Networking API GW, NATGW, IGW, Egress-only GW Flashcards

1
Q

Part is presented from EC2 instances behind an application load balancer, part is provided via an API Gateway and Lambda functions. Protect against common layer attacks.

A

WAF on the API Gateway and on the ALB

2
Q

reasons for using EC2 Enhanced Networking

A

Lower & Consistent latency
Better packet per second performance

3
Q

You are having problems establishing a Dynamic Site-to-Site VPN between AWS and a client site

A

Customer router cannot use BGP

4
Q

A VPC you manage has a collection of 10 EC2 instances running across two AZs in two private subnets, with IPv4 addresses only. You need to make sure the instances have outgoing only access to the internet. What should you do?

A

Deploy NAT Gateway

5
Q

You have added a rule to a NACL which allows traffic through to a VPC subnet but are finding that it’s not working as expected. What possible things should you investigate? (Choose all which apply)

A

NACLs are stateless, make sure you have a rule for the response
NACLs are processed in order, lower numbers FIRST
NACL to be assigned to the correct subnet

6
Q

You have a web application which consists of a variable number of EC2 instances in an Auto Scaling Group, registered to a target group of an application load balancer. You need to only allow connections to the EC2 instances via tcp/80 from the load balancer, and you need to block connections from a set of 5 IP addresses known to be attempting exploits. What is the best practice way of accomplishing this set of requirements. (choose 2)

A

Add rules to the NACL around the ALB subnet blocking the bad IPs

Add an allow rule on the EC2 SG allowing the ALB SG

7
Q

A VPC you have designed will have a mixture of IPv4 and IPv6 services. For IPv6 you need to allow the instances to contact the IPv6 internet, but not the IPv6 internet to contact the instances, what combination of routing/gateway services and configuration is required (choose one)

A

Outgoing-only IPv6 requires an egress-only internet gateway and a ::/0 route

8
Q

A VPC in the us-east-1 region is configured with public and private subnets in 3 Availability Zones. You need to ensure that instances in all subnets can download software updates from the public IPv4 internet. What is the minimum number of gateways required for this requirement while allowing the failure of ANY 2 AZs not to impact the services in the 1 remaining AZ. (choose one)

A

1 IGW, 3 NATGW, 4 Route Tables, 4 Routes

9
Q

An electronics company is hosting several web applications for their European customers. All the applications are deployed using the same AWS account in eu-west-1. Each application is deployed by using a common AWS CloudFormation template that launches a new VPC network. A cloud engineer was assigned to deploy the same AWS CloudFormation stack but notices a failure during the deployment.

What do you think is the root cause?

A

The AWS account used by the cloud engineer has reached the default maximum number of VPC networks allowed to be provisioned.

There are some default limits on VPC creation per region:
5 VPCs
200 subnets
5 and up to 50 IPv4 CIDR blocks
1 IPv6

10
Q

A company has a newly-hired DevOps Engineer that will assist the IT Manager in developing a fault-tolerant and highly available architecture, which is comprised of an Elastic Load Balancer and an Auto Scaling group of EC2 instances deployed on multiple AZ’s. This will be used by a forex trading application that requires WebSockets, host-based and path-based routing, and support for containerized APPLICATIONS.

Which of the following is the most suitable type of Elastic Load Balancer that the DevOps Engineer should recommend to the IT Manager?

A

Application Load Balancer
(NOT Network Load Balancer, as it does not support path-based and host-based routing)

11
Q

A financial start-up has recently adopted a hybrid cloud infrastructure with AWS Cloud. They are planning to migrate their online payments system that supports an IPv6 ADDRESS and uses an Oracle database in a RAC configuration. As the AWS Consultant, you have to make sure that the application can initiate outgoing traffic to the Internet but blocks any incoming connection from the Internet.

Which of the following options would you do to properly migrate the application to AWS?

A
12
Q

A leading energy company is trying to establish a static VPN connection between an on-premises network and their VPC in AWS. As their SysOps Administrator, you created the required virtual private gateway, customer gateway and the VPN connection, including the router configuration on the customer side. Although the VPN connection status seems okay in the console, the connection is not entirely working when you connect to an EC2 instance in their VPC from one of the on-premises virtual machines.

How can you resolve this issue?

A

Add a Virtual Private Gateway (VGW) route with the destination of your on-premises network in the route table.

NOT Create a VPC endpoint is incorrect because a VPC endpoint only allows secure communication between a VPC and a supported AWS service, such as Amazon S3, without traversing the internet.

13
Q

A financial company is launching an online web portal that will be hosted in an Auto Scaling group of Amazon EC2 instances across multiple Availability Zones behind an Application Load Balancer (ALB). To allow HTTP and HTTPS traffic, the SysOps Administrator configured the Network ACL and the Security Group of both the ALB and EC2 instances to allow inbound traffic on ports 80 and 443. However, the online portal is still unreachable over the public internet after the deployment.

How can the Administrator fix this issue?

A

Allow ephemeral ports in the Network ACL by adding a new rule to allow outbound traffic on ports 1024 – 65535.

14
Q

A leading tech consultancy firm has an AWS Virtual Private Cloud (VPC) with one public subnet and a new blockchain application that is deployed to an m3.large EC2 instance. After a month, your manager instructed you to ensure that the application can support IPv6 address.

Which of the following should you do to satisfy the requirement?

A
  1. Associate an IPv6 CIDR Block with the VPC and Subnets
  2. Update the Route Tables
  3. Update the Security Group Rules
  4. Change the Instance Type to m4.large
  5. Assign IPv6 Addresses to the EC2 Instance

NOT Egress-only GW AND NO IPv6 GW

15
Q

A live chat application is hosted in AWS which can be embedded as a widget in any website. It uses WebSockets to provide full-duplex communication between the users. The application is hosted on an Auto Scaling group of On-Demand EC2 instances across multiple Availability Zones with an Application Load Balancer in front to balance the incoming traffic. As part of the security audit of the company, there is a requirement that the client’s IP address, latencies, request paths, and server responses are properly logged.

How can you meet the given requirement in this scenario? (Select TWO.)

A
  1. Enable access logging for your application load balancer.
  2. Set up a standard S3 bucket where the load balancer will store the logs.

NOT CloudWatch

16
Q

A company has a requirement to connect their on-premises network to a new VPC on AWS to complete their hybrid cloud architecture. As the SysOps Administrator of the company, you are responsible for both managing their cloud infrastructure and establishing connectivity to their other corporate data centers.

Which of the following should provide your resources on AWS the connectivity to external networks? (Select TWO.)

A

Assigning an Internet Gateway to the VPC AND creating a Virtual Private Gateway

NO additional ENIs

17
Q

A SysOps Administrator recently finished setting up a new virtual private cloud with a size of /16 IPv4 CIDR block including one subnet with a size /24 IPv4 CIDR block in AWS. He also launched an On-Demand EC2 instance with an NGINX AMI from the AWS Marketplace, which will be used to host the WordPress website of the company. The security group of the instance has been modified to enable inbound traffic from port 22 to allow the Administrator to connect to it using SSH. The Administrator attempted to connect to the instance but it failed to establish a connection. The Administrator added an Internet Gateway (igw-1a2b3c4d) in the VPC yet the problem still persists. The main route table has two entries as shown below:

DESTINATION TARGET
10.0.0.0/16 local
10.0.0.0/16 igw-1a2b3c4d

Which of the following options can the Administrator do to solve this issue?

A

Change the destination of the IGW to 0.0.0.0/0.

NOT Attach a NAT Gateway

18
Q

A leading insurance firm has a VPC in the US East (N. Virginia) region for their head office in New York and another VPC in the US West (N. California) for their regional office in California. There is a requirement to establish a low latency, high-bandwidth connection between their on-premises data center in Chicago and both of their VPCs in AWS.

As the SysOps Administrator of the firm, how could you implement this in a cost-effective manner?

A

Set up an AWS Direct Connect connection to the on-premises data center. Launch a new AWS Direct Connect Gateway with a virtual private gateway and connect the VPCs from US East and US West regions. Integrate the Direct Connect connection to the Direct Connect Gateway.

19
Q

A data analytics company is heavily using AWS and has two VPCs in their account: VPC-A (10.10.0.0/16) and VPC-B (192.168.0.0/16). As their Systems Administrator, you established a VPC peering connection between the two VPCs which has an ID of pcx-tutsd0j0.

Which of the following route entries need to be added to the route tables to ensure that traffic can flow across the VPCs? (Select TWO.)

A

In VPC-A – Destination: 192.168.0.0/16 and Target: pcx-tutsd0j0
In VPC-B – Destination: 10.10.0.0/16 and Target: pcx-tutsd0j0

targeting the ID, NOT IP

20
Q

A leading financial firm is planning to host their new online accounting application in AWS which should support IPv6 address. As their SysOps Administrator, you set up a virtual private cloud (VPC) with a single public subnet and an Internet gateway to enable communication over the Internet.

Which of these options is not needed to satisfy the given requirement?

A

Launch an Egress-only IGW

For an EC2 instance to be able to communicate to the Internet over IPv6, the following configuration should be done in the VPC:
Associate a /56 IPv6 CIDR block with the VPC. The size of the IPv6 CIDR block is fixed (/56) and the range of IPv6 addresses is automatically allocated from Amazon’s pool of IPv6 addresses (you cannot select the range yourself).
Create a subnet with a /64 IPv6 CIDR block in your VPC. The size of the IPv6 CIDR block is fixed (/64).
Create a custom route table and associate it with your subnet, so that traffic can flow between the subnet and the Internet gateway.

21
Q

A test site runs on a group of Amazon EC2 instances in us-east1 on a VPC. The application needs to have an incoming and outgoing connection to the internet.

Which steps should a SysOps administrator perform to provide internet connectivity to the EC2 instances in the us-east1 region? (Select TWO.)

A

– Create an Internet Gateway and attach it to the VPC in us-east1.

– Create a route entry on the VPC’s routing table for the subnet that points to the internet gateway.

NOT Provision a NAT gateway to a public subnet in us-east1

22
Q

A company has an application that is hosted on a fleet of EC2 instances with an Application Load Balancer that evenly distributes the incoming traffic. There once was an incident where a Junior DevOps Engineer accidentally made changes in the ALB in production that brought the whole application down. These situations should not happen again and hence, you have to monitor any activity or changes made to your AWS resources.

Which of the following services does not help you capture the monitoring information about the ELB activity?

A

ELB health checks are used to determine whether the EC2 instances behind the ELB are healthy or not. But it does not help in capturing the monitoring information for the ELB itself.

23
Q

A leading commercial bank is hosting its personal banking portal on a fleet of EC2 instances behind an Application Load Balancer. To reduce latency, a CloudFront distribution has been launched with the load balancer as its origin. The SysOps Administrator received a report from your IT Security team that they discovered a lot of SQL injection attempts and cross-site scripting attacks on the online portal.

Which of the following service can help mitigate this attack?

A

AWS WAF
AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.

NOT AWS Network Firewall is incorrect because this is mainly used to perform deep packet inspection on the inbound traffic of your Amazon VPC. This service is specifically designed to identify potential hacking attempts, but not to actively protect your web applications from SQL Injection or XSS.

24
Q

A popular sports website, which provides news, opinions, and videos on various sports events around the world, is hosted in AWS. The website’s architecture has an Auto Scaling group of On-Demand EC2 instances across multiple Availability Zones with an Application Load Balancer (ALB) to evenly distribute the incoming traffic. Lately, online readers have been giving the site a low rating because of its slow loading time. Due to the upcoming FIFA World Cup competition, traffic is expected to continue to surge in the coming weeks.

Which of the following services can be used as a cost-effective solution to scale and improve the site’s loading time?

A

Set up a CloudFront distribution.

NOT Enable Enhanced Networking is incorrect, as Enhanced Networking is mainly used to allow high-performance networking capabilities between EC2 instances. This won’t affect the speed of user traffic coming from/into the instances.

25
Q

A SysOps Administrator sends a ping command on a home computer, which has an IP address of 110.237.99.166, to an EC2 instance that has a private IP address of 172.31.17.140. However, the response ping is dropped and does not reach the home computer. To troubleshoot the issue, the Administrator checked the flow logs of the VPC and saw the following entries as shown below.

2 123456789010 eni-1235b8ca 110.237.99.166 172.31.17.140 0 0 1 4 336 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.31.17.140 110.237.99.166 0 0 1 4 336 1432917094 1432917142 REJECT OK

Which is the most likely root cause of this issue?

A

Network ACL permits inbound ICMP traffic but does not permit outbound ICMP traffic.

26
Q

An application hosted in an On-Demand EC2 instance was launched in a private subnet in your VPC with an IPv4 CIDR block. It was working well and could fetch data from the Internet until it suddenly stopped working. Upon checking your route table, you noticed that the route to 0.0.0.0/0 has a status of blackhole as shown below:

[Route table screenshot: 0.0.0.0/0 route with status BLACKHOLE]
Which of the following is most likely the cause of this issue?

A

The NAT Instance or NAT Gateway that was previously attached was deleted.

NOT The Internet Gateway was detached from your VPC is incorrect. Although detaching the Internet Gateway will affect the Internet connectivity of your application, this is unlikely to cause the blackhole status in your route table.

27
Q

A company is using several S3 buckets to store important inventory records of the online supply chain portal. They have an internal management application hosted on a private subnet of the VPC that needs to modify the contents of the S3 bucket and send a report to a partner company via the public Internet. The SysOps Administrator has created a gateway VPC endpoint for S3 as preparation for this requirement.

Which of the following actions should the Administrator do next?

A

Update the private subnet’s route table to directly connect to the S3 VPC endpoint and send the outbound Internet traffic to a NAT gateway.

NOT Updating the private subnet’s route table to directly send all traffic to the public VPC endpoint is incorrect because a NAT gateway is required to be able to send traffic from your private subnet to the Internet.

28
Q

A startup deployed several EC2 instances in a VPC to host a web application. After creating the instances, the SysOps Administrator tries to establish an SSH connection in one of them. However, it seems that the Administrator is unable to connect to the instance.

What are the possible troubleshooting options for this problem? (Select TWO.)

A

– Verify that the instance passes both the System Status and Instance Status checks.

– Verify that an Internet Gateway is attached to your VPC by navigating to the Internet Gateways pane and viewing the VPC column, which displays the ID and the name of the VPC, if there is one.

Verifying that you have created a NAT Instance for your VPC is incorrect because you are not required to have a NAT instance just so you could establish an SSH connection into your EC2 instances.