ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 05
-
A company has an application running on Amazon EC2 instances in a private subnet that connects to a third-party service provider’s public HTTP endpoint through a NAT gateway. As request rates increase, new connections are starting to fail. At the same time, the ErrorPortAllocation Amazon CloudWatch metric count for the NAT gateway is increasing.
Which of the following actions should improve the connectivity issues? (Choose two.)
- Allocate additional Elastic IP addresses to the NAT gateway.
- Request that the third-party service provider implement HTTP keepalive.
- Implement TCP keepalive on the client instances.
- Create additional NAT gateways and update the private subnet route table to introduce the new NAT gateways.
- Create additional NAT gateways in the public subnet and split client instances into multiple private subnets, each with a route to a different NAT gateway.
-
An application runs on a fleet of Amazon EC2 instances in a VPC. All instances can reach one another using private IP addresses. The application owner has a new requirement that the domain name received via DHCP should be different for a particular set of instances that are currently in one particular subnet.
What changes should be made to meet this requirement while continuing to support the existing application requirements?
- Modify the existing DHCP option set and specify the different domain name for the specified subnet.
- Create a new DHCP option set with the different domain name, associate it with the specified subnet, and re-launch the Amazon EC2 instances.
- Create a new subnet, configure the DHCP option set with the different domain name, and re-launch the required instances there.
- Create a new peered VPC, configure the DHCP option set with the different domain name, and re-launch the required instances there.
-
A Network Engineer has enabled VPC Flow Logs to troubleshoot an ICMP reachability issue for an echo reply from an Amazon EC2 instance. The flow logs reveal an ACCEPT record for the request from the client to the EC2 instance, and a REJECT record for the response from the EC2 instance to the client.
What is the MOST likely reason for there to be a REJECT record?
- The security group is denying inbound ICMP.
- The network ACL is denying inbound ICMP.
- The security group is denying outbound ICMP.
- The network ACL is denying outbound ICMP.
-
An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF.
What additional configuration is required to enable the applications in VPCs to communicate with each other and access on-premises resources?
- Configure each application VPC with a static route entry pointing the on-premises CIDR block to the software VPN instances.
- Configure the central VPC with a static route entry pointing the on-premises CIDR block to local VGWs.
- Advertise all application VPC CIDR blocks to on-premises resources via the VGW in the central VPC.
- Configure IPSec tunnels from the on-premises router into the software VPN instances with dynamic routing.
-
A network engineer needs to create a public virtual interface on the company’s AWS Direct Connect connection and only import routes which originated from the same region as the Direct Connect location.
What action should accomplish this?
- Configure a prefix list on the customer router containing the AWS IP address ranges for the specific Region.
- Configure a filter on the company’s router to only import routes with the 7224:8100 BGP community tag.
- Configure a filter on the company’s router to only import routes without a BGP community tag and a maximum path length of 3.
- Configure a filter in the AWS console and only allow routes advertised by AWS without a BGP community tag and a maximum path length of 3.
-
A network engineer has configured a private hosted zone using Amazon Route 53. The engineer needs to configure health checks for record sets within the zone that are associated with instances.
How can the engineer meet the requirements?
- Configure a Route 53 health check to a private IP associated with the instances inside the VPC to be checked.
- Configure a Route 53 health check pointing to an Amazon SNS topic that notifies an Amazon CloudWatch alarm when the Amazon EC2 StatusCheckFailed metric fails.
- Create a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then create a health check that is based on the state of the alarm.
- Create a CloudWatch alarm for the StatusCheckFailed metric and choose Recover this instance, selecting a threshold value of 1.
-
An architecture is being designed to support an Amazon WorkSpaces deployment of 1,000 desktops.
Which architecture will support this deployment while allowing for future expansion?
- A VPC with a /16 CIDR and one /21 subnet
- A VPC with a /20 CIDR and two /21 subnets
- A VPC with a /16 CIDR and one /22 subnet
- A VPC with a /20 CIDR and two /23 subnets
-
An organization is deploying an application in a VPC that requires SSL mutual authentication with a client-side certificate, as that is the primary method of identifying clients. The Network Engineer has been tasked with defining the mechanism used within AWS to provide the SSL mutual authentication.
Which of the following options meets the organization’s requirements?
- Use a Classic Load Balancer and upload the client certificate private keys to it. Perform SSL mutual authentication of the client-side certificate there.
- Use a Network Load Balancer with a TCP listener on port 443, and pass the request through for the SSL mutual authentication to be handled by a backend instance.
- Use an Application Load Balancer and upload the client certificate private keys to it by using the native server name indication (SNI) features with smart certificate selection to handle multiple calling applications.
- Front the application with Amazon API Gateway, and use its client-side SSL mutual authentication feature that uses the backend instances to verify the source of the request.
-
A network architect is designing a website. It has web, application, and database tiers that will run in AWS. The website uses Amazon DynamoDB.
Which architecture will minimize public exposure of the backend instances?
- A VPC with public subnets for the NLB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
- A VPC with public subnets for the ALB, private subnets for the web tier, and private subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint.
- A VPC with public subnets for the ALB, public subnets for the web tier, private subnets for the application tier, and private subnets for DynamoDB.
- A VPC with public subnets for the NLB, private subnets for the web tier, and public subnets for the application tier. The application tier connects DynamoDB through a VPC endpoint.
-
A company is connecting to a VPC over an AWS Direct Connect using a private VIF, and a dynamic VPN connection as a backup. The company’s Reliability Engineering team has been running failover and resiliency tests on the network and the existing VPC by simulating an outage situation on the Direct Connect connection. During the resiliency tests, traffic failed to switch over to the backup VPN connection.
How can this failure be troubleshot?
- Ensure that Bidirectional Forwarding Detection is enabled on the Direct Connect connection.
- Confirm that the same routes are being advertised over both the VPN and Direct Connect.
- Reconfigure the Direct Connect session from static routes to Border Gateway Protocol (BGP) peering.
- Configure a virtual private gateway for the VPN and another virtual private gateway for Direct Connect.
-
An organization is migrating its on-premises applications to AWS by using a lift-and-shift approach, taking advantage of managed AWS services wherever possible. The company must be able to edit the application code during the migration phase. One application is a traditional three-tier application, consisting of a web presentation tier, an application tier, and a database tier. The external calling client applications need their sessions to remain sticky to both the web and application nodes that they initially connect to.
Which load balancing solution would allow the web and application tiers to scale horizontally independently of one another?
- Use an Application Load Balancer at the web tier and a Classic Load Balancer at the application tier. Set session stickiness on both, but update the application code to create an application-controlled cookie on the Classic Load Balancer.
- Use an Application Load Balancer at both the web and application tiers, setting session stickiness at the target group level for both tiers.
- Deploy a web node and an application node as separate containers on the same host, using task linking to create a relationship between the pair. Add an Application Load Balancer with session stickiness in front of all web node containers.
- Use a Network Load Balancer at the web tier, and an Application Load Balancer at the application tier. Enable session stickiness on the Application Load Balancer, but take advantage of the native WebSockets protocols available to the Network Load Balancer.
-
A team implements a highly available solution using Amazon AppStream 2.0. The AppStream 2.0 fleet needs to communicate with resources both in an existing VPC and on-premises. The VPC is connected to the on-premises environment using an AWS Direct Connect private virtual interface.
What implementation enables on-premises users to connect to AppStream and existing VPC resources?
- Deploy two subnets into the existing VPC. Add a public virtual interface to the Direct Connect connection for users to access the AppStream endpoint.
- Deploy a new VPC with two subnets. Create a VPC peering connection between the two VPCs for users to access the AppStream endpoint.
- Deploy one subnet into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.
-
An organization has ordered a new AWS Direct Connect connection. The AWS Management Console reports that the connection is available and BGP status is up. However, the networking team is not able to reach instances in the VPC using ping on the organization’s private IP address.
What could cause this connectivity issue? (Choose two.)
- The VGW is not advertising the correct CIDR range back on-premises.
- The instance security group does not allow ICMP traffic.
- A public virtual interface must be configured for Amazon EC2 connectivity.
- The on-premises router is not advertising the correct CIDR range to AWS.
- There is a misconfiguration of the bi-directional forwarding detection.
-
A company has a hybrid IT architecture with two AWS Direct Connect connections to provide high availability. The services hosted on-premises are accessible using public IPs, and are also on the 172.16.0.0/16 range. The AWS resources are on the 192.168.0.0/18 range. The company wants to use Amazon Elastic Load Balancing for SSL offloading, health checks, and sticky sessions.
What should be done to meet these requirements?
- Create a Network Load Balancer pointing to the on-premises server’s private IP address.
- Create an Amazon CloudFront distribution for the on-premises service and use the public IPs of the on-premises servers as the origin.
- Create a Network Load Balancer pointing to the on-premises server’s public IP address.
- Create an Application Load Balancer pointing to the on-premises server’s private IP address.
-
A company deployed its production Amazon VPC using CIDR block 33.16.0.0/16. The company has nearly depleted its addresses and now needs to extend the VPC network.
Which CIDR blocks meet the company’s requirement to extend the VPC network with a secondary CIDR? (Choose two.)
- 33.17.0.0/16
- 172.16.0.0/18
- 100.70.0.0/17
- 192.168.1.0/24
- 10.0.0.0/8
-
A company is deploying a new web application that uses a three-tier model with a public-facing Network Load Balancer and web servers in an Amazon VPC. The application servers are hosted in the company’s data center. There is an AWS Direct Connect connection between the VPC and the company’s data center. Load testing results indicate that up to 100 servers, equally distributed across multiple Availability Zones, are required to handle peak loads.
The network engineer needs to design a VPC that has a /24 CIDR assigned to it.
How should the engineer allocate subnets across three Availability Zones for each tier?
- Network Load Balancer: /29 per subnet; Web: /26 per subnet
- Network Load Balancer: /28 per subnet; Web: /25 per subnet
- Network Load Balancer: /28 per subnet; Web: /27 per subnet
- Network Load Balancer: /28 per subnet; Web: /26 per subnet
-
Changes made to a security group attached to an Application Load Balancer resulted in connectivity issues for a company’s production web application. The network engineer needs to lock down permissions for the company’s AWS account, automate auditing for any changes, and set up notifications.
What actions should accomplish this?
- Configure IAM user policies to lock down permissions for specific users. Enable AWS CloudTrail to identify API calls from users. Use AWS Config to audit any changes, and configure Amazon SNS to send notifications.
- Configure IAM user policies to lock down permissions for specific users. Enable AWS CloudTrail to identify the API calls from users. Configure AWS CodeCommit to audit any changes in configurations, and configure Amazon SNS to send notifications.
- Configure IAM user policies to lock down permissions for specific users. Enable AWS CloudTrail to identify the API calls from users. Configure Amazon Macie to use machine learning to identify any configuration changes, and configure Amazon SNS to send notifications.
- Configure IAM role policies to lock down permissions for specific users. Configure Amazon GuardDuty to audit and monitor configuration changes, and configure Amazon SNS to send notifications.
-
A computing team is evaluating whether to place a high performance computing (HPC) application in AWS. The team is concerned about application performance and wants to know what options are available to increase networking performance.
Which of the following changes would increase performance for this application? (Choose two.)
- Place the application across many smaller instances to achieve higher total throughput.
- Increase the MTU of the VPC to 9001.
- Enable an MTU of 9001 in the application’s operating system.
- Enable enhanced networking on the instances.
- Deploy the application in two Availability Zones and insert them in one placement group.
-
An organization has created a web application inside a VPC and wants to make it available to 200 client VPCs. The client VPCs are in the same Region but are owned by other business units within the organization.
What is the best way to meet this requirement, without making the application publicly available?
- Configure the application as an AWS PrivateLink-powered service, and have the client VPCs connect to the endpoint service by using an interface VPC endpoint.
- Enable VPC peering between the web application VPC and all client VPCs.
- Deploy the web application behind an internet-facing Application Load Balancer and control which clients have access by using security groups.
- Deploy the web application behind an internal Application Load Balancer and control which clients have access by using security groups.
-
A company’s IT Security team needs to ensure that all servers within an Amazon VPC can communicate with a list of five approved external IPs only. The team also wants to receive a notification every time any server tries to open a connection with a non-approved endpoint.
What is the MOST cost-effective solution that meets these requirements?
- Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to ALL. Create an Amazon CloudWatch Logs filter on the VPC Flow Logs log group filtered by REJECT. Create an alarm for this metric to notify the security team.
- Enable Amazon GuardDuty on the account and the specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty trusted IP list. Configure an Amazon CloudWatch Events rule on all GuardDuty findings to trigger an Amazon SNS notification to the security team.
- Add allowed IPs to the network ACL for the application server subnets. Enable VPC Flow Logs with a filter set to REJECT. Set an Amazon CloudWatch Logs filter for the log group on every event. Create an alarm for this metric to notify the security team.
- Enable Amazon GuardDuty on the account and specific Region. Upload a list of allowed IPs to Amazon S3 and link the S3 object to the GuardDuty threat IP list. Integrate GuardDuty with a compatible SIEM to report on every alarm from GuardDuty.