AWS-Advanced Networking-Specialty Practice

by Colette Robinson IT Certification

Question: 1

 

Considering your knowledge of both the OSI and TCP/IP models - select the following statement which you consider to NOT be true.

 

A. The TCP/IP Application layer maps to 2 of the OSI Layers

B. The top layer in the OSI model is named the Application layer

C. The TCP/IP Application layer maps to 3 of the OSI Layers

D. The top layer in the TCP/IP model is named the Application layer

 

Answer: A   

 

Explanation:

The OSI model is a 7 layered model. The TCP/IP model is a 4 layered model. The top layer in both models is called the Application layer. The TCP/IP Application layer maps to the top 3 OSI layers (Application, Presentation, and Session layers).

Reference: https://en.wikipedia.org/wiki/OSI_model

 

Question: 2

 

From the following options, select the answer that correctly describes the implementation of the HTTP protocol

 

A. By definition, HTTP is a connection-less oriented protocol and therefore utilises TCP

B. By definition, HTTP is a connection orientated protocol and therefore utilises TCP

C. By definition, HTTP is a connection-less oriented protocol and therefore utilises UDP

D. By definition, HTTP can be configured to be either connection or connection-less oriented - by specifying the appropriate HTTP header.

 

Answer: B   

 

Explanation:

HTTP is a connection orientated protocol and therefore utilises TCP

Reference: https://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol

 

Question: 3

 

You have just provisioned a new VPC a with a CIDR block of 172.16.12.0/24. The entire CIDR block is fully utilised by subdividing it into 6 subnets, we will refer to these as Subnet1 through to Subnet6. The first 2 subnets (Subnet1 and Subnet2) are the same size. The last 4 subnets (Subnet3, Subnet4, Subnet5, Subnet6) are also the same size. Subnet5 is half the size of Subnet2. The address space as occupied by the first two subnets is contiguous, as is the address space occupied by the last 4 subnets. Within Subnet3 AWS reserves the address 172.16.12.129 for the VPC router. Select the correct IP address reserved by AWS for DNS in the Subnet2.

 

A. 172.16.64.1

B. 172.16.64.65

C. 172.16.12.66

D. 172.16.12.64

 

Answer: C   

 

Explanation:

From the documentation above - we know AWS reserves the address x.x.x.1 for the VPC router, and x.x.x.2 for DNS from within each subnet. This question states that Subnet 3 reserves 172.16.12.130 for the VPC router. Given that we now know that the Subnet3 (the 1st of the last 4 Subnets) starts at 172.16.12.128 - then it must follow that Subnet2 ends at 172.16.12.127. From here we know we have 128 addresses that are halved evenly between Subnet1 and Subnet2 - 128/2 = 64 or /26 in CIDR form. Therefore it follows that the address reserved by AWS for DNS in the Subnet2 must be 172.16.12.66

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

 

Question: 4

 

Select the VPC Peering statement below that is NOT true

 

A. VPC peering supports transitive peering relationships for IPv6 traffic but not IPv4

B. VPC peering can be performed between VPCs in different AWS accounts in the same region

C. TCP connections can be performed between peered VPCs

D. UDP connections can be performed between peered VPCs

 

Answer: A    

 

Explanation:

VPC peering supports transitive peering relationships for IPv4 and IPv6 traffic

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-basics.html#vpc-peering-limitations

 

Question: 5

 

Select the answer/s that correctly state how Jumbo Frames work

 

A. Jumbo Frames assist with application disk storage

B. Jumbo Frames can assist with application performance

C. Jumbo Frames are supported across Virtual Private Gateway connections

D. Jumbo Frames are enabled by increasing the MTU size to 9000 kilobytes

 

Answer: B   

 

Explanation:

We know by definition that Jumbo Frames support 9000 byte MTU - therefore Answer 1 is incorrect (the stated unit is kilobytes). Jumbo Frames is a data transmission unit configuration option - it does not change or alter anything related to security - therefore Answer 2 is incorrect. Answer 3 is correct - we can get improved application performance when used within appropriate scenarios. Jumbo Frames are not supported over VPG IPsec VPN connections - therefore Answer 4 is incorrect. Answer 5 is nonsensical - Jumbo Frames is a networking construct and has nothing to do with disk storage.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html

Question: 6

 

You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24x7 for this particular connection, as real-time data is passed continually backwards and forwards between your on-prem bioinformatics enterprise application, and the number crunching servers deployed in the cloud. Any potential latency incurred on this connection will have a direct impact on the company's ability to attract investors and expansion into new markets. Select the correct network configuration that best facilitates your company's continued growth plans.

 

A. Provision a Direct Connect connection - between your service provider's data center and the AWS region that your cloud compute resources exist in . Configure just a Private Virtual

Interface. As this is a Direct Connection, a Virtual Private Gateway is not required

B. Configure a site-to-site layer 2 software router using OpenVPN within your VPC and ensure that QoS enabled - this is a secure and cheap option

C. Configure a site-to-site layer 3 software router using OpenVPN within your VPC and ensure that QoS enabled - this is a secure and cheap option

D. Provision a Direct Connect connection - between your existing service provider's data center and the AWS region that your cloud compute resources exist in. Configure a Virtual Private Gateway and Private Virtual Interface

 

Answer: D   

 

Explanation:

Answers A, B, and C all rely on an Internet connection. An Internet connection cannot guarantee QoS and will be subject to performance fluctuations - therefore they are all incorrect options. The only difference between these options is whether a Virtual Private Gateway is required - the answer is yes and therefore the correct answer is D.

Reference: https://aws.amazon.com/directconnect/faqs/

 

Question: 7

 

You are your company’s AWS cloud architect. You have created a VPC topology that consists of 3 VPCs. You have a centralised VPC (VPC-Shared) that provides shared services to the remaining 2 departmental dedicated VPCs (VPC-Dept1 and VPC-Dept2). The centralised VPC is VPC peered to both of the departmental VPCs, that is a VPC peering connection exists between VPC-Shared and VPC-Dept1, and a VPC peering connection exists between VPC-Shared and VPC-Dept2. Select the correct option from the list below.

 

A. Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Shared instances as the default peering bi-directional communication flag has been disabled.

B. Instances within VPC-Dept1 can communicate directly with instances in VPC-Shared, as long as the appropriate routes and security groups are in place, and vice versa regardless of who initiates communication

C. All network communication remains blocked between all VPCs until the respective peering bi-directional communication flags are set to the appropriate setting that allows traffic to flow.

D. Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Shared instances as the default peering bi-directional communication flag has been enabled.

 

Answer: B   

 

Explanation:

Answers A, C and D are incorrect answers as they reference a non-existing setting - there is no such thing as a “default peering bi-directional communication flag”.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/peering-configurations-partial-access.html#one-to-two-vpcs-instances

 

Question: 8

 

In your current role as the corporate network architect - you have decided to replace your existing hardware firewall appliances with a pair of Juniper SRX-Series Services Gateways. You have chosen these as AWS lists these as supportable devices for establishing IPsec connections. With this in mind, select the minimum set of options to ensure that you can establish IPsec connectivity between your on premise private corporate network and your AWS hosted VPC. Select which option is NOT required

 

A. Initiate network connections from somewhere within your corporate network, this is required to bring the tunnels UP

B. Deploy a Customer Gateway within your corporate network

C. Deploy a Customer Gateway within your VPC

D. Deploy a Virtual Private Gateway within your VPC

 

Answer: B   

 

Explanation:

A customer gateway within the corporate network is NOT required.

The Customer Gateway (CGW) is a component that you deploy within your VPC that logically represents you VPN physical hardware’s perimeter public IP - therefore Answer C is required.

A Virtual Private Gateway (VPG) is the AWS VPN Concentrator end point - and is always a requirement that needs to be deployed in your VPC - therefore it must always be deployed - therefore Answer D is required

AWS only supports IPsec in Tunnel mode - therefore Answer A is required.

Reference: https://aws.amazon.com/vpc/faqs/

 

Question: 9

 

The IPsec protocol suite is made up of various components covering aspects such as confidentiality, encryption, and integrity. Select the correct statement below regarding the correct configuration options for ensure IPsec confidentiality:

 

A. The following protocols may be used to configure IPsec confidentiality, DES, 3DES, MD5

B. The following protocols may be used to configure IPsec confidentiality, DES, 3DES, AES

C. The following protocols may be used to configure IPsec confidentiality, PSK, RSA

D. The following protocols may be used to configure IPsec confidentiality, PSK, MD5

E. The following protocols may be used to configure IPsec confidentiality, PSK, RSA

 

Answer: B   

 

Explanation:

Answer A is incorrect - as MD5 is a hashing protocol (data integrity)

Answer C is incorrect - as PSK is short for Pre-Shared Keys (key exchange) - and again MD5 is a hashing protocol (data integrity)

Answer D is incorrect - as both MD5 and SHA are hashing protocols (data integrity)

Answer E is incorrect - as both PSK and RSA are used for key exchanges

This leaves Answer B is the only correct IPsec configuration covering confidentiality. DES, 3DES, and AES are all encryption protocols.

Reference: https://en.wikipedia.org/wiki/IPsec

 

Question: 10

 

Which of the following statements does not describe Jumbo Frames in an AWS VPC environment?

 

A. For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible

B. Jumbo Frames are not supported for traffic that exits the Virtual Private Gateway

C. Jumbo Frames are not supported for traffic that exits the Internet Gateway

D. T2.micro instances do not support Jumbo Frames

 

Answer: D   

 

Explanation:

All answers except for Answer D are correct. Answer D is incorrect in that AWS does indeed support Jumbo Frames on all instance types within the T2 family class - including the T2.micro instance type..

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html

 

Question: 11

 

Within the TCP/IP model what is the name of the Packet Data Unit (PDU) used between Transport Layers for communication between sender and receiver

 

A. Frames

B. Packets

C. Data

D. Segments

 

Answer: D   

 

Explanation:

Segments is the PDU used between transport layers

Reference: https://en.wikipedia.org/wiki/Transmission_Control_Protocol

 

Question: 12

 

Considering the rules of IPv4 subnetting, how many subnets and hosts per subnet are possible given the following network 192.168.130.130/28? (in this question ignore the fact that AWS reserves 5 IP addresses)

 

A. 8 subnets and 30 hosts per subnet

B. 16 subnets and 14 hosts per subnet

C. 32 subnets and 30 hosts per subnet

D. 8 subnets and 14 hosts per subnet

 

Answer: B   

 

Explanation:

16 subnets and 14 hosts per subnet are possible in the CIDR

Reference: https://en.wikipedia.org/wiki/IPv4_subnetting_reference