ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 04

  1. You have a global corporate network with 153 individual IP prefixes in your internal routing table. You establish a private virtual interface over AWS Direct Connect to a VPC that has an Internet gateway (IGW). All instances in the VPC must be able to route to the Internet via an IGW and route to the global corporate network via the VGW.

    How should you configure your on-premises BGP peer to meet these requirements?

    • Configure AS-Prepending on your BGP session
    • Summarize your prefix announcement to less than 100
    • Announce a default route to the VPC over the BGP session
    • Enable route propagation on the VPC route table
  2. You are building an application that provides real-time audio and video services to customers on the Internet. The application requires high throughput. To ensure proper audio and video transmission, minimal latency is required.

    Which of the following will improve transmission quality?

    • Enable enhanced networking
    • Select G2 instance types
    • Enable jumbo frames
    • Use multiple elastic network interfaces
  3. The Payment Card Industry Data Security Standard (PCI DSS) merchants that handle credit card data must use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks.

    A team will migrate the PCI DSS application from on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront.

    How should you configure CloudFront to meet this requirement?

    • Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin’s Protocol Policy to ‘Match Viewer’.
    • Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.
    • Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.
    • Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward request to the origin via the Amazon private network.
  4. You deploy your Internet-facing application is the us-west-2(Oregon) region. To manage this application and upload content from your corporate network, you have a 1–Gbps AWS Direct Connect connection with a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the corporate network.

    You need to deploy another identical instance of the application is us-east-1(N Virginia) as soon as possible. You need to use the benefits of Direct Connect. Your design must be the most effective solution regarding cost, performance, and time to deploy.

    Which design should you choose?

    • Use the inter-region capabilities of Direct Connect to establish a private virtual interface from us-west-2 Direct Connect location to the new VPC in us-east-1.
    • Deploy an IPsec VPN over your corporate Internet connection to us-east-1 to provide access to the new VPC.
    • Use the inter-region capabilities of Direct Connect to deploy an IPsec VPN over a public virtual interface to the new VPC in us-east-1.
    • Use VPC peering to connect the existing VPC in us-west-2 to the new VPC in us-east-1, and then route traffic over Direct Connect and transit the peering connection.
  5. Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price.

    Which of the following connectivity options should you choose?

    • Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface.
    • Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.
    • Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.
    • Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.
  6. An organization wants to process sensitive information using the Amazon EMR service. The information is stored in on-premises databases. The output of processing will be encrypted using AWS KMS before it is uploaded to a customer-owned Amazon S3 bucket. The current configuration includes a VPS with public and private subnets, with VPN connectivity to the on-premises network. The security organization does not allow Amazon EC2 instances to run in the public subnet.

    What is the MOST simple and secure architecture that will achieve the organization’s goal?

    • Use the existing VPC and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
    • Use the existing VPS and a NAT gateway, and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
    • Create a new VPS without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint.
    • Create a new VPS without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint and a NAT gateway.
  7. An organization has three AWS accounts with each containing VPCs in Virginia, Canada and the Sydney regions. The organization wants to determine whether all available Elastic IP addresses (EIPs) in these accounts are attached to Amazon EC2 instances or in use elastic network interfaces (ENIs) in all of the specified regions for compliance and cost-optimization purposes.

    Which of the following meets the requirements with the LEAST management overhead?

    • Use an Amazon CloudWatch Events rule to schedule an AWS Lambda function in each account in all three regions to find the unattached and unused EIPs.
    • Use a CloudWatch event bus to schedule Lambda functions in each account in all three regions to find the unattached and unused EIPs.
    • Add an AWS managed, EIP-attached AWS Config rule in each region in all three accounts to find unattached and unused EIPs.
    • Use AWS CloudFormation StackSets to deploy an AWS Config EIP-attached rule in all accounts and regions to find the unattached and unused EIPs.
  8. A Systems Administrator is designing a hybrid DNS solution with spilt-view. The apex-domain “example.com” should be served through name servers across multiple top-level domains (TLDs). The name server for subdomain “dev.example.com” should reside on-premises. The administrator has decided to use Amazon Route 53 to achieve this scenario.

    What procedurals steps must be taken to implement the solution?

    • Use a Route 53 public hosted zone for example.com and a private hosted zone for dev.example.com
    • Use a Route 53 public and private hosted zone for example.com, and perform subdomain delegation for dev.example.com
    • Use a Route 53 public hosted zone for example.com, and perform subdomain delegation for dev.example.com
    • Use a Route 53 private hosted zone for example.com, and perform subdomain delegation for dev.example.com
  9. DNS name resolution must be provided for services in the following four zones:

    ANS-C00 AWS Certified Advanced Networking - Specialty Part 04 Q09 002
    ANS-C00 AWS Certified Advanced Networking – Specialty Part 04 Q09 002

    The contents of these zones is not considered sensitive, however, the zones only need to be used by services hosted in these VPCs, one per geographic region. Each VPC should resolve the names in all zones.

    How can you use Amazon route 53 to meet these requirements?

    • Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.
    • Create a single Route 53 Private Hosted Zone for the zone company.private. and associate it with the three VPCs.
    • Create a Route Public 53 Hosted Zone for each of the four zones and configure the VPC DNS Resolver to forward
    • Create a single Route 53 Public Hosted Zone for the zone company.private. and configure the VPC DNS Resolver to forward
  10. An organization is replacing a tape backup system with a storage gateway. there is currently no connectivity to AWS. Initial testing is needed.

    What connection option should the organization use to get up and running at minimal cost?

    • Use an internet connection.
    • Set up an AWS VPN connection.
    • Provision an AWS Direct Connection private virtual interface.
    • Provision a Direct Connect public virtual interface.
  11. All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that it is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server.

    What is the reason for this failure?

    • The NAT gateway does not support UDP traffic.
    • The authentication server is not accepting traffic.
    • The NAT gateway cannot allocate more ports.
    • The NAT gateway is launched in a private subnet.
  12. An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.

    Which solution will fix the connectivity failures with the LEAST amount of effort?

    • Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
    • Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
    • Update the application server’s outbound security group to use the prefix-list for Amazon S3 in the same region.
    • Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon S3.
  13. A bank built a new version of its banking application in AWS using containers that connect to an on-premises database over a VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their on-premises version of the application to serve a small portion of the customers who haven’t yet upgraded.

    What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

    • Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS based version.
    • Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.
    • Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
    • Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use host header-based routing to route traffic based on the application version.
  14. A company is deploying a non-web application on an Elastic Load Balancing. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.

    How can this requirement be achieved?

    • Use a Network Load Balancer to automatically preserve the source IP address.
    • Use a Network Load Balancer and enable the X-Forwarded-For attribute.
    • Use a Network Load Balancer and enable the ProxyProtocol attribute.
    • Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.
  15. An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the Remote (receiving) account are already in place.

    The template below creates the VPC peering connection in the Originating account. It contains these components:

    ANS-C00 AWS Certified Advanced Networking - Specialty Part 04 Q15 003
    ANS-C00 AWS Certified Advanced Networking – Specialty Part 04 Q15 003

    Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Choose two.)

    • ANS-C00 AWS Certified Advanced Networking - Specialty Part 04 Q15 004
      ANS-C00 AWS Certified Advanced Networking – Specialty Part 04 Q15 004
    • ANS-C00 AWS Certified Advanced Networking - Specialty Part 04 Q15 005
      ANS-C00 AWS Certified Advanced Networking – Specialty Part 04 Q15 005
    • ANS-C00 AWS Certified Advanced Networking - Specialty Part 04 Q15 006
      ANS-C00 AWS Certified Advanced Networking – Specialty Part 04 Q15 006
    • ANS-C00 AWS Certified Advanced Networking - Specialty Part 04 Q15 007
      ANS-C00 AWS Certified Advanced Networking – Specialty Part 04 Q15 007
    • ANS-C00 AWS Certified Advanced Networking - Specialty Part 04 Q15 008
      ANS-C00 AWS Certified Advanced Networking – Specialty Part 04 Q15 008
  16. A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.

    What design will use the LEAST amount of IP space, while allowing for this growth?

    • Use two /29 subnets for an Application Load Balancer in different Availability Zones.
    • Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
    • Use two /28 subnets for a Network Load Balancer in different Availability Zones.
    • Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.
  17. A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the Internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable –‘app.example.com’.

    Instances within the VPC should always connect to the private IP to minimize data transfer costs.

    How should the engineer configure DNS to support these requirements?

    • Use Amazon Route 53 to create a geo-based routing entry for the hostname ‘app’ in the DNS zone ‘example.com’.
    • Create two A record entries for ‘app’ in the DNS zone ‘example.com’ – one for the public IP and one for the private IP.
    • Use Route 53 to create an ALIAS record to the public DNS name for the instance.
    • Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.
  18. A Network Engineer is troubleshooting a network connectivity issue for an instance within a public subnet that cannot connect to the internet. The first step the Engineer takes is to SSH to the instance via a local bastion within the VPC and runs an ifconfig command to inspect the IP addresses configured on the instance. The output is as follows:

    ANS-C00 AWS Certified Advanced Networking - Specialty Part 04 Q18 009
    ANS-C00 AWS Certified Advanced Networking – Specialty Part 04 Q18 009

    The Engineer notices that the command output does not contain a public IP address. In the AWS Management Console, the public subnet has a route to the internet gateway. The instance also has a public IP address associated with it.

    What should the Engineer do next to troubleshoot this situation?

    • Configure the public IP on the interface.
    • Disable source/destination checking for the instance.
    • Associate an Elastic IP address to the interface.
    • Evaluate the security groups and the network access control list.
  19. A company uses a single connection to the internet when connecting its on-premises location to AWS. It has selected an AWS Partner Network (APN) Partner to provide a point-to-point circuit for its first-ever 10 Gbps AWS Direct Connect connection.

    What steps must be taken to order the cross-connect at the Direct Connect location?

    • Obtain the LOA/CFA from the APN Partner when ordering connectivity. Upload it to the AWS Management Console when creating a new Direct Connect connection. AWS will ensure that the cross-connect is installed.
    • Obtain the LOA/CFA from the AWS Management Console when ordering the Direct Connect connection. Provide it to the APN Partner when ordering connectivity. The Direct Connect partner will ensure that the cross-connect is installed.
    • Obtain one LOA/CFA each from the AWS Management Console and the APN Partner. Provide both to the Facility Operator of the Direct Connect location. The facility operator will ensure that the cross-connect is installed.
    • Identify the APN Partner in the AWS Management Console when creating the Direct Connect connection. Provide the resulting Connection ID to the APN Partner, who will ensure that the cross-connect is installed.
  20. An organization’s Security team has a requirement that all data leaving its on-premises data center be encrypted at the network layer and use dedicated connectivity. There is also a requirement to centrally log all traffic flow in Amazon VPC environments. An AWS Direct Connect connection has been ordered to build out this design.

    What steps should be taken to ensure that connectivity to AWS meets these security requirements? (Choose two.)

    • Provision a public virtual interface on AWS Direct Connect and set up a VPN to each VPC.
    • Provision a private virtual interface for each VPC connection.
    • Enable VPC Flow Logs for each VPC.
    • Use AWS KMS to encrypt traffic between on-premises and AWS.
    • Provision a VPN connection to each VPC over the internet.