Which Virtual Private Network (VPN) protocols are supported under the AWS managed VPN connection option?
Only IPsec is a supported VPN protocol
How will you vertically-scale Virtual Private Network (VPN) throughput in a Virtual Private Cloud (VPC) when terminating the VPN on Amazon Elastic Compute Cloud (Amazon EC2) with minimal downtime?
To vertically-scale, you need to change the instance type to a larger instance. Setting up a standby instance and moving the IP to this instance will result in the least amount of downtime. The downtime will be equal to the time required for the instance to re-create Internet Protocol Security (IPsec) tunnels and establish Border Gateway Protocol (BGP) neighbor relationships. This will be done automatically, or it will have to be initiated manually by you depending on the software on the Amazon EC2 instance. If you stop an existing instance and change its instance type, you also suffer the additional downtime required to boot an instance.
Which of the following is required to create a 1 Gbps AWS Direct Connect connection?
AWS Direct Connect supports 1000BASE-LX or 10GBASE-LR connections over single mode fiber using Ethernet transport. Your device must support 802.1Q VLANs; however, the use of 802.1Q is required for creating the virtual interface. It is not required for creating the connection.
The Letter of Authorization – Connecting Facility Assignment (LOA-CFA) document downloaded via the AWS Management Console provides the AWS Direct Connect location provider with which of the following?
A LOA-CFA provides details of the port assignment on the AWS side of the cross-connect with full demarcation and interface details. It is the customer’s responsibility to provide details for their end of the cross-connect. No other region or customer information is provided on the document.
You have set up a transit Virtual Private Cloud (VPC) architecture. You are connected to the hub VPC using AWS Direct Connect and a detached Virtual Private Gateway (VGW). You want all hybrid IT traffic to the production spoke VPC to pass through the transit hub VPC. You also want on-premises traffic to the test VPC to bypass the transit VPC, reaching the test spoke VPC directly. How will you architect this solution, considering least latency and maximum security?
The test VPC can be accessed directly over private VIF. It is not a good practice to access Amazon EC2 instances using public IPs when a more secure alternative exists. Option C is possible, but it induces additional latencies.
You have created a Virtual Private Cloud (VPC) with an IPv4 CIDR of 10.0.0.0/27. What is the maximum number of IPv4 subnets that you can create?
The minimum size subnet that you can have in a VPC is /28. A /27 Classless Inter-Domain Routing (CIDR) may contain two /28 subnets.
You create a new Virtual Private Cloud (VPC) in us-east-1 and provision three subnets inside this VPC. Which of the following statements is true?
When you provision a VPC, each route table has an immutable local route that allows all subnets to route traffic to one another.
Your networking group has decided to migrate all of the 192.168.0.0/16 Virtual Private Cloud (VPC) instances to 10.0.0.0/16. Which of the following is a valid option?
You cannot add different RFC1918 CIDR ranges to an existing VPC, and you also cannot use new CIDR ranges on existing subnets. In addition, NAT Gateways will not support custom NAT. The only option presented that works is peering to a new VPC.
What do Amazon CloudFront Origin Access Identities (OAIs) do?
This is the easiest way to ensure that content in an Amazon S3 bucket is only accessed by Amazon CloudFront.
Voice calls to international numbers from inside your company must go through an open source Session Border Controller (SBC) installed on a custom Linux Amazon Machine Image (AMI) in your Virtual Private Cloud (VPC) public subnet. The SBC handles the real-time media and voice signaling. International calls often have garbled voice, and it is difficult to understand what people are saying. What may increase the quality of international voice calls?
Enhanced networking can help reduce jitter and improve network performance. Placement groups and lower latency will not assist with flows leaving the VPC. Network interfaces do not affect network performance. An Application Load Balancer will not assist with performance issues.
Your big data team is trying to determine why their proof of concept is running slowly. For the demo, they are trying to ingest 100 TB of data from Amazon Simple Storage Service (Amazon S3) on their c4.8xl instance. They have already enabled enhanced networking. What should they do to increase Amazon S3 ingest rates?
Using more than one instance will increase the performance because any given flow to Amazon S3 will be limited to 25 Gbps. Moving the instance will not increase Amazon S3 bandwidth. Placement groups will not increase Amazon S3 bandwidth either. Amazon S3 cannot be natively placed behind a Network Load Balancer.
You have created an AWS CloudFormation stack to manage network resources in an account with the intent of allowing unprivileged users to make changes to the stack. When a user attempts to make a change and update the stack, however, the user gets a permission denied error when a resource is updated. What might be the cause?
A stack can have an IAM service role attached to it that specifies the actions that AWS CloudFormation is allowed to perform while managing the stack. If the stack does not have an attached IAM service role, then the stack uses the caller’s credentials—those of the unprivileged user in this case. Stack policies can also allow resources to be preserved, but all actions are permitted without a policy. If the user did not have permission to call CloudFormation:UpdateStack, then the error would have occurred before any resource updates were attempted.
You are trying to resolve host names from an instance in VPC A for instances that reside in VPC B. The two VPCs are peered within the same region. What action must be taken to enable this?
DNS resolution is supported over VPC peering connections; however, DNS resolution must be enabled for the peering connection.
When using Amazon Route 53, the EDNS0 extension is used when you want to do which of the following?
To improve the accuracy of geolocation routing, Amazon Route 53 supports the edns-client-subnet extension of EDNS0.
What happens when you associate an Amazon CloudFront distribution with an AWS Lambda@Edge function?
When you associate an Amazon CloudFront distribution with an AWS Lambda@Edge function, Amazon CloudFront intercepts requests and responses at Amazon CloudFront edge locations. Lambda@Edge functions execute in response to Amazon CloudFront events in the region or edge location that is closest to your customer.
After deploying Amazon RDS in a new subnet within a VPC, application developers report that they cannot connect to the database from another subnet within the VPC. What action must be taken?
Security groups control access to Amazon RDS.
Which of the following techniques is used to mitigate the impact on Amazon Route 53 of malicious actors?
AWS edge locations classify and prioritize traffic to mitigate the impact of malicious actors.
You are responsible for your company’s AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates that the source of the traffic is scanning for open ports on your Amazon Elastic Compute Cloud (Amazon EC2) instances. Which one of the following resources can deny the IP address from reaching the instances in your VPC?
Network ACL rules can deny traffic.
AWS uses what framework to provide independent confirmation around the efficacy of guest-to-guest separation on Amazon Elastic Compute Cloud (Amazon EC2) hypervisors?
The PCI DSS audit report contains statements about guest-to-guest separation in the AWS hypervisor. If this guest-to-guest separation assurance is insufficient for your own threat model, Amazon Elastic Compute Cloud (Amazon EC2) Dedicated Instances are also available.
You place an application load balancer in front of two web servers that are stateful. Users begin to report intermittent connectivity issues when accessing the website. Why is the site not responding?
Sticky sessions will enable a session to be kept with the same web server to facilitate stateful connections.
You create a new instance, and you are able to connect over Secure Shell (SSH) to its private IP address from your corporate network. The instance does not have Internet access, however. Your internal policies forbid direct access to the Internet. What is required to enable access to the Internet?
Because you can access the instance but not the Internet, there is not a default route to the Internet through the on-premises network.
You create Virtual Private Cloud (VPC) peering connections between VPC A and VPC B and between VPC B and VPC C. You can communicate between VPC A and VPC B and communicate between VPC B and VPC C, but not between VPC A and VPC C. What must be done to allow traffic between VPC A and VPC C?
VPC peering connections are not transitive.