Amazon Amazon Certifications SAP-C01 Questions & Answers

• Question 591:

  To ensure failover capabilities on an elastic network interface (ENI), what should you use for incoming traffic?

  A. A Route53 A record

  B. A secondary private IP

  C. A secondary public IP

  D. A secondary ENI

  Correct Answer: B

  To ensure failover capabilities on an elastic network interface (ENI), consider using a secondary private IP for incoming traffic and if a failure occurs, you can move the interface and/or secondary private IP address to a standby instance.

  Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

• Question 592:

  Someone is creating a VPC for their application hosting. He has created two private subnets in the same availability zone and created one subnet in a separate availability zone. He wants to make a High Availability system with an internal Elastic Load Balancer.

  Which choice is true regarding internal ELBs in this scenario? (Choose two.)

  A. Internal ELBs should only be launched within private subnets.

  B. Amazon ELB service does not allow subnet selection; instead it will automatically select all the available subnets of the VPC.

  C. Internal ELBs can support only one subnet in each availability zone.

  D. An internal ELB can support all the subnets irrespective of their zones.

  Correct Answer: AC

  The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as elastic load balancers, and EC2 instances. There are two ELBs available with VPC: internet facing and internal (private) ELB. For internal servers, such as App servers the organization can create an internal load balancer in their VPC and then place back-end application instances behind the internal load balancer. The internal load balancer will route requests to the back-end application instances, which are also using private IP addresses and only accept requests from the internal load balancer. The Internal ELB supports only one subnet in each AZ and asks the user to select a subnet while configuring internal ELB.

  Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/USVPC_creating_basic_lb.html

• Question 593:

  You want to establish redundant VPN connections and customer gateways on your network by setting up a second VPN connection.

  Which of the following will ensure that this functions correctly?

  A. The customer gateway IP address for the second VPN connection must be publicly accessible.

  B. The virtual gateway IP address for the second VPN connection must be publicly accessible.

  C. The customer gateway IP address for the second VPN connection must use dynamic routes.

  D. The customer gateway IP address for the second VPN connection must be privately accessible and be the same public IP address that you are using for the first VPN connection.

  Correct Answer: A

  To establish redundant VPN connections and customer gateways on your network, you would need to set up a second VPN connection. However, you must ensure that the customer gateway IP address for the second VPN connection is publicly accessible.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.html

• Question 594:

  A user has created a VPC with public and private subnets using the VPC Wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24.

  Which of the below mentioned entries are required in the main route table to allow the instances in VPC to communicate with each other?

  A. Destination : 20.0.0.0/0 and Target : ALL

  B. Destination : 20.0.0.0/16 and Target : Local

  C. Destination : 20.0.0.0/24 and Target : Local

  D. Destination : 20.0.0.0/16 and Target : ALL

  Correct Answer: B

  A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create two route tables and attach to the subnets. The main route table will have the entry "Destination: 20.0.0.0/16 and Target: Local", which allows all instances in the VPC to communicate with each other.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

• Question 595:

  A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet.

  How can the instances in the private subnet connect to the internet?

  A. The private subnet can never connect to the internet

  B. Use NAT with an elastic IP

  C. Use the internet gateway with a private IP

  D. Allow outbound traffic in the security group for port 80 to allow internet updates

  Correct Answer: B

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created two subnets (one private and one public), they would need a Network Address Translation (NAT) instance with the elastic IP address. This enables the instances in the private subnet to send requests to the internet (for example, to perform software updates).

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

• Question 596:

  A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is true in this scenario?

  A. The user has to manually create a NAT instance

  B. The Amazon VPC will automatically create a NAT instance with the micro size only

  C. VPC updates the main route table used with the private subnet, and creates a custom route table with a public subnet

  D. VPC updates the main route table used with a public subnet, and creates a custom route table with a private subnet

  Correct Answer: C

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public subnet, the instances in the public subnet can receive inbound traffic directly from the internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create a NAT instance of a smaller or higher size, respectively. The VPC has an implied router and the VPC wizard updates the main route table used with the private subnet, creates a custom route table and associates it with the public subnet.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

• Question 597:

  A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group of the NAT instance.

  Which of the below mentioned entries is not required in NAT's security group for the database servers to connect to the Internet for software updates?

  A. For Outbound allow Destination: 0.0.0.0/0 on port 443

  B. For Inbound allow Source: 20.0.1.0/24 on port 80

  C. For Inbound allow Source: 20.0.0.0/24 on port 80

  D. For Outbound allow Destination: 0.0.0.0/0 on port 80

  Correct Answer: C

  A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet to host the web server and DB server respectively, the user should configure that the instances in the private subnet can connect to the internet using the NAT instances. The user should first configure that NAT can receive traffic on ports 80 and 443 from the private subnet. Thus, allow ports 80 and 443 in Inbound for the private subnet 20.0.1.0/24. Now to route this traffic to the internet configure ports 80 and 443 in Outbound with destination 0.0.0.0/0. The NAT should not have an entry for the public subnet CIDR.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

• Question 598:

  An organization is planning to host a Wordpress blog as well as joomla CMS on a single instance launched with VPC. The organization wants to create separate domains for each application using Route 53. The organization may have about ten instances each with these two applications. While launching each instance, the organization configured two separate network interfaces (primary + secondary ENI) with their own Elastic IPs to the instance. The suggestion was to use a public IP from AWS instead of an Elastic IP as the number of elastic IPs allocation per region is restricted in the account.

  What action will you recommend to the organization?

  A. Only Elastic IP can be used by requesting limit increase, since AWS does not assign a public IP to an instance with multiple ENIs.

  B. AWS VPC does not attach a public IP to an ENI; so the only way is to use an Elastic IP.

  C. I agree with the suggestion but will prefer that the organization should use separate subnets with each ENI for different public IPs.

  D. I agree with the suggestion and it is recommended to use a public IP from AWS since the organization is going to use DNS with Route 53.

  Correct Answer: A

  A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user

  to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface

  (ENI) is a virtual network interface that the user can attach to an instance in a VPC.

  The user can attach up to two ENIs with a single instance. However, AWS cannot assign a public IP when

  there are two ENIs attached to a single instance. It is recommended to assign an elastic IP in this scenario.

  If the organization wants more than 5 EIPs they can request AWS to increase the number.

  Reference:

  http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

• Question 599:

  An organization is trying to setup a VPC with Auto Scaling. Which configuration steps below is not required to setup AWS VPC with Auto Scaling?

  A. Configure the Auto Scaling group with the VPC ID in which instances will be launched.

  B. Configure the Auto Scaling Launch configuration with multiple subnets of the VPC to enable the Multi AZ feature.

  C. Configure the Auto Scaling Launch configuration which does not allow assigning a public IP to instances.

  D. Configure the Auto Scaling Launch configuration with the VPC security group.

  Correct Answer: B

  The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. Within this virtual private cloud, the user can launch AWS resources, such as an Auto Scaling group. Before creating the Auto Scaling group it is recommended that the user creates the Launch configuration. Since it is a VPC, it is recommended to select the parameter which does not allow assigning a public IP to the instances. The user should also set the VPC security group with the Launch configuration and select the subnets where the instances will be launched in the AutoScaling group. The HA will be provided as the subnets may be a part of separate AZs.

  Reference: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/autoscalingsubnets.html

• Question 600:

  When configuring your customer gateway to connect to your VPC, the________Association is established first between the virtual private gateway and customer gateway using the Pre-Shared Key as the authenticator.

  A. IPsec

  B. BGP

  C. IKE Security

  D. Tunnel

  Correct Answer: C

  When configuring your customer gateway to connect to your VPC, several steps need to be completed. The IKE Security Association is established first between the virtual private gateway and customer gateway using the Pre-Shared Key as the authenticator.

  Reference: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Introduction.html