A. Create a DX connection to a second AWS Region. Use DynamoDB global tables to replicate data to the second Region. Modify the application to fail over to the second Region.
B. Use an AWS managed VPN to connect to a second AWS Region. Create a copy of the DynamoDB table in the second Region. Enable DynamoDB streams in the primary Region and use AWS Lambda to synchronize data to the copied table.
C. Create a DX connection to a second AWS Region. Create an identical DynamoDB table in the second Region. Enable DynamoDB auto scaling to manage throughput capacity. Modify the application to write to the second Region.
D. Use an AWS managed VPN to connect to a second AWS Region. Create a copy of the DynamoDB table in the second Region. Enable DynamoDB streams in the primary Region and use AWS DMS to synchronize data to the copied table.
Solution
Explanation
To ensure consistent network performance, an AWS Direct Connect (DX) connection must be used: an AWS Managed VPN relies on the public internet, which cannot offer consistent performance. Amazon DynamoDB global tables is a fully managed, multi-Region, multi-active database, meaning you can read and write in multiple Regions. In the event of a Region failure, the application logic must be set to fail over to an endpoint in another Region where a replica table is running.
“Use an AWS managed VPN to connect to a second AWS Region. Create a copy of the DynamoDB table in the second Region. Enable DynamoDB streams in the primary Region and use AWS Lambda to synchronize data to the copied table” is incorrect. A VPN does not offer consistent performance, and DynamoDB global tables should be used for a multi-active database.
“Create a DX connection to a second AWS Region. Create an identical DynamoDB table in the second Region. Enable DynamoDB auto scaling to manage throughput capacity. Modify the application to write to the second Region” is incorrect. This does not offer any solution for creating a synchronized copy of the database in a second Region.
“Use an AWS managed VPN to connect to a second AWS Region. Create a copy of the DynamoDB table in the second Region. Enable DynamoDB streams in the primary Region and use AWS DMS to synchronize data to the copied table” is incorrect. A VPN does not offer consistent performance, and AWS DMS should be replaced with DynamoDB global tables.
A. Check the security group for the EC2 instances to ensure it allows ingress from the NLB subnets.
B. Check the security group for the NLB to ensure it allows egress to the private subnet.
C. Check the security group for the EC2 instances to ensure it allows ingress from the customer office.
D. Check the security group for the NLB to ensure it allows ingress from the customer office.
Solution
Explanation
The Solutions Architect should check that the security group of the EC2 instances allows inbound connections from the customer office IP ranges. Note that NLBs do not have security groups configured and pass connections straight to EC2 instances with the source IP of the client preserved (when registered by instance ID). With NLBs, when you register EC2 instances as targets, you must ensure that the security groups for these instances allow traffic on both the listener port and the health check port. We know that the health check port is already configured correctly, as the targets are all healthy.
“Check the security group for the NLB to ensure it allows egress to the private subnet” is incorrect. There is no security group associated with an NLB.
“Check the security group for the NLB to ensure it allows ingress from the customer office” is incorrect. There is no security group associated with an NLB.
“Check the security group for the EC2 instances to ensure it allows ingress from the NLB subnets” is incorrect. This is not necessary, as the source IPs of clients are preserved.
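The following Terraform fragment is an added illustration of the security group rules the explanation describes; it is not from the original page or any AWS material. The office range 203.0.113.0/24, the listener port 443, the health check port 8080 and the NLB subnet CIDRs are all assumed example values.

```hcl
# Added example (not part of the original page). All addresses and ports are assumed.
variable "vpc_id" {}

variable "customer_office_cidr" {
  default = "203.0.113.0/24" # assumed customer office range
}

variable "nlb_subnet_cidrs" {
  type    = list(string)
  default = ["10.0.1.0/24", "10.0.2.0/24"] # assumed subnets the NLB is deployed in
}

resource "aws_security_group" "app_instances" {
  name   = "app-instances"
  vpc_id = var.vpc_id
}

# Listener traffic: with instance targets the NLB preserves the client source IP,
# so the instance security group must admit the office range on the listener port.
# Allowing the NLB subnets here would not help the office clients.
resource "aws_security_group_rule" "listener_from_office" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [var.customer_office_cidr]
  security_group_id = aws_security_group.app_instances.id
}

# Health checks originate from the NLB's own addresses in its subnets,
# so the health check port is opened to those subnets only.
resource "aws_security_group_rule" "health_check_from_nlb" {
  type              = "ingress"
  from_port         = 8080
  to_port           = 8080
  protocol          = "tcp"
  cidr_blocks       = var.nlb_subnet_cidrs
  security_group_id = aws_security_group.app_instances.id
}
```

Keeping the two rules separate makes the scenario in the explanation visible in the configuration: a healthy target group proves only that the second rule is present, while clients timing out points at the first.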
A. Configure the DNS service on the EC2 instances in the VPC to use the VPC resolver server as the secondary DNS server.
B. Update the DNS service on the Active Directory servers to forward all non-authoritative queries to the VPC Resolver.
C. Update the DNS service on the Active Directory servers to forward all queries to the VPC Resolver.
D. Define an inbound Amazon Route 53 Resolver. Set a conditional forwarding rule for the Active Directory domain to the Active Directory servers. Configure the DNS settings in the VPC DHCP options set to use the AmazonProvidedDNS servers.
E. Define an outbound Amazon Route 53 Resolver. Set a conditional forwarding rule for the Active Directory domain to the Active Directory servers. Configure the DNS settings in the VPC DHCP options set to use the AmazonProvidedDNS servers.
Solution
Explanation
The EC2 instances are unable to resolve the DNS name of the VPC interface endpoint to an IP address because they are configured to use the Domain Controllers for DNS, and the DCs do not have a record for the VPC interface endpoint. There are two solutions to this problem that both achieve the same outcome. The first involves modifying the DNS service on the DCs to forward non-authoritative queries to the VPC resolver. This simply means that if the DNS service on the DC does not have the record in its zone file, it forwards the query to another DNS service. The second solution uses an outbound Route 53 Resolver. With outbound resolvers (but not with inbound resolvers) you can configure forwarding rules. In this case you would need to modify the EC2 instances (via the DHCP options set) to use the Amazon-provided DNS servers. These servers would be able to resolve the VPC interface endpoint. The forwarding rule will forward any queries for the Active Directory domain to the Domain Controllers.
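The second solution, expressed as Terraform, is added here as an illustration and is not code from the original page. The domain name corp.example.com, the Domain Controller addresses, and the subnet and security group variables are assumed placeholders.

```hcl
# Added example (not part of the original page). Names and addresses are assumed.
variable "vpc_id" {}

variable "resolver_subnet_ids" {
  type = list(string) # at least two subnets are required for a resolver endpoint
}

variable "resolver_sg_id" {} # security group permitting DNS (UDP/TCP 53) to the DCs

variable "ad_domain" {
  default = "corp.example.com" # assumed Active Directory domain
}

variable "ad_dns_ips" {
  type    = list(string)
  default = ["10.10.0.10", "10.10.0.11"] # assumed Domain Controller addresses
}

# Outbound endpoint: the VPC resolver sends forwarded queries from these ENIs.
resource "aws_route53_resolver_endpoint" "outbound" {
  name               = "to-active-directory"
  direction          = "OUTBOUND"
  security_group_ids = [var.resolver_sg_id]

  dynamic "ip_address" {
    for_each = var.resolver_subnet_ids
    content {
      subnet_id = ip_address.value
    }
  }
}

# Conditional forwarding rule: only the AD domain goes to the Domain Controllers;
# everything else (including the interface endpoint name) is answered by the VPC resolver.
resource "aws_route53_resolver_rule" "ad_forward" {
  domain_name          = var.ad_domain
  name                 = "forward-ad-domain"
  rule_type            = "FORWARD"
  resolver_endpoint_id = aws_route53_resolver_endpoint.outbound.id

  dynamic "target_ip" {
    for_each = var.ad_dns_ips
    content {
      ip = target_ip.value
    }
  }
}

resource "aws_route53_resolver_rule_association" "ad_forward" {
  resolver_rule_id = aws_route53_resolver_rule.ad_forward.id
  vpc_id           = var.vpc_id
}

# Point the instances at the Amazon-provided DNS so the rule above is consulted.
resource "aws_vpc_dhcp_options" "amazon_dns" {
  domain_name_servers = ["AmazonProvidedDNS"]
}

resource "aws_vpc_dhcp_options_association" "amazon_dns" {
  vpc_id          = var.vpc_id
  dhcp_options_id = aws_vpc_dhcp_options.amazon_dns.id
}
```

The security group on the outbound endpoint is the piece most often missed: the resolver ENIs need egress to the Domain Controllers on port 53, and the DCs (or the on-premises firewall) must accept queries from those ENI addresses.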
A. Configure the security group on the interface endpoint to allow connectivity to the AWS services.
B. Enable the private DNS option on the VPC attributes.
C. Configure an Amazon Route 53 private hosted zone with a conditional forwarder for the internal application.
D. Configure Lambda to use the stored database credentials in AWS Secrets Manager and enable automatic rotation.
E. Update the route table for the subnets with a route to the interface endpoint.
Solution
Explanation
You must ensure that the security group associated with the endpoint network interface allows communication between the endpoint network interface and the resources in your VPC that communicate with the service.
“Update the route table for the subnets with a route to the interface endpoint” is incorrect. You do not need to update the route table for interface endpoints (you do for gateway endpoints).
“Enable the private DNS option on the VPC attributes” is incorrect. Private DNS is enabled by default for endpoints created for AWS services and AWS Marketplace Partner services.
“Configure an Amazon Route 53 private hosted zone with a conditional forwarder for the internal application” is incorrect. This is unnecessary: a private hosted zone is associated with the VPC by default when the private DNS option is enabled (which is the default).
A. Use the AWS Direct Connect link to upload the data to S3.
B. Upload the data to the S3 bucket using S3 Transfer Acceleration.
C. Use AWS DataSync to migrate the data to S3.
D. Copy the data to an 80 TB AWS Snowball device.
Solution
Explanation
The fastest way to upload the data would be to use the higher speed internet connection and use Amazon S3 Transfer Acceleration. Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket. Transfer Acceleration takes advantage of Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge location, data is routed to Amazon S3 over an optimized network path.
A. Create VPC peering connections between the VPCs in a fully meshed topology. Configure the route tables in the VPCs to route traffic across the peering connections.
B. Create an AWS Direct Connect (DX) gateway and attach the DX gateway to a transit gateway. Enable route propagation with BGP.
C. Create an AWS Direct Connect (DX) gateway and associate the DX gateway with a VGW in each VPC. Enable route propagation with BGP.
D. Create an AWS transit gateway and add attachments for all of the VPCs. Configure the route tables in the VPCs to send traffic to the transit gateway.
E. Create IPSec VPN connections between the VPCs in a fully meshed topology. Configure the route tables in the VPCs to route traffic across the IPSec VPN connections.
Solution
Explanation
The solution with the lowest complexity is to use a combination of an AWS transit gateway and a DX gateway. The transit gateway allows fully transitive connections between VPCs in a Region. The DX gateway then connects the transit gateway to the DX connection. BGP is used to propagate routes from the on-premises data center into AWS and vice versa. The diagram below depicts a similar configuration with a transit gateway and a DX gateway:
A. Add an additional physical connection for the existing DX connection using the same network carrier and join the connections to a link aggregation group (LAG) on the same private virtual interface.
B. Use multiple IPSec VPN connections to separate virtual private gateways and configure BGP to prioritize the DX connection.
C. Create an AWS Managed VPN connection that uses the public internet and attach it to the same virtual private gateway as the DX connection.
D. Install a second DX connection from a different network carrier and attach it to the same virtual private gateway as the first DX connection.
Solution
Explanation
Another DX connection should be established from a different carrier. This provides physical separation and redundancy for the DX connections and is preferable to using the same carrier, which could result in sharing the same physical pathways. The virtual private gateway has built-in redundancy, so sharing a VGW is acceptable.
“Use multiple IPSec VPN connections to separate virtual private gateways and configure BGP to prioritize the DX connection” is incorrect. Separate DX links are preferable to using the internet for better reliability, as the internet can be subject to various bandwidth and latency constraints.