Exercises – Inter-VPC and Multi-account Networking – ANS-C01 Study Guide

Exercises

1.Read and review the AWS VPC sharing documentation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html
2.Read and review the AWS VPC peering documentation:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-peering.html
3.Read and review the Transit Gateway Service documentation:
https://aws.amazon.com/transit-gateway
https://aws.amazon.com/transit-gateway/faqs
4.Read and review the AWS PrivateLink documentation:
https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/aws-privatelink.html
https://aws.amazon.com/privatelink/features
5.Know the details of the AWS Organizations service:
https://docs.aws.amazon.com/organizations
6.Understand the Resource Access Manager service:
https://aws.amazon.com/ram
7.Understand the AWS Active Directory services, their use cases, and how they are implemented:
https://aws.amazon.com/directoryservice

Review Questions

The following questions are designed to test your understanding of this chapter’s material. For more information on how to obtain additional questions, please see this book’s introduction.

  1. A group of developers in your Dublin office needs to access the AWS management console in your account. How can you provide access for each developer without having to create a separate IAM account for each developer?
    1. Implement VPC peering from the developer VPC into yours
    1. Add console rights for the Dublin developers into your AWS authorization account permissions table
    1. Use your on-premises SAML 2.0 identity provider
    1. Modify the VPC network ACL to allow access for the developers based on their authentication credentials
  2. Carol is asking for help locating a single AWS utility that will enable her to access a single management location used to create new AWS accounts, link the existing accounts, and share resources among the accounts. Which service would you recommend she implement?
    1. Organizations
    1. Cognito
    1. AWS Authentication
    1. Macie
    1. Secrets Manager
  3. Your finance and accounting manager has been reviewing the company’s AWS spending and is asking you to reduce service duplication between the development, test, and production accounts. What tool could you use to consolidate your AWS services and share them between the three groups?
    1. Deploy MPLS and consolidate the multiple private link services
    1. Implement Active Directory Connector for federated access
    1. Use the Resource Access Manager tool
    1. Deploy a SAML 2.0 identity service provider
    1. Use the AWS Transit Gateway service
  4. Many of your WAN links are underutilized, and certain company traffic flows are experiencing network jitter. You are looking for a technology that you can implement that offers a single point of control to optimize your backbone network. What technology would you explore to meet your needs?
    1. OSPF
    1. eBGP
    1. MPLS
    1. SD-WAN
    1. CloudWatch
  5.  You have been tasked to simplify your AWS Organizations structure in preparation for a new Service Control Policy rollout. Which technique would you use to accomplish this?
    1. Organizational units
    1. Simple Directory Services
    1. Workflow services
    1. Cloud HSM
  6. You want to give your development and test teams the ability to share IP subnets between each other for less duplication of resources, such as EC2 instances, while allowing the application owners to continue to manage their own resources, security, and account structure. The requirement is for each VPC account owner to create, manage, and delete their own VPC resources but not in the other group’s VPC that they do not manage. What would you implement to achieve the requirements?
    1. Cloud Connect
    1. VPC sharing
    1. Direct Connect
    1. Site-to-site VPN
  7. Your company’s AWS Organizations account is being audited by an outside security and compliance provider. They are asking you to implement restrictions assigned at the Organizations root level to block lower-level organization member accounts from implementing any Redshift services. What could you do to create a global policy that prohibits creating any Redshift services and apply it to all accounts in your organization?
    1. Service control policies
    1. IAM policies
    1. Label service policies
    1. Create the restrictions in Active Directory and apply it to all groups
  8. You need to connect your SAN service provider’s SD-WAN to access your AWS cloud services. You have implemented the AWS Transit Gateway service. What additional steps would you need to take to integrate the SD-WAN service?
    1. Implement VPC peering
    1. Use the Kinesis data pipeline
    1. Use the Transit Gateway attachment
    1. Deploy CloudFront