Practice questions for the AWS ANS-C01 (Advanced Networking Specialty) exam, Chapter 1.
-
Q1. A company wants to migrate its DNS registrar and DNS hosting to Amazon Route 53. The company website receives tens of thousands of visits each day, and the company’s current DNS provider cannot keep up. The company wants to migrate as quickly as possible but cannot tolerate any downtime.
Which solution will meet these requirements?
- A. Transfer the domain name to Route 53. Create a Route 53 private hosted zone, and copy all the existing DNS records. Update the name servers on the domain to use the name servers that are specified in the newly created private hosted zone.
- B. Copy all DNS records from the existing DNS servers to a Route 53 private hosted zone. Update the name servers with the existing registrar to use the private hosted zone name servers. Transfer the domain name to Route 53. Ensure that all the changes have propagated.
- C. Transfer the domain name to Route 53. Create a Route 53 public hosted zone, and copy all the existing DNS records. Set the TTL value on each record to 1 second. Update the name servers on the domain to use the name servers that are specified in the newly created public hosted zone.
- D. Copy all DNS records from the existing DNS servers to a Route 53 public hosted zone. Update the name servers with the existing registrar to use the Route 53 name servers for the hosted zone. When the changes have propagated, perform a domain name transfer to Route 53.
-
Q2. A company has an application that runs on a fleet of Amazon EC2 instances. A new company regulation mandates that all network traffic to and from the EC2 instances must be sent to a centralized third-party EC2 appliance for content inspection.
Which solution will meet these requirements?
- A. Configure VPC flow logs on each EC2 network interface. Publish the flow logs to an Amazon S3 bucket. Create a third-party EC2 appliance to acquire flow logs from the S3 bucket. Log in to the appliance to monitor network content.
- B. Create a third-party EC2 appliance in an Auto Scaling group fronted by a Network Load Balancer (NLB). Configure a mirror session. Specify the NLB as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application.
- C. Configure a mirror session. Specify an Amazon Kinesis Data Firehose delivery stream as the mirror target. Specify a mirror filter to capture inbound and outbound traffic. For the source of the mirror session, specify the EC2 elastic network interfaces for all the instances that host the application. Create a third-party EC2 appliance. Send all traffic to the appliance through the Kinesis Data Firehose delivery stream for content inspection.
- D. Configure VPC flow logs on each EC2 network interface. Send the logs to Amazon CloudWatch. Create a third-party EC2 appliance. Configure a CloudWatch filter to send the flow logs to Amazon Kinesis Data Firehose to load the logs into the appliance.
-
Q3. A company is migrating its containerized application to AWS. For the architecture, the company will have an ingress VPC with a Network Load Balancer (NLB) to distribute the traffic to front-end pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The front end of the application will determine which user is requesting access and will send traffic to 1 of 10 services VPCs. Each services VPC will include an NLB that distributes traffic to the services pods in an EKS cluster. The company is concerned about overall cost. User traffic will be responsible for more than 10 TB of data transfer from the ingress VPC to services VPCs every month. A network engineer needs to recommend how to design the communication between the VPCs.
Which solution will meet these requirements at the LOWEST cost?
- A. Create a transit gateway. Peer each VPC to the transit gateway. Use zonal DNS names for the NLB in the services VPCs to minimize cross-AZ traffic from the ingress VPC to the services VPCs.
- B. Create an AWS PrivateLink endpoint in every Availability Zone in the ingress VPC. Each PrivateLink endpoint will point to the zonal DNS entry of the NLB in the services VPCs.
- C. Create a VPC peering connection between the ingress VPC and each of the 10 services VPCs. Use zonal DNS names for the NLB in the services VPCs to minimize cross-AZ traffic from the ingress VPC to the services VPCs.
- D. Create a transit gateway. Peer each VPC to the transit gateway. Turn off cross-AZ load balancing on the transit gateway. Use Regional DNS names for the NLB in the services VPCs.
-
Q4. A network engineer needs to standardize a company's approach to centralizing and managing interface VPC endpoints for private communication with AWS services. The company uses AWS Transit Gateway for inter-VPC connectivity between AWS accounts through a hub-and-spoke model. The company's network services team must manage all Amazon Route 53 zones and interface endpoints within a shared services AWS account. The company wants to use this centralized model to provide AWS resources with access to AWS Key Management Service (AWS KMS) without sending traffic over the public internet.
What should the network engineer do to meet these requirements?
- A. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to the interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.
- B. In the shared services account, create an interface endpoint for AWS KMS. Modify the interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to the interface endpoint. Associate each private hosted zone with the shared services AWS account.
- C. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in each spoke AWS account with an alias record that points to each interface endpoint. Associate each private hosted zone with the shared services AWS account.
- D. In each spoke AWS account, create an interface endpoint for AWS KMS. Modify each interface endpoint by disabling the private DNS name. Create a private hosted zone in the shared services account with an alias record that points to each interface endpoint. Associate the private hosted zone with the spoke VPCs in each AWS account.
-
Q5. A company plans to run a computationally intensive data processing application on AWS. The data is highly sensitive. The VPC must have no direct internet access, and the company has applied strict network security to control access.
Data scientists will transfer data from the company's on-premises data center to the instances by using an AWS Site-to-Site VPN connection. The on-premises data center uses the network range 172.31.0.0/20, and the application VPC will use the network range 172.31.16.0/20.
The data scientists report that they can start new instances of the application but that they cannot transfer any data from the on-premises data center. A network engineer enables VPC flow logs and sends a ping to one of the instances to test reachability. The flow logs show the following:
The network engineer must recommend a solution that will give the data scientists the ability to transfer data from the on-premises data center.
Which solution will meet these requirements?
- A. Modify the security group for the application. Add an inbound rule to allow traffic from the on-premises data center network range to the application.
- B. Modify the network ACLs for the VPC subnet. Add an inbound rule to allow traffic from the on-premises data center network range to the VPC subnet range.
- C. Modify the network ACLs for the VPC subnet. Add an outbound rule to allow traffic from the VPC subnet range to the on-premises data center network range.
- D. Modify the security group for the application. Add an outbound rule to allow traffic from the application to the on-premises data center network range.
-
Q6. A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection.
Which solution will meet these requirements?
- A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an alarm to notify the network engineer.
- B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify the network engineer.
- C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
- D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
-
Q7. A company is running multiple workloads on Amazon EC2 instances in public subnets. In a recent incident, an attacker exploited an application vulnerability on one of the EC2 instances to gain access to the instance. The company fixed the application and launched a replacement EC2 instance that contains the updated application.
The attacker used the compromised application to spread malware over the internet. The company became aware of the compromise through a notification from AWS. The company needs the ability to identify when an application that is deployed on an EC2 instance is spreading malware.
Which solution will meet this requirement with the LEAST operational effort?
- A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs.
- B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures.
- C. Set up a Gateway Load Balancer. Run an intrusion detection system (IDS) appliance from AWS Marketplace on Amazon EC2 for traffic inspection.
- D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic.
-
Q8. A company has an application that runs on premises. The application needs to communicate with an application that runs in a VPC on AWS. The communication between the applications must be encrypted and must use private IP addresses. The communication cannot travel across the public internet. The company has established a 1 Gbps AWS Direct Connect connection between the on-premises location and AWS.
Which solution will meet the connectivity requirements with the LEAST operational overhead?
- A. Configure a private VIF on the Direct Connect connection. Associate the private VIF with the VPC's virtual private gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the virtual private gateway.
- B. Create a transit gateway. Configure a transit VIF on the Direct Connect connection. Associate the transit VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the transit gateway.
- C. Configure a public VIF on the Direct Connect connection. Associate the public VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up an AWS Site-to-Site VPN private IP VPN connection to the transit gateway.
- D. Create a transit gateway. Configure a transit VIF on the Direct Connect connection. Associate the transit VIF with a Direct Connect gateway. Associate the Direct Connect gateway with a new transit gateway. Set up a third-party firewall in a new VPC that is attached to the transit gateway. Set up a VPN connection to the third-party firewall.
-
Q9. A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway.
Which set of steps should the network engineer follow in each AWS account to meet these requirements?
- A. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Connectivity account ID. Enable the feature to allow external accounts. 2. In the Connectivity account: Accept the resource. 3. In the Connectivity account: Create an attachment to the VPC subnets. 4. In the Production account: Accept the attachment. Associate a route table with the attachment.
- B. 1. In the Production account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Connectivity account ID. Enable the feature to allow external accounts. 2. In the Connectivity account: Accept the resource. 3. In the Production account: Create an attachment on the transit gateway to the VPC subnets. 4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
- C. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the VPC subnets. Provide the Production account ID. Enable the feature to allow external accounts. 2. In the Production account: Accept the resource. 3. In the Connectivity account: Create an attachment on the transit gateway to the VPC subnets. 4. In the Production account: Accept the attachment. Associate a route table with the attachment.
- D. 1. In the Connectivity account: Create a resource share in AWS Resource Access Manager for the transit gateway. Provide the Production account ID. Enable the feature to allow external accounts. 2. In the Production account: Accept the resource. 3. In the Production account: Create an attachment to the VPC subnets. 4. In the Connectivity account: Accept the attachment. Associate a route table with the attachment.
-
Q10. A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer.
Which architecture will meet these requirements MOST cost-effectively?
- A. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
- B. Deploy a Gateway Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
- C. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with a single network interface in a private subnet. Use a NAT gateway to send the traffic to the internet after inspection.
- D. Deploy a Network Load Balancer with the firewall appliances as targets. Configure the firewall appliances with two network interfaces: one network interface in a private subnet and another network interface in a public subnet. Use the NAT functionality on the firewall appliances to send the traffic to the internet after inspection.
-
Q11. A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic.
Which solution will meet these requirements?
- A. Deploy a Network Load Balancer (NLB) as the traffic mirror target. Behind the NLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
- B. Deploy an Application Load Balancer (ALB) as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during non-business hours.
- C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target. Behind the GLB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring as necessary.
- D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target. Behind the ALB, deploy a fleet of EC2 instances in an Auto Scaling group. Use Traffic Mirroring only during active events or business hours.
-
Q12. A company’s network engineer builds and tests network designs for VPCs in a development account. The company needs to monitor the changes that are made to network resources and must ensure strict compliance with network security policies. The company also needs access to the historical configurations of network resources.
Which solution will meet these requirements?
- A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern to monitor the account for changes. Configure the rule to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
- B. Create custom metrics from Amazon CloudWatch logs. Use the metrics to invoke an AWS Lambda function to identify noncompliant resources. Update an Amazon DynamoDB table with the changes that are identified.
- C. Record the current state of network resources by using AWS Config. Create rules that reflect the desired configuration settings. Set remediation for noncompliant resources.
- D. Record the current state of network resources by using AWS Systems Manager Inventory. Use Systems Manager State Manager to enforce the desired configuration settings and to carry out remediation for noncompliant resources.
-
Q13. A company is building its website on AWS in a single VPC. The VPC has public subnets and private subnets in two Availability Zones. The website has static content such as images. The company is using Amazon S3 to store the content. The company has deployed a fleet of Amazon EC2 instances as web servers in a private subnet. The EC2 instances are in an Auto Scaling group behind an Application Load Balancer. The EC2 instances will serve traffic, and they must pull content from an S3 bucket to render the webpages. The company is using AWS Direct Connect with a public VIF for on-premises connectivity to the S3 bucket. A network engineer notices that traffic between the EC2 instances and Amazon S3 is routing through a NAT gateway. As traffic increases, the company's costs are increasing. The network engineer needs to change the connectivity to reduce the NAT gateway costs that result from the traffic between the EC2 instances and Amazon S3.
Which solution will meet these requirements?
- A. Create a Direct Connect private VIF. Migrate the traffic from the public VIF to the private VIF.
- B. Create an AWS Site-to-Site VPN tunnel over the existing public VIF.
- C. Implement interface VPC endpoints for Amazon S3. Update the VPC route table.
- D. Implement gateway VPC endpoints for Amazon S3. Update the VPC route table.
-
Q14. A company is using an Amazon CloudFront distribution that is configured with an Application Load Balancer (ALB) as an origin. A network engineer needs to implement a solution that requires all inbound traffic to the ALB to come from CloudFront. The network engineer must implement the solution at the network layer rather than in the application.
Which solution will meet these requirements in the MOST operationally efficient way?
- A. Add an inbound rule to the ALB's security group to allow the AWS managed prefix list for CloudFront.
- B. Add an inbound rule to the network ACLs that are associated with the ALB's subnets. Use the AWS managed prefix list for CloudFront as the source in the rule.
- C. Configure CloudFront to add a custom HTTP header to the requests that CloudFront sends to the ALB.
- D. Associate an AWS WAF web ACL with the ALB. Configure the AWS WAF rules to allow traffic from the CloudFront IP set. Automatically update the CloudFront IP set by using an AWS Lambda function.
-
Q15. A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints.
Which solution will meet these requirements with the LEAST operational overhead?
- A. Create a central egress VPC that has private NAT gateways. Connect all the VPCs to the central egress VPC by using AWS Transit Gateway. Use the private NAT gateways to connect to Amazon S3 and Systems Manager by using private IP addresses.
- B. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 forwarding rule for each interface VPC endpoint. Associate the forwarding rules with all the VPCs. Forward DNS queries to the interface VPC endpoints in the shared services VPC.
- C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Ensure that private DNS is turned off. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Create an Amazon Route 53 private hosted zone with a full service endpoint name for Amazon S3 and Systems Manager. Associate the private hosted zones with all the VPCs. Create an alias record in each private hosted zone with the full AWS service endpoint pointing to the interface VPC endpoint in the shared services VPC.
- D. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access. Connect all the VPCs to the central shared services VPC by using AWS Transit Gateway. Ensure that private DNS is turned on for the interface VPC endpoints and that the transit gateway is created with DNS support turned on.
-
Q16. A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are part of an Amazon EC2 Auto Scaling group. To comply with new security standards, the company must capture all application access data, including server response codes, request paths, latency, and client IP addresses. The company also needs to query the captured data for performance analysis.
Which solution will meet these requirements?
- A. Enable VPC flow logs on the ALB subnets. Store the logs to an Amazon S3 bucket. Query the logs in the S3 bucket by using Amazon Athena.
- B. Configure Amazon VPC Traffic Mirroring on all EC2 elastic network interfaces. Deploy a third-party monitoring appliance from AWS Marketplace in a private subnet. Use Amazon Data Firehose to send all mirrored traffic to the monitoring appliance. Query the logs directly from the monitoring appliance.
- C. Configure Amazon CloudWatch detailed monitoring on the EC2 instances. Include all available logs. Use Amazon Data Firehose to send all the collected logs to an Amazon S3 bucket. Query the data directly from the S3 bucket.
- D. Enable access logs on the ALB. Store the logs in an Amazon S3 bucket. Query the logs in the S3 bucket by using Amazon Athena.
-
Q17. A company has multiple VPCs with subnets that use IPv4. Traffic from the VPCs to the internet uses a NAT gateway. The company wants to transition to IPv6. A network engineer creates multiple IPv6-only subnets in an existing testing VPC. The network engineer deploys a new Amazon EC2 instance that has an IPv6 address into one of the subnets. During testing, the network engineer discovers that the new EC2 instance is not able to communicate with an IPv4-only service through the internet. The network engineer needs to enable the IPv6 EC2 instance to communicate with the IPv4-only service.
Which solution will meet this requirement?
- A. Enable DNS64 for the IPv6-only subnets. Update the route tables for the IPv6-only subnets to send traffic through the NAT gateway.
- B. Enable NAT64 for the testing VPC. Reconfigure the existing NAT gateway to support IPv6.
- C. Enable DNS64 for the new EC2 instance. Create a new egress-only internet gateway that supports IPv6.
- D. Enable NAT64 for each route table. Create a new NAT gateway that supports both IPv4 and IPv6.
-
Q18. A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes.
Which solution will meet these requirements?
- A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.
- B. Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X-Forwarded-For request header with traffic to the targets.
- C. Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets.
- D. Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets.
-
Q19. A financial trading company is using Amazon EC2 instances to run its trading platform. Part of the company's trading platform includes a third-party pricing service that the EC2 instances communicate with over UDP on port 50000. Recently, the company has had problems with the pricing service. Some of the responses from the pricing service appear to be incorrectly formatted and are not being processed successfully. The third-party vendor requests access to the data that the pricing service is returning. The third-party vendor wants to capture request and response data for debugging by logging in to an EC2 instance that accesses the pricing service. The company prohibits direct access to production systems and requires all log analysis to be performed in a dedicated monitoring account.
Which set of steps should a network engineer take to capture the data and meet these requirements?
- A. 1. Configure VPC flow logs to capture the data that flows in the VPC. 2. Send the data to an Amazon S3 bucket. 3. In the monitoring account, extract the data that flows to the EC2 instance's IP address and filter the traffic for the UDP data. 4. Provide the data to the third-party vendor.
- B. 1. Configure a traffic mirror filter to capture the UDP data. 2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface. 3. Configure a packet inspection package on a new EC2 instance in the production environment. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror. 4. Extract the data by using the packet inspection package. 5. Provide the data to the third-party vendor.
- C. 1. Configure a traffic mirror filter to capture the UDP data. 2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface. 3. Configure a packet inspection package on a new EC2 instance in the monitoring account. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror. 4. Extract the data by using the packet inspection package. 5. Provide the data to the third-party vendor.
- D. 1. Create a new Amazon Elastic Block Store (Amazon EBS) volume. Attach the EBS volume to the EC2 instance. 2. Log in to the EC2 instance in the production environment. Run the tcpdump command to capture the UDP data on the EBS volume. 3. Export the data from the EBS volume to Amazon S3. 4. Provide the data to the third-party vendor.
-
Q20. A company has three VPCs in a single AWS Region. Each VPC contains 15 Amazon EC2 instances, and no connectivity exists between the VPCs. The company is deploying a new application across all three VPCs. The application requires high bandwidth between the nodes. A network engineer must implement connectivity between the VPCs.
Which solution will meet these requirements with the HIGHEST throughput?
- A. Configure a transit gateway. Attach each VPC to the transit gateway. Configure static routing in each VPC to route traffic to the transit gateway.
- B. Configure VPC peering between the three VPCs. Configure static routing to route traffic between the three VPCs.
- C. Configure a transit VPC. Configure a VPN gateway in each VPC. Create an AWS Site-to-Site VPN tunnel from each VPC to the transit VPC. Use BGP routing to route traffic between the VPCs and the transit VPC.
- D. Configure AWS Site-to-Site VPN connections between each VPC. Enable route propagation for each Site-to-Site VPN connection to route traffic between the VPCs.
-
Q21. A company has 10 web server Amazon EC2 instances that run in an Auto Scaling group in a production VPC. The company has 10 other web servers that run in an on-premises data center. The company has a 10 Gbps AWS Direct Connect connection between the on-premises data center and the production VPC.
The company needs to implement a load balancing solution that receives HTTPS traffic from thousands of external users. The solution must distribute the traffic across the web servers on AWS and the web servers in the on-premises data center. Regardless of the location of the web servers, HTTPS requests must go to the same web server throughout the entire session.
Which solution will meet these requirements?
- A. Create a Network Load Balancer (NLB) in the production VPC. Create a target group. Specify IP as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable connection draining on the NLB.
- B. Create an Application Load Balancer (ALB) in the production VPC. Create a target group. Specify IP as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable application-based session affinity (sticky sessions) on the ALB.
- C. Create a Network Load Balancer (NLB) in the production VPC. Create a target group. Specify instance as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable session affinity (sticky sessions) on the NLB.
- D. Create an Application Load Balancer (ALB) in the production VPC. Create a target group. Specify instance as the target type. Register the EC2 instances and the on-premises servers with the target group. Enable application-based session affinity (sticky sessions) on the ALB.
-
Q22. You have a static VPN connecting your data center and your VPC. You currently have 50 routes added to your route table. You want to add more; how should you do this?
- A. 50 is the most you can have for any connection.
- B. Just add them, you have a maximum of 100 static routes per route table.
- C. Set up Direct Connect. A VPN will not support more routes.
- D. Convert your VPN to a dynamic VPN and use BGP.
-
Q23. A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway. A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner. What should the network engineer do to meet these requirements?
- A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.
- B. Change the router configurations to summarize the advertised routes.
- C. Open a support ticket to increase the quota on advertised routes to the VPC route table.
- D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC, and connect the Direct Connect gateway to the transit gateway.
-
Q24. A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud. The application requires connectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWS and its on-premises network to accommodate the growing demand for the application.
The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS and the edge routers in the colocation within the next few months. The company must maintain its current bandwidth.
What should a network engineer do to meet these requirements with the LEAST operational overhead?
- A. Deploy a new public VIF with encryption on the existing Direct Connect connections. Reroute traffic through the new public VIF.
- B. Create a virtual private gateway. Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway. Reroute traffic from the Direct Connect private VIF to the new VPNs.
- C. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Configure MACsec on the edge routers. Reroute traffic to the new Direct Connect connections. Decommission the original Direct Connect connections.
- D. Deploy a new pair of 10 GB Direct Connect connections with MACsec. Deploy a new public VIF on the new Direct Connect connections. Deploy two AWS Site-to-Site VPN connections on top of the new public VIF. Reroute traffic from the existing private VIF to the new Site-to-Site connections. Decommission the original Direct Connect connections.
-
Q25. A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key.
What should the network engineer do to meet this requirement?
- A. Change the ALB security policy to a policy that supports TLS 1.2 protocol only.
- B. Use AWS Key Management Service (AWS KMS) to encrypt session keys.
- C. Associate an AWS WAF web ACL with the ALBs, and create a security rule to enforce forward secrecy (FS).
- D. Change the ALB security policy to a policy that supports forward secrecy (FS).
-
Q26. A company is planning to host a secure web application across multiple Amazon EC2 instances. The application will have an associated DNS domain in an Amazon Route 53 hosted zone. The company wants to protect the domain from DNS poisoning attacks. The company also wants to allow web browsers to authenticate into the application by using a trusted third party. Which combination of actions will meet these requirements?
- A. Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install self-signed X.509 certificates on the EC2 instances.
- B. Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install X.509 certificates that are signed by a public certificate authority on the EC2 instances.
- C. Configure the Route 53 hosted zone to use DNS Security Extensions (DNSSEC). Install X.509 certificates that are signed by a public certificate authority on the EC2 instances.
- D. Configure a Name Authority Pointer (NAPTR) record in the Route 53 hosted zone. Install self-signed X.509 certificates on the EC2 instances.
-
Q27. A financial trading company is using Amazon EC2 instances to run its trading platform. Part of the company's trading platform includes a third-party pricing service that the EC2 instances communicate with over UDP on port 50000.
Recently, the company has had problems with the pricing service. Some of the responses from the pricing service appear to be incorrectly formatted and are not being processed successfully. The third-party vendor requests access to the data that the pricing service is returning. The third-party vendor wants to capture request and response data for debugging by logging in to an EC2 instance that accesses the pricing service. The company prohibits direct access to production systems and requires all log analysis to be performed in a dedicated monitoring account.
Which set of steps should a network engineer take to capture the data and meet these requirements?
- A. 1. Configure VPC flow logs to capture the data that flows in the VPC. 2. Send the data to an Amazon S3 bucket. 3. In the monitoring account, extract the data that flows to the EC2 instance's IP address and filter the traffic for the UDP data. 4. Provide the data to the third-party vendor.
- B. 1. Configure a traffic mirror filter to capture the UDP data. 2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface. 3. Configure a packet inspection package on a new EC2 instance in the production environment. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror. 4. Extract the data by using the packet inspection package. 5. Provide the data to the third-party vendor.
- C. 1. Configure a traffic mirror filter to capture the UDP data. 2. Configure Traffic Mirroring to capture the traffic for the EC2 instance's elastic network interface. 3. Configure a packet inspection package on a new EC2 instance in the monitoring account. Use the elastic network interface of the new EC2 instance as the target for the traffic mirror. 4. Extract the data by using the packet inspection package. 5. Provide the data to the third-party vendor.
- D. 1. Create a new Amazon Elastic Block Store (Amazon EBS) volume. Attach the EBS volume to the EC2 instance. 2. Log in to the EC2 instance in the production environment. Run the tcpdump command to capture the UDP data on the EBS volume. 3. Export the data from the EBS volume to Amazon S3. 4. Provide the data to the third-party vendor.
-
Q28. A company is growing rapidly. Data transfers between the company's on-premises systems and Amazon EC2 instances that run in VPCs are limited by the throughput of a single AWS Site-to-Site VPN connection between the company's on-premises data center firewall and an AWS Transit Gateway.
A network engineer must resolve the throttling by designing a solution that is highly available and secure. The solution also must scale the VPN throughput from on premises to the VPC resources to support the increase in traffic.
Which solution will meet these requirements?
- A. Configure multiple dynamic BGP-based Site-to-Site VPN connections to the transit gateway. Configure equal-cost multi-path routing (ECMP).
- B. Configure multiple static routing-based Site-to-Site VPN connections to the transit gateway. Configure equal-cost multi-path routing (ECMP).
- C. Configure a new Site-to-Site VPN connection to the transit gateway. Enable acceleration for the Site-to-Site VPN connection.
- D. Configure a software appliance-based VPN connection over the internet from the on-premises firewall to an EC2 instance that has a large instance size and networking capabilities.
-
Q29. A company has set up hybrid connectivity between its VPCs and its on-premises data center. The company has the on-premises.example.com subdomain configured at its DNS server in the on-premises data center. The company is using the aws.example.com subdomain for workloads that run on AWS across different VPCs and accounts. Resources in both environments can access each other by using IP addresses. The company wants workloads in the VPCs to be able to access resources on premises by using the on-premises.example.com DNS names.
Which solution will meet these requirements with MINIMUM management of resources?
- A. Create an Amazon Route 53 Resolver outbound endpoint. Configure a Resolver rule that conditionally forwards DNS queries for on-premises.example.com to the on-premises DNS server. Associate the rule with the VPCs.
- B. Create an Amazon Route 53 Resolver inbound endpoint and a Resolver outbound endpoint. Configure a Resolver rule that conditionally forwards DNS queries for on-premises.example.com to the on-premises DNS server. Associate the rule with the VPCs.
- C. Launch an Amazon EC2 instance. Install and configure BIND software to conditionally forward DNS queries for on-premises.example.com to the on-premises DNS server. Configure the EC2 instance's IP address as a custom DNS server in each VPC.
- D. Launch an Amazon EC2 instance in each VPC. Install and configure BIND software to conditionally forward DNS queries for on-premises.example.com to the on-premises DNS server. Configure the EC2 instance's IP address as a custom DNS server in each VPC.
-
Q30. A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to the internet. A network engineer notices a large quantity of suspicious network traffic that is traveling from the VPC over the internet to IP addresses that are included on a deny list. The network engineer must implement a solution to determine which AWS resources are generating the suspicious traffic. The solution must minimize cost and administrative overhead.
Which solution will meet these requirements?
- A. Launch an Amazon EC2 instance in the VPC. Use Traffic Mirroring by specifying the NAT gateway as the source and the EC2 instance as the destination. Analyze the captured traffic by using open-source tools to identify the AWS resources that are generating the suspicious traffic.
- B. Use VPC flow logs. Launch a security information and event management (SIEM) solution in the VPC. Configure the SIEM solution to ingest the VPC flow logs. Run queries on the SIEM solution to identify the AWS resources that are generating the suspicious traffic.
- C. Use VPC flow logs. Publish the flow logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query the flow logs to identify the AWS resources that are generating the suspicious traffic.
- D. Configure the VPC to stream the network traffic directly to an Amazon Kinesis data stream. Send the data from the Kinesis data stream to an Amazon Kinesis Data Firehose delivery stream to store the data in Amazon S3. Use Amazon Athena to query the data to identify the AWS resources that are generating the suspicious traffic.
-
Q31. An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed.
Which solution will meet these requirements?
- A. Create an Application Load Balancer (ALB). Add an HTTPS listener to the ALB. Configure the Auto Scaling group to register instances with the ALB's target group.
- B. Create an Amazon CloudFront distribution. Configure the distribution with a custom SSL/TLS certificate. Set the Auto Scaling group as the distribution's origin.
- C. Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB's target group.
- D. Create a Gateway Load Balancer (GLB). Configure the Auto Scaling group to register instances with the GLB's target group.
-
Q32. A company's application team is unable to launch new resources into its VPC. A network engineer discovers that the VPC has run out of usable IP addresses. The VPC CIDR block is 172.16.0.0/16.
Which additional CIDR block can the network engineer attach to the VPC?
- A. 172.17.0.0/29
- B. 10.0.0.0/16
- C. 172.17.0.0/16
- D. 192.168.0.0/16
-
Q33. A company uses a 1 Gbps AWS Direct Connect connection to connect its AWS environment to its on-premises data center. The connection provides employees with access to an application VPC that is hosted on AWS. Many remote employees use a company-provided VPN to connect to the data center. These employees are reporting slowness when they access the application during business hours. On-premises users have started to report similar slowness while they are in the office.
The company plans to build an additional application on AWS. On-site and remote employees will use the additional application. After the deployment of this additional application, the company will need 20% more bandwidth than the company currently uses. With the increased usage, the company wants to add resiliency to the AWS connectivity. A network engineer must review the current implementation and must make improvements within a limited budget.
What should the network engineer do to meet these requirements MOST cost-effectively?
- A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application. Create a link aggregation group (LAG).
- B. Deploy an AWS Site-to-Site VPN connection to the application VPC. Configure the on-premises routing for the remote employees to connect to the Site-to-Site VPN connection.
- C. Deploy Amazon Workspaces into the application VPC. Instruct the remote employees to connect to Workspaces.
- D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps Direct Connect hosted connections. Create an AWS Client VPN endpoint in the application VPC. Instruct the remote employees to connect to the Client VPN endpoint.
-
Q34. A company is migrating its on-premises network from its data center in Virginia to its data center in New York. The AWS Direct Connect connections for the Virginia and New York data center locations are both associated to the us-east-1 Region. The company needs to migrate a private VIF on an existing Direct Connect hosted connection from Virginia to New York. The company's on-premises network uses the connection to access VPCs through a Direct Connect gateway in us-east-1. The company has already requested a new Direct Connect hosted connection from the new data center to the New York Direct Connect location. Which solution will meet these requirements with the LEAST downtime?
- A. Create a new private VIF on the new Direct Connect hosted connection. Create a new Direct Connect gateway and attach the gateway to the new private VIF. Configure BGP routing on the new private VIF as a backup route. Perform the switchover during a maintenance window by shutting down BGP on the existing private VIF. Decommission the existing Direct Connect connection.
- B. Create a new private VIF on the new Direct Connect hosted connection. Attach the new private VIF to the existing Direct Connect gateway. Configure BGP routing on the new private VIF as a backup route. Perform the switchover during a maintenance window by shutting down BGP on the existing private VIF. Decommission the existing Direct Connect connection.
- C. During a maintenance window, migrate the existing private VIF to the new Direct Connect hosted connection. Attach the existing private VIF to the existing Direct Connect gateway. Decommission the existing Direct Connect connection.
- D. During a maintenance window, delete the existing private VIF and create a new private VIF to the new Direct Connect hosted connection. Attach the new private VIF to the existing Direct Connect gateway. Decommission the existing Direct Connect hosted connection.
-
Q35. A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets. Which solution will meet these requirements?
- A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
- B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
- C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
- D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.
-
Q36. You have several Amazon Glacier vaults you would like to monitor. How might you monitor those vaults?
- A. Create a custom AWS Config rule.
- B. Use an AWS master Config rule.
- C. Use an AWS managed Config rule.
- D. Create a KMS policy and attach it to your Amazon Glacier vault.
-
Q37. A company has a 2 Gbps AWS Direct Connect hosted connection from the company’s office to a VPC in the ap-southeast-2 Region. A network engineer adds a 5 Gbps Direct Connect hosted connection from a different Direct Connect location in the same Region. The hosted connections are connected to different routers from the office with an iBGP session running in between the routers.
The network engineer wants to ensure that the VPC uses the 5 Gbps hosted connection to route traffic to the office. Failover to the 2 Gbps hosted connection must occur when the 5 Gbps hosted connection is down.
Which solution will meet these requirements?
- A. Configure an outbound BGP policy from the router that is connected to the 2 Gbps connection. Advertise routes with a longer AS_PATH attribute to AWS.
- B. Advertise a longer prefix route from the router that is connected to the 2 Gbps connection.
- C. Advertise a less specific route from the router that is connected to the 5 Gbps connection.
- D. Configure an outbound BGP policy from the router that is connected to the 5 Gbps connection. Advertise routes with a longer AS_PATH attribute to AWS.
-
Q38. A company has established connectivity between its on-premises data center in Paris, France, and the AWS Cloud by using an AWS Direct Connect connection. The company uses a transit VIF that connects the Direct Connect connection with a transit gateway that is hosted in the Europe (Paris) Region. The company hosts workloads in private subnets in several VPCs that are attached to the transit gateway. The company recently acquired another corporation that hosts workloads on premises in an office building in Tokyo, Japan. The company needs to migrate the workloads from the Tokyo office to AWS. These workloads must have access to the company's existing workloads in Paris. The company also must establish connectivity between the Tokyo office building and the Paris data center. In the Asia Pacific (Tokyo) Region, the company creates a new VPC with private subnets for migration of the workloads. The workload migration must be completed in 5 days. The workloads cannot be directly accessible from the internet. Which set of steps should a network engineer take to meet these requirements?
- A. 1. Create public subnets in the Tokyo VPC to migrate the workloads into. 2. Configure an internet gateway for the Tokyo office to reach the Tokyo VPC. 3. Configure security groups on the Tokyo workloads to only allow traffic from the Tokyo office and the Paris workloads. 4. Create peering connections between the Tokyo VPC and the Paris VPCs. 5. Configure a VPN connection between the Paris data center and the Tokyo office by using existing routers.
- B. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Set up a new Direct Connect connection from the Tokyo office to the Tokyo transit gateway. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
- C. 1. Configure a transit gateway in the Asia Pacific (Tokyo) Region. Associate this transit gateway with the Tokyo VPC. 2. Create peering connections between the Tokyo transit gateway and the Paris transit gateway. 3. Configure an AWS Site-to-Site VPN connection from the Tokyo office. Set the Tokyo transit gateway as the target. 4. Configure routing on both transit gateways to allow data to flow between sites and the VPCs.
- D. 1. Configure an AWS Site-to-Site VPN connection from the Tokyo office to the Paris transit gateway. 2. Create an association between the Paris transit gateway and the Tokyo VPC. 3. Configure routing on the Paris transit gateway to allow data to flow between sites and the VPC.
-
Q39. A company is running a hybrid cloud environment. The company has multiple AWS accounts as part of an organization in AWS Organizations. The company needs a solution to manage a list of IPv4 on-premises hosts that will be allowed to access resources in AWS. The solution must provide version control for the list of IPv4 addresses and must make the list available to the AWS accounts in the organization.
Which solution will meet these requirements?
- A. Create a customer-managed prefix list. Add entries for the initial list of on-premises IPv4 hosts. Create a resource share in AWS Resource Access Manager. Add the managed prefix list to the resource share. Share the resource with the organization.
- B. Create a customer-managed prefix list. Add entries for the initial list of on-premises IPv4 hosts. Use AWS Firewall Manager to share the managed prefix list with the organization.
- C. Create a security group. Add inbound rule entries for the initial list of on-premises IPv4 hosts. Create a resource share in AWS Resource Access Manager. Add the security group to the resource share. Share the resource with the organization.
- D. Create an Amazon DynamoDB table. Add entries for the initial list of on-premises IPv4 hosts. Create an AWS Lambda function that assumes a role in each AWS account in the organization to authorize inbound rules on security groups based on entries from the DynamoDB table.
-
Q40. A company has a single VPC in the us-east-1 Region. The company is planning to set up a new VPC in the us-east-2 Region. The existing VPC has an AWS Site-to-Site VPN connection to the company's on-premises environment and uses a virtual private gateway. A network engineer needs to implement a solution to establish connectivity between the existing VPC and the new VPC. The solution also must implement support for IPv6 for the new VPC. The company has new on-premises resources that need to connect to VPC resources by using IPv6 addresses. Which solution will meet these requirements?
- A. Create a new virtual private gateway in us-east-1. Attach the new virtual private gateway to the new VPC. Create two new Site-to-Site VPN connections to the new virtual private gateway with IPv4 and IPv6 support. Configure routing between the VPCs by using VPC peering.
- B. Create a transit gateway in us-east-1 and in us-east-2. Attach the existing VPC and the new VPC to each transit gateway. Create a new Site-to-Site VPN connection to each transit gateway with IPv4 and IPv6 support. Configure transit gateway peering. Configure routing between the VPCs and the on-premises environment.
- C. Create a new virtual private gateway in us-east-2. Attach the new virtual private gateway to the new VPC. Create two new Site-to-Site VPN connections to the new virtual private gateway with IPv4 and IPv6 support. Configure routing between the VPCs by using VPC peering.
- D. Create a transit gateway in us-east-1. Attach the existing VPC and the new VPC to the transit gateway. Create two new Site-to-Site VPN connections to the transit gateway with IPv4 and IPv6 support. Configure transit gateway peering. Configure routing between the VPCs and the on-premises environment.
-
Q41. A company has an application that hosts personally identifiable information (PII) of users. All connections to the application must be secured by HTTPS with TLS certificates that implement Elliptic Curve Cryptography (ECC). The application uses stateful connections between the web tier and the end users. Multiple instances host the application. A network engineer must implement a solution that offloads TLS connections to a load balancer. Which load-balancing solution will meet these requirements?
- A. Provision a Network Load Balancer. Configure a TLS listener by specifying the use of an ECC SSL certificate that is uploaded to AWS Identity and Access Management (IAM). Turn on health checks to monitor the web hosts that connect to the end users.
- B. Provision an Application Load Balancer. Configure an HTTPS listener by specifying the use of an ECC SSL certificate that is uploaded to AWS Certificate Manager (ACM). Configure a default action to redirect to the URL for the application. Turn on health checks to monitor the web hosts that connect to the end users.
- C. Provision a Network Load Balancer. Configure a TLS listener by specifying the use of an ECC SSL certificate that is uploaded to AWS Certificate Manager (ACM). Turn on application-based session affinity (sticky sessions). Turn on health checks to monitor the web hosts that connect to the end users.
- D. Provision an Application Load Balancer. Configure an HTTPS listener by specifying the use of an ECC SSL certificate that is uploaded to AWS Identity and Access Management (IAM). Configure a default action to redirect to the URL for the application. Turn on application-based session affinity (sticky sessions).
-
Q42. A logistics company has multiple VPCs in an AWS Region. The company uses a transit gateway to connect the VPCs. The company has several on-premises offices that connect to the transit gateway by using AWS Site-to-Site VPN connections over the internet. The company has configured one transit gateway VPN attachment for each office. Route propagation is enabled on all route tables. Each Site-to-Site VPN connection uses two tunnels in an active-passive configuration. The company configured each office with appropriate static routes on both the Site-to-Site VPN connection and the office's customer gateway. The company wants to use both IPsec tunnels of every office to maximize the overall VPN connection bandwidth. Which design changes are necessary to meet these requirements?
- A. Create an AWS Transit Gateway Connect attachment for each office. Use the existing VPN attachments as the transport for the new Connect attachments. Set up a Generic Routing Encapsulation (GRE) tunnel on each customer gateway that terminates on the Connect attachment for each office. Move the static routes from the transit gateway VPN attachment to the customer gateway for the transit gateway Connect attachment.
- B. Enable equal-cost multi-path (ECMP) routing on the transit gateway. Ensure ECMP is supported by and enabled on the customer gateways. Enable ECMP on the Site-to-Site VPN connection. Ensure static routes on the customer gateways have equal metrics and administrative distance.
- C. Enable equal-cost multi-path (ECMP) routing on the transit gateway. Ensure ECMP is supported by and enabled on the customer gateways. Change the routing configuration between the transit gateway and the customer gateways from static routing to BGP. Remove related static routes from the customer gateways.
- D. Enable equal-cost multi-path (ECMP) routing on the transit gateway. Ensure ECMP is supported by and enabled on the customer gateways. Change the routing configuration between the transit gateway and the customer gateways from static routing to BGP. Ensure the customer gateway applies the correct community strings to give the transit gateway the ability to perform ECMP forwarding.
-
Q43. A company has developed a new web application on AWS. The application runs on Amazon Elastic Container Service (Amazon ECS) on AWS Fargate behind an Application Load Balancer (ALB) in the us-east-1 Region. The application uses Amazon Route 53 to host the DNS records for The domain. The content that is served from the website is mostly static images and files that are not updated frequently. Most of the traffic to the Website from end users will originate from the United States. Some traffic will originate from Canada and Europe.A network engineer needs to design a solution that will reduce latency for end users at the lowest cost. The solution also must ensure that all Traffic is encrypted in transit until the traffic reaches the ALB. Which solution will meet these requirements?
- A. Configure the ALB to use an AWS Global Accelerator accelerator in us-east-1. Create a secure HTTPS listener. Create an alias record in Amazon Route 53 for the custom domain name. Configure the alias record to route to the DNS name that is assigned to the accelerator for the ALB.
- B. Configure the ALB to use a secure HTTPS listener. Create an Amazon CloudFront distribution. Set the origin domain name to point to the DNS record that is assigned to the ALB. Configure the CloudFront distribution to use an SSL certificate. Set all behaviors to force HTTPS. Create an alias record in Amazon Route 53 for the custom domain name. Configure the alias record to route to the DNS name that is assigned to the ALB.
- C. Configure the ALB to use a secure HTTPS listener. Create an Amazon CloudFront distribution. Set the origin domain name to point to the DNS record that is assigned to the ALB. Configure the CloudFront distribution to use an SSL certificate and redirect HTTP to HTTPS. Create an Alias record in Amazon Route 53 for the custom domain name. Configure the alias record to route to the CloudFront distribution.
- D. Configure the ALB to use an AWS Global Accelerator accelerator in us-east-1. Create a secure HTTPS listener. Create a second application stack on Amazon ECS on Fargate in the eu-west-1 Region. Create another secure HTTPS listener. Create an alias record in Amazon Route 53 for the custom domain name. Configure the alias record to use a latency-based routing policy to route to the DNS name that is assigned to the accelerator for the ALBs.
View question →
-
Q44. A company wants to improve visibility into its AWS environment. The AWS environment consists of multiple VPCs that are connected to a transit gateway. The transit gateway connects to an on-premises data center through an AWS Direct Connect gateway and a pair of redundant Direct Connect connections that use transit VIFs. The company must receive notification each time a new route is advertised to AWS from on premises over Direct Connect. What should a network engineer do to meet these requirements?
- A. Enable Amazon CloudWatch metrics on Direct Connect to track the received routes. Configure a CloudWatch alarm to send notifications when routes change.
- B. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights. Use Amazon EventBridge (Amazon CloudWatch Events) to send notifications when routes change.
- C. Configure an AWS Lambda function to periodically check the routes on the Direct Connect gateway and to send notifications when routes change.
- D. Enable Amazon CloudWatch Logs on the transit VIFs to track the received routes. Create a metric filter. Set an alarm on the filter to send notifications when routes change.
View question →
-
Q45. A global company is designing a hybrid architecture to privately access AWS resources in the us-west-2 Region. The company's existing architecture includes a VPC that uses RFC 1918 IP address space. The VPC is connected to an on-premises data center over AWS Direct Connect. Amazon Route 53 provides name resolution within the VPC. Locally managed DNS servers in the data center provide DNS services to the on-premises hosts.
The company has applications in the data center that need to download objects from an Amazon S3 bucket in us-west-2.
Which solution can the company use to access Amazon S3 without using the public IP address space?
- A. Create an S3 interface endpoint in the VPC. Update the on-premises application configuration to use the Regional VPC endpoint DNS hostname that is mapped to the S3 interface endpoint.
- B. Create an S3 interface endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.
- C. Create an S3 gateway endpoint in the VPC. Update the on-premises application configuration to use the hostname that is mapped to the S3 gateway endpoint.
- D. Create an S3 gateway endpoint in the VPC. Configure a Route 53 Resolver inbound endpoint in the VPC. Set up the data center DNS servers to forward DNS queries for the S3 domain from on premises to the inbound endpoint.
View question →
-
Q46. A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1.
The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US data center and us-east-1 with the Europe data center and eu-west-2. A network engineer must establish full connectivity between the data centers and Regions with the lowest possible latency.
How should the network engineer design the network architecture to meet these requirements?
- A. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF.
- B. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Associate the transit gateway in us-east-1 with the same Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.
- C. Connect the VPC in eu-west-2 to a new transit gateway. Connect the Europe data center to the new transit gateway by using a Direct Connect gateway and a new transit VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for both transit VIFs. Peer the two transit gateways.
- D. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF. Create a new Direct Connect gateway. Associate the transit gateway in us-east-1 with the new Direct Connect gateway. Enable SiteLink for the transit VIF and the private VIF.
View question →
-
Q47. A company's network engineer is configuring an AWS Site-to-Site VPN connection between a transit gateway and the company's on-premises network. The Site-to-Site VPN connection is configured to use BGP over two tunnels in active/active mode with equal-cost multi-path (ECMP) routing activated on the transit gateway.
When the network engineer attempts to send traffic from the on-premises network to an Amazon EC2 instance, traffic is sent over the first tunnel. However, return traffic is received over the second tunnel and is dropped at the customer gateway. The network engineer must resolve this issue without reducing the overall VPN bandwidth.
Which solution will meet these requirements?
- A. Configure the customer gateway to use AS PATH prepending and local preference to prefer one tunnel over the other.
- B. Configure the Site-to-Site VPN options to set the first tunnel as the primary tunnel to eliminate asymmetric routing.
- C. Configure the virtual tunnel interfaces on the customer gateway to allow asymmetric routing.
- D. Configure the Site-to-Site VPN to use static routing in active/active mode to ensure that traffic flows over a preferred path.
View question →
-
Q48. A company has set up a NAT gateway in a single Availability Zone (AZ1) in a VPC (VPC1) to access the internet from Amazon EC2 workloads in the VPC. The EC2 workloads are running in private subnets in three Availability Zones (AZ1, AZ2, AZ3). The route table for each subnet is configured to use the NAT gateway to access the internet. Recently during an outage, internet access stopped working for the EC2 workloads because of the NAT gateway's unavailability. A network engineer must implement a solution to remove the single point of failure from the architecture and provide built-in redundancy. Which solution will meet these requirements?
- A. Set up two NAT gateways. Place each NAT gateway in a different public subnet in separate Availability Zones (AZ2 and AZ3). Configure a route table for private subnets to route traffic to the virtual IP addresses of the two NAT gateways.
- B. Set up two NAT gateways. Place each NAT gateway in a different public subnet in separate Availability Zones (AZ2 and AZ3). Configure a route table to point the AZ2 private subnets to the NAT gateway in AZ2. Configure the same route table to point the AZ3 private subnets to the NAT gateway in AZ3.
- C. Create a second VPC (VPC2). Set up two NAT gateways. Place each NAT gateway in a different VPC (VPC1 and VPC2) and in the same Availability Zone (AZ2). Configure a route table in VPC1 to point the AZ2 private subnets to one NAT gateway. Configure a route table in VPC2 to point the AZ2 private subnets to the second NAT gateway.
- D. Set up two NAT gateways. Place each NAT gateway in a different public subnet in separate Availability Zones (AZ2 and AZ3). Configure a route table to point the AZ2 private subnets to the NAT gateway in AZ2. Configure a second route table to point the AZ3 private subnets to the NAT gateway in AZ3.
View question →
-
Q49. A consulting company manages AWS accounts for its customers. One of the company's customers needs to add intrusion prevention for its environment without having to re-architect the environment. The customer's environment includes five VPCs in two AWS Regions in the United States. VPC-to-VPC connectivity is achieved through VPC peering. The customer does not plan to increase the number of VPCs within the next 2 years. The solution must accommodate unencrypted traffic.
Which solution will meet these requirements?
- A. Configure VPC security groups and network ACLs.
- B. Use an AWS Network Firewall centralized deployment model in each VPC.
- C. Use an AWS Network Firewall distributed deployment model in each VPC.
- D. Deploy AWS Shield in each VPC.
View question →
-
Q50. A company is deploying AWS Cloud WAN with edge locations in the us-east-1 Region and the ap-southeast-2 Region. Individual AWS Cloud WAN segments are configured for the development environment, the production environment, and the shared services environment at each edge location. Many new VPCs will be deployed for the environments and will be configured as attachments to the AWS Cloud WAN core network. The company's network team wants to ensure that VPC attachments are configured for the correct segment. The network team will tag the VPC attachments by using the Environment key with a value of the corresponding environment segment name. The segment for the production environment in us-east-1 must require acceptance for attachment requests. All other attachment requests must not require acceptance. Which solution will meet these requirements?
- A. Create a rule with a number of 100 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "or" value. Include conditions that require a tag:Environment value of Production or a Region value of us-east-1. Create a rule with a number of 200 that does not require acceptance to map any tag:Environment values to their respective segments.
- B. Create a rule with a number of 100 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "and" value. Include conditions that require a tag:Environment value of Production and a Region value of us-east-1. Create a rule with a number of 200 that does not require acceptance to map any tag:Environment values to their respective segments.
- C. Create a rule with a number of 100 that does not require acceptance to map any tag:Environment values to their respective segments. Create a rule with a number of 200 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "and" value. Include conditions that require a tag:Environment value of Production and a Region value of us-east-1.
- D. Create a rule with a number of 100 that does not require acceptance to map any tag:Environment values to their respective segments. Create a rule with a number of 200 that requires acceptance for attachments to the production segment. In the rule, set the condition logic to the "or" value. Include conditions that require a tag:Environment value of Production or a Region value of us-east-1.
View question →
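The rule-ordering and condition-logic point behind this question is easiest to see by running it. The Python below is an added example, not part of the original question set and not AWS code: it evaluates the attachment-policies section of a Cloud WAN core network policy the way the service documents it (ascending rule number, first match wins, condition-logic "and"/"or" across a rule's conditions, association by constant segment or by tag value). The policy document, the segment names (development, production, shared) and the tag values are constructed for the example; the default of "or" when condition-logic is omitted is an assumption that only matters for rules with more than one condition.

```python
"""Evaluate AWS Cloud WAN attachment-policy rules the way the core network does
(added example; the policy, segment names and tag values are constructed).

Rules run in ascending rule-number order; the first rule whose conditions
match assigns the segment and decides whether acceptance is required.
"""
import copy
from typing import Optional

SEGMENTS = {"development", "production", "shared"}   # assumed segment names

# Constructed attachment-policies section of a core network policy document.
POLICY = {
    "attachment-policies": [
        {   # production VPCs in us-east-1 only: constant segment, acceptance required
            "rule-number": 100,
            "condition-logic": "and",
            "conditions": [
                {"type": "tag-value", "operator": "equals",
                 "key": "Environment", "value": "production"},
                {"type": "region", "operator": "equals", "value": "us-east-1"},
            ],
            "action": {"association-method": "constant",
                       "segment": "production", "require-acceptance": True},
        },
        {   # everything else: segment taken from the Environment tag, no acceptance
            "rule-number": 200,
            "conditions": [{"type": "tag-exists", "key": "Environment"}],
            "action": {"association-method": "tag",
                       "tag-value-of-key": "Environment",
                       "require-acceptance": False},
        },
    ]
}


def _compare(operator: str, actual: Optional[str], expected: str) -> bool:
    if actual is None:
        return False
    if operator == "equals":
        return actual == expected
    if operator == "not-equals":
        return actual != expected
    if operator == "contains":
        return expected in actual
    if operator == "begins-with":
        return actual.startswith(expected)
    raise ValueError(f"unsupported operator {operator}")


def _condition_matches(cond: dict, attachment: dict) -> bool:
    tags = attachment.get("tags", {})
    kind = cond["type"]
    if kind == "any":
        return True
    if kind == "tag-exists":
        return cond["key"] in tags
    if kind == "tag-value":
        return _compare(cond["operator"], tags.get(cond["key"]), cond["value"])
    if kind == "region":
        return _compare(cond["operator"], attachment.get("region"), cond["value"])
    if kind == "attachment-type":
        return _compare(cond["operator"], attachment.get("attachment_type"), cond["value"])
    raise ValueError(f"unsupported condition type {kind}")


def evaluate_attachment(policy: dict, attachment: dict):
    """Return (segment, require_acceptance, rule_number), or None if no rule
    matches or the tag names a segment that does not exist."""
    for rule in sorted(policy["attachment-policies"], key=lambda r: r["rule-number"]):
        outcomes = [_condition_matches(c, attachment) for c in rule["conditions"]]
        # condition-logic only matters with several conditions; "or" is assumed when absent
        matched = all(outcomes) if rule.get("condition-logic", "or") == "and" else any(outcomes)
        if not matched:
            continue
        action = rule["action"]
        if action["association-method"] == "constant":
            segment = action["segment"]
        else:
            segment = attachment["tags"].get(action["tag-value-of-key"])
        if segment not in SEGMENTS:
            return None
        return segment, bool(action.get("require-acceptance", False)), rule["rule-number"]
    return None


def with_condition_logic(policy: dict, rule_number: int, logic: str) -> dict:
    """Copy of the policy with one rule's condition-logic swapped, to compare and/or."""
    variant = copy.deepcopy(policy)
    for rule in variant["attachment-policies"]:
        if rule["rule-number"] == rule_number:
            rule["condition-logic"] = logic
    return variant
```

Running a development attachment in us-east-1 through the policy lands it in the development segment without acceptance; running the same attachment through a copy of rule 100 whose condition-logic is "or" lands it in the production segment with acceptance required, because the Region condition alone satisfies the rule. That is the misrouting a rule with "or" logic produces for every non-production VPC in that Region.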
-
Q51. A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company's Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?
- A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.
- B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
- C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
- D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.
View question →
-
Q52. A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured.
The security team needs to determine which POD IP addresses are communicating with which services throughout the VPC. The security team wants to limit the number of flow logs and wants to examine the traffic from only the two applications.
Which solution will meet these requirements with the LEAST operational overhead?
- A. Create VPC flow logs in the default format. Create a filter to gather flow logs only from the EKS nodes. Include the srcaddr field and the dstaddr field in the flow logs.
- B. Create VPC flow logs in a custom format. Set the EKS nodes as the resource. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
- C. Create VPC flow logs in a custom format. Set the application subnets as resources. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
- D. Create VPC flow logs in a custom format. Create a filter to gather flow logs only from the EKS nodes. Include the pkt-srcaddr field and the pkt-dstaddr field in the flow logs.
View question →
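Once the flow log exists, the useful work is reading pkt-srcaddr next to srcaddr. The Python below is an added example (not from the question set and not an AWS tool): it parses records written in a custom flow log format and maps pod IPs to the services they reached, then lists the pairs that were rejected. The format string, ENI IDs, VPC CIDR and log lines are all constructed. The one AWS behaviour it relies on is that, for traffic a node's ENI sends, srcaddr holds the ENI's own address while pkt-srcaddr holds the original packet source, which under the VPC CNI is the pod's secondary IP on that ENI.

```python
"""Map EKS pod IPs to the services they reach from VPC Flow Logs in a custom
format (added example; format string, ENI IDs and log lines are constructed).

For traffic an ENI sends, srcaddr is the ENI's own (primary) address while
pkt-srcaddr is the original packet source. Under the VPC CNI a pod's IP is a
secondary IP on the node's ENI, so pod traffic shows up as srcaddr != pkt-srcaddr.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order is chosen when the flow log is created with a custom format.
FLOW_LOG_FORMAT = ("${version} ${interface-id} ${srcaddr} ${dstaddr} "
                   "${pkt-srcaddr} ${pkt-dstaddr} ${dstport} ${protocol} ${action}")

# Constructed records: eni-0aaa111 and eni-0bbb222 are application node ENIs,
# eni-0ccc333 belongs to something else in the VPC and must be ignored.
SAMPLE_LINES = """\
5 eni-0aaa111 10.0.1.10 10.0.20.5 10.0.1.45 10.0.20.5 5432 6 ACCEPT
5 eni-0aaa111 10.0.1.10 10.0.20.5 10.0.1.46 10.0.20.5 5432 6 ACCEPT
5 eni-0aaa111 10.0.1.10 10.0.30.9 10.0.1.45 10.0.30.9 6379 6 REJECT
5 eni-0bbb222 10.0.2.10 10.0.20.5 10.0.2.71 10.0.20.5 443 6 ACCEPT
5 eni-0bbb222 10.0.2.10 10.0.20.5 10.0.2.10 10.0.20.5 443 6 ACCEPT
5 eni-0ccc333 10.0.9.10 10.0.20.5 10.0.9.33 10.0.20.5 443 6 ACCEPT
"""


def parse_flow_log(fmt: str, text: str) -> list:
    """Split each record on whitespace and label the fields from the format string."""
    fields = [token[2:-1] for token in fmt.split()]      # "${srcaddr}" -> "srcaddr"
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"record does not match format: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def pod_to_service_map(records: list, app_enis: set, vpc_cidr: str) -> dict:
    """Return {pod_ip: {(service_ip, dstport, action), ...}} for flows sent by
    pods on the application node ENIs. Node-originated flows (kubelet, or pod
    traffic already SNAT'd to the node address) have srcaddr == pkt-srcaddr
    and are skipped, as are packet sources outside the VPC."""
    vpc = ip_network(vpc_cidr)
    result = defaultdict(set)
    for rec in records:
        if rec["interface-id"] not in app_enis:
            continue
        pod_ip, eni_ip = rec["pkt-srcaddr"], rec["srcaddr"]
        if pod_ip == eni_ip or ip_address(pod_ip) not in vpc:
            continue
        result[pod_ip].add((rec["pkt-dstaddr"], int(rec["dstport"]), rec["action"]))
    return dict(result)


def rejected_pairs(pod_map: dict) -> list:
    """Pod/service/port triples that security group or network ACL rules rejected."""
    return sorted((pod, svc, port) for pod, flows in pod_map.items()
                  for svc, port, action in flows if action == "REJECT")


if __name__ == "__main__":
    recs = parse_flow_log(FLOW_LOG_FORMAT, SAMPLE_LINES)
    pods = pod_to_service_map(recs, {"eni-0aaa111", "eni-0bbb222"}, "10.0.0.0/16")
    for pod, flows in sorted(pods.items()):
        print(pod, sorted(flows))
    print("rejected:", rejected_pairs(pods))
```

With the default format (no pkt-srcaddr), every pod on a node would be reported as the node's ENI address, and the pod-to-service mapping the audit asks for could not be recovered from the log at all.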
-
Q53. A company has a global network and is using transit gateways to connect AWS Regions together. The company finds that two Amazon EC2 instances in different Regions are unable to communicate with each other. A network engineer needs to troubleshoot this connectivity issue. What should the network engineer do to meet this requirement?
- A. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables and in the VPC route tables. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
- B. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use AWS Firewall Manager to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
- C. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
- D. Use VPC Reachability Analyzer to analyze routes in the transit gateway route tables. Verify that the VPC route tables are correct. Use VPC flow logs to analyze the IP traffic that security group rules and network ACL rules accept or reject in the VPC.
View question →
-
Q54. A company has several AWS Site-to-Site VPN connections between an on-premises customer gateway and a transit gateway. The company's application uses IPv4 to communicate through the VPN connections. The company has updated the VPC to be dual stack and wants to transition to using IPv6-only for new workloads. When the company tries to communicate through the existing VPN connections, IPv6 traffic fails. Which solution will provide IPv6 support with the LEAST operational overhead?
- A. Create a new Site-to-Site VPN connection that supports IPv6.
- B. Create a new Site-to-Site VPN connection to a self-managed Amazon EC2 instance that runs open source software.
- C. Update the existing Site-to-Site VPN connections to support IPv6.
- D. Update the on-premises customer gateway's public IP address from IPv4 to IPv6.
View question →
-
Q55. A network engineer needs to build an encrypted connection between an on-premises data center and a VPC. The network engineer attaches the VPC to a virtual private gateway and sets up an AWS Site-to-Site VPN connection. The VPN tunnel is UP after configuration and is working. However, during rekey for phase 2 of the VPN negotiation, the customer gateway device is receiving different parameters than the parameters that the device is configured to support.
The network engineer checks the IPsec configuration of the VPN tunnel. The network engineer notices that the customer gateway device is configured with the most secure encryption algorithms that the AWS Site-to-Site VPN configuration file provides.
What should the network engineer do to troubleshoot and correct the issue?
- A. Check the native virtual private gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
- B. Check the native customer gateway logs. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
- C. Check Amazon CloudWatch logs of the virtual private gateway. Restrict the VPN tunnel options to the specific VPN parameters that the virtual private gateway requires.
- D. Check Amazon CloudWatch logs of the customer gateway. Restrict the VPN tunnel options to the specific VPN parameters that the customer gateway requires.
View question →
-
Q56. A company uses Amazon Route 53 to host a public hosted zone for example.com. A network engineer recently reduced the TTL on several records to 60 seconds. The network engineer wants to assess whether the change has increased the number of queries to Route 53 beyond the expected levels that the company identified before the change. The network engineer must obtain the number of queries that have been made to the example.com public hosted zone.
Which solution will provide this information?
- A. Create a new trail in AWS CloudTrail to include Route 53 data events. Send logs to Amazon CloudWatch Logs. Set up a CloudWatch metric filter to count the number of queries and create graphs.
- B. Use Amazon CloudWatch to access the AWS/Route 53 namespace and to check the DNS Queries metric for the public hosted zone.
- C. Use Amazon CloudWatch to access the AWS/Route 53 Resolver namespace and to check the Inbound Query Volume metric for a specific endpoint.
- D. Configure logging to Amazon CloudWatch for the public hosted zone. Set up a CloudWatch metric filter to count the number of queries and create graphs.
View question →
-
Q57. A software-as-a-service (SaaS) company is migrating its private SaaS application to AWS. The company has hundreds of customers that connect to multiple data centers by using VPN tunnels. As the number of customers has grown, the company has experienced more difficulty in its effort to manage routing and segmentation of customers with complex NAT rules. After the migration to AWS is complete, the company's AWS customers must be able to access the SaaS application directly from their VPCs. Meanwhile, the company's on-premises customers still must be able to connect through IPsec encrypted tunnels. Which solution will meet these requirements?
- A. Connect the AWS customer VPCs to a shared transit gateway. Use AWS Site-to-Site VPN connections to the transit gateway for the on-premises customers.
- B. Use AWS PrivateLink to connect the AWS customers. Use a third-party routing appliance in the SaaS application VPC to terminate on-premises Site-to-Site VPN connections.
- C. Peer each AWS customer's VPCs to the VPC that hosts the SaaS application. Create AWS Site-to-Site VPN connections on the SaaS VPC virtual private gateway.
- D. Use Site-to-Site VPN tunnels to connect each AWS customer's VPCs to the VPC that hosts the SaaS application. Use AWS Site-to-Site VPN to connect the on-premises customers.
View question →
-
Q58. A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue.
A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly uploaded objects. The cluster will retrieve new objects, perform proprietary image and video recognition and classification, update metadata in DynamoDB, and replace the objects with new watermarked objects. The company does not want public IP addresses on the EC2 instances.
Which networking design solution will meet these requirements MOST cost-effectively as application usage increases?
- A. Place the EC2 instances in a public subnet. Disable the Auto-assign Public IP option while launching the EC2 instances. Create an internet gateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internet gateway.
- B. Place the EC2 instances in a private subnet. Create a NAT gateway in a public subnet in the same Availability Zone. Create an internet gateway. Attach the internet gateway to the VPC. In the public subnet's route table, add a default route that points to the internet gateway.
- C. Place the EC2 instances in a private subnet. Create an interface VPC endpoint for Amazon SQS. Create gateway VPC endpoints for Amazon S3 and DynamoDB.
- D. Place the EC2 instances in a private subnet. Create a gateway VPC endpoint for Amazon SQS. Create interface VPC endpoints for Amazon S3 and DynamoDB.
View question →
-
Q59. A company needs to protect against potential botnet command and control traffic from any Amazon EC2 instances in the company's AWS environment. Which solution will meet these requirements?
- A. Use AWS Shield Advanced. Activate Shield Advanced protections on the EC2 instances to filter and block botnet traffic.
- B. Use Amazon Route 53 Resolver DNS Firewall. Add a rule to a rule group to use the AWSManagedDomainsBotnetCommandandControl managed domain list with an action to block botnet traffic.
- C. Use AWS WAF Bot Control. Configure a managed rule group that uses an AWS managed rule set to block botnet traffic.
- D. Use AWS Systems Manager. Run a Systems Manager Automation runbook on the EC2 instances to configure the instances to block botnet traffic.
View question →
-
Q60. A company has a transit gateway in a single AWS account. The company sends flow logs for the transit gateway to an Amazon CloudWatch Logs log group. The company created an AWS Lambda function to analyze the logs. The Lambda function sends a notification to an Amazon Simple Notification Service (Amazon SNS) topic when a VPC generates traffic that is dropped by the transit gateway. Each notification contains the account ID, VPC ID, and total amount of dropped packets. The company wants to subscribe a new Lambda function to the SNS topic. The new Lambda function must automatically prevent the traffic that is identified in each notification from leaving a VPC by applying a network ACL to the transit gateway attachment subnets in the VPC that generates the traffic. Which solution will meet these requirements?
- A. Configure the existing Lambda function to add the destination IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an outbound rule by using the destination IP addresses in the network ACL.
- B. Configure the existing Lambda function to add the source IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an inbound rule by using the source IP addresses in the network ACL.
- C. Configure the existing Lambda function to add the source IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an outbound rule by using the source IP addresses in the network ACL.
- D. Configure the existing Lambda function to add the destination IP addresses of the dropped traffic to each SNS notification. Configure the new Lambda function to create an inbound rule by using the destination IP addresses in the network ACL.
View question →
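What the second Lambda function has to do fits in a few dozen lines, and writing it out shows the two details that decide whether the rule actually takes effect: the direction (egress, because the traffic is leaving the subnet toward the transit gateway) and the rule number (below the existing rules, because a network ACL stops at the first match). The Python below is an added example, not code from the question or from AWS. The SNS message fields (the first function is assumed to add the destination addresses and the attachment subnet IDs), the subnet and NACL IDs and the existing rule set are constructed; the boto3 calls at the end use the real ec2 API names but run only when the function is deployed.

```python
"""Plan outbound network ACL DENY entries from a dropped-traffic notification
(added example; message fields, IDs and existing rules are constructed).

The first Lambda function is assumed to add the destination addresses of the
dropped flows and the VPC's transit gateway attachment subnets to its message.
"""
import json
from ipaddress import ip_network

try:
    import boto3          # needed only when running inside Lambda
except ImportError:       # keeps the planning logic usable without the AWS SDK
    boto3 = None

NACL_RULE_QUOTA = 20      # default rules-per-NACL quota; raise it or aggregate CIDRs

# Constructed SNS event as Lambda receives it; Message is the first function's JSON.
SAMPLE_EVENT = {"Records": [{"EventSource": "aws:sns", "Sns": {"Message": json.dumps({
    "account_id": "111122223333",
    "vpc_id": "vpc-0abc1234",
    "dropped_packets": 4821,
    "tgw_attachment_subnets": ["subnet-0a1b2c", "subnet-0d3e4f"],
    "destinations": ["198.51.100.7", "198.51.100.7", "203.0.113.0/24", "10.0.5.9"],
})}}]}


def parse_sns_event(event: dict) -> list:
    """Decode every SNS record's JSON message body."""
    return [json.loads(r["Sns"]["Message"]) for r in event["Records"]]


def destination_cidrs(message: dict) -> list:
    """Deduplicated destinations as CIDRs (/32 for bare addresses), sorted."""
    cidrs = {str(ip_network(d, strict=False)) for d in message["destinations"]}
    return sorted(cidrs, key=ip_network)


def plan_egress_denies(message: dict, nacl_id: str, existing_entries: list) -> list:
    """Build create_network_acl_entry kwargs for egress DENY rules.

    NACL entries are evaluated in ascending rule number and the first match
    wins, so the denies are numbered below the lowest existing egress rule
    (usually the 100 allow-all). CIDRs already denied are skipped; the
    implicit 32767 deny-all counts as an existing entry.
    """
    egress = [e for e in existing_entries if e["Egress"]]
    already_denied = {e.get("CidrBlock") for e in egress if e["RuleAction"] == "deny"}
    lowest = min((e["RuleNumber"] for e in egress), default=100)
    todo = [c for c in destination_cidrs(message) if c not in already_denied]
    if len(egress) + len(todo) > NACL_RULE_QUOTA:
        raise ValueError("planned entries exceed the NACL rule quota")
    if len(todo) > lowest - 1:
        raise ValueError("no free rule numbers below the first existing egress rule")
    first = lowest - len(todo)
    return [{
        "NetworkAclId": nacl_id,
        "RuleNumber": first + i,
        "Protocol": "-1",          # all protocols
        "RuleAction": "deny",
        "Egress": True,            # outbound from the subnet, i.e. toward the transit gateway
        "CidrBlock": cidr,
    } for i, cidr in enumerate(todo)]


def nacl_ids_for_subnets(ec2, subnet_ids: list) -> dict:
    """{subnet_id: nacl_id} via the association.subnet-id filter (live API call)."""
    resp = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": subnet_ids}])
    return {a["SubnetId"]: n["NetworkAclId"]
            for n in resp["NetworkAcls"] for a in n["Associations"]
            if a.get("SubnetId") in subnet_ids}


def lambda_handler(event, context):
    """Entry point for the second Lambda function (needs boto3 and IAM rights)."""
    if boto3 is None:
        raise RuntimeError("boto3 is required to apply entries")
    ec2 = boto3.client("ec2")
    for message in parse_sns_event(event):
        nacls = set(nacl_ids_for_subnets(ec2, message["tgw_attachment_subnets"]).values())
        for nacl_id in nacls:
            current = ec2.describe_network_acls(NetworkAclIds=[nacl_id])["NetworkAcls"][0]["Entries"]
            for kwargs in plan_egress_denies(message, nacl_id, current):
                ec2.create_network_acl_entry(**kwargs)
```

The quota check matters in practice: a network ACL holds 20 rules by default, so a function that adds one /32 per notification will start failing after a few incidents unless it aggregates destinations or the quota is raised.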
-
Q61. An application team for a startup company is deploying a new multi-tier application into the AWS Cloud. The application will be hosted on a fleet of Amazon EC2 instances that run in an Auto Scaling group behind a publicly accessible Network Load Balancer (NLB). The application requires the clients to work with UDP traffic and TCP traffic.
In the near term, the application will serve only users within the same geographic location. The application team plans to extend the application to a global audience and will move the deployment to multiple AWS Regions around the world to bring the application closer to the end users. The application team wants to use the new Regions to deploy new versions of the application and wants to be able to control the amount of traffic that each Region receives during these rollouts. In addition, the application team must minimize first-byte latency and jitter (randomized delay) for the end users.
How should the application team design the network architecture for the application to meet these requirements?
- A. Create an Amazon CloudFront distribution to align to each Regional deployment. Set the NLB for each Region as the origin for each CloudFront distribution. Use an Amazon Route 53 weighted routing policy to control traffic to the newer Regional deployments.
- B. Create an AWS Global Accelerator accelerator and listeners for the required ports. Configure endpoint groups for each Region. Configure a traffic dial for the endpoint groups to control traffic to the newer Regional deployments. Register the NLBs with the endpoint groups.
- C. Use Amazon S3 Transfer Acceleration for the application in each Region. Adjust the amount of traffic that each Region receives from the Transfer Acceleration endpoints to the Regional NLBs.
- D. Create an Amazon CloudFront distribution that includes an origin group. Set the NLB for each Region as the origins for the origin group. Use an Amazon Route 53 latency routing policy to control traffic to the new Regional deployments.
View question →
-
Q62. A company is developing a new application that is deployed in multiple VPCs across multiple AWS Regions. The VPCs are connected through AWS Transit Gateway. The VPCs contain private subnets and public subnets. All outbound internet traffic in the private subnets must be audited and logged. The company's network engineer plans to use AWS Network Firewall and must ensure that all traffic through Network Firewall is completely logged for auditing and alerting. How should the network engineer configure Network Firewall logging to meet these requirements?
- A. Configure Network Firewall logging in Amazon CloudWatch to capture all alerts. Send the logs to a log group in Amazon CloudWatch Logs.
- B. Configure Network Firewall logging in Network Firewall to capture all alerts and flow logs.
- C. Configure Network Firewall logging by configuring VPC Flow Logs for the firewall endpoint. Send the logs to a log group in Amazon CloudWatch Logs.
- D. Configure Network Firewall logging by configuring AWS CloudTrail to capture data events.
View question →
-
Q63. A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application.
Which solution will meet these requirements?
- A. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS service. Create a lifecycle hook to add new tasks to the target group from Amazon ECS as required to handle scaling. Specify the GLB in the service definition. Create a VPC peer for external AWS accounts. Update the route tables so that the AWS accounts can reach the GLB.
- B. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC endpoint service for the ALB. Share the VPC endpoint service with other AWS accounts.
- C. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service. Create path-based routing rules to allow the application to target the containers that are registered in the target group. Specify the ALB in the service definition. Create a VPC peer for the external AWS accounts. Update the route tables so that the AWS accounts can reach the ALB.
- D. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service. Specify the NLB in the service definition. Create a VPC endpoint service for the NLB. Share the VPC endpoint service with other AWS accounts.
View question →
-
Q64. A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private and share a route table that does not have a default route.
The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances must not be directly accessible from the internet. The application will use an Amazon S3 bucket in the same Region to store data. The application will invoke S3 GET API operations and S3 PUT API operations from the EC2 instances. A network engineer must design a VPC architecture that minimizes data transfer cost.
Which solution will meet these requirements?
- A. Deploy the EC2 instances in the public subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.
- B. Deploy the EC2 instances in the private subnets. Create a NAT gateway in the VPC. Create default routes in the private subnets to the NAT gateway. Connect to Amazon S3 by using the NAT gateway.
- C. Deploy the EC2 instances in the private subnets. Create an S3 gateway endpoint in the VPC. Specify the route table of the private subnets during endpoint creation to create routes to Amazon S3.
- D. Deploy the EC2 instances in the private subnets. Create an S3 interface endpoint in the VPC. Modify the application configuration to use the S3 endpoint-specific DNS hostname.
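One way to express the gateway-endpoint design from option C is the CloudFormation fragment below. This is an added example, not part of the original question set; `VpcId`, `PrivateRouteTable` and `DataBucket` are assumed parameter names. A gateway endpoint is bound to route tables rather than subnets: CloudFormation adds a route for the S3 prefix list to each listed route table, so instances in the private subnets reach S3 without a NAT gateway or public IP, and the endpoint policy narrows the endpoint to GET and PUT operations on the application's bucket.

```yaml
# Added example (not from the page): S3 gateway endpoint for private subnets.
# Assumed names: VpcId, PrivateRouteTable, DataBucket.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateRouteTable:
    Type: String          # route table shared by the two private subnets
  DataBucket:
    Type: String          # bucket name the application reads and writes
Resources:
  S3GatewayEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VpcId
      VpcEndpointType: Gateway
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      # Gateway endpoints are bound to route tables; a prefix-list route to
      # S3 is added to each table listed here.
      RouteTableIds:
        - !Ref PrivateRouteTable
      # Endpoint policy: only the application's bucket, only GET and PUT.
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - s3:GetObject
              - s3:PutObject
            Resource: !Sub arn:aws:s3:::${DataBucket}/*
Outputs:
  EndpointId:
    Value: !Ref S3GatewayEndpoint
```

Because the route targets a prefix list, the application keeps using the regular regional S3 hostname; no endpoint-specific DNS name is involved, which is the operational difference from an interface endpoint.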
-
Q65. A company deploys a new web application on Amazon EC2 instances. The application runs in private subnets in three Availability Zones behind an Application Load Balancer (ALB). Security auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and uses AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS connections are terminated on the ALB. The company tests the application with a single EC2 instance and does not observe any problems. However, after production deployment, users report that they can log in but that they cannot use the application. Every new web request restarts the login process.
What should a network engineer do to resolve this issue?
- A. Modify the ALB listener configuration. Edit the rule that forwards traffic to the target group. Change the rule to enable group-level stickiness. Set the duration to the maximum application session length.
- B. Replace the ALB with a Network Load Balancer. Create a TLS listener. Create a new target group with the protocol type set to TLS. Register the EC2 instances. Modify the target group configuration by enabling the stickiness attribute.
- C. Modify the ALB target group configuration by enabling the stickiness attribute. Use an application-based cookie. Set the duration to the maximum application session length.
- D. Remove the ALB. Create an Amazon Route 53 rule with a failover routing policy for the application name. Configure ACM to issue certificates for each EC2 instance.
-
Q66. A company hosts a web application that runs on a fleet of Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Auto Scaling group. The company uses an Amazon CloudFront distribution with the ALB as an origin. The application recently experienced an attack. In response, the company associated an AWS WAF web ACL with the CloudFront distribution. The company needs to use Amazon Athena to analyze application attacks that AWS WAF detects.
Which solution will meet this requirement?
- A. Configure the ALB and the EC2 instance subnets to produce VPC flow logs. Configure the VPC flow logs to deliver logs to an Amazon S3 bucket for log analysis.
- B. Create a trail in AWS CloudTrail to capture data events. Configure the trail to deliver logs to an Amazon S3 bucket for log analysis.
- C. Configure the AWS WAF web ACL to deliver logs to an Amazon Kinesis Data Firehose delivery stream. Configure the stream to deliver the data to an Amazon S3 bucket for log analysis.
- D. Turn on access logging for the ALB. Configure the access logs to deliver the logs to an Amazon S3 bucket for log analysis.
-
Q67. A company is migrating an existing application to a new AWS account. The company will deploy the application in a single AWS Region by using one VPC and multiple Availability Zones. The application will run on Amazon EC2 instances. Each Availability Zone will have several EC2 instances. The EC2 instances will be deployed in private subnets.
The company's clients will connect to the application by using a web browser with the HTTPS protocol. Inbound connections must be distributed across the Availability Zones and EC2 instances. All connections from the same client session must be connected to the same EC2 instance. The company must provide end-to-end encryption for all connections between the clients and the application by using the application SSL certificate.
Which solution will meet these requirements?
- A. Create a Network Load Balancer. Create a target group. Set the protocol to TCP and the port to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2 instances as targets. Create a listener. Set the protocol to TCP and the port to 443 for the listener. Deploy SSL certificates to the EC2 instances.
- B. Create an Application Load Balancer. Create a target group. Set the protocol to HTTP and the port to 80 for the target group. Turn on session affinity (sticky sessions) with an application-based cookie policy. Register the EC2 instances as targets. Create an HTTPS listener. Set the default action to forward to the target group. Use AWS Certificate Manager (ACM) to create a certificate for the listener.
- C. Create a Network Load Balancer. Create a target group. Set the protocol to TLS and the port to 443 for the target group. Turn on session affinity (sticky sessions). Register the EC2 instances as targets. Create a listener. Set the protocol to TLS and the port to 443 for the listener. Use AWS Certificate Manager (ACM) to create a certificate for the application.
- D. Create an Application Load Balancer. Create a target group. Set the protocol to HTTPS and the port to 443 for the target group. Turn on session affinity (sticky sessions) with an application-based cookie policy. Register the EC2 instances as targets. Create an HTTP listener. Set the port to 443 for the listener. Set the default action to forward to the target group.
-
Q68. A network engineer must develop an AWS CloudFormation template that can create a virtual private gateway, a customer gateway, a VPN connection, and static routes in a route table. During testing of the template, the network engineer notes that the CloudFormation template has encountered an error and is rolling back.
What should the network engineer do to resolve the error?
- A. Change the order of resource creation in the CloudFormation template.
- B. Add the DependsOn attribute to the resource declaration for the virtual private gateway. Specify the route table entry resource.
- C. Add a wait condition in the template to wait for the creation of the virtual private gateway.
- D. Add the DependsOn attribute to the resource declaration for the route table entry. Specify the virtual private gateway resource.
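An added example, not from the page, of the template shape this question describes. `AWS::EC2::Route` references the virtual private gateway by ID, but nothing in its properties references the `AWS::EC2::VPCGatewayAttachment` that attaches the gateway to the VPC, so CloudFormation cannot infer that ordering on its own; the AWS documentation for `AWS::EC2::Route` states that a route referencing a gateway must declare a `DependsOn` on the gateway attachment. Without it the route can be created before the gateway is attached, the route fails, and the stack rolls back. Parameter names, the customer ASN and the `10.0.0.0/16` on-premises prefix are assumed.

```yaml
# Added example (not from the page): VPN resources with the DependsOn that the
# static route needs. Assumed: VpcId, RouteTableId, CustomerGatewayIp,
# on-premises prefix 10.0.0.0/16, customer ASN 65000.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  RouteTableId:
    Type: String
  CustomerGatewayIp:
    Type: String
Resources:
  VirtualPrivateGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
  GatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      VpnGatewayId: !Ref VirtualPrivateGateway
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: 65000
      IpAddress: !Ref CustomerGatewayIp
  VpnConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      StaticRoutesOnly: true
      CustomerGatewayId: !Ref CustomerGateway
      VpnGatewayId: !Ref VirtualPrivateGateway
  VpnStaticRoute:
    Type: AWS::EC2::VPNConnectionRoute
    Properties:
      VpnConnectionId: !Ref VpnConnection
      DestinationCidrBlock: 10.0.0.0/16
  OnPremisesRoute:
    Type: AWS::EC2::Route
    # !Ref VirtualPrivateGateway below only orders this route after the
    # gateway itself; the attachment must be declared explicitly or the
    # route can be created against a gateway that is not yet attached.
    DependsOn: GatewayAttachment
    Properties:
      RouteTableId: !Ref RouteTableId
      DestinationCidrBlock: 10.0.0.0/16
      GatewayId: !Ref VirtualPrivateGateway
```

The same rule applies to `AWS::EC2::VPNGatewayRoutePropagation` if the template propagates routes instead of adding them statically.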
-
Q69. A company hosts a web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The ALB is the origin in an Amazon CloudFront distribution. The company wants to implement a custom authentication system that will provide a token for its authenticated customers.
The web application must ensure that the GET/POST requests come from authenticated customers before it delivers the content. A network engineer must design a solution that gives the web application the ability to identify authorized customers.
What is the MOST operationally efficient solution that meets these requirements?
- A. Use the ALB to inspect the authorized token inside the GET/POST request payload. Use an AWS Lambda function to insert a customized header to inform the web application of an authenticated customer request.
- B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload. Configure the ALB listener to insert a customized header to inform the web application of an authenticated customer request.
- C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload. Use the Lambda@Edge function also to insert a customized header to inform the web application of an authenticated customer request.
- D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload. Configure the tool to insert a customized header to inform the web application of an authenticated customer request.
-
Q70. A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?
- A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.
- B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
- C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.
- D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.
-
Q71. A network engineer configures a second AWS Direct Connect connection to an existing network. The network engineer runs a test in the AWS Direct Connect Resiliency Toolkit on the connections. The test produces a failure. During the failover event, the network engineer observes a 90-second interruption before traffic shifts to the failover connection.
Which solution will reduce the time for failover?
- A. Decrease the BGP hello timer to 5 seconds.
- B. Add a VPN connection to the connectivity solution. Implement fast failover.
- C. Configure Bidirectional Forwarding Detection (BFD) on the on-premises router.
- D. Decrease the BGP hold-down timer to 5 seconds.
-
Q72. A company's development team has created a new product recommendation web service. The web service is hosted in a VPC with a CIDR block of 192.168.224.0/19. The company has deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as the target of a Network Load Balancer (NLB).
The company wants to perform testing to determine whether users who receive product recommendations spend more money than users who do not receive product recommendations. The company has a big sales event in 5 days and needs to integrate its existing production environment with the recommendation engine by then. The existing production environment is hosted in a VPC with a CIDR block of 192.168.128.0/17.
A network engineer must integrate the systems by designing a solution that results in the least possible disruption to the existing environments.
Which solution will meet these requirements?
- A. Create a VPC peering connection between the web service VPC and the existing production VPC. Add a routing rule to the appropriate route table to allow data to flow to 192.168.224.0/19 from the existing production environment and to flow to 192.168.128.0/17 from the web service environment. Configure the relevant security groups and ACLs to allow the systems to communicate.
- B. Ask the development team of the web service to redeploy the web service into the production VPC and integrate the systems there.
- C. Create a VPC endpoint service. Associate the VPC endpoint service with the NLB for the web service. Create an interface VPC endpoint for the web service in the existing production VPC.
- D. Create a transit gateway in the existing production environment. Create attachments to the production VPC and the web service VPC. Configure appropriate routing rules in the transit gateway and VPC route tables for 192.168.224.0/19 and 192.168.128.0/17. Configure the relevant security groups and ACLs to allow the systems to communicate.
-
Q74. A company is building an internet-facing application that is hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The company is using the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes for pod networking connectivity. The company needs to expose its application to the internet by using a Network Load Balancer (NLB). The pods that host the application must have visibility of the source IP address that is contained in the original packet that the NLB receives.
How should the network engineer configure the NLB and Amazon EKS settings to achieve these goals?
- A. Specify the ip target type for the NLB. Set the externalTrafficPolicy attribute to Local in the Kubernetes service specification.
- B. Specify the instance target type for the NLB. Set the externalTrafficPolicy attribute to Cluster in the Kubernetes service specification.
- C. Specify the instance target type for the NLB. Set the externalTrafficPolicy attribute to Local in the Kubernetes service specification.
- D. Specify the ip target type for the NLB. Set the externalTrafficPolicy attribute to Cluster in the Kubernetes service specification.
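An added example, not from the page, of the Kubernetes Service manifest for the NLB described here, using AWS Load Balancer Controller annotations; the service name, selector and ports are assumed. With the VPC CNI each pod has a VPC-routable IP, so the `ip` target type registers the pods themselves in the target group and the NLB delivers packets to them without passing through a node port. `externalTrafficPolicy: Local` tells kube-proxy not to source-NAT traffic that does arrive via a node, and the `preserve_client_ip.enabled` target-group attribute is set explicitly rather than relying on the default.

```yaml
# Added example (not from the page): internet-facing NLB with pod IP targets
# and client-IP preservation. Assumed: app label "web", container port 8443,
# AWS Load Balancer Controller installed in the cluster.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: default
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
    # ip: register pod IPs directly (VPC CNI); instance: register nodes
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    # make client IP preservation explicit on the target group
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
spec:
  type: LoadBalancer
  # Local: no node-level SNAT, so the pod sees the client's address
  externalTrafficPolicy: Local
  selector:
    app: web
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8443
```

With client IP preservation the packets reaching the pod carry the client's address rather than the load balancer's, so the security group that applies to the pod's ENI must allow those client sources on the target port (for an internet-facing NLB, 0.0.0.0/0 on 8443) as well as the NLB health-check traffic; a rule written for the NLB's private addresses alone shows up as failing health checks.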
-
Q75. A network engineer needs to design the architecture for a high performance computing (HPC) workload. Amazon EC2 instances will require 10 Gbps flows and an aggregate throughput of up to 100 Gbps across many instances with low-latency communication.
Which architecture solution will optimize this workload?
- A. Place nodes in a single subnet of a VPC. Configure a cluster placement group. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
- B. Place nodes in multiple subnets in a single VPC. Configure a spread placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.
- C. Place nodes in multiple VPCs. Use AWS Transit Gateway to route traffic between the VPCs. Ensure that the latest Elastic Fabric Adapter (EFA) drivers are installed on the EC2 instances with a supported operating system.
- D. Place nodes in multiple subnets in multiple Availability Zones. Configure a cluster placement group. Ensure that the EC2 instances support Elastic Network Adapters (ENAs) and that the drivers are updated on each instance operating system.
-
Q76. A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application.
A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups.
Which solution will meet these requirements?
- A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
- B. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
- C. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration. Configure AWS OpsWorks for Chef to remediate noncompliant security groups.
- D. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration. Create an AWS Systems Manager Automation runbook to remediate noncompliant security groups.
-
Q77. A company runs workloads in multiple VPCs. The company needs to securely access a workload in one of the VPCs, named VPC-A, from an on-premises data center. A network engineer sets up an AWS Site-to-Site VPN connection to a transit gateway. The network engineer configures dynamic routing for the connection, and communication works properly. Recently, the owner of VPC-A added another CIDR range to the VPC. The VPC-A owner created workloads that use the additional CIDR range. The company's on-premises network is unable to reach the new workloads. The network engineer needs to resolve the network connectivity issue and ensure that connectivity will not be affected if additional VPC CIDR ranges are added to the VPC in the future.
Which solution will meet these requirements with the MOST operational efficiency?
- A. Configure route propagation for VPC-A to the VPN attachment route table.
- B. Manually update the VPN attachment route table to include the new CIDR range.
- C. Configure an Amazon EventBridge rule to invoke an AWS Lambda function when the rule matches an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table.
- D. Configure an Amazon CloudWatch alarm to invoke an AWS Lambda function when there is an update to the VPC-A CIDR range. Configure the Lambda function to update the VPN attachment route table. Restart the VPN tunnels.
-
Q78. An online retail company is running a web application in the us-west-2 Region and serves consumers in the United States. The company plans to expand across several countries in Europe and wants to provide low latency for all its users. The application needs to identify the users' IP addresses and provide localized content based on the users' geographic location. The application uses HTTP GET and POST methods for its functionality. The company also needs to develop a failover mechanism that works for GET and POST methods and is based on health checks. The failover must occur in less than 1 minute for all clients.
Which solution will meet these requirements?
- A. Configure a Network Load Balancer (NLB) for the application in each environment in the new AWS Regions. Create an AWS Global Accelerator accelerator that has endpoint groups that point to the NLBs in each Region.
- B. Configure an Application Load Balancer (ALB) for the application in each environment in the new AWS Regions. Create an AWS Global Accelerator accelerator that has endpoint groups that point to the ALBs in each Region.
- C. Configure an Application Load Balancer (ALB) for the application in each environment in the new AWS Regions. Create Amazon Route 53 public hosted zones that have failover routing policies.
- D. Configure a Network Load Balancer (NLB) for the application in each environment in the new AWS Regions. Create an Amazon CloudFront distribution. Configure an origin group with origin failover options.
-
Q79. A company is developing an application in which IoT devices will report measurements to the AWS Cloud. The application will have millions of end users. The company observes that the IoT devices cannot support DNS resolution. The company needs to implement an Amazon EC2 Auto Scaling solution so that the IoT devices can connect to an application endpoint without using DNS.
Which solution will meet these requirements MOST cost-effectively?
- A. Use an Application Load Balancer (ALB)-type target group for a Network Load Balancer (NLB). Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the ALB. Set up the IoT devices to connect to the IP addresses of the NLB.
- B. Use an AWS Global Accelerator accelerator with an Application Load Balancer (ALB) endpoint. Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the ALB. Set up the IoT devices to connect to the IP addresses of the accelerator.
- C. Use a Network Load Balancer (NLB). Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the NLB. Set up the IoT devices to connect to the IP addresses of the NLB.
- D. Use an AWS Global Accelerator accelerator with a Network Load Balancer (NLB) endpoint. Create an EC2 Auto Scaling group. Attach the Auto Scaling group to the NLB. Set up the IoT devices to connect to the IP addresses of the accelerator.
-
Q80. A company is running its application servers on Amazon EC2 instances. The EC2 instances run in separate VPCs that are connected by a transit gateway. The EC2 instances launch in a private subnet with a route to the transit gateway for internal and external connectivity. The external connectivity is provided by a VPC with firewall devices that perform an inspection for packets that ingress and egress through an internet gateway.
A network engineer needs to help the company's application team increase the payload size per packet delivery between the EC2 instances. All network connectivity must be through the transit gateway.
What should the network engineer do to meet these requirements?
- A. Enable jumbo frames on the transit gateway. Instruct the application team to set the maximum transmission unit (MTU) of the system's network interfaces to 9001 bytes.
- B. Instruct the application team to set the maximum transmission unit (MTU) of the VPC to 8500 bytes.
- C. Instruct the application team to set up enhanced networking on the system by using the enhanced networking adapter. Set the maximum transmission unit (MTU) to 9001 bytes.
- D. Instruct the application team to set the maximum transmission unit (MTU) of the system's network interfaces to 8500 bytes.
-
Q81. A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads.
A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time.
How should the network engineer configure routing to meet these requirements?
- A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance. Add routes that are more specific to point to the primary SD-WAN virtual appliance.
- B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway.
- C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway.
- D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect.
-
Q82. A company has critical VPC workloads that connect to an on-premises data center through two redundant active-passive AWS Direct Connect connections. However, a recent outage on one Direct Connect connection revealed that it takes more than a minute for traffic to fail over to the secondary Direct Connect connection. The company wants to reduce the failover time from minutes to seconds.
Which solution will provide the LARGEST reduction in the BGP failover time?
- A. Reduce the BGP hold-down timer that is configured on the BGP sessions on the Direct Connect connection VIFs.
- B. Configure an Amazon CloudWatch alarm for the Direct Connect connection state to invoke an AWS Lambda function to fail over the traffic.
- C. Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect connections on the AWS side.
- D. Configure Bidirectional Forwarding Detection (BFD) on the Direct Connect connections on the on-premises router.
-
Q83. A company has users who work from home. The company wants to move these users to Amazon WorkSpaces for additional security visibility.
The company has deployed WorkSpaces in its own AWS account in VPC A. A network engineer decides to provide the security visibility by using two firewall appliances behind a Gateway Load Balancer (GWLB). The network engineer provisions another VPC, VPC B, in a separate account and deploys the two firewall appliances in separate Availability Zones.
What should the network engineer do to configure the network connectivity for this solution?
- A. Create a GWLB in VPC A with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.
- B. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the GWLB endpoint.
- C. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the WorkSpaces account to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the WorkSpaces subnet to the VPC endpoint.
- D. Create a GWLB in VPC B with the firewall appliance instances as targets. Use the GWLB to create a GWLB endpoint. Add the AWS principal ARN of the account that contains the firewall appliances to the principal allow list of the GWLB endpoint. In the WorkSpaces account, create a VPC endpoint and specify the service name that the AWS Management Console provides for the GWLB endpoint. Modify the route tables of VPC A to point the default route to the VPC endpoint.
-
Q84. A company's AWS architecture consists of several VPCs. The VPCs include a shared services VPC and several application VPCs. The company has established network connectivity from all VPCs to the on-premises DNS servers.
Applications that are deployed in the application VPCs must be able to resolve DNS for internally hosted domains on premises. The applications also must be able to resolve local VPC domain names and domains that are hosted in Amazon Route 53 private hosted zones.
What should a network engineer do to meet these requirements?
- A. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
- B. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.
- C. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC. Update each application VPC's DHCP configuration to point DNS resolution to the new Resolver endpoint.
- D. Create a new Route 53 Resolver inbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains. Associate the rules with the new Resolver endpoint and each application VPC.
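An added example, not from the page, of the outbound Resolver endpoint and forwarding rule in CloudFormation. Assumed: the shared services VPC, its two subnets and one application VPC are passed as parameters, the on-premises resolvers are `10.10.0.10` and `10.10.0.11` inside `10.10.0.0/16`, and the internal zone is `corp.example.internal`. The rule is associated with each application VPC; each VPC's DHCP option set is left pointing at the Amazon-provided resolver (the VPC's .2 address), which forwards only names matching the rule and continues to answer local VPC names and private hosted zones itself.

```yaml
# Added example (not from the page): Route 53 Resolver outbound endpoint in the
# shared services VPC, forwarding corp.example.internal to on-premises DNS.
# Assumed: SharedServicesVpcId, SharedSubnetA/B, App1VpcId, resolver IPs
# 10.10.0.10 and 10.10.0.11 inside 10.10.0.0/16.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  SharedServicesVpcId:
    Type: AWS::EC2::VPC::Id
  SharedSubnetA:
    Type: AWS::EC2::Subnet::Id
  SharedSubnetB:
    Type: AWS::EC2::Subnet::Id
  App1VpcId:
    Type: AWS::EC2::VPC::Id
Resources:
  OutboundEndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Egress DNS from Resolver to on-premises resolvers only
      VpcId: !Ref SharedServicesVpcId
      SecurityGroupEgress:
        - IpProtocol: udp
          FromPort: 53
          ToPort: 53
          CidrIp: 10.10.0.0/16
        - IpProtocol: tcp
          FromPort: 53
          ToPort: 53
          CidrIp: 10.10.0.0/16
  OutboundEndpoint:
    Type: AWS::Route53Resolver::ResolverEndpoint
    Properties:
      Name: shared-outbound
      Direction: OUTBOUND
      SecurityGroupIds:
        - !Ref OutboundEndpointSG
      IpAddresses:            # one ENI per subnet, two AZs for availability
        - SubnetId: !Ref SharedSubnetA
        - SubnetId: !Ref SharedSubnetB
  CorpForwardRule:
    Type: AWS::Route53Resolver::ResolverRule
    Properties:
      Name: corp-internal
      RuleType: FORWARD
      DomainName: corp.example.internal
      ResolverEndpointId: !Ref OutboundEndpoint
      TargetIps:
        - Ip: 10.10.0.10
          Port: '53'
        - Ip: 10.10.0.11
          Port: '53'
  # Repeat one association per application VPC; VPCs in other accounts need
  # the rule shared through AWS RAM before they can associate it.
  CorpRuleToApp1:
    Type: AWS::Route53Resolver::ResolverRuleAssociation
    Properties:
      ResolverRuleId: !Ref CorpForwardRule
      VPCId: !Ref App1VpcId
```

No DHCP change is needed: the Resolver ENIs in the shared services VPC do the forwarding on behalf of every associated VPC, and the security group pins the endpoint's egress to the on-premises resolver range only.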
-
Q85. A company uses the us-east-1 Region and the ap-south-1 Region for its business units (BUs). The BUs are named BU-1 and BU-2. For each BU, there are two VPCs in us-east-1 and one VPC in ap-south-1. Because of workload isolation requirements, resources can communicate within the same BU but cannot communicate with resources in the other BU. The company plans to add more BUs and plans to expand into more Regions.
Which solution will meet these requirements with the MOST operational efficiency?
- A. Configure an AWS Cloud WAN network that operates in the required Regions. Attach all BU VPCs to the AWS Cloud WAN core network. Update the AWS Cloud WAN segment actions to configure new routes to deny traffic between the different BU segments.
- B. Configure a transit gateway in each Region. Configure peering between the transit gateways. Attach the BU VPCs to the transit gateway in the corresponding Region. Configure the transit gateway and VPC route tables to isolate traffic between BU VPCs.
- C. Configure an AWS Cloud WAN network that operates in the required Regions. Attach all BU VPCs to the AWS Cloud WAN core network. Update the core network policy by setting the isolate-attachments parameter for each segment.
- D. Configure an AWS Cloud WAN network that operates in the required Regions. Create AWS Cloud WAN segments for each BU. Configure VPC attachments for each BU's VPCs to the corresponding BU segment.
-
Q86. A company has a highly available application that is hosted in multiple VPCs and in two on-premises data centers. All the VPCs reside in the same AWS Region. All the VPCs require access to each other and to the on-premises data centers for the transfer of files that are multiple gigabytes in size.
A network engineer is designing an AWS Direct Connect solution to connect the on-premises data centers to each VPC.
Which architecture will meet the company's requirements with the LEAST operational overhead?
- A. Configure a virtual private gateway and a private VIF in each VPC in the Region. Configure a Direct Connect gateway. Associate the VIF of every VPC with the Direct Connect gateway. Create a new private VIF that connects the Direct Connect gateway to each on-premises data center. Configure the new private VIF to exchange BGP routes with the on-premises data centers and to have an MTU of 9001. Use VPC peering between each VPC. Configure static routing in each VPC to provide inter-VPC routing.
- B. Configure a virtual private gateway and a private VIF in each VPC in the Region. Configure a Direct Connect gateway. Associate the VIF of every VPC with the Direct Connect gateway. Create a new private VIF that connects the Direct Connect gateway to each on-premises data center. Configure the new private VIF to exchange BGP routes with the on-premises data centers and to have an MTU of 8500. Use VPC peering between each VPC. Configure static routing in each VPC to provide inter-VPC routing.
- C. Configure a transit gateway in the same Region of each VPC. Attach each VPC to the transit gateway. Configure a Direct Connect gateway. Associate the Direct Connect gateway with the transit gateway. Associate a new transit VIF with each Direct Connect connection. Configure the new transit VIF to exchange BGP routes and to have an MTU of 9001. Configure route propagation between each VPC and the transit gateway.
- D. Configure a transit gateway in the same Region of each VPC. Attach each VPC to the transit gateway. Configure a Direct Connect gateway. Associate the Direct Connect gateway with the transit gateway. Associate a new transit VIF with each Direct Connect connection. Configure the new transit VIF to exchange BGP routes and to have an MTU of 8500. Configure route propagation between each VPC and the transit gateway.
-
Q87. A company needs to temporarily scale out capacity for an on-premises application and wants to deploy new servers on Amazon EC2 instances. A network engineer must design the networking solution for the connectivity and for the application on AWS.
The EC2 instances need to share data with the existing servers in the on-premises data center. The servers must not be accessible from the internet. All traffic to the internet must route through the firewall in the on-premises data center. The servers must be able to access a third-party web application.
Which configuration will meet these requirements?
- A. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a NAT gateway in a public subnet. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add a default route to the NAT gateway. Add routes for the data center subnets to the virtual private gateway. Deploy the application to the private subnets.
- B. Create a VPC that has private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the private subnets with the route table. Add a default route to the virtual private gateway. Deploy the application to the private subnets.
- C. Create a VPC that has public subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the public subnets.
- D. Create a VPC that has public subnets and private subnets. Create a customer gateway, a virtual private gateway, and an AWS Site-to-Site VPN connection. Create a route table, and associate the public subnets with the route table. Add a default route to the internet gateway. Create a route table, and associate the private subnets with the route table. Add routes for the on-premises data center subnets to the virtual private gateway. Deploy the application to the private subnets.
-
Q88. A company has agreed to collaborate with a partner for a research project. The company has multiple VPCs in the us-east-1 Region that use CIDR blocks within 10.10.0.0/16. The VPCs are connected by a transit gateway that is named TGW-C in us-east-1. TGW-C has an Autonomous System Number (ASN) configuration value of 64520. The partner has multiple VPCs in us-east-1 that use CIDR blocks within 172.16.0.0/16. The VPCs are connected by a transit gateway that is named TGW-P in us-east-1. TGW-P has an ASN configuration value of 64530. A network engineer needs to establish network connectivity between the company's VPCs and the partner's VPCs in us-east-1.
Which solution will meet these requirements with MINIMUM changes to both networks?
- A. Create a new VPC in a new account. Deploy a router from AWS Marketplace. Share TGW-C and TGW-P with the new account by using AWS Resource Access Manager (AWS RAM). Associate TGW-C and TGW-P with the new VPC. Configure the router in the new VPC to route between TGW-C and TGW-P.
- B. Create an IPsec VPN connection between TGW-C and TGW-P. Configure the routing between the transit gateways to use the IPsec VPN connection.
- C. Configure a cross-account transit gateway peering attachment between TGW-C and TGW-P. Configure the routing between the transit gateways to use the peering attachment.
- D. Share TGW-C with the partner account by using AWS Resource Access Manager (AWS RAM). Associate the partner VPCs with TGW-C. Configure routing in the partner VPCs and TGW-C.
-
Q89. A company is planning to use an AWS Transit Gateway hub and spoke architecture to migrate to AWS. The current on-premises Multiprotocol Label Switching (MPLS) network has strict controls that enforce network segmentation by using MPLS VPNs. The company has provisioned two 10 Gbps AWS Direct Connect connections to provide resilient, high-speed, low-latency connectivity to AWS. A security engineer needs to apply the concept of network segmentation to the AWS environment to ensure that virtual routing and forwarding (VRF) is logically separated for each of the company's software development environments. The number of MPLS VPNs will increase in the future. On-premises MPLS VPNs will have overlapping address space. The company's AWS network design must support overlapping address space for the VPNs.
Which solution will meet these requirements with the LEAST operational overhead?
- A. Deploy a software-defined WAN (SD-WAN) head-end virtual appliance and an SD-WAN controller into a Transit Gateway Connect VPC. Configure the company's edge routers to be managed by the new SD-WAN controller and to use SD-WAN to segment the traffic into the defined segments for each of the company's development environments.
- B. Configure IPsec VPNs on the company edge routers for each MPLS VPN for each of the company's development environments. Attach each IPsec VPN tunnel to a discrete MPLS VPN. Configure AWS Site-to-Site VPN connections that terminate at a transit gateway for each MPLS VPN. Configure a transit gateway route table that matches the MPLS VPN for each Transit Gateway VPN attachment.
- C. Create a transit VPC that terminates at the AWS Site-to-Site VRF-aware IPsec VPN. Configure IPsec VPN connections to each VPC for each of the company's development environment VRFs.
- D. Configure a Transit Gateway Connect attachment for each MPLS VPN between the company's edge routers and Transit Gateway. Configure a transit gateway route table that matches the MPLS VPN for each of the company's development environments.
-
Q90. A global company is establishing network connections between the company's primary and secondary data centers and a VPC. A network engineer needs to maximize resiliency and fault tolerance for the connections. The network bandwidth must be greater than 10 Gbps.
Which solution will meet these requirements MOST cost-effectively?
- A. Set up a 100 Gbps connection at the primary data center that terminates at an AWS Direct Connect location. Set up a second 100 Gbps connection at the secondary data center that terminates at a second Direct Connect location. Ensure the connections are managed by separate providers.
- B. Set up a 10 Gbps connection at the primary data center that terminates at an AWS Direct Connect location. Set up a second 10 Gbps connection at the secondary data center that terminates at a second Direct Connect location. Ensure the connections are managed by separate providers.
- C. Set up two 10 Gbps connections at the primary data center that terminate at one AWS Direct Connect location. Ensure the connections are managed by separate providers. Set up two 10 Gbps connections at the secondary data center that terminate at a second Direct Connect location. Ensure the connections are managed by separate providers.
- D. Set up a 10 Gbps connection at the primary data center that terminates at an AWS Direct Connect location. Set up an AWS Site-to-Site VPN connection at the secondary data center that terminates at a virtual private gateway in the same Region as the company’s VPC.
-
Q91. A network engineer needs to set up an Amazon EC2 Auto Scaling group to run a Linux-based network appliance in a highly available architecture.
The network engineer is configuring the new launch template for the Auto Scaling group.
In addition to the primary network interface, the network appliance requires a second network interface that will be used exclusively by the application to exchange traffic with hosts over the internet. The company has set up a Bring Your Own IP (BYOIP) pool that includes an Elastic IP address that should be used as the public IP address for the second network interface.
How can the network engineer implement the required architecture?
- A. Configure the two network interfaces in the launch template. Define the primary network interface to be created in one of the private subnets. For the second network interface, select one of the public subnets. Choose the BYOIP pool ID as the source of public IP addresses.
- B. Configure the primary network interface in a private subnet in the launch template. Use the user data option to run a cloud-init script after boot to attach the second network interface from a subnet with auto-assign public IP addressing enabled.
- C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching. In the Lambda function, assign a network interface to an AWS Global Accelerator endpoint.
- D. During creation of the Auto Scaling group, select subnets for the primary network interface. Use the user data option to run a cloud-init script to allocate a second network interface and to associate an Elastic IP address from the BYOIP pool.
-
Q92. An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional DNS resolution between AWS and the existing on-premises environments must be established. The workloads will be migrated into multiple VPCs. The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time.
Which solution meets these requirements?
- A. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
- B. Configure a public hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
- C. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 outbound endpoints.
- D. Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forward requests for the on-premises domains to the on-premises DNS resolver. Associate the Route 53 outbound rules with the application VPCs, and share the private hosted zones with the application accounts by using AWS Resource Access Manager. Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
-
Q93. A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud.
Which solution will meet these requirements while providing the HIGHEST throughput?
- A. Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN connection to the transit gateway as a VPN attachment.
- B. Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an EC2 instance that is running third-party VPN software.
- C. Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway.
- D. Configure a public VIF on the Direct Connect connection. Configure two AWS Site-to-Site VPN connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing.
-
Q94. A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group.
A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the network engineer when the change affects the connection.
Which solution will meet these requirements?
- A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for rejected traffic. Create an alarm to notify the network engineer.
- B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443. Publish the flow log records to a log group in Amazon CloudWatch Logs. Create a CloudWatch Logs metric filter for the log group for all traffic. Create an alarm to notify the network engineer.
- C. Create a VPC Reachability Analyzer path on port 443. Specify the security group as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
- D. Create a VPC Reachability Analyzer path on port 443. Specify the internet gateway of the VPC as the source. Specify the EC2 instances as the destination. Create an Amazon Simple Notification Service (Amazon SNS) topic to notify the network engineer when a change to the security group affects the connection. Create an AWS Lambda function to start Reachability Analyzer and to publish a message to the SNS topic in case the analyses fail. Create an Amazon EventBridge (Amazon CloudWatch Events) rule to invoke the Lambda function when a change to the security group occurs.
-
Q95. A banking company has an application that must connect to specific public IP addresses from a VPC. A network engineer has configured routes in the route table that is associated with the application’s subnet to the required public IP addresses through an internet gateway. The network engineer needs to set up email notifications that will alert the network engineer when a user adds a default route to the application subnet's route table with the internet gateway as a target.
Which solution will meet these requirements with the LEAST implementation effort?
- A. Create an AWS Lambda function that reads the routes in the route table and sends an email notification. Configure the Lambda function to send an email notification if any route is configured with 0.0.0.0/0 or ::/0 CIDRs to the internet gateway. Configure the Lambda function to run every minute.
- B. Create an AWS Lambda function that will be invoked by an Amazon EC2 CreateRoute API call. Configure the Lambda function to send an email notification. Configure the Lambda function to send an email notification if any route is configured with 0.0.0.0/0 or ::/0 CIDRs to the internet gateway.
- C. Create AWS Config rules for the route table by using the internet-gateway-authorized-vpc-only managed rule. Create an Amazon EventBridge rule to match the AWS Config rule and to route to an Amazon Simple Notification Service (Amazon SNS) topic to send an email notification.
- D. Create an AWS Config rule for the route table by using the no-unrestricted-route-to-igw managed rule. Create an Amazon EventBridge rule to match the AWS Config rule and to route to an Amazon Simple Notification Service (Amazon SNS) topic to send an email notification.
-
Q96. A company has AWS accounts in an organization in AWS Organizations. The company has implemented Amazon VPC IP Address Manager (IPAM) in its networking AWS account. The company is using AWS Resource Access Manager (AWS RAM) to share IPAM pools with other AWS accounts. The company has created a top-level pool with a CIDR block of 10.0.0.0/8. For each AWS account, the company has created an IPAM pool within the top-level pool. A network engineer needs to implement a solution to ensure that users in each AWS account cannot create new VPCs. The solution also must prevent users from associating a CIDR block with existing VPCs unless the CIDR block is from the IPAM pool for that account.
Which solution will meet these requirements?
- A. Create a new AWS Config rule to find all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke an AWS Lambda function to delete these VPCs.
- B. Create a new SCP in Organizations. Add a condition that denies the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions if the Ipv4IpamPoolId context key value is not the ID of an IPAM pool.
- C. Create an AWS Lambda function to check for and delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool. Invoke the Lambda function at regular intervals.
- D. Create an Amazon EventBridge rule to check for AWS CloudTrail events for the CreateVpc and AssociateVpcCidrBlock Amazon EC2 actions. Use the rule to invoke an AWS Lambda function to delete all VPCs that are not configured to allocate their CIDR block from an IPAM pool.
-
Q97. A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east-west (VPC-to-VPC) traffic.
Users report that inter-VPC traffic to different Availability Zones is dropping. A network engineer verified this claim by issuing Internet Control Message Protocol (ICMP) pings between workloads in different Availability Zones across the application VPCs. The network engineer has ruled out security groups, stateful device configurations, and network ACLs as the cause of the dropped traffic.
What is causing the traffic to drop?
- A. The stateful appliances and the transit gateway attachments are deployed in a separate subnet in the shared services VPC.
- B. Appliance mode is not enabled on the transit gateway attachment to the shared services VPC.
- C. The stateful appliances and the transit gateway attachments are deployed in the same subnet in the shared services VPC.
- D. Appliance mode is not enabled on the transit gateway attachment to the application VPCs.
-
Q98. A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?
- A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.
- B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
- C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.
- D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.
-
Q99. A global company operates all its non-production environments out of three AWS Regions: eu-west-1, us-east-1, and us-west-1. The company hosts all its production workloads in two on-premises data centers. The company has 60 AWS accounts and each account has two VPCs in each Region. Each VPC has a virtual private gateway where two VPN connections terminate for resilient connectivity to the data centers. The company has 360 VPN tunnels to each data center, resulting in high management overhead. The total VPN throughput for each Region is 500 Mbps. The company wants to migrate the production environments to AWS. The company needs a solution that will simplify the network architecture and allow for future growth. The production environments will generate an additional 2 Gbps of traffic per Region back to the data centers. This traffic will increase over time.
Which solution will meet these requirements?
- A. Set up an AWS Direct Connect connection from each data center to AWS in each Region. Create and attach private VIFs to a single Direct Connect gateway. Attach the Direct Connect gateway to all the VPCs. Remove the existing VPN connections that are attached directly to the virtual private gateways.
- B. Create a single transit gateway with VPN connections from each data center. Share the transit gateway with each account by using AWS Resource Access Manager (AWS RAM). Attach the transit gateway to each VPC. Remove the existing VPN connections that are attached directly to the virtual private gateways.
- C. Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data center. Share the transit gateways with each account by using AWS Resource Access Manager (AWS RAM). In each Region, attach the transit gateway to each VPC. Remove the existing VPN connections that are attached directly to the virtual private gateways.
- D. Peer all the VPCs in each Region to a new VPC in each Region that will function as a centralized transit VPC. Create new VPN connections from each data center to the transit VPCs. Terminate the original VPN connections that are attached to all the original VPCs. Retain the new VPN connection to the new transit VPC in each Region.
-
Q100. A company has two business units (BUs). The company operates in the us-east-1 Region and the us-west-1 Region. The company plans to extend to more Regions in the future. Each BU has a VPC in each Region. Each Region has a transit gateway with the BU VPCs attached. The transit gateways in both Regions are peered. The company will create several more BUs in the future and will need to isolate some of the BUs from the other BUs. The company wants to migrate to an architecture to incorporate more Regions and BUs.
Which solution will meet these requirements with the MOST operational efficiency?
- A. Create a new transit gateway for each new BU in each Region. Peer the new transit gateways with the existing transit gateways. Update the route tables to control traffic between BUs.
- B. Create an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Use segment actions to control traffic between segments.
- C. Create an AWS Cloud WAN core network with an edge location in both Regions. Configure a segment for each BU with VPC attachments to the new BU VPCs. Configure the segments to isolate attachments to control traffic between segments.
- D. Attach new VPCs to the existing transit gateways. Update route tables to control traffic between BUs.