[DEVELOPER] Advanced Networking and Content Delivery

Question 1

What is the primary function of an Interface VPC Endpoint (powered by PrivateLink)?

Answer 1

Allows you to connect to an AWS service using private IP addresses in your VPC via an ENI, without using an Internet Gateway or NAT Gateway.

Question 2

What is a Gateway VPC Endpoint?

Answer 2

A target you specify in your route tables to privately access Amazon S3 and DynamoDB from your VPC. It is not an ENI and does not use PrivateLink.

Question 3

When connecting to a service via PrivateLink, does the traffic flow ever touch the public internet?

Answer 3

It stays entirely within the AWS network backbone, never touching the public internet.

Question 4

What is the key developer benefit of AWS Global Accelerator over CloudFront?

Answer 4

It improves performance for non-HTTP/HTTPS applications (like gaming, IoT, or VoIP) and provides two static, Anycast IP addresses as a fixed entry point.

Question 5

At what layer does Global Accelerator primarily operate?

Answer 5

Layer 4 (TCP/UDP), which is why it’s suitable for non-HTTP traffic.

Question 6

What is the primary role of AWS App Mesh in a microservices architecture?

Answer 6

It is a service mesh that enables consistent traffic control, monitoring, and logging across services running on EC2, ECS, or EKS using the Envoy proxy

Question 7

What is a service mesh?

Answer 7

A microservice abstraction that handles all of the interactions of your microservices with each other, leaving the microservices to just handle their business logic

Question 8

Which two deployment strategies does App Mesh facilitate?

Answer 8

1. Canary Deployment (slow rollout of a new version)
2. A/B Testing by controlling the percentage of traffic routed to each service version.

Question 9

What is AWS Cloud Map?

Answer 9

An API-based service discovery tool that lets your applications find and connect to services by using custom names, eliminating the need to hardcode service locations.

Question 10

How does Cloud Map integrate with Route 53?

Answer 10

Cloud Map can create and update Route 53 records automatically for newly deployed services

Question 11

In what key ways is service discovery different from DNS?

Answer 11

Both answer “where is my dependency?”

Service discovery is better equipped to handle dependencies that are more ephemeral (e.g. likely to move / scale vs. static webpages)

It does that by actively pushing a services location to the resolver (vs. DNS just uses TTL)

Question 12

How can a developer temporarily restrict access to specific files in a CloudFront distribution?

Answer 12

Use Signed URLs or Signed Cookies

They include an expiration time and a policy to define what the user can access.

Question 13

What does OAC stand for?

Answer 13

Origin Access Control

Question 14

What is the modern, preferred way to restrict access to an S3 bucket so that users can only access files via CloudFront?

Answer 14

Origin Access Control (OAC), which is an improvement over the legacy OAI (Origin Access Identity).

Question 15

A backend service is under maintenance. How can an ALB be configured to communicate this to the client without hitting any of the downstream targets?

Answer 15

Use the Fixed Response Action in the listener rule to immediately return a custom response code (e.g.503 Service Unavailable) and a custom message.

Question 16

In an ALB, how can you route requests based on data in the request body?

Answer 16

You can’t.

ALBs only perform routing based on data in the request headers, path, query strings, or source IP address.

Question 17

What is the use case for an ALB Fixed Response Action?

Answer 17

It is an ALB Listener action that returns a specified HTTP status code and body to the client without forwarding the request downstream to any target group

Question 18

In the context of Geoproximity Routing

What is a bias?

Answer 18

It changes the effective distance between client and server for geoproximity routing

Question 19

How does an OAC grant CloudFront permission to access a private S3 bucket?

Answer 19

By assigning an IAM Service Principal to the CloudFront distribution and updating the S3 Bucket Policy to trust that principal.

Question 20

What is the required AWS region for an AWS Certificate Manager (ACM) certificate used with a CloudFront distribution?

Answer 20

It must be created in the us-east-1 (N. Virginia) region, as CloudFront is a global service.

Question 21

What happens if you try to use an ACM certificate that is NOT in the us-east-1 region for a CloudFront distribution?

Answer 21

CloudFront will not allow the certificate to be selected for the distribution.

Question 22

What is the recommended practice for securing the connection between the viewer (client) and CloudFront?

Answer 22

Use HTTPS/TLS (requiring an ACM certificate).

Question 23

If something in a private subnet needs to communicate with S3 or DynamoDB outside the VPC, what should be used?

Answer 23

Gateway Endpoint

Question 24

If something in a private subnet needs to communicate with an AWS service OTHER THAN S3 or DynamoDB outside the VPC, what should be used?

Answer 24

Interface Endpoint

Question 25

If something in a private subnet needs to communicate with a 3rd party service outside of AWS and the VPC, and communication does **not** need to be bidirectional, what should be used?

Answer 25

NAT Gateway

Question 26

If something in a private subnet needs to communicate with a 3rd party service outside of AWS and the VPC, and communication needs to be bidirectional, what should be used?

Answer 26

Internet Gateway