ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 03
-
Your company maintains an Amazon Route 53 private hosted zone. DNS resolution is restricted to a single, pre-existing VPC. For a new application deployment, you create an additional VPC in the same AWS account. Both this new VPC and your on-premises DNS infrastructure must resolve records in the existing private hosted zone.
Which two activities are required to enable DNS resolution both within the new VPC and from the on-premises infrastructure? (Choose two.)
- Update the DHCP options set for the new VPC with the Route 53 nameserver IP addresses.
- Update the Route 53 private hosted zone’s VPC associations to include the new VPC.
- Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies as forwarders in the on-premises DNS.
- Update the on-premises DNS to include forwarders to the Route 53 nameserver IP addresses.
- Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies in the DHCP options set.
-
A department in your company has created a new account that is not part of the organization’s consolidated billing family. The department has also created a VPC for its workload. Access is restricted by network access control lists to the department’s on-premises private IP allocation. An AWS Direct Connect private virtual interface for this VPC advertises a default route to the company network. When the department downloads data from an Amazon EC2 instance in its new VPC, what are the associated charges?
- The company pays Internet Data Out charges.
- The company pays AWS Direct Connect Data Out charges.
- The department pays Internet Data Out charges.
- The department pays AWS Direct Connect Data Out charges.
-
An organization will be extending its existing on-premises infrastructure into the cloud. The design consists of a transit VPC that contains stateful firewalls that will be deployed in a highly available configuration across two Availability Zones for automatic failover.
What MUST be configured for this design to work? (Choose two.)
- A different Autonomous System Number (ASN) for each firewall
- Border Gateway Protocol (BGP) routing
- Autonomous system (AS) path prepending
- Static routing
- Equal-cost multi-path routing (ECMP)
-
A company is about to migrate an application from its on-premises data center to AWS. As part of the planning process, the following requirements involving DNS have been identified.
– On-premises systems must be able to resolve the entries in an Amazon Route 53 private hosted zone.
– Amazon EC2 instances running in the organization’s VPC must be able to resolve the DNS names of on-premises systems.
The organization’s VPC uses the CIDR block 172.16.0.0/16.
Assuming that there is no DNS namespace overlap, how can these requirements be met?
- Change the DHCP options set for the VPC to use both the Amazon-provided DNS server and the on-premises DNS systems. Configure the on-premises DNS systems with a stub-zone, delegating the name server 172.16.0.2 as authoritative for the Route 53 private hosted zone.
- Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and forward all other queries to 172.16.0.2. Change the DHCP options set for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone, delegating the name server 172.16.0.2 as authoritative for the Route 53 private hosted zone.
- Deploy and configure a set of EC2 instances into the company VPC to act as DNS proxies. Configure the proxies to forward queries for the on-premises domain to the on-premises DNS systems, and forward all other queries to the Amazon-provided DNS server (172.16.0.2). Change the DHCP options set for the VPC to use the new DNS proxies. Configure the on-premises DNS systems with a stub-zone, delegating the proxies as authoritative for the Route 53 private hosted zone.
- Change the DHCP options set for the VPC to use both the on-premises DNS systems. Configure the on-premises DNS systems with a stub-zone, delegating the Route 53 private hosted zone’s name servers as authoritative for the Route 53 private hosted zone.
-
The Web Application Development team is worried about malicious activity from 200 random IP addresses. Which action will ensure security and scalability from this type of threat?
- Use inbound security group rules to block the IP addresses.
- Use inbound network ACL rules to block the IP addresses.
- Use AWS WAF to block the IP addresses.
- Write iptables rules on the instance to block the IP addresses.
-
You operate a production VPC with both a public and a private subnet. Your organization maintains a restricted Amazon S3 bucket to support this production workload. Only Amazon EC2 instances in the private subnet should access the bucket. You implement VPC endpoints (VPC-E) for Amazon S3 and remove the NAT that previously provided a network path to Amazon S3. The default VPC-E policy is applied. EC2 instances in neither the public nor the private subnet are able to access the S3 bucket.
What should you do to enable Amazon S3 access from EC2 instances in the private subnet?
- Add the CIDR address range of the private subnet to the S3 bucket policy.
- Add the VPC-E identifier to the S3 bucket policy.
- Add the VPC identifier for the production VPC to the S3 bucket policy.
- Add the VPC-E identifier for the production VPC to endpoint policy.
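The question above turns on how a bucket policy can be tied to a specific VPC endpoint. The following is an added example (not part of the question bank and not AWS code) that builds such a policy and runs a toy evaluation of its Deny statement. The bucket name and endpoint ID are constructed; the evaluator only models the aws:sourceVpce condition and the rule that a negated operator such as StringNotEquals matches when the key is absent from the request context, which is exactly what happens to a request that arrives via an Internet gateway or NAT rather than through the endpoint.

```python
import json

def bucket_policy_for_endpoint(bucket, vpce_id):
    """Bucket policy that denies any S3 request not arriving through the named
    gateway endpoint. Deny + StringNotEquals is used instead of Allow + StringEquals
    because an explicit Deny overrides any Allow granted elsewhere (for example an
    over-broad IAM policy attached to the instance role)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyUnlessFromVpcEndpoint",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }

def _condition_matches(condition, context):
    """Toy condition evaluator for the two string operators used here."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "StringNotEquals":
                # Negated operators evaluate to true when the key is absent,
                # so a request without aws:sourceVpce is caught by the Deny.
                if actual is not None and actual == expected:
                    return False
            else:
                raise ValueError(f"unsupported operator {operator}")
    return True

def is_denied(policy, context):
    """Return True if any Deny statement in the policy matches the request context.
    Allow statements are ignored: in this toy they would come from the caller's
    IAM policy, and an explicit Deny wins over them anyway."""
    for statement in policy["Statement"]:
        if statement["Effect"] == "Deny" and _condition_matches(
                statement.get("Condition", {}), context):
            return True
    return False

# Constructed identifiers (hypothetical bucket and endpoint, not real resources).
POLICY = bucket_policy_for_endpoint("prod-restricted-data", "vpce-0123456789abcdef0")

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print("via endpoint denied?", is_denied(POLICY, {"aws:sourceVpce": "vpce-0123456789abcdef0"}))
    print("via NAT denied?     ", is_denied(POLICY, {"aws:SourceIp": "10.0.1.25"}))
```

A subnet CIDR in an aws:SourceIp condition does not give the same guarantee, because the condition key that identifies the path is aws:sourceVpce, which is only populated for requests that traverse the endpoint.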
-
Your hybrid networking environment consists of two application VPCs, a shared services VPC, and your corporate network. The corporate network is connected to the shared services VPC via an IPsec VPN with dynamic (BGP) routing enabled.
The applications require access to a common authentication service in the shared services VPC. You need to enable native network access from the corporate network to both application VPCs.
Which step should you take to meet the requirements?
- Use VPC peering to peer the application VPCs with the shared services VPC, and enable associated routing in the shared services VPC via the corporate VPN.
- Configure an IPsec VPN between the virtual private gateway in each application VPC to the virtual private gateway in the shared services VPC.
- Configure additional IPsec VPNs for each application VPC back to the corporate network, and enable VPC peering to the shared services VPC.
- Enable CloudHub functionality to route traffic between the three VPCs and the corporate network using dynamic BGP routing.
-
You use a VPN to extend your corporate network into a VPC. Instances in the VPC are able to resolve resource records in an Amazon Route 53 private hosted zone. Your on-premises DNS server is configured with a forwarder to the VPC DNS server IP address. On-premises users are unable to resolve names in the private hosted zone, although instances in a peered VPC can.
What should you do to provide on-premises users with access to the private hosted zone?
- Create a proxy resolver within the VPC. Point the on-premises forwarder to the proxy resolver.
- Modify the network access control list on the VPC to allow DNS queries from on-premises systems.
- Configure the on-premises server as a secondary DNS for the private zone. Update the NS records.
- Update the on-premises forwarders with the four name servers assigned to the private hosted zone.
-
Your organization has a newly installed 1-Gbps AWS Direct Connect connection. You order the cross-connect from the Direct Connect location provider to the port on your router in the same facility. To enable the use of your first virtual interface, your router must be configured appropriately.
What are the minimum requirements for your router?
- 1-Gbps Multi Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
- 1-Gbps Single Mode Fiber Interface, 802.1Q VLAN, Peer IP Address, BGP Session with MD5.
- IPsec Parameters, Pre-Shared key, Peer IP Address, BGP Session with MD5
- BGP Session with MD5, 802.1Q VLAN, Route-Map, Prefix List, IPsec encrypted GRE Tunnel
-
Your security team implements a host-based firewall on all of your Amazon Elastic Compute Cloud (EC2) instances to block all outgoing traffic. Exceptions must be requested for each specific requirement. Until you request a new rule, you cannot access the instance metadata service. Which firewall rule should you request to be added to your instances to allow instance metadata access?
- Inbound; Protocol tcp; Source [Instance’s EIP]; Destination 169.254.169.254
- Inbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
- Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 80
- Outbound; Protocol tcp; Destination 169.254.169.254; Destination port 443
-
A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum.
Which design should be recommended?
- Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.
- Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.
- Create a private VIF to the Management VPC, and peer this VPC to all other VPCs; enable source/destination NAT in the Management VPC.
- Create a total of four private VIFs, and enable VPC peering between all VPCs.
-
Your company runs an application for the US market in the us-east-1 AWS region. This application uses proprietary TCP and UDP protocols on Amazon Elastic Compute Cloud (EC2) instances. End users run a real-time, front-end application on their local PCs. This front-end application knows the DNS hostname of the service.
You must prepare the system for global expansion. The end users must access the application with lowest latency.
How should you use AWS services to meet these requirements?
- Register the IP addresses of the service hosts as “A” records with latency-based routing policy in Amazon Route 53, and set a Route 53 health check for these hosts.
- Set the Elastic Load Balancing (ELB) load balancer in front of the hosts of the service, and register the ELB name of the main service host as an ALIAS record with a latency-based routing policy in Route 53.
- Set Amazon CloudFront in front of the host of the service, and register the CloudFront name of the main service as an ALIAS record in Route 53.
- Set the Amazon API gateway in front of the service, and register the API gateway name of the main service as an ALIAS record in Route 53.
-
You deploy an Amazon EC2 instance that runs a web server into a subnet in a VPC. An Internet gateway is attached, and the main route table has a default route (0.0.0.0/0) configured with a target of the Internet gateway.
The instance has a security group configured to allow as follows:
– Protocol: TCP
– Port: 80 inbound and nothing outbound
The Network ACL for the subnet is configured to allow as follows:
– Protocol: TCP
– Port: 80 inbound and nothing outbound
When you try to browse to the web server, you receive no response.
Which additional step should you take to receive a successful response?
- Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 80
- Add an entry to the security group outbound rules for Protocol: TCP, Port Range: 1024-65535
- Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 80
- Add an entry to the Network ACL outbound rules for Protocol: TCP, Port Range: 1024-65535
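The difference the question above is probing is that a security group is stateful while a network ACL is stateless, so the reply packets of an inbound HTTP connection (source port 80, destination port the client's ephemeral port) must be explicitly permitted by an outbound NACL rule. The model below is an added example, not part of the question bank and not AWS code; it simulates both filters on a single request/reply pair using constructed rules and a constructed client port.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    direction: str   # "in" = client -> instance, "out" = instance -> client
    proto: str
    src_port: int
    dst_port: int

    def reverse(self):
        """The reply to this flow: direction flipped, ports swapped."""
        return Flow("out" if self.direction == "in" else "in",
                    self.proto, self.dst_port, self.src_port)

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_from: int
    port_to: int

    def covers(self, flow):
        return (self.direction == flow.direction and self.proto == flow.proto
                and self.port_from <= flow.dst_port <= self.port_to)

class NetworkAcl:
    """Stateless: every packet, replies included, must match an explicit rule."""
    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, flow):
        return any(r.covers(flow) for r in self.rules)

class SecurityGroup(NetworkAcl):
    """Stateful: once a flow is permitted, its reverse is permitted automatically,
    so an instance with no outbound rules can still answer an allowed request."""
    def __init__(self, rules):
        super().__init__(rules)
        self._tracked = set()

    def allows(self, flow):
        if flow.reverse() in self._tracked:
            return True
        permitted = super().allows(flow)
        if permitted:
            self._tracked.add(flow)
        return permitted

def http_round_trip(sg, nacl, client_port=54321):
    """Walk one request and its reply through the NACL (subnet boundary) and the
    security group (instance ENI) and report where, if anywhere, it is dropped."""
    request = Flow("in", "tcp", client_port, 80)
    reply = request.reverse()
    if not (nacl.allows(request) and sg.allows(request)):
        return "request blocked"
    if not sg.allows(reply):
        return "reply blocked by security group"
    if not nacl.allows(reply):
        return "reply blocked by network ACL"
    return "ok"

if __name__ == "__main__":
    inbound_80 = [Rule("in", "tcp", 80, 80)]
    print(http_round_trip(SecurityGroup(inbound_80), NetworkAcl(inbound_80)))
    print(http_round_trip(SecurityGroup(inbound_80),
                          NetworkAcl(inbound_80 + [Rule("out", "tcp", 1024, 65535)])))
```

The ephemeral range 1024-65535 is used because the client's source port is chosen by the client's operating system; a narrower range would silently drop replies to some clients.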
-
An organization launched an IPv6-only web portal to support IPv6-native mobile clients. Front-end instances launch in an Amazon VPC associated with an appropriate IPv6 CIDR. The VPC IPv4 CIDR is fully utilized. A single subnet exists in each of two Availability Zones with appropriately configured IPv6 CIDR associations. Auto Scaling is properly configured, and no Elastic Load Balancing is used.
Customers say the service is unavailable during peak load times. The network engineer attempts to launch an instance manually and receives the following message: “There are not enough free addresses in subnet ‘subnet-12345678’ to satisfy the requested number of instances.”
What action will resolve the availability problem?
- Create a new subnet using a VPC secondary IPv6 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
- Create a new subnet using a VPC secondary IPv4 CIDR, and associate an IPv6 CIDR. Include the new subnet in the Auto Scaling group.
- Resize the IPv6 CIDR on each of the existing subnets. Modify the Auto Scaling group maximum number of instances.
- Add a secondary IPv4 CIDR to the Amazon VPC. Assign secondary IPv4 address space to each of the existing subnets.
-
A Network Engineer is designing a new system on AWS that will take advantage of Amazon CloudFront for both content caching and for protecting the underlying origin. There is concern that an external agency might be able to access the IP addresses for the application’s origin and then attack the origin despite it being served by CloudFront. Which of the following solutions provides the strongest level of protection to the origin?
- Use an IP whitelist rule in AWS WAF within CloudFront to ensure that only known-client IPs are able to access the application.
- Configure CloudFront to use a custom header and configure an AWS WAF rule on the origin’s Application Load Balancer to accept only traffic that contains that header.
- Configure an AWS Lambda@Edge function to validate that the traffic to the Application Load Balancer originates from CloudFront.
- Attach an origin access identity to the CloudFront origin that allows traffic to the origin that originates from only CloudFront.
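One of the options above relies on a secret custom header that CloudFront adds on every origin request and that the origin (via an AWS WAF rule on the ALB, or in the application itself) requires. The following is an added example, not from the question bank and not AWS code, showing the origin-side check as application code with a constant-time comparison. The header name and secret value are assumptions chosen for the example; the secret would in practice be generated once, stored in a secrets manager and rotated.

```python
import hmac
import secrets

# Assumed header name; any name not used by clients works, it is the value that matters.
ORIGIN_HEADER = "x-origin-verify"

def new_origin_secret(nbytes=32):
    """Generate a random shared secret to set as a CloudFront origin custom header
    and to configure on the origin side (WAF string-match rule or this check)."""
    return secrets.token_urlsafe(nbytes)

def request_is_from_cloudfront(headers, expected_secret):
    """Return True only if the request carries the shared-secret header.
    HTTP header names are case-insensitive, so normalise before lookup, and
    compare in constant time so response timing leaks nothing to a guesser."""
    presented = None
    for name, value in headers.items():
        if name.lower() == ORIGIN_HEADER:
            presented = value
            break
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected_secret.encode())

# Constructed shared secret and sample requests for demonstration only.
SECRET = "example-shared-secret-rotate-me"
FROM_CLOUDFRONT = {"Host": "app.example.com", "X-Origin-Verify": SECRET}
DIRECT_TO_ORIGIN = {"Host": "app.example.com", "User-Agent": "curl/8.0"}

if __name__ == "__main__":
    print("via CloudFront :", request_is_from_cloudfront(FROM_CLOUDFRONT, SECRET))
    print("direct to ALB  :", request_is_from_cloudfront(DIRECT_TO_ORIGIN, SECRET))
```

The check only holds if the origin is reachable solely over TLS (so the header cannot be sniffed on the wire) and the secret is rotated when it is suspected to have leaked; combine it with a security group that limits the ALB to CloudFront's origin-facing address ranges for defense in depth.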
-
A network engineer is managing two AWS Direct Connect connections. Each connection has a public virtual interface configured with a private ASN. The engineer wants to configure active/passive routing between the Direct Connect connections to access Amazon public endpoints. What BGP configuration is required for the on-premises equipment? (Choose two.)
- Use Local Pref to control outbound traffic.
- Use AS Prepending to control inbound traffic.
- Use eBGP multi-hop between loopback interfaces.
- Use BGP Communities to control outbound traffic.
- Advertise more specific prefixes over one Direct Connect connection.
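The two BGP levers the question above is about act in opposite directions: LOCAL_PREF is local to your router and steers traffic you send towards AWS, while AS_PATH prepending lengthens the path AWS sees and so steers traffic AWS sends back to you. The simplified decision process below is an added example, not from the question bank and not AWS or router code; prefixes use documentation address ranges, the customer ASN 65000 is an assumed private ASN, and 7224 is used as the Amazon-side ASN.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Path:
    prefix: str
    learned_from: str     # which Direct Connect connection the route came over
    local_pref: int
    as_path: tuple

def best_path(paths):
    """Simplified BGP best-path selection: highest LOCAL_PREF wins, then the
    shortest AS_PATH; the connection name is a deterministic final tie-break."""
    if not paths:
        raise ValueError("no usable path")
    return min(paths, key=lambda p: (-p.local_pref, len(p.as_path), p.learned_from))

def prepend(path, asn, times):
    """Lengthen the AS_PATH of an advertisement by repeating our own ASN, which
    makes the neighbour prefer the same prefix heard over the other connection."""
    return Path(path.prefix, path.learned_from, path.local_pref,
                (asn,) * times + path.as_path)

def usable(paths, down):
    """Drop paths learned over connections that are currently down."""
    return [p for p in paths if p.learned_from not in down]

CUSTOMER_ASN = 65000          # assumed private ASN on the public VIFs
AMAZON_ASN = 7224             # Amazon-side ASN used for the example

# Outbound: the same Amazon prefix learned over both connections; LOCAL_PREF
# makes DX1 primary without touching anything AWS sees.
LEARNED = [
    Path("203.0.113.0/24", "dx1", local_pref=200, as_path=(AMAZON_ASN,)),
    Path("203.0.113.0/24", "dx2", local_pref=100, as_path=(AMAZON_ASN,)),
]

# Inbound, as seen from the Amazon side: our prefix advertised over both
# connections, prepended three times over DX2 so AWS returns traffic via DX1.
ADVERTISED = [
    Path("198.51.100.0/24", "dx1", local_pref=100, as_path=(CUSTOMER_ASN,)),
    prepend(Path("198.51.100.0/24", "dx2", local_pref=100, as_path=(CUSTOMER_ASN,)),
            CUSTOMER_ASN, 3),
]

if __name__ == "__main__":
    print("outbound via", best_path(LEARNED).learned_from)
    print("inbound  via", best_path(ADVERTISED).learned_from)
    print("outbound after dx1 failure via", best_path(usable(LEARNED, {"dx1"})).learned_from)
```

Because both connections still carry the prefix, failure of the primary leaves the backup path as the only candidate and traffic shifts without any configuration change.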
-
You are preparing to launch Amazon WorkSpaces and need to configure the appropriate networking resources.
What must be configured to meet this requirement?
- At least two subnets in different Availability Zones.
- A dedicated VPC with Active Directory Services.
- An IPsec VPN to on-premises Active Directory.
- Network address translation for outbound traffic.
-
You have multiple Amazon Elastic Compute Cloud (EC2) instances running a web server in a VPC configured with security groups and NACL. You need to ensure layer 7 protocol level logging of all network traffic (ACCEPT/REJECT) on the instances. What should be enabled to complete this task?
- CloudWatch Logs at the VPC level
- Packet sniffing at the instance level
- VPC flow logs at the subnet level
- Packet sniffing at the VPC level
-
Your company operates a single AWS account. A common services VPC is deployed to provide shared services, such as network scanning and compliance tools. Each AWS workload uses its own VPC, and each VPC must peer with the common services VPC. You must choose the most efficient and cost effective approach.
Which approach should be used to automate the required VPC peering?
- AWS CloudTrail integration with Amazon CloudWatch Logs to trigger a Lambda function.
- An OpsWorks Chef recipe to execute a command-line peering request.
- Cfn-init with AWS CloudFormation to execute a command-line peering request.
- An AWS CloudFormation template that includes a peering request.
-
Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2) and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement changes. Which combination of three services provides an alert for changes made outside of AWS CloudFormation? (Choose three.)
- AWS Config
- Amazon Simple Notification Service (SNS)
- Amazon CloudWatch metrics
- AWS Lambda
- AWS CloudFormation
- AWS Identity and Access Management