AWS Public vs Private Services

Questions and Answers

Which aspect of AWS services is primarily emphasized when distinguishing between public and private?

• Permissions
• Compute power
• Cost
• Networking (correct)

What does it mean for an AWS service to be 'public' in the context of networking?

• It's free to use for all AWS customers.
• It's managed and maintained by AWS directly.
• It's accessible to any AWS account.
• It uses public endpoints and can be accessed from anywhere with an internet connection. (correct)

What is a key characteristic of an AWS private service?

• It can be accessed from any internet connection.
• It's accessible only by the AWS account root user.
• It runs within a Virtual Private Cloud (VPC). (correct)
• It does not require any permissions to access.

Besides networking, what other aspect governs access to AWS resources?

Permissions (B)

What is the primary function of the 'AWS public zone'?

To act as an intermediary network zone where AWS public services operate. (B)

If you are accessing an AWS public service, such as S3, from your home internet connection, what path does your communication take?

Through the public internet to the AWS public zone. (D)

What is the purpose of an Internet Gateway (IGW) in the context of a VPC?

To enable resources in the private zone to access the public internet and AWS public services. (A)

Which AWS service can be used to create a private network within AWS, allowing resources to communicate with each other in an isolated environment?

Virtual Private Cloud (VPC) (C)

What are the three main network zones in AWS?

Public Internet, AWS Public Zone, AWS Private Zone (C)

Which of the following is a characteristic of AWS Regions?

They are isolated from each other, providing fault tolerance. (D)

In AWS, what is the primary purpose of an Edge Location?

To reduce latency by caching content closer to end-users. (A)

What should a solutions architect consider when designing a globally resilient application on AWS?

Distributing resources across multiple AWS Regions. (B)

What is the key difference between an AWS Region and an Availability Zone (AZ)?

A Region is a geographically isolated area, while an AZ is an isolated infrastructure within a Region. (B)

Which of the following services is an example of a globally resilient service in AWS?

AWS IAM (A)

What does it mean for an AWS service to be 'region resilient'?

The service operates in a single region with data replicated across multiple Availability Zones. (D)

What is the primary benefit of designing your application to span multiple Availability Zones within a single AWS Region?

Higher fault tolerance. (D)

What is a key characteristic of an 'AZ resilient' service in AWS?

It runs from a single Availability Zone, and will fail if that AZ fails. (C)

A company wants to ensure that its application remains available even if an entire AWS Region experiences a major outage. Which architectural approach would be MOST suitable?

Deploy the application across multiple AWS Regions. (B)

Your company is launching a new video streaming service and wants to ensure that content is delivered to users with the lowest possible latency. Which AWS service would be MOST suitable for this purpose?

AWS Edge Locations (D)

What does geopolitical separation achieved by selecting a specific AWS region provide to a company?

Ensures compliance with the laws and regulations of the country where the region is located. (B)

An organization is planning to deploy a critical application that requires maximum fault tolerance and minimal downtime. Which of the following architectural strategies would BEST achieve this goal?

Deploy the application across multiple AWS Regions, using a global load balancer and automated failover mechanisms. (B)

A company is designing a new application that must comply with strict data residency requirements, ensuring that all data remains within the European Union (EU). Which of the following strategies would BEST meet this requirement?

Deploy the application and store all data in AWS Regions located within the EU, and explicitly prevent cross-region data transfers. (B)

Given that AWS Regions are designed to be 100% isolated for fault tolerance, under what specific circumstance might an issue in one AWS Region directly impact resources in another AWS Region?

When using AWS services that are inherently global in nature, such as AWS IAM or Route 53, which have dependencies across regions. (B)

You are designing a multi-tier web application for a global audience, with the backend database hosted on Amazon RDS. The application requires low latency access to the database for users worldwide. Which of the following architectural choices would be MOST effective in minimizing latency for global users?

Deploy read replicas of the database in multiple AWS Regions and route users to the nearest replica using a global DNS service. (A)

A company is migrating its on-premises infrastructure to AWS. They have a critical application that requires direct, low-latency access to a database running in an AWS VPC. However, due to regulatory compliance, they cannot use the public internet for this connection. Which of the following options would provide the MOST secure and reliable connection between their on-premises environment and the AWS VPC?

Establish an AWS Direct Connect connection between their on-premises environment and the AWS VPC. (C)

An organization's security policy mandates that all data stored in AWS must be encrypted at rest using keys managed exclusively by the organization. Which of the following approaches would BEST satisfy this requirement?

Use AWS CloudHSM to generate and manage encryption keys, and integrate CloudHSM with AWS services to encrypt data at rest. (B)

An architect is designing a highly available web application that must withstand the failure of an entire AWS Region with minimal downtime. They have implemented a multi-region architecture with active-active deployments in two Regions. Which of the following strategies would be MOST effective for routing traffic to the healthy Region in the event of a regional failure?

Use Amazon Route 53 with a failover routing policy to automatically redirect traffic to the healthy Region. (D)

You are designing a system that processes highly sensitive data and requires the data to remain within a specific geographic boundary at all times. Which of the following actions would be MOST important to implement?

Use AWS Organizations Service Control Policies (SCPs) to restrict the AWS regions where resources can be provisioned. (D)

An organization has multiple AWS accounts managed under AWS Organizations. They need to ensure that all data stored in S3 buckets across all accounts is encrypted by default, without requiring individual account owners to configure it manually. Which of the following strategies would be MOST effective in achieving this goal?

Create an AWS CloudFormation StackSet to deploy an S3 bucket policy to all accounts, enforcing encryption by default. (A)

A company stores highly sensitive data in Amazon S3 and needs to implement a solution that provides maximum security and control over access to the data. They want to ensure that even if an attacker gains access to their AWS account credentials, they cannot access the S3 data. Which of the following approaches would provide the GREATEST level of protection?

Implement client-side encryption using keys stored outside of AWS and require users to decrypt the data locally before accessing it. (C)

Suppose a catastrophic event causes irreversible damage to multiple AWS Availability Zones within a single region, including the physical destruction of data centers. Which AWS service, by fundamental design, would likely be the LEAST affected?

AWS IAM (Identity and Access Management) (B)

A clandestine organization seeks to establish an AWS presence with the HIGHEST possible degree of anonymity and resistance to legal discovery. They require compute resources, data storage, and network connectivity. Which action below provides the strongest guarantee against revealing their true identity and location to external investigators?

Deploy resources in a jurisdiction with extremely lax data retention laws, and utilize homomorphic encryption for all stored and transmitted data. (A)

You are tasked with developing a system that automatically replicates data between Availability Zones (AZs) for disaster recovery. Your team has implemented a solution that successfully replicates data asynchronously from one AZ to another. However, you discover that the solution is introducing significant latency to the application. Which of the following strategies would you recommend to reduce the impact of replication latency while maintaining data durability?

Implement a caching layer in front of the database to reduce the number of read requests. (B)

You work for a financial institution with strict regulatory requirements for data sovereignty. You need to ensure that all customer data remains within the country's borders. You are using services like Amazon S3, Amazon EC2, and Amazon RDS. What is the MOST important design consideration to meet data sovereignty requirements?

Restrict the deployment of all AWS resources within a single AWS Region located inside the country. (D)

There are three AWS services and you must choose one based on what the company needs. Which of these best fits the needs of the company? A fast transfer of information worldwide is needed.

AWS Edge Locations (D)

When an Availability Zone (AZ) experiences a failure, what is the expected behavior of the other AZs within the same AWS Region?

They will automatically reroute traffic and continue operating normally. (A)

Which statement accurately describes the primary function of a VPC in AWS?

It enables you to provision a logically isolated section of the AWS cloud where you can launch AWS resources. (B)

If a company requires that their cloud infrastructure is compliant with regulations tied to a specific country, what AWS feature would assist them, and what does this feature provide?

Region Selection; ensures compliance with the laws and regulations of the country where a region is located. (C)

Flashcards

AWS Public Service

Accessed using public endpoints, like S3, from anywhere with an internet connection.

AWS Private Service

Runs within a VPC; access is limited to what's connected to that VPC.

Networking Perspective

Focuses on how services are reachable by networking.

Internet Zone

The zone where Internet-based services like online stores and email operate.

Private Network

A network only directly connected devices/people with Wi-Fi password can operate.

Virtual Private Clouds (VPCs)

Isolated virtual networks that cannot communicate unless configured to do so.

AWS Public Zone

The network zone where AWS public services operate with public endpoints like S3.

Edge locations

AWS service that is smaller than regions with content distribution

EC2 Region

AWS compute service where you must choose a region to operate.

Geographic Separation

Each region is isolated, therefore a problem in one region won't affect others.

Geopolitical Separation

The country the region is located in affects the the laws and regulations that your infrastructure is stored in.

Location Control

Regions allow you to place infrastructure as close to your customers for better performance.

Availability Zone (AZ)

Isolated infrastructure areas inside a region.

Globally Resilient Service

A service operates globally with data replicated across multiple regions.

Region Resilient Services

Services that run in a single region and are separate from other regions.

AZ Resilient Services

These services run from a single availability zone.

Study Notes

AWS Public vs Private Services

• AWS services are categorized into public and private types, differing primarily in networking.
• AWS private services are accessed using public endpoints and the Internet, like S3.
• A private AWS service runs within a VPC and can only be accessed by resources within that VPC or connected to it.
• Access to a service involves both permissions and networking; public vs. private primarily concerns networking.
• The Internet is where internet-based services operate.
• Home networks are an example of a private network.
• AWS also features private zones called Virtual Private Clouds (VPCs) which are isolated from each other by default.
• The AWS public zone runs between the public Internet and AWS private zone networks, where AWS public services operate from.
• When accessing AWS public services with a public internet connection, communication goes thru the AWS public zone.
• VPCs can be connected to on-premises networks via VPN or Direct Connect.
• Private zone resources can access the public internet if allowed and configured, using an allocated public IP address and an internet gateway.
• Data communicated between private resources and public AWS services does not traverse the public internet; it uses the AWS public zone.
• Private resources can be given a public IP address.

AWS Global Infrastructure

• AWS global infrastructure is a collection of smaller infrastructure groupings connected by a global high-speed network.
• Key infrastructure concepts include AWS regions, edge locations, and availability zones.
• The three levels of service resilience include global, regional, and zone resilient services.
• AWS regions are areas selected by AWS that contain full deployments of AWS infrastructure, including compute, storage, databases, and AI analytics.
• Amazon's Elastic Compute Cloud in different regions is separate from each other.
• AWS edge locations are smaller than regions, have content distribution services, edge computing, and are in more locations.
• Regions and edge locations work together; regions host infrastructure and edge locations store content closer to customers.
• If a customer in Melbourne wants to stream a move from Netflix, it would stream from an edge location in Melbourne.
• If using EC2 in the AWS console, a region must be selected.
• Global AWS services, like IAM and Route 53, do not require region selection.
• Regions are geographically isolated to ensure that a problem in one region does not affect other regions.
• Regions are designed to be 100% isolated for fault tolerance.
• Selecting a region allows geopolitical or governance separation.
• Regions allow location control to tune architecture performance, and allow infrastructure to be duplicated into another region if required.
• Regions are not the only level, there are things inside regions.
• Inside a region there are availability zones.
• When referring to a region, the region code can be used or the region name (e.g. ap-southeast-2 or Asia Pacific (Sydney)).
• AWS provides multiple availability zones inside every Region.
• With availability zones, isolated infrastructure is provided inside a region that includes compute, storage, networking, power, and facilities.
• Services can be placed across multiple availability zones to make them resilient.
• An availability zone is a logical entity that might comprise one or multiple data centers.
• Availability zones are isolated from each other and connected with high-speed redundant networking.
• Virtual Private Cloud or VPC can work across multiple availability zones.
• Global resilient services are those that operate globally with a single database, with data replicated across multiple regions (e.g., IAM, Route 53).
• Region resilient services operate in a single region with a separate data set per region, with data replicated to multiple availability zones.
• AZ resilient services run from a single availability zone.
• Knowing whether a service is global, regional, or AZ resilient is important for AWS architects.