AWS SAP-C02 Tutorial 3 -- Network Resources


Networking is an indispensable part of architecture design, and AWS has its own network structure and network products. This chapter walks through the different AWS network products, shows where compute, storage and other resources sit in the network architecture, and how to let them communicate with the internet and with other products. The figure below places the SAP-relevant network components on one diagram, showing where each sits in AWS Cloud and roughly what it does.
[Figure: overview of the SAP-C02 network components and their positions in AWS Cloud]
From the figure above we can roughly group the network components into three categories: internal networking, internet-related, and connections to on-premises data centers.

1 Internal Networking

1.1 Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you launch AWS resources in a logically isolated virtual network that you define. This virtual network closely resembles a traditional network that you would operate in your own data center, with the benefit of using the scalable infrastructure of AWS. Most of the compute and storage resources you create must live in a VPC (apart from the public services).
Alibaba Cloud equivalent: Virtual Private Cloud (VPC)

1.1.1 Basic Concepts

  • CIDR block: a basic networking concept introduced to replace classful addressing. 192.168.0.0/24 denotes a range of IP addresses, not a single IP address.
  • Private IP: a basic networking concept; three address ranges are currently reserved as private IP addresses.

1.1.2 Components of a VPC

  • A VPC has one CIDR block, assigned when it is created
  • Subnets: a VPC is divided into multiple subnets for network planning and grouping; a subnet's range must lie within the VPC's CIDR. Subnets are either private or public; in the figure above the EC2 instance is in a private subnet while the NAT is in a public subnet.
  • Route table: used to route traffic between the VPC and destinations outside it
  • ENI (Elastic Network Interface): a virtual network interface that can be attached to an instance in the VPC

Example question: An organization is planning to host a Wordpress blog as well as joomla CMS on a single instance launched with VPC. The organization wants to create separate domains for each application using Route 53. The organization may have about ten instances each with these two applications. While launching each instance, the organization configured two separate network interfaces (primary + secondary ENI) with their own Elastic IPs to the instance. The suggestion was to use a public IP from AWS instead of an Elastic IP as the number of elastic IPs allocation per region is restricted in the account.
What action will you recommend to the organization?
A. Only Elastic IP can be used by requesting limit increase, since AWS does not assign a public IP to an instance with multiple ENIs.
B. AWS VPC does not attach a public IP to an ENI; so the only way is to use an Elastic IP.
C. I agree with the suggestion but will prefer that the organization should use separate subnets with each ENI for different public IPs.
D. I agree with the suggestion and it is recommended to use a public IP from AWS since the organization is going to use DNS with Route 53.
Answer: A
Explanation: a user can attach at most two ENIs to one instance, but when two ENIs are attached to a single instance, AWS cannot assign a public IP. Allocating Elastic IPs is recommended in this scenario (EIPs are of course also limited to 5 per region).

1.1.3 Network Controls

  • NACL: a network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level. You can use the VPC's default network ACL or create a custom network ACL for the VPC with rules similar to your security group rules, adding an extra layer of security to the VPC. Note: NACLs are stateless (which means rules must be defined for both inbound and outbound traffic).

Example question: A company has developed a web application. The company is hosting the application on a group of Amazon EC2 instances behind an Application Load Balancer.
The company wants to improve the security posture of the application and plans to use AWS WAF web ACLs. The solution must not adversely affect legitimate traffic to the application.
How should a solutions architect configure the web ACLs to meet these requirements?
A. Set the action of the web ACL rules to Count. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Count to Block.
B. Use only rate-based rules in the web ACLs, and set the throttle limit as high as possible. Temporarily block all requests that exceed the limit. Define nested rules to narrow the scope of the rate tracking.
C. Set the action of the web ACL rules to Block. Use only AWS managed rule groups in the web ACLs. Evaluate the rule groups by using Amazon CloudWatch metrics with AWS WAF sampled requests or AWS WAF logs.
D. Use only custom rule groups in the web ACLs, and set the action to Allow. Enable AWS WAF logging. Analyze the requests for false positives. Modify the rules to avoid any false positive. Over time, change the action of the web ACL rules from Allow to Block.
Answer: A
Explanation: the question asks to add WAF web ACLs without affecting existing traffic (essentially the worry is getting a rule wrong). The least disruptive approach is to observe current usage first (with the Count action) and only then enforce rules. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/waf-analyze-count-action-rules/

  • Security groups: these are not a VPC component; they come with EC2, ALB and so on, and are also used to control network access. Note: security groups are stateful (which means once inbound traffic is allowed, the response is allowed automatically).

Example question: A company has an application that runs on Amazon EC2 instances. A solutions architect is designing VPC infrastructure in an AWS Region where the application needs to access an Amazon Aurora DB Cluster. The EC2 instances are all associated with the same security group. The DB cluster is associated with its own security group.
The solutions architect needs to add rules to the security groups to provide the application with least privilege access to the DB Cluster.
Which combination of steps will meet these requirements? (Choose two.)
A. Add an inbound rule to the EC2 instances’ security group. Specify the DB cluster’s security group as the source over the default Aurora port.
B. Add an outbound rule to the EC2 instances’ security group. Specify the DB cluster’s security group as the destination over the default Aurora port.
C. Add an inbound rule to the DB cluster’s security group. Specify the EC2 instances’ security group as the source over the default Aurora port.
D. Add an outbound rule to the DB cluster’s security group. Specify the EC2 instances’ security group as the destination over the default Aurora port.
E. Add an outbound rule to the DB cluster’s security group. Specify the EC2 instances’ security group as the destination over the ephemeral ports.
Answer: BC
Explanation: the question asks to control the traffic from the EC2 instances in the VPC to the DB. That requires an outbound rule on the EC2 side and an inbound rule on the DB side, so B and C.

1.1.4 VPC Flow Logs

With VPC Flow Logs you can capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs, Amazon S3 or Amazon Kinesis Data Firehose, which lets you:

  • Diagnose overly restrictive security group rules
  • Monitor the traffic reaching your instances
  • Determine the direction of traffic to and from network interfaces

1.1.4.1 Basic Features

  • Supports Elastic Load Balancing, Amazon RDS, Amazon ElastiCache, Amazon Redshift, Amazon WorkSpaces, NAT Gateway and Transit Gateway
  • For the log fields, see "Available fields": https://docs.aws.amazon.com/zh_cn/vpc/latest/userguide/flow-logs.html
  • Results can be sent to CloudWatch Logs, S3, Kinesis Data Firehose or Athena (not CloudTrail)
  • Prefix lists: a set of one or more CIDR blocks. Prefix lists make security groups and route tables easier to configure and maintain: you create a prefix list from frequently used IP addresses and reference it as a set in security group rules and routes

Example question: A company has an organization in AWS Organizations that has a large number of AWS accounts. One of the AWS accounts is designated as a transit account and has a transit gateway that is shared with all of the other AWS accounts. AWS Site-to-Site VPN connections are configured between all of the company’s global offices and the transit account. The company has AWS Config enabled on all of its accounts.
The company’s networking team needs to centrally manage a list of internal IP address ranges that belong to the global offices. Developers will reference this list to gain access to their applications securely.
Which solution meets these requirements with the LEAST amount of operational overhead?
A. Create a JSON file that is hosted in Amazon S3 and that lists all of the internal IP address ranges. Configure an Amazon Simple Notification Service (Amazon SNS) topic in each of the accounts that can be invoked when the JSON file is updated. Subscribe an AWS Lambda function to the SNS topic to update all relevant security group rules with the updated IP address ranges.
B. Create a new AWS Config managed rule that contains all of the internal IP address ranges. Use the rule to check the security groups in each of the accounts to ensure compliance with the list of IP address ranges. Configure the rule to automatically remediate any noncompliant security group that is detected.
C. In the transit account, create a VPC prefix list with all of the internal IP address ranges. Use AWS Resource Access Manager to share the prefix list with all of the other accounts. Use the shared prefix list to configure security group rules in the other accounts.
D. In the transit account, create a security group with all of the internal IP address ranges. Configure the security groups in the other accounts to reference the transit account’s security group by using a nested security group reference of “/sg-1a2b3c4d”.
Answer: C
Explanation: reference: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html

Example question: A company has an organization that has many AWS accounts in AWS Organizations. A solutions architect must improve how the company manages common security group rules for the AWS accounts in the organization.
The company has a common set of IP CIDR ranges in an allow list in each AWS account to allow access to and from the company’s on-premises network.
Developers within each account are responsible for adding new IP CIDR ranges to their security groups. The security team has its own AWS account. Currently, the security team notifies the owners of the other AWS accounts when changes are made to the allow list.
The solutions architect must design a solution that distributes the common set of CIDR ranges across all accounts.
Which solution meets these requirements with the LEAST amount of operational overhead?
A. Set up an Amazon Simple Notification Service (Amazon SNS) topic in the security team’s AWS account. Deploy an AWS Lambda function in each AWS account. Configure the Lambda function to run every time an SNS topic receives a message. Configure the Lambda function to take an IP address as input and add it to a list of security groups in the account. Instruct the security team to distribute changes by publishing messages to its SNS topic.
B. Create new customer-managed prefix lists in each AWS account within the organization. Populate the prefix lists in each account with all internal CIDR ranges. Notify the owner of each AWS account to allow the new customer-managed prefix list IDs in their accounts in their security groups. Instruct the security team to share updates with each AWS account owner.
C. Create a new customer-managed prefix list in the security team’s AWS account. Populate the customer-managed prefix list with all internal CIDR ranges. Share the customer-managed prefix list with the organization by using AWS Resource Access Manager. Notify the owner of each AWS account to allow the new customer-managed prefix list ID in their security groups.
D. Create an IAM role in each account in the organization. Grant permissions to update security groups. Deploy an AWS Lambda function in the security team’s AWS account. Configure the Lambda function to take a list of internal IP addresses as input, assume a role in each organization account, and add the list of IP addresses to the security groups in each account.
Answer: C
Explanation: reference: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html

1.1.4.2 Typical Architecture

Note: with CloudWatch Logs and the available fields you can query the traffic as needed and go on to confirm whether there is a configuration problem
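As an added example (not from the original tutorial), the following Python parses default-format VPC Flow Log records and applies two of the checks described above: it counts rejected inbound flows per port, and it spots a request that was accepted while its reply was rejected, which is the signature of a stateless NACL lacking an outbound ephemeral-port rule (a stateful security group would have allowed the reply). The sample records, account id and ENI ids are constructed.

```python
"""Parse default-format VPC Flow Log records and spot two common problems.

Added example using constructed sample records (not data from the tutorial).
Default version-2 format, space separated:
  version account-id interface-id srcaddr dstaddr srcport dstport protocol
  packets bytes start end action log-status
"""
from collections import Counter
from dataclasses import dataclass

PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    action: str  # ACCEPT or REJECT

    def key(self):
        return (self.interface_id, self.srcaddr, self.dstaddr,
                self.srcport, self.dstport, self.protocol)

    def reverse_key(self):
        """5-tuple of the reply flow, used to pair a request with its reply."""
        return (self.interface_id, self.dstaddr, self.srcaddr,
                self.dstport, self.srcport, self.protocol)


def parse_record(line):
    """Parse one line; return None for NODATA/SKIPDATA records (fields are '-')."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        raise ValueError(f"not a version-2 default-format record: {line!r}")
    if f[13] != "OK":
        return None
    return FlowRecord(interface_id=f[2], srcaddr=f[3], dstaddr=f[4],
                      srcport=int(f[5]), dstport=int(f[6]),
                      protocol=int(f[7]), action=f[12])


def parse_records(lines):
    return [r for r in (parse_record(line) for line in lines if line.strip()) if r]


def rejected_inbound_by_port(records, eni_private_ips):
    """Count REJECTed flows arriving at each ENI, keyed by (eni, proto, dstport).

    eni_private_ips maps interface-id -> primary private IPv4 of that ENI, so a
    record is inbound when dstaddr is the ENI's own address.
    """
    counts = Counter()
    for r in records:
        if r.action == "REJECT" and eni_private_ips.get(r.interface_id) == r.dstaddr:
            proto = PROTOCOL_NAMES.get(r.protocol, str(r.protocol))
            counts[(r.interface_id, proto, r.dstport)] += 1
    return counts


def rejected_return_traffic(records):
    """Find REJECT records whose reverse flow was ACCEPTed on the same ENI.

    A request that is accepted while its reply is rejected points at a
    stateless network ACL without a matching outbound (ephemeral-port) rule:
    a security group is stateful and would have allowed the reply itself.
    """
    accepted = {r.key() for r in records if r.action == "ACCEPT"}
    return [r for r in records if r.action == "REJECT" and r.reverse_key() in accepted]


# Constructed sample: one ENI at 10.10.1.15 in a placeholder account.
SAMPLE_ENI_IPS = {"eni-0a1b2c3d4e5f60001": "10.10.1.15"}
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 203.0.113.12 10.10.1.15 49152 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.1.15 203.0.113.12 22 49152 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.10.1.15 51234 3389 6 8 480 1418530100 1418530150 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.10.1.15 51235 3389 6 8 480 1418530100 1418530150 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.2.40 10.10.1.15 40001 3306 6 8 480 1418530100 1418530150 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1418530200 1418530260 - NODATA
"""


def main():
    records = parse_records(SAMPLE_LOG.splitlines())
    for (eni, proto, port), n in sorted(rejected_inbound_by_port(records, SAMPLE_ENI_IPS).items()):
        print(f"{eni} {proto}/{port}: {n} rejected inbound flow(s)")
    for r in rejected_return_traffic(records):
        print(f"reply {r.srcaddr}:{r.srcport} -> {r.dstaddr}:{r.dstport} rejected after the "
              "request was accepted: check NACL outbound ephemeral-port rules")


if __name__ == "__main__":
    main()
```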

1.2 VPC Peering

When you want two VPCs to talk to each other, one option is to give each VPC a NAT for public internet access and then let them reach each other over the public internet. If you would rather stay on the AWS internal network instead, VPC Peering is the choice. VPC Peering (a VPC peering connection) is a network connection between two VPCs that lets you route traffic between them privately.

Example question: A software company hosts an application on AWS with resources in multiple AWS accounts and Regions. The application runs on a group of Amazon EC2 instances in an application VPC located in the us-east-1 Region with an IPv4 CIDR block of 10.10.0.0/16. In a different AWS account, a shared services VPC is located in the us-east-2 Region with an IPv4 CIDR block of 10.10.10.0/24. When a cloud engineer uses AWS CloudFormation to attempt to peer the application VPC with the shared services VPC, an error message indicates a peering failure.
Which factors could cause this error? (Choose two.)
A. The IPv4 CIDR ranges of the two VPCs overlap
B. The VPCs are not in the same Region
C. One or both accounts do not have access to an Internet gateway
D. One of the VPCs was not shared through AWS Resource Access Manager
E. The IAM role in the peer accepter account does not have the correct permissions
Answer: AE
Explanation: reference: https://repost.aws/zh-Hans/knowledge-center/cloudformation-vpc-peering-error

1.2.1 Basic Features

  • VPCs joined by VPC Peering must have non-overlapping CIDRs. (This comes up often in the exam: if VPCs need to communicate but their CIDRs overlap, VPC Peering cannot be used.)
  • Not transitive: if A peers with B and A peers with C, B and C still cannot communicate unless B and C are also peered.
  • VPC Peering works across accounts
  • VPC Peering cannot share edge routing (VPN, Direct Connect, gateway endpoints, NAT gateways and so on). (This comes up often in the exam: when on-premises needs to reach several VPCs on AWS through a VPN, those VPCs cannot rely on VPC Peering.)
  • Client VPN endpoint: can be configured to reach peered VPCs

Example question: A company has introduced a new policy that allows employees to work remotely from their homes if they connect by using a VPN. The company is hosting internal applications with VPCs in multiple AWS accounts. Currently, the applications are accessible from the company’s on-premises office network through an AWS Site-to-Site VPN connection. The VPC in the company’s main AWS account has peering connections established with VPCs in other AWS accounts.
A solutions architect must design a scalable AWS Client VPN solution for employees to use while they work from home.
What is the MOST cost-effective solution that meets these requirements?
A. Create a Client VPN endpoint in each AWS account. Configure required routing that allows access to internal applications.
B. Create a Client VPN endpoint in the main AWS account. Configure required routing that allows access to internal applications.
C. Create a Client VPN endpoint in the main AWS account. Provision a transit gateway that is connected to each AWS account. Configure required routing that allows access to internal applications.
D. Create a Client VPN endpoint in the main AWS account. Establish connectivity between the Client VPN endpoint and the AWS Site-to-Site VPN.
Answer: B
Explanation: reference: https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/scenario-peered.html

1.2.2 Typical Architecture

  • Connecting multiple VPCs to each other

1.3 Transit Gateway

VPC Peering connects VPCs, but it leaves two problems unsolved: overlapping CIDRs, and the inability to share edge routing (VPN, Direct Connect, gateway endpoints, NAT gateways and so on). So what is a better way?
One approach is to define a shared VPC of your own and forward traffic into it, but then you have to keep that shared VPC highly available and pay for the bandwidth. AWS now offers a service for exactly this: Transit Gateway. A Transit Gateway connects Virtual Private Clouds (VPCs) and on-premises networks, acting as a central hub that routes traffic between VPCs, VPN connections and AWS Direct Connect connections.

1.3.1 Basic Features

  • Hub-and-spoke (star) architecture
  • Works across regions
  • Can be shared with other accounts through RAM
  • Has route tables that control access between VPCs (attaching to a Transit Gateway does not by itself mean the VPCs can all reach each other; the routes must be configured)
  • Can share edge routing (VPN, Direct Connect, gateway endpoints, NAT gateways and so on) (when an exam question involves an on-premises network and multiple VPCs in AWS Cloud, Transit Gateway is usually the answer)

Example question: Example Corp. has an on-premises data center and a VPC named VPC A in the Example Corp. AWS account. The on-premises network connects to VPC A through an AWS Site-To-Site VPN. The on-premises servers can properly access VPC A. Example Corp. just acquired AnyCompany, which has a VPC named VPC B. There is no IP address overlap among these networks. Example Corp. has peered VPC A and VPC B.
Example Corp. wants to connect from its on-premise servers to VPC B. Example Corp. has properly set up the network ACL and security groups.
Which solution will meet this requirement with the LEAST operational effort?
A. Create a transit gateway. Attach the Site-to-Site VPN, VPC A, and VPC B to the transit gateway. Update the transit gateway route tables for all networks to add IP range routes for all other networks.
B. Create a transit gateway. Create a Site-to-Site VPN connection between the on-premises network and VPC B, and connect the VPN connection to the transit gateway. Add a route to direct traffic to the peered VPCs, and add an authorization rule to give clients access to the VPCs A and B.
C. Update the route tables for the Site-to-Site VPN and both VPCs for all three networks. Configure BGP propagation for all three networks. Wait for up to 5 minutes for BGP propagation to finish.
D. Modify the Site-to-Site VPN’s virtual private gateway definition to include VPC A and VPC B. Split the two routers of the virtual private getaway between the two VPCs.
Answer: A
Explanation: Option B: when you create a Site-to-Site VPN connection it is between two entities (here, on-premises and VPC B). The option says to connect on-premises to VPC B with Site-to-Site VPN and then connect that to the TGW, but a connection from on-premises to a VPC that is itself connected to the TGW is not possible (that would be three entities). Option C: there is no transitivity on AWS; the Site-to-Site VPN cannot reach VPC B through VPC A. Option D: you cannot "split" the routers (there is no such thing); a VGW is attached to a single VPC and Site-to-Site VPN does not support VPC multiplexing. So option A fits best.

Example question: A company uses AWS CloudFormation to deploy applications within multiple VPCs that are all attached to a transit gateway. Each VPC that sends traffic to the public internet must send the traffic through a shared services VPC. Each subnet within a VPC uses the default VPC route table, and the traffic is routed to the transit gateway. The transit gateway uses its default route table for any VPC attachment.
A security audit reveals that an Amazon EC2 instance that is deployed within a VPC can communicate with an EC2 instance that is deployed in any of the company’s other VPCs. A solutions architect needs to limit the traffic between the VPCs. Each VPC must be able to communicate only with a predefined, limited set of authorized VPCs.
What should the solutions architect do to meet these requirements?
A. Update the network ACL of each subnet within a VPC to allow outbound traffic only to the authorized VPCs. Remove all deny rules except the default deny rule.
B. Update all the security groups that are used within a VPC to deny outbound traffic to security groups that are used within the unauthorized VPCs.
C. Create a dedicated transit gateway route table for each VPC attachment. Route traffic only to the authorized VPCs.
D. Update the main route table of each VPC to route traffic only to the authorized VPCs through the transit gateway.
Answer: C
Explanation: the question asks to restrict access between VPCs, and controlling that through the transit gateway route tables is the best option, so C.

  • Supports IP multicast

1.3.2 Typical Architecture

  • Controlling access between the internal network and the Internet with a shared VPC plus a Transit Gateway

Example question: A large company runs workloads in VPCs that are deployed across hundreds of AWS accounts. Each VPC consists of public subnets and private subnets that span across multiple Availability Zones. NAT gateways are deployed in the public subnets and allow outbound connectivity to the internet from the private subnets.
A solutions architect is working on a hub-and-spoke design. All private subnets in the spoke VPCs must route traffic to the internet through an egress VPC. The solutions architect already has deployed a NAT gateway in an egress VPC in a central AWS account.
Which set of additional steps should the solutions architect take to meet these requirements?
A. Create peering connections between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.
B. Create a transit gateway, and share it with the existing AWS accounts. Attach existing VPCs to the transit gateway. Configure the required routing to allow access to the internet.
C. Create a transit gateway in every account. Attach the NAT gateway to the transit gateways. Configure the required routing to allow access to the internet.
D. Create an AWS PrivateLink connection between the egress VPC and the spoke VPCs. Configure the required routing to allow access to the internet.
Answer: B
Explanation: reference: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/centralized-egress-to-internet.html

1.4 VPC Endpoints

AWS Cloud has many public services (S3, DynamoDB, CloudWatch, Athena and so on) that do not live inside any particular VPC, nor on the external network. So how do resources inside a VPC reach these services? Endpoints are what you use to access AWS services.
See https://docs.aws.amazon.com/zh_cn/vpc/latest/privatelink/aws-services-privatelink-support.html to look up the endpoint addresses of the supported services.

Example question: A company has many services running in its on-premises data center. The data center is connected to AWS using AWS Direct Connect (DX) and an IPSec VPN.
The service data is sensitive and connectivity cannot traverse the internet. The company wants to expand into a new market segment and begin offering its services to other companies that are using AWS.
Which solution will meet these requirements?
A. Create a VPC Endpoint Service that accepts TCP traffic, host it behind a Network Load Balancer, and make the service available over DX.
B. Create a VPC Endpoint Service that accepts HTTP or HTTPS traffic, host it behind an Application Load Balancer, and make the service available over DX.
C. Attach an internet gateway to the VPC, and ensure that network access control and security group rules allow the relevant inbound and outbound traffic.
D. Attach a NAT gateway to the VPC, and ensure that network access control and security group rules allow the relevant inbound and outbound traffic.
Answer: A
Explanation: the question asks to offer services in the on-premises data center to services on AWS without going over the public internet, so an Endpoint Service is the best fit. An Endpoint Service only supports traffic carried over TCP, so option A.

1.4.1 Basic Concepts

  • There are two kinds, interface endpoints and gateway endpoints. An interface endpoint can reach every service but offers only ordinary security; a gateway endpoint can only reach S3 and DynamoDB and offers better security, but on-premises cannot reach services through a gateway endpoint. (This comes up often in the exam.)

Example question: A team collects and routes behavioral data for an entire company. The company runs a Multi-AZ VPC environment with public subnets, private subnets, and an internet gateway. Each public subnet also contains a NAT gateway. Most of the company’s applications read from and write to Amazon Kinesis Data Streams.
Most of the workloads run in private subnets.
A solutions architect must review the infrastructure. The solution architect needs to reduce costs and maintain the function of the applications. The solutions architect uses Cost Explorer and notices that the cost in the EC2-Other category is consistently high. A further review shows that NatGateway-Bytes charges are increasing the cost in the EC2-Other category.
What should the solutions architect do to meet these requirements?
A. Enable VPC Flow Logs. Use Amazon Athena to analyze the logs for traffic that can be removed. Ensure that security groups are blocking traffic that is responsible for high costs.
B. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that applications have the correct IAM permissions to use the interface VPC endpoint.
C. Enable VPC Flow Logs and Amazon Detective. Review Detective findings for traffic that is not related to Kinesis Data Streams. Configure security groups to block that traffic.
D. Add an interface VPC endpoint for Kinesis Data Streams to the VPC. Ensure that the VPC endpoint policy allows traffic from the applications.
Answer: D
Explanation: the question is mainly about cutting network costs, so traffic should stay on the internal network, which calls for an interface VPC endpoint. The difference between IAM and the endpoint policy is that IAM controls users and applications while the endpoint policy controls the traffic that flows to the endpoint; this question is about traffic control, so D.

Example question: A company is hosting an image-processing service on AWS in a VPC. The VPC extends across two Availability Zones. Each Availability Zone contains one public subnet and one private subnet.
The service runs on Amazon EC2 instances in the private subnets. An Application Load Balancer in the public subnets is in front of the service. The service needs to communicate with the internet and does so through two NAT gateways. The service uses Amazon S3 for image storage. The EC2 instances retrieve approximately 1 TB of data from an S3 bucket each day.
The company has promoted the service as highly secure. A solutions architect must reduce cloud expenditures as much as possible without compromising the service’s security posture or increasing the time spent on ongoing operations.
Which solution will meet these requirements?
A. Replace the NAT gateways with NAT instances. In the VPC route table, create a route from the private subnets to the NAT instances.
B. Move the EC2 instances to the public subnets. Remove the NAT gateways.
C. Set up an S3 gateway VPC endpoint in the VPC. Attach an endpoint policy to the endpoint to allow the required actions on the S3 bucket.
D. Attach an Amazon Elastic File System (Amazon EFS) volume to the EC2 instances. Host the image on the EFS volume.
Answer: C
Explanation: the question asks to cut costs; access currently goes through NAT to the internet and should instead go over the internal network, so use a gateway VPC endpoint.

Example question: A company is migrating a legacy application from an on-premises data center to AWS. The application uses MongoDB as a key-value database. According to the company’s technical guidelines, all Amazon EC2 instances must be hosted in a private subnet without an internet connection. In addition, all connectivity between applications and databases must be encrypted. The database must be able to scale based on demand.
Which solution will meet these requirements?
A. Create new Amazon DocumentDB (with MongoDB compatibility) tables for the application with Provisioned IOPS volumes. Use the instance endpoint to connect to Amazon DocumentDB.
B. Create new Amazon DynamoDB tables for the application with on-demand capacity. Use a gateway VPC endpoint for DynamoDB to connect to the DynamoDB tables.
C. Create new Amazon DynamoDB tables for the application with on-demand capacity. Use an interface VPC endpoint for DynamoDB to connect to the DynamoDB tables.
D. Create new Amazon DocumentDB (with MongoDB compatibility) tables for the application with Provisioned IOPS volumes. Use the cluster endpoint to connect to Amazon DocumentDB.
Answer: B
Explanation: the question asks to migrate from MongoDB to AWS with secure transport between EC2 and the database after migration. MongoDB is a key-value store, so either DynamoDB or DocumentDB would do, but secure transport is needed, which points to a gateway VPC endpoint (supported only for S3 and DynamoDB). So option B.

Example question: A company is running an application in the AWS Cloud. The application consists of microservices that run on a fleet of Amazon EC2 instances in multiple Availability Zones behind an Application Load Balancer. The company recently added a new REST API that was implemented in Amazon API Gateway. Some of the older microservices that run on EC2 instances need to call this new API.
The company does not want the API to be accessible from the public internet and does not want proprietary data to traverse the public internet.
What should a solutions architect do to meet these requirements?
A. Create an AWS Site-to-Site VPN connection between the VPC and the API Gateway. Use API Gateway to generate a unique API key for each microservice. Configure the API methods to require the key.
B. Create an interface VPC endpoint for API Gateway, and set an endpoint policy to only allow access to the specific API. Add a resource policy to API Gateway to only allow access from the VPC endpoint. Change the API Gateway endpoint type to private.
C. Modify the API Gateway to use IAM authentication. Update the IAM policy for the IAM role that is assigned to the EC2 instances to allow access to the API Gateway. Move the API Gateway into a new VPC. Deploy a transit gateway and connect the VPCs.
D. Create an accelerator in AWS Global Accelerator, and connect the accelerator to the API Gateway. Update the route table for all VPC subnets with a route to the created Global Accelerator endpoint IP address. Add an API key for each service to use for authentication.
Answer: B
Explanation: EC2 must reach an API deployed on AWS without going over the public internet, so an endpoint is needed and the API must be private; option B.

  • A gateway endpoint requires a route table entry

1.4.2 Endpoint Policy

Access control can be applied by configuring the endpoint's policy
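As an added example (not from the original tutorial), the following Python shows how an endpoint policy acts as a second filter after IAM: a constructed S3 gateway endpoint policy admits only one bucket, and a simplified Allow/Deny evaluator checks requests against it and against the caller's identity policy. The bucket name, the instance role policy and the evaluator itself are assumptions for illustration, not the real IAM engine.

```python
"""Evaluate a VPC endpoint policy for requests that travel through the endpoint.

Added example, not taken from the tutorial. ENDPOINT_POLICY is a constructed
S3 gateway endpoint policy (bucket name is a placeholder) that only lets
traffic through to one bucket. The evaluator is a simplified model of the
IAM decision: an explicit Deny wins, otherwise some Allow must match. It
ignores Principal and Condition (every statement here uses Principal "*").
An endpoint policy is a second filter on top of the caller's IAM
permissions: a request succeeds only if both documents allow it.
"""
import fnmatch
import json

ENDPOINT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowImageBucketOnly",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-image-bucket",
                   "arn:aws:s3:::example-image-bucket/*"]
    }
  ]
}
""")

# Constructed identity policy for the instance role: broad S3 access, which
# on its own would let the instance read any bucket in the account.
INSTANCE_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action names are case-insensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _resource_matches(patterns, resource):
    # Resource ARNs are case-sensitive; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(resource, p) for p in _as_list(patterns))


def is_allowed(policy, action, resource):
    """Simplified policy decision for one (action, resource) pair."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt.get("Action", []), action):
            continue
        if not _resource_matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides any Allow
        allowed = True
    return allowed


def request_passes(identity_policy, endpoint_policy, action, resource):
    """A request through the endpoint needs an Allow from both documents."""
    return (is_allowed(identity_policy, action, resource)
            and is_allowed(endpoint_policy, action, resource))


def main():
    checks = [
        ("s3:GetObject", "arn:aws:s3:::example-image-bucket/cat.jpg"),
        ("s3:GetObject", "arn:aws:s3:::some-other-bucket/secret.txt"),
        ("s3:DeleteObject", "arn:aws:s3:::example-image-bucket/cat.jpg"),
    ]
    for action, resource in checks:
        iam = is_allowed(INSTANCE_ROLE_POLICY, action, resource)
        ep = is_allowed(ENDPOINT_POLICY, action, resource)
        verdict = "allowed" if iam and ep else "blocked"
        print(f"{action:16} {resource:48} IAM={iam!s:5} endpoint={ep!s:5} {verdict}")


if __name__ == "__main__":
    main()
```

The second and third checks are allowed by the instance role but blocked by the endpoint policy, which is exactly the separation of concerns the exam question above relies on.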

1.4.3 Typical Architecture

  • Tracing the path from an EC2 instance to S3 (note: the exam asks what to check when the network cannot be reached)

1.5 PrivateLink

Endpoints are for reaching AWS public services; when we want resources inside our own VPC to be offered as a service to other VPCs, we need PrivateLink. AWS PrivateLink is a highly available, scalable technology that you can use to privately connect your VPC to services as if they were in your own VPC. You do not need an internet gateway, NAT device, public IP address, AWS Direct Connect connection or AWS Site-to-Site VPN connection to allow communication with services in private subnets, so you control the specific API endpoints, sites and services that are reachable from your VPC. (Note: if an exam question has VPC-internal resources that need to be offered as a service, the answer is always PrivateLink.)

Example question: A company wants to use a third-party software-as-a-service (SaaS) application. The third-party SaaS application is consumed through several API calls. The third-party SaaS application also runs on AWS inside a VPC.
The company will consume the third-party SaaS application from inside a VPC. The company has internal security policies that mandate the use of private connectivity that does not traverse the internet. No resources that run in the company VPC are allowed to be accessed from outside the company’s VPC. All permissions must conform to the principles of least privilege.
Which solution meets these requirements?
A. Create an AWS PrivateLink interface VPC endpoint. Connect this endpoint to the endpoint service that the third-party SaaS application provides. Create a security group to limit the access to the endpoint. Associate the security group with the endpoint.
B. Create an AWS Site-to-Site VPN connection between the third-party SaaS application and the company VPC. Configure network ACLs to limit access across the VPN tunnels.
C. Create a VPC peering connection between the third-party SaaS application and the company VPC. Update route tables by adding the needed routes for the peering connection.
D. Create an AWS PrivateLink endpoint service. Ask the third-party SaaS provider to create an interface VPC endpoint for this endpoint service. Grant permissions for the endpoint service to the specific account of the third-party SaaS provider.
Answer: A
Explanation: an AWS-hosted service exposes an API that must be reached over the AWS internal network, which is the case of VPC-internal resources being offered as a service, so PrivateLink comes first. Only options A and D use it, and since the service lives with the third party, our endpoint must connect to the third party's endpoint service, so option A.

Example question: A company has multiple business units that each have separate accounts on AWS. Each business unit manages its own network with several VPCs that have CIDR ranges that overlap. The company’s marketing team has created a new internal application and wants to make the application accessible to all the other business units. The solution must use private IP addresses only.
Which solution will meet these requirements with the LEAST operational overhead?
A. Instruct each business unit to add a unique secondary CIDR range to the business unit’s VPC. Peer the VPCs and use a private NAT gateway in the secondary range to route traffic to the marketing team.
B. Create an Amazon EC2 instance to serve as a virtual appliance in the marketing account’s VPC. Create an AWS Site-to-Site VPN connection between the marketing team and each business unit’s VPC. Perform NAT where necessary.
C. Create an AWS PrivateLink endpoint service to share the marketing application. Grant permission to specific AWS accounts to connect to the service. Create interface VPC endpoints in other accounts to access the application by using private IP addresses.
D. Create a Network Load Balancer (NLB) in front of the marketing application in a private subnet. Create an API Gateway API. Use the Amazon API Gateway private integration to connect the API to the NLB. Activate IAM authorization for the API. Grant access to the accounts of the other business units.
Answer: C
Explanation: an internal service from one business unit must be consumed by the others. VPC-internal resources offered as a service is best done with PrivateLink, so option C. Option A, peering the VPCs, will not work because the CIDRs overlap; option B's Site-to-Site VPN is unnecessary since everything is internal; option D's NLB + API Gateway needlessly complicates the architecture.

1.5.1 Typical Architecture

  • Exposing internal resources to the Internet through PrivateLink + NLB + NAT

1.6 EIP (Elastic IP)

An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing. You can associate an Elastic IP address with any instance or network interface in any VPC in your account. With an Elastic IP address you can mask instance failures by quickly remapping the address to another instance in the VPC.

  • An Elastic IP address is a public IPv4 address reachable from the Internet
  • Associate an Elastic IP address with your instance to enable communication with the Internet
  • An Elastic IP address is static and does not change over time.
  • Every AWS account has a limit of five (5) Elastic IP addresses per region

1.7 Elastic Load Balancing

Load balancing should be familiar to everyone.
Elastic Load Balancing automatically distributes incoming traffic across multiple targets (such as EC2 instances, containers and IP addresses) in one or more Availability Zones. It monitors the health of registered targets, sends traffic only to healthy ones, and scales load balancer capacity in response to changes in incoming traffic. AWS offers three load balancers: CLB, ALB and NLB. CLB is not recommended and essentially never appears in the exam, so focus on the features of the other two.

1.7.1 ALB

  • Supports HTTP, HTTPS and WebSocket (exam questions use the protocol to decide which load balancer to pick)
  • Supports URL-based routing and dynamic port mapping
  • Has security groups, and WAF can be attached
  • Routing algorithms: round robin and least outstanding requests
  • Spans multiple AZs
  • Does not span multiple regions (when multiple regions appear in the exam, Route 53 is usually the answer)
  • Does not support Elastic IPs (exam questions use whether an Elastic IP must be attached to decide which load balancer to pick)

Example question: A telecommunications company is running an application on AWS. The company has set up an AWS Direct Connect connection between the company’s on-premises data center and AWS. The company deployed the application on Amazon EC2 instances in multiple Availability Zones behind an internal Application Load Balancer (ALB). The company’s clients connect from the on-premises network by using HTTPS. The TLS terminates in the ALB. The company has multiple target groups and uses path-based routing to forward requests based on the URL path.
The company is planning to deploy an on-premises firewall appliance with an allow list that is based on IP address. A solutions architect must develop a solution to allow traffic flow to AWS from the on-premises network so that the clients can continue to access the application.
Which solution will meet these requirements?
A. Configure the existing ALB to use static IP addresses. Assign IP addresses in multiple Availability Zones to the ALB. Add the ALB IP addresses to the firewall appliance.
B. Create a Network Load Balancer (NLB). Associate the NLB with one static IP address in multiple Availability Zones. Create an ALB-type target group for the NLB and add the existing ALB. Add the NLB IP addresses to the firewall appliance. Update the clients to connect to the NLB.
C. Create a Network Load Balancer (NLB). Associate the NLB with one static IP address in multiple Availability Zones. Add the existing target groups to the NLB. Update the clients to connect to the NLB. Delete the ALB. Add the NLB IP addresses to the firewall appliance.
D. Create a Gateway Load Balancer (GWLB). Assign static IP addresses to the GWLB in multiple Availability Zones. Create an ALB-type target group for the GWLB and add the existing ALB. Add the GWLB IP addresses to the firewall appliance. Update the clients to connect to the GWLB.
答案:B
Answer analysis: the application depends on ALB features (TLS termination, multiple target groups, path-based routing) that must be kept, and the new on-premises firewall allow-lists by IP address, so the AWS side needs static addresses. An ALB cannot be given static or Elastic IPs, which rules out A. The supported pattern is to place an NLB in front of the ALB: the NLB gets one Elastic IP per Availability Zone, the ALB is registered through an ALB-type target group, and the existing listeners and rules stay untouched. Option C deletes the ALB and with it the layer-7 routing; option D misuses a Gateway Load Balancer, which exists to insert inline appliances, not to front an ALB. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/alb-static-ip/

1.7.2 NLB

  • Layer 4: supports TCP, UDP and TLS (TLS termination for "secure TCP"), with very high throughput and low latency
  • Had no security groups until August 2023 (they are now optional at creation time), and still cannot be protected by AWS WAF; if WAF is required, the answer is an ALB, API Gateway or CloudFront in front
  • Routing algorithm: flow hash, so a given connection (5-tuple) always lands on the same target (note: the NLB does not support round robin or least outstanding requests; this appears in the exam)
  • Spans multiple AZs in one Region
  • Does not span Regions (when the exam mentions multiple Regions, the answer is usually Route 53)
  • Supports Elastic IPs: one static IP per Availability Zone, so partners can allow-list a handful of fixed addresses; it can also preserve the client's source IP towards the targets
  • Can use an ALB as a target (ALB-type target group), which is how you give an ALB static addresses

例题: A company is developing a new service that will be accessed using TCP on a static port. A Solutions Architect must ensure that the service is highly available, has redundancy across Availability Zones, and is accessible using the DNS name my.service.com, which is publicly accessible. The service must use fixed address assignments so other companies can add the addresses to their allow lists. Assuming that resources are deployed in multiple Availability Zones in a single Region, which solution will meet these requirements?
A. Create Amazon EC2 instances with an Elastic IP address for each instance. Create a Network Load Balancer (NLB) and expose the static TCP port.
Register EC2 instances with the NLB. Create a new name server record set named my.service.com, and assign the Elastic IP addresses of the EC2 instances to the record set. Provide the Elastic IP addresses of the EC2 instances to the other companies to add to their allow lists.
B. Create an Amazon ECS cluster and a service definition for the application. Create and assign public IP addresses for the ECS cluster. Create a Network Load Balancer (NLB) and expose the TCP port.
Create a target group and assign the ECS cluster name to the NLB. Create a new A record set named my.service.com, and assign the public IP addresses of the ECS cluster to the record set. Provide the public IP addresses of the ECS cluster to the other companies to add to their allow lists.
C. Create Amazon EC2 instances for the service. Create one Elastic IP address for each Availability Zone.
Create a Network Load Balancer (NLB) and expose the assigned TCP port.
Assign the Elastic IP addresses to the NLB for each Availability Zone.
Create a target group and register the EC2 instances with the NLB.
Create a new A (alias) record set named my.service.com, and assign the NLB DNS name to the record set.
D. Create an Amazon ECS cluster and a service definition for the application.
Create and assign public IP address for each host in the cluster. Create an Application Load Balancer (ALB) and expose the static TCP port.
Create a target group and assign the ECS service definition name to the ALB. Create a new CNAME record set and associate the public IP addresses to the record set. Provide the Elastic IP addresses of the Amazon EC2 instances to the other companies to add to their allow lists.
答案:C
Answer analysis: keywords: TCP, DNS name, fixed addresses, multiple Availability Zones in a single Region. The only ELB that load-balances raw TCP is the NLB, which rules out D (an ALB cannot expose a static TCP port, and a CNAME cannot point at IP addresses). When an NLB must present fixed addresses you allocate one Elastic IP per Availability Zone and attach it to the NLB's subnet mapping, then point an alias record at the NLB's DNS name. Options A and B hand the partners the addresses of individual instances or tasks, so every replacement would break the allow list, and a name server (NS) record cannot carry IP addresses anyway. Hence C.

2 Internet-facing components

2.1 NAT Gateway

A NAT gateway is a managed Network Address Translation (NAT) service. Instances in a private subnet can use it to reach services outside the VPC, while external services cannot initiate connections to those instances. It is not a firewall: security groups and network ACLs still decide what the instances may talk to.
When you create a NAT gateway you choose one of the following connectivity types:

  • Public (default): instances in private subnets reach the Internet through a public NAT gateway but cannot receive unsolicited inbound connections through it. A public NAT gateway is created in a public subnet and must be associated with an Elastic IP at creation time; that Elastic IP is the source address every external service sees, which is why "the provider allow-lists our IP" questions always end at a NAT gateway. Its traffic is routed to the VPC's Internet gateway, or, through a transit gateway or virtual private gateway, to other VPCs or on-premises networks.
  • Private: instances in private subnets reach other VPCs or your on-premises network through a private NAT gateway, with the traffic routed via a transit gateway or virtual private gateway (typically to hide overlapping private address space). A private NAT gateway cannot have an Elastic IP. You may attach an Internet gateway to a VPC that contains a private NAT gateway, but if you route traffic from the private NAT gateway to the Internet gateway, the Internet gateway drops it.
  • A NAT gateway lives in a single Availability Zone; deploy one per AZ and route each private subnet to the NAT gateway in its own AZ, otherwise an AZ outage takes down the egress of the other AZs as well

例题:An AWS customer has a web application that runs on premises. The web application fetches data from a third-party API that is behind a firewall. The third party accepts only one public CIDR block in each client’s allow list.
The customer wants to migrate their web application to the AWS Cloud. The application will be hosted on a set of Amazon EC2 instances behind an Application Load Balancer (ALB) in a VPC. The ALB is located in public subnets. The EC2 instances are located in private subnets. NAT gateways provide internet access to the private subnets.
How should a solutions architect ensure that the web application can continue to call the third-party API after the migration?
A. Associate a block of customer-owned public IP addresses to the VPC. Enable public IP addressing for public subnets in the VPC.
B. Register a block of customer-owned public IP addresses in the AWS account. Create Elastic IP addresses from the address block and assign them to the NAT gateways in the VPC.
C. Create Elastic IP addresses from the block of customer-owned IP addresses. Assign the static Elastic IP addresses to the ALB.
D. Register a block of customer-owned public IP addresses in the AWS account. Set up AWS Global Accelerator to use Elastic IP addresses from the address block. Set the ALB as the accelerator endpoint.
答案:B
Answer analysis: the EC2 instances call a third-party API that trusts only one public CIDR block. Their outbound traffic is source-NATed by the NAT gateways, so the third party sees the NAT gateways' Elastic IPs, never the instances' private addresses. With Bring Your Own IP (BYOIP) the customer registers its own public block in the account, allocates Elastic IPs from that block and attaches them to the NAT gateways, so the API keeps seeing addresses from the block it already allows. Options A, C and D all change addresses on the inbound side (public subnets, the ALB, Global Accelerator), which does nothing for the outbound calls. Hence B.

例题:A company is building a serverless application that runs on an AWS Lambda function that is attached to a VPC. The company needs to integrate the application with a new service from an external provider. The external provider supports only requests that come from public IPv4 addresses that are in an allow list.
The company must provide a single public IP address to the external provider before the application can start using the new service.
Which solution will give the application the ability to access the new service?
A. Deploy a NAT gateway. Associate an Elastic IP address with the NAT gateway. Configure the VPC to use the NAT gateway.
B. Deploy an egress-only internet gateway. Associate an Elastic IP address with the egress-only internet gateway. Configure the elastic network interface on the Lambda function to use the egress-only internet gateway.
C. Deploy an internet gateway. Associate an Elastic IP address with the internet gateway. Configure the Lambda function to use the internet gateway.
D. Deploy an internet gateway. Associate an Elastic IP address with the internet gateway. Configure the default route in the public VPC route table to use the internet gateway.
答案:A
Answer analysis: a Lambda function attached to a VPC has no public IP of its own; its ENIs only get private addresses, so an Internet gateway alone (C, D) gives it no path out, and an Elastic IP cannot be attached to an Internet gateway anyway. An egress-only Internet gateway (B) is IPv6-only and also cannot carry an Elastic IP. Routing the function's subnets through a NAT gateway that has an Elastic IP gives the provider the single public IPv4 address it needs to allow-list. Hence A.

2.2 Amazon Route 53

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. You can use Route 53 to perform three main functions in any combination: domain registration, DNS routing and health checking.

2.2.1 Basic concepts

  • A: maps a hostname to an IPv4 address
  • AAAA: maps a hostname to an IPv6 address
  • CNAME: maps a hostname to another hostname (standard DNS; cannot be used at the zone apex such as example.com)
  • Alias: a Route 53 extension that maps a hostname to an AWS resource (ALB, NLB, CloudFront, API Gateway, S3 website endpoint, or another record in the same zone); it works at the zone apex, and alias queries to AWS resources are free
  • TTL: the answer a client receives from Route 53 carries an expiry; after it the client must query again, which keeps clients from hammering Route 53. The flip side is that a failover is only seen after cached answers expire, so keep TTLs short on records you expect to fail over
  • Weighted routing for traffic shifting (for example blue/green or canary deployments)
  • A global service that can route across Regions (note: when the exam asks about cross-Region failover, the answer is usually Route 53)
  • Failover routing backed by health checks (note: when the exam asks about cross-Region failover, the answer is usually Route 53)

例题:A company has an asynchronous HTTP application that is hosted as an AWS Lambda function. A public Amazon API Gateway endpoint invokes the Lambda function. The Lambda function and the API Gateway endpoint reside in the us-east-1 Region. A solutions architect needs to redesign the application to support failover to another AWS Region.
Which solution will meet these requirements?
A. Create an API Gateway endpoint in the us-west-2 Region to direct traffic to the Lambda function in us-east-1. Configure Amazon Route 53 to use a failover routing policy to route traffic for the two API Gateway endpoints.
B. Create an Amazon Simple Queue Service (Amazon SQS) queue. Configure API Gateway to direct traffic to the SQS queue instead of to the Lambda function. Configure the Lambda function to pull messages from the queue for processing.
C. Deploy the Lambda function to the us-west-2 Region. Create an API Gateway endpoint in us-west-2 to direct traffic to the Lambda function in us-west-2. Configure AWS Global Accelerator and an Application Load Balancer to manage traffic across the two API Gateway endpoints.
D. Deploy the Lambda function and an API Gateway endpoint to the us-west-2 Region. Configure Amazon Route 53 to use a failover routing policy to route traffic for the two API Gateway endpoints.
答案:D
Answer analysis: deploy both the Lambda function and an API Gateway endpoint in us-west-2 and use a Route 53 failover routing policy (with health checks) across the two endpoints. Option A still routes to the Lambda function in us-east-1, so a failure there takes both endpoints down; B adds a queue but no second Region; C puts an ALB and Global Accelerator in front of API Gateway, which neither can target directly. Hence D.

  • Supports DNSSEC (signing of public hosted zones, and DNSSEC validation in Route 53 Resolver)

2.2.2 Typical architectures

  • Route 53 for multi-Region load distribution (latency- or geolocation-based routing; architecture diagram)
  • Route 53 automatic failover (failover routing policy plus health checks; architecture diagram)
  • Hybrid DNS (note: this architecture has appeared in the exam)
    Hybrid DNS is the solution for the advanced DNS case where names must be resolved between an on-premises data center and EC2 instances in an Amazon VPC, i.e. how to configure Route 53 so that AWS resources and on-premises systems can reach each other by DNS name. The moving part is Route 53 Resolver, the VPC-provided DNS server (the .2 address of the VPC CIDR), plus two kinds of endpoints:
    1) Inbound endpoint: DNS resolvers on your network forward queries to Route 53 Resolver through this endpoint. In plain terms, the on-premises DNS servers conditionally forward your AWS zone (for example cloud.example.com) to the inbound endpoint's IP addresses, and Resolver answers from the private hosted zones associated with the VPC (on-premises wants to resolve AWS-internal names: you need an inbound endpoint)
    2) Outbound endpoint: Resolver conditionally forwards queries to resolvers on your network through this endpoint, according to Resolver rules. A forwarding rule names the on-premises domain and the on-premises DNS server IPs; you associate the rule with each VPC that needs it, and rules can be shared across accounts with AWS RAM (AWS resources want to resolve on-premises names: you need an outbound endpoint plus a forwarding rule)
    The endpoints are ordinary ENIs in your VPC, so their security groups must allow DNS (TCP and UDP port 53) from the peer resolvers, and the queries travel over the Direct Connect or VPN connection (architecture diagram)

例题:A company needs to architect a hybrid DNS solution. This solution will use an Amazon Route 53 private hosted zone for the domain cloud.example.com for the resources stored within VPCs. The company has the following DNS resolution requirements:
– On-premises systems should be able to resolve and connect to cloud.example.com.
– All VPCs should be able to resolve cloud.example.com.
There is already an AWS Direct Connect connection between the on-premises corporate network and AWS Transit Gateway.
Which architecture should the company use to meet these requirements with the HIGHEST performance?
A. Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.
B. Associate the private hosted zone to all the VPCs. Deploy an Amazon EC2 conditional forwarder in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the conditional forwarder.
C. Associate the private hosted zone to the shared services VPC. Create a Route 53 outbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the outbound resolver.
D. Associate the private hosted zone to the shared services VPC. Create a Route 53 inbound resolver in the shared services VPC. Attach the shared services VPC to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.
答案:A
Answer analysis: on-premises systems must resolve cloud.example.com, which lives in a Route 53 private hosted zone, so the on-premises DNS servers need to forward that domain to a Route 53 inbound endpoint; that narrows it to A and D (an outbound resolver, C, is the wrong direction, and an EC2 conditional forwarder, B, is slower and a self-managed single point of failure). All VPCs must also resolve the zone, and the most reliable and best-performing pattern is to associate the private hosted zone with every VPC (sharing it across accounts if necessary) so that each VPC's own .2 resolver answers directly instead of relaying through the shared services VPC. Reference: https://aws.amazon.com/cn/blogs/networking-and-content-delivery/centralized-dns-management-of-hybrid-cloud-with-amazon-route-53-and-aws-transit-gateway/. Hence A.

例题:A company has an organization in AWS Organizations that includes multiple AWS accounts. Each account has a single VPC. In an account named Shared Services, there is a transit gateway that is connected to a Direct Connect gateway that provides access to the company’s on-premises network. The company configured AWS Resource Access Manager (AWS RAM) to share the transit gateway to all the accounts that are in the organization. The company has attached all the VPCs to the transit gateway to facilitate routing between each other.
The company uses a DNS server for on-premises servers. There are a pair of DNS servers on premises and in the Shared Services account VPC. The company discovers that Amazon EC2 instances that the company starts within the VPCs are not able to resolve addresses in the private on-premises domain. Which solution will allow EC2 instances in all VPCs to resolve on-premises addresses?
A. Define an Amazon Route 53 Resolver outbound endpoint for the on-premises domain in the Shared Services account VPC. Configure the outbound endpoint to use the IP addresses of the DNS servers for the on-premises domain.Configure a forwarder on the DNS servers to point to the internal DNS resolver of the VPC
B. Create an Amazon Route 53 private hosted zone for the on-premises domain in the Shared Services account VPC. Configure AWS Resource Access Manager (AWS RAM) to share the hosted zone to all accounts in the organization. Associate the Route 53 private hosted zone with each VPC
C. Define an Amazon Route 53 Resolver outbound endpoint for the on-premises domain in the Shared Services account VPC. Configure the outbound endpoint to use the IP addresses of the DNS servers for the on-premises domain. Configure AWS Resource Access Manager (AWS RAM) to share the Route 53 Resolver rule to all accounts in the organization. Associate the Route 53 Resolver rule with each VPC.
D. Define an Amazon Route 53 Resolver inbound endpoint for the on-premises domain in the Shared Services account VPC. Configure the inbound endpoint to use the lP addresses of the DNS servers for the on-premises domain. Configure AWS Resource Access Manager (AWS RAM) to share the Route 53 Resolver rule to all accounts in the organization. Associate the Route 53 Resolver rule with each VPC
答案:C
Answer analysis: the VPCs need to resolve on-premises names, so queries must leave AWS: create a Route 53 Resolver outbound endpoint in the Shared Services VPC, a forwarding rule for the on-premises domain that targets the on-premises DNS servers, share the rule with AWS RAM and associate it with every VPC, because a rule only takes effect in the VPCs it is associated with. Option A creates the endpoint but never shares or associates the rule, so only the Shared Services VPC benefits; B creates a private hosted zone for a domain AWS does not host; D uses an inbound endpoint, which is the wrong direction. Hence C.

例题:A company plans to deploy a new private intranet service on Amazon EC2 instances inside a VPC. An AWS Site-to-Site VPN connects the VPC to the company’s on-premises network. The new service must communicate with existing on-premises services. The on-premises services are accessible through the use of hostnames that reside in the company.example DNS zone. This DNS zone is wholly hosted on premises and is available only on the company’s private network.
A solutions architect must ensure that the new service can resolve hostnames on the company.example domain to integrate with existing services.
Which solution meets these requirements?
A. Create an empty private zone in Amazon Route 53 for company example. Add an additional NS record to the company’s on-premises company.example zone that points to the authoritative name servers for the new private zone in Route 53.
B. Turn on DNS hostnames for the VPC. Configure a new outbound endpoint with Amazon Route 53 Resolver. Create a Resolver rule to forward requests for company.example to the on-premises name servers.
C. Turn on DNS hostnames for the VPC. Configure a new inbound resolver endpoint with Amazon Route 53 Resolver. Configure the on-premises DNS server to forward requests for company.example to the new resolver.
D. Use AWS Systems Manager to configure a run document that will install a hosts file that contains any required hostnames. Use an Amazon EventBridge (Amazon CloudWatch Events) rule to run the document when an instance is entering the running state.
答案:B
Answer analysis: the new service in AWS must resolve names in company.example, a zone hosted only on premises, so queries must be forwarded out of the VPC: an outbound endpoint plus a Resolver rule for company.example pointing at the on-premises name servers, hence B. Option A cannot work because an NS delegation would require the Route 53 zone to actually hold the records; C is the inbound direction; D (hosts files pushed by Systems Manager) is brittle and never reflects changes made on premises.
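A small model of how Route 53 Resolver chooses between the VPC resolver and a forwarding rule, added here as an example and not taken from the tutorial or from AWS. It reproduces the documented selection behaviour behind the hybrid DNS architecture above and the three questions that follow it: the rule whose domain is the longest suffix of the query name wins, FORWARD rules leave through the outbound endpoint, SYSTEM rules override a broader FORWARD rule for a subdomain that Route 53 itself hosts, and the auto-defined "." rule is the fallback. The rule names, domains and 10.10.x.53 target addresses are constructed sample data.

```python
"""Model of Route 53 Resolver rule selection (added example, not AWS code).

Rule types mirror the console: FORWARD (send to on-premises DNS through an
outbound endpoint), SYSTEM (force the VPC resolver for a subdomain, overriding
a broader FORWARD rule) and RECURSIVE (the auto-defined "Internet Resolver"
rule for "." that every VPC starts with). All names and addresses are
constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class ResolverRule:
    name: str
    domain: str                    # "." matches everything
    rule_type: str                 # "FORWARD", "SYSTEM" or "RECURSIVE"
    targets: Tuple[str, ...] = ()  # on-premises DNS IPs for FORWARD rules


def _labels(name: str) -> List[str]:
    """'App.Company.Example.' -> ['app', 'company', 'example']; '.' -> []."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def _matches(rule_domain: str, qname: str) -> bool:
    """True if qname equals the rule domain or is a name beneath it."""
    rd, qn = _labels(rule_domain), _labels(qname)
    if not rd:
        return True  # the "." rule matches every name
    return len(qn) >= len(rd) and qn[-len(rd):] == rd


def select_rule(rules: Sequence[ResolverRule], qname: str) -> ResolverRule:
    """Most specific matching rule (longest domain suffix) wins, as in Resolver."""
    candidates = [r for r in rules if _matches(r.domain, qname)]
    if not candidates:
        raise LookupError(f"no rule matches {qname}; the '.' rule should always exist")
    return max(candidates, key=lambda r: len(_labels(r.domain)))


def route_query(rules: Sequence[ResolverRule], qname: str) -> str:
    """Describe where a query from an EC2 instance in the VPC ends up."""
    rule = select_rule(rules, qname)
    if rule.rule_type == "FORWARD":
        return f"outbound endpoint -> {', '.join(rule.targets)} (rule {rule.name})"
    # SYSTEM and RECURSIVE both stay on the VPC resolver (.2): private hosted
    # zones associated with the VPC are consulted first, then public DNS.
    return f"VPC resolver .2 (rule {rule.name})"


# Constructed rule set for a Shared Services VPC. FORWARD rules are shared with
# AWS RAM and associated with every VPC that needs on-premises resolution.
RULES = (
    ResolverRule("Internet Resolver", ".", "RECURSIVE"),
    ResolverRule("onprem-company-example", "company.example", "FORWARD",
                 ("10.10.0.53", "10.10.1.53")),
    # cloud.company.example is a Route 53 private hosted zone, so carve it out
    # of the on-premises forward with a SYSTEM rule.
    ResolverRule("cloud-subdomain-system", "cloud.company.example", "SYSTEM"),
)

if __name__ == "__main__":
    for name in ("app.company.example", "db.cloud.company.example",
                 "api.cloud.example.com", "COMPANY.EXAMPLE."):
        print(f"{name:28} -> {route_query(RULES, name)}")
```

The point to take from the model is that direction is decided per query name, not per VPC: a VPC can have an inbound endpoint answering on-premises resolvers and, at the same time, forward the on-premises zone out through an outbound endpoint, as long as each rule is associated with the VPC that issues the query.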

2.3 Amazon API Gateway

Amazon API Gateway is an AWS service for creating, publishing, maintaining, monitoring and securing REST, HTTP and WebSocket APIs at any scale. API developers can create APIs that access AWS or other web services as well as data stored in the AWS Cloud. As an API Gateway developer you can build APIs for use in your own client applications, or make them available to third-party application developers.

2.3.1 Basic features

  • Supports REST, HTTP and WebSocket APIs
  • Supports CORS
  • Limits: 29-second integration timeout; 10 MB maximum payload for REST and HTTP APIs (WebSocket messages are limited to 128 KB, frames to 32 KB)
  • Stage variables combined with Lambda aliases allow version switching, canary releases and rollbacks at deployment time
  • Supports response caching
  • Integrates with CloudWatch for logging, monitoring and metrics
  • Integrates with X-Ray for call-chain tracing
  • Common error codes: 403 (denied by IAM, a resource policy, WAF, or a missing/invalid API key), 429 (throttled), 502 (malformed integration response), 504 (integration timeout)

例题:A company is storing data in several Amazon DynamoDB tables. A solutions architect must use a serverless architecture to make the data accessible publicly through a simple API over HTTPS. The solution must scale automatically in response to demand.
Which solutions meet these requirements? (Choose two.)
A. Create an Amazon API Gateway REST API. Configure this API with direct integrations to DynamoDB by using API Gateway’s AWS integration type.
B. Create an Amazon API Gateway HTTP API. Configure this API with direct integrations to Dynamo DB by using API Gateway’s AWS integration type.
C. Create an Amazon API Gateway HTTP API. Configure this API with integrations to AWS Lambda functions that return data from the DynamoDB tables.
D. Create an accelerator in AWS Global Accelerator. Configure this accelerator with AWS Lambda@Edge function integrations that return data from the DynamoDB tables.
E. Create a Network Load Balancer. Configure listener rules to forward requests to the appropriate AWS Lambda functions.
答案:AC
Answer analysis: a REST API can integrate directly with DynamoDB through the AWS service integration type, with mapping templates translating the request and response (reference: https://aws.amazon.com/cn/blogs/compute/using-amazon-api-gateway-as-a-proxy-for-dynamodb/). An HTTP API has first-class integrations only for a few services (SQS, EventBridge, Step Functions, Kinesis Data Streams, AppConfig), not DynamoDB, so it needs a Lambda function in between (reference: https://docs.aws.amazon.com/apigateway/latest/developerguide/http-api-dynamo-db.html). D is wrong because Global Accelerator has no Lambda@Edge integration, and E because NLB listener rules cannot forward to Lambda functions (only an ALB can target Lambda). Hence A and C.

例题:A company is building a software-as-a-service (SaaS) solution on AWS. The company has deployed an Amazon API Gateway REST API with AWS Lambda integration in multiple AWS Regions and in the same production account.
The company offers tiered pricing that gives customers the ability to pay for the capacity to make a certain number of API calls per second. The premium tier offers up to 3,000 calls per second, and customers are identified by a unique API key. Several premium tier customers in various Regions report that they receive error responses of 429 Too Many Requests from multiple API methods during peak usage hours. Logs indicate that the Lambda function is never invoked.
What could be the cause of the error messages for these customers?
A. The Lambda function reached its concurrency limit.
B. The Lambda function reached its Region limit for concurrency.
C. The company reached its API Gateway account limit for calls per second.
D. The company reached its API Gateway default per-method limit for calls per second.
答案:C
Answer analysis: keyword: 429 Too Many Requests, and the Lambda function is never invoked, so the rejection happens inside API Gateway, which rules out the Lambda concurrency options A and B. The errors hit multiple methods and several premium customers at once, so a default per-method limit (D) would not explain it; several premium customers each entitled to 3,000 calls per second together exceed the account-level throttle (by default 10,000 requests per second with a burst of 5,000 per Region). Hence C.

2.3.2 Endpoint types

An API endpoint type refers to the hostname of the API. The endpoint type can be edge-optimized, Regional or private, depending on where most of your API traffic originates. There are three types:

  • Edge-optimized: requests are routed through the nearest CloudFront point of presence, best for geographically distributed clients (REST APIs only)
  • Regional: for clients in the same Region, or when you put your own CloudFront distribution in front; also the only type to which AWS WAF can be attached directly (HTTP APIs are always Regional)
  • Private: reachable only through an interface VPC endpoint (execute-api); a resource policy on the API is required to allow the endpoint or VPC

例题:A company has developed APIs that use Amazon API Gateway with Regional endpoints. The APIs call AWS Lambda functions that use API Gateway authentication mechanisms. After a design review, a solutions architect identifies a set of APIs that do not require public access.
The solutions architect must design a solution to make the set of APIs accessible only from a VPC. All APIs need to be called with an authenticated user
Which solution will meet these requirements with the LEAST amount of effort?
A. Create an internal Application Load Balancer (ALB). Create a target group. Select the Lambda function to call. Use the ALB DNS name to call the API from the VPC.
B. Remove the DNS entry that is associated with the API in API Gateway. Create a hosted zone in Amazon Route 53. Create a CNAME record in the hosted zone. Update the API in API Gateway with the CNAME record. Use the CNAME record to call the API from the VPC.
C. Update the API endpoint from Regional to private in API Gateway. Create an interface VPC endpoint in the VPC. Create a resource policy, and attach it to the API. Use the VPC endpoint to call the API from the VPC.
D. Deploy the Lambda functions inside the VPC Provision an EC2 instance, and install an Apache server. From the Apache server, call the Lambda functions. Use the internal CNAME record of the EC2 instance to call the API from the VPC.
答案:C
Answer analysis: the APIs must be reachable only from the VPC while keeping the existing API Gateway authentication, which is exactly what the private endpoint type provides: the API is served through an interface VPC endpoint and a resource policy restricts callers to that endpoint. Options A and D bypass API Gateway (and its authorizers) by calling Lambda through an ALB or an EC2 proxy, and B merely renames the public endpoint. Hence C.

例题:A company runs a processing engine in the AWS Cloud. The engine processes environmental data from logistics centers to calculate a sustainability index. The company has millions of devices in logistics centers that are spread across Europe. The devices send information to the processing engine through a RESTful API.
The API experiences unpredictable bursts of traffic. The company must implement a solution to process all data that the devices send to the processing engine. Data loss is unacceptable.
Which solution will meet these requirements?
A. Create an Application Load Balancer (ALB) for the RESTful API. Create an Amazon Simple Queue Service (Amazon SQS) queue. Create a listener and a target group for the ALB Add the SQS queue as the target. Use a container that runs in Amazon Elastic Container Service (Amazon ECS) with the Fargate launch type to process messages in the queue.
B. Create an Amazon API Gateway HTTP API that implements the RESTful API. Create an Amazon Simple Queue Service (Amazon SQS) queue. Create an API Gateway service integration with the SQS queue. Create an AWS Lambda function to process messages in the SQS queue.
C. Create an Amazon API Gateway REST API that implements the RESTful API. Create a fleet of Amazon EC2 instances in an Auto Scaling group. Create an API Gateway Auto Scaling group proxy integration. Use the EC2 instances to process incoming data.
D. Create an Amazon CloudFront distribution for the RESTful API. Create a data stream in Amazon Kinesis Data Streams. Set the data stream as the origin for the distribution. Create an AWS Lambda function to consume and process data in the data stream.
答案:B
Answer analysis: a RESTful API must absorb unpredictable bursts without losing any data. Option A fails because an ALB target group cannot forward to an SQS queue. Option C: there is no "Auto Scaling group proxy integration", and EC2 scaling lags behind a burst, so requests are dropped while capacity catches up. Option D: CloudFront cannot use a Kinesis data stream as an origin. Option B: an API Gateway HTTP API with a direct SQS service integration durably queues every request as it arrives, and a Lambda consumer works through the queue at its own pace. Hence B.

2.3.3 Security

  • Custom domain names with TLS certificates from ACM, optionally with mutual TLS for client certificates
  • Supports resource policies (restrict by source IP, VPC endpoint or calling account)
  • Supports AWS WAF (Regional endpoints)
  • Supports IAM authorization (SigV4-signed requests), Lambda authorizers and API keys with usage plans
  • Supports CORS
  • Integrates with Cognito user pools as an authorizer (architecture diagram)

例题:A company is creating a REST API to share information with six of its partners based in the United States. The company has created an Amazon API Gateway Regional endpoint. Each of the six partners will access the API once per day to post daily sales figures.
After initial deployment, the company observes 1,000 requests per second originating from 500 different IP addresses around the world. The company believes this traffic is originating from a botnet and wants to secure its API while minimizing cost.
Which approach should the company take to secure its API?
A. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Configure CloudFront with an origin access identity (OAI) and associate it with the distribution. Configure API Gateway to ensure only the OAI can run the POST method.
B. Create an Amazon CloudFront distribution with the API as the origin. Create an AWS WAF web ACL with a rule to block clients that submit more than five requests per day. Associate the web ACL with the CloudFront distribution. Add a custom header to the CloudFront distribution populated with an API key. Configure the API to require an API key on the POST method.
C. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a resource policy with a request limit and associate it with the API. Configure the API to require an API key on the POST method.
D. Create an AWS WAF web ACL with a rule to allow access to the IP addresses used by the six partners. Associate the web ACL with the API. Create a usage plan with a request limit and associate it with the API. Create an API key and add it to the usage plan.
答案:D
Answer analysis: the API must be protected against a botnet at minimal cost. AWS WAF can be attached directly to a Regional API Gateway stage, so putting CloudFront in front (A, B) adds cost without adding protection; API Gateway also has no way to restrict a method to a CloudFront OAI, which is an S3 concept. A resource policy (C) can allow-list source IPs but cannot express request limits. Option D: a WAF web ACL with an IP-set rule admits only the six partners' addresses, a usage plan throttles and caps what each API key may do, and the API keys identify the partners. Hence D.

2.3.4 Advanced features

  • Throttling through usage plans. Amazon API Gateway has four basic kinds of throttling-related settings:
    1) AWS throttling limits apply to all accounts and clients in a Region. They exist to keep your APIs and your account from being overwhelmed by too many requests; they are set by AWS and cannot be changed by customers.

例题:A software company has deployed an application that consumes a REST API by using Amazon API Gateway, AWS Lambda functions, and an Amazon
DynamoDB table. The application is showing an increase in the number of errors during PUT requests. Most of the PUT calls come from a small number of clients that are authenticated with specific API keys.
A solutions architect has identified that a large number of the PUT requests originate from one client. The API is noncritical, and clients can tolerate retries of unsuccessful calls. However, the errors are displayed to customers and are causing damage to the API’s reputation.
What should the solutions architect recommend to improve the customer experience?
A. Implement retry logic with exponential backoff and irregular variation in the client application. Ensure that the errors are caught and handled with descriptive error messages.
B. Implement API throttling through a usage plan at the API Gateway level. Ensure that the client application handles code 429 replies without error.
C. Turn on API caching to enhance responsiveness for the production stage. Run 10-minute load tests. Verify that the cache capacity is appropriate for the workload.
D. Implement reserved concurrency at the Lambda function level to provide the resources that are needed during sudden increases in traffic.
答案:B
Answer analysis: keywords: a large number of PUT requests from one client, the API is non-critical and clients can tolerate retries. Throttling that client with a usage plan at the API Gateway level returns 429 instead of letting its burst exhaust the DynamoDB table or Lambda and fail everyone's requests; the client must then treat 429 as a retry signal rather than an error. Client-side backoff (A) helps but depends on every client cooperating, caching (C) does nothing for writes, and reserved concurrency (D) caps rather than adds capacity. Hence B.

    2) Per-account limits apply to all APIs in an account in a given Region. You can ask AWS Support to raise them (they are easier to raise for APIs with shorter timeouts and smaller payloads), but they can never exceed the AWS throttling limits.
    3) Per-API, per-stage limits apply at the method level of a stage. You can configure the same settings for all methods or different settings per method; they cannot exceed the account limits.
    4) Per-client limits apply to clients identified by an API key associated with a usage plan. They cannot exceed the per-account limits.
    All four are token-bucket limits: a steady-state rate (requests per second) plus a burst (bucket size); exceeding either returns 429 Too Many Requests before any integration is invoked.
  • API keys (they identify the caller for usage plans; on their own they are not an authentication mechanism)
  • Private APIs (architecture diagram)
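A token-bucket model of the throttling levels listed above, added as an example and not taken from the tutorial or from API Gateway's implementation. It shows why the premium-tier customers in the 429 question are rejected without Lambda ever running: each level is a bucket with a steady-state rate and a burst, limits are evaluated from the most specific (the caller's usage plan) to the least specific (the account), and the first empty bucket answers 429. The default account figures (10,000 requests per second, burst 5,000) are the documented Regional defaults; the customer names, tier sizes and burst scenario are constructed.

```python
"""Token-bucket model of API Gateway throttling levels (added example).

Illustrative code, not API Gateway's implementation. Every level is a token
bucket with a steady-state rate (tokens per second) and a burst (bucket
capacity); limits are checked from the most specific (usage plan / API key)
to the least specific (account), and a request that finds an empty bucket
gets 429 without the integration ever running. Scenario data is constructed.
"""
from typing import Dict, Tuple


class TokenBucket:
    def __init__(self, rate: float, burst: int) -> None:
        self.rate = float(rate)     # tokens added per second
        self.burst = int(burst)     # bucket capacity
        self.tokens = float(burst)  # buckets start full
        self.last = 0.0

    def try_consume(self, now: float) -> bool:
        """Refill for the elapsed time, then take one token if one is available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ApiGatewayStage:
    """One API stage in one account, fronting a Lambda integration."""

    def __init__(self, account_rate: int = 10_000, account_burst: int = 5_000) -> None:
        self.account = TokenBucket(account_rate, account_burst)
        self.plans: Dict[str, TokenBucket] = {}  # api_key -> per-client bucket
        self.lambda_invocations = 0              # what the integration actually saw

    def add_usage_plan(self, api_key: str, rate: int, burst: int) -> None:
        """Per-client limits cannot exceed the account limit (the console rejects it)."""
        if rate > self.account.rate or burst > self.account.burst:
            raise ValueError("per-client limit cannot exceed the account limit")
        self.plans[api_key] = TokenBucket(rate, burst)

    def handle(self, api_key: str, now: float) -> Tuple[int, str]:
        plan = self.plans.get(api_key)
        if plan is None:
            return 403, "Forbidden (unknown API key)"
        # Most specific first: the caller's own usage plan, then the account.
        for level, bucket in (("usage plan", plan), ("account", self.account)):
            if not bucket.try_consume(now):
                return 429, f"Too Many Requests ({level} throttle)"
        self.lambda_invocations += 1
        return 200, "OK"


def simulate(gateway: ApiGatewayStage, bursts: Dict[str, int], now: float = 0.0) -> Dict[str, int]:
    """Send bursts[key] simultaneous requests per API key; count responses by reason."""
    counts: Dict[str, int] = {}
    for api_key, n in bursts.items():
        for _ in range(n):
            _, reason = gateway.handle(api_key, now)
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Four premium-tier customers (3,000 rps each) burst 2,000 requests at once.
    # Each stays inside its own plan, yet 8,000 > the 5,000 account burst, so
    # the last 3,000 get 429 and Lambda is never invoked for them.
    gw = ApiGatewayStage()
    for key in ("premium-1", "premium-2", "premium-3", "premium-4"):
        gw.add_usage_plan(key, rate=3_000, burst=3_000)
    print(simulate(gw, {k: 2_000 for k in gw.plans}), gw.lambda_invocations)
```

The practical consequence is that a usage plan only bounds one customer; once the sum of the plans you sell exceeds the account limit, the fix is a quota increase or splitting tiers across accounts, not a larger per-key limit.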

2.3.5 Typical architectures

  • Working around the 10 MB payload limit (typically by having clients upload directly to S3 with a presigned URL and passing only the object key through the API; architecture diagram)
  • WebSocket solution (architecture diagram)

2.4 Amazon CloudFront

CloudFront is covered in the networking chapter because, at the architecture level, it is tightly bound to network design.
Before going further, it helps to know what a CDN is. CDN stands for Content Delivery Network; the basic idea is to avoid the bottlenecks on the Internet that can hurt transfer speed and stability so that content arrives faster and more reliably. In short, to reduce the latency that users in different locations experience, a cache server is placed in each area and a request is served from the nearest cache, so the data is obtained faster.
CloudFront is a web service that speeds up the distribution of static and dynamic web content (.html, .css, .js, image files and so on) to users. CloudFront delivers content through a worldwide network of data centers called edge locations. When a user requests content that you serve with CloudFront, the request is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. CloudFront is the CDN on AWS.

2.4.1 Basic features

  • CloudFront delivers content through a worldwide network of edge locations (the current CloudFront IP ranges are published at https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips and as the CLOUDFRONT entries of https://ip-ranges.amazonaws.com/ip-ranges.json)

例题:A company runs an application on a fleet of Amazon EC2 instances that are in private subnets behind an internet-facing Application Load Balancer (ALB). The ALB is the origin for an Amazon CloudFront distribution. An AWS WAF web ACL that contains various AWS managed rules is associated with the CloudFront distribution.
The company needs a solution that will prevent internet traffic from directly accessing the ALB.
Which solution will meet these requirements with the LEAST operational overhead?
A. Create a new web ACL that contains the same rules that the existing web ACL contains. Associate the new web ACL with the ALB.
B. Associate the existing web ACL with the ALB.
C. Add a security group rule to the ALB to allow traffic from the AWS managed prefix list for CloudFront only.
D. Add a security group rule to the ALB to allow only the various CloudFront IP address ranges.
答案:C
Answer analysis: the ALB must accept traffic only from CloudFront. CloudFront is a global service with a large and changing set of edge IP addresses, so hand-maintaining them in security group rules (D) is fragile and quickly exceeds the rule quota. AWS publishes an AWS-managed prefix list (com.amazonaws.global.cloudfront.origin-facing) that you reference in a single security group rule and that AWS keeps up to date. Options A and B only filter request content with WAF; they do not stop direct access to the ALB at all. Hence C. Reference: https://docs.amazonaws.cn/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html, section "Use the CloudFront managed prefix list". Caveat for real deployments: the prefix list stops direct Internet access but still admits any CloudFront distribution, including other customers'; for a stronger guarantee add a secret custom origin header on the distribution and reject requests without it at the ALB (listener rule) or in WAF.
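To make concrete what the managed prefix list replaces, here is an added example (not code from the tutorial or from AWS) that does the job by hand from an ip-ranges.json document: select the CLOUDFRONT entries, decide whether a source address belongs to them, build the EC2 IpPermissions structure a security group rule would need, and check the result against the default inbound-rule quota. The JSON is a constructed excerpt in the real file's shape; the real file has hundreds of CloudFront entries, which is exactly why the managed prefix list (which counts as 55 rules against the quota) is the better answer.

```python
"""Locking an ALB origin to CloudFront source ranges by hand (added example).

Not code from the tutorial or from AWS. It reproduces what the managed prefix
list does for you: take the CLOUDFRONT entries from an ip-ranges.json document,
check whether a source address belongs to them, and build the EC2 IpPermissions
structure a security-group rule needs. The JSON below is a constructed excerpt
in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed sample document (documentation/test ranges, not real AWS prefixes).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2023-10-24-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1",
         "service": "CLOUDFRONT", "network_border_group": "eu-west-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "eu-west-1",
         "service": "AMAZON", "network_border_group": "eu-west-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1",
         "service": "EC2", "network_border_group": "us-east-1"},
    ],
})

# Default quota for inbound rules per security group; the CloudFront managed
# prefix list counts as 55 rules against it.
SG_INBOUND_RULE_QUOTA = 60
CLOUDFRONT_SERVICES = {"CLOUDFRONT", "CLOUDFRONT_ORIGIN_FACING"}


def cloudfront_prefixes(ip_ranges_json: str) -> List[ipaddress.IPv4Network]:
    """Unique IPv4 CloudFront prefixes, collapsed so overlaps don't inflate the rule count."""
    doc = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] in CLOUDFRONT_SERVICES}
    return sorted(ipaddress.collapse_addresses(nets))


def is_cloudfront_source(source_ip: str, prefixes: List[ipaddress.IPv4Network]) -> bool:
    """What a security group rule referencing these prefixes would decide for a packet."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in prefixes)


def security_group_ingress(prefixes: List[ipaddress.IPv4Network], port: int = 443) -> List[Dict]:
    """IpPermissions in the shape ec2:AuthorizeSecurityGroupIngress expects."""
    return [{
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": str(net), "Description": "CloudFront edge"} for net in prefixes],
    }]


def fits_in_one_security_group(prefixes: List[ipaddress.IPv4Network],
                               quota: int = SG_INBOUND_RULE_QUOTA) -> bool:
    """Each CIDR is one rule; the real CloudFront list does not fit, hence the prefix list."""
    return len(prefixes) <= quota


if __name__ == "__main__":
    nets = cloudfront_prefixes(SAMPLE_IP_RANGES)
    print([str(n) for n in nets],
          is_cloudfront_source("203.0.113.77", nets),
          is_cloudfront_source("192.0.2.5", nets))
```

Run against the real ip-ranges.json, fits_in_one_security_group returns False, and the list changes whenever AWS adds edge capacity; the managed prefix list removes both problems, which is what the answer above relies on.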

  • Comes with DDoS protection (AWS Shield Standard by default, Shield Advanced optionally) and integrates with AWS WAF
  • Supports HTTP and HTTPS, and can enforce HTTPS both between viewer and edge and between edge and origin
  • Common origins: S3 buckets and custom origins (EC2, ALB, API Gateway, any HTTP server); traffic between edge locations and the origin rides the AWS global network rather than the public Internet
  • For high availability use an origin group with a primary and a secondary origin (note: CloudFront origin failover can serve as a multi-Region failover mechanism)

例题:A company is running a web application in the AWS Cloud. The application consists of dynamic content that is created on a set of Amazon EC2 instances. The EC2 instances run in an Auto Scaling group that is configured as a target group for an Application Load Balancer (ALB).
The company is using an Amazon CloudFront distribution to distribute the application globally. The CloudFront distribution uses the ALB as an origin. The company uses Amazon Route 53 for DNS and has created an A record of www.example.com for the CloudFront distribution.
A solutions architect must configure the application so that it is highly available and fault tolerant.
Which solution meets these requirements?
A. Provision a full, secondary application deployment in a different AWS Region. Update the Route 53 A record to be a failover record. Add both of the CloudFront distributions as values. Create Route 53 health checks.
B. Provision an ALB, an Auto Scaling group, and EC2 instances in a different AWS Region. Update the CloudFront distribution, and create a second origin for the new ALB. Create an origin group for the two origins. Configure one origin as primary and one origin as secondary.
C. Provision an Auto Scaling group and EC2 instances in a different AWS Region. Create a second target for the new Auto Scaling group in the ALB. Set up the failover routing algorithm on the ALB.
D. Provision a full, secondary application deployment in a different AWS Region. Create a second CloudFront distribution, and add the new application setup as an origin. Create an AWS Global Accelerator accelerator. Add both of the CloudFront distributions as endpoints.
答案:B
Answer analysis: CloudFront origin failover exists for exactly this case: create an origin group with a primary and a secondary origin; when the primary is unreachable or returns one of the configured failure status codes, CloudFront automatically retries the request against the secondary, and the single distribution and DNS record stay as they are. Option A needs two distributions plus Route 53 failover on the same hostname, C cannot work because an ALB cannot target another Region and has no "failover routing algorithm", and D is wrong because Global Accelerator does not accept CloudFront distributions as endpoints. Hence B.

  • CloudFront (global edge locations, TTL-based cache, ideal for static content) versus S3 Cross-Region Replication (a full copy in every chosen Region, near real time, replicas are read-only, better for frequently changing data that must be read locally in each Region)
  • Geo restriction: allow list or block list by country (for example licensing or copyright constraints)
  • Signed URLs and signed cookies: private or paid content (control validity period, optional source IP range); a signed URL covers one object, while signed cookies grant access to many objects at once. Signing needs a trusted key group (public key registered in CloudFront, private key kept by your application)

2.4.2 CloudFront caching

  • The cache key can include headers, cookies and query string parameters, but every extra component multiplies the number of cache entries and drives the hit ratio down. Include only what the origin actually varies on (for example the Host and Authorization headers) in the cache policy, and use an origin request policy to forward anything else the origin needs without making it part of the key
  • Static/dynamic split architecture: static assets served from S3, dynamic paths from an ALB, under one distribution with path-based behaviors (architecture diagram)
  • CloudFront caching versus API Gateway caching: CloudFront gives more control (per-behavior TTLs, cache policies, invalidations). Edge compute with CloudFront Functions and Lambda@Edge is covered below

例题:A company has a complex web application that leverages Amazon CloudFront for global scalability and performance. Over time, users report that the web application is slowing down.
The company’s operations team reports that the CloudFront cache hit ratio has been dropping steadily. The cache metrics report indicates that query strings on some URLs are inconsistently ordered and are specified sometimes in mixed-case letters and sometimes in lowercase letters.
Which set of actions should the solutions architect take to increase the cache hit ratio as quickly possible?
A. Deploy a Lambda@Edge function to sort parameters by name and force them to be lowercase. Select the CloudFront viewer request trigger to invoke the function.
B. Update the CloudFront distribution to disable caching based on query string parameters.
C. Deploy a reverse proxy after the load balancer to post process the emitted URLs in the application to force the URL strings to be lowercase.
D. Update the CloudFront distribution to specify case-insensitive query string processing.
答案:A
Answer analysis: the cache hit ratio is falling because the same logical URL arrives with query parameters in different orders and different letter cases, so CloudFront treats each variant as a distinct cache key. The quickest fix is to normalize at the edge: a viewer-request function that sorts parameters by name and lowercases them, so every variant maps to one cache key before the lookup. Disabling query string caching (B) would break pages whose content depends on the parameters, a reverse proxy (C) is slow to deploy and only fixes URLs the application itself emits, and CloudFront has no case-insensitive query string option (D). Hence A.
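The viewer-request handler from the answer above, written out as an added example (not code from the tutorial or from AWS). The event shape, Records[0].cf.request with a raw querystring field, is the documented Lambda@Edge format; everything else, including SAMPLE_EVENT, the hostname and the query parameters, is constructed.

```python
"""Lambda@Edge viewer-request handler that normalizes the query string (added example).

Not the tutorial's or AWS's code. The handler sorts parameters by name and
lowercases keys and values so that every spelling of the same logical URL
produces one cache key. SAMPLE_EVENT is a constructed viewer-request event.
"""
import copy
from typing import Any, Dict
from urllib.parse import parse_qsl, urlencode


def normalize_querystring(querystring: str) -> str:
    """'Size=Large&color=RED' -> 'color=red&size=large'.

    keep_blank_values keeps '?flag=' distinct from no parameter at all, and
    repeated keys are kept (in sorted order) so they still reach the origin.
    """
    pairs = parse_qsl(querystring, keep_blank_values=True)
    normalized = sorted((key.lower(), value.lower()) for key, value in pairs)
    return urlencode(normalized)


def handler(event: Dict[str, Any], context: Any = None) -> Dict[str, Any]:
    """Viewer-request trigger: returns the (possibly modified) request object."""
    request = event["Records"][0]["cf"]["request"]
    request["querystring"] = normalize_querystring(request.get("querystring", ""))
    return request


# Constructed viewer-request event in the Lambda@Edge format.
SAMPLE_EVENT = {
    "Records": [{
        "cf": {
            "config": {"distributionId": "EXAMPLE", "eventType": "viewer-request"},
            "request": {
                "clientIp": "203.0.113.10",
                "method": "GET",
                "uri": "/catalog/item",
                "querystring": "Size=Large&color=RED&Page=2",
                "headers": {"host": [{"key": "Host", "value": "d111111abcdef8.cloudfront.net"}]},
            },
        }
    }]
}

if __name__ == "__main__":
    print(handler(copy.deepcopy(SAMPLE_EVENT))["querystring"])  # color=red&page=2&size=large
```

Two practical notes: lowercasing values is what the question asks for, but if your origin treats some values case-sensitively (tokens, base64 identifiers), lowercase the keys only; and the normalization must match the cache policy, which still has to include the query string in the cache key for the function to have any effect. Because this is pure string handling with no network access, it could equally be a CloudFront Function in JavaScript; the question chose Lambda@Edge.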

2.4.3 CloudFront Functions vs Lambda@Edge

CloudFront lets you write your own code to customize how a distribution handles HTTP requests and responses. The code runs close to the viewer (the user) to minimize latency, and you manage no servers or other infrastructure. In short, you can hook into the request and response flow to do things such as:

  • Manipulate requests and responses (headers, cookies, URLs)
  • Filter requests
  • Authentication and authorization (for example validating tokens at the edge)
  • Search engine optimization (URL rewrites and redirects)
  • Intelligent origin selection
  • Image transformation at the edge
  • A/B testing
2.4.3.1 Implementation options

There are two ways to do this:

  • CloudFront Functions: lightweight functions written in JavaScript for large-scale, latency-sensitive CDN customizations. The runtime offers sub-millisecond startup, scales instantly to millions of requests per second, and is built, tested and deployed entirely within CloudFront. They can only be attached to viewer request and viewer response events, have no network or file system access and a very small execution budget, so they suit header and URL manipulation rather than anything that talks to another service.
  • Lambda@Edge: an extension of AWS Lambda for complex functions, bringing full application logic closer to your viewers. Functions run in Node.js or Python, can be attached to all four events (viewer request, viewer response, origin request, origin response), can make network calls (for example to S3 or DynamoDB) and can inspect the origin's response body, and therefore cost more and start more slowly. You publish the function in us-east-1 and, when you associate it with a distribution, CloudFront replicates the code worldwide.

Example question: A company's interactive web application uses an Amazon CloudFront distribution to serve images from an Amazon S3 bucket. Occasionally, third-party tools ingest corrupted images into the S3 bucket. This image corruption causes a poor user experience in the application later. The company has successfully implemented and tested Python logic to detect corrupt images.
A solutions architect must recommend a solution to integrate the detection logic with minimal latency between the ingestion and serving.
Which solution will meet these requirements?
A. Use a Lambda@Edge function that is invoked by a viewer-response event.
B. Use a Lambda@Edge function that is invoked by an origin-response event.
C. Use an S3 event notification that invokes an AWS Lambda function.
D. Use an S3 event notification that invokes an AWS Step Functions state machine.
Answer: B
Explanation: Python code has to run and minimal latency is required, so Lambda@Edge should be used, triggered by the event on the S3 side. So choose option B.

Example question: A company uses a service to collect metadata from applications that the company hosts on premises. Consumer devices such as TVs and internet radios access the applications. Many older devices do not support certain HTTP headers and exhibit errors when these headers are present in responses. The company has configured an on-premises load balancer to remove the unsupported headers from responses sent to older devices, which the company identified by the User-Agent headers.
The company wants to migrate the service to AWS, adopt serverless technologies, and retain the ability to support the older devices. The company has already migrated the applications into a set of AWS Lambda functions.
Which solution will meet these requirements?
A. Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a CloudFront function to remove the problematic headers based on the value of the User-Agent header.
B. Create an Amazon API Gateway REST API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Modify the default gateway responses to remove the problematic headers based on the value of the User-Agent header.
C. Create an Amazon API Gateway HTTP API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Create a response mapping template to remove the problematic headers based on the value of the User-Agent. Associate the response data mapping with the HTTP API.
D. Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a Lambda@Edge function that will remove the problematic headers in response to viewer requests based on the value of the User-Agent header.
Answer: A
Explanation: The question asks for HTTP header handling. Both CloudFront Functions and Lambda@Edge can do this, but Lambda@Edge suits complex, script-heavy operations, while CloudFront Functions suit lightweight operations. Manipulating HTTP headers is a lightweight operation, so choose option A.

2.4.3.2 Comparing the two options

(Comparison table of CloudFront Functions and Lambda@Edge: image not reproduced)
You probably do not need to memorize the whole table above; focus instead on the use cases:

  • CloudFront Functions are ideal for lightweight, short-running functions, for use cases such as:
    1) Cache key normalization: transform HTTP request attributes (headers, query strings, cookies, even the URL path) to build an optimal cache key, which improves your cache hit ratio.
    2) Header manipulation: insert, modify or delete HTTP headers in the request or response. For example, add a True-Client-IP header to every request.
    3) URL redirects or rewrites: redirect viewers to other pages based on information in the request, or rewrite all requests from one path to another.
    4) Request authorization: validate hashed authorization tokens such as JSON Web Tokens (JWT) by inspecting the Authorization header or other request metadata.
  • Lambda@Edge is well suited to the following scenarios:
    1) Functions that take several milliseconds or longer to complete.
    2) Functions that need adjustable CPU or memory.
    3) Functions that depend on third-party libraries (including the AWS SDK for integrating with other AWS services).
    4) Functions that need network access to process requests using external services.
    5) Functions that need file system access or access to the HTTP request body.
    Note: one restriction is that when CloudFront Functions and Lambda@Edge are combined, the viewer events (viewer request and viewer response) are not allowed.
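The header-manipulation use case listed above, and the "remove unsupported headers for older devices by User-Agent" scenario from the metadata-service question earlier in this section, as one added example (not code from the original page): a CloudFront Function for the viewer-response event. The header names and User-Agent patterns are constructed placeholders, since the page does not name the real ones; the function body is written in ES5 style to stay within what the CloudFront Functions runtime accepts.

```javascript
// Added example (not from the original page): a CloudFront Function for the
// viewer-response event that strips response headers a legacy device cannot
// handle, keyed on the User-Agent request header. Written in ES5 style
// (var, function) so the body stays within the CloudFront Functions runtime.

// Constructed placeholders: response headers the old devices choke on.
// The page does not name the real headers.
var UNSUPPORTED_HEADERS = ['alt-svc', 'x-example-unsupported-header'];

// Constructed placeholders: User-Agent fragments identifying legacy device families.
var LEGACY_UA_PATTERNS = [/LegacyTvOS\/1\./, /OldRadioPlayer\/2\./];

// CloudFront Functions present headers as request.headers[name] = { value: ... }
// with lowercase names; a missing User-Agent is treated as a modern client.
function isLegacyDevice(request) {
  var ua = request.headers['user-agent'];
  if (!ua || typeof ua.value !== 'string') return false;
  for (var i = 0; i < LEGACY_UA_PATTERNS.length; i++) {
    if (LEGACY_UA_PATTERNS[i].test(ua.value)) return true;
  }
  return false;
}

// Removes the unsupported headers in place and returns the names removed.
// Deleting the key from response.headers is how a header is dropped.
function stripUnsupportedHeaders(response) {
  var removed = [];
  for (var i = 0; i < UNSUPPORTED_HEADERS.length; i++) {
    var name = UNSUPPORTED_HEADERS[i];
    if (response.headers[name]) {
      delete response.headers[name];
      removed.push(name);
    }
  }
  return removed;
}

// Entry point CloudFront calls. On the viewer-response event both
// event.request and event.response are present, so the request's
// User-Agent decides whether the response is rewritten.
function handler(event) {
  var response = event.response;
  if (isLegacyDevice(event.request)) {
    stripUnsupportedHeaders(response);
  }
  return response;
}

// Export for local testing only; the deployed CloudFront Function needs just handler().
if (typeof module !== 'undefined') {
  module.exports = { handler: handler, isLegacyDevice: isLegacyDevice, stripUnsupportedHeaders: stripUnsupportedHeaders };
}
```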

2.4.4 HTTPS configuration for CloudFront

1) Option one: CloudFront rewrites the Hostname and does not forward the original Hostname, but two certificates must be maintained.
2) Option two: if you want to hold only one certificate, add the original host value through Lambda@Edge. (Note that CloudFront cannot be configured with the Origin and the Hostname being identical.)

2.4.5 Typical architectures

  • Serve different resources (for example, images) based on the User-Agent, using Lambda@Edge
  • Building a globalized application
  • Use Lambda@Edge to route to multiple Regions (nearest-first principle)

2.5 AWS Global Accelerator

AWS Global Accelerator is a service in which you create accelerators to improve the performance of your applications for local and global users. Depending on the type of accelerator you choose, you get additional benefits.

2.5.1 Basic characteristics

  • Nearest-entry principle: traffic reaches your service quickly over the AWS internal backbone
  • Works with EIPs, EC2, ALB and NLB

Example question: A mobile gaming company is expanding into the global market. The company's game servers run in the us-east-1 Region. The game's client application uses UDP to communicate with the game servers and needs to be able to connect to a set of static IP addresses.
The company wants its game to be accessible on multiple continents. The company also wants the game to maintain its network performance and global availability.
Which solution meets these requirements?
A. Provision an Application Load Balancer (ALB) in front of the game servers. Create an Amazon CloudFront distribution that has no geographical restrictions. Set the ALB as the origin. Perform DNS lookups for the cloudfront.net domain name. Use the resulting IP addresses in the game's client application.
B. Provision game servers in each AWS Region. Provision an Application Load Balancer in front of the game servers. Create an Amazon Route 53 latency-based routing policy for the game's client application to use with DNS lookups.
C. Provision game servers in each AWS Region. Provision a Network Load Balancer (NLB) in front of the game servers. Create an accelerator in AWS Global Accelerator, and configure endpoint groups in each Region. Associate the NLBs with the corresponding Regional endpoint groups. Point the game client's application to the Global Accelerator endpoints.
D. Provision game servers in each AWS Region. Provision a Network Load Balancer (NLB) in front of the game servers. Create an Amazon CloudFront distribution that has no geographical restrictions. Set the NLB as the origin. Perform DNS lookups for the cloudfront.net domain name. Use the resulting IP addresses in the game's client application.
Answer: C
Explanation: The scenario is a game client connecting over UDP to a set of IP addresses for servers in Regions around the world. Global Accelerator provides static IP addresses that act as a fixed entry point for your application and removes the complexity of managing specific IP addresses for different AWS Regions and Availability Zones. So choose option C.

Example question: A software-as-a-service (SaaS) provider exposes APIs through an Application Load Balancer (ALB). The ALB connects to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster that is deployed in the us-east-1 Region. The exposed APIs contain usage of a few non-standard REST methods: LINK, UNLINK, LOCK, and UNLOCK.
Users outside the United States are reporting long and inconsistent response times for these APIs. A solutions architect needs to resolve this problem with a solution that minimizes operational overhead.
Which solution meets these requirements?
A. Add an Amazon CloudFront distribution. Configure the ALB as the origin.
B. Add an Amazon API Gateway edge-optimized API endpoint to expose the APIs. Configure the ALB as the target.
C. Add an accelerator in AWS Global Accelerator. Configure the ALB as the origin.
D. Deploy the APIs to two additional AWS Regions: eu-west-1 and ap-southeast-2. Add latency-based routing records in Amazon Route 53.
Answer: C
Explanation: The requirement is to speed up API access from other Regions; the API uses some non-standard REST methods, and operational overhead must be minimized. Option A: CloudFront does not support the non-standard REST methods. Options B and D would work, but they carry more operational overhead than option C, so the best choice is C.

  • Preserves the client IP address (except for NLB or EIP endpoints)
  • A good disaster recovery (DR) measure (because it has health checks)

Example question: A global media company is planning a multi-Region deployment of an application. Amazon DynamoDB global tables will back the deployment to keep the user experience consistent across the two continents where users are concentrated. Each deployment will have a public Application Load Balancer (ALB). The company manages public DNS internally. The company wants to make the application available through an apex domain.
Which solution will meet these requirements with the LEAST effort?
A. Migrate public DNS to Amazon Route 53. Create CNAME records for the apex domain to point to the ALB. Use a geolocation routing policy to route traffic based on user location.
B. Place a Network Load Balancer (NLB) in front of the ALB. Migrate public DNS to Amazon Route 53. Create a CNAME record for the apex domain to point to the NLB's static IP address. Use a geolocation routing policy to route traffic based on user location.
C. Create an AWS Global Accelerator accelerator with multiple endpoint groups that target endpoints in appropriate AWS Regions. Use the accelerator's static IP address to create a record in public DNS for the apex domain.
D. Create an Amazon API Gateway API that is backed by AWS Lambda in one of the AWS Regions. Configure a Lambda function to route traffic to application deployments by using the round robin method. Create CNAME records for the apex domain to point to the API's URL.
Answer: C
Explanation: The question asks for a multi-Region deployment on an apex domain. First, Route 53 does not support CNAME records here (at the apex), so options A and B are eliminated. API Gateway might work, but it is not a good fit for a global multi-Region design. So choose option C.

2.5.2 Differences from CloudFront

|              | Global Accelerator                              | CloudFront                         |
| Principle    | Faster access over the AWS internal network     | Faster access through caching      |
| Protocols    | HTTP, HTTPS, TCP, UDP                           | HTTP, HTTPS                        |
| Use case     | Fast Regional failover for disaster recovery    | Content caching                    |

3 Connecting an on-premises data center

When you have an on-premises data center that needs to communicate with your AWS Cloud environment, the two sides can expose interfaces to each other over the internet. If you consider that approach insecure, you can use the VPN and Direct Connect options described below instead.

3.1 AWS VPN

By default, instances you launch in your Amazon VPC cannot communicate with your own on-premises network. You can enable access from your VPC to the remote network by creating an AWS Site-to-Site VPN connection and configuring routes to send traffic through that connection.

3.1.1 Characteristics

  • Relatively low stability
  • Limited bandwidth

3.1.2 Typical architecture

  • Over the VPN, replicate the services into a shared VPC, and let other VPCs reach them through VPC peering (this works around the fact that VPC peering cannot share edge routes)

3.2 AWS Direct Connect

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable connects to your router, the other to an AWS Direct Connect router. Over this connection you can create virtual interfaces directly to public AWS services (for example, Amazon S3) or to Amazon VPC, bypassing the internet service providers in your network path. A Direct Connect location provides access to AWS in the Region it is associated with. You can use a single connection in a public Region or AWS GovCloud (US) to access public AWS services in all other public Regions.

3.2.1 Characteristics

  • It is a physical circuit provisioned by a carrier, so establishing it takes roughly a month
  • High stability
  • High bandwidth (if the exam mentions GB-scale transfers, choose Direct Connect rather than VPN)
  • Combined with Transit Gateway, it interconnects on-premises with multiple VPCs on AWS

Example question: A company is migrating some of its applications to AWS. The company wants to migrate and modernize the applications quickly after it finalizes networking and security strategies. The company has set up an AWS Direct Connect connection in a central network account.
The company expects to have hundreds of AWS accounts and VPCs in the near future. The corporate network must be able to access the resources on AWS seamlessly and also must be able to communicate with all the VPCs. The company also wants to route its cloud resources to the internet through its on-premises data center.
Which combination of steps will meet these requirements? (Choose three.)
A. Create a Direct Connect gateway in the central account. In each of the accounts, create an association proposal by using the Direct Connect gateway and the account ID for every virtual private gateway.
B. Create a Direct Connect gateway and a transit gateway in the central network account. Attach the transit gateway to the Direct Connect gateway by using a transit VIF.
C. Provision an internet gateway. Attach the internet gateway to subnets. Allow internet traffic through the gateway.
D. Share the transit gateway with other accounts. Attach VPCs to the transit gateway.
E. Provision VPC peering as necessary.
F. Provision only private subnets. Open the necessary route on the transit gateway and customer gateway to allow outbound internet traffic from AWS to flow through NAT services that run in the data center.
Answer: BDF
Explanation: The requirement is to connect the on-premises data center and AWS over Direct Connect, with many AWS accounts and VPCs. The preferred design is Direct Connect + Transit Gateway. Option A is inaccurate because using a Direct Connect gateway in that way alongside the transit gateway is redundant. Option C: there is no need for an internet gateway, because the company wants to route traffic through its on-premises data center. Option E: if the company uses a transit gateway to connect all VPCs, VPC peering is probably not needed. So choose BDF.

Example question: A company needs to establish a connection from its on-premises data center to AWS. The company needs to connect all of its VPCs that are located in different AWS Regions with transitive routing capabilities between VPC networks. The company also must reduce network outbound traffic costs, increase bandwidth throughput, and provide a consistent network experience for end users.
Which solution will meet these requirements?
A. Create an AWS Site-to-Site VPN connection between the on-premises data center and a new central VPC. Create VPC peering connections that initiate from the central VPC to all other VPCs.
B. Create an AWS Direct Connect connection between the on-premises data center and AWS. Provision a transit VIF, and connect it to a Direct Connect gateway. Connect the Direct Connect gateway to all the other VPCs by using a transit gateway in each Region.
C. Create an AWS Site-to-Site VPN connection between the on-premises data center and a new central VPC. Use a transit gateway with dynamic routing. Connect the transit gateway to all other VPCs.
D. Create an AWS Direct Connect connection between the on-premises data center and AWS. Establish an AWS Site-to-Site VPN connection between all VPCs in each Region. Create VPC peering connections that initiate from the central VPC to all other VPCs.
Answer: B
Explanation: The requirement is transitive access between multiple VPCs and the on-premises data center, with stable connectivity. For stability, Direct Connect is more reliable than VPN, so options A and C are eliminated. Transitive access between multiple VPCs and the on-premises data center requires a transit gateway; VPC peering cannot provide it. So choose option B.

  • High security

Example question: A company with global offices has a single 1 Gbps AWS Direct Connect connection to a single AWS Region. The company's on-premises network uses the connection to communicate with the company's resources in the AWS Cloud. The connection has a single private virtual interface that connects to a single VPC.
A solutions architect must implement a solution that adds a redundant Direct Connect connection in the same Region. The solution also must provide connectivity to other Regions through the same pair of Direct Connect connections as the company expands into other Regions.
Which solution meets these requirements?
A. Provision a Direct Connect gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the Direct Connect gateway. Connect the Direct Connect gateway to the single VPC.
B. Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new private virtual interface on the new connection, and connect the new private virtual interface to the single VPC.
C. Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new public virtual interface on the new connection and connect the new public virtual interface to the single VPC.
D. Provision a transit gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the transit gateway. Associate the transit gateway with the single VPC.
Answer: A
Explanation: Option B has no Direct Connect gateway, so there is no way to route traffic to another Region. Option C uses a public VIF, which will not work. Option D: Transit Gateway is a Regional service, so you cannot use it to route traffic to another Region; you would have to provision a new transit gateway in the other Region and peer the two, or use a Direct Connect gateway with a transit VIF.

Example question: A retail company has an on-premises data center in Europe. The company also has a multi-Region AWS presence that includes the eu-west-1 and us-east-1 Regions. The company wants to be able to route network traffic from its on-premises infrastructure into VPCs in either of those Regions. The company also needs to support traffic that is routed directly between VPCs in those Regions. No single points of failure can exist on the network.
The company already has created two 1 Gbps AWS Direct Connect connections from its on-premises data center. Each connection goes into a separate Direct Connect location in Europe for high availability. These two locations are named DX-A and DX-B, respectively. Each Region has a single AWS Transit Gateway that is configured to route all inter-VPC traffic within that Region.
Which solution will meet these requirements?
A. Create a private VIF from the DX-A connection into a Direct Connect gateway. Create a private VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with the Direct Connect gateway. Peer the transit gateways with each other to support cross-Region routing.
B. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Associate the eu-west-1 transit gateway with this Direct Connect gateway. Create a transit VIF from the DX-B connection into a separate Direct Connect gateway. Associate the us-east-1 transit gateway with this separate Direct Connect gateway. Peer the Direct Connect gateways with each other to support high availability and cross-Region routing.
C. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a transit VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with this Direct Connect gateway. Configure the Direct Connect gateway to route traffic between the transit gateways.
D. Create a transit VIF from the DX-A connection into a Direct Connect gateway. Create a transit VIF from the DX-B connection into the same Direct Connect gateway for high availability. Associate both the eu-west-1 and us-east-1 transit gateways with this Direct Connect gateway. Peer the transit gateways with each other to support cross-Region routing.
Answer: D
Explanation: Option A: the VPCs are not connected. Option B: peering Direct Connect gateways with each other is wrong. Option C: there is no intermediate gateway to route between the transit gateways. So choose D.

Example question: A company is configuring connectivity to a multi-account AWS environment to support application workloads that serve users in a single geographic region. The workloads depend on a highly available, on-premises legacy system deployed across two locations. It is critical for the AWS workloads to maintain connectivity to the legacy system, and a minimum of 5 Gbps of bandwidth is required. All application workloads within AWS must have connectivity with one another.
Which solution will meet these requirements?
A. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from a DX partner for each on-premises location. Create private virtual interfaces on each connection for each AWS account VPC. Associate the private virtual interface with a virtual private gateway attached to each VPC.
B. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from two DX partners for each on-premises location. Create and attach a virtual private gateway for each AWS account VPC. Create a DX gateway in a central network account and associate it with the virtual private gateways. Create a public virtual interface on each DX connection and associate the interface with the DX gateway.
C. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from two DX partners for each on-premises location. Create a transit gateway and a DX gateway in a central network account. Create a transit virtual interface for each DX interface and associate them with the DX gateway. Create a gateway association between the DX gateway and the transit gateway.
D. Configure multiple AWS Direct Connect (DX) 10 Gbps dedicated connections from a DX partner for each on-premises location. Create and attach a virtual private gateway for each AWS account VPC. Create a transit gateway in a central network account and associate it with the virtual private gateways. Create a transit virtual interface on each DX connection and attach the interface to the transit gateway.
Answer: C
Explanation: The question requires connecting two on-premises locations to the AWS Cloud. Option A: there is no connectivity between the VPCs. Option B: a DX gateway does not support routing from one VPC to another (https://docs.aws.amazon.com/directconnect/latest/UserGuide/direct-connect-gateways-intro.html). Option D: without a Direct Connect gateway in between, a Direct Connect connection cannot be attached to a transit gateway. Reference: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-aws-transit-gateway.html
So option C is correct.

4 Combined network solutions on the exam

Example question: A financial company is planning to migrate its web application from on premises to AWS. The company uses a third-party security tool to monitor the inbound traffic to the application. The company has used the security tool for the last 15 years, and the tool has no cloud solutions available from its vendor. The company's security team is concerned about how to integrate the security tool with AWS technology.
The company plans to deploy the application migration to AWS on Amazon EC2 instances. The EC2 instances will run in an Auto Scaling group in a dedicated VPC. The company needs to use the security tool to inspect all packets that come in and out of the VPC. This inspection must occur in real time and must not affect the application's performance. A solutions architect must design a target architecture on AWS that is highly available within an AWS Region.
Which combination of steps should the solutions architect take to meet these requirements? (Choose two.)
A. Deploy the security tool on EC2 instances in a new Auto Scaling group in the existing VPC
B. Deploy the web application behind a Network Load Balancer
C. Deploy an Application Load Balancer in front of the security tool instances
D. Provision a Gateway Load Balancer for each Availability Zone to redirect the traffic to the security tool
E. Provision a transit gateway to facilitate communication between VPCs.
Answer: AD
Explanation: The requirement is to migrate a third-party traffic-monitoring tool to the cloud while keeping it inspecting the VPC. Option B, deploying the web application behind a Network Load Balancer, has nothing to do with integrating the third-party security tool with AWS. Option C (an Application Load Balancer in front of the security tool instances) is unnecessary, because the Gateway Load Balancer already redirects traffic to the security tool. Option E, a transit gateway for communication between VPCs, involves neither the integration of the third-party tool with AWS nor the inspection of packets entering and leaving the VPC. So the answer is AD.

Example question: A company is running a web application in a VPC. The web application runs on a group of Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is using AWS WAF.
An external customer needs to connect to the web application. The company must provide IP addresses to all external customers.
Which solution will meet these requirements with the LEAST operational overhead?
A. Replace the ALB with a Network Load Balancer (NLB). Assign an Elastic IP address to the NLB.
B. Allocate an Elastic IP address. Assign the Elastic IP address to the ALB. Provide the Elastic IP address to the customer.
C. Create an AWS Global Accelerator standard accelerator. Specify the ALB as the accelerator's endpoint. Provide the accelerator's IP addresses to the customer.
D. Configure an Amazon CloudFront distribution. Set the ALB as the origin. Ping the distribution's DNS name to determine the distribution's public IP address. Provide the IP address to the customer.
Answer: C
Explanation: The requirement is to give customers fixed IP addresses, which amounts to configuring static IPs. Static IPs can be obtained in the following ways:
– NLB (in place of the ALB)
– NLB + ALB
– Global Accelerator + ALB
– Another load balancer (for example, nginx)
Option A: NLB does not support WAF. Option B: ALB does not support Elastic IPs. Option D does not yield a static IP address.

Example question: A solutions architect has an operational workload deployed on Amazon EC2 instances in an Auto Scaling group. The VPC architecture spans two Availability Zones (AZ) with a subnet in each that the Auto Scaling group is targeting. The VPC is connected to an on-premises environment and connectivity cannot be interrupted. The maximum size of the Auto Scaling group is 20 instances in service. The VPC IPv4 addressing is as follows:
VPC CIDR: 10.0.0.0/23
AZ1 subnet CIDR: 10.0.0.0/24
AZ2 subnet CIDR: 10.0.1.0/24
Since deployment, a third AZ has become available in the Region. The solutions architect wants to adopt the new AZ without adding additional IPv4 address space and without service downtime.
Which solution will meet these requirements?
A. Update the Auto Scaling group to use the AZ2 subnet only. Delete and re-create the AZ1 subnet using half the previous address space. Adjust the Auto Scaling group to also use the new AZ1 subnet. When the instances are healthy, adjust the Auto Scaling group to use the AZ1 subnet only. Remove the current AZ2 subnet. Create a new AZ2 subnet using the second half of the address space from the original AZ1 subnet. Create a new AZ3 subnet using half the original AZ2 subnet address space, then update the Auto Scaling group to target all three new subnets.
B. Terminate the EC2 instances in the AZ1 subnet. Delete and re-create the AZ1 subnet using half the address space. Update the Auto Scaling group to use this new subnet. Repeat this for the second AZ. Define a new subnet in AZ3, then update the Auto Scaling group to target all three new subnets.
C. Create a new VPC with the same IPv4 address space and define three subnets, with one for each AZ. Update the existing Auto Scaling group to target the new subnets in the new VPC.
D. Update the Auto Scaling group to use the AZ2 subnet only. Update the AZ1 subnet to have the previous address space. Adjust the Auto Scaling group to also use the AZ1 subnet again. When the instances are healthy, adjust the Auto Scaling group to use the AZ1 subnet only. Update the current AZ2 subnet and assign the second half of the address space from the original AZ1 subnet. Create a new AZ3 subnet using half the original AZ2 subnet address space, then update the Auto Scaling group to target all three new subnets.
Answer: A
Explanation: The question asks for a reorganization of the VPC's subnets. AWS does not support changing the IP address range of an existing VPC or subnet; you must delete the VPC or subnet and create a new one with the CIDR block you want. So choose option A.

Example question: A solutions architect is designing an AWS account structure for a company that consists of multiple teams. All the teams will work in the same AWS Region. The company needs a VPC that is connected to the on-premises network. The company expects less than 50 Mbps of total traffic to and from the on-premises network.
Which combination of steps will meet these requirements MOST cost-effectively? (Choose two.)
A. Create an AWS CloudFormation template that provisions a VPC and the required subnets. Deploy the template to each AWS account.
B. Create an AWS CloudFormation template that provisions a VPC and the required subnets. Deploy the template to a shared services account. Share the subnets by using AWS Resource Access Manager.
C. Use AWS Transit Gateway along with an AWS Site-to-Site VPN for connectivity to the on-premises network. Share the transit gateway by using AWS Resource Access Manager.
D. Use AWS Site-to-Site VPN for connectivity to the on-premises network.
E. Use AWS Direct Connect for connectivity to the on-premises network.
Answer: BD
Explanation: The question asks for a network design that meets the company's needs: a single Region, connectivity to the on-premises data center, bandwidth under 50 Mbps, and MOST cost-effective. In a single Region one VPC is enough; no transit gateway is needed, and the VPC can be shared through RAM, so option B fits. Connectivity to the on-premises data center can use either VPN or Direct Connect; since the bandwidth is low, VPN suffices, so option D fits.

Example question: A solutions architect at a large company needs to set up network security for outbound traffic to the internet from all AWS accounts within an organization in AWS Organizations. The organization has more than 100 AWS accounts, and the accounts route to each other by using a centralized AWS Transit Gateway. Each account has both an internet gateway and a NAT gateway for outbound traffic to the internet. The company deploys resources only into a single AWS Region.
The company needs the ability to add centrally managed rule-based filtering on all outbound traffic to the internet for all AWS accounts in the organization. The peak load of outbound traffic will not exceed 25 Gbps in each Availability Zone.
Which solution meets these requirements?
A. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Create an Auto Scaling group of Amazon EC2 instances that run an open-source internet proxy for rule-based filtering across all Availability Zones in the Region. Modify all default routes to point to the proxy's Auto Scaling group.
B. Create a new VPC for outbound traffic to the internet. Connect the existing transit gateway to the new VPC. Configure a new NAT gateway. Use an AWS Network Firewall firewall for rule-based filtering. Create Network Firewall endpoints in each Availability Zone. Modify all default routes to point to the Network Firewall endpoints.
C. Create an AWS Network Firewall firewall for rule-based filtering in each AWS account. Modify all default routes to point to the Network Firewall firewalls in each account.
D. In each AWS account, create an Auto Scaling group of network-optimized Amazon EC2 instances that run an open-source internet proxy for rule-based filtering. Modify all default routes to point to the proxy's Auto Scaling group.
Answer: B
Explanation: The question requires centralized network security settings for the egress traffic of many accounts in the organization. Reference: https://aws.amazon.com/blogs/networking-and-content-delivery/deploy-centralized-traffic-filtering-using-aws-network-firewall/

Example question: A company is creating a centralized logging service running on Amazon EC2 that will receive and analyze logs from hundreds of AWS accounts. AWS PrivateLink is being used to provide connectivity between the client services and the logging service.
In each AWS account with a client, an interface endpoint has been created for the logging service and is available. The logging service running on EC2 instances with a Network Load Balancer (NLB) are deployed in different subnets. The clients are unable to submit logs using the VPC endpoint.
Which combination of steps should a solutions architect take to resolve this issue? (Choose two.)
A. Check that the NACL is attached to the logging service subnet to allow communications to and from the NLB subnets. Check that the NACL is attached to the NLB subnet to allow communications to and from the logging service subnets running on EC2 instances.
B. Check that the NACL is attached to the logging service subnets to allow communications to and from the interface endpoint subnets. Check that the NACL is attached to the interface endpoint subnet to allow communications to and from the logging service subnets running on EC2 instances.
C. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the NLB subnets.
D. Check the security group for the logging service running on the EC2 instances to ensure it allows ingress from the clients.
E. Check the security group for the NLB to ensure it allows ingress from the interface endpoint subnets.
Answer: AC
Explanation: The question asks why access fails. The path is client -> endpoint -> NLB -> EC2 (NACL). Because the EC2 instances only see the NLB's IP addresses and never the client endpoint's IP, option B is wrong and option A is correct. Likewise the EC2 security group cannot see the client endpoint's IP, so option C is correct and option D is wrong. Option E: the NLB has no security group. So the answer is AC.

Example question: A company runs an unauthenticated static website (www.example.com) that includes a registration form for users. The website uses Amazon S3 for hosting and uses Amazon CloudFront as the content delivery network with AWS WAF configured. When the registration form is submitted, the website calls an Amazon API Gateway API endpoint that invokes an AWS Lambda function to process the payload and forward the payload to an external API call.
During testing, a solutions architect encounters a cross-origin resource sharing (CORS) error. The solutions architect confirms that the CloudFront distribution origin has the Access-Control-Allow-Origin header set to www.example.com.
What should the solutions architect do to resolve the error?
A. Change the CORS configuration on the S3 bucket. Add rules for CORS to the AllowedOrigin element for www.example.com.
B. Enable the CORS setting in AWS WAF. Create a web ACL rule in which the Access-Control-Allow-Origin header is set to www.example.com.
C. Enable the CORS setting on the API Gateway API endpoint. Ensure that the API endpoint is configured to return all responses that have the Access-Control-Allow-Origin header set to www.example.com.
D. Enable the CORS setting on the Lambda function. Ensure that the return code of the function has the Access-Control-Allow-Origin header set to www.example.com.
Answer: C
Explanation: Reference: https://aws.amazon.com/premiumsupport/knowledge-center/api-gateway-cors-errors/

例题:A company has migrated a legacy application to the AWS Cloud. The application runs on three Amazon EC2 instances that are spread across three Availability Zones. One EC2 instance is in each Availability Zone. The EC2 instances are running in three private subnets of the VPC and are set up as targets for an Application Load Balancer (ALB) that is associated with three public subnets.
The application needs to communicate with on-premises systems. Only traffic from IP addresses in the company’s IP address range is allowed to access the on-premises systems. The company’s security team is bringing only one IP address from its internal IP address range to the cloud. The company has added this IP address to the allow list for the company firewall. The company also has created an Elastic IP address for this IP address.
A solutions architect needs to create a solution that gives the application the ability to communicate with the on-premises systems. The solution also must be able to mitigate failures automatically.
Which solution will meet these requirements?
A. Deploy three NAT gateways, one in each public subnet. Assign the Elastic IP address to the NAT gateways. Turn on health checks for the NAT gateways. If a NAT gateway fails a health check, recreate the NAT gateway and assign the Elastic IP address to the new NAT gateway.
B. Replace the ALB with a Network Load Balancer (NLB). Assign the Elastic IP address to the NLB. Turn on health checks for the NLB. In the case of a failed health check, redeploy the NLB in different subnets.
C. Deploy a single NAT gateway in a public subnet. Assign the Elastic IP address to the NAT gateway. Use Amazon CloudWatch with a custom metric to monitor the NAT gateway. If the NAT gateway is unhealthy, invoke an AWS Lambda function to create a new NAT gateway in a different subnet. Assign the Elastic IP address to the new NAT gateway.
D. Assign the Elastic IP address to the ALB. Create an Amazon Route 53 simple record with the Elastic IP address as the value. Create a Route 53 health check. In the case of a failed health check, recreate the ALB in different subnets.
Answer: C
Answer explanation: to reach the on-premises systems from a private subnet you need a NAT gateway. Because only one Elastic IP is on the firewall's allow list, only one NAT gateway can exist at a time; if its AZ fails, a Lambda function creates a new NAT gateway in a different AZ using the same Elastic IP. Therefore option C.
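The failover mechanism behind option C, as an added Python example that is not part of the original post: it deletes the unhealthy NAT gateway, recreates one in another subnet with the same Elastic IP allocation, and repoints the private route tables. The EC2 client is injected so the demo runs offline against a constructed FakeEC2 stand-in; subnet, allocation and route-table IDs are placeholders, while the boto3 call names and response shapes are the real ones.

```python
import time


def failover_nat_gateway(ec2, failed_nat_id, new_subnet_id, allocation_id,
                         route_table_ids, poll_seconds=0):
    """Replace an unhealthy NAT gateway with one in another subnet that reuses
    the same Elastic IP allocation; returns the new NAT gateway ID."""
    # The Elastic IP is freed only once the old gateway is fully deleted,
    # so wait before reusing the allocation.
    ec2.delete_nat_gateway(NatGatewayId=failed_nat_id)
    _wait_for_state(ec2, failed_nat_id, "deleted", poll_seconds)

    # Same allocation ID -> same public IP, so the firewall allow list is unchanged.
    created = ec2.create_nat_gateway(SubnetId=new_subnet_id,
                                     AllocationId=allocation_id)
    new_nat_id = created["NatGateway"]["NatGatewayId"]
    _wait_for_state(ec2, new_nat_id, "available", poll_seconds)

    # Private subnets keep their 0.0.0.0/0 route; only the target changes.
    for rtb in route_table_ids:
        ec2.replace_route(RouteTableId=rtb, DestinationCidrBlock="0.0.0.0/0",
                          NatGatewayId=new_nat_id)
    return new_nat_id


def _wait_for_state(ec2, nat_id, wanted, poll_seconds):
    while True:
        gw = ec2.describe_nat_gateways(NatGatewayIds=[nat_id])["NatGateways"][0]
        if gw["State"] == wanted:
            return
        if gw["State"] == "failed":
            raise RuntimeError(f"NAT gateway {nat_id} entered the failed state")
        time.sleep(poll_seconds)


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client so the demo runs offline."""
    def __init__(self):
        self.gateways = {"nat-old": {"State": "available"}}
        self.routes = {}
    def delete_nat_gateway(self, NatGatewayId):
        self.gateways[NatGatewayId]["State"] = "deleted"
    def create_nat_gateway(self, SubnetId, AllocationId):
        self.gateways["nat-new"] = {"State": "available", "SubnetId": SubnetId,
                                    "AllocationId": AllocationId}
        return {"NatGateway": {"NatGatewayId": "nat-new"}}
    def describe_nat_gateways(self, NatGatewayIds):
        return {"NatGateways": [self.gateways[i] for i in NatGatewayIds]}
    def replace_route(self, RouteTableId, DestinationCidrBlock, NatGatewayId):
        self.routes[RouteTableId] = (DestinationCidrBlock, NatGatewayId)
```

In a real Lambda the polling loop has to fit the function timeout; NAT gateway creation takes several minutes, so split the wait across invocations or drive it from Step Functions.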

例题:A company wants to send data from its on-premises systems to Amazon S3 buckets. The company created the S3 buckets in three different accounts. The company must send the data privately without the data traveling across the internet. The company has no existing dedicated connectivity to AWS.
Which combination of steps should a solutions architect take to meet these requirements? (Choose two.)
A. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a private VIF between the on-premises environment and the private VPC.
B. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Set up an AWS Direct Connect connection with a public VIF between the on-premises environment and the private VPC.
C. Create an Amazon S3 interface endpoint in the networking account.
D. Create an Amazon S3 gateway endpoint in the networking account.
E. Establish a networking account in the AWS Cloud. Create a private VPC in the networking account. Peer VPCs from the accounts that host the S3 buckets with the VPC in the network account.
Answer: AC
Answer explanation: the on-premises data center must reach S3 buckets in AWS without crossing the public internet. Between options A and B, B uses a public VIF, which is incorrect, so A is chosen; between C and D, a gateway endpoint cannot be reached through edge routing from on premises, so C is chosen. Option E, VPC peering, is incorrect. Therefore the answer is AC.
