Compute Flashcards

1
Q

Instance Types

A

M=General Purpose
C=Compute Optimised
R=Memory Optimised

2
Q

Security Groups Default Traffic Rules?

A

By default, SGs allow all traffic going out and no traffic coming in. You cannot specify deny rules, only allow rules. There is a DEFAULT SG called 'default' which cannot be deleted.

3
Q

Reserved v Convertible Reserved EC2 Purchase Plans

A

Reserved = 1yr or 3yr. 72% discount. Fixed instance type/OS.
All upfront, partial upfront or no upfront.

Convertible Reserved = allows change of instance type, family, tenancy etc.
Savings Plan = 1 or 3yr; commit to an amount of money per hour.

4
Q

Dedicated Host v Dedicated Instance EC2 Purchase Type

A

Dedicated Host - A dedicated physical host for you that doesn't change. For compliance and licensing needs.

Dedicated Instance - Hardware dedicated to you, but it may be shared with other instances from the same account. Hardware can change after a stop/start.

5
Q

EC2 Capacity Reservation

A

Reserve capacity in a specific region. Charged at the On-Demand rate whether you run instances or not. Suitable for short-term uninterruptible workloads that must be in a specific AZ.

6
Q

Are AMIs region or global?

A

REGION specific. They can be copied across regions, but you can't launch an instance in Region A using an AMI stored in Region B.

7
Q

ALB Layer?

A

ALB is on Layer 7. It uses Target Groups to identify hosts.

8
Q

What Target Types can an ALB Target Group have?

A

When you create a Target Group, you specify what Target Type it uses. Once created, you can't change the Target Type.

Instances (EC2 or ECS)
Lambda Functions
Private IP Addresses

9
Q

What Target Types can an NLB Target Group have?

A

NLB (Layer 4) can handle millions of requests per second with low latency (100ms). It can have ONE static IP per AZ.

Target Groups can be EC2 and Private IP only. Only needs ONE subnet.

For the exam, if you see extreme performance, TCP, UDP or Static IP - think NLB.

10
Q

ASG Scaling Policies

A

Target Tracking (metrics: CPU/memory)
Simple/Step Scaling (CloudWatch alarms)
Scheduled (time based)
Predictive (historic data)

11
Q

Scaling Cooldown

A

Default Cooldown is 300 seconds. No new instances will launch or terminate during this period.

12
Q

Default NACL rules

A

NACL is a STATELESS first level of defense at the SUBNET level. The default NACL allows ALL inbound AND outbound traffic through. A NACL can both ALLOW and DENY traffic at the IP address level.

A newly created (custom) NACL denies all inbound and outbound traffic.

13
Q

How to connect two VPCs together

A

VPC PEERING

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network.

14
Q

How do you ensure users go to the same target behind an ELB when they rely on credentials or session state, so they don't have to log in each time?

A

Using Sticky Sessions in the ELB.

15
Q

What LB should you use for TCP and UDP protocols?

A

Network (NLB).

16
Q

Can ALB route traffic based on geographical location?

A

NO.

Application Load Balancers can route traffic based on the hostname, request URL path, and other factors, but cannot route based on the client's geographical location, which requires services like Amazon Route 53.

17
Q

Which LBs can you attach a static fixed IP address to?

A

Network Load Balancer has one static IP address per AZ and you can attach an Elastic IP address to it.

Application Load Balancers and Classic Load Balancers have a static DNS name.

18
Q

Is Cross Zone LB enabled by default?

A

For ALB it is ENABLED by default.
For NLB it is disabled by default.

19
Q

Which feature in both Application Load Balancers and Network Load Balancers allows you to load multiple SSL certificates on one listener?

A

SNI - Server Name Indication

Server Name Indication (SNI) allows you to expose multiple HTTPS applications, each with its own SSL certificate, on the same listener.

20
Q

Do you pay for cross AZ LBs?

A

For ALB, cross zone is enabled by default and it's free.

For NLB, it's disabled by default, but you pay if you switch it on.

21
Q

What happens to a container instance if you terminate it in ECS whilst it is in the RUNNING state?

A

That container instance is automatically removed, or deregistered, from the cluster.

22
Q

What happens to a container instance if you terminate it in ECS whilst it is in the STOPPED state?

A

That container instance isn't automatically removed from the cluster. You will need to deregister the container instance in the STOPPED state by using the Amazon ECS console or AWS Command Line Interface. Once deregistered, the container instance will no longer appear as a resource in your Amazon ECS cluster.

23
Q

What is a REDRIVE Policy in SQS?

A

Use a redrive policy to specify the maxReceiveCount. The maxReceiveCount is the number of times a consumer can receive a message from a source queue before it is moved to a dead-letter queue. For example, if the maxReceiveCount is set to a low value such as 1, one failure to receive a message would cause the message to move to the dead-letter queue. To ensure that your system is resilient against errors, set the maxReceiveCount high enough to allow for sufficient retries.

24
Q

Kinesis Data Stream v Kinesis FireHose

A

Kinesis Data Streams are used where an unbounded stream of data needs to be worked on in real time.

Kinesis Firehose delivery streams are used when data needs to be delivered to a storage destination, such as S3.

25
Q

In Beanstalk, during a rolling update, only 2 batches out of 5 completed. What will Beanstalk do with the 3 that failed?

A

Elastic Beanstalk will replace the failed instances with instances running the application version from the most recent successful deployment.

26
Q

What metrics are available for a Target Tracking Policy?

A

ASGAverageCPUUtilization

ASGAverageNetworkIn

ASGAverageNetworkOut

ALBRequestCountPerTarget

27
Q

How do you ssh into a private subnet?

A

You need to use a bastion host as a jump host in the public subnet.

28
Q

Load Balancer FAQ

A

A Load Balancer can route traffic across AZs in a SINGLE REGION.

The Load Balancer communicates with the underlying EC2 instances using their private IPs. Therefore, your targets do not need public IP addresses to receive requests from users over the internet.

Elastic Load Balancing provides fault tolerance for your applications by automatically balancing traffic across targets – Amazon EC2 instances, containers, IP addresses, and Lambda functions – in multiple Availability Zones while ensuring only healthy targets receive traffic.

29
Q

How is EC2 billed?

A

EC2 usage is billed in one-second increments, with a minimum of 60 seconds.

30
Q

What type of EC2 instance is the only one to use CREDITS for CPU usage?

A

Burstable performance instances, which are T3, T3a, and T2 instances, are designed to provide a baseline level of CPU performance with the ability to burst to a higher level when required by your workload. Burstable performance instances are the only instance types that use credits for CPU usage.

31
Q

Can an ASG have EC2 instances from a different AZ or a different Region?

A

Different AZ: yes
Different Region: no

32
Q

What is the correct format for Elastic BeanStalk config files for your settings?

A

.ebextensions/<mysettings>.config

33
Q

In Beanstalk, if you do NOT want to lose your DATABASE when you destroy/re-create the Beanstalk environment, what do you need to do?

A

For a DB, for example: define it externally and reference it through environment variables.

  • Any resources created as part of your .ebextensions are part of your Elastic Beanstalk template and will get deleted if the environment is terminated.

34
Q

Max Memory For Lambda

A

10 GB

35
Q

Dedicated Instance v Dedicated Host

A

Both use physical hardware just for your account, but a HOST will use the same machine each time, supports BYOL (Bring Your Own License) and per-host billing.

A Dedicated Instance may share hardware with other instances from the same AWS account.

36
Q

How to ensure Lambda functions do not hit latency bottlenecks as a result of a traffic spike.

A

If you have a known spike period, you can use Scheduled Lambda Provisioned Concurrency.

This will automatically provision/initialize your Lambda execution environments ahead of time to ensure lower latency when the spike hits.

37
Q

How can you give EC2 instances in one account ("account A") permissions to access resources such as S3 buckets in account B?

A

Create an IAM role with S3 access in Account B and set Account A as a trusted entity. Create another role (instance profile) in Account A, attach it to the EC2 instances in Account A, and add an inline policy to this role allowing it to assume the role from Account B.

You can give EC2 instances in one account ("account A") permissions to assume a role from another account ("account B") to access resources such as S3 buckets. You need to create an IAM role in Account B and set Account A as a trusted entity. Then attach a policy to this IAM role that delegates access to Amazon S3.

Then you can create another role (instance profile) in Account A, attach it to the EC2 instances in Account A, and add an inline policy to this role to assume the role from Account B, like so (AccountB_ID and ROLENAME are placeholders):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::AccountB_ID:role/ROLENAME"
    }
  ]
}

38
Q

When would you use a Beanstalk Immutable Deployment?

A

Similar to Rolling Update with Additional Batches, an immutable deployment doesn't reduce performance whilst the deployment happens. Immutable leaves the old instances running, starts a whole set of new instances, then terminates the old ones.

The benefit it has over Rolling Update is that rollback is much easier and quicker, so it is good for apps that need instant/minimal rollback.

39
Q

Which API must be implemented by a Lambda container image to be supported by Lambda?

A

Lambda Runtime API

40
Q

What are the options for Beanstalk environments?

A

Web server environment or Worker environment

They cannot be changed after creation.

Basically, a web server environment installs nginx/Apache, whereas a worker environment uses SQS.

When you create an environment, Elastic Beanstalk provisions the resources required to run your application. AWS resources created for an environment include one elastic load balancer (ELB in the diagram), an Auto Scaling group, and one or more Amazon Elastic Compute Cloud (Amazon EC2) instances.

For a Worker environment, you also get an SQS queue.

41
Q

What is the best way to manage configuration externally and securely, and have it load dynamically into the application at runtime on Beanstalk?

A

AWS Systems Manager Parameter Store provides secure, hierarchical storage for configuration data management and secrets management. You can store data such as passwords, database strings, and license codes as parameter values. For the given use case, the DevOps team does not want to re-deploy the application every time there are configuration changes, so they can use the SSM Parameter Store to store the configuration externally.

S3 could also work, but it is more work to ensure KMS encryption is set up.

42
Q

Where to find the client's IP address

A

The X-Forwarded-For request header helps you identify the IP address of a client when you use an HTTP or HTTPS load balancer. Because load balancers intercept traffic between clients and servers, your server access logs contain only the IP address of the load balancer. To see the IP address of the client, use the X-Forwarded-For request header. Elastic Load Balancing stores the IP address of the client in the X-Forwarded-For request header and passes the header to your server.

43
Q

How to access IMDS metadata for EC2

A

IMDS has two versions:
IMDSv1 - request/response; you access the metadata IP directly.
IMDSv2 - session-oriented and more secure.

Since 2023, IMDSv2 is the default. This requires a TOKEN to be fetched first (a PUT request with a TTL header), which is then sent with each metadata request.

Example:
TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600")

curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/

44
Q

Can you specify publicly routable IP addresses as targets for an ALB?

A

NO

When the target type is IP, you can specify IP addresses from specific CIDR blocks only. You can't specify publicly routable IP addresses.

45
Q

What are the 3 TARGET types for LBs?

A

Instance - The targets are specified by instance ID

IP - The targets are IP addresses

Lambda - The target is a Lambda function

46
Q

How to replicate an Elastic Beanstalk environment in a different AWS account.

A

Exam 6. Q20

47
Q

Do ASGs span AZs and/or Regions?

A

AZs only. They are regional.

48
Q

LB v ASG health checks

A

When a Load Balancer detects an unhealthy instance, it simply stops sending traffic to the instance. It does not terminate the instance.

When Auto Scaling detects an unhealthy instance, it terminates the instance and automatically replaces it to maintain the Desired Capacity.

49
Q

B

A

50
Q

How to make an ASG replace an EC2 instance if LB health checks fail.

A

51
Q

How does an ASG work?

A

You attach a LaunchTemplate (which replaces LaunchConfig). The LaunchTemplate describes the type of EC2 setup you want, and the ASG defines how many you want running (min, max).

By default, the ASG uses EC2 instance health checks to ensure the instance is up. It will replace any unreachable instances.

It does not check whether the app itself is reachable. You use the LB health check for that, which stops traffic to any unhealthy instances.

You CAN, however, use the LB health check for the ASG, which would then replace the EC2 instance if the LB health checks fail.

52
Q

How to find load balancer logs, including the client's IP, latency, server responses, etc.

A

Elastic Load Balancing provides access logs that capture detailed information about requests sent to your load balancer. Each log contains information such as the time the request was received, the client’s IP address, latencies, request paths, and server responses. You can use these access logs to analyze traffic patterns and troubleshoot issues.

Access logs are an optional feature of Elastic Load Balancing that is disabled by default. After you enable access logs for your load balancer, Elastic Load Balancing captures the logs and stores them as compressed files in the Amazon S3 bucket that you specify. You can disable access logs at any time.

You are charged storage costs for Amazon S3, but not for the bandwidth used by Elastic Load Balancing to send log files to Amazon S3.

53
Q

What metrics are available by default for a Target Tracking Scaling Policy?

A

ASGAverageCPUUtilization, ASGAverageNetworkIn,
ASGAverageNetworkOut, ALBRequestCountPerTarget

54
Q

Zonal v regional reserved instances

A

Regional: When you purchase a Reserved Instance for a Region, it’s referred to as a regional Reserved Instance. A regional Reserved Instance does not provide a capacity reservation.

Zonal: When you purchase a Reserved Instance for a specific Availability Zone, it’s referred to as a zonal Reserved Instance. Zonal Reserved Instances provide capacity reservations as well as discounts.

55
Q

Can an ALB route to a public IP?

A

NO. You cannot specify publicly routable IP addresses as targets for an ALB.

56
Q

What error code do you get if a LB has NO healthy targets?

A

503 - SERVICE UNAVAILABLE