No student devices needed. Know more
20 questions
Which of the following statements are true with respect to VPC? (choose 2)
A subnet can have multiple route tables associated with it.
A network ACL can be associated with multiple subnets.
A route with target “local” on the route table can be edited to restrict traffic within VPC.
Subnet’s IP CIDR block can be same as the VPC CIDR block.
How many VPCs can an Internet Gateway be attached to at any given time?
2
5
1
By default 1. But it can be attached to any VPC peered with its belonging VPC.
Your organization was planning to develop a web application on AWS EC2. Application admin was tasked to perform AWS setup required to spin EC2 instance inside an existing private VPC. He/she has created a subnet and wants to ensure no other subnets in the VPC can communicate with your subnet except for the specific IP address. So he/she created a new route table and associated with the new subnet. When he/she was trying to delete the route with the target as local, there is no option to delete the route. What could have caused this behavior?
Policy attached to IAM user does not have access to remove routes.
A route with the target as local cannot be deleted.
You cannot add/delete routes when associated with the subnet. Remove associated, add/delete routes and associate again with the subnet.
There must be at least one route on the route table. Add a new route to enable delete option on existing routes.
Your organization has an existing VPC setup and has a requirement to route any traffic going from VPC to AWS S3 bucket through AWS internal network. So they have created VPC endpoint for S3 and configured to allow traffic for S3 buckets. The application you are developing involves sending traffic to AWS S3 bucket from VPC for which you planned to use a similar approach. You have created a new route table, added route to VPC endpoint and associated route table with your new subnet. However, when you are trying to send a request from EC2 to S3 bucket using AWS CLI, the request is getting failed with 403 access denied errors. What could be causing the failure?
AWS S3 bucket is in the different region than your VPC.
EC2 security group outbound rules not allowing traffic to S3 prefix list.
VPC endpoint might have a restrictive policy and does not contain the new S3 bucket.
S3 bucket CORS configuration does not have EC2 instance as the origin.
Which of the following is an AWS component which consumes resources from your VPC?
Internet Gateway
Gateway VPC Endpoints
Elastic IP Addresses
NAT Gateway
You have successfully set up a VPC peering connection in your account between two VPCs – VPC A and VPC B, each in a different region. When you are trying to make a request from VPC A to VPC B, request getting failed. Which of the following could be a reason?
Cross region peering is not supported in AWS
CIDR blocks of both VPCs might be overlapping.
Routes not configured in route tables for peering connections.
VPC A security group default outbound rules not allowing traffic to VPC B IP range.
VPC A security group default outbound rules not allowing traffic to VPC B IP range.
In a Network ACL, for a successful HTTPS connection, add an inbound rule with HTTPS type, IP range in source and ALLOW traffic.
In a Network ACL, for a successful HTTPS connection, you must add an inbound rule and outbound rule with HTTPS type, IP range in source and destination respectively and ALLOW traffic.
In a Security Group, for a successful HTTPS connection, add an inbound rule with HTTPS type and IP range in the source.
In a Security Group, for a successful HTTPS connection, you must add an inbound rule and outbound rule with HTTPS type, IP range in source and destination respectively.
You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? (Choose 2)
Configure web server VPC security groups to allow traffic from your customers’ IPs
Configure your web servers to filter traffic based on the ELB’s “X-forwarded-for” header
Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic
A user has created a VPC with public and private subnets using the VPC Wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. Which of the below mentioned entries are required in the main route table to allow the instances in VPC to communicate with each other?
Destination : 20.0.0.0/24 and Target : VPC
Destination : 20.0.0.0/24 and Target : VPC
Destination : 20.0.0.0/0 and Target : ALL
Destination : 20.0.0.0/16 and Target : Local
A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the internet?
Use the internet gateway with a private IP
Allow outbound traffic in the security group for port 80 to allow internet updates
The private subnet can never connect to the internet
Use NAT with an elastic IP
A user has launched an EC2 instance and installed a website with the Apache web server. The webserver is running but the user is not able to access the website from the Internet. What can be the possible reason for this failure?
The security group of the instance is not configured properly.
The instance is not configured with the proper key-pairs.
The Apache website cannot be accessed from the Internet.
Instance is not configured with an elastic IP.
A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group?
For Inbound allow Source: 20.0.1.0/24 on port 80
For Outbound allow Destination: 0.0.0.0/0 on port 80
For Inbound allow Source: 20.0.0.0/24 on port 80
For Outbound allow Destination: 0.0.0.0/0 on port 443
A user has created a VPC with CIDR 20.0.0.0/24. The user has used all the IPs of CIDR and wants to increase the size of the VPC. The user has two subnets: public (20.0.0.0/25) and private (20.0.0.128/25). How can the user change the size of the VPC?
The user can delete all the instances of the subnet. Change the size of the subnets to 20.0.0.0/32 and 20.0.1.0/32, respectively. Then the user can increase the size of the VPC using CLI
It is not possible to change the size of the VPC once it has been created
User can add a subnet with a higher range so that it will automatically increase the size of the VPC
User can delete the subnets first and then modify the size of the VPC
You have deployed a three-tier web application in a VPC with a CIDR block of 10.0.0.0/28. You initially deploy two web servers, two application servers, two database servers and one NAT instance tor a total of seven EC2 instances The web. Application and database servers are deployed across two availability zones (AZs). You also deploy an ELB in front of the two web servers, and use Route53 for DNS Web (raffle gradually increases in the first few days following the deployment, so you attempt to double the number of instances in each tier of the application to handle the new load unfortunately some of these new instances fail to launch. Which of the following could the root caused? (Choose 2)
The Internet Gateway (IGW) of your VPC has scaled-up adding more instances to handle the traffic spike, reducing the number of available private IP addresses for new instance launches.
AWS reserves one IP address in each subnet’s CIDR block for Route53 so you do not have enough addresses left to launch all of the new EC2 instances.
AWS reserves the first and the last private IP address in each subnet’s CIDR block so you do not have enough addresses left to launch all of the new EC2 instances.
AWS reserves the first and the last private IP address in each subnet’s CIDR block so you do not have enough addresses left to launch all of the new EC2 instances.
You have an Amazon VPC with one private subnet and one public subnet with a Network Address Translator (NAT) server. You are creating a group of Amazon Elastic Cloud Compute (EC2) instances that configure themselves at startup via downloading a bootstrapping script from Amazon Simple Storage Service (S3) that deploys an application via GIT. Which setup provides the highest level of security?
Amazon EC2 instances in private subnet, no EIPs, route outgoing traffic via the NAT
Amazon EC2 instances in public subnet, no EIPs, route outgoing traffic via the Internet Gateway (IGW)
Amazon EC2 instances in private subnet, assign EIPs, route outgoing traffic via the Internet Gateway (IGW)
Amazon EC2 instances in public subnet, assign EIPs, route outgoing traffic via the NAT
You have a load balancer configured for VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer's DNS name. Which options are probable causes of this behavior? (Choose 2)
The load balancer was not configured to use a public subnet with an Internet gateway configured
The Amazon EC2 instances do not have a dynamically allocated private IP address
The security groups or network ACLs are not property configured for web traffic.
The load balancer is not configured in a private subnet with a NAT instance.
The VPC does not have a VGW configured.
When will you incur costs with an Elastic IP address (EIP)?
When an EIP is allocated.
When it is allocated and associated with a running instance.
When it is allocated and associated with a stopped instance.
Costs are incurred regardless of whether the EIP is associated with a running instance.
You are working as a Solutions Architect in a top software development company in Silicon Valley. The company has multiple applications hosted in their VPC. While you are monitoring the system, you noticed that multiple port scans are coming in from a specific IP address block which are trying to connect to several AWS resources inside your VPC. The internal security team has requested that all offending IP addresses be denied for the next 24 hours for security purposes.
Which of the following is the best method to quickly and temporarily deny access from the specified IP addresses?
Create a policy in IAM to deny access from the IP Address block.
Modify the Network Access Control List associated with all public subnets in the VPC to deny access from the IP Address block.
Modify the Network Access Control List associated with all public subnets in the VPC to deny access from the IP Address block.
Configure the firewall in the operating system of the EC2 instances to deny access from the IP address block.
You are working for a FinTech startup as their AWS Solutions Architect. You deployed an application on different EC2 instances with Elastic IP addresses attached for easy DNS resolution and configuration. These servers are only accessed from 8 AM to 6 PM and can be stopped from 6 PM to 8 AM for cost efficiency using Lambda with the script that automates this based on tags.
Which of the following will occur when an EC2-VPC instance with an associated Elastic IP is stopped and started? (Choose 2)
The underlying host for the instance is possibly changed.
The ENI (Elastic Network Interface) is detached.
All data on the attached instance-store devices will be lost.
The Elastic IP address is disassociated with the instance.
There will be no changes
A company is using a custom shell script to automate the deployment and management of their EC2 instances. The script is using various AWS CLI commands such as revoke-security-group-ingress, revoke-security-group-egress, run-scheduled-instances and many others.
In the shell script, what does the revoke-security-group-ingress command do?
Removes one or more security groups from a rule.
Removes one or more security groups from a rule.
Removes one or more ingress rules from a security group.
Removes one or more egress rules from a security group.
Explore all questions with a free account