AWS SA Professional – Practice Question 6

Welcome back to another revision question.

You are designing internet connectivity for your VPC. The web servers must be available on the internet. The application must have a highly available architecture. Which alternatives should you consider? (Choose 2)

a. Configure ELB with an EIP. Place all your web servers behind ELB. Configure a Route53 A Record that points to the EIP.

b. Assign EIPs to all web servers. Configure a Route53 record set with all EIPs, with health checks and DNS failover.

c. Place all your web servers behind an ELB. Configure a Route53 CNAME to point to the ELB DNS name.

d. Configure a CloudFront distribution and configure the origin to point to the private IP address of your web servers. Configure a Route53 CNAME record to your CloudFront distribution.

e. Configure a NAT instance in your VPC. Create a default route via the NAT instance and associate it with all subnets. Configure a DNS A record that points to the NAT instance public IP address.

Reviewing the question, it's testing your understanding of VPCs, DNS records, enabling internet access for servers within a VPC, and designing high availability within a VPC. For this particular question we have to choose two correct answers. Let's work this one through.

If you’re already studying for the Solutions Architect Professional exam you should know how to configure a VPC manually.

To create a VPC you need to do the following:

  • From the AWS Console, Select “Networking & Content Delivery” and then Click “VPC”.
  • Click on the “Your VPCs” link and Click “Create VPC”.
  • Give the VPC a Name and define your IPv4 Network CIDR Range and then Click “Yes, Create”.  Note – The CIDR Range can be as large as a /16 and as small as a /28.

To add an Internet Gateway you need to do the following:

  • From within the VPC Dashboard, Click on the “Internet Gateways” link and Click “Create Internet Gateway”.
  • Give the Internet Gateway a name and Click “Yes, Create”.  Note – The Internet Gateway that was just created will be shown as detached.
  • To attach the Internet Gateway to the VPC, Select the Internet Gateway that you created and Click “Attach to VPC”.
  • Select the VPC that you created previously and Click “Yes, Attach”.  Note – You can only attach one Internet Gateway per VPC.

To create a Public Subnet you need to do the following:

  • From within the VPC Dashboard, Click on the “Subnets” link and Click “Create Subnet”.
  • Give the Subnet a name, Select the VPC that you created in the previous step, Choose an Availability Zone, Define the IPv4 CIDR Range for the Subnet and then Click “Yes, Create”.  Note – The CIDR Range must sit within the same CIDR Range as the VPC.
  • Select the Subnet that was previously created, Click “Subnet Actions” and then Select “Modify auto-assign IP settings”.
  • Tick the checkbox for “Enable auto-assign public IPv4 address” and then Click “Save”.
  • Repeat the above steps to create another Subnet in a different Availability Zone, with a different CIDR Range from the previously created Subnet.

To create a Private Subnet you need to do the following:

  • From within the VPC Dashboard, Click on the “Subnets” link and Click “Create Subnet”.
  • Give the Subnet a name, Select the VPC that you created in the previous step, Choose an Availability Zone, Define the IPv4 CIDR Range for the Subnet and then Click “Yes, Create”.  Note – The CIDR Range must sit within the same CIDR Range as the VPC.
  • Repeat the above steps to create another Subnet in a different Availability Zone, with a different CIDR Range from the previously created Subnet.

To create a Route Table to enable Internet Connectivity for the Public Subnets you need to do the following:

  • From within the VPC Dashboard, Click on the “Route Tables” link and Click “Create Route Table”.
  • Give the Route Table a name, Select the previously created VPC and then Click “Yes, Create”.
  • Select the Route Table previously created, Click the “Routes” Tab in the bottom half of the screen and then Click “Edit”.
  • Click “Add another route”, In the “Destination” textbox type “0.0.0.0/0”, in the “Target” textbox Select the Internet Gateway that was previously created and then Click “Save”.
  • Click the “Subnet Associations” Tab, and then Click “Edit”.
  • Select the Public Subnets that were created previously and then Click “Save”.
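Before clicking through those screens it is worth checking the layout on paper. The script below is an added example, not code from the original post: it validates a proposed VPC/subnet plan against the constraints the walkthrough notes (VPC CIDR between /16 and /28, every subnet inside the VPC CIDR, no overlapping subnets, public subnets in at least two Availability Zones) and emits the route table the public subnets need. All CIDRs, Availability Zone names and the gateway id are constructed sample values.

```python
"""Pre-flight check for the manual VPC build walked through above.

Added example, not code from the original post. Every CIDR, zone name and
id below is a constructed sample value.
"""
import ipaddress
from typing import Dict, List, Tuple

# name -> (cidr, availability_zone, is_public); constructed sample layout
VPC_CIDR = "10.0.0.0/16"
SAMPLE_SUBNETS: Dict[str, Tuple[str, str, bool]] = {
    "public-a":  ("10.0.1.0/24",  "us-east-1a", True),
    "public-b":  ("10.0.2.0/24",  "us-east-1b", True),
    "private-a": ("10.0.11.0/24", "us-east-1a", False),
    "private-b": ("10.0.12.0/24", "us-east-1b", False),
}
IGW_ID = "igw-0123456789abcdef0"  # constructed placeholder id


def plan_errors(vpc_cidr: str, subnets: Dict[str, Tuple[str, str, bool]]) -> List[str]:
    """Return a list of problems with the plan; an empty list means it is sound."""
    errors: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    # AWS accepts a VPC CIDR block no larger than /16 and no smaller than /28.
    if not 16 <= vpc.prefixlen <= 28:
        errors.append(f"VPC CIDR {vpc_cidr} must be between /16 and /28")
    placed: List[Tuple[str, ipaddress.IPv4Network]] = []
    for name, (cidr, _az, _public) in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        # Every subnet must sit inside the VPC CIDR...
        if not net.subnet_of(vpc):
            errors.append(f"{name}: {cidr} lies outside the VPC CIDR {vpc}")
        # ...and must not overlap any subnet already placed.
        for other_name, other in placed:
            if net.overlaps(other):
                errors.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        placed.append((name, net))
    # High availability needs public subnets in at least two Availability Zones.
    public_azs = {az for _cidr, az, public in subnets.values() if public}
    if len(public_azs) < 2:
        errors.append("public subnets span fewer than two Availability Zones")
    return errors


def public_route_table(subnets: Dict[str, Tuple[str, str, bool]], igw_id: str) -> dict:
    """What the 'Route Tables' steps produce: a default route to the Internet
    Gateway, associated with every public subnet (the VPC-local route is implicit)."""
    return {
        "routes": [{"destination": "0.0.0.0/0", "target": igw_id}],
        "associations": [name for name, (_c, _az, public) in subnets.items() if public],
    }


if __name__ == "__main__":
    problems = plan_errors(VPC_CIDR, SAMPLE_SUBNETS)
    print("plan OK" if not problems else "\n".join(problems))
    print(public_route_table(SAMPLE_SUBNETS, IGW_ID))
```

Run it against a layout before building: a subnet outside the VPC range, an overlapping pair, or two public subnets that happen to share an AZ are all reported, and the returned route table is exactly the 0.0.0.0/0 to Internet Gateway entry plus the public subnet associations the steps above create by hand.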

Now that I’ve covered that off, let’s rule out the incorrect answers.

“Answer E” does not meet any of the requirements. The purpose of a NAT Instance (or better still a NAT Gateway) is to give resources within your VPC outbound Internet access for things like patch updates; it does not make the web servers reachable from the Internet, and a single NAT Instance is itself a single point of failure.

“Answer D” recommends using CloudFront, configuring the distribution’s Origin to the Web Server and then using a Route 53 ‘CNAME’ for the CloudFront Distribution. Whilst CloudFront in its own right is highly available and accessible from the Internet, this would work better if the Origin for the CloudFront Distribution pointed to an Elastic Load Balancer rather than to the Web Server itself. Because the Origin would be a single Web Server, if that Server went offline for a period of time the Web Site could become unavailable, assuming either that the content wasn’t in the CloudFront Cache at the Edge location or that the TTL for the Object within the cache had expired. (A CloudFront custom origin also has to be publicly reachable, so pointing it at a private IP address would not work at all.) For these reasons the answer is incorrect.

“Answer A”, whilst it recommends using an Elastic Load Balancer and configuring a Route 53 ‘A’ Record, suggests assigning an Elastic IP to the Elastic Load Balancer, which you can’t do (an ELB’s addresses can change over time, which is why DNS should point at its DNS name rather than at an IP); hence this is incorrect.

“Answer C” is correct for the reason “Answer A” wasn’t: it places an Elastic Load Balancer in front of the Web Servers, making them highly available, and it configures a Route 53 ‘CNAME’ Record to point to the ELB’s DNS Name.

“Answer B” is correct, and not just because it’s the only option left (even though it is). It is another viable option without an ELB: allocating an Elastic IP to each Web Server makes them publicly accessible from the Internet, and it meets the other objective in the question, high availability, by using Route 53 with a combination of health checks and DNS failover.
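To make the two correct answers concrete, the script below is an added example and not code from the original post. It builds the record sets in the shape that boto3’s `route53.change_resource_record_sets()` and `create_health_check()` accept: a CNAME to the ELB’s DNS name for Answer C, and for Answer B one HTTP health check per web server Elastic IP plus PRIMARY/SECONDARY failover A records, with a small model of which address Route 53 answers with as the health checks fail. The hostnames, ELB DNS name, Elastic IPs (from the TEST-NET-3 documentation range) and health check ids are constructed sample values; real health check ids come back from `create_health_check()`.

```python
"""Route 53 record sets for Answers B and C (added example, not from the post).

All hostnames, addresses and ids are constructed sample values.
"""
from typing import Dict, List

WEB_NAME = "www.example.com."                                 # constructed
ELB_DNS = "web-elb-123456789.us-east-1.elb.amazonaws.com"    # constructed
WEB_EIPS = {"web-a": "203.0.113.10", "web-b": "203.0.113.20"}  # constructed (TEST-NET-3)
HEALTH_CHECK_IDS = {"web-a": "HC-ID-WEB-A-PLACEHOLDER",        # placeholders: real ids are
                    "web-b": "HC-ID-WEB-B-PLACEHOLDER"}        # returned by create_health_check()


def elb_cname_change(name: str, elb_dns: str, ttl: int = 60) -> dict:
    """Answer C: a CNAME that follows the ELB wherever its addresses move."""
    return {
        "Action": "UPSERT",
        "ResourceRecordSet": {
            "Name": name,
            "Type": "CNAME",
            "TTL": ttl,
            "ResourceRecords": [{"Value": elb_dns}],
        },
    }


def health_check_config(ip: str, port: int = 80, path: str = "/") -> dict:
    """HealthCheckConfig for route53.create_health_check(): probe one EIP over HTTP."""
    return {
        "IPAddress": ip,
        "Port": port,
        "Type": "HTTP",
        "ResourcePath": path,
        "RequestInterval": 30,   # seconds between probes from each checker
        "FailureThreshold": 3,   # consecutive failures before the check is unhealthy
    }


def failover_changes(name: str, primary: str, secondary: str,
                     eips: Dict[str, str], hc_ids: Dict[str, str],
                     ttl: int = 60) -> List[dict]:
    """Answer B: PRIMARY/SECONDARY A records, each tied to its server's health check."""
    changes = []
    for role, server in (("PRIMARY", primary), ("SECONDARY", secondary)):
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": name,
                "Type": "A",
                "SetIdentifier": server,
                "Failover": role,
                "TTL": ttl,
                "ResourceRecords": [{"Value": eips[server]}],
                "HealthCheckId": hc_ids[server],
            },
        })
    return changes


def change_batch(changes: List[dict], comment: str) -> dict:
    """The ChangeBatch argument to change_resource_record_sets()."""
    return {"Comment": comment, "Changes": changes}


def failover_answer(changes: List[dict], healthy: Dict[str, bool]) -> str:
    """Model of failover resolution: PRIMARY while its check passes, otherwise a
    healthy SECONDARY; if neither check passes Route 53 answers as though all
    records were healthy, i.e. with PRIMARY. `healthy` is keyed by health check id."""
    by_role = {c["ResourceRecordSet"]["Failover"]: c["ResourceRecordSet"] for c in changes}
    for role in ("PRIMARY", "SECONDARY"):
        rrset = by_role[role]
        if healthy.get(rrset["HealthCheckId"], False):
            return rrset["ResourceRecords"][0]["Value"]
    return by_role["PRIMARY"]["ResourceRecords"][0]["Value"]


if __name__ == "__main__":
    print(change_batch([elb_cname_change(WEB_NAME, ELB_DNS)], "Answer C: CNAME to ELB"))
    for server, ip in WEB_EIPS.items():
        print(server, health_check_config(ip))
    fo = failover_changes(WEB_NAME, "web-a", "web-b", WEB_EIPS, HEALTH_CHECK_IDS)
    print(change_batch(fo, "Answer B: EIPs with health checks and failover"))
    status = {HEALTH_CHECK_IDS["web-a"]: False, HEALTH_CHECK_IDS["web-b"]: True}
    print("web-a failing, DNS answers:", failover_answer(fo, status))
```

Two caveats a practitioner would want: a CNAME cannot be used at a zone apex (example.com rather than www.example.com), so for an apex name Route 53 Alias records pointing at the ELB are the way to get the same effect; and failover routing allows exactly one PRIMARY and one SECONDARY record set per name and type, so with more than two web servers you would use multivalue answer or weighted records with a health check on each.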

For further reading I’d suggest reading the following:

That’s all for now.
