AWS Cloud Practitioner Essentials T3.5
20 Questions

Questions and Answers

Which statement about subnets in a VPC is true?

  • Private subnets can be accessed directly from the internet.
  • Public subnets are used for backend systems.
  • All resources in a private subnet can communicate with public subnets without restrictions.
  • Public subnets can host web servers accessible from the internet. (correct)

What is the main function of a NAT Gateway in a VPC?

  • To allow private instances to initiate outbound traffic while blocking inbound traffic. (correct)
  • To enable secure connections to on-premises data centers.
  • To convert elastic IP addresses to dynamic ones.
  • To allow inbound traffic from the internet to private instances.

Which characteristic differentiates Security Groups from Network ACLs?

  • Security Groups accept both allowing and denying rules while NACLs only allow.
  • NACLs are stateful, whereas Security Groups are stateless.
  • NACLs evaluate rules independently, while Security Groups automatically track connections. (correct)
  • Security Groups operate at the subnet level, while NACLs function at the instance level.

Which routing policy in Amazon Route 53 is designed to enhance performance by directing users to the closest Regional endpoint?

    Answer: Latency-Based Routing

    What is a key difference between a Virtual Private Gateway and an Internet Gateway in a VPC context?

    Answer: Virtual Private Gateways are used for VPN connections, while Internet Gateways are for public accessibility.

    What type of IP addresses are Elastic IPs primarily used for in a VPC?

    Answer: Static public IP addresses for resources in public subnets.

    Which of the following is NOT a capability of Amazon Route 53?

    Answer: Perform advanced analytics on traffic patterns.

    Which statement about the routing tables in a VPC is accurate?

    Answer: They determine how traffic is routed within the VPC and to external destinations.

    What is a potential risk when using public subnets in a VPC?

    Answer: Exposing resources in public subnets to the internet increases vulnerability to attacks.

    In what way do Network ACLs provide a layer of security compared to Security Groups?

    Answer: They operate at the subnet level and can deny traffic from specific addresses.

    What is the primary function of Amazon CloudFront?

    Answer: To cache and deliver content globally, reducing latency for end users.

    Which of the following is a key feature of AWS Direct Connect?

    Answer: It provides a dedicated private connection bypassing the internet.

    In which scenario would AWS Global Accelerator be the most beneficial?

    Answer: Optimizing real-time applications such as online gaming.

    What type of traffic control do Network ACLs provide?

    Answer: Subnet-level control to block unwanted or malicious traffic.

    What use case is AWS VPN predominantly suited for?

    Answer: Secure connections for small businesses connecting to AWS.

    Which service is best suited for routing global traffic for real-time applications?

    Answer: AWS Global Accelerator.

    Which combination of services would best support a business needing to regularly transfer large amounts of data with low latency?

    Answer: AWS Direct Connect and AWS VPN.

    Which of the following best describes how AWS Global Accelerator functions?

    Answer: By routing user traffic to the nearest healthy application endpoint.

    What is the main advantage of utilizing Amazon CloudFront for delivering content?

    Answer: Reduced latency for serving content closer to users globally.

    Which of the following best represents a key takeaway about AWS's VPC service?

    Answer: It provides a means for isolated network setups for AWS resources.

    Study Notes

    Virtual Private Cloud (VPC) Components

    • A VPC is a logically isolated network within AWS to securely run resources.
    • Provides full control over the networking environment.
    • Subnets: Divide the VPC.
      • Public Subnets: Accessible from the internet, often for web servers.
      • Private Subnets: Not internet-accessible, for databases and backend systems.
    • Gateways:
      • Internet Gateway: Allows public subnet resources to access the internet.
      • NAT Gateway: Enables private subnet instances to connect outbound, but blocks inbound internet traffic.
      • Virtual Private Gateway: Connects on-premises data centers securely via AWS VPN.
    • Route Tables: Define how traffic moves within the VPC and to external destinations (internet, other VPCs).
    • Elastic IPs: Static IP addresses for EC2 instances in public subnets.
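    The subnet and gateway bullets above describe routing behaviour that is easiest to see by simulating a route table. The following is an added example, not part of the original study notes: a small Python model of longest-prefix route lookup for a public subnet (default route to an Internet Gateway) and a private subnet (default route to a NAT Gateway). The VPC CIDR, gateway IDs and test addresses are constructed placeholders, not real AWS identifiers.

```python
"""Added example (not part of the original study notes): a small model of how
VPC route tables steer traffic from a public and a private subnet. The subnet
CIDR and gateway IDs are constructed placeholders, not real AWS identifiers."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# A route table is a list of (destination CIDR, target). The "local" route is
# the implicit VPC-wide route that every route table carries.
PUBLIC_RT = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),  # default route -> Internet Gateway
]
PRIVATE_RT = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "nat-PLACEHOLDER"),  # default route -> NAT Gateway
]


def lookup(route_table, dst_ip):
    """Return the target of the most specific (longest-prefix) route covering
    dst_ip, or None when no route matches."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def can_initiate_outbound(route_table, dst_ip):
    """An instance can open a connection to dst_ip through an IGW or a NAT
    Gateway (or directly, for addresses inside the VPC)."""
    target = lookup(route_table, dst_ip)
    return target is not None and (
        target == "local" or target.startswith(("igw-", "nat-"))
    )


def reachable_from_internet(route_table, has_public_ip):
    """Unsolicited inbound from the internet needs both a public address on the
    instance and an IGW default route for the reply path; a subnet whose default
    route is a NAT Gateway is therefore not reachable even with a public IP."""
    target = lookup(route_table, "203.0.113.10")  # any internet address (TEST-NET-3)
    return bool(has_public_ip) and target is not None and target.startswith("igw-")
```

    The model shows the security point behind the "private subnet" label: the subnet is private because of its route table, not because of its addresses. Moving a workload from `PRIVATE_RT` to `PUBLIC_RT` (or attaching a public IP in a subnet with an IGW route) is what exposes it, so route table changes deserve the same review as firewall changes.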

    Security in a VPC

    • Security Groups: Firewalls at the instance level, controlling inbound/outbound traffic.
      • Example: Allow SSH (port 22) only from specific IPs.
    • Network ACLs (Access Control Lists): Subnet-level firewalls, controlling traffic for all subnet resources.
      • Example: Deny all traffic from a specific IP address.
    • Key Differences (Security Groups vs. NACLs):
      • Scope: Security Groups operate at the instance level, NACLs at the subnet level.
      • Statefulness: Security Groups are stateful (track connections), NACLs are stateless.
      • Rules: NACLs have both "allow" and "deny" rules; Security Groups have only "allow" rules, so any traffic that no rule explicitly allows is denied.
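    The two examples in this section (allow SSH only from specific IPs; deny all traffic from one address) and the three key differences can be seen in one run by modelling both layers. The following is an added example, not code from the original study notes or from AWS: a toy Python model in which a Security Group is stateful, instance-level and allow-only, and a Network ACL is stateless, subnet-level and evaluates numbered allow/deny rules in order with an implicit final deny. All addresses, ports and rule numbers are constructed.

```python
"""Added example (not the study notes' own code): a toy model of the two
firewall layers from the notes. A Security Group is stateful, instance-level
and allow-only; a Network ACL is stateless, subnet-level and evaluates numbered
allow/deny rules in order. All addresses, ports and rule numbers are constructed."""
import ipaddress
from dataclasses import dataclass, field

INSTANCE = "10.0.1.25"    # constructed private address of an EC2 instance
ADMIN = "198.51.100.7"    # constructed admin workstation (TEST-NET-2)
STRANGER = "203.0.113.9"  # constructed unknown internet host (TEST-NET-3)
BLOCKED = "203.0.113.66"  # constructed address denied at the subnet edge


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True = arriving at the subnet/instance, False = leaving


def _matches(remote_ip, cidr):
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(cidr)


@dataclass
class SecurityGroup:
    """Rules are (cidr, port) allow entries only; anything unmatched is denied.
    Stateful: once a packet is allowed, replies for that flow pass without a
    rule in the opposite direction."""
    inbound: list
    outbound: list
    tracked: set = field(default_factory=set)

    def evaluate(self, pkt):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.tracked:  # reply to an already-allowed flow
            return True
        remote_ip = pkt.src_ip if pkt.inbound else pkt.dst_ip
        for cidr, port in (self.inbound if pkt.inbound else self.outbound):
            if _matches(remote_ip, cidr) and port == pkt.dst_port:
                self.tracked.add(flow)
                return True
        return False  # implicit deny: no allow rule matched


@dataclass
class NetworkAcl:
    """Rules are (number, action, cidr, (low_port, high_port)), evaluated in
    ascending number; the first match wins and an unmatched packet hits the
    implicit final deny. Stateless: replies are checked like any other packet."""
    inbound: list
    outbound: list

    def evaluate(self, pkt):
        remote_ip = pkt.src_ip if pkt.inbound else pkt.dst_ip
        rules = sorted(self.inbound if pkt.inbound else self.outbound, key=lambda r: r[0])
        for _, action, cidr, (low, high) in rules:
            if _matches(remote_ip, cidr) and low <= pkt.dst_port <= high:
                return action == "allow"
        return False


def build_sg():
    # The notes' example: allow SSH (22) only from a specific address.
    return SecurityGroup(inbound=[(ADMIN + "/32", 22)], outbound=[("0.0.0.0/0", 443)])


def build_nacl(with_ephemeral_reply_rule=True):
    # The notes' example: deny all traffic from one address, then allow SSH to the subnet.
    # Because the NACL is stateless, the instance's replies to the client's
    # ephemeral port need their own outbound allow rule.
    outbound = [(100, "allow", "0.0.0.0/0", (1024, 65535))] if with_ephemeral_reply_rule else []
    return NetworkAcl(
        inbound=[(100, "deny", BLOCKED + "/32", (0, 65535)),
                 (200, "allow", "0.0.0.0/0", (22, 22))],
        outbound=outbound,
    )


def ssh_session(sg, nacl, client_ip):
    """Push a client's SSH SYN and the instance's reply through both layers and
    report where each is allowed. Inbound order is NACL then SG; the reply
    leaves through the SG first and the NACL last."""
    syn = Packet(client_ip, 51234, INSTANCE, 22, inbound=True)
    reply = Packet(INSTANCE, 22, client_ip, 51234, inbound=False)
    nacl_in = nacl.evaluate(syn)
    sg_in = nacl_in and sg.evaluate(syn)
    sg_out = sg_in and sg.evaluate(reply)
    nacl_out = sg_out and nacl.evaluate(reply)
    return {"nacl_in": nacl_in, "sg_in": sg_in, "sg_out": sg_out, "nacl_out": nacl_out}
```

    Running `ssh_session(build_sg(), build_nacl(), ADMIN)` allows every step; the same call with `STRANGER` passes the NACL (port 22 is open to the subnet) but is dropped by the Security Group, and with `BLOCKED` it is dropped at the NACL before the instance sees it. Building the NACL with `with_ephemeral_reply_rule=False` is the classic stateless mistake: the handshake reaches the instance, the Security Group lets the reply out, and the NACL then discards it, so the connection hangs.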

    Amazon Route 53

    • A DNS (Domain Name System) service that routes traffic.
    • Domain Registration: Register and manage domain names.
    • DNS Routing: Translates domain names (e.g., www.example.com) into IP addresses.
    • Routing Policies:
      • Simple Routing: Maps a domain name to a single resource.
      • Latency-Based Routing: Routes to the closest Region for lower latency.
      • Failover Routing: Automatically redirects traffic for failed resources.
    • Use Case: Route 53 directs users to the nearest, fastest, or healthiest endpoint.

    Edge Services

    • Amazon CloudFront: A CDN (content delivery network) caching content at global edge locations.
      • Purpose: Reduce latency by serving content closer to users.
      • Use Cases: Streaming, delivering static content.
    • AWS Global Accelerator: Improves application performance by routing through AWS's global network.
      • Purpose: Provides lower latency and better failover.
      • Use Cases: Real-time apps, gaming.

    Network Connectivity Options

    • AWS VPN (Virtual Private Network):
      • Secure connection between on-premises networks and AWS.
      • Uses IPsec tunnels. Suitable for lower bandwidth needs.
      • Use Cases: Connecting from office/data center.
    • AWS Direct Connect:
      • Dedicated private connection between on-premises and AWS.
      • Bypasses the public internet. Supports up to 100 Gbps.
      • Use Cases: Large-scale data transfers, low-latency needs.

    Key Comparisons (CloudFront vs. Global Accelerator)

    • CloudFront: Global content caching, suitable for static content (e.g., images, videos).
    • Global Accelerator: Global traffic optimization, best for real-time or low-latency applications (e.g., gaming).

    Real-World Scenarios

    • Securing a VPC: Use Security Groups (instance-level) and Network ACLs (subnet-level) to prevent unauthorized access.
    • Connecting On-Premises to AWS: Use AWS Direct Connect for high-speed, consistent connections if bandwidth is high.
    • Improving Global App Performance: Use AWS Global Accelerator to route users to the physically nearest AWS Region.

    Key Takeaways

    • VPC: Securely runs resources (e.g., EC2, RDS) in an isolated virtual network.
    • Security Groups: Control inbound/outbound traffic at the instance level.
    • Network ACLs: Subnet-level traffic control (allow/deny).
    • Route 53: Domain name and traffic routing service.
    • CloudFront: Securely serves content at edge locations, for low latency content delivery.
    • Global Accelerator: Global traffic optimization, ideal for low latency applications.
    • AWS VPN: Securely connect lower-bandwidth on-premises networks to AWS.
    • Direct Connect: High-bandwidth, consistent private connections for significant data transfer.

    Description

    Explore the critical components and security features of Virtual Private Clouds (VPC) in AWS. This quiz covers subnets, gateways, route tables, and security groups, offering insights into controlling network traffic within a VPC environment. Test your knowledge on how these elements work together to enhance security and performance.
