Our Blog

Scenario 1

A colleague from your company’s IT Security team has notified you of an Internet-based threat that affects a certain port and protocol combination. You have conducted an audit of your VPC and found that this port and protocol combination is allowed on an Inbound Rule with a source of 0.0.0.0/0. You have verified that this rule only exists for maintenance purposes and need to make an urgent change to block the access. What is the fastest way to block access from the Internet to specific ports and protocols?

You don’t need to do anything; this rule will only allow access to VPC based resources

– Update the security group by removing the rule (Correct)

– Delete the security group

– Add a deny rule to the security group with a higher priority

Explanation:

• Security group membership can be changed whilst instances are running
• Any changes to security groups will take effect immediately
• You can only assign permit rules in a security group, you cannot assign deny rules
• If you delete the security you will remove all rules and potentially cause other problems.

Scenario 2

A customer has asked you to recommend the best solution for a highly available database. The database is a relational OLTP type of database and the customer does not want to manage the operating system the database runs on. Failover between AZs must be automatic. Which of the below options would you suggest to the customer?

– Use DynamoDB

– Use RDS in a Multi-AZ configuration (Correct)

– Install a relational database on EC2 instances in multiple AZs and create a cluster

– Use RedShift in a Multi-AZ configuration

Explanation:

• Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. With RDS you can configure Multi-AZ which creates a replica in another AZ and synchronously replicates to it (DR only)
• RedShift is used for analytics OLAP not OLTP
• If you install a DB on an EC2 instance you will need to manage to OS yourself and the customer wants it to be managed for them
• DynamoDB is a managed database of the NoSQL type. NoSQL DBs are not relational DBs.

Scenario 3

You are troubleshooting a connectivity issue where you cannot connect to an EC2 instance in a public subnet in your VPC from the Internet. Which of the configuration items in the list below would you check first? (choose 2)

The subnet has “Auto-assign public IPv4 address” set to “Yes” (Correct)

– There is a NAT Gateway installed in the subnet

– The subnet route table has an attached NAT Gateway

– The security group attached to the EC2 instance has an inbound rule allowing the traffic(Correct)

– The EC2 instance has a private IP address associated with it

Explanation:

• Public subnets are subnets that have: “Auto-assign public IPv4 address” set to “Yes” which will assign a public IP and the subnet route table has an attached Internet Gateway
• The instance will also need a security group with an inbound rule allowing the traffic
• EC2 instances always have a private IP address assigned. When using a public subnet with an Internet Gateway the instance needs a public IP to be addressable from the Internet
• NAT gateways are used to enable outbound Internet access for instances in private subnets.

Scenario 4

A Solutions Architect is responsible for a web application that runs on EC2 instances that sit behind an Application Load Balancer (ALB). Auto Scaling is used to launch instances across 3 Availability Zones. The web application serves large image files and these are stored on an Amazon EFS file system. Users have experienced delays in retrieving the files and the Architect has been asked to improve the user experience. What should the Architect do to improve the user experience?

– Move the digital assets to EBS

– Reduce the file size of the images

– Cache static content using CloudFront (Correct)

– Use Spot instances

Explanation:

• CloudFront is ideal for caching static content such as the files in this scenario and would increase performance
• Moving the files to EBS would not make accessing the files easier or improve performance
• Reducing the file size of the images may result in better retrieval times, however, CloudFront would still be the preferable option
• Using Spot EC2 instances may reduce EC2 costs but it won’t improve user experience.