Mastering AWS Networking: Module 7 Knowledge Check

Posted by

Er. Bikash Subedi

Designing a secure and efficient networking environment is fundamental to any AWS cloud architecture. Module 7 of the AWS Academy Cloud Architecting curriculum focuses on the essential components of building this environment. Here’s a detailed look at the Knowledge Check questions, their options, the correct answers, and the underlying architectural principles.

1. Defining a VPC

Question: Which definition describes a virtual private cloud (VPC)?

  • Options:
    • A logically isolated virtual network that you define in the AWS Cloud.
    • A fully managed service that extends the AWS Cloud to customer premises.
    • A virtual private network (VPN) in the AWS Cloud.
    • An extension of an on-premises network into AWS.
  • Correct Answer: A logically isolated virtual network that you define in the AWS Cloud.
  • Why: A VPC is a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

2. Internet Access for Components

Question: Which component does not have direct access to the internet?

  • Options:
    • Network address translation (NAT) gateway inside a public subnet.
    • EC2 instance inside a public subnet.
    • Elastic IP address interface.
    • EC2 instance inside a private subnet.
  • Correct Answer: EC2 instance inside a private subnet.
  • Why: By design, a private subnet does not have a route to an internet gateway, meaning instances within it cannot be directly accessed from or directly access the internet. They typically use a NAT gateway in a public subnet for outgoing internet access.

3. Subnet Addressing Scheme

Question: A company’s VPC has the CIDR block 172.16.0.0/21. Each of its two subnets must support 100 usable addresses now, but is expected to grow to 254. Which subnet addressing scheme meets these requirements and follows AWS best practices?

  • Options:
    • Subnet A: 172.16.0.0/24; Subnet B: 172.16.1.0/24
    • Subnet A: 172.16.0.0/22; Subnet B: 172.16.4.0/22
    • Subnet A: 172.16.0.0/23; Subnet B: 172.16.2.0/23
    • Subnet A: 172.16.0.0/25; Subnet B: 172.16.0.128/25
  • Correct Answer: Subnet A: 172.16.0.0/23; Subnet B: 172.16.2.0/23
  • Why: A /23 subnet provides 512 total IP addresses. Since AWS reserves 5 IP addresses in each subnet, this leaves 507 usable addresses, which comfortably accommodates the growth requirement of 254 usable addresses while providing a buffer for future expansion. /24 would only provide 251 usable addresses, which might be too tight if the requirement for 254 is exactly hit.

4. Updating Instances in Private Subnets

Question: Several EC2 instances in a VPC with internet access should not be accessible from the internet but need to download updates. How should the instances launch?

  • Options:
    • With Elastic IP addresses, in a subnet with a default route to an internet gateway.
    • Without public IP addresses, in a subnet with a default route to an internet gateway.
    • Without public IP addresses, in a subnet with a default route to a network address translation (NAT) gateway.
    • With public IP addresses, in a subnet with a default route to an internet gateway.
  • Correct Answer: Without public IP addresses, in a subnet with a default route to a network address translation (NAT) gateway.
  • Why: This configuration ensures that the instances can initiate outbound connections to the internet (for updates) through the NAT gateway while remaining unreachable from any unsolicited inbound connections from the internet.

5. Access for Consultants

Question: A group of consultants requires access to an EC2 instance for 3 days each week. The instance is shut down the rest of the week. The VPC has internet access. How should you assign one IPv4 address to the instance to give the consultants access?

  • Options:
    • Enable automatic address assignment for the subnet.
    • Enable automatic address assignment for the EC2 instance.
    • Assign the IP address in the operating system (OS) boot configuration.
    • Associate an Elastic IP address with the EC2 instance.
  • Correct Answer: Associate an Elastic IP address with the EC2 instance.
  • Why: An Elastic IP address is a static, public IPv4 address that remains associated with your AWS account. By associating it with the EC2 instance, you ensure that the instance has the same public IP address every time it’s started, providing consistent access for the consultants.

6. Using a Bastion Host

Question: An application uses a bastion host to allow access to EC2 instances in a private subnet. Which security group configurations would allow SSH access from the source IP to the EC2 instances? (Select TWO.)

  • Options:
    • Add a rule to the private subnet EC2 instance security group to allow return traffic to the bastion host security group.
    • Add a rule to the bastion host security group to deny all traffic from the internet.
    • Add a rule to the bastion host security group to allow return traffic to your source IP address.
    • Add a rule to the EC2 instance security group to allow traffic from the bastion host security group on port 22.
    • Add a rule to the bastion host security group to allow traffic on port 22 from your source IP address.
  • Correct Answers:
    1. Add a rule to the EC2 instance security group to allow traffic from the bastion host security group on port 22.
    2. Add a rule to the bastion host security group to allow traffic on port 22 from your source IP address.
  • Why: This setup follows the principle of least privilege. You first allow SSH traffic (port 22) from your specific source IP to the bastion host, and then allow SSH traffic from the bastion host’s security group to the target EC2 instances in the private subnet.

7. Network Access Control List (ACL) Rules

Question: A solution in a VPC needs a subnet with limited access to specific internet addresses. How can an architect configure the traffic from and to the EC2 instances in the subnet using a network ACL?

  • Options:
    • Add rules to the default network ACL to allow traffic from and to allowed internet addresses.
    • Add rules to the subnet custom network ACL to allow traffic from and to allowed internet addresses. Deny all other traffic.
    • Add rules to the default network ACL to allow traffic from and to allowed internet addresses. Deny all other traffic.
    • Add rules to the subnet custom network ACL to allow traffic from and to allowed internet addresses.
  • Correct Answer: Add rules to the subnet custom network ACL to allow traffic from and to allowed internet addresses. Deny all other traffic.
  • Why: Custom network ACLs allow you to define specific allow and deny rules for traffic entering and exiting your subnets. By default, a custom network ACL denies all traffic until you add rules to allow it. Adding an explicit “deny all” rule at the end (the implicit deny) ensures that only traffic matching your specific “allow” rules is permitted.

8. VPC Design Best Practices

Question: Which actions are best practices for designing a virtual private cloud (VPC)? (Select THREE.)

  • Options:
    • Create one subnet per Availability Zone for each group of hosts that have unique routing requirements.
    • Reserve some address space for future use.
    • Match the size of the VPC CIDR block to the number of hosts required for a workload.
    • Use the same CIDR block as your on-premises network.
    • Use the same CIDR block for subnets in different Availability Zones within the same VPC.
    • Divide the VPC network range evenly across all Availability Zones.
  • Correct Answers:
    1. Create one subnet per Availability Zone for each group of hosts that have unique routing requirements.
    2. Reserve some address space for future use.
    3. Divide the VPC network range evenly across all Availability Zones.
  • Why: These practices promote high availability, scalability, and organized network management. Creating subnets across multiple AZs ensures redundancy. Reserving address space allows for future growth without complex re-addressing. Dividing the network range evenly helps in maintaining a balanced and predictable architecture.

9. VPC Flow Logs Delivery

Question: Where can you have VPC flow logs delivered? (Select THREE.)

  • Options:
    • Amazon S3 bucket
    • Amazon CloudWatch
    • AWS Management Console
    • Amazon Kinesis Data Firehose
    • Amazon Athena
    • Amazon OpenSearch Service
  • Correct Answers:
    1. Amazon S3 bucket
    2. Amazon CloudWatch
    3. Amazon Kinesis Data Firehose
  • Why: VPC Flow Logs can be natively delivered to Amazon S3 for long-term storage, Amazon CloudWatch Logs for real-time monitoring and alerting, and Amazon Kinesis Data Firehose for streaming the logs to other destinations for further analysis.

10. Connecting to an Amazon S3 Bucket

Question: An EC2 instance must connect to an Amazon S3 bucket. What component provides this connectivity with no additional charge and no throughput packet limits?

  • Options:
    • Gateway VPC endpoint
    • Public region access point
    • Gateway Load Balancer endpoint
    • Interface VPC endpoint
  • Correct Answer: Gateway VPC endpoint
  • Why: Gateway VPC endpoints for Amazon S3 and DynamoDB are provided at no additional cost and offer high-throughput, low-latency connectivity without traversing the public internet or incurring data transfer charges within the same region.

Er. Bikash Subedi

Post Views: 4

Er. Bikash Subedi

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow Us

Recent Posts

Categories

Tags