
CLD120 Module 7 Knowledge Check

Creating a Networking Environment


Question 1

Which definition describes a virtual private cloud (VPC)?

A VPC is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment.

Question 2

Which component does not have direct access to the internet?

A private subnet. Its route table has no route to an internet gateway, so instances in it have no direct path to or from the internet. Outbound-only access (for example, to download updates) can be added by routing internet-bound traffic through a NAT gateway in a public subnet, but even then the internet cannot initiate connections to the instances.

Question 3

A company's virtual private cloud (VPC) has the Classless Inter-Domain Routing (CIDR) block 172.16.0.0/21 (2048 addresses). It has two subnets (A and B). Each subnet must support 100 usable addresses now, but this number is expected to rise to at most 254 usable addresses soon. Which subnet addressing scheme meets the requirements and follows AWS best practices?

Use two /23 subnets. A /24 subnet has 256 addresses, and AWS reserves five addresses in every subnet (the first four and the last), which leaves 251 usable addresses, fewer than the 254 required. The next larger size, /23, has 512 addresses and 507 usable addresses, which covers the growth requirement. Two /23 blocks consume only half of the /21, so the VPC still has room for additional subnets.
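The arithmetic above generalises: subtract the five reserved addresses from the block size, pick the longest prefix that still meets the requirement, and carve the VPC block accordingly. The following script is an added example written for this knowledge check, not code from the CLD120 module; it uses only the Python standard library, and the function and variable names are its own. It also reports how much of the VPC block is left, which the text mentions but does not compute.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every IPv4
# subnet (network address, VPC router, DNS resolver, future use, broadcast),
# so 5 addresses are unusable regardless of subnet size.
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(prefix_len: int) -> int:
    """Usable host addresses in an AWS IPv4 subnet of the given prefix length."""
    return 2 ** (32 - prefix_len) - AWS_RESERVED_PER_SUBNET


def smallest_prefix_for(required_usable: int) -> int:
    """Longest prefix (smallest subnet) whose usable count meets the requirement.

    AWS allows IPv4 subnets from /16 to /28, so only that range is searched.
    """
    for prefix_len in range(28, 15, -1):
        if usable_addresses(prefix_len) >= required_usable:
            return prefix_len
    raise ValueError(f"no single AWS subnet can hold {required_usable} usable addresses")


def carve_subnets(vpc_cidr: str, prefix_len: int, count: int) -> list[str]:
    """Carve `count` equal /prefix_len subnets out of the VPC CIDR, in address order."""
    vpc = ipaddress.ip_network(vpc_cidr)
    available = [str(s) for s in vpc.subnets(new_prefix=prefix_len)]
    if len(available) < count:
        raise ValueError(
            f"{vpc_cidr} only holds {len(available)} /{prefix_len} subnets, need {count}")
    return available[:count]


def plan(vpc_cidr: str, subnet_count: int, required_usable: int) -> dict:
    """Size the subnets for the growth target and report what is left in the VPC."""
    prefix_len = smallest_prefix_for(required_usable)
    subnets = carve_subnets(vpc_cidr, prefix_len, subnet_count)
    total = ipaddress.ip_network(vpc_cidr).num_addresses
    return {
        "prefix_len": prefix_len,
        "usable_per_subnet": usable_addresses(prefix_len),
        "subnets": subnets,
        "spare_addresses": total - subnet_count * 2 ** (32 - prefix_len),
    }


if __name__ == "__main__":
    # The question's VPC: 172.16.0.0/21, two subnets, growth to 254 usable each.
    print(plan("172.16.0.0/21", subnet_count=2, required_usable=254))
```

Run as-is, the script reports a /23 prefix with 507 usable addresses per subnet, the two blocks 172.16.0.0/23 and 172.16.2.0/23, and 1024 spare addresses in the VPC.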

Question 4

Several EC2 instances launch in a virtual private cloud (VPC) that has internet access. These instances should not be accessible from the internet, but they must be able to download updates from the internet. How should the instances launch?

Launch the instances in a private subnet whose route table sends internet-bound traffic (0.0.0.0/0) to a NAT gateway located in a public subnet. The NAT gateway gives the instances an internet-routable source address for sessions that the instances initiate, such as downloading updates, but it does not accept connections from the internet, so the instances remain unreachable from outside.

Question 5

A group of consultants requires access to an EC2 instance from the internet for 3 consecutive days each week. The instance is shut down the rest of the week. The virtual private cloud (VPC) has internet access. How should you assign one IPv4 address to the instance to give the consultants access?

Allocate an Elastic IP address and associate it with the instance. A public IPv4 address that is auto-assigned at launch is released when the instance stops and a different address is assigned when it starts again, so the consultants' address would change every week. An Elastic IP address is static and remains associated with the instance across stop and start cycles, so the consultants connect to the same address each week and any allow-list built on that address stays valid.

Question 6

An application uses a bastion host to allow access to EC2 instances in a private subnet within a virtual private cloud (VPC). What security group configurations would allow SSH access from the source IP to the EC2 instances? (Select TWO.)

Two configurations are needed, one per hop. The bastion host's security group must allow inbound SSH (TCP port 22) from the consultants' source IP address or CIDR range. The security group of each private EC2 instance must allow inbound SSH with the bastion host's security group as the source rather than an IP range, so only traffic originating from instances in that group is accepted. Security group rules can name either IP addresses or other security groups as the source; following the principle of least privilege, each group should permit only the systems that need access, and port 22 on the private instances is never opened to the internet.
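The following script models how the two security group rules above are evaluated and shows what the least-privilege configuration permits and refuses. It is an added example for this knowledge check, not code from the CLD120 module or an AWS API: the rule and host types, group names (sg-bastion, sg-app), and addresses (documentation ranges and a constructed 10.0.0.0/16 layout) are all made up for illustration, and the model keeps only the properties the question turns on: rules are allow-only, unordered, stateful, and can reference another security group as the source.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class SgRule:
    """One inbound security group rule; exactly one of source_cidr / source_sg is set."""
    proto: str
    port: int
    source_cidr: Optional[str] = None
    source_sg: Optional[str] = None


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    sg: str


def sg_allows_inbound(groups: dict[str, list[SgRule]], dst_sg: str, proto: str,
                      port: int, src_ip: str, src_sg: Optional[str] = None) -> bool:
    """Security groups are allow-only and unordered: inbound traffic is permitted when
    ANY rule of the destination group matches, and there is no explicit deny. They are
    stateful, so the reply to an allowed request needs no rule of its own; only the
    initiating direction is evaluated here. A rule whose source is a security group
    matches on the sender's group membership, not on its IP address."""
    src = ipaddress.ip_address(src_ip)
    for rule in groups.get(dst_sg, []):
        if rule.proto != proto or rule.port != port:
            continue
        if rule.source_sg is not None and rule.source_sg == src_sg:
            return True
        if rule.source_cidr is not None and src in ipaddress.ip_network(rule.source_cidr):
            return True
    return False


def ssh_path_via_bastion(groups, client_ip: str, bastion: Host, target: Host) -> bool:
    """The two hops the question describes: client -> bastion, then bastion -> target."""
    first_hop = sg_allows_inbound(groups, bastion.sg, "tcp", 22, client_ip)
    second_hop = sg_allows_inbound(groups, target.sg, "tcp", 22, bastion.ip, bastion.sg)
    return first_hop and second_hop


def world_open_ports(groups) -> dict[str, list[int]]:
    """Ports any group exposes to the whole internet; a quick least-privilege audit."""
    found = {}
    for name, rules in groups.items():
        ports = sorted({r.port for r in rules if r.source_cidr in ("0.0.0.0/0", "::/0")})
        if ports:
            found[name] = ports
    return found


# Constructed topology: documentation IP ranges and made-up group names, not a real deployment.
CONSULTANT_CIDR = "203.0.113.0/24"
BASTION = Host("bastion", "10.0.0.10", "sg-bastion")
APP = Host("app", "10.0.1.20", "sg-app")

# The least-privilege answer: the bastion trusts the consultants' range,
# the app group trusts only the bastion's security group.
LEAST_PRIVILEGE = {
    "sg-bastion": [SgRule("tcp", 22, source_cidr=CONSULTANT_CIDR)],
    "sg-app": [SgRule("tcp", 22, source_sg="sg-bastion")],
}

# An over-broad variant for comparison: the app group accepts SSH from anywhere.
OVER_BROAD = {
    "sg-bastion": [SgRule("tcp", 22, source_cidr=CONSULTANT_CIDR)],
    "sg-app": [SgRule("tcp", 22, source_cidr="0.0.0.0/0")],
}

if __name__ == "__main__":
    print("via bastion:", ssh_path_via_bastion(LEAST_PRIVILEGE, "203.0.113.10", BASTION, APP))
    print("direct to app:", sg_allows_inbound(LEAST_PRIVILEGE, APP.sg, "tcp", 22, "203.0.113.10"))
    print("world-open ports:", world_open_ports(OVER_BROAD))
```

With the least-privilege groups a consultant reaches the app only through the bastion; a direct attempt against the app's group finds no matching rule, and a client outside 203.0.113.0/24 is refused at the first hop. The over-broad variant is the configuration the audit helper is there to catch: it reports sg-app exposing port 22 to the world.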

Question 7

A solution deployed in a virtual private cloud (VPC) needs a subnet with limited access to specific internet addresses. How can an architect configure the network to limit traffic from and to the EC2 instances in the subnet using a network access control list (ACL)?

Create a custom network ACL, associate it with that subnet, and add numbered rules that allow traffic only to and from the specific internet addresses. A custom network ACL starts with no allow rules; its final rule, shown as `*`, denies any traffic that no earlier rule matched (the implicit deny). Rules are evaluated in ascending number order and the first match wins, so an explicit deny must be numbered lower than any broader allow that would otherwise match. Because network ACLs are stateless, return traffic also needs an explicit rule: for sessions the instances initiate, that is an inbound allow for the ephemeral port range from the same addresses.
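The script below is an added example for this knowledge check, not code from the CLD120 module or any AWS tooling; it models network ACL evaluation so the three properties that matter here can be exercised: ordered first-match evaluation, the trailing implicit deny, and statelessness. The rule type, the destination block 198.51.100.0/24, and the rule numbers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    number: int       # rules are evaluated in ascending number order; the first match wins
    proto: str        # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"


def acl_evaluate(rules: list[AclRule], proto: str, port: int, ip: str) -> str:
    """Evaluate one direction of a network ACL for a single packet."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.proto not in ("all", proto):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"  # the trailing "*" rule every network ACL ends with: implicit deny


def session_permitted(outbound: list[AclRule], inbound: list[AclRule],
                      dst_ip: str, dst_port: int, ephemeral_port: int = 49152) -> bool:
    """A TCP session initiated from the subnet needs an outbound allow for the request
    AND, because network ACLs are stateless, an inbound allow for the reply that comes
    back to the client's ephemeral port."""
    request_ok = acl_evaluate(outbound, "tcp", dst_port, dst_ip) == "allow"
    reply_ok = acl_evaluate(inbound, "tcp", ephemeral_port, dst_ip) == "allow"
    return request_ok and reply_ok


# Constructed policy: the subnet may talk HTTPS only to one documentation-range block.
PERMITTED_SERVERS = "198.51.100.0/24"
OUTBOUND = [AclRule(100, "tcp", 443, 443, PERMITTED_SERVERS, "allow")]
INBOUND = [AclRule(100, "tcp", 1024, 65535, PERMITTED_SERVERS, "allow")]  # replies only

# Carving one host out of the permitted block: the deny works only if it is numbered
# below the broader allow; numbered above it, rule 100 matches first and the deny is dead.
OUTBOUND_WITH_EXCEPTION = [AclRule(50, "tcp", 443, 443, "198.51.100.99/32", "deny")] + OUTBOUND
OUTBOUND_MISORDERED = OUTBOUND + [AclRule(150, "tcp", 443, 443, "198.51.100.99/32", "deny")]

if __name__ == "__main__":
    print("permitted server:", session_permitted(OUTBOUND, INBOUND, "198.51.100.7", 443))
    print("other address:   ", session_permitted(OUTBOUND, INBOUND, "192.0.2.7", 443))
    print("no reply rule:   ", session_permitted(OUTBOUND, [], "198.51.100.7", 443))
```

The third case is the one that bites in practice: the outbound allow is present, yet the session fails because the inbound ACL has nothing for the reply and falls through to the implicit deny. A security group would have passed that reply automatically.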

Question 8

Which actions are best practices for designing a virtual private cloud (VPC)? (Select THREE.)

Plan the VPC CIDR block with room for growth: running out of addresses can force complicated re-addressing later, and although secondary CIDR blocks can be added to a VPC, that is a workaround for inadequate planning rather than a design. Distribute subnets, and the hosts in them, across multiple Availability Zones so that a failure in one zone does not become a correlated failure of the whole application.

Question 9

Where can you have VPC flow logs delivered? (Select THREE.)

VPC Flow Logs delivers flow log records, which are metadata about the IP traffic accepted or rejected on network interfaces (not packet contents), to Amazon CloudWatch Logs, Amazon S3 buckets, or Amazon Data Firehose streams (Amazon Kinesis Data Firehose was renamed Amazon Data Firehose in 2024). To view the records, use the AWS Management Console or CloudWatch Logs Insights for CloudWatch Logs and Amazon Athena to query the records stored in Amazon S3. Firehose streams can forward the records to destinations such as Amazon OpenSearch Service.
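Wherever the records land, the useful work is the same: parse the default record format and ask security questions of it. The parser and two detections below are an added example for this knowledge check, not code from the CLD120 module or an AWS library. The sample records are constructed (documentation IP ranges, a placeholder account ID and ENI ID) and follow the default version 2 field order; the bastion subnet 10.0.0.0/24 is an assumption carried over from the bastion question.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Field order of the default (version 2) VPC flow log record format.
DEFAULT_FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
                  "protocol packets bytes start end action log_status").split()
TCP = 6  # IANA protocol number, as it appears in the protocol field


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    start: int
    end: int
    action: str


def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format records. NODATA/SKIPDATA records carry '-' in the
    traffic fields and describe no flow, so they are dropped rather than coerced."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(DEFAULT_FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        fields = dict(zip(DEFAULT_FIELDS, parts))
        if fields["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            interface_id=fields["interface_id"],
            srcaddr=fields["srcaddr"], dstaddr=fields["dstaddr"],
            srcport=int(fields["srcport"]), dstport=int(fields["dstport"]),
            protocol=int(fields["protocol"]), packets=int(fields["packets"]),
            bytes=int(fields["bytes"]), start=int(fields["start"]), end=int(fields["end"]),
            action=fields["action"],
        ))
    return records


def rejected_ssh_sources(records, threshold: int = 1) -> dict[str, int]:
    """Sources whose TCP/22 attempts were REJECTed at least `threshold` times.
    A REJECT means a security group or network ACL denied the flow; the record
    does not say which one."""
    counts = Counter(r.srcaddr for r in records
                     if r.action == "REJECT" and r.protocol == TCP and r.dstport == 22)
    return {src: n for src, n in counts.items() if n >= threshold}


def ssh_accepted_from_unexpected(records, allowed_cidrs) -> list[FlowRecord]:
    """ACCEPTed SSH flows whose source lies outside the CIDRs that should reach port 22
    (for a private subnet behind a bastion, that is just the bastion's subnet)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    return [r for r in records
            if r.action == "ACCEPT" and r.protocol == TCP and r.dstport == 22
            and not any(ipaddress.ip_address(r.srcaddr) in n for n in nets)]


# Constructed sample records: documentation IP ranges, placeholder account and ENI IDs.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.20 51234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.12 10.0.1.20 51235 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.0.10 10.0.1.20 40000 22 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 192.0.2.44 10.0.1.20 40001 22 6 15 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.5 10.0.1.20 44444 443 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("rejected SSH sources:", rejected_ssh_sources(recs))
    print("SSH accepted from outside the bastion subnet:",
          [r.srcaddr for r in ssh_accepted_from_unexpected(recs, ["10.0.0.0/24"])])
```

On the sample, the first detection attributes two rejected SSH attempts to 203.0.113.12, and the second flags the accepted session from 192.0.2.44, which reached port 22 on a private instance without passing through the bastion subnet and is therefore worth investigating as a security group that is wider than the bastion question's answer allows. If a custom log format is configured when the flow log is created, DEFAULT_FIELDS must be replaced with that format's field list.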

Question 10

An EC2 instance must connect to an Amazon S3 bucket. What component provides this connectivity with no additional charge and no throughput packet limits?

Use a gateway VPC endpoint for Amazon S3. A gateway endpoint is a route table target: the S3 prefix list is routed to the endpoint, so the traffic stays on the AWS network and needs neither an internet gateway nor a NAT gateway. There is no additional charge for gateway endpoints (which exist only for Amazon S3 and Amazon DynamoDB), and they have no bandwidth or packet throughput limits, unlike interface endpoints (AWS PrivateLink), which are billed per hour and per GB and are limited by the bandwidth of their network interfaces. An endpoint policy can further restrict which buckets and actions are reachable through the endpoint.

Created 27 February 2025 by Dennis Kibbe. Last modified 27 February 2025 11:00:11 by dnk.