
AWS Certified Solutions Architect – Associate Questions and Answers (Dumps and Practice Questions)



Question : Your company has offices, and all the employee related information is stored on AWS VPC based EC2 instances.
All the offices want to connect to the instances in the VPC using VPN to fetch employee data stored on the EC2 instances. What problem do you see in this scenario?
1. You can not create more than 1 VPN connection with a single VPC
2. You can not create more than 10 VPN connections with a single VPC
3. (option text not available)
4. Statically assigned routes can not be configured in case of more than 1 VPN with a virtual private gateway.
5. None of the above

Correct Answer : Configuring Multiple VPN Connections to Your Amazon VPC
You can create up to ten VPN connections for your VPC. You can use multiple VPN connections to link your remote offices to the same VPC. For example, if you have offices in Los Angeles, Chicago, New York, and Miami, you can link each of these offices to your VPC. You can also use multiple VPN connections to establish redundant customer gateways from a single location.
Note: If you need more than ten VPN connections, complete the Request to Increase Amazon VPC Limits form to request an increased limit.
When you create multiple VPN connections, the virtual private gateway sends network traffic to the appropriate VPN connection using statically assigned routes or BGP route advertisements, depending upon how the VPN connection was configured. Statically assigned routes are preferred over BGP advertised routes in cases where identical routes exist in the virtual private gateway.
When you have customer gateways at multiple geographic locations, each customer gateway should advertise a unique set of IP ranges specific to the location. When you establish redundant customer gateways at a single location, both gateways should advertise the same IP ranges.
The virtual private gateway receives routing information from all customer gateways and calculates the set of preferred paths using the BGP best path selection algorithm. The rules of that algorithm, as it applies to VPC, are:
1. The most specific IP prefix is preferred (for example, 10.0.0.0/24 is preferable to 10.0.0.0/16).
2. When the prefixes are the same, statically configured VPN connections, if they exist, are preferred. For matching prefixes where each VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred. Alternatively, you can prepend AS_PATH so that the path is less preferred.
3. When the AS PATHs are the same length, the path origin is compared: Interior Gateway Protocol (IGP) origins are preferred to Exterior Gateway Protocol (EGP) origins, which are preferred to unknown origins.
4. When the origins are the same, the router IDs of the advertising routes are compared. The lowest router ID is preferred.
5. When the router IDs are the same, the BGP peer IP addresses are compared. The lowest peer IP address is preferred.
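The five selection rules above are easier to reason about when applied to concrete routes. The following is an added example, not code from the original page or from AWS: it ranks candidate routes for one destination exactly in the order the list gives (longest prefix, static before BGP, shortest AS_PATH, origin, lowest router ID, lowest peer IP). The VPN connection names, AS numbers, router IDs and peer addresses are constructed for illustration.

```python
"""Added example (not from the original page): rank candidate routes the way the
page's five-step BGP best path selection summary describes, for one destination
learned from several VPN connections. All route data below is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Lower rank wins. "unknown" corresponds to BGP's INCOMPLETE origin.
ORIGIN_RANK = {"igp": 0, "egp": 1, "unknown": 2}


@dataclass(frozen=True)
class Route:
    prefix: str                  # e.g. "10.0.0.0/24"
    vpn: str                     # constructed VPN connection name
    static: bool = False         # statically configured on the VPN connection
    as_path: Tuple[int, ...] = () # AS_PATH as advertised; empty for static routes
    origin: str = "unknown"
    router_id: str = "0.0.0.0"
    peer_ip: str = "0.0.0.0"


def preference_key(route: Route):
    """Sort key implementing the page's ordering; the smallest key is preferred.

    1. most specific prefix (longest prefix length)
    2. static routes before BGP routes, then shortest AS_PATH
    3. origin IGP < EGP < unknown
    4. lowest router ID
    5. lowest BGP peer IP
    """
    return (
        -ip_network(route.prefix).prefixlen,
        0 if route.static else 1,
        len(route.as_path),
        ORIGIN_RANK[route.origin],
        int(ip_address(route.router_id)),
        int(ip_address(route.peer_ip)),
    )


def best_route(destination: str, routes: List[Route]) -> Optional[Route]:
    """Pick the preferred route for a destination IP.

    Only routes whose prefix contains the destination are candidates; among
    those the lowest preference_key wins. None means no route covers it.
    """
    dest = ip_address(destination)
    candidates = [r for r in routes if dest in ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates, key=preference_key)


# Constructed table: one office with a static route plus two BGP peers (one
# deliberately AS_PATH-prepended), and a second office with a redundant pair
# advertising identical prefixes.
ROUTES = [
    Route("10.0.0.0/16", "vpn-la-static", static=True),
    Route("10.0.5.0/24", "vpn-la-bgp", as_path=(65001,), origin="igp",
          router_id="192.0.2.1", peer_ip="169.254.10.1"),
    Route("10.0.5.0/24", "vpn-la-bgp-prepended", as_path=(65001, 65001),
          origin="igp", router_id="192.0.2.2", peer_ip="169.254.10.5"),
    Route("10.1.0.0/16", "vpn-chi-a", as_path=(65002,), origin="igp",
          router_id="192.0.2.10", peer_ip="169.254.20.1"),
    Route("10.1.0.0/16", "vpn-chi-b", as_path=(65002,), origin="igp",
          router_id="192.0.2.11", peer_ip="169.254.20.5"),
]

if __name__ == "__main__":
    for dst in ("10.0.5.20", "10.0.9.1", "10.1.3.3", "172.16.0.1"):
        chosen = best_route(dst, ROUTES)
        print(dst, "->", chosen.vpn if chosen else "no route")
```

Note how 10.0.5.20 is sent over the /24 BGP route even though a static /16 exists: rule 1 (most specific prefix) is evaluated before rule 2 (static preferred), so the static-over-BGP preference only applies between identical prefixes.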




Question : You have in total offices, and all the employee related information is stored on AWS VPC instances. Now all the offices want to connect to the instances in the VPC using VPN. Which of the below help you to implement this?

1. you can have redundant customer gateways between your data center and your VPC
2. you can have multiple locations connected to the AWS VPN CloudHub
3. (option text not available)
4. 1 and 2
5. 1,2 and 3

Correct Answer : AWS VPN CloudHub and Redundant Customer Gateways
You can establish multiple VPN connections to a single virtual private gateway from multiple customer gateways. This configuration can be used in different ways; you can have redundant customer gateways between your data center and your VPC, or you can have multiple locations connected to the AWS VPN CloudHub. If you have redundant customer gateways, each customer gateway advertises the same prefix (for example, 0.0.0.0/0) to the virtual private gateway. The gateways will be used in an active/active mode, but if one customer gateway fails, the virtual private gateway directs all traffic to the working customer gateway.
If you use the AWS VPN CloudHub configuration, multiple sites can access your VPC or securely access each other using a simple hub-and-spoke model. You configure each customer gateway to advertise a site-specific prefix (such as 10.0.0.0/24, 10.0.1.0/24) to the virtual private gateway. The virtual private gateway routes traffic to the appropriate site and advertises the reachability of one site to all other sites.
To configure the AWS VPN CloudHub, use the AWS Management Console to create multiple customer gateways, each with the unique public IP address of the gateway and a unique autonomous system number (ASN). Then create a VPN connection from each customer gateway to a common VPN gateway. Use the instructions that follow to configure each customer gateway to connect to the virtual private gateway.
To enable instances in your VPC to reach the virtual private gateway (and then your customer gateways), you must configure routes in your VPC routing tables. For AWS VPN CloudHub, you can configure an aggregate route in your VPC routing table (for example, 10.0.0.0/16), and use more specific prefixes between customer gateways and the virtual private gateway.




Question : You are creating CloudWatch Alarms on your AWS resources to check the health and performance of your QuickTechie.com website. You observe some alarms that indicate problems and need attention. However, some resources can not be monitored with the default CloudWatch metrics, and you need to create a custom CloudWatch metric for them. Which of the following requires a custom CloudWatch metric to monitor?

1. when memory utilization reaches or exceeds 90%
2. when cpu utilization reaches or exceeds 90%
3. (option text not available)
4. Network In bandwidth
5. Estimated charges on AWS Services

Correct Answer : Amazon CloudWatch is an Amazon Web Services utility allowing monitoring of various components like EC2 instances, EBS volumes and the Elastic Load Balancer. For EC2 instances, we can monitor CPUUtilization, DiskReadBytes, DiskReadOps, DiskWriteBytes, NetworkIn and NetworkOut. More often than not, end-users would want to monitor more parameters than the ones available, e.g. Free Memory, Free Swap and so on.
Amazon CloudWatch provides custom metrics to help circumvent the problem. One can simply define a custom metric based on each one's need and continuously feed it with data using a simple bash or python script running a while loop. Let's take an example of Free Memory.
Deleting a custom metric: A custom metric cannot be explicitly deleted. If the metric remains unused for 2 weeks, it gets automatically deleted.
Costing: $0.50 per metric per month
Summary : You can see how easy it is to add a custom metric. In this example we have shown how to add a FreeMemory metric. There are several other useful metrics such as FreeSwap, ProcessAvailability, DiskSpace, etc. that can also be added. Amazon CloudWatch monitors your Amazon Web Services (AWS) resources and the applications you run on AWS in real time. You can use CloudWatch to collect and track metrics, which are the variables you want to measure for your resources and applications. CloudWatch alarms send notifications or automatically make changes to the resources you are monitoring based on rules that you define. For example, you can monitor the CPU usage and disk reads and writes of your Amazon Elastic Compute Cloud (Amazon EC2) instances and then use this data to determine whether you should launch additional instances to handle increased load. You can also use this data to stop under-used instances to save money. In addition to monitoring the built-in metrics that come with AWS, you can monitor your own custom metrics. With CloudWatch, you gain system-wide visibility into resource utilization, application performance, and operational health.

You can configure alarm actions to stop, start, or terminate an Amazon EC2 instance when certain criteria are met. In addition, you can create alarms that initiate Auto Scaling and Amazon Simple Notification Service (Amazon SNS) actions on your behalf. The MemoryUtilization metric is a custom metric. In order to use the MemoryUtilization metric, you must install the Monitoring Scripts for Amazon EC2 Instances.




Question : You have a www.QuickTechie.com website hosted in an AWS region with EC2 nodes in AZs. Select the correct architecture in this case, considering that at any time one AZ can be down.
1. Each AZ with two instances = total 6 instances
2. Two AZs with three instances each and the remaining one not needing any other instances = total 6 instances
3. (option text not available)
4. Two AZs with 6 instances each and the third one not needing any other instances = total 12 instances
Ans : 4
Exp : If one of the AZs is down, then 6 instances will still be available in the other AZs (in the 4th option).



Question : You have a www.QuickTechie.com website hosted in an AWS region with EC2 nodes in AZs. Select the correct architecture in this case, considering that at any time one AZ can be down.
1. Each AZ with two instances = total 6 instances
2. Two AZs with three instances each and the remaining one not needing any other instances = total 6 instances
3. (option text not available)
4. Each AZ with three instances = total 9 instances
Ans : 4
Exp : If one of the AZs is down, then 6 instances will still be available.




Question : You are using synchronous replication to replicate the data in Amazon RDS to a second Availability Zone, to ensure that data is not lost if the primary Availability Zone becomes unavailable. Which of the following will be a major concern in this case?
1. network performance
2. Server Performance
3. (option text not available)
4. 1 and 3
5. 1, 2 and 3

Ans : 1
Exp : Synchronous replication: Data is atomically updated in multiple locations. This puts a dependency on network performance and availability. In AWS, Availability Zones within a region are well connected, but physically separated. For example, when deployed in Multi-AZ mode, Amazon RDS uses synchronous replication to duplicate data in a second Availability Zone. This ensures that data is not lost if the primary Availability Zone becomes unavailable.

Asynchronous replication: Data is not atomically updated in multiple locations. It is transferred as network performance and availability allows, and the application continues to write data that might not be fully replicated yet. Many database systems support asynchronous data replication. The database replica can be located remotely, and the replica does not have to be completely synchronized with the primary database server. This is acceptable in many scenarios, for example, as a backup source or for reporting/read-only use cases. In addition to database systems, you can also extend it to network file systems and data volumes.





Question : You are designing your AWS architecture for Disaster Recovery; however, this requires a paid license to use the software. As you know, in case of DR not all the licenses are used: only when something goes wrong will the software installed in the other AZs be used. You have not yet purchased extra licenses for the paid software, and you want to save the up-front cost for the software. Which of the below will best suit you?

1. Bring Your Own License
2. License included
3. (option text not available)
4. Any of the above will work
Ans : 2
Exp : Ensuring that you are correctly licensed for your AWS environment is as important as licensing for any other environment. AWS provides a variety of models to make licensing easier for you to manage. For example, "Bring Your Own License" is possible for several software components or operating systems. Alternately, there is a range of software for which the cost of the license is included in the hourly charge. This is known as "License included."
"Bring Your Own License" enables you to leverage your existing software investments during a disaster. "License included" minimizes up-front license costs for a DR site that doesn't get used on a day-to-day basis.
If at any stage you are in doubt about your licenses and how they apply to AWS, contact your license reseller.



Question : In a VPC you have one EC2 instance inside a subnet which can connect to the internet to upgrade its software.
You launch another instance in the same subnet with the same security group configuration; however, this instance is not able to upgrade its software from the internet. What do you have to do so that it can upgrade its software by downloading updates?

1. Deploy a NAT instance into the public subnet.
2. Configure a publicly routable IP address in the /etc/hosts file.
3. (option text not available)
4. Ensure that instances in your subnet have public IP addresses or Elastic IP addresses
Ans : 4
Exp : An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic. An Internet gateway serves two purposes: to provide a target in your VPC route tables for Internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IP addresses.

To enable an instance in your public subnet to communicate with the Internet, it must have a public IP address or an Elastic IP address that's associated with a private IP address on your instance. Your instance is only aware of the private (internal) IP address space defined within the VPC and subnet. The Internet gateway logically provides the one-to-one NAT on behalf of your instance, so that when traffic leaves your VPC subnet and goes to the Internet, the reply address field is set to the public IP address or Elastic IP address of your instance, and not its private IP address. Conversely, traffic that's destined for the public IP address or Elastic IP address of your instance has its destination address translated into the instance's private IP address before the traffic is delivered to the VPC.




Question : You have launched new instances in the VPC in a default subnet and you ping www.Google.com from such an instance. What would happen?
1. Yes, it would be able to ping; instances that you launch into a default subnet can automatically communicate with the Internet.
2. Yes, it would be able to ping, but instances that you launch into a default subnet can not download anything from the Internet.
3. (option text not available)
4. None of the above
Ans : 1
Exp : Your default VPC comes with an Internet gateway, and instances launched into a default subnet receive a public IP address by default, unless you specify otherwise during launch, or you modify the subnet's public IP address attribute. Therefore, instances that you launch into a default subnet can automatically communicate with the Internet.






Question : Select the correct statements from below

1. Instances that you launch into a private subnet in a virtual private cloud (VPC) can't communicate with the Internet.
2. You can optionally use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound traffic to the Internet, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.
3. You can optionally use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound traffic to the Internet, and also allow the instances to receive inbound traffic initiated by someone on the Internet.
4. 1 and 2
5. 1 and 3

Ans : 4
Exp : Instances that you launch into a private subnet in a virtual private cloud (VPC) can't communicate with the Internet. You can optionally use a network address translation (NAT) instance in a public subnet in your VPC to enable instances in the private subnet to initiate outbound traffic to the Internet, but prevent the instances from receiving inbound traffic initiated by someone on the Internet.

The main route table sends the traffic from the instances in the private subnet to the NAT instance in the public subnet. The NAT instance sends the traffic to the Internet gateway for the VPC. The traffic is attributed to the Elastic IP address of the NAT instance. The NAT instance specifies a high port number for the response; if a response comes back, the NAT instance sends it to an instance in the private subnet based on the port number of the response.






Question : When one says VPC-x is 10.123.0.0/16, that means any instance inside this VPC will have an ip 10.123.X.Y where X and Y can be anything between

1. 2 to 254
2. 1 to 256
3. (option text not available)
4. 10 to 123
Ans : 1
Exp : A VPC is denoted by a subnet mask. For example, when one says VPC-x is 10.123.0.0/16, that means any instance inside this VPC will have an ip 10.123.X.Y where X and Y can be anything between 2 and 254.


Question : You are creating an instance inside the VPC to host a website. Select the correct statement for this
1. You cannot have an instance inside a VPC that does not belong to any subnet
2. You can have an instance inside a VPC that does not belong to any subnet
3. (option text not available)
4. 2 and 3
5. 1 and 3
Ans : 5
Exp : Subnets: A subnet is a sub-network inside a VPC. An example of a subnet inside a VPC (10.123.X.Y) is 10.123.1.A/24. This means any instance that belongs to this subnet will have an ip 10.123.1.A where A can be anything between 2 and 254. These are also known as CIDR notations. An instance always belongs to a subnet. You cannot have an instance inside a VPC that does not belong to any subnet. While spawning instances inside AWS-VPC, one must specify which subnet the instance should belong to.



Question : You have defined the following routing table

CIDR --- target
10.123.0.0/16 --- local
0.0.0.0/0 --- igw (internet gateway)

Select the correct statement in this case

1. This table means that any traffic destined for a 10.123.X.Y ip (where X and Y can be anything from 2 to 254) will be sent directly.
2. The traffic which is not destined for a 10.123.X.Y ip (where X and Y can be anything from 2 to 254) will be directed to the igw.
3. An instance spawned in a subnet with this routing table still won't be accessible from outside the VPC if it does not have a public ip.
4. 1 and 3
5. 1,2,3
Ans : 5
Exp : This table means that any traffic destined for a 10.123.X.Y ip (where X and Y can be anything from 2 to 254) will be sent directly. The rest of the traffic will be directed to the igw.

Now, it's important to understand that a subnet is always attached to one and only one routing table. So, if we spawn an instance inside a subnet that has the above-mentioned routing table attached to it, the instance still won't be accessible from outside the VPC because it does not have a public ip.



Question : For an instance to be directly available from the internet, it has to have

1. an elastic ip
2. an igw
3. a subnet whose routing table routes non-local traffic via an internet gateway
4. 1, 2
5. 1, 2, 3
Ans : 5
Exp : It's important to understand that a subnet is always attached to one and only one routing table. So, if we spawn an instance inside a subnet that has the above-mentioned routing table attached to it, the instance still won't be accessible from outside the VPC because it does not have a public ip. One can attach an elastic ip (which is a reusable public ip) to this instance and then access it. The instance in turn can access the internet. Remember, for an instance to be directly available from the internet it has to have an elastic ip and it must be within a subnet that has a routing table where non-local traffic is routed via an internet gateway. So, an elastic ip and an igw in the routing table are the two criteria for an instance to be available directly from the internet. Subnets with such routing tables attached to them are also known as public subnets (non-local traffic routed to the internet gateway), as any instance with an elastic ip can be publicly available from this subnet.





Question : Select the correct statement from below.

1. You can specify a NAT (gateway) instance as the target for non-local traffic inside a routing table
2. Even if an instance in a private subnet has an elastic ip attached, it won't be publicly available
3. (option text not available)
4. 1 and 2
5. 1 and 3

Ans : 4
Exp : Now, it's important to understand that a subnet is always attached to one and only one routing table. So, if we spawn an instance inside a subnet that has the above-mentioned routing table attached to it, the instance still won't be accessible from outside the VPC because it does not have a public ip. One can attach an elastic ip (which is a reusable public ip) to this instance and then access it. The instance in turn can access the internet. Remember, for an instance to be directly available from the internet it has to have an elastic ip and it must be within a subnet that has a routing table where non-local traffic is routed via an internet gateway. So, an elastic ip and an igw in the routing table are the two criteria for an instance to be available directly from the internet. Subnets with such routing tables attached to them are also known as public subnets (non-local traffic routed to the internet gateway), as any instance with an elastic ip can be publicly available from this subnet.

On the other hand, you can specify a NAT (gateway) instance as the target for non-local traffic inside a routing table. You can keep the NAT box in a public subnet with an elastic ip attached to it. Now any subnet that has this type of routing table attached becomes a private subnet, because its instances cannot be exposed publicly. Even if you assign an elastic ip, it won't be publicly available (recall that for an instance to be publicly available you need both an elastic ip and a routing table that directs non-local traffic to the internet gateway). Here's an example of a private subnet:

CIDR --- target

10.123.0.0/16 --- local

0.0.0.0/0 --- i-abcdef (instance id of the NAT box)
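The three routing-table questions above all turn on two checks: which route a destination matches, and whether the subnet's default route points at the internet gateway or at a NAT instance. The following is an added example, not code from the original page, that evaluates the two tables shown above (the public one with `igw` as the default target and the private one with `i-abcdef`) using longest-prefix match, and applies the text's rule that an instance is reachable from the internet only when it has an elastic ip and its subnet routes non-local traffic via an igw. The test addresses are constructed.

```python
"""Added example (not from the original page): resolve routes against the two
VPC routing tables from the questions above and decide public reachability the
way the explanation describes. Tables mirror the page; test IPs are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# Public subnet table from the question: local range plus default route to the igw.
PUBLIC_TABLE: List[Route] = [("10.123.0.0/16", "local"), ("0.0.0.0/0", "igw")]
# Private subnet table from the question: default route to the NAT instance.
PRIVATE_TABLE: List[Route] = [("10.123.0.0/16", "local"), ("0.0.0.0/0", "i-abcdef")]


def lookup(table: List[Route], destination: str) -> Optional[str]:
    """Return the target for a destination using longest-prefix match:
    the most specific CIDR that contains the address wins, so 10.123.x.y
    goes to 'local' even though 0.0.0.0/0 also matches it."""
    dest = ip_address(destination)
    best: Optional[Tuple[int, str]] = None
    for cidr, target in table:
        net = ip_network(cidr)
        if dest in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def default_target(table: List[Route]) -> Optional[str]:
    """Target of the 0.0.0.0/0 route, i.e. where non-local traffic goes."""
    for cidr, target in table:
        if ip_network(cidr).prefixlen == 0:
            return target
    return None


def is_public_subnet(table: List[Route]) -> bool:
    """Public subnet: non-local traffic is routed via an internet gateway."""
    target = default_target(table)
    return target is not None and target.startswith("igw")


def can_initiate_outbound(table: List[Route]) -> bool:
    """Instances can reach the internet if there is any default route, whether
    to the igw (public subnet) or to a NAT instance (private subnet)."""
    return default_target(table) is not None


def internet_reachable(table: List[Route], has_elastic_ip: bool) -> bool:
    """Both criteria from the text must hold: an elastic ip on the instance AND
    a routing table that sends non-local traffic to the igw. An elastic ip on an
    instance behind a NAT-targeted table does not make it reachable."""
    return has_elastic_ip and is_public_subnet(table)


if __name__ == "__main__":
    for dst in ("10.123.4.5", "203.0.113.9"):
        print(dst, "public ->", lookup(PUBLIC_TABLE, dst),
              "| private ->", lookup(PRIVATE_TABLE, dst))
    print("public subnet + EIP reachable:", internet_reachable(PUBLIC_TABLE, True))
    print("private subnet + EIP reachable:", internet_reachable(PRIVATE_TABLE, True))
```

Removing the 0.0.0.0/0 entry from `PRIVATE_TABLE` models the "revoke internet access after provisioning" step described later on the page: `can_initiate_outbound` then returns False while local traffic still resolves.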




Question : Network ACLs specify what type of traffic is allowed inside the subnet. Now you have the following rules

rule number --- port --- protocol --- source --- action

100 --- ALL --- ALL --- 0.0.0.0/0 --- allow

What does that mean?

1. This means that all traffic is allowed within this network.
2. This means that all inbound traffic is allowed within this network.
3. (option text not available)
4. None of the above
Ans : 1
Exp : Network ACLs, or network access control lists: Apart from routing tables, each subnet is also assigned a network ACL. Network ACLs specify what type of traffic is allowed inside the subnet. By default it might have the following rules:

rule number --- port --- protocol --- source --- action

100 --- ALL --- ALL --- 0.0.0.0/0 --- allow

This means that all traffic is allowed within this network. You can think of Network ACLs as subnet-wide security groups. They are effective for isolating subnets from each other, reducing collision domains, etc.

Entities such as RDS instances and ELBs can be provisioned within a VPC as well. The same rules apply to them as to other EC2 instances. If they belong to a public subnet, they can be accessed from the internet.

In a typical web application example, you will be spawning the ELB and a NAT box inside the public subnet and your db servers (or RDS instances) and web servers in the private subnet. Since you have a NAT gateway (and a routing table attached to the private subnet that routes traffic via this NAT gateway), instances in private subnets can access the internet. But the reverse is not possible. If you do not want the instances in private subnets to access the internet, you can remove the NAT box from the private subnet's routing table. Since all this can be done dynamically via the web browser based console, command line tools, or the AWS web services API, you can temporarily allow the instances in private subnets to access the internet (for example while provisioning) and then revoke it later (before joining the ELB).

I'll be writing another post on how you can set up cross-availability-zone, highly available services using AWS VPC from a network standpoint. This will serve as the foundation of that post.
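The rule table above reads as "everything allowed", and the reason why is that network ACL rules are evaluated in ascending rule-number order, the first matching rule decides, and a packet that matches no numbered rule falls through to the implicit final deny. The following is an added example, not code from the original page, that implements that evaluation: it shows the page's default allow-all rule admitting anything, next to a constructed tighter rule set where a low-numbered deny takes precedence over a later allow and unlisted ports are denied by default. The rule numbers, ports and source ranges in the second set are constructed for illustration.

```python
"""Added example (not from the original page): evaluate network ACL rules as an
ordered, first-match allow/deny list with an implicit final deny. The allow-all
rule mirrors the question; the tighter rule set is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated from the lowest number upward
    port: str        # "ALL", a single port "443", or a range "1024-65535"
    protocol: str    # "ALL", "tcp", "udp" or "icmp"
    source: str      # source CIDR
    action: str      # "allow" or "deny"

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        """True when protocol, port and source all match this rule."""
        if self.protocol != "ALL" and self.protocol != protocol:
            return False
        if self.port != "ALL":
            lo, _, hi = self.port.partition("-")
            if not int(lo) <= port <= int(hi or lo):
                return False
        return ip_address(src_ip) in ip_network(self.source)


def evaluate(rules: List[NaclRule], protocol: str, port: int, src_ip: str) -> str:
    """Return 'allow' or 'deny' for one packet. First match in ascending rule
    number order wins; no match means the implicit '*' deny applies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, src_ip):
            return rule.action
    return "deny"


# The default rule from the question: all traffic allowed.
DEFAULT_RULES = [NaclRule(100, "ALL", "ALL", "0.0.0.0/0", "allow")]

# Constructed tighter inbound set for a public web subnet. Network ACLs are
# stateless, so the ephemeral-port allow (rule 120) is what lets responses to
# the subnet's own outbound connections back in.
WEB_RULES = [
    NaclRule(90, "ALL", "ALL", "198.51.100.0/24", "deny"),       # blocked source range
    NaclRule(100, "443", "tcp", "0.0.0.0/0", "allow"),           # HTTPS from anywhere
    NaclRule(110, "80", "tcp", "0.0.0.0/0", "allow"),            # HTTP from anywhere
    NaclRule(120, "1024-65535", "tcp", "0.0.0.0/0", "allow"),    # ephemeral return traffic
]

if __name__ == "__main__":
    samples = [("tcp", 22, "203.0.113.7"), ("tcp", 443, "203.0.113.7"),
               ("tcp", 443, "198.51.100.9"), ("udp", 53, "203.0.113.7")]
    for proto, port, src in samples:
        print(f"{proto}/{port} from {src}: default={evaluate(DEFAULT_RULES, proto, port, src)}"
              f" web={evaluate(WEB_RULES, proto, port, src)}")
```

The 443 request from 198.51.100.9 is denied even though rule 100 would allow it, because rule 90 is evaluated first; ordering, not just rule content, determines the outcome.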





Question : QuickTechie.com is a large enterprise that runs multiple Amazon VPCs in a single region, with Active Directory and File Sharing interconnected (both reside in different VPCs), and they need to access them privately and securely inside AWS and not from outside the VPC. What is the best solution for this requirement?
1. Amazon VPC Peering
2. Block all the inbound and outbound ports. Only allow application request ports.
3. (option text not available)
4. Both the VPC subnets should have a NAT instance
Ans : 1
Exp : Use Amazon VPC Peering : Amazon Web Services has introduced the VPC peering feature, which is quite a useful one. An AWS VPC peering connection is a networking connection between two Amazon VPCs that enables you to route traffic between them using private IP addresses. Currently the VPCs must be in the same AWS region. Instances in either VPC can communicate with each other as if they are within the same network. Since AWS uses the existing infrastructure of a VPC to create a VPC peering connection, it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware (which essentially means there is no single point of failure for communication or a bandwidth bottleneck).

We have seen it is useful in the following scenarios :
Large enterprises usually run multiple Amazon VPCs in a single region, and some of their applications are so interconnected that they may need to access them privately and securely inside AWS. Example: Active Directory, Exchange and common business services will usually be interconnected.
Large enterprises have different AWS accounts for different business units/teams/departments; at times systems deployed by some business units in different AWS accounts need to be shared or need to consume a shared resource privately. Example: CRM, HRMS, File Sharing etc. can be internal and shared. In such scenarios VPC peering comes in very useful.
Customers can peer their VPC with their core suppliers to have tighter integrated access to their systems.
Companies offering Infra/Application Managed Services on AWS can now safely peer into customer Amazon VPCs and provide monitoring and management of AWS resources.





Question : Which of the following help to create a network between an On-Premise Data Center and Amazon VPC?
1. Secure IPSec tunnel to connect a corporate network with Amazon VPC
2. Secure communication between sites using the AWS VPN CloudHub
3. (option text not available)
4. 1 and 2
5. All 1,2,3

Ans : 5
Exp : Plan your tunnel between the On-Premise DC and Amazon VPC:
Select the right mechanism to connect your on-premises DC to Amazon VPC. This will help you to connect to the EC2 instances via private IPs in a secure manner.
Option 1: Secure IPSec tunnel to connect a corporate network with Amazon VPC
Option 2: Secure communication between sites using the AWS VPN CloudHub
Option 3: Use Direct Connect between Amazon VPC and on-premises when you have lots of data to be transferred with reduced latency, or you have spread your mission-critical workloads across cloud and on-premises. Example: Oracle RAC in your DC and the Web/App tier in your Amazon VPC.





Question : You have hundreds of EC2 instances inside your Amazon VPC and they are making lots of heavy web service/HTTP calls concurrently. Now, to secure communication among the instances, you set up NAT instances. Select the correct design for this scenario
1. A single NAT instance with the largest EC2 size can handle that bandwidth
2. span your EC2 instances across multiple subnets and create NATs for each subnet
3. (option text not available)
4. None of the above
Ans : 2
Exp : Spread your NAT instances across multiple subnets: What if you have hundreds of EC2 instances inside your Amazon VPC and they are making lots of heavy web service/HTTP calls concurrently? A single NAT instance, even of the largest EC2 size, sometimes cannot handle that bandwidth and may become a performance bottleneck. In such scenarios, span your EC2 instances across multiple subnets and create NATs for each subnet. This way you can spread your outgoing bandwidth and improve the performance of your VPC based deployments.

Plan your NAT instance type: Whenever your application EC2 instances residing inside a private subnet of Amazon VPC make Web Service/HTTP/S3/SQS calls, they go through the NAT instance. If you have designed Auto Scaling for your application tier and there are chances that tens of app EC2 instances are going to make lots of web calls concurrently, the NAT instance will become a performance bottleneck at this juncture. Size your NAT instance capacity depending upon application needs to avoid performance bottlenecks. Using NAT instances provides the advantages of saving the cost of Elastic IPs and provides extra security by not exposing the instances to the outside world in order to access the internet.




Question : You are using Amazon ELB for web applications, e.g. www.QuickTechie.com. Select the statement that helps design this architecture correctly.
1. Put all other EC2 instances (tiers like App, Cache, DB, BG, etc.) in private subnets as much as possible
2. Only ELBs should be provisioned in Public Subnet as secure practice in Amazon VPC environment
3. Access Mostly Uused Products by 50000+ Subscribers
4. 1 and 2
5. All 1,2 and 3

Ans : 4
Exp : ELB on Amazon VPC: When using Amazon ELB for web applications, put all other EC2 instances (tiers like App, Cache, DB, BG, etc.) in private subnets as much as possible. Unless there is a specific requirement where instances need outside-world access and an EIP attached, put all instances in private subnets only. Only ELBs should be provisioned in the public subnet, as a secure practice in an Amazon VPC environment.




Question : You are designing a multi-tier web application. Please select the correct security design.
1. Create different security groups for different tiers of your infrastructure architecture inside your VPC.
2. Create a single security group for the different tiers of your infrastructure architecture inside your VPC.
3. Access Mostly Uused Products by 50000+ Subscribers
4. 1 and 2
5. 1 and 3

Ans : 5
Exp : Tier your Security Groups: Create different security groups for the different tiers of your infrastructure architecture inside your VPC. If you have Web, App and DB tiers, create a different security group for each of them. Creating tier-wise security groups will increase the infrastructure security inside Amazon VPC. EC2 instances in each tier can then talk only on the application-specified ports and not on all ports. If you create Amazon VPC security groups for each and every tier/service separately, it will be easier to open a port to a particular service. Don't use the same security group for multiple tiers of instances; this is a bad practice. Example: Open ports to a security group instead of to IP ranges: People have a tendency to open port 8080 to the 10.10.0.0/24 (web layer) range. Instead of that, open port 8080 to web-security-group. This will make sure only web-security-group instances will be able to contact port 8080. If someone launches a NAT instance with NAT-Security-Group in 10.10.0.0/24, it won't be able to contact port 8080, as access is allowed only from the web security group.



Question : You are designing a Disaster Recovery setup plan using VPC for the www.QuickTechie.com website. Select the correct statement for this design, where it should help to replicate your data using private IPs.


1. Create your Production site VPC CIDR : 10.0.0.0/16 and your DR region VPC CIDR: 172.16.0.0/16.
2. Create your Production site VPC CIDR : 10.0.0.0/16 and your DR region VPC CIDR: 10.0.0.0/16.
3. Access Mostly Uused Products by 50000+ Subscribers
4. 1 and 3
5. 2 and 3
Ans : 4
Exp : Disaster Recovery or Geo-Distributed Amazon VPC Setup: When you are designing a Disaster Recovery setup plan using VPC or expanding to another Amazon VPC region, you can follow these simple rules. Create your Production site VPC CIDR as 10.0.0.0/16 and your DR region VPC CIDR as 172.16.0.0/16. Make sure they do not conflict with the on-premises subnet CIDR block in the event that both need to be integrated with the on-premises DC as well. After creating the CIDR blocks, set up a VPC tunnel between the regions and to your on-premises DC. This will help to replicate your data using private IPs.




Question : While designing your network architecture you have created VPCs in a region, and inside each VPC you have two subnets. Now you decide to create 10 IGWs, one for each subnet. You are aware that you cannot create more than 5 subnets per region, hence you asked AWS for permission to create 10 more IGWs. But AWS declined this request. Why?

1. You cannot have more than 5 IGWs in a region; this is a hard limit set by AWS.
2. The only way to increase this limit is to increase the limit on VPCs per region.
3. Access Mostly Uused Products by 50000+ Subscribers
4. None of the above
Ans : 2
Exp : Internet gateways per region: 5
This limit is directly correlated with the limit on VPCs per region. You cannot increase this limit individually; the only way to increase this limit is to increase the limit on VPCs per region. Only one Internet gateway can be attached to a VPC at a time.

Virtual private gateways per region: 5
This limit can be increased upon request; however, only one virtual private gateway can be attached to a VPC at a time.

VPCs per region: 5
This limit can be increased upon request. The limit for Internet gateways per region is directly correlated to this one. Increasing this limit will increase the limit on Internet gateways per region by the same amount.

Subnets per VPC: 200
This limit can be increased upon request.



Question : You have installed Hadoop on Amazon EC2 instances. To monitor the NameNode you need the public as well as the private IP address, so you can create the URL accordingly. How will you determine the public and private IP addresses of the Amazon EC2 instance on which your NameNode is running?
1. As IP addresses keep changing, so you have to use Amazon CloudWatch metric to get the current IP address.
2. You can get it from local instance metadata.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Just run the command ifconfig and it will give you all the details.
Ans : 2
Exp : Instance metadata is data about your instance that you can use to configure or manage the running instance. Instance metadata is divided into categories. You can also access the user data that you supplied when launching your instance. For example, you can specify parameters for configuring your instance, or attach a simple script. You can also use this data to build more generic AMIs that can be modified by configuration files supplied at launch time. For example, if you run web servers for various small businesses, they can all use the same AMI and retrieve their content from the Amazon S3 bucket you specify in the user data at launch. To add a new customer at any time, simply create a bucket for the customer, add their content, and launch your AMI.

If you launch more than one instance at the same time, the user data is available to all instances in that reservation.

Because you can access instance metadata and user data from within your running instance, you do not need to use the Amazon EC2 console or the CLI tools. This can be helpful when you're writing scripts to run from within your instance. For example, you can access your instance's local IP address from within the running instance to manage a connection to an external application.

Important
Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. Therefore, you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data, such as passwords, as user data.

However, each instance has certain unique metadata.
Instance 1
Metadata Value
instance-id i-10a64379
ami-launch-index 0
public-hostname ec2-203-0-113-25.compute-1.amazonaws.com
public-ipv4 67.202.51.223
local-hostname ip-10-251-50-12.ec2.internal
local-ipv4 10.251.50.35
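As an added example (not from the page, Hadoop or AWS), the lookup the explanation describes, done through the instance metadata service from inside the instance: it assumes the IMDSv2 session-token step and a NameNode UI port of 50070, and takes the HTTP transport as a parameter so the same logic runs offline against the constructed metadata below.

```python
"""Resolve the NameNode's public and private IPv4 addresses from instance metadata.

Added example, not part of the original page or of Hadoop/AWS code. It uses the
IMDSv2 session-token flow (PUT /latest/api/token, then GET with the token header),
an assumption beyond the page text: IMDSv2 does not encrypt the data, but it stops
naive header-less requests (for instance via an SSRF hop) from reading it.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional

IMDS_BASE = "http://169.254.169.254/latest"
TOKEN_TTL_SECONDS = "300"        # short-lived session token; constructed choice
NAMENODE_UI_PORT = 50070         # assumed NameNode web UI port, not from the page

HttpFn = Callable[[str, str, Dict[str, str]], str]


def _http(method: str, url: str, headers: Dict[str, str]) -> str:
    """Real transport: one request with a short timeout, body decoded as text."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=2.0) as resp:
        return resp.read().decode("utf-8").strip()


def get_imds_token(http: HttpFn = _http) -> str:
    """Obtain an IMDSv2 session token (PUT with the TTL header)."""
    return http("PUT", f"{IMDS_BASE}/api/token",
                {"X-aws-ec2-metadata-token-ttl-seconds": TOKEN_TTL_SECONDS})


def get_metadata(category: str, token: str, http: HttpFn = _http) -> Optional[str]:
    """Read one metadata category; None when it is absent (HTTP 404), e.g.
    public-ipv4 on an instance in a private subnet without a public IP."""
    try:
        return http("GET", f"{IMDS_BASE}/meta-data/{category}",
                    {"X-aws-ec2-metadata-token": token})
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def namenode_urls(http: HttpFn = _http, port: int = NAMENODE_UI_PORT) -> Dict[str, str]:
    """Build the NameNode UI URLs from the instance's own metadata."""
    token = get_imds_token(http)
    private_ip = get_metadata("local-ipv4", token, http)
    if private_ip is None:
        raise RuntimeError("local-ipv4 missing from instance metadata")
    urls = {"private": f"http://{private_ip}:{port}/"}
    public_ip = get_metadata("public-ipv4", token, http)
    if public_ip:
        urls["public"] = f"http://{public_ip}:{port}/"
    return urls


# Constructed metadata mirroring the table above, for offline runs.
SAMPLE_METADATA = {
    "instance-id": "i-10a64379",
    "local-ipv4": "10.251.50.35",
    "public-ipv4": "67.202.51.223",
}


def make_fake_imds(metadata: Dict[str, str], token: str = "constructed-token") -> HttpFn:
    """Return a transport that behaves like IMDSv2 over the given categories."""
    def fake_http(method: str, url: str, headers: Dict[str, str]) -> str:
        if method == "PUT" and url == f"{IMDS_BASE}/api/token":
            return token
        if headers.get("X-aws-ec2-metadata-token") != token:
            raise urllib.error.HTTPError(url, 401, "Unauthorized", {}, None)
        category = url.rsplit("/meta-data/", 1)[-1]
        if category not in metadata:
            raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
        return metadata[category]
    return fake_http


if __name__ == "__main__":
    print(namenode_urls(make_fake_imds(SAMPLE_METADATA)))
```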




Question : You have sensitive information, like a password, and want to store it on an EC2 instance. Which is the correct way?
1. instance metadata
2. instance userdata
3. Access Mostly Uused Products by 50000+ Subscribers
4. 1 and 2
5. None of 1,2 and 3

Ans : 5
Exp : Because you can access instance metadata and user data from within your running instance, you do not
need to use the Amazon EC2 console or the CLI tools. This can be helpful when you're writing scripts to
run from within your instance. For example, you can access your instance's local IP address from within
the running instance to manage a connection to an external application.

Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. Therefore, you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data, such as passwords, as user data.


When you are adding user data, take note of the following:
- User data is treated as opaque data: what you give is what you get back. It is up to the instance to be able to interpret it.
- User data is limited to 16 KB. This limit applies to the data in raw form, not base64-encoded form.
- User data must be base64-encoded before being submitted to the API.



Question : You have configured www.QuickTechie.com with two Reserved Instances and one Spot Instance, and bid $. per hour for the Spot Instance. You have used the Spot Instance for 40 minutes; after some time another vendor increased the bid by $0.15 per hour. What would happen?

1. Spot instance will be terminated by AWS and it will charge $0.15
2. Spot instance will be terminated by AWS and it will charge $0.10
3. Access Mostly Uused Products by 50000+ Subscribers
4. Spot instance will not be terminated by AWS as it might be running critical services and it will charge $0.10
5. Spot instance will not be terminated by AWS as it might be running critical services and it will charge $0.15


Ans : 3
Exp : Please note the following important points:
- Spot Instances perform exactly like other Amazon EC2 instances while running. Spot Instances are simply spare Amazon EC2 instances and perform the same as On-Demand and Reserved Instances.
- You will never pay more than your maximum bid price per hour. By bidding the maximum you're willing to pay per hour, you set the ceiling on your Spot Instance hourly costs.
- If your Spot Instance is interrupted by Amazon EC2, you will not be charged for the interrupted hour. For example, if your Spot Instance is interrupted 59 minutes after it starts, we will not charge you for those 59 minutes. However, if you terminate your instance, you will pay for any partial hour of usage as you would for On-Demand Instances.
- There is always a possibility that your Spot Instance might be interrupted. A high max bid price may reduce the probability that your Spot Instance will be interrupted, but cannot prevent interruption. (For example, regardless of how high you bid, if we can no longer offer spare Amazon EC2 capacity of your Spot Instance's type, your Spot Instance will be terminated.)




Question : You have created a mobile app for www.QuickTechie.com which calls a web service method on Amazon Elastic Compute Cloud (EC2), and indirectly this EC2 instance calls AWS APIs. Which is the correct method of securely passing credentials to the application?
1. Create dynamic data to pass the credentials.
2. Use AWS Identity and Access Management roles for EC2 instances.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Store these credentials on the EC2 instances and pass them encrypted.
Ans : 2
Exp : Applications must sign their API requests with AWS credentials. Therefore, if you are an application developer, you need a strategy for managing credentials for your applications that run on EC2 instances. For example, you can securely distribute your AWS credentials to the instances, enabling the applications on those instances to use your credentials to sign requests, while protecting them from other users. However, it's challenging to securely distribute credentials to each instance, especially those that AWS creates on your behalf, such as Spot Instances or instances in Auto Scaling groups. You must also be able to update the credentials on each instance when you rotate your AWS credentials.
We designed IAM roles so that your applications can securely make API requests from your instances, without requiring you to manage the security credentials that the applications use. Instead of creating and distributing your AWS credentials, you can delegate permission to make API requests using IAM roles as follows:
1. Create an IAM role.
2. Define which accounts or AWS services can assume the role.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Specify the role when you launch your instances.
5. Have the application retrieve a set of temporary credentials and use them.
For example, you can use IAM roles to grant permissions to applications running on your instances that need to use a bucket in Amazon S3.
Note
Amazon EC2 uses an instance profile as a container for an IAM role. When you create an IAM role using the console, the console creates an instance profile automatically and gives it the same name as the role it corresponds to. If you use the AWS CLI, API, or an AWS SDK to create a role, you create the role and instance profile as separate actions, and you might give them different names. To launch an instance with an IAM role, you specify the name of its instance profile. When you launch an instance using the Amazon EC2 console, you can select a role to associate with the instance; however, the list that's displayed is actually a list of instance profile names. For more information, see Instance Profiles in Using IAM.

You can specify permissions for IAM roles by creating a policy in JSON format. These are similar to the policies that you create for IAM users. If you make a change to a role, the change is propagated to all instances, simplifying credential management.




Question : www.QuickTechie.com has implemented a slide-share solution and it stores millions of documents in Amazon Simple Storage Service (S3). QuickTechie.com is expecting sudden and large increases in traffic to and from S3. What information do you need in order to determine whether S3 is the right option?
1. You should enquire about the currently registered users on the website; based on that you can predict the number of registered users in upcoming years.
2. You must find out the total number of requests per second at peak usage.
3. Access Mostly Uused Products by 50000+ Subscribers
4. You must understand the total amount of storage needed for each S3 bucket.
Ans: 2
Exp : Request Rate and Performance Considerations
Topics
- Workloads with a Mix of Request Types
- GET-Intensive Workloads
Amazon S3 scales to support very high request rates. If your workload in an Amazon S3 bucket routinely exceeds 100 PUT/LIST/DELETE requests per second or more than 300 GET requests per second, follow the guidelines in this topic to ensure the best performance and scalability. If your request rate grows steadily, Amazon S3 automatically partitions your buckets as needed to support higher request rates. However, if you expect a rapid increase in the request rate for a bucket to more than 300 PUT/LIST/DELETE requests per second or more than 800 GET requests per second, we recommend that you open a support case to prepare for the workload and avoid any temporary limits on your request rate. To open a support case, go to Contact Us.
This topic discusses two types of workloads:
- Workloads that include a mix of request types - If your requests are typically a mix of GET, PUT, DELETE, or GET Bucket (list objects), choosing appropriate key names for your objects will ensure better performance by providing low-latency access to the Amazon S3 index (discussed in the following section). It will also ensure scalability regardless of the number of requests you send per second.
- Workloads that are GET-intensive - If the bulk of your workload consists of GET requests, we recommend using the Amazon CloudFront content delivery service.
Note
The guidelines in this section apply if you are routinely processing 100 or more requests per second. If your typical workload involves only occasional bursts of 100 requests per second and less than 800 requests per second, you don't need to follow the guidelines in this section.




Question : Which is a good option when you need storage with very low latency, but you don't need it to persist when the instance terminates,
or you can take advantage of fault tolerant architectures.


1. Instance types use solid state drives (SSD)
2. t1.micro with Amazon EBS volumes
3. Access Mostly Uused Products by 50000+ Subscribers
4. Any type of instances with ELB storage.


Question : A US-based company is expanding their web presence into Europe. The company wants to
extend their AWS infrastructure from Northern Virginia (us-east-1) into the Dublin (eu-west-
1) region. Which of the following options would enable an equivalent experience for users
on both continents?

1. Use a public-facing load balancer per region to load-balance web traffic, and enable
HTTP health checks.
2. Use a public-facing load balancer per region to load-balance web traffic, and enable
sticky sessions.
3. Access Mostly Uused Products by 50000+ Subscribers
both regions.
4. Use Amazon Route 53, and apply a weighted routing policy to distribute traffic across
both regions.



Question : A user creates an Auto Scaling group from the Amazon AWS Console. Will an instance launched with that group have any tags assigned to it?
1. True, always.
2. False
3. Access Mostly Uused Products by 50000+ Subscribers
4. True, only if configured at the launch configuration


Question : A customer has a single -TB volume on-premises that is used to hold a large repository of
images and print layout files. This repository is growing at 500 GB a year and must be
presented as a single logical volume. The customer is becoming increasingly constrained
with their local storage capacity and wants an off-site backup of this data, while maintaining
low-latency access to their frequently accessed data. Which AWS Storage Gateway
configuration meets the customer requirements?

1. Gateway-Cached volumes with snapshots scheduled to Amazon S3
2. Gateway-Stored volumes with snapshots scheduled to Amazon S3
3. Access Mostly Uused Products by 50000+ Subscribers
4. Gateway-Virtual Tape Library with snapshots to Amazon Glacier



Question : A t2.medium EC2 instance type must be launched with what type of Amazon Machine Image (AMI)?
1. An Instance store Hardware Virtual Machine AMI
2. An Instance store Paravirtual AMI
3. Access Mostly Uused Products by 50000+ Subscribers
4. An Amazon EBS-backed Paravirtual AMI
Ans : 1
Exp : Amazon Machine Images use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). All current generation instance types support HVM AMIs. Some previous generation instance types do not support Linux HVM AMIs. Some current generation instance types do not support PV AMIs. You can't change the virtualization type of an instance or an AMI; an instance can only be resized to an instance type that supports its method of virtualization, and AMIs can only be launched on instance types that support their method of virtualization. For more information, see Linux AMI Virtualization Types.

T2 instances must be launched into a VPC using HVM AMIs; they are not supported on the EC2-Classic platform and they do not support PV AMIs. If your account supports EC2-Classic and you have not created a nondefault VPC, you can't change your instance type to T2 in the console. If your instance uses HVM virtualization and it was launched in a VPC, then you can resize that instance to a T2 instance. For more information, see T2 Instances, Amazon EC2 and Amazon Virtual Private Cloud, and Linux AMI Virtualization Types.

All Amazon EC2 instance types support 64-bit AMIs, but only the following instance types support 32-bit AMIs: t1.micro, t2.micro, t2.small, t1.micro, m1.small, m1.medium, and c1.medium. If you are resizing a 32-bit instance, you are limited to these instance types.

You can't add instance store volumes when you resize your instance; instance store volumes may only be added at launch time. If you want to add instance store volumes, consider creating an AMI from your instance and launching a new instance from that AMI with instance store volumes. For more information, see Amazon EC2 Instance Store.


Question : Which of the following are true regarding encrypted Amazon Elastic Block Store (EBS) volumes? Choose answers
A. Supported on all Amazon EBS volume types
B. Snapshots are automatically encrypted
C. Available to all instance types
D. Existing volumes can be encrypted
E. Shared volumes can be encrypted

1. A,B
2. B,C
3. Access Mostly Uused Products by 50000+ Subscribers
4. D,E

Ans : 1
Exp : Amazon EBS Encryption

Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, data stored at rest on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host EC2 instances, providing encryption of data-in-transit from EC2 instances to EBS storage.

Amazon EBS encryption uses AWS Key Management Service (AWS KMS) Customer Master Keys (CMKs) when creating encrypted volumes and any snapshots created from your encrypted volumes. The first time you create an encrypted volume in a region, a default CMK is created for you automatically. This key is used for Amazon EBS encryption unless you select a CMK that you created separately using AWS Key Management Service. Creating your own CMK gives you more flexibility, including the ability to create, rotate, disable, define access controls, and audit the encryption keys used to protect your data. For more information, see the AWS Key Management Service Developer Guide.

This feature is supported with all EBS volume types (General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic), and you can expect the same IOPS performance on encrypted volumes as you would with unencrypted volumes with a minimal effect on latency. You can access encrypted volumes the same way that you access existing volumes; encryption and decryption are handled transparently and they require no additional action from you, your EC2 instance, or your application. Snapshots of encrypted EBS volumes are automatically encrypted, and volumes that are created from encrypted EBS snapshots are also automatically encrypted.

Important
Encrypted boot volumes are not supported at this time.
The Amazon EBS encryption feature is also extended to snapshots of your encrypted volumes. Snapshots that are taken from encrypted volumes are automatically encrypted. Volumes that are created from encrypted snapshots are also automatically encrypted. Your encrypted volumes and any associated snapshots always remain protected.

Amazon EBS encryption is only available on select instance types. You can attach both encrypted and unencrypted volumes to a supported instance type.


Question : An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the following
approaches would protect the sensitive data on an Amazon EBS volume?
1. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM. Re-mount the Amazon EBS volume.
2. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume. Mount the Amazon EBS volume



Question : A company is building software on AWS that requires access to various AWS services.
Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
1. Enable Multi-Factor Authentication for your AWS root account.
2. Assign an IAM role to the Amazon EC2 instance.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Assign an IAM user to the Amazon EC2 Instance.

Ans : 1
Exp : For extra security, enable multifactor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP) and users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone). For increased security, we recommend that you protect your AWS resources by configuring AWS multi-factor authentication (MFA). MFA adds extra security by requiring users to enter a unique authentication code from their authentication device when accessing AWS websites or services.

For MFA to work, you must assign an MFA device (hardware or virtual) to the IAM user or root account. The MFA device must be unique for each user; a user cannot enter a code from another user's device to authenticate. This section shows you how to set up and enable a new MFA device, as well as how to synchronize and deactivate existing devices, and what to do when a device is lost or stops working.


Question : You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and network access control lists are properly configured. Instances in a private subnet can access the NAT. The NAT can access the Internet. However, private instances cannot access the Internet. What additional step is required to allow access from the private instances?
1. Enable Source/Destination Check on the private Instances.
2. Enable Source/Destination Check on the NAT instance.
3. Access Mostly Uused Products by 50000+ Subscribers
4. Disable Source/Destination Check on the NAT instance.

Ans : 4
Exp : Disabling Source/Destination Checks

Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance.

You can disable the SrcDestCheck attribute for a NAT instance that's either running or stopped using the console or the command line.




Question : A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that
is not connected to their corporate network. They are connecting to the VPC over the
Internet to manage all of their Amazon EC2 instances running in both the public and private
subnets. They have only authorized the bastion-security-group with Microsoft Remote
Desktop Protocol (RDP) access to the application instance security groups, but the
company wants to further limit administrative access to all of the instances in the VPC.
Which of the following Bastion deployment scenarios will meet this requirement?

1. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
2. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
3. Access Mostly Uused Products by 50000+ Subscribers
corporate public IP addresses.
4. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.

Ans : 4
Exp : If you run Microsoft Windows instances in EC2, then you most likely use the Remote Desktop Protocol (RDP) for remote administration. To define the source IPs that are allowed to connect to your EC2 instances' RDP port (TCP/3389), you configure the instance's security group rules. When configuring your security groups, it's a best practice to apply the principle of least privilege, allowing only connections to the RDP port from IP addresses your administrators will be connecting from and denying all others. However, in cases where an administrator could be connecting from anywhere on the Internet, trying to determine which IPs to allow can be difficult. As a result, we often see customers setting security groups for RDP access to allow every IP (0.0.0.0/0), thereby failing to enforce least privilege at the network layer.

One solution to this problem is to protect your Windows instances at the network layer using a Microsoft Remote Desktop (RD) Gateway server set up as a bastion. RD Gateway can be configured to accept connections via HTTPS (TCP/443) from every IP on the Internet, then proxy them to your other Windows instances using the RDP port (TCP/3389). Only users who authenticate to your RD Gateway instance are allowed to proceed on to the protected Windows instances behind the proxy.
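An added example, not code from the page or from AWS, that checks security-group rules for the two anti-patterns described here and in the earlier "Tier your Security Groups" explanation: a tier port opened to a CIDR instead of to the source tier's security group, and RDP (TCP/3389) opened to 0.0.0.0/0. It assumes input shaped like `aws ec2 describe-security-groups` output, and the group IDs in the sample are constructed.

```python
"""Audit security-group ingress rules for two anti-patterns this page describes:
a tier port opened to an IP range instead of to the source tier's security group,
and an administrative port (RDP, TCP/3389) opened to every IP (0.0.0.0/0).

Added example, not code from the page or from AWS. Input has the shape of
`aws ec2 describe-security-groups` output; the sample below is constructed.
"""
from typing import Dict, List

WORLD = {"0.0.0.0/0", "::/0"}


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True when a single IpPermission entry allows TCP traffic to `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":                      # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _cidr_sources(rule: dict) -> List[str]:
    """IPv4 and IPv6 CIDR sources of a rule (security-group sources are excluded)."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit_ingress(sgs: dict, tier_port: int, admin_port: int = 3389) -> List[Dict[str, str]]:
    """Return one finding per offending (group, rule, CIDR source) combination."""
    findings = []
    for sg in sgs["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            for cidr in _cidr_sources(rule):
                if cidr in WORLD and _rule_covers_port(rule, admin_port):
                    findings.append({"group": sg["GroupId"], "source": cidr,
                                     "issue": f"admin port {admin_port} open to the world"})
                if _rule_covers_port(rule, tier_port):
                    findings.append({"group": sg["GroupId"], "source": cidr,
                                     "issue": f"tier port {tier_port} allowed from a CIDR; "
                                              "reference the source tier's security group instead"})
    return findings


def tier_rule(port: int, source_group_id: str) -> dict:
    """The hardened form: the same port, but sourced from a security group, not a CIDR."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": source_group_id}]}


# Constructed sample: a web tier, an app tier opened to the web-layer CIDR (the
# anti-pattern from the page), a bastion with RDP open to the world, and the fixed app tier.
SAMPLE_SGS = {"SecurityGroups": [
    {"GroupId": "sg-web00001", "GroupName": "web-security-group", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app00001", "GroupName": "app-security-group", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [{"CidrIp": "10.10.0.0/24"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-bast0001", "GroupName": "bastion-security-group", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app00002", "GroupName": "app-security-group-fixed",
     "IpPermissions": [tier_rule(8080, "sg-web00001")]},
]}


if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_SGS, tier_port=8080):
        print(finding)
```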



Question : You have kept a Windows EC2 instance in a private subnet and configured its security group to allow outbound traffic to the Internet and deny any incoming traffic from the Internet. Now you need to install a patch which can only be downloaded from the vendor's website. Please select the correct statement which applies.
A. You log in to the Windows EC2 instance, which sends the request over the Internet; however, the patch download will fail, because you can send requests to the Internet but incoming traffic is denied.
B. You log in to the Windows EC2 instance, which sends the request over the Internet, and the patch download will succeed.
C. You log in to the Windows EC2 instance, which sends the request over the Internet, and the patch download will succeed only if you include a request_id parameter with the request, so that the response can be authenticated against the same request_id.
D. No, you cannot install the patch on your own. You have to raise an AWS support request.

1. You log in to the Windows EC2 instance, which sends the request over the Internet; however, the patch download will fail, because you can send requests to the Internet but incoming traffic is denied.
2. You log in to the Windows EC2 instance, which sends the request over the Internet, and the patch download will succeed.
3. Access Mostly Uused Products by 50000+ Subscribers
4. No, you cannot install the patch on your own. You have to raise an AWS support request.