ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 02
-
An organization runs a consumer-facing website on AWS. The Amazon EC2-based web fleet is load balanced using the AWS Application Load Balancer; Amazon Route 53 is used to provide the public DNS services.
The following URLs need to serve content to end users:
test.example.com
web.example.com
example.com
Based on this information, what combination of services must be used to meet the requirement? (Choose two.)
- Path condition in ALB listener to route example.com to appropriate target groups.
- Host condition in ALB listener to route *.example.com to appropriate target groups.
- Host condition in ALB listener to route example.com to appropriate target groups.
- Path condition in ALB listener to route *.example.com to appropriate target groups.
- Host condition in ALB listener to route $$$$.example.com to appropriate target groups.
-
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location.
Which solution will meet this requirement, while minimizing downtime and costs?
- Deploy a third-party vendor solution to perform deep packet inspection in a transit VPC.
- Enable VPC Flow Logs on each VPC. Set up a stream of the flow logs to a central Amazon Elasticsearch cluster.
- Enable Amazon Macie on each AWS account and configure central reporting.
- Enable Amazon GuardDuty on each account as members of a central account.
-
An organization delivers high-resolution, dynamic web content. Internet users access the content from a variety of platforms, including mobile, tablet and desktop. Each platform receives a customized experience to account for the differences in viewing modes. A dedicated, automatic-scaling fleet of Amazon EC2 instances is used for each platform to serve content based on path-based headers.
Which combination of services will MINIMIZE cost and MAXIMIZE performance? (Choose two.)
- Amazon CloudFront with Lambda@Edge
- Network Load Balancer
- Amazon S3 static websites
- Amazon Route 53 with traffic flow policies
- Application Load Balancer
-
A company needs to set up a VPN between AWS VPC and its on-premises network. A team creates a VPN connection in the AWS Management Console, downloads the configuration file, and installs it on the on-premises router. The tunnel is not coming up because of firewall restrictions on the router. Which two network traffic options should you allow through the firewall? (Choose two.)
- UDP port 500
- IP protocol 50
- IP protocol 5
- TCP port 50
- TCP port 500
-
You have been asked to monitor traffic flows on your Amazon EC2 instance. You will be performing deep packet inspection, looking for atypical patterns.
Which tool will enable you to look at this data?
- Wireshark
- VPC Flow Logs
- AWS CLI
- CloudWatch Logs
-
You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK
Why are ICMP responses not received by the on-premises system?
- The inbound network access control list is blocking the traffic
- The outbound network access control list is blocking the traffic
- The inbound security group is blocking the traffic.
- The outbound security group is blocking the traffic.
Explanation:
An ACCEPT record for the originating ping that was allowed by both the network ACL and the security group, and therefore was allowed to reach your instance.
A REJECT record for the response ping that the network ACL denied.
If your network ACL permits outbound ICMP traffic, the flow log displays two ACCEPT records (one for the originating ping and one for the response ping). If your security group denies inbound ICMP traffic, the flow log displays a single REJECT record, because the traffic was not permitted to reach your instance.
-
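The flow-log reasoning in the explanation above, as an added example that is not part of the original question bank: it parses the three records quoted in the question (default v2 field layout) and reports which filter layer can plausibly have dropped the ping replies, using the fact that security groups are stateful and network ACLs are not. The instance private IP 172.11.22.33 is taken from the records.

```python
"""Classify VPC Flow Log records and explain an ICMP reply REJECT.

Default flow log v2 field order:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""

FIELDS = ("version", "account", "eni", "src", "dst", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status")

# The three records quoted in the question; the instance's private IP is 172.11.22.33.
RECORDS = """\
2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK
2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK
"""


def parse(text):
    """Turn whitespace-separated flow log lines into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip NODATA/SKIPDATA or otherwise malformed lines
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def diagnose(rows, instance_ip):
    """Return the filter layer that most plausibly dropped ICMP for instance_ip.

    Security groups are stateful: a reply to an ACCEPTed inbound ping is never
    blocked by them. Network ACLs are stateless, so an outbound REJECT for reply
    traffic whose request was ACCEPTed inbound points at the NACL egress rules.
    """
    icmp = [r for r in rows if r["protocol"] == "1"]
    inbound_ok = any(r["dst"] == instance_ip and r["action"] == "ACCEPT" for r in icmp)
    inbound_rejected = any(r["dst"] == instance_ip and r["action"] == "REJECT" for r in icmp)
    outbound_rejected = any(r["src"] == instance_ip and r["action"] == "REJECT" for r in icmp)
    if inbound_ok and outbound_rejected:
        return "outbound network ACL"
    if not inbound_ok and inbound_rejected:
        return "inbound security group or inbound network ACL"
    return "no ICMP drop observed"


if __name__ == "__main__":
    print(diagnose(parse(RECORDS), "172.11.22.33"))
```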
You are moving a two-tier application into an Amazon VPC. An Elastic Load Balancing (ELB) load balancer is configured in front of the application tier. The application tier is driven through RESTful interfaces. The data tier uses relational database service (RDS) MySQL. Company policy requires end-to-end encryption of all data in transit.
What ELB configuration complies with the corporate encryption policy?
- Configure the ELB load balancer protocol as HTTP. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.
- Configure the ELB protocols in TCP mode. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.
- Configure the ELB load balancer protocol as HTTPS. Offload application instance encryption to the load balancer. Install your SSL certificate on Amazon RDS, and configure SSL.
- Configure the ELB protocols in SSL mode. Offload application instance encryption to the load balancer. Install your SSL/TLS certificate on Amazon RDS, and configure SSL.
-
Your application is hosted behind an Elastic Load Balancer (ELB) within an autoscaling group. The autoscaling group is configured with a minimum of 2, a maximum of 14, and a desired value of 2. The autoscaling cooldown and the termination policies are set to the default value.
CloudWatch reports that the site typically requires just two servers, but spikes at the start and end of the business day can require eight to ten servers. You receive intermittent reports of timeouts and partially loaded web pages.
Which configuration change should you make to address this issue?
- Configure connection draining on the ELB.
- Configure the autoscaling cooldown to 600 seconds.
- Configure the termination policy to oldest instance.
- Configure a Terminating:Wait lifecycle hook on a scale-in event.
-
You are designing an AWS Direct Connect solution into your VPC. You need to consider requirements for the customer router to terminate the Direct Connect link at the Direct Connect location.
Which three factors that must be supported should you consider when choosing the customer router? (Choose three.)
- 802.1Q VLAN encapsulation
- 802.1ax or 802.3ad link aggregation
- OSPF
- BGP
- single-mode optical fiber connectivity
- 1-Gbps copper connectivity
-
Your company uses an NTP server to synchronize time across systems. The company runs multiple versions of Linux and Windows systems. You discover that the NTP server has failed, and you need to add an alternate NTP server to your instances.
Where should you apply the NTP server update to propagate information without rebooting your running instances?
- DHCP Options Set
- instance user-data
- cfn-init scripts
- instance meta-data
-
Your company has set up AWS Direct Connect to connect on-premises to an Amazon VPC. Two Direct Connect connections terminate at two different Direct Connect locations. You are using two routers, R1 and R2, at your end (one for each Direct Connect connection). R1 and R2 do NOT have connectivity between them. Both routers advertise the same routes over BGP to the VGW. You have a stateful firewall on each router. The routers drop some of the traffic coming from the VPC.
Which two actions should you take to fix this problem? (Choose two.)
- Use BGP AS prepend attribute to prepend additional AS numbers while advertising routes from R1 to VGW.
- Use BGP local preference attribute to assign R1 to a lower local preference number than R2.
- Use BGP local preference attribute to assign R1 a higher local preference number than R2.
- Use BGP MED attribute to assign a higher MED value to the routes advertised from R1 to VGW.
- Use BGP MED attribute to assign a higher MED value to the routes advertised from R2 to VGW.
-
An organization will be expanding its current network design. When fully built out, there will be 99 VPCs spread across 11 AWS accounts (9 VPCs per account). There is currently an AWS Direct Connect connection into one account with 9 VPCs, each with a virtual network interface (VIF) per VPC.
Which of the following designs will minimize cost while allowing the organization to expand?
- Order 10 new Direct Connect connections, one from each of the accounts that will be provisioned. Create private VIFs in each account. Attach one private VIF per VPC.
- Create a public VIF on the Direct Connect connection. Leverage the public VIF to create a VPN connection to each VPC.
- Create hosted private VIFs in the existing account. Connect a private VIF to an AWS Direct Connect gateway in each account. Connect the gateway in each account to the VPCs.
- Create a transit VPC in the existing account that consists of two routers in separate Availability Zones. Connect each VPC to the two routers in the transit VPC by using VPN.
-
An organization with a growing ecommerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?
- Use multiple CloudHSM instances, and load balance them using a Network Load Balancer.
- Use multiple CloudHSM instances in the cluster; requests to it will automatically be load balanced.
- Enable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.
- Use multiple CloudHSM instances, and load balance them using an Application Load Balancer.
-
A company has 225 mobile and desktop devices and 300 partner VPNs that need access to an AWS VPC. VPN users should not be able to reach one another. Which approach will meet the technical and security requirements while minimizing costs?
- Use the AWS IPsec VPN for the mobile, desktop, and partner VPN connections. Use network access control lists (Network ACLs) and security groups to maintain routing separation.
- Use the AWS IPsec VPN for the partner VPN connections. Use an Amazon EC2 instance VPN for the mobile and desktop devices. Use Network ACLs and security groups to maintain routing separation.
- Create an AWS Direct Connect connection between on-premises and AWS. Use a public virtual interface to connect to the AWS IPsec VPN for the mobile, desktop, and partner VPN connections.
- Use an Amazon EC2 instance VPN for the desktop, mobile, and partner VPN connections. Use features of the VPN instance to limit routing and connectivity.
-
Your company needs to leverage Amazon Simple Storage Service (S3) for backup and archiving. According to company policy, data should not flow on the public Internet even if data is encrypted. You have set up two S3 buckets in us-east-1 and us-west-2. Your company data center is located on the West Coast of the United States. The design must be cost-effective and enable minimal latency.
Which design should you set up?
- An AWS Direct Connect connection to us-east-1 and a Direct Connect connection to us-west-2.
- An AWS Direct Connect connection to us-east-1.
- An AWS Direct Connect connection to us-west-2.
- An AWS Direct Connect connection to us-west-2 and a VPN connection to us-east-1.
-
Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load Balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses.
Which step should you take to fix this problem?
- Generate new SSL certificates for all web servers and replace current certificates.
- Change the security policy on the ELB to disable vulnerable protocols and ciphers.
- Generate new SSL certificates and use ELB to front-end the encrypted traffic for all web servers.
- Leverage your current configuration management system to update SSL policy on all web servers.
-
Your organization leverages an IP Address Management (IPAM) product to manage IP address distribution. The IPAM exposes an API. Development teams use CloudFormation to provision approved reference architectures. At deployment time, IP addresses must be allocated to the VPC. When the VPC is deleted, the IPAM must reclaim the VPC’s IP allocation.
Which method allows for efficient, automated integration of the IPAM with CloudFormation?
- AWS CloudFormation parameters using the “Ref::” intrinsic function
- AWS CloudFormation custom resource using an AWS Lambda invocation.
- CloudFormation::OpsWorks::Stack with custom Chef configuration.
- AWS CloudFormation parameters using the “Fn::FindInMap” intrinsic function.
-
You need to set up an Amazon Elastic Compute Cloud (EC2) instance for an application that requires the lowest latency and the highest packet-per-second network performance. The application will talk to other servers in a peered VPC.
Which two of the following components should be part of the design? (Choose two.)
- Select an instance with support for single root I/O virtualization.
- Select an instance that has support for multiple ENAs.
- Ensure that the instance supports jumbo frames and set 9001 MTU.
- Select an instance with Amazon Elastic Block Store (EBS)-optimization.
- Ensure that proper OS drivers are installed.
-
You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection. Which two configuration values do you need to provide? (Choose two.)
- Public AS number
- VLAN ID
- IP prefixes to advertise
- Direct Connect location
- Virtual private gateway
-
A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connections. You configure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down.
What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available?
- Attach the virtual private gateway to a VPC and enable route propagation.
- Filter the public IP prefixes on the corporate network from the private virtual interface.
- Change the BGP advertisements from the corporate network to only be a default route.
- Attach the second virtual interface to an alternative virtual private gateway.