Module 7: Connecting Networks Flashcards
What is AWS Site-to-Site VPN?
- A sevice that provides SSL-encrypted links between websites in AWS
- A solution that provides encrypted sessions between AWS and on-premises systems by using TLS
- A service that provides the ability to access AWS and on-premises network by using OpenVPN clients
- A solution that provides a connection between a virtual private cloud (PC) and an on-premises network by using IPsec
- A solution that provides a connection between a virtual private cloud (PC) and an on-premises network by using IPsec
What does AWS Direct Connect provide?
- A dedicated network connection from an on-premises network to AWS that uses 802.1q
- A private telecommunications circuit from an on-premises network direct into AWS that uses Point-to-Point (PPP)
- An encrypted tunnel that connects an on-premises network to AWS over the internet
- An extension of the AWS Cloud into customer data centers that uses AWS hardware installed on premises
( the answer is not “a private telecommunications… and the answer is not “an extension of the AWS Cloud into customer data centers that uses AWS hardware installed on the premises. That is AWS Outposts.)
A company has two virtual private clouds (VPCs). VPC A has a Classless Inter-domain Routing (CIDR) block of 10.1.0.0/16. VPC B has CIDR block of 10.2.0.0/16. Both VPCs belong to the same AWS account. What is the smiplest way to connect the two VPCs so that they can route all traffic between them?
- AWS Site-to-Site VPN
-AWS Direct Connect
- VPC peering
- VPC endpoints
- VPC peering
(VPC peering enables full network connectivity between two VPCs in the same account or in different accounts.)
A company is implementing a system to back up on-premises systems to Amazon Web Services (AWS). Which network connectivity method will provide a solution with the most consistent performance?
- AWS Site-to-Site VPN
- AWS Direct Connect
- VPC peering
- VPC endpoints
- AWS Direct Connect
AWS Direct Connect creates a dedicated private network connection that does not cross the internet. Because of this, it has more consistent performance than an internet connection.
Systems in a secure subnet in a virtual private cloud (VPC) must access a bucket in Amazon S3. Which solution stops traffic from crossing the internet?
- Create a VPC gateway endpoint for Amazon S3
- Use a private IP address for the system
- Use the private IP address of Amazon S3
- Create a VPC peering connection to Amazon S3
- Create a VPC gateway endpoint for Amazon S3
( A VPC gateway endpoint adds a route for the Amazon S3 prefix list to the subnet route tables that you select. The route keeps traffic between the subnet and S3 inside the Amazon network, instead of using the default behavior of routing traffic across the internet.)
A company has three virtual private clouds (VPCs). VPCs A, B, and C have Classless Inter-Domain Routing (CIDR) blocks that do not overlap. Both A and C have separate VPC peering connections with B. However, A cannot communicate with C. What is the simplest and most cost-effective way to enable full communication between A and C?
- Add routes to B to enable traffic between A and C through B.
- Add a peering connection between A and C, and route traffic between A and C through the peering connection.
- Link all three VPCs through a transit VPC, and route all traffic through the transit VPC.
- Create VPC endpoints in A and C for the individual hosts that need to communicate with each other.
( The answer is not “Link all three VPCs through a transite VPC…)
A transit VPC is an architectural design pattern that uses software routers on EC2 instances. It is not simple or the most cost-effective solution for this use case. AWS Transit Gateway is a managed service that provides the capabilities of a transit VPC.
(The answer is not “Add routes to B to connect traffic between A and C through B. Transitive routing is not supported over VPC peering connections. Although A can communicate with B, and B can communicate with C, A cannot communicate w/ C through B.)
Because of a natural disaster, a company moved a secondary data center to a temporary facility with internet connectivity. It needs a secure connection to the company’s virtual private cloud (VPC) that must be operational as soon as possible. The data center will move again in 2 weeks. Which option meets the requirements?
- VPC peering
- VPC endpoints
- AWS Site-toSite VPN
- AWS Direct Connect
- AWS Site-to-Site VPN
(Answer is not VPC endpoints.
VPC endpoints provide an alternate method of accessing AWS services from within a VPC. They do not connect AWS and an on-premises network.)
What is the simplest way to connect 100 virtual private clouds (VPCs) together?
- Create a hub-and-spoke network by using AWS VPN CloudHub
- Chain VPCs together by using VPC peering
- Connect each VPC to all the other VPCs by using VPC peering
- Connect the VPCs to AWS Transit Gateway
- Connect the VPCs to AWS Transit Gateway
(AWS Transit gateway connects VPCs and on-premises networks through a central hub, and can scale to connect thousands of VPCs.)
A company’s security admin requires that EC2 instances in a specific subnet must connect to Amazon DynamoDB through a VPC endpoint. The company’s network standards require that the infrastructure support high availability. Which action meets these architecture requirements without adding another subnet?
- Associate a single VPC endpoint with the subnet
- Associate two VPC endpoints with the subnet
- Associate two VPC endpoints with the subnet and use Elastic Load Balancing
- Associate VPC endpoints through an Auto Scaling group that is connected to Elastic Load Balancing
The answer is not “Associate two VPC endpoints with the subnet and use ELB
( DynamoDB uses a VPC gateway endpoint, which adds a route for the Dynamo DB prefix list to the route table for an associated subnet. You cannot associate more than one VPC gateway endpoint for a service with the same subnet.)
(The answer is not “Associate VPC endpoints through an Auto Scaling…
( DynamoDB uses a VPC gateway endpoint, which adds a route for the Dynamo DB prefix list to the route table for an associated subnet. You cannot associate a VPC gateway endpoint through an Auto Scaling group.)
A company uses a single AWS Direct Connect connection between their on-premises network and their virtual private cloud (VPC). They want to ensure that the network connectivity is highly available by adding a backup connection. Which network connectivity method provides most cost-effective solution for the backup connection?
- Another AWS Direct Connect connection through the same Direct Connect location
- Another AWS Direct Connect connection through a different Direct Connect location
- An on-demand AWS Client VPN connection across the internet
- An on-demand AWS Site-to-Site VPN connection across the internet
- An on-demand AWS Site-to-Site VPN connection across the internet
The answer is not “Another AWS Direct Connect connection through a different Direct Connect location.
(Direct Connect requires hardware allocation and telecommunications circuit provisioning. It creates a persistent connection that exceeds the requirements of this use case.)