SAP-C02 Exam Dumps - Amazon Web Services AWS Certified Professional Questions and Answers

The application is business-critical with an SLA requirement of 99.95% uptime and is currently limited by an on-premises data center. The architecture includes a PostgreSQL database and separate business logic and presentation layers. Remote users experience high latency when accessing the application, which is latency-sensitive.

To meet or exceed a 99.95% SLA for the database while minimizing operational burden, a managed database service with built-in high availability is preferred. Amazon Aurora PostgreSQL-compatible editions provide high availability and durability by automatically replicating data across multiple Availability Zones in a Region. Aurora can offer higher availability and faster failover compared to self-managed databases on EC2, and offloads patching, backups, and maintenance.

For the application and presentation layers, running them on Amazon EC2 instances in an Auto Scaling group behind an Application Load Balancer preserves the basic architecture (stateless application servers behind a load balancer) while moving to a managed, highly available environment that can scale out and in automatically based on demand. This results in minimal changes to the application components and provides improved resilience compared to on-premises VMs.

Remote users experience slow load times because their desktop clients connect over higher-latency networks to the on-premises servers. By using Amazon AppStream 2.0, the application can be streamed from AWS to end users. AppStream 2.0 runs the desktop application close to the backend database and application servers within AWS, and streams only the display and input over the network. This significantly reduces the effect of latency between the user and the application backend, improving user experience, especially for latency-sensitive desktop applications, without requiring major changes to the application itself.

Option A uses a PostgreSQL database on EC2, which requires the customer to manage availability, backups, patching, and failover. This does not provide the same managed high-availability guarantees as Aurora or RDS Multi-AZ. It also suggests allocating a full Amazon WorkSpaces desktop per user, which can be more expensive and more complex than streaming only the application via AppStream 2.0.

Option C uses Amazon RDS for PostgreSQL with Multi-AZ configuration, which provides high availability and is a valid managed option. However, it runs the application and presentation layers on Fargate containers behind a Network Load Balancer. NLB is typically used for TCP-level load balancing and is better suited for protocols that require low-level handling, whereas HTTP/HTTPS web applications are commonly placed behind an Application Load Balancer, which provides advanced HTTP routing features. Also, ElastiCache can reduce database load and improve response times but does not directly solve the end-user network latency issue in a desktop client scenario.

Option D is incorrect because Amazon Redshift is a data warehouse service, not an operational PostgreSQL-compatible database for transaction processing. It is not appropriate for hosting the application’s primary relational database. CloudFront accelerates delivery of static and cached web content, not interactive desktop client-server traffic.

Therefore, migrating the database to Aurora PostgreSQL, running the application and presentation layers on EC2 Auto Scaling behind an Application Load Balancer, and using Amazon AppStream 2.0 to deliver the application to remote users (option B) meets the availability requirements, improves user experience, requires relatively little change to the application architecture, and minimizes operational costs compared to more complex or less-managed alternatives.

AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. By creating a management account and inviting all the existing accounts to join the organization, the solutions architect can track and consolidate expenditures for all the accounts using AWS Cost Management tools such as AWS Cost Explorer and AWS Budgets. An organizational unit (OU) is a group of accounts within an organization that can be used to apply policies and simplify management. A service control policy (SCP) is a type of policy that you can use to manage permissions in your organization. By creating an OU that includes all the development teams and applying an SCP that allows the creation of resources only in Regions that are in the United States, the solutions architect can ensure that the company meets its compliance requirements and avoids unwanted charges from other Regions. An IAM role is an identity with permission policies that determine what the identity can and cannot do in AWS. By creating an IAM role in the management account and allowing the finance team users to assume it, the solutions architect can give them access to view the Billing and Cost Management console without sharing credentials or creating additional users. References:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html

https://docs.aws.amazon.com/aws-cost-management/latest/userguide/what-is-costmanagement.html

Create a Transit Gateway:

Step 1: In the AWS Management Console, navigate to the VPC Dashboard.

Step 2: Select "Transit Gateways" and click on "Create Transit Gateway".

Step 3: Configure the transit gateway by providing a name and setting the options for Amazon side ASN and VPN ECMP support as needed.

Step 4: Attach each of the company’s VPCs and relevant subnets to the transit gateway. This centralizes the network management and simplifies the routing configurations, supporting scalable and flexible network architecture.

Set Up AWS PrivateLink:

Step 1: Create a Network Load Balancer (NLB) in the management VPC that points to the compute resource responsible for license validation.

Step 2: Create an AWS PrivateLink endpoint service pointing to this NLB.

Step 3: Allow each customer's VPC to create an interface endpoint to this PrivateLink service. This setup enables secure and private communication between the customer VPCs and the management VPC, ensuring one-way access from each customer's VPC to the management VPC for license validation.

This combination leverages the benefits of AWS Transit Gateway for scalable and centralized routing, and AWS PrivateLink for secure and private service access, meeting the requirement with minimal operational overhead.

References

Amazon VPC-to-Amazon VPC Connectivity Options

AWS PrivateLink - Building a Scalable and Secure Multi-VPC AWS Network Infrastructure

Connecting Your VPC to Other VPCs and Networks Using a Transit Gateway

https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.IAMDBAuth.html

an AWS Lambda function in the backup region to promote the read replica and modify the Auto Scaling group values, and then configuring Route 53 with a health check that monitors the web application and sends an Amazon SNS notification to the Lambda function when the health check status is unhealthy. Finally, the application's Route 53 record should be updated with a failover policy that routes traffic to the ALB in the backup region when a health check failure occurs. This approach provides automatic failover to the backup region when a health check failure occurs, reducing the RTO to less than 15 minutes. Additionally, this approach is cost-effective as it does not require an active-active strategy.

https://docs.aws.amazon.com/sns/latest/dg/sns-cross-region-delivery.html

To develop a migration plan with accurate inventory and dependency data:

AWS Migration Hub provides a single view for tracking migration tasks and resources across multiple AWS services.

The AWS Application Discovery Agent (installed on servers) collects detailed data about running processes, system performance, and network connections.

Migration Hub Strategy Recommendations leverages this data to automatically identify application patterns, generate recommended AWS target services, and provide a detailed migration plan.This approach ensures accurate data collection, detailed dependency mapping, and tailored recommendations—crucial for a successful and right-sized migration to AWS.

S3 Transfer Acceleration is a feature that enables fast, easy, and secure transfers of files over long distances between your client and an S3 bucket1. It works by leveraging the CloudFront edge network to route your requests to S3 over an optimized network path1. By using a Transfer Acceleration endpoint when generating a presigned URL, you can allow authenticated users to upload objects fasterand more reliably2. Additionally, using the S3 multipart upload API can improve the performance of large object uploads by breaking them into smaller parts and uploading them in parallel3.

S3 Transfer Acceleration

Using Transfer Acceleration with presigned URLs

Uploading objects using multipart upload API

The company should deploy a new Amazon Elastic File System (Amazon EFS) Multi-AZ file system. The company should configure the file system for 75 MiBps of provisioned throughput. The company should implement replication to a file system in the DR Region. This solution will meet the requirements because Amazon EFS is a serverless, fully elastic file storage service that lets you share file data without provisioning or managing storage capacity and performance. Amazon EFS is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files1. By deploying a new Amazon EFS Multi-AZ file system, the company can create a single location for updates to application data for all instances. A Multi-AZ file system replicates data across multiple Availability Zones (AZs) within a Region, providing high availability and durability2. By configuring the file system for 75 MiBps of provisioned throughput, the company can ensure that it meets the peak operations requirement of 225 MiBps of read throughput. Provisioned throughput is a feature that enables you to specify a level of throughput that the file system can drive independent of the file system’s size or burst credit balance3. By implementing replication to a file system in the DR Region, the company can make a copy of the data available in another AWS Region for disaster recovery. Replication is a feature that enables you to replicate data from one EFS file system to another EFS file system across AWS Regions. The replication process has an RPO of less than 1 hour.

The other options are not correct because:

Deploying a new Amazon FSx for Lustre file system would not provide a single location for updates to application data for all instances. Amazon FSx for Lustre is a fully managed service that provides cost-effective, high-performance storage for compute workloads. However, it does not support concurrent write access from multiple instances. Using AWS Backup to back up the file system to the DR Region would not provide real-time replication of data. AWS Backup is a service that enables you to centralize and automate data protection across AWS services. However, it does not support continuous data replication or cross-Region disaster recovery.

Deploying a General Purpose SSD (gp3) Amazon Elastic Block Store (Amazon EBS) volume with 225 MiBps of throughput would not provide a single location for updates to application data for all instances. Amazon EBS is a service that provides persistent block storage volumes for use with Amazon EC2 instances. However, it does not support concurrent access from multiple instances, unless Multi-Attach is enabled. Enabling Multi-Attach for the EBS volume would not provide Multi-AZ resilience or cross-Region replication. Multi-Attach is a feature that enables you to attach an EBS volume to multiple EC2 instances within the same Availability Zone. Using AWS Elastic Disaster Recovery to replicate the EBS volume to the DR Region would not provide real-time replication of data. AWS Elastic Disaster Recovery (AWS DRS) is a service that enables you to orchestrate and automate disaster recovery workflows across AWS Regions. However, it does not support continuous data replication or sub-hour RPOs.

Deploying an Amazon FSx for OpenZFS file system in both the production Region and the DR Region would not be as simple or cost-effective as using Amazon EFS. Amazon FSx for OpenZFS is a fully managed service that provides high-performance storage with strong data consistency and advanced data management features for Linux workloads. However, it requires more configuration and management than Amazon EFS, which is serverless and fully elastic. Creating an AWS DataSync scheduled task to replicate the data from the production file system to the DR file system every 10 minutes would not provide real-time replication of data. AWS DataSync is a service that enables you to transfer data between on-premises storage and AWS services, or between AWS services. However, it does not support continuous data replication or sub-minute RPOs.

This explanation is based on AWS documentation and best practices but is paraphrased, not a literal extract.

The company wants to move from a manual EC2 and EBS-based workflow to a containerized application on Amazon EKS and automate data movement. The solution must:

Support automated transfer of raw and processed data.

Offer multiprotocol support.

Be directly usable from the EKS cluster as a mounted volume.

Minimize operational effort by using managed services where possible.

AWS DataSync is a managed service designed to move data between on-premises storage and AWS storage services or between AWS storage services. It can perform scheduled or continuous transfers with minimal operational overhead. For storage accessible from Amazon EKS, a shared file system that supports mounting as a volume is appropriate.

Amazon FSx for NetApp ONTAP provides a fully managed file system with multiprotocol support, including NFS and SMB, and supports features such as snapshots and storage efficiencies. Because it supports multiple protocols, it satisfies the requirement for multiprotocol access and can be mounted by applications running in Amazon EKS using standard Kubernetes persistent volume mechanisms.

In the correct solution (option C), DataSync is used to copy raw data from the on-premises environment to FSx for NetApp ONTAP. The FSx for NetApp ONTAP file system is then mounted as a volume in the EKS cluster, allowing the containerized analytics processing logic to read and write data directly. After processing, DataSync is again used to copy processed data from FSx for NetApp ONTAP to Amazon S3 for long-term storage. This leverages DataSync’s native integration with both FSx for NetApp ONTAP and Amazon S3, and avoids the need to run or manage custom upload tooling.

Option A uses Amazon EFS, which supports NFS but does not provide multiprotocol support (for example, SMB), so it does not fully meet the multiprotocol requirement. It also introduces AWS Transfer for SFTP for the processed data upload, which adds an additional managed endpoint and SFTP-based flow, increasing complexity relative to using DataSync end-to-end.

Option B uses Amazon FSx for Lustre, which is optimized for high-performance compute workloads and integrates well with S3, but it is not a multiprotocol file system and is typically accessed via NFS. It does not meet the stated multiprotocol requirement.

Option D uses FSx for NetApp ONTAP (which supports multiprotocol) but relies on AWS Transfer for SFTP to move processed data to S3. While this can work, it adds another managed input endpoint and requires SFTP client configuration and management. Using DataSync directly from FSx for NetApp ONTAP to Amazon S3 (as in option C) is more straightforward, better suited for automated large-scale transfers, and involves less operational overhead.

Therefore, option C meets all the requirements with the least operational effort by using DataSync with FSx for NetApp ONTAP and S3.

Creating a headless Aurora DB cluster in the secondary Region as part of an Aurora global database ensures continuous, low-latency replication without running active instances in the secondary Region.

This configuration meets the RTO and RPO requirements by allowing rapid promotion of the secondary cluster in a failover scenario.

It also reduces operational costs compared to continuously running standby instances in the secondary Region.

This aligns with AWS best practices for DR and cross-Region resiliency.

https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ReadWriteCapacityMode.html#HowItWorks.ProvisionedThroughput.Manual

Hosting the .NET Core components on Amazon ECS with the Amazon EC2 launch type will meet the requirements of having complex orchestration and full control over networking and host configuration. Amazon ECS is a fully managed container orchestration service that supports both AWS Fargate and Amazon EC2 as launch types. The Amazon EC2 launch type allows users to choose their own EC2 instances, configure their own networking settings, and access their own host operating systems. Hosting the database on Amazon Aurora MySQL Serverless v2 will meet the requirements of having a strongly relational database model and using the same database engine as SQL Server. MySQL is a compatible relational database engine with SQL Server, and it can support most of the legacy application’s database model. Amazon Aurora MySQL Serverless v2 is a serverless version of Amazon Aurora MySQL that can scale up and down automatically based on demand. Using Amazon SQS for asynchronous messaging will meet the requirements of providing a compatible replacement for MSMQ, which is a queue-based messaging system3. Amazon SQS is a fully managed message queuing service that enables decoupled and scalable microservices, distributed systems, and serverless applications.