Networking

Question 1

What IP ranges can be used?

Answer 1

/16 (65532) to /28 (16)

Question 2

What IPs are reserved and for what purpose?

Answer 2

.0 -> Networking
.1 -> VPC Router
.2 -> DNS Server
.3 -> Future use
.255 -> Broadcasting (reserved to not allow the user)

Question 3

What are the parts of an ENI?

Answer 3

One or more IPv4 address
One or more IPv6 address
Security Groups
MAC address
Source/Destination checks

Question 4

What is eth0?

Answer 4

The primary network interface

Cannot be detached from the instance. But there can be additional network interfaces. (up to a limit)

Question 5

What needs to be considered using an Elastic IP?

Answer 5

• IPv6 is not supported (atm)
• When associating an EIP the currently attached IP will be send back to the IP pool
• The DNS host name will be changed
• Theres no charge for using an EIP but a charge when it is not used
• It is regional

Question 6

What are VPC Flow Logs?

Answer 6

Captures information of IP traffic in/out of the network.

Can be retrieved in the CloudWatch Logs

Question 7

What are the advantages of Direct Connect?

Answer 7

• Reduces bandwith costs
• Consistent network performance
• Private connectivity to AWS
• Network scaling possibilities

Question 8

How to set up Direct Connect?

Answer 8

1. Submit Connection Request
2. Download and send Letter of Authorization and Connecting
3. Create Virtual Interface
4. Download Router Configuration

Question 9

Options for a VPN?

Answer 9

• Virtual Private Gateway
• VPN CloudHub
• Software VPN

Question 10

Functions of Route53?

Answer 10

• Register domain names
• Route internet traffic to the resources to the domain
• Check the health of the resources

Question 11

What are the three types of health checks?

Answer 11

• Health of a specific resource, like web servers
• Status of CloudWatch alarms
• Status of other health checks

Question 12

Can you have a CF distribution with your own domain?

Answer 12

Yes

Question 13

What are Regional Edge Caches?

Answer 13

Between Origin and Edge Location.

Larger Cache with longer caching times

Question 14

What can be an Origin Server?

Answer 14

AWS resources such as S3, EC2, Elastic Load Balancing.

Or something outside of AWS.

Question 15

What is Private Content in CloudFront?

Answer 15

Enables to set access rights for the users, like signed URLs

Question 16

What is Device Detection

Answer 16

Detects the device and therefore can deliver different content based on that

Question 17

What is Geo Targeting?

Answer 17

Detects the country and can deliver content based on that

Question 18

How are Query String Parameters handled in CF?

Answer 18

Per default query parameters are not used for the origin - it can be configured to use those

Question 19

What is Object Versioning and Cache Invalidation?

Answer 19

Object Versioning: New Filename each time, so until deleted the old version is still online
Cache Invalidation: Old version is removed and replaced by the new version

Question 20

What is Zone Apex Support?

Answer 20

You can use your own domain for the distribution

Question 21

What is the primary cause(s) of an EC2 network bottleneck?

Answer 21

Geographical proximity, EC2 instance size, and lack of enhanced network features

Question 22

What AWS VPC feature would you choose to connect and improve network performance between two VPCs without transiting the public internet?

Answer 22

VPC Peering is a way to connect two VPCs and improve network performance.

Question 23

What information does a VPC Flow Log capture?

Answer 23

VPC Flow Logs capture IP traffic as metadata for a VPC.

Question 24

What connection speeds does AWS Direct Connect provide?

Answer 24

1 Gbps

10 Gbps

Question 25

What step is used to assign an Elastic IP (EIP) to an instance?

Answer 25

Association is the step used to assign an EIP to an instance.

Question 26

Which of the following does a dedicated connection require?

Single-mode fiber
Dual-mode fiber

Answer 26

Single-mode fiber

Question 27

Which of these is not a benefit of SSL Offloading?

Scalable HTTPS/SSL from a singular point
Improved networking
Ease of certificate management
Increased processing performance with SSL

Answer 27

SSL Offloading does not lead to improved networking.

Question 28

Which of these is not a benefit of Amazon CloudFront?

Increased CPU performance
Increased network performance
High transfer speeds from the origin
Low latency

Answer 28

Amazon CloudFront is a CDN, and it does not increase the CPU performance of an instance. The instance workload may lessen due to the request of cached content from CloudFront, but this does not mean the CPU performance of an instance has been increased.

Question 29

Which three make up the components of a load-balancer?

Answer 29

Load-balancer, Target Group, and Listener

Question 30

Which three are the components of an AWS VPN?

Answer 30

VPN Connection
Customer Gateway
Virtual Private Gateway

Question 31

What can the ALB do that the Network LB cannot?

Answer 31

Look at the content of a package (for example the header) and make decisions based on it

Question 32

When should you pre warm your LB and how?

Answer 32

When there’s a planned spike in Traffic you can contact AWS to increase the capacity of your LB

Question 33

What should be done when a 460 client closed connection error occured?

Answer 33

The user should increase the timeout

Question 34

Describe the three placement group types and their advantages

Answer 34

Cluster: all Instances are in one AZ and have a 10GBs connection
Partition: Instances are created in segments, all located in separate racks (and can be in multiple AZs) - for distributes workloads
Spread: Each instance is in a separate rack

Question 35

What is a Cache-Hit-Ratio?

Answer 35

Number of request served by the cache, compared to the origin

Question 36

What can be done to have a better Cache-Hit Ratio?

Answer 36

• Longer cache time
• Query Parameter cache (beware: they are case sensitive)
• Caching based on cookie values
• Caching based on Request Header
• Remove Accept-Encoding Header (when no need for compression)

Question 37

What are the two types of VPC endpoints?

Answer 37

Interface endpoint: powered by AWS PrivateLink

Gateway endpoint: S3/Dynamo DB

Question 38

When connection two VPCs, how many Peering connections are needed?

Answer 38

Just one

Question 39

What is Dual-Stack mode?

Answer 39

It runs IPv4 and IPv6

Question 40

What is Connection Draining?

Answer 40

A setup done in the console or CLI that causses the LB to stop sending request to unhealty instances, but makes sure that already existing connections are handled correctly

Question 41

What does “instance-monitoring Enabled=true” do on an auto scaling group

Answer 41

Enabling “detailed monitoring”, if “false” than normal monitoring is used

Question 42

How can you connect on-prem servers with an ELB?

Answer 42

With direct connect or via a VPN

Question 43

What is content-based routing?

Answer 43

Giving traffic to Target Gorups based on header information, such as the route /images or /forum

Question 44

What is a Slow Start

Answer 44

New instances behind an ELB do not get as much traffic as older instances

Question 45

ELB: What is a listener?

Answer 45

Handles requests based on conditions, such as ports or protocols.

An ELB has at least one listener

Question 46

ELB: What is a target group?

Answer 46

A set of resources the LB directs traffic to. Sits behind the listener

Question 47

ELB: What is a rule?

Answer 47

Defines rules on which target group the LB should direct traffic to, such as HTTP method or incoming IP

Question 48

ELB: What is an ELB node?

Answer 48

For every AZ an ELB directs traffic to a node has to be set (this is done by selecting the AZs traffic wil be directed to)

Question 49

ELB: What are the options to set a certificate to the LB?

Answer 49

1) Choose a certificate from ACM
2) Update a cert. from ACM
3) Choose a cert from IAM
4) Upload a cert from IAM

Question 50

ELB: How is a request handles with HTTPS as the listener?

Answer 50

The encrypted request is terminated on the LB and then encrypted again using a different certificate

Question 51

ELB: What is a “step scaling policy”?

Answer 51

policy that dictates different levels of scaling based on different utilization levels of a metric you’ve selected.

Question 52

VPN: What are the parts of an AWS managed VPN?

Answer 52

Cloud: Virtual Private Gateway
Connection: Tunnel via IPSec
On-Premise: Customer Gateway

Question 53

VPN: What is the Transit Gateway?

Answer 53

Central hub to connect multiple VPCs

Question 54

VPN: What is the AWS VPN CloudHub?

Answer 54

Uses an Amazon VPC virtual private gateway with multiple customer gateways, each using unique BGP autonomous system numbers (ASNs). Your gateways advertise the appropriate routes (BGP prefixes) over their VPN connections.

Question 55

What is AWS PrivateLink?

Answer 55

AWS PrivateLink provides private connectivity between VPCs and services hosted on AWS or on-premises, securely on the Amazon network. By providing a private endpoint to access your services, AWS PrivateLink ensures your traffic is not exposed to the public internet.

Question 56

VPC: What makes a subnet public?

Answer 56

1) Internet Gateway - Subnet has a route (0.0.0.0/0) to the IG (igw-1234)

Question 57

VPC: What allows the subnets to talk to each other?

Answer 57

The local route in the Routes Table.
Destination: CIDR Range of the VPC (10.0.0.0/16 e.g.)
Target: local

Question 58

NACL: What are the configurable attributes of in/outbout rules?

Answer 58

Rule# (10 e.g.)
Type (HTTP)
Port (80)
Source(in) /Destination(out) (0.0.0.0/0)
Allow/Deny

Question 59

What does stateful/stateless means for NACL/SG?

Answer 59

stateful: if inbound traffic is allowed, then the request can leave again
stateless: traffic can go in, but not out if not specified

Question 60

What are the characteristics of a NAT Gateway (in terms of IPs, Subnet etc.)

Answer 60

It is located in a public subnet and has a public IP.
The private subnets that will use the NAT have a 0.0.0.0/0 destination route to the NAT Gateway (nat-012345)
The private subnets can only receive traffic after sending the request - the internet cannot directly talk to private subnets.
The Gateway is only accessible from the same AZ

Question 61

How to connect from a Bastion Host to an instance in a private subnet?

Answer 61

SSH with your key to the Bastion.

Use SSH Agent Forwarding to ssh into the private instance

Question 62

VPN: How is the route for a VPN connection to a Customer Gateway configured?

Answer 62

Destination: [CG] - 192.168.0.0/16 e.g.
Target: [VPG] - vgw-12345 e.g.

Question 63

VPN: How are security groups configured for on premise networks?

Answer 63

The souce must reflect the IP / IP Range of the on premise network.
for example: HTTPS - 443 - 192.168.0.0/16

Question 64

VPN-Direct Connect: What is the difference between Private and Public Virtual Interfaces?

Answer 64

Private: Goes directly to the customers VPC
Publice: Can connect to “open” services like S3

Question 65

How to establish/configure a VPC Peering connection?

Answer 65

Destination is the other VPC and the target is the VPC-Connection (pcx-1234)
Every subnet that wants to send or receive traffic needs to have a route

Question 66

VPC: Can a VPC peer with two VPCs that have the same IP range?

Answer 66

It depends:
There is no check of the origin, so there cannot be a complete overlap.
But it would be possible if the route is more specified, with a /24 instead of a /16

Question 67

VPC: Can you attach more than one route table to a subnet and can you attach one route table to multiple subnets?

Answer 67

No

Yes

Question 68

VPC: What happens to a subnet that does not have an explicit route table attached?

Answer 68

It receives the main route table

Question 69

Routing: What is the “Longest Prefix Match” and when are they exluded?

Answer 69

The Routing happens for the most specific match.

When the local route collides with Route Propergation the static/non-propergated route has precedence

Question 70

What are the typical 4xx error codes? (in ELB)

Answer 70

400 Bad Request - Invalid request header
401 Unauthorized - user access denied
403 Forbidden - blocked by the firewall
460 - Client closed connection before LB can answer
463 - Request with too many IP addresses in X-Forwarded-For Header

Question 71

What are the typical 5xx error codes? (in ELB)

Answer 71

500 Internal Server Error - Error within the LB
502 Bad Gateway - Error from the target Server (closed connection or malformed response)
503 Service Unavailable - No answering servers
504 Gateway Timeout - Targets do not repsonse

Question 72

You would like to receive an alert if more than 3 of your application servers fail to respond to a basic health check by the Elastic Load Balancer. Which metric could you use to configure this?

Answer 72

UnHealthyHostCount

Question 73

You need to configure a load balancer with a static IP address, which of the following would you recommend?

Answer 73

Network Load Balancer

Question 74

You are running an application on a load-balanced group of 10 EC2 instances. Which of the following metrics would use to check how many of your application servers are available?

Answer 74

HealthyHostCount

Question 75

What are Source/Destination checks?

Answer 75

AWS checks if the traffic to an instance corresponse being the source or destination with the traffic it sends or receives.

This check must be disabled for a NAT instance since the recipient of the traffic is not the NAT instance

Question 76

How are rules evaluated in the NACL?

Answer 76

In order - the first fitting rule that fits will be taken

Question 77

How many NACLs can be attached to a subnet?

Answer 77

Only one.

If another NACL is attached, the old one will be removed

Question 78

On which three levels can a VPC Flow Log be created?

Answer 78

• VPC
• Subnet
• Network Interface level

Question 79

What two resources are necessary to create a VPC Flow Log?

Answer 79

• Role

- Log Group (created in CloudWatch)

Question 80

VPC Flow Log: What are the restrictions regarding VPC Peering?

Answer 80

Only possible if the peered VPC is in the same account

Question 81

VPN: What is necessary to concect multipleregions with a Direct Connection connection?

Answer 81

A Direct Connect Gateway behind the Virtual Private Gateway

Question 82

DNS: What is SOA?

Answer 82

Start of Authority

Contains administrative information, as well als the TTL for the DNS record

Question 83

DNS: What is the Name Server (NS)?

Answer 83

Service based on the Top-Level Domain to give a DNS Server to a Domain

Question 84

DNS: What is an “A Record”

Answer 84

Address Record
Translates Domain to IP
Can be at domain or subdomain level

Question 85

DNS: What is a CNAME?

Answer 85

Canonical Name
Is an alias to an A-Record
www.xyz.de -> xyz.de
m.xyz.de -> mobile.xyz.de

Question 86

DNS: What is an Alias Record?

Answer 86

Specific to AWS

Maps a domain to another DNS entry, for example a Load Balancer

Question 87

Route53: What is Multivalue Answer?

Answer 87

You give a list of (max.) 12 IPs, AWS checks the health of those and returns (max.) 8 as targets

Question 88

Which protocol does AWS Direct Connect use to share routing information?

Answer 88

The Border Gateway Protocol (BGP) is the protocol used within the Direct Connect service for sharing routing information from the router in your Data Centre to AWS and vice versa.

Question 89

VPN: What is Direct Connect Multi-Account Support?

Answer 89

Possiblity to use direct connect with multiple accounts (Test, Dev, Prod) as long as they are under one payer account (in AWS Organisations)

Question 90

Using a NAT Gateway, how is the routing set up?

Answer 90

0.0.0.0/0 NAT-ID in the private subnet

Question 91

Using a NAT Gateway, what changes have to be made for the security group (if not 0.0.0.0/0 is allowed)?

Answer 91

Add the subnet range to the allowed sources

Source 10.0.1.0/24 on port 80/443

Question 92

By recommendation: What are the main/custom route tables used for?

Answer 92

main: private subnet
custom: public subnet

Question 93

VPC: What is the Egress-only Internet Gateway?

Answer 93

A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.

Question 94

VPC: What is a VPC Endpoint?

Answer 94

Enables private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.

Question 95

VPC: What are the different types of VPC endpoints available on Amazon VPC?

Answer 95

Gateway type endpoints are available only for AWS services including S3 and DynamoDB. These endpoints will add an entry to your route table you selected and route the traffic to the supported services through Amazon’s private network.

Interface type endpoints provide private connectivity to services powered by PrivateLink, being AWS services, your own services or SaaS solutions, and supports connectivity over Direct Connect. More AWS and SaaS solutions will be supported by these endpoints in the future. Please refer to VPC Pricing for the price of interface type endpoints.

Question 96

VPC: How do instances without public IP addresses access the Internet?

Answer 96

1. Through a NAT gateway or a NAT instance
2. with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.

Question 97

ELB: What happens to running instances if an ALB gets deleted?

Answer 97

Deleting a load balancer does not affect its registered targets. For example, your EC2 instances continue to run and are still registered to their target groups.

Question 98

What is Traffic Mirroring?

Answer 98

Direct access to the network packets flowing through your VPC by allowing you to mirror and forward them to another network interface in the same or another VPC in the same or another account.
Can be used for further monitoring and security appliances.

Question 99

What are the four layers of networking security

Answer 99

1. VPC Route Table
2. Subnet ACLs (NACL)
3. ENI Security Groups
4. Third-party host security features

Question 100

VPN: What is the Virtual Private Gateway?

Answer 100

Enables connectivity between the VPC and another network.

Question 101

What are the private IPv6 addresses?

Answer 101

Per default all IPv6 addresses are public

Question 102

How is the internet connection for a private subnet set up in a route table?

Answer 102

0.0.0.0/0 - NAT-GW ID

Question 103

What are the two (public / private) connection options for a VPN Gateway?

Answer 103

1) IPSec VPN Tunnel over the internet

2) private Direct Connect connection

Question 104

There are two VPC (A/B), how are the route tables set up for a peering connection?
VPC-A 172.16.0.0/16
VPC-B 10.0.0.0/16
Peering connection pcx-11112222

Answer 104

VPC A 172.16.0.0/16 Local
10.0.0.0/16 pcx-11112222
VPC B 10.0.0.0/16 Local
172.16.0.0/16 pcx-11112222

Question 105

How is inter-regional peering set up?

Answer 105

The same as for one region.

The region must be selected in the “Create Peering Connection” dialog

Question 106

Can you move an ENI to another instance?

Answer 106

Yes, as long as it is not the primary (eth0) ENI

Question 107

Where are Flow Log files stores and can be viewed?

Answer 107

In Cloud Watch Logs

Question 108

Is Direct Connect per default Highly Available?

Answer 108

No, the VPN gateway it uses in the VPC is, but the connection is not.
There need to be more than one line, ideally in two (+) regions

Question 109

What is CloudHub?

Answer 109

A VPN (gateway) that connects to multiple Customer Gateways

Question 110

What are the (three) functions of Route53?

Answer 110

• Register domain names
• Route internet traffic to resources based on rules
• Check the health of resources (instances or LBs)

Question 111

Route53: What is “failover routing”?

Answer 111

There is a primary and a secondary resource.

In case of a failure the traffic is directed to the secondary

Question 112

Route53: What is an alias in Route53?

Answer 112

Instead of pointing to an IP Route53 can also route to:

• CloudFront
• Elastic Beanstalk Application
• Elastic Load Balancer
• S3 Bucket (for static website hosting)
• Another Route53 resource record

Question 113

Route53: What are the three types of health checks?

Answer 113

• Health of a specific resource (EC2 instance e.g.)
• Status of a CloudWatch Alarm
• Other health checks (Example: there are health checks on 5 instances, the checks sets an alert if 3 of them are in alert)

Question 114

CloudFront: What is the Cache Behavior?

Answer 114

Set of rules how to cache the request based on the request URL

Question 115

CloudFront: How to enable regional edge caches?

Answer 115

It is done automatically at no additional costs

Question 116

CloudFront: What is the shortest possible caching time?

Answer 116

0 seconds - all requests go to the origin

Question 117

CloudFront: How to keep response items small?

Answer 117

Use GZIP (if accept-encoding: gzip is sent in the header)

Question 118

CloudFront: What is the Default Root Object?

Answer 118

File that is sent when there is a request to the “root” url

Question 119

CloudFront: What is Zone Apex Support?

Answer 119

Using your one domain

Question 120

What is a private VIF?

Answer 120

The logical interface between the customer location and the AWS services inside the VPC

Question 121

How to get the public /private IP address from the metadata?

Answer 121

169.254.169.254/latest/meta-data/public-ipv4
169.254.169.254/1.0/
meta-data/local-ipv4

Question 122

What CIDR Range will be assigned to a IPv6 VPN?

Answer 122

/56

Question 123

Can you add a secondary CIDR IP Range to a VPC?

Answer 123

Yes, as long as it does not overlap

Question 124

Does a VPC support “multicast”?

Answer 124

No

Question 125

Is IPv6 supported for VPC peering?

Answer 125

No

Question 126

Which of the following is true of an interface VPC endpoint? (Choose two.)
A. It supports TCP traffic.
B. It supports IPv6 traffic.
C. It supports UDP traffic.
D. It exists in only one availability zone.

Answer 126

It supports TCP traffic.

It exists in only one availability zone

Question 127

How can you restrict EC2 access to an S3 Bucket with a S3 Gateway Endpoint?

Answer 127

Create and add a security group, which specifies the S3 prefix list ID

Question 128

If using a IPv6 VPC, do you need to add a IPv4 CIDR as well?

Answer 128

yes

Question 129

Which are the two options for connecting a site to AWS using Direct Connect?

Answer 129

• dedicated connection between your
  equipment and AWS at a Direct Connect location or
• a hosted connection from an AWS
  Direct Connect Partner

Question 130

What is the difference between Public / Private and Transit virtual interface?

Answer 130

• A public virtual interface allows you to use public AWS endpoints over a Direct
  Connect connection.
• A private virtual interface is used for connecting to a VPC.
• A transit
  virtual interface is only for use with an Amazon VPC Transit Gateway.

Question 131

How many VPN connections can you create to a single VPC?

Answer 131

You can have up to 10 VPN connections to a VPC.

Question 132

How can you decrease the network overhead of a Direct Connect connection?

Answer 132

Using jumbo frames can decrease network overhead by allowing more data to be
sent across the connection in a single frame.

Question 133

How many routes are you allowed to advertise in a BGP session over a Direct Connect
connection over a private virtual interface?

Answer 133

You can advertise up to 100 routes over each BGP session over a private virtual interface.

Question 134

What happens if you advertise more than 100 routes over a BGP session over a Direct
Connect private virtual interface?

Answer 134

The oldest routes will be discarded to bring the total number of routes to 100 or
fewer

Question 135

You have a VPN connection and a Direct Connect connection between your datacenter
and a VPC. BGP sessions on both connections have the exact same prefixes. Which
connection will be preferred?

Answer 135

Direct Connect

Question 136

What are two differences between CloudHub and Direct Connect Gateway?

Answer 136

• CloudHub connects on-premises networks (via a VPN or Direct Connect link) and
  VPCs in only one region.
• Direct Connect Gateway connects on-premises networks and
  VPCs in any region.

Question 137

What’s the maximum number of Direct Connect dedicated connections you can have per
link aggregation group?

Answer 137

4

Question 138

You have an EC2 instance with a global unicast IPv6 address assigned. How can you
ensure that hosts on the Internet are able to resolve the IPv6 address of the instance?

Answer 138

Create a publicly resolvable AAAA record that points to the instance’s IPv6 address

Question 139

Your EC2 instance in the us-east-1 region is assigned the public IP address 203.0.113.25.
Whichis the DNS hostname?

Answer 139

ec2-203-0-113-25.compute-1.amazonaws.com

Question 140

. You created a default VPC and made no other changes to it. Which of the following is true
of an EC2 instance launched into this default VPC? (Choose two.)
A. Its primary private IP address has a /16 CIDR.
B. It’s in a public subnet.
C. It has a public IP address.
D. It has no outbound access

Answer 140

B. It’s in a public subnet.

C. It has a public IP address.

Question 141

Using a virtual private gateway, you’ve created a site-to-site VPN connection between a
VPC subnet and a datacenter. When creating routes to datacenter subnets, what should you specify as the target in the route table?

Answer 141

Virtual private gateway

Question 142

What’s the maximum number of instance recovery attempts allowed per day?

Answer 142

3

Question 143

What does NODATA mean in a VPC Flow log?

Answer 143

NODATA is written to the end of a flow log record when there’s no traffic to log
during a 10-minute capture window.

If there were too much traffic to log, SKIPDATA
would appear instead.

Question 144

When trying to add an alternative domain name to a CloudFront distribution, you get an
“InvalidViewerCertificateException” error. What could be the reason?

Answer 144

The custom certificate you’ve provided isn’t signed by a trusted certificate
authority (CA)

Question 145

How to identify an RTMP distribution?

Answer 145

rtmp://s*.cloudfront.net

Question 146

When does a CloudFront edge location first fetch a file from an origin?

Answer 146

When the edge location receives a request for the file

Question 147

Which network protocol is supported by CloudFront?

Answer 147

WebSocket

Question 148

How can you enable Internet users to access a CloudFront distribution without allowing
public access to its origin S3 bucket?

Answer 148

Use an origin access identity.

Question 149

Can a non public S3 bucket be a origin?

Answer 149

no

Question 150

Can a public web server be an origin?

Answer 150

yes

Question 151

Can you use publicly routable IP addresses in a Network Load Balancer?

Answer 151

no, only RFC 1918 or RFC 6598 addresses

Question 152

When browsing to the public URL of an application load balancer, users receive a “Bad
Gateway” error. The target group contains only EC2 instances. What could this indicate?

Answer 152

The target instance closed the connection from the load balancer e.g.
The error usually indicates that the load balancer received an unexpected response from
the target, such as a TCP reset or TCP FIN. The “Bad Gateway” error is generated by the
application load balancer, so receiving the error indicates users are able to connect to it.

Question 153

When browsing to the public URL of an application load balancer, users receive a
“Gateway Timeout” error. The target group contains only EC2 instances. What could this
indicate?

Answer 153

The “Gateway Timeout” error occurs when the target doesn’t respond.

Question 154

What services can you BYOIP?

Answer 154

NLB, EC2, NAT Gateway

Question 155

Which of the following is the cheapest S3 encryption option?
A. SSE-KMS customer-managed CMK
B. SSE-KMS AWS-managed CMK
C. Client-side encryption using KMS
D. SSE-ACL

Answer 155

SSE-KMS with AWS-managed CMK

Question 156

What is “low jitter” and which service provides it?

Answer 156

Direct Connect provides consistent latency, also known as low jitter. I

Question 157

You have an EC2 instance with an elastic IP address associated with it.
IPv6 is enabled
in the instance’s public subnet.
How can you ensure that hosts on the Internet are able to
reach the instance via IPv6?

Answer 157

Assign a global unicast IPv6 address to the instance

Question 158

Which VPC attributes determines whether the Amazon DNS server is
enabled?

Answer 158

enableDnsSupport