A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS, which includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for the expected workload tor the new fiscal year benefit enrollment period plus some extra overhead Enrollment proceeds nicely for two days and then the web tier becomes unresponsive, upon investigation using CloudWatch and other monitoring tools it is discovered that there is an extremely large and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the benefits company has no customers. The web tier instances are so overloaded that benefit enrollment administrators cannot even SSH into them. Which activity would be useful in defending against this attack?

D. Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses

A. Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (internet Gateway)

B.Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Main Route Table with the new EIP

C. Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Main Route Table with the new EIP

Which of the following statements describes network ACLs? (Choose 2 answers)

B.Using network ACLs, you can deny access from a specific IP range

C.Keep network ACL rules simple and use a security group to restrict application level access

A. Responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa (are stateless)

D. NACLs are associated with a single Availability Zone (associated with Subnet)

You are designing security inside your VPC. You are considering the options for establishing separate security zones and enforcing network traffic rules across different zone to limit Instances can communications. How would you accomplish these requirements? Choose 2 answers

B.Configure you instances to use pre-set IP addresses with an IP address range every security zone. Configure NACL to explicitly allow or deny communication between the different IP address ranges, as required for interzone communication

C. Configure a security group for every zone. Configure allow rules only between zone that need to be able to communicate with one another. Use implicit deny all rule to block any other traffic

A.Configure a security group for every zone. Configure a default allow all rule. Configure explicit deny rules for the zones that shouldn’t be able to communicate with one another (Security group does not allow deny rules)

D. Configure multiple subnets in your VPC, one for each zone. Configure routing within your VPC in such a way that each subnet only has routes to other subnets with which it needs to communicate, and doesn’t have routes to subnets with which it shouldn’t be able to communicate. (default routes are unmodifiable)

Your entire AWS infrastructure lives inside of one Amazon VPC. You have an Infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application. Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else” If so how?

C. Yes, The security group for the monitoring instance needs to allow outbound ICMP and the application instance’s security group needs to allow Inbound ICMP (is stateful, so just allow outbound ICMP from monitoring and inbound ICMP on monitored instance)

A.No Two instances in two different AZ’s can’t talk directly to each other via ICMP ping as that protocol is not allowed across subnet (i.e. broadcast) boundaries (Can communicate

B.Yes Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP (Need not have to be part of same security group)

D.Yes, Both the monitoring instance’s security group and the application instance’s security group need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection-oriented protocol (Security groups are stateful)

A user has configured a VPC with a new subnet. The user has created a security group. The user wants to configure that instances of the same subnet communicate with each other. How can the user configure this with the security group?

C. Configure the security group itself as the source and allow traffic on all the protocols and ports

A. There is no need for a security group modification as all the instances can communicate with each other inside the same subnet

B. Configure the subnet as the source in the security group and allow traffic on all the protocols and ports

D. The user has to use VPC peering to configure this

You are designing a data leak prevention solution for your VPC environment. You want your VPC Instances to be able to access software depots and distributions on the Internet for product updates. The depots and distributions are accessible via third party CDNs by their URLs. You want to explicitly deny any other outbound connections from your VPC instances to hosts on the Internet. Which of the following options would you consider?

A. Configure a web proxy server in your VPC and enforce URL-based rules for outbound access Remove default routes. (Security group and NACL cannot have URLs in the rules nor does the route)

B.Implement security groups and configure outbound rules to only permit traffic to software depots

C.Move all your instances into private VPC subnets remove default routes from all routing tables and add specific routes to the software depots and distributions only.

D. Implement network access control lists to all specific destinations, with an Implicit deny as a rule.

You have an EC2 Security Group with several running EC2 instances. You change the Security Group rules to allow inbound traffic on a new port and protocol, and launch several new instances in the same Security Group. The new rules apply:

A. Immediately to all instances in the security group.

B. Immediately to the new instances only.

C. Immediately to the new instances, but old instances must be stopped and restarted before the new rules apply.

D.To all instances, but it may take several minutes for old instances to see the changes.

You have in total 5 offices, and the entire employee related information is stored under AWS VPC instances. Now all the offices want to connect the instances in VPC using VPN. Which of the below help you to implement this?

A.you can have redundant customer gateways between your data center and your VPC

B.you can have multiple locations connected to the AWS VPN CloudHub

C. You have to define 5 different static IP addresses in route table.

You have in total 15 offices, and the entire employee related information is stored under AWS VPC instances. Now all the offices want to connect the instances in VPC using VPN. What problem do you see in this scenario?

A. You can not create more than 1 VPN connections with single VPC (Can be created)

B.You can not create more than 10 VPN connections with single VPC (soft limit can be extended)

C.You can not create more than 10 VPN connections with single VPC (soft limit can be extended)

D.Statically assigned routes cannot be configured in case of more than 1 VPN with virtual private gateway. (can be configured)

You have been asked to virtually extend two existing data centers into AWS to support a highly available application that depends on existing, on-premises resources located in multiple data centers and static content that is served from an Amazon Simple Storage Service (S3) bucket. Your design currently includes a dual-tunnel VPN connection between your CGW and VGW. Which component of your architecture represents a potential single point of failure that you should consider changing to make the solution more highly available?

B.Add another CGW in a different data center and create another dual-tunnel VPN connection.

A. Add another VGW in a different Availability Zone and create another dual-tunnel VPN connection.

C. Add a second VGW in a different Availability Zone, and a CGW in a different data center, and create another dual-tunnel.

D.No changes are necessary: the network architecture is currently highly available

You are designing network connectivity for your fat client application. The application is designed for business travelers who must be able to connect to it from their hotel rooms, cafes, public Wi-Fi hotspots, and elsewhere on the Internet. You do not want to publish the application on the Internet. Which network design meets the above requirements while minimizing deployment and operational costs? [PROFESSIONAL]

D.Configure an SSL VPN solution in a public subnet of your VPC, then install and configure SSL VPN client software on all user computers. Create a private subnet in your VPC and place your application servers in it. (Cost effective and can be in private subnet as well)

A.Implement AWS Direct Connect, and create a private interface to your VPC. Create a public subnet and place your application servers in it. (High Cost and does not minimize deployment)

B. Implement Elastic Load Balancing with an SSL listener that terminates the back-end connection to the application. (Needs to be published to internet)

C. Configure an IPsec VPN connection, and provide the users with the configuration details. Create a public subnet in your VPC, and place your application servers in it. (Instances still in public subnet are internet accessible)

You are designing a connectivity solution between on-premises infrastructure and Amazon VPC Your server’s on-premises will De communicating with your VPC instances You will De establishing IPSec tunnels over the internet You will be using VPN gateways and terminating the IPsec tunnels on AWS-supported customer gateways. Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above? (Choose 4 answers) [PROFESSIONAL]

C. Data encryption across the Internet

D. Protection of data in transit over the Internet

F. Peer identity authentication between VPN gateway and customer gateway

B. Data integrity protection across the Internet

A. End-to-end protection of data in transit

A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?

D. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.

A. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.

B.Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere

C. Deploy a Windows Bastion host with an Elastic IP address in the private subnet, and restrict RDP access to the bastion from only the corporate public IP addresses.

You are designing a system that has a Bastion host. This component needs to be highly available without human intervention. Which of the following approaches would you select?

C.Configure the bastion instance in an Auto Scaling group Specify the Auto Scaling group to include multiple AZs but have a min-size of 1 and max-size of 1

A.Run the bastion on two instances one in each AZ

B. Run the bastion on an active Instance in one AZ and have an AMI ready to boot up in the event of failure

D. Configure an ELB in front of the bastion instance

You’ve been brought in as solutions architect to assist an enterprise customer with their migration of an ecommerce platform to Amazon Virtual Private Cloud (VPC) The previous architect has already deployed a 3- tier VPC. The configuration is as follows: VPC vpc-2f8t>C447 IGW ig-2d8bc445 NACL acl-2080c448 Subnets and Route Tables: Web server’s subnet-258bc44d Application server’s subnet-248DC44c Database server’s subnet-9189c6f9 Route Tables: rtb-2i8bc449 rtb-238bc44b Associations: Subnet-258bc44d: rtb-2i8bc449 Subnet-248DC44c: rtb-238bc44b Subnet-9189c6f9: rtb-238bc44b You are now ready to begin deploying EC2 instances into the VPC. Web servers must have direct access to the internet Application and database servers cannot have direct access to the internet. Which configuration below will allow you the ability to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet?

D.Create a Bastion and NAT instance in subnet-258bc44d and add a route from rtb-238bc44b to the NAT instance. (Bastion and NAT should be in the public subnet. As Web Server has direct access to Internet, the subnet subnet-258bc44d should be public and Route rtb-2i8bc449 pointing to IGW. Route rtb-238bc44b for private subnets should point to NAT for outgoing internet access)

A.Create a bastion and NAT Instance in subnet-258bc44d and add a route from rtb-238bc44b to subnet-258bc44d. (Route should point to the NAT)

B. Add a route from rtb-238bc44b to igw-2d8bc445 and add a bastion and NAT instance within Subnet-248DC44c. (Adding IGW to routertb-238bc44b would expose the Application and Database server to internet. Bastion and NAT should be in public subnet)

C. Create a Bastion and NAT Instance in subnet-258bc44d. Add a route from rtb-238bc44b to igw-2d8bc445. And a new NACL that allows access between subnet-258bc44d and subnet-248bc44c. (Route should point to NAT and not Internet Gateway else it would be internet accessible.)

You are tasked with setting up a Linux bastion host for access to Amazon EC2 instances running in your VPC. Only clients connecting from the corporate external public IP address 72.34.51.100 should have SSH access to the host. Which option will meet the customer requirement?

A. Security Group Inbound Rule: Protocol – TCP. Port Range – 22, Source 72.34.51.100/32

B. Security Group Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32

C. Network ACL Inbound Rule: Protocol – UDP, Port Range – 22, Source 72.34.51.100/32

D. Network ACL Inbound Rule: Protocol – TCP, Port Range-22, Source 72.34.51.100/0

You are building a solution for a customer to extend their on-premises data center to AWS. The customer requires a 50-Mbps dedicated and private connection to their VPC. Which AWS product or feature satisfies this requirement?

D. Amazon VPC virtual private gateway

Is there any way to own a direct connection to Amazon Web Services?

D.Yes, it’s called Direct Connect

A. You can create an encrypted tunnel to VPC, but you don’t own the connection.

B.Yes, it’s called Amazon Dedicated Connection.

C.No, AWS only allows access from the public Internet

An organization has established an Internet-based VPN connection between their on-premises data center and AWS. They are considering migrating from VPN to AWS Direct Connect. Which operational concern should drive an organization to consider switching from an Internet-based VPN connection to AWS Direct Connect?

C. AWS Direct Connect provides greater bandwidth than an Internet-based VPN connection.

A.AWS Direct Connect provides greater redundancy than an Internet-based VPN connection.

B.AWS Direct Connect provides greater resiliency than an Internet-based VPN connection.

D. AWS Direct Connect provides greater control of network provider selection than an Internet-based VPN connection.

Does AWS Direct Connect allow you access to all Availabilities Zones within a Region?

A. Depends on the type of connection

D.Only when there’s just one availability zone in a region. If there are more than one, only one availability zone can be accessed directly.

A customer has established an AWS Direct Connect connection to AWS. The link is up and routes are being advertised from the customer’s end, however the customer is unable to connect from EC2 instances inside its VPC to servers residing in its datacenter. Which of the following options provide a viable solution to remedy this situation? (Choose 2 answers)

B.Enable route propagation to the Virtual Private Gateway (VGW)

E.Modify the Instances VPC subnet route table by adding a route back to the customer’s on-premises environment

A. Add a route to the route table with an IPSec VPN connection as the target (deals with VPN)

C.Enable route propagation to the customer gateway (CGW) (route propagation is enabled on VGW)

D. Modify the route table of all Instances using the ‘route’ command. (no route command available)

A company has configured and peered two VPCs: VPC-1 and VPC-2. VPC-1 contains only private subnets, and VPC-2 contains only public subnets. The company uses a single AWS Direct Connect connection and private virtual interface to connect their on-premises network with VPC-1. Which two methods increase the fault tolerance of the connection to VPC-1? Choose 2 answers

B. Establish a hardware VPN over the internet between VPC-1 and the on-premises network

E. Establish a new AWS Direct Connect connection and private virtual interface in the same AWS region as VPC-1

A. Establish a hardware VPN over the internet between VPC-2 and the on-premises network. (Peered VPC does not support Edge to Edge Routing)

C. Establish a new AWS Direct Connect connection and private virtual interface in the same region as VPC-2 (Peered VPC does not support Edge to Edge Routing)

D. Establish a new AWS Direct Connect connection and private virtual interface in a different AWS region than VPC-1 (need to be in the same region as VPC-1)

Your company previously configured a heavily used, dynamically routed VPN connection between your on premises data center and AWS. You recently provisioned a Direct Connect connection and would like to start using the new connection. After configuring Direct Connect settings in the AWS Console, which of the following options will provide the most seamless transition for your users?

C. Update your VPC route tables to point to the Direct Connect connection configure your Direct Connect router with the appropriate settings verify network traffic is leveraging Direct Connect and then delete the VPN connection.

A.Delete your existing VPN connection to avoid routing loops configure your Direct Connect router with the appropriate settings and verity network traffic is leveraging Direct Connect

B.Configure your Direct Connect router with a higher BGP priority than your VPN router, verify network traffic is leveraging Direct Connect and then delete your existing VPN connection

D. Configure your Direct Connect router, update your VPC route tables to point to the Direct Connect connection, configure your VPN connection with a higher BGP priority. And verify network traffic is leveraging the Direct Connect connection

You are designing the network infrastructure for an application server in Amazon VPC. Users will access all the application instances from the Internet as well as from an on-premises network The on-premises network is connected to your VPC over an AWS Direct Connect link. How would you design routing to meet the above requirements?

B. Configure a single routing table with a default route via the internet gateway. Propagate specific routes for the on-premises networks via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC subnets.

A.Configure a single routing Table with a default route via the Internet gateway. Propagate a default route via BGP on the AWS Direct Connect customer router. Associate the routing table with all VPC

C. Configure a single routing table with two default routes: one to the internet via an Internet gateway the other to the on-premises network via the VPN gateway use this routing table across all subnets in your VPC. (there cannot be 2 default routes)

D. Configure two routing tables one that has a default route via the Internet gateway and another that has a default route via the VPN gateway Associate both routing tables with each VPC subnet. (as the instances has to be in public subnet and should have a single routing table associated with them)

AWS VPC

Other

1st Grade

Used 167+ times

AI Actions

Add similar questions

Adjust reading levels

Convert to real-world scenario

Translate activity

More...

Content View

Student View

31 questions

Show all answers

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

A company has an AWS account that contains three VPCs (Dev, Test, and Prod) in the same region. Test is peered to both Prod and Dev. All VPCs have non-overlapping CIDR blocks. The company wants to push minor code releases from Dev to Prod to speed up time to market. Which of the following options helps the company accomplish this?

A. Create a new peering connection Between Prod and Dev along with appropriate routes.

B. Create a new entry to Prod in the Dev route table using the peering connection as the target.

C. Attach a second gateway to Dev. Add a new entry in the Prod route table identifying the gateway as the target.

D. The VPCs have non-overlapping CIDR blocks in the same account. The route tables contain local routes for all VPCs.

MULTIPLE SELECT QUESTION

30 sec • 1 pt

Instance A and instance B are running in two different subnets A and B of a VPC. Instance A is not able to ping instance B. What are two possible reasons for this? (Pick 2 correct answers)

A. The routing table of subnet A has no target route to subnet B

B. The security group attached to instance B does not allow inbound ICMP traffic

C. The policy linked to the IAM role on instance A is not configured correctly

D.The NACL on subnet B does not allow outbound ICMP traffic

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

An instance is launched into a VPC subnet with the network ACL configured to allow all inbound traffic and deny all outbound traffic. The instance’s security group is configured to allow SSH from any IP address and deny all outbound traffic. What changes need to be made to allow SSH access to the instance?

A.The outbound security group needs to be modified to allow outbound traffic

B.The outbound network ACL needs to be modified to allow outbound traffic

C. Nothing, it can be accessed from any IP address using SSH

D. Both the outbound security group and outbound network ACL need to be modified to allow outbound traffic.

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

1. From what services I can block incoming/outgoing IPs?

A. Security Groups

B. DNS

C.ELB

D. VPC subnet

E. NACL

MULTIPLE SELECT QUESTION

30 sec • 1 pt

What is the difference between a security group in VPC and a network ACL in VPC (chose 3 correct answers)

A. Security group restricts access to a Subnet while ACL restricts traffic to EC2

B.Security group restricts access to EC2 while ACL restricts traffic to a subnet

C. Security group can work outside the VPC also while ACL only works within a VPC

D. Network ACL performs stateless filtering and Security group provides stateful filtering

E. Security group can only set Allow rule, while ACL can set Deny rule also

MULTIPLE CHOICE QUESTION

30 sec • 1 pt

You are currently hosting multiple applications in a VPC and have logged numerous port scans coming in from a specific IP address block. Your security team has requested that all access from the offending IP address block be denied for the next 24 hours. Which of the following is the best method to quickly and temporarily deny access from the specified IP address block?

A. Create an AD policy to modify Windows Firewall settings on all hosts in the VPC to deny access from the IP address block

B. Modify the Network ACLs associated with all public subnets in the VPC to deny access from the IP address block

C. Add a rule to all of the VPC 5 Security Groups to deny access from the IP address block

D. Modify the Windows Firewall settings on all Amazon Machine Images (AMIs) that your organization uses in that VPC to deny access from the IP address block

MULTIPLE SELECT QUESTION

30 sec • 1 pt

You have two Elastic Compute Cloud (EC2) instances inside a Virtual Private Cloud (VPC) in the same Availability Zone (AZ) but in different subnets. One instance is running a database and the other instance an application that will interface with the database. You want to confirm that they can talk to each other for your application to work properly. Which two things do we need to confirm in the VPC settings so that these EC2 instances can communicate inside the VPC? Choose 2 answers

A. A network ACL that allows communication between the two subnets.

B.Both instances are the same instance class and using the same Key-pair

C.That the default route is set to a NAT instance or Internet Gateway (IGW) for them to communicate

D.Security groups are set to allow the application host to talk to the database on the right port/protocol

Access all questions and much more by creating a free account

Create resources

Host any resource

Get auto-graded reports

Continue with Google

Continue with Email

Continue with Classlink

Continue with Clever

or continue with

Microsoft

Apple

Others

Already have an account?

Similar Resources on Wayground

33 questions

IDBI-B11-BOB-LU2

Quiz

•

1st Grade

26 questions

IGCSE Mandarin Chinese (0547) - Vocabulary

Quiz

•

1st - 3rd Grade

28 questions

Occ69 Setting out

Quiz

•

KG - University

32 questions

Ôn tập Công nghệ GKI

Quiz

•

1st Grade

34 questions

Kitchen Tools & Utensils

Quiz

•

KG - University

31 questions

Cartoon Characters

Quiz

•

1st - 12th Grade

29 questions

Nintendo swich games

Quiz

•

1st Grade - University

31 questions

Chinese Spelling Bee Group A

Quiz

•

KG - 5th Grade

Popular Resources on Wayground

15 questions

Fractions on a Number Line

Quiz

•

3rd Grade

20 questions

Equivalent Fractions

Quiz

•

3rd Grade

25 questions

Multiplication Facts

Quiz

•

5th Grade

$fractions$

22 questions

fractions

Quiz

•

3rd Grade

20 questions

Main Idea and Details

Quiz

•

5th Grade

20 questions

Context Clues

Quiz

•

6th Grade

15 questions

Equivalent Fractions

Quiz

•

4th Grade

20 questions

Figurative Language Review

Quiz

•

6th Grade

Discover more resources for Other

20 questions

Telling Time to the Hour and Half hour

Quiz

•

1st Grade

10 questions

Exploring Rosa Parks and Black History Month

Interactive video

•

1st - 5th Grade

20 questions

Place Value

Quiz

•

KG - 3rd Grade

13 questions

Fractions

Quiz

•

1st - 2nd Grade

20 questions

CVC Words

Quiz

•

KG - 1st Grade

15 questions

Place Value tens and ones

Quiz

•

1st Grade

16 questions

Money - Coins

Lesson

•

1st - 2nd Grade

20 questions

Halves and Fourths

Quiz

•

1st Grade