- (Exam Topic 3)
A company has a web server running on an Amazon EC2 instance in a public subnet with an Elastic IP address. The default security group is assigned to the EC2 instance. The default network ACL has been modified to block all traffic. A solutions architect needs to make the web server accessible from everywhere on port 443.
Which combination of steps will accomplish this task? (Choose two.)

1. A. Create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0.
2. B. Create a security group with a rule to allow TCP port 443 to destination 0.0.0.0/0.
3. C. Update the network ACL to allow TCP port 443 from source 0.0.0.0/0.
4. D. Update the network ACL to allow inbound/outbound TCP port 443 from source 0.0.0.0/0 and to destination 0.0.0.0/0.
5. E. Update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 and outbound TCP port 32768-65535 to destination 0.0.0.0/0.

Correct Answer: AC
The combination of steps that will accomplish the task of making the web server accessible from everywhere on port 443 is to create a security group with a rule to allow TCP port 443 from source 0.0.0.0/0 (A) and to update the network ACL to allow inbound TCP port 443 from source 0.0.0.0/0 (C). This will ensure that traffic to port 443 is allowed both at the security group level and at the network ACL level, which will make the web server accessible from everywhere on port 443.

- (Exam Topic 3)
A company is concerned that two NAT instances in use will no longer be able to support the traffic needed for the company’s application. A solutions architect wants to implement a solution that is highly available, fault tolerant, and automatically scalable.
What should the solutions architect recommend?

1. A. Remove the two NAT instances and replace them with two NAT gateways in the same Availability Zone.
2. B. Use Auto Scaling groups with Network Load Balancers for the NAT instances in different Availability Zones.
3. C. Remove the two NAT instances and replace them with two NAT gateways in different Availability Zones.
4. D. Replace the two NAT instances with Spot Instances in different Availability Zones and deploy a Network Load Balancer.

Correct Answer: C
If you have resources in multiple Availability Zones and they share one NAT gateway, and if the NAT
gateway’s Availability Zone is down, resources in the other Availability Zones lose internet access. To create an Availability Zone-independent architecture, create a NAT gateway in each Availability Zone and configure your routing to ensure that resources use the NAT gateway in the same Availability Zone. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-basics

- (Exam Topic 3)
A company is running a batch application on Amazon EC2 instances. The application consists of a backend with multiple Amazon RDS databases. The application is causing a high number of leads on the databases. A solutions architect must reduce the number of database reads while ensuring high availability.
What should the solutions architect do to meet this requirement?

1. A. Add Amazon RDS read replicas
2. B. Use Amazon ElastCache for Redis
3. C. Use Amazon Route 53 DNS caching
4. D. Use Amazon ElastiCache for Memcached

Correct Answer: A

- (Exam Topic 1)
A company recently launched Linux-based application instances on Amazon EC2 in a private subnet and launched a Linux-based bastion host on an Amazon EC2 instance in a public subnet of a VPC A solutions architect needs to connect from the on-premises network, through the company's internet connection to the bastion host and to the application servers The solutions architect must make sure that the security groups of all the EC2 instances will allow that access
Which combination of steps should the solutions architect take to meet these requirements? (Select TWO)

1. A. Replace the current security group of the bastion host with one that only allows inbound access from the application instances
2. B. Replace the current security group of the bastion host with one that only allows inbound access from the internal IP range for the company
3. C. Replace the current security group of the bastion host with one that only allows inbound access from the external IP range for the company
4. D. Replace the current security group of the application instances with one that allows inbound SSH access from only the private IP address of the bastion host
5. E. Replace the current security group of the application instances with one that allows inbound SSH access from only the public IP address of the bastion host

Correct Answer: CD
https://digitalcloud.training/ssh-into-ec2-in-private-subnet/

- (Exam Topic 3)
A medical research lab produces data that is related to a new study. The lab wants to make the data available with minimum latency to clinics across the country for their on-premises, file-based applications. The data files are stored in an Amazon S3 bucket that has read-only permissions for each clinic.
What should a solutions architect recommend to meet these requirements?

1. A. Deploy an AWS Storage Gateway file gateway as a virtual machine (VM) on premises at each clinic
2. B. Migrate the files to each clinic’s on-premises applications by using AWS DataSync for processing.
3. C. Deploy an AWS Storage Gateway volume gateway as a virtual machine (VM) on premises at each clinic.
4. D. Attach an Amazon Elastic File System (Amazon EFS) file system to each clinic’s on-premises servers.

Correct Answer: A
AWS Storage Gateway is a service that connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between an organization's on-premises IT environment and AWS's storage infrastructure. By deploying a file gateway as a virtual machine on each clinic's premises, the medical research lab can provide low-latency access to the data stored in the S3 bucket while maintaining read-only permissions for each clinic. This solution allows the clinics to access the data files directly from their
on-premises file-based applications without the need for data transfer or migration.