What is a NACL (Network ACL) in AWS?
Stateless firewall for subnets; controls inbound/outbound traffic; evaluated by rules; good for controlling access at the subnet level
How do you "access trusted IPs" in AWS networking?
Use security groups or NACLs to allow only specific IP addresses; whitelisting trusted IPs
What is a firewall in AWS context?
Controls network traffic; can be Security Groups (stateful) or NACLs (stateless)
What is an Elastic IP address?
Public IPv4 that can be attached to AWS resources; static IP for dynamic cloud resources
Difference between NLB and ALB?
NLB = Layer 4 TCP/UDP, ultra-high performance, preserves source IP; ALB = Layer 7 HTTP/HTTPS, supports path/host-based routing, advanced web features
Elastic IP vs Static IP?
Elastic IP = AWS-managed public IPv4 that you can remap; Static IP = general term, may be fixed outside AWS
What is geoproximity routing in AWS Route 53?
Route traffic based on geographic location and optionally shift traffic by bias; helps reduce latency and comply with regulations
What is weighted routing in AWS Route 53?
Distribute traffic across resources based on assigned weights; useful for testing or partial deployment
VPC IPv4 vs IPv6 usage?
IPv4 = standard private/public IP; IPv6 = globally unique, allows dual-stack (both v4 and v6) in subnets; choose based on internet accessibility and address needs
You are designing a VPC subnet that hosts a set of web servers. You want to allow inbound HTTP traffic from the public internet, but also restrict SSH access to only your corporate office IP addresses. Which AWS features should you use?
A) NACL for HTTP, Security Group for SSH
B) Security Group for HTTP, NACL for SSH
C) Security Group for both HTTP and SSH, allow only corporate IPs in rules
D) NACL for both HTTP and SSH
Answer: C – Security Groups are stateful and easier for instance-level access control; you can restrict SSH to specific IPs and allow HTTP publicly. NACLs are stateless and optional.
You need to host a public-facing application on EC2 and require a fixed IP address that won’t change if you stop/start the instance. Which is the best option?
A) Public IPv4 automatically assigned by AWS
B) Elastic IP
C) Private IPv4 with NAT
D) IPv6 auto-assigned
Answer: B – Elastic IP is static and can be reassigned; public IPv4 changes if the instance is stopped.
Your application serves HTTP traffic globally. You need host-based routing for multiple microservices, SSL termination, and session stickiness. Which load balancer should you choose?
A) Classic Load Balancer (CLB)
B) Network Load Balancer (NLB)
C) Application Load Balancer (ALB)
D) Gateway Load Balancer
Answer: C – ALB is Layer 7, supports host/path-based routing, SSL termination, and stickiness. NLB is Layer 4 and does not have these features.
Your company wants users in the US to access US servers and users in Europe to access European servers. Additionally, you want 20% of traffic in each region to go to a new test instance. Which routing configurations accomplish this?
A) Geoproximity routing + weighted routing
B) Latency-based routing + failover routing
C) Weighted routing only
D) Simple routing
Answer: A – Geoproximity directs users by location; weighted routing splits traffic percentages to test instances.