AWS Interview Question-9

List the components required to build an Amazon VPC.

Ans: Subnet, Internet Gateway, NAT Gateway, Hardware VPN Connection, Virtual Private Gateway, Customer Gateway, Router, Peering Connection, VPC Endpoint for S3, Egress-only Internet Gateway.

Can an EC2 instance inside your VPC connect to an EC2 instance belonging to another VPC?

Ans: Yes, it is possible, provided an Internet Gateway is configured so that traffic bound for EC2 instances running in other VPCs is routed through it.

How do you safeguard your EC2 instances running in a VPC?
  • We can use Security Groups to protect EC2 instances in a VPC.
  • We can configure both INBOUND and OUTBOUND traffic rules in a Security Group, which enables secured access to EC2 instances.
  • A Security Group automatically denies any access that is not explicitly allowed by its rules.

How many EC2 instances can be used in a VPC?

Ans: 20 EC2 instances. The maximum VPC size is 65,536 instances.

How can you monitor network traffic in your VPC?

Ans: It is possible using the Amazon VPC Flow Logs feature.
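
Flow log records are what an engineer actually reads when monitoring VPC traffic, so here is an added example (not part of the original notes) that parses records in the default version 2 format and summarises rejected connections per source address. The log lines, account ID and interface ID are constructed sample data, and the "five or more distinct ports" threshold is an arbitrary choice for the demonstration.

```python
"""Summarise rejected traffic from VPC Flow Log records (default v2 format).

Added example, not part of the original notes. The log lines, account ID and
interface ID below are constructed sample data.
"""
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records: one remote address probing six ports, one single
# rejected SSH attempt, one accepted HTTPS flow and one NODATA record.
SAMPLE_LOG = """\
2 111122223333 eni-0abc12345def67890 198.51.100.7 172.31.16.21 41000 22 6 1 44 1418530010 1418530070 REJECT OK
2 111122223333 eni-0abc12345def67890 198.51.100.7 172.31.16.21 41001 23 6 1 44 1418530010 1418530070 REJECT OK
2 111122223333 eni-0abc12345def67890 198.51.100.7 172.31.16.21 41002 80 6 1 44 1418530010 1418530070 REJECT OK
2 111122223333 eni-0abc12345def67890 198.51.100.7 172.31.16.21 41003 443 6 1 44 1418530010 1418530070 REJECT OK
2 111122223333 eni-0abc12345def67890 198.51.100.7 172.31.16.21 41004 3389 6 1 44 1418530010 1418530070 REJECT OK
2 111122223333 eni-0abc12345def67890 198.51.100.7 172.31.16.21 41005 8080 6 1 44 1418530010 1418530070 REJECT OK
2 111122223333 eni-0abc12345def67890 203.0.113.5 172.31.16.21 52000 22 6 3 180 1418530010 1418530070 REJECT OK
2 111122223333 eni-0abc12345def67890 172.31.16.139 172.31.16.21 20641 443 6 20 4249 1418530010 1418530070 ACCEPT OK
2 111122223333 eni-0abc12345def67890 - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_record(line):
    """Split one record into a dict; '-' fields (NODATA/SKIPDATA) become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    for key in NUMERIC:
        record[key] = None if record[key] == "-" else int(record[key])
    return record


def summarize_rejects(lines):
    """Per source address: number of REJECT records and the distinct destination ports hit."""
    summary = defaultdict(lambda: {"count": 0, "dst_ports": set()})
    for line in lines:
        if not line.strip():
            continue
        record = parse_record(line)
        # Only records that describe real traffic (log-status OK) and were rejected.
        if record["log_status"] != "OK" or record["action"] != "REJECT":
            continue
        entry = summary[record["srcaddr"]]
        entry["count"] += 1
        entry["dst_ports"].add(record["dstport"])
    return dict(summary)


def suspicious_sources(summary, min_ports=5):
    """Sources whose rejected flows touched at least `min_ports` distinct ports,
    a simple indicator of port probing that is worth a closer look."""
    return sorted(src for src, entry in summary.items()
                  if len(entry["dst_ports"]) >= min_ports)


if __name__ == "__main__":
    summary = summarize_rejects(SAMPLE_LOG.splitlines())
    for src, entry in sorted(summary.items()):
        print(f"{src}: {entry['count']} rejected flows to ports {sorted(entry['dst_ports'])}")
    print("sources to investigate:", suspicious_sources(summary))
```

The same functions work on a flow log export pulled from CloudWatch Logs or S3, as long as the log group uses the default record format; a custom format needs the FIELDS tuple adjusted to match.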

Can you establish a peering connection to a VPC in a different REGION?

Ans: Not possible. Peering connections are available only between VPCs in the same region.

Difference between Security Groups and ACLs in a VPC?

Ans: A Security Group defines which traffic is allowed TO or FROM an EC2 instance, whereas an ACL works at the SUBNET level and scrutinizes the traffic TO or FROM a subnet.

Can you connect your VPC with a VPC owned by another AWS account?

Ans: Yes, it is possible. We can provide the connection details to the owner of the other VPC, who can accept your connection request.

What are all the different connectivity options available for your VPC?

Ans: Internet Gateway, Virtual Private Gateway, NAT, Endpoints, Peering Connections.

How does an EC2 instance in a VPC establish a connection with the internet?

Ans: Using either a Public IP or an Elastic IP.

Describe Reserved Instances.

Reserved Instances:

  • Purchase (or agree to purchase) usage of EC2 instances in advance for significant discounts over On-Demand pricing.
  • Provides a capacity reservation when used in a specific AZ.
  • AWS Billing automatically applies the discounted rate when you launch an instance that matches your purchased RI.
  • Capacity is reserved for a term of 1 or 3 years.
  • EC2 has three RI types: Standard, Convertible and Scheduled.
  • Standard = commitment of 1 or 3 years, charged whether the instance is on or off.
  • Scheduled = reserved for specific periods of time; charges accrue hourly and are billed in monthly increments over the term (1 year).
  • RIs are used for steady-state workloads and predictable usage.
  • Ideal for applications that need reserved capacity.
  • You can change the instance size within the same instance type.
  • Instance type modifications are supported for Linux only.
  • You cannot change the instance size of Windows RIs.
  • Billed whether running or not.
  • You can sell reservations on the AWS Marketplace.
  • Can be used in Auto Scaling Groups.
  • Can be used in Placement Groups.
  • Can be shared across multiple accounts within Consolidated Billing.
  • If you don't need your RIs, you can try to sell them on the Reserved Instance Marketplace.

What are the different types of cloud computing by service model?

Ans: PaaS (Platform as a Service), IaaS (Infrastructure as a Service), SaaS (Software as a Service)

What is a Security Group in AWS?

Amazon Web Services provides a broad range of IT infrastructure and cloud computing services.

Every customer needs some degree of security for their workloads, so that network traffic can be filtered properly. For that we use AWS Security Groups.

AWS security groups give us control over the network traffic associated with EC2 instances. In short:

  • A security group acts as a virtual firewall that controls the traffic for EC2 instances.
  • When we launch an instance, we can specify a security group; otherwise, the default security group is used.
  • We can add rules to a security group that allow traffic to or from its instances.
  • If required, we can modify the rules (inbound/outbound) at any time, and the change takes effect immediately.
  • We can run our own firewall on an EC2 instance: in cases where our requirements are not met by security groups, we can add our own firewall on the instance in addition to using security groups.
  • Security groups act as a firewall for associated instances, controlling both inbound and outbound traffic at the instance level.
  • We can add rules to a security group that enable us to connect to our instance from our IP address using SSH.
  • We can also add rules that allow inbound and outbound HTTP and HTTPS access from anywhere.

If you have requirements that are not met by the defined security groups, you can run your own firewall on any of your instances in addition to using security groups.

Now we will learn about Security Groups and their uses step by step:

If a table is frequently used in join queries, which distribution style would you use for it in Redshift?

Answer: KEY. A distribution key is a column that is used to determine the database partition in which a particular row of data is stored. A distribution key is defined on a table using the CREATE TABLE statement. The columns of the unique or primary key are used as the distribution keys.

Which method can be used to disable automated snapshots in Redshift?

Answer : Set the retention period to -1

What is the default retention period for a Kinesis stream?

Answer: 1 day

What is DynamoDB?

DynamoDB is a non-relational database for applications that need performance at any scale.

  • NoSQL managed database service
  • Supports both key-value and document data models
  • It's really fast
    • Consistent responsiveness
    • Single-digit millisecond latency
  • Unlimited throughput and storage
  • Automatic scaling up or down
  • Handles trillions of requests per day
  • ACID transaction support
  • On-demand backups and point-in-time recovery
  • Encryption at rest
  • Data is replicated across multiple Availability Zones
  • Service-level agreement (SLA) of up to 99.999%

What are the non-relational Databases?

The Non-Relational databases are NoSQL databases.
These databases are categorized into four groups:

  • Key-value stores
  • Graph stores
  • Column stores
  • Document stores

List the data types supported by DynamoDB.

DynamoDB supports four scalar data types, and they are:

  • Number
  • String
  • Binary
  • Boolean

DynamoDB supports collection data types such as:

  • Number Set
  • String Set
  • Binary Set
  • Heterogeneous List
  • Heterogeneous Map

2) Is all outbound traffic allowed?

By default, a security group includes an outbound rule that allows all outbound traffic. We can remove the rule and add outbound rules that allow specific outbound traffic only. If our security group has no outbound rules, no outbound traffic originating from our instance will be allowed.

3) Verify whether the statement below is correct or wrong:

Changes to Security Groups take effect immediately.

TRUE.

We have seen that once a Security Group's inbound rules are modified, the change takes effect immediately when we access the instance's URL.

4) Verify whether the statement below is correct or wrong:

You can have any number of EC2 instances within a security group.

TRUE.

We can assign up to five security groups to an instance.

Security groups act at the instance level. Each instance in your VPC can be assigned to a different set of security groups. If we don’t specify any particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

5) Verify whether the statements below are correct or wrong:

Multiple security groups can be attached to EC2 instances.

Ans: TRUE

Security Groups are STATEFUL.

Ans: True

If you create an inbound rule allowing traffic in, that traffic is automatically allowed back out again.

Ans: True

We cannot block specific IP addresses using Security Groups; instead, use Network Access Control Lists.

Ans: True
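
To make the stateful/stateless distinction and the "no deny in a security group" point concrete, here is an added example (not from the original notes) that models both evaluations in Python. It is a simplified model of the behaviour described above, not the AWS implementation: addresses, ports and rule numbers are constructed, and the outbound rule for ephemeral ports (1024-65535) is the usual pattern for letting a subnet's responses leave through a network ACL.

```python
"""Security group (stateful, allow-only) versus network ACL (stateless,
ordered allow/deny) evaluation.

Added example, not from the original notes and not the AWS implementation;
a simplified model. Addresses, ports and rule numbers are constructed.
"""
import ipaddress
from dataclasses import dataclass


def _matches(proto, port, addr, rule):
    """Does (protocol, port, address) fall inside the rule's protocol, port range and CIDR?"""
    return (rule.protocol in (proto, "all")
            and rule.from_port <= port <= rule.to_port
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr))


@dataclass(frozen=True)
class SgRule:
    """A security group rule. There is no action field: rules can only allow."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


class SecurityGroup:
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()  # connection tracking is what makes the group stateful

    def inbound_allowed(self, remote, remote_port, local_port, proto="tcp"):
        if any(_matches(proto, local_port, remote, r) for r in self.inbound):
            self._tracked.add((remote, remote_port, local_port, proto))
            return True
        return False

    def outbound_allowed(self, remote, remote_port, local_port, proto="tcp"):
        # The response to a tracked inbound connection is allowed regardless of
        # the outbound rules; anything else needs an explicit outbound rule.
        if (remote, remote_port, local_port, proto) in self._tracked:
            return True
        return any(_matches(proto, remote_port, remote, r) for r in self.outbound)


@dataclass(frozen=True)
class NaclRule:
    """A network ACL rule: numbered, and it can explicitly deny."""
    number: int
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    action: str  # "allow" or "deny"


class NetworkAcl:
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, proto, port, addr):
        # Lowest rule number first; the first match decides; implicit deny otherwise.
        for rule in rules:
            if _matches(proto, port, addr, rule):
                return rule.action == "allow"
        return False

    def inbound_allowed(self, remote, remote_port, local_port, proto="tcp"):
        return self._evaluate(self.inbound, proto, local_port, remote)

    def outbound_allowed(self, remote, remote_port, local_port, proto="tcp"):
        # Stateless: the response is checked on its own, against its destination
        # (the remote address and the remote side's ephemeral port).
        return self._evaluate(self.outbound, proto, remote_port, remote)


def demo():
    """An HTTPS request from a client, evaluated by both mechanisms."""
    client, client_port = "203.0.113.5", 50000
    sg = SecurityGroup(inbound=[SgRule("tcp", 443, 443, "0.0.0.0/0")],
                       outbound=[])  # every outbound rule removed
    nacl = NetworkAcl(
        inbound=[NaclRule(90, "tcp", 0, 65535, "198.51.100.7/32", "deny"),  # block one address
                 NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")],
        outbound=[NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")])  # ephemeral ports
    nacl_no_return_rule = NetworkAcl(inbound=nacl.inbound, outbound=[])
    return {
        "sg_request": sg.inbound_allowed(client, client_port, 443),
        "sg_response": sg.outbound_allowed(client, client_port, 443),  # stateful: allowed
        "nacl_request": nacl.inbound_allowed(client, client_port, 443),
        "nacl_response": nacl.outbound_allowed(client, client_port, 443),
        "nacl_response_no_ephemeral_rule":
            nacl_no_return_rule.outbound_allowed(client, client_port, 443),  # stateless: dropped
        "nacl_denied_address": nacl.inbound_allowed("198.51.100.7", 50000, 443),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:34} {'ALLOW' if allowed else 'DROP'}")
```

The two results worth dwelling on are `sg_response` (allowed with an empty outbound list, because the security group tracked the connection) and `nacl_response_no_ephemeral_rule` (dropped, because a network ACL evaluates the return packet on its own). The `SgRule` type has no `action` field at all, which is the model's way of expressing why a specific address cannot be blocked with a security group.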

6) How to create a Security Group?

To create a security group using the console:

Step 1: Open the Amazon VPC console.

Step 2: In the navigation pane, choose Security Groups.

Step 3: Choose Create Security Group.

Step 4: Enter a name for the security group and provide a description.

Step 5: The security group is created.

Summary:

  • Open the Amazon EC2 console.
  • From the left navigation bar, select a region for the security group.
  • Click Security Groups in the navigation pane.
  • Click Create Security Group.
  • Enter a name for the new security group and a description.
  • In the VPC list, select your VPC.
  • On the Inbound tab, click Add Rule for each new rule, and then click Create.

7) What are the basic rules for defining the name and description of a security group?

Names and descriptions can be up to 255 characters in length.

Names and descriptions are limited to the following characters: a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.

A security group name cannot start with sg-.

A security group name must be unique within the VPC.
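
A validator that enforces these four rules before a security group is created (for example in a deployment script) is a natural companion to this list. It is an added example, not AWS code; the set of existing names stands in for the groups already present in the VPC and is constructed for the demonstration.

```python
"""Check a security group name and description against the rules listed above.

Added example, not AWS code. `existing_names` stands in for the names already
used in the VPC and is constructed for the demonstration.
"""
import string

MAX_LENGTH = 255
# a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*
ALLOWED_CHARS = frozenset(string.ascii_letters + string.digits + " ._-:/()#,@[]+=&;{}!$*")


def validate_description(text, label="description"):
    """Length and character-set rules, shared by names and descriptions."""
    errors = []
    if len(text) > MAX_LENGTH:
        errors.append(f"{label} is {len(text)} characters; maximum is {MAX_LENGTH}")
    disallowed = sorted({ch for ch in text if ch not in ALLOWED_CHARS})
    if disallowed:
        errors.append(f"{label} contains disallowed characters: {''.join(disallowed)!r}")
    return errors


def validate_name(name, existing_names=()):
    """All description rules plus the two that apply only to names."""
    errors = validate_description(name, label="name")
    if name.startswith("sg-"):
        errors.append("name cannot start with 'sg-'")
    if name in existing_names:
        errors.append(f"name {name!r} already exists in this VPC")
    return errors


def validate_group(name, description, existing_names=()):
    """Every problem found, or an empty list when the pair is acceptable."""
    return validate_name(name, existing_names) + validate_description(description)


if __name__ == "__main__":
    existing = {"web-tier", "db-tier"}  # constructed: names already present in the VPC
    for candidate in ("app-tier", "sg-app", "web-tier", "app tier <prod>"):
        problems = validate_group(candidate, "Allows HTTPS from the load balancer", existing)
        print(f"{candidate!r}: {'ok' if not problems else '; '.join(problems)}")
```

Collecting every violation instead of stopping at the first one lets a pipeline report all problems with a proposed group in a single run.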

8) How to delete a rule using the console?

Step 1: Open the Amazon console

Step 2: In the navigation pane, choose Security Groups.

Step 3: Select the security group to update.

Step 4: Choose Actions, Edit inbound rules or Actions, Edit outbound rules.

Step 5: Choose the Delete button next to the rule that you want to delete.

Step 6: Choose Save rules.

9) How to update a rule using the console?

Step 1: Open the Amazon console

Step 2: In the navigation pane, choose Security Groups.

Step 3: Select the security group to update.

Step 4: Choose Actions, Edit inbound rules or Actions, Edit outbound rules.

Step 5: Modify the rule entry as required.

Step 6: Choose Save rules.

Amazon EBS is like a hard drive in the cloud that gives persistent block storage volumes for use with Amazon EC2 instances.

EBS volumes can be attached to EC2 instances and we can create a file system on top of these volumes. In this chapter, we will learn about EBS Volumes.

What is EBS?

Amazon Elastic Block Store (EBS) provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud.

Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability.

We can use EBS volumes as primary storage for data that requires frequent updates. After a volume is attached to an instance, we can use it like any other physical hard drive. EBS volumes are flexible.

If we delete an EC2 instance, the volumes attached to that EC2 instance are deleted.

What are the different types of EBS Storages?

Ans: There are 5 different types of EBS storage:

  • General Purpose (SSD)
  • Provisioned IOPS (SSD)
  • Throughput Optimized Hard Disk Drive
  • Cold Hard Disk Drive
  • Magnetic

Difference between these EBS Volume types:

Now we will learn about EBS Volume creation.

Methods of Creating a Volume

  1. Create and attach EBS volumes when you launch instances by specifying a block device mapping.
  2. You can restore volumes from previously created snapshots.
  3. Create an EBS volume and attach it to a running instance.

Let's learn Method 1 now. The remaining methods will be discussed later.

Method 1: Create and attach EBS volumes when you launch instances by specifying a block device mapping.

Step 1: Open the Amazon EC2 console and create an EC2 instance (follow steps 1 to 6 in EC2 Creation, Chapter 1).

Step 2: Add Storage. We can select any volume type and set the storage size based on our needs. By clicking ADD NEW VOLUME, a new volume can be added.

Step 3: Fill in the next steps and launch the EC2 instance.

Step 4: Navigate to the Volumes tab and verify the added volumes.

Now we can modify the volume size as required. Suppose we have to increase the size of an io1 volume: navigate to Actions -> Modify Volume and perform the actions.

Once we modify the volume size, we get a message saying that it will take some time for the change to be reflected.

Now refresh the page and check whether the size has increased.

So we have created EBS volumes while launching an EC2 instance.

Q) Suppose we have to move volumes to a different Availability Zone, e.g. us-west-1c. How do we do it?

Solution: There are two ways to solve this problem.

Way 1:

Step 1: Create a snapshot first.

Note: A snapshot is a photocopy of the disk. In detail:

An EBS snapshot is a point-in-time copy of your Amazon EBS volume, which is lazily copied to Amazon Simple Storage Service (S3). EBS snapshots are incremental copies of data: only the unique blocks of EBS volume data that have changed since the last EBS snapshot are stored in the next EBS snapshot.

Navigate to Volumes and click Actions -> Create Snapshot.

The snapshot is created and we can see it under Snapshots.

Step 2: Now we will create an image which will be deployed in a different Availability Zone:

We can see the created images under the AMIs tab.

Step 3: Now click Launch and create an EC2 instance.

Next:

Change the subnet to one in a different Availability Zone:

In this way, we can move volumes to a different AZ.

Now continue with the remaining steps and launch the EC2 instance.

We can see that one EC2 instance is created in a different zone, i.e. us-west-1c.

Way 2:

Alternatively, we can copy the AMI image to a different region.

Navigate to AMIs and then to Actions -> Copy AMI.

We can change the destination region based on our requirement. In this way, an EC2 instance is copied from one region to another.

So we have discussed both ways to move volumes to a different AZ.

After this lab, let's delete all EC2 instances, volumes, snapshots and images.

Q) If a user terminates an EC2 instance, will all volumes linked to that EC2 instance be deleted?

Ans: No. Let's understand it this way. We have terminated the EC2 instance.

Let's navigate to Volumes and check whether all volumes are deleted.

The additional volumes that were added during EC2 creation are not deleted. We have to delete the additional volumes manually.

Now delete all volumes.

All volumes will be deleted.

Your software developers require an easy way to launch new instances that are customized with developer tools and settings. What should you do?

Ans – Create a custom AMI

Question: What service is aligned to the elasticity value proposition at AWS?

Ans – Auto-scaling

Q) How to delete a snapshot?

Navigate to Snapshots and delete.

Before deleting a snapshot, we must delete the AMI images.

Navigate to AMIs -> Images and delete the images.

Now we can delete the snapshot.

Difference between EBS and Instance Store:

As we know, we can select an AMI based on the following parameters:

  1. Region (Regions and Availability Zones)
  2. Operating system
  3. Architecture
  4. Launch Permissions
  5. Storage for the Root Device

There are 2 types of storage for the root device:

a) Instance Store

b) EBS Backed Volumes

For instance store volumes: the root device of an instance launched from the AMI is an instance store volume if it is created from a template (stored in Amazon S3).

For EBS volumes: the root device of an instance launched from the AMI is an Amazon EBS volume if it is created from an Amazon EBS snapshot.

Let's practice this.

Step 1: Create an EC2 instance following the steps defined in Chapter 1, EC2 instance creation.

Step 2: Create a 2nd instance: click Community AMIs and select EBS under Root device type.

Next, add storage.

Complete the remaining steps and launch the instance.

This instance cannot be stopped.

Now we can terminate all instances.

************************************************************************

How can we encrypt the Root Device Volume?

We can encrypt the root device volume in the following way:

Step 1: Launch an EC2 instance and navigate to the Add Storage tab. We can see that Encryption has the default value Not Encrypted, which cannot be changed.

Once the instance is created, navigate to Volumes:

It shows that it is Not Encrypted.

Step 2: Create a snapshot:

We can see that it is not encrypted.

Step 3: Now we will copy this snapshot and enable the Encrypt option for the copy.

Now we can see the encrypted snapshot:

Step 4: Create an image.

The image is created under AMIs.

Now we can launch an instance and check whether it accepts encrypted storage.

It is encrypted, and an error message is thrown if we try to select Not Encrypted.

Important facts about AWS EBS volume encryption:

  • The root volume cannot be selected for encryption during instance launch.
  • A non-root volume can be encrypted during launch or after launch.
  • The root volume cannot be encrypted after the launch of an instance without creating a snapshot of it.

Points to remember:

  • Volumes exist on EBS. Consider EBS as a virtual hard disk.
  • Snapshots exist on S3. Consider snapshots as a photograph of the disk.
  • Snapshots are point-in-time copies of volumes.
  • Snapshots are incremental: only the blocks that have changed since your last snapshot are moved to S3.
  • To create a snapshot of an Amazon EBS volume that serves as a root device, you should stop the instance before taking the snapshot.
  • However, you can take a snapshot while the instance is running.
  • You can create AMIs from both volumes and snapshots.
  • You can change EBS volumes on the fly, including changing the size and storage type.
  • Volumes will ALWAYS be in the same Availability Zone as the EC2 instance.
  • To move an EC2 volume from one AZ to another, take a snapshot of it, create an AMI from the snapshot and then use the AMI to launch the EC2 instance in the new AZ.
  • To move an EC2 volume from one region to another, take a snapshot of it, create an AMI from the snapshot and then copy the AMI from one region to the other. Then use the copied AMI to launch the new EC2 instance in the new region.
  • Instance store volumes are sometimes called ephemeral storage.
  • Instances backed by instance store volumes cannot be stopped. If the underlying host fails, you will lose your data.
  • EBS-backed instances can be stopped. You will not lose the data on this instance if it is stopped.
  • You can reboot both; you will not lose your data.
  • By default, both ROOT volumes will be deleted on termination. However, with EBS volumes, you can tell AWS to keep the root device volume.
  • Snapshots of encrypted volumes are encrypted automatically.
  • Volumes restored from encrypted snapshots are encrypted automatically.
  • Snapshots can be shared, but only if they are unencrypted.
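
The snapshot facts in this list (point-in-time, incremental, used to move a volume to another AZ) and the encryption propagation rules at its end are easiest to see in a small model, which also covers the snapshot note in the "Way 1" walkthrough earlier. The following is an added example, not from the original notes and not the EBS implementation: a simplified in-memory model in which a volume is a map of block index to data, a snapshot stores only the blocks that changed since the previous snapshot of the same volume, and the encrypted flag follows the rules above. Volume and snapshot IDs are constructed placeholders.

```python
"""Toy model of EBS snapshots: incremental block storage, restoring into
another Availability Zone, and how the encrypted flag propagates.

Added example, not from the original notes and not the EBS implementation.
A volume is a dict of block index -> bytes; a snapshot keeps only the blocks
that changed since the previous snapshot of the same volume. IDs are
constructed placeholders.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional

_ids = itertools.count(1)


@dataclass
class Volume:
    az: str
    blocks: Dict[int, bytes]
    encrypted: bool = False
    volume_id: str = field(default_factory=lambda: f"vol-demo{next(_ids):04d}")


@dataclass
class Snapshot:
    snapshot_id: str
    parent: Optional["Snapshot"]
    changed_blocks: Dict[int, bytes]  # only the blocks that differ from the parent
    encrypted: bool


class SnapshotStore:
    def __init__(self):
        self.last_snapshot_of: Dict[str, Snapshot] = {}

    @staticmethod
    def resolve(snap):
        """Rebuild the full block map by applying the chain oldest-first."""
        chain = []
        while snap is not None:
            chain.append(snap)
            snap = snap.parent
        blocks = {}
        for s in reversed(chain):
            blocks.update(s.changed_blocks)
        return blocks

    def create_snapshot(self, volume):
        """Point-in-time copy; a snapshot of an encrypted volume is encrypted."""
        parent = self.last_snapshot_of.get(volume.volume_id)
        base = self.resolve(parent) if parent else {}
        changed = {i: data for i, data in volume.blocks.items() if base.get(i) != data}
        snap = Snapshot(f"snap-demo{next(_ids):04d}", parent, changed, volume.encrypted)
        self.last_snapshot_of[volume.volume_id] = snap
        return snap

    def copy_snapshot(self, snap, encrypted=None):
        """Copy a snapshot; encryption can be enabled on the copy, never removed."""
        if encrypted is None:
            encrypted = snap.encrypted
        if snap.encrypted and not encrypted:
            raise ValueError("an encrypted snapshot cannot be copied to an unencrypted one")
        # The copy is self-contained: it starts a new chain holding the full block map.
        return Snapshot(f"snap-demo{next(_ids):04d}", None, self.resolve(snap), encrypted)

    def restore(self, snap, az):
        """New volume in any AZ (this is how a volume is 'moved'); it inherits encryption."""
        return Volume(az=az, blocks=dict(self.resolve(snap)), encrypted=snap.encrypted)


def demo():
    store = SnapshotStore()
    vol = Volume(az="us-west-1a", blocks={0: b"boot", 1: b"data-v1", 2: b"logs"})
    snap1 = store.create_snapshot(vol)             # first snapshot stores every block
    vol.blocks[1] = b"data-v2"                      # one block changes afterwards
    snap2 = store.create_snapshot(vol)              # incremental: only block 1 stored
    moved = store.restore(snap2, az="us-west-1c")   # same data, different AZ
    encrypted_copy = store.copy_snapshot(snap2, encrypted=True)
    encrypted_vol = store.restore(encrypted_copy, az="us-west-1c")
    return {
        "snap1_blocks_stored": len(snap1.changed_blocks),
        "snap2_blocks_stored": len(snap2.changed_blocks),
        "moved_az": moved.az,
        "moved_matches_source": moved.blocks == vol.blocks,
        "copy_encrypted": encrypted_copy.encrypted,
        "restored_volume_encrypted": encrypted_vol.encrypted,
        "snapshot_of_encrypted_volume_encrypted": store.create_snapshot(encrypted_vol).encrypted,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The second snapshot stores one block rather than three, which is the incremental behaviour the list describes, and the restore into us-west-1c reproduces the source volume block for block. The encryption path mirrors the root-volume procedure above: the unencrypted snapshot is copied with encryption enabled, and everything derived from that copy stays encrypted.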

QUESTION and ANSWER:

What are the benefits of using EBS volumes?

Ans: EBS volumes provide many benefits that are not supported by instance store volumes.

  1. Data availability: When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone to prevent data loss due to failure of any single hardware component.

We can attach an EBS volume to one instance only, but a single instance can have multiple volumes attached. If multiple volumes are attached to a single instance, we can stripe data across the volumes for increased I/O and throughput performance.

  2. Data encryption: We can create encrypted EBS volumes with the Amazon EBS encryption feature. We can use encrypted EBS volumes to meet a wide range of data-at-rest encryption requirements.
  3. Snapshots: Amazon EBS gives us the ability to create snapshots of any EBS volume and write a copy of the data in the volume to Amazon S3, where it is stored in multiple Availability Zones.