AWS/Virtual Private Cloud ( VPC ) – Review Questions

Background

Finally, returning to my AWS Study.

I was really stuck on the Networking, specifically the Virtual Private Cloud (VPC) area.

Admittedly, my shallowness included :-

  1. Not enough Networking Background
    • Too many new words
  2. Lab
    • I knew I would not have the strength nor the time to confirm intuition in a lab setting
    • And so I would either take a quick guess or pass on the question

Review Questions

  1. What is the minimum size subnet that you can have in an Amazon VPC?
    • A. /24
    • B. /26
    • C. /28
    • D. /30
  2. You are a solutions architect working for a large travel company that is migrating its existing server estate to AWS. You have recommended that they use a custom Amazon VPC, and they have agreed to proceed. They will need a public subnet for their web servers and a private subnet in which to place their databases. They also require that the web servers and database servers be highly available and that there be a minimum of two web servers and two database servers each. How many subnets should you have to maintain high availability?
    • A. 2
    • B. 3
    • C. 4
    • D. 1
  3. Which of the following is an optional security control that can be applied at the subnet layer of a VPC?
    • A. Network ACL
    • B. Security Group
    • C. Firewall
    • D. Web application firewall
  4. What is the maximum size IP address range that you can have in an Amazon VPC?
    • A. /16
    • B. /24
    • C. /28
    • D. /30
  5. You create a new subnet and then add a route to your route table that routes traffic out from that subnet to the Internet using an IGW. What type of subnet have you created?
    • A. An internal subnet
    • B. A private subnet
    • C. An external subnet
    • D. A public subnet
  6. What happens when you create a new Amazon VPC?
    • A. A main route table is created by default.
    • B. Three subnets are created by default—one for each Availability Zone.
    • C. Three subnets are created by default in one Availability Zone.
    • D. An IGW is created by default.
  7. You create a new VPC in US-East-1 and provision three subnets inside this Amazon VPC. Which of the following statements is true?
    • A. By default, these subnets will not be able to communicate with each other; you will need to create routes.
    • B. All subnets are public by default.
    • C. All subnets will be able to communicate with each other by default.
    • D. Each subnet will have identical CIDR blocks.
  8. How many IGWs can you attach to an Amazon VPC at any one time?
    • A. 1
    • B. 2
    • C. 3
    • D. 4
  9. What aspect of an Amazon VPC is stateful?
    • A. Network ACLs
    • B. Security groups
    • C. Amazon DynamoDB
    • D. Amazon S3
  10. You have created a custom Amazon VPC with both private and public subnets. You have created a NAT instance and deployed this instance to a public subnet. You have attached an EIP address and added your NAT to the route table. Unfortunately, instances in your private subnet still cannot access the Internet. What may be the cause of this?
    • A. Your NAT is in a public subnet, but it needs to be in a private subnet.
    • B. Your NAT should be behind an Elastic Load Balancer.
    • C. You should disable source/destination checks on the NAT.
    • D. Your NAT has been deployed on a Windows instance, but your other instances are Linux. You should redeploy the NAT onto a Linux instance.
  11. Which of the following will occur when an Amazon Elastic Block Store (Amazon EBS)-backed Amazon EC2 instance in an Amazon VPC with an associated EIP is stopped and started? (Choose 2 answers)
    • A. The EIP will be disassociated from the instance.
    • B. All data on instance-store devices will be lost.
    • C. All data on Amazon EBS devices will be lost.
    • D. The ENI is detached.
    • E. The underlying host for the instance is changed.
  12. How many VPC Peering connections are required for four VPCs located within the same AWS region to be able to send traffic to each of the others?
    • A. 3
    • B. 4
    • C. 5
    • D. 6
  13. Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS?
    • A. A VPC peering connection
    • B. A DHCP option set
    • C. A routing rule
    • D. An IGW
  14. Which of the following is the Amazon side of an Amazon VPN connection?
    • A. An EIP
    • B. A CGW
    • C. An IGW
    • D. A VPG
  15. What is the default limit for the number of Amazon VPCs that a customer may have in a region?
    • A. 5
    • B. 6
    • C. 7
    • D. There is no default maximum number of VPCs within a region
  16. You are responsible for your company’s AWS resources, and you notice a significant amount of traffic from an IP address in a foreign country in which your company does not have customers. Further investigation of the traffic indicates the source of the traffic is scanning for open ports on your EC2-VPC instances. Which one of the following resources can deny the traffic from reaching the instances?
    • A. Security group
    • B. Network ACL
    • C. NAT instance
    • D. An Amazon VPC endpoint
  17. Which of the following is the security protocol supported by Amazon VPC?
    • A. SSH
    • B. Advanced Encryption Standard (AES)
    • C. Point-to-Point Tunneling Protocol (PPTP)
    • D. IPsec
  18. Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3?
    • A. Amazon S3 gateway
    • B. IGW
    • C. CGW
    • D. VPC endpoint
  19. What properties of an Amazon VPC must be specified at the time of creation? (Choose 2 answers)
    • A. The CIDR block representing the IP address range
    • B. One or more subnets for the Amazon VPC
    • C. The region for the Amazon VPC
    • D. Amazon VPC Peering relationships
  20. Which Amazon VPC feature allows you to create a dual-homed instance?
    • A. EIP address
    • B. ENI
    • C. Security groups
    • D. CGW

Additional Study Material

Web application firewall

  1. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.
  2. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules.
  3. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application.
  4. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns.
  5. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
  6. With AWS WAF you pay only for what you use.
    • AWS WAF pricing is based on how many rules you deploy and how many web requests your web application receives.
    • There are no upfront commitments.
  7. You can deploy AWS WAF on
    • Amazon CloudFront, as part of your CDN solution
    • An Application Load Balancer (ALB) that fronts your web servers or origin servers running on EC2
    • Amazon API Gateway, for your APIs

VPC Size

Q. How large of a VPC can I create?

  1. IPv4
    • Currently, Amazon VPC supports five (5) IPv4 address ranges per VPC
      • One (1) primary
      • and four (4) secondary
    • Each of these ranges can be between /28 and /16 (in CIDR notation) in size.
    • The IP address ranges of your VPC should not overlap with the IP address ranges of your existing network.
  2. IPv6
    • For IPv6, the VPC is a fixed size of /56 (in CIDR notation).
      • A VPC can have both IPv4 and IPv6 CIDR blocks associated to it.
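Added example, not from the original post or from any AWS tool: a checker for a proposed VPC IPv4 CIDR that applies the limits quoted above (no larger than /16, no smaller than /28, at most five IPv4 blocks per VPC, no overlap with the existing network), which also answers review questions 1 and 4. The "existing network" and VPC ranges passed in are constructed input; the reserved-address count per subnet (first four and last address) is AWS behaviour, not something the post states.

```python
"""Check a proposed Amazon VPC IPv4 CIDR against the limits quoted in the post.

Added example, not from the original post or from AWS tooling.  The limits are
the ones the post quotes (/16 largest, /28 smallest, five IPv4 CIDRs per VPC);
the "existing network" and VPC ranges passed in by callers are constructed.
"""
import ipaddress

LARGEST_PREFIX = 16        # a VPC or subnet block may not be bigger than /16
SMALLEST_PREFIX = 28       # nor smaller than /28 (16 addresses)
MAX_IPV4_CIDRS = 5         # one primary plus four secondary blocks per VPC
RESERVED_PER_SUBNET = 5    # AWS keeps the first four and the last address of every subnet


def check_vpc_cidr(candidate, existing_network=(), vpc_cidrs=()):
    """Return the problems with `candidate`; an empty list means it can be used.

    existing_network: CIDRs already used on-premises or in peered VPCs (must not overlap).
    vpc_cidrs: CIDRs already associated with this VPC, when adding a secondary block.
    """
    problems = []
    try:
        # strict=True: AWS wants the network address (10.0.0.0/16), not a host address
        net = ipaddress.IPv4Network(candidate, strict=True)
    except ValueError as exc:
        return [f"{candidate!r} is not a valid IPv4 CIDR block: {exc}"]
    if net.prefixlen < LARGEST_PREFIX:
        problems.append(f"{net} is larger than /{LARGEST_PREFIX}")
    if net.prefixlen > SMALLEST_PREFIX:
        problems.append(f"{net} is smaller than /{SMALLEST_PREFIX}")
    if len(vpc_cidrs) >= MAX_IPV4_CIDRS:
        problems.append(f"VPC already has {len(vpc_cidrs)} IPv4 CIDR blocks (limit {MAX_IPV4_CIDRS})")
    for other in (*existing_network, *vpc_cidrs):
        other_net = ipaddress.IPv4Network(other, strict=False)
        if net.overlaps(other_net):
            problems.append(f"{net} overlaps {other_net}")
    return problems


def usable_addresses(subnet_cidr):
    """Addresses left for instances after AWS's five reserved addresses in a subnet."""
    return ipaddress.IPv4Network(subnet_cidr, strict=True).num_addresses - RESERVED_PER_SUBNET


if __name__ == "__main__":
    # Constructed inputs: a /16 for the VPC, an on-premises 10.0.0.0/8 it must not collide with.
    print(check_vpc_cidr("10.0.0.0/16"))
    print(check_vpc_cidr("10.1.0.0/16", existing_network=["10.0.0.0/8"]))
    print(usable_addresses("10.0.0.0/28"))
```

A /28 subnet, the smallest allowed, leaves only 11 addresses for instances once the reserved ones are taken out, which is why two-AZ highly available designs (review question 2) are usually laid out with larger subnets.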

Malik Drief :- When you create new subnets within a custom VPC, by default they can communicate with each other, across availability zones?

 

Question

Can someone elaborate more on the question below? I was thinking that we have to configure VPC peering between them.

When you create new subnets within a custom VPC, by default they can communicate with each other, across availability zones.

Answer

Mike G Chambers

  1. You set up VPC peering to configure communication between two different VPCs.
  2. In this question we are talking about communication between two subnets inside of the same VPC.
  3. By default when you create a subnet, it’s associated with the default route table for that VPC, and as such each subnet can route to each other.
  4. The fact that in this case the subnets are in different Availability Zone is irrelevant.
  5. Hope that helped.

Siba Senapati

  1. As per the VPC lab, we need to add ICMP to allow SSH from the public subnet to the private subnet.
  2. Not sure if there are other ways to communicate from one subnet to another subnet.

Axiom IO

ICMP is not for SSH, rather for pinging your instance in the private VPC from the public instance (bastion). What Mike said makes sense to me.
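Added example, not part of the thread above and not AWS code: a model of the route-table lookup Mike describes. The VPC CIDR, subnet ranges, Availability Zones and gateway ids are constructed. It shows why two subnets in different Availability Zones reach each other with no peering (the local route every route table carries) and what separates a public subnet from a private one (review question 5: a route to an Internet gateway).

```python
"""Model of how a VPC route table decides where traffic from a subnet goes.

Added example, not from the thread above and not AWS code.  The VPC CIDR,
subnet ranges, Availability Zones and gateway ids are constructed.  Real route
tables may also carry propagated routes, but the rule is the same: the most
specific matching route wins, and every table has a fixed local route for the
VPC CIDR.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Every route table in a VPC carries this local route; it cannot be removed.
MAIN_ROUTE_TABLE = [(VPC_CIDR, "local")]
# Custom table that also sends everything else to an Internet gateway (constructed id).
PUBLIC_ROUTE_TABLE = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-0a1b2c3d")]
# Custom table that sends everything else to a NAT gateway in the public subnet (constructed id).
PRIVATE_ROUTE_TABLE = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-0a1b2c3d")]

# Constructed subnets spread over two Availability Zones; all lie inside VPC_CIDR.
SUBNETS = {
    "public-1a":  ("10.0.1.0/24", "us-east-1a", PUBLIC_ROUTE_TABLE),
    "private-1a": ("10.0.2.0/24", "us-east-1a", PRIVATE_ROUTE_TABLE),
    # Never explicitly associated with a table, so it uses the main route table.
    "private-1b": ("10.0.3.0/24", "us-east-1b", MAIN_ROUTE_TABLE),
}


def lookup(route_table, destination):
    """Longest-prefix match; None means no route, so the packet is dropped."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.IPv4Network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def next_hop(source_subnet, destination):
    """Where traffic leaving `source_subnet` for `destination` is sent."""
    _, _, table = SUBNETS[source_subnet]
    return lookup(table, destination)


def is_public(route_table):
    """A subnet is public when its route table sends traffic to an Internet gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


def classify_subnets():
    return {name: ("public" if is_public(table) else "private")
            for name, (_, _, table) in SUBNETS.items()}


def cross_az_reachable(src_subnet, dst_subnet):
    """Two subnets of one VPC route to each other via the local route, whatever their AZs."""
    dst_cidr = SUBNETS[dst_subnet][0]
    first_host = str(ipaddress.IPv4Network(dst_cidr)[4])  # first address AWS hands to an instance
    return next_hop(src_subnet, first_host) == "local"


if __name__ == "__main__":
    print(classify_subnets())
    print(cross_az_reachable("private-1a", "private-1b"))
    print(next_hop("private-1b", "93.184.216.34"))  # main table has no default route
```

Routing only says where a packet may go. Whether the SSH or ICMP in the lab actually arrives is decided by the security group on the target instance and the network ACLs on both subnets, which is the part the lab's ICMP rule addresses.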

Amazon VPC Limits

  1. Limits
    • Virtual Private Gateways
      • Default Maximum Virtual Private Gateways per Region is 5
      • Maximum virtual private gateways per VPC is 1
    • VPCs per Region
      • Default Limit of 5
        • The limit for internet gateways per Region is directly correlated to this one.
        • Increasing this limit increases the limit on internet gateways per Region by the same amount.

EC2-VPC Instance resolve DNS Names outside of AWS

Question

Which of the following AWS resources would you use in order for an EC2-VPC instance to resolve DNS names outside of AWS?

  • A. A VPC peering connection
  • B. A DHCP option set
  • C. A routing rule
  • D. An IGW

Answer

A DHCP option set allows customers to

  1. Define the DNS servers used for DNS name resolution
  2. Establish the domain name for instances within an Amazon VPC
  3. Define NTP servers
  4. And define the NetBIOS name servers

Amazon VPC resource to use for EC2-VPC instances to send traffic directly to Amazon S3

Question

  1. Which of the following Amazon VPC resources would you use in order for EC2-VPC instances to send traffic directly to Amazon S3?
    • A. Amazon S3 gateway
    • B. IGW
    • C. CGW
    • D. VPC endpoint

Answer

  1. Endpoint
    • Understand what endpoints provide to an Amazon VPC.
    • An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, a VPN connection, or AWS Direct Connect.
    • Endpoints support services within the region only.
    • Access through the endpoint can be restricted on both ends: the endpoint policy limits which buckets and actions may pass through it, and a bucket policy can require the aws:sourceVpce condition key to equal the endpoint id, so the bucket is reachable only from that VPC.

AWS/RDS – SQL Server – Error – “The EXECUTE permission was denied on the object ‘agent_datetime’, database ‘msdb’, schema ‘dbo’ “

Background

Here is an error I have been wanting to talk about for a while here.

Code

msdb.dbo.agent_datetime

Outline

The msdb.dbo.agent_datetime function accepts two integer values, a date (yyyymmdd) and a time (hhmmss), in the form SQL Server Agent stores them in its job history tables, and returns the corresponding datetime value.

SQL


use [msdb]
go

declare @date int
declare @time int

set @date = 20190701
set @time = 0

select
        [ts]
            = [msdb].[dbo].[agent_datetime]
                (
                      @date
                    , @time
                )

Output

Output – AWS

Here is the result when we issue the command against an AWS/RDS MS SQL Server instance.

Msg 229, Level 14, State 5, Line 10
The EXECUTE permission was denied on the object 'agent_datetime', database 'msdb', schema 'dbo'.

Output – Traditional

Here is the expected result, on a self-managed SQL Server instance.

2019-07-01 00:00:00.000
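Added example, not from the original post: a replacement for msdb.dbo.agent_datetime for use against RDS, where the EXECUTE permission above is not granted. SQL Server Agent stores run_date as a yyyymmdd integer and run_time as an hhmmss integer in msdb.dbo.sysjobhistory; the Python function converts such a pair client-side, and INLINE_SQL carries the same conversion written in T-SQL so it can be done inside the query instead (it assumes your login can SELECT from msdb.dbo.sysjobhistory and msdb.dbo.sysjobs). The SAMPLE_ROWS are constructed.

```python
"""Client-side replacement for msdb.dbo.agent_datetime on RDS for SQL Server.

Added example, not from the original post.  RDS refuses EXECUTE on that
function (the error shown above), so the conversion is done here instead.
SQL Agent stores run_date as yyyymmdd and run_time as hhmmss, both int.
INLINE_SQL is the same conversion in T-SQL for use inside a query; it assumes
the login may SELECT from msdb.dbo.sysjobhistory and msdb.dbo.sysjobs.
"""
from datetime import datetime


def agent_datetime(run_date: int, run_time: int) -> datetime:
    """Equivalent of msdb.dbo.agent_datetime(run_date, run_time)."""
    if not 10000101 <= run_date <= 99991231:
        raise ValueError(f"run_date {run_date} is not in yyyymmdd form")
    if not 0 <= run_time <= 235959:
        raise ValueError(f"run_time {run_time} is not in hhmmss form")
    year, month, day = run_date // 10000, (run_date // 100) % 100, run_date % 100
    hour, minute, second = run_time // 10000, (run_time // 100) % 100, run_time % 100
    # datetime() rejects impossible values such as month 13 or minute 75.
    return datetime(year, month, day, hour, minute, second)


# Same conversion inside T-SQL; 112 is the yyyymmdd CONVERT style.
INLINE_SQL = """
SELECT j.name,
       DATEADD(second, h.run_time % 100,
       DATEADD(minute, (h.run_time / 100) % 100,
       DATEADD(hour,   h.run_time / 10000,
       CONVERT(datetime, CONVERT(char(8), h.run_date), 112)))) AS run_started
FROM msdb.dbo.sysjobhistory AS h
JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
WHERE h.step_id = 0
"""

# Constructed rows in the shape a query on sysjobhistory returns: (job name, run_date, run_time).
SAMPLE_ROWS = [("nightly-etl", 20190701, 0), ("nightly-etl", 20190705, 125700)]


def run_times(rows=SAMPLE_ROWS):
    """Attach a real datetime to each (name, run_date, run_time) row."""
    return [(name, agent_datetime(run_date, run_time)) for name, run_date, run_time in rows]


if __name__ == "__main__":
    for name, started in run_times():
        print(name, started)
```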

AWS/RDS – Delete Instance

Background

For one of the projects we are standing up in AWS, I would like to test out different instance configuration options.

Constraints

It has a big database and I did not want to continue eating the cost of standing up various instances. It is time to stand down some of the instances.

Instances

Current

Here is the current list of RDS Instances.

  1. dev
    • Development
  2. perf
    • Performance
  3. prod
    • Production

Delete Instance

We are not currently using Prod and so I am going to take it “permanently” down.

And, start running load tests against Perf, which is the instance I brought up just yesterday.

Outline

  1. Access the list of database instances
  2. Select the instance targeted for deletion
  3. Choose the menu option Actions / Delete
  4. If “Deletion Protection” has been enabled for the instance
    • We are prompted to modify the database and disable deletion protection
  5. Access the instance
    • Review the instance’s “Deletion Protection” setting
    • Clear “Enable Deletion Protection”
    • Save Changes
    • Scheduling of Modifications
      • By default changes take effect during the next maintenance window
      • Choose to apply this specific change immediately
  6. Return to the list of RDS databases
  7. Choose to delete the instance
    • Prompted as to whether we want to take a final snapshot
    • We made the following choices
      • We chose not to take that final snapshot
      • Confirmed deletion by entering “delete me”
    • Advised that the RDS instance deletion is being processed
  8. The list of RDS databases reflects the deletion being processed
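Added example, not from the original post: the same procedure driven through the RDS API rather than the console. In real use `rds` is `boto3.client("rds")`; the FakeRDS below is a constructed stand-in with the same three method names so the flow can run offline, and the inventory mirrors the three instances listed above. Two deliberate differences from the console walk-through: the caller must echo the identifier back (the API has no “delete me” prompt of its own), and the default is to take a final snapshot.

```python
"""Decommission an RDS instance the way the console steps above do, via the API.

Added example, not from the original post.  `rds` is a boto3 RDS client
(boto3.client("rds")) in real use; FakeRDS is a constructed stand-in with the
same method names so the flow runs offline.  Unlike the post, the default here
is to take a final snapshot before deleting.
"""
import time
from datetime import datetime, timezone


def decommission(rds, identifier, confirm, skip_final_snapshot=False, poll_seconds=0):
    """Disable deletion protection if set, then delete; returns the final snapshot id (None if skipped)."""
    # The console makes you type "delete me"; here the caller must echo the identifier back.
    if confirm != identifier:
        raise ValueError(f"confirmation {confirm!r} does not match {identifier!r}; nothing deleted")
    desc = rds.describe_db_instances(DBInstanceIdentifier=identifier)["DBInstances"][0]
    if desc.get("DeletionProtection"):
        # Step 5 of the outline: modify the instance and apply now, not in the maintenance window.
        rds.modify_db_instance(DBInstanceIdentifier=identifier,
                               DeletionProtection=False, ApplyImmediately=True)
        while rds.describe_db_instances(DBInstanceIdentifier=identifier)["DBInstances"][0].get("DeletionProtection"):
            time.sleep(poll_seconds)
    if skip_final_snapshot:
        rds.delete_db_instance(DBInstanceIdentifier=identifier, SkipFinalSnapshot=True)
        return None
    snapshot_id = f"{identifier}-final-{datetime.now(timezone.utc):%Y%m%d%H%M%S}"
    rds.delete_db_instance(DBInstanceIdentifier=identifier,
                           SkipFinalSnapshot=False, FinalDBSnapshotIdentifier=snapshot_id)
    return snapshot_id


class FakeRDS:
    """Constructed stand-in for boto3's RDS client; records every call it receives."""
    def __init__(self, instances):
        self.instances = {i["DBInstanceIdentifier"]: dict(i) for i in instances}
        self.calls = []

    def describe_db_instances(self, DBInstanceIdentifier):
        return {"DBInstances": [dict(self.instances[DBInstanceIdentifier])]}

    def modify_db_instance(self, DBInstanceIdentifier, **kwargs):
        self.calls.append(("modify", DBInstanceIdentifier, kwargs))
        self.instances[DBInstanceIdentifier].update(
            {k: v for k, v in kwargs.items() if k != "ApplyImmediately"})

    def delete_db_instance(self, DBInstanceIdentifier, **kwargs):
        self.calls.append(("delete", DBInstanceIdentifier, kwargs))
        del self.instances[DBInstanceIdentifier]


# Constructed inventory matching the three instances listed in the post.
INVENTORY = [
    {"DBInstanceIdentifier": "dev", "DeletionProtection": False},
    {"DBInstanceIdentifier": "perf", "DeletionProtection": False},
    {"DBInstanceIdentifier": "prod", "DeletionProtection": True},
]


if __name__ == "__main__":
    fake = FakeRDS(INVENTORY)
    print(decommission(fake, "prod", "prod"))
    print(fake.calls)
```

Deletion protection is only worth having if turning it off is a separate, auditable step; keeping that step in code (and logging the modify call) rather than clicking through it preserves that property.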

Screen Images

The screen captures from the original post are not reproduced here; their captions, in order, were:

  1. RDS / Instances / List – 01
    • This database has the deletion protection option enabled
  2. Instance
    • Deletion Protection
  3. Scheduling of Modifications
    • Apply During the Next Scheduled Maintenance Window
    • Apply Immediately
  4. RDS / Instances / List – 02
  5. RDS / Instances / Delete Instance ?
    • Initial
    • Final
  6. RDS / Instances / Deleting Instance
  7. RDS / Instances

AWS/EC2 – Instance – Metadata

Background

Continuing with our study on AWS/EC2.

Let us quickly cover how we go about querying the EC2 instance for rudimentary system information.

Environment

On the instance itself, send an HTTP GET to the link-local address 169.254.169.254; the full URL is http://169.254.169.254/latest/meta-data/. The address is only reachable from inside the instance.

Tool

We are on MS Windows with browsers loaded, so we will use a browser as a simple HTTP client.

If you are on Linux and all you have is a terminal session, use curl (Client URL).

Top Level

Here is our top level node, http://169.254.169.254/latest/meta-data/; it returns one line per child node. The screen captures from the original post are not reproduced here; the nodes walked through are listed below by their paths under that URL.

block-device-mapping/

Lists storage devices; please note only block devices, not raw storage devices.

Please also keep in mind that detailed storage info is not available; merely the device names.

hostname

instance-id

instance-type

local-hostname

local-ipv4

mac

The MAC address of the primary network interface; please read further, specifically under network/interfaces/macs/.

network/interfaces/macs/

Network MAC addresses, one child node per attached interface, which can be fairly useful for network troubleshooting, etc.

placement/availability-zone

Here we talk about country/region/Availability Zone.

In our case we are in

  1. Country :- US
  2. Region :- East Coast (us-east-1)
  3. Availability Zone :- us-east-1c

security-groups

The security groups the instance is assigned.

In the screen shots in the original post we had two distinct results: first “workplace”, for an AWS Workplace node, and second “taskRunner”, one of our custom security groups.

Summary

Quick summary.

Instance metadata allows a bit of introspection on each EC2 instance, akin to Windows Management Instrumentation (WMI) on MS Windows.

One caveat: anything that can make an HTTP request from inside the instance can read it, including a web application with a server-side request forgery bug, and the same service hands out the instance's IAM role credentials under iam/security-credentials/. Requiring IMDSv2 session tokens on the instance is the usual mitigation.
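Added example, not from the original post: the same walk over the metadata nodes done the IMDSv2 way, which first obtains a session token with a PUT to /latest/api/token and sends it as a header on every GET. On a real instance the default `urllib.request.urlopen` is used; `fake_imds` and its node values are constructed stand-ins so the code also runs off-instance. To make an instance refuse token-less (IMDSv1) requests, run `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`; the default hop limit of 1 additionally stops the token response from crossing a network hop, for example to a container behind the instance's bridge network.

```python
"""Query EC2 instance metadata with IMDSv2 (session token first).

Added example, not from the original post.  It only returns real data when run
on an EC2 instance.  The `opener` parameter exists so the request logic can be
exercised off-instance; FakeResponse, fake_imds and CONSTRUCTED_NODES are
stand-ins, not AWS output.
"""
import urllib.request

IMDS = "http://169.254.169.254"
TOKEN_TTL_SECONDS = 21600  # six hours, the longest IMDS allows a token to live


def imdsv2_token(opener=urllib.request.urlopen, ttl=TOKEN_TTL_SECONDS):
    """PUT /latest/api/token; an IMDSv1 client that skips this gets nothing once tokens are required."""
    req = urllib.request.Request(
        f"{IMDS}/latest/api/token",
        method="PUT",
        headers={"X-aws-ec2-metadata-token-ttl-seconds": str(ttl)},
    )
    with opener(req, timeout=2) as resp:
        return resp.read().decode()


def metadata(path, token, opener=urllib.request.urlopen):
    """GET one node under /latest/meta-data/, e.g. "instance-id" or "placement/availability-zone"."""
    req = urllib.request.Request(
        f"{IMDS}/latest/meta-data/{path.lstrip('/')}",
        headers={"X-aws-ec2-metadata-token": token},
    )
    with opener(req, timeout=2) as resp:
        return resp.read().decode()


def snapshot(opener=urllib.request.urlopen):
    """The nodes the post walks through, fetched with a single token."""
    token = imdsv2_token(opener)
    nodes = ["instance-id", "instance-type", "hostname", "local-hostname", "local-ipv4",
             "placement/availability-zone", "security-groups", "block-device-mapping/"]
    return {node: metadata(node, token, opener) for node in nodes}


# Constructed values, not captured from a real instance.
CONSTRUCTED_NODES = {
    "instance-id": "i-0123456789abcdef0",
    "instance-type": "t3.micro",
    "hostname": "ip-10-0-1-23.ec2.internal",
    "local-hostname": "ip-10-0-1-23.ec2.internal",
    "local-ipv4": "10.0.1.23",
    "placement/availability-zone": "us-east-1c",
    "security-groups": "taskRunner",
    "block-device-mapping/": "ami\nroot",
}
FAKE_TOKEN = "AQAAA-constructed-token"


class FakeResponse:
    """Constructed stand-in for the response object urlopen returns."""
    def __init__(self, body):
        self.body = body

    def read(self):
        return self.body.encode()

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def fake_imds(request, timeout=None):
    """Constructed IMDS that, like an IMDSv2-only instance, refuses GETs without a valid token."""
    if request.get_method() == "PUT" and request.full_url.endswith("/latest/api/token"):
        return FakeResponse(FAKE_TOKEN)
    if request.get_header("X-aws-ec2-metadata-token") != FAKE_TOKEN:
        raise PermissionError("401 Unauthorized: missing or invalid IMDSv2 token")
    node = request.full_url.split("/latest/meta-data/", 1)[1]
    if node not in CONSTRUCTED_NODES:
        raise FileNotFoundError(f"404 Not Found: {node}")
    return FakeResponse(CONSTRUCTED_NODES[node])


if __name__ == "__main__":
    # On an EC2 instance call snapshot() with no argument to hit the real service.
    for node, value in snapshot(fake_imds).items():
        print(f"{node}: {value!r}")
```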


AWS :- Elastic Compute Cloud ( EC2 ) and Elastic Block Store ( EBS ) :- Review Questions

Review Questions

  1. Your web application needs four instances to support steady traffic nearly all of the time. On the last day of each month, the traffic triples. What is a cost-effective way to handle this traffic pattern?
    • A. Run 12 Reserved Instances all of the time.
    • B. Run four On-Demand Instances constantly, then add eight more On-Demand Instances on the last day of each month.
    • C. Run four Reserved Instances constantly, then add eight On-Demand Instances on the last day of each month.
    • D. Run four On-Demand Instances constantly, then add eight Reserved Instances on the last day of each month.
  2. Your order-processing application processes orders extracted from a queue with two Reserved Instances processing 10 orders/minute. If an order fails during processing, then it is returned to the queue without penalty. Due to a weekend sale, the queues have several hundred orders backed up. While the backup is not catastrophic, you would like to drain it so that customers get their confirmation emails faster. What is a cost-effective way to drain the queue for orders?
    • A. Create more queues.
    • B. Deploy additional Spot Instances to assist in processing the orders. 
    • C. Deploy additional Reserved Instances to assist in processing the orders.
    • D. Deploy additional On-Demand Instances to assist in processing the orders.
  3. Which of the following must be specified when launching a new Amazon Elastic Compute Cloud (Amazon EC2) Windows instance? (Choose 2 answers)
    • A. The Amazon EC2 instance ID
    • B. Password for the administrator account
    • C. Amazon EC2 instance type
    • D. Amazon Machine Image (AMI)
  4. You have purchased an m3.xlarge Linux Reserved instance in us-east-1a. In which ways can you modify this reservation? (Choose 2 answers)
    • A. Change it into two m3.large instances.
    • B. Change it to a Windows instance.
    • C. Move it to us-east-1b.
    • D. Change it to an m4.xlarge.
  5. Your instance is associated with two security groups. The first allows Remote Desktop Protocol (RDP) access over port 3389 from Classless Inter-Domain Routing (CIDR) block 72.14.0.0/16. The second allows HTTP access over port 80 from CIDR block 0.0.0.0/0. What traffic can reach your instance?
    • A. RDP and HTTP access from CIDR block 0.0.0.0/0
    • B. No traffic is allowed.
    • C. RDP and HTTP traffic from 72.14.0.0/16
    • D. RDP traffic over port 3389 from 72.14.0.0/16 and HTTP traffic over port 80 from 0.0.0.0/0
  6. Which of the following are features of enhanced networking? (Choose 3 answers)
    • A. More Packets Per Second (PPS)
    • B. Lower latency
    • C. Multiple network interfaces
    • D. Border Gateway Protocol (BGP) routing
    • E. Less jitter
  7. You are creating a High-Performance Computing (HPC) cluster and need very low latency and high bandwidth between instances. What combination of the following will allow this? (Choose 3 answers)
    • A. Use an instance type with 10 Gbps network performance.
    • B. Put the instances in a placement group. ( yes )
    • C. Use Dedicated Instances.
    • D. Enable enhanced networking on the instances.
    • E. Use Reserved Instances.
  8. Which Amazon Elastic Compute Cloud (Amazon EC2) feature ensures that your instances will not share a physical host with instances from any other AWS customer?
    • A. Amazon Virtual Private Cloud (VPC)
    • B. Placement groups
    • C. Dedicated Instances
    • D. Reserved Instances
  9. Which of the following are true of instance stores? (Choose 2 answers)
    • A. Automatic backups
    • B. Data is lost when the instance stops.
    • C. Very high IOPS
    • D. Charge is based on the total amount of storage provisioned. 
  10. Which of the following are features of Amazon Elastic Block Store (Amazon EBS)?
    • A. Data stored on Amazon EBS is automatically replicated within an Availability Zone.
    • B. Amazon EBS data is automatically backed up to tape.
    • C. Amazon EBS volumes can be encrypted transparently to workloads on the attached instance.
    • D. Data on an Amazon EBS volume is lost when the attached instance is stopped
  11. You need to take a snapshot of an Amazon Elastic Block Store (Amazon EBS) volume. How long will the volume be unavailable?
    • A. It depends on the provisioned size of the volume.
    • B. The volume will be available immediately. 
    • C. It depends on the amount of data stored on the volume.
    • D. It depends on whether the attached instance is an Amazon EBS-optimized instance.
  12. You are restoring an Amazon Elastic Block Store (Amazon EBS) volume from a snapshot. How long will it be before the data is available?
    • A. It depends on the provisioned size of the volume.
    • B. The data will be available immediately.
    • C. It depends on the amount of data stored on the volume.
    • D. It depends on whether the attached instance is an Amazon EBS-optimized instance.
  13. You have a workload that requires 15,000 consistent IOPS for data that must be durable.  What combination of the following steps do you need? (Choose 2 answers)
    • A. Use an Amazon Elastic Block Store (Amazon EBS)-optimized instance. 
    • B. Use an instance store.
    • C. Use a Provisioned IOPS SSD volume. 
    • D. Use a magnetic volume.
  14. Which of the following can be accomplished through bootstrapping?
    • A. Install the most current security updates.
    • B. Install the current version of the application.
    • C. Configure Operating System (OS) services.
    • D. All of the above.
  15. How can you connect to a new Linux instance using SSH?
    • A. Decrypt the root password.
    • B. Using a certificate
    • C. Using the private half of the instance’s key pair
    • D. Using Multi-Factor Authentication (MFA)
  16. VM Import/Export can import existing virtual machines as: (Choose 2 answers)
    • A. Amazon Elastic Block Store (Amazon EBS) volumes
    • B. Amazon Elastic Compute Cloud (Amazon EC2) instances
    • C. Amazon Machine Images (AMIs)
    • D. Security groups
  17. Which of the following can be used to address an Amazon Elastic Compute Cloud (Amazon EC2) instance over the web? (Choose 2 answers)
    • A. Windows machine name
    • B. Public DNS name
    • C. Amazon EC2 instance ID
    • D. Elastic IP address
  18. Using the correctly decrypted Administrator password and RDP, you cannot log in to a Windows instance you just launched. Which of the following is a possible reason?
    • A. There is no security group rule that allows RDP access over port 3389 from your IP address. 
    • B. The instance is a Reserved Instance.
    • C. The instance is not using enhanced networking.
    • D. The instance is not an Amazon EBS-optimized instance.
  19. You have a workload that requires 1 TB of durable block storage at 1,500 IOPS during normal use. Every night there is an Extract, Transform, Load (ETL) task that requires 3,000 IOPS for 15 minutes. What is the most appropriate volume type for this workload?
    • A. Use a Provisioned IOPS SSD volume at 3,000 IOPS.
    • B. Use an instance store.
    • C. Use a general-purpose SSD volume.
    • D. Use a magnetic volume.
  20. How are you billed for elastic IP addresses?
    • A. Hourly when they are associated with an instance
    • B. Hourly when they are not associated with an instance
    • C. Based on the data that flows through them
    • D. Based on the instance type to which they are attached
