Chapter 2: Compute Services Flashcards
You need to deploy multiple EC2 Linux instances that will provide your company with virtual private networks (VPNs) using software called OpenVPN. Which of the following will be the most efficient solutions? (Choose two.)
Select a regular Linux AMI and bootstrap it using user data that will install and configure the OpenVPN package on the instance and use it for your VPN instances.
Search the community AMIs for an official AMI provided and supported by the OpenVPN company.
Search the AWS Marketplace to see whether there’s an official AMI provided and supported by the OpenVPN company.
Select a regular Linux AMI and SSH to manually install and configure the OpenVPN package.
Create a site-to-site VPN connection from the wizard in the AWS VPC dashboard.
A, C. Many third-party companies maintain official and supported AMIs running their software on the AWS Marketplace. AMIs hosted among the community AMIs are not always official and supported versions. Since your company will need several such instances, you’ll be better off automating the process by bootstrapping rather than having to configure the software manually each time. The site-to-site VPN tool doesn’t use OpenVPN.
As part of your company’s long-term cloud migration strategy, you have a VMware virtual machine in your local infrastructure that you’d like to copy to your AWS account and run as an EC2 instance. Which of the following will be necessary steps? (Choose two.)
Import the virtual machine to your AWS region using a secure SSH tunnel.
Import the virtual machine using VM Import/Export.
Select the imported VM from among your private AMIs and launch an instance.
Select the imported VM from the AWS Marketplace AMIs and launch an instance.
Use the AWS CLI to securely copy your virtual machine image to an S3 bucket within the AWS region you’ll be using.
B, C. The VM Import/Export tool handles the secure and reliable transfer of a virtual machine between your AWS account and local datacenter. A successfully imported VM will appear among the private AMIs in the region you selected. Direct S3 uploads and SSH tunnels are not associated with VM Import/Export.
Your AWS CLI command to launch an AMI as an EC2 instance has failed, giving you an error message that includes InvalidAMIID.NotFound. Which of the following is the most likely cause?
You haven’t properly configured the ~/.aws/config file.
The AMI is being updated and is temporarily unavailable.
Your key pair file has been given the wrong (overly permissive) permissions.
The AMI you specified exists in a different region than the one you’ve currently specified.
D. AMIs are specific to a single AWS region and cannot be deployed into any other region. If your AWS CLI or its key pair was not configured properly, your connection would have failed completely. A public AMI being unavailable because it’s “updating” is theoretically possible but unlikely.
The sensitivity of the data your company works with means that the instances you run must be secured through complete physical isolation. What should you specify as you configure a new instance?
Dedicated Host tenancy
Shared tenancy
Dedicated Instance tenancy
Isolated tenancy
A. Only Dedicated Host tenancy offers full isolation. Shared tenancy instances will often share hardware with operations belonging to other organizations. Dedicated Instance tenancy instances may be hosted on the same physical server as other instances within your account.
Normally, two instances running m5.large instance types can handle the traffic accessing your online e-commerce site, but you know that you will face short, unpredictable periods of high demand. Which of the following choices should you implement? (Choose two.)
Configure autoscaling.
Configure load balancing.
Purchase two m5.large instances on the spot market and as many on-demand instances as necessary.
Shut down your m5.large instances and purchase instances using a more robust instance type to replace them.
Purchase two m5.large reserve instances and as many on-demand instances as necessary.
A, E. Reserve instances will give you the best price for instances you know will be running 24/7, whereas on-demand makes the most sense for workloads that will run at unpredictable times but can’t be shut down until they’re no longer needed. Load balancing controls traffic routing and, on its own, has no impact on your ability to meet changing demand. Since the m5.large instance type is all you need to meet normal workloads, you’ll be wasting money by running a larger type 24/7.
Which of the following use cases would be most cost effective if run using spot market instances?
Your e-commerce website is built using a publicly available AMI.
You provide high-end video rendering services using a fault-tolerant process that can easily manage a job that was unexpectedly interrupted.
You’re running a backend database that must be reliably updated to keep track of critical transactions.
Your deployment runs as a static website on S3.
B. Spot market instances can be shut down with only a minimal (two-minute) warning, so they’re not recommended for workloads that require reliably predictable service. Even if your AMI can be relaunched, the interrupted workload will still be lost. Static S3 websites don’t run on EC2 infrastructure in the first place.
In the course of a routine infrastructure audit, your organization discovers that some of your running EC2 instances are not configured properly and must be updated. Which of the following configuration details cannot be changed on an existing EC2 instance?
AMI
Instance type
Security group
Public IP address
A. You can edit or even add or remove security groups from running instances and the changes will take effect instantly. Similarly, you can associate or release an Elastic IP address to/from a running instance. You can change an instance type as long as you shut down the instance first. But the AMI can’t be changed; you’ll need to create an entirely new instance.
For an account with multiple resources running as part of multiple projects, which of the following key/value combination examples would make for the most effective identification convention for resource tags?
servers:server1
project1:server1
EC2:project1:server1
server1:project1
B. The first of two (and not three) strings in a resource tag is the key—the group to which the specific resource belongs. The second string is the value, which identifies the resource itself. If the key looks too much like the value, it can cause confusion.
Which of the following EBS options will you need to keep your data-hungry application that requires up to 20,000 IOPS happy?
Cold HDD
General-purpose SSD
Throughput-optimized HDD
Provisioned-IOPS SSD
D. Provisioned-IOPS SSD volumes are currently the only type that comes close to 20,000 IOPS. In fact, under the right circumstances, they can deliver up to 256,000 IOPS.
Your organization needs to introduce Auto Scaling to its infrastructure and needs to generate a “golden image” AMI from an existing EBS volume. This image will need to be shared among multiple AWS accounts belonging to your organization. Which of the following steps will get you there? (Choose three.)
- Create an image from a detached EBS volume, use it to create a snapshot, select your new AMI from your private collection, and use it for your launch configuration.
- Create a snapshot of the EBS root volume you need, use it to create an image, select your new AMI from your private collection, and use it for your launch configuration.
- Create an image from the EBS volume attached to the instance, select your new AMI from your private collection, and use it for your launch configuration.
- Search the AWS Marketplace for the appropriate image and use it for your launch configuration.
- Import the snapshot of an EBS root volume from a different AWS account, use it to create an image, select your new AMI from your private collection, and use it for your launch configuration.
B, C, E. Options B, C, and E are steps necessary for creating and sharing such an image. When an image is created, a snapshot is automatically created from which an AMI is built. You do not, however, create a snapshot from an image. The AWS Marketplace contains only public images; hopefully, no one will have uploaded your organization’s private image there!
Which of the following are benefits of instance store volumes? (Choose two.)
- Instance volumes are physically attached to the server that’s hosting your instance, allowing faster data access.
- Instance volumes can be used to store data even after the instance is shut down.
- The use of instance volumes does not incur costs (beyond those for the instance itself).
- You can set termination protection so that an instance volume can’t be accidentally shut down.
- Instance volumes are commonly used as a base for the creation of AMIs.
A, C. The fact that instance volumes are physically attached to the host server and add nothing to an instance cost is a benefit. The data on instance volumes is ephemeral and will be lost as soon as the instance is shut down. There is no way to set termination protection for instance volumes because they’re dependent on the life cycle of their host instances.
You need to restrict access to your EC2 instance-based application to only certain clients and only certain targets. Which three attributes of an incoming data packet are used by a security group to determine whether it should be allowed through? (Choose three.)
- Network port
- Source address
- Datagram header size
- Network protocol
- Destination address
A, B, D. Ports and source and destination addresses are considered by security group rules. Security group rules do not take packet size into consideration. Since a security group is directly associated with specific objects, there’s no need to reference the target address.
According to default behavior (and AWS recommendations), which of the following IP addresses could be assigned as the private IP for an EC2 instance? (Choose two.)
54.61.211.98
23.176.92.3
172.17.23.43
10.0.32.176
192.140.2.118
C, D. By default, EC2 uses the standard address blocks for private subnets, so all private addresses will fall within these ranges: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
What do you have to do to securely authenticate to the GUI console of a Windows EC2 session?
* Use the private key of your key pair to initiate an SSH tunnel session.
* Use the public key of your key pair to initiate an SSH tunnel session.
* Use the public key of your key pair to retrieve the password you’ll use to log in.
* Use the private key of your key pair to retrieve the password you’ll use to log in.
D. The client computer in an encrypted operation must always use the private key to authenticate. For EC2 instances running Windows, you retrieve the password you’ll use for the GUI login using your private key.
You have an instance running within a private subnet that needs external network access to receive software updates and patches. Which of the following can securely provide that access from a public subnet within the same VPC? (Choose two.)
* Internet gateway
* NAT instance
* Virtual private gateway
* NAT gateway
* VPN
B, D. NAT instances and NAT gateways are AWS tools for safely routing traffic between private and public subnets and from there, out to the Internet. An Internet gateway connects a VPC with the Internet, and a virtual private gateway connects a VPC with a remote site over a secure VPN. A stand-alone VPN wouldn’t normally be helpful for this purpose.