AWS Virtual Private Cloud Exam Practice Questions:

  1. You have a business-to-business web application running in a VPC consisting of an Elastic Load Balancer (ELB), web servers, application servers and a database. Your web application should only accept traffic from predefined customer IP addresses. Which two options meet this security requirement? Choose 2 answers
    1. Configure web server VPC security groups to allow traffic from your customers’ IPs
    2. Configure your web servers to filter traffic based on the ELB’s “X-Forwarded-For” header
    3. Configure ELB security groups to allow traffic from your customers’ IPs and deny all outbound traffic
    4. Configure a VPC NACL to allow web traffic from your customers’ IPs and deny all outbound traffic

Answer: 2 and 3. The ELB terminates the client connection, so the web servers see the ELB’s address as the source; the customer IP is visible only at the ELB’s own security group and in the X-Forwarded-For header the ELB adds. Option 1 cannot work because the web server security group only ever sees the ELB. Option 4 fails because NACLs are stateless: denying all outbound drops every response. Two practical caveats: the header is trustworthy only if the web servers accept connections solely from the ELB’s security group (otherwise a client can connect directly and forge it), and a real ELB security group still needs outbound rules to the instances for listener and health-check traffic.
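As an added example (not code from the original page), here is the X-Forwarded-For filtering from option 2 in Python. The allowlist networks and header values are constructed for illustration, and the code assumes a single trusted proxy (the ELB) directly in front of the web server; the `trusted_proxies` parameter is this example’s own name for that assumption.

```python
import ipaddress

# Constructed allowlist of customer networks (illustrative values, not from the page).
ALLOWED_CUSTOMER_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]


def client_ip_from_xff(xff_header, trusted_proxies=1):
    """Return the client address that the trusted proxy chain actually observed.

    A load balancer appends the connecting peer's address to whatever
    X-Forwarded-For the client sent, so only the rightmost entries, one per
    trusted hop, were written by infrastructure we control. Everything to the
    left is attacker-controlled and must never drive an access decision.
    With one trusted proxy (the ELB) that is the last entry; with a CDN in
    front of the ELB it is the second from the right, and so on.
    """
    if not xff_header or trusted_proxies < 1:
        return None
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return None  # fewer hops than trusted proxies: the header did not pass through them
    try:
        return ipaddress.ip_address(hops[-trusted_proxies])
    except ValueError:
        return None  # malformed entry: fail closed


def is_allowed_client(xff_header, allowed=ALLOWED_CUSTOMER_NETWORKS, trusted_proxies=1):
    """True only when the proxy-observed client address lies inside an allowed network."""
    client = client_ip_from_xff(xff_header, trusted_proxies)
    return client is not None and any(client in net for net in allowed)


if __name__ == "__main__":
    # Constructed header values, as they would arrive behind the ELB.
    print(is_allowed_client("203.0.113.9"))              # genuine customer
    print(is_allowed_client("203.0.113.9, 192.0.2.44"))  # forged prefix; real peer is 192.0.2.44
```

The check only holds if the web servers’ security group accepts HTTP/HTTPS from the ELB’s security group alone; anyone who can reach a web server directly can set the header to whatever they like and walk past the allowlist.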

  2. A user has created a VPC with public and private subnets using the VPC Wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. Which of the below mentioned entries is required in the main route table to allow the instances in the VPC to communicate with each other?
    1. Destination: 20.0.0.0/24 and Target: VPC
    2. Destination: 20.0.0.0/16 and Target: ALL
    3. Destination: 20.0.0.0/0 and Target: ALL
    4. Destination: 20.0.0.0/16 and Target: Local

Answer: 4. Destination: 20.0.0.0/16 and Target: Local. Every route table in a VPC carries this local route for the VPC CIDR automatically; it cannot be deleted, and it is what lets subnets reach each other.

  3. A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the internet?
    1. Use the internet gateway with a private IP
    2. Allow outbound traffic in the security group for port 80 to allow internet updates
    3. The private subnet can never connect to the internet
    4. Use NAT with an elastic IP

Answer: 4. Use NAT with an elastic IP. The instances keep only private addresses; a NAT device in the public subnet (a NAT instance in this question, a NAT gateway today) translates their outbound traffic to its Elastic IP, and no inbound connection from the internet can reach them.

  4. A user has launched an EC2 instance and installed a website with the Apache web server. The web server is running but the user is not able to access the website from the internet. What can be the possible reason for this failure?
    1. The security group of the instance is not configured properly.
    2. The instance is not configured with the proper key pairs.
    3. The Apache website cannot be accessed from the internet.
    4. The instance is not configured with an elastic IP.

Answer: 1. The security group of the instance is not configured properly. A new security group allows no inbound traffic, so port 80 must be opened explicitly; key pairs only affect SSH/RDP login, and the public address does not have to be an Elastic IP.

  5. A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is true in this scenario?
    1. AWS VPC will automatically create a NAT instance with the micro size
    2. VPC binds the main route table to the private subnet and a custom route table to the public subnet
    3. The user has to manually create a NAT instance
    4. VPC binds the main route table to the public subnet and a custom route table to the private subnet

Answer: 2. VPC binds the main route table to the private subnet and a custom route table to the public subnet. The wizard keeps the main route table, which any subnet created later inherits, free of an internet route, so a new subnet is private unless it is explicitly associated with the public route table.

  6. A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring the security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group?
    1. For Inbound allow Source: 20.0.1.0/24 on port 80
    2. For Outbound allow Destination: 0.0.0.0/0 on port 80
    3. For Inbound allow Source: 20.0.0.0/24 on port 80
    4. For Outbound allow Destination: 0.0.0.0/0 on port 443

Answer: 3. For Inbound allow Source: 20.0.0.0/24 on port 80. Instances in the public subnet reach the internet through the internet gateway and never pass through the NAT instance, so the NAT security group only needs to admit the private subnet (20.0.1.0/24).

  7. A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the web server security group (WebSecGrp)?
    1. Configure Destination as DB Security Group ID (DBSecGrp) for port 3306 Outbound
    2. Configure port 80 for Destination 0.0.0.0/0 Outbound
    3. Configure port 3306 for Source 20.0.0.0/24 Inbound
    4. Configure port 80 Inbound for Source 20.0.0.0/16

Answer: 1. Configure Destination as DB Security Group ID (DBSecGrp) for port 3306 Outbound. Referencing the database group by ID rather than by CIDR keeps the rule correct as database instances are replaced, and the web tier never needs to accept 3306 inbound.

  8. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 by mistake. The user is trying to create another subnet with CIDR 20.0.0.1/24. How can the user create the second subnet?
    1. There is no need to update the subnet as VPC automatically adjusts the CIDR of the first subnet based on the second subnet’s CIDR
    2. The user can modify the first subnet CIDR from the console
    3. It is not possible to create a second subnet as one subnet with the same CIDR as the VPC has been created
    4. The user can modify the first subnet CIDR with the AWS CLI

Answer: 3. It is not possible to create a second subnet as one subnet with the same CIDR as the VPC has been created. A subnet’s CIDR cannot be changed after creation; the first subnet consumes the entire VPC range and has to be deleted before any other subnet can exist.

  9. A user has set up a VPC with CIDR 20.0.0.0/16. The VPC has a private subnet (20.0.1.0/24) and a public subnet (20.0.0.0/24). The user’s data centre has CIDRs 20.0.54.0/24 and 20.1.0.0/24. If the private subnet wants to communicate with the data centre, what will happen?
    1. It will allow traffic communication on both the CIDRs of the data centre
    2. It will not allow traffic with the data centre on CIDR 20.1.0.0/24 but allows traffic communication on 20.0.54.0/24
    3. It will not allow traffic communication on any of the data centre CIDRs
    4. It will allow traffic with the data centre on CIDR 20.1.0.0/24 but does not allow it on 20.0.54.0/24

Answer: 4. It will allow traffic with the data centre on CIDR 20.1.0.0/24 but does not allow it on 20.0.54.0/24. 20.0.54.0/24 falls inside the VPC CIDR 20.0.0.0/16, so the local route claims it and packets never leave the VPC; 20.1.0.0/24 is outside the VPC and can be routed to the virtual private gateway.

  10. A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. The NAT instance ID is i-a12345. Which of the below mentioned entries is required in the main route table attached to the private subnet to allow instances to connect to the internet?
    1. Destination: 0.0.0.0/0 and Target: i-a12345
    2. Destination: 20.0.0.0/0 and Target: 80
    3. Destination: 20.0.0.0/0 and Target: i-a12345
    4. Destination: 20.0.0.0/24 and Target: i-a12345

Answer: 1. Destination: 0.0.0.0/0 and Target: i-a12345. The default route sends everything not covered by the local route to the NAT instance; for this to work the NAT instance must also have source/destination checking disabled.

  11. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet (20.0.0.0/24) and a VPN-only subnet (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user’s data centre. The user’s data centre has CIDR 172.28.0.0/12. The user has also set up a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet. Which of the below mentioned options is not a valid entry for the main route table in this scenario?
    1. Destination: 20.0.1.0/24 and Target: i-123456
    2. Destination: 0.0.0.0/0 and Target: i-123456
    3. Destination: 172.28.0.0/12 and Target: vgw-12345
    4. Destination: 20.0.0.0/16 and Target: local

Answer: 1. Destination: 20.0.1.0/24 and Target: i-123456. That destination lies inside the VPC CIDR, which the local route already covers, and the exam treats any route for a destination within the VPC CIDR as invalid. (AWS has since allowed routes more specific than the local route for a limited set of targets, but the question bank predates that.)

  12. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 in this VPC. The user is trying to create another subnet in the same VPC with CIDR 20.0.0.1/24. What will happen in this scenario?
    1. The VPC will modify the first subnet CIDR automatically to allow the second subnet IP range
    2. It is not possible to create a subnet with the same CIDR as the VPC
    3. The second subnet will be created
    4. It will throw a CIDR overlap error

Answer: 4. It will throw a CIDR overlap error. A subnet may use the whole VPC CIDR, but subnet ranges inside a VPC cannot overlap, and the first subnet already occupies every address.

  13. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created both Public and VPN-Only subnets along with hardware VPN access to connect to the user’s data centre. The user has not yet launched any instance, nor modified or deleted any part of the setup. He wants to delete this VPC from the console. Will the console allow the user to delete the VPC?
    1. Yes, the console will delete all the setup and also delete the virtual private gateway
    2. No, the console will ask the user to manually detach the virtual private gateway first and then allow deleting the VPC
    3. Yes, the console will delete all the setup and detach the virtual private gateway
    4. No, since the NAT instance is running

Answer: 3. Yes, the console will delete all the setup and detach the virtual private gateway. The public/VPN-only template launches no NAT instance, so nothing blocks deletion; the virtual private gateway is detached rather than deleted because it is a separate resource.

  14. A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring a security group for the public subnet (WebSecGrp) and the private subnet (DBSecGrp). Which of the below mentioned entries is required in the private subnet database security group (DBSecGrp)?
    1. Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp)
    2. Allow Inbound on port 3306 from Source 20.0.0.0/16
    3. Allow Outbound on port 3306 for Destination Web Server Security Group (WebSecGrp)
    4. Allow Outbound on port 80 for Destination NAT Instance IP

Answer: 1. Allow Inbound on port 3306 for Source Web Server Security Group (WebSecGrp). Option 2 would also work technically but admits every host in the VPC; scoping the source to the web tier’s group is the least-privilege choice. Security groups are stateful, so no outbound rule is needed for the replies.

  15. A user has created a VPC with a subnet and a security group. The user has launched an instance in that subnet and attached a public IP. The user is still unable to connect to the instance. The internet gateway has also been created. What can be the reason for the error?
    1. The internet gateway is not configured in the route table
    2. The private IP is not present
    3. The outbound traffic on the security group is disabled
    4. The internet gateway is not configured with the security group

Answer: 1. The internet gateway is not configured in the route table. Creating and attaching an internet gateway is not enough; the subnet’s route table needs a 0.0.0.0/0 route pointing at it.

  16. A user has created a subnet in a VPC and launched an EC2 instance within it. The user did not select the option to assign a public IP address while launching the instance. Which of the below mentioned statements is true with respect to the instance requiring access to the internet?
    1. The instance will always have a public DNS name attached by default
    2. The user can directly attach an elastic IP to the instance
    3. The instance will never launch if the public IP is not assigned
    4. The user would need to create an internet gateway and then attach an elastic IP to the instance to connect from the internet

Answer: 4. The user would need to create an internet gateway and then attach an elastic IP to the instance to connect from the internet. An Elastic IP alone achieves nothing without an internet gateway attached to the VPC and a route to it from the subnet.

  17. A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is not true in this scenario?
    1. VPC will create a routing instance and attach it to a public subnet
    2. VPC will create two subnets
    3. VPC will create one internet gateway and attach it to the VPC
    4. VPC will launch one NAT instance with an elastic IP

Answer: 1. VPC will create a routing instance and attach it to a public subnet. Routing in a VPC is done by route tables, not by an instance; the wizard creates the subnets, the internet gateway and (in its legacy form) a NAT instance with an Elastic IP.

  18. A user has created a VPC with a public subnet. The user has created a security group for that VPC. Which of the below mentioned statements is true when a security group is created?
    1. It can connect to AWS services, such as S3 and RDS, by default
    2. It will allow all inbound traffic by default
    3. It will allow all outbound traffic by default
    4. It will by default allow traffic to the internet gateway

Answer: 3. It will allow all outbound traffic by default. A new security group has no inbound rules and a single outbound rule permitting all traffic; whether that traffic actually reaches S3, RDS or the internet depends on routing and on the destination’s own rules.
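Questions 1, 7, 14 and 18 all rest on how a security group differs from a network ACL: a security group has allow rules only, may name another group as the source, and is stateful, so a reply never needs a rule; a network ACL is a numbered allow/deny list evaluated in order, stateless, and ends in an implicit deny. The following Python model is an added example, not code from the page or from AWS; the `SecurityGroup` class, the rule tuples and the sample addresses are constructed for illustration.

```python
import ipaddress


def _source_matches(source, peer_ip, peer_group):
    """A rule source is either a CIDR or the id of another security group."""
    if source.startswith("sg-"):
        return source == peer_group
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(source)


class SecurityGroup:
    def __init__(self, group_id, inbound=(), outbound=None):
        self.group_id = group_id
        self.inbound = list(inbound)  # entries are (port or None for all, source)
        # A new group has no inbound rules and one outbound rule allowing everything (Q18).
        # Passing outbound=[] models "deny all outbound".
        self.outbound = [(None, "0.0.0.0/0")] if outbound is None else list(outbound)

    def allows(self, rules, port, peer_ip, peer_group):
        return any((p is None or p == port) and _source_matches(src, peer_ip, peer_group)
                   for p, src in rules)


def sg_allows_connection(src_ip, src_sg, dst_ip, dst_sg, port):
    """A new connection needs an outbound match on the source group and an inbound match
    on the destination group. Stateful: the reply is allowed automatically."""
    return (src_sg.allows(src_sg.outbound, port, dst_ip, dst_sg.group_id)
            and dst_sg.allows(dst_sg.inbound, port, src_ip, src_sg.group_id))


def nacl_decision(rules, ip, port):
    """rules: (number, cidr, (low, high), 'allow'|'deny'); the lowest-numbered match
    wins, and no match at all means deny (the implicit '*' rule)."""
    addr = ipaddress.ip_address(ip)
    for _number, cidr, (low, high), action in sorted(rules, key=lambda r: r[0]):
        if addr in ipaddress.ip_network(cidr) and low <= port <= high:
            return action == "allow"
    return False


def nacl_allows_connection(inbound, outbound, client_ip, service_port, ephemeral_port):
    """Stateless: the request must pass the inbound list AND the reply to the client's
    ephemeral port must pass the outbound list. 'Deny all outbound' (Q1 option 4)
    therefore drops every reply even though the request was admitted."""
    return (nacl_decision(inbound, client_ip, service_port)
            and nacl_decision(outbound, client_ip, ephemeral_port))


if __name__ == "__main__":
    # Constructed web/database tiers from questions 7 and 14.
    web = SecurityGroup("sg-web", inbound=[(80, "0.0.0.0/0")])
    db = SecurityGroup("sg-db", inbound=[(3306, "sg-web")])
    print(sg_allows_connection("20.0.1.10", web, "20.0.2.20", db, 3306))  # True
    rogue = SecurityGroup("sg-rogue")
    print(sg_allows_connection("20.0.1.99", rogue, "20.0.2.20", db, 3306))  # False
    # Customer allowlist in a NACL with no outbound rules: request passes, reply is dropped.
    customer_in = [(100, "203.0.113.0/24", (80, 80), "allow")]
    print(nacl_allows_connection(customer_in, [], "203.0.113.5", 80, 50000))  # False
```

The NACL needs an outbound allow for the ephemeral port range (1024-65535) before the customer allowlist works at all, which is why a stateless "deny all outbound" can never be part of a correct answer.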

  19. A user has created a VPC with CIDR 20.0.0.0/16 using the VPC Wizard. The user has created a public subnet (20.0.0.0/24) and a VPN-only subnet (20.0.1.0/24) along with hardware VPN access to connect to the user’s data centre. Which of the below mentioned components is not present when the VPC is set up with the wizard?
    1. Main route table attached to the VPN-only subnet
    2. A NAT instance configured to allow the VPN subnet instances to connect to the internet
    3. Custom route table attached to the public subnet
    4. An internet gateway for the public subnet

Answer: 2. A NAT instance configured to allow the VPN subnet instances to connect to the internet. The public/VPN-only template routes the VPN-only subnet to the virtual private gateway; only the public/private template launched a NAT instance.

  20. A user has created a VPC with public and private subnets using the VPC wizard. The user has not launched any instance manually and is trying to delete the VPC. What will happen in this scenario?
    1. It will not allow the VPC to be deleted as it has subnets with route tables
    2. It will not allow the VPC to be deleted since it has a running route instance
    3. It will terminate the VPC along with all the instances launched by the wizard
    4. It will not allow the VPC to be deleted since it has a running NAT instance

Answer: 4. It will not allow the VPC to be deleted since it has a running NAT instance. The legacy public/private wizard launched a NAT instance on the user’s behalf, and a VPC cannot be deleted while any EC2 instance exists in it.

  21. A user has created a public subnet in a VPC and launched an EC2 instance within it. The user is trying to delete the subnet. What will happen in this scenario?
    1. It will delete the subnet and make the EC2 instance part of the default subnet
    2. It will not allow the user to delete the subnet until the instances are terminated
    3. It will delete the subnet as well as terminate the instances
    4. A subnet can never be deleted independently; the user has to delete the VPC first

Answer: 2. It will not allow the user to delete the subnet until the instances are terminated. A subnet that still holds instances (more precisely, any network interfaces) is in use and cannot be deleted.

  22. A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25 and a private subnet with CIDR 20.0.0.128/25. The user has launched one instance each in the private and public subnets. Which of the below mentioned options cannot be the correct private IP address assigned to an instance in the public or private subnet?
    1. 20.0.0.255
    2. 20.0.0.132
    3. 20.0.0.122
    4. 20.0.0.55

Answer: 1. 20.0.0.255. AWS reserves the first four addresses and the last address of every subnet (network, VPC router, DNS resolver, future use, broadcast); 20.0.0.255 is the broadcast address of 20.0.0.128/25. The other three are ordinary host addresses in their subnets.

  23. A user has created a VPC with CIDR 20.0.0.0/16. The user has created public and VPN-only subnets along with hardware VPN access to connect to the user’s data centre. The user wants all traffic coming to the public subnet to follow the organization’s proxy policy. How can the user make this happen?
    1. Set up a NAT with the proxy protocol and configure the public subnet to receive traffic from the NAT
    2. Set up a proxy policy in the internet gateway connected to the public subnet
    3. It is not possible to set up a proxy policy for a public subnet
    4. Set the route table and security group of the public subnet so that it receives traffic from the virtual private gateway

Answer: 4. Set the route table and security group of the public subnet so that it receives traffic from the virtual private gateway. Neither an internet gateway nor a NAT device can enforce a proxy policy; the traffic has to be steered through the data centre (and its proxy) over the VPN.

  24. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet (20.0.0.0/24) and a VPN-only subnet (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user’s data centre. Which of the below mentioned options is a valid entry for the main route table in this scenario?
    1. Destination: 20.0.0.0/24 and Target: vgw-12345
    2. Destination: 20.0.0.0/16 and Target: ALL
    3. Destination: 20.0.1.0/16 and Target: vgw-12345
    4. Destination: 0.0.0.0/0 and Target: vgw-12345

Answer: 4. Destination: 0.0.0.0/0 and Target: vgw-12345. Options 1 and 3 point destinations inside the VPC CIDR at the gateway (and 20.0.1.0/16 is not even a well-formed prefix); “ALL” is not a route target. A default route to the virtual private gateway sends everything non-local through the VPN.

  25. When attached to an Amazon VPC, which two components provide connectivity with external networks? Choose 2 answers
    1. Elastic IPs (EIP)
    2. NAT Gateway (NAT)
    3. Internet Gateway (IGW)
    4. Virtual Private Gateway (VGW)

Answer: 3 and 4. Internet Gateway (IGW) and Virtual Private Gateway (VGW). Only these two are attached to the VPC itself; an Elastic IP is associated with a network interface, and a NAT gateway lives in a subnet and still depends on the internet gateway.

  26. You are attempting to connect to an instance in an Amazon VPC without success. You have already verified that the VPC has an Internet Gateway (IGW), the instance has an associated Elastic IP (EIP) and the correct security group rules are in place. Which VPC component should you evaluate next?
    1. The configuration of a NAT instance
    2. The configuration of the route table
    3. The configuration of the internet gateway (IGW)
    4. The configuration of source/destination checking

Answer: 2. The configuration of the route table. The subnet’s route table must send 0.0.0.0/0 to the internet gateway; an attached gateway with no route to it is the most common remaining cause.

  27. If you want to launch Amazon Elastic Compute Cloud (EC2) instances and assign each instance a predetermined private IP address you should:
    1. Assign a group of sequential Elastic IP addresses to the instances
    2. Launch the instances in a Placement Group
    3. Launch the instances in an Amazon Virtual Private Cloud (VPC)
    4. Use standard EC2 instances since each instance gets a private Domain Name Service (DNS) name already
    5. Launch the instances from a private Amazon Machine Image (AMI)

Answer: 3. Launch the instances in an Amazon Virtual Private Cloud (VPC). Only in a VPC can the primary private IP be chosen from the subnet’s range at launch time; in EC2-Classic private addresses were assigned by AWS.

  28. A user has recently started using EC2. The user launched one EC2 instance in the default subnet in EC2-VPC. Which of the below mentioned options is not attached or available with the EC2 instance when it is launched?
    1. Public IP address
    2. Internet gateway
    3. Elastic IP
    4. Private IP address

Answer: 3. Elastic IP. A default subnet auto-assigns a public IP and is routed through the default VPC’s internet gateway, but an Elastic IP is only ever allocated and associated explicitly.

  29. A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25. The user is trying to create the private subnet with CIDR 20.0.0.128/25. Which of the below mentioned statements is true in this scenario?
    1. It will not allow the user to create the private subnet due to a CIDR overlap
    2. It will allow the user to create a private subnet with CIDR 20.0.0.128/25
    3. This statement is wrong as AWS does not allow CIDR 20.0.0.0/25
    4. It will not allow the user to create a private subnet due to a wrong CIDR range

Answer: 2. It will allow the user to create a private subnet with CIDR 20.0.0.128/25. The two /25 halves of the /24 are adjacent and disjoint, and both are within the /16 to /28 size range AWS accepts for subnets.

  30. A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and a VPN connection using the VPC wizard. The user wants to connect to the instance in the private subnet over SSH. How should the user define the security rule for SSH?
    1. Allow inbound traffic on port 22 from the user’s network
    2. The user has to create an instance in EC2-Classic with an elastic IP and configure the security group of the private subnet to allow SSH from that elastic IP
    3. The user can connect to an instance in a private subnet using the NAT instance
    4. Allow inbound traffic on ports 80 and 22 to allow the user to connect to the private subnet over the internet

Answer: 1. Allow inbound traffic on port 22 from the user’s network. The VPN makes the data centre range routable to the private subnet, so the security group should admit SSH from that CIDR only, never from 0.0.0.0/0.

  31. A company wants to implement their website in a virtual private cloud (VPC). The web tier will use an Auto Scaling group across multiple Availability Zones (AZs). The database will use Multi-AZ RDS MySQL and should not be publicly accessible. What is the minimum number of subnets that need to be configured in the VPC?
    1. 1
    2. 2
    3. 3
    4. 4

Answer: 4. Two public subnets for the web instances in two AZs, and two private subnets for the RDS DB subnet group, which must span at least two AZs for a Multi-AZ deployment.

  32. Which of the following are characteristics of Amazon VPC subnets? Choose 2 answers
    1. Each subnet maps to a single Availability Zone
    2. A CIDR block mask of /25 is the smallest range supported
    3. Instances in a private subnet can communicate with the internet only if they have an Elastic IP
    4. By default, all subnets can route between each other, whether they are private or public
    5. Each subnet spans at least 2 Availability Zones to provide a high-availability environment

Answer: 1 and 4. A subnet lives in exactly one Availability Zone, and the local route present in every route table lets all subnets in the VPC reach each other. The smallest subnet is a /28, and private-subnet instances reach the internet through a NAT device, not an Elastic IP.

  33. You need to design a VPC for a web application consisting of an Elastic Load Balancer (ELB), a fleet of web/application servers, and an RDS database. The entire infrastructure must be distributed over 2 Availability Zones. Which VPC configuration works while assuring the database is not available from the internet?
    1. One public subnet for the ELB, one public subnet for the web servers, and one private subnet for the database
    2. One public subnet for the ELB, two private subnets for the web servers, two private subnets for RDS
    3. Two public subnets for the ELB, two private subnets for the web servers and two private subnets for RDS
    4. Two public subnets for the ELB, two public subnets for the web servers, and two public subnets for RDS

Answer: 3. Two public subnets for the ELB, two private subnets for the web servers and two private subnets for RDS. Only the load balancer needs to be reachable from the internet, and every tier is duplicated across the two AZs.

  34. You have deployed a three-tier web application in a VPC with a CIDR block of 10.0.0.0/28. You initially deploy two web servers, two application servers, two database servers and one NAT instance for a total of seven EC2 instances. The web, application and database servers are deployed across two Availability Zones (AZs). You also deploy an ELB in front of the two web servers, and use Route 53 for DNS. Web traffic gradually increases in the first few days following the deployment, so you attempt to double the number of instances in each tier of the application to handle the new load. Unfortunately some of these new instances fail to launch. Which of the following could be the root cause? Choose 2 answers [PROFESSIONAL]
    1. The Internet Gateway (IGW) of your VPC has scaled up, adding more instances to handle the traffic spike and reducing the number of available private IP addresses for new instance launches.
    2. AWS reserves one IP address in each subnet’s CIDR block for Route 53, so you do not have enough addresses left to launch all of the new EC2 instances.
    3. AWS reserves the first and the last private IP address in each subnet’s CIDR block, so you do not have enough addresses left to launch all of the new EC2 instances.
    4. The ELB has scaled up, adding more instances to handle the traffic and reducing the number of available private IP addresses for new instance launches.
    5. AWS reserves the first four and the last IP address in each subnet’s CIDR block, so you do not have enough addresses left to launch all of the new EC2 instances.

Answer: 4 and 5. A /28 VPC has only 16 addresses, five of which are reserved in each subnet, and the ELB consumes further addresses from the subnets as it scales out its nodes, so doubling to fourteen instances cannot fit. The internet gateway is not an instance and consumes no addresses.
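The subnet-sizing questions (8, 12, 22, 29 and 34) come down to four checks: a subnet must be /16 to /28, must lie inside the VPC CIDR, must not overlap another subnet, and loses its first four and last addresses to AWS. The following Python helpers are an added example, not code from the page; the function names and sample values are constructed for illustration, and the 20.0.0.1/24 spelling from questions 8 and 12 is normalised with `strict=False` so the overlap check is what rejects it.

```python
import ipaddress

MIN_PREFIX, MAX_PREFIX = 16, 28   # AWS subnet size limits
RESERVED_PER_SUBNET = 5           # first four addresses plus the broadcast address


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps in every subnet, keyed by their role."""
    net = ipaddress.ip_network(subnet_cidr)
    first = net.network_address
    return {
        "network": first,
        "vpc_router": first + 1,
        "dns": first + 2,
        "future_use": first + 3,
        "broadcast": net.broadcast_address,
    }


def usable_addresses(subnet_cidr):
    """How many instances (or ELB nodes) a subnet can hold (Q34)."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def is_assignable(subnet_cidr, ip):
    """Can `ip` be an instance's private address in this subnet? (Q22)"""
    net = ipaddress.ip_network(subnet_cidr)
    addr = ipaddress.ip_address(ip)
    return addr in net and addr not in reserved_addresses(subnet_cidr).values()


def add_subnet(vpc_cidr, existing_subnets, new_cidr):
    """Return the accepted subnet, or raise ValueError with the reason AWS would give."""
    vpc = ipaddress.ip_network(vpc_cidr)
    new = ipaddress.ip_network(new_cidr, strict=False)  # 20.0.0.1/24 -> 20.0.0.0/24
    if not MIN_PREFIX <= new.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{new}: subnet size must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    if not new.subnet_of(vpc):
        raise ValueError(f"{new} is not inside VPC CIDR {vpc}")
    for cidr in existing_subnets:
        if new.overlaps(ipaddress.ip_network(cidr)):
            raise ValueError(f"{new} overlaps existing subnet {cidr}")  # Q8, Q12
    return new


def can_add_subnet(vpc_cidr, existing_subnets, new_cidr):
    try:
        add_subnet(vpc_cidr, existing_subnets, new_cidr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(usable_addresses("10.0.0.0/28"))                             # 11 (Q34)
    print(is_assignable("20.0.0.128/25", "20.0.0.255"))                # False (Q22)
    print(can_add_subnet("20.0.0.0/16", ["20.0.0.0/16"], "20.0.0.1/24"))  # False (Q8, Q12)
    print(can_add_subnet("20.0.0.0/24", ["20.0.0.0/25"], "20.0.0.128/25"))  # True (Q29)
```

Running `usable_addresses` on each planned subnet before launch, rather than after an Auto Scaling group fails, is the practical lesson of question 34: a /28 VPC has no room for growth once the load balancer starts adding nodes.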

  35. A user wants to access RDS from an EC2 instance using IP addresses. Both RDS and EC2 are in the same region but in different AZs. Which of the below mentioned options helps configure the access so that the instance is reached faster?
    1. Configure the private IP of the instance in the RDS security group
    2. Allow the security group of the EC2 instance in the RDS security group
    3. Configure the elastic IP of the instance in the RDS security group
    4. Configure the public IP of the instance in the RDS security group

Answer: 1. Configure the private IP of the instance in the RDS security group. The question asks for IP-based access; using the private IP keeps the traffic on the Amazon network instead of hair-pinning through the internet via a public or Elastic IP. In practice, referencing the EC2 security group (option 2) is the more maintainable choice, but it is not an IP-address rule.

  36. In regard to VPC, select the correct statement:
    1. You can associate multiple subnets with the same route table.
    2. You can associate multiple subnets with the same route table, but you can’t associate a subnet with only one route table.
    3. You can’t associate multiple subnets with the same route table.
    4. None of these.

Answer: 1. You can associate multiple subnets with the same route table. A route table can serve many subnets, but each subnet is associated with exactly one route table at a time.

  37. You need to design a VPC for a web application consisting of an ELB, a fleet of web application servers, and an RDS DB. The entire infrastructure must be distributed over 2 AZs. Which VPC configuration works while assuring the DB is not available from the internet?
    1. One public subnet for the ELB, one public subnet for the web servers, and one private subnet for the DB
    2. One public subnet for the ELB, two private subnets for the web servers, and two private subnets for the RDS
    3. Two public subnets for the ELB, two private subnets for the web servers, and two private subnets for the RDS
    4. Two public subnets for the ELB, two public subnets for the web servers, and two public subnets for the RDS

Answer: 3. Two public subnets for the ELB, two private subnets for the web servers, and two private subnets for the RDS (the same design as in question 33).

  38. You have an Amazon VPC with one private subnet and one public subnet with a Network Address Translation (NAT) server. You are creating a group of Amazon Elastic Compute Cloud (EC2) instances that configure themselves at startup by downloading a bootstrapping script from Amazon Simple Storage Service (S3) that deploys an application via Git. Which setup provides the highest level of security?
    1. Amazon EC2 instances in the private subnet, no EIPs, route outgoing traffic via the NAT
    2. Amazon EC2 instances in the public subnet, no EIPs, route outgoing traffic via the Internet Gateway (IGW)
    3. Amazon EC2 instances in the private subnet, assign EIPs, route outgoing traffic via the Internet Gateway (IGW)
    4. Amazon EC2 instances in the public subnet, assign EIPs, route outgoing traffic via the NAT

Answer: 1. Amazon EC2 instances in the private subnet, no EIPs, route outgoing traffic via the NAT. The instances need only outbound access to fetch the script, so they should have no public address at all; a VPC gateway endpoint for S3 would remove even the NAT from that path.

  39. You have launched an Amazon Elastic Compute Cloud (EC2) instance into a public subnet with a primary private IP address assigned, an internet gateway is attached to the VPC, and the public route table is configured to send all internet-bound traffic to the internet gateway. The instance security group is set to allow all outbound traffic but the instance cannot access the internet. Why is the internet unreachable from this instance?
    1. The instance does not have a public IP address
    2. The internet gateway security group must allow all outbound traffic.
    3. The instance security group must allow all inbound traffic.
    4. The instance “Source/Destination check” property must be enabled.

Answer: 1. The instance does not have a public IP address. The internet gateway performs one-to-one NAT between a public (or Elastic) IP and the instance’s private IP; with only a private address there is nothing to translate, and an internet gateway has no security group of its own.

  40. You have an environment that consists of a public subnet using Amazon VPC and 3 instances that are running in this subnet. These three instances can successfully communicate with other hosts on the internet. You launch a fourth instance in the same subnet, using the same AMI and security group configuration you used for the others, but find that this instance cannot be accessed from the internet. What should you do to enable internet access?
    1. Deploy a NAT instance into the public subnet.
    2. Assign an Elastic IP address to the fourth instance
    3. Configure a publicly routable IP address in the host OS of the fourth instance.
    4. Modify the routing table for the public subnet.

Answer: 2. Assign an Elastic IP address to the fourth instance. Routing and security groups are shared with the three working instances, so the only per-instance difference is the missing public address; the guest OS never sees the public IP, so option 3 cannot work.

  41. You have a load balancer configured for a VPC, and all back-end Amazon EC2 instances are in service. However, your web browser times out when connecting to the load balancer’s DNS name. Which options are probable causes of this behavior? Choose 2 answers
    1. The load balancer was not configured to use a public subnet with an internet gateway configured
    2. The Amazon EC2 instances do not have a dynamically allocated private IP address
    3. The security groups or network ACLs are not properly configured for web traffic.
    4. The load balancer is not configured in a private subnet with a NAT instance.
    5. The VPC does not have a VGW configured.

Answer: 1 and 3. An internet-facing load balancer must sit in public subnets whose route table reaches an internet gateway, and its security group and the subnet NACLs must admit the listener port; neither a NAT instance nor a virtual private gateway plays any part in reaching it from a browser.

  42. When will you incur costs with an Elastic IP address (EIP)?
    1. When an EIP is allocated.
    2. When it is allocated and associated with a running instance.
    3. When it is allocated and associated with a stopped instance.
    4. Costs are incurred regardless of whether the EIP is associated with a running instance.

Answer: 3. When it is allocated and associated with a stopped instance. This is the historic pricing the exam expects: an EIP was free only while attached to a running instance, to discourage hoarding. Since 1 February 2024 AWS charges for every public IPv4 address, including EIPs on running instances, so option 4 describes current billing.