AWS Interview Questions and Answers Part – 10

Instance A and instance B are running in two different subnets A and B of a VPC. Instance A is not able to ping instance B. What are two possible reasons for this?

  • The routing table of subnet A has no target route to subnet B & The security group attached to instance B does not allow inbound ICMP traffic.
  • The security group attached to instance B does not allow inbound ICMP traffic & The policy linked to the IAM role on instance A is not configured correctly.
  • The policy linked to the IAM role on instance A is not configured correctly & The NACL on subnet B does not allow outbound ICMP traffic.
  • The NACL on subnet B does not allow outbound ICMP traffic & The security group attached to instance B does not allow inbound ICMP traffic. (Ans)

Your web site is hosted on 10 EC2 instances in 5 regions around the globe with 2 instances per region. How could you configure your site to maintain site availability with minimum downtime if one of the 5 regions was to lose network connectivity for an extended period of time?

  • Create an Elastic Load Balancer to place in front of the EC2 instances. Set an appropriate health check on each ELB.
  • Establish VPN Connections between the instances in each region. Rely on BGP to failover in the case of region wide connectivity outage.
  • Create a Route 53 Latency Based Routing Record Set that resolves to an Elastic Load Balancer in each region. Set an appropriate health check on each ELB.
  • Create a Route 53 Latency Based Routing Record Set that resolves to Elastic Load Balancers in each region and has the Evaluate Target Health flag set to true. (Ans)

You are creating a fleet of EC2 instances that will be inside an autoscaling group. These EC2 instances will need to write custom metrics to CloudWatch and will need the appropriate permissions to do this. What is the most secure way to enable this?

  • Create a unique user in IAM with CloudWatch permissions and modify the autoscaling group to include a bootstrap script that passes that user's credentials to the EC2 instance.
  • Create a unique user in IAM with CloudWatch permissions and store these credentials in GitHub. Have the EC2 instances pull these credentials when they need to log to CloudWatch.
  • Create an IAM role with CloudWatch permissions and modify the autoscaling launch configuration to use EC2 instances that have been assigned the new role. (Ans)
  • Create an IAM role with CloudWatch permissions and assign this to RDS. The existing EC2 instances will automatically be able to report to CloudWatch via RDS.

What does the following policy do?

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "autoscaling:Describe*",
            "cloudwatch:*",
            "logs:*",
            "sns:*"
          ],
          "Effect": "Allow",
          "Resource": "*"
        }
      ]
    }

  • Allows full access to RDS
  • Allows Read Only Access to CloudWatch
  • Allows Write & Read Access to CloudWatch only.
  • Allows full access to CloudWatch (Ans)

You have a stateless web application on a m4.10xlarge EC2 instance. Your application is both memory and CPU intensive and is not performing well when under heavy load. Users are reporting long delays in the application’s performance. The application itself maintains its state in DynamoDB. The DynamoDB table is properly provisioned and responses are returning really fast. What option below will best resolve this issue?

  • There is obviously an issue with the memory/CPU load. Provision another m4.10xlarge EC2 instance and place both EC2 instances behind an Elastic Load Balancer to help even the load. (Ans)
  • The latency issue is being caused because the EC2 instance and the DynamoDB table are not in the same availability zone. Move the EC2 instance to the same AZ as the DynamoDB table.
  • DynamoDB is not performing fast enough due to the amount of load. Cache the queries using Elasticache.
  • Create a DynamoDB read replica to further scale the database out.

You are designing a network with a Bastion host (jump box) for security. Your network admins will SSH in to the bastion host and then on to other EC2 instances in a private subnet. You need your bastion host to be highly available. How should you build this environment?

  • Create 2 EC2 instances in separate availability zones. Place these instances behind an Elastic Load Balancer and then ask your SysAdmins to connect to the ELB's public DNS name via SSH.
  • Create 2 EC2 instances in the same subnet. Create a DNS entry in Route53 which uses Round Robin DNS and points to each instance. Tell your SysAdmins to connect using the new DNS entry.
  • Create 2 EC2 instances in different subnets. Create a DNS entry in Route53 which uses Round Robin DNS and points to each instance. Tell your SysAdmins to connect using the new DNS entry. (Ans)
  • Create 1 EC2 instance in private subnet. Connect to this EC2 instance using a site to site VPN. Configure your router to automatically reconnect if the VPN is dropped.

You have started a snapshot on an attached EBS Volume. Which of the below is true?

  • The EBS Volume cannot be attached or detached until the snapshot has been completed.
  • The EBS volume will be read only until the snapshot completes.
  • The EBS volume will be unusable until the snapshot completes.
  • The EBS volume can continue to be used while the snapshot is taking place. (Ans)

You have a web application which queries ElastiCache to cache your database queries. You are using Memcached with ElastiCache and you use CloudWatch metrics to monitor your Memcached performance. You notice that two metrics, Evictions (the number of non-expired items the cache evicted to allow space for new writes) and GetMisses (the number of get requests the cache has received where the key requested was not found), are getting very high. What should you do to scale your environment further?

  • Increase the number of nodes in your Memcached cluster or increase the size of each node in your cluster. (Ans)
  • Decrease the number of nodes in your Memcached cluster or decrease the size of each node in your cluster.
  • Migrate from Memcached to Redis.
  • Use CloudFront as an alternative caching engine.

You have an existing application which is hosted on premise and is a very popular bulletin board, receiving a lot of traffic. You will be migrating this application to AWS so that you can scale it further. You need to implement Chef recipes to configure the application servers in a scripted fashion. What AWS service would let you do this while reducing administrative overheads?

  • EC2
  • Elastic Beanstalk
  • OpsWorks (Ans)
  • CloudFront

Your company has moved to AWS because of the ability to use "scripted infrastructure". You would like to apply version control to your infrastructure (similar to software development) so that you can roll back infrastructure to a previous stable version if needed. You would also like to quickly deploy testing and staging environments in multiple regions. What services should you use to achieve this?

  • OpsWorks & a version control system such as GitHub.
  • Elastic Beanstalk & a version control system such as GitHub.
  • CloudWatch & a version control system such as GitHub.
  • CloudFormation & a version control system such as GitHub. (Ans)

You have a web application that is behind an autoscaling group. Something is going wrong with your application and it keeps causing the CPU to go up to 90%, which triggers an autoscaling event. You need to investigate the cause of this issue. What is the most efficient way to troubleshoot this issue with the minimum amount of downtime?

  • Take a snapshot of your EC2 instance. Delete the autoscaling group and the associated EC2 instances. Create a new EC2 instance from your snapshot and then begin troubleshooting. Once you have figured out the cause of the problem, take a new snapshot and use that snapshot as the base AMI for your new autoscaling group.
  • Suspend Autoscaling. SSH into the EC2 instance and begin troubleshooting. Once you have fixed the problem, resume Autoscaling. (Ans)
  • Delete the autoscaling group and the associated EC2 instances. Create a new EC2 instance from scratch and reinstall your application. Once you have figured out the cause of the problem, take a new snapshot and use that snapshot as the base AMI for your new autoscaling group.
  • Delete Autoscaling all together and rely on manual scaling based off SNS notifications sent to your SysOps team from the appropriate CloudWatch Metric.

You have created a new VPC with the CIDR block of 10.0.0.0/16. You create 2 subnets, 10.0.1.0/24 and 10.0.2.0/24. 10.0.1.0 will be a public subnet and 10.0.2.0 will be a private subnet. You deploy a NAT instance with the name i-7c1507ab into 10.0.1.0 and assign it a public IP address. You disable your source/destination checks on the NAT. You now need to update your route table to complete the setup. What should you update the route table to?

  • Destination: 0.0.0.0/0 Target: i-7c1507ab (Ans)
  • Destination: 10.0.2.0/24 Target: i-7c1507ab
  • Destination: 10.0.0.0/16 Target: i-7c1507ab
  • Destination: 10.0.1.0/16 Target: i-7c1507ab

What does the term PIOPS stand for when dealing with EBS?

  • Ephemeral Input Output Per Second
  • Physical Input Output Per Second
  • Provisioned Input Output Per Second (Ans)
  • Permanent Input Output Per Second

Which of the following SSL protocols is NOT supported by Elastic Load Balancers?

  • TLS 1.0
  • TLS 1.1
  • TLS 1.2
  • SSL 1.0 (Ans)
  • SSL 2.0
  • SSL 3.0

You have an EC2 instance which reports its CPU utilization back to CloudWatch every minute. If the CPU utilization is too high, a CloudWatch alarm will trigger an SNS notification to your sysadmins. Tonight you plan on running some routine tests which will cause CPU utilization to spike, and you need to disable the CloudWatch alarm. How should you do this?

  • You can’t disable CloudWatch Alarms.
  • Using the AWS console.
  • Using the AWS Command Line using the following command: mon-disable-alarm-actions (Ans)
  • Using CloudTrail

You have created a new VPC with the CIDR block of 10.0.0.0/16. You create a new internet gateway called IGW-55573321 and attach it to your VPC. You now need to create a route out to the newly attached internet gateway. What should you update the route table to?

  • Destination: 10.0.0.0/16 Target: IGW-55573321
  • Destination: 0.0.0.0/16 Target: IGW-55573321
  • Destination: 10.0.0.0/24 Target: IGW-55573321
  • Destination: 0.0.0.0/0 Target: IGW-55573321 (Ans)

You have created a new decoupled application using SQS and EC2. Essentially a user uploads an image to your Web Tier and this is stored in S3. A message is then stored on SQS and the Application tier then processes these messages and applies a watermark to the uploaded image. Unfortunately your application tier goes down for 3 days over a long weekend. When you get back in the office, you resolve the issue and the application tier becomes live again. What will happen to the SQS messages in the Queue? Will these be lost by default?

  • Yes because the default SQS message retention period is only 12 hours.
  • Yes because the default SQS message retention period is only 1 day.
  • No because the default SQS message retention period is 4 days. (Ans)
  • No because the default SQS message retention period is 14 days.

Rajesh Kumar