Domain 6
Networking

  • ✓ Subdomain: 6.1 Apply AWS networking features
  • ✓ Subdomain: 6.2 Implement connectivity services of AWS
  • ✓ Subdomain: 6.3 Gather and interpret relevant information for network troubleshooting
  1. Where can you obtain the public IP address of a Linux EC2 instance?

    1. Ping the instance’s private DNS name.
    2. The user data
    3. The instance metadata
    4. The ifconfig command
  2. From within an EC2 instance, sending an HTTP GET request to which of the following URLs will return an instance’s public IP address?

    1. 169.254.169.254/latest/meta-data/public-ipv4
    2. 169.254.169.254/1.0/meta-data/local-ipv4
    3. 169.254.169.254/latest/dynamic/public-ipv4
    4. 169.254.169.254/latest/meta-data/local-ipv4
  3. Which of the following two components are required for configuring a VPN connection between a VPC and an on-premises network? (Choose two.)

    1. A default route to the virtual private gateway
    2. Virtual private gateway
    3. A default route to the Internet gateway
    4. Customer gateway
  4. You’re running a web service on EC2 instances in an Auto Scaling group. These instances are members of an application load balancer target group. How can you ensure an instance is replaced when the web service fails on it? (Choose two.)

    1. Configure the Auto Scaling group to use an EC2 health check.
    2. Configure a UDP health check to monitor the web service.
    3. Configure an ELB health check to monitor the web service.
    4. Configure the Auto Scaling group to use an ELB health check.
  5. You’re running a database-backed web application on six EC2 instances behind an application load balancer. The instances are evenly distributed across private subnets in three availability zones. CloudWatch shows that some instances are incurring significantly higher CPU utilization than others. Which of the following could be the reason?

    1. Clients are connecting directly to the public IP addresses of some instances.
    2. Session stickiness is enabled on the elastic load balancer.
    3. Health checks are occurring too rapidly.
    4. Cross-zone load balancing is disabled.
  6. An EC2 instance in a private subnet needs to download security updates from the Internet. Which of the following resources can be used to achieve this? (Choose two.)

    1. NAT gateway
    2. NAT instance
    3. VPC peering
    4. VPC endpoint
  7. You have several EC2 instances in a public subnet. All instances were launched using the same AMI. When you’re trying to download operating system security updates for one of the instances, the download fails. Downloading the updates on the other instances works fine. Which of the following might resolve the issue?

    1. Add a default route to the subnet’s route table.
    2. Create a NAT gateway.
    3. Assign an elastic IP address to the instance.
    4. Create an internet gateway.
  8. Which of the following VPC resources allows outbound-only access to IPv6 resources on the Internet?

    1. Internet gateway
    2. Egress-only Internet gateway
    3. NAT gateway
    4. NAT instance
  9. Which of the following Route 53 routing policies will ensure that all users near Ohio will always get routed to the us-east-2 (Ohio) AWS region?

    1. Geolocation
    2. Geoproximity
    3. Latency
    4. Region
  10. You need to deploy a highly available web application across two AWS regions. Connections to the web application should be evenly distributed across all EC2 instances. Which of the following should you do to achieve this? (Choose two.)

    1. Launch an Auto Scaling group in each region and use the same group size for each.
    2. Configure cross-region load balancing.
    3. Configure a Route 53 weighted routing policy.
    4. Deploy the application using Lambda.
  11. Which of the following Route 53 features ensures users get routed to the region with the best network performance?

    1. Geoproximity routing policy
    2. Latency routing policy
    3. Weighted routing policy
    4. Failover routing policy
  12. You’re running a web service on an EC2 instance. You want Route 53 to return the public IP address of the instance even if the web service on the instance is unhealthy. How can you achieve this? (Choose two.)

    1. Create a simple basic resource record.
    2. Create a simple alias resource record.
    3. Create a simple basic resource record that uses a health check.
    4. Create a multivalue answer resource record.
  13. You’ve launched a NAT instance with a public IP address in a public subnet. In the same VPC, you created a private subnet and modified its default route table to include a default route that points to the NAT instance as a target. However, instances in the private subnet are unable to access the Internet. All security groups and NACLs are configured correctly. Which of the following should you try to fix the problem with the least effort?

    1. Modify the default route to point to the NAT instance’s private IP address as a destination.
    2. Disable the source/destination check on the NAT instance.
    3. Configure a NAT gateway instead.
    4. Assign an elastic IP address to the NAT instance.
  14. Which of the following IPv4 prefix lengths is allowed for a VPC CIDR block?

    1. /8
    2. /15
    3. /28
    4. /29
  15. Which of the following is a valid IPv6 CIDR block for a VPC?

    1. 2600:1f18:2551:8900/32
    2. 2600:1f18:2551:8900/48
    3. 2600:1f18:2551:8900/56
    4. 2600:1f18:2551:8900/64
  16. You’re running a distributed application on EC2 instances in a VPC with a CIDR of 172.31.0.0/24. You’re running out of private IP addresses and need to allocate more for additional instances. The instances must be able to communicate with each other using their private addresses. How can you allocate more IP addresses with the least amount of effort?

    1. Change the VPC CIDR to 172.31.0.0/16.
    2. Add a secondary CIDR of 172.31.1.0/24.
    3. Add a secondary CIDR of 172.31.0.0/16.
    4. Create a new VPC.
  17. What is the limiting factor in the number of subnets you can have in a VPC?

    1. The number of availability zones
    2. The size of the VPC CIDR
    3. The number of VPCs
    4. The number of NACLs
  18. You plan to run a fleet of EC2 instances in a VPC. You need to achieve the highest level of availability and the most efficient use of IP address space. Which of the following should you do?

    1. Create one subnet that spans three availability zones.
    2. Create three subnets, each in a different availability zone.
    3. Create three subnets in the same availability zone.
    4. Create two subnets in one availability zone and one subnet in a different availability zone.
  19. Your organization is running servers on-premises using the IP address range 192.168.10.0/24. The servers have Internet access. Your organization is merging with another company that runs EC2 instances in a public subnet that uses the same IP address range. Which of the following will, with the least effort, enable the on-premises servers to communicate with the EC2 instances using standard HTTPS communication? (Choose two.)

    1. Implement a VPN.
    2. Assign a public or elastic IP address to each instance.
    3. Implement one-to-one NAT.
    4. Create a security group rule to allow inbound access on TCP port 443 from the on-premises servers.
  20. Which of the following is true of an elastic network interface (ENI)?

    1. It must have only one primary private IP address.
    2. It can be associated with only one elastic IP address.
    3. It can have multiple private IP addresses from different subnets.
    4. It must be attached to an instance.
  21. Which of the following prevents EC2 from automatically assigning a public IP address to an instance? (Choose two.)

    1. Assigning an elastic IP address to the instance and then unassigning it
    2. Assigning a secondary elastic network interface
    3. Launching the instance in a private subnet
    4. Removing the primary elastic network interface from the instance
  22. You have some EC2 instances that access Internet resources over TCP port 443. The instances are able to access some of these resources but not others. You check the route table associated with the instances’ subnets and see only the local route and a route with a destination of 0.0.0.0/0. Which of the following may resolve the problem? (Choose two.)

    1. Disable IPv6 in the VPC.
    2. Associate an egress-only Internet gateway with the VPC.
    3. Add an IPv6 default route.
    4. Associate an Internet gateway with the VPC.
  23. In a VPC, which of the following is most analogous to connecting a router to a traditional network?

    1. Attaching an elastic network interface to an instance
    2. Associating a route table with a subnet
    3. Creating a default route
    4. Associating an elastic IP address with an instance
  24. Your organization has proposed migrating an on-premises application to EC2. The application requires multicast and the servers it runs on must retain the same RFC 1918 IP addresses. Which of the following recommendations should you make regarding this proposed migration?

    1. The migration is feasible as proposed.
    2. The migration is feasible provided the subnet is between /16 and /28.
    3. The migration may not be possible because VPCs don’t support RFC 1918 addresses.
    4. The migration isn’t possible because VPCs don’t support multicast.
  25. You have two instances in different VPCs, instance A and instance B. Both instances have a public IP address. Each VPC contains only one subnet. VPC peering is not configured and there’s no VPN. Instance A sends a packet to instance B. What does instance B see as the source IP address?

    1. Instance A’s public IP address
    2. Instance A’s private IP address
    3. The Internet gateway’s public address
    4. The NAT gateway’s public IP address
  26. Which of the following are true of NACLs and security groups? (Choose two.)

    1. Security groups apply to a subnet.
    2. NACLs apply to a subnet.
    3. NACLs apply to an instance.
    4. Security groups apply to an elastic network interface.
  27. Which of the following describes an elastic VPC resource that hides the public source IP address of an instance from hosts on the Internet?

    1. NAT gateway
    2. NAT instance
    3. Internet gateway
    4. Virtual private gateway
  28. Which of the following is true regarding peering VPCs in the same region?

    1. The same two VPCs can have multiple peering connections with each other for redundancy.
    2. It doesn’t support overlapping CIDR blocks.
    3. It supports transitive peering.
    4. It doesn’t support IPv6.
  29. Which of the following is a limitation of inter-region VPC peering?

    1. Both VPC CIDRs must reside in the same RFC 1918 address range.
    2. DNS resolution doesn’t work.
    3. An MTU of less than 1500 isn’t supported.
    4. IPv6 isn’t supported.
  30. You’ve created a peering connection between two VPCs in the same region. Which of the following do you need to do to enable bidirectional IP communication between the instances in these VPCs?

    1. Create the appropriate routes with the VPC peering connection as the target.
    2. Configure NAT.
    3. Assign public IP addresses to the instances.
    4. Enable DNS resolution.
  31. Which of the following can change the public IP address of an EC2 instance?

    1. Removing the primary elastic network interface
    2. Removing the default route from the route table
    3. Rebooting the instance
    4. Changing the instance type
  32. You’re running an EC2 instance in a private subnet. The instance needs to resolve a resource record for a public domain that you have registered with a third-party domain name registrar. Which of the following will achieve this?

    1. Enable DNS hostnames in the VPC.
    2. Enable DNS support in the VPC.
    3. Transfer the domain name to Route 53.
    4. Assign an elastic IP address to the instance.
  33. Which of the following speeds up transfers between S3 buckets and hosts on the Internet?

    1. CloudFront distribution
    2. S3 transfer acceleration
    3. Elastic load balancing
    4. S3 cross-region replication
  34. Which of the following VPC resources will incur costs only if not associated with an instance?

    1. Elastic IP address
    2. Elastic network interface
    3. NAT gateway
    4. Elastic load balancer
  35. You need to run a Lambda application that must communicate with EC2 instances in a private subnet. Which of the following features will enable this communication?

    1. Gateway VPC endpoint
    2. Interface VPC endpoint
    3. API gateway
    4. VPC peering
  36. Which of the following is true of an interface VPC endpoint? (Choose two.)

    1. It supports TCP traffic.
    2. It supports IPv6 traffic.
    3. It supports UDP traffic.
    4. It exists in only one availability zone.
  37. You’ve configured a VPC gateway endpoint for S3. Which of the following will allow you to restrict which EC2 instances can access S3 via the endpoint?

    1. Create a NACL rule and specify the S3 prefix list ID.
    2. Create a security group rule and specify the S3 prefix list ID.
    3. Use S3 bucket policies.
    4. Modify the instance role’s permission policy.
  38. Which of the following must you do to use IPv6 in a new VPC?

    1. Configure an egress-only Internet gateway.
    2. Assign a link-local IPv6 address to the VPC.
    3. Enable DNS hostnames.
    4. Configure an IPv4 CIDR.
  39. Which VPC component controls traffic direction within a VPC?

    1. Internet gateway
    2. Security group
    3. Route table
    4. NACL
  40. You need to create a subnet that will hold only 10 EC2 instances, each with a single elastic network interface. What’s the smallest prefix length you can use?

    1. /8
    2. /16
    3. /28
    4. /29
  41. How many IP addresses does AWS reserve in each VPC subnet?

    1. One
    2. Two
    3. Four
    4. Five
  42. You’ve created the VPC subnet 10.0.0.0/24. Which of the following addresses is not available for assignment to an EC2 instance?

    1. 10.0.0.4
    2. 10.0.0.254
    3. 10.0.0.255
    4. 10.0.0.5
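Questions 14, 16, 40, 41 and 42 all turn on the same address arithmetic: a VPC IPv4 CIDR must fall between /16 and /28, a secondary CIDR must not overlap one already on the VPC, and AWS reserves five addresses in every subnet (the network address, the VPC router at +1, the Amazon DNS resolver at +2, one address at +3 held for future use, and the broadcast address). The helper below is an added illustration written for this review and is not code from the question bank or from AWS; it models only those rules (the further AWS restrictions on mixing RFC 1918 ranges in secondary CIDRs are deliberately left out), and the CIDRs it is run against are the ones from the questions above.

```python
import ipaddress

# Added example (not from the question bank): the arithmetic behind the VPC
# and subnet sizing questions. Encoded rules: a VPC IPv4 CIDR is /16 to /28,
# a secondary CIDR must not overlap an existing one, and AWS reserves five
# addresses per subnet (network, VPC router, DNS resolver, future use,
# broadcast). Restrictions on mixing RFC 1918 ranges are out of scope here.

AWS_RESERVED_PER_SUBNET = 5
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28  # /16 is the largest block allowed, /28 the smallest


def reserved_addresses(subnet_cidr: str) -> dict:
    """Return the five addresses AWS reserves in an IPv4 subnet, keyed by role."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(ipaddress.IPv4Address(base)),
        "vpc_router": str(ipaddress.IPv4Address(base + 1)),
        "dns_resolver": str(ipaddress.IPv4Address(base + 2)),
        "future_use": str(ipaddress.IPv4Address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_addresses(subnet_cidr: str) -> int:
    """Number of addresses in the subnet that can actually be assigned to ENIs."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def is_assignable(subnet_cidr: str, address: str) -> bool:
    """True if the address lies inside the subnet and is not one AWS reserves."""
    net = ipaddress.IPv4Network(subnet_cidr, strict=True)
    addr = ipaddress.IPv4Address(address)
    if addr not in net:
        return False
    return str(addr) not in reserved_addresses(subnet_cidr).values()


def smallest_subnet_prefix_for(host_count: int) -> int:
    """Longest prefix (i.e. smallest subnet) that still leaves host_count usable addresses."""
    for prefix in range(VPC_MAX_PREFIX, VPC_MIN_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET >= host_count:
            return prefix
    raise ValueError(f"{host_count} hosts do not fit in a single VPC subnet")


def validate_vpc_cidr(cidr: str, existing_cidrs=()) -> tuple:
    """Check a proposed primary or secondary VPC CIDR against the two rules modelled here."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid CIDR: {exc}"
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        return False, f"/{net.prefixlen} is outside the /16 to /28 range"
    for existing in existing_cidrs:
        if net.overlaps(ipaddress.IPv4Network(existing, strict=True)):
            return False, f"overlaps existing CIDR {existing}"
    return True, "ok"


if __name__ == "__main__":
    # Inputs taken from questions 16, 40 and 42 above.
    print(reserved_addresses("10.0.0.0/24"))
    print("usable in 10.0.0.0/24:", usable_addresses("10.0.0.0/24"))
    print("smallest prefix for 10 hosts: /%d" % smallest_subnet_prefix_for(10))
    print(validate_vpc_cidr("172.31.0.0/16", ["172.31.0.0/24"]))
    print(validate_vpc_cidr("172.31.1.0/24", ["172.31.0.0/24"]))
```

Note that `smallest_subnet_prefix_for` walks from /28 upward rather than from /32, because a /29 or /30 is not a valid VPC subnet at all regardless of how many hosts it would hold; a sizing check that ignores the /16 to /28 bound will happily recommend a subnet the console refuses to create.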
  43. You’ve launched a Windows EC2 instance and configured its security group and the subnet’s NACL to permit access from all other hosts in the subnet to the Remote Desktop Protocol (RDP) on TCP port 3389. However, when you’re attempting to RDP to the server from a Linux host in the same subnet, the connection fails. You are able to RDP from the same host to other Windows servers. Which of the following could be the reason for the failure?

    1. RDP uses TCP port 2598.
    2. Linux hosts can’t use RDP.
    3. The Windows firewall is blocking access on TCP port 3389.
    4. RDP uses UDP, not TCP.
  44. You need to connect two VPCs to resources in a remote office via a site-to-site VPN. You need to ensure that resources in the VPCs can’t communicate with each other. Which of the following can help you achieve this?

    1. VPC peering
    2. Transit gateway
    3. Virtual private gateway
    4. VPC endpoint
  45. Which of the following is an advantage of using Direct Connect instead of a VPN connection?

    1. Reduced cost
    2. Data encryption
    3. Higher bandwidth
    4. Predictable latency
  46. Servers in your datacenter are using a 10 Gbps Internet connection to connect to S3 using a public endpoint. Which of the following can improve the security of this configuration?

    1. Use HTTPS to connect to the S3 endpoint.
    2. Use Direct Connect.
    3. Use a VPN connection.
    4. Use a VPC endpoint.
  47. Before you can use Direct Connect to connect a VPC to your datacenter, which of the following should you do to ensure proper connectivity? (Choose two.)

    1. Make sure the IP address ranges in the networks don’t overlap.
    2. Use encryption.
    3. Configure the appropriate IAM policies.
    4. Configure routing.
  48. Which of the following are options for connecting a site to AWS using Direct Connect? (Choose two.)

    1. Configure a VPN between the site and an AWS Direct Connect Location.
    2. Complete a cross-connect between your equipment and AWS at a Direct Connect location.
    3. Request that AWS install a Direct Connect connection at the site.
    4. Use a hosted connection from an AWS Direct Connect Partner.
  49. Applications running in your datacenter currently connect to AWS services using their public endpoints. You plan to use Direct Connect to access these services but don’t want to reconfigure the applications to use private AWS service endpoints. Which of the following types of virtual interfaces should you configure?

    1. Private virtual interface
    2. Public virtual interface
    3. Transit virtual interface
    4. Peer virtual interface
  50. Which of the following BGP configuration tasks is required to use a Direct Connect public virtual interface?

    1. Advertise at least one public IP prefix.
    2. Advertise at least one private IP prefix.
    3. Specify a public autonomous system number (ASN).
    4. Enable jumbo frames.
  51. You need a Direct Connect connection that supports up to 75 Mbps. Which of the following options is the most cost-effective?

    1. A hosted connection with a 50 Mbps port
    2. A hosted connection with an 80 Mbps port
    3. A hosted connection with a 100 Mbps port
    4. A dedicated connection with a 1 Gbps port
  52. You’re using almost the full bandwidth of your 1 Gbps hosted Direct Connect connection. Which of the following can you do to approximately double your Direct Connect bandwidth to AWS? (Choose two.)

    1. Upgrade the 1 Gbps connection to 2 Gbps.
    2. Create a new connection using a 2 Gbps connection and remove the 1 Gbps connection.
    3. Create a new connection using a 1 Gbps connection and add both connections to a link aggregation group (LAG).
    4. Create two new 50 Mbps connections and add them to a link aggregation group (LAG) along with the existing 1 Gbps connection.
  53. What’s the default maximum transmission unit (MTU) of a Direct Connect virtual interface?

    1. 1500 bytes
    2. 8500 bytes
    3. 9000 bytes
    4. 1472 bytes
  54. How many VPN connections can you create to a single VPC?

    1. 1
    2. 5
    3. 10
    4. 25
  55. Which of the following is true regarding an IPv6 BGP peering session over a Direct Connect virtual interface?

    1. You can specify your own IPv6 peer addresses.
    2. AWS assigns a /125 IPv6 CIDR to use.
    3. Direct Connect doesn’t support IPv6 BGP peering.
    4. An IPv4 BGP peering session can’t be used alongside an IPv6 BGP peering session.
  56. How can you decrease the network overhead of a Direct Connect connection?

    1. Create a link aggregation group (LAG).
    2. Use jumbo frames on the virtual interfaces.
    3. Encrypt all data traversing the connection.
    4. Use a VPN tunnel.
  57. How many routes are you allowed to advertise in a BGP session over a Direct Connect connection over a private virtual interface?

    1. 50
    2. 100
    3. 500
    4. 1000
  58. What happens if you advertise more than 100 routes over a BGP session over a Direct Connect private virtual interface?

    1. The oldest routes will be discarded to bring the total number of routes to 100 or fewer.
    2. Additional routes over the first 100 won’t be installed in the route table.
    3. The Direct Connect link will go down.
    4. The session will go down.
  59. You’re unable to create a BGP session over a Direct Connect connection. Which of the following could be the reason?

    1. BGP MD5 authentication mismatch
    2. Missing community tags
    3. Your router doesn’t support multiprotocol BGP (MP-BGP).
    4. UDP port 179 is blocked.
  60. How many prefixes are you allowed to advertise over a BGP session over a Direct Connect public virtual interface?

    1. 100
    2. 200
    3. 1000
    4. 2000
  61. Which of the following can cause a BGP session to fail over a Direct Connect link?

    1. Not having any prefixes to advertise
    2. Incorrect autonomous system (AS) number
    3. Blocking TCP port 197
    4. Using the NO_EXPORT BGP community
  62. From your datacenter, you have a Direct Connect connection to a VPC with six subnets. There are running EC2 instances in each subnet. AWS is advertising prefixes for all six subnets via BGP. You want to prevent only one of these prefixes from being installed in your datacenter router and without impacting existing EC2 instances. How can you accomplish this with the least effort?

    1. Remove the prefix from the VPC route table.
    2. Request AWS not advertise the prefix.
    3. Block the prefixes on your datacenter router.
    4. Delete the subnet.
  63. You have a branch office connected to a VPC via a VPN. You also have a datacenter connected to the same VPC via Direct Connect. You need to pass traffic between the branch office and the datacenter. How can you do this with the least effort?

    1. Create a VPN connection between the branch office and datacenter.
    2. Configure VPN CloudHub to use the VPC for transit.
    3. Add a Direct Connect connection to the branch office.
    4. Add a private line between the datacenter and branch office.
  64. You have a VPN connection and a Direct Connect connection between your datacenter and a VPC. BGP sessions on both connections have the exact same prefixes. Which connection will be preferred?

    1. Direct Connect
    2. VPN
    3. The connection advertising the prefix with the shortest AS PATH length
    4. The oldest connection
  65. In your datacenter you have 200 prefixes that need to be reachable from a VPC via a Direct Connect virtual interface. How can you ensure all prefixes are reachable? (Choose two.)

    1. Advertise the default route.
    2. Use multiple BGP sessions to advertise all the prefixes.
    3. Summarize the prefixes into 100 or fewer prefixes.
    4. Advertise all 200 prefixes over a single BGP session.
  66. Which of the following CIDR blocks can you use to establish a BGP session over a site-to-site VPN tunnel?

    1. 169.254.0.0/30
    2. 169.0.0.0/16
    3. 10.0.0.0/30
    4. 10.0.0.0/16
  67. What are two differences between CloudHub and Direct Connect Gateway? (Choose two.)

    1. CloudHub connects on-premises networks and VPCs in any region.
    2. CloudHub connects on-premises networks and VPCs in only one region.
    3. Direct Connect Gateway connects on-premises networks and VPCs in any region.
    4. Direct Connect Gateway connects on-premises networks and VPCs in only one region.
  68. Which of the following BGP communities propagates public prefixes to all AWS regions?

    1. 7224:9100
    2. 7224:9200
    3. 7224:9300
    4. 7224:8100
  69. You’re advertising the same prefix over two separate Direct Connect links. One prefix is advertised from your datacenter, and the other is advertised from your headquarters office. How can you ensure the datacenter route will take precedence for return traffic?

    1. Apply the community tag 7224:7100 to the prefix from the datacenter.
    2. Apply the community tag 7224:7300 to the prefix from the datacenter.
    3. Apply the community tag 7224:7300 to the prefix from the headquarters office.
    4. Use AS PATH prepending on the prefix from the datacenter.
  70. You have two Direct Connect connections at your datacenter and want to load balance incoming traffic for all prefixes. Which of the following BGP attributes must be identical on all prefixes you advertise?

    1. Community tags
    2. Multi-exit discriminator (MED)
    3. Local preference
    4. Router ID
  71. Which of the following is true regarding using a private AS number (ASN) on a Direct Connect public virtual interface?

    1. You must own the ASN.
    2. The ASN must be greater than 65535.
    3. It’s not allowed; you must use a public ASN.
    4. AS path prepending won’t work.
  72. What are valid values for a VLAN? (Choose two.)

    1. 4000
    2. 6000
    3. 12000
    4. 1
  73. You have an IPv4 BGP session established over a Direct Connect virtual interface. How can you advertise IPv6 prefixes over this connection with the least effort?

    1. Establish a second IPv4 BGP session.
    2. Establish an IPv6 BGP session.
    3. Advertise the IPv6 prefixes over the IPv4 BGP session.
    4. Create an IPv6 VPN tunnel over the Direct Connect link.
  74. Which of the following is required to associate a transit gateway with a Direct Connect gateway?

    1. The ASNs of the transit gateway and the Direct Connect gateway must be different.
    2. The transit gateway and the Direct Connect gateway must be in the same VLAN.
    3. The ASNs of the transit gateway and the Direct Connect gateway must be the same.
    4. The transit gateway and the Direct Connect gateway must be in the same AWS account.
  75. Which of the following CloudWatch metrics indicates the status of the egress fiber from the AWS side of a 10 Gbps Direct Connect connection?

    1. ConnectionState
    2. ConnectionLightLevelRx
    3. ConnectionLightLevelTx
    4. ConnectionPpsEgress
  76. How many transit virtual interfaces can you create on a Direct Connect link aggregation group (LAG) composed of two 10 Gbps links?

    1. None
    2. One
    3. Two
    4. Four
  77. What’s the maximum number of Direct Connect dedicated connections you can have per link aggregation group?

    1. 2
    2. 4
    3. 8
    4. 16
  78. You launch an instance into a subnet that has an IPv6 CIDR assigned. The application running on the instance requires a routable IPv6 address. The instance has one elastic network interface and doesn’t have an IPv6 address assigned. What should you do to enable IPv6 connectivity for the application with the least effort?

    1. Assign a link-local IPv6 address to the instance.
    2. Attach an additional network interface to the instance and assign it a global unicast IPv6 address.
    3. Terminate the instance and launch a new one.
    4. Assign a global unicast IPv6 address to the instance.
  79. You have an EC2 instance with a global unicast IPv6 address assigned. How can you ensure that hosts on the Internet are able to resolve the IPv6 address of the instance?

    1. No action is required; they can query the IPv6 record of the instance’s DNS hostname.
    2. Create a publicly resolvable AAAA record that points to the instance’s IPv6 address.
    3. Create a publicly resolvable A record that points to the instance’s IPv6 address.
    4. Ensure that the instance’s security group allows inbound access to UDP port 53.
  80. The address fe80:db8:1234:1a00::1/64 is an example of which of the following?

    1. Elastic IP address
    2. IPv4 link-local address
    3. IPv6 link-local address
    4. IPv6 global unicast address
  81. Which of the following addresses is released when an EC2 instance is stopped?

    1. Its primary private IP address
    2. Its public IPv4 address
    3. Its public IPv6 address
    4. Its elastic IP address
  82. Your EC2 instance in the us-east-1 region is assigned the public IP address 203.0.113.25. Which of the following is its external DNS hostname?

    1. 203-0-113-25.compute-1.amazonaws.com
    2. 25.113.0.203.ec2.compute-1.amazonaws.com
    3. ec-203-0-113-25.compute-1.amazonaws.com
    4. ec2-203-0-113-25.compute-1.amazonaws.com
  83. You created a default VPC and made no other changes to it. Which of the following is true of an EC2 instance launched into this default VPC? (Choose two.)

    1. Its primary private IP address has a /16 CIDR.
    2. It’s in a public subnet.
    3. It has a public IP address.
    4. It has no outbound access.
  84. Your EC2 instance in the us-east-1 region has a primary private IP address of 10.9.13.37/20 and a secondary private IP address of 10.8.13.37/20. Which of the following is the instance’s private hostname?

    1. ip-10-9-13-37.ec2.internal
    2. ip-10-8-13-37.ec2.internal
    3. ip-10-9-13-37.ec2.compute-1.internal
    4. ip-10-8-13-37.ec2.us-east-1.internal
  85. Which of the following VPC attributes determines whether an instance with a public IP address receives a public DNS hostname?

    1. enableDnsSupport
    2. enableDnsHostnames
    3. enableDnsResolution
    4. enableDns
  86. Which of the following VPC attributes determines whether an instance can resolve the Amazon-provided private hostname of another instance in the same VPC?

    1. enableDnsHostnames
    2. enableDnsSupport
    3. enableDnsResolution
    4. enablePrivateDns
  87. A subnet has the CIDR 2001:db8:1234:1a00::/64. Which of the following addresses can you not assign to an instance?

    1. 2001:db8:1234:1a00:ffff::
    2. 2001:db8:1234:1a00:1:1
    3. 2001:db8:1234:1a00::ffff
    4. 2001:db8:1234:1a00::
  88. Using a virtual private gateway, you’ve created a site-to-site VPN connection between a VPC subnet and a datacenter. When creating routes to datacenter subnets, which of the following should you specify as the target?

    1. Virtual private gateway
    2. Customer gateway
    3. Internet gateway
    4. Transit gateway
  89. When attempting to RDP into a Windows instance from the Internet, you get the error “Your credentials did not work.” Which of the following could be the reason?

    1. TCP port 3389 is blocked.
    2. You’re using the wrong SSH key.
    3. The password is incorrect.
    4. The instance doesn’t have Internet access.
  90. You have a custom-built Windows instance that’s managed using Simple Systems Manager (SSM). You’ve attempted to connect to the instance via RDP from the Internet, but it doesn’t respond. You’ve verified that both your NACL and the instance’s security group allow RDP traffic. You can also use SSM to install official patches on the instance. Which of the following steps might resolve the issue with the least effort?

    1. Re-create the instance using an official AMI.
    2. Open up a PowerShell remoting session to the instance and enable RDP.
    3. Attach to the instance an instance role with RDP permissions.
    4. Run the AWSSupport-TroubleshootRDP SSM automation document to disable the Windows Firewall and enable RDP.
  91. You’re unable to RDP to a Windows EC2 instance after a reboot. Prior to this you were able to RDP into it via the Internet. Which of the following actions can help you determine the cause?

    1. Take an instance screen shot.
    2. View the system log.
    3. View the CloudTrail logs for the instance.
    4. View the AWS Config logs for the instance.
  92. Which of the following changes to a Windows Server 2019 instance can result in a loss of all network connectivity for several hours after rebooting it?

    1. Changing the time zone
    2. Upgrading the PV driver
    3. The Windows Plug and Play Cleanup feature removing the EC2 network device
    4. Enabling TCP offloading
  93. Which of the following IP addresses does AWS use for Windows activation?

    1. 169.254.169.250
    2. 192.168.169.250
    3. 169.168.169.254
    4. 169.254.0.254
  94. An EC2 instance in your VPC is unable to connect to a Relational Database Service (RDS) instance hosting a database. Which of the following should you try to resolve the problem?

    1. Move the RDS instance into the same VPC as the EC2 instance but a different subnet.
    2. Reconfigure the EC2 instance’s security group to allow access from the database instance.
    3. Move the RDS instance into the same VPC and subnet as the EC2 instance.
    4. Reconfigure the database instance’s security group to allow access from the EC2 instance.
  95. You’re connected to an EC2 instance via SSH when you’re abruptly disconnected. You attempt to reconnect to the instance’s elastic IP address but are unsuccessful. Which of the following could explain this?

    1. A rule denying outbound TCP port 22 access was added to the instance’s subnet’s NACL.
    2. The outbound rules for the instance’s security group were removed.
    3. All outbound rules for the instance’s subnet’s NACL were removed.
    4. A rule denying outbound TCP port 22 access was added to the instance’s security group.
  96. When attempting to SSH to an EC2 instance, you get the error that the user key is not recognized. You try a different SSH client and get a “permission denied” error. Which of the following could be the reason?

    1. Other users have read and write permissions to your private SSH key.
    2. There is a security group or NACL blocking SSH access to the instance.
    3. You entered the wrong passphrase for the private SSH key.
    4. The username you provided is incorrect.
  97. When attempting to SSH to an EC2 instance from your workstation, you get the error “Permissions 0777 for ‘.ssh/private_key.pem’ are too open.” Which of the following actions can correct this error?

    1. Re-create the key using ssh-keygen.
    2. Delete the file .ssh/private_key.pem.
    3. Execute the command chmod 0400 .ssh/private_key.pem.
    4. Delete the public key from the .ssh/authorized_keys file.
  98. You intermittently get disconnected from an SSH session to an EC2 instance. You’re able to immediately reconnect. Which of the following may prevent the intermittent disconnection?

    1. Enable keepalives on your SSH client.
    2. Disable TCP keepalives on the server.
    3. Set the ClientAliveInterval on the server to 0.
    4. Run a continuous ping to the instance during the SSH session.
  99. You need to be able to ping an EC2 instance’s elastic IP address. Which of the following should you add to the inbound security group rules?

    1. ICMPv4 Echo Request
    2. ICMPv4 Echo Reply
    3. ICMPv6 All
    4. ICMPv4 Destination Unreachable
  100. You attempt to ping an EC2 instance’s public IPv4 address but get no response. Which of the following could be the reason?

    1. An inbound NACL rule denying UDP traffic
    2. An inbound NACL rule denying ICMPv4 Echo Replies
    3. An outbound NACL rule denying ICMPv4 Echo Requests
    4. An outbound NACL rule denying ICMPv4 Echo Replies
  101. Which of the following can help an instance automatically recover from a loss of network connectivity caused by a problem with the underlying host?

    1. CloudWatch alarms
    2. CloudWatch Events
    3. Simple Notification Service
    4. Enhanced monitoring
  102. What’s the maximum number of instance recovery attempts allowed per day?

    1. Two
    2. Three
    3. Four
    4. No limit
  103. Which of the following can tell you whether a security group or NACL has blocked traffic from a particular IP address?

    1. CloudTrail logs
    2. VPC Flow Logs
    3. CloudWatch basic metrics
    4. CloudWatch detailed metrics
  104. You can configure VPC flow logging to limit the logging of traffic flows to which of the following? (Choose two.)

    1. Elastic load balancer
    2. VPC
    3. Placement group
    4. Host
  105. Which of the following is not included in the 5-tuple of a VPC Flow Logs record?

    1. Source port
    2. Protocol
    3. Number of packets
    4. IPv4/IPv6 indicator
  106. You’ve configured VPC flow logging for a VPC that has intermittent bursts of heavy traffic. The logs are stored in an S3 bucket. An hour later, you view the logs and notice that although there are several flow records containing a 5-tuple, some records appear without the 5-tuple and have “NODATA” at the end. What can you conclude from this?

    1. VPC flow logging is configured correctly.
    2. Some VPC traffic is not getting logged.
    3. There’s too much traffic to log.
    4. Some traffic is getting blocked.
  107. You want to use VPC flow logging to identify any traffic that’s blocked by a security group. How can you accomplish this in the most cost-effective way?

    1. Enable VPC flow logging to log only rejected traffic to CloudWatch Logs.
    2. Enable VPC flow logging to log only rejected traffic to an S3 bucket.
    3. Enable VPC flow logging to log all traffic to an S3 bucket, and search the logs for the word REJECT.
    4. Enable VPC flow logging to log all traffic to CloudWatch Logs, and use a filter to view only rejected traffic.
  108. When trying to add an alternative domain name to a CloudFront distribution, you get an “InvalidViewerCertificateException” error. Which of the following could be the reason?

    1. The certificate specifies an invalid cipher.
    2. The domain name is in all lowercase.
    3. The custom certificate you’ve provided isn’t signed by a trusted certificate authority (CA).
    4. The attached certificate contains too many domain names.
  109. You have a CloudFront distribution for the alternate domain name www.example.com. You try to add another alternate domain name for www1.example.com and receive an “InvalidViewerCertificateException” error. How can you enable the CloudFront distribution for both domains?

    1. Verify your ownership of the www1.example.com domain name.
    2. Supply a new certificate for the domain names www.example.com and www1.example.com.
    3. Use the default CloudFront certificate.
    4. Supply a new certificate for the domain name www1.example.com.
  110. You’re currently running a web application on a set of EC2 instances behind an elastic load balancer (ELB). You’re storing static web assets for the application in an S3 bucket. Which of the following is the most scalable approach for serving these web assets using a CloudFront distribution?

    1. Create a streaming distribution.
    2. Add the ELB as an origin.
    3. Add the EC2 instances as origins.
    4. Add the S3 bucket as an origin.
  111. You’ve placed video and media player files in an S3 bucket and created a streaming RTMP CloudFront distribution using the bucket as the origin. Users are unable to play the videos. How can you resolve this?

    1. Move the media player files into a different bucket.
    2. Serve the media player files from an HTTP CloudFront distribution.
    3. Ensure the bucket has public access.
    4. Enable HTTPS on the distribution.
  112. You’ve created an RTMP distribution for streaming video. Most users are able to watch the videos, but users at one location aren’t. Which of the following could be the problem?

    1. UDP port 1935 is blocked.
    2. The video files aren’t served from an HTTP distribution.
    3. The media player files are served from the RTMP distribution.
    4. TCP port 1935 is blocked.
  113. Some users are unable to access an RTMP streaming distribution due to TCP port 1935 being blocked. Only TCP ports 80 and 443 are allowed. Which of the following must occur in order for the users to access the distribution?

    1. Convert the RTMP distribution to HTTP.
    2. Switch to RTMPT.
    3. Convert the RTMP distribution to HTTPS.
    4. Add an inbound security group rule to permit access to TCP port 1935.
  114. Which of the following is a valid URL for an RTMP distribution?

    1. rtmp://s5c39gqb8ow64r.cloudfront.net
    2. rtmp://d111111abcdef8.cloudfront.net
    3. https://s5c39gqb8ow64r.cloudfront.net
    4. https://d111111abcdef8.cloudfront.net
  115. When does a CloudFront edge location first fetch a file from an origin?

    1. When the file is added to the origin
    2. When the distribution is created
    3. When the edge location receives a request for the file
    4. When the distribution enters a “deployed” state
  116. You’ve created a CloudFront distribution using an alternate domain name example.com. In the Route 53 hosted zone for example.com, you’ve created a CNAME record for example.com that points to the distribution’s domain name as an alias. You discover that you’re being charged for queries of this record. How can you reduce your costs while continuing to use the example.com domain name for the distribution?

    1. Replace the CNAME record with an A record that points to the distribution as an alias target.
    2. Modify the CNAME record to point to the distribution as an alias target.
    3. Purchase a Route 53 zone reservation.
    4. Decrease the time-to-live (TTL) of the record.
  117. You’ve created a CloudFront distribution with the alternate domain name example.com. You’ve created an A record pointing to the distribution as an alias target. IPv4 users are able to access the distribution using the alternate domain name, but IPv6 users aren’t. They can, however, access it using the distribution domain name. How can you resolve this?

    1. Convert the record to a non-alias record.
    2. Change the alternate name to www.example.com and update the A record accordingly.
    3. Change the A record to a CNAME record.
    4. Create an AAAA record.
  118. Which of the following is not a valid alternate domain name for a CloudFront distribution?

    1. *.example.com
    2. example.example.com
    3. *.www.example.com
    4. www.*.example.com
  119. You’re storing an object named production/index.html in a bucket named myawsbucket. You want to make this object accessible via a CloudFront distribution using just the alternate domain name example.com/index.html. Which of the following steps is required to accomplish this?

    1. Restrict access to the bucket.
    2. Set the origin path to /production.
    3. Set the origin path to /myawsbucket/production.
    4. Create a CNAME record for example.com.
  120. Which of the following is a network protocol that CloudFront supports?

    1. RSA
    2. WebSocket
    3. UDP
    4. RTSP
  121. How can you enable Internet users to access a CloudFront distribution without allowing public access to its origin S3 bucket?

    1. Use an origin access identity.
    2. Create a bucket policy that grants read permissions to the * principal.
    3. Create a bucket ACL to grant the CloudFront service access to the bucket.
    4. Put a password on the bucket.
  122. You’re hosting audio files and a custom player on a set of EC2 instances behind an elastic load balancer (ELB) in a public subnet. You want to use a CloudFront distribution to host this content while preventing users from accessing the audio files or player from the EC2 instances directly. How can you accomplish this with the least effort? (Choose two.)

    1. Create a custom distribution with the EC2 instances as custom origins.
    2. Move the audio files to a non-public S3 bucket and create a streaming distribution with the bucket as the origin.
    3. Move the audio player to a non-public S3 bucket and create a distribution with the bucket as the origin.
    4. Place the instances in a private subnet.
  123. Which of the following can be a custom CloudFront origin?

    1. None of these
    2. A non-public S3 bucket
    3. A private web server on a company intranet
    4. A public web server open to the Internet
  124. You’ve created a target group that you plan to use with a network load balancer (NLB). The target group contains several EC2 instances, all in the same subnet, and all of the instances are configured to listen for HTTPS traffic on TCP port 443. One of the EC2 instance targets isn’t entering the InService state. You check and find that the instance is failing its health check. All targets are configured with the same health check settings. From other instances in the same subnet you’re able to access TCP port 443 on the problem instance. Which of the following could be the reason the instance is failing its health check?

    1. The instance’s TLS certificate isn’t valid.
    2. The instance’s security group isn’t allowing traffic from the NLB.
    3. The subnet NACL isn’t allowing traffic from the NLB.
    4. The instance is stopped.
  125. You’ve created a network load balancer (NLB) and have added instances to a target group. Some of the instances are in the same VPC as the NLB, while others are in a peered VPC. Requests aren’t getting routed to instances in the peered VPC. Why?

    1. The instances are getting overwhelmed with health checks.
    2. The target group doesn’t reference the instances by instance ID.
    3. The target group doesn’t reference the instances by IP address.
    4. NLB doesn’t support VPC peering.
  126. Which of the following IP addresses can you not specify in a network load balancer target group?

    1. 10.0.0.15
    2. 100.64.0.7
    3. 100.127.7.7
    4. 65.156.1.101
  127. Which of the following elastic load balancers supports the Lambda target type?

    1. Network load balancer
    2. Application load balancer
    3. Classic load balancer
    4. Lambda load balancer
  128. You are running a web application on a set of EC2 instances. The application requires that each incoming TCP connection has the source IP address of the client. Which type of load balancing should you use?

    1. Network load balancer
    2. Application load balancer
    3. Classic load balancer
    4. Route 53 weighted resource records
  129. When browsing to the public URL of an application load balancer, users receive a “Bad Gateway” error. The target group contains only EC2 instances. What could this indicate?

    1. The users are unable to connect to the application load balancer.
    2. A web application firewall (WAF) rule blocked the request.
    3. The target instance closed the connection from the load balancer.
    4. The target instance didn’t accept the connection from the load balancer.
  130. When browsing to the public URL of an application load balancer, users receive a “Gateway Timeout” error. The target group contains only EC2 instances. What could this indicate?

    1. The users are unable to connect to the application load balancer.
    2. The target instance didn’t accept the connection from the load balancer.
    3. The target instance closed the connection from the load balancer.
    4. A web application firewall (WAF) rule blocked the request.
  131. Which of the following CloudFront metrics tracks the number of server errors generated by an application load balancer?

    1. HTTPCode_ELB_2XX_Count
    2. HTTPCode_ELB_4XX_Count
    3. HTTPCode_ELB_5XX_Count
    4. None of these
  132. Where can an application load balancer store logs containing client IP address, latencies, and server responses?

    1. Web application firewall
    2. S3 bucket
    3. CloudWatch Logs
    4. CloudTrail logs