dinsdag 30 augustus 2016

My attempt to the AWS Solution Architect professional exam sample questions.

For this practice exam the correct answers are given on the Japanese version of the practice exam which can be found here.  The English practice exam is available from here.  And in this post I like to provide my reasoning in why the given answers are the correct ones.  I have done similarly for the DevOps professional exam here.

Question 1: Best RTO for on-premise Content Management System

 - Answer A will and is the best of the provided options because storage gateway is already used and it's volumes can be converted to EBS volumes.  RMAN backups in S3 also allow restoration into EC2
 - Answer B is not acceptable since Glacier storage takes recovery times >= 3 hours
 - Answer C: There is no need to attach a AWS Storage gateway to the EC2 instance, better to use an EBS volume
 - Answer D: AWS Storage Gateway-VTL is for tapes so no need here as you had a storage gateway volume

Question 2: ERP application in multiple AZs

 - Answer C is valid and allows to restore data up until 5 minutes from the issue (so RPO of 15 minutes is met).  Since you have hourly backups as well in S3 you can quickly restore these and you only need to replay transaction logs for max 1 hour. Furthermore S3 provides excellent data retention.
 - Answer A is not acceptable since Glacier recoveries take too much time > 3 hours
 - Answer B is not good for this scenario as it is unknown how the data corruption occurred.  Probably data corruption is introduced by a logical error rather than issues on storage level.  Since synchronous replication only makes sure you write the changes on a 2nd system as part of your transactions it doesn't allow to recover to earlier time to protect for these corruption errors.
 - Answer D is unacceptable because even though instance store volumes might allow to take quicker backups they are volatile and should not be relied upon for database backups (they are also only accessible from 1 instance and therefore data is only in 1 AZ)

Question 3: Random acts of kindness

 - Answer B is good as it is a cheap way that allows you to operate without maintaining infrastructure
 - Answer A is not good as IAM users should be internal users of your organizations.  You should not use these identities for 'web' users.  One reason would be because the amount of users would be limited.  Even if you would map them to a single 'application' user it would not be a good practice to do so.
 - Answer C is not good again because of IAM user usage as well as introducing additional unnecessary infrastructure (incurring costs)
 - Answer D introduces unneeded infrastructure incurring unneeded costs.

Question 4: Protecting SSL

 - Answer D is the best. CloudHSM is hardened to make sure SSL certificates cannot leave the device.  Furthermore its design and external certification certify that Amazon employees won't have access to them either.  Since Amazon employees also don't have access inside your EC2 instance it is good to store your logs on an ephemeral volume using a randomly generated AES key.  This means that you will lose your logs upon stop/start or when you experience a hardware failure but there were no retention requirements mentioned for the log files.  Since the volumes use this random key when mounting you grant your users access by granting them access to the instance.  The encryption makes sure that data is encrypted at rest and that physical access does not compromise your data.
 - Answer A is generally a good solution but since in this case security is the main concern it is not the best solution.  By offloading SSL at your Load balancing tier you have the traffic flowing in plain text from ELB to web servers.
 - Answer B is not good as there is no way of protecting your private key in the Amazon S3 bucket.  Since your instances need access to the S3 bucket to retrieve the key, employees could do the same and therefore compromise the key.
 - Answer C is good but it does not really protect your logs as you cannot write them straight into S3.  S3 is an object store and cannot be used reliably as a block device.

Question 5: Fat client application 

 - Answer D is the best.  Using the SSL VPN client the users can securely connect to the VPC and have access to the private subnets.  The fat client can then connect over the VPN tunnel to the application servers which are safely in the private subnet.
 - Answer A does not make sense, AWS Direct Connect is to allow a 'private' line from your data center into AWS and therefore does not come into play for this scenario
 - Answer B is not valid as you don't want to publish the application on the internet therefore an ELB by itself won't help
 - Answer C is not valid as you still place your application servers in the public subnet.  Having the IPsec VPN connection is meant to avoid this need.

Question 6: Legacy engineering application migration

 - Answer B is indeed the way to go an initial sync followed by incremental syncs to make sure you get all the data in the latest state within the time frame.  If needed you could perform multiple incremental syncs (note that these would incur additional cost as you would be consuming more bandwidth)
 - Answer A is not valid as it does not provide a solution to time needed to transfer the 900 GB of data
 - Answer C is not valid as AWS Import/Export is not to migrate data within 48 hours
 - Answer D is not valid because it says to copy the data on Friday which again does not provide enough time to transfer all the data.

My attempt to the AWS DevOps Engineer professional exam sample questions.

This is just a blogpost to try out the sample questions of the AWS Devops Engineer professional exam.  So keep in mind that these are by no means official answers they are just my attempt to solving the example questions.  I did a similar attempt for the Solutions Architect professional exam.

Question 1 automated data backup solution:

  - Answer C: ec2-create-snapshot API results in a snapshot from your EBS volume which is stored in S3 (=distributed data store without single point of failure).  Use the tags to manage metadata and be able to cleanup old snapshots to limit costs.
 -  Answer A is not valid because ec2-create-volume creates an empty volume or one initiated from a snapshot.  Even if copy backup data means to this volume than it would be sub optimal as you will have worse retention compared to answer C and you will have higher costs (every volume you create will take up full space whereas S3 snapshot will be incremental)
- Answer B is not valid because recovering your data from Glacier won't be possible within 1 hour
- Answer D is not valid because ec2-copy-snapshot can only operate on snapshots not on EBS volumes

Question 2: Going from M3 instances to C3 instances when using CloudFormation and AutoScaling Groups

 - Answer D is correct:
 -  Answer A is not sufficient as the Auto Scaling group won't automatically replace your existing instances.
  - Answer B & C are not valid since you cannot update a launch configuration.  As stated in the documentation.

Question 3:  CloudFormation for complex systems 

 - Answer B is my preferred answer as multiple separate templates are easier to maintain and allow re-use.
 - Answer A is not good because maintaining a single template does not scale (it won't allow re-use)
 - Answer C is not good as orchestrating the process from an EC2 instance introduces a single point of failure.  It is also not cost efficient as it will require additional work to implement and a running instance.
 - Answer D is not good because you wanted to version-control your infrastructure which encompasses networking and thus VPC

Question 4: Automated deployment - reduce launch time

- Answer B is correct as it fulfills the requirements
- Answer A is incorrect because of the timing requirements it would take more than 3 minutes given the timings of the operations
- Answer C is incorrect because of timing (artifacts 4 min + deploy app code 1 min) > 3 min
- Answer D is incorrect because you still need to perform all the steps and thus require > 3 minutes, also the polling is not needed as User Data can be used to initialize the EC2

Question 5: I/O load performance test

 - Answer B is correct.  This operation is needed to avoid the first touch penalty and to make sure you check the performance of a warm Volume (at least if the volume is restored from snapshot, nowadays you don't need to prewarm new empty volumes).
- Answer A is incorrect because you would use the block size which is applicable for your application and won't change it upon deployment
- Answer C is incorrect as you just use the volumes to test so no need to back them up, having a backup also does not influence performance
- Answer D is incorrect as encrypted volumes won't boost performance
- Answer E is incorrect as creating a snapshot does not read every block in the volume but only touches the blocks that have data (or changed data if the volume itself was created from a snapshot)

Question 6: social media marketing application

- Answer B is a possible way to do this.  DynamoDB is a persistent store that stores data in multiple AZs.
- Answer A is not correct because Kinesis is for streaming data, it won't allow you to keep historical data as it only can keep data records for 1-7 days.
- Answer C is not correct because Glacier is for archiving data that you rarely want to retrieve.  Also if you want to publish your data into Redshift using DataPipeline you need to have your data in a source that can be used by Redshift (e.g regular S3 (not Glacier!), DynamoDB, EC2 (via SSH), EMR (via SSH) )
- Answer D is not correct because Amazon CloudWatch is not for analytics.  Also Cloudwatch only retains data for 14 days.

Question 7: bill increase

- Answer C is correct: wording is a bit weird as it looks sub optimal to send an SNS to your application which would then query DynamoDB.  It is good to have the data in Dynamo DB to have it there persistently but it would be more efficient to have a lambda function putting the data into Dynamo DB and that this lambda function also updates the cache with the new entry such that at this time DynamoDB does not need to be queried.
- Answer A is incorrect because S3 bucket life cycles are to change storage type of an object it does not allow you to push a list of objects to another bucket
- Answer B would be feasible but only if you have a very controlled process over the uploads that can be done in your bucket it is not as practical as C.
- Answer D is incorrect because there is no such thing as SQS lifecycles that move objects into S3
- Answer E is incorrect because ElastiCache is a key-value cache service which does not allow you to push files into Amazon S3

Question 8: AWS Elastic Beanstalk + continuous deployment (zero downtime)

- Answer B is correct because the swap of DNS name allows you to rollback almost immediately (ignoring clients that don't implement DNS and TTLs correctly)
- Answer A is incorrect because depending on the deploy time rollback won't be almost immediately
- Answer C is incorrect doesn't have a rollback scenario
- Answer D is incorrect because I don't think you can configure a beanstalk environment to send HTTP 301 response codes.  Also because 301 HTTP response code is a permanent redirect and therefore will cause clients to cache this redirect so rollback will still keep impacted clients on the new environment

Question 9: Log analysis application

- Answer A seems possible as CoudWatch Logs can filter your logs and keep track of login actions
- Answer B is incorrect as it won't be real time
- Answer C is incorrect because it has no auto-scaling
- Answer D is incorrect as it won't be real time
- Answer E is incorrect as you cannot use map reduce job on data that is in your RDS MySQL.  You would need to export the data which won't be real time either

Question 10: orders processing

- Answer B is correct because it will automatically replace an instance if it is stopped/terminated or fails (HW failure).
- Answer E is correct because it allows to detect that the application is no longer running correctly and will stop the instance automatically.
- Answer A is incorrect as a 2nd watchdog instance costs money
- Answer C is incorrect as no need for scaling was expressed and having a minimum of 2 already makes it more expensive
- Answer D is incorrect as you need to pay for the ELB so it is not the most cost-effective way