Quiz: Module 03: The AWS Account & Root User
Test your understanding of the concepts covered in this module.
50 questions
Question 1. Which of the following best describes an Amazon Virtual Private Cloud (VPC)?
Question 2. True or False: A VPC exists within a single AWS Region but can span multiple Availability Zones within that Region.
Question 3. Which of the following are true about the default VPC that AWS creates in each Region? (Select THREE.)
Question 4. A VPC has the CIDR block `10.0.0.0/16`. How many total IP addresses does this CIDR block provide?
Question 5. In your own words, explain why you should create a custom VPC for production workloads instead of using the default VPC.
Free-response questions are self-assessed. Compare your answer with the sample response.
Question 6. Which of the following CIDR blocks represents the largest network?
Question 7. What makes a subnet a "public" subnet in a VPC?
Question 8. AWS reserves five IP addresses in every subnet. In a `/24` subnet with 256 total addresses, how many addresses are available for your resources?
Question 9. Which of the following are private IP address ranges defined by RFC 1918? (Select THREE.)
Question 10. True or False: A subnet can span multiple Availability Zones within a VPC.
Question 11. Which of the following correctly describes the difference between an internet gateway and a NAT gateway?
Question 12. A company has a database server in a private subnet that needs to download software patches from the internet. Which component enables this without exposing the database to inbound internet traffic?
Question 13. How many internet gateways can be attached to a single VPC at one time?
Question 14. A VPC route table contains the following two routes:

| Destination | Target |
|-------------|--------|
| `10.0.0.0/16` | local |
| `0.0.0.0/0` | igw-xxxxxxxx |

A resource in this VPC sends traffic to the IP address `10.0.3.25`. Which route does the VPC router select, and why?
Question 15. True or False: Every subnet in a VPC must be explicitly associated with a custom route table. If a subnet is not associated with any custom route table, it cannot route traffic.
Question 16. Which of the following are characteristics of security groups? (Select TWO.)
Question 17. Which of the following are characteristics of network access control lists (NACLs)? (Select TWO.)
Question 18. True or False: Network access control lists (NACLs) evaluate all rules at once before making a decision, just like security groups.
Question 19. In a three-tier VPC architecture, which tier is typically placed in public subnets?
Question 20. A NAT gateway must be placed in which type of subnet?
Question 21. Which of the following resources would you typically place in a private subnet? (Select TWO.)
Question 22. When you create a new custom security group, what is its default behavior?
Question 23. A solutions architect is designing a VPC with the CIDR block `10.0.0.0/16`. They need to create subnets that each support at least 200 usable IP addresses. What is the smallest subnet prefix length that meets this requirement, accounting for the five AWS-reserved addresses?
Question 24. True or False: You can attach multiple VPCs to a single internet gateway for cost savings.
Question 25. Which of the following statements about the default NACL is correct?
Question 26. An EC2 instance in a public subnet has a security group that allows inbound HTTP traffic on port 80 from `0.0.0.0/0`. A user on the internet sends an HTTP request to the instance. The instance processes the request and sends a response. Does the security group need an explicit outbound rule to allow the response traffic?
Question 27. A company has a VPC with CIDR block `10.0.0.0/16` and another VPC with CIDR block `10.0.0.0/16`. Can these two VPCs be connected using VPC peering?
Question 28. Which of the following is true about Elastic IP addresses? (Select TWO.)
Question 29. In a three-tier architecture, the database security group allows inbound traffic only from the application tier security group. What is this practice called?
Question 30. True or False: A security group can contain only allow rules. To explicitly deny traffic from a specific IP address, you must use a network ACL instead.
Question 31. A VPC has the following route table for a private subnet:

| Destination | Target |
|-------------|--------|
| `10.0.0.0/16` | local |
| `0.0.0.0/0` | nat-xxxxxxxx |

An instance in this private subnet sends a request to `10.0.1.50`. Where does the traffic go?
Question 32. Which of the following is NOT a step required to enable internet access for instances in a public subnet?
Question 33. A NACL has the following inbound rules:

| Rule # | Type | Protocol | Port Range | Source | Allow/Deny |
|--------|------|----------|------------|--------|------------|
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW |
| 110 | HTTP | TCP | 80 | 203.0.113.0/24 | DENY |
| * | All traffic | All | All | 0.0.0.0/0 | DENY |

A request arrives on port 80 from IP address `203.0.113.15`. What happens?
Question 34. In your own words, explain the difference between stateful and stateless firewalls in the context of security groups and NACLs.
Free-response questions are self-assessed. Compare your answer with the sample response.
Question 35. Which of the following best describes the "local" route in a VPC route table?
Question 36. True or False: You can have multiple route tables in a single VPC, but each subnet can be associated with only one route table at a time.
Question 37. A company is designing a VPC for a web application. The application has web servers that must be accessible from the internet and a database that must not be accessible from the internet. Which VPC design pattern should they use?
Question 38. What is the minimum subnet size allowed in an AWS VPC?
Question 39. An EC2 instance in a private subnet needs to call an external API on the internet. The private subnet's route table has a route sending `0.0.0.0/0` to a NAT gateway. Can the external API initiate a new inbound connection to this EC2 instance?
Question 40. Which of the following statements about the main route table is correct?
Question 41. True or False: When you create a custom NACL, it allows all inbound and outbound traffic by default, just like the default NACL.
Question 42. A solutions architect needs to ensure high availability for NAT gateways. What is the recommended approach?
Question 43. Which of the following correctly lists the five IP addresses that AWS reserves in every subnet?
Question 44. A security engineer needs to block all traffic from a specific IP address (`198.51.100.50`) to any resource in a subnet. Which approach is most appropriate?
Question 45. In a `/28` subnet, how many IP addresses are usable for your resources after accounting for the five AWS-reserved addresses?
Question 46. True or False: Security group rules reference other security groups as sources or destinations, which is more maintainable than specifying individual IP addresses because it automatically adapts as instances are added or removed.
Question 47. A VPC has the CIDR block `10.0.0.0/16`. A subnet within this VPC has the CIDR block `10.0.1.0/24`. Which of the following CIDR blocks could be used for another subnet in the same VPC? (Select TWO.)
Question 48. An EC2 instance in a public subnet can receive inbound HTTP requests but cannot send responses back to clients. The security group allows inbound HTTP on port 80 and allows all outbound traffic. The subnet uses the default NACL. A custom NACL is then applied that allows inbound HTTP on port 80 but has no outbound rules. What is the most likely cause of the problem?
Question 49. In your own words, describe the traffic flow when an EC2 instance in a private subnet makes an outbound HTTPS request to an external API on the internet. Include the role of the route table, NAT gateway, and internet gateway.
Free-response questions are self-assessed. Compare your answer with the sample response.
Question 50. A company is designing a three-tier architecture. Match each tier to the correct subnet type and the security group inbound rule source:

| Tier | Subnet Type | Security Group Allows Inbound From |
|------|-------------|-------------------------------------|
| Presentation (ALB) | ? | ? |
| Application (EC2) | ? | ? |
| Data (RDS) | ? | ? |