TD Exam 2 - Long review Flashcards

1
Q

Why should classic load balancers be avoided

A

Each unique HTTPS name requires its own CLB (one certificate per listener, no SNI), so it does not scale

2
Q

Which layer is ALB

A

Layer 7

3
Q

Which protocols are supported by ALB

A

HTTP and HTTPS

4
Q

What are some Layer 7 protocols not understood by ALB

A

SMTP, SSH, custom gaming protocols…

5
Q

What are some listeners not supported by ALB

A

TCP, UDP, TLS

6
Q

What load balancer should you use if you need to make decisions based on L7 content (cookies, custom header, user location, etc)

A

ALB

7
Q

What is a security trade-off of ALB

A

SSL/TLS always terminates on the ALB, so there is no unbroken TLS chain from client to instance
The ALB opens a new connection to the application (the ALB can see, log and alter the plaintext)

8
Q

What is needed if ALB uses HTTPS

A

The ALB must have SSL cert(s)

9
Q

Which is faster, ALB or NLB

A

NLB

10
Q

What is an advantage of ALB with regards to Healthchecks

A

ALB evaluates app health at layer 7 (can make an app-layer request)

11
Q

What can be used to direct connections in ALB

A

Rules

12
Q

What can ALB rule conditions be based on

A

Host header
Http header
Http request method
Path pattern
Query string
Source IP

13
Q

What are some actions ALB can do with rules

A

Forward
Redirect
Fixed response
Authenticate-oidc
Authenticate-cognito

14
Q

What should you do if you need to forward connections to the instance without terminating it on load balancer

A

Use NLB

15
Q

Which layer do NLBs work on

A

Layer 4

16
Q

What protocols are supported by NLB

A

TCP, TLS, UDP, TCP_UDP

17
Q

How much faster are NLBs compared to ALBs

A

Much faster (1/4 of latency)

18
Q

What is a limitation of Healthchecks for NLB

A

The default TCP check only confirms that a handshake completes; it does not evaluate the application's response the way an ALB layer 7 check does (NLB can also be configured with HTTP/HTTPS checks, but not ICMP)

19
Q

Which Load Balancer can have a static IP

A

NLB; ALB can with workarounds I think

20
Q

What is a security advantage of NLB

A

With a TCP listener they forward the TCP stream to the instances untouched, so the HTTPS encryption is unbroken end to end (the NLB never holds the private key)

21
Q

Which Load Balancers can be used with Private Link

A

NLB

22
Q

Can Lambda@Edge run inside a VPC

A

No

23
Q

Which languages are supported by Lambda@Edge

A

Node and Python

24
Q

Where would you place your Lambda@Edge to perform A/B testing

A

Viewer request

25
In CloudFront, how can you have a different version of an image depending on the customer without redirects or url changes
With a Lambda@Edge function on the viewer request that rewrites the URL inside the request
26
How can you do a gradual S3 origin migration in CloudFront
With Lambda@Edge on the origin request
27
How can you deliver different objects based on device in CloudFront
Lambda@Edge Origin Request
28
How can you vary the content displayed by country in CloudFront
Lambda@Edge Origin Request
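The three CloudFront cases above (A/B testing on the viewer request; device- and country-specific objects on the origin request) as Lambda@Edge handlers in Python. This is an added example, not code from the flashcards or from AWS; the cookie name `ab-variant`, the `/variant-x`, `/mobile` and country path prefixes, and the `sample_event` helper that fabricates a minimal CloudFront event are all assumptions made for the example.

```python
"""Lambda@Edge handlers in Python for the CloudFront cases above (added example)."""
import hashlib

AB_COOKIE = "ab-variant"                       # assumed cookie name
MOBILE_HEADER = "cloudfront-is-mobile-viewer"  # set by CloudFront, present at the origin only if forwarded
COUNTRY_HEADER = "cloudfront-viewer-country"   # same


def _header(request, name):
    """First value of a header in a CloudFront event; names are lower-cased in the event."""
    values = request.get("headers", {}).get(name.lower())
    return values[0]["value"] if values else None


def _cookie(request, name):
    """Parse one cookie out of the Cookie header, or return None."""
    for part in (_header(request, "cookie") or "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def viewer_request_ab(event, context=None):
    """viewer-request trigger: choose an A/B variant and rewrite the URI.

    The viewer's URL never changes and no redirect is sent; because the rewritten URI
    is the cache key, each variant is cached as its own object.
    """
    request = event["Records"][0]["cf"]["request"]
    variant = _cookie(request, AB_COOKIE)
    if variant not in ("a", "b"):
        # No cookie yet: bucket on the client IP so the same viewer keeps getting the same variant.
        digest = hashlib.sha256(request.get("clientIp", "").encode()).digest()
        variant = "a" if digest[0] % 2 == 0 else "b"
    request["uri"] = f"/variant-{variant}{request['uri']}"
    return request


def origin_request_device_country(event, context=None):
    """origin-request trigger: pick a device- and country-specific object from the origin.

    Runs only on a cache miss, so the work happens once per cached object, but the two
    CloudFront headers must be forwarded by the origin request policy or they are absent here.
    """
    request = event["Records"][0]["cf"]["request"]
    prefix = ""
    if _header(request, MOBILE_HEADER) == "true":
        prefix += "/mobile"
    country = _header(request, COUNTRY_HEADER)
    if country:
        prefix += "/" + country.lower()
    request["uri"] = prefix + request["uri"]
    return request


def sample_event(uri, headers, client_ip="203.0.113.10"):
    """Constructed minimal CloudFront event for local testing (not a real captured event)."""
    lowered = {k.lower(): [{"key": k, "value": v}] for k, v in headers.items()}
    request = {"uri": uri, "method": "GET", "clientIp": client_ip, "headers": lowered}
    return {"Records": [{"cf": {"request": request}}]}


if __name__ == "__main__":
    ev = sample_event("/img/hero.jpg", {"CloudFront-Is-Mobile-Viewer": "true",
                                        "CloudFront-Viewer-Country": "DE"})
    print(origin_request_device_country(ev)["uri"])   # /mobile/de/img/hero.jpg
    ev = sample_event("/index.html", {"Cookie": "ab-variant=b; theme=dark"})
    print(viewer_request_ab(ev)["uri"])                # /variant-b/index.html
```

Two things the handler does not do: it does not set the `ab-variant` cookie (that needs a viewer-response trigger), and it cannot reach anything inside a VPC, which is why the rewrite targets object paths rather than a private backend.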
29
What are the units of distribution in CloudFront
Distributions
30
What are the price classes in CloudFront
Which edge locations to use
31
In CloudFront, where do you associate WAF
At a distribution level
32
In CloudFront, where do you specify an alternate domain name
In the distribution
33
In CloudFront, where do you specify TLS and certifications
At the distribution level
34
What are the protocols supported by DataSync
SMB and NFS
35
Where does DataSync run
As an agent VM on-prem
36
What are some features of DataSync
Schedule, throttle, recover from failure
37
What are some destinations of DataSync
S3, EFS, FSx
38
When should you use DataSync
When you need reliable transfer of large amounts of data
39
What is redshift
A PB-scale data warehouse
40
What type of db is Redshift
OLAP (Column-based)
41
What is OLTP
Online Transaction Processing, row/transactions
42
What is OLAP
Online Analytical Processing (Column based)
43
What does Redshift allow with S3
Direct query to S3 using Redshift Spectrum
44
What does Redshift allow with other DBs
Direct query with federated query
45
What interface is supported by Redshift
SQL, via JDBC/ODBC drivers
46
Is Redshift serverless
Not originally (provisioned clusters); Amazon Redshift Serverless is now also offered
47
What should you use for ad-hoc queries of S3 objects
Athena
48
How are rules processed for NACLs
In order, lowest rule number first. Once match occurs, processing stops. * is an implicit deny if nothing else matches
49
What type of firewall are NACLs
Subnet-level stateless firewall
50
Why should NACLs be used in conjunction with SGs
To add explicit denys
51
How many NACLs can a subnet have
One
52
How many subnets can a NACL be associated with
Many
53
Are Security Groups stateless or stateful
Stateful
54
What is a major limitation of Security Groups
You cannot do specific deny (like block bad actor IPs)
55
What do SGs support
IP/CIDR and logical AWS resources, including other SGs and itself
56
What are SGs attached to
To an Elastic Network Interface
57
What actually happens when you attach an SG to an instance
It is attached to its primary ENI
58
How can you use SGs to allow 2 instances to communicate
Reference each other's SG in their own SG rules
59
What do SG references apply to
Anything which has the SG attached
60
What are benefits of SG references
It scales well (new instances are covered automatically); no need to handle changing IPs
61
What is an advantage of self-referencing SGs
Means intra-app communication is allowed if you have multiple instances running an app
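The NACL and security group cards above (ordered first-match evaluation with an implicit deny, stateless vs stateful, no deny in SGs, SG references and self-references) modelled in plain Python so the semantics can be checked rather than memorised. This is an added example, not AWS code and not part of the flashcards; the rule sets, IP addresses, and the group ids `sg-app` / `sg-other` are constructed for the example, and the model ignores ICMP and egress SG rules.

```python
"""Packet-filter semantics of NACLs vs security groups, modelled in plain Python (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str       # "tcp", "udp", ...
    dst_port: int
    direction: str      # "inbound" or "outbound", relative to the subnet / ENI


@dataclass(frozen=True)
class NaclRule:
    number: int         # evaluated lowest first; first match wins
    protocol: str       # "tcp", "udp" or "-1" for all
    cidr: str           # matched against src for inbound, dst for outbound
    port_from: int
    port_to: int
    action: str         # "allow" or "deny"


def nacl_decide(rules, pkt):
    """NACL evaluation: ascending rule number, stop at the first match, '*' rule = deny."""
    remote = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", pkt.protocol):
            continue
        if ip_address(remote) not in ip_network(rule.cidr):
            continue
        if not (rule.port_from <= pkt.dst_port <= rule.port_to):
            continue
        return rule.action
    return "deny"   # the catch-all '*' rule


@dataclass(frozen=True)
class SgRule:
    protocol: str
    port_from: int
    port_to: int
    source: str         # CIDR, or a security group id (may be the group itself)


def sg_allows_new_inbound(groups, membership, pkt):
    """Security-group check for a NEW inbound connection to pkt.dst_ip.

    groups: sg id -> ingress rules; membership: ENI ip -> set of sg ids attached to it.
    """
    for sg_id in membership.get(pkt.dst_ip, ()):
        for rule in groups.get(sg_id, ()):
            if rule.protocol != pkt.protocol or not (rule.port_from <= pkt.dst_port <= rule.port_to):
                continue
            if rule.source.startswith("sg-"):
                # Logical reference: matches any ENI that currently has that SG attached, whatever its IP.
                if rule.source in membership.get(pkt.src_ip, ()):
                    return True
            elif ip_address(pkt.src_ip) in ip_network(rule.source):
                return True
    return False   # SGs have no deny rule: the only way to block is to not allow


def sg_allows_reply(tracked_flows, pkt):
    """Stateful: a reply to a tracked inbound flow is allowed without any outbound rule."""
    return (pkt.dst_ip, pkt.src_ip) in tracked_flows


# Constructed sample: a public subnet NACL that blocks one abusive /24 BEFORE the general allow.
NACL_IN = [
    NaclRule(100, "tcp", "198.51.100.0/24", 443, 443, "deny"),
    NaclRule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Stateless: replies leave on ephemeral ports, so an explicit outbound rule is required.
NACL_OUT = [NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

SG_RULES = {"sg-app": [SgRule("tcp", 8080, 8080, "sg-app"),       # self-reference: intra-app traffic
                       SgRule("tcp", 443, 443, "0.0.0.0/0")]}
MEMBERSHIP = {"10.0.1.10": {"sg-app"}, "10.0.1.11": {"sg-app"}, "10.0.2.5": {"sg-other"}}

if __name__ == "__main__":
    good = Packet("203.0.113.5", "10.0.1.10", "tcp", 443, "inbound")
    bad = Packet("198.51.100.7", "10.0.1.10", "tcp", 443, "inbound")
    print(nacl_decide(NACL_IN, good), nacl_decide(NACL_IN, bad))            # allow deny
    print(sg_allows_new_inbound(SG_RULES, MEMBERSHIP, bad))                 # True: SGs cannot deny
    peer = Packet("10.0.1.11", "10.0.1.10", "tcp", 8080, "inbound")
    print(sg_allows_new_inbound(SG_RULES, MEMBERSHIP, peer))                # True via self-reference
```

Renumbering the deny rule to 120 makes it dead (the allow at 110 matches first), and removing the ephemeral outbound rule silently breaks every reply, which is exactly the kind of mistake a stateful SG never surfaces.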
62
What are the 3 important values associated to ASG
Minimum, Desired and Maximum
63
What is used to update ASGs based on metrics
Scaling policies
64
Where do auto-scaling groups run
In a VPC, across one or more subnets
65
What are the 2 potential sources for instance config for ASG
Launch templates or launch configurations
66
What do Scaling Policies adjust
The desired capacity
67
What do ASGs define
Where instances are launched
68
What are the 3 types of scaling policies
Manual, Scheduled and Dynamic scaling
69
What are the 3 subtypes of dynamic scaling
Simple scaling, Step scaling and Target tracking
70
What is a Cooldown Period in ASGs
Period to wait after a scaling event before another one can happen
71
What is an advantage of an ASG using an ALB Healthcheck rather than EC2 status check
Can monitor state of HTTP/HTTPS requests
72
Why is RDS Proxy needed
Prevents constant opening/closing of DB connections (e.g. with Lambda); helps handle DB failover
73
Where does RDS Proxy run
In a VPC (Across all AZs)
74
Is RDS Proxy managed
Yes
75
What is behind RDS Proxy
Long-term connection pool
76
What does RDS Proxy do in practice
Makes connections much faster than connecting directly to the DB; connections from the proxy to RDS can be reused (multiplexing)
77
What happens with RDS Proxy if db is unresponsive
It waits for the DB to come back; the connection between the client and RDS Proxy stays established anyway
78
Can RDS Proxy be used with Aurora
Yes
79
Where is an RDS Proxy accessible from
Only from a VPC
80
When using RDS Proxy, do you need to change your app
No, the app sees it as a normal db endpoint
81
Can RDS enforce SSL/TLS
Yes
82
What are some characteristics of API Gateway
HA, scalable; handles authorization, throttling, caching, transformations, OpenAPI spec, direct service integration
83
Can API Gateway connect to onprem service
Yes
84
What APIs are supported by API Gateway
HTTP, REST and WebSocket
85
What are the endpoint types for API Gateway
Edge Optimized, Regional, Private (only accessible from within a VPC)
86
Does API Gateway support stages
Yes
87
Where do you enable canary for API Gateway
It is on a specific stage
88
What does API Gateway return when the throttling limit is reached
429
89
What does a 502 from API Gateway mean
Bad Gateway exception: the integration (e.g. the Lambda) returned an invalid response
90
What is the timeout for API Gateway
29s
91
What do you get when you go beyond the timeout for API Gateway
504
92
What does 503 mean from API Gateway
Backing endpoint is offline; Major service issue
93
What is AWS Config used for
Records configuration changes on resources over time; auditing of changes, compliance with standards
94
Does AWS Config prevent changes happening
No
95
What type of service is AWS Config
Regional service
96
What can AWS Config be integrated with
SNS, EventBridge and Lambda
97
Where does AWS Config store its data
S3
98
What does AWS Inspector do
It scans EC2 instances and their OS (also containers) for vulnerabilities and deviations from best practices
99
What does AWS Inspector output
A report of findings ordered by priority
100
Does Inspector need an agent
Not for network assessments; host assessments (OS, CVEs, CIS) need the agent
101
Can Inspector check CVEs
Yes
102
What do you use to check for CVEs and CIS of EC2
Inspector
103
What does GuardDuty do
It is a continuous security monitoring service; analyses supported data sources, uses ML, identifies unexpected and unauthorised activity
104
Which RDS deployment does synchronous data replication
RDS Multi-AZ Instance mode
105
How do you access the primary db instance in RDS multi-AZ
With the database CNAME (DNS record)
106
What can happen from the standby in RDS Multi-AZ
Backups & snapshots (to S3)
107
Do reads occur in the secondary instance in instance-mode multi-AZ RDS
no
108
How long does the failover take in RDS multi-AZ
60-120 seconds
109
What happens during failover for RDS multi-az instance mode
DNS CNAME changes to point to secondary
110
How can you reduce failover time for RDS multi-AZ instance mode
Don't cache the DNS name in the app (or keep the cache TTL short)
111
How many standby replicas can you have in multi-az instance mode rds
Only one
112
What are differences between multi-az RDS cluster mode and Aurora
You can have more than 2 readers in Aurora; instances have separate local storage in cluster mode (Aurora uses shared cluster storage)
113
What is RDS multi-AZ cluster mode
One write, many readers, still synchronous replication
114
How many instances can you have in RDS multi-AZ cluster mode
2 readers and one writer
115
What are differences between RDS multi-AZ instance and cluster mode
You can use reader instances in cluster mode, and you can have 2
116
Do you need to change app code to take advantage of RDS multi az cluster mode
Yes, to handle the fact that there are read-only instances
117
In RDS multi-AZ cluster mode, when is data seen as committed
When at least one reader has finished writing the data (in addition to the writer)
118
In RDS multi-AZ Cluster mode, where does the cluster endpoint point
To the writer
119
In RDS multi-AZ Cluster mode, what is the cluster endpoint point used for
Read, Writes and admin
120
What does a reader endpoint do in RDS multi-az cluster mode
Directs reads to an available reader (can include writer)
121
What are instance endpoints in RDS multi-AZ cluster mode
They point at specific instances, used for testing and fault finding
122
What is the failover in RDS cluster mode multi-AZ
35s
123
What is Amazon Database Migration Service
A managed database migration service
124
What does DMS use
A Replication instance running on ec2
125
What are the 3 modes you can run DMS jobs
Full load (transfer everything), CDC (change data capture), or both
126
What is a use case for CDC mode of DMS job
If you're using another service to transfer the bulk of the data
127
How can you do schema conversion with DMS
Using Schema Conversion Tool
128
When is Schema Conversion Tool Used
When converting from one db type to another
129
What should you do about DMS when having a large amount of Data
Use Snowball: run SCT locally to write the data to the Snowball device; AWS loads it from Snowball into S3; DMS loads from S3 into the target DB; then run CDC to catch up on changes
130
What does AWS Control Tower do
Enables Quick and easy setup of multi-account env
131
What is the difference between Control Tower and AWS Organizations
Control Tower uses other AWS services, including Organizations
132
What is a Control Tower Landing Zone
It is the multi-account environment
133
What are some features of Landing Zone
SSO/ID Federation, Centralised Logging and Auditing
134
What are Landing Zone Guard Rails
It is used to detect/mandate rules/standards across all accounts
135
What is Landing Zone Account Factory
It Automates and Standardises new account creation
136
Where do you create a Control Tower Landing zone
From an account that becomes the management account
137
What provides the SSO for aws
IAM Identity center
138
What are some AWS services used by Control Tower
AWS Organizations, AWS Config, CloudFormation
139
What are the 3 types of Control Tower Guard rails
Mandatory, Strongly recommended or elective
140
What are Control Tower preventive Guard rails
They stop you from doing things; they use AWS Organizations Service Control Policies
141
What are Control Tower detective guard rails
They do compliance checks using AWS Config
142
What are the 2 types of identities in AWS
IAM User and IAM Role
143
What is the number limit of IAM Users
5000
144
What are the 2 types of policies associated with a role
Trust policy and Permissions policy
145
What is a role Trust Policy
Who can assume the role
146
What generates temporary credentials
Security Token Service
147
Where do you specify the role of an ECS task
in the task definition, in the taskRoleArn section
148
What is Kinesis Firehose
Fully managed, serverless service to load data into data lakes, data stores and analytics services
149
Is FireHose Real-Time
Near-Real-Time (60s)
150
What are the valid destinations for Kinesis Firehose
HTTP endpoints, Splunk, Redshift, Elasticsearch, destination S3 bucket
151
Are Kinesis streams real-time
Yes, 200 ms
152
How many master accounts can an organization have
One
153
Can organizations pool service usage to get discounts
Yes
154
What are Service Control Policies
They are account permissions boundaries
155
What can SCPs be attached to
It can be attached to accounts, OUs or the whole organization
156
Can all accounts be affected by SCPs
No, the management account ignores SCPs
157
Can SCPs affect root users
Yes, the SCP restricts the whole account
158
Do SCPs grant permissions
No
159
What do SCPs do
They limit permissions that can be assigned
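The SCP cards above (boundaries, attached along root/OU/account, not applied to the management account, applied to root users, never granting) as a small action-level evaluator, so the combination rules can be exercised. This is an added example, not AWS code and not part of the flashcards; it ignores resources, conditions and `NotAction`, and the `GUARDRAILS` and `S3_ONLY` policies are constructed for the example.

```python
"""How SCPs combine with identity policies: an action-level evaluator (added example)."""
import fnmatch


def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the wildcards
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_decision(policy, action):
    """'deny' if any matching statement denies, else 'allow' if one allows, else 'implicit_deny'."""
    decision = "implicit_deny"
    for statement in policy["Statement"]:
        if not any(_matches(p, action) for p in _as_list(statement["Action"])):
            continue
        if statement["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


def scps_permit(scp_path, action):
    """SCPs filter rather than grant: EVERY SCP on the path root -> OU -> account must allow
    the action and none may deny it. A member account's root user is subject to this too."""
    return all(policy_decision(scp, action) == "allow" for scp in scp_path)


def is_allowed(action, identity_policies, scp_path, management_account=False):
    """Final decision for one action: SCP filter (skipped for the management account),
    then the identity policies, with an explicit Deny anywhere winning."""
    if not management_account and not scps_permit(scp_path, action):
        return False
    decisions = [policy_decision(p, action) for p in identity_policies]
    return "deny" not in decisions and "allow" in decisions


# Constructed sample policies (FullAWSAccess is the default SCP Organizations attaches)
FULL_AWS_ACCESS = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
GUARDRAILS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "organizations:LeaveOrganization"],
     "Resource": "*"},
]}
S3_ONLY = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
ADMIN = FULL_AWS_ACCESS   # identity policy equivalent to AdministratorAccess

if __name__ == "__main__":
    path = [FULL_AWS_ACCESS, GUARDRAILS]      # root SCP, then the OU SCP
    print(is_allowed("cloudtrail:StopLogging", [ADMIN], path))                          # False
    print(is_allowed("cloudtrail:StopLogging", [ADMIN], path, management_account=True)) # True
    print(is_allowed("s3:PutObject", [], [FULL_AWS_ACCESS, S3_ONLY]))                   # False
```

The last line is the one people get wrong: an SCP that allows `s3:*` grants nothing on its own; without an identity policy the request is still denied. Conversely, an OU SCP that only lists `s3:*` silently removes every other service from an account whose IAM policies still allow them.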
160
How many VPCs are involved in VPC peering
2
161
Can you do VPC peering with 3 VPCs
No
162
What is VPC peering
A direct network link between 2 VPCs (cross-Region peering traffic is encrypted)
163
Can you do VPC peering cross-region
Yes
164
Can you do VPC peering cross-account
Yes
165
Can you use Security Groups over vpc peers
Yes, but only in the same region
166
Does VPC peering support transitive peering
No
167
What configs are necessary to ensure peering works
Routing (route tables in both VPCs); SGs and NACLs can also filter the traffic
168
What is a limitation of VPC peering
Cannot be done if the VPCs have CIDR range overlap
169
Is site-to-site VPN HA
Yes, if designed and implemented correctly
170
Do you need a static IP for onprem when setting up VPN
yes
171
What is geolocation routing
You tag records with a country, continent, subdivision or default; Route 53 then checks the location of the user (normally the resolver's)
172
What is the order of checking in geolocation routing
Starts with the subdivision (e.g. US state): if it matches, that record is returned. Then country, then continent, then default (optional). It returns the most specific matching record, or NO ANSWER
173
What can geolocation routing be used for
Regional restrictions, language-specific content or load balancing across regional endpoints
174
Does geolocation routing return the closest record
No, just the most relevant
175
What does geoproximity routing do
It gives the CLOSEST record
176
What can resources be tagged with in R53 geoproximity routing
AWS region, or lat and long
177
What does a bias do in geoproximity routing
Affects the effective area of a resource
178
What kind of storage does EBS provide
Block storage
179
Can EBS be encrypted
Yes, using KMS
180
Can EBS be across AZs
No
181
What kind of resiliency does EBS have
Some built-in resiliency if a physical device fails, but it can
182
Can you attach EBS to multiple instances
Yes (multi-attach), but the app needs to manage concurrency; by default, think of it as being attached to one instance at a time
183
Can you backup EBS
Yes, with a snapshot in S3
184
How can you migrate EBS between AZs
Create a snapshot, then create a volume in a different az from the snapshot
185
How can you configure private access to AWS Public services from a private VPC
Use VPC Gateway endpoints or VPC interface endpoints
186
What services are supported by VPC Gateway endpoints
DynamoDB and S3
187
What services are supported by VPC Interface Endpoint
Most AWS services (S3 supports both types; DynamoDB historically needed a gateway endpoint, though interface endpoints for it were added later)
188
What is a Gateway endpoint associated with
It is per service per region
189
How does a Gateway endpoint work
A prefix list is added to the route table
190
Which type of VPC endpoint is HA by default (Gateway or interface)
Gateway
191
How do you change what a Gateway endpoint can access
Endpoint policy
192
Can Gateway endpoint access inter-region services
No
193
How can you make sure a bucket can only be used from within a specific VPC
Set up a bucket policy
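The two policies from the cards above, the bucket policy that restricts a bucket to one VPC gateway endpoint and the endpoint policy that restricts what the endpoint can reach, plus a minimal evaluator showing why a `Deny` with `StringNotEquals` on `aws:SourceVpce` catches traffic from everywhere else. This is an added example, not AWS code and not part of the flashcards; the bucket name `example-bucket` and the endpoint id `vpce-0123456789abcdef0` are placeholders, and the evaluator only understands the two string operators the policies use.

```python
"""S3 bucket + gateway endpoint policies restricting access to one VPC, with an evaluator (added example)."""
import fnmatch

VPCE_ID = "vpce-0123456789abcdef0"   # placeholder, not a real endpoint id
BUCKET_ARNS = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]

# Attached to the bucket: deny everything that did not arrive through our endpoint.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyUnlessFromOurEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": BUCKET_ARNS,
        "Condition": {"StringNotEquals": {"aws:SourceVpce": VPCE_ID}},
    }],
}

# Attached to the gateway endpoint: the VPC may only talk to this one bucket.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:*", "Resource": BUCKET_ARNS}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    return fnmatch.fnmatchcase(value, pattern)


def condition_holds(condition, ctx):
    """ctx maps condition keys to request-context values; a key missing from the request is absent."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif operator == "StringNotEquals":
                # Negated operator: holds when the key is ABSENT as well as when it differs.
                # Internet and console requests carry no aws:SourceVpce, so the Deny applies to them.
                if actual is not None and actual in _as_list(expected):
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def resource_policy_decision(policy, action, resource, ctx):
    """'deny' / 'allow' / 'implicit_deny' for one request against one resource policy."""
    decision = "implicit_deny"
    for st in policy["Statement"]:
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not condition_holds(st.get("Condition", {}), ctx):
            continue
        if st["Effect"] == "Deny":
            return "deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-bucket/data/file.txt"
    print(resource_policy_decision(BUCKET_POLICY, "s3:GetObject", obj, {"aws:SourceVpce": VPCE_ID}))  # implicit_deny
    print(resource_policy_decision(BUCKET_POLICY, "s3:GetObject", obj, {}))                           # deny
    print(resource_policy_decision(ENDPOINT_POLICY, "s3:GetObject", "arn:aws:s3:::other-bucket/x", {}))  # implicit_deny
```

Note that the request arriving through the endpoint is only `implicit_deny` from the bucket policy: the Deny statement grants nothing, so the caller's identity policy still has to allow the action. The same Deny also applies to your own admins and to the console, so before attaching it add an exception (for example an `ArnNotLike` on `aws:PrincipalArn` in the same condition block for a break-glass role) or you lock yourself out of the bucket.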
194
If you don't use a VPC endpoint, what do you need to access AWS public services from within a VPC
NAT GW or public subnet
195
Where is a Gateway endpoint located
From within a VPC, but it has a private tunnel to the service
196
Are gateway endpoints accessible from outside their VPC
No
197
Are interface endpoints HA
Not by default
198
How do you control access to interface endpoints
Via Security Groups
199
What protocols are supported by interface endpoints
TCP only
200
What IP version can you use with interface endpoints
IPv4 only
201
What is used by interface endpoints
PrivateLink
202
What does a PrivateLink do
It allows you to inject AWS or 3rd party services in a VPC
203
How do you specify what can be done with an interface endpoint
Endpoint policies
204
How do interface endpoints work
They have a DNS name
205
What are the different ways to use interface endpoints with regards to DNS
Use the AZ-specific DNS name; use the regional DNS name; use private DNS to force its usage when the public DNS name of the service is called
206
Which kind of VPC endpoint use routing to give private access to AWS public services
Gateway endpoint
207
What is Glue
Serverless ETL and data catalog Moves and transforms data between source and destination
208
What is datapipeline
It can do ETL using EMR (uses servers, not serverless)
209
What does Glue generate
AWS Glue Data Catalog
210
What is a data catalog
Persistent metadata about data sources in a region One catalog per region per account
211
How are catalogs discovered
Using crawlers
212
What do crawlers do
Connect to data stores, determine schema and create metadata in the catalog