Practice test 3 (actual 4) Flashcards
(38 cards)
I want to use dedicated hosts for one year and then migrate them to default tenancy afterwards. Is this possible?
You can change the tenancy of an instance from dedicated to host and vice versa (correct).
You cannot change the tenancy from dedicated/host to default, or from default to dedicated/host, ever.
What is the difference between a target tracking and a simple scaling policy for an Auto Scaling group of EC2 instances consuming messages from SQS?
Target tracking: divide the ApproximateNumberOfMessages (CloudWatch metric) in the queue by the number of instances in the InService state in the Auto Scaling group. This provides an acceptable and most accurate backlog per instance, which is best.
Simple scaling policy: based on CloudWatch metrics and alarms. After a scaling activity has started, the policy must wait for the replacement to complete and the cooldown period to expire, so it won't be able to react quickly.
Step scaling would work but would not be as good or efficient as target tracking.
I want to use CloudWatch alarms to automatically recover EC2 instances if they become impaired. What happens to the instances when they recover? True/false regarding public and private IP, metadata, termination, etc.
Correct / true:
The instance retains its public IPv4 address if it has one.
The recovered instance is identical to the original: instance ID, private IP, Elastic IP, metadata.
During the recovery, the instance is migrated during reboot, and in-memory data is lost.
Incorrect: terminated EC2 instances can be recovered if they are configured at the launch of the instance.
Global company, procurement workflow, distributed app. Orders booked in one region must be visible in all regions in one second or less. DB failover must have a short recovery time objective. Uptime critical. What is the most cost-effective solution? Options:
RDS for MySQL or PostgreSQL with cross-region read replica (async replication, more than one second).
Aurora Global Database (correct)
DynamoDB global tables (incorrect: "DynamoDB would be more costly in this scenario", maybe due to r/w traffic)
Answer: Aurora. My answer: DynamoDB. I did not read the options, but they were not clear about the app needing SQL, which it would.
EC2 fleet behind an ELB in 2 zones, A and B. A has one instance, B has 4 instances. What traffic distribution would you get with cross-zone load balancing enabled vs disabled?
Cross-zone enabled: the one instance in A gets 20% and each of the 4 in B gets 20%.
Cross-zone disabled: A gets 50%, each instance in B gets 12.5%.
NAT instance vs NAT gateway true/false options
Correct / true:
A NAT instance can be a bastion server.
Security groups can be associated with a NAT instance.
A NAT instance supports port forwarding (but not a NAT gateway; this was incorrect).
Flow logs, NACLs and traffic metrics are supported by both.
High performance computing recommended network components: what is best (elastic … adapters)?
Elastic Fabric Adapter attached to EC2: the highest-performance network option. The fabric means it bypasses the OS to get to the hardware interface for speed.
Incorrect: elastic network interface, elastic network adapter (high performance computing but not as fast as EFA), Elastic IP.
Configuring security groups for a 2-tier app with public web servers and a private DB. What is true/false for an inbound rule for a security group?
True statements about what can be the source or destination of a rule:
- A range of IP addresses in a CIDR block x.x.x.x/16 or IPv6
- A specific IP address in the format x.x.x.x/32
- Another security group ID in the same VPC or in a peering connection VPC
- The same security group ID
False statement: use an internet gateway ID as the custom source for an inbound rule.
Configuring security groups for a 2-tier app with public web servers and a private DB. What is true/false for an inbound rule for a security group?
True statements:
A range of IP addresses in a CIDR block x.x.x.x/Y
Another security group in this VPC or in a peering connection VPC
The same security group
Can use the SG from an ALB
False statement: use an internet gateway ID as the custom source for an inbound rule.
Real-time health data processed into an analytics workflow. With more users the system is slow and unresponsive, and it does not have retry. Need a scalable solution with minimal implementation overhead. How?
Correct: Kinesis Data Streams to ingest, process with Lambda or run analytics with Kinesis Data Analytics. (I knew this would work, but the words "minimal implementation" are contradictory to notes; be careful. Note the words "real time", because Data Streams has 200 ms latency.)
Incorrect: SQS for ingestion, Lambda for processing. "This can work, but Data Streams is custom made for streaming real-time data."
EC2 in a private subnet reads and writes big volumes to S3 in the same region. A NAT gateway is configured for all internet-bound traffic. Best cost-optimal solution, without impacting the ability to communicate with S3 or the internet?
VPC gateway endpoint (for S3 and DynamoDB only). Needs an endpoint policy. Update the route table with the VPC gateway endpoint as a target to direct S3 traffic to the endpoint. There is no additional charge for a gateway endpoint.
Incorrect: internet gateway, gateway load balancer.
Also, there is a VPC interface endpoint for communicating with any AWS service in another VPC; it can be many things. Uses PrivateLink. Provisions an elastic network interface and a security group. Cost involved $.
Company has a hybrid cloud with on-prem. Wants a web log archive where only the most frequently accessed logs are available as a local cache, while backing up all logs to S3.
Be careful: the answer provided is not well described in notes, but does match AWS docs.
This relates to the AWS Storage Gateway type Volume Gateway. Other types are Tape, File, and FSx File.
iSCSI = Volume (cached or stored)
NFS / SMB = File
FSx File = Windows
AWS says: Volume Gateway presents cloud-backed iSCSI block storage volumes to your on-premises applications. Volume Gateway stores and manages on-premises data in Amazon S3 on your behalf and operates in either cache mode or stored mode. (Note the similarity/difference: File Gateway is NFS (Network File System) and SMB compatible, cached on-prem, pushed to S3.)
The following 2 modes refer to on-prem data:
In the cached Volume Gateway mode, your primary data is stored in Amazon S3, while your frequently accessed data is retained locally in the cache for low-latency access. In the stored Volume Gateway mode, your primary data is stored on-prem and your entire dataset is available for low-latency access on premises, while also being asynchronously backed up to Amazon S3. In both cases it is backed up to EBS block storage for fast recovery.
AWS Volume Gateway - Cached Volume (correct)
AWS Volume Gateway - Stored Volume (incorrect)
Company has a licence-based commercial DB system on-prem. Wants to migrate to an open source, cost-effective DB in the cloud. Wants to handle complex database config: indexes, FKs, stored procs. How?
Correct:
AWS Schema Conversion Tool (as it says, plus it migrates indexes, FKs, procs!)
Database Migration Service (DBs remain operational during migration; supports same-to-same and different-engine migrations).
Incorrect: Glue,
Basic schema copy (this is real but will not migrate secondary indexes, FKs, stored procs),
Snowball.
Migrate an SQS standard queue to FIFO with batching. Steps?
Delete the existing queue and recreate it as FIFO (Jol correct)
The name of the FIFO queue ends in .fifo (Jol correct)
The throughput of the FIFO queue does not exceed 3000 messages per sec (correct, Jol got wrong)
FIFO queues support 3000 msg/s with batching (300 x 10 per batch) and 300 msg/s without batching. This was the error I made. (Message operations can be send, delete, receive.)
Org is using Service Control Policies (SCPs) for central control of permissions in accounts. This is a special feature of an organisation. What is true/false about SCPs?
True / correct:
SCPs affect all users and roles in attached accounts, including the root user.
SCPs do not affect service-linked roles.
If a user or role has an IAM permission policy that grants access to an action that is not allowed or is denied by the SCP, the user or role can't perform the action. The SCP trumps the user/role permission policy.
More info:
No permissions are granted by an SCP; that is the user/role level. It is a guardrail or limit.
Effective permissions are the intersection between the SCP and the user/role, very similar to IAM permissions boundaries, which are applied to individual IAM users and roles, mainly to developers.
SCPs don't affect resource-based policies, only users/roles.
Company has Organizations set up for departments. They have EC2 and RDS. They want shared, centrally managed VPCs for all departments using apps that need a high degree of connectivity. How?
Correct: VPC sharing to share one or more subnets with other AWS accounts belonging to the same parent org. Sharing is all about the resources in subnets: EC2, RDS, Redshift, and Lambda (?) as in docs.
Incorrect: VPC sharing to share the whole VPC … (and as above). You can't share a VPC with sharing, only subnets.
Incorrect: VPC peering; not centrally managed, and gives access to the whole VPC.
Web app on ECS (Elastic Container Service). The website slows down when traffic spikes, and has poor availability. The dev team has CloudWatch alarms with notifications. How to automate?
Correct: Auto Scaling to scale out the ECS cluster when the ECS service's CPU utilization rises above a threshold.
There is an Elastic Load Balancer involved.
Documented options:
ECS Service Average CPU Utilization
ECS Service Average Memory Utilization
ALB Request Count Per Target
Incorrect: as above but "… ALB target group's CPU utilization …". Unfortunately very close, because there is an LB involved, but wrong.
A business has 2 AWS accounts and all resources are in the us-west-2 region. They try to launch EC2 in each of the 2 accounts such that the instances are in the same AZ in us-west-2. After selecting the same default subnet for EC2 when launching in each account, the AZs are still different for each instance. Why?
Correct: They must use the AZ ID to uniquely identify the AZ across the 2 accounts. The AZ is specified for each instance.
Incorrect: Use the default VPC to uniquely identify the AZ across the 2 accounts. A VPC spans a region, therefore it cannot be used to identify an AZ.
Company uses SQS; consumers need additional time to process messages, … to postpone for a few seconds. How?
Correct: Delay queues to postpone delivery to the queue for a few seconds.
"Delay queues let you postpone the delivery of new messages to a queue for several seconds, for example, when your consumer application needs additional time to process messages. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes."
Incorrect: visibility timeout. This will not postpone delivery; it stops other consumers from reading the same message from the queue.
Standardizing EC2 instances with AMIs. Rules about copying to different accounts and regions. Options true/false:
Correct:
Can share an AMI with another account
Copy an AMI across regions
Copying an AMI backed by an encrypted snapshot cannot result in an unencrypted snapshot. This is the only scenario that is forbidden. Allowed: unencrypted to encrypted, encrypted to encrypted…
Incorrect answers were the opposite of the above, including encrypted to unencrypted.
Route 53: what are Alias, CNAME and A records?
Alias: directs queries to selected AWS resources like S3, CloudFront, or another record in the same Route 53 hosted zone, e.g. hello.abc.com to goodbye.abc.com.
CNAME: directs DNS queries to any DNS record. Commonly used to redirect from domain.com to another-domain.com.
A record: points a domain to an IP address, not to another domain. PTR is a reverse lookup from IP to domain name.
SQS queue facts: quotas, message throughput, retention, group ID, long polling wait time
Delay queue: default 0, max 15 minutes.
Long polling: max wait time 20 sec.
Message group IDs in FIFO only; no quota on the number of groups; a message must have a group ID in FIFO.
Backlog messages: unlimited.
Messages per queue in flight: standard queue 120,000 messages not yet deleted; FIFO 20,000 messages.
FIFO message throughput: 300 transactions per sec (Send, Receive, Delete).
Batching (x10): 3000 transactions per sec, which means 300 API calls each with a batch of 10. Raise a support request to increase.
High throughput FIFO queues can go up to 6000 without batching, 60,000 with batching.
Message size: min 1 byte, max 256 KB.
Visibility timeout: default is 30 sec; min 0 sec, max 12 hours.
Big data analytics company, real-time vehicle tracking. Data processing has I/O-intensive and throughput-intensive DB work. NoSQL database hosted on EC2. Must support 25,000 IOPS per volume; which EBS volume type?
Correct: Provisioned IOPS SSD io1, designed for critical, I/O-intensive work and throughput-intensive database work. Supports:
* 50 IOPS per GiB to a max of 64,000 IOPS
* max of 1000 MiB per sec of throughput per volume
Incorrect:
General Purpose SSD gp2:
* max IOPS per volume 16,000 for gp2 and gp3.
* Throughput 250 MiB/s for gp2 (2 = 250), and for gp3: 1000 MiB/s (3 = 3 zeros)
Incorrect:
Throughput Optimized HDD st1 has:
* 500 IOPS per volume for st1, 250 IOPS per volume for sc1 (cold)
* 500 MiB/s throughput for st1, 250 MiB/s for sc1 (cold)
IOPS per volume ladder:
256,000 = io2 Block Express (multiply previous by 4)
64,000 = io1 and io2 (multiply previous by 4)
16,000 = gp2 and gp3 … START SSD ^^ (multiply previous by 32)
500 = st1 (same as throughput)
250 = sc1 (same as throughput) HDD
More info on io2 and io2 Block Express:
IOPS per volume: io2 = 64,000 … io2 Block Express = 256,000
Max throughput per volume: io2 = 1000 MiB/s … io2 Block Express = 4000 MiB/s
Launch configuration tenancy setting in an Auto Scaling group vs VPC tenancy rules matrix. A simple rule applies.
Launch config tenancy (LCT) = default
VPC tenancy (VT) = default
Result = shared tenancy instance
LCT = default
VT = dedicated
Result = dedicated
LCT = dedicated
VT = default
Result = dedicated
Dedicated trumps default every time.