Practice test 3 (actual 4) Flashcards

1
Q

I want to use dedicated hosts for one year and then migrate them to default tenancy afterwards. Is this possible?

A

You can change the tenancy of an instance from dedicated to host and vice versa (correct).

You cannot change the tenancy from dedicated/host to default, or from default to dedicated/host, ever.

2
Q

What is the difference between a target tracking and a simple scaling policy for an Auto Scaling group of EC2 instances consuming messages from SQS?

A

Target tracking: divide Approximate Number of Messages (the CloudWatch metric) for the queue by the number of instances in the InService state in the Auto Scaling group. This gives the backlog per instance, which is the acceptable and most accurate metric, and the best choice.

Simple scaling policy: based on CloudWatch metrics and alarms. After a scaling activity has started, the policy must wait for the replacement to complete and the cooldown period to expire, so it cannot react quickly.

Step scaling would work but would not be as good or efficient as target tracking.

3
Q

I want to use CloudWatch alarms to automatically recover EC2 instances if they become impaired. What happens to the instances when they recover? True/false regarding public and private IP, metadata, termination, etc.

A

Correct / true:
The instance retains its public IPv4 address if it has one.
The recovered instance is identical to the original: instance ID, private IP, Elastic IP, metadata.
During recovery the instance is migrated during a reboot, and in-memory data is lost.

Incorrect: terminated EC2 instances can be recovered if they are configured for it at launch.

4
Q

Global company, procurement workflow, distributed app. Orders booked in one region must be visible in all regions in one second or less. DB failover must have a short recovery time objective. Uptime is critical. What is the most cost effective solution? Options:

A

RDS for MySQL or PostgreSQL with a cross-region read replica (async replication, more than one second).

Aurora Global Database (correct)

DynamoDB global tables (incorrect: "Dynamo would be more costly in this scenario", maybe due to r/w traffic)

Answer: Aurora. My answer: Dynamo. I did not read the options, but they were not clear about the app needing SQL, which it would.

5
Q

EC2 fleet with an ELB in 2 zones, A and B. A has one instance, B has 4 instances. What traffic distribution would you get with cross-zone load balancing enabled vs disabled?

A

Cross-zone enabled: the one instance in A gets 20% and each of the 4 in B gets 20%.

Cross-zone disabled: A gets 50%, each instance in B gets 12.5%.

6
Q

NAT instance vs NAT gateway, true/false options

A

Correct / true:
A NAT instance can be a bastion server.
Security groups can be associated with a NAT instance.
A NAT instance supports port forwarding (but not a NAT gateway; this one was incorrect).

Flow logs, NACLs and traffic metrics are supported by both.

7
Q

High performance computing recommended network components: which is best (elastic …. adapters)?

A

Elastic Fabric Adapter, attached to EC2, is the highest performance network option. The "fabric" means it bypasses the OS to reach the hardware interface for speed.

Incorrect: elastic network interface, elastic network adapter (high performance computing, but not as fast as EFA), Elastic IP.

8
Q

Configuring security groups for a 2-tier app with public web servers and a private DB. What is true/false for an inbound rule of a security group?

A

True statements about what can be the source or destination of a rule:

  • a range of IP addresses in a CIDR block, x.x.x.x/16, or IPv6
  • a specific IP address in the format x.x.x.x/32
  • another security group ID in the same VPC or in a peered VPC
  • the same security group ID

False statement: use an internet gateway ID as the custom source for an inbound rule.

9
Q

Configuring security groups for a 2-tier app with public web servers and a private DB. What is true/false for an inbound rule of a security group?

A

True statements:
a range of IP addresses in a CIDR block, x.x.x.x/Y
another security group in this VPC or in a peered VPC
the same security group
the security group of an ALB can be used

False statement: use an internet gateway ID as the custom source for an inbound rule.

10
Q

Real-time health data processed into an analytics workflow. With more users the system is slow and unresponsive, and it does not have retry. Need a scalable solution with minimal implementation overhead. How?

A

Correct: Kinesis Data Streams to ingest, then process with Lambda or run analytics with Kinesis Data Analytics. (I knew this would work, but the words "minimal implementation" are contradictory to my notes; be careful. Note the words "real time", because Data Streams has 200 ms latency.)

Incorrect: SQS for ingestion, Lambda for processing. "This can work, but Data Streams is custom made for streaming real-time data."

11
Q

EC2 in a private subnet, reading and writing big volumes to S3 in the same region. A NAT gateway is configured for all internet-bound traffic. Best cost-optimal solution, without impacting the ability to communicate with S3 or the internet?

A

VPC gateway endpoint, available for S3 and DynamoDB only. Needs an endpoint policy. Update the route table with the VPC gateway endpoint as a target to direct S3 traffic to the endpoint. There is no additional charge for a gateway endpoint.

Incorrect: internet gateway, gateway load balancer.

Also, there is a VPC interface endpoint for communicating with any AWS service in another VPC; it can be many things. It uses PrivateLink and provisions an elastic network interface and a security group. There is a cost involved.

12
Q

Company has a hybrid cloud with on-prem. Wants a web log archive where only the most frequently accessed logs are available as a local cache, while backing up all logs to S3.

A

Be careful: the answer provided is not well described in the notes, but does match the AWS docs.

This relates to the AWS Storage Gateway type Volume Gateway. Other types are Tape, File, and FSx File.

iSCSI = Volume (cached or stored)
NFS / SMB = File
FSx File = Windows

AWS says: Volume Gateway presents cloud-backed iSCSI block storage volumes to your on-premises applications. Volume Gateway stores and manages on-premises data in Amazon S3 on your behalf and operates in either cache mode or stored mode. (Note the similarity/difference: File Gateway is NFS (Network File System) and SMB compatible, cached on-prem, pushed to S3.)

The following 2 modes refer to on-prem data:

In cached Volume Gateway mode, your primary data is stored in Amazon S3, while your frequently accessed data is retained locally in the cache for low-latency access. In stored Volume Gateway mode, your primary data is stored on-prem and your entire dataset is available for low-latency access on premises, while also being asynchronously backed up to Amazon S3. In both cases it is backed up to EBS block storage for fast recovery.

AWS Volume Gateway - Cached Volume (correct)

AWS Volume Gateway - Stored Volume (incorrect)

13
Q

Company has a licence-based commercial DB system on-prem. Wants to migrate to an open source, cost-effective DB in the cloud, and needs to handle complex database config: indexes, FKs, stored procs. How?

A

Correct:
AWS Schema Conversion Tool (as it says; plus it migrates indexes, FKs, procs!)

Database Migration Service (DBs remain operational during migration; supports same-engine and different-engine migrations).

Incorrect: Glue,
Basic schema copy (this is real but will not migrate secondary indexes, FKs, stored procs),
Snowball.

14
Q

Migrate SQS standard to FIFO with batching. Steps?

A

Delete the existing queue and recreate it as FIFO (Jol correct)
The name of the FIFO queue ends in .fifo (Jol correct)
The throughput of the FIFO queue does not exceed 3000 messages per second (correct; Jol got this wrong)

FIFO queues support 3000 msg/s with batching (300 x 10 per batch) and 300 msg/s without batching. This was the error I made. (Message operations can be send, delete, receive.)

15
Q

An org is using Service Control Policies (SCPs) for central control of permissions in accounts. This is a special feature of an organisation. What is true/false about SCPs?

A

True / correct:
SCPs affect all users and roles in attached accounts, including the root user.
SCPs do not affect service-linked roles.
If a user or role has an IAM permission policy that grants access to an action that is not allowed or is denied by the SCP, the user or role can't perform the action. The SCP trumps the user/role permission policy.

More info:
No permissions are granted by an SCP; that happens at the user/role level. It is a guardrail or limit.

Effective permissions are the intersection between the SCP and the user/role policy, very similar to IAM permissions boundaries, which are applied to individual IAM users and roles, mainly to developers.

SCPs don't affect resource-based policies, only users/roles.

16
Q

Company has Organizations set up for departments. They have EC2 and RDS. They want shared, centrally managed VPCs for all departments using apps that need a high degree of connectivity. How?

A

Correct: VPC sharing, to share one or more subnets with other AWS accounts belonging to the same parent org. Sharing is all about the resources in subnets: EC2, RDS, Redshift, and Lambda (?) as in the docs.

Incorrect: VPC sharing to share the whole VPC … (and as above). You can't share a whole VPC with VPC sharing, only subnets.

Incorrect: VPC peering; not centrally managed, gives access to the whole VPC.

17
Q

Web app on ECS (Elastic Container Service). The website slows down when traffic spikes, and has poor availability. The dev team has CloudWatch alarms with notifications. How to automate?

A

Correct: Auto Scaling to scale out the ECS cluster when the ECS service's CPU utilization rises above a threshold.

There is an Elastic Load Balancer involved.

Documented options:
ECS Service Average CPU Utilization
ECS Service Average Memory Utilization
ALB Request Count Per Target

Incorrect: as above but "… ALB target group's CPU utilization …". Unfortunately very close, because there is a load balancer involved, but wrong.

18
Q

A business has 2 AWS accounts and all resources are in the us-west-2 region. They try to launch an EC2 instance in each of the 2 accounts such that the instances are in the same AZ in us-west-2. After selecting the same default subnet for EC2 when launching in each account, the AZs are still different for each instance. Why?

A

Correct: They must use the AZ ID to uniquely identify the AZ across the 2 accounts. The AZ is specified for each instance.

Incorrect: Use the default VPC to uniquely identify the AZ across the 2 accounts. A VPC spans a region, therefore it cannot be used to identify an AZ.

19
Q

Company uses SQS; consumers need additional time to process messages, … to postpone for a few seconds. How?

A

Correct: Delay queues, to postpone delivery to the queue for a few seconds.

“Delay queues let you postpone the delivery of new messages to a queue for several seconds, for example, when your consumer application needs additional time to process messages. If you create a delay queue, any messages that you send to the queue remain invisible to consumers for the duration of the delay period. The default (minimum) delay for a queue is 0 seconds. The maximum is 15 minutes.”

Incorrect: visibility timeout. This will not postpone delivery; it stops other consumers reading the same message from the queue.

20
Q

Standardizing EC2 instances with an AMI. Rules about copying to different accounts and regions. Options true/false:

A

Correct:
Can share an AMI with another account.
Can copy an AMI across regions.
Copying an AMI backed by an encrypted snapshot cannot result in an unencrypted snapshot. This is the only scenario that is forbidden. Allowed: unencrypted to encrypted, encrypted to encrypted….

Incorrect answers were the opposite of the above, including encrypted to unencrypted.

21
Q

Route 53: what are Alias, CNAME and A records?

A

Alias: directs queries to selected AWS resources like S3, CloudFront, or another record in the same Route 53 hosted zone, e.g. hello.abc.com to goodbye.abc.com.

CNAME: directs DNS queries to any DNS record. Commonly used to redirect from domain.com to another-domain.com.

A record: points a domain to an IP address, not to another domain. PTR is a reverse lookup from IP to domain name.

22
Q

SQS queue facts: quotas, message throughput, retention, group ID, long polling wait time

A

Delay queue: default 0, max 15 minutes.
Long polling: max wait time 20 sec.

Message group IDs are FIFO only; there is no quota on the number of groups; a FIFO message must have a group ID.

Backlog messages: unlimited.
Messages per queue in flight (received but not yet deleted): standard queue 120,000 messages, FIFO 20,000 messages.

FIFO message throughput: 300 transactions per sec for Send, Receive, Delete.
Batching (x10): 3000 transactions per sec, which means 300 API calls each with a batch of 10. Raise a support request to increase.

High throughput FIFO queues can go up to 6000 without batching, 60,000 with batching.

Message size: min 1 byte, max 256 KB.

Visibility timeout: default 30 sec, min 0 sec, max 12 hours.

23
Q

Big data analytics company, real-time vehicle tracking. Data processing has I/O-intensive and throughput-intensive DB work. NoSQL database hosted on EC2. Must support 25,000 IOPS per volume. Which EBS volume type?

A

Correct: Provisioned IOPS SSD (io1), designed for critical, I/O-intensive, throughput-intensive database work. Supports:
* 50 IOPS per GiB to a max of 64,000 IOPS
* max of 1000 MiB per sec of throughput per volume

Incorrect:
General Purpose SSD (gp2)
* max IOPS per volume 16,000 for gp2 and gp3
* throughput 250 MiB/s for gp2 (2 = 250), and for gp3: 1000 MiB/s (3 = 3 zeros)

Incorrect:
Throughput Optimised HDD (st1) has
* 500 IOPS per volume for st1, 250 IOPS per volume for sc1 (cold)
* 500 MiB/s throughput for st1, 250 MiB/s for sc1 (cold)

IOPS per volume ladder:
256,000 = io2 Block Express (multiply previous by 4)
64,000 = io1 and io2 (multiply previous by 4)
16,000 = gp2 and gp3 ….. START SSD ^^ (multiply previous by 32)
500 = st1 (same as throughput)
250 = sc1 (same as throughput) HDD

More info on io2 and io2 Block Express:
IOPS per volume: io2 = 64,000 …. io2 Block Express = 256,000
Max throughput per volume: io2 = 1000 MiB/s …. io2 Block Express = 4000 MiB/s

24
Q

Launch configuration tenancy setting in an Auto Scaling group vs VPC tenancy: rules matrix. A simple rule applies.

A

Launch config tenancy (LCT) = default
VPC Tenancy (VT) = default
Result = shared tenancy instance

LCT = default
VT = dedicated
Result = dedicated

LCT = dedicated
VT = default
Result = dedicated

Dedicated trumps default every time.

25
Q

AWS Organizations to manage departments' own accounts. Departments are in different countries and regions. Wants consistent resource provisioning across departments, and pre-defined configs for EC2 types, IAM roles, etc. Options:

A

Not covered in lectures

Correct: use CloudFormation StackSets to deploy the same template across AWS accounts and regions. StackSets extend the functionality of stacks: create, update and delete stacks across multiple accounts and regions with a single operation, using a single CloudFormation template controlled by the org administrator.

Incorrect: as above but "… use CloudFormation templates …"; templates alone cannot deploy the same template across accounts and regions.

26
Q

EC2 dedicated host vs instance

A

Dedicated Host: an EC2 instance on a physical server dedicated to you. Visibility and control. Can use server-bound licences.

Dedicated Instance: physically isolated from other instances. May share hardware with other instances from the same account that are not dedicated. Cannot be used for server-bound licences.

Reserved Instance: not physically isolated; reduces costs by reserving / committing.

27
Q

Company moves on-prem data to S3, EFS and FSx for Windows, easily, quickly and cost effectively. Best fit to automate and accelerate the data transfer?

A

Correct: AWS DataSync. Automates and accelerates moving large data sets to AWS, 10x faster than command line tools. Integrates with:
* S3
* EFS
* FSx for Windows
* CloudWatch and CloudTrail
* also: FSx for Lustre
* FSx for OpenZFS
* FSx for NetApp ONTAP
* has a DataSync agent that can read NFS, SMB, S3 on Outposts (?), HDFS

Incorrect: AWS Transfer Family, which is FTP and related secure options. Used for S3 and EFS but not FSx for Windows.

Incorrect: File Gateway. Interface from NFS or SMB to an S3 target only, not to the other options.

28
Q

A CloudWatch alarm can recover an impaired EC2 instance. What storage volumes are OK with this?

A

Correct: the instance can be recovered if it has EBS volumes.

Incorrect: the instance can be recovered if it has an instance store.

29
Q

Company with Windows-based apps on-prem. Move to cloud, assume not hybrid. Need a shared storage solution that multiple applications can access without the need for replication, integrated with an AD domain. Options:

A

Correct: FSx for Windows File Server. Has AD integration, single and multi-AZ deployments, managed backups, encryption of data at rest and in transit, HDD and SSD options; change throughput and size of storage at any time.

Incorrect: File Gateway, hybrid storage. Not suited to being used by multiple applications accessing in parallel (can't find a reference for this?). Data is stored in S3 in most cases, but there is an FSx for Windows option. The above is better, but it looks like this answer is partially correct? Also read the question: it did not need hybrid on-prem/cloud storage.

30
Q

Gaming app leaderboard. High elasticity, low latency, real-time processing. Options for true/false about ElastiCache.

A

Correct: ElastiCache can
* improve latency and throughput for read-heavy workloads
* improve the performance of compute-intensive workloads (I don't agree this was the best answer, but take note)
* AWS documents list many compute services like Lambda and ECS as users, so this may be a factor.

Incorrect: improve the performance of extract-transform-load (ETL) workloads, because these grab all the data, not frequently accessed data.

31
Q

Scenario:
* Custom VPC
* Attach an internet gateway (IG)
* Subnet in the VPC
* Route in the subnet route table that directs internet-bound traffic to the IG
* Launch an EC2 instance and a NAT instance in the subnet
Which entities are doing the NAT for the EC2 instance?

A

Trick question.
The NAT gateway is not configured to route traffic.
The Internet Gateway can and will do the NAT.

The subnet has a route to the IG, therefore it is a public subnet. Private subnets do not have such a route.

32
Q

Custom VPC
Attach an internet gateway (IG)
Subnet in the VPC
Route in the subnet route table that directs internet-bound traffic to the IG
Launch an EC2 instance and a NAT instance in the subnet
Which entities are doing the NAT for the EC2 instance?

A

Trick question.
The subnet has a route to the IG, therefore it is a public subnet. Private subnets do not have a route to the internet.

Also:
The Internet Gateway can and will do the NAT.

The NAT gateway is not configured to route traffic.

33
Q

Spot instances, blocks, requests, termination, stopping. Incorrect question, too complex to cover.

A

Not covered.

34
Q

Company has an on-prem data centre, Direct Connect, and on-prem DNS. Wants to resolve DNS queries from on-prem to cloud and vice versa. How to configure?

A

Create an outbound endpoint on the Route 53 Resolver, which will conditionally forward queries from the VPC to on-prem.

Create an inbound endpoint on the Route 53 Resolver so that on-prem can forward queries to Route 53.

The one I got wrong had confusing wording; if I had carefully read it I would have selected correctly.

35
Q

MS AD used on-prem. Company has a hybrid cloud. Needs to run a SQL Server based app with directory-aware workloads. Configure an AD trust relationship to enable SSO. Options for AD…

A

Correct: AWS Managed Microsoft AD.
Incorrect: Simple AD; should be obvious from trust and SSO.
Incorrect: AD Connector; can't be used for directory-aware workloads, but can be used for on-prem users to log into AWS applications with AD credentials.

36
Q

Bank moved to cloud, using EC2 Auto Scaling for web. The MySQL relational DB is a bottleneck. Urgently need managed autoscaling for a relational DB. Option:

A

Correct: Aurora Serverless. On-demand, auto-scaling Aurora. It will start up, shut down and scale capacity based on needs. No need to manage instances. Cost effective for infrequent, intermittent, unpredictable workloads. Pay per second. Migrate between standard and serverless in the console.

Incorrect: Aurora.

37
Q

ELB and EC2 fleet. In-flight requests from the LB to EC2 are getting dropped when an instance becomes unhealthy. Options to address:

A

Sticky sessions
Idle timeout
Cross-zone load balancing
Connection draining (correct)

38
Q

Kinesis Data Streams and Firehose: data sources, throughput

A

Sources for Data Streams:
* Kinesis Agent
* Mobile or compute clients or applications
* SDK or Kinesis Producer Library

Sources for Firehose:
* ALL OF THE SAME Data Streams sources!
* Plus Data Streams as a source
* CloudWatch Logs
* IoT

Throughput
Data Streams:
* ingest 1 MB/sec per shard or 1000 msg/sec
* output 2 MB/s per shard across all consumers
* enhanced fan-out mode: 2 MB/s per shard per consumer
* data is ordered per shard with a sequence number
* storage for 1 to 365 days with a replay function (different to Firehose)

Destinations for Firehose:
* S3
* Redshift (S3 first, then COPY to Redshift)
* OpenSearch
* 3rd party apps like Splunk and Datadog
* HTTP endpoint

Firehose is:
* near real-time, up to 60 sec per batch
* autoscales for traffic
* writes in batches