[Amazon] SAP-C02 - Solution Architect Professional Exam Dumps & Study Guide

Free [Amazon] SAP-C02 - Solution Architect Professional Practice Questions Preview

• Question 1

  A company needs to architect a hybrid DNS solution. This solution will use an Amazon Route 53 private hosted zone for the domain cloud.example.com for the resources stored within VPCs.
  The company has the following DNS resolution requirements:
  On-premises systems should be able to resolve and connect to cloud.example.com.
  All VPCs should be able to resolve cloud.example.com.
  There is already an AWS Direct Connect connection between the on-premises corporate network and AWS Transit Gateway.
  Which architecture should the company use to meet these requirements with the HIGHEST performance?

  • A. Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.
  • B. Associate the private hosted zone to all the VPCs. Deploy an Amazon EC2 conditional forwarder in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the conditional forwarder.
  • C. Associate the private hosted zone to the shared services VPCreate a Route 53 outbound resolver in the shared services VPAttach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the outbound resolver.
  • D. Associate the private hosted zone to the shared services VPC. Create a Route 53 inbound resolver in the shared services VPC. Attach the shared services VPC to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.

  Correct Answer: A

  Explanation:

  The recommended answer is A. Associate the private hosted zone to all the VPCs. Create a Route 53 inbound resolver in the shared services VPC. Attach all VPCs to the transit gateway and create forwarding rules in the on-premises DNS server for cloud.example.com that point to the inbound resolver.

  Reasoning: This architecture provides the highest performance by leveraging Route 53's capabilities. * Association of Private Hosted Zone to All VPCs: This ensures that all VPCs can directly resolve DNS records within the `cloud.example.com` zone without needing to traverse additional hops or resolvers within the VPCs. * Route 53 Inbound Resolver: An inbound resolver in the shared services VPC efficiently handles DNS resolution requests from on-premises systems. These requests are forwarded to Route 53, which then resolves them using the private hosted zone. This setup offers low latency and high availability for DNS resolution. * Transit Gateway and Forwarding Rules: The Transit Gateway enables seamless connectivity between the on-premises network and all VPCs. The forwarding rules on the on-premises DNS server direct queries for `cloud.example.com` to the inbound resolver. Why other options are not chosen: * Option B: Using an EC2 conditional forwarder (B) introduces an extra hop in the DNS resolution path compared to using Route 53 inbound resolver. This can lead to slightly increased latency and is less efficient compared to the optimized Route 53 service. * Options C and D: These options incorrectly associate the private hosted zone with only the shared services VPC, which means that the DNS resolution would not work directly from other VPCs. This configuration will not meet the requirement for all VPCs to be able to resolve `cloud.example.com`. Also, Route 53 outbound resolver is usually used for on-premise systems to resolve AWS resources, not for the hybrid architecture.

  • AWS Documentation: Private Hosted Zones
  • AWS Documentation: Transit Gateway

• Question 2

  A company is providing weather data over a REST-based API to several customers. The API is hosted by Amazon API Gateway and is integrated with different AWS Lambda functions for each API operation. The company uses Amazon Route 53 for DNS and has created a resource record of weather.example.com. The company stores data for the API in Amazon DynamoDB tables. The company needs a solution that will give the API the ability to fail over to a different AWS Region.
  Which solution will meet these requirements?

  • A. Deploy a new set of Lambda functions in a new Region. Update the API Gateway API to use an edge-optimized API endpoint with Lambda functions from both Regions as targets. Convert the DynamoDB tables to global tables.
  • B. Deploy a new API Gateway API and Lambda functions in another Region. Change the Route 53 DNS record to a multivalue answer. Add both API Gateway APIs to the answer. Enable target health monitoring. Convert the DynamoDB tables to global tables.
  • C. Deploy a new API Gateway API and Lambda functions in another Region. Change the Route 53 DNS record to a failover record. Enable target health monitoring. Convert the DynamoDB tables to global tables.
  • D. Deploy a new API Gateway API in a new Region. Change the Lambda functions to global functions. Change the Route 53 DNS record to a multivalue answer. Add both API Gateway APIs to the answer. Enable target health monitoring. Convert the DynamoDB tables to global tables.

  Correct Answer: C

  Explanation:

  The best solution is C: Deploy a new API Gateway API and Lambda functions in another Region. Change the Route 53 DNS record to a failover record. Enable target health monitoring. Convert the DynamoDB tables to global tables.

  Reasoning:

  This answer is correct because it provides a comprehensive failover solution. By deploying a new API Gateway API and Lambda functions in another Region, the application is duplicated for redundancy. The critical part is using Route 53's failover record type with health checks. This configuration ensures that Route 53 automatically redirects traffic to the secondary Region if the primary Region becomes unavailable. Health checks continuously monitor the primary Region's health, and upon detecting a failure, the DNS record is updated to point to the secondary Region. Additionally, converting DynamoDB tables to global tables ensures that the data is replicated across Regions, maintaining data consistency during failover.

  Why other options are incorrect:

  • Option A is incorrect because edge-optimized API endpoints in API Gateway are designed for global distribution and low latency by leveraging CloudFront. While they can improve performance for geographically dispersed users, they do not inherently provide regional failover capabilities. Simply using Lambda functions from both Regions as targets for the API Gateway does not guarantee automatic failover in case of a regional outage.
  • Option B is incorrect because using a multivalue answer in Route 53 is designed for load balancing across multiple healthy endpoints. While it distributes traffic, it doesn't provide a guaranteed failover mechanism. If one API Gateway API becomes unhealthy, Route 53 might still direct some traffic to it until Route 53 detects the failure which might take some time based on the health check configuration. Failover records are specifically designed to switch all traffic to a healthy secondary endpoint immediately upon detecting a failure in the primary.
  • Option D is incorrect because Lambda functions are regional and cannot be directly converted to "global functions." Similar to option B, using a multivalue answer in Route 53 is not the correct approach for failover.

  In summary, option C provides the most robust and reliable solution for regional failover by utilizing Route 53 failover records and DynamoDB global tables.

  • Route 53 Failover, https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html
  • DynamoDB Global Tables, https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/globaltables.html

• Question 3

  A company uses AWS Organizations with a single OU named Production to manage multiple accounts. All accounts are members of the Production OU. Administrators use deny list SCPs in the root of the organization to manage access to restricted services.
  The company recently acquired a new business unit and invited the new unit’s existing AWS account to the organization. Once onboarded, the administrators of the new business unit discovered that they are not able to update existing AWS Config rules to meet the company’s policies.
  Which option will allow administrators to make changes and continue to enforce the current policies without introducing additional long-term maintenance?

  • A. Remove the organization’s root SCPs that limit access to AWS Config. Create AWS Service Catalog products for the company’s standard AWS Config rules and deploy them throughout the organization, including the new account.
  • B. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the new account to the Production OU when adjustments to AWS Config are complete.
  • C. Convert the organization’s root SCPs from deny list SCPs to allow list SCPs to allow the required services only. Temporarily apply an SCP to the organization’s root that allows AWS Config actions for principals only in the new account.
  • D. Create a temporary OU named Onboarding for the new account. Apply an SCP to the Onboarding OU to allow AWS Config actions. Move the organization’s root SCP to the Production OU. Move the new account to the Production OU when adjustments to AWS Config are complete.

  Correct Answer: D

  Explanation:

  The best approach to solve the problem is to use a temporary OU to grant the necessary permissions for AWS Config modifications, then move the account to the production OU. Therefore, option D is the most suitable answer.

  Reasoning:

  • Option D: Creating a temporary OU named "Onboarding" allows administrators to apply a specific SCP that permits AWS Config actions *only* to the new account. Moving the existing root SCP to the Production OU ensures that the restrictive policies are still enforced for the existing accounts. Once the AWS Config adjustments are complete, the new account can be moved to the Production OU. This solution aligns with the requirement of making changes while maintaining existing policies and avoiding long-term maintenance overhead.

  Why other options are not suitable:

  • Option A: Removing the root SCPs entirely is risky and violates the requirement to continue enforcing current policies. Creating Service Catalog products introduces a long-term maintenance overhead as new rules would require new products and deployments.
  • Option B: While creating a temporary OU allows for granting Config access, simply moving the account to the Production OU after adjustments doesn't address the root cause, as the root SCP will continue to deny access. The new business unit administrators will face the same problem again.
  • Option C: Converting deny list SCPs to allow list SCPs is a complex and potentially disruptive change that requires a thorough understanding of all services used in the organization. It introduces significant overhead and increases the risk of accidentally blocking necessary services. Temporarily applying an SCP that allows Config actions only for principals in the new account still leaves the root deny SCPs in place which will override the allowed actions. This is because deny rules always take precedence.

  The key is to allow modification only for the new account during onboarding without affecting other accounts and without introducing long-term complexity. Option D achieves this by using temporary OU and moving the root SCP to the production OU.

  In summary, option D is the recommended approach because it provides a balance between enabling the new business unit to make necessary changes to AWS Config rules and maintaining the company's existing security policies without introducing excessive administrative overhead.

  • AWS Organizations, https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html
  • Service control policies (SCPs), https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

• Question 4

  A company is running a two-tier web-based application in an on-premises data center. The application layer consists of a single server running a stateful application. The application connects to a PostgreSQL database running on a separate server. The application’s user base is expected to grow significantly, so the company is migrating the application and database to AWS. The solution will use Amazon Aurora PostgreSQL, Amazon EC2 Auto Scaling, and Elastic Load Balancing.
  Which solution will provide a consistent user experience that will allow the application and database tiers to scale?

  • A. Enable Aurora Auto Scaling for Aurora Replicas. Use a Network Load Balancer with the least outstanding requests routing algorithm and sticky sessions enabled.
  • B. Enable Aurora Auto Scaling for Aurora writers. Use an Application Load Balancer with the round robin routing algorithm and sticky sessions enabled.
  • C. Enable Aurora Auto Scaling for Aurora Replicas. Use an Application Load Balancer with the round robin routing and sticky sessions enabled.
  • D. Enable Aurora Scaling for Aurora writers. Use a Network Load Balancer with the least outstanding requests routing algorithm and sticky sessions enabled.

  Correct Answer: C

  Explanation:

  The best solution is C. Enable Aurora Auto Scaling for Aurora Replicas. Use an Application Load Balancer with the round robin routing and sticky sessions enabled.

  Reasoning:

  This solution addresses both the database and application scaling requirements while maintaining a consistent user experience.

  1. Aurora Auto Scaling for Replicas: Aurora Auto Scaling for read replicas allows the database to scale its read capacity based on demand. This is crucial as the user base grows, ensuring that the database can handle increased read requests without performance degradation. Since the application is expected to grow significantly, scaling read replicas is the appropriate action.

  2. Application Load Balancer (ALB) with Round Robin and Sticky Sessions: An Application Load Balancer is suitable for load balancing HTTP/HTTPS traffic, which is typical for web applications. Using the round robin routing algorithm distributes traffic evenly across the available application servers (EC2 instances in this case). Importantly, enabling sticky sessions (also known as session affinity) ensures that a user's requests are consistently routed to the same application server for the duration of their session. This is critical for stateful applications, as it prevents data loss or inconsistencies that could occur if a user's session is switched between different servers. This maintains a consistent user experience. Also, sticky sessions are the best option to keep a consistent user experience.

  Why other options are not suitable:

  • A and D: Network Load Balancers (NLB) operate at Layer 4 (TCP/UDP) and do not natively support features like round robin routing or sticky sessions based on application-level cookies. While NLBs offer high performance and low latency, they are not the best choice for maintaining session affinity for stateful web applications. Using 'least outstanding requests' is less suitable than round robin for distributing new sessions evenly, especially when combined with sticky sessions.
  • B and D: Aurora Auto Scaling does not directly apply to the primary writer instance. Aurora primarily scales read capacity using replicas. While you can scale the writer instance manually or through other automation, the term "Aurora Auto Scaling for writers" is misleading in the context of the options provided.

  Therefore, option C is the most suitable choice because it correctly leverages Aurora Auto Scaling for read replicas and an ALB with sticky sessions to provide a scalable and consistent user experience for the web application.

  Citations:

  • AWS Documentation on Aurora Auto Scaling, https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/Aurora.Managing.AutoScaling.html
  • AWS Documentation on Application Load Balancers, https://docs.aws.amazon.com/elasticloadbalancing/latest/application/introduction.html
  • AWS Documentation on Network Load Balancers, https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html

• Question 5

  A company uses a service to collect metadata from applications that the company hosts on premises. Consumer devices such as TVs and internet radios access the applications. Many older devices do not support certain HTTP headers and exhibit errors when these headers are present in responses. The company has configured an on-premises load balancer to remove the unsupported headers from responses sent to older devices, which the company identified by the User-Agent headers.
  The company wants to migrate the service to AWS, adopt serverless technologies, and retain the ability to support the older devices. The company has already migrated the applications into a set of AWS Lambda functions.
  Which solution will meet these requirements?

  • A. Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a CloudFront function to remove the problematic headers based on the value of the User-Agent header.
  • B. Create an Amazon API Gateway REST API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Modify the default gateway responses to remove the problematic headers based on the value of the User-Agent header.
  • C. Create an Amazon API Gateway HTTP API for the metadata service. Configure API Gateway to invoke the correct Lambda function for each type of request. Create a response mapping template to remove the problematic headers based on the value of the User-Agent. Associate the response data mapping with the HTTP API.
  • D. Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a Lambda@Edge function that will remove the problematic headers in response to viewer requests based on the value of the User-Agent header.

  Correct Answer: A

  Explanation:

  The best solution is A: Create an Amazon CloudFront distribution for the metadata service. Create an Application Load Balancer (ALB). Configure the CloudFront distribution to forward requests to the ALB. Configure the ALB to invoke the correct Lambda function for each type of request. Create a CloudFront function to remove the problematic headers based on the value of the User-Agent header.

  Reasoning:

  • Why A is the best choice: This solution leverages CloudFront functions, which are designed for lightweight tasks like header manipulation. CloudFront functions execute closer to the viewer, resulting in lower latency and reduced cost compared to Lambda@Edge. Using CloudFront allows for caching of the metadata, improving performance for supported devices. This approach aligns with the requirement to efficiently handle older devices while leveraging serverless technologies.
  • Why B is not the best choice: While API Gateway can invoke Lambda functions, modifying default gateway responses based on the User-Agent header is not the intended use case and may introduce complexity and potential performance issues. The question requires the use of serverless technology, which API Gateway provides. However, it is not efficient enough to remove the header based on User-Agent header.
  • Why C is not the best choice: Although API Gateway HTTP APIs are cost-effective, response mapping templates might not offer the flexibility to remove specific headers based on the User-Agent. This option might also introduce complexities similar to option B.
  • Why D is not the best choice: Lambda@Edge functions can modify response headers, but they incur higher latency and cost compared to CloudFront functions for simple tasks like header manipulation. Since the requirement specifies the use of the serverless technology, and CloudFront function is more cost-effective.

  In summary, option A is the most efficient and cost-effective solution because it uses CloudFront Functions. CloudFront Functions is faster and cheaper than Lambda@Edge.

  Citations:

  • CloudFront Functions, https://aws.amazon.com/cloudfront/features/cloudfront-functions/
  • Lambda@Edge, https://aws.amazon.com/lambda/edge/

• Question 6

  A retail company needs to provide a series of data files to another company, which is its business partner. These files are saved in an Amazon S3 bucket under Account A, which belongs to the retail company. The business partner company wants one of its IAM users, User_DataProcessor, to access the files from its own AWS account (Account B).
  Which combination of steps must the companies take so that User_DataProcessor can access the S3 bucket successfully? (Choose two.)

  • A. Turn on the cross-origin resource sharing (CORS) feature for the S3 bucket in Account A.
  • B. In Account A, set the S3 bucket policy to the following:
  • C. In Account A, set the S3 bucket policy to the following:
  • D. In Account B, set the permissions of User_DataProcessor to the following:
  • E. In Account B, set the permissions of User_DataProcessor to the following:

  Correct Answer: C

  Explanation:

  The correct answers are C and D. Here's why:

  Reasoning for choosing C: The S3 bucket policy in Account A (the retail company's account) needs to explicitly grant access to Account B's IAM user (User_DataProcessor). The policy provided in option C correctly does this by: * Using "Effect": "Allow" to grant permission. * Specifying the "Principal": {"AWS": "arn:aws:iam::AccountB-ID:user/User_DataProcessor"} to identify the specific IAM user in Account B that is being granted access. AccountB-ID must be replaced with the actual AWS account ID of Account B. * Using "Action": "s3:GetObject" to allow the user to download (get) objects from the bucket. * Using "Resource": "arn:aws:s3:::bucketname/*" to specify that the permission applies to all objects within the specified bucket. bucketname must be replaced with the actual name of the S3 bucket.

  Reasoning for choosing D: While the bucket policy (option C) grants permission, the IAM user in Account B also needs an IAM policy that allows them to perform the actions specified in the bucket policy. Option D provides an IAM policy for User_DataProcessor in Account B that: * Uses "Effect": "Allow" to grant permission. * Specifies the "Action": "s3:GetObject" which aligns with action defined in bucket policy. * Uses "Resource": "arn:aws:s3:::bucketname/*" to specify that the permission applies to all objects within the specified bucket. bucketname must be replaced with the actual name of the S3 bucket.

  Reasoning for not choosing A: Cross-Origin Resource Sharing (CORS) is a mechanism that allows web pages from one domain to access resources from a different domain. It is relevant for web browsers and JavaScript code running in a browser, not for IAM users accessing S3 buckets directly. Therefore, CORS is not used for cross-account access in this scenario.

  Reasoning for not choosing B: The policy provided in option B grants access to 'ALL' AWS principals, which is a security risk and is generally not recommended. It is better to grant access to specific principals.

  Reasoning for not choosing E: The "Resource" section in option E is configured to allow the user to access all the S3 buckets owned by Account A. This is a bad practice, we should always follow the least privilege principle.

  • AWS Documentation on S3 Bucket Policies: https://docs.aws.amazon.com/AmazonS3/latest/userguide/add-bucket-policy.html
  • AWS Documentation on IAM Policies: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
  • AWS Documentation on Cross-Account Access: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html

• Question 7

  A company is running a traditional web application on Amazon EC2 instances. The company needs to refactor the application as microservices that run on containers. Separate versions of the application exist in two distinct environments: production and testing. Load for the application is variable, but the minimum load and the maximum load are known. A solutions architect needs to design the updated application with a serverless architecture that minimizes operational complexity.
  Which solution will meet these requirements MOST cost-effectively?

  • A. Upload the container images to AWS Lambda as functions. Configure a concurrency limit for the associated Lambda functions to handle the expected peak load. Configure two separate Lambda integrations within Amazon API Gateway: one for production and one for testing.
  • B. Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Container Service (Amazon ECS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the ECS clusters.
  • C. Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Kubernetes Service (Amazon EKS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the EKS clusters.
  • D. Upload the container images to AWS Elastic Beanstalk. In Elastic Beanstalk, create separate environments and deployments for production and testing. Configure two separate Application Load Balancers to direct traffic to the Elastic Beanstalk deployments.

  Correct Answer: B

  Explanation:

  The best solution is B: Upload the container images to Amazon Elastic Container Registry (Amazon ECR). Configure two auto scaled Amazon Elastic Container Service (Amazon ECS) clusters with the Fargate launch type to handle the expected load. Deploy tasks from the ECR images. Configure two separate Application Load Balancers to direct traffic to the ECS clusters.

  Reasoning: The question asks for a serverless architecture that minimizes operational complexity and is cost-effective. ECS with Fargate is a serverless container orchestration service. Fargate removes the need to manage the underlying EC2 instances, thus minimizing operational overhead. Using two separate auto-scaled ECS clusters (one for production and one for testing) allows for environment isolation and independent scaling. Application Load Balancers are used to route traffic to the appropriate clusters.

  Why other options are not optimal:

  • A: While Lambda is serverless, it's not the ideal solution for running containerized microservices due to potential limitations on execution time and memory. Lambda is generally better suited for event-driven functions rather than long-running applications.
  • C: EKS, while also container-based, introduces significantly more operational complexity compared to ECS, especially when using Fargate. EKS requires more management of the Kubernetes control plane.
  • D: Elastic Beanstalk, while simplifying deployment, is not a serverless architecture. It still involves managing underlying EC2 instances (unless using the limited single-instance docker environment) which increases operational overhead and reduces cost-effectiveness in a low-load scenario.

  The primary advantage of ECS with Fargate is the reduced operational overhead and the serverless nature which is best suited for this scenario.

  • AWS Fargate, https://aws.amazon.com/fargate/
  • Amazon ECS, https://aws.amazon.com/ecs/

• Question 8

  A company has a multi-tier web application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The ALB and the Auto Scaling group are replicated in a backup AWS Region. The minimum value and the maximum value for the Auto Scaling group are set to zero. An Amazon RDS Multi-AZ DB instance stores the application’s data. The DB instance has a read replica in the backup Region. The application presents an endpoint to end users by using an Amazon Route 53 record.
  The company needs to reduce its RTO to less than 15 minutes by giving the application the ability to automatically fail over to the backup Region. The company does not have a large enough budget for an active-active strategy.
  What should a solutions architect recommend to meet these requirements?

  • A. Reconfigure the application’s Route 53 record with a latency-based routing policy that load balances traffic between the two ALBs. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Create an Amazon CloudWatch alarm that is based on the HTTPCode_Target_5XX_Count metric for the ALB in the primary Region. Configure the CloudWatch alarm to invoke the Lambda function.
  • B. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Configure Route 53 with a health check that monitors the web application and sends an Amazon Simple Notification Service (Amazon SNS) notification to the Lambda function when the health check status is unhealthy. Update the application’s Route 53 record with a failover policy that routes traffic to the ALB in the backup Region when a health check failure occurs.
  • C. Configure the Auto Scaling group in the backup Region to have the same values as the Auto Scaling group in the primary Region. Reconfigure the application’s Route 53 record with a latency-based routing policy that load balances traffic between the two ALBs. Remove the read replica. Replace the read replica with a standalone RDS DB instance. Configure Cross-Region Replication between the RDS DB instances by using snapshots and Amazon S3.
  • D. Configure an endpoint in AWS Global Accelerator with the two ALBs as equal weighted targets. Create an AWS Lambda function in the backup Region to promote the read replica and modify the Auto Scaling group values. Create an Amazon CloudWatch alarm that is based on the HTTPCode_Target_5XX_Count metric for the ALB in the primary Region. Configure the CloudWatch alarm to invoke the Lambda function.

  Correct Answer: B

  Explanation:

  The suggested answer is B. This option effectively meets the requirements for reducing the Recovery Time Objective (RTO) to less than 15 minutes and adhering to the budget constraints by implementing an active-passive failover strategy. The steps involved in option B ensure that upon failure in the primary region, the application can automatically failover to the backup region. The Lambda function automates the promotion of the read replica to a standalone database and adjusts the Auto Scaling group, Route 53 health checks trigger the failover, and the failover policy in Route 53 redirects traffic.

  Here's a breakdown of why other options are not ideal:

  • Option A: While using CloudWatch alarms based on HTTP 5XX errors might seem useful, it does not provide a comprehensive health check for the application's functionality. Also, using latency-based routing is not a failover strategy; it's a traffic distribution strategy, and it doesn't guarantee that traffic will be directed to the backup region only when the primary region is down.
  • Option C: Configuring the Auto Scaling group in the backup region to have the same values as the primary region implies an active-active setup, which contradicts the budget constraints. Removing the read replica and setting up Cross-Region Replication using S3 snapshots is complex and does not provide the fast RTO required. It's also not cost-effective compared to using a read replica for failover.
  • Option D: Using AWS Global Accelerator might seem appealing for its global traffic management capabilities, but it's more suited for active-active setups or when you need consistent performance for users worldwide. It doesn't directly address the need for a quick, automated failover within the given budget. Also, relying solely on HTTP 5XX errors for failover is not as reliable as a comprehensive health check.

  Option B is the best choice because it leverages Route 53 health checks for reliable failure detection and automates the failover process with Lambda, ensuring minimal RTO while staying within budget.

  • Route 53 Health Checks, https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/health-checks-creating.html
  • AWS Lambda, https://aws.amazon.com/lambda/
  • Amazon RDS Read Replicas, https://aws.amazon.com/rds/features/read-replicas/
  • Route 53 Failover, https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/dns-failover.html

• Question 9

  A company is hosting a critical application on a single Amazon EC2 instance. The application uses an Amazon ElastiCache for Redis single-node cluster for an in-memory data store. The application uses an Amazon RDS for MariaDB DB instance for a relational database. For the application to function, each piece of the infrastructure must be healthy and must be in an active state.
  A solutions architect needs to improve the application's architecture so that the infrastructure can automatically recover from failure with the least possible downtime.
  Which combination of steps will meet these requirements? (Choose three.)

  • A. Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are part of an Auto Scaling group that has a minimum capacity of two instances.
  • B. Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are configured in unlimited mode.
  • C. Modify the DB instance to create a read replica in the same Availability Zone. Promote the read replica to be the primary DB instance in failure scenarios.
  • D. Modify the DB instance to create a Multi-AZ deployment that extends across two Availability Zones.
  • E. Create a replication group for the ElastiCache for Redis cluster. Configure the cluster to use an Auto Scaling group that has a minimum capacity of two instances.
  • F. Create a replication group for the ElastiCache for Redis cluster. Enable Multi-AZ on the cluster.

  Correct Answer: ADF

  Explanation:

  The best combination of steps to improve the application's architecture for automatic recovery from failure with the least possible downtime is ADF. Here's why:

  A: Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are part of an Auto Scaling group that has a minimum capacity of two instances. This is correct because using an Elastic Load Balancer (ELB) distributes incoming application traffic across multiple EC2 instances, improving availability and fault tolerance. An Auto Scaling group ensures that if an EC2 instance fails, a new instance is automatically launched to replace it, maintaining the desired capacity. Setting a minimum capacity of two instances ensures that at least two instances are always running, providing redundancy. This ensures high availability of the application tier.

  D: Modify the DB instance to create a Multi-AZ deployment that extends across two Availability Zones. This is correct because Multi-AZ deployments for RDS provide a standby DB instance in a different Availability Zone. In case of a failure of the primary DB instance, RDS automatically fails over to the standby instance, minimizing downtime. This provides database layer redundancy.

  F: Create a replication group for the ElastiCache for Redis cluster. Enable Multi-AZ on the cluster. This is correct because creating a replication group with Multi-AZ enabled for ElastiCache for Redis provides automatic failover capabilities. If the primary node fails, a replica node is automatically promoted to primary, minimizing downtime. This ensures in-memory data store availability.

  B: Use an Elastic Load Balancer to distribute traffic across multiple EC2 instances. Ensure that the EC2 instances are configured in unlimited mode. This is incorrect because while using an ELB is a good practice, configuring EC2 instances in unlimited mode only pertains to how they handle CPU credit usage and does not directly contribute to automatic recovery from failure or high availability. Unlimited mode allows instances to earn CPU credits when they are idle and use them when they need more CPU power, but it doesn't address instance failure scenarios. Therefore, this option does not meet the requirements of the question.

  C: Modify the DB instance to create a read replica in the same Availability Zone. Promote the read replica to be the primary DB instance in failure scenarios. This is incorrect because while read replicas can improve read performance, promoting a read replica to a primary instance in a failure scenario is a manual process and does not provide automatic failover. Also, creating the read replica in the same Availability Zone does not protect against AZ-level failures. Multi-AZ deployments offer automatic failover to a standby instance in a different Availability Zone, providing a more robust solution for high availability.

  E: Create a replication group for the ElastiCache for Redis cluster. Configure the cluster to use an Auto Scaling group that has a minimum capacity of two instances. This is incorrect because Auto Scaling groups are designed for scaling EC2 instances, not ElastiCache clusters. While replication groups provide redundancy, Auto Scaling is not applicable here. ElastiCache Multi-AZ provides the failover capability needed.

  In summary, options A, D, and F provide the necessary redundancy and automatic failover capabilities for the EC2 instances, RDS database, and ElastiCache cluster, respectively, to meet the requirements of the question, while B, C, and E do not adequately address the automatic recovery aspect or are not applicable to the specific services.

  • AWS Auto Scaling, https://aws.amazon.com/autoscaling/
  • Amazon RDS Multi-AZ, https://aws.amazon.com/rds/features/multi-az/
  • ElastiCache for Redis Replication Groups, https://docs.aws.amazon.com/AmazonElastiCache/latest/red-ug/Replication.html

• Question 10

  A retail company is operating its ecommerce application on AWS. The application runs on Amazon EC2 instances behind an Application Load Balancer (ALB). The company uses an Amazon RDS DB instance as the database backend. Amazon CloudFront is configured with one origin that points to the ALB. Static content is cached. Amazon Route 53 is used to host all public zones.
  After an update of the application, the ALB occasionally returns a 502 status code (Bad Gateway) error. The root cause is malformed HTTP headers that are returned to the ALB. The webpage returns successfully when a solutions architect reloads the webpage immediately after the error occurs.
  While the company is working on the problem, the solutions architect needs to provide a custom error page instead of the standard ALB error page to visitors.
  Which combination of steps will meet this requirement with the LEAST amount of operational overhead? (Choose two.)

  • A. Create an Amazon S3 bucket. Configure the S3 bucket to host a static webpage. Upload the custom error pages to Amazon S3.
  • B. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health check response Target.FailedHealthChecks is greater than 0. Configure the Lambda function to modify the forwarding rule at the ALB to point to a publicly accessible web server.
  • C. Modify the existing Amazon Route 53 records by adding health checks. Configure a fallback target if the health check fails. Modify DNS records to point to a publicly accessible webpage.
  • D. Create an Amazon CloudWatch alarm to invoke an AWS Lambda function if the ALB health check response Elb.InternalError is greater than 0. Configure the Lambda function to modify the forwarding rule at the ALB to point to a public accessible web server.
  • E. Add a custom error response by configuring a CloudFront custom error page. Modify DNS records to point to a publicly accessible web page.

  Correct Answer: AE

  Explanation:

  The recommended answer is A and E. Here's why:

  A. Create an Amazon S3 bucket. Configure the S3 bucket to host a static webpage. Upload the custom error pages to Amazon S3.

  Reason: This is a suitable solution because it allows for the hosting of static content, including custom error pages. S3 is cost-effective and highly available, making it a good choice for serving these pages. By uploading the custom error pages to S3, they can be easily accessed and served when the ALB encounters a 502 error. This satisfies the requirement of providing a custom error page.

  E. Add a custom error response by configuring a CloudFront custom error page. Modify DNS records to point to a publicly accessible web page.

  Reason: Configuring CloudFront to serve custom error pages is a direct and efficient way to provide a branded error experience to users. When CloudFront receives a 502 error from the ALB, it can be configured to serve a custom error page from S3, addressing the requirement. The DNS modification makes sure the custom error page will be accessible.

  Reasons for not choosing other answers:

  B & D: These options involve complex setups using CloudWatch alarms and Lambda functions to modify ALB forwarding rules. This adds significant operational overhead compared to the simpler solutions of using S3 and CloudFront. While these options could technically work, they introduce unnecessary complexity for the stated requirement.

  C: Modifying Route 53 records with health checks and fallback targets to point to a publicly accessible webpage is not the most appropriate solution in this case. It would redirect all traffic to an alternative page and it is not designed for handling custom error pages directly.

  • https://aws.amazon.com/cloudfront/
  • https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/custom-error-pages.html
  • https://aws.amazon.com/s3/