Quiz: Cloud Deep Dive
10 questions

L0 (1 question)
1. What is the difference between a Security Group and a Network ACL (NACL) in AWS?

Answer: Security Groups are stateful firewalls attached per ENI (return traffic is automatically allowed). NACLs are stateless firewalls applied per subnet (you must explicitly allow return traffic). Security Groups support only allow rules; NACLs support both allow and deny rules.

L1 (3 questions)
1. How does IRSA (IAM Roles for Service Accounts) let Kubernetes pods assume AWS IAM roles without static credentials?

Answer: The EKS cluster has an OIDC provider. A Kubernetes ServiceAccount is annotated with an IAM role ARN. When a pod uses that ServiceAccount, it receives temporary AWS credentials via a projected volume token. The IAM role's trust policy allows the OIDC provider to assume it. No access keys are stored or rotated.

2. What is the shared responsibility model in cloud computing?

Answer: The cloud provider secures the infrastructure (physical, network, hypervisor). The customer secures what they put in the cloud (data, IAM, application configuration, OS patches on VMs). The exact split depends on the service model (IaaS vs PaaS vs SaaS). *Common mistake:* Assuming the cloud provider is responsible for everything.

3. Why should you tag all cloud resources, and what are three useful tag keys?

Answer: Tags enable cost allocation, access control, and automation. Useful keys: Environment (prod/staging/dev), Team/Owner (who pays for and maintains the resource), Service (which application it belongs to). Untagged resources are invisible to governance tools. *Common mistake:* Treating tags as purely decorative with no functional purpose.

L2 (5 questions)
1. Your EKS cluster is running out of pod IP addresses in a /24 subnet. What is the root cause and what are two solutions?

Answer: The EKS VPC CNI assigns a real VPC IP to every pod, so a /24 (254 IPs) fills fast with many pods per node. Solutions:
  1. Use larger subnets (/20 or /18).
  2. Enable VPC CNI prefix delegation to assign /28 prefixes per ENI slot instead of individual IPs, dramatically increasing per-node pod capacity.
2. A microservice running on ECS Fargate suddenly has high latency. What three things do you check first?

Answer:
  1. Task CPU/memory metrics: is the container resource-constrained?
  2. Target group health checks: are instances being deregistered?
  3. VPC flow logs and security groups: is there a network bottleneck or dropped traffic?
*Common mistake:* Restarting all ECS tasks simultaneously.
3. What is the difference between horizontal and vertical scaling in cloud environments, and when do you prefer each?

Answer: Vertical scaling (a bigger instance) is simpler but has an upper limit. Horizontal scaling (more instances) has no ceiling but requires stateless design and load balancing. Prefer horizontal scaling for web/API tiers and vertical scaling for databases that are hard to shard. *Common mistake:* Assuming vertical scaling is always better because it avoids complexity.

4. Your team receives a $50K monthly AWS bill. How do you identify the top cost drivers?

Answer: Use AWS Cost Explorer grouped by service, then drill into the top service by usage type. Check: reserved vs on-demand instance usage, data transfer costs (often hidden), and unused or idle resources (EBS volumes, old snapshots, idle NAT gateways). *Common mistake:* Shutting down all non-production accounts immediately.

5. What is a VPC peering connection and what is its main limitation?

Answer: VPC peering connects two VPCs for private IP communication without traversing the public internet. Main limitation: peering is non-transitive; if VPC A peers with B and B peers with C, A cannot reach C through B. Use Transit Gateway for hub-and-spoke topologies. *Common mistake:* Assuming VPC peering allows unlimited transitive routing.

L3 (1 question)
1. You notice NAT Gateway costs are 40% of your AWS bill. Describe a strategy to reduce them without changing application code.