Cram Quiz 2 – Networking and Connectivity – SOA-C02 Study Guide

Cram Quiz

Answer these questions. The answers follow the last question. If you cannot answer these questions correctly, consider reading this section again until you can.

1. You are examining a route table in your VPC and find the following route entry: “Destination : 10.0.0.0/24 and Target : Local”. What type of route is this?

A. An automatically created route entry for traffic within the AZ

B. An automatically created route entry for traffic within the VPC

C. A default route for traffic destined for the Internet

D. A user-defined route for traffic between subnets within a VPC

2. You have created a private subnet in a VPC. Application servers in the private subnet require Internet access for updates. Which statement regarding this configuration is correct?

A. A NAT gateway is automatically created for each private subnet.

B. A NAT instance is automatically created and runs on EC2.

C. To allow Internet access, you should create a NAT gateway within a public subnet and update the route table used by the private subnet.

D. To allow Internet access, you should enable NAT on the Internet gateway and update the route table used by the private subnet.

3. You have public and private subnets in a VPC. In the public subnet, you have a bastion host that is accessible over port 3389. The network for the public subnet is 192.168.10.0/24. In the private subnet, you have an application server that must be accessible from the bastion host on port 80. The private subnet is network 192.168.20.0/24. A NAT gateway is used to provide Internet access to the private subnet. You are creating a security group for the application servers. Which rules must be manually configured in the security group? (Choose all that apply.)

A. Allow port 80 inbound from the bastion host.

B. Allow ports 80 and 3389 inbound from the bastion host.

C. Allow outbound traffic to the Internet from the application server via the NAT gateway.

D. Allow ports 80 and 3389 outbound to the bastion host.

Cram Quiz Answers

1. Answer: B is correct. Every route table within a VPC is automatically populated with a local route. This route is used for communication within the VPC.

2. Answer: C is correct. To allow Internet access, you should create a NAT gateway. You should modify the route table associated with the private subnet and create a default route that forwards traffic to the NAT gateway.

3. Answer: A is correct. Traffic from the bastion host to the application server is on port 80. You do not need to manually allow any outbound traffic because a security group allows all outbound traffic by default.

VPC Security

This section covers the following objective of Domain 5 (Networking and Content Delivery) from the official AWS Certified SysOps Administrator – Associate (SOA-C02) exam guide:

5.1 Implement networking features and connectivity

CramSaver

If you can correctly answer these questions before going through this section, save time by skimming the Exam Alerts in this section and then completing the Cram Quiz at the end of the section.

1. Which traffic is allowed by a new security group by default?

2. Is a network access control list stateless or stateful?

Answers

1. Answer: All outbound traffic is allowed, and all inbound traffic is blocked.

2. Answer: An NACL is stateless, which means it does not dynamically allow return traffic for existing connections.
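The following Python model is an added example, not part of the study guide or of any AWS SDK. It reproduces the quiz scenario from Cram Quiz question 3 and the two CramSaver answers: a bastion host and application server (constructed addresses 192.168.10.10 and 192.168.20.10 in a constructed 192.168.0.0/16 VPC), a route table with the automatic local route and a default route to a NAT gateway, a stateful security group, and a stateless NACL. It shows why the security group only needs the inbound port 80 rule from the bastion host (return traffic rides on connection tracking), while the NACL needs explicit rules in both directions, including the ephemeral port ranges, before the same session works.

```python
"""Constructed model of VPC route lookup, security groups and NACLs (not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Route table of the private subnet: the "local" route is created automatically in every
# VPC route table; the default route to the NAT gateway is the one the operator must add.
PRIVATE_ROUTES = [("192.168.0.0/16", "local"), ("0.0.0.0/0", "nat-gateway")]  # constructed

def route_lookup(routes, dst_ip):
    """Longest-prefix match: return the target of the most specific route covering dst_ip."""
    best = None
    for cidr, target in routes:
        net = ip_network(cidr)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the protected instance
    proto: str
    local_port: int
    peer_ip: str
    peer_port: int

    @property
    def dst_port(self):
        # Rules match on the destination port of the packet.
        return self.local_port if self.direction == "in" else self.peer_port

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str          # "tcp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACL rules may deny; security group rules are allow-only

    def matches(self, pkt):
        return (self.direction == pkt.direction and self.proto in (pkt.proto, "all")
                and self.port_from <= pkt.dst_port <= self.port_to
                and ip_address(pkt.peer_ip) in ip_network(self.cidr))

class SecurityGroup:
    """Stateful: only allow rules; return traffic of an allowed flow needs no rule of its own."""
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # connection-tracking table

    def permits(self, pkt):
        flow = (pkt.proto, pkt.local_port, pkt.peer_ip, pkt.peer_port)
        if flow in self.flows:
            return True                       # reply packet of a tracked flow
        if any(r.matches(pkt) for r in self.rules):
            self.flows.add(flow)
            return True
        return False                          # implicit deny

class NetworkAcl:
    """Stateless: each packet is checked against the numbered rules in order, no flow table."""
    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda nr: nr[0])   # (number, Rule), ascending

    def permits(self, pkt):
        for _, rule in self.rules:
            if rule.matches(pkt):
                return rule.action == "allow"   # first match wins
        return False                             # the catch-all "*" deny rule

# Constructed session, seen from the application server: the bastion opens HTTP on port 80,
# then the server fetches updates from an Internet host (203.0.113.5) through the NAT gateway.
BASTION, REPO = "192.168.10.10", "203.0.113.5"
SESSION = [
    Packet("in",  "tcp", 80,    BASTION, 50000),   # bastion -> app server, SYN
    Packet("out", "tcp", 80,    BASTION, 50000),   # app server -> bastion, SYN-ACK / response
    Packet("out", "tcp", 40000, REPO,    443),     # app server -> update repository
    Packet("in",  "tcp", 40000, REPO,    443),     # repository -> app server, reply
]

def security_group_results(outbound_default=True):
    """Quiz answer 3: inbound 80 from the bastion is the only rule the operator must add."""
    rules = [Rule("in", "tcp", 80, 80, BASTION + "/32")]
    if outbound_default:
        rules.append(Rule("out", "all", 0, 65535, "0.0.0.0/0"))   # default outbound rule
    sg = SecurityGroup(rules)
    return [sg.permits(p) for p in SESSION]

def nacl_results(with_ephemeral=True):
    """CramSaver answer 2: a NACL needs explicit rules for both directions of every flow."""
    rules = [(100, Rule("in",  "tcp", 80,  80,  "192.168.10.0/24")),
             (110, Rule("out", "tcp", 443, 443, "0.0.0.0/0"))]
    if with_ephemeral:   # return traffic uses ephemeral ports and must be allowed explicitly
        rules += [(120, Rule("out", "tcp", 1024, 65535, "192.168.10.0/24")),
                  (130, Rule("in",  "tcp", 1024, 65535, "0.0.0.0/0"))]
    nacl = NetworkAcl(rules)
    return [nacl.permits(p) for p in SESSION]

if __name__ == "__main__":
    print("route to bastion:", route_lookup(PRIVATE_ROUTES, BASTION))       # local
    print("route to repo:   ", route_lookup(PRIVATE_ROUTES, REPO))          # nat-gateway
    print("SG, default outbound:", security_group_results())
    print("SG, no outbound rule:", security_group_results(outbound_default=False))
    print("NACL, with ephemeral:", nacl_results())
    print("NACL, missing ephemeral:", nacl_results(with_ephemeral=False))
```

Removing the default outbound rule from the security group still leaves the bastion's HTTP session working, because the server's replies belong to a tracked inbound flow; only the server-initiated update fetch stops. Dropping the ephemeral-port rules from the NACL breaks the reply leg of both flows, which is the practical consequence of "stateless" that the CramSaver answer describes.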

AWS offers multiple security features within the VPC, each of which serves a different purpose. Some of these tools are native to other AWS services. For example, the AWS Application Load Balancer (ALB) features a Web Application Firewall (WAF) that can be used to detect malicious traffic. In this chapter, we focus on security features that are native to the AWS VPC.