Last Updated on September 4, 2021 by Admin 2

SAP-C01 : AWS Certified Solutions Architect – Professional : Part 18

  1. One of the components that is part of ec2-net-utils used with ENIs is ec2ifscan.

    Which of the following is not correct about ec2-net-utils?

    • ec2-net-utils generates an interface configuration file suitable for use with DHCP.
    • ec2-net-utils extends the functionality of the standard ifup.
    • ec2-net-utils detaches a primary network interface from an instance.
    • ec2-net-utils identifies network interfaces when they are attached, detached, or reattached to a running instance.
    Explanation:
    Each instance in a VPC has a default elastic network interface (the primary network interface) that is assigned a private IP address from the IP address range of your VPC. You cannot detach a primary network interface from an instance. You can create and attach additional elastic network interfaces. Amazon Linux AMIs may contain additional scripts installed by AWS, known as ec2-net-utils. One of the components that is part of ec2-net-utils used with ENIs is ec2ifscan. Its function is to check for network interfaces that have not been configured and configure them.
  2. A user wants to create a public subnet in VPC and launch an EC2 instance within it. The user has not selected the option to assign a public IP address while launching the instance.

    Which of the below-mentioned statements is true with respect to this scenario?

    • The instance will always have a public DNS attached to the instance by default
    • The user would need to create a default route to IGW in subnet’s route table and then attach an elastic IP to the instance to connect from the internet
    • The user can directly attach an elastic IP to the instance
    • The instance will never launch if the public IP is not assigned
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet within a VPC and launch instances inside that subnet. When launching an instance, the user needs to select the option that attaches a public IP to the instance. If the user has not selected the option to attach the public IP, the instance will only have a private IP when launched, and the user cannot connect to it from the internet. If the user wants an elastic IP to connect to the instance from the internet, he should create an internet gateway and assign an elastic IP to the instance.
  3. A user has created a VPC with a public subnet. The user has terminated all the instances which are part of the subnet.

    Which of the below-mentioned statements is true with respect to this scenario?

    • The subnet to which the instances were launched with will be deleted
    • When the user launches a new instance it cannot use the same subnet
    • The user cannot delete the VPC since the subnet is not deleted
    • Secondary network interfaces attached to the terminated instances may persist.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet within a VPC and launch instances inside that subnet. When an instance is launched it will have a network interface attached to it. The user cannot delete the subnet until he terminates the instance and deletes the network interface. By default, network interfaces that are automatically created and attached to instances using the console are set to terminate when the instance terminates. However, network interfaces created using the command line interface aren’t set to terminate when the instance terminates.
  4. When configuring your customer gateway to connect to your VPC, the ________ Association is established first between the virtual private gateway and customer gateway using the Pre-Shared Key as the authenticator.

    • IPsec
    • BGP
    • IKE Security
    • Tunnel
    Explanation:
    When configuring your customer gateway to connect to your VPC, several steps need to be completed. The IKE Security Association is established first between the virtual private gateway and customer gateway using the Pre-Shared Key as the authenticator.
  5. An organization is trying to set up a VPC with Auto Scaling. Which of the configuration steps below is not required to set up AWS VPC with Auto Scaling?

    • Configure the Auto Scaling group with the VPC ID in which instances will be launched.
    • Configure the Auto Scaling Launch configuration with multiple subnets of the VPC to enable the Multi AZ feature.
    • Configure the Auto Scaling Launch configuration which does not allow assigning a public IP to instances.
    • Configure the Auto Scaling Launch configuration with the VPC security group.
    Explanation:
    The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an Auto Scaling group. Before creating the Auto Scaling group it is recommended that the user creates the Launch configuration. Since it is a VPC, it is recommended to select the parameter which does not allow assigning a public IP to the instances.
    The user should also set the VPC security group with the Launch configuration and select the subnets where the instances will be launched in the Auto Scaling group. HA will be provided as the subnets may be part of separate AZs.
  6. An organization is planning to host a WordPress blog as well as a Joomla CMS on a single instance launched within a VPC. The organization wants to create separate domains for each application using Route 53. The organization may have about ten such instances, each running these two applications. While launching each instance, the organization configured two separate network interfaces (primary + secondary ENI), each with its own Elastic IP, on the instance. The suggestion was to use a public IP from AWS instead of an Elastic IP, as the number of Elastic IPs allocated per region is restricted in the account.

    What action will you recommend to the organization?

    • Only Elastic IP can be used by requesting limit increase, since AWS does not assign a public IP to an instance with multiple ENIs.
    • AWS VPC does not attach a public IP to an ENI; so the only way is to use an Elastic IP.
    • I agree with the suggestion but will prefer that the organization should use separate subnets with each ENI for different public IPs.
    • I agree with the suggestion and it is recommended to use a public IP from AWS since the organization is going to use DNS with Route 53.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC.
    The user can attach up to two ENIs with a single instance. However, AWS cannot assign a public IP when there are two ENIs attached to a single instance. It is recommended to assign an elastic IP in this scenario. If the organization wants more than 5 EIPs they can request AWS to increase the number.
  7. A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance.

    Which of the below-mentioned entries is not required in the NAT’s security group for the database servers to connect to the Internet for software updates?

    • For Outbound allow Destination: 0.0.0.0/0 on port 443
    • For Inbound allow Source: 20.0.1.0/24 on port 80
    • For Inbound allow Source: 20.0.0.0/24 on port 80
    • For Outbound allow Destination: 0.0.0.0/0 on port 80
    Explanation:
    A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created a public and a private subnet to host the web server and DB server respectively, the user should configure the instances in the private subnet to connect to the internet through the NAT instance. The user should first configure the NAT instance so that it can receive traffic on ports 80 and 443 from the private subnet. Thus, allow ports 80 and 443 Inbound from the private subnet 20.0.1.0/24. Then, to route this traffic to the internet, allow ports 80 and 443 Outbound with destination 0.0.0.0/0. The NAT’s security group should not have an entry for the public subnet CIDR.
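    The rule set the explanation describes can be checked mechanically. The following is an added example, not part of the original question bank: a small evaluator of allow-only, stateful security-group rules that reproduces the NAT security group from the question (private subnet 20.0.1.0/24 inbound, 0.0.0.0/0 outbound, ports 80 and 443), verifies that both legs of a DB server's update fetch are permitted, and flags any rule that no expected flow ever uses. The traffic sample and the repository address 203.0.113.5 are constructed for the example; the `Rule` type and helper names are assumptions of this example, not AWS API objects.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security-group rule (hypothetical model for this example).
    Security groups are allow-only, so a rule never denies traffic."""
    direction: str   # "inbound" or "outbound"
    cidr: str        # source CIDR for inbound, destination CIDR for outbound
    port: int


# Constructed to mirror the question: the NAT instance's security group with only
# the four entries the explanation calls for.
NAT_SG = [
    Rule("inbound", "20.0.1.0/24", 80),
    Rule("inbound", "20.0.1.0/24", 443),
    Rule("outbound", "0.0.0.0/0", 80),
    Rule("outbound", "0.0.0.0/0", 443),
]


def allows(rules, direction, ip, port):
    """True if some rule permits a flow in `direction` to/from `ip` on `port`."""
    addr = ipaddress.ip_address(ip)
    return any(
        r.direction == direction
        and r.port == port
        and addr in ipaddress.ip_network(r.cidr, strict=False)
        for r in rules
    )


def db_update_path_ok(rules, db_ip, repo_ip, port):
    """Both legs of a DB server's update: DB -> NAT (inbound on the NAT's group)
    and NAT -> repository (outbound). Security groups are stateful, so the
    replies to each leg need no rule of their own."""
    return allows(rules, "inbound", db_ip, port) and allows(rules, "outbound", repo_ip, port)


def unused_rules(rules, flows):
    """Rules that no flow in `flows` matches; each is a least-privilege candidate
    for removal. `flows` is a list of (direction, ip, port) tuples."""
    unused = []
    for r in rules:
        net = ipaddress.ip_network(r.cidr, strict=False)
        hit = any(
            d == r.direction and p == r.port and ipaddress.ip_address(ip) in net
            for d, ip, p in flows
        )
        if not hit:
            unused.append(r)
    return unused


# Constructed traffic: a DB server in 20.0.1.0/24 fetching updates over 80 and 443
# from a documentation-range address standing in for a package repository.
DB_UPDATE_FLOWS = [
    ("inbound", "20.0.1.10", 80),
    ("inbound", "20.0.1.10", 443),
    ("outbound", "203.0.113.5", 80),
    ("outbound", "203.0.113.5", 443),
]

if __name__ == "__main__":
    assert db_update_path_ok(NAT_SG, "20.0.1.10", "203.0.113.5", 443)
    # The entry from the question that is not required: the public subnet's CIDR.
    extra = NAT_SG + [Rule("inbound", "20.0.0.0/24", 80)]
    print(unused_rules(extra, DB_UPDATE_FLOWS))
```

    Running the script prints the single public-subnet rule as unused, which is the entry the question asks you to identify; with only the four intended rules, `unused_rules` returns an empty list and both update legs pass.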
  8. A user has created a VPC with public and private subnets using the VPC wizard. Which of the below-mentioned statements is true in this scenario?

    • The user has to manually create a NAT instance
    • The Amazon VPC will automatically create a NAT instance with the micro size only
    • VPC updates the main route table used with the private subnet, and creates a custom route table with a public subnet
    • VPC updates the main route table used with a public subnet, and creates a custom route table with a private subnet
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created a public subnet, the instances in the public subnet can receive inbound traffic directly from the internet, whereas the instances in the private subnet cannot. If these subnets are created with the wizard, AWS will create a NAT instance of a smaller or larger size, as selected. The VPC has an implied router, and the VPC wizard updates the main route table used with the private subnet, creates a custom route table, and associates it with the public subnet.
  9. A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet.

    How can the instances in the private subnet connect to the internet?

    • The private subnet can never connect to the internet
    • Use NAT with an elastic IP
    • Use the internet gateway with a private IP
    • Allow outbound traffic in the security group for port 80 to allow internet updates
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created two subnets (one private and one public), they would need a Network Address Translation (NAT) instance with an elastic IP address. This enables the instances in the private subnet to send requests to the internet (for example, to perform software updates).
  10. A user has created a VPC with public and private subnets using the VPC Wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24.

    Which of the below-mentioned entries is required in the main route table to allow the instances in the VPC to communicate with each other?

    • Destination : 20.0.0.0/0 and Target : ALL
    • Destination : 20.0.0.0/16 and Target : Local
    • Destination : 20.0.0.0/24 and Target : Local
    • Destination : 20.0.0.0/16 and Target : ALL
    Explanation:
    A user can create a subnet within a VPC and launch instances inside that subnet. If the user has created a public and a private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with the wizard, AWS will create two route tables and attach them to the subnets. The main route table will have the entry “Destination: 20.0.0.0/16 and Target: Local”, which allows all instances in the VPC to communicate with each other.
  11. You want to establish redundant VPN connections and customer gateways on your network by setting up a second VPN connection.

    Which of the following will ensure that this functions correctly?

    • The customer gateway IP address for the second VPN connection must be publicly accessible.
    • The virtual gateway IP address for the second VPN connection must be publicly accessible.
    • The customer gateway IP address for the second VPN connection must use dynamic routes.
    • The customer gateway IP address for the second VPN connection must be privately accessible and be the same public IP address that you are using for the first VPN connection.
    Explanation:
    To establish redundant VPN connections and customer gateways on your network, you would need to set up a second VPN connection. However, you must ensure that the customer gateway IP address for the second VPN connection is publicly accessible.
  12. Someone is creating a VPC for their application hosting. He has created two private subnets in the same availability zone and created one subnet in a separate availability zone. He wants to make a High Availability system with an internal Elastic Load Balancer.

    Which choice is true regarding internal ELBs in this scenario? (Choose two.)

    • Internal ELBs should only be launched within private subnets.
    • Amazon ELB service does not allow subnet selection; instead it will automatically select all the available subnets of the VPC.
    • Internal ELBs can support only one subnet in each availability zone.
    • An internal ELB can support all the subnets irrespective of their zones.
    Explanation:
    The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as elastic load balancers and EC2 instances. There are two kinds of ELB available with a VPC: internet-facing and internal (private). For internal servers, such as app servers, the organization can create an internal load balancer in its VPC and then place back-end application instances behind it. The internal load balancer will route requests to the back-end application instances, which also use private IP addresses and only accept requests from the internal load balancer. The internal ELB supports only one subnet in each AZ and asks the user to select a subnet while configuring the internal ELB.
  13. To ensure failover capabilities on an elastic network interface (ENI), what should you use for incoming traffic?

    • A Route53 A record
    • A secondary private IP
    • A secondary public IP
    • A secondary ENI
    Explanation:
    To ensure failover capabilities on an elastic network interface (ENI), consider using a secondary private IP for incoming traffic; if a failure occurs, you can move the interface and/or the secondary private IP address to a standby instance.
  14. An organization is setting up a highly scalable application using Elastic Beanstalk. The organization is using ELB and RDS with VPC. The organization has public and private subnets within the cloud.

    Which of the below-mentioned configurations will not work in this scenario?

    • To set up RDS in a private subnet and ELB in a public subnet.
    • The configuration must have public and private subnets in the same AZ.
    • The configuration must have two private subnets in separate AZs.
    • The EC2 instance should have a public IP assigned to it.
    Explanation:
    The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. If the organization is planning to implement a scalable, secure application using RDS, VPC and ELB, the organization should follow the configurations mentioned below:
    Set up RDS in a private subnet.
    Set up ELB in a public subnet.
    Since RDS needs a subnet group, the organization should have two private subnets in the same zone.
    The ELB needs the private and public subnets to be part of the same AZs.
    It is not required that instances have a public IP assigned to them. The instances can be part of a private subnet and the organization can set up a corresponding routing mechanism.
  15. In DynamoDB, a projection is __________.

    • systematic transformation of the latitudes and longitudes of the locations inside your table
    • importing data from your file to a table
    • exporting data from a table to your file
    • the set of attributes that is copied from a table into a secondary index
    Explanation:
    In DynamoDB, a projection is the set of attributes that is copied from a table into a secondary index.
  16. Which of the following is NOT true of the DynamoDB Console?

    • It allows you to add local secondary indexes to existing tables.
    • It allows you to query a table.
    • It allows you to set up alarms to monitor your table’s capacity usage.
    • It allows you to view items stored in a table, and add, update, and delete items.
    Explanation:
    The DynamoDB Console lets you do the following: Create, update, and delete tables. The throughput calculator provides you with estimates of how many capacity units you will need to request based on the usage information you provide. View items stored in a table, and add, update, and delete items. Query a table. Set up alarms to monitor your table’s capacity usage. View your table’s top monitoring metrics on real-time graphs from CloudWatch. View alarms configured for each table and create custom alarms.
  17. DynamoDB uses ________ only as a transport protocol, not as a storage format.

    • WDDX
    • XML
    • SGML
    • JSON
    Explanation:
    DynamoDB uses JSON only as a transport protocol, not as a storage format. The AWS SDKs use JSON to send data to DynamoDB, and DynamoDB responds with JSON, but DynamoDB does not store data persistently in JSON format.
  18. In DynamoDB, which of the following allows you to set alarms when you reach a specified threshold for a metric?

    • Alarm Signal
    • DynamoDB Analyzer
    • CloudWatch
    • DynamoDBALARM
    Explanation:
    CloudWatch allows you to set alarms when you reach a specified threshold for a metric.
  19. Is it possible to load data from Amazon DynamoDB into Amazon Redshift?

    • No, you cannot load all the data from a DynamoDB table to a Redshift table as it is limited by size constraints.
    • No
    • No, DynamoDB data types do not correspond directly with those of Amazon Redshift.
    • Yes
    Explanation:
    Yes. When you copy data from an Amazon DynamoDB table into Amazon Redshift, you can perform complex data analysis queries on that data. This includes joins with other tables in your Amazon Redshift cluster.
  20. In regard to DynamoDB, when you create a table with a hash-and-range key, ________.

    • You must define one or more Local secondary indexes on that table
    • You must define one or more Global secondary indexes on that table
    • You can optionally define one or more secondary indexes on that table
    • You must define one or more secondary indexes on that table
    Explanation:
    When you create a table with a hash-and-range key, you can optionally define one or more secondary indexes on that table. A secondary index lets you query the data in the table using an alternate key, in addition to queries against the primary key.