AWS Cloud Practitioner Essentials T3.5

Questions and Answers

Which statement about subnets in a VPC is true?

• You cannot create more than one subnet in a single Availability Zone.
• All subnets in a VPC must be public.
• A subnet can span multiple Availability Zones.
• A subnet is tied to a specific Availability Zone (AZ) in a VPC. (correct)

What is the main function of a NAT Gateway in a VPC?

• A NAT Gateway enables resources in private subnets to access the internet while preventing inbound traffic from the internet. (correct)
• A NAT Gateway allows inbound internet traffic to private subnets.
• A NAT Gateway is used to connect private subnets to other VPCs.
• A NAT Gateway is required for all internet access in a VPC.

Which characteristic differentiates Security Groups from Network ACLs?

• Security Groups apply to entire subnets, while NACLs apply to individual instances.
• Security Groups use rules that allow or deny traffic, while NACLs only allow traffic.
• Security Groups are stateful, while Network ACLs are stateless. (correct)
• Security Groups have higher priority than Network ACLs.

Which routing policy in Amazon Route 53 is designed to enhance performance by directing users to the closest Regional endpoint?

Latency-Based Routing (A)

What is a key difference between a Virtual Private Gateway and an Internet Gateway in a VPC context?

A Virtual Private Gateway connects a VPC to an on-premises network via a VPN or Direct Connect, while an Internet Gateway connects a VPC to the public internet. (D)

What type of IP addresses are Elastic IPs primarily used for in a VPC?

Elastic IPs are primarily used for public IPv4 addresses to allow resources in a VPC to be accessible over the internet. (D)

Which of the following is NOT a capability of Amazon Route 53?

Hosting dynamic content like a web server. (B)

Which statement about the routing tables in a VPC is accurate?

They determine how traffic is routed within the VPC and to external destinations. (C)

What is a potential risk when using public subnets in a VPC?

Exposing resources in public subnets to the internet increases vulnerability to attacks. (B)

In what way do Network ACLs provide a layer of security compared to Security Groups?

Network ACLs provide security at the subnet level, allowing control over traffic entering and leaving the entire subnet, while Security Groups operate at the instance level. (D)

What is the primary function of Amazon CloudFront?

Amazon CloudFront is a content delivery network (CDN) that delivers data, videos, applications, and APIs to users with low latency by caching content at edge locations around the world. (A)

Which of the following is a key feature of AWS Direct Connect?

It provides a dedicated private connection bypassing the internet. (D)

In which scenario would AWS Global Accelerator be the most beneficial?

Optimizing real-time applications such as online gaming. (B)

What type of traffic control do Network ACLs provide?

Subnet-level control to block unwanted or malicious traffic. (A)

What use case is AWS VPN predominantly suited for?

Secure connections for small businesses connecting to AWS. (C)

Which service is best suited for routing global traffic for real-time applications?

AWS Global Accelerator. (C)

Which combination of services would best support a business needing to regularly transfer large amounts of data with low latency?

AWS Direct Connect + Amazon S3 (A)

Which of the following best describes how AWS Global Accelerator functions?

By routing user traffic to the nearest healthy application endpoint. (C)

What is the main advantage of utilizing Amazon CloudFront for delivering content?

Reduced latency for serving content closer to users globally. (D)

Which of the following best represents a key takeaway about AWS's VPC service?

It provides a means for isolated network setups for AWS resources. (A)

Flashcards

Public Subnet Components of a Virtual Private Cloud (VPC)

Accessible from the internet, typically for web servers.

Virtual Private Cloud (VPC) Subnets

Divide a Virtual Private Cloud (VPC) into smaller, isolated segments.

Internet Gateway

Connects resources in a public subnet to the internet.

Private Subnet Components of a Virtual Private Cloud (VPC)

Not accessible from the internet; often used for databases or backend systems.

Route Tables

Defines how traffic is routed within a VPC and to external destinations. (e.g., internet or other VPCs).

NAT Gateway

Allows private subnet instances to connect to the internet for outbound traffic but blocks inbound.

Virtual Private Gateway

Enables secure connections to your on-premises data center through AWS VPN (Virtual Private Network).

Security Group

Firewall at the instance level, controlling inbound and outbound traffic.

Elastic IPs

Static IP addresses for use with EC2 instances in public subnets.

Network ACL

Firewall at the subnet level, controlling inbound/outbound traffic for all resources in a subnet.

What does Security Groups (Stateful) mean?

Connection Tracking: Tracks the state of connections.

Rules: Automatically allows return traffic for established connections.

Granularity: Simplified configuration with fewer rules.

Use Case: Instance-level security.

What are the key features of Amazon Route 53?

Domain Registration: Register and manage domain names directly in Route 53.

DNS Routing: Translate domain names (e.g., www.example.com) into IP addresses.

Routing Policies: Simple Routing: Maps a domain name to a single resource. Latency-Based Routing: Routes users to the closest Region for lower latency. Failover Routing: Automatically redirects traffic to a healthy resource in case of failure.

Amazon Route 53

A Domain Name System (DNS) service that routes traffic to applications based on user-defined rules.

What does Network ACLs (Stateless) mean?

Connection Tracking: Does not track connection state.

Rules: Separate rules are required for inbound and outbound traffic.

Granularity: Fine-grained control with more detailed rules.

Use Case: Subnet-level security.

Virtual Private Cloud (VPC)

Isolated network for AWS resources, allowing for secure resource management.

AWS VPN (Virtual Private Network)

Secure connection between your network and AWS using IPsec tunnels. Suitable for lower-bandwidth needs.

Edge Services - AWS Global Accelerator

Improves application performance by routing traffic across AWS's global network.

Purpose: Provides lower latency and faster failover than traditional internet routing. Use Cases: Real-time applications like gaming or financial trading.

AWS Direct Connect

Dedicated, private connection between your network and AWS for high-speed data transfers.

Supports up to 100 Gbps bandwidth.

Use Cases: Large-scale data transfers or applications requiring consistent low latency.

Edge Services - Amazon CloudFront

A content delivery network (CDN) that caches content globally for faster delivery. Static content (e.g., videos, images)

Purpose: Reduces latency by serving cached content closer to users.

Study Notes

Virtual Private Cloud (VPC) Components

• A VPC is a logically isolated network within AWS to securely run resources.
• Provides full control over the networking environment.
• Subnets: Divide the VPC.
  • Public Subnets: Accessible from the internet, often for web servers.
  • Private Subnets: Not internet-accessible, for databases and backend systems.
• Gateways:
  • Internet Gateway: Allows public subnet resources to access the internet.
  • NAT Gateway: Enables private subnet instances to connect outbound, but blocks inbound internet traffic.
  • Virtual Private Gateway: Connects on-premises data centers securely via AWS VPN.
• Route Tables: Define how traffic moves within the VPC and to external destinations (internet, other VPCs).
• Elastic IPs: Static IP addresses for EC2 instances in public subnets.

Security in a VPC

• Security Groups: Firewalls at the instance level, controlling inbound/outbound traffic.
  • Example: Allow SSH (port 22) only from specific IPs.
• Network ACLs (Access Control Lists): Subnet-level firewalls, controlling traffic for all subnet resources.
  • Example: Deny all traffic from a specific IP address.
• Key Differences (Security Groups vs. NACLs):
  • Scope: Security Groups operate at the instance level, NACLs at the subnet level.
  • Statefulness: Security Groups are stateful (track connections), NACLs are stateless.
  • Rules: NACLs have "allow" and "deny" rules, Security Groups mostly use "allow" but can have a complex combination of rules depending upon the need .

Amazon Route 53

• A DNS (Domain Name System) service that routes traffic.
• Domain Registration: Register and manage domain names.
• DNS Routing: Translates domain names (e.g., www.example.com) into IP addresses.
• Routing Policies:
  • Simple Routing: Maps a domain name to a single resource.
  • Latency-Based Routing: Routes to the closest Region for lower latency.
  • Failover Routing: Automatically redirects traffic for failed resources.
• Use Case: Route 53 directs users to the nearest, fastest, or healthiest endpoint.

Edge Services

• Amazon CloudFront: A CDN (content delivery network) caching content at global edge locations.
  • Purpose: Reduce latency by serving content closer to users.
  • Use Cases: Streaming, delivering static content.
• AWS Global Accelerator: Improves application performance by routing through AWS's global network.
  • Purpose: Provides lower latency and better failover.
  • Use Cases: Real-time apps, gaming.

Network Connectivity Options

• AWS VPN (Virtual Private Network):
  • Secure connection between on-premises networks and AWS.
  • Uses IPsec tunnels. Suitable for lower bandwidth needs.
  • Use Cases: Connecting from office/data center.
• AWS Direct Connect:
  • Dedicated private connection between on-premises and AWS.
  • Bypasses the public internet. Supports up to 100 Gbps.
  • Use Cases: Large-scale data transfers, low-latency needs.

Key Comparisons (CloudFront vs. Global Accelerator)

• CloudFront: Global content caching, suitable for static content (e.g., images, videos).
• Global Accelerator: Global traffic optimization, best for real-time or low-latency applications (e.g., gaming).

Real-World Scenarios

• Securing a VPC: Use Security Groups (instance-level) and Network ACLs (subnet-level) to prevent unauthorized access.
• Connecting On-Premises to AWS: Use AWS Direct Connect for high-speed, consistent connections if bandwidth is high.
• Improving Global App Performance: Use AWS Global Accelerator to route users to the physically nearest AWS Region.

Key Takeaways

• VPC: Securely runs resources (e.g., EC2, RDS) in a isolated virtual network.
• Security Groups: Control inbound/outbound traffic at the instance level.
• Network ACLs: Subnet-level traffic control (allow/deny).
• Route 53: Domain name and traffic routing service.
• CloudFront: Securely serves content at edge locations, for low latency content delivery.
• Global Accelerator: Global traffic optimization, ideal for low latency applications.
• AWS VPN: Securely connect lower-bandwidth on-premises networks to AWS.
• Direct Connect: High-bandwidth, consistent private connections for significant data transfer.

Description

Explore the critical components and security features of Virtual Private Clouds (VPC) in AWS. This quiz covers subnets, gateways, route tables, and security groups, offering insights into controlling network traffic within a VPC environment. Test your knowledge on how these elements work together to enhance security and performance.