Question 1

You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?
A) CloudWatch Logs at the VPC level
B) Packet sniffing at the instance level
C) VPC flow logs at the subnet level
D) Packet sniffing at the VPC level

Accepted Answer

The answer of You have multiple Amazon Elastic Compute Cloud...

Question 2

Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2) and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement changes. Which combination of three services provides an alert for changes made outside of AWS CloudFormation? (Choose three.)
A) AWS Config
B) AWS Simple Notification Service
C) AWS CloudWatch metrics
D) AWS Lambda
E) AWS CloudFormation
F) AWS Identify and Access Management

Accepted Answer

The answer of Your organization requires strict adherence to a...

Question 3

An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6 CIDR associations. Auto Scaling is properly configured, and no Elastic Load Balancing is used. Customers say the service is unavailable during peak load times. The network engineer attempts to launch an instance manually and receives the following message: "There are not enough free addresses in subnet 'subnet-12345678' to satisfy the requested number of instances." What action will resolve the availability problem?
A) Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
B) Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
C) Resize the IPv6 CIDR on each of the existing subnets. Modify the Auto Scaling group maximum number of instances.
D) Add a secondary IPv4 CIDR to the Amazon VPC. Assign secondary IPv4 address space to each of the existing subnets.

Accepted Answer

The answer of An organization launched an IPv6-only web portal...

Question 4

You operate a production VPC with both a public and a private subnet. Your organization maintains a restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the private subnet should access the bucket. You implement VPC endpoints(VPC-E) for Amazon S3 and remove the NAT that previously provided a network path to Amazon S3. The default VPC-E policy is applied. Neither EC2 instances in the public or private subnets are able to access the S3 bucket. What should you do to enable Amazon S3 access from EC2 instances in the private subnet?
A) Add the CIDR address range of the private subnet to the S3 bucket policy.
B) Add the VPC-E identified to the S3 bucket policy.
C) Add the VPC identifier for the production VPC to the S3 bucket policy.
D) Add the VPC-E identifier for the production VPC to endpoint policy.

Accepted Answer

The answer of You operate a production VPC with both...

Question 5

A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application's origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?
A) Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
B) Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin's Application Load Balancer to accept only traffic that contains that header.
C) Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.
D) Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.

Accepted Answer

The answer of A Network Engineer is designing a new...

Question 6

You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway. The instance has a security group configured to allow as follows: Protocol: TCP Port: 80 inbound, nothing outbound The Network ACL for the subnet is configured to allow as follows: When you try to browse to the web server, you receive no response. Which additional step should you take to receive a successful response?
A) Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
B) Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
C) Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
D) Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535

Accepted Answer

The answer of You deploy an Amazon EC2 instance that...

Question 7

You have a global corporate network with 153 individual IP prefixes in your internal routing table. You establish a private virtual interface over AWS Direct Connect to a VPC that has an Internet gateway (IGW). All instances in the VPC must be able to route to the Internet via an IGW and route to the global corporate network via the VGW. How should you configure your on-premises BGP peer to meet these requirements?
A) Configure AS-Prepending on your BGP session
B) Summarize your prefix announcement to less than 100
C) Announce a default route to the VPC over the BGP session
D) Enable route propagation on the VPC route table

Accepted Answer

The answer of You have a global corporate network with...

Question 8

You deploy your Internet-facing application is the us-west-2(Oregon) region. To manage this application and upload content from your corporate network, you have a 1-Gbps AWS Direct Connect connection with a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the corporate network. You need to deploy another identical instance of the application is us-east-1(N Virginia) as soon as possible. You need to use the benefits of Direct Connect. Your design must be the most effective solution regarding cost, performance, and time to deploy. Which design should you choose?
A) Use the inter-region capabilities of Direct Connect to establish a private virtual interface from us-west-2 Direct Connect location to the new VPC in us-east-1.
B) Deploy an IPsec VPN over your corporate Internet connection to us-east-1 to provide access to the new VPC.
C) Use the inter-region capabilities of Direct Connect to deploy an IPsec VPN over a public virtual interface to the new VPC in us-east-1.
D) Use VPC peering to connect the existing VPC in us-west-2 to the new VPC in us-east-1, and then route traffic over Direct Connect and transit the peering connection.

Accepted Answer

Using the inter-region capabilities of Direct Connect to establish a private virtual interface from us-west-2 to us-east-1 is the most effective solution in terms of cost, performance, and time to deploy. It leverages the existing Direct Connect setup and provides a high-performance, low-latency connection between regions without the need for additional infrastructure or complex configurations.

Question 9

You are building an application that provides real-time audio and video services to customers on the Internet. The application requires high throughput. To ensure proper audio and video transmission, minimal latency is required. Which of the following will improve transmission quality?
A) Enable enhanced networking
B) Select G2 instance types
C) Enable jumbo frames
D) Use multiple elastic network interfaces

Accepted Answer

The answer of You are building an application that provides...

Question 10

Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?
A) Inbound; Protocol tcp; Source [Instance's EIP]; Destination 169.254.169.254
B) Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
C) Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
D) Outbound; Protocol tcp; Destination 169 .254.169.254; Destination port 443

Accepted Answer

The instance metadata service is accessed via HTTP, which uses TCP port 80. Therefore, an outbound rule allowing TCP traffic to the IP address 169.254.169.254 on port 80 is needed.

Question 11

Your company operates a single AWS account. A common services VPC is deployed to provide shared services, such as network scanning and compliance tools. Each AWS workload uses its own VPC, and each VPC must peer with the common services VPC. You must choose the most efficient and cost effective approach. Which approach should be used to automate the required VPC peering?
A) AWS CloudTrail integration with Amazon CloudWatch Logs to trigger a Lambda function.
B) An OpsWorks Chef recipe to execute a command-line peering request.
C) Cfn-init with AWS CloudFormation to execute a command-line peering request.
D) An AWS CloudFormation template that includes a peering request.

Accepted Answer

The answer of Your company operates a single AWS account....

Question 12

A network engineer is managing two AWS Direct Connect connections. Each connection has a public virtual interface configured with a private ASN. The engineer wants to configure active/passive routing between the Direct Connect connections to access Amazon public endpoints. What BGP configuration is required for the on-premises equipment? (Choose two.)
A) Use Local Pref to control outbound traffic.
B) Use AS Prepending to control inbound traffic.
C) Use eBGP multi-hop between loopback interfaces.
D) Use BGP Communities to control outbound traffic.
E) Advertise more specific prefixes over one Direct Connect connection.

Accepted Answer

The answer of A network engineer is managing two AWS...

Question 13

An organization will be extending its existing on-premises infrastructure into the cloud. The design consists of a transit VPC that contains stateful firewalls that will be deployed in a highly available configuration across two Availability Zones for automatic failover. What MUST be configured for this design to work? (Choose two.)
A) A different Autonomous System Number (ASN) for each firewall.
B) Border Gateway Protocol (BGP) routing
C) Autonomous system (AS) path prepending
D) Static routing
E) Equal-cost multi-path routing (ECMP)

Accepted Answer

BGP routing and ECMP are required for automatic failover of stateful firewalls across Availability Zones in a transit VPC.

Question 14

Your organization has a newly installed 1-Gbps AWS Direct Connect connection. You order the cross-connect from the Direct Connect location provider to the port on your router in the same facility. To enable the use of your first virtual interface, your router must be configured appropriately. What are the minimum requirements for your router?
A) 1-Gbps Multi Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
B) 1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
C) IPsec Parameters, Pre-Shared key, Peer IP Address, BGP Session with MD5
D) BGP Session with MD5, 802.1Q VLAN, Route-Map, Prefix List, IPsec encrypted GRE Tunnel

Accepted Answer

1-Gbps Single Mode Fiber Interface is required for AWS Direct Connect connections.

Question 15

The Payment Card Industry Data Security Standard (PCI DSS) merchants that handle credit card data must use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks. You are migrating your PCI DSS application from on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront. How should you configure CloudFront to meet this requirement?
A) Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin's Protocol Policy to 'Match Viewer'.
B) Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.
C) Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.
D) Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward request to the origin via the Amazon private network.

Accepted Answer

The answer of The Payment Card Industry Data Security Standard...

Question 16

Your company maintains an Amazon Route 53 private hosted zone. DNS resolution is restricted to a single, pre-existing VPC. For a new application deployment, you create an additional VPC in the same AWS account. Both this new VPC and your on-premises DNS infrastructure must resolve records in the existing private hosted zone. Which two activities are required to enable DNS resolution both within the new VPC and from the on-premises infrastructure? (Choose two.)
A) Update the DHCP options set for the new VPC with the Route 53 nameserver IP addresses.
B) Update the Route 53 private hosted zone's VPC associations to include the new VPC.
C) Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies as forwarders in the on-premises DNS.
D) Update the on-premises DNS to include forwarders to the Route 53 nameserver IP addresses.
E) Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies in the DHCP options set.

Accepted Answer

The answer of Your company maintains an Amazon Route 53...

Question 17

You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection. Which two configuration values do you need to provide? (Choose two.)
A) Public AS number
B) VLAN ID
C) IP prefixes to advertise
D) Direct Connect location
E) Virtual private gateway

Accepted Answer

The answer of You are configuring a virtual interface for...

Question 18

A company is about to migrate an application from its on-premises data center to AWS. As part of the planning process, the following requirements involving DNS have been identified. On-premises systems must be able to resolve the entries in an Amazon Route 53 private hosted zone. Amazon EC2 instances running in the organization's VPC must be able to resolve the DNS names of on-premises systems The organization's VPC uses the CIDR block 172.16.0.0/16. Assuming that there is no DNS namespace overlap, how can these requirements be met?
A) Change the DHCP options set for the VPC to use both the Amazon-provided DNS server and the on-premises DNS systems. Configure the on-premises DNS systems with a stub-zone, delegating the name server 172.16.0.2 as authoritative for the Route 53 private hosted zone.
B) Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and forward all other queries to 172.16.0.2. Change the DHCP options set for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone, delegating the name server 172.16.0.2 as authoritative for the Route 53 private hosted zone.
C) Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and forward all other queries to the Amazon-provided DNS server (172.16.0.2). Change the DHCP options set for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone, delegating the proxies as authoritative for the Route 53 private hosted zone.
D) Change the DHCP options set for the VPC to use both the on-premises DNS systems. Configure the on-premises DNS systems with a stub-zone, delegating the Route 53 private hosted zone's name servers as authoritative for the Route 53 private hosted zone.

Accepted Answer

This option correctly sets up DNS proxies in the VPC to forward queries to the appropriate DNS systems, ensuring that both on-premises and AWS DNS names can be resolved. The proxies forward on-premises queries to on-premises DNS and other queries to the Amazon-provided DNS server, while the on-premises DNS is configured to delegate the Route 53 private hosted zone to the proxies.

Question 19

A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connectors. You con?gure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down. What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available ?
A) Attach the virtual private gateway to a VPC and enable route propagation.
B) Filter the public IP pre?xes on the corporate network from the private virtual interface.
C) Change the BGP advertisements from the corporate network to only be a default route.
D) Attach the second virtual interface to an alternative virtual private gateway.

Accepted Answer

The answer of A corporate network routing table contains 624...

Question 20

A department in your company has created a new account that is not part of the organization's consolidated billing family. The department has also created a VPC for its workload. Access is restricted by network access control lists to the department's on-premises private IP allocation. An AWS Direct Connect private virtual interface for this VPC advertises a default route to the company network. When the department downloads data from an Amazon Elastic Compute Cloud(EC2) instance in its new VPC, what are the associated charges?
A) The company pays Internet Data Out charges.
B) The company pays AWS Direct Connect Data Out charges.
C) The department pays Internet Data Out charges.
D) The department pays AWS Direct Connect Data Out charges.

Accepted Answer

The department pays AWS Direct Connect Data Out charges because the data is being transferred from AWS to the on-premises network via Direct Connect.

Exam 1: AWS Certified Advanced Networking - Specialty (ANS-C00)

You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?

You are building an application that provides real-time audio and video services to customers on the Internet. The application requires high throughput. To ensure proper audio and video transmission, minimal latency is required. Which of the following will improve transmission quality?

You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection. Which two configuration values do you need to provide? (Choose two.)