AWS

Question 1

What are the four disaster recovery strategies outlined by AWS in order of expense and RTO (low to high)?

Answer 1

Backup and Recover, Pilot Light, Warm Standby, Multi-size

Question 2

What is RPO and what does it stand for?

Answer 2

Recovery Point Objective. The optimal point in time from which you’ll be recovering from.

Question 3

What is RTO and what does it stand for?

Answer 3

Recovery Time Objective. The amount of time it will take for a backup system to be fully operational.

Question 4

What is the least expensive DR solution recommended by AWS?

Answer 4

Backup and Restore

Question 5

What durability does S3 have?

Answer 5

11 9s durability.

Question 6

When would you use Pilot Light?

Answer 6

When you don’t want to pay the cost of having unused compute infrastructure but want to limit RTO to tens of minutes.

Question 7

What happens when an EC2 instance that’s fronted by an ELB fails it’s health check?

Answer 7

The ELB stops sending it traffic.

Question 8

When attached an ENI to an EC2, what’s the difference between a cold, warm, and hot attach?

Answer 8

Cold: attaching when the EC2 is being launched, Warm: attaching when EC2 is stopped, Hot: attaching when EC2 is running

Question 9

When can you move an ENI from one instance to another?

Answer 9

When the ENI’s are in the same AZ and VPC but in different subnets

Question 10

Would you choose RDS read replicas or RDS Multi-Region if you wanted to minimize RTO?

Answer 10

You would choose RDS Mutli-Region since read replicas are not updated synchronously.

Question 11

Is DynomoDB an appropriate option for infrequently accessed data?

Answer 11

Yes

Question 12

Are NACLs stateless? Are Security group stateless?

Answer 12

NACLS are stateless, Security groups are stateful.

Question 13

What order are NACL rules evaluated in?

Answer 13

They are evaluated by rule number from lowest to highest.

Question 14

You have been evaluating the NACLs in your company. Currently, you are looking at the default network ACL. Which statement is true about NACLs?

Answer 14

The default configuration of the default NACL is Allow, and the default configuration of a custom NACL is Deny.

Question 15

What service can you use to ensure that resources you’ve deployed are within budget?

Answer 15

AWS Budgets

Question 16

How many AZs can a subnet span?

Answer 16

Just one.

Question 17

What addresses in the CIDR address block used by your Subnet are reserved and for what?

Answer 17

x. x.x.0 is the network address
x. x.x.1 is the VPC router
x. x.x.2 is for the DNS
x. x.x.3 is reserved for future use
x. x.x.255 is used for broadcast, which is in not supported by AWS

Question 18

How many internet gateways can you have per VPC?

Answer 18

Just one.

Question 19

Why wouldn’t you want to create a route out to the internet on your main route table in your VPC?

Answer 19

Any subnet created in your VPC will be associated with the main route table be default; if your main route table has a route table to the internet, all subnets will be public by default.

Question 20

Why would you use a NAT gateway?

Answer 20

To enable an instance in a private subnet to have access to the internet.

Question 21

How can you ensure an auto scaling group automatically scales out at a certain time every day?

Answer 21

Create a scheduled action

Question 22

How can you block a specific IP address from accessing your subnet?

Answer 22

Using a Network ACL. You cannot use a security group to block a specific IP address.

Question 23

How many network ACLs is your subnet associated with?

Answer 23

Exactly 1.

Question 24

What is a VPC Endpoint?

Answer 24

A virtual device that allows communications between your VPC components and AWS services

Question 25

What is the maximum bandwidth of a NAT Gateway?

Answer 25

They scale from 5 Gbps to 100 Gbps

Question 26

When would you use an interface endpoint as opposed to a gateway endpoint?

Answer 26

Use gateway endpoints when you need to access DynomoDB or S3; otherwise use an interface endpoint. The interface endpoint uses an ENI while the gateway endpoint sits at the edge of your VPC.

Question 27

Can you do transitive peering with VPCs?

Answer 27

No

Question 28

Can you peer VPCs across regions?

Answer 28

Yup

Question 29

Can you have overlapping CIDR address ranges when you peer two VPCs?

Answer 29

Nope

Question 30

If you need to connect your VPC to tens, hundreds, or thousands of VPCs, which service could you use?

Answer 30

AWS PrivateLink

Question 31

What does the service and customer need to create in their VPCs to use PrivateLink

Answer 31

The service needs to set up a Network Load balancer and the consumer needs to set up an ENI

Question 32

When would you use VPN CloudHub?

Answer 32

When you have multiple sites with VPN connections that need to connect together.

Question 33

If you want to avoid the complexity of peering together multiple VPCs, which service can you use?

Answer 33

Transit Gateway

Question 34

Can you use Transit Gateway to connect VPCs in multiple regions?

Answer 34

Yes

Question 35

How can you prevent VPCs from communicating with each other if they are connected through Transit Gateway?

Answer 35

Configure your route tables to prevent them from interacting.

Question 36

What can you do to simplify your network architecture if you have less than 10 VPCs that are connected to your data center using direct connect?

Answer 36

Use a direct connect gateway.

Question 37

Is a NAT gateway redundant in the AZ?

Answer 37

Yes

Question 38

What should you do to create an availability zone-independent architecture when setting up NATs?

Answer 38

Create one in each AZ.

Question 39

Is Direct Connect encrypted by default?

Answer 39

No

Question 40

What is AWS Personal Health Dashboard

Answer 40

The AWS Health Dashboard is the single place to learn about the availability and operations of AWS services. You can view the overall status of AWS services, and you can sign in to view personalized communications about your particular AWS account or organization. Your account view provides deeper visibility into resource issues, upcoming changes, and important notifications.

Question 41

What is the difference between a launch configuration and a launch template?

Answer 41

launch template is similar to a launch configuration, in that it specifies instance configuration information. Included are the ID of the Amazon Machine Image (AMI), the instance type, a key pair, security groups, and the other parameters that you use to launch EC2 instances. However, defining a launch template instead of a launch configuration allows you to have multiple versions of a template. With versioning, you can create a subset of the full set of parameters and then reuse it to create other templates or template versions. For example, you can create a default template that defines common configuration parameters and allow the other parameters to be specified as part of another version of the same template.

Question 42

How long does it take to failover when using an RDS with Multi-AZ Deployment

Answer 42

1 to 2 minutes

Question 43

When using an RDS with Multi-AZ deployment, what does AWS do to fail over if your primary database fails?

Answer 43

When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.

Question 44

Can you delete the default security group associated with your VPC?

Answer 44

You can’t delete this group, however, you can change the group’s rules.

Question 45

Can you remove the * All Traffic Deny NACL rule?

Answer 45

No

Question 46

How many security groups can be attached to an EC2 instance?

Answer 46

Up to 5

Question 47

What is AWS Managed VPN?

Answer 47

AWS Managed VPN lets you reuse existing VPN equipment and processes, and reuse existing internet connections.

It is an AWS-managed high availability VPN service.

It supports static routes or dynamic Border Gateway Protocol (BGP) peering and routing policies.

Question 48

What are the three most common properties found in an IAM statement?

Answer 48

Effect, Action, and Resource

Question 49

Is IAM Universal?

Answer 49

Yes

Question 50

What would you use IAM Federation for?

Answer 50

When you want to connect to AWS using AD credentials.

Question 51

What’s the file size range for an object in S3?

Answer 51

0 to 5 TB

Question 52

What’s the URL syntax for an S3 object?

Answer 52

http://[bucket-name].s3.[region].amazonaws.com/[key-name]

Question 53

What status code will you get back when you upload a file to S3?

Answer 53

HTTP 200

Question 54

How can you make an S3 object accessible publicly?

Answer 54

Enable the bucket to be public and then apply a policy to allow access to the object or the entire bucket

Question 55

Can you disable versioning on a bucket?

Answer 55

No, but you can suspend it

Question 56

What the retrieval times for Glacier Instant Retrieval, Glacier Flexible Retrieval, and Glacier Deep Archive?

Answer 56

Milliseconds
Minutes to hours
Default of 12 hours

Question 57

When using an object lock, what’s the difference between governance mode and compliance mode?

Answer 57

With governance mode, users with a special permission can overwrite the file. With compliance mode, no user (including root) can delete the object until the end of the retention period.

Question 58

What is the difference between SSE-S3, SSE-KMS, and SSE-C

Answer 58

SSE-S3: AWS automatically handles the encryption using a key that they manage
SSE-KMS: You use a key provided by KMS
SSE-C: You provide the key

Question 59

How do you enforce encryption in S3?

Answer 59

Use a bucket policy to ensure that PUT requests include an encryption parameter in the HTTP header

Question 60

How many PUT/COPY/POST/DELETE requests per second can you make in S3? How many GET/HEAD?

Answer 60

3,500 per prefix

5,500 per prefix

Question 61

What must you enable to upload a file over 5GB?

Answer 61

Multipart Uploads

Question 62

Why would you use a byte-range fetch?

Answer 62

Increase performance when downloading files

Question 63

What is the minimum and maximum time frame for reserving an instance?

Answer 63

1 to 3 years

Question 64

Can you attach and detach roles while an EC2 instance is running?

Answer 64

Yes

Question 65

What inbound and outbound traffic and allowed by default when creating a security group?

Answer 65

All inbound is denied by default and all outbound is allowed by default.

Question 66

What is the difference between users data and meta data?

Answer 66

User data is your bootstrap script, meta data is information about EC2

Question 67

When would you use Enhance Networking?

Answer 67

You need reliable throughput between 10 Gbps and 100 Gbps

Question 68

When would you use Elastic Fabric Adapter (EFA)

Answer 68

High Performance Computing
Machine Learning
OS-Bypass

Question 69

When would you use Cluster, Spread, and Partition placement groups?

Answer 69

Use cluster for lower networking latency / high throughput

Use spread for critical EC2 instances that need to be on separate hardware

Partition placement groups can be used to deploy large distributed and replicated workloads, such as HDFS, HBase, and Cassandra, across distinct racks