- (Topic 1)
A company has an application that ingests incoming messages. These messages are then quickly consumed by dozens of other applications and microservices.
The number of messages varies drastically and sometimes spikes as high as 100,000 each second. The company wants to decouple the solution and increase scalability.
Which solution meets these requirements?

1. A. Persist the messages to Amazon Kinesis Data Analytic
2. B. All the applications will read and process the messages.
3. C. Deploy the application on Amazon EC2 instances in an Auto Scaling group, which scales the number of EC2 instances based on CPU metrics.
4. D. Write the messages to Amazon Kinesis Data Streams with a single shar
5. E. All applications will read from the stream and process the messages.
6. F. Publish the messages to an Amazon Simple Notification Service (Amazon SNS) topic with one or more Amazon Simple Queue Service (Amazon SQS) subscription
7. G. All applications then process the messages from the queues.

Correct Answer: D
https://aws.amazon.com/sqs/features/
By routing incoming requests to Amazon SQS, the company can decouple the job requests from the processing instances. This allows them to scale the number of instances based on the size of the queue, providing more resources when needed. Additionally, using an Auto Scaling group based on the queue size will automatically scale the number of instances up or down depending on the workload. Updating the software to read from the queue will allow it to process the job requests in a more efficient manner, improving the performance of the system.

- (Topic 4)
A company has a stateless web application that runs on AWS Lambda functions that are invoked by Amazon API Gateway. The company v wants to deploy the application across multiple AWS Regions to provide Regional failover capabilities.
What should a solutions architect do to route traffic to multiple Regions?

1. A. Create Amazon Route 53 health checks for each Regio
2. B. Use an active-active failover configuration.
3. C. Create an Amazon CloudFront distribution with an origin for each Regio
4. D. Use CloudFront health checks to route traffic.
5. E. Create a transit gatewa
6. F. Attach the transit gateway to the API Gateway endpoint in each Regio
7. G. Configure the transit gateway to route requests.
8. H. Create an Application Load Balancer in the primary Regio
9. I. Set the target group to point to the API Gateway endpoint hostnames in each Region.

Correct Answer: C
This answer is correct because it provides Regional failover capabilities for the online gaming application by using AWS Global Accelerator. AWS Global Accelerator is a networking service that helps you improve the availability, performance, and security of your public applications. Global Accelerator provides two global static public IPs that act as a fixed entry point to your application endpoints, such as NLBs, in different AWS Regions. Global Accelerator uses the AWS global network to route traffic to the optimal regional endpoint based on health, client location, and policies that you configure. Global Accelerator also terminates TCP and UDP traffic at the edge locations, which reduces the number of hops and improves the network performance. By adding AWS Global Accelerator in front of the NLBs, you can achieve Regional failover for your online gaming application.
References:
✑ https://docs.aws.amazon.com/global-accelerator/latest/dg/what-is-global- accelerator.html
✑ https://aws.amazon.com/global-accelerator/

- (Topic 3)
A company runs a public three-Tier web application in a VPC The application runs on Amazon EC2 instances across multiple Availability Zones. The EC2 instances that run in private subnets need to communicate with a license server over the internet The company needs a managed solution that minimizes operational maintenance
Which solution meets these requirements''

1. A. Provision a NAT instance in a public subnet Modify each private subnets route table with a default route that points to the NAT instance
2. B. Provision a NAT instance in a private subnet Modify each private subnet's route table with a default route that points to the NAT instance
3. C. Provision a NAT gateway in a public subnet Modify each private subnet's route table with a default route that points to the NAT gateway
4. D. Provision a NAT gateway in a private subnet Modify each private subnet's route table with a default route that points to the NAT gateway

Correct Answer: C
A NAT gateway is a type of network address translation (NAT) device that enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances1. A NAT gateway is a managed service that requires minimal operational maintenance and can handle up to 45 Gbps of bursty traffic1. A NAT gateway is suitable for scenarios where EC2 instances in private subnets need to communicate with a license server over the internet, such as the three-tier web application in the scenario1.
To meet the requirements of the scenario, the solutions architect should provision a NAT gateway in a public subnet. The solutions architect should also modify each private subnet’s route table with a default route that points to the NAT gateway1. This way, the EC2 instances that run in private subnets can access the license server over the internet through the NAT gateway.

- (Topic 4)
A company's ecommerce website has unpredictable traffic and uses AWS Lambda functions to directly access a private Amazon RDS for PostgreSQL DB instance. The company wants to maintain predictable database performance and ensure that the Lambda invocations do not overload the database with too many connections.
What should a solutions architect do to meet these requirements?

1. A. Point the client driver at an RDS custom endpoin
2. B. Deploy the Lambda functions inside a VPC.
3. C. Point the client driver at an RDS proxy endpoin
4. D. Deploy the Lambda functions inside a VPC.
5. E. Point the client driver at an RDS custom endpoin
6. F. Deploy the Lambda functions outside a VPC.
7. G. Point the client driver at an RDS proxy endpoin
8. H. Deploy the Lambda functions outside a VPC.

Correct Answer: B
To maintain predictable database performance and ensure that the Lambda invocations do not overload the database with too many connections, a solutions architect should point the client driver at an RDS proxy endpoint and deploy the Lambda functions inside a VPC. An RDS proxy is a fully managed database proxy that allows applications to share connections to a database, improving database availability and scalability. By using an RDS proxy, the Lambda functions can reuse existing connections, rather than creating new ones for every invocation, reducing the connection overhead and latency. Deploying the Lambda functions inside a VPC allows them to access the private RDS DB instance securely and efficiently, without exposing it to the public internet. References:
✑ Using Amazon RDS Proxy with AWS Lambda
✑ Configuring a Lambda function to access resources in a VPC

- (Topic 3)
A company wants to deploy a new public web application on AWS The application includes a web server tier that uses Amazon EC2 instances The application also includes a database tier that uses an Amazon RDS for MySQL DB instance
The application must be secure and accessible for global customers that have dynamic IP addresses
How should a solutions architect configure the security groups to meet these requirements'?

1. A. Configure the security group tor the web servers lo allow inbound traffic on port 443 from 0.0.0. 0/0) Configure the security group for the DB instance to allow inbound traffic on port 3306 from the security group of the web servers
2. B. Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers Configure the security group for the DB instance lo allow inbound traffic on port 3306 from the security group of the web servers
3. C. Configure the security group for the web servers to allow inbound traffic on port 443 from the IP addresses of the customers Configure the security group for the DB instance to allow inbound traffic on port 3306 from the IP addresses of the customers
4. D. Configure the security group for the web servers to allow inbound traffic on port 443 from 0.0.0.0.0 Configure the security group for the DB instance to allow inbound traffic on port 3306 from 0.0.0.0/0)

Correct Answer: A
✑ Restricting inbound access to the web servers to only port 443, which is used for HTTPS traffic, and allowing access from any IP address (0.0.0.0/0), since the application is public and accessible for global customers.
✑ Restricting inbound access to the DB instance to only port 3306, which is used for MySQL traffic, and allowing access only from the security group of the web servers, which creates a secure connection between the two tiers and prevents unauthorized access to the database.
✑ Restricting outbound access to the minimum required for both tiers, which is not specified in the question but can be assumed to be similar to the inbound rules.
References:
✑ Security groups - Amazon Virtual Private Cloud
✑ 5 Best Practices for AWS Security Groups - DZone