AWS Certified SysOps Administrator – Chapter – 3

Review Questions

You have implemented a Classic Load Balancer. You now need to collect some information, specifically the IP address of the client making the request to the Classic Load Balancer. How would you collect this information?

  • Enable CloudWatch and monitor the HostConnect metric.
  • Use AWS CloudTrail and monitor the eventSource API.
  • You would not be able to collect this Information in a Classic Load Balancer –it is only available with Application Load Balancers.
  • Use access logs.
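As an added example (not part of the original review questions), the parser below pulls the client address out of Classic Load Balancer access log lines and also shows the complementary check a backend can make on the X-Forwarded-For header. The log lines, load balancer name and addresses are constructed for this example; the field layout follows the documented CLB access log format. The practical caveat: X-Forwarded-For is client-supplied text, and only the entry the load balancer itself appended (the rightmost one, or further left when a trusted proxy such as CloudFront sits in front) can be trusted.

```python
import re
from collections import Counter

# The 15 documented Classic Load Balancer access log fields. The request and
# user-agent fields are quoted; "-" stands in for absent values (no backend
# reached, no TLS).
CLB_LINE = re.compile(
    r'^(?P<timestamp>\S+) (?P<elb>\S+) '
    r'(?P<client_ip>\S+):(?P<client_port>\d+) '
    r'(?P<backend>\S+) '
    r'(?P<request_processing_time>\S+) (?P<backend_processing_time>\S+) '
    r'(?P<response_processing_time>\S+) '
    r'(?P<elb_status_code>\d+) (?P<backend_status_code>\S+) '
    r'(?P<received_bytes>\d+) (?P<sent_bytes>\d+) '
    r'"(?P<request>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<ssl_cipher>\S+) (?P<ssl_protocol>\S+)$'
)

# Constructed sample lines (documentation-range addresses, hypothetical
# load balancer name "my-loadbalancer").
SAMPLE_LINES = [
    '2015-05-13T23:39:43.945958Z my-loadbalancer 203.0.113.10:2817 10.0.0.1:80 '
    '0.000073 0.001048 0.000057 200 200 0 29 '
    '"GET http://www.example.com:80/ HTTP/1.1" "curl/7.38.0" - -',
    '2015-05-13T23:39:44.105921Z my-loadbalancer 203.0.113.10:2818 10.0.0.1:80 '
    '0.000062 0.000983 0.000049 200 200 0 512 '
    '"GET http://www.example.com:80/login HTTP/1.1" "curl/7.38.0" - -',
    # No healthy backend: backend is "-", backend status is "-", ELB returns 503.
    '2015-05-13T23:39:45.002118Z my-loadbalancer 198.51.100.7:41022 - '
    '0.000015 -1 -1 503 - 94 0 '
    '"POST http://www.example.com:80/login HTTP/1.1" "Mozilla/5.0" - -',
    '2015-05-13T23:39:46.330004Z my-loadbalancer 203.0.113.10:2819 10.0.0.2:443 '
    '0.000081 0.001202 0.000061 200 200 0 1480 '
    '"GET https://www.example.com:443/admin HTTP/1.1" "curl/7.38.0" '
    'ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2',
]


def parse_line(line):
    """Return the fields of one access log line as a dict; ints converted."""
    m = CLB_LINE.match(line.strip())
    if m is None:
        raise ValueError("not a Classic Load Balancer access log line: %r" % line)
    fields = m.groupdict()
    for key in ("client_port", "elb_status_code", "received_bytes", "sent_bytes"):
        fields[key] = int(fields[key])
    return fields


def requests_by_client(lines):
    """Request count per client IP, the answer to 'who is talking to the CLB'."""
    return Counter(parse_line(l)["client_ip"] for l in lines)


def clients_with_errors(lines, min_status=400):
    """Client IPs that received an ELB status code >= min_status."""
    return {f["client_ip"] for f in map(parse_line, lines)
            if f["elb_status_code"] >= min_status}


def client_ip_from_xff(header, trusted_hops=1):
    """Pick the client address out of X-Forwarded-For as seen by the backend.

    The load balancer appends the TCP peer address to whatever the client
    already sent, so entries left of the last `trusted_hops` are attacker
    controlled. trusted_hops=1 means only the CLB is trusted; use 2 when a
    trusted proxy such as CloudFront is in front of it.
    """
    hops = [h.strip() for h in header.split(",") if h.strip()]
    if len(hops) < trusted_hops:
        raise ValueError("fewer X-Forwarded-For entries than trusted hops")
    return hops[-trusted_hops]


if __name__ == "__main__":
    print(requests_by_client(SAMPLE_LINES))
    print(clients_with_errors(SAMPLE_LINES))
    print(client_ip_from_xff("10.1.2.3, 203.0.113.10"))
```

Access logs are the reliable record at the load balancer; the X-Forwarded-For route only works for HTTP/HTTPS listeners (a TCP listener needs Proxy Protocol instead), and the backend must count hops from the right, never take the first entry.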

You just updated the port of the health check for an Application Load Balancer. You go into the CloudWatch console, but you are not seeing the health check. What could possibly be the reason?

  • The CloudWatch console does not display information on the number of healthy hosts.
  • You find this information in the Amazon EC2 Management Console.
  • You should review your security group’s rules to make sure that traffic is allowed to that port.
  • You need to restart your Application Load Balancer after you make this change.

You need to establish a highly available connection between your Amazon VPC and your datacenter. What is the best way to accomplish this?

  • Create an AWS Direct Connect connection between your datacenter and your AWS VPC.
  • Spin up multiple Amazon EC2 instances across two Availability Zones. Load VPN software onto the Amazon EC2 instances. Set internal routing such that if one Amazon EC2 instance fails the other takes over.
  • Set up a Virtual Private Gateway with a route out to your datacenter.
  • Set up a Virtual Private Gateway. Make sure that you have two customer gateways configured.

You are using Amazon Route 53 as your DNS provider. You have a web application that is running in your datacenter located in Las Vegas, NV and in the AWS Frankfurt, Germany Region. What step would you take to minimize the load times for this web application?

  • Implement a geolocation routing policy when

You are trying to SSH into an Amazon EC2 instance in your Amazon VPC but are unable to do so. What should you be checking?

  • Make sure that you have a Virtual Private Gateway attached to your VPC, that the VPC route table has an entry that routes packets to the Internet, and that the Network ACL has an inbound rule that allows traffic on port 80.
  • Make sure that you have an Internet gateway attached to your VPC, that the VPC route table has an entry that routes packets to the Internet, and that the Network ACL has an inbound rule that allows SSH.
  • Make sure that you have an Internet gateway attached to your Amazon VPC, that the VPC route table has an entry that routes packets to the Internet, that the Network ACL has an inbound and an outbound rule that allows SSH, and that the Amazon EC2 instance has a security group rule that allows inbound SSH.
  • Make sure that you have an Internet gateway attached to your Amazon VPC, that the VPC route table has an entry that routes packets to the Internet, that the Network ACL has an inbound and an outbound rule that allows SSH, and that the Amazon EC2 instance has a security group rule that allows inbound SSH. Make sure that the EC2 instance has a public or Elastic IP address associated with it.

Why would you place an Amazon EC2 instance in a private subnet?

  • To decrease the latency in reaching the instance
  • Because you have more available IP addresses in a private subnet than you do in a public subnet
  • As a way of providing an additional layer of security
  • Because with some Amazon EC2 instances, you are obligated to place them in a private subnet

You need to order an AWS Direct Connect circuit. What do you need on your side to implement AWS Direct Connect successfully?

  • A router that supports BGP, with single mode fiber, and with a 1 or 10 Gig Ethernet port. You also need both a public and a private Autonomous System Number.
  • A router that supports OSPF and has a 10 Gig Ethernet port. You also need a private Autonomous System Number.
  • A switch that supports single mode fiber with a 1 or 10 Gig Ethernet port.
  • A router that supports BGP with single mode fiber and with a 1 or 10 Gig Ethernet port. You also need both a public and a private Autonomous System Number. Finally, you need the ability to issue a LOA/CFA to AWS.
  • A router that supports static routing with single mode fiber and that has a 1 or 10 Gig Ethernet port

What would NOT be a reason to get AWS Direct Connect?

  • Increased latency
  • Decreased data transfer out costs
  • Connecting VPCs in different regions
  • Connectivity between your WAN and AWS

What is a private VIF?

  • The physical connection between AWS and the customer location
  • The logical interface between the customer location and those AWS resources located inside the VPC
  • The logical interface between the customer location and those AWS resources located outside the VPC

What statement is true about Internet gateways?

  • For high availability, you should have one Internet gateway per Availability Zone.
  • Internet gateways come with public IP addresses already assigned.
  • You cannot have a VPC with both an Internet gateway and a Virtual Private Network gateway.
  • An Internet gateway is needed if you want to connect to AWS services outside of the VPC.

You have noticed that your web servers have come under a phishing attack. You have identified the IP address that is the source of this attack. What should you do to mitigate this attack?

  • Configure a route table that directs packets from this IP address to a fictitious Amazon EC2 instance.
  • Configure the Network ACLs to block traffic from this IP address.
  • Configure the security group for your web servers to deny any protocols from this IP address.
  • Contact the AWS Help Desk, and ask them to put a block on the offending subnet.
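The SSH troubleshooting question and the source-blocking question above both come down to how the VPC data path is evaluated, so here is one added example (not from the original review questions) that models those checks: a numbered, stateless Network ACL with first-match semantics and an implicit deny; an allow-only, stateful security group; the subnet route table; and the instance's public address. It then reports which check fails for a given client, and shows why a deny has to be numbered ahead of the allow it is meant to override. All identifiers, CIDRs and the gateway ID are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Range AWS documents as the one to open for return traffic in a stateless NACL.
EPHEMERAL_PORTS = (1024, 65535)


def _matches(rule_proto, port_from, port_to, cidr, proto, port, addr):
    """Shared matching logic: protocol "-1" means all traffic and ignores ports."""
    if rule_proto != "-1":
        if rule_proto != proto or not (port_from <= port <= port_to):
            return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluated lowest first; the first matching rule wins
    protocol: str      # "tcp", "udp", "icmp" or "-1"
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str      # no action field: a security group can only allow
    port_from: int
    port_to: int
    cidr: str


def nacl_permits(rules, proto, port, addr):
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r.protocol, r.port_from, r.port_to, r.cidr, proto, port, addr):
            return r.action == "allow"
    return False       # the trailing "*" rule: deny everything unmatched


def sg_permits(rules, proto, port, addr):
    return any(_matches(r.protocol, r.port_from, r.port_to, r.cidr, proto, port, addr)
               for r in rules)


@dataclass
class Subnet:
    routes: list       # (destination CIDR, target) from the subnet's route table
    nacl_inbound: list
    nacl_outbound: list


@dataclass
class Instance:
    subnet: Subnet
    sg_inbound: list
    public_ip: Optional[str]


def route_target(routes, addr):
    """Longest-prefix match, as the VPC router does."""
    ip, best = ipaddress.ip_address(addr), None
    for dest, target in routes:
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def reachability_failures(igw_attached, inst, client_ip, dst_port=22, client_port=51515):
    """Every reason a client could fail to reach dst_port on the instance."""
    f = []
    if not igw_attached:
        f.append("no Internet gateway attached to the VPC")
    target = route_target(inst.subnet.routes, client_ip)
    if target is None or not target.startswith("igw-"):
        f.append("subnet route table has no Internet gateway route for %s" % client_ip)
    if inst.public_ip is None:
        f.append("instance has no public or Elastic IP")
    if not nacl_permits(inst.subnet.nacl_inbound, "tcp", dst_port, client_ip):
        f.append("network ACL inbound denies tcp/%d from %s" % (dst_port, client_ip))
    if not nacl_permits(inst.subnet.nacl_outbound, "tcp", client_port, client_ip):
        f.append("network ACL outbound denies the reply to %s:%d (NACLs are stateless)"
                 % (client_ip, client_port))
    if not sg_permits(inst.sg_inbound, "tcp", dst_port, client_ip):
        f.append("security group denies tcp/%d from %s" % (dst_port, client_ip))
    # No outbound security group check: groups are stateful, the reply is implied.
    return f


def block_source(nacl_inbound, cidr, number):
    """Add an explicit deny; it only takes effect if numbered below the allow."""
    return nacl_inbound + [NaclRule(number, "-1", 0, 65535, cidr, "deny")]


# Constructed configuration; "igw-0example" is a hypothetical gateway ID.
SUBNET_OK = Subnet(
    routes=[("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")],
    nacl_inbound=[NaclRule(100, "tcp", 22, 22, "0.0.0.0/0", "allow"),
                  NaclRule(110, "tcp", 80, 80, "0.0.0.0/0", "allow")],
    nacl_outbound=[NaclRule(100, "tcp", *EPHEMERAL_PORTS, "0.0.0.0/0", "allow")],
)
ADMIN_SG = [SgRule("tcp", 22, 22, "198.51.100.0/24")]

if __name__ == "__main__":
    host = Instance(SUBNET_OK, ADMIN_SG, "203.0.113.5")
    print(reachability_failures(True, host, "198.51.100.9"))   # expect []
    blocked = Subnet(SUBNET_OK.routes,
                     block_source(SUBNET_OK.nacl_inbound, "198.51.100.9/32", 90),
                     SUBNET_OK.nacl_outbound)
    print(reachability_failures(True, Instance(blocked, ADMIN_SG, "203.0.113.5"),
                                "198.51.100.9"))
```

Two points the model makes explicit: a Network ACL needs the outbound ephemeral-port rule because it does not track connections, whereas the security group needs no outbound rule for the reply; and blocking an address is a NACL job, since SgRule has no deny action and a deny rule numbered after a matching allow never fires.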

You have established three VPCs, all within the same region but in different accounts. What is the easiest way to establish connectivity between all three VPCs?

  • Designate one VPC as the master, and establish VPN peering between the master VPC and each of other VPCs.
  • Establish an AWS Direct Connect connection among all of the VPCs.
  • Establish a CloudHub with all three VPCs as participants.
  • Establish VPC peering between each pair of VPCs.
  • Install a Virtual Private Gateway (VPG) in each VPC, and establish an IPsec tunnel between each VPC using the AWS infrastructure.

What is the difference between an Internet-facing load balancer and an internal load balancer? (Choose two.)

  • There is no difference between the two.
  • Internet-facing load balancers are larger than internal load balancers.
  • By default, Internet-facing load balancers get their DNS names from DHCP servers, while internal load balancers do not.
  • The DNS name of an Internet-facing load balancer is publicly resolvable to the public IP address of the nodes.
  • The DNS name of an internal load balancer is publicly resolvable to the private IP address of the nodes.

What does a default VPC come with?

  • A /20 address space
  • Both an Internet gateway and a Virtual Private Network gateway
  • A route table that sends all IPv4 traffic destined for the Internet to the Internet gateway
  • A NAT instance

You need to monitor all traffic from the Internet to Amazon EC2 instances in a VPC. What AWS tool do you have at your disposal?

  • Amazon VPC Flow Logs
  • Amazon CloudWatch
  • AWS CloudTrail
  • AWS Network Management Console

Which statement is correct regarding Amazon CloudFront?

  • Amazon CloudFront will forward a file to the user as soon as it gets the first bytes.
  • Amazon CloudFront will wait until the entire file downloads in order to perform error checking before it forwards the file to the user.
  • Amazon CloudFront always delivers the most current version of the file to the user.
  • Amazon CloudFront is only located in AWS regions.

What are the best ways to control access to your content in the Amazon CloudFront edge locations? (Choose two.)

  • Use Origin Access Identity (OAI)
  • Signed URLs
  • Signed cookies
  • Policies that restrict access by IP address
Rajesh Kumar