Exam Essentials Flashcards

Only the Essentials.

1
Q

Understand the global infrastructure.

A

AWS provides a highly available technology infrastructure platform with multiple locations worldwide. These locations are composed of regions and Availability Zones. Each region is located in a separate geographic area and has multiple, isolated locations known as Availability Zones.

2
Q

Understand regions.

A

An AWS region is a physical geographic location that consists of a cluster of data centers. AWS regions enable the placement of resources and data in multiple locations around the globe. Each region is completely isolated from the other regions. This achieves the greatest possible fault tolerance and stability. Resources aren’t replicated across regions unless organizations choose to do so.

3
Q

Understand Availability Zones.

A

An Availability Zone is one or more data centers within a region that are designed to be isolated from failures in other Availability Zones. Availability Zones provide inexpensive, low-latency network connectivity to other zones in the same region. By placing resources in separate Availability Zones, organizations can protect their website or application from a service disruption impacting a single location.

4
Q

Understand the hybrid deployment model.

A

A hybrid deployment model is an architectural pattern providing connectivity for infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud.

5
Q

Know what Amazon S3 is and what it is commonly used for.

A

Amazon S3 is secure, durable, and highly scalable cloud storage that can be used to store an unlimited amount of data in almost any format using a simple web services interface. Common use cases include backup and archive, content storage and distribution, big data analytics, static website hosting, cloud native application hosting, and disaster recovery.

6
Q

Understand how object storage differs from block and file storage.

A

Amazon S3 cloud object storage manages data at the application level as objects using a REST API built on HTTP. Block storage manages data at the operating system level as numbered addressable blocks using protocols such as SCSI or Fibre Channel. File storage manages data as shared files at the operating system level using a protocol such as CIFS or NFS.

7
Q

Understand the basics of Amazon S3.

A

Amazon S3 stores data in objects that contain data and metadata. Objects are identified by a user-defined key and are stored in a simple flat folder called a bucket. Interfaces include a native REST interface, SDKs for many languages, an AWS CLI, and the AWS Management Console.

Know how to create a bucket; how to upload, download, and delete objects; how to make objects public; and how to open an object URL.

8
Q

Understand the durability, availability, and data consistency model of Amazon S3.

A

Amazon S3 standard storage is designed for 11 nines durability and four nines availability of objects over a year. Other storage classes differ. Amazon S3 is eventually consistent, but offers a read-after-write consistency for PUTs to new objects.

9
Q

Know how to enable static website hosting on Amazon S3.

A

To create a static website on Amazon S3, you must create a bucket with the website hostname, upload your static content and make it public, enable static website hosting on the bucket, and indicate the index and error page objects.

10
Q

Know how to protect your data on Amazon S3.

A

Encrypt data in flight using HTTPS and at rest using SSE or client-side encryption. Enable versioning to keep multiple versions of an object in a bucket. Enable MFA Delete to protect against accidental deletion. Use ACLs, S3 bucket policies, and AWS IAM policies for access control. Use pre-signed URLs for time-limited download access. Use cross-region replication to automatically replicate data to another region.

11
Q

Know the use case for each of the Amazon S3 storage classes.

A

Standard is for general-purpose data that needs high durability, high performance, and low-latency access. Standard-IA is for data that is less frequently accessed, but that needs the same performance and availability when accessed. RRS offers lower durability at lower cost for easily replicated data. Amazon Glacier is for storing rarely accessed archival data at the lowest cost, when a three- to five-hour retrieval time is acceptable.

12
Q

Know how to use lifecycle configuration rules.

A

Lifecycle rules can be configured in the AWS Management Console or the APIs. Lifecycle configuration rules define actions to transition objects from one storage class to another based on time.

13
Q

Know how to use Amazon S3 event notifications.

A

Event notifications are set at the bucket level and can trigger a message in Amazon SNS or Amazon SQS or an action in AWS Lambda in response to an upload or a delete of an object.

14
Q

Know the basics of Amazon Glacier as a standalone service.

A

Data is stored in encrypted archives that can be as large as 40 TB. Archives typically contain TAR or ZIP files. Vaults are containers for archives, and vaults can be locked for compliance.

15
Q

Know the basics of launching an Amazon EC2 instance.

A

To launch an instance, you must specify an AMI, which defines the software on the instance at launch, and an instance type, which defines the virtual hardware supporting the instance (memory, vCPUs, etc.).

16
Q

Know what architectures are suited for what Amazon EC2 pricing options.

A

Spot Instances are best suited for workloads that can accommodate interruption. Reserved Instances are best for consistent, long-term compute needs. On-Demand Instances provide flexible compute to respond to scaling needs.

17
Q

Know how to combine multiple pricing options that result in cost optimization and scalability.

A

On-Demand Instances can be used to scale up a web application running on Reserved Instances in response to a temporary traffic spike. For a workload with several Reserved Instances reading from a queue, it’s possible to use Spot Instances to alleviate heavy traffic in a cost-effective way. Those are just two of countless examples.

18
Q

Know the benefits of enhanced networking.

A

Enhanced networking enables you to get significantly higher PPS performance, lower network jitter, and lower latencies.

19
Q

Know the capabilities of VM Import/Export.

A

VM Import/Export allows you to import existing VMs to AWS as Amazon EC2 instances or AMIs. Amazon EC2 instances that were imported through VM Import/Export can also be exported back to a virtual environment.

20
Q

Know the methods for accessing an instance over the internet.

A

You can access an Amazon EC2 instance over the web via public IP address, elastic IP address, or public DNS name. There are additional ways to access an instance within an Amazon VPC, including private IP addresses and ENIs.

21
Q

Know the lifetime of an instance store.

A

Data on an instance store is lost when the instance is stopped or terminated. Instance store data survives an OS reboot.

22
Q

Know the properties of the Amazon EC2 pricing options.

A

On-Demand Instances require no up-front commitment, can be launched any time, and are billed by the hour. Reserved Instances require an up-front commitment and vary in cost depending on whether they are paid all up front, partially up front, or not up front. Spot Instances are launched when your bid price exceeds the current spot price. Spot Instances will run until the spot price exceeds your bid price, in which case the instance will get a two-minute warning and terminate.

23
Q

Know what determines network performance.

A

Every instance type is rated for low, moderate, high, or 10 Gbps network performance, with larger instance types generally having higher ratings. Additionally, some instance types offer enhanced networking, which provides additional improvement in network performance.

24
Q

Know what instance metadata is and how it’s obtained.

A

Metadata is information about an Amazon EC2 instance, such as an instance ID, instance type, and security groups. Metadata can be obtained from within the instance or it can be obtained through an HTTP call to a specific IP address.

25
Q

Know how security groups protect instances.

A

Security groups are virtual firewalls controlling traffic in and out of your Amazon EC2 instances. They are deny by default, and you can allow traffic by adding rules specifying traffic direction, port, protocol, and destination address (via CIDR block). They are applied at the instance level, meaning that traffic between instances in the same security group must adhere to the rules of that security group. They are stateful, meaning that an outgoing rule will allow the response without a correlating incoming rule.

26
Q

Know how to interpret the effect of security groups.

A

When an instance is a member of multiple security groups, the effect is a union of all the rules in all of the groups.

27
Q

Know the different Amazon EBS volume types, their characteristics, and their appropriate workloads.

A

Magnetic volumes provide an average performance of 100 IOPS and can be provisioned up to 1 TB. They are good for cold and infrequently accessed data. General-purpose SSD volumes provide three IOPS/GB up to 10,000 IOPS, with smaller volumes able to burst 3,000 IOPS. They can be provisioned up to 16 TB and are appropriate for dev/test environments, small databases, and so forth. Provisioned IOPS SSD can provide up to 20,000 consistent IOPS for volumes up to 16 TB. They are the best choice for workloads such as large databases executing many transactions.

28
Q

Know how to encrypt an Amazon EBS volume.

A

Any volume type can be encrypted at launch. Encryption is based on AWS KMS and is transparent to applications on the attached instances.

29
Q

Understand the concept and processes of snapshots.

A

Snapshots provide a point-in-time backup of an Amazon EBS volume and are stored in Amazon S3. Subsequent snapshots are incremental: they only store deltas. When you request a snapshot, the point-in-time snapshot is created immediately and the volume may continue to be used, but the snapshot may remain in pending status until all the modified blocks have been transferred to Amazon S3. Snapshots may be copied between regions.

30
Q

Know how Amazon EBS-optimized instances affect Amazon EBS performance.

A

In addition to the IOPS that control the performance in and out of the Amazon EBS volume, use Amazon EBS-optimized instances to ensure additional, dedicated capacity for Amazon EBS I/O.

31
Q

Understand what a VPC is and its core and optional components.

A

An Amazon VPC is a logically isolated network in the AWS Cloud. An Amazon VPC is made up of the following core elements: subnets (public, private, and VPN-only), route tables, DHCP option sets, security groups, and network ACLs. Optional elements include IGW, EIP addresses, endpoints, peering connections, NAT instances, VPGs, CGWs, and VPN connections.

32
Q

Understand the purpose of a subnet.

A

A subnet is a segment of an Amazon VPC’s IP address range where you can place groups of isolated resources. Subnets are defined by CIDR blocks and are contained within an Availability Zone.

33
Q

Identify the difference between a public subnet, a private subnet, and a VPN-Only subnet.

A

If a subnet’s traffic is routed to an IGW, the subnet is known as a public subnet. If a subnet doesn’t have a route to the IGW, the subnet is known as a private subnet. If a subnet doesn’t have a route to the IGW, but has its traffic routed to a VPG, the subnet is known as a VPN-Only subnet.

34
Q

Understand the purpose of a route table.

A

A route table is a set of rules (called routes) that are used to determine where network traffic is directed. A route table allows Amazon EC2 instances within different subnets to communicate with each other as long as they are in the same VPC. The Amazon VPC router also enables subnets, IGWs, and VPGs to communicate with each other.

35
Q

Understand the purpose of an IGW.

A

An IGW is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. IGWs are fully redundant and have no bandwidth constraints. An IGW provides a target in your Amazon VPC route tables for Internet routable traffic and performs network address translation for instances that have been assigned public IP addresses.

36
Q

Understand what DHCP option sets provide to an Amazon VPC.

A

DHCP option sets allow an administrator of an Amazon VPC to direct Amazon EC2 host name assignment to their own resources. They can specify the domain name for instances within an Amazon VPC and identify the IP addresses of custom DNS servers, NTP servers, and NetBIOS servers.

37
Q

Know the difference between an Amazon VPC public IP address and an EIP address.

A

A public IP address is an AWS-owned IP address that can be automatically assigned to instances launched within a subnet. An EIP address is an AWS-owned public IP address that you allocate to your account and assign to instances or network interfaces on demand.

38
Q

Understand what endpoints provide to an Amazon VPC.

A

An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, a VPN connection, or AWS Direct Connect. Endpoints support services within the region only.

39
Q

Understand Amazon VPC peering.

A

An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. Peering connections are created through a request/accept protocol. Transitive peering is not supported, and peering is only available between Amazon VPCs in the same region.

40
Q

Know the difference between a security group and a network ACL.

A

A security group applies at the instance level. You can have multiple instances in multiple subnets that are members of the same security groups. Security groups are stateful, which means that return traffic is automatically allowed, regardless of any inbound or outbound rules. A network ACL is applied on the subnet level, and traffic is stateless. You need to allow both inbound and outbound traffic on the network ACL in order for Amazon EC2 instances in a subnet to be able to communicate over a particular protocol.

41
Q

Understand what a NAT provides to an Amazon VPC.

A

A NAT instance or NAT gateway enables instances in a private subnet to initiate outbound traffic to the Internet. This allows outbound Internet communication to download patches and updates, for example, but prevents the instances from receiving inbound traffic initiated by someone on the Internet.

42
Q

Understand the components needed to establish a VPN connection from a network to an Amazon VPC.

A

A VPG is the VPN concentrator on the AWS side of the VPN connection between the two networks. A CGW represents a physical device or a software application on the customer’s side of the VPN connection. The VPN connection must be initiated from the CGW side, and the connection consists of two IPSec tunnels.

43
Q

Understand what the Elastic Load Balancing service provides.

A

Elastic Load Balancing is a highly available service that distributes traffic across Amazon EC2 instances and includes options that provide flexibility and control of incoming requests to Amazon EC2 instances.

44
Q

Know the types of load balancers the Elastic Load Balancing service provides and when to use each one.

A

An Internet-facing load balancer is, as the name implies, a load balancer that takes requests from clients over the Internet and distributes them to Amazon EC2 instances that are registered with the load balancer.

An internal load balancer is used to route traffic to your Amazon EC2 instances in VPCs with private subnets.

An HTTPS load balancer is used when you want to encrypt data between your load balancer and your back-end instances.

45
Q

Know the types of listeners the Elastic Load Balancing service provides and the use case and requirements for using each one.

A

A listener is a process that checks for connection requests. It is configured with a protocol and a port for front-end (client to load balancer) connections and a protocol and a port for back-end connections (load balancer to back-end instance).

46
Q

Understand the configuration options for Elastic Load Balancing.

A

Elastic Load Balancing allows you to configure many aspects of the load balancer, including idle connection timeout, cross-zone load balancing, connection draining, proxy protocol, sticky sessions, and health checks.

47
Q

Know what an Elastic Load Balancing health check is and why it is important.

A

Elastic Load Balancing supports health checks to test the status of the Amazon EC2 instances behind an Elastic Load Balancing load balancer.

48
Q

Understand what the Amazon CloudWatch service provides and what use cases there are for using it.

A

Amazon CloudWatch is a service that you can use to monitor your AWS resources and your applications in real time. With Amazon CloudWatch, you can collect and track metrics, create alarms that send notifications, and make changes to the resources being monitored based on rules you define.

49
Q

Know the differences between the two types of monitoring - basic and detailed - for Amazon CloudWatch.

A

Amazon CloudWatch offers basic or detailed monitoring for supported AWS products. Basic monitoring sends data points to Amazon CloudWatch every five minutes for a limited number of preselected metrics at no charge. Detailed monitoring sends data points to Amazon CloudWatch every minute and allows data aggregation for an additional charge. If you want to use detailed monitoring, you must enable it.

50
Q

Understand Auto Scaling and why it is an important advantage of the AWS Cloud.

A

A distinct advantage of deploying applications to the cloud is the ability to launch and then release servers in response to variable workloads. Provisioning servers on demand and then releasing them when they are no longer needed can provide significant cost savings for workloads that are not steady state.

51
Q

Know when and why to use Auto Scaling.

A

Auto Scaling is a service that allows you to scale your Amazon EC2 capacity automatically by scaling out and scaling in according to criteria that you define. With Auto Scaling, you can ensure that the number of running Amazon EC2 instances increases during demand spikes or peak demand periods to maintain application performance and decreases automatically during demand lulls or troughs to minimize costs.

52
Q

Know the supported Auto Scaling plans.

A

Auto Scaling has several schemes or plans that you can use to control how you want Auto Scaling to perform. The Auto Scaling plans are named Maintain Current Instance Levels, Manual Scaling, Scheduled Scaling, and Dynamic Scaling.

53
Q

Understand how to build an Auto Scaling launch configuration and an Auto Scaling group and what each is used for.

A

A launch configuration is the template that Auto Scaling uses to create new instances and is composed of the configuration name, AMI, Amazon EC2 instance type, security group, and instance key pair.

54
Q

Know what a scaling policy is and what use cases to use it for.

A

A scaling policy is used by Auto Scaling with CloudWatch alarms to determine when your Auto Scaling group should scale out or scale in. Each CloudWatch alarm watches a single metric and sends messages to Auto Scaling when the metric breaches a threshold that you specify in your policy.

55
Q

Understand how Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling are used together to provide dynamic scaling.

A

Elastic Load Balancing, Amazon CloudWatch, and Auto Scaling can be used together to create a highly available application with a resilient architecture on AWS.