Module 6: Creating a Network Environment

Question 1

Which definition describes a virtual private cloud (VPC)?

• A virtual private network (VPN) in the AWS Cloud
• An extension of an on-premises network into Amazon Web Services (AWS)
• A logically isolated virtual network that you define in the AWS Cloud
• A fully managed service that extends the AWS Cloud to customer premises

Answer 1

• A logically isolated virtual network that you define in the AWS Cloud

Question 2

Which actions are best practices for designing a virtual private cloud (VPC) ? ( Select THREE.)

• Match the size of the VPC Classless Inter-Domain Routing (CIDR) block to the number of hosts that are required for a workload.
• Use the same Classless Inter-Domain Routing (CIDR) block as on-premises network.
• Divide the VPC network range evenly across all Availability Zones available.
• Create one subnet per Availability Zone for each group of hosts that have unique routing requirements.
• Reserve some address space for future use.

Answer 2

(Using the CIDR as an on-premises network might cause routing issues if the two networks are connected through AWS Direct Connect or a VPN. It is always a good idea to provide enough addresses to accommodate significant growth. Subnet CIDR blocks cannot overlap.)

Question 3

A company wants to run a highly available web tier by using two EC2 instances and a load balancer. Which design is valid and provides the highest availability?

• One subnet in one Availability Zone. The subnet contains two EC2 instances
• One subnet, which spans two Availability Zones. Each Availability Zone contains one EC2 instance.
• Two different subnets in the same Availability Zone. Each subnet contains one EC2 instance.
• Two different subnets, one per Availability Zone. Each subnet contains one EC2 instance.

Answer 3

• Two different subnets, one per Availability Zone. Each subnet contains one EC2 instance.

Question 4

A company’s VPC has the CIDR block 172.16.0.0/21 (2048 addresses). It has two subnets (A and B). Each subnet must support 100 usable addresses now, but this number is expected to rise to at most 254 usable addresses soon. Which subnet addressing scheme meets the requirements and follows AWS best practices?

• Subnet A: 172.16.0.0/25 (128 addresses) Subnet B: 172.16.0.128/25 (1024 addresses)
• Subnet A: 172.16.0.0/25 (128 addresses) Subnet B: 172.16.0.128/25 (128 addresses)
• Subnet A: 172.16.0.0/23 (512 addresses) Subnet B: 172.16.2.0/23 (512 addresses)
• Subnet A: 172.16.0.0/22 (1024 addresses) Subnet B: 172.16.4.0/22 (128 addresses)

Answer 4

• Subnet A: 172.16.0.0/23 (512 addresses) Subnet B: 172.16.2.0/23 (512 addresses)

Question 5

Which combination of actions enables direct internet access for IPv4 hosts in a virtual private cloud (VPC)? (Select THREE.)

• Configuring the VPC domain in a Dynamic Host Configuration Protocol (DHCP) options set.
• Enabling Domain Name System (DNS) resolution for the VPC
• Configuring security groups and network access control lists (network ACLs) to permit internet traffic
• Creating a route for 0.0.0.0/0 that points to the internet gateway
• Creating a default route that points to the virtual private gateway
• Configuring hosts that have or obtain an internet-routable address

Answer 5

• Configuring security groups and network access control lists (network ACLs) to permit internet traffic
• Creating a route for 0.0.0.0/0 that points to the internet gateway
• Configuring hosts that have or obtain an internet-routable address

( A VGW is a virtual private gateway and is used for AWS Direct Connect. DNS resolution and VPC domain name configuration are not required for IP traffic.)

Question 6

A group of consultants requires access to an EC2 instance from the internet, for 3 consecutive days each week. The instance is shut down the rest of the week. The virtual private cloud (VPC) has internet access. How should you assign an IPv4 address to the instance to give the consultants access?

• Associate an Elastic IP address with the EC2 instance
• Enable automatic address assignment for the subnet
• Enable automatic address assignment for the EC2 instance
• Assign the IP address in the operating system (OS) boot configuration

Answer 6

• Associate an Elastic IP address with the EC2 instance
  (Using an Elastic IP address helps to ensure that the instance has the same internet address.)

Question 7

Several EC2 instances launch in a virtual private cloud (VPC) that has internet access. These instances should not be accessible from the internet, but they must be able to download updates from the internet. How should the instances launch?

• With Elastic IP addresses, in a subnet with a default route to an internet gateway
• With public IP addresses, in a subnet with a default route to an internet gateway
• Without public IP addresses, in a subnet with a default route to an internet gateway
• Without public IP addresses, in a subnet with a default route to a network address translation (NAT) gateway

Question 8

You are configuring a bastion host to access EC2 instances in a virtual private cloud (VPC). What must you do to the security groups? (Select TWO.)

• Add a rule to the bastion host to deny all traffic from the internet
• Add a rule to the bastion host to allow traffic from your source IP address.
• Add a rule to the bastion host to allow return traffic to your source IP address.
• Add a rule to the private subnet EC2 instances to allow traffic from the bastion host security group.
• Add a rule to the private subnet EC2 instances to allow return traffic to the bastion host security group

Answer 8

(Security groups deny access by default. You can add only rules that allow traffic. Security groups are stateful, which means that you do not need to add rules for return traffic.)

Question 9

You have a virtual private cloud (VPC) with a public subnet and a secure subnet. All EC2 instances in the secure subnet must be able to communicate with specific internet addresses. How can you control traffic with a network access control list (network ACL)?

• Add rules to the default network ACL to allow traffic from and to allowed internet addresses.
• Add rules to the default network ACL to allow traffic from and to allowed internet addresses. Deny all other traffic.
• Add rules to the subnet custom network ACL to allow traffic from and to allowed internet addresses.
• Add rules to the subnet custom network ACL to allow traffic from and to allowed internet addresses. Deny all other traffic.

Answer 9

(Any current and future subnets that do not have an explicitly associated network ACL use the default network ACL. Rules specific to an individual subnet should not be placed in the default network ACL.)

Question 10

All of the EC2 instances in a subnet can communicate with a certain IPv4 network on the internet. How should you modify the security groups or current custom network access control list (network ACL) to deny traffic to and from several restricted addresses in the network?

• In the network ACL, deny traffic to and from the restricted addresses.
• In the security groups, deny traffic to and from the restricted addresses.
• In the network ACL, allow traffic only to and from address ranges that exclude the restricted addresses.
• In the security groups , allow traffic only to and from address ranges that exclude the restricted addresses.

Answer 10

(The answer is not “- In the security groups, allow traffic…)