Which configuration below will allow you the ability to remotely administer your application…?

You’ve been brought in as solutions architect to assist an enterprise customer with their migration of an ecommerce platform to Amazon Virtual Private Cloud (VPC). The previous architect has already deployed a 3-tier VPC.

The configuration is as follows:

VPC: vpc-2f8t>C447
IGW: ig-2d8bc445
NACL: acl-2080c448

Subnets and Route Tables:
Web server’s subnet-258Dc44d
Application server’s suDnet-248bc44c
Database server’s subnet-9189c6f9

Route Tables:
rrb-218DC449
rtb-238bc44b

Associations:
subnet-258bc44d: rtb-2i8bc449
Subnet-248DC44C: rtb-238tX44b
subnet-9189c6f9: rtb-238Dc 44b

You are now ready to begin deploying EC2 instances into the VPC. Web servers must have direct access to the internet. Application and database servers cannot have direct access to the internet.

Which configuration below will allow you the ability to remotely administer your application and database servers, as well as allow these servers to retrieve updates from the Internet?


A. Create a bastion and NAT Instance in subnet-248bc44c and add a route from rtb-238bc44b to subnet-258bc44d.

B. Add a route from rtD-238bc44D to igw-2d8bc445 and add a bastion and NAT instance within suonet-248bc44c.

C. Create a bastion and MAT Instance In subnet-258bc44d. Add a route from rtb-238bc44b to igw-2d8bc445. And a new NACL that allows access between subnet-258bc44d and subnet-248bc44c.

D. Create a bastion and mat instance in suDnet-258Dc44d and add a route from rtD-238Dc44D to the mat instance.





Kiran

Answer is D

taka

C
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
To enable access to or from the Internet for instances in a VPC subnet, you must do the following:
– Attach an Internet gateway to your VPC.
– Ensure that your subnet’s route table points to the Internet gateway.
– Ensure that instances in your subnet have public IP addresses or Elastic IP addresses.
– Ensure that your network access control and security group rules allow the relevant traffic to flow to and from your instance.

Martin Win

Answer is D. Taka’s link is not referring to bastion.

Manu

Correct answer is D.

Option C will create a direct connection from the App subnet to the Internet gateway, which is not a security best practice.

engmohhamed

I choose D: create a NAT instance in the public subnet, which is the web server subnet (suDnet-258Dc44d), and add a route (rtD-238Dc44D) from the private subnet (database subnet-9189c6f9) to the public NAT one to retrieve the updates.

longbv

D
Create a NAT instance in the public subnet, which is the web server subnet (suDnet-258Dc44d), and add a route (rtD-238Dc44D) from the private subnet (database subnet-9189c6f9) to the public NAT one to retrieve the updates.

AWS_certified

It’s C

Wiper

I don’t think this is an Associate Level question.

Amit

D is the answer; however, it should have mentioned “default route” instead of just “route”.

Anthony

Answer is C

D uses a NAT which allows the private subnets to reach the internet, but the question says you must be able to remotely administer the servers, meaning you should have a bastion host in the public subnet through which you connect to servers in the private subnet to administer them. I don’t think you want to use the NAT to administer the servers. Only C gives that option, so C is the answer.

Anthony

D seems to be the correct answer.

On a second look, the route should go to the NAT, not to the IGW. D seems more plausible from a security point of view. You can SSH to the servers via the NAT.

Quang

D is correct.
The point is that the Web tier subnet-258Dc44d has access to the public internet, which means that the IGW is attached to subnet-258Dc44d.

The NAT should be in a public subnet, which is suDnet-258Dc44d, hence A and B are out.
Option C makes both the App and DB tier subnets public. And you can administer private servers via a bastion in suDnet-258Dc44d.

mutiger91

The correct answer is “None of the above”. The question is:

“Which configuration below will allow you the ability to remotely administer your application and database
servers, as well as allow these servers to retrieve updates from the Internet?”

If you break it down, that means that
– Web Server Subnet is a public subnet with a default route to IGW and NAT Gateway or Nat instance and a Bastion Host
– App and database subnets are private subnets with a default route to NAT Gateway or instance

Now let’s look at how they screwed each one of these up:

a) Create a bastion and NAT Instance in subnet-248bc44c – Wrong, that’s the Application server subnet and we need them in the web subnet.

b) Add a route from rtD-238bc44D to igw-2d8bc445 – That route table doesn’t exist. It is similar to route tables associated with Application or maybe database subnets, but they should be private, so there should be no direct IGW route anyway.

c) Create a bastion and MAT (NAT) Instance In subnet-258bc44d. (Again, this subnet is not defined. Maybe they meant the web server subnet, and that would be correct, but they didn’t say it.)

Add a route from rtb-238bc44b to igw-2d8bc445. (Again, no such route table. Looks like maybe the one associated with DB servers. But you would also need one from the App server subnet)

And a new NACL that allows access between subnet-258bc44d and subnet-248bc44c.
(I’m not sure of the point of this. First of all, by default, the NACL access is there. There is no mention of NACL changes in the original design. Secondly, being able to talk from the App server subnet to the web server subnet doesn’t mean that you have a path to the internet. The requirement states that app and database servers don’t have direct access to the internet, but putting in a NAT instance would suggest that there is a desire for indirect access to the internet via NAT. The NACL doesn’t give you that.)

d) Create a bastion and mat instance in suDnet-258Dc44d (yes)
and add a route from rtD-238Dc44D to the mat instance. (Again, they got the route table ID number wrong. Assuming it’s the database subnet route table, how is the app subnet supposed to reach the internet?)

D seems to be the closest to being correct.
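The thread above argues about which option satisfies the requirement by reasoning through route tables by hand (taka's four-point checklist for internet access, and mutiger91's option-by-option breakdown). The following Python model, added here as an example and not part of the original post or of any AWS tool, encodes the route-table portion of that reasoning and evaluates all four options against the stated requirements. It assumes the garbled identifiers in the options stand for the ones listed in the question (rtD-238Dc44D as rtb-238bc44b, suDnet-258Dc44d as subnet-258bc44d, "mat instance" as NAT instance), that rtb-218bc449 already carries a default route to the IGW because web servers are said to have direct internet access, and it uses the question's own association table, in which the application and database subnets share rtb-238bc44b, so one default route there serves both private tiers. NACL and security-group rules, public IP assignment, and the bastion's own access controls are outside the model.

```python
"""Route-table model of the three-tier VPC question (added example).

Identifiers are the ones the question lists; OCR-garbled variants in the
answer options are read as the listed ones. The assumption that the web
subnet's route table already defaults to the IGW follows from the statement
that web servers have direct internet access.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

WEB = "subnet-258bc44d"   # web tier, associated with rtb-218bc449
APP = "subnet-248bc44c"   # application tier, associated with rtb-238bc44b
DB = "subnet-9189c6f9"    # database tier, also associated with rtb-238bc44b
IGW = "igw-2d8bc445"
DEFAULT = "0.0.0.0/0"


@dataclass
class Vpc:
    assoc: Dict[str, str]                 # subnet -> route table
    routes: Dict[str, Dict[str, str]]     # route table -> {destination: target}
    instances: Dict[str, Set[str]] = field(default_factory=dict)  # subnet -> roles


def internet_path(vpc: Vpc, subnet: str, _depth: int = 0) -> Optional[str]:
    """'direct' if the default route targets the IGW, 'nat' if it targets a NAT
    instance sitting in a subnet that is itself public, otherwise None."""
    if _depth > 2:                       # guard against NAT-to-NAT loops
        return None
    target = vpc.routes.get(vpc.assoc[subnet], {}).get(DEFAULT)
    if target == IGW:
        return "direct"
    if target and target.startswith("nat@"):
        nat_subnet = target.split("@", 1)[1]
        if ("nat" in vpc.instances.get(nat_subnet, set())
                and internet_path(vpc, nat_subnet, _depth + 1) == "direct"):
            return "nat"
    return None


def check(vpc: Vpc) -> Dict[str, bool]:
    """The question's requirements: web tier direct, app/db tiers only via NAT,
    and a bastion in a public subnet for remote administration."""
    return {
        "web_direct": internet_path(vpc, WEB) == "direct",
        "app_via_nat_only": internet_path(vpc, APP) == "nat",
        "db_via_nat_only": internet_path(vpc, DB) == "nat",
        "bastion_public": any(
            "bastion" in roles and internet_path(vpc, s) == "direct"
            for s, roles in vpc.instances.items()
        ),
    }


def baseline() -> Vpc:
    """The VPC as the previous architect left it (assumed IGW default route on the web table)."""
    return Vpc(
        assoc={WEB: "rtb-218bc449", APP: "rtb-238bc44b", DB: "rtb-238bc44b"},
        routes={"rtb-218bc449": {DEFAULT: IGW}, "rtb-238bc44b": {}},
    )


def option_a() -> Vpc:
    # Bastion and NAT in the app subnet; "a route to subnet-258bc44d" is not a
    # valid route target, so rtb-238bc44b gains no usable default route.
    v = baseline()
    v.instances[APP] = {"bastion", "nat"}
    return v


def option_b() -> Vpc:
    # Default route from rtb-238bc44b straight to the IGW; bastion/NAT in app subnet.
    v = baseline()
    v.routes["rtb-238bc44b"][DEFAULT] = IGW
    v.instances[APP] = {"bastion", "nat"}
    return v


def option_c() -> Vpc:
    # Bastion and NAT in the web subnet, but the private tiers are routed
    # straight to the IGW, which makes them public (the NACL change does not
    # affect the internet path and is not modelled).
    v = baseline()
    v.instances[WEB] = {"bastion", "nat"}
    v.routes["rtb-238bc44b"][DEFAULT] = IGW
    return v


def option_d() -> Vpc:
    # Bastion and NAT in the web subnet; rtb-238bc44b (shared by the app and
    # database subnets) gets a default route to the NAT instance.
    v = baseline()
    v.instances[WEB] = {"bastion", "nat"}
    v.routes["rtb-238bc44b"][DEFAULT] = "nat@" + WEB
    return v


def evaluate() -> Dict[str, bool]:
    """Option letter -> whether every requirement is satisfied."""
    builders = {"A": option_a, "B": option_b, "C": option_c, "D": option_d}
    return {letter: all(check(build()).values()) for letter, build in builders.items()}


if __name__ == "__main__":
    for letter, build in [("A", option_a), ("B", option_b), ("C", option_c), ("D", option_d)]:
        print(letter, check(build()))
    print(evaluate())
```

Running it prints a per-requirement breakdown for each option; only D passes every check, while B and C fail because the private tiers end up with a direct IGW route, which is exactly the objection Manu and Quang raise above. The "nat@subnet" target is a modelling convenience for "route to the ENI of a NAT instance in that subnet"; it is not AWS syntax.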