AWS - Certified Solutions Architect VPC Networking and Security Questions and Answers

Question 1

A company has a three-tier web application running on EC2 instances within a VPC.
The web tier is in a public subnet, and the application and database tiers are in private subnets.
The application instances need to download software patches from the internet, but under no circumstances should they be directly accessible from the internet.
Which VPC component should be configured to allow this access?

Accepted Answer

A NAT Gateway placed in the public subnet with a route from the private subnets.

Answer

An Internet Gateway attached to the private subnets.

Answer

A VPC Peering connection to another VPC that has internet access.

Answer

An Egress-Only Internet Gateway.

Question 2

A solutions architect is designing a security model for a VPC. They need to implement a stateful firewall at the instance level. Which of the following AWS security features should be used to meet this requirement?

Accepted Answer

Security Groups

Answer

Network ACLs

Answer

AWS WAF

Answer

VPC Flow Logs

Question 3

An organization has two VPCs, VPC-A and VPC-B, in the same AWS Region. They need to enable private communication between EC2 instances in both VPCs as if they were on the same network. However, they have discovered that both VPCs were created with the same CIDR block (10.0.0.0/16). What is the primary limitation that prevents them from using a VPC Peering connection?

Accepted Answer

The VPCs have overlapping CIDR blocks.

Answer

VPC Peering does not support transitive routing.

Answer

The VPCs are in the same AWS account.

Answer

Security Groups cannot be referenced across a peering connection.

Question 4

A security team needs to implement a defense-in-depth strategy. They want to add a layer of security at the subnet level that can explicitly deny traffic from a list of known malicious IP addresses. Which VPC feature should they use?

Accepted Answer

Network Access Control Lists (NACLs)

Answer

Security Groups

Answer

Route Tables

Answer

An Internet Gateway

Question 5

A company wants to provide private and secure access to Amazon S3 from their EC2 instances located in a private subnet without the traffic traversing the public internet. Which is the most cost-effective and secure method to achieve this?

Accepted Answer

Configure a Gateway VPC Endpoint for Amazon S3.

Answer

Route the traffic through a NAT Gateway in a public subnet.

Answer

Establish a Direct Connect connection to the S3 service.

Answer

Use an Interface VPC Endpoint (PrivateLink) for Amazon S3.

Question 6

You have established a VPC peering connection between VPC-A and VPC-B. Additionally, VPC-A has a VPN connection to an on-premises corporate network. An EC2 instance in VPC-B needs to communicate with a server in the corporate network. What must be done to enable this communication?

Accepted Answer

Establish a separate VPN connection from VPC-B to the corporate network.

Answer

Configure the VPC-A route table to forward traffic from VPC-B to the Virtual Private Gateway.

Answer

Create a direct VPC peering connection between VPC-B and the corporate network.

Answer

Nothing, transitive routing will automatically allow the connection.