AWS - Certified Solutions Architect VPC Networking and Security Questions and Answers

Question 1

A company has a three-tier web application running on EC2 instances within a VPC. The web tier is in a public subnet, and the application and database tiers are in private subnets. The application instances need to download software patches from the internet, but under no circumstances should they be directly accessible from the internet. Which VPC component should be configured to allow this access?

Accepted Answer

A NAT Gateway placed in the public subnet with a route from the private subnets.

Answer

A NAT (Network Address Translation) Gateway is designed for this exact scenario. Placed in a public subnet, it uses an Elastic IP address to route traffic from instances in a private subnet to the internet. The Internet Gateway then allows the outbound traffic to the internet. This setup enables the private instances to initiate outbound connections while preventing any inbound connections from being initiated from the internet, thus keeping them secure.

Question 2

A solutions architect is designing a security model for a VPC. They need to implement a stateful firewall at the instance level. Which of the following AWS security features should be used to meet this requirement?

Accepted Answer

Security Groups

Answer

Security Groups act as a virtual firewall for EC2 instances to control inbound and outbound traffic at the instance level. They are stateful, which means that if you allow an inbound request, the corresponding outbound response is automatically allowed, regardless of outbound rules. Network ACLs, in contrast, are stateless and operate at the subnet level.

Question 3

An organization has two VPCs, VPC-A and VPC-B, in the same AWS Region. They need to enable private communication between EC2 instances in both VPCs as if they were on the same network. However, they have discovered that both VPCs were created with the same CIDR block (10.0.0.0/16). What is the primary limitation that prevents them from using a VPC Peering connection?

Accepted Answer

The VPCs have overlapping CIDR blocks.

Answer

A fundamental requirement for establishing a VPC Peering connection is that the VPCs must not have matching or overlapping IPv4 CIDR blocks. Since both VPC-A and VPC-B use 10.0.0.0/16, a peering connection cannot be created. Transitive peering is a limitation, but not the one that applies here. Peering can be done within the same account or across accounts.

Question 4

A security team needs to implement a defense-in-depth strategy. They want to add a layer of security at the subnet level that can explicitly deny traffic from a list of known malicious IP addresses. Which VPC feature should they use?

Accepted Answer

Network Access Control Lists (NACLs)

Answer

Network Access Control Lists (NACLs) operate at the subnet level and support both allow and deny rules. This makes them the ideal tool for blacklisting specific IP addresses or ranges at the subnet boundary. Security groups, on the other hand, only support allow rules and cannot be used to explicitly deny traffic.

Question 5

A company wants to provide private and secure access to Amazon S3 from their EC2 instances located in a private subnet without the traffic traversing the public internet. Which is the most cost-effective and secure method to achieve this?

Accepted Answer

Configure a Gateway VPC Endpoint for Amazon S3.

Answer

A Gateway VPC Endpoint for Amazon S3 is the correct solution. It provides a private connection between your VPC and S3 by creating a route table entry that directs S3-bound traffic to the endpoint instead of over the internet. This is highly secure and cost-effective as data transfer via a gateway endpoint within the same region is free. Using a NAT gateway would send traffic over the internet and incur data processing costs.

AWS Practice Test

AWS Practice Test

AWS - Certified Solutions Architect VPC Networking and Security Questions and Answers