Question 1 of 50
1 point(s)
A fresh VPC with CIDR range 10.10.0.0/16 has been set up with a public and a private subnet. An Internet Gateway and a unique route table have been created, and a route has been added with the ‘Destination’ as ‘0.0.0.0/0’ and the ‘Target’ as the Internet Gateway (igw-id). A fresh Linux EC2 instance has been launched in the public subnet with the auto-assign public IP option enabled. However, the connection fails when trying to SSH into the machine. What could be the reason?
Question 2 of 50
1 point(s)
You are an AWS architect in your company. Your company wants to upload files to an AWS S3 bucket. In a VPC, you create a private subnet and a VPC endpoint for S3. You also create one route table that routes the traffic from the private subnet to a NAT gateway for internet access. In the AWS S3 server logs, you notice that the requests to the S3 bucket from an EC2 instance in the VPC do not go through the NAT Gateway. What could cause this situation?
Question 3 of 50
1 point(s)
Your company has an existing VPC with an AWS S3 VPC endpoint built and serving specific S3 buckets. You were requested to create a new S3 bucket and reuse the current VPC endpoint to route requests to the new S3 bucket. However, after building a new S3 bucket and sending requests from an EC2 instance via the VPC endpoint, you found the requests are failing with the “Access Denied” error. What may the problem be? (select two options)
Question 4 of 50
1 point(s)
A company has defined the following NACL rules and deployed them in a subnet of a VPC that is associated with a route table with an Internet Gateway.
Inbound Rules:

| Rule # | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | All Traffic | ALL | ALL | 0.0.0.0/0 | ALLOW |
| 200 | SSH (22) | TCP (6) | 22 | 0.0.0.0/0 | DENY |
| – | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |

Outbound Rules:

| Rule # | Type | Protocol | Port Range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | SSH (22) | TCP (6) | 22 | 0.0.0.0/0 | ALLOW |
| 200 | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
| – | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |

When a user tries to SSH from his corporate network into an EC2 instance launched in this public subnet, what would be the outcome?
Question 5 of 50
1 point(s)
Your company wants to download patches onto an existing EC2 instance inside a private subnet in an existing custom VPC. You created a NAT instance and a NAT Gateway. However, when you try to download patches from the internet onto the EC2 instance, the connection times out. What could be the reason? (Choose 2 options)
Question 6 of 50
1 point(s)
Your company is planning to develop a web application containing a Web Server and an RDS Instance. This application is accessed from the web. Your company requested you to architect the solution on AWS. Your existing AWS environment already has a VPC with a private subnet and a public subnet, and a route to the internet through an Internet Gateway. What would be the best and most cost-effective solution you would provide?
Question 7 of 50
1 point(s)
You are launching a fleet of EC2 Linux instances in the AWS environment to manage heavy workloads and write data into Amazon Redshift. The developers and administrators must log in to these EC2 machines to develop, fix, deploy, and manage workloads from within your organizational network ONLY. Which of the following would most securely allow only personnel within the company to access the resources?
Question 8 of 50
1 point(s)
You have a bastion host EC2 server in an Amazon VPC public subnet. You need to SSH to the bastion host EC2 instance. What would be the secure and minimal configuration you need for SSH requests to work? Assume the route table is already set up with an Internet Gateway.
Question 9 of 50
1 point(s)
You have the following Network ACL and Security Group rules. What would happen to an SSH request sent from the IP address 10.10.1.148 to an EC2 instance that has the security group below and resides inside a subnet with the NACL rules below?
Network ACL Inbound
Network ACL Outbound
Security Group Inbound
Security Group Outbound
Question 10 of 50
1 point(s)
Following are NACL rules for a subnet. You are doing some connectivity testing (HTTP/HTTPS/SSH) originating from a test server with IP 10.10.1.148. Considering both inbound and outbound rules, which of the following requests are allowed by the network ACL rules?
Inbound Rules
Outbound Rules
Question 11 of 50
1 point(s)
You have data residing on your company’s network that needs to be migrated. Your company’s network is connected to an AWS VPC through VPN. The VPC has an S3 VPC Gateway Endpoint created to access S3 through the AWS internal network. As an architect, you were requested to transfer the data to S3 in a secure way. What is the most feasible way to achieve this?
Question 12 of 50
1 point(s)
You have an existing VPC in us-east-1. You have built a VPC Endpoint for S3 and added it to the core route table. You have created an EC2 instance inside a subnet that is associated with the core route table. From the new EC2 instance, when requesting the S3 bucket within us-east-1, you noticed that the connection is failing. What may be the cause of this? (Choose two options)
Question 13 of 50
1 point(s)
Your company has requested that you be cost-efficient in designing AWS solutions. You have created three VPCs (VPC A, VPC B, VPC C), peered VPC A to VPC B, and VPC B to VPC C. You have created a NAT gateway in VPC B. You would like to use the same NAT Gateway for services within VPC A and VPC C. However, VPC A and VPC C services cannot communicate with the internet through the NAT Gateway, but resources in VPC B can. What could be the reason?
Question 14 of 50
1 point(s)
You have set up a peering relation between two VPCs with proper Security Group and Route Table configuration. You have created EC2 instances in both VPCs and are trying to connect through the peering relation. However, you found the request is timing out. From the following possibilities, what could be the reason for the timeout? (Select Two)
Question 15 of 50
1 point(s)
You built a new VPC with CIDR range 10.10.0.0/16 and a new subnet with CIDR range 10.10.1.0/24. CIDR with /24 comes with 256 IP addresses. When you go to VPC console subnets and look at the newly created subnet, you can only see 251 IP addresses. You have not launched any resources in the newly created VPC. What would have caused this?
Question 16 of 50
1 point(s)
You have built a new VPC and a private subnet. You will also be setting up a VPN connection with your company to communicate with resources within the VPC. Your company would need DNS names for some of the on-premise applications to share with VPC resources. You have created a new EC2 instance with Auto-assign public IP enabled. When the instance is ready to use, you found that the Public DNS name is missing. What steps should be taken to accommodate this?
Question 17 of 50
1 point(s)
You are taking over the AWS platform in your company. You were asked to build a new application that requires a fleet of 20 EC2 instances inside a private VPC. The instances should communicate with each other and receive requests from all other EC2 instances inside the VPC, with no traffic reaching them from the internet. When you looked at the existing VPC, it was created with the 10.10.0.0/24 CIDR range containing only 256 IP addresses. You noticed that eight subnets with /27 CIDR ranges were consuming all 256 IP addresses. How can you change the CIDR range of the VPC?
Question 18 of 50
1 point(s)
Your company has a VPC set up with a unique route table having 40 routes for different use cases such as “VPC peering,” “VPN connections,” and “NAT gateways,” with varying ranges of IP. The Main route table had a local route to the internet gateway to behave for the public subnet. Your VPC IP range is 10.10.0.0/16, and many teams are working on this VPC. They need to create different subnets for their respective applications, which need a custom route table associated with them. However, these teams often forget to explicitly associate the custom route table with the subnets. This leads to many troubleshooting hours when the connections to the new subnets from the VPN do not work as expected. As an architect, how would you fix this issue?
Question 19 of 50
1 point(s)
You are an architect in your company. One of the application teams in your company recently noticed that requests sent from an EC2 instance to an RDS instance in the same VPC, but in another subnet, are timing out. They claim that connections were working before. How do you troubleshoot this issue?
Question 20 of 50
1 point(s)
You have set up two VPCs: VPC A has the address of “10.10.0.0/16”. It also contains a subnet with address space “10.10.1.0/24”. VPC B has the address of “10.11.0.0/16”. It also has a subnet with address space “10.11.1.0/28”. You also have set up a VPC peering relation between the two VPCs. What should be the respective route table entries in VPC A and VPC B?
Question 21 of 50
1 point(s)
Following are Security Group inbound rules. What is the correct statement below?
Question 22 of 50
1 point(s)
Which of the following is correct for the routing table of the VPC created with the primary CIDR of 20.0.0.0/16?
Question 23 of 50
1 point(s)
Your company had set up a VPC with CIDR range 10.10.0.0/16. There are 100 subnets within the VPC and are being actively used by multiple application teams. An application team using 50 EC2 instances in subnet 10.10.55.0/24 complains there are intermittent outgoing network connection failures for around 30 random EC2 instances in a given day. How would you troubleshoot the issue with minimal configuration and minimal logs written?
Question 24 of 50
1 point(s)
You are working as a Cloud Architect in an Antivirus company. You created the quotation and did all the new infrastructure setup. You deployed the existing application from the local server to an On-demand EC2 instance. But there is an issue while connecting the application using HTTPS Protocol. After troubleshooting the problem, you added port 443 to the security group of the instance. How much time will it take to update changes to all of the resources in VPC?
Question 25 of 50
1 point(s)
You work for an IT firm as a Cloud Solutions provider, and the company has set up several VPN connections. They wish to use the AWS VPN CloudHub to enable secure connections between multiple sites. Which of the following statements most accurately describes what you must do to set this up properly? How do you link several sites to a virtual private cloud (VPC)?
Question 26 of 50
1 point(s)
As a Cloud Technical Advisor, you work at a college. Your college was storing all of its data locally, posing security and redundancy concerns. So you recommended that they install the app on AWS and utilize a NoSQL database for their database. The team requires your help in building new Security Groups while deploying the servers on AWS. Can you decide which of the following scenarios presented by the team is correct? (Select 2)
Question 27 of 50
1 point(s)
An IT firm hired you recently as Cloud Architect. Your Manager told you that the team is trying to host an Application on an EC2 Server with instance type as t2.micro. The team has created a security group named APP_SG and sent it for User Acceptance Testing, where the tester complained that they could not access the website. What could be the issue from the scenario?
Question 28 of 50
1 point(s)
You are hired as Cloud Consultant in a Cloud Solutions Firm. The US East Region has the following VPCs: The first VPC has a subnet with CIDR block 172.10.10.0/24 and a CIDR block 172.10.0.0/16. The second VPC with CIDR block 192.168.0.0/16, having a subnet with CIDR block 192.168.20.0/24. Your colleague is struggling to create a network link between two subnets, a subnet with CIDR block 172.10.10.0/24 and an additional subnet with CIDR block 192.168.20.0/24. Also, they do not need any related peering links. A single communication failure or a bandwidth constraint should not exist in the connection. Which of the following is the most straightforward remedy?
Question 29 of 50
1 point(s)
You are working as a Cloud Solutions Architect in a Series-B funding startup. The Senior Director requested you to deploy a data mining server for their financial data on a Reserved EC2 instance in any region using IPv6. As the data is related to the economy, the company’s CEO was worried about security. He suggested that the system be highly secured to avoid unauthorized access, and other security features must also be implemented. To follow the guidance given by your CEO, which of the following VPC features will you implement to achieve the given security?
Question 30 of 50
1 point(s)
You are working in a gaming company with four departments that make iOS, Android, Windows, and PlayStation games. For that, they just recently adopted a hybrid cloud architecture where their on-premise data center is connected to their Amazon VPC. Your VPC is created with a CIDR block of 10.0.0.0/24 (256 IPs). Your supervisor told you that they require such security in all four departments so that information from one department should not reach other departments. They do not want to have a new network that can be expensive and will build more overhead. As a Solutions Architect, how will you create your network to achieve this need?
The requirement proposed by the supervisor is impossible.
Create four subnets where first one subnet will utilize CIDR block 10.0.0.0/26 (for addresses 10.0.0.0 – 10.0.0.64), the second subnet will utilize CIDR block 10.0.0.65/26 (for addresses 10.0.0.65 – 10.0.0.128), third subnet will utilize CIDR block 10.0.0.129/26 (for addresses 10.0.0.129 – 10.0.0.192), the fourth one will utilize CIDR block 10.0.0.193/26 (for addresses 10.0.0.193 – 10.0.0.255)
Create four subnets where first one subnet will utilize CIDR block 10.0.0.0/32 (for addresses 10.0.0.0 – 10.0.0.63), the second subnet will utilize CIDR block 10.0.0.64/32 (for addresses 10.0.0.64 – 10.0.0.127), third subnet will utilize CIDR block 10.0.0.128/32 (for addresses 10.0.0.128 – 10.0.0.191), the fourth one will utilize CIDR block 10.0.0.192/32 (for addresses 10.0.0.192 – 10.0.0.255)
Create four subnets where first one subnet will utilize CIDR block 10.0.0.0/26 (for addresses 10.0.0.0 – 10.0.0.63), the second subnet will utilize CIDR block 10.0.0.64/26 (for addresses 10.0.0.64 – 10.0.0.127), third subnet will utilize CIDR block 10.0.0.128/26 (for addresses 10.0.0.128 – 10.0.0.191), the fourth one will utilize CIDR block 10.0.0.192/26 (for addresses 10.0.0.192 – 10.0.0.255).
Create four subnets where first one subnet will utilize CIDR block 10.0.0.0/28 (for addresses 10.0.0.0 – 10.0.0.63), the second subnet will utilize CIDR block 10.0.0.64/28 (for addresses 10.0.0.64 – 10.0.0.127), third subnet will utilize CIDR block 10.0.0.128/28 (for addresses 10.0.0.128 – 10.0.0.191), the fourth one will utilize CIDR block 10.0.0.192/28 (for addresses 10.0.0.192 – 10.0.0.255).
Question 31 of 50
1 point(s)
A 50-year-old Computer Solutions firm has a vast application that needs to be deployed to the AWS cloud from its existing server. The application is a media access control (MAC) address linked as per the application licensing terms. This application will be run in an on-need base EC2 instance with instance type r4.2xlarge. How can you ensure that the EC2 instance’s MAC address is not altered even if the instance is rebooted?
Question 32 of 50
1 point(s)
One of your colleagues, who is new to the firm where you work as a Cloud Architect, has some IP address issues. He has created an Amazon VPC with an IPv4 CIDR block 10.0.0.0/24, but now there is a requirement to host some more services in that VPC. As far as he knows, the option is to create a new VPC with a larger range. Could you suggest to him a better way that is reliable?
Question 33 of 50
1 point(s)
You are hired as a Cloud Troubleshooting Expert in a well-known IT company. The Cloud Team has used the AWS VPN endpoint with a virtual private network (VPN) in Amazon Virtual Private Cloud (Amazon VPC). They were experiencing problems related to network stability or connectivity, and sometimes even data loss. You must determine the underlying cause of the problem. In this scenario, what could be the issue? Choose 2 answers.
Question 34 of 50
1 point(s)
In us-west-2, you have an application that requires 6 EC2 instances to run at all times. The region has 3 Availability Zones, namely us-west-2a, us-west-2b, and us-west-2c. Which of the following deployments provide fault tolerance if ONE Availability Zone in us-west-2 becomes unavailable? (SELECT Two.)
There are three EC2 instances in us-west-2a, three EC2 instances in us-west-2b, and three EC2 instances in us-west-2c.
In us-west-2a, there are 6 EC2 instances, 6 EC2 instances in us-west-2b, and no EC2 instances in us-west-2c.
4 EC2 in us-west-2a, 2 EC2 in us-west-2b, and 2 EC2 in us-west-2c.
In us-west-2a, there are three EC2 instances, in us-west-2b, three EC2 instances, and in us-west-2c none.
2 EC2 in us-west-2a, 2 EC2 in us-west-2b, and 2 EC2 in us-west-2c.
Question 35 of 50
1 point(s)
Elastic Beanstalk should be used in which of the following cases, according to a Solutions Architect? (Choose two options.)
Question 36 of 50
1 point(s)
When you watch your application’s Auto Scaling events, you find that it is scaling up and down many times in the same hour. What changes do you propose to cut costs while preserving elasticity? (SELECT Two)
Question 37 of 50
1 point(s)
A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a default VPC private subnet with NACL settings that AWS created as default. The database must only be available to web servers in a public subnet, and the web servers must only be accessible to customers over HTTPS connections. Which solution would meet these requirements without impacting other applications? (SELECT Two)
Question 38 of 50
1 point(s)
An S3 bucket is used by an application to read and write items. The read/write traffic is estimated to be 5,000 requests per second for data addition and 7,000 requests per second for data retrieval when the app is ultimately deployed.
Question 39 of 50
1 point(s)
Data from a retailer’s transactional databases are exported daily to an S3 bucket in the Sydney region. The Data Warehousing team at the store wishes to integrate the data onto an existing Amazon Redshift cluster in their Sydney VPC. Data can only be transmitted within AWS’s private network, according to corporate security policy. Which actions would meet the security policy’s requirements?
Question 40 of 50
1 point(s)
Currently, a Redshift cluster holds 60TB of data. There is a necessity to set up a disaster recovery facility in another area. Which solution would be most helpful in ensuring that this criterion is met?
Question 41 of 50
1 point(s)
A Redshift cluster is being used to hold a company’s data warehouse. The Internal IT Security team has mandated that data in the Redshift database be encrypted. What is the best way to do that? (Select Two)
Question 42 of 50
1 point(s)
In two weeks, an advertising campaign for an application hosted on EC2 Instances will begin. Based on previous data, the performance team does some analysis and tells you the number of instances necessary for the campaign. You must ensure that the Auto Scaling group is set up appropriately with the number of instances specified. How should this requirement be fulfilled?
Question 43 of 50
1 point(s)
A company has an application hosted in AWS. This application consists of EC2 Instances that sit behind an ELB. From an administrative point of view, the requirements are the following:
a) Ensure that alerts are delivered when the number of read requests per minute exceeds 1000.
b) Make sure that alerts are issued when the delay exceeds 10 seconds.
c) Keep track of all AWS API requests made on AWS resources.
Which of the following options may be utilized to meet these criteria? (Select Two)
Question 44 of 50
1 point(s)
The Amazon RDS service is being used to host a database. This database is utilized in the manufacturing process and must be highly available. Which of the following methods could be used to meet this need?
Question 45 of 50
1 point(s)
To do behavioral analysis, you must examine a customer’s clickstream data on a website. Your customer needs to know what pages and advertising users clicked on, and in what order. This information will be utilized in real time to change page layouts as customers navigate the site, increasing stickiness and ad click-through rates. Which option would best fulfill the needs for gathering and evaluating this information?
Question 46 of 50
1 point(s)
A company’s infrastructure is made up of devices that send log data every five minutes. Thousands of these devices might be present. It is necessary to guarantee that each log item’s analysis is finished within 24 hours. What could be able to assist in meeting this requirement?
Question 47 of 50
1 point(s)
For batch processing, a firm intends to employ Docker containers and the associated container orchestration technologies. Batch processing is required for both critical and non-critical data sets. Which of the following is the most efficient implementation phase for this need in terms of cost management?
Question 48 of 50
1 point(s)
Currently, your firm has a set of non-production EC2 Instances hosted in AWS. To save money, you want to terminate an EC2 instance when its average CPU use is below 10% over 24 hours, which means it is idle and no longer used. How would this requirement best be met?
Question 49 of 50
1 point(s)
A web application on AWS is planned. You are building an EC2 instance in a subnet that connects to an EC2 instance hosting an Oracle database. How would a secure setup be ensured? (Select Two)
Question 50 of 50
1 point(s)
An EC2 Instance hosts a Java-based application that accesses a DynamoDB table. This EC2 Instance is currently serving production users. What is a secure method for the EC2 Instance to access the DynamoDB table?