Amazon Web Services (AWS) - Set #16

Powered by Techhyme.com

You have a total of 130 minutes to finish this AWS Certified SysOps Administrator practice test and check your knowledge.


1. How can you decrease the network overhead of a Direct Connect connection?
  • A. Create a link aggregation group (LAG).
  • B. Use jumbo frames on the virtual interfaces.
  • C. Encrypt all data traversing the connection.
  • D. Use a VPN tunnel.
Answer - B
Explanation - Using jumbo frames can decrease network overhead by allowing more data to be sent across the connection in a single frame. The other options don’t decrease network overhead.
2. How many routes are you allowed to advertise in a BGP session over a Direct Connect connection over a private virtual interface?
  • A. 50
  • B. 100
  • C. 500
  • D. 1000
Answer - B
Explanation - You can advertise up to 100 routes over each BGP session over a private virtual interface.
3. What happens if you advertise more than 100 routes over a BGP session over a Direct Connect private virtual interface?
  • A. The oldest routes will be discarded to bring the total number of routes to 100 or fewer.
  • B. Additional routes over the first 100 won’t be installed in the route table.
  • C. The Direct Connect link will go down.
  • D. The session will go down.
Answer - A
Explanation - If you advertise more than 100 routes over a private virtual interface, the BGP session will go down. The Direct Connect link will not go down.
4. You’re unable to create a BGP session over a Direct Connect connection. Which of the following could be the reason?
  • A. BGP MD5 authentication mismatch
  • B. Missing community tags
  • C. Your router doesn’t support multiprotocol BGP (MP-BGP).
  • D. UDP port 179 is blocked.
Answer - A
Explanation - BGP MD5 authentication settings must match both on the Direct Connect side and on your router. You don’t need to apply community tags to BGP prefixes. Direct Connect doesn’t support MP-BGP. BGP uses TCP port 179, not UDP port 179.
5. How many prefixes are you allowed to advertise over a BGP session over a Direct Connect public virtual interface?
  • A. 100
  • B. 200
  • C. 1000
  • D. 2000
Answer - C
Explanation - You can advertise up to 1000 prefixes over a public virtual interface.
6. Which of the following can cause a BGP session to fail over a Direct Connect link?
  • A. Not having any prefixes to advertise
  • B. Incorrect autonomous system (AS) number
  • C. Blocking TCP port 197
  • D. Using the NO_EXPORT BGP community
Answer - B
Explanation - Specifying the peer AS number or your own AS number incorrectly can cause a session to fail. Having prefixes to advertise isn’t a prerequisite for establishing a BGP session. BGP uses TCP port 179, not 197. Direct Connect supports the NO_EXPORT BGP community, and even if it didn’t, that wouldn’t stop the session from establishing.
7. From your datacenter, you have a Direct Connect connection to a VPC with six subnets. There are running EC2 instances in each subnet. AWS is advertising prefixes for all six subnets via BGP. You want to prevent only one of these prefixes from being installed in your datacenter router and without impacting existing EC2 instances. How can you accomplish this with the least effort?
  • A. Remove the prefix from the VPC route table.
  • B. Request AWS not advertise the prefix.
  • C. Block the prefixes on your datacenter router.
  • D. Delete the subnet.
Answer - C
Explanation - Your only option is to block the prefixes on your router. AWS can’t suppress specific prefixes for a private virtual interface. Deleting the subnet isn’t an option because it would require deleting the instances in that subnet. You also can’t remove the prefix from the VPC route table without deleting the subnet.
8. You have a branch office connected to a VPC via a VPN. You also have a datacenter connected to the same VPC via Direct Connect. You need to pass traffic between the branch office and the datacenter. How can you do this with the least effort?
  • A. Create a VPN connection between the branch office and datacenter.
  • B. Configure VPN CloudHub to use the VPC for transit.
  • C. Add a Direct Connect connection to the branch office.
  • D. Add a private line between the datacenter and branch office.
Answer - B
Explanation - VPN CloudHub allows you to use a VPC for transit between two connected sites. The other options are feasible but require substantially more effort.
9. You have a VPN connection and a Direct Connect connection between your datacenter and a VPC. BGP sessions on both connections have the exact same prefixes. Which connection will be preferred?
  • A. Direct Connect
  • B. VPN
  • C. The connection advertising the prefix with the shortest AS PATH length
  • D. The oldest connection
Answer - A
Explanation - Direct Connect will always be preferred, regardless of AS PATH length.
10. In your datacenter you have 200 prefixes that need to be reachable from a VPC via a Direct Connect virtual interface. How can you ensure all prefixes are reachable? (Choose two.)
  • A. Advertise the default route.
  • B. Use multiple BGP sessions to advertise all the prefixes.
  • C. Summarize the prefixes into 100 or fewer prefixes.
  • D. Advertise all 200 prefixes over a single BGP session.
Answer - A, C
Explanation - Summarizing the prefixes into fewer than 100 or advertising the default route are both feasible options. You can’t advertise more than 100 prefixes per BGP session. You can establish only one BGP session per virtual interface.
11. Which of the following CIDR blocks can you use to establish a BGP session over a site-to-site VPN tunnel?
  • A. 169.254.0.0/30
  • B. 169.0.0.0/16
  • C. 10.0.0.0/30
  • D. 10.0.0.0/16
Answer - A
Explanation - You can choose a /30 CIDR block anywhere in the 169.254.0.0/16 (link-local) range, so 169.254.0.0/30 would be a valid choice. 169.0.0.0/16 isn’t a /30. 10.0.0.0/30 and 10.0.0.0/16 don’t fall within the 169.254.0.0/16 range and aren’t allowed.
12. What are two differences between CloudHub and Direct Connect Gateway? (Choose two.)
  • A. CloudHub connects on-premises networks and VPCs in any region.
  • B. CloudHub connects on-premises networks and VPCs in only one region.
  • C. Direct Connect Gateway connects on-premises networks and VPCs in any region.
  • D. Direct Connect Gateway connects on-premises networks and VPCs in only one region.
Answer - B, C
Explanation - CloudHub connects on-premises networks (via a VPN or Direct Connect link) and VPCs in only one region. Direct Connect Gateway connects on-premises networks and VPCs in any region.
13. Which of the following BGP communities propagates public prefixes to all AWS regions?
  • A. 7224:9100
  • B. 7224:9200
  • C. 7224:9300
  • D. 7224:8100
Answer - C
Explanation - The community 7224:9300 propagates routes to all AWS regions. 7224:9100 propagates routes only to the connected AWS region. 7224:9200 propagates routes to all AWS regions in the same continent. 7224:8100 is a community that AWS applies to outbound routes that originate in the connected AWS region.
14. You’re advertising the same prefix over two separate Direct Connect links. One prefix is advertised from your datacenter, and the other is advertised from your headquarters office. How can you ensure the datacenter route will take precedence for return traffic?
  • A. Apply the community tag 7224:7100 to the prefix from the datacenter.
  • B. Apply the community tag 7224:7300 to the prefix from the datacenter.
  • C. Apply the community tag 7224:7300 to the prefix from the headquarters office.
  • D. Use AS PATH prepending on the prefix from the datacenter.
Answer - B
Explanation - Applying the 7224:7300 community gives it a higher local preference on the AWS side. Applying the 7224:7100 community gives it a lower precedence. Using AS PATH prepending on the prefix from the datacenter would make it less preferred.
15. You have two Direct Connect connections at your datacenter and want to load balance incoming traffic for all prefixes. Which of the following BGP attributes must be identical on all prefixes you advertise?
  • A. Community tags
  • B. Multi-exit discriminator (MED)
  • C. Local preference
  • D. Router ID
Answer - A
Explanation - The community tags must be the same on prefixes to load balance them across different connections. Local preference and router ID don’t have to be the same.
16. Which of the following is true regarding using a private AS number (ASN) on a Direct Connect public virtual interface?
  • A. You must own the ASN.
  • B. The ASN must be greater than 65535.
  • C. It’s not allowed; you must use a public ASN.
  • D. AS path prepending won’t work.
Answer - D
Explanation - You can use a private ASN on a public virtual interface, but AS path prepending won’t work. Private ASNs are between 64512 and 65534. You can’t own a private ASN.
17. What are valid values for a VLAN? (Choose two.)
  • A. 4000
  • B. 6000
  • C. 12000
  • D. 1
Answer - A, D
Explanation - Valid VLAN ranges are 1 through 4094.
18. You have an IPv4 BGP session established over a Direct Connect virtual interface. How can you advertise IPv6 prefixes over this connection with the least effort?
  • A. Establish a second IPv4 BGP session.
  • B. Establish an IPv6 BGP session.
  • C. Advertise the IPv6 prefixes over the IPv4 BGP session.
  • D. Create an IPv6 VPN tunnel over the Direct Connect link.
Answer - B
Explanation - The easiest way to advertise IPv6 prefixes is to establish an IPv6 BGP session. You can’t establish more than one IPv4 BGP session per virtual interface. You can’t advertise IPv6 prefixes over an IPv4 BGP session. Creating an IPv6 VPN tunnel is an option, but not the one that requires the least effort.
19. Which of the following is required to associate a transit gateway with a Direct Connect gateway?
  • A. The ASNs of the transit gateway and the Direct Connect gateway must be different.
  • B. The transit gateway and the Direct Connect gateway must be in the same VLAN.
  • C. The ASNs of the transit gateway and the Direct Connect gateway must be the same.
  • D. The transit gateway and the Direct Connect gateway must be in the same AWS account.
Answer - A
Explanation - The ASNs of the transit gateway and Direct Connect gateway must be different. The association between the two doesn’t use VLANs. The gateways don’t have to be in the same account.
20. Which of the following CloudWatch metrics indicates the status of the egress fiber from the AWS side of a 10 Gbps Direct Connect connection?
  • A. ConnectionState
  • B. ConnectionLightLevelRx
  • C. ConnectionLightLevelTx
  • D. ConnectionPpsEgress
Answer - C
Explanation - The ConnectionLightLevelTx metric indicates the health of the egress fiber from the AWS side. ConnectionLightLevelRx indicates the health of the ingress fiber from the AWS side. Both metrics are available only with 10 Gbps port speeds.
21. How many transit virtual interfaces can you create on a Direct Connect link aggregation group (LAG) composed of two 10 Gbps links?
  • A. None
  • B. One
  • C. Two
  • D. Four
Answer - B
Explanation - You can create one transit virtual interface per LAG.
22. What’s the maximum number of Direct Connect dedicated connections you can have per link aggregation group?
  • A. 2
  • B. 4
  • C. 8
  • D. 16
Answer - B
Explanation - You can have up to 4 connections per LAG.
23. You launch an instance into a subnet that has an IPv6 CIDR assigned. The application running on the instance requires a routable IPv6 address. The instance has one elastic network interface and doesn’t have an IPv6 address assigned. What should you do to enable IPv6 connectivity for the application with the least effort?
  • A. Assign a link-local IPv6 address to the instance.
  • B. Attach an additional network interface to the instance and assign it a global unicast IPv6 address.
  • C. Terminate the instance and launch a new one.
  • D. Assign a global unicast IPv6 address to the instance.
Answer - D
Explanation - You can assign a global unicast IPv6 address to an instance after launch. Link-local IPv6 addresses aren’t routable. Attaching an additional network interface and assigning it a public IPv6 address is fine, but it requires more work than necessary. There’s no need to terminate the instance and launch a new one.
24. You have an EC2 instance with a global unicast IPv6 address assigned. How can you ensure that hosts on the Internet are able to resolve the IPv6 address of the instance?
  • A. No action is required; they can query the IPv6 record of the instance’s DNS hostname.
  • B. Create a publicly resolvable AAAA record that points to the instance’s IPv6 address.
  • C. Create a publicly resolvable A record that points to the instance’s IPv6 address.
  • D. Ensure that the instance’s security group allows inbound access to UDP port 53.
Answer - B
Explanation - Instances don’t have IPv6 DNS hostnames, so you’d need to create a publicly resolvable AAAA record pointing to the IPv6 address. An A record is for IPv4 addresses only. The instance’s security group has no bearing on being able to resolve the instance’s IPv6 address.
25. The address fe80:db8:1234:1a00::1/64 is an example of which of the following?
  • A. Elastic IP address
  • B. IPv4 link-local address
  • C. IPv6 link-local address
  • D. IPv6 global unicast address
Answer - C
Explanation - fe80:db8:1234:1a00::1/64 is a link-local IPv6 address. Elastic IP addresses are IPv4, not IPv6.
26. Which of the following addresses is released when an EC2 instance is stopped?
  • A. Its primary private IP address
  • B. Its public IPv4 address
  • C. Its public IPv6 address
  • D. Its elastic IP address
Answer - B
Explanation - The instance’s public IPv4 address is released when the instance is stopped. The others are retained.
27. Your EC2 instance in the us-east-1 region is assigned the public IP address 203.0.113.25. Which of the following is its external DNS hostname?
  • A. 203-0-113-25.compute-1.amazonaws.com
  • B. 25.113.0.203.ec2.compute-1.amazonaws.com
  • C. ec-203-0-113-25.compute-1.amazonaws.com
  • D. ec2-203-0-113-25.compute-1.amazonaws.com
Answer - D
Explanation - The external DNS hostname would be ec2-203-0-113-25.compute-1.amazonaws.com. The IP address octets are separated by dashes, not dots.
28. You created a default VPC and made no other changes to it. Which of the following is true of an EC2 instance launched into this default VPC? (Choose two.)
  • A. Its primary private IP address has a /16 CIDR.
  • B. It’s in a public subnet.
  • C. It has a public IP address.
  • D. It has no outbound access.
Answer - B, C
Explanation - An instance launched into a default VPC will be launched into a public subnet, have a public IP address, and have outbound access. Its primary private IP address will have a /20 CIDR, not a /16.
29. Your EC2 instance in the us-east-1 region has a primary private IP address of 10.9.13.37/20 and a secondary private IP address of 10.8.13.37/20. Which of the following is the instance’s private hostname?
  • A. ip-10-9-13-37.ec2.internal
  • B. ip-10-8-13-37.ec2.internal
  • C. ip-10-9-13-37.ec2.compute-1.internal
  • D. ip-10-8-13-37.ec2.us-east-1.internal
Answer - A
Explanation - The private hostname is ip-10-9-13-37.ec2.internal. In the US East 1 region, the hostname suffix is ec2.internal, while in other regions it follows the format region.compute.internal.
30. Which of the following VPC attributes determines whether an instance with a public IP address receives a public DNS hostname?
  • A. enableDnsSupport
  • B. enableDnsHostnames
  • C. enableDnsResolution
  • D. enableDns
Answer - B
Explanation - If enableDnsHostnames is set to true, then instances with a public IP address will receive a public DNS hostname. If enableDnsSupport is enabled, the Amazon DNS server is enabled. The other two options aren’t valid attributes.
31. Which of the following VPC attributes determines whether an instance can resolve the Amazon-provided private hostname of another instance in the same VPC?
  • A. enableDnsHostnames
  • B. enableDnsSupport
  • C. enableDnsResolution
  • D. enablePrivateDns
Answer - B
Explanation - If enableDnsSupport is set to true, then instances in a VPC can use the Amazon DNS server to resolve the Amazon-provided private hostname of another instance in the VPC. If enableDnsHostnames is set to true, then instances with a public IP address will receive a public DNS hostname.
32. A subnet has the CIDR 2001:db8:1234:1a00::/64. Which of the following addresses can you not assign to an instance?
  • A. 2001:db8:1234:1a00:ffff::
  • B. 2001:db8:1234:1a00:1:1
  • C. 2001:db8:1234:1a00::ffff
  • D. 2001:db8:1234:1a00::
Answer - D
Explanation - The first four addresses and last address of a subnet are reserved and can’t be assigned to an instance.
33. Using a virtual private gateway, you’ve created a site-to-site VPN connection between a VPC subnet and a datacenter. When creating routes to datacenter subnets, which of the following should you specify as the target?
  • A. Virtual private gateway
  • B. Customer gateway
  • C. Internet gateway
  • D. Transit gateway
Answer - A
Explanation - The route table tells the VPC’s implicit router how to reach the datacenter subnets. Because the virtual private gateway terminates the VPN connection with the customer gateway, the virtual private gateway should be the route target.
34. When attempting to RDP into a Windows instance from the Internet, you get the error “Your credentials did not work.” Which of the following could be the reason?
  • A. TCP port 3389 is blocked.
  • B. You’re using the wrong SSH key.
  • C. The password is incorrect.
  • D. The instance doesn’t have Internet access.
Answer - B
Explanation - The error indicates that you’ve established connectivity to the instance but didn’t supply the right credentials. For credentials, Windows RDP uses a password, not an SSH key.
35. You have a custom-built Windows instance that’s managed using Simple Systems Manager (SSM). You’ve attempted to connect to the instance via RDP from the Internet, but it doesn’t respond. You’ve verified that both your NACL and the instance’s security group allow RDP traffic. You can also use SSM to install official patches on the instance. Which of the following steps might resolve the issue with the least effort?
  • A. Re-create the instance using an official AMI.
  • B. Open up a PowerShell remoting session to the instance and enable RDP.
  • C. Attach to the instance an instance role with RDP permissions.
  • D. Run the AWSSupport-TroubleshootRDP SSM automation document to disable the Windows Firewall and enable RDP.
Answer - D
Explanation - Using the SSM AWSSupport-TroubleshootRDP automation document to enable RDP and disable the Windows firewall is the troubleshooting step that requires the least effort. It can also tell you what port RDP is listening on, in case it’s not using the well-known TCP port 3389. Doing the same with a PowerShell remoting session may be an option but would require adding additional security group and NACL rules.
36. You’re unable to RDP to a Windows EC2 instance after a reboot. Prior to this you were able to RDP into it via the Internet. Which of the following actions can help you determine the cause?
  • A. Take an instance screen shot.
  • B. View the system log.
  • C. View the CloudTrail logs for the instance.
  • D. View the AWS Config logs for the instance.
Answer - A
Explanation - An instance screen shot of a Windows instance can reveal whether the instance is at the logon screen (and hopefully ready to accept RDP connections) or at another screen where it wouldn’t be ready to accept RDP connections, such as the recovery console screen, the boot manager screen, the Windows update screen, the Getting Ready screen, the Chkdsk screen, or the Sysprep screen. The EC2 system log, CloudTrail logs, and AWS Config logs won’t provide valuable information for troubleshooting Windows RDP issues in this case.
37. Which of the following changes to a Windows Server 2019 instance can result in a loss of all network connectivity for several hours after rebooting it?
  • A. Changing the time zone
  • B. Upgrading the PV driver
  • C. The Windows Plug and Play Cleanup feature removing the EC2 network device
  • D. Enabling TCP offloading
Answer - A
Explanation - Changing the time zone can cause the instance to temporarily lose its IP address for up to several hours. Upgrading the PV driver may cause a temporary loss of connectivity, but only for up to 15 minutes. The Windows Plug and Play Cleanup feature won’t remove the EC2 network device except in Windows Server 2012 R2. Enabling TCP offloading may cause TCP connectivity problems but won’t affect all network connectivity.
38. Which of the following IP addresses does AWS use for Windows activation?
  • A. 169.254.169.250
  • B. 192.168.169.250
  • C. 169.168.169.254
  • D. 169.254.0.254
Answer - A
Explanation - AWS uses the addresses 169.254.169.250, 169.254.169.251, and 169.254.169.254 for Windows activation.
39. An EC2 instance in your VPC is unable to connect to a Relational Database Service (RDS) instance hosting a database. Which of the following should you try to resolve the problem?
  • A. Move the RDS instance into the same VPC as the EC2 instance but a different subnet.
  • B. Reconfigure the EC2 instance’s security group to allow access from the database instance.
  • C. Move the RDS instance into the same VPC and subnet as the EC2 instance.
  • D. Reconfigure the database instance’s security group to allow access from the EC2 instance.
Answer - D
Explanation - Because the EC2 instance initiates the connection, the database instance’s security group must allow inbound access from the EC2 instance. The EC2 and RDS instances don’t need to be in the same VPC.
40. You’re connected to an EC2 instance via SSH when you’re abruptly disconnected. You attempt to reconnect to the instance’s elastic IP address but are unsuccessful. Which of the following could explain this?
  • A. A rule denying outbound TCP port 22 access was added to the instance’s subnet’s NACL.
  • B. The outbound rules for the instance’s security group were removed.
  • C. All outbound rules for the instance’s subnet’s NACL were removed.
  • D. A rule denying outbound TCP port 22 access was added to the instance’s security group.
Answer - C
Explanation - Removing all outbound rules for the instance’s subnet’s NACL will stop all outbound traffic from the instance. Removing security group rules that allow outbound access or adding an outbound NACL rule denying access to TCP port 22 wouldn’t prevent an inbound SSH connection or cause it to drop. You can’t add a deny rule to a security group.
41. When attempting to SSH to an EC2 instance, you get the error that the user key is not recognized. You try a different SSH client and get a “permission denied” error. Which of the following could be the reason?
  • A. Other users have read and write permissions to your private SSH key.
  • B. There is a security group or NACL blocking SSH access to the instance.
  • C. You entered the wrong passphrase for the private SSH key.
  • D. The username you provided is incorrect.
Answer - D
Explanation - The errors indicate that you’re reaching the instance but it doesn’t recognize your credentials as valid. Entering the wrong passphrase for the private SSH key or using an SSH key that grants other users or groups read/write permissions will result in the SSH client not even attempting the connection. This leaves an incorrect username as the only possible answer.
42. When attempting to SSH to an EC2 instance from your workstation, you get the error “Permissions 0777 for ‘.ssh/private_key.pem’ are too open.” Which of the following actions can correct this error?
  • A. Re-create the key using ssh-keygen.
  • B. Delete the file .ssh/private_key.pem.
  • C. Execute the command chmod 0400 .ssh/private_key.pem.
  • D. Delete the public key from the .ssh/authorized_keys file.
Answer - C
Explanation - The error indicates that the SSH client won’t permit the connection because the private key’s permissions are too open. Executing the command chmod 0400 .ssh/private_key.pem would resolve this. Deleting or re-creating the private key wouldn’t resolve this issue. The SSH public key is stored on the instance, not on your workstation.
43. You intermittently get disconnected from an SSH session to an EC2 instance. You’re able to immediately reconnect. Which of the following may prevent the intermittent disconnection?
  • A. Enable keepalives on your SSH client.
  • B. Disable TCP keepalives on the server.
  • C. Set the ClientAliveInterval on the server to 0.
  • D. Run a continuous ping to the instance during the SSH session.
Answer - A
Explanation - The SSH server may be disconnecting the session after a period of inactivity. To avoid this, you can enable keepalives on your SSH client. Enabling (not disabling) TCP keepalives will also work. Setting the ClientAliveInterval on the server to 0 or running a continuous ping won’t prevent the server from disconnecting an idle session.
44. You need to be able to ping an EC2 instance’s elastic IP address. Which of the following should you add to the inbound security group rules?
  • A. ICMPv4 Echo Request
  • B. ICMPv4 Echo Reply
  • C. ICMPv6 All
  • D. ICMPv4 Destination Unreachable
Answer - A
Explanation - You need to allow ICMPv4 Echo Requests inbound to the instance. An ICMPv6 Echo Reply is what the instance would send in response to the ping. Elastic IP addresses are IPv4 addresses, so there’s no need to add rules for ICMPv6.
45. You attempt to ping an EC2 instance’s public IPv4 address but get no response. Which of the following could be the reason?
  • A. An inbound NACL rule denying UDP traffic
  • B. An inbound NACL rule denying ICMPv4 Echo Replies
  • C. An outbound NACL rule denying ICMPv4 Echo Requests
  • D. An outbound NACL rule denying ICMPv4 Echo Replies
Answer - D
Explanation - An outbound NACL rule that denies ICMPv4 Echo Replies would block the response to the Echo Request. ICMP and UDP are different protocols.
46. Which of the following can help an instance automatically recover from a loss of network connectivity caused by a problem with the underlying host?
  • A. CloudWatch alarms
  • B. CloudWatch Events
  • C. Simple Notification Service
  • D. Enhanced monitoring
Answer - A
Explanation - You can create a CloudWatch alarm to recover an instance when it fails its system status check.
47. What’s the maximum number of instance recovery attempts allowed per day?
  • A. Two
  • B. Three
  • C. Four
  • D. No limit
Answer - B
Explanation - Up to three instance recovery attempts are allowed per day.
48. Which of the following can tell you whether a security group or NACL has blocked traffic from a particular IP address?
  • A. CloudTrail logs
  • B. VPC Flow Logs
  • C. CloudWatch basic metrics
  • D. CloudWatch detailed metrics
Answer - B
Explanation - Of the options, only VPC Flow Logs can track whether traffic is allowed or denied.
49. You can configure VPC flow logging to limit the logging of traffic flows to which of the following? (Choose two.)
  • A. Elastic load balancer
  • B. VPC
  • C. Placement group
  • D. Host
Answer - A, B
Explanation - VPC Flow Logs can be configured to log flows for a VPC, a subnet, or an elastic network interface (such as one attached to an elastic load balancer or instance). VPC flow logging can’t be configured per host or per placement group.
50. Which of the following is not included in the 5-tuple of a VPC Flow Logs record?
  • A. Source port
  • B. Protocol
  • C. Number of packets
  • D. IPv4/IPv6 indicator
Answer - D
Explanation - A VPC Flow Logs record contains a 5-tuple that includes source address, source port, destination address, destination port, and protocol. A VPC Flow Logs record doesn’t include an indicator to explicitly distinguish an IPv4 flow from an IPv6 flow, nor does it contain the number of packets in the flow.