Networking & Content Delivery Flashcards

Describe AWS networking components including VPC, Route 53, CloudFront, and how they enable secure connectivity. (26 cards)

1
Q

An Amazon Virtual Private Cloud (VPC) can include multiple:

  1. AWS Regions.
  2. Edge locations.
  3. Internet gateways.
  4. Availability Zones.
A

4. Availability Zones.

An Amazon VPC spans all of the Availability Zones in its Region. Within the VPC you create subnets, each in a single AZ, and distribute your resources across subnets in different AZs for high availability.

  • AWS Regions is incorrect. A VPC cannot include multiple Regions.
  • Edge locations is incorrect. A VPC cannot include multiple Edge locations as these are independent of the Regions in which a VPC is created.
  • Internet gateways is incorrect. You can only attach one Internet gateway to each VPC.

Reference:
Amazon Virtual Private Cloud

2
Q

A website has a global customer base and users have reported poor performance when connecting to the site.

Which AWS service will improve the customer experience by reducing latency?

  1. AWS Direct Connect
  2. Amazon EC2 Auto Scaling
  3. Amazon CloudFront
  4. Amazon ElastiCache
A

3. Amazon CloudFront

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment.

  • AWS Direct Connect is incorrect. Direct Connect is a private network connection between an on-premises data center and AWS.
  • Amazon EC2 Auto Scaling is incorrect. Auto Scaling launches and terminates instances to match demand; it does not move content closer to global users or reduce latency.
  • Amazon ElastiCache is incorrect. ElastiCache is an in-memory cache placed in front of databases. It is not used to cache web content at the edge.

Reference:
Amazon CloudFront

3
Q

What is one method of protecting against distributed denial of service (DDoS) attacks in the AWS Cloud?

  1. Use Amazon CloudWatch monitoring.
  2. Configure a firewall in front of resources.
  3. Monitor the AWS Health Dashboard.
  4. Enable AWS CloudTrail logging.
A

2. Configure a firewall in front of resources.

Some forms of DDoS mitigation are included automatically with AWS services (AWS Shield Standard is applied to every AWS customer at no extra cost). You can further improve your DDoS resilience by designing your architecture around specific services and by implementing additional best practices. Placing a firewall in front of your resources (for example AWS WAF at CloudFront or an Application Load Balancer, and security groups and network ACLs around your instances) reduces the attack surface of your services, which can mitigate some DDoS attacks.

  • Use Amazon CloudWatch monitoring is incorrect. Performance monitoring will not protect against DDoS.
  • Enable AWS CloudTrail logging is incorrect. Logging API calls will not protect against DDoS.
  • Monitor the AWS Health Dashboard is incorrect. The AWS Health Dashboard reports the status of AWS services and events that affect your resources; it gives you visibility, not mitigation.

Reference:
Mitigation techniques

4
Q

A company is deploying a new web application in a single AWS Region that will be used by users globally.

Which AWS services will assist with lowering latency and improving transfer speeds for the global users?

(Select TWO.)

  1. AWS Direct Connect
  2. AWS Global Accelerator
  3. Amazon CloudFront
  4. AWS Transit Gateway
  5. AWS Snowcone
A

2. AWS Global Accelerator
3. Amazon CloudFront

Amazon CloudFront is a content delivery network (CDN) that caches content around the world for lower latency access. AWS Global Accelerator enables access to your application by leveraging the same Edge Locations as CloudFront and routing connections across the AWS global network.

Both of these services assist with lowering latency and improving transfer speeds for users who are distributed around the world.

  • AWS Direct Connect is incorrect. This service provides private connections from data centers to AWS. It is not useful for distributed users as they will not be able to take advantage of it.
  • AWS Transit Gateway is incorrect. This service is used for optimizing the network topology of interconnected VPCs and on-premises networks.
  • AWS Snowcone is incorrect. Snowcone is used as an edge device for transferring data.

5
Q

A company has a global user base and needs to deploy AWS services that can decrease network latency for their users. Which services may assist?

(Select TWO.)

  1. Amazon CloudFront
  2. Amazon VPC
  3. Application Auto Scaling
  4. AWS Direct Connect
  5. AWS Global Accelerator
A

1. Amazon CloudFront
5. AWS Global Accelerator

Amazon CloudFront is a content delivery network (CDN) that caches media assets such as files, photos, and videos in Edge locations around the world. This gets your content closer to the user base which decreases latency.

AWS Global Accelerator is a service that can direct users to the nearest AWS Region that contains an endpoint for an application. The service uses Edge locations to bring users onto the AWS global network as early as possible and then forwards all traffic over that network, which also decreases latency.

  • Amazon VPC is incorrect as this service does not decrease latency for global users.
  • Application Auto Scaling is incorrect as this is used to scale applications based on workload, it does not decrease latency.
  • AWS Direct Connect is incorrect as this service does decrease latency but not for a global user base.

6
Q

Which AWS service should a Cloud Practitioner use to establish a secure network connection between an on-premises network and AWS?

  1. AWS Mobile Hub
  2. AWS Web Application Firewall (WAF)
  3. Amazon Virtual Private Cloud (VPC)
  4. Virtual Private Network
A

4. Virtual Private Network

AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network.

  • AWS Mobile Hub is incorrect. This service is used for building, testing, and monitoring mobile applications that make use of one or more AWS services.
  • AWS Web Application Firewall (WAF) is incorrect. This service is used for protecting against common web exploits.
  • Amazon Virtual Private Cloud (VPC) is incorrect. This is a virtual network in the cloud. You connect your AWS VPN to your Amazon VPC.

Reference:
AWS VPN

7
Q

Which Amazon EC2 tool acts as a virtual firewall to control inbound and outbound traffic to an EC2 instance?

  1. AWS WAF
  2. AWS Shield
  3. Network access control list (ACL)
  4. Security group
A

4. Security group

A security group acts as a virtual firewall, controlling the traffic that is allowed to reach and leave the resources that it is associated with. For example, after you associate a security group with an EC2 instance, it controls the inbound and outbound traffic for the instance.

  • AWS Shield is incorrect. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service and does not control traffic.
  • AWS WAF is incorrect. AWS WAF is a web application firewall that inspects HTTP(S) requests at the edge or load balancer (CloudFront, Application Load Balancer, API Gateway); it does not filter traffic to an individual EC2 instance. A security group is attached to the instance's network interface and controls that instance's inbound and outbound traffic.
  • Network access control list (ACL) is incorrect. Network ACLs are also virtual firewalls within a VPC, but they operate at the subnet level and are stateless, whereas security groups are instance-level and stateful.

Reference:
Control traffic to your AWS resources using security groups
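To make the contrast in this card concrete, here is an added example (not AWS code and not part of the original flashcard) that models the documented evaluation semantics of the two filters: a security group is a stateful allow-list with no rule ordering, while a network ACL is stateless, evaluated lowest rule number first with an implicit deny at the end. The rule, packet and class names, the addresses and the rule numbers are this example's own assumptions, chosen to reproduce the classic mistake of a NACL that allows outbound HTTPS but forgets the client's ephemeral port range.

```python
"""A minimal model of the two VPC traffic filters the card contrasts.
A security group is stateful: a matching allow rule admits the flow and the
return traffic is then admitted automatically, whatever the rules in the
other direction say. A network ACL is stateless and ordered: each packet is
checked on its own against the rules in ascending rule-number order, the
first match decides, and an unmatched packet hits the implicit deny.
Added example, not AWS code; names, addresses and rule numbers are made up."""
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    cidr: str
    from_port: int
    to_port: int
    proto: str = "tcp"
    number: int = 0        # NACL evaluation order; unused by security groups
    allow: bool = True     # NACL only: security groups cannot express deny


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


def _matches(rule, ip, port, proto):
    return (rule.proto in ("-1", proto)
            and rule.from_port <= port <= rule.to_port
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    def __init__(self, inbound, outbound):
        self.inbound_rules = list(inbound)
        self.outbound_rules = list(outbound)
        self._flows = set()   # tracked (local_ip, local_port, remote_ip, remote_port)

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self._flows:                       # reply to a tracked outbound flow
            return True
        if any(_matches(r, pkt.src, pkt.dport, pkt.proto) for r in self.inbound_rules):
            self._flows.add(key)
            return True
        return False

    def outbound(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self._flows:                       # reply to a tracked inbound flow
            return True
        if any(_matches(r, pkt.dst, pkt.dport, pkt.proto) for r in self.outbound_rules):
            self._flows.add(key)
            return True
        return False


class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound_rules = sorted(inbound, key=lambda r: r.number)
        self.outbound_rules = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, ip, port, proto):
        for r in rules:                  # first match wins, lowest number first
            if _matches(r, ip, port, proto):
                return r.allow
        return False                     # implicit '*' deny rule

    def inbound(self, pkt):
        return self._evaluate(self.inbound_rules, pkt.src, pkt.dport, pkt.proto)

    def outbound(self, pkt):
        return self._evaluate(self.outbound_rules, pkt.dst, pkt.dport, pkt.proto)


def run_scenario():
    """HTTPS request from the internet to a web server and its reply, checked
    against a security group and two NACLs (one with the classic mistake)."""
    request = Packet(src="203.0.113.5", dst="10.0.1.10", sport=51000, dport=443)
    reply = Packet(src="10.0.1.10", dst="203.0.113.5", sport=443, dport=51000)
    blocked = Packet(src="198.51.100.9", dst="10.0.1.10", sport=51000, dport=443)

    # Outbound left empty on purpose (a real default group allows all outbound)
    # to show that the reply is admitted by connection state, not by a rule.
    sg = SecurityGroup(inbound=[Rule(ANY, 443, 443)], outbound=[])
    # Mistake: allowing outbound 443 only; replies go to the client's ephemeral port.
    naive_nacl = NetworkAcl(inbound=[Rule(ANY, 443, 443, number=100)],
                            outbound=[Rule(ANY, 443, 443, number=100)])
    # Correct: outbound ephemeral range, plus a lower-numbered deny for one bad /24.
    fixed_nacl = NetworkAcl(
        inbound=[Rule("198.51.100.0/24", 0, 65535, number=90, allow=False),
                 Rule(ANY, 443, 443, number=100)],
        outbound=[Rule(ANY, 1024, 65535, number=100)])
    return {
        "sg_request": sg.inbound(request),
        "sg_reply": sg.outbound(reply),
        "naive_nacl_request": naive_nacl.inbound(request),
        "naive_nacl_reply": naive_nacl.outbound(reply),
        "fixed_nacl_request": fixed_nacl.inbound(request),
        "fixed_nacl_reply": fixed_nacl.outbound(reply),
        "fixed_nacl_blocked_src": fixed_nacl.inbound(blocked),
    }


if __name__ == "__main__":
    for name, allowed in run_scenario().items():
        print(f"{name:24s} {'ALLOW' if allowed else 'DENY'}")
```

Running it shows the security group admitting the reply with no outbound rule at all, the naive NACL dropping that same reply (the packet to port 51000 matches nothing and falls to the implicit deny), and the fixed NACL admitting it while its rule 90 blocks the unwanted /24 before rule 100 can allow it.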

8
Q

A company has a website that delivers static content from an Amazon S3 bucket to users from around the world.

Which AWS service will deliver the content with low latency?

  1. AWS Lambda
  2. Amazon CloudFront
  3. AWS Elastic Beanstalk
  4. AWS Global Accelerator
A

2. Amazon CloudFront

Amazon CloudFront is a content delivery network (CDN) and can use an Amazon S3 bucket configured as a static website as the origin for the content it caches globally. CloudFront reduces latency for global users by serving the requested content from a local cache.

  • AWS Lambda is incorrect. Lambda is a serverless compute service that runs code in response to triggers.
  • AWS Elastic Beanstalk is incorrect. Elastic Beanstalk is a platform as a service offering that is used to run applications on a managed platform.
  • AWS Global Accelerator is incorrect. Global Accelerator is used to direct traffic to application endpoints in different Regions using the AWS global network. It does not cache content and would not be used in front of an S3 bucket.

Reference:
Amazon CloudFront

9
Q

Which AWS service or VPC component allows inbound traffic from the internet to access a VPC?

  1. NAT Gateway
  2. Internet gateway
  3. VPC Route Table
  4. Virtual Private Gateway
A

2. Internet gateway

An Internet gateway is attached to a VPC and allows inbound traffic from the internet to access the VPC. It is also used as a target in route tables for outbound internet traffic.

  • NAT Gateway is incorrect. A NAT gateway is used for outbound internet access for instances running in a private subnet.
  • VPC Route Table is incorrect. The route table is used within a VPC for directing traffic.
  • Virtual Private Gateway is incorrect. A virtual private gateway (VGW) is the VPC-side endpoint of IPsec Site-to-Site VPN connections into a VPC.

Reference:
Enable internet access for a VPC using an internet gateway

10
Q

A company plans to connect their on-premises data center to the AWS Cloud and requires consistent bandwidth and performance.

Which AWS service should the company choose?

  1. AWS VPN
  2. Amazon Connect
  3. AWS Direct Connect
  4. Amazon CloudFront
A

3. AWS Direct Connect

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.

  • AWS VPN is incorrect. A virtual private network (VPN) uses the internet and does not offer consistent network bandwidth or performance.
  • Amazon Connect is incorrect. This is a contact center solution, not a networking technology.
  • Amazon CloudFront is incorrect. CloudFront is a CDN used for caching content. It is not used for connecting from on-premises data centers to the AWS Cloud.

Reference:
AWS Direct Connect

11
Q

Which AWS service or feature can be used to capture information about inbound and outbound IP traffic on network interfaces in a VPC?

  1. Internet gateway
  2. AWS CloudTrail
  3. VPC Endpoint
  4. VPC Flow Logs
A

4. VPC Flow Logs

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3. After you’ve created a flow log, you can retrieve and view its data in the chosen destination.

Flow logs can help you with a number of tasks, such as:

  • Diagnosing overly restrictive security group rules.
  • Monitoring the traffic that is reaching your instance.
  • Determining the direction of the traffic to and from the network interfaces.

Flow log data is collected outside of the path of your network traffic, and therefore does not affect network throughput or latency. You can create or delete flow logs without any risk of impact to network performance.

  • Internet gateway is incorrect. An internet gateway is attached to a VPC and used for sending and receiving data from the internet.
  • AWS CloudTrail is incorrect. CloudTrail is used for auditing API activity.
  • VPC Endpoint is incorrect. VPC endpoints are used for connecting to public AWS services using private IP addresses.

Reference:
Logging IP traffic using VPC Flow Logs
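The two flow-log tasks listed above (diagnosing overly restrictive rules and monitoring what reaches an interface) come down to parsing the default record format and counting. The following is an added example, not AWS code and not part of the original flashcard: it parses records in the default format (version, account ID, interface ID, source and destination address and port, protocol, packets, bytes, start, end, action, log status), skips NODATA/SKIPDATA records, and then counts REJECTs per destination port and flags external sources that were rejected on many different ports. The sample records, the account ID, the ENI ID, the VPC CIDR and the addresses are constructed for the example.

```python
"""Parse VPC Flow Log records in the default format and run two checks the
card lists as flow-log use cases: traffic that a security group or network
ACL is rejecting (a rule that is too tight shows up as repeated REJECTs to
one address:port you expect to serve) and one source probing many ports.
Added example, not AWS code; the records below are constructed."""
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: fictitious account and ENI IDs, RFC 5737 addresses.
# 203.0.113.10/.11 are rejected on 443 (a missing allow rule?), 198.51.100.7
# is rejected on six different ports (scan-like), and the final NODATA
# record shows the '-' placeholders that must be skipped, not parsed.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.10 10.0.1.10 51234 80 6 12 2880 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.10 10.0.1.10 51235 443 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 203.0.113.11 10.0.1.10 40022 443 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 60001 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 60002 23 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 60003 443 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 60004 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 60005 8080 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.10 60006 5432 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000060 1700000120 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number (6 = TCP)
    action: str        # ACCEPT or REJECT


def parse_flow_log(text):
    """Return FlowRecords for lines whose log-status is OK. NODATA and
    SKIPDATA records carry '-' in the traffic fields and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        f = dict(zip(FIELDS, parts))
        if f["log_status"] != "OK":
            continue
        records.append(FlowRecord(f["interface_id"], f["srcaddr"], f["dstaddr"],
                                  int(f["srcport"]), int(f["dstport"]),
                                  int(f["protocol"]), f["action"]))
    return records


def rejects_by_destination(records):
    """Count REJECTs per (dstaddr, dstport). A high count on a port you expect
    to serve points at a security group or NACL rule that is too tight."""
    return Counter((r.dstaddr, r.dstport) for r in records if r.action == "REJECT")


def scan_candidates(records, vpc_cidr, min_ports=5):
    """Sources outside the VPC that were rejected on at least min_ports
    distinct destination ports inside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    ports = defaultdict(set)
    for r in records:
        if r.action != "REJECT":
            continue
        if ipaddress.ip_address(r.srcaddr) in vpc or ipaddress.ip_address(r.dstaddr) not in vpc:
            continue                         # only inbound from outside the VPC
        ports[r.srcaddr].add(r.dstport)
    return {src: p for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for (dst, port), n in rejects_by_destination(recs).most_common():
        print(f"REJECT x{n} -> {dst}:{port}")
    for src, p in scan_candidates(recs, "10.0.0.0/16").items():
        print(f"possible scan from {src}: ports {sorted(p)}")
```

On the sample, port 443 on 10.0.1.10 collects three REJECTs from three different sources while port 80 is accepted, which is the signature of a security group that allows HTTP but not HTTPS; 198.51.100.7 is the only source rejected on five or more distinct ports. In production the same counters run over records delivered to CloudWatch Logs or S3 and are worth keying on interface ID as well.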

12
Q

Which AWS services are associated with Edge Locations?

(Select TWO.)

  1. Amazon CloudFront
  2. AWS Direct Connect
  3. AWS Shield
  4. Amazon EBS
  5. AWS Config
A

1. Amazon CloudFront
3. AWS Shield

Edge Locations are parts of the Amazon CloudFront content delivery network (CDN) that are all around the world and are used to get content closer to end-users for better performance.

AWS Shield which protects against Distributed Denial of Service (DDoS) attacks is available globally on Amazon CloudFront Edge Locations.

  • AWS Direct Connect is incorrect. AWS Direct Connect is a networking service used for creating a hybrid cloud between on-premises and the AWS Cloud using a private network connection; it terminates at Direct Connect locations, not Edge Locations.
  • Amazon EBS is incorrect. Amazon EBS is a storage service.
  • AWS Config is incorrect. AWS Config is used for evaluating the configuration state of AWS resources.

13
Q

AWS Direct Connect is used by a company that wants to establish connectivity across multiple AWS Regions using VPCs.

Which AWS service or feature should the company use to meet these requirements?

  1. AWS Transit Gateway
  2. AWS PrivateLink
  3. Amazon Connect
  4. Amazon Route 53
A

1. AWS Transit Gateway

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.

As you expand globally, inter-Region peering connects AWS Transit Gateways together using the AWS global network. Your data is automatically encrypted and never travels over the public internet.

  • AWS PrivateLink is incorrect as although AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, it doesn’t do this across multiple regions.
  • Amazon Connect is incorrect as Connect is a cloud-based telecommunications service providing managed customer contact centers; it has nothing to do with connecting VPCs.
  • Amazon Route 53 is incorrect. Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service and can also be used to register domain names.

Reference:
AWS Transit Gateway

14
Q

Which service can be used to improve performance for users around the world?

  1. AWS LightSail
  2. Amazon CloudFront
  3. Amazon Connect
  4. Amazon ElastiCache
A

2. Amazon CloudFront

Amazon CloudFront is a content delivery network (CDN) that caches content at Edge Locations around the world. This gets the content closer to users which improves performance.

  • AWS LightSail is incorrect. AWS LightSail is a compute service that offers a lower cost and easier to use alternative to Amazon EC2.
  • Amazon Connect is incorrect. Amazon Connect is a self-service, cloud-based contact center service that makes it easy for any business to deliver better customer service at lower cost.
  • Amazon ElastiCache is incorrect. Amazon ElastiCache is a caching service for databases. Though it does improve read performance for database queries, it is not a global service that is designed to improve performance for users around the world.

Reference:
Amazon CloudFront FAQs

15
Q

An organization has an on-premises data center and accesses the AWS Cloud over the Internet.

How can they create a private hybrid cloud connection that avoids the internet?

  1. AWS Direct Connect
  2. AWS Managed VPN
  3. AWS VPN CloudHub
  4. AWS VPC Endpoint
A

1. AWS Direct Connect

AWS Direct Connect is a low-latency, high-bandwidth, private connection to AWS. This can be used to create a private hybrid cloud connection between on-premises and the AWS Cloud.

  • AWS Managed VPN is incorrect. AWS Managed VPN uses the Internet for network connections, so it is not creating a private connection. The connection is secured but uses the Internet.
  • AWS VPN CloudHub is incorrect. AWS VPN CloudHub uses the Internet for network connections, so it is not creating a private connection. The connection is secured but uses the Internet.
  • AWS VPC Endpoint is incorrect. An AWS VPC Endpoint is a PrivateLink connection that connects an AWS public service to a VPC using a private connection. This does not connect on-premises environments to AWS.

Reference:
AWS Direct Connect FAQs

16
Q

Remote employees need access to managed Windows virtual desktops and applications over secure networks.

Which AWS services can the company use to meet these requirements?

(Select TWO.)

  1. Amazon Connect
  2. Amazon AppStream 2.0
  3. Amazon Workspaces
  4. AWS Site-to-Site VPN
  5. Amazon Elastic Container Service (Amazon ECS)
A

3. Amazon Workspaces
4. AWS Site-to-Site VPN

Amazon WorkSpaces is a fully managed desktop virtualization service for Windows and Linux that enables you to access resources from any supported device.

To secure your network you would use the AWS Site-to-Site VPN. AWS Site-to-Site VPN allows you to encrypt traffic across your networks.

  • Amazon Connect is incorrect. Amazon Connect is a cloud-based telecommunications service providing managed cloud-based customer contact centers.
  • Amazon AppStream 2.0 is incorrect. Amazon AppStream is a non-persistent desktop and application service for remotely accessing your work. The non-persistent feature of this service would make the product unsuitable.
  • Amazon Elastic Container Service (Amazon ECS) is incorrect. Amazon ECS is a managed container orchestration service for running containers in the cloud; it does not provide virtual desktops or application streaming.

17
Q

An IT company requires a private, encrypted channel of communication between its on-premises data center and a VPC in the AWS Cloud.

Which AWS service or feature meets this requirement?

  1. VPC endpoints
  2. AWS Site-to-Site VPN
  3. AWS Global Accelerator
  4. AWS PrivateLink
A

4. AWS PrivateLink

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.

  • VPC endpoints is incorrect. A VPC endpoint is the interface through which a VPC privately reaches supported AWS services or PrivateLink-published services; on its own it does not connect AWS to an on-premises network (on-premises clients reach an endpoint over Direct Connect or a VPN).
  • AWS Global Accelerator is incorrect. AWS Global Accelerator is a networking service that improves the performance of your users’ traffic by up to 60% using Amazon Web Services’ global network infrastructure. When the internet is congested, AWS Global Accelerator optimizes the path to your application to keep packet loss, jitter, and latency consistently low. It is not used to connect your VPC to on-premises environments.
  • AWS Site-to-Site VPN is incorrect, because although traffic between a VPC and an on-premises environment is encrypted, it travels over the public internet, which the IT company's requirement for a private channel rules out.

Reference:
AWS PrivateLink

18
Q

How can I deploy AWS Cloud infrastructure to multiple AWS Regions quickly, automatically, and reliably?

  1. Use AWS CodeStar to set up a continuous delivery toolchain for automated deployment.
  2. Create and launch an Amazon EC2 Amazon Machine Image (AMI) containing the source code with built-in deployment hooks to launch other AWS services.
  3. Create and use an AWS CloudFormation template.
  4. Use AWS Systems Manager to automate management tasks, such as creating Amazon EC2 Amazon Machine Images (AMIs) and applying patches.
A

3. Create and use an AWS CloudFormation template.

AWS CloudFormation is an Infrastructure as Code (IaC) tool that provisions infrastructure from templates written in JSON or YAML. Because the template describes the resources declaratively, the same template can be deployed as a stack in any Region.

  • Use AWS CodeStar to set up a continuous delivery toolchain for automated deployment is incorrect. AWS CodeStar is a cloud‑based development service that provides the tools you need to quickly develop, build, and deploy applications on AWS.
  • Create and launch an Amazon EC2 Amazon Machine Image (AMI) containing the source code with built-in deployment hooks to launch other AWS services is incorrect. This would not inherently provide multi-Region functionality as AMIs are Region specific.
  • Use AWS Systems Manager to automate management tasks, such as creating Amazon EC2 Amazon Machine Images (AMIs) and applying patches is incorrect. AWS Systems Manager can be used for automation of management tasks, such as creating Amazon EC2 Amazon Machine Images (AMIs) and applying patches - however this is not related to the question of launching applications across multiple Regions.

Reference:
AWS CloudFormation

19
Q

What are the primary benefits of using AWS Elastic Load Balancing?

(Select TWO.)

  1. High availability
  2. Elasticity
  3. Automation
  4. Caching
  5. Regional resilience
A

1. High availability
2. Elasticity

High availability – ELB automatically distributes traffic across multiple EC2 instances in different AZs within a region.

Elasticity – ELB is capable of handling rapid changes in network traffic patterns.

  • Automation is incorrect. Automation is not a primary benefit of ELB.
  • Caching is incorrect. Caching is not a benefit of ELB
  • Regional resilience is incorrect. An ELB can distribute incoming traffic across your Amazon EC2 instances in a single Availability Zone or multiple Availability Zones, but not across Regions (for regional resilience).

Reference:
Elastic Load Balancing

20
Q

What is an Edge location?

  1. A public endpoint for Amazon S3
  2. A content delivery network (CDN) endpoint for CloudFront
  3. A virtual private gateway for VPN
  4. A VPC peering connection endpoint
A

2. A content delivery network (CDN) endpoint for CloudFront

Edge locations are Content Delivery Network (CDN) endpoints for CloudFront. There are many more edge locations than regions.

  • A public endpoint for Amazon S3 is incorrect. Amazon S3 is reached through Regional endpoints; edge locations can cache S3 content via CloudFront but are not S3 endpoints.
  • A virtual private gateway for VPN is incorrect. A virtual private gateway is the VPC side of a Site-to-Site VPN connection and is not an edge location.
  • A VPC peering connection endpoint is incorrect. VPC peering connects two VPCs over the AWS network and has no edge endpoint.

21
Q

What is the relationship between subnets and availability zones?

  1. You can create one or more subnets within each availability zone
  2. Subnets span across multiple availability zones
  3. You can create one subnet per availability zone
  4. Subnets contain one or more availability zones
A

1. You can create one or more subnets within each availability zone

You can create one or more subnets within each availability zone but subnets cannot span across availability zones.

  • Subnets span across multiple availability zones is incorrect as they are contained within a single AZ.
  • You can create one subnet per availability zone is incorrect as you can create many subnets per AZ.
  • Subnets contain one or more availability zones is incorrect as they are created within a single AZ.

Reference:
Regions, Availability Zones, and Local Zones

22
Q

How can you configure Amazon Route 53 to monitor the health and performance of your application?

  1. Using DNS lookups
  2. Using Route 53 health checks
  3. Using the Route 53 API
  4. Using CloudWatch
A

2. Using Route 53 health checks

Amazon Route 53 health checks monitor the health and performance of your web applications, web servers, and other resources.

None of the other options provide a solution that can check the health and performance of an application.

Reference:
Creating Amazon Route 53 health checks

23
Q

A developer needs a way to automatically provision a collection of AWS resources. Which AWS service is primarily used for deploying infrastructure as code?

  1. AWS Elastic Beanstalk
  2. AWS CloudFormation
  3. AWS CodeDeploy
  4. Jenkins
A

2. AWS CloudFormation

AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS resources and provision them in an orderly and predictable fashion.

AWS CloudFormation provides a common language for you to describe and provision all the infrastructure resources in your cloud environment. Think of CloudFormation as deploying infrastructure as code.

  • AWS Elastic Beanstalk is incorrect. Elastic Beanstalk is more focused on deploying applications on EC2 (PaaS).
  • AWS CodeDeploy is incorrect. AWS CodeDeploy is a fully managed deployment service that automates software deployments to a variety of compute services such as Amazon EC2, AWS Lambda, and your on-premises servers.
  • Jenkins is incorrect. Jenkins is a Continuous Integration tool but is not an AWS service.

Reference:
AWS CloudFormation

24
Q

How can a company connect from their on-premises network to VPCs in multiple regions using private connections?

  1. AWS Managed VPN
  2. AWS Direct Connect Gateway
  3. Amazon CloudFront
  4. Inter-Region VPC Peering
A

2. AWS Direct Connect Gateway

You can use an AWS Direct Connect gateway to connect your AWS Direct Connect connection over a private virtual interface to one or more VPCs in your account that are located in the same or different Regions.

  • AWS Managed VPN is incorrect. AWS Managed VPN uses the public Internet and is therefore not a private connection.
  • Amazon CloudFront is incorrect. Amazon CloudFront is a content delivery network used for caching data.
  • Inter-Region VPC Peering is incorrect. Inter-Region VPC peering connects VPCs to each other; it does not connect an on-premises network to AWS.

Reference:
AWS Direct Connect gateways

25
Q

Which of the following descriptions is incorrect in relation to the design of Availability Zones?

  1. AZs have direct, low-latency, high throughput and redundant network connections between each other
  2. Each AZ is designed as an independent failure zone
  3. AZs are physically separated within a typical metropolitan region and are located in lower risk flood plains
  4. Each subnet in a VPC is mapped to all AZs in the region
A

4. Each subnet in a VPC is mapped to all AZs in the region

Subnets are created within a single AZ and do not get mapped to multiple AZs.

  • AZs have direct, low-latency, high throughput and redundant network connections between each other is incorrect as this is true.
  • Each AZ is designed as an independent failure zone is incorrect as this is true.
  • AZs are physically separated within a typical metropolitan region and are located in lower risk flood plains is incorrect as this is true.

Reference:
Regions and Zones (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html)

26
Q

When designing a VPC, what is the purpose of an Internet Gateway?

  1. Provides Internet access for EC2 instances in private subnets
  2. Enables Internet communications for instances in public subnets
  3. It's a bastion host for inbound management connections
  4. It's used for making VPN connections to a VPC
A

2. Enables Internet communications for instances in public subnets

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

  • Provides Internet access for EC2 instances in private subnets is incorrect. You cannot connect instances in a private subnet to the Internet using an Internet Gateway; you need a NAT Gateway or NAT instance for this purpose.
  • It's a bastion host for inbound management connections is incorrect. You cannot use an Internet Gateway as a bastion host; deploy an EC2 instance in a public subnet for this purpose.
  • It's used for making VPN connections to a VPC is incorrect. You cannot use the Internet Gateway for making VPN connections to a VPC; you need a Virtual Private Gateway for this purpose.

Reference:
Enable internet access for a VPC using an internet gateway (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html)
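The two purposes named in this card (a route-table target for internet-bound traffic, and NAT for instances that have a public IPv4 address) decide together whether an instance can talk to the internet. The following added example, not AWS code and not part of the original flashcard, models a VPC route lookup with longest-prefix match and then classifies how an instance's packet leaves: an instance in a public subnet with no public address has an IGW route but nothing for the gateway to translate, while an instance in a private subnet reaches the internet only through a NAT gateway and can never be contacted from outside. The gateway IDs, CIDRs, addresses and instance names are this example's own assumptions.

```python
"""Model a VPC route lookup to show what the internet gateway does and does
not do: it is the target of the 0.0.0.0/0 route in a public subnet's route
table and performs one-to-one NAT for instances that have a public IPv4
address. An instance in a private subnet reaches the internet only through
a NAT gateway, and nothing on the internet can initiate a connection to it.
Added example, not AWS code; gateway IDs and addresses are made up."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR
    target: str        # "local", "igw-...", or "nat-..."


class RouteTable:
    """Longest-prefix match, as VPC route tables do."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(r.destination), r.target) for r in routes]

    def lookup(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for net, target in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


@dataclass
class Instance:
    private_ip: str
    route_table: RouteTable            # the route table of the instance's subnet
    public_ip: Optional[str] = None    # auto-assigned public IPv4 or Elastic IP


def egress_path(inst, dst_ip):
    """How a packet from the instance to dst_ip leaves the VPC, or why it cannot."""
    target = inst.route_table.lookup(dst_ip)
    if target is None:
        return "no route"
    if target == "local":
        return "local"                  # stays inside the VPC
    if target.startswith("igw-"):
        # The IGW rewrites the private source address to the instance's public
        # IPv4; with no public address there is nothing to translate.
        return "internet via IGW" if inst.public_ip else "unreachable: IGW route but no public IPv4"
    if target.startswith("nat-"):
        # The NAT gateway itself lives in a public subnet with its own Elastic IP.
        return "internet via NAT gateway"
    return target


def internet_can_initiate_to(inst):
    """Unsolicited inbound from the internet needs both an IGW route in the
    subnet and a public IPv4 on the instance (security groups and NACLs permitting)."""
    target = inst.route_table.lookup("203.0.113.1")   # any internet address
    return inst.public_ip is not None and bool(target) and target.startswith("igw-")


VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = RouteTable([Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "igw-0123456789abcdef0")])
PRIVATE_RT = RouteTable([Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "nat-0123456789abcdef0")])
ISOLATED_RT = RouteTable([Route(VPC_CIDR, "local")])

WEB = Instance("10.0.1.10", PUBLIC_RT, public_ip="203.0.113.10")
FORGOT_EIP = Instance("10.0.1.11", PUBLIC_RT)     # public subnet, no public address
DB = Instance("10.0.2.20", PRIVATE_RT)
ISOLATED = Instance("10.0.3.30", ISOLATED_RT)

if __name__ == "__main__":
    for name, inst in [("web", WEB), ("forgot_eip", FORGOT_EIP), ("db", DB), ("isolated", ISOLATED)]:
        print(f"{name:10s} -> internet: {egress_path(inst, '198.51.100.50')}; "
              f"internet can initiate: {internet_can_initiate_to(inst)}")
```

The lookup picks the /16 local route over 0.0.0.0/0 for in-VPC destinations, so the database instance reaches the web server directly while its internet-bound traffic goes through the NAT gateway; the web server is the only instance the internet can open a connection to, because it is the only one with both an IGW route and a public address.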