TD Exam 2 - Long review

Question 1

Why should classic load balancers be avoided

Answer 1

Each unique HTTPS name requires an individual CLB, so it does not scale

Question 2

Which layer is ALB

Answer 2

Layer 7

Question 3

Which protocols are supported by ALB

Answer 3

HTTP and HTTPS

Question 4

What are some Layer 7 protocols not understood by ALB

Answer 4

SMTP, SSH, custom gaming protocols…

Question 5

What are some listeners not supported by ALB

Answer 5

TCP, UDP, TLS

Question 6

What load balancer should you use if you need to make decisions based on L7 content (cookies, custom header, user location, etc)

Answer 6

ALB

Question 7

What is a security trade-off of ALB

Answer 7

SSL always terminates on ALB - No unbroken SSL chain
A new connection is made to the application

Question 8

What is needed if ALB uses HTTPS

Answer 8

The ALB must have SSL cert(s)

Question 9

Which is faster, ALB or NLB

Answer 9

NLB

Question 10

What is an advantage of ALB with regards to Healthchecks

Answer 10

ALB evaluates app health at layer 7 (can make an app-layer request)

Question 11

What can be used to direct connections in ALB

Answer 11

Rules

Question 12

What can ALB rule conditions be based on

Answer 12

Host header
Http header
Http request method
Path pattern
Query string
Source IP

Question 13

What are some actions ALB can do with rules

Answer 13

Forward
Redirect
Fixed response
Authenticate-oidc
Authenticate-cognito

Question 14

What should you do if you need to forward connections to the instance without terminating it on load balancer

Answer 14

Use NLB

Question 15

Which layer do NLBs work on

Answer 15

Layer 4

Question 16

What protocols are supported by NLB

Answer 16

TCP, TLS, UDP, TCP_UDP

Question 17

How much faster are NLBs compared to ALBs

Answer 17

Much faster (1/4 of latency)

Question 18

What is a limitation of Healthchecks for NLB

Answer 18

Only checks ICMP / TCP handshakes

Question 19

Which Load Balancer can have a static IP

Answer 19

NLB; ALB can with workarounds I think

Question 20

What is a security advantage of NLB

Answer 20

They forward TCP to instances, the HTTPS encryption is unbroken
(With TCP listener)

Question 21

Which Load Balancers can be used with Private Link

Answer 21

NLB

Question 22

Can Lambda@Edge run inside a VPC

Answer 22

No

Question 23

Which languages are supported by Lambda@Edge

Answer 23

Node and Python

Question 24

Where would you place your Lambda@Edge to perform A/B testing

Answer 24

Viewer request

Question 25

In CloudFront, how can you have a different version of an image depending on the customer without redirects or url changes

Answer 25

With a Lambda@Edge function on the viewer request
Change the url with the Lambda

Question 26

How can you do a gradual S3 origin migration in CLoudFront

Answer 26

With Lambda@Edge on the origin request

Question 27

How can you deliver different objects based on device in CLoudFront

Answer 27

Lambda@Edge Origin Request

Question 28

How can you vary the content displayed by country in CloudFront

Answer 28

Lambda@Edge Origin Request

Question 29

What are the units of distribution in CloudFront

Answer 29

Distributions

Question 30

What are the price classes in CloudFront

Answer 30

Which edge locations to use

Question 31

In CloudFront, where do you associate WAF

Answer 31

At a distribution level

Question 32

In CloudFront, where do you specify an alternate domain name

Answer 32

In the distribution

Question 33

In CloudFront, where do you specify TLS and certifications

Answer 33

At the distribution level

Question 34

What are the protocols supported by DataSync

Answer 34

SMB and NFS

Question 35

Where does DataSync run

Answer 35

As a VM onprem

Question 36

What are some features of DataSync

Answer 36

Schedule, throttle, recover from failure

Question 37

What are some destinations of DataSync

Answer 37

S3, EFS, FSx

Question 38

When should you use DataSync

Answer 38

When you need reliable transfer of large amounts of data

Question 39

What is redshift

Answer 39

A PB-scale data warehouse

Question 40

What type of db is Redshift

Answer 40

OLAP (Column-based)

Question 41

What is OLTP

Answer 41

Online Transaction Processing, row/transactions

Question 42

What is OLAP

Answer 42

Online Analytical Processing (Column based)

Question 43

What does Redshift allow with S3

Answer 43

Direct query to S3 using REdshift Spectrum

Question 44

What does Redshift allow with other DBs

Answer 44

Direct query with federated query

Question 45

What interface is supported by Readshift

Answer 45

SQL-like (JDBC/ODBC)

Question 46

Is Redshift serverless

Answer 46

No

Question 47

What should you use for ad-hoc queries of S3 objects

Answer 47

Athena

Question 48

How are rules processed for NACLs

Answer 48

In order, lowest rule number first. Once match occurs, processing stops. * is an implicit deny if nothing else matches

Question 49

What type of firewall are NACLs

Answer 49

Seubnet-level stateless firewall

Question 50

Why do should NACLs be used in conjunction with SGs

Answer 50

To add explicit denys

Question 51

How many NACLs can a subnet have

Answer 51

One

Question 52

How many subnets can a NACL be associated with

Answer 52

Many

Question 53

Are Security Groups stateless or stateful

Answer 53

Stateful

Question 54

What is a major limitation of Security Groups

Answer 54

You cannot do specific deny (like block bad actor IPs)

Question 55

What do SGs support

Answer 55

IP/CIDR and logical AWS ressources, including other SGs and itself

Question 56

What are SGs attached to

Answer 56

To an Elastic Network Interface

Question 57

What actually happens when you attach an SG to an instance

Answer 57

It is attached to it’s primary ENI

Question 58

How can you use SGs to allow 2 instances to communicate

Answer 58

Reference each other’s SGs in it’s own SG rules

Question 59

What do SG references apply to

Answer 59

Anything which has the SG attached

Question 60

What are benefits of SG references

Answer 60

It scales well (new instances)
No need to handle changing IPs

Question 61

What is an advantage of self-referencing SGs

Answer 61

Means intra-app communication is allowed if you have multiple instances running an app

Question 62

What are the 3 important values associated to ASG

Answer 62

Minimum, Desired and Maximum

Question 63

What is used to update ASGs based on metrics

Answer 63

Scaling policies

Question 64

Where do auto-scaling groups run

Answer 64

On a VPC across one or more subnets

Question 65

What are the 2 potential sources for instance config for ASG

Answer 65

Launch templates or launch configurations

Question 66

What do Scaling Policies adjust

Answer 66

The desired capacity

Question 67

What do ASGs define

Answer 67

Where instances are launched

Question 68

What are the 3 types of scaling policies

Answer 68

Manual
Scheduled
Dynamic scalings

Question 69

What are the 3 subtypes of dynamic scaling

Answer 69

Simple
Stepped scaling
Target tracking

Question 70

What is a Cooldown Period in ASGs

Answer 70

Period to wait after a scaling event before another one can happen

Question 71

What is an advantage of an ASG using an ALB Healthcheck rather than EC2 status check

Answer 71

Can monitor state of HTTP/HTTPS requests

Question 72

Why is RDS Proxy needed

Answer 72

Prevent constant open/closing of DB connections (like with Lambda)
Helps with handling db failure

Question 73

Where does RDS Proxy run

Answer 73

In a VPC (Across all AZs)

Question 74

Is RDS Proxy managed

Answer 74

Yes

Question 75

What is behind RDS Proxy

Answer 75

Long-term connection pool

Question 76

What does RDS Proxy do in practice

Answer 76

Makes connections much faster than connecting directly to db
Connections to RDS from proxy can be reused
Multiplexing

Question 77

What happens with RDS Proxy if db is unresponsive

Answer 77

It waits, the connection between client and RDS proxy is established anyways

Question 78

Can RDS Proxy be used with Aurora

Answer 78

Yes

Question 79

Where is an RDS Proxy accessible from

Answer 79

Only from a VPC

Question 80

When using RDS Proxy, do you need to change your app

Answer 80

No, the app sees it as a normal db endpoint

Question 81

Can RDS enforce SSL/TLS

Answer 81

Yes

Question 82

What are some characteristics of API Gateway

Answer 82

HA, Scalable, handles authorization, throttling, caching, transformations, openapi spec, direct integration

Question 83

Can API Gateway connect to onprem service

Answer 83

Yes

Question 84

What APIs are supported by API Gateway

Answer 84

HTTP, REST and WebSocket

Question 85

What are the endpoint types for API Gateway

Answer 85

Edge Optimized
Regional
Private (only accessed within a VPC)

Question 86

Does API Gateway support stages

Answer 86

Yes

Question 87

Where do you enable canary for API Gateway

Answer 87

It is on a specific stage

Question 88

What does API Gateway give when the throtting limit is reached

Answer 88

429

Question 89

What does a 502 from API Gateway mean

Answer 89

Bad Gateway exception - the lambda is returning something invalid

Question 90

What is the timeout for API Gateway

Answer 90

29s

Question 91

What do you get when you go beyond the timeout for API Gateway

Answer 91

504

Question 92

What does 503 mean from API Gateway

Answer 92

Backing endpoint is offline; Major service issue

Question 93

What is AWS Config used for

Answer 93

Record configuration changes over time on resources
Auditing of changes, compliance with standards

Question 94

Does AWS Config prevent changes happening

Answer 94

No

Question 95

What type of service is AWS Config

Answer 95

Regional service

Question 96

What can AWS Config be integrated with

Answer 96

SNS
EventBridge & Lambda

Question 97

Where does AWS Config store it’s data

Answer 97

S3

Question 98

What does AWS Inspector do

Answer 98

It scans EC2 instances and its OS (also containers) for vulnerabilities and deviations against best practices

Question 99

What does AWS Inspector output

Answer 99

A report of findings ordered by priority

Question 100

Does Inspector need an agent

Answer 100

Not for Network assessment, but for network and host assessment yes

Question 101

Can Inspector check CVEs

Answer 101

Yes

Question 102

What do you use to check for CVEs and CIS of EC2

Answer 102

Inspector

Question 103

What does GuardDuty do

Answer 103

It is a continues security monitoring service
Analyses supported data sources
Uses AI
Identifies unexpected and unauthorised activity

Question 104

What does synchronous data replication

Answer 104

RDS Multi-AZ Instance mode

Question 105

How do you access the primary db instance in RDS multi-AZ

Answer 105

With the database CNAME (DNS record)

Question 106

What can happen from the standby in RDS Multi-AZ

Answer 106

Backups & snapshots (to S3)

Question 107

Do reads occur in the secondary instance in instance-mode multi-AZ RDS

Answer 107

no

Question 108

How long does the failover take in RDS multi-AZ

Answer 108

60-120 seconds

Question 109

What happens during failover for RDS multi-az instance mode

Answer 109

DNS CNAME changes to point to secondary

Question 110

How can you reduce failover time for RDS multi-AZ instance mode

Answer 110

Remove DNS caching in app for the dns name

Question 111

How many standby replicas can you have in multi-az instance mode rds

Answer 111

Only one

Question 112

What are differences between multi-az RDS cluster mode and Aurora

Answer 112

You can have more than 2 readers in Aurora
Instances have separate local storage in cluster mode

Question 113

What is RDS multi-AZ cluster mode

Answer 113

One write, many readers, still synchronous replication

Question 114

How many instances can you have in RDS multi-AZ cluster mode

Answer 114

2 readers and one writer

Question 115

What are differences between RDS multi-AZ instance and cluster mode

Answer 115

You can use reader instances in cluster mode, and you can have 2

Question 116

Do you need to change app code to take advantage of RDS multi az cluster mode

Answer 116

Yes, to handle the fact that there are read-only instances

Question 117

In RDS multi-AZ cluster mode, when is data seen as committed

Answer 117

When 1+ read finishes writing

Question 118

In RDS multi-AZ Cluster mode, where does the cluster endpoint point

Answer 118

To the writer

Question 119

In RDS multi-AZ Cluster mode, what is the cluster endpoint point used for

Answer 119

Read, Writes and admin

Question 120

What does a reader endpoint do in RDS multi-az cluster mode

Answer 120

Directs reads to an available reader (can include writer)

Question 121

What are instance endpoints in RDS ulti-AZ cluster mode

Answer 121

They point at specific instances, used for testing and fault finding

Question 122

What is the failover in RDS cluster mode multi-AZ

Answer 122

35s

Question 123

What is Amazon Database Migration Service

Answer 123

A managed database migration service

Question 124

What does DMS use

Answer 124

A Replication instance running on ec2

Question 125

What are the 3 modes you can run DMS jobs

Answer 125

Full load (transfer everything)
CDC (Change data capture)
Or both

Question 126

What is a use case for CDC mode of DMS job

Answer 126

If you’re using another service to transfer the bulk of the data

Question 127

How can you do schema conversion with DMS

Answer 127

Using Schema Conversion Tool

Question 128

When is Schema Conversion Tool Used

Answer 128

When converting from one db type to another

Question 129

What should you do about DMS when having a large amount of Data

Answer 129

You can use Snowball
Use SCT locally to write to snowball
Load data from snowball into s3, then from s3 to target db
Then do CDC

Question 130

What does AWS Control Tower do

Answer 130

Enables Quick and easy setup of multi-account env

Question 131

What is the difference between Control Tower and AWS Organizations

Answer 131

Control Tower uses other AWS services, including orgnizations

Question 132

What is a Control Tower Landing Zone

Answer 132

It is the multi-account environment

Question 133

What are some features of Landing Zone

Answer 133

SSO/ID Federation, Centralised Logging and Auditing

Question 134

What is Landing Zone Guard Rails

Answer 134

It is used to detect/mandate rules/standards across all accounts

Question 135

What is Landing Zone Account Factory

Answer 135

It Automates and Standardises new account creation

Question 136

Where do you create a Control Tower Landing zone

Answer 136

From an account that becomes the management account

Question 137

What provides the SSO for aws

Answer 137

IAM Identity center

Question 138

What are some AWS services used by Control Tower

Answer 138

AWS Organizations, AWS Config, CloudFormation

Question 139

What are the 3 types of Control Tower Guard rails

Answer 139

Mandatory, Strongly recommended or elective

Question 140

What are Control Tower preventive Guard rails

Answer 140

They stop you from doing things, they use AWS ORG Service Control Policy

Question 141

What are Control Tower detective guard rails

Answer 141

They do compliance checks using AWS Config

Question 142

What are the 2 types of identities in AWS

Answer 142

IAM User and IAM Role

Question 143

What is the number limit of IAM Users

Answer 143

5000

Question 144

What are the 2 types of policies associated with a role

Answer 144

Trust policy and Permissions policy

Question 145

What is a roleTrust Policy

Answer 145

Who can assume the role

Question 146

What generates temporary credentials

Answer 146

Security Token Service

Question 147

Where do you specify the role of an ECS task

Answer 147

in the task definition, in the taskRoleArn section

Question 148

What is Kinesis Firehose

Answer 148

Fully managed service to load data for data lakes, data stores and analytics service
Fully serverless

Question 149

Is FireHose Real-Time

Answer 149

Near-Real-Time (60s)

Question 150

What are the valid destinations for Kinesis Firehose

Answer 150

HTTP endpoints
splunk
Redshift
ElasticSearch
Destination bucket

Question 151

Are Kinesis streams real-time

Answer 151

Yes, 200 ms

Question 152

How many master accounts can an organization have

Answer 152

One

Question 153

Can organizations pool service usage to get discounts

Answer 153

Yes

Question 154

What are Service Control Policies

Answer 154

They are account permissions boundaries

Question 155

What can SCPs be attached to

Answer 155

It can be attached to accounts, OUs or the whole organization

Question 156

Can all accounts be affected by SCPs

Answer 156

No, the management account ignores SCPs

Question 157

Can SCPs affect root users

Answer 157

Yes, the SCP restricts the whole account

Question 158

Do SCPs grant permissions

Answer 158

No

Question 159

What do SCPs do

Answer 159

They limit permissions that can be assigned

Question 160

How many VPCs are involved in VPC peering

Answer 160

2

Question 161

Can you do VPC peering with 3 VPCs

Answer 161

No

Question 162

What is VPC peering

Answer 162

A direct encrypted network link between 2 vpcs

Question 163

Can you do VPC peering cross-region

Answer 163

Yes

Question 164

Can you do VPC peering cross-account

Answer 164

Yes

Question 165

Can you use Security Groups over vpc peers

Answer 165

Yes, but only in the same region

Question 166

Does VPC peering support transitive peering

Answer 166

No

Question 167

What configs are necessary to ensure peering works

Answer 167

Routing (route tables in both vpcs), Sgs and NACL could filter also

Question 168

What is a limitation of VPC peering

Answer 168

Cannot be done if the VPCs have CIDR range overlap

Question 169

Is site-to-site HA

Answer 169

Yes, if designed and implemented correctly

Question 170

Do you need a static IP for onprem when setting up VPN

Answer 170

yes

Question 171

What is geolocation routing

Answer 171

You tag records with country, continent, subdivision or default
Then check location of user (normally the resolver)

Question 172

What is the order of checking in geolocation routing

Answer 172

Starts with state, if match returns record
Then Country
Then continent
Then default (optionally)
It returns the most specific record or NO ANSWER

Question 173

What can geolocation routing be used for

Answer 173

Regional restrictions, language-specific content or load balancing across regional endpoints

Question 174

Does geolocation routing return the closest record

Answer 174

No, just the most relevant

Question 175

What does geoproximity routing do

Answer 175

It gives the CLOSEST record

Question 176

What can resources be tagged with in R53 geoproximity routing

Answer 176

AWS region, or lat and long

Question 177

What does a bias do in geoproximity routing

Answer 177

Affects the effective area of a resource

Question 178

What kind of storage does EBS provide

Answer 178

Block storage

Question 179

Can EBS be encrypted

Answer 179

Yes, using KMS

Question 180

Can EBS be across AZs

Answer 180

No

Question 181

What kind of resiliency does EBS have

Answer 181

Some built-in resiliency if a physical device fails, but it can<t withstand an AZ failure

Question 182

Can you attach EBS to multiple instances

Answer 182

Yes, but app needs to manage concurrency
By default, think of it as being attached to one instance at a time

Question 183

Can you backup EBS

Answer 183

Yes, with a snapshot in S3

Question 184

How can you migrate EBS between AZs

Answer 184

Create a snapshot, then create a volume in a different az from the snapshot

Question 185

How can you configure private access to AWS Public services from a private VPC

Answer 185

Use VPC Gateway endpoints or VPC interface endpoints

Question 186

What services are supported by VPC Gateway endpoints

Answer 186

DynamoDB and S3

Question 187

What services are supported by VPC Interface Endpoint

Answer 187

Everything but DynamoDB

Question 188

What is a Gateway endpoint associated with

Answer 188

It is per service per region

Question 189

How does a Gateway endpoint work

Answer 189

A prefix list is added to the route table

Question 190

Which type of VPC endpoint is HA by default (Gateway or interface)

Answer 190

Gateway

Question 191

How do you change what a Gateway endpoint can access

Answer 191

Endpoint policy

Question 192

Can Gateway endpoint access inter-region services

Answer 192

No

Question 193

How can you make sure a bucket can only be used from within a specific VPC

Answer 193

Set up a bucket policy

Question 194

If you don’t use a VPC endpoint, what do you need to access AWS public services from within a VPC

Answer 194

NAT GW or public subnet

Question 195

Where is a Gateway endpoint located

Answer 195

From within a VPC, but it has a private tunnel to the service

Question 196

Are gateway endpoints accessible from outside it’s VPC

Answer 196

No

Question 197

Are interface endpoints HA

Answer 197

Not by default

Question 198

How do you control access to interface endpoints

Answer 198

Via Security Groups

Question 199

What protocols are supported by interface endpoints

Answer 199

TCP only

Question 200

What IP version can you use with interface endpoints

Answer 200

IPv4 only

Question 201

What is used by interface endpoints

Answer 201

PrivateLink

Question 202

What does a PrivateLink do

Answer 202

It allows you to inject AWS or 3rd party services in a VPC

Question 203

How do you specify what can be done with an interface endpoint

Answer 203

Endpoint policies

Question 204

How do interface endpoints work

Answer 204

They have a DNS name

Question 205

What are the different ways to un interface endpoints with regards to DNS

Answer 205

Use AZ DNS name
Use region DNS name
Use provateDNS to force it’s usage when the public DNS name of the service is called

Question 206

Which kind of VPC endpoint use routing to give private access to AWS public services

Answer 206

Gateway endpoint

Question 207

What is Glue

Answer 207

Serverless ETL and data catalog
Moves and transforms data between source and destination

Question 208

What is datapipeline

Answer 208

It can do ETL using EMR (uses server)

Question 209

What does Glue generate

Answer 209

AWS Glue Data Catalog

Question 210

What is a data catalog

Answer 210

Persistent metadata about data sources in a region
One catalog per region per account

Question 211

How are catalogs discovered

Answer 211

Using crawlers

Question 212

What do crawlers do

Answer 212

Connect to data stores, determine schema and create metadata in the catalog