Topic 6A Flashcards

1
Q

Cloud deployment Model

A

classifies how the service is owned and provisioned.

Public (multi-tenant) is a service offered by CSPs (cloud service providers). This can be subscription based or pay as you go. As a shared resource, there are risks regarding performance and security. Multi-cloud architectures are where an organization uses services from multiple CSPs.

Hosted private—hosted by a third party for the exclusive use of the organization. This is more secure and can guarantee better performance but is correspondingly more expensive.

2
Q

Private—cloud infrastructure

A

is completely private to and owned by the organization. In this case, there is likely to be one business unit dedicated to managing the cloud while other business units make use of it.

3
Q

cloud computing

A

organizations exercise greater control over the privacy and security of their services. This type of delivery method is geared more toward banking and governmental services that require strict access control in their operations.

4
Q

Community Cloud

A

where several organizations share the costs of either a hosted private or fully private cloud. This is usually done in order to pool resources for a common concern, like standardization and security policies.

5
Q

Single-tenant architecture

A

provides dedicated infrastructure to a single customer; only that customer can access the infrastructure. It offers the highest level of security, and the customer has complete control over the infrastructure. It can be more expensive than multi-tenant architecture.

6
Q

Multi-tenant architecture

A

when multiple customers share the same infrastructure, with each customer’s data and applications separated logically from other customers. This model is cost-effective but can increase the risk of unauthorized access or data leakage if not properly secured.

7
Q

Hybrid architecture

A

uses public and private cloud infrastructure. This model provides greater flexibility and control over sensitive data and applications by allowing customers to store sensitive data on private cloud infrastructure while using public cloud infrastructure for less sensitive workloads. However, it also requires careful management to ensure proper integration and security between the public and private clouds.

8
Q

Serverless architecture

A

when the cloud provider manages the infrastructure and automatically scales resources up or down based on demand. This model can be more secure than traditional architectures because the cloud provider manages and secures the infrastructure. However, customers must still take steps to secure access to their applications and data.

9
Q

hybrid cloud

A

describes a computing environment combining public and private cloud infrastructures, although any combination of cloud infrastructures constitutes a hybrid cloud. In a hybrid cloud, companies can store data in a private cloud but also leverage the resources of a public cloud when needed.

10
Q

Hybrid cloud issues

A

The complexity of managing multiple cloud environments and integrating them with on-premises infrastructure, which can create security gaps and increase the risk of data breaches.

Another concern is the potential for unauthorized access to data and applications, particularly when sensitive information is stored in the public cloud.

Using multiple cloud providers can make it challenging to enforce consistent security policies across all environments.

It can also lead to issues with data consistency stemming from synchronization problems among multiple locations.

Legal compliance is complex and difficult to mandate.

Monitoring the hybrid environment can be more complex due to the requirement for specialized expertise and tools.

There is potential for increased network latency due to large data transfer volumes between on-premises and cloud environments, which impacts application performance.

11
Q

service-level agreements (SLAs)

A

formally outline all performance, availability, and support expectations between the cloud service provider and the organization.

Guaranteeing expected levels of service can be challenging when dealing with the integration of different cloud and on-premises systems.

12
Q

anything as a service (XaaS)

A

The concept that most types of IT requirements can be deployed as a cloud service model.

The most common implementations are infrastructure, software, and platform.

13
Q

Software as a service (SaaS)

A

A model of provisioning software applications.

Rather than purchasing software licenses for a given number of seats, a business accesses software hosted on a supplier’s servers on a pay-as-you-go or lease arrangement (on-demand).

SaaS allows developers to provision on-demand applications much more quickly than previously.

Applications are developed and tested in the cloud without the need to test and deploy on client computers.

14
Q

Platform as a service (PaaS)

A

provides resources somewhere between SaaS and IaaS.

A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top.

This platform could be based on Oracle and MS SQL or PHP and MySQL. Examples include Oracle Database (oracle.com/database).

15
Q

Infrastructure as a service (IaaS)

A

a means of provisioning IT resources such as servers, load balancers, and storage area network (SAN) components quickly.

Rather than purchase these components and the Internet links they require, you rent them as needed from the service provider’s datacenter.

16
Q

shared responsibility model

A

describes the balance of responsibility between a customer and a cloud service provider (CSP) for implementing security in a cloud platform.

The division of responsibility becomes more or less complicated based on whether the service model is SaaS, PaaS, or IaaS.

A responsibility matrix sets out these duties in a clear, tabular format.

17
Q

Cloud service provider responsibilities

A

Physical security of the infrastructure
Securing computer, storage, and network equipment
Securing foundational elements of networking, such as DDoS protection
Cloud storage backup and recovery
Security of cloud infrastructure resource isolation among tenants
Tenant resource identity and access control
Security, monitoring, and incident response for the infrastructure
Securing and managing the datacenters located in multiple geographic regions

18
Q

Cloud Service Customer responsibilities

A

User identity management
Configuring the geographic location for storing data and running services
User and service access controls to cloud resources
Data and application security configuration
Protection of operating systems, when deployed
Use and configuration of encryption, especially the protection of keys

19
Q

Centralized computing architecture

A

refers to a model where all data processing and storage is performed in a single location, typically a central server.

All users and devices rely on the central server to access and process data and depend upon the server administrator and controlling organization’s trustworthiness regarding security and privacy decisions.

20
Q

decentralized computing architecture

A

a model in which data processing and storage are distributed across multiple locations or devices.

No single device or location is responsible for all data processing and storage.

Decentralized computing architectures are an increasingly important design trend impacting modern infrastructures.

Used in flexible and resilient environments.

21
Q

noteworthy examples of decentralized architecture

A

Blockchain is a distributed ledger technology that allows for secure, transparent, and decentralized transactions.

Peer-to-peer (P2P) networks are networks designed to distribute processing and data storage among participating nodes instead of relying on a central server.

Content delivery networks (CDNs) distribute content across multiple servers to improve performance, reliability, and scalability.

Internet of Things (IoT) devices can be connected in a decentralized network to share data and processing power.

Distributed databases distribute data across multiple servers, ensuring that data is always available, even if one server goes down.

TOR (The Onion Router) is a network that enables anonymous communication and browsing. TOR routes traffic through a network of volunteer-operated servers, or nodes, to hide a user’s location and internet activity.

22
Q

Virtualization

A

A computing environment where multiple independent operating systems can be installed to a single hardware platform and run simultaneously.

23
Q

high availability (HA)

A

refers to storage provisioned with a guarantee of 99.99% uptime or better.

As with on-premises architecture, the CSP uses redundancy to make multiple disk controllers and storage devices available to a pool of storage resources.

Data may be replicated between pools or groups, with each pool supported by separate hardware resources.

24
Q

Data replication

A

allows businesses to copy data to where it can be utilized most effectively.

Replication requires low-latency network connections, security, and data integrity.

CSPs offer several data storage performance tiers (cloud.google.com/storage/docs/storage-classes). The terms “hot storage” and “cold storage” refer to how quickly data is retrieved. Hot storage retrieves data more quickly than cold, but the quicker the data retrieval, the higher the cost.

25
Q

CSP availability

A

CSPs divide the world into regions.

Each region is independent of the others.

The regions are divided into availability zones.

The availability zones have independent datacenters with their own power, cooling, and network connectivity.

You can choose to host data, services, and VM instances in a particular region to provide a lower latency service to customers.

26
Q

CSPs offer several tiers of replication representing different high availability service levels:

A

Local replication—replicates your data within a single datacenter in the region where you created your storage account. The replicas are often in separate fault domains and upgrade domains.

Regional replication (also called zone-redundant storage)—replicates your data across multiple datacenters within one or two regions. This safeguards data and access in the event a single datacenter is destroyed or goes offline.

Geo-redundant storage (GRS)—replicates your data to a secondary region that is distant from the primary region. This safeguards data in the event of a regional outage or a disaster.

27
Q

Application virtualization

A

A more limited type of VDI.

The client either accesses an application hosted on a server or streams the application from the server to the client for local processing.

Most application virtualization solutions are based on Citrix XenApp.

28
Q

Containerization

A

dispenses with the idea of a hypervisor and instead enforces resource separation at the operating system level.

The OS defines isolated “cells” for each user instance to run in.

Each cell or container is allocated CPU and memory resources, but the processes all run through the native OS kernel.

These containers may run slightly different OS distributions but cannot run different types of guest OSes.

Alternatively, the containers might run separate application processes, in which case the variables and libraries required by the application process are added to the container.

29
Q

Serverless computing

A

a cloud computing model in which the cloud provider manages the infrastructure and automatically allocates resources as needed, charging only for the actual usage of the application.

In this approach, organizations do not need to manage servers and other infrastructure, allowing them to focus on developing and deploying applications.

Example: chatbots designed to simulate conversations with human users to automate customer support, sales, marketing tasks, and mobile backends.

30
Q

virtual private cloud (VPC)

A

services such as authentication, web applications, and communications aren’t developed and managed as applications running on VM instances within the cloud. Instead, the applications are developed as functions and microservices, each interacting with other functions to facilitate client requests.

Billing is based on execution time rather than hourly charges.

31
Q

Microservices

A

an architectural approach to building software applications as a collection of small and independent services focusing on a specific business capability.

Each microservice is designed to be modular, with a well-defined interface and a single responsibility.

This approach allows developers to build and deploy complex applications more efficiently by breaking them down into smaller, more manageable components.

Microservices enable teams to work independently on different application features, making it easier to scale and update individual components without affecting the entire system.

Risks associated with this model are largely attributed to integration issues.

32
Q

Microservices and Infrastructure as Code (IaC)

A

Developers can define and deploy infrastructure as code, ensuring consistency and repeatability across different environments.

IaC is a software engineering practice that manages computing infrastructure using machine-readable definition files.

Machine-readable definition files are written in formats like YAML, JSON, and HCL (HashiCorp Configuration Language.) They contain information about the desired infrastructure state, including configuration settings, networking requirements, security policies, and other settings.

Reduces the risk of manual intervention errors.

33
Q

Load Balancing

A

Distributes network traffic across multiple servers or services to improve performance and provide high availability.

In the cloud, load balancers are intermediaries (proxies) between users and back-end resources like virtual machines or containers.

They distribute incoming requests to different resources using sophisticated algorithms and handle server capacity, response time, and workload.

34
Q

Edge Computing

A

Optimizes the geographic location of resources and services to enable faster processing and reduced latency.

Instead of routing all data to a centralized cloud datacenter, edge computing utilizes distributed computing resources to minimize the distance data needs to travel, reducing network latency and improving responsiveness.

Edge computing is particularly beneficial for applications that require real-time or low-latency processing, such as IoT devices, content delivery networks (CDNs), and latency-sensitive applications.

35
Q

Auto-Scaling

A

An automated process that adjusts the computing resources allocated to an application based on demand.

Auto-scaling allows cloud infrastructure to dynamically scale resources up or down to match the real-time workload requirements.

For example, during periods of high demand, additional resources are provisioned automatically to handle the increased load, ensuring optimal performance and responsiveness. In contrast, when demand decreases, unnecessary resources are released back into a shared pool to reduce operating costs or to make them available to other workloads.

36
Q

As virtual networks become more complex and expand to large volumes, they become more difficult to manage. Network functions can be divided into three “planes”:

A

Control plane—makes decisions about how traffic should be prioritized, secured, and where it should be switched.

Data plane—handles the switching and routing of traffic and imposition of security access controls.

Management plane—monitors traffic conditions and network status.

37
Q

software-defined networking (SDN)

A

The application can be used to define policy decisions on the control plane.

These decisions are then implemented on the data plane by a network controller application, which interfaces with the network devices using APIs.

The interface between the SDN applications and the SDN controller is described as the “northbound” API, while that between the controller and appliances is the “southbound” API.

SDN can be used to manage compatible physical appliances, but also virtual switches, routers, and firewalls.

38
Q

network functions virtualization (NFV)

A

The architecture supporting the rapid deployment of virtual networking using general-purpose VMs and containers.

39
Q

Interconnection Security Agreements (ISAs)

A

establish the security requirements and responsibilities between the organization and the cloud service provider to safeguard sensitive data and ensure compliance with industry regulations to help ensure the confidentiality, integrity, and availability of data and systems within the cloud environment.

ISAs help ensure data and system protection within the cloud environment and define encryption methods, access controls, vulnerability management, and data segregation techniques. The agreement must also specify data ownership, audit rights, and data backup, recovery, and retention procedures.

40
Q

Cloud architecture feature considerations

A

Cost
Scalability
Resilience
Ease of deployment
Ease of recovery
SLAs and ISAs
Power
Compute

41
Q

Software-Defined Wide Area Network (SD-WAN)

A

enables organizations to connect their various branch offices, datacenters, and cloud infrastructure over a wide area network (WAN).

One of the key advantages of SD-WAN is its ability to provide enhanced security features and considerations.

42
Q

Secure Access Service Edge (SASE)

A

combines the protection of a secure access platform with the agility of a cloud-delivered security architecture.

SASE offers a centralized approach to security and access, providing end-to-end protection and streamlining the process of granting secure access to all users, regardless of location.
