Source: Amazon AWS Certified Solutions Architect - Professional SAP-C02 Exam
4 questions (No.14 ~ No.17), for my own review only.
If this infringes any rights, please contact me for removal.
1. Auto Scaling Group terminate event
A company is running an application on several Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer. The load on the application varies throughout the day, and EC2 instances are scaled in and out on a regular basis. Log files from the EC2 instances are copied to a central Amazon S3 bucket every 15 minutes. The security team discovers that log files are missing from some of the terminated EC2 instances.
Which set of actions will ensure that log files are copied to the central S3 bucket from the terminated EC2 instances?
- Create a script to copy log files to Amazon S3, and store the script in a file on the EC2 instance. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to send ABANDON to the Auto Scaling group to prevent termination, run the script to copy the log files, and terminate the instance using the AWS SDK.
- ✅ Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance.
- Change the log delivery rate to every 5 minutes. Create a script to copy log files to Amazon S3, and add the script to EC2 instance user data. Create an Amazon EventBridge rule to detect EC2 instance termination. Invoke an AWS Lambda function from the EventBridge rule that uses the AWS CLI to run the user-data script to copy the log files and terminate the instance.
- ❌ Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook that publishes a message to an Amazon Simple Notification Service (Amazon SNS) topic. From the SNS notification, call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send ABANDON to the Auto Scaling group to terminate the instance.
✨ Keywords:
4️⃣ ❌ -> 2️⃣ ✅
💡 Analysis: The EC2 instances in the Auto Scaling group ship their logs to one central bucket every 15 minutes; the same copy has to run once more at termination, otherwise up to 15 minutes of logs disappear with the instance.
How to act on the group's instance-termination event: the AWS Knowledge Center article "Run code before terminating an EC2 Auto Scaling instance" includes the steps "5. Create a CloudWatch Events rule. 6. Add a Systems Manager automation document as a CloudWatch Event target." The solution therefore needs a CloudWatch Events (now EventBridge) rule plus a Systems Manager document, which is option 2️⃣. Option 4️⃣ fails because an SNS notification cannot call SendCommand by itself; something such as a Lambda function has to consume it.
Note the autoscaling:EC2_INSTANCE_TERMINATING transition: once the hook fires, the instance pauses in a wait state and is actually terminated only after the lifecycle action completes (CONTINUE, ABANDON, or expiry of the hook's heartbeat timeout). For a terminating hook both CONTINUE and ABANDON end in termination (ABANDON additionally skips any remaining lifecycle hooks), so ABANDON cannot "prevent termination" as option 1️⃣ claims; the value of the hook is the pause, during which the copy must finish before the Lambda function completes the action. Lifecycle hooks: when Amazon EC2 Auto Scaling responds to a scale-in event, it terminates one or more instances. The instances are detached from the Auto Scaling group and enter the Terminating state. If you added an autoscaling:EC2_INSTANCE_TERMINATING lifecycle hook to the group, the instance moves from Terminating to Terminating:Wait. After the lifecycle action completes, it enters Terminating:Proceed. Once fully terminated, it enters the Terminated state.
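The Lambda function that option 2️⃣ describes, written out as an added example (my code, not the exam's or AWS's). It assumes an SSM Command document named CopyLogsToS3 that takes a "bucket" parameter and a bucket called central-log-bucket, both placeholders, and it adds the two things a working version needs that the option text leaves implicit: it waits for the SendCommand invocation to finish before completing the hook, sending lifecycle heartbeats while the copy runs, and it completes the hook with ABANDON if the copy fails so that the failure is visible in the group's activity history. The boto3 clients are injected so the logic can be dry-run against the constructed stand-ins at the bottom of the block.

```python
# Added example: Lambda handler for the autoscaling:EC2_INSTANCE_TERMINATING hook.
# Not code from the exam or from AWS; document and bucket names are placeholders.
import time

DOCUMENT_NAME = "CopyLogsToS3"     # assumption: SSM Command document created separately
LOG_BUCKET = "central-log-bucket"  # assumption: the central log bucket
POLL_SECONDS = 5
TERMINAL_OK = {"Success"}
TERMINAL_FAIL = {"Cancelled", "Cancelling", "TimedOut", "Failed"}


def hook_params(detail):
    """Identifiers every lifecycle API call needs, taken from the EventBridge event."""
    return {
        "LifecycleHookName": detail["LifecycleHookName"],
        "AutoScalingGroupName": detail["AutoScalingGroupName"],
        "LifecycleActionToken": detail["LifecycleActionToken"],
    }


def wait_for_command(ssm, autoscaling, params, command_id, instance_id,
                     timeout=600, sleep=time.sleep):
    """Poll GetCommandInvocation until a terminal status; heartbeat the hook meanwhile."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        inv = ssm.get_command_invocation(CommandId=command_id, InstanceId=instance_id)
        if inv["Status"] in TERMINAL_OK:
            return True
        if inv["Status"] in TERMINAL_FAIL:
            return False
        # Still Pending/InProgress: extend the hook so a long copy is not cut off
        # by the lifecycle hook's heartbeat timeout.
        autoscaling.record_lifecycle_action_heartbeat(**params)
        sleep(POLL_SECONDS)
    return False


def handle_terminating(event, ssm, autoscaling, sleep=time.sleep):
    """Core logic with the boto3 clients injected, so it can run without AWS."""
    detail = event["detail"]
    instance_id = detail["EC2InstanceId"]
    params = hook_params(detail)
    result = "ABANDON"
    try:
        cmd = ssm.send_command(
            InstanceIds=[instance_id],
            DocumentName=DOCUMENT_NAME,
            Parameters={"bucket": [LOG_BUCKET]},
            TimeoutSeconds=120,  # how long SSM waits for the agent to pick the command up
        )
        sleep(2)  # GetCommandInvocation can raise InvocationDoesNotExist right after SendCommand
        if wait_for_command(ssm, autoscaling, params, cmd["Command"]["CommandId"],
                            instance_id, sleep=sleep):
            result = "CONTINUE"
    except Exception as exc:  # any failure must still complete the hook, not leave it waiting
        print(f"log copy failed for {instance_id}: {exc!r}")
    autoscaling.complete_lifecycle_action(LifecycleActionResult=result, **params)
    return result


def lambda_handler(event, context):
    """Lambda entry point; boto3 is imported lazily so the module loads without it."""
    import boto3
    return handle_terminating(event, boto3.client("ssm"), boto3.client("autoscaling"))


# ---- constructed sample event and stand-in clients for an offline dry run ----
SAMPLE_EVENT = {  # shape of the "EC2 Instance-terminate Lifecycle Action" event; values made up
    "source": "aws.autoscaling",
    "detail-type": "EC2 Instance-terminate Lifecycle Action",
    "detail": {
        "LifecycleActionToken": "87654321-4321-4321-4321-210987654321",
        "AutoScalingGroupName": "web-asg",
        "LifecycleHookName": "copy-logs-on-terminate",
        "EC2InstanceId": "i-0123456789abcdef0",
        "LifecycleTransition": "autoscaling:EC2_INSTANCE_TERMINATING",
    },
}


class _FakeSSM:
    """Reports InProgress twice, then the configured final status."""
    def __init__(self, final="Success"):
        self.final, self.polls = final, 0

    def send_command(self, **kw):
        return {"Command": {"CommandId": "cmd-0001"}}

    def get_command_invocation(self, **kw):
        self.polls += 1
        return {"Status": "InProgress" if self.polls < 3 else self.final}


class _FakeAutoScaling:
    """Records the lifecycle API calls made, in order."""
    def __init__(self):
        self.calls = []

    def record_lifecycle_action_heartbeat(self, **kw):
        self.calls.append("heartbeat")

    def complete_lifecycle_action(self, **kw):
        self.calls.append(kw["LifecycleActionResult"])


def dry_run(final_status="Success"):
    """Run the handler against the stand-ins; returns (result, autoscaling calls)."""
    asg = _FakeAutoScaling()
    result = handle_terminating(SAMPLE_EVENT, _FakeSSM(final_status), asg, sleep=lambda s: None)
    return result, asg.calls


if __name__ == "__main__":
    print(dry_run("Success"))  # ('CONTINUE', ['heartbeat', 'heartbeat', 'CONTINUE'])
    print(dry_run("Failed"))   # ('ABANDON', ['heartbeat', 'heartbeat', 'ABANDON'])
```

Set the hook's heartbeat timeout longer than the copy normally takes; the handler's heartbeats cover slow cases. The Lambda role needs ssm:SendCommand, ssm:GetCommandInvocation, autoscaling:RecordLifecycleActionHeartbeat and autoscaling:CompleteLifecycleAction, and the instance profile needs the SSM agent permissions plus s3:PutObject on the bucket.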
👨👨👦👦 Community discussion: B. Create an AWS Systems Manager document with a script to copy log files to Amazon S3. Create an Auto Scaling lifecycle hook and an Amazon EventBridge rule to detect lifecycle events from the Auto Scaling group. Invoke an AWS Lambda function on the autoscaling:EC2_INSTANCE_TERMINATING transition to call the AWS Systems Manager API SendCommand operation to run the document to copy the log files and send CONTINUE to the Auto Scaling group to terminate the instance. This approach will use the Auto Scaling lifecycle hook to execute the script that copies log files to S3, before the instance is terminated, ensuring that all log files are copied from the terminated instances.
2. Cross Account DNS
A company is using multiple AWS accounts. The DNS records are stored in a private hosted zone for Amazon Route 53 in Account A. The company’s applications and databases are running in Account B.
A solutions architect will deploy a two-tier application in a new VPC. To simplify the configuration, the db.example.com CNAME record set for the Amazon RDS endpoint was created in a private hosted zone for Amazon Route 53.
During deployment, the application failed to start. Troubleshooting revealed that db.example.com is not resolvable on the Amazon EC2 instance. The solutions architect confirmed that the record set was created correctly in Route 53.
Which combination of steps should the solutions architect take to resolve this issue? (Choose two.)
- ❌ Deploy the database on a separate EC2 instance in the new VPC. Create a record set for the instance’s private IP in the private hosted zone.
- Use SSH to connect to the application tier EC2 instance. Add an RDS endpoint IP address to the /etc/resolv.conf file.
- ✅ Create an authorization to associate the private hosted zone in Account A with the new VPC in Account B.
- Create a private hosted zone for the example.com domain in Account B. Configure Route 53 replication between AWS accounts.
- ✅ Associate a new VPC in Account B with a hosted zone in Account A. Delete the association authorization in Account A.
✨ Keywords:
1️⃣ 3️⃣ ❌ -> 3️⃣ 5️⃣ ✅
💡 Analysis:
The Route 53 private hosted zone lives in Account A; the VPC and the database live in Account B. A private hosted zone only answers queries from VPCs associated with it, so the new VPC has to be associated across accounts.
AWS docs: Associating an Amazon VPC and a private hosted zone that you created with different AWS accounts
- Using Account A, which owns the hosted zone, authorize the association of the (other account's) VPC with the private hosted zone.
- Using Account B, which owns the VPC, associate the VPC with the hosted zone.
- (Recommended) Delete the authorization for the VPC association. This does not undo the association; it only prevents the VPC from being re-associated later without a fresh authorization.
Option 3️⃣ is step 1, and option 5️⃣ is steps 2 and 3. Two checks worth making alongside: the new VPC must have enableDnsSupport and enableDnsHostnames enabled, which private hosted zones require; and option 2️⃣ is a trap, because /etc/resolv.conf lists DNS resolvers, not hostname mappings, so putting the RDS endpoint address there cannot make db.example.com resolve.
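The three-step sequence above as an added example (my code, not from the exam or the AWS docs), with the Route 53 client for each account injected: in real use, Account A's client comes from that account's credentials (for instance boto3.Session(profile_name="account-a").client("route53")) and Account B's from its own. The stand-ins at the bottom model only the rule that matters here, namely that another account's VPC can be associated only while a pending authorization exists, so the dry run shows what skipping step 1 produces and confirms that no authorization is left behind after step 3. The hosted zone ID, VPC ID and Region are placeholders.

```python
# Added example: cross-account private hosted zone association in the order
# the AWS docs require. Identifiers are placeholders, not real resources.

HOSTED_ZONE_ID = "Z0123456789ABCDEFGHIJ"  # assumption: private hosted zone owned by Account A
VPC = {"VPCRegion": "us-east-1", "VPCId": "vpc-0b2c3d4e5f6a7b8c9"}  # assumption: Account B's new VPC


def associate_cross_account(r53_account_a, r53_account_b, hosted_zone_id=HOSTED_ZONE_ID, vpc=VPC):
    """Step 1 (Account A, zone owner): authorize the foreign VPC.
    Step 2 (Account B, VPC owner): associate the VPC with the zone.
    Step 3 (Account A): delete the consumed authorization. This does not undo the
    association; it only stops the VPC being re-associated without a new authorization.
    Returns the VPC IDs still authorized afterwards, which should be none."""
    r53_account_a.create_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    r53_account_b.associate_vpc_with_hosted_zone(HostedZoneId=hosted_zone_id, VPC=vpc)
    r53_account_a.delete_vpc_association_authorization(HostedZoneId=hosted_zone_id, VPC=vpc)
    return remaining_authorizations(r53_account_a, hosted_zone_id)


def remaining_authorizations(r53_account_a, hosted_zone_id=HOSTED_ZONE_ID):
    """Audit check for Account A: VPCs that could still be associated with the zone."""
    resp = r53_account_a.list_vpc_association_authorizations(HostedZoneId=hosted_zone_id)
    return [v["VPCId"] for v in resp["VPCs"]]


# ---- constructed stand-ins so the sequence can be exercised offline ----
class _FakeRoute53:
    """Shared state standing in for the service; one instance is seen by both accounts."""
    def __init__(self):
        self.authorized = {}     # (zone, vpc id) -> VPC dict, pending authorizations
        self.associated = set()  # (zone, vpc id), live associations


class _FakeRoute53Client:
    """The subset of the boto3 route53 client used above, backed by _FakeRoute53."""
    def __init__(self, service):
        self.svc = service

    def create_vpc_association_authorization(self, HostedZoneId, VPC):
        self.svc.authorized[(HostedZoneId, VPC["VPCId"])] = VPC
        return {"HostedZoneId": HostedZoneId, "VPC": VPC}

    def associate_vpc_with_hosted_zone(self, HostedZoneId, VPC, Comment=""):
        key = (HostedZoneId, VPC["VPCId"])
        if key not in self.svc.authorized:
            # The error name Route 53 returns when another account skips step 1.
            raise PermissionError("NotAuthorizedException")
        self.svc.associated.add(key)
        return {"ChangeInfo": {"Status": "PENDING"}}

    def delete_vpc_association_authorization(self, HostedZoneId, VPC):
        self.svc.authorized.pop((HostedZoneId, VPC["VPCId"]), None)
        return {}

    def list_vpc_association_authorizations(self, HostedZoneId):
        vpcs = [v for (zone, _), v in self.svc.authorized.items() if zone == HostedZoneId]
        return {"HostedZoneId": HostedZoneId, "VPCs": vpcs}


def run_demo():
    """Returns (error when Account B skips step 1, live associations, leftover authorizations)."""
    svc = _FakeRoute53()
    account_a, account_b = _FakeRoute53Client(svc), _FakeRoute53Client(svc)
    try:
        account_b.associate_vpc_with_hosted_zone(HostedZoneId=HOSTED_ZONE_ID, VPC=VPC)
        skipped_step_one = "associated"
    except PermissionError as exc:
        skipped_step_one = str(exc)
    leftover = associate_cross_account(account_a, account_b)
    return skipped_step_one, sorted(svc.associated), leftover


if __name__ == "__main__":
    # ('NotAuthorizedException', [('Z0123456789ABCDEFGHIJ', 'vpc-0b2c3d4e5f6a7b8c9')], [])
    print(run_demo())
```

With real clients, replace the two stand-ins with clients built from each account's credentials and keep the call order; list_vpc_association_authorizations in Account A is the check to run afterwards, since any authorization left behind lets the named VPC be associated again without Account A's involvement.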
👨👨👦👦 Community discussion: C and E are correct.
C. Create an authorization to associate the private hosted zone in Account A with the new VPC in Account B. This step is necessary because the VPC in Account B needs to be associated with the private hosted zone in Account A to be able to resolve the DNS records.
E. Associate a new VPC in Account B with a hosted zone in Account A. Delete the association authorization in Account A. This step is necessary because the association authorization needs to be removed in Account A after the association is done in Account B.
3. Content distribution
A company used Amazon EC2 instances to deploy a web fleet to host a blog site. The EC2 instances are behind an Application Load Balancer (ALB) and are configured in an Auto Scaling group. The web application stores all blog content on an Amazon EFS volume.
The company recently added a feature for bloggers to add video to their posts, attracting 10 times the previous user traffic. At peak times of day, users report buffering and timeout issues while attempting to reach the site or watch videos.
Which is the MOST cost-efficient and scalable deployment that will resolve the issues for users?
- Reconfigure Amazon EFS to enable maximum I/O.
- Update the blog site to use instance store volumes for storage. Copy the site contents to the volumes at launch and to Amazon S3 at shutdown.
- ✅ Configure an Amazon CloudFront distribution. Point the distribution to an S3 bucket, and migrate the videos from EFS to Amazon S3.
- Set up an Amazon CloudFront distribution for all site contents, and point the distribution at the ALB.
✨ Keywords:
3️⃣ ✅
💡 Analysis: Serve static content such as the videos from S3 through CloudFront. Pointing CloudFront at the ALB (option 4️⃣) still pulls every cache miss through the EC2 fleet and EFS, so the bottleneck stays; EFS Max I/O (option 1️⃣) raises the file system's throughput ceiling but does not take the video traffic off the web tier. When the bucket becomes a CloudFront origin, keep it private and grant CloudFront access through origin access control, so the videos cannot be fetched from S3 directly by bypassing the distribution.
👨👨👦👦 Community discussion: C. Configure an Amazon CloudFront distribution. Point the distribution to an S3 bucket, and migrate the videos from EFS to Amazon S3.
Amazon CloudFront is a content delivery network (CDN) that can be used to deliver content to users with low latency and high data transfer speeds. By configuring a CloudFront distribution for the blog site and pointing it at an S3 bucket, the videos can be cached at edge locations closer to users, reducing buffering and timeout issues. Additionally, S3 is designed for scalable storage and can handle high levels of user traffic. Migrating the videos from EFS to S3 would also improve the performance and scalability of the website.
4. AWS Direct Connect Gateway
A company with global offices has a single 1 Gbps AWS Direct Connect connection to a single AWS Region. The company’s on-premises network uses the connection to communicate with the company’s resources in the AWS Cloud. The connection has a single private virtual interface that connects to a single VPC.
A solutions architect must implement a solution that adds a redundant Direct Connect connection in the same Region. The solution also must provide connectivity to other Regions through the same pair of Direct Connect connections as the company expands into other Regions.
Which solution meets these requirements?
- ✅ Provision a Direct Connect gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the Direct Connect gateway. Connect the Direct Connect gateway to the single VPC.
- Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new private virtual interface on the new connection, and connect the new private virtual interface to the single VPC.
- Keep the existing private virtual interface. Create the second Direct Connect connection. Create a new public virtual interface on the new connection, and connect the new public virtual interface to the single VPC.
- ❌ Provision a transit gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the transit gateway. Associate the transit gateway with the single VPC.
✨ Keywords:
4️⃣ ❌ -> 1️⃣ ✅
💡 Analysis: AWS blog: New – AWS Direct Connect Gateway – Inter-Region VPC Access
Connect your VPCs through an AWS Direct Connect gateway. Associate the Direct Connect gateway with one of:
- A transit gateway when you have multiple VPCs in the same Region
- A virtual private gateway
- An AWS Cloud WAN core network
Option 1️⃣ terminates a private virtual interface from each connection on one Direct Connect gateway, a global object: today it is associated with the VPC's virtual private gateway, and later it can be associated with virtual private gateways (or transit gateways) in other Regions over the same pair of connections. Option 2️⃣ gives same-Region redundancy only, because a virtual private gateway belongs to a single VPC. Option 3️⃣ is wrong because a public virtual interface reaches AWS public endpoints, not a VPC. Option 4️⃣ is wrong because a private virtual interface cannot attach to a transit gateway; a transit gateway is reached through a transit virtual interface on a Direct Connect gateway.
👨👨👦👦 Community discussion: A. Provision a Direct Connect gateway. Delete the existing private virtual interface from the existing connection. Create the second Direct Connect connection. Create a new private virtual interface on each connection, and connect both private virtual interfaces to the Direct Connect gateway. Connect the Direct Connect gateway to the single VPC.
This solution provides a redundant Direct Connect connection in the same Region by creating a new private virtual interface on each connection, and connecting both private virtual interfaces to a Direct Connect gateway. The Direct Connect gateway is then connected to the single VPC. This solution also allows the company to expand into other Regions while providing connectivity through the same pair of Direct Connect connections.
The Direct Connect Gateway allows you to connect multiple VPCs and on-premises networks in different accounts and different regions to a single Direct Connect connection.
It also provides automatic failover and routing capabilities.
