SAP-C01 : AWS Certified Solutions Architect – Professional : Part 17

  1. For Amazon EC2 issues, while troubleshooting AWS CloudFormation, you need to view the cloud-init and cfn logs for more information. Identify a directory to which these logs are published.

    • /var/opt/log/ec2
    • /var/log/lastlog
    • /var/log/
    • /var/log/ec2
    Explanation:
    When you use AWS CloudFormation, you might encounter issues when you create, update, or delete AWS CloudFormation stacks.
For Amazon EC2 issues, view the cloud-init and cfn logs. These logs are published on the Amazon EC2 instance in the /var/log/ directory (for example /var/log/cloud-init.log, /var/log/cfn-init.log and /var/log/cfn-init-cmd.log). These logs capture processes and command outputs while AWS CloudFormation is setting up your instance. For Windows, view the EC2Config service and cfn logs in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.
    You can also configure your AWS CloudFormation template so that the logs are published to Amazon CloudWatch, which displays logs in the AWS Management Console so you don’t have to connect to your Amazon EC2 instance.
  2. True or false: In a CloudFormation template, you can reuse the same logical ID several times to reference the resources in other parts of the template.

    • True, a logical ID can be used several times to reference the resources in other parts of the template.
    • False, a logical ID must be unique within the template.
    • False, you can mention a resource only once and you cannot reference it in other parts of a template.
    • False, you cannot reference other parts of the template.
    Explanation:
    In AWS CloudFormation, the logical ID must be alphanumeric (A-Za-z0-9) and unique within the template. You use the logical name to reference the resource in other parts of the template.
  3. True or false: In CloudFormation, you cannot create an Amazon RDS DB instance from a snapshot.

    • False, you can specify it in attributes
    • False, you can specify it in condition
    • False, you can specify it in resource properties
    • True
    Explanation:
    In AWS CloudFormation, resource properties are additional options that you can specify on a resource. For example, you can specify the DB snapshot property for an Amazon RDS DB instance in order to create a DB instance from a snapshot.
  4. How can you check the operational validity of your AWS CloudFormation template?

    • To check the operational validity, you need to attempt to create the stack.
    • There is no way to check the operational validity of your AWS CloudFormation template.
    • To check the operational validity, you need a sandbox or test area for AWS CloudFormation stacks.
    • To check the operational validity, you need to use the aws cloudformation validate-template command.
    Explanation:
In AWS CloudFormation, to check the operational validity, you need to attempt to create the stack. The aws cloudformation validate-template command only checks syntactic validity (well-formed JSON or YAML and a recognised template structure); it does not tell you whether the resources can actually be created. There is no sandbox or test area for AWS CloudFormation stacks, so you are charged for the resources you create during testing.
  5. What is a circular dependency in AWS CloudFormation?

    • When Nested Stacks depend on each other.
    • When Resources form a DependsOn loop.
    • When a Template references an earlier version of itself.
    • When a Template references a region, which references the original Template.
    Explanation:
    A circular dependency occurs when resources depend on each other in a loop, either through explicit DependsOn attributes or through implicit references (Ref and Fn::GetAtt), so CloudFormation cannot determine an order in which to create or delete them. To resolve a dependency error, add a DependsOn attribute to resources that depend on other resources in your template. In some cases, you must explicitly declare dependencies so that AWS CloudFormation can create or delete resources in the correct order. For example, if you create an Elastic IP and a VPC with an Internet gateway in the same stack, the Elastic IP must depend on the Internet gateway attachment. For additional information, see the DependsOn attribute documentation.
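Because validate-template only checks syntax, a dependency loop is only discovered once the stack creation fails. The following added example (written for this page, not AWS tooling or code from the original) rebuilds the dependency graph the way CloudFormation derives it, from DependsOn plus Ref and Fn::GetAtt references, and reports a cycle before any resource is created. The two templates are constructed for illustration; the second reproduces the classic mutual security-group ingress loop.

```python
"""Pre-flight circular-dependency check for a CloudFormation template.

Added example for this page; uses only the Python standard library.
It builds the same dependency edges CloudFormation uses (explicit
DependsOn and implicit Ref / Fn::GetAtt) and runs a DFS cycle search.
"""
import json
from typing import Any, Dict, List, Optional, Set


def referenced_resources(node: Any, names: Set[str]) -> Set[str]:
    """Collect logical IDs referenced via Ref or Fn::GetAtt below `node`."""
    found: Set[str] = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and value in names:
                found.add(value)
            elif key == "Fn::GetAtt":
                target = value[0] if isinstance(value, list) else str(value).split(".")[0]
                if target in names:
                    found.add(target)
            else:
                found |= referenced_resources(value, names)
    elif isinstance(node, list):
        for item in node:
            found |= referenced_resources(item, names)
    return found


def dependency_graph(template: Dict[str, Any]) -> Dict[str, Set[str]]:
    """Map each logical ID to the logical IDs it must wait for."""
    resources = template.get("Resources", {})
    names = set(resources)
    graph: Dict[str, Set[str]] = {}
    for logical_id, body in resources.items():
        depends_on = body.get("DependsOn", [])
        if isinstance(depends_on, str):          # DependsOn may be a single string
            depends_on = [depends_on]
        deps = {d for d in depends_on if d in names}
        deps |= referenced_resources(body.get("Properties", {}), names)
        deps.discard(logical_id)
        graph[logical_id] = deps
    return graph


def find_cycle(graph: Dict[str, Set[str]]) -> Optional[List[str]]:
    """Return one dependency cycle as a list of logical IDs, or None if acyclic."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in graph}
    stack: List[str] = []

    def visit(node: str) -> Optional[List[str]]:
        colour[node] = GREY
        stack.append(node)
        for dep in sorted(graph[node]):
            if colour[dep] == GREY:              # back edge: we are inside a loop
                return stack[stack.index(dep):] + [dep]
            if colour[dep] == WHITE:
                cycle = visit(dep)
                if cycle:
                    return cycle
        stack.pop()
        colour[node] = BLACK
        return None

    for name in sorted(graph):
        if colour[name] == WHITE:
            cycle = visit(name)
            if cycle:
                return cycle
    return None


# Constructed template: EIP explicitly waits for the gateway attachment (valid).
VALID_TEMPLATE = json.loads("""{
  "Resources": {
    "VPC": {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": "10.0.0.0/16"}},
    "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
    "AttachGateway": {"Type": "AWS::EC2::VPCGatewayAttachment",
      "Properties": {"VpcId": {"Ref": "VPC"}, "InternetGatewayId": {"Ref": "InternetGateway"}}},
    "EIP": {"Type": "AWS::EC2::EIP", "DependsOn": "AttachGateway", "Properties": {"Domain": "vpc"}}
  }}""")

# Constructed template: two security groups referencing each other inline (a loop).
CYCLIC_TEMPLATE = json.loads("""{
  "Resources": {
    "SgWeb": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "web",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
                                "SourceSecurityGroupId": {"Ref": "SgApp"}}]}},
    "SgApp": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "app",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                "SourceSecurityGroupId": {"Ref": "SgWeb"}}]}}
  }}""")

if __name__ == "__main__":
    print("valid template cycle:", find_cycle(dependency_graph(VALID_TEMPLATE)))
    print("cyclic template cycle:", find_cycle(dependency_graph(CYCLIC_TEMPLATE)))
```

The usual fix for the second template is to create both security groups without inline ingress and attach the rules as separate AWS::EC2::SecurityGroupIngress resources, which reference the groups without the groups referencing each other.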
  6. You need to develop and run some new applications on AWS and you know that Elastic Beanstalk and CloudFormation can both help as a deployment mechanism for a broad range of AWS resources.

    Which of the following is TRUE statements when describing the differences between Elastic Beanstalk and CloudFormation?

    • AWS Elastic Beanstalk introduces two concepts: The template, a JSON or YAML-format, text-based file
    • Elastic Beanstalk supports AWS CloudFormation application environments as one of the AWS resource types.
    • Elastic Beanstalk automates and simplifies the task of repeatedly and predictably creating groups of related resources that power your applications. CloudFormation does not.
    • You can design and script custom resources in CloudFormation
    Explanation:
    These services are designed to complement each other. AWS Elastic Beanstalk provides an environment to easily deploy and run applications in the cloud. It is integrated with developer tools and provides a one-stop experience for you to manage the lifecycle of your applications. AWS CloudFormation is a convenient provisioning mechanism for a broad range of AWS resources. It supports the infrastructure needs of many different types of applications such as existing enterprise applications, legacy applications, applications built using a variety of AWS resources and container-based solutions (including those built using AWS Elastic Beanstalk). AWS CloudFormation supports Elastic Beanstalk application environments as one of the AWS resource types. This allows you, for example, to create and manage an AWS Elastic Beanstalk-hosted application along with an RDS database to store the application data. In addition to RDS instances, any other supported AWS resource can be added to the group as well. CloudFormation also lets you define custom resources backed by your own code, which Elastic Beanstalk does not.
  7. An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. An ENI can include one public IP address, which can be auto-assigned to the elastic network interface for eth0 when you launch an instance, but only when you_____.

    • create an elastic network interface for eth1
    • include a MAC address
    • use an existing network interface
    • create an elastic network interface for eth0
    Explanation:
    An elastic network interface (ENI) is defined as a virtual network interface that you can attach to an instance in a VPC and can include one public IP address, which can be auto-assigned to the elastic network interface for eth0 when you launch an instance, but only when you create an elastic network interface for eth0 instead of using an existing network interface.
  8. After setting an AWS Direct Connect, which of the following cannot be done with an AWS Direct Connect Virtual Interface?

    • You can exchange traffic between the two ports in the same region connecting to different Virtual Private Gateways (VGWs) if you have more than one virtual interface.
    • You can change the region of your virtual interface.
    • You can delete a virtual interface; if its connection has no other virtual interfaces, you can delete the connection.
    • You can create a hosted virtual interface.
    Explanation:
    You must create a virtual interface to begin using your AWS Direct Connect connection. You can create a public virtual interface to connect to public resources or a private virtual interface to connect to your VPC. Also, it is possible to configure multiple virtual interfaces on a single AWS Direct Connect connection, and you’ll need one private virtual interface for each VPC to connect to. Each virtual interface needs a VLAN ID, interface IP address, ASN, and BGP key. To use your AWS Direct Connect connection with another AWS account, you can create a hosted virtual interface for that account. These hosted virtual interfaces work the same as standard virtual interfaces and can connect to public resources or a VPC.
  9. Identify a correct statement about the expiration date of the “Letter of Authorization and Connecting Facility Assignment (LOA-CFA),” which lets you complete the Cross Connect step of setting up your AWS Direct Connect.

    • If the cross connect is not completed within 90 days, the authority granted by the LOA-CFA expires.
    • If the virtual interface is not created within 72 days, the LOA-CFA becomes outdated.
    • If the cross connect is not completed within a user-defined time, the authority granted by the LOA-CFA expires.
    • If the cross connect is not completed within the specified duration from the appropriate provider, the LOA-CFA expires.
    Explanation:
    An AWS Direct Connect location provides access to AWS in the region it is associated with. You can establish connections with AWS Direct Connect locations in multiple regions, but a connection in one region does not provide connectivity to other regions. Note: If the cross connect is not completed within 90 days, the authority granted by the LOA-CFA expires.
  10. Which of the following is the final step that should be completed to start using AWS Direct Connect?

    • Creating your Virtual Interface
    • Configuring your router
    • Completing the Cross Connect
    • Verifying your Virtual Interface
    Explanation:
    You can get started using AWS Direct Connect by completing the following steps.
    Step 1: Sign Up for Amazon Web Services
    Step 2: Submit AWS Direct Connect Connection Request
    Step 3: Complete the Cross Connect
    Step 4: (Optional) Configure Redundant Connections with AWS Direct Connect
    Step 5: Create a Virtual Interface
    Step 6: Download Router Configuration
    Step 7: Verify Your Virtual Interface
  11. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 by mistake. The user is trying to create another subnet of CIDR 20.0.1.0/24.

    How can the user create the second subnet?

    • The user can modify the first subnet CIDR with AWS CLI
    • The user can modify the first subnet CIDR from the console
    • There is no need to update the subnet as VPC automatically adjusts the CIDR of the first subnet based on the second subnet’s CIDR
    • It is not possible to create a second subnet with overlapping IP CIDR without deleting the first subnet.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet within the VPC and launch instances inside the subnet. The user can create a subnet with the same size as the VPC. However, the user cannot then create any other subnet, since the CIDR of the second subnet would overlap the first subnet. The CIDR of a subnet cannot be modified once it is created. Thus, in this case, the user has to delete the first subnet and create new, smaller subnets.
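The subnet-overlap rule is easy to check before you touch the console. The following added example (written for this page, not AWS code) validates a proposed subnet against the VPC CIDR and the subnets already allocated, and lists the largest blocks still free. It uses only the standard library ipaddress module; the /16 and /28 size limits are AWS's documented bounds for a VPC subnet, and the CIDRs are the ones from the question above.

```python
"""Subnet planning checks for a VPC, as an added example for this page.

Validates that a new subnet CIDR lies inside the VPC, respects AWS's
/16 to /28 size limits, and does not overlap an existing subnet, then
computes the unallocated address blocks that remain.
"""
import ipaddress
from typing import Iterable, List, Tuple


def validate_subnet(vpc_cidr: str, existing: Iterable[str], new_cidr: str) -> Tuple[bool, str]:
    """Return (ok, reason) for adding `new_cidr` to a VPC with `existing` subnets."""
    vpc = ipaddress.ip_network(vpc_cidr)
    new = ipaddress.ip_network(new_cidr)
    if not new.subnet_of(vpc):
        return False, f"{new} is outside VPC {vpc}"
    if new.prefixlen < 16 or new.prefixlen > 28:
        return False, f"{new} is not between /16 and /28"
    for cidr in existing:
        current = ipaddress.ip_network(cidr)
        if new.overlaps(current):              # CIDR blocks either nest or are disjoint
            return False, f"{new} overlaps existing subnet {current}"
    return True, "ok"


def free_blocks(vpc_cidr: str, existing: Iterable[str]) -> List[str]:
    """Largest CIDR blocks of the VPC not covered by any existing subnet."""
    free = [ipaddress.ip_network(vpc_cidr)]
    for cidr in existing:
        used = ipaddress.ip_network(cidr)
        remaining = []
        for block in free:
            if block.subnet_of(used):           # block fully consumed (or equal)
                continue
            if used.subnet_of(block):           # carve the subnet out of this block
                remaining.extend(block.address_exclude(used))
            else:
                remaining.append(block)
        free = remaining
    return [str(b) for b in sorted(ipaddress.collapse_addresses(free))]


# Scenario from the question: a /16 subnet was created by mistake.
VPC_CIDR = "20.0.0.0/16"
MISTAKEN_SUBNETS = ["20.0.0.0/16"]
# Sensible layout: a public /24 and a VPN-only /24, leaving room for more.
PLANNED_SUBNETS = ["20.0.0.0/24", "20.0.1.0/24"]

if __name__ == "__main__":
    print(validate_subnet(VPC_CIDR, MISTAKEN_SUBNETS, "20.0.1.0/24"))
    print("free after mistake:", free_blocks(VPC_CIDR, MISTAKEN_SUBNETS))
    print(validate_subnet(VPC_CIDR, PLANNED_SUBNETS, "20.0.2.0/23"))
    print("free after plan:", free_blocks(VPC_CIDR, PLANNED_SUBNETS))
```

With the mistaken /16 subnet the free list is empty and every further subnet is rejected as overlapping, which is exactly why the first subnet has to be deleted; with two /24 subnets the remaining blocks (20.0.2.0/23 up to 20.0.128.0/17) are available for additional tiers.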
  12. Which of the following should be followed before connecting to Amazon Virtual Private Cloud (Amazon VPC) using AWS Direct Connect?

    • Provide a public Autonomous System Number (ASN) to identify your network on the Internet.
    • Create a virtual private gateway and attach it to your Virtual Private Cloud (VPC).
    • Allocate a private IP address to your network in the 122.x.x.x range.
    • Provide a public IP address for each Border Gateway Protocol (BGP) session.
    Explanation:
    To connect to Amazon Virtual Private Cloud (Amazon VPC) by using AWS Direct Connect, you must first do the following:
    Provide an Autonomous System Number (ASN) for your side of the BGP session; a private ASN is sufficient because the session is only between your router and AWS. Amazon then allocates the BGP peer IP addresses for the session from the link-local 169.254.x.x range. Create a virtual private gateway and attach it to your VPC.
  13. Your supervisor has given you the task of creating an elastic network interface on each of your web servers that connect to a mid-tier network where an application server resides. He also wants this set up as a Dual-homed Instance on Distinct Subnets. Instead of routing network packets through the dual-homed instances, where should each dual-homed instance receive and process requests to fulfil his criteria?

    • On one of the web servers
    • On the front end
    • On the back end
    • Through a security group
    Explanation:
    You can place an elastic network interface on each of your web servers that connects to a mid-tier network where an application server resides. The application server can also be dual-homed to a back-end network (subnet) where the database server resides. If it is set up like this, instead of routing network packets through the dual-homed instances, each dual-homed instance receives and processes requests on the front end and initiates a connection to the back end before finally sending requests to the servers on the back-end network.
  14. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-123456) to connect to the user’s data center. The user’s data center has CIDR 172.28.0.0/12. The user has also setup a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet.

    Which of the below mentioned options is not a valid entry for the main route table in this scenario?

    • Destination: 20.0.0.0/16 and Target: local
    • Destination: 0.0.0.0/0 and Target: i-123456
    • Destination: 172.28.0.0/12 and Target: vgw-123456
    • Destination: 20.0.1.0/24 and Target: i-123456
  15. In which step of “start using AWS Direct Connect” steps is the virtual interface you created tagged with a customer-provided tag that complies with the Ethernet 802.1Q standard?

    • Download Router Configuration.
    • Complete the Cross Connect.
    • Configure Redundant Connections with AWS Direct Connect.
    • Create a Virtual Interface.
    Explanation:
    In the list of using Direct Connect steps, the create a Virtual Interface step is to provision your virtual interfaces. Each virtual interface must be tagged with a customer-provided tag that complies with the Ethernet 802.1Q standard. This tag is required for any traffic traversing the AWS Direct Connect connection.
  16. A user has created a VPC with CIDR 20.0.0.0/16 using the VPC wizard. The user has created public and VPN only subnets along with hardware VPN access to connect to the user’s data center. The user has not yet launched any instance as well as modified or deleted any setup. He wants to delete this VPC from the console.

    Will the console allow the user to delete the VPC?

    • Yes, the user can detach the virtual private gateway and then use the VPC console to delete the VPC.
    • No, since the NAT instance is running, the user cannot delete the VPC.
    • Yes, the user can use the CLI to delete the VPC that will detach the virtual private gateway automatically.
    • No, the VPC console needs to be accessed using an administrator account to delete the VPC.
    Explanation:
    You can delete your VPC at any time (for example, if you decide it’s too small). However, you must terminate all instances in the VPC first. When you delete a VPC using the VPC console, Amazon deletes all its components, such as subnets, security groups, network ACLs, route tables, Internet gateways, VPC peering connections, and DHCP options. If you have a VPN connection, you don’t have to delete it or the other components related to the VPN (such as the customer gateway and virtual private gateway).
  17. You have been asked to set up a public website on AWS with the following criteria:
    You want the database and the application server running on an Amazon VPC. You want the database to be able to connect to the Internet so that it can be automatically updated to the correct patch level.
    You do not want to receive any incoming traffic from the Internet to the database.

    Which solutions would be the best to satisfy all the above requirements for your planned public website on AWS? (Choose two.)

    • Set up both the public website and the database on a public subnet and block all incoming requests from the Internet with a Network Access Control List (NACL)
    • Set up both the public website and the database on a public subnet, and block all incoming requests from the Internet with a security group which only allows access from the IP of the public website.
    • Set up the public website on a public subnet and set up the database in a private subnet which connects to the Internet via a NAT instance.
    • Set up both the public website and the database on a private subnet and block all incoming requests from the Internet with a Network Access Control List (NACL). Set up a Security group between the public website and the database which only allows access via port 80.
    Explanation:
    For the database to reach the Internet for patch downloads, it must either sit on a public subnet, with inbound traffic restricted by a security group that allows access only from the web tier, or sit on a private subnet that reaches the Internet through a NAT instance. A NAT instance only forwards replies to connections the database itself initiated, so no unsolicited inbound traffic from the Internet reaches the database.
  18. Which statement is NOT true about accessing remote AWS region in the US by your AWS Direct Connect which is located in the US?

    • AWS Direct Connect locations in the United States can access public resources in any US region.
    • You can use a single AWS Direct Connect connection to build multi-region services.
    • Any data transfer out of a remote region is billed at the location of your AWS Direct Connect data transfer rate.
    • To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.
    Explanation:
    AWS Direct Connect locations in the United States can access public resources in any US region. You can use a single AWS Direct Connect connection to build multi-region services. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.
    To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session. Then your router learns the routes of the other AWS regions in the US. You can then also establish a VPN connection to your VPC in the remote region.
    Any data transfer out of a remote region is billed at the remote region data transfer rate.
  19. Which of the following statements is NOT correct when working with your AWS Direct Connect connection after it is set up completely?

    • You can manage your AWS Direct Connect connections and view the connection details.
    • You can delete a connection as long as there are no virtual interfaces attached to it.
    • You cannot view the current connection ID and verify if it matches the connection ID on the Letter of Authorization (LOA).
    • You can accept a host connection by purchasing a hosted connection from the partner (APN).
    Explanation:
    You can manage your AWS Direct Connect connections and view connection details, accept hosted connections, and delete connections. You can view the current status of your connection. You can also view your connection ID, which looks similar to this example dxcon-xxxx, and verify that it matches the connection ID on the Letter of Authorization (LOA) that you received from Amazon.
  20. Over which of the following Ethernet standards does AWS Direct Connect link your internal network to an AWS Direct Connect location?

    • Single mode fiber-optic cable
    • Multi-mode fiber-optic cable
    • Shielded balanced copper cable
    • Twisted pair cable
    Explanation:
    AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit or 10 gigabit Ethernet single mode fiber-optic cable.