class 200: Most regions with the exception of the most expensive ones - Price Class 100: Only the least expensive regions
59
True or False: Cloudfront has a Signed URL feature that allows anyone to access that specific path
True
60
Complete with what kind of information on each header of the answer to a Cloudfront request: X-CACHE:________________ X-AMZ-CF-ID:____________ X-AMZ-CF-POP:__________ SERVER:_________________
-X-CACHE: Indicates the operation performed by the cache to answer the request -X-AMZ-CF-ID: The ID of the Cloudfront request -X-AMZ-CF-POP: The edge location to which the request was rerouted -SERVER: Can be used to tell if any error comes from Cloudfront or your origin
61
What are the 2 types of request logs that can be generated by CloudFront and what are their differences
-Standard Logs (Access Logs): Free logs generated by and stored by CloudFront on S3. -Real-time Logs: Real time logs about the requests made to Cloudfront which are then streamed to Kinesis. Their usage incurs the Kinesis fees plus additional Real-time logs fees.
62
True or False: By default, Cloudfront only accepts GET and POST HTTP requests, but this can be changed
False, by default it accepts only GET and HEAD requests
63
If your Cloudfront cant access your origin due to a firewall, what error will it return?
Error 504 - Timeout
64
What can a site-to-site VPN connect to on AWS?
-Virtual Private Gateway -Transit Gateway -EC2 instance with VPN software
65
True or False: A Direct Connect gateway can access VPCs in any region using a virtual private gateway
False, it can only connect to VPCs inside the region where the connection was established
66
True or False: CloudFront can block you based on your access country
True
67
True or False: To configure peering between 2 transit gateways, you must set both of them to use dynamic outing, so they can share their routes with each other
False, to configure transit gateway peering you must configure a static route between the transit gateways so that data can be routed between them
68
How do you create an encrypted connection to your transit gateway inside Direct Connect?
You create a public VIF on the Direct Connect connecting it to the AWS Site-to-site VPN service than configure a site-to-site VpN targeting the transit gateway
69
In a context of AWS load balancers, what is SNI?
SNI (Server Name Indication) is a protocol that allow a load balancer to load more than one certificate in a single web server.
70
What kinds of AWS Load Balancers are there?
-Classic Load Balancer -Network Load Balancer -Application Load Balancer -Gateway Load Balancer
71
Which AWS Load Balancers support SNI?
-NLBs and ALBs
72
True or False: Using HTTPS instead of HTTP can help preven man-in-the-middle attacks
True
73
What are the main protocols used by each type of Load Balancer and in what layer do they act?
-Classic Load Balancer: Layers 4 and 7, HTTP, HTTPS, TCP, SSL -Application Load Balancer: Layer 7, HTTP, HTTPS, WebSocket -Network Load Balancer: Layer 4, TCP, TLS (Secure TCP), UDP -Gateway Load Balancer: Layer 3 (Network Protocol), IP
74
ALBs can implement Routing Rules for _________
path, header, query string
75
What are the available target groups for ALBs?
-EC2 instances -ECS Tasks -Lambda Functions -IP Addresses
76
True or False: ALBs are more performatic than NLBs (100ms vs 400ms)
False, ALBs and NLBs are flipped
77
True or False: NLBs can handle millions of requests per second
True
78
True or False: NLBs have 4 Static IPs per adress, but cannot handle Elastic IPs
False, NLBs have only 1 static IP oer address and they can use Elastic IPs
79
What are NLBs' available target Groups?
-EC2 instances -Private IP Addresses -ALBs
80
What's the main use case for Gateway Load Balancers?
To use security tools such as packet inspectors and firewall to increase network security by creating single point of entry and exit
81
To use the Gateway load balncer you must use the ________ protocol on port ________
-GENEVE -6081
82
What does enabling Cross-Zone Load Balancing do?
It makes it so that treffic is distributed equally between instances in differente AZs instead os equally between AZs
83
What restrictions are there for the usage of Cross-Zone Load Balancing on each ELB?
-CLB: Disabled by default, no charges if enables -ALB: Enabled by defaut, can't be turned off, no additional charges -NLB: Disabled by default, charges for inter AZ data if enables -GLB: Disabled by default, charges for inter AZ data if enables
84
What are Sticky Sessions (Session Affinity)?
It's a setting you can configure so a Client is always redirected to the same instance behind a load balancer
85
When should you use ELB sticky sessions?
When you don't want the user to lose their session data
86
What kinds of ELBs can use sticky sessions?
CLBs, NLBs and ALBs
87
True or False: The use of Sticky sessions has no known disadvantages
False, it can imbalance the load by overloadingsome EC2 instances
88
What are the existing routing algorithms used by ELBs and which kinds of ELBs can use each of them?
-Least Outstanding Requests, ALB and CLB (HTTP, HTTPS) -Round Robin, ALB and CLB (TCP) -Flow Hash, NLB
89
How does the Least Outstanding Requests ELB rerouting algorithm work?
It selects the instance with the least number of pending/unfinished requests to receive the next request
90
How does the Round Robin ELB rerouting algorithm work?
It equally choses targets from the Target Group
91
How does the Flow Hash ELB rerouting algorithm work?
Selects a target based on the protocol, source/destination IP address, source/destination port, and TCP sequence number. Each TCP/UDP connection is routed to a single target for the life of the connection
92
True or False: When you make an request to an ALB, the application sees the client IP, not the ALB's IP
False, it sees the ALB's IP and the client IP is tored in the X-Forwarded-For Header
93
True or False: ALBs are the only types of ELB with dynamic port mapping
True
94
True or False: When you make an request to an NLB, the application sees the client IP, not the NLB's IP
True
95
What are the min and max size of an AWS VPC CIDR?
/28 and /16 respectively
96
True or False: 4 ips are reserved in every AWS subnet for AWS use, the 3 first ones and the last
False, it is the first 4 ones and the last
97
For a private subnet to access the internet, it must connect to a ________ or _______ in a public subnet
-NAT Gateway -NAT Instance
98
What is a NAT instance?
It is an EC2 instance you use to perform the NAT protocol
99
For NAT Gateways to work, you must disable the EC2 setting _________
Source/destination check
100
What is a NAT Gateway?
It is a managed AWS solution used for executing NAT Protocol
101
What are the differences between NAT Gateways and NAT Instances?
-NAT Instances are not resilient to failure and their bandwidth is limited to the instance type -NAT Instances are cheap -NAT Instance Failover must be managed manually -NAT Gateways are resilient to failure within a single AZ -NAT Gateways can be deployed to multiple AZs por HA -NAT Gateway has an Elastic IP, making external sources se NAT Gateway as source
102
What are Bastion Hosts?
They are public EC2 instances that tou use to SSH to private EC2 instances
103
Which service offers a more secure way to access private instances without needing to SSH to a bastion host?
SSM Session Manager
104
True or False: VPC peering can work accross regions and accounts
True
105
Hwo can you configure a Transit Gateway so all subnets can Acess the internet but they cannot communicate with each other
-Set one of the VPCs to be the "Egress VPC" with the internet gateway -Configure 2 route tables, 1 for the Egress VPC and another for the other VPCs -Make its so all traffic from the other VPCs that is not 0.0.0.0/0 (targeting the egress VPC) is sent to a black hole
106
True or False: On a Transit Gateway, you can configure each VPC to use a specific route table
True
107
True or False: You can configure VPC Endpoint policies to restrict resource access through them
True
108
What the difference between Static Routing and Dynamic Routing in regards to Site-to-site VPNs?
Static routing creates a fixed connection based on a fixed IP Adress. Dynamic routing uses Border Gateway Protocol to automatically update the routing tables, with only the CGW and VPG IDs being needed
109
True or False: Client VPN is not compatible with VPC Peering
False
110
What is the best way to connect 2 Direct Connect locations while bypassing AWS Regions?
Point both Direct Conects to the same Direct Connection Gateway. This will allow instance on both of them to communicate with each other.
111
True or False: Internally, AWS Network Firewall uses Network Load Balancers
False, it uses Gateway Load Balancers
112
Where can AWS Network Firewall send logs to?
S3, Cloudwatch Logs, Kinesis Data Firehose
113
What's the main advantage of a manually configured load balancer over an ELB?
It is cheaper
114
What are GLBs' available target Groups?
-EC2 instances -Private IPs
115
True or False: Besides ELBs, Cloudfront can also perform SNI
True
116
What is ELB Connection Draining?
It is the times it takes for an online instance to finish it's pending requests before being taken off-air. During this time, no new requests are sent to it.
117
True or False: You cannot disable ELB connection draining, but you can set the drain time to 1 second
False, you can disable connection draining by setting the draining time to 0 seconds
118
How many Elastic IPs can each AWS Account have?
5 (It is possible to request an increase)
119
What are the netork components an ENI can have?
-One primary private IPv4 address, one or more secondary IPv4 addresses -One public IPv4 address -One or more security group -A MAC Address
120
True or False: All Route 53 DNS Records must have a TTL associated to them
False, Alias records do not need to have TTLs
121
True or False: You can use VPC Peering to: -Connect to DNS servers in other VPCs -Reach EC2 Instances in other VPCs -Communicate with the Other VPC using IPv6 -Use Direct Connect connection, VPNs to other Networks, NAT Devices to access the internet and Internet Gateways -Use an S3 Gateway Endpoint in another VPC -Use Interface VPC Endpoints
-False -True -True -False -False -True
122
In what cases should you use Cloudfront and in what cases should you use Global Accelerator?
-Cloudfront is good for dynamic content and content that is served at the edge -Global Accelerator is good for non-HTTP use cases such as gaming (UDP), IoT (MQTT) and Voice over IP -Global Accelerator is good for HTTP cases that require Static IPAdresses or fast regional failover -Global Accelerator is good for fast regional failover between multiple regions
123
True or False: Cloudfront can only use an HTTP origin if the origin is Public (Has public IP)
True
124
True or False: Cloudfront has no way of blocking access to users based on their Geolocation. You must use Route 53 to do so.
False, it can restrict by itself
125
How can you force a Cloudfront cache to refresh after it's origin is changed?
You can perform a cache invalidation for some or all files on the cache
126
What is the difference between Unicast IP and Anycast IP?
-Unicast: Each server holds 1 IP Address -Anycast: All servers hold the same IP address and the client is routed to the closest one
127
How can you make it so an S3 bucket's objects can only be accessed through a specific Cloudfront distribution?
You must use an Origin Access Control (OAC) on the Cloudformation distribution after giving it access to the bucket through a Bucket Policy
128
How do you turn off a specific OAC on Cloudfront?
Go on it's settings and enable the "Never sign origin requests" option.
129
True or False: Cloudfront is incompatible with HTTPS
False, Cloudfront can be configured to use both HTTPS on the user connection and the origin connection
130
When configuring an S3 Cloudfront origin to need HTTPS, what the available configurations possible?
-Redirect HTTP to HTTPs -HTTPS Only
131
True or False: The only way to restrict access to files using Cloudfront is to restrict access to origin using OACs
False, you can also force users to need signed URLs or signed cookies to access files
132
What types of origins can have their access restricted by using Cloudfront OACs?
-S3 (Not S3 websites) -Lambda URL -Elemental Media Package v2 -Elemental Media Store
133
How can you restrict access to an ALB so that it can only be accessed through Cloudfront?
Configure Cloudfront to add a custom HTTP header to requests and configure the ALB to only forward requests that have this header
134
There are 2 ways to pre-process Cloudfront request: Cloudfront Functions and Lambda@Edge. What are the main use cases of Cloudfront Functions?
-Cache Key processing -Header Manipulation (Insert, Delete, Edit) -URL Redirection based on request info (Not Header) -Request validation
135
There are 2 ways to pre-process Cloudfront request: Cloudfront Functions and Lambda@Edge. What are the main use cases of Lambda@Edge?
-More complex processing -Functions that require access to file systems or the body of the request
136
True or False: Both Lambda@Edge and Cloudfront Functions can process only Viewer requests and responses
False, Lambda@Edge can also process Origin requests and responses
137
What languages do Cloudfront Functions accept?
Only JavaScript
138
True or False: Both Lambda@Edge and Cloudfront Functions run on the Edge Location
False: Lambda@Edge runs ate the Regional Edge Cache
139
What are some examples of what you can use Lambda@Edge to do on Cloudfront?
-Inspect cookies to rewrite URL destination for A/B testing -Inspect Headers to redirect URL -Make network calls to other services
140
True or False: You can add tags to Edge Functions
False
141
What does AWS Global Accelerator work with?
-Elastic IPs -EC2 instances -ALBs -NLBs
142
True or False: AWS Global Accelerator supports Client IP Address Preservation fo all resources
False, it does not support them for NLBs or Elastic IPs
143
True or False: AWS Global Accelerator is resilient against DDoS because it has integrations with AWS Shield
True
144
What are the main benefits of Global Accelerator?
-Fast regional failover -Routing to lowest latency (Anycast IP) -Good for disaster recovery (Automatic Failover)

AWS Solutions Architect Professional (13 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions