AWS Developer 3 - Networking Using Amazon VPC Flashcards
- Your client decided to move to AWS and asked you to define the logically isolated virtual network in AWS using the predefined IP address range. Which of the following will you need to create to accomplish this?
A. Public subnet
B. Private subnet
C. Virtual private cloud
D. NAT gateway
C. Virtual Private Cloud (VPC) logically isolates the virtual network in AWS using the predefined IP address range.
- You created the VPC using the CIDR block range given to you by your network team. However, your application became so popular that you need to add new features, high availability, and redundancy, so your AWS architect asked you to increase the size of the VPC. Is it possible to resize it?
A. Yes, it can be extended by adding four secondary IPv4 CIDR blocks
B. No, it is not possible to resize IPv4 CIDR blocks, but you can resize IPv6 CIDR blocks.
C. No, it is not possible to resize the VPC.
D. Yes, it is possible to resize the VPC, but you cannot reduce it.
A. Yes, the VPC can be extended by adding 4 secondary IPv4 CIDR blocks, and you can decrease your VPC by deleting those secondary CIDR blocks.
- You are designing your AWS network and need to create the largest VPC and smallest VPC based on your application requirements. What are the largest and smallest IPv4 VPCs that you are allowed to create in AWS?
A. Largest /16 and smallest /30
B. Largest /8 and smallest /32
C. Largest /56 and smallest /64
D. Largest /16 and smallest /28
D. AWS VPCs can vary in size from 16 addresses (/28 netmask), which is the smallest, to 65,536 addresses (/16 netmask), which is the largest.
- A user has created a VPC with one public subnet and one private subnet. The user wants to run the patch updates for the instances in the private subnet, but the instances are not able to connect to the Internet. How can the instances from the user’s private subnet connect to the internet?
A. Attach the Internet Gateway to the private subnet.
B. Allow inbound traffic for port 80 to allow Internet updates in the security group.
C. Use a NAT gateway or NAT instance with an elastic IP.
D. The instance on the private subnet can never connect to the internet.
C. You need to use a NAT device (NAT gateway or NAT instance) to enable instances in a private subnet to connect to the Internet for patching and software updates, while preventing traffic initiated from the Internet from reaching those instances.
- Your client asked you to automatically provision the VPC and all its related components quickly, so you decided to use the VPC wizard in the AWS Management VPC console. What options are provided for you by default in the VPC wizard? (Choose all that apply.)
A. Amazon VPC with a single public subnet only.
B. Amazon VPC with public and private subnets and AWS site-to-site VPN access.
C. Amazon VPC with public and private subnet and AWS site-to-site VPN Access.
D. Amazon VPC with a private subnet only and AWS site-to-site VPN access.
A, B, C, D. You can create four types of VPCs using the VPC wizard:
Amazon VPC with a single public subnet only
Amazon VPC with private and public subnets
Amazon VPC with public and private subnets and AWS site-to-site VPN access
Amazon VPC with a private subnet only and AWS site-to-site VPN access
- VPC endpoints allow you to privately connect your VPC to services hosted on AWS without requiring an Internet gateway, a NAT device, or a VPN connection. What two types of endpoints are available in Amazon VPC?
A. Site-to-site endpoints
B. Gateway endpoints
C. Interface endpoints
D. Point-to-site endpoints
B, C. Amazon VPC offers two types of endpoints: gateway endpoints and interface endpoints. Endpoints allow you to privately connect your VPC to your services hosted on AWS without requiring an Internet gateway, NAT device, or VPN connection.
- Security groups in a VPC operate at the instance level, where you specify which traffic is allowed to or from an Amazon EC2 instance. NACLs operate at the subnet level and evaluate all the traffic entering and exiting a subnet. Which of the following is not true?
A. Security groups can be used to set both allow and deny rules.
B. NACLs do not filter traffic between instances in the same subnet.
C. NACLs perform stateless filtering, while security groups perform stateful filtering
D. NACLs can be used to set both allow and deny rules.
A. Security groups can be used to set only allow rules, not deny rules; however, network ACLs can be used to set both allow and deny rules.
- True or False: Transitive peering relationships are supported in Amazon VPC peering. For example, if I peer VPC X to VPC Y and I peer VPC Y to VPC Z, does that mean VPCs X and Z are peered?
B. No, transitive peering relationships are not supported in AWS.
- Which of the following is false about elastic IP address pricing?
A. You will not incur costs when the elastic IP address is associated with a running EC2 instance.
B. You will not incur costs when the elastic IP address is associated with a stopped EC2 instance.
C. You will not incur costs when the IP address is from a BYOIP address pool.
D. You will not incur costs when the instance has only one static IP address attached to it.
B. False: You will incur costs when the elastic IP address is associated with a stopped EC2 instance.
- A user has created a VPC with two public subnets and three security groups. The user has launched an instance in a public subnet and attached an elastic IP. He is still unable to connect to that EC2 instance. The Internet gateway has also been created. What could be the reason for the connection error?
A. The Internet gateway is not configured with the route table to route traffic.
B. The private IP is not present for the instance.
C. The private IP is not present for the instance.
D. Traffic is denied on the security group.
A. You need to configure the Internet gateway with the route table to route traffic, and then the user will be able to connect to the EC2 instance.