ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 08

  1. Your company is connecting one data center with one router to several VPCs and needs to access them transitively. What should you do?

    • Create a VPN to one VPC and peer the others.
    • This is not possible.
    • Use a transit VPC with a VPN running on one or more EC2 instances to route traffic between the VPCs. 
    • Just connect; VPCs are transitive in nature.
    Explanation:
    VPC peering is not transitive, so a VPN into one VPC cannot reach the others through peering. A transit VPC, with a VPN appliance running on one or more EC2 instances, routes traffic between the data center and the other VPCs. Those instances become a routing chokepoint that you patch, size and monitor yourself.
  2. Your AWS WorkSpaces users are unable to authenticate. What could be one reason for this?

    • Your AD server is running Windows Server 2016
    • Port 3389 is not open to your AD server.
    • Port 389 is not open to your AD server. 
    • Your AD server is running Windows Server 2012 Core Edition.
    Explanation:
    Active Directory authentication uses LDAP on port 389 (TCP and UDP). If the security group or NACL in front of the directory does not allow it, WorkSpaces cannot look up or authenticate users. Port 3389 is RDP, used for desktop sessions, not for directory queries, and the Windows Server version is irrelevant.
  3. You have just deployed a website that utilizes CloudFront, ELB, and S3 to serve content. When users access your site, they are seeing broken image links. You know you configured CloudFront to use cdn.yourdomain.com. What is the most likely reason why your users are not seeing the images?

    • There is no rule in your bucket policy allowing public access.
    • The images in S3 are saved as .png instead of .jpg.
    • There is no record in Route 53 pointing cdn.yourdomain.com to the ALIAS. 
    • The users are using Internet Explorer.
    Explanation:
    Without a Route 53 record (an ALIAS pointing cdn.yourdomain.com at the CloudFront distribution), the image URLs do not resolve. Opening the bucket to public access would also appear to fix the links, but you never want to give public access to your content bucket; CloudFront should fetch from a private origin.
  4. You are responsible for several EC2 instances deployed from Amazon AMIs that are required to upload information to an S3 bucket. This information must not traverse the public internet. You must also be able to update the instances. Which option is your best solution?

    • An S3 endpoint and a NAT
    • An S3 endpoint 
    • A VPN to the IP addresses specified in the AWS official S3 prefix list
    • A NACL with the AWS prefix list added to it and a VPN.
    Explanation:
    An S3 gateway endpoint keeps the traffic on the AWS network and, because the Amazon Linux package repositories are hosted in S3, the instances can still install updates through it, so a NAT is not required. The VPN and NACL options are not possible: a VPN cannot be built to the S3 prefix list, and NACLs do not accept prefix lists. Attach an endpoint policy to the gateway endpoint so the instances can reach only the buckets they need.
  5. Your company is building a new data center. You currently have an on-premises data center that accesses your single VPC via VPN. You need to provide access to your single VPC to your new data center. Since your new data center build is already over budget, you need to keep costs low.

    How should you accomplish this?

    • Add a Private VIF and create a Direct Connect connection.
    • Create a new Customer Gateway and add it to your VPN using a CloudHub infrastructure model. 
    • Add a Public VIF and create a Direct Connect connection.
    • Create a new Virtual Gateway and add it to your VPN using a CloudHub infrastructure model.
    Explanation:
    Create a new Customer Gateway. A Private VIF would work, but you want to keep costs low. A Public VIF reaches only AWS public resources, such as S3. A Virtual Gateway would be created if you were creating a new VPN connection in a new VPC. A Customer Gateway represents the new data center's router, and adding it to the existing Virtual Gateway in a CloudHub model gives the new data center access to the VPC.
  6. You have a website hosted on EC2 that is not serving web pages. You have ensured that the server is running and the site is configured properly. What could be the problem?

    • Your NACL does not allow port 80 outbound.
    • Your NACL does not allow ports 1024 − 65535 outbound. 
    • Your NACL does not allow ports 1024 − 65535 inbound.
    • Your security group does not allow outbound traffic.
    Explanation:
    NACLs are stateless, so the reply to a client that connected on port 80 leaves the subnet from port 80 to the client's ephemeral port, and the NACL must allow ports 1024 − 65535 outbound. (If the server itself opens connections to other websites, the same ephemeral range must be allowed inbound for the replies.) Security groups are stateful, so their outbound rules do not affect replies to inbound connections.
  7. You are auditing an AWS infrastructure after you noticed some abnormal charges on the bill. You use AWS Config to monitor your changes. What else is required to find out who made the change?

    • There is no information to find this. You will need to sign up for Config Premium.
    • Use the eventID of the change and reference it with your Flow Logs.
    • Use the eventId of the change and reference it with CloudTrail to find the culprit. 
    • Use the eventID of the change and reference it with CloudWatch to find the culprit.
    Explanation:
    CloudTrail is for finding “who” performed an action: it records each API call with the calling identity, source IP and time, whereas AWS Config records what changed. A Config configuration item carries the CloudTrail event IDs that caused it (its relatedEvents field), so the eventID is the key for joining the two.
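    The join described above, as an added example that is not part of the original page: a Config configuration item's relatedEvents is looked up in a CloudTrail log file to recover the principal. The CloudTrail records, the configuration item, the account ID and the instance ID are all constructed for illustration.

```python
"""Added example (not from the original page): correlating an AWS Config
configuration item with CloudTrail to find who made a change. All records
below are constructed; in practice the item comes from the Config
configuration history and the records from the trail's log files in S3."""
import json

# Constructed CloudTrail log file contents (the "Records" array).
# eventID is the join key with the Config item below.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    {
        "eventID": "11111111-aaaa-4bbb-8ccc-000000000001",
        "eventName": "RunInstances",
        "eventTime": "2019-03-01T10:15:00Z",
        "sourceIPAddress": "198.51.100.20",
        "userIdentity": {"type": "IAMUser",
                         "arn": "arn:aws:iam::123456789012:user/alice"},
    },
    {
        "eventID": "11111111-aaaa-4bbb-8ccc-000000000002",
        "eventName": "ModifyInstanceAttribute",
        "eventTime": "2019-03-01T10:20:00Z",
        "sourceIPAddress": "203.0.113.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/Admin/bob"},
    },
]})

# Constructed AWS Config configuration item; relatedEvents carries the
# CloudTrail event IDs that produced this configuration change.
CONFIG_ITEM = {
    "resourceType": "AWS::EC2::Instance",
    "resourceId": "i-0abc123def456",
    "configurationItemCaptureTime": "2019-03-01T10:21:00Z",
    "relatedEvents": ["11111111-aaaa-4bbb-8ccc-000000000002"],
}


def index_cloudtrail(log_text):
    """Map eventID -> record so each Config item needs one dictionary lookup."""
    return {rec["eventID"]: rec for rec in json.loads(log_text)["Records"]}


def who_changed(config_item, events_by_id):
    """Return (eventID, principal ARN, eventName, sourceIPAddress) for every
    related CloudTrail event. Unmatched IDs are returned with None fields so
    gaps stay visible (for example, the trail was not delivering yet)."""
    results = []
    for event_id in config_item.get("relatedEvents", []):
        rec = events_by_id.get(event_id)
        if rec is None:
            results.append((event_id, None, None, None))
            continue
        results.append((event_id, rec["userIdentity"]["arn"],
                        rec["eventName"], rec["sourceIPAddress"]))
    return results


if __name__ == "__main__":
    for row in who_changed(CONFIG_ITEM, index_cloudtrail(CLOUDTRAIL_LOG)):
        print(row)
```

    The same lookup scales to a whole day of trail files by indexing every Records array first and then walking the Config history; any configuration item whose related events are all missing is worth a second look, since it means the change happened outside the period the trail covers.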
  8. Your organization has placed a project on hold and has stopped 30 public EC2 instances. These instances use instance store volumes and do not have custom AMIs associated. You are still being charged every month.

    What is the charge probably for?

    • AWS charges for dormant accounts.
    • You have Elastic IPs associated with those instances. 
    • There is a “stopped instance” fee that AWS charges every month.
    • You are being charged for the EBS volumes.
    Explanation:
    You have Elastic IPs associated with those instances. An Elastic IP attached to a stopped instance counts as unused and is billed per hour, as is any unassociated EIP in the account. Instance store volumes are discarded when the instance stops and are not billed, and there is no stopped-instance fee.
  9. You need to quickly view inbound traffic to an instance to determine why it isn’t reaching the instance properly. What is the best tool for this?

    • Wireshark
    • CloudWatch
    • CloudTrail
    • Flow Logs
    Explanation:
    Flow Logs are the right tool: they record each flow at the ENI with an ACCEPT or REJECT action, so traffic dropped by a security group or NACL shows up as REJECT. CloudWatch metrics only show the amount of data in and out, and CloudTrail records API calls, not network traffic. Wireshark cannot see anything inside the AWS infrastructure; running it on the instance shows only packets that already passed the security group and NACL, so it cannot explain why traffic is not arriving.
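    As an added example (not from the original page), the following parses flow log records in the default format and pulls out the rejected inbound flows for one instance. The log lines, the ENI ID and the instance address are constructed; a real log would be read from CloudWatch Logs or S3.

```python
"""Added example (not from the original page): filtering VPC Flow Log
records for rejected inbound traffic to one instance's ENI. The lines below
are constructed in the default (version 2) flow-log format; the ENI ID,
account ID and addresses are assumptions."""
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample. protocol: 6 = TCP, 17 = UDP, 1 = ICMP.
# The NODATA line is what a window with no traffic looks like.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.10 51515 80 6 12 9000 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.10 51516 443 6 3 180 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 40000 443 6 3 180 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.1.10 0 0 1 2 128 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.5 80 51515 6 10 52000 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1418530010 1418530070 - NODATA
2 123456789012 eni-0ffffffffffffffff 198.51.100.9 10.0.2.20 40001 443 6 3 180 1418530010 1418530070 REJECT OK
"""


def parse_flow_log(text):
    """Parse default-format lines into dicts. Lines whose log-status is not
    OK (NODATA, SKIPDATA) carry no 5-tuple and are dropped so they do not
    distort the counts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_inbound(records, eni_id, instance_ip):
    """Inbound means the destination is the instance's address on this ENI.
    REJECT means a security group or NACL dropped the flow; the log does
    not say which, so check both."""
    return [r for r in records
            if r["interface_id"] == eni_id
            and r["dstaddr"] == instance_ip
            and r["action"] == "REJECT"]


def summarize(rejects):
    """Count rejects by (protocol, dstport) so the missing rule stands out."""
    return Counter((r["protocol"], r["dstport"]) for r in rejects)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    rej = rejected_inbound(recs, "eni-0a1b2c3d4e5f67890", "10.0.1.10")
    for (proto, port), n in summarize(rej).most_common():
        print(f"protocol {proto} dstport {port}: {n} rejected flows")
```

    In the constructed sample the rejects cluster on TCP 443 and on ICMP, which points at a security group that allows 80 but not 443 and no ICMP. Flow logs are aggregated per capture window rather than streamed packet by packet, so "quickly" means minutes, not seconds.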
  10. Your company has just completed a transition to IPv6 and has deployed a website on a server. You were able to download software on the instance without an issue. This website is deployed using IPv6, but the public is not able to access it. What should you do to fix this problem?

    • Add an internet gateway for the instance.
    • Add an egress-only internet gateway.
    • Add an inbound rule to your security group that allows inbound traffic on port 80 for ::/0. 
    • Add an inbound rule to your security group that allows inbound traffic on port 80 for 0.0.0.0/0.
    Explanation:
    Your instance can reach the internet, since it was able to download software, so an internet gateway is not what is missing, and an egress-only internet gateway permits outbound IPv6 only, which would not help inbound visitors. 0.0.0.0/0 matches IPv4 only; an IPv6 listener needs an inbound rule for ::/0.
  11. Your company has two DX locations. You need to configure one link as passive. What should you configure in your router to set that link as the passive link.

    • Set a higher MED.
    • Configure AS_PATH Prepending on the link. 
    • Advertise a network with a higher CIDR.
    • Call your service provider and have the ASN changed for that link.
    Explanation:
    You should configure AS_PATH prepending on the passive link; this is the method AWS recommends for an active/passive Direct Connect configuration. Advertising a network with a higher CIDR (a more specific prefix, say a /25 instead of a /24) has the opposite effect: longest-prefix match wins before any BGP attribute is compared, so that link becomes the preferred one. A higher MED does make a path less preferred, but MED is compared only after AS_PATH length and is not the preferred method here. Changing your ASN will not help.
  12. You have just configured an Elastic Load Balancer. Assuming all settings are configured properly, about how long will it take an instance to become healthy with a 6 second HealthCheck Interval, an unhealthy threshold of 5 and a healthy threshold of 10?

    • 120 seconds
    • 30 seconds
    • 6 seconds
    • 60 seconds
    Explanation:
    60 seconds: the healthy threshold of 10 consecutive successful checks at a 6 second interval gives 10 × 6 = 60 seconds. The unhealthy threshold only governs how quickly a failing instance is taken out of service.
  13. Your company needs to directly update an S3 bucket that serves as a CloudFront origin with the most reliability possible. Your company also has a set of private EC2 servers that it needs to access with the same reliability. Which combination will provide the best solution?

    • A Virtual Gateway and a Public VIF
    • A Private VIF is all you need to access all AWS resources.
    • A Hosted VIF and a Private VIF
    • A Public VIF and a Private VIF
    Explanation:
    The Public VIF will allow access to AWS public endpoints such as the S3 bucket over Direct Connect, and the Private VIF will allow access to the private addresses of the EC2 instances. A Private VIF alone cannot reach S3's public endpoints, and a Hosted VIF is simply a VIF provisioned on another account's connection, not a separate capability.
  14. You wish to have a sub-1G connection to AWS to save on costs. How can you achieve this?

    • Just set your router to the speed you want and AWS will charge you based on the actual speed of the port.
    • Contact AWS, they will put you in contact with a technical account manager who can help you get this setup.
    • You can’t. The only speeds available for Direct Connect are 1G and 10G.
    • Contact an AWS partner, AWS does not provide sub-1G connection speeds.
    Explanation:
    Sub-1G service (hosted connections below 1 Gbps) is only available through AWS Direct Connect partners; AWS itself provides dedicated 1G and 10G ports, and a port is billed at its provisioned speed regardless of what your router negotiates.
  15. You have just peered two VPCs, and you need to improve performance for instances you plan on deploying. What are two steps you would take to do this? (Choose two.)

    • Create two subnets in the same AZ and create a placement group. 
    • Set the MTU of your instances to 1500.
    • Create two subnets in different AZs and create a placement group.
    • Ensure you choose instances that use enhanced networking.
    Explanation:
    A cluster placement group can only be deployed in a single AZ, so both subnets must be in the same AZ, and its low-latency, high-throughput benefit is only realised with instances that support enhanced networking. Setting the MTU to 1500 would make things worse: instances in a VPC use 9001-byte jumbo frames by default, and peering within a region carries them.
  16. You have just deployed a website that utilizes CloudFront, ELB, and S3 to serve content. When users access your site, they are seeing broken image links. What is most likely the problem?

    • There is no record in Route 53 pointing cdn.yourdomain.com to the CloudFront ALIAS.
    • You need to create Origin Access Identity for CloudFront and add it to your bucket policy. 
    • The images in S3 are saved as .png instead of .jpg.
    • There is no rule in your bucket policy allowing public access.
    Explanation:
    With the bucket kept private, as it should be, CloudFront needs an Origin Access Identity, and the bucket policy must grant that OAI s3:GetObject; otherwise S3 returns 403 and the image links break. Allowing public access in the bucket policy would also work, but it is bad practice.
  17. You have a static VPN connecting your data center and your VPC. You currently have 50 routes added to your route table. You want to add more; how should you do this?

    • 50 is the most you can have for any connection.
    • Just add them, you have a maximum of 100 static routes per route table.
    • Set up Direct Connect. A VPN will not support more routes.
    • Convert your VPN to a dynamic VPN and use BGP.
    Explanation:
    A static VPN connection is limited to 50 static routes (50 IPv4 and 50 IPv6), so convert it to a dynamic VPN and let BGP advertise the routes; a dynamic VPN can accept up to 100 routes. Direct Connect would work, but it would be more than you need.
  18. Your company needs an inexpensive solution to host their AD data in the cloud. They do not need all of the features of AD but do need to be able to use it with WorkSpaces. What is the best solution?

    • AD Connector
    • Hosted Microsoft AD
    • Simple AD 
    • Deploy an AD server on an M3.large instance
    Explanation:
    Simple AD is the best choice here. If authentication is all you need, it is the least expensive in-cloud directory that WorkSpaces supports. AD Connector only proxies to a directory you already run on-premises, and managed Microsoft AD or a self-managed server on EC2 costs more.
  19. You need to find the MTU used by another instance, but tracepath is not working. You know the instance you are trying to tracepath has open security group and NACL rules. Which protocol do you need to allow to access your instance to remedy this?

    • Protocol 6: TCP
    • Protocol 47: GRE
    • Protocol 17: UDP
    • Protocol 1: ICMP
    Explanation:
    You need to allow Protocol 1, ICMP, to access your instance. tracepath discovers the path MTU from ICMP “destination unreachable” (fragmentation needed) messages, so if ICMP is blocked it never learns the MTU even though the instance itself is reachable.
  20. You are under a DDoS attack and you have added a deny all TCP rule to your NACL, but traffic is still coming. What did you do wrong?

    • You configured the rule number to be too low.
    • A NACL can’t protect against a DDoS.
    • The DDoS isn’t a TCP attack. 
    • You need to add a deny rule outbound also since NACLs are stateful.
    Explanation:
    The DDoS isn’t a TCP attack (this time). A DDoS can use several different protocols, commonly UDP or ICMP floods, and a deny rule for TCP does nothing for those. NACLs are stateless, so an inbound deny needs no matching outbound rule. Rules are evaluated in ascending number order and the first match wins, so a lower rule number gives the deny a higher priority, not a lower one.
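    As an added example (not from the original page) covering both the ephemeral-port question (6) and the DDoS question (20) above, the following is a small simulation of stateless NACL evaluation: lowest rule number first, first match wins, implicit deny at the end, and each direction checked on its own. The rule numbers, CIDRs and packets are constructed.

```python
"""Added example (not from the original page): a minimal simulation of how a
network ACL evaluates traffic. Rule numbers, CIDRs and sample packets are
constructed for illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # lower number is evaluated first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    cidr: str
    port_from: int     # ignored for "all" and "icmp"
    port_to: int
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str     # the non-VPC side: source for inbound, destination for outbound
    port: int          # destination port of this packet


def evaluate(rules, packet):
    """Evaluate one direction of a NACL. First match by rule number wins and
    the implicit final rule denies. NACLs are stateless, so the reply packet
    must be evaluated separately against the other direction's rules."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if ipaddress.ip_address(packet.remote_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.port_from <= packet.port <= rule.port_to):
            continue
        return rule.action
    return "deny"


def web_session_allowed(inbound, outbound, client_ip, client_port):
    """A client connection to port 80 works only if the request passes the
    inbound rules AND the reply to the client's ephemeral port passes the
    outbound rules."""
    request = Packet("tcp", client_ip, 80)
    reply = Packet("tcp", client_ip, client_port)
    return evaluate(inbound, request) == "allow" and evaluate(outbound, reply) == "allow"


# Question 6: outbound allows only port 80, so replies to ephemeral ports drop.
INBOUND = [Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow")]
OUTBOUND_BROKEN = [Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow")]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

# Question 20: a deny-all-TCP at rule 50 stops TCP floods, but a UDP flood
# still hits the broad allow at rule 100.
DDOS_INBOUND = [
    Rule(50, "tcp", "0.0.0.0/0", 0, 65535, "deny"),
    Rule(100, "all", "0.0.0.0/0", 0, 0, "allow"),
]
# Same deny placed at rule 200 never matches: the allow at 100 wins first.
DDOS_WRONG_ORDER = [
    Rule(100, "all", "0.0.0.0/0", 0, 0, "allow"),
    Rule(200, "tcp", "0.0.0.0/0", 0, 65535, "deny"),
]

if __name__ == "__main__":
    print(web_session_allowed(INBOUND, OUTBOUND_BROKEN, "203.0.113.5", 51515))  # False
    print(web_session_allowed(INBOUND, OUTBOUND_FIXED, "203.0.113.5", 51515))   # True
    print(evaluate(DDOS_INBOUND, Packet("tcp", "198.51.100.9", 80)))            # deny
    print(evaluate(DDOS_INBOUND, Packet("udp", "198.51.100.9", 53)))            # allow
    print(evaluate(DDOS_WRONG_ORDER, Packet("tcp", "198.51.100.9", 80)))        # allow
```

    The simulation is deliberately one-directional per call so the statelessness is explicit: a security group would have allowed the reply automatically, a NACL will not.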