Networking: API GW, NATGW, IGW, Egress-only GW Flashcards
Part of an application is presented from EC2 instances behind an Application Load Balancer, and part is provided via an API Gateway and Lambda functions. How do you protect against common layer attacks?
Put a WAF on the API Gateway and on the ALB.
Reasons for using EC2 Enhanced Networking:
Lower and more consistent latency
Better packets-per-second performance
You are having problems establishing a dynamic Site-to-Site VPN between AWS and a client site. What is a likely cause?
The customer router cannot use BGP.
A VPC you manage has a collection of 10 EC2 instances running across two AZs in two private subnets, with IPv4 addresses only. You need to make sure the instances have outgoing only access to the internet. What should you do?
Deploy a NAT Gateway.
You have added a rule to a NACL which allows traffic through to a VPC subnet but are finding that it's not working as expected. What possible things should you investigate? (Choose all which apply)
NACLs are stateless, so make sure you have a rule for the response traffic.
NACLs are processed in order, lowest rule numbers FIRST.
Make sure the NACL is associated with the correct subnet.
You have a web application which consists of a variable number of EC2 instances in an Auto Scaling Group, registered to a target group of an Application Load Balancer. You need to only allow connections to the EC2 instances via tcp/80 from the load balancer, and you need to block connections from a set of 5 IP addresses known to be attempting exploits. What is the best practice way of accomplishing this set of requirements? (Choose 2)
Add rules to the NACL around the ALB subnet blocking the bad IPs.
Add an allow rule on the EC2 SG allowing the ALB SG.
A VPC you have designed will have a mixture of IPv4 and IPv6 services. For IPv6 you need to allow the instances to contact the IPv6 internet, but not the IPv6 internet to contact the instances. What combination of routing/gateway services and configuration is required? (Choose one)
Outgoing-only IPv6 requires an egress-only internet gateway and a ::/0 route.
A VPC in the us-east-1 region is configured with public and private subnets in 3 Availability Zones. You need to ensure that instances in all subnets can download software updates from the public IPv4 internet. What is the minimum number of gateways required for this requirement, while ensuring that the failure of ANY 2 AZs does not impact the services in the 1 remaining AZ? (Choose one)
1 IGW, 3 NATGW, 4 Route Tables, 4 Routes
An electronics company is hosting several web applications for their European customers. All the applications are deployed using the same AWS account in eu-west-1. Each application is deployed by using a common AWS CloudFormation template that launches a new VPC network. A cloud engineer was assigned to deploy the same AWS CloudFormation stack but notices a failure during the deployment.
What do you think is the root cause?
The AWS account used by the cloud engineer has reached the default maximum number of VPC networks allowed to be provisioned.
There are default limits on VPC creation per region:
5 VPCs
200 subnets
5 (and up to 50) IPv4 CIDR blocks
1 IPv6 CIDR block
A company has a newly-hired DevOps Engineer that will assist the IT Manager in developing a fault-tolerant and highly available architecture, which is comprised of an Elastic Load Balancer and an Auto Scaling group of EC2 instances deployed on multiple AZs. This will be used by a forex trading application that requires WebSockets, host-based and path-based routing, and support for containerized applications.
Which of the following is the most suitable type of Elastic Load Balancer that the DevOps Engineer should recommend to the IT Manager?
Application Load Balancer
(NOT Network Load Balancer, as it does not support path-based routing or host-based routing)
A financial start-up has recently adopted a hybrid cloud infrastructure with AWS Cloud. They are planning to migrate their online payments system that supports an IPv6 address and uses an Oracle database in a RAC configuration. As the AWS Consultant, you have to make sure that the application can initiate outgoing traffic to the Internet but blocks any incoming connection from the Internet.
Which of the following options would you do to properly migrate the application to AWS?
A leading energy company is trying to establish a static VPN connection between an on-premises network and their VPC in AWS. As their SysOps Administrator, you created the required virtual private gateway, customer gateway and the VPN connection, including the router configuration on the customer side. Although the VPN connection status seems okay in the console, the connection is not entirely working when you connect to an EC2 instance in their VPC from one of the on-premises virtual machines.
How can you resolve this issue?
Add a Virtual Private Gateway (VGW) route with the destination of your on-premises network in the route table.
NOT "Create a VPC endpoint": this is incorrect because a VPC endpoint only allows secure communication between a VPC and a supported AWS service, such as Amazon S3, without traversing the internet.
A financial company is launching an online web portal that will be hosted in an Auto Scaling group of Amazon EC2 instances across multiple Availability Zones behind an Application Load Balancer (ALB). To allow HTTP and HTTPS traffic, the SysOps Administrator configured the Network ACL and the Security Group of both the ALB and EC2 instances to allow inbound traffic on ports 80 and 443. However, the online portal is still unreachable over the public internet after the deployment.
How can the Administrator fix this issue?
Allow ephemeral ports in the Network ACL by adding a new rule to allow outbound traffic on ports 1024 – 65535.
A leading tech consultancy firm has an AWS Virtual Private Cloud (VPC) with one public subnet and a new blockchain application that is deployed to an m3.large EC2 instance. After a month, your manager instructed you to ensure that the application can support IPv6 addresses.
Which of the following should you do to satisfy the requirement?
- Associate an IPv6 CIDR Block with the VPC and Subnets
- Update the Route Tables
- Update the Security Group Rules
- Change the Instance Type to m4.large
- Assign IPv6 Addresses to the EC2 Instance
NOT Egress-only GW, and there is no such thing as an IPv6 GW
A live chat application is hosted in AWS which can be embedded as a widget in any website. It uses WebSockets to provide full-duplex communication between the users. The application is hosted on an Auto Scaling group of On-Demand EC2 instances across multiple Availability Zones with an Application Load Balancer in front to balance the incoming traffic. As part of the security audit of the company, there is a requirement that the client's IP address, latencies, request paths, and server responses are properly logged.
How can you meet the given requirement in this scenario? (Select TWO.)
- Enable access logging for your Application Load Balancer.
- Set up a standard S3 bucket where the load balancer will store the logs.
NOT CloudWatch