CHAPTER 4 - QA - AMAZON VIRTUAL PRIVATE CLOUD

PDF Download

CHAPTER 4 - Q/A - AMAZON VIRTUAL PRIVATE CLOUD

EXAM QUESTIONS

Actual Qs and Ans Expert-Verified Explanation

This Exam contains:

-Guarantee passing score -24 Questions and Answers -format set of multiple-choice -Expert-Verified Explanation Question 1: 19. You've created one VPC peering connection between two VPCs. What must you do to use this connection for bidirectional instance-to-instance communication?(Choose all that apply.)

• Create two routes with the peering connection as the target.
• Create only one default route with the peering connection as the target.
• Create another peering connection between the VPCs.
• Configure the instances' security groups correctly.

Answer:

• Create two routes with the peering connection as the target.

• Configure the instances' security groups correctly.

- A,

• Each peered VPC needs a route to the CIDR of its peer; therefore, you must create two routes with

the peering connection as the target. Creating only one route is not sufficient to enable bidirectional communication. Additionally, the instances' security groups must allow for bidirectional communication.You can't create more than one peering connection between a pair of VPCs.Para que o VPC Peering funcione são necessárias 2 rotas apontadas para o Peering Connection.

• rota em cada sentido.

Necessário configurar as Security Group para permitirem o tráfego bidirecional.Não é possível criar mais de 1 VPC Peering Connection por par de VPC's.Question 2: 12. How can you assign a public IP address to a running instance that doesn't have one?

• Allocate an ENI and associate it with the instance's primary EIP.
• Allocate an EIP and associate it with the instance's primary ENI.
• Configure the instance to use an automatically assigned public IP.
• Allocate an EIP and change the private IP address of the instance's ENI to match.

Answer:

• Allocate an EIP and associate it with the instance's primary ENI.

• Assigning an EIP to an instance is a two-step process. First you must allocate an EIP, and then you

must associate it with an ENI. You can't allocate an ENI, and there's no such thing as an instance's primary EIP. Configuring the instance to use an automatically assigned public IP must occur at instance creation. Changing an ENI's private IP to match an EIP doesn't actually assign a public IP to the instance, because the ENI's private address is still private.

Question 3: 16. Which VPC resource performs network address translation?

• Internet gateway
• Route table

C. EIP

D. ENI

Answer:

• Internet gateway

Question 4: 22. Which of the following allows EC2 instances in different regions to communicate using private IP addresses? (Choose three.)

A. VPN

• Direct Connect

• VPC peering
• Transit gateway

Answer:

A. VPN

• VPC peering

• Transit gateway

A, C,

• VPC peering, transit gateways, and VPNs all allow EC2 instances in different regions to

communicate using private IP addresses. Direct Connect is for connecting VPCs to on-premises networks, not for connecting VPCs together.Question 5: 20. Which of the following is a not a limitation of interregion VPC peering?

• It's not supported in some regions.
• The maximum MTU is 1,500 bytes.
• You can't use IPv4.
• You can't use IPv6.

Answer:

• You can't use IPv4.

Você pode usar IPv4 num VPC Peering Interregion.

Question 6: 5. Which is true regarding an elastic network interface?

• It must have a private IP address from the subnet that it resides in.
• It cannot exist independently of an instance.
• It can be connected to multiple subnets.
• It can have multiple IP addresses from different subnets.

Answer:

• It must have a private IP address from the subnet that it resides in.

Question 7: 21. Which over which of the following connection types is always encrypted?

• Direct Connect

B. VPN

• VPC peering
• Transit gateway

Answer:

B. VPN

VPN é SEMPRE encriptado.

Question 8: 7. How does an NACL differ from a security group?

• An NACL is stateless.
• An NACL is stateful.
• An NACL is attached to an ENI.
• An NACL can be associated with only one subnet.

Answer:

• An NACL is stateless.

NACL é stateless, precisa que seja declarada a regra de in e out.Question 9: 23. Which of the following is true of a route in a transit gateway route table?

• It can be multicast.
• It can be a blackhole route.
• It can have an Internet gateway as a target.
• It can have an ENI as a target.

Answer:

• It can be a blackhole route.

-

• A transit gateway route table can hold a blackhole route. If the transit gateway receives traffic that

matches the route, it will drop the traffic.Um AWS Transit Gateway pode ter uma rota para Blackhole.