AWS Solutions Architect Associate (SAA) Exam Flashcards
What is a NAT gateway used for?
You can use a Network Address Translation gateway (NAT gateway) to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances. To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside.
How to configure a NAT gateway?
You must also specify an Elastic IP address to associate with the NAT gateway when you create it. The Elastic IP address cannot be changed after you associate it with the NAT Gateway. After you’ve created a NAT gateway, you must update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet. If you no longer need a NAT gateway, you can delete it. Deleting a NAT gateway disassociates its Elastic IP address, but does not release the address from your account.
How do NAT gateways work in AZs?
Each NAT gateway is created in a specific Availability Zone and implemented with redundancy in that zone.
If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone.
How does instance placement tenancy work when you use a launch configuration in a VPC?
So, when you’re setting up your launch configuration, if you:
Do nothing about tenancy: Your instance will follow the VPC’s rules. If the VPC is like a neighborhood that’s all private houses (dedicated), then your instance will also be a private house.
If the VPC is like a big apartment complex (default), then your instance will be like an apartment.
Choose “dedicated” tenancy: You’re specifically asking for a private house, no matter what the neighborhood (VPC) usually does.
What is instance placement tenancy?
When you’re using Amazon’s cloud to create virtual computers (instances), you can also decide how these computers are physically hosted in Amazon’s data centers. This decision is about “instance placement tenancy,” which can sound a bit complicated, but it’s essentially about choosing between two main options for your virtual computer’s physical “neighborhood”:
Shared Housing (default): By default, your virtual computer shares physical hardware with other virtual computers owned by different people. It’s like renting an apartment in a big building where you have your own space, but the building itself is shared with others. This is the most common setup and works well for most needs.
Private House (dedicated): If you want, you can choose to have your virtual computer on its own dedicated physical hardware. This is like having a private house instead of an apartment. No other virtual computers, except yours, will be hosted on this physical machine. This option is used for special situations that require isolation from other users’ computers, often for added security or to meet specific regulatory requirements.
The choice between these two options is controlled in two places:
Launch Configuration: When you’re preparing your recipe (launch configuration) for your virtual computer, you can specify your preference for this physical hosting. If you don’t say anything, Amazon uses the default setting from your virtual private cloud (VPC).
Virtual Private Cloud (VPC): Your VPC settings can also influence this choice. If your VPC is set to dedicated tenancy, any virtual computer created in this VPC will automatically be set up in its own private house, unless specifically overridden.
What is Amazon Aurora Serverless?
Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora (MySQL-compatible and PostgreSQL-compatible editions), where the database automatically starts up, shuts down, and scales capacity up or down based on your application’s needs. It enables you to run your database in the cloud without managing any database instances. It’s a simple, cost-effective option for infrequent, intermittent, or unpredictable workloads. You pay on a per-second basis for the database capacity you use while the database is active, and you can migrate between standard and serverless configurations with a few clicks in the Amazon RDS Management Console.
What is Amazon DynamoDB?
Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It’s a fully managed, multi-region, multi-master, durable database with built-in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second.
What is Amazon ElastiCache?
Amazon ElastiCache lets you set up popular open-source-compatible in-memory data stores in the cloud. You can build data-intensive apps or boost the performance of your existing databases by retrieving data from high-throughput, low-latency in-memory data stores such as Redis and Memcached. ElastiCache is used as a caching layer; it is not a fully managed MySQL database.
How can you recover a DynamoDB table from corrupted or accidentally deleted data as quickly as possible?
Amazon DynamoDB enables you to back up your table data continuously by using point-in-time recovery (PITR). When you enable PITR, DynamoDB backs up your table data automatically with per-second granularity so that you can restore to any given second in the preceding 35 days.
PITR helps protect you against accidental writes and deletes. For example, if a test script accidentally writes to a production DynamoDB table or someone mistakenly issues a “DeleteItem” call, PITR has you covered. Note that a PITR restore always creates a new table; you then point the application at it or copy the good data back, so the restore does not overwrite the live table in place.
What does a recovered EC2 instance have in common with the impaired instance it replaces?
A recovered instance is identical to the original instance, including the instance ID, private IP addresses, Elastic IP addresses, and all instance metadata. If the impaired instance is in a placement group, the recovered instance runs in the same placement group. If your instance has a public IPv4 address, it retains the public IPv4 address after recovery. During instance recovery, the instance is migrated during an instance reboot, and any data that is in memory is lost. Recovery is typically triggered by a CloudWatch alarm on the StatusCheckFailed_System metric with the recover action; instance store volumes do not survive the migration.
How do security groups work in AWS?
Security groups are stateful: if you allow inbound traffic on the port a service listens on, the return traffic for that connection is allowed automatically, regardless of the outbound rules (and the same applies in reverse for connections the instance initiates). Security groups have allow rules only; anything not explicitly allowed is denied.
How do network ACLs (network access control lists) work for the subnet of an EC2 instance?
Network ACLs are stateless, so you must allow both inbound and outbound traffic.
To enable the connection to a service running on an instance, the associated network ACL must allow both inbound traffic on the port that the service is listening on as well as allow outbound traffic from ephemeral ports. When a client connects to a server, a random port from the ephemeral port range (1024-65535) becomes the client’s source port.
The designated ephemeral port then becomes the destination port for return traffic from the service, so outbound traffic from the ephemeral port must be allowed in the network ACL.
The default network ACL that comes with a VPC allows all inbound and outbound traffic; a custom network ACL you create denies all traffic until you add rules. If your network ACL is more restrictive than the default, you need to explicitly allow outbound traffic to the ephemeral port range.
If you accept traffic from the internet, then you also must establish a route through an internet gateway. If you accept traffic over VPN or AWS Direct Connect, then you must establish a route through a virtual private gateway (VGW).
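The stateful-versus-stateless distinction above is easy to get wrong in practice, so here is an added example (not AWS code, and not part of the original flashcards) that models both evaluators in plain Python and pushes one HTTPS request and its reply through each. The evaluation semantics follow the AWS behaviour described in the cards (security group: any matching allow permits, and return traffic for an allowed connection is permitted automatically; network ACL: rules are evaluated in ascending rule-number order, first match wins, and the implicit “*” rule denies). The `Packet` and `Rule` classes, the rule format, and the sample addresses (documentation ranges) are assumptions made for this example.

```python
"""Stateful security group vs stateless network ACL, modelled in plain Python.

Added illustration, not AWS code. The classes, rule format and the sample
addresses are assumptions for this example; the evaluation order mirrors the
AWS behaviour described in the flashcards.
"""
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # the range a network ACL must allow outbound for return traffic


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound", relative to the instance/subnet
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    port_range: tuple  # inclusive (low, high); rules match the packet's destination port
    action: str = "allow"
    number: int = 0  # only meaningful for network ACL rules (lowest number wins)


def _matches(rule, pkt):
    low, high = rule.port_range
    return rule.direction == pkt.direction and low <= pkt.dst_port <= high


class SecurityGroup:
    """Stateful: replies to an allowed inbound connection are let out even
    when no outbound rule covers them."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()  # (client_ip, client_port, service_port) seen inbound

    def evaluate(self, pkt):
        if pkt.direction == "inbound":
            if any(_matches(r, pkt) for r in self.inbound):
                self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_port))
                return "allow"
            return "deny"
        # outbound: a reply to a tracked flow is allowed regardless of outbound rules
        if (pkt.dst_ip, pkt.dst_port, pkt.src_port) in self.flows:
            return "allow"
        return "allow" if any(_matches(r, pkt) for r in self.outbound) else "deny"


class NetworkACL:
    """Stateless: every packet, request or reply, is judged on its own."""

    def __init__(self, rules=()):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt):
        for r in self.rules:
            if _matches(r, pkt):
                return r.action  # first (lowest-numbered) matching rule decides
        return "deny"  # the implicit '*' rule


def connection_verdict(firewall, client_ip, client_port, server_ip, server_port):
    """Push a client's request and the server's reply through `firewall`.
    Returns (request_verdict, reply_verdict); the connection only works if both are 'allow'."""
    request = Packet("inbound", client_ip, client_port, server_ip, server_port)
    reply = Packet("outbound", server_ip, server_port, client_ip, client_port)
    return firewall.evaluate(request), firewall.evaluate(reply)


# Constructed sample: a client on an ephemeral port talks to HTTPS on the instance.
CLIENT, CLIENT_PORT, SERVER, HTTPS = "203.0.113.10", 50000, "10.0.1.5", 443


def sg_https_only():
    return SecurityGroup(inbound=[Rule("inbound", (HTTPS, HTTPS))])


def nacl_inbound_only():
    return NetworkACL([Rule("inbound", (HTTPS, HTTPS), number=100)])


def nacl_with_ephemeral():
    return NetworkACL([Rule("inbound", (HTTPS, HTTPS), number=100),
                       Rule("outbound", EPHEMERAL, number=100)])


if __name__ == "__main__":
    for label, fw in [("security group, inbound 443 only", sg_https_only()),
                      ("network ACL, inbound 443 only", nacl_inbound_only()),
                      ("network ACL, inbound 443 + outbound 1024-65535", nacl_with_ephemeral())]:
        print(f"{label}: request/reply = {connection_verdict(fw, CLIENT, CLIENT_PORT, SERVER, HTTPS)}")
```

The second case is the classic misconfiguration: the inbound 443 rule lets the request in, but the reply to the client’s ephemeral port is dropped by the network ACL, so the TCP handshake never completes even though the security group would have allowed it.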
What is scale up in vertical scalability?
Vertical scalability means increasing the size of the instance. For example, if your application runs on a t2.micro, scaling it up vertically means running it on a larger instance such as a t2.large, and scaling it down means running it on a smaller instance such as a t2.nano. Vertical scaling is common for non-distributed systems such as a database. There is usually a hardware limit to how far you can scale vertically. Upgrading an instance from t2.nano to u-12tb1.metal is an example of scale up in vertical scalability.
What is scale up in horizontal scalability?
Horizontal scalability means increasing the number of instances/systems for your application. Increasing the number of instances is called scale out; decreasing it is called scale in. “Scale up” is a vertical-scaling term, not a horizontal-scaling one, so “scale up in horizontal scalability” is a misnomer.
What does high availability mean?
High availability means running your application/system in at least 2 data centers (i.e. Availability Zones). The goal of high availability is to survive the loss of a data center. An example of high availability is running instances for the same application across multiple AZs. High availability is about surviving failures, not about adding capacity, so it is not a form of scaling.
What is the most scalable, highly fault-tolerant relational database in AWS?
Aurora features a distributed, fault-tolerant, and self-healing storage system that is decoupled from compute resources and auto-scales up to 128 TiB per database instance. It delivers high performance and availability with up to 15 low-latency read replicas, point-in-time recovery, continuous backup to Amazon Simple Storage Service (Amazon S3), and replication across three Availability Zones (AZs).
Since Amazon Aurora Replicas share the same data volume as the primary instance in the same AWS Region, there is virtually no replication lag. Replica lag is in the tens of milliseconds (compared to seconds of replication lag for MySQL read replicas). This makes Aurora the right choice when read replicas must lag the primary instance by no more than 1 second.
Which AWS offering can be used to decouple a monolithic architecture and handle messaging between microservices?
Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS eliminates the complexity and overhead associated with managing and operating message-oriented middleware and empowers developers to focus on differentiating work. Using SQS, you can send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available.
Use Amazon SQS to transmit any volume of data, at any level of throughput, without losing messages or requiring other services to be available. Amazon SQS lets you decouple application components so that they run and fail independently, increasing the overall fault tolerance of the system. Multiple copies of every message are stored redundantly across multiple Availability Zones so that they are available whenever needed. Being able to store messages and process them later is a key feature for decoupling a system architecture.
Why can’t Amazon EventBridge be used instead of SQS for asynchronous messaging?
Amazon EventBridge is an event bus that is especially useful for connecting non-AWS SaaS (Software as a Service) applications to AWS services. It pushes events to their targets as they arrive, so the downstream application has to process each event immediately; there is no queue for a consumer to pull from at its own pace. That makes it a tightly coupled fit for this scenario, so it is not the right choice for queue-style asynchronous messaging.
What is a good AWS relational database solution to minimize data loss and storing every transaction on at least two nodes?
Set up an Amazon RDS MySQL DB instance with Multi-AZ functionality enabled to synchronously replicate the data
Can you route traffic to 3rd party websites with alias record?
Alias records let you route traffic to selected AWS resources, such as Amazon CloudFront distributions and Amazon S3 buckets. They also let you route traffic from one record in a hosted zone to another record. Third-party websites do not qualify as alias targets because AWS has no control over them, so an alias record cannot map a domain name to an arbitrary external domain; use a CNAME record for that (except at the zone apex, where a CNAME is not allowed).
How does CNAME record work?
A CNAME record maps DNS queries for the name of the current record, such as acme.example.com, to another domain (example.com or example.net) or subdomain (acme.example.com or zenith.example.org).
CNAME records can be used to map one domain name to another. Although you should keep in mind that the DNS protocol does not allow you to create a CNAME record for the top node of a DNS namespace, also known as the zone apex. For example, if you register the DNS name example.com, the zone apex is example.com. You cannot create a CNAME record for example.com, but you can create CNAME records for www.example.com, newproduct.example.com, and so on.
Imagine you own a domain myshop.online, and you have created various online platforms for different purposes, such as a blog (blog.myshop.online), a support section (support.myshop.online), and a store (store.myshop.online). Now, you want all these services to be hosted on another domain you have, say, services.digital.
A CNAME (Canonical Name) record comes into play here. It acts like a redirect or alias from one domain to a different domain or subdomain. So, you can set up CNAME records for each of your subdomains to point to services.digital or its respective subdomains, like this:
A CNAME record for blog.myshop.online points to blog.services.digital.
A CNAME record for support.myshop.online points to support.services.digital.
A CNAME record for store.myshop.online points to store.services.digital.
This setup means that when someone visits blog.myshop.online, the resolver follows the CNAME and returns the address of blog.services.digital; the visitor’s browser still shows blog.myshop.online, so the change of domain is invisible to them.
However, there’s a limitation. If you wanted to point your main domain myshop.online directly to another domain using a CNAME record, you wouldn’t be allowed. The DNS standards prevent you from creating a CNAME record for the domain’s root level, also known as the zone apex. So, myshop.online cannot have a CNAME record, but any subdomains like www.myshop.online can.
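To make the CNAME rules in the two cards above concrete, here is an added example (not Route 53 code and not part of the original flashcards). It enforces the zone-apex restriction described above together with the related RFC 1034 rule that a CNAME may not coexist with any other record at the same name, and then follows CNAME chains the way a resolver does. Route 53 alias records are modelled as a pseudo-type `ALIAS`, which is a simplification (a real alias is answered with the target’s records and is invisible to the client). The zone contents, hostnames, the `d111111abcdef8.cloudfront.net` stand-in and the IP addresses are constructed sample data.

```python
"""CNAME rules and CNAME chasing, modelled in plain Python.

Added illustration, not Route 53 code. Zone contents, names and addresses
below are constructed sample data; "ALIAS" is a simplified stand-in for a
Route 53 alias record.
"""


class ZoneError(ValueError):
    """Raised when a record would violate the CNAME rules."""


def _norm(name):
    return name.rstrip(".").lower()


def add_record(zone, apex, name, rtype, value):
    """Add (rtype, value) under `name` in `zone` (a dict: name -> list of records),
    refusing the combinations DNS does not allow."""
    name, apex = _norm(name), _norm(apex)
    if name != apex and not name.endswith("." + apex):
        raise ZoneError(f"{name} is not inside zone {apex}")
    existing = zone.get(name, [])
    if rtype == "CNAME":
        if name == apex:
            raise ZoneError(f"no CNAME allowed at the zone apex {apex}; "
                            "point the apex at an AWS resource with an alias record instead")
        if existing:
            raise ZoneError(f"a CNAME at {name} cannot coexist with other records")
    elif any(t == "CNAME" for t, _ in existing):
        raise ZoneError(f"{name} is already a CNAME; no other record may be added")
    zone.setdefault(name, []).append((rtype, value))
    return zone


def rejected(zone, apex, name, rtype, value):
    """True if add_record refuses the record (works on a copy, so `zone` is untouched)."""
    try:
        add_record({k: list(v) for k, v in zone.items()}, apex, name, rtype, value)
    except ZoneError:
        return True
    return False


def lookup(zones, name):
    """Find the records for `name` in any of the constructed zones."""
    for zone in zones.values():
        if name in zone:
            return zone[name]
    return []


def resolve(zones, name, rtype="A", max_hops=8):
    """Chase CNAME/ALIAS records until a record of `rtype` turns up.
    Returns (path, values): the names visited and the final answers
    (values is empty when the chain ends without an answer)."""
    current, path = _norm(name), []
    for _ in range(max_hops + 1):
        path.append(current)
        records = lookup(zones, current)
        answers = [v for t, v in records if t == rtype]
        if answers:
            return path, answers
        targets = [v for t, v in records if t in ("CNAME", "ALIAS")]
        if not targets:
            return path, []  # no data / nonexistent name
        current = _norm(targets[0])
    raise ZoneError(f"CNAME chain from {name} exceeds {max_hops} hops (loop?)")


def build_sample_zones():
    """Constructed zones for the scenario in the text: three subdomains of
    myshop.online pointed at services.digital, plus an alias at the apex."""
    services = {}
    for host, ip in [("blog", "192.0.2.10"), ("support", "192.0.2.11"), ("store", "192.0.2.12")]:
        add_record(services, "services.digital", f"{host}.services.digital", "A", ip)
    cdn = {}  # stand-in for an AWS resource's own DNS name (constructed, not a real distribution)
    add_record(cdn, "cloudfront.net", "d111111abcdef8.cloudfront.net", "A", "198.51.100.7")
    shop = {}
    for host in ("blog", "support", "store"):
        add_record(shop, "myshop.online", f"{host}.myshop.online", "CNAME", f"{host}.services.digital")
    add_record(shop, "myshop.online", "myshop.online", "ALIAS", "d111111abcdef8.cloudfront.net")
    return {"myshop.online": shop, "services.digital": services, "cloudfront.net": cdn}


if __name__ == "__main__":
    zones = build_sample_zones()
    print(resolve(zones, "blog.myshop.online"))
    print(resolve(zones, "myshop.online"))
    print("apex CNAME rejected:",
          rejected(zones["myshop.online"], "myshop.online", "myshop.online", "CNAME", "services.digital"))
```

The apex case is the one that bites in practice: a CNAME at myshop.online is refused, while the alias pseudo-record at the same name resolves through to the target’s address, which is exactly why Route 53 offers alias records for apex names that must point at AWS resources.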
What is good about Amazon Aurora Global Database?
An Aurora global database provides more comprehensive failover capabilities than the failover provided by a default Aurora DB cluster. By using an Aurora global database, you can plan for and recover from disaster fairly quickly. Recovery from disaster is typically measured using values for RTO and RPO.
Recovery time objective (RTO) – The time it takes a system to return to a working state after a disaster. In other words, RTO measures downtime. For an Aurora global database, RTO can be in the order of minutes.
Recovery point objective (RPO) – The amount of data that can be lost (measured in time). For an Aurora global database, RPO is typically measured in seconds.
With an Aurora global database, you can choose from two different approaches to failover:
Managed planned failover – This feature is intended for controlled environments, such as disaster recovery (DR) testing scenarios, operational maintenance, and other planned operational procedures. Managed planned failover allows you to relocate the primary DB cluster of your Aurora global database to one of the secondary Regions. Because this feature synchronizes secondary DB clusters with the primary before making any other changes, RPO is 0 (no data loss).
Unplanned failover (“detach and promote”) – To recover from an unplanned outage, you can perform a cross-Region failover to one of the secondaries in your Aurora global database. The RTO for this manual process depends on how quickly you can perform the tasks listed in Recovering an Amazon Aurora global database from an unplanned outage. The RPO is typically measured in seconds, but this depends on the Aurora storage replication lag across the network at the time of the failure.
How can you reduce the cost of Amazon SQS?
Amazon SQS provides short polling and long polling to receive messages from a queue. By default, queues use short polling. With short polling, Amazon SQS sends the response right away, even if the query found no messages. With long polling, Amazon SQS sends a response after it collects at least one available message, up to the maximum number of messages specified in the request. Amazon SQS sends an empty response only if the polling wait time expires.
Long polling makes it inexpensive to retrieve messages from your Amazon SQS queue as soon as the messages are available. Using long polling can reduce the cost of using SQS because you can reduce the number of empty receives.
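The cost argument above is about the number of ReceiveMessage requests, including empty ones, so here is an added example (not the SQS API and not part of the original flashcards) that simulates one consumer under short polling and under 20-second long polling against the same constructed message schedule and counts the requests. ReceiveMessage is modelled as the card describes it: a short poll answers immediately, possibly with nothing; a long poll blocks until a message is available or the wait time (at most 20 seconds) expires. The arrival times, the one-second retry sleep of the short-polling consumer, and the five-minute horizon are assumptions made for this example.

```python
"""Short polling vs long polling, as a discrete-time simulation.

Added illustration, not the SQS API. Arrival times, the consumer's retry
sleep and the horizon are constructed assumptions; the polling semantics
follow the flashcard's description of ReceiveMessage.
"""

MAX_WAIT_SECONDS = 20  # SQS upper bound for WaitTimeSeconds


def simulate(arrivals, horizon, wait_seconds, idle_sleep=1):
    """Run one consumer that keeps calling ReceiveMessage until `horizon` seconds.
    arrivals: message arrival times in seconds (any order).
    wait_seconds: 0 for short polling, 1..20 for long polling.
    idle_sleep: how long a short-polling consumer sleeps after an empty receive.
    Returns (requests, empty_receives, messages_received)."""
    if not 0 <= wait_seconds <= MAX_WAIT_SECONDS:
        raise ValueError("WaitTimeSeconds must be between 0 and 20")
    if idle_sleep <= 0:
        raise ValueError("idle_sleep must be positive, or a short poller would spin forever")
    queue = sorted(arrivals)
    now, requests, empty, received = 0, 0, 0, 0
    while now < horizon:
        requests += 1  # every call is billed, whether or not it returns a message
        if queue and queue[0] <= now:
            queue.pop(0)        # a message is waiting: both modes return it at once
            received += 1
            continue
        if wait_seconds == 0:
            empty += 1          # short poll: empty response, consumer sleeps and retries
            now += idle_sleep
            continue
        deadline = now + wait_seconds
        if queue and queue[0] <= deadline:
            now = queue.pop(0)  # long poll: returns as soon as the message arrives
            received += 1
        else:
            empty += 1          # long poll: empty only after the wait time expires
            now = deadline
    return requests, empty, received


# Constructed arrival schedule: six messages spread over five minutes.
SAMPLE_ARRIVALS = [7, 33, 34, 95, 160, 250]
HORIZON = 300


def compare(arrivals=SAMPLE_ARRIVALS, horizon=HORIZON):
    """Same traffic under short polling and under 20-second long polling."""
    return {"short": simulate(arrivals, horizon, 0),
            "long": simulate(arrivals, horizon, MAX_WAIT_SECONDS)}


if __name__ == "__main__":
    for mode, (req, empty, got) in compare().items():
        print(f"{mode:5} polling: {req:4} requests, {empty:4} empty, {got} messages")
```

With this schedule the short-polling consumer makes 306 requests (300 of them empty) to receive six messages, while the long-polling consumer makes 20. In the real service the wait is set per call with the `WaitTimeSeconds` parameter of ReceiveMessage, or for the whole queue with the `ReceiveMessageWaitTimeSeconds` queue attribute; the simulation's one-second sleep is only an assumption about how a short-polling consumer behaves.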
What does Amazon GuardDuty do?
Amazon GuardDuty offers threat detection that enables you to continuously monitor and protect your AWS accounts, workloads, and data stored in Amazon S3. GuardDuty analyzes continuous streams of meta-data generated from your account and network activity found in AWS CloudTrail Events, Amazon VPC Flow Logs, and DNS Logs. It also uses integrated threat intelligence such as known malicious IP addresses, anomaly detection, and machine learning to identify threats more accurately.
What is Amazon Macie?
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data on Amazon S3. Macie automatically detects a large and growing list of sensitive data types, including personally identifiable information (PII) such as names, addresses, and credit card numbers. It also gives you constant visibility of the data security and data privacy of your data stored in Amazon S3.
What is Cloud Formation stack?
An AWS CloudFormation stack is a set of AWS resources that are created and managed as a single unit when AWS CloudFormation instantiates a template. A stack lives in one account and one Region, so a single stack cannot deploy the same template across multiple AWS accounts and Regions; that is what StackSets are for.
What is Cloud Formation template?
AWS Cloudformation template is a JSON or YAML-format, text-based file that describes all the AWS resources you need to deploy to run your application. A template acts as a blueprint for a stack.
What is AWS Resource Access Manager (RAM)?
AWS Resource Access Manager (AWS RAM) is a service that enables you to easily and securely share AWS resources with any AWS account or within your AWS Organization.
What is AWS Cloud Formation StackSet?
AWS CloudFormation StackSet extends the functionality of stacks by enabling you to create, update, or delete stacks across multiple accounts and regions with a single operation. A stack set lets you create stacks in AWS accounts across regions by using a single AWS CloudFormation template. Using an administrator account of an “AWS Organization”, you define and manage an AWS CloudFormation template, and use the template as the basis for provisioning stacks into selected target accounts of an “AWS Organization” across specified regions.
What is AWS Database Migration Service?
AWS Database Migration Service helps you migrate databases to AWS quickly and securely. The source database remains fully operational during the migration, minimizing downtime to applications that rely on the database.
What is AWS Glue?
AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy for customers to prepare and load their data for analytics. AWS Glue job is meant to be used for batch ETL data processing.
What is Amazon EMR?
Amazon EMR is the industry-leading cloud big data platform for processing vast amounts of data using open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto. With EMR you can run Petabyte-scale analysis at less than half of the cost of traditional on-premises solutions and over 3x faster than standard Apache Spark. For short-running jobs, you can spin up and spin down clusters and pay per second for the instances used. For long-running workloads, you can create highly available clusters that automatically scale to meet demand. Amazon EMR uses Hadoop, an open-source framework, to distribute your data and processing across a resizable cluster of Amazon EC2 instances.
What is Amazon Kinesis Data Streams?
Amazon Kinesis Data Streams (KDS) is a massively scalable and durable real-time data streaming service. KDS can continuously capture gigabytes of data per second from hundreds of thousands of sources such as website clickstreams, database event streams, financial transactions, social media feeds, IT logs, and location-tracking events.
What is the fully managed NoSQL persistent data store with in-memory caching in AWS?
Amazon DynamoDB