
AWS Certified Solutions Architect - Professional Questions and Answers (Dumps and Practice Questions)



Question : You are designing a data leak prevention solution for your VPC environment. You want your VPC Instances to be able to access software depots and distributions on the
Internet for product updates. The depots and distributions are accessible via third party CDNs by their URLs. You want to explicitly deny any other outbound connections from your VPC
instances to hosts on the internet. Which of the following options would you consider?

1. Configure a web proxy server in your VPC and enforce URL-based rules for outbound access. Remove default routes.
2. Implement security groups and configure outbound rules to only permit traffic to software depots.
4. Implement network access control lists to all specific destinations, with an implicit deny as a rule.



Security Group
Operates at the instance level (first layer of defense)
Supports allow rules only
Is stateful: Return traffic is automatically allowed, regardless of any rules
We evaluate all rules before deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on

Network ACL
Operates at the subnet level (second layer of defense)
Supports allow rules and deny rules
Is stateless: Return traffic must be explicitly allowed by rules
We process rules in number order when deciding whether to allow traffic
Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group)






Question : You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet. The application must have a highly available architecture.
Which alternatives should you consider? (Choose 2 answers)

A. Configure a NAT instance in your VPC. Create a default route via the NAT instance and associate it with all subnets. Configure a DNS record that points to the NAT instance public
IP address.
B. Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers. Configure a Route53 CNAME record to your CloudFront
distribution.
C. Place all your web servers behind ELB. Configure a Route53 CNAME to point to the ELB DNS name.
D. Assign EIPs to all web servers. Configure a Route53 record set with all EIPs, with health checks and DNS failover.
E. Configure ELB with an EIP. Place all your Web servers behind ELB. Configure a Route53 record that points to the EIP.
1. A,B
2. B,C
4. D,E
5. A,E

Exp: NAT instances support outbound traffic, hence option A is not correct.
CloudFront's main purpose is to reduce the latency for web content, hence option B is also not correct.
You cannot assign an EIP to an ELB, hence option E is not correct. So the answer should be C and D.
Elastic Load Balancers do not have a fixed IP address - it is possible that a single ELB is actually multiple appliances, so as to overcome the bottleneck that would otherwise occur
with very high load (i.e. if all connections were passing through a single ELB). ELBs will scale up by increasing their number. As such, it is recommended that you use the DNS
address instead, as this can internally be mapped to the IP of any ELB appliance serving your requests (much like round robin DNS). Typically, you will use a CNAME to map the
provided DNS value to a subdomain (e.g. www) of your domain.





Question : An ERP application is deployed across multiple AZs in a single region. In the event of failure, the Recovery Time Objective (RTO) must be less than hours, and the
Recovery Point Objective (RPO) must be 15 minutes. The customer realizes that data corruption occurred roughly 1.5 hours ago.
What DR strategy could be used to achieve this RTO and RPO in the event of this kind of failure?


1. Take hourly DB backups to S3, with transaction logs stored in S3 every 5 minutes.
2. Use synchronous database master-slave replication between two availability zones.
4. Take 15 minute DB backups stored in Glacier with transaction logs stored in S3 every 5 minutes.



Answer: 1. RPO: 15 minutes (means you can lose a maximum of 15 minutes of data). RTO: 3 hrs (means you have 3 hours to bring your system back).
Glacier is not good for a 3 hr RTO (hence option 4 is out). Instance store is not good for backup (so option 3 is out).
Master-slave replication means that if the master is corrupted then the slave will also be corrupted. Hence the answer should be 1.




Related Questions


Question : QuickTechie.com is creating a VPC for their application hosting and has created two private subnets in the same AZ and created one subnet
in a separate zone. QuickTechie.com wants to make a HA system with the internal ELB. Which of the below mentioned statements is true with respect to an internal ELB in this scenario?
1. ELB can support only one subnet in each availability zone.
2. ELB does not allow subnet selection; instead it will automatically select all the available subnets of the VPC.
4. If the user is creating an internal ELB, he should use only private subnets.




Question : HadoopExam.com has set up a VPC with public and private subnets and does not want everyone to connect to the private VPC instance.
Instead it wants to set up secure access from a single IP. Which of the below mentioned options fits best as a solution?
1. Create an IAM user who will have secure access to the private subnet.
2. Allow only the public subnet to SSH to the private subnet.
4. Create a NAT instance which allows access only from the selected IP address.




Question : QuickTechie.com is planning to set up a 'warm standby' to AWS for fast recovery of the application in case of DR.
Which of the below mentioned configurations will not fit the 'warm standby' requirement?

1. Setup EC2 with the smallest server and ELB which run continuously.
2. Setup the backup data on S3 and transfer data regularly to S3 using the storage gateway.
4. Mirror the on-premises data to EC2.




Question : QuickTechie.com is running an application on an EBS backed EC2 instance for hours a day across days.
The application is a scalable web application which uses RDS for fetching data. Which of the below mentioned options
is a better scalable and cost effective solution for this scenario?
1. Use RDS with heavy utilized Reserved Instances and EC2 with medium utilized Reserved Instances.
2. Use both RDS and EC2 with heavy utilized Reserved Instances.
4. Use RDS with a medium utilized Reserved Instance and EC2 with low utilized Reserved Instances.




Question : QuickTechie.com has launched two applications, one for polling and one for review, on the same AWS Linux EC2 instance running in the AWS VPC.
It has attached two private IPs (primary and secondary) to the above mentioned instance and also wants the instance OS to recognize the secondary IP address.
How can the organization configure this?
1. Use the ec2-net-utility package which updates routing tables, uses DHCP to refresh the secondary IP and adds the network interface.
2. Use the ec2-ip-update package which can configure the network interface as well as update the secondary IP with DHCP.
4. Use the ec2-ip-utility package which can update the routing tables as well as refresh the secondary IP using DHCP.




Question : QuickTechie.com has set up a web application in the AWS VPC and is also running a database on an EC2 instance; the application server connects to the
DB server only on the internal IP. QuickTechie is looking for HA and DR for the database. Which of the below mentioned options fulfils QuickTechie's need for a DB backup?

1. Setup the database in the private subnet and keep a hot standby running in the public subnet for immediate failover.
2. Use the AWS storage gateway with VPC to switchover from the primary to secondary DB in separate zones.
4. Setup the database on the instance with an elastic network interface which will have a fixed private IP address and also keep a hot standby running in a separate zone
with a different subnet.