VPC and Networking

Question 1

A company needs to create a VPC with support for 500 hosts distributed across public and private subnets. The architect must select a CIDR block that allows future growth without wasting IP addresses. Which CIDR block is most appropriate?

Accepted Answer

10.0.0.0/22 (1,024 IP addresses)

Answer

10.0.0.0/16 (65,536 IP addresses)

Answer

10.0.0.0/23 (512 IP addresses)

Answer

10.0.0.0/24 (256 IP addresses)

Question 2

An architect designs a VPC with EC2 instances in private subnets that need to access the Internet to download software updates, but should not be accessible from the Internet. Which components must be configured? (Select TWO)

Accepted Answer

Answer

NAT Gateway in public subnet with 0.0.0.0/0 route from private subnet

Answer

Route Table configured with route to NAT Gateway

Answer

Internet Gateway directly connected to private subnet

Answer

Security Group allowing outbound traffic to 0.0.0.0/0

Answer

VPN Gateway for Internet connection

Question 3

A web application on EC2 needs protection against DDoS attacks and web application exploits. The architect must implement multi-layer security. Which services should be combined? (Select TWO)

Accepted Answer

Answer

AWS Shield Standard for automatic DDoS protection at network layer

Answer

AWS WAF to filter malicious HTTP/HTTPS traffic with custom rules

Answer

VPC Flow Logs to block attacks in real-time

Answer

Security Groups with stateless rules for dynamic blocking

Answer

CloudTrail for web attack prevention

Question 4

A company has two VPCs in the same region (VPC-A: 10.0.0.0/16 and VPC-B: 10.1.0.0/16) that need to communicate privately. The architect must enable bidirectional communication between VPCs. Which solution to implement most simply?

Accepted Answer

Create VPC Peering connection between VPC-A and VPC-B with updated route tables

Answer

Configure Transit Gateway with route tables for both VPCs

Answer

Use Internet Gateway with VPN for secure connection

Answer

Implement AWS PrivateLink with multiple endpoints

Question 5

A serverless application on Lambda needs to access an RDS database in a private VPC without exposing the database to the Internet. Which configuration is correct to allow this access?

Accepted Answer

Configure Lambda with VPC configuration pointing to private subnets where RDS resides

Answer

Place Lambda in public subnet with NAT Gateway

Answer

Use RDS Proxy with public endpoint for Lambda

Answer

Create Internet Gateway for Lambda to access RDS

Question 6

An architect needs to allow EC2 instances in private subnets to access S3 without traffic going to public Internet for security and cost reasons. Which component should be implemented most efficiently?

Accepted Answer

VPC Gateway Endpoint for S3 with route table update

Answer

NAT Gateway with route to Internet Gateway

Answer

VPC Interface Endpoint with ENI in each subnet

Answer

VPN Connection for private S3 access

Question 7

A company needs to establish dedicated low-latency connectivity (1-10 Gbps) between its on-premises datacenter and AWS to migrate large data volumes and run hybrid applications. Which solution provides the most reliable and highest performance connection?

Accepted Answer

AWS Direct Connect with dedicated 10 Gbps connection

Answer

Site-to-Site VPN over public Internet with multiple tunnels

Answer

CloudFront with Origin Shield for static content

Answer

VPC Peering between on-premises and AWS

Question 8

An architect designs security for a multi-tier application where web servers in public subnet must communicate with application servers in private subnet. What is the key difference between Security Groups and Network ACLs to consider?

Accepted Answer

Security Groups are stateful (return traffic automatic), Network ACLs are stateless (require explicit inbound and outbound rules)

Answer

Security Groups operate at subnet level, Network ACLs at instance level

Answer

Security Groups only support DENY rules, Network ACLs support ALLOW and DENY

Answer

Security Groups are evaluated after Network ACLs in traffic flow

Question 9

A company has 50 VPCs across multiple regions that need to communicate with each other with centralized and simplified routing. Which service provides the most scalable solution to connect multiple VPCs?

Accepted Answer

AWS Transit Gateway with centralized route tables

Answer

Create VPC Peering connections between each pair of VPCs (mesh topology)

Answer

Use multiple Site-to-Site VPN connections

Answer

Implement Direct Connect Gateway per region

Question 10

An architect needs to allow SSH access to EC2 instances in private subnets for administration. Administrators connect from corporate office. What is the most secure architecture to provide this access?

Accepted Answer

Bastion Host (Jump Box) in public subnet with SSH access limited from corporate IP, then SSH to private instances

Answer

Place all instances in public subnet with restrictive Security Group

Answer

Open SSH port directly on NAT Gateway

Answer

Create Internet Gateway with integrated VPN for SSH access