AWS Cloud Architecting: Module 8 Knowledge Check – Connecting Networks

Posted by

Er. Bikash Subedi

Building a single VPC is often just the beginning. As organizations grow, they need to connect multiple VPCs and extend their cloud presence to on-premises data centers. Module 8 of the AWS Academy Cloud Architecting curriculum dives into these critical connectivity patterns.

Here’s your comprehensive guide to the Module 8 Knowledge Check, complete with full questions, options, and in-depth explanations.

1. Connecting 100 VPCs Together

Question: What is the simplest way to connect 100 virtual private clouds (VPCs) together?

  • Options:
    • Connect each VPC to all the other VPCs by using VPC peering.
    • Create a hub-and-spoke network by using AWS VPN CloudHub.
    • Chain VPCs together by using VPC peering.
    • Connect the VPCs to AWS Transit Gateway.
  • Correct Answer: Connect the VPCs to AWS Transit Gateway.
  • Why: While VPC peering works for a small number of connections, it doesn’t scale well because it doesn’t support transitive routing. Connecting 100 VPCs via peering would require a complex “full mesh” of thousands of individual connections. AWS Transit Gateway acts as a central hub, drastically simplifying the architecture and allowing you to scale to thousands of VPCs easily.

2. Cross-Account, Cross-Region Traffic

Question: A company needs network traffic to flow between an AWS account in one Region to another account in a different Region. What should they set up between the transit gateways in each region?

  • Options:
    • AWS Direct Connect
    • Transit gateway peering attachment
    • AWS Site-to-Site VPN
    • AWS PrivateLink
  • Correct Answer: Transit gateway peering attachment
  • Why: To allow traffic to flow between two transit gateways, regardless of whether they are in the same or different AWS accounts and Regions, you create a transit gateway peering attachment. This enables you to build a global network backbone using the AWS high-speed infrastructure.

3. Simplest Way to Connect Two VPCs

Question: A company has two VPCs (A and B) in the same account with non-overlapping CIDR blocks. What is the simplest way to connect the two VPCs so they can route all traffic between them?

  • Options:
    • AWS Site-to-Site VPN
    • VPC peering
    • AWS Direct Connect
    • VPC endpoints
  • Correct Answer: VPC peering
  • Why: VPC peering is the most straightforward and cost-effective way to establish full network connectivity between two VPCs in the same or different AWS accounts and Regions. It uses the existing AWS infrastructure and doesn’t require gateways, VPN connections, or physical hardware.

4. Secure S3 Access Without the Internet

Question: Systems in a secure subnet in a VPC must access a bucket in Amazon S3. Which solutions stop traffic from crossing the internet? (Select TWO.)

  • Options:
    • Create a VPC gateway endpoint for Amazon S3.
    • Use VPC interface endpoints.
    • Use the private IP address of Amazon S3.
    • Create a VPC peering connection to Amazon S3.
    • Use a private IP address for the system.
  • Correct Answers:
    1. Create a VPC gateway endpoint for Amazon S3.
    2. Use VPC interface endpoints.
  • Why: Both Gateway VPC endpoints and Interface VPC endpoints (via PrivateLink) allow you to connect your VPC to S3 privately. They add specific routes to your subnet’s route tables that keep the traffic within the AWS network, bypassing the public internet entirely. Gateway endpoints are generally the more cost-effective choice for S3 and DynamoDB.

5. Connecting Non-Peered VPCs via a Hub

Question: A company has three VPCs (A, B, and C) with non-overlapping CIDR blocks. A and C have peering connections with B, but A and C cannot communicate. What is the simplest and most cost-effective way to enable full communication between A and C?

  • Options:
    • Add routes to B to enable traffic between A and C through B.
    • Add a peering connection between A and C, and route traffic between A and C through the peering connection.
    • Link all three VPCs through a transit VPC, and route all traffic through the transit VPC.
    • Create VPC endpoints in A and C for the individual hosts that need to communicate with each other.
  • Correct Answer: Add a peering connection between A and C, and route traffic between A and C through the peering connection.
  • Why: This question tests your knowledge of “transitive peering.” VPC peering is NOT transitive; you cannot route traffic from VPC A through VPC B to reach VPC C. Therefore, to enable communication between A and C, you must establish a direct peering connection between them.

6. Rapid Deployment for Disaster Recovery

Question: Because of a natural disaster, a company moved a secondary data center to a temporary facility with internet connectivity. It needs a secure connection to the company’s VPC that must be operational as soon as possible. Which option meets these requirements?

  • Options:
    • AWS Site-to-Site VPN
    • AWS Direct Connect
    • VPC endpoints
    • VPC peering
  • Correct Answer: AWS Site-to-Site VPN
  • Why: AWS Site-to-Site VPN can be established quickly over the existing public internet. This makes it the ideal choice for emergency or temporary connectivity needs where speed of deployment is the primary concern. In contrast, AWS Direct Connect can take weeks or months to provision as it requires physical line installation.

7. Efficient Routing for Remote Offices

Question: A company is concerned about internet disruptions. It wants to efficiently route traffic from their on-premises network to an AWS edge location close to their customer gateway device. What should they use?

  • Options:
    • AWS Global Accelerator
    • AWS Direct Connect
    • AWS Transit Gateway
    • AWS VPN CloudHub
  • Correct Answer: AWS Global Accelerator
  • Why: An accelerated VPN connection uses AWS Global Accelerator to route traffic from your on-premises network over the public internet to the nearest AWS edge location. From there, the traffic travels over the optimized AWS global network, reducing latency and increasing reliability compared to the standard public internet.

8. Consistent Performance for Backups

Question: A company is implementing a system to back up on-premises systems to AWS. Which network connectivity method provides a solution with the most consistent performance?

  • Options:
    • Virtual private cloud (VPC) peering
    • AWS Direct Connect
    • AWS Site-to-Site VPN
    • Virtual private cloud (VPC) endpoints
  • Correct Answer: AWS Direct Connect
  • Why: AWS Direct Connect provides a dedicated, private physical connection between your data center and AWS. Because it does not use the public internet, it offers much more consistent performance, higher bandwidth, and lower latency compared to VPN-based solutions.

9. Cost-Effective Backup Connection

Question: A company uses a single AWS Direct Connect connection. They want to ensure that connectivity is highly available by adding a backup connection. Which network connectivity method provides the most cost-effective solution for the backup connection?

  • Options:
    • Another AWS Direct Connect connection through a different Direct Connect location
    • An on-demand AWS Client VPN connection across the internet
    • Another AWS Direct Connect connection through the same Direct Connect location
    • An on-demand AWS Site-to-Site VPN connection across the internet
  • Correct Answer: An on-demand AWS Site-to-Site VPN connection across the internet.
  • Why: While adding a second Direct Connect connection provides the highest level of reliability, it is also the most expensive. An AWS Site-to-Site VPN provides a highly cost-effective backup option that can be quickly established over the public internet and used only if the primary Direct Connect connection fails.

10. Multi-Data Center Resiliency

Question: A company is connecting a VPC to multiple on-premises data centers. Which implementation ensures resiliency and predictable bandwidth requirements?

  • Options:
    • Implement Direct Connect as the primary connection and use the VPN as a secondary failover connection from each data center.
    • Implement AWS Transit Gateway to connect to each on-premises data center.
    • Use a many-to-many mesh topology, such as Amazon VPC peering.
    • Establish multiple Border Gateway Protocol (BGP) sessions for each VPC to create connectivity to multiple VPCs across multiple AWS Regions.
  • Correct Answer: Implement Direct Connect as the primary connection and use the VPN as a secondary failover connection from each data center.
  • Why: This “hybrid” approach is a best practice for mission-critical connectivity. Direct Connect provides the high-bandwidth, consistent performance needed for daily operations, while a redundant Site-to-Site VPN connection ensures that connectivity remains operational even if the physical Direct Connect link is disrupted.

Summary Checklist

GoalRecommended Service
Simple hub-and-spoke for many VPCsAWS Transit Gateway
Fastest to set up (Emergency)AWS Site-to-Site VPN
Most consistent performanceAWS Direct Connect
Private access to S3/DynamoDBVPC Gateway Endpoints
Reduced latency for remote VPNsAWS Global Accelerator

Er. Bikash Subedi

Post Views: 6

Er. Bikash Subedi

Leave a Reply

Your email address will not be published. Required fields are marked *

Follow Us

Recent Posts

Categories

Tags