What might be happening?

You are implementing a URL whitelisting system for a company that wants to restrict outbound HTTPS
connections to specific domains from their EC2-hosted applications. You deploy a single EC2 instance running
proxy software and configure it to accept traffic from all subnets and EC2 instances in the VPC. You configure
the proxy to only pass through traffic to domains that you define in its whitelist configuration. You have a
nightly maintenance window of 10 minutes where all instances fetch new software updates. Each update is
about 200MB in size and there are 500 instances in the VPC that routinely fetch updates. After a few days you
notice that some machines are failing to successfully download some, but not all, of their updates within the
maintenance window. The download URLs used for these updates are correctly listed in the proxy’s whitelist
configuration and you are able to access them manually using a web browser on the instances. What might be
happening? (Choose 2 answers)

A.
You are running the proxy on an undersized EC2 instance type so network throughput is not sufficient for all
instances to download their updates in time.

B.
You have not allocated enough storage to the EC2 instance running the proxy so the network buffer is filling
up, causing some requests to fail.

C.
You are running the proxy in a public subnet but have not allocated enough EIPs to support the needed
network throughput through the Internet Gateway (IGW)

D.
You are running the proxy on a sufficiently-sized EC2 instance in a private subnet and its network
throughput is being throttled by a NAT running on an undersized EC2 instance

E.
The route table for the subnets containing the affected EC2 instances is not configured to direct network
traffic for the software update locations to the proxy.
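
The throughput scenarios in options A and D can be checked with a small capacity model. This is an added example, not part of the original question; the hop capacities and the three-updates-per-instance figure are constructed, and the egress path is assumed to be shared equally among instances.

```python
# Added example: throughput model for a single egress proxy.
# All hop capacities and updates-per-instance figures below are constructed.

MB_BITS = 8 * 10**6  # bits in one decimal megabyte


def required_gbps(instances, update_mb, window_s, updates_each=1):
    """Aggregate rate needed for every instance to finish inside the window."""
    return instances * updates_each * update_mb * MB_BITS / window_s / 1e9


def bottleneck(hops_gbps):
    """Hops sit in series, so the slowest one caps the whole egress path."""
    name = min(hops_gbps, key=hops_gbps.get)
    return name, hops_gbps[name]


def updates_finished(instances, update_mb, window_s, hops_gbps, updates_each):
    """Whole updates each instance completes, assuming the path is shared
    equally and each instance downloads its updates one after another."""
    _, path_gbps = bottleneck(hops_gbps)
    per_instance_bps = path_gbps * 1e9 / instances
    seconds_per_update = update_mb * MB_BITS / per_instance_bps
    return min(updates_each, int(window_s // seconds_per_update))


# Figures from the question: 500 instances, 200 MB updates, 10-minute window.
FLEET, SIZE_MB, WINDOW_S = 500, 200, 600

# Constructed scenarios (Gbit/s per hop); 3 updates per instance is assumed.
SCENARIOS = {
    "small proxy, public subnet": {"proxy": 3.0},
    "large proxy behind small NAT": {"proxy": 10.0, "nat_instance": 3.0},
    "large proxy, public subnet": {"proxy": 10.0},
}

if __name__ == "__main__":
    need = required_gbps(FLEET, SIZE_MB, WINDOW_S, updates_each=3)
    print(f"required: {need:.2f} Gbit/s")
    for label, hops in SCENARIOS.items():
        hop, cap = bottleneck(hops)
        done = updates_finished(FLEET, SIZE_MB, WINDOW_S, hops, 3)
        print(f"{label}: capped at {cap} Gbit/s by {hop}, {done}/3 updates done")
```

In the second scenario the proxy is large enough on its own, but the NAT hop caps the path, so resizing only the proxy changes nothing.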




KwagongMakisig

It's A&D

Downloaded file will not be saved on the proxy EC2 instance, so I don't see why storage will matter.
D is a possible configuration as the proxy although it is in private subnet, will get internet connectivity via a NAT instance (well assumingly this is not one of those trick questions, and NAT is properly placed in the public subnet with access to IGW)

Amit

With Proxy in place you may not require a NAT instance

Chef

I like A and B.

kirrim

I like A and D.

The question does not specify whether the proxy is in a public subnet. Surely, you would configure the proxy in a public subnet, right? If you did that, then A would be the most likely answer, just size up the instance and see if that helps.

But, if this was engineered less than optimally with the proxy in a private subnet, then you’d have to also have the proxy pass traffic through a NAT instance/gateway, in which the throughput on that device could still be a bottleneck, even if you scaled up the proxy.

The only way I can see B coming into play is if the proxy is also serving a cache function (not uncommon for patch updates through a proxy?), but the question does not state this to be the case. (Even if it were stated that the proxy is serving a cache role, which is not stated, and you assume there is not enough disk for the cache, I’m not sure I would say this would result in a “network buffer filling up, causing some requests to fail”. It would be the cache storage buffer filling up. And the lack of cache storage would likely not be observed with requests failing altogether, more likely just with patch downloads taking too long and running on past the maintenance window, due to too many devices trying to talk through a single proxy instance. Which takes us straight back to A.)

DaDA

thank you, I think so

vladam

A and D are the right answers.

I agree with kirrim’s explanation. Running out of buffer should not cause some of the updates failing. This rules out B.

Homer

Bandwidth needed to download the update: 10 mins to download 200MB * 500 Instances, that’s 167MB/s, or 1.5Gb/s.

I tested downloading files from Microsoft on us-east-1, us-east-2, us-west-1 and us-west-2, the best result I got was around 125MB/s. I guess proxy cache is a must if you want to finish all updates in 10 mins window, unless the updates are hosted in the same regions.

Amit

With all reasoning above my response would be A and D
The plausible answers are A, B and D

The issue with B is network buffer will not overflow because of storage, if it was adequate RAM then it would have made at least some sense