An EC2 instance, which performs source/destination checks by default, is launched in a private VPC subnet. All security group, NACL, and routing definitions are configured as expected. A custom NAT instance is launched.
Which of the following must be done for the custom NAT instance to work?
A.The source/destination checks should be disabled on the NAT instance.
B.The NAT instance should be launched in public subnet.
C.The NAT instance should be configured with a public IP address.
D.The NAT instance should be configured with an elastic IP address.
Answer: A Explanation:
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives; packets that are neither addressed to nor originated by the instance are dropped. A NAT instance, however, forwards traffic on behalf of the other instances in the private subnet, so it must be able to send and receive traffic when the source or destination is not itself.
Therefore, you must disable source/destination checks on the NAT instance. Reference:
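The practical check that follows from this answer is "which instances are route targets but still have the source/destination check enabled?". The following is an added example, not part of the original page: it parses the JSON shapes returned by `aws ec2 describe-route-tables` and `aws ec2 describe-instances` (only the fields used here are modelled), cross-references route targets against the `SourceDestCheck` attribute, and prints the `aws ec2 modify-instance-attribute --no-source-dest-check` command for each offender. The sample route table and instance data embedded below are constructed for illustration; the resource IDs are placeholders.

```python
"""Audit: find NAT instances that still have source/destination checks enabled.

Added example, not part of the original page. Input is the JSON produced by
`aws ec2 describe-route-tables` and `aws ec2 describe-instances`; only the
fields used here are modelled. The sample data is constructed.
"""
import json

# Constructed sample: a private subnet's route table whose default route
# targets an instance (the custom NAT instance), plus two instances, one
# of which still has SourceDestCheck enabled.
ROUTE_TABLES_JSON = """
{"RouteTables": [
  {"RouteTableId": "rtb-0aaa0000000000001",
   "Associations": [{"SubnetId": "subnet-0bbb0000000000001"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0ccc0000000000001",
      "NetworkInterfaceId": "eni-0ddd0000000000001", "State": "active"}
   ]}
]}
"""

INSTANCES_JSON = """
{"Reservations": [{"Instances": [
  {"InstanceId": "i-0ccc0000000000001", "SourceDestCheck": true,
   "SubnetId": "subnet-0bbb0000000000002"},
  {"InstanceId": "i-0ccc0000000000002", "SourceDestCheck": false,
   "SubnetId": "subnet-0bbb0000000000002"}
]}]}
"""


def load_sample():
    """Parse the constructed sample documents."""
    return json.loads(ROUTE_TABLES_JSON), json.loads(INSTANCES_JSON)


def route_target_instances(route_tables):
    """Map instance_id -> [(route_table_id, destination), ...] for every active
    route whose target is an EC2 instance. Such an instance forwards traffic
    on behalf of others, i.e. it acts as a NAT or network appliance."""
    targets = {}
    for rtb in route_tables["RouteTables"]:
        for route in rtb["Routes"]:
            iid = route.get("InstanceId")
            if iid and route.get("State") == "active":
                dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
                targets.setdefault(iid, []).append((rtb["RouteTableId"], dest))
    return targets


def source_dest_check_state(instances):
    """Map instance_id -> SourceDestCheck from describe-instances output.
    The attribute defaults to True on EC2, so a missing field is treated as enabled."""
    state = {}
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            state[inst["InstanceId"]] = inst.get("SourceDestCheck", True)
    return state


def find_misconfigured_nat_instances(route_tables, instances):
    """Instances that are route targets but will drop forwarded packets because
    SourceDestCheck is still enabled. Returns a sorted list of instance IDs."""
    targets = route_target_instances(route_tables)
    checks = source_dest_check_state(instances)
    return sorted(iid for iid in targets if checks.get(iid, True))


def remediation_command(instance_id):
    """The AWS CLI call that disables the check for one instance."""
    return (f"aws ec2 modify-instance-attribute --instance-id {instance_id} "
            f"--no-source-dest-check")


def audit(route_tables=None, instances=None):
    """Return the remediation commands for every misconfigured NAT instance."""
    if route_tables is None or instances is None:
        route_tables, instances = load_sample()
    return [remediation_command(i) for i in find_misconfigured_nat_instances(route_tables, instances)]


if __name__ == "__main__":
    for cmd in audit():
        print(cmd)
```

Against real output, feed `audit()` the parsed results of `aws ec2 describe-route-tables` and `aws ec2 describe-instances` for the VPC; an instance that is a route target with the check already disabled is correctly left alone, as the second sample instance shows.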
An organization has created multiple components of a single application for compartmentalization. Currently all the components are hosted on a single EC2 instance. For security reasons the organization wants to use two separate SSL certificates for the separate modules, although it is already using VPC. How can the organization achieve this with a single instance?
A.You have to launch two instances each in a separate subnet and allow VPC peering for a single IP.
B.Create a VPC instance which will have multiple network interfaces with multiple elastic IP addresses.
C.Create a VPC instance which will have both the ACL and the security group attached to it and have separate rules for each IP address.
D.Create a VPC instance which will have multiple subnets attached to it and each will have a separate IP address.
Answer: B Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. With VPC the user can specify multiple private IP addresses for an instance.
The number of network interfaces and private IP addresses that can be assigned to an instance depends on the instance type. An Elastic IP (EIP) can be associated with each private IP address on each network interface. This is what allows a single EC2 instance to host multiple websites with multiple SSL certificates on a single server: each certificate is bound to the listener for a specific EIP (and its underlying private IP), so each module gets its own address and its own certificate. It also helps when operating network appliances, such as firewalls or load balancers, that need multiple private IP addresses per network interface. Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/MultipleIP.html
An organization is making software for the CIA in the USA. The CIA agreed to host the application on AWS, but in a secure environment. The organization is thinking of hosting the application in the AWS GovCloud region. Which of the below mentioned differences is not correct when the organization is hosting on AWS GovCloud in comparison with a standard AWS region?
A.The billing for AWS GovCloud will be in a different account than the standard AWS account.
B.GovCloud region authentication is isolated from Amazon.com.
C.Physical and logical administrative access only to U.S. persons.
D.It is physically isolated and has logical network isolation from all the other regions.
Answer: A Explanation:
AWS GovCloud (US) is an isolated AWS region designed to allow U.S. government agencies and customers to move sensitive workloads into the cloud by addressing their specific regulatory and compliance requirements. The AWS GovCloud (US) Region adheres to the U.S. International Traffic in Arms Regulations (ITAR) requirements. It has added advantages, such as:
Restricting physical and logical administrative access to U.S. persons only
Separate AWS GovCloud (US) credentials, such as the access key and secret access key, distinct from those of the standard AWS account
The user signs in with the IAM user name and password
AWS GovCloud (US) Region authentication is completely isolated from Amazon.com
If the organization hosts on EC2 in AWS GovCloud, the usage is billed to the organization's standard AWS account, since AWS GovCloud billing is linked to the standard AWS account and is not billed separately. Option A is therefore the incorrect statement.