Networking: Amazon Virtual Private Cloud

Question 1

Need to identify the instances that are generating the most traffic using a NAT gateway

Answer 1

Use VPC flow logs on the NAT gateway ENI and use CloudWatch insights to filter based on source IP address

Question 2

Latency on a NAT instance has increased, need a solution that scales with demand cost-efficiently

Answer 2

Swap with a NAT gateway

Question 3

NAT gateway is NOT highly available across AZs, only within an AZ

Answer 3

Use multiple NAT gateways for HA across AZs

Question 4

NAT instance deployed but not working

Answer 4

Make sure to disable source/destination checks

Question 5

Need to enable access to S3 without the instances using public IP addresses

Answer 5

Use a NAT gateway or VPC endpoint

Question 6

EC2 instance in private subnet cannot reach the Internet. Route table has a route to a NAT gateway with a status of “Blackhole”

Answer 6

Indicates the NAT gateway has been deleted

Question 7

Need to connect to S3 from EC2 using private network only. Must also ensure that only the instances can access the bucket

Answer 7

Create a VPC endpoint and a bucket policy with a Condition that limits S3 actions to the VPC endpoint as the source

Question 8

VPC endpoint setup to allow private IP address connectivity to S3 bucket, permissions configured, but instances still can’t connect

Answer 8

Make sure the subnet has a target in the route table for the VPC endpoint

Question 9

Need to manage EC2 instances in a private subnet from an office using SSH but instances cannot have internet access

Answer 9

Add a VGW and configure routing in the VPC and establish a VPN to the office

Question 10

Need encryption in-transit and at-rest for hybrid environment

Answer 10

Use an AWS VPN and use KMS keys for data encryption

Question 11

Network change was made that resulted in application to DB connection issues

Answer 11

Analyze using VPC Flow Logs

Question 12

Inbound and outbound internet connectivity required for EC2 instances

Answer 12

Need to attach an internet gateway to the VPC and add an entry in the route table for the subnet that points to the internet gateway

Question 13

Web application has EC2 with public IPs behind an ALB. EC2 instances cannot connect to external service

Answer 13

Need to create an attach an IGW to the VPC and update the route table

Question 14

VPC peering connection setup between two different VPCs. Instances in private subnets still can’t communicate

Answer 14

Make sure the route tables are updated

Question 15

A company has configured a VPC peering connection between two VPCs and needs to set up connectivity between instances in private subnets

Answer 15

Configure the VPC route tables with routes pointing to the address range of the other VPC

Question 16

Company backing up one VPC to another in different region. All data must be private and encrypted

Answer 16

Use inter-region VPC peering which encrypts across the AWS global network

Question 17

Malicious IP identified and must be blocked from all ingress and egress connectivity

Answer 17

Add a rule to a network ACL for all affected subnets

Question 18

VPC connected to data center by VPN. User pings private subnet instance from on-prem computer and fails. VPC Flow Logs show accept for inbound but reject for outbound traffic

Answer 18

Modify the network ACL to allow outbound traffic

Question 19

Malicious traffic coming from a single IP address

Answer 19

Use a NACL for the web server subnet to deny IP address

Question 20

Admin has setup instance for remote access and can SSH from internet but cannot ping

Answer 20

Most likely reason is that the instance’s security group does not have a rule allowing ICMP

Question 21

Admin connecting to EC2 instance using SSH from office but gets connection timeout from home

Answer 21

Most likely doesn’t have the home network IP range in the security group allow rule for SSH