Amazon Web Services (AWS) - Set #15

Powered by Techhyme.com

You have a total of 130 minutes to finish the practice test of AWS Certified SysOps Administrator to test your knowledge.


1. An EC2 instance in a private subnet needs to download security updates from the Internet. Which of the following resources can be used to achieve this? (Choose two.)
  • A. NAT gateway
  • B. NAT instance
  • C. VPC peering
  • D. VPC endpoint
Answer - A, B
Explanation - A NAT instance or NAT gateway can be used to allow an instance in a private subnet access to the Internet. A VPC peering connection or VPC endpoint can’t achieve this.
2. You have several EC2 instances in a public subnet. All instances were launched using the same AMI. When you’re trying to download operating system security updates for one of the instances, the download fails. Downloading the updates on the other instances works fine. Which of the following might resolve the issue?
  • A. Add a default route to the subnet’s route table.
  • B. Create a NAT gateway.
  • C. Assign an elastic IP address to the instance.
  • D. Create an internet gateway.
Answer - C
Explanation - The instance not having a public IP address would prevent it from downloading updates, so assigning an elastic IP could fix the issue. The fact that the instance is in a public subnet indicates that an internet gateway and default route are already in place. There’s no need for a NAT gateway because the instance is in a public subnet.
3. Which of the following VPC resources allows outbound-only access to IPv6 resources on the Internet?
  • A. Internet gateway
  • B. Egress-only Internet gateway
  • C. NAT gateway
  • D. NAT instance
Answer - B
Explanation - The egress-only Internet gateway allows outbound-only IPv6 access. An Internet gateway allows both outbound and inbound IPv4 and IPv6 access. NAT gateways and NAT instances don’t allow IPv6 at all.
4. Which of the following Route 53 routing policies will ensure that all users near Ohio will always get routed to the us-east-2 (Ohio) AWS region?
  • A. Geolocation
  • B. Geoproximity
  • C. Latency
  • D. Region
Answer - B
Explanation - The geoproximity routing policy can route users to a resource based on their distance from a geographic location. A geolocation routing policy routes users according to the specific geographic region they’re in. A latency record routes users to the region with the lowest latency, but this may not necessarily be the closest to them. There’s no such thing as a region routing policy.
5. You need to deploy a highly available web application across two AWS regions. Connections to the web application should be evenly distributed across all EC2 instances. Which of the following should you do to achieve this? (Choose two.)
  • A. Launch an Auto Scaling group in each region and use the same group size for each.
  • B. Configure cross-region load balancing.
  • C. Configure a Route 53 weighted routing policy.
  • D. Deploy the application using Lambda.
Answer - A, C
Explanation - The best solution is to create an Auto Scaling group in each region, using the same group size to ensure an even number of instances. Next, configure an elastic load balancer in each region. Then configure a Route 53 weighted routing policy to evenly distribute requests to each load balancer. Using cross-region load balancing may not ensure high availability because the load balancer listener will exist in only one region. Lambda doesn’t use instances.
6. Which of the following Route 53 features ensures users get routed to the region with the best network performance?
  • A. Geoproximity routing policy
  • B. Latency routing policy
  • C. Weighted routing policy
  • D. Failover routing policy
Answer - B
Explanation - The latency routing policy routes users to the AWS region with the best network performance. Geoproximity considers the user’s location but not network performance. Failover routing considers whether a resource is healthy but doesn’t consider network performance. A weighted routing policy attempts to distribute users to resources according to a configured ratio, such as 50% to one elastic load balancer and 50% to another.
7. You’re running a web service on an EC2 instance. You want Route 53 to return the public IP address of the instance even if the web service on the instance is unhealthy. How can you achieve this? (Choose two.)
  • A. Create a simple basic resource record.
  • B. Create a simple alias resource record.
  • C. Create a simple basic resource record that uses a health check.
  • D. Create a multivalue answer resource record.
Answer - A, D
Explanation - A simple basic resource record or a multivalue answer resource record without a health check will always return the public IP address of the instance. A simple alias resource record can’t point directly to an instance. A simple resource record doesn’t use health checks.
8. You’ve launched a NAT instance with a public IP address in a public subnet. In the same VPC, you created a private subnet and modified its default route table to include a default route that points to the NAT instance as a target. However, instances in the private subnet are unable to access the Internet. All security groups and NACLs are configured correctly. Which of the following should you try to fix the problem with the least effort?
  • A. Modify the default route to point to the NAT instance’s private IP address as a destination.
  • B. Disable the source/destination check on the NAT instance.
  • C. Configure a NAT gateway instead.
  • D. Assign an elastic IP address to the NAT instance.
Answer - B
Explanation - The source/destination check must be disabled on the NAT instance. Configuring a NAT gateway could resolve the problem but would require more effort. A NAT instance needs a public IP address but doesn’t require an elastic IP address. The default route in the private subnet is configured correctly.
9. Which of the following IPv4 prefix lengths is allowed for a VPC CIDR block?
  • A. /8
  • B. /15
  • C. /28
  • D. /29
Answer - C
Explanation - A CIDR block can have a prefix length between /16 and /28 inclusive.
10. Which of the following is a valid IPv6 CIDR block for a VPC?
  • A. 2600:1f18:2551:8900/32
  • B. 2600:1f18:2551:8900/48
  • C. 2600:1f18:2551:8900/56
  • D. 2600:1f18:2551:8900/64
Answer - C
Explanation - AWS assigns IPv6 VPC CIDR blocks with a /56 prefix length.
11. You’re running a distributed application on EC2 instances in a VPC with a CIDR of 172.31.0.0/24. You’re running out of private IP addresses and need to allocate more for additional instances. The instances must be able to communicate with each other using their private addresses. How can you allocate more IP addresses with the least amount of effort?
  • A. Change the VPC CIDR to 172.31.0.0/16.
  • B. Add a secondary CIDR of 172.31.1.0/24.
  • C. Add a secondary CIDR of 172.31.0.0/16.
  • D. Create a new VPC.
Answer - B
Explanation - Adding a secondary VPC CIDR of 172.31.1.0/24 is the easiest option. You can’t add a secondary CIDR that overlaps with the existing CIDR as 172.31.0.0/16 does. You also can’t change the VPC CIDR. Creating a new VPC for the additional application instances is possible but would require more effort than just adding a secondary CIDR.
12. What is the limiting factor in the number of subnets you can have in a VPC?
  • A. The number of availability zones
  • B. The size of the VPC CIDR
  • C. The number of VPCs
  • D. The number of NACLs
Answer - B
Explanation - The number of subnets you can have in a VPC depends in part on the size of the VPC CIDR. A VPC CIDR and a subnet CIDR can be between /16 and /28 inclusive. The number of availability zones, the number of VPCs, and the number of NACLs aren’t limiting factors.
13. You plan to run a fleet of EC2 instances in a VPC. You need to achieve the highest level of availability and the most efficient use of IP address space. Which of the following should you do?
  • A. Create one subnet that spans three availability zones.
  • B. Create three subnets, each in a different availability zone.
  • C. Create three subnets in the same availability zone.
  • D. Create two subnets in one availability zone and one subnet in a different availability zone.
Answer - B
Explanation - Creating three subnets, each in a different availability zone, will maximize IP address space utilization and achieve the highest level of reliability. A subnet can’t span multiple availability zones. Creating three subnets in one availability zone would not provide high availability. Creating two subnets in one availability zone and one subnet in a different availability zone would provide a highly available configuration but would not be the most efficient use of IP address space.
14. Your organization is running servers on-premises using the IP address range 192.168.10.0/24. The servers have Internet access. Your organization is merging with another company that runs EC2 instances in a public subnet that uses the same IP address range. Which of the following will, with the least effort, enable the on-premises servers to communicate with the EC2 instances using standard HTTPS communication? (Choose two.)
  • A. Implement a VPN.
  • B. Assign a public or elastic IP address to each instance.
  • C. Implement one-to-one NAT.
  • D. Create a security group rule to allow inbound access on TCP port 443 from the on-premises servers.
Answer - B, D
Explanation - Simply giving the instances a public IP address and permitting inbound HTTPS access is sufficient and requires minimal effort. Using a VPN is a possibility but would require implementing NAT to overcome the IP addressing conflicts and would entail a lot more effort.
15. Which of the following is true of an elastic network interface (ENI)?
  • A. It must have only one primary private IP address.
  • B. It can be associated with only one elastic IP address.
  • C. It can have multiple private IP addresses from different subnets.
  • D. It must be attached to an instance.
Answer - A
Explanation - An elastic network interface must have only one primary private IP address. It can have a secondary private IP address, but it must be from the same subnet as the primary. An ENI can be associated with multiple elastic IP addresses. It doesn’t have to be attached to an instance but can be created separately.
16. Which of the following prevents EC2 from automatically assigning a public IP address to an instance? (Choose two.)
  • A. Assigning an elastic IP address to the instance and then unassigning it
  • B. Assigning a secondary elastic network interface
  • C. Launching the instance in a private subnet
  • D. Removing the primary elastic network interface from the instance
Answer - B, C
Explanation - Assigning a secondary elastic network interface or launching the instance in a private subnet both prevent EC2 from automatically assigning a public IP address to the instance. Assigning an elastic IP address to the instance and then unassigning it will result in the instance receiving a new public IP address. It’s not possible to remove the primary elastic network interface from an instance.
17. You have some EC2 instances that access Internet resources over TCP port 443. The instances are able to access some of these resources but not others. You check the route table associated with the instances’ subnets and see only the local route and a route with a destination of 0.0.0.0/0. Which of the following may resolve the problem? (Choose two.)
  • A. Disable IPv6 in the VPC.
  • B. Associate an egress-only Internet gateway with the VPC.
  • C. Add an IPv6 default route.
  • D. Associate an Internet gateway with the VPC.
Answer - A, C
Explanation - The symptoms raise the possibility that the instances are configured with IPv6 addresses but can’t reach the IPv6 Internet due to a missing IPv6 default route. Creating the route may resolve the problem. Alternatively, disabling IPv6 in the VPC would also resolve the problem, as the instances would no longer attempt to communicate using IPv6. Because the instances can reach other (ostensibly IPv4) resources, an Internet gateway must already be present. An egress-only Internet gateway isn’t necessary because an Internet gateway can pass both IPv4 and IPv6 traffic.
18. In a VPC, which of the following is most analogous to connecting a router to a traditional network?
  • A. Attaching an elastic network interface to an instance
  • B. Associating a route table with a subnet
  • C. Creating a default route
  • D. Associating an elastic IP address with an instance
Answer - B
Explanation - A route table performs the same function as a router in a traditional network. Associating a route table with a subnet is like connecting a router to a traditional network. In a traditional network, creating a default route is done on a router after the router’s been connected to the network.
19. Your organization has proposed migrating an on-premises application to EC2. The application requires multicast and the servers it runs on must retain the same RFC 1918 IP addresses. Which of the following recommendations should you make regarding this proposed migration?
  • A. The migration is feasible as proposed.
  • B. The migration is feasible provided the subnet is between /16 and /28.
  • C. The migration may not be possible because VPCs don’t support RFC 1918 addresses.
  • D. The migration isn’t possible because VPCs don’t support multicast.
Answer - D
Explanation - VPCs don’t support multicast traffic, so the migration isn’t possible. VPCs do support RFC 1918 addresses.
20. You have two instances in different VPCs, instance A and instance B. Both instances have a public IP address. Each VPC contains only one subnet. VPC peering is not configured and there’s no VPN. Instance A sends a packet to instance B. What does instance B see as the source IP address?
  • A. Instance A’s public IP address
  • B. Instance A’s private IP address
  • C. The Internet gateway’s public address
  • D. The NAT gateway’s public IP address
Answer - A
Explanation - The traffic between the VPCs must traverse the Internet, and so instance B will see instance A’s public IP address as the source. If VPC peering or a VPN were being used, instance B would see the private IP address. An Internet gateway doesn’t have a public IP address but enables an instance to obtain one. Even if a NAT gateway were present in instance A’s VPC, instance A would still go directly through the Internet gateway rather than use the NAT gateway.
21. Which of the following are true of NACLs and security groups? (Choose two.)
  • A. Security groups apply to a subnet.
  • B. NACLs apply to a subnet.
  • C. NACLs apply to an instance.
  • D. Security groups apply to an elastic network interface.
Answer - B, D
Explanation - NACLs apply to a subnet, while security groups apply to an elastic network interface.
22. Which of the following describes an elastic VPC resource that hides the public source IP address of an instance from hosts on the Internet?
  • A. NAT gateway
  • B. NAT instance
  • C. Internet gateway
  • D. Virtual private gateway
Answer - A
Explanation - A NAT gateway is an elastic VPC resource that hides the public source IP address of an instance from hosts on the Internet. A NAT instance can also do this, but it’s not elastic; that is, it doesn’t scale automatically. An Internet gateway hides the private source address, not the public address. A virtual private gateway is used to establish a VPN connection and doesn’t perform NAT.
23. Which of the following is true regarding peering VPCs in the same region?
  • A. The same two VPCs can have multiple peering connections with each other for redundancy.
  • B. It doesn’t support overlapping CIDR blocks.
  • C. It supports transitive peering.
  • D. It doesn’t support IPv6.
Answer - B
Explanation - VPCs with overlapping CIDR blocks can’t be peered. VPCs do support IPv6 and don’t support transitive peering. You can have only one peering connection between any two VPCs.
24. Which of the following is a limitation of inter-region VPC peering?
  • A. Both VPC CIDRs must reside in the same RFC 1918 address range.
  • B. DNS resolution doesn’t work.
  • C. An MTU of less than 1500 isn’t supported.
  • D. IPv6 isn’t supported.
Answer - D
Explanation - IPv6 isn’t supported for inter-region VPC peering. DNS resolution works, and the VPCs don’t need to have RFC 1918 CIDRs. An MTU of 1500 or less is supported.
25. You’ve created a peering connection between two VPCs in the same region. Which of the following do you need to do to enable bidirectional IP communication between the instances in these VPCs?
  • A. Create the appropriate routes with the VPC peering connection as the target.
  • B. Configure NAT.
  • C. Assign public IP addresses to the instances.
  • D. Enable DNS resolution.
Answer - A
Explanation - You must add routes to the appropriate route table in each VPC, specifying the VPC peering connection as the target. There’s no need to configure NAT, assign public IP addresses to instances, or enable DNS resolution.
26. Which of the following can change the public IP address of an EC2 instance?
  • A. Removing the primary elastic network interface
  • B. Removing the default route from the route table
  • C. Rebooting the instance
  • D. Changing the instance type
Answer - D
Explanation - Changing the instance type requires stopping the instance, thus releasing its public IP address. Rebooting the instance or removing the default route won’t change the public IP address. It’s not possible to remove the primary elastic network interface from an instance.
27. You’re running an EC2 instance in a private subnet. The instance needs to resolve a resource record for a public domain that you have registered with a third-party domain name registrar. Which of the following will achieve this?
  • A. Enable DNS hostnames in the VPC.
  • B. Enable DNS support in the VPC.
  • C. Transfer the domain name to Route 53.
  • D. Assign an elastic IP address to the instance.
Answer - B
Explanation - Enabling DNS support in the VPC is sufficient to enable DNS resolution. Enabling DNS hostnames will only assign public DNS hostnames to instances with public IP addresses. There’s no need to transfer the domain name to Route 53. It’s not possible to assign an elastic IP address to an instance since it’s in a private subnet.
28. Which of the following speeds up transfers between S3 buckets and hosts on the Internet?
  • A. CloudFront distribution
  • B. S3 transfer acceleration
  • C. Elastic load balancing
  • D. S3 cross-region replication
Answer - B
Explanation - S3 transfer acceleration uses edge locations to speed up transfers between S3 and the Internet. CloudFront distributions deliver content to end users from edge locations. S3 cross-region replication transfers objects between S3 buckets, not between S3 buckets and the Internet. Elastic load balancing has nothing to do with S3.
29. Which of the following VPC resources will incur costs only if not associated with an instance?
  • A. Elastic IP address
  • B. Elastic network interface
  • C. NAT gateway
  • D. Elastic load balancer
Answer - A
Explanation - An elastic IP address will incur costs only if it’s not associated with an instance. NAT gateways and elastic load balancers incur costs regardless. Elastic network interfaces are free.
30. You need to run a Lambda application that must communicate with EC2 instances in a private subnet. Which of the following features will enable this communication?
  • A. Gateway VPC endpoint
  • B. Interface VPC endpoint
  • C. API gateway
  • D. VPC peering
Answer - B
Explanation - You can connect Lambda functions to EC2 instances using an interface VPC endpoint. Lambda doesn’t offer a gateway VPC endpoint. The API gateway service is for creating your own APIs. VPC peering is for peering two VPCs that you control. Lambda functions execute in a VPC controlled by Amazon.
31. Which of the following is true of an interface VPC endpoint? (Choose two.)
  • A. It supports TCP traffic.
  • B. It supports IPv6 traffic.
  • C. It supports UDP traffic.
  • D. It exists in only one availability zone.
Answer - A, D
Explanation - An interface endpoint exists in only one availability zone and supports only IPv4 TCP traffic. It doesn’t support IPv6 or UDP.
32. You’ve configured a VPC gateway endpoint for S3. Which of the following will allow you to restrict which EC2 instances can access S3 via the endpoint?
  • A. Create a NACL rule and specify the S3 prefix list ID.
  • B. Create a security group rule and specify the S3 prefix list ID.
  • C. Use S3 bucket policies.
  • D. Modify the instance role’s permission policy.
Answer - B
Explanation - You can restrict access to a gateway endpoint using security groups and the S3 prefix list ID. You can’t use a prefix list with a NACL. S3 bucket policies and IAM permissions policies will restrict access to S3 across the board, not just via the endpoint.
33. Which of the following must you do to use IPv6 in a new VPC?
  • A. Configure an egress-only Internet gateway.
  • B. Assign a link-local IPv6 address to the VPC.
  • C. Enable DNS hostnames.
  • D. Configure an IPv4 CIDR.
Answer - D
Explanation - An IPv4 CIDR is always required in a VPC, even if you plan to use only IPv6. Enabling DNS hostnames or configuring an egress-only Internet gateway isn’t required to use IPv6. You can’t assign a link-local IPv6 address to a VPC. AWS automatically assigns a global unicast IPv6 address upon your request.
34. Which VPC component controls traffic direction within a VPC?
  • A. Internet gateway
  • B. Security group
  • C. Route table
  • D. NACL
Answer - C
Explanation - A route table contains routes that determine how network traffic is directed. Security groups and NACLs control whether traffic is allowed or blocked but don’t affect the direction of traffic. An Internet gateway enables Internet access for a VPC.
35. You need to create a subnet that will hold only 10 EC2 instances, each with a single elastic network interface. What’s the smallest prefix length you can use?
  • A. /8
  • B. /16
  • C. /28
  • D. /29
Answer - C
Explanation - A /28 will give you 16 possible IP addresses, 5 of which AWS reserves, leaving you with 11 usable IP addresses.
36. How many IP addresses does AWS reserve in each VPC subnet?
  • A. One
  • B. Two
  • C. Four
  • D. Five
Answer - D
Explanation - AWS reserves five IP addresses in each subnet: the first four and the last.
37. You’ve created the VPC subnet 10.0.0.0/24. Which of the following addresses is not available for assignment to an EC2 instance?
  • A. 10.0.0.4
  • B. 10.0.0.254
  • C. 10.0.0.255
  • D. 10.0.0.5
Answer - C
Explanation - Reserved addresses include 10.0.0.0–10.0.0.3 and 10.0.0.255. You can use the rest.
38. You’ve launched a Windows EC2 instance and configured its security group and the subnet’s NACL to permit access from all other hosts in the subnet to the Remote Desktop Protocol (RDP) on TCP port 3389. However, when you’re attempting to RDP to the server from a Linux host in the same subnet, the connection fails. You are able to RDP from the same host to other Windows servers. Which of the following could be the reason for the failure?
  • A. RDP uses TCP port 2598.
  • B. Linux hosts can’t use RDP.
  • C. The Windows firewall is blocking access on TCP port 3389.
  • D. RDP uses UDP, not TCP.
Answer - C
Explanation - RDP uses TCP port 3389, which is permitted by the security group and NACL. The Linux host is able to RDP to other hosts. That leaves the Windows firewall as the only possible culprit.
39. You need to connect two VPCs to resources in a remote office via a site-to-site VPN. You need to ensure that resources in the VPCs can’t communicate with each other. Which of the following can help you achieve this?
  • A. VPC peering
  • B. Transit gateway
  • C. Virtual private gateway
  • D. VPC endpoint
Answer - B
Explanation - A transit gateway is an elastic resource that can be used to connect a VPC to customer gateways, other VPCs, and Direct Connect gateways. A transit gateway’s route table can be configured to control how traffic is allowed to flow. VPC peering only connects two VPCs. A virtual private gateway only provides a site-to-site VPN connection between a remote site and a single VPC; VPC endpoints provide a private (non-Internet) connection between a VPC and AWS services.
40. Which of the following is an advantage of using Direct Connect instead of a VPN connection?
  • A. Reduced cost
  • B. Data encryption
  • C. Higher bandwidth
  • D. Predictable latency
Answer - D
Explanation - A Direct Connect link to AWS provides consistent latency. It doesn’t necessarily provide higher bandwidth or reduced cost over an Internet VPN connection. Direct Connect doesn’t provide data encryption.
41. Servers in your datacenter are using a 10 Gbps Internet connection to connect to S3 using a public endpoint. Which of the following can improve the security of this configuration?
  • A. Use HTTPS to connect to the S3 endpoint.
  • B. Use Direct Connect.
  • C. Use a VPN connection.
  • D. Use a VPC endpoint.
Answer - B
Explanation - Direct Connect can improve the security of this configuration by bypassing the public Internet. All AWS services, including S3, use HTTPS for their public endpoints. A VPN connection can’t be configured between a remote site and S3. A VPC endpoint only connects a VPC to an AWS service via a private network, bypassing the Internet.
42. Before you can use Direct Connect to connect a VPC to your datacenter, which of the following should you do to ensure proper connectivity? (Choose two.)
  • A. Make sure the IP address ranges in the networks don’t overlap.
  • B. Use encryption.
  • C. Configure the appropriate IAM policies.
  • D. Configure routing.
Answer - A, D
Explanation - Whenever a VPC is connected to an external network, the IP address ranges mustn’t overlap. Also, routing must be configured so that resources in the datacenter and VPC can reach each other. Encryption is useful for securing data, but it isn’t required for proper connectivity. IAM policies are unrelated to network connectivity.
43. Which of the following are options for connecting a site to AWS using Direct Connect? (Choose two.)
  • A. Configure a VPN between the site and an AWS Direct Connect Location.
  • B. Complete a cross-connect between your equipment and AWS at a Direct Connect location.
  • C. Request that AWS install a Direct Connect connection at the site.
  • D. Use a hosted connection from an AWS Direct Connect Partner.
Answer - B, D
Explanation - Direct Connect is available in two ways: a dedicated connection between your equipment and AWS at a Direct Connect location or a hosted connection from an AWS Direct Connect Partner. AWS doesn’t install Direct Connect connections at customer sites. You can’t create a VPN connection to a Direct Connect location.
44. Applications running in your datacenter currently connect to AWS services using their public endpoints. You plan to use Direct Connect to access these services but don’t want to reconfigure the applications to use private AWS service endpoints. Which of the following types of virtual interfaces should you configure?
  • A. Private virtual interface
  • B. Public virtual interface
  • C. Transit virtual interface
  • D. Peer virtual interface
Answer - B
Explanation - A public virtual interface allows you to use public AWS endpoints over a Direct Connect connection. A private virtual interface is used for connecting to a VPC. A transit virtual interface is only for use with an Amazon VPC Transit Gateway. There’s no such thing as a peer virtual interface.
45. Which of the following BGP configuration tasks is required to use a Direct Connect public virtual interface?
  • A. Advertise at least one public IP prefix.
  • B. Advertise at least one private IP prefix.
  • C. Specify a public autonomous system number (ASN).
  • D. Enable jumbo frames.
Answer - A
Explanation - You must advertise at least one public IP prefix to use a public virtual interface. A public ASN isn’t required. You can use a public ASN if you have one; otherwise, you can use a private ASN between 64512 and 65534. Jumbo frames aren’t supported on public virtual interfaces, and even if they were, enabling jumbo frames wouldn’t be required.
46. You need a Direct Connect connection that supports up to 75 Mbps. Which of the following options is the most cost-effective?
  • A. A hosted connection with a 50 Mbps port
  • B. A hosted connection with an 80 Mbps port
  • C. A hosted connection with a 100 Mbps port
  • D. A dedicated connection with a 1 Gbps port
Answer - C
Explanation - A hosted connection with a 100 Mbps port costs about $0.06 per port-hour. A 50 Mbps hosted connection isn’t big enough, and there isn’t an 80 Mbps hosted connection. A dedicated connection always costs more than a hosted connection.
47. You’re using almost the full bandwidth of your 1 Gbps hosted Direct Connect connection. Which of the following can you do to approximately double your Direct Connect bandwidth to AWS? (Choose two.)
  • A. Upgrade the 1 Gbps connection to 2 Gbps.
  • B. Create a new connection using a 2 Gbps connection and remove the 1 Gbps connection.
  • C. Create a new connection using a 1 Gbps connection and add both connections to a link aggregation group (LAG).
  • D. Create two new 50 Mbps connections and add them to a link aggregation group (LAG) along with the existing 1 Gbps connection.
Answer - B, C
Explanation - To increase your bandwidth, you have two options. You can create a new 2 Gbps connection and remove the 1 Gbps connection. Or you can create a new 1 Gbps connection and combine it with the existing 1 Gbps connection in a link aggregation group (LAG) to achieve a combined bandwidth of 2 Gbps. All connections in a LAG must have the same bandwidth. You can’t upgrade a connection’s bandwidth.
48. What’s the default maximum transmission unit (MTU) of a Direct Connect virtual interface?
  • A. 1500 bytes
  • B. 8500 bytes
  • C. 9000 bytes
  • D. 1472 bytes
Answer - A
Explanation - The default MTU is 1500 bytes.
49. How many VPN connections can you create to a single VPC?
  • A. 1
  • B. 5
  • C. 10
  • D. 25
Answer - C
Explanation - You can have up to 10 VPN connections to a VPC.
50. Which of the following is true regarding an IPv6 BGP peering session over a Direct Connect virtual interface?
  • A. You can specify your own IPv6 peer addresses.
  • B. AWS assigns a /125 IPv6 CIDR to use.
  • C. Direct Connect doesn’t support IPv6 BGP peering.
  • D. An IPv4 BGP peering session can’t be used alongside an IPv6 BGP peering session.
Answer - B
Explanation - AWS assigns you a /125 IPv6 CIDR that you and AWS must use to set up an IPv6 BGP peering session. You may not specify your own IPv6 addresses. You may also have a simultaneous IPv4 BGP peering session.