ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 09
-
When configuring Active/Passive HA on VPN tunnels, choose the two best ways to configure this. (Choose two.)
- Keep both tunnels up.
- Configure AS_PATH prepending on one of the paths.
- Turn off one of the paths until you need it.
- Configure MED on one of the tunnels.
Explanation:
Keep both tunnels up and prepend the AS_PATH on the tunnel you want to be passive. When two tunnels advertise the same prefix, AWS compares AS_PATH length before MED, so the tunnel with the shorter path carries traffic and the prepended one is used only when the first withdraws its route. A tunnel that has been turned off is not a backup: IPsec and the BGP session would have to be re-established before it could carry any traffic. -
Your company is working on a transition from IPv4 to IPv6 but is concerned about the security of having public IPv6 addresses attached to instances in a public network. They currently use a NAT to allow outbound traffic for instances. Outbound traffic is required for updates. What are two options to alleviate your company’s concerns? (Choose two.)
- Remove any rules allowing ::/0 inbound in the security group.
- Block ::/0 inbound in the NACL.
- Create an egress-only internet gateway.
- Block 0.0.0.0/0 inbound in the NACL.
Explanation:
Blocking 0.0.0.0/0 only affects IPv4. Network ACLs are stateless, so blocking ::/0 inbound in the NACL also drops the return traffic for connections the instances open, which breaks updates. Security groups are stateful: removing the ::/0 inbound rule stops outside hosts from initiating connections while replies to outbound connections are still allowed. An egress-only internet gateway does the same at the VPC edge for IPv6, letting instances initiate outbound IPv6 connections (the job NAT does for IPv4, which does not apply to IPv6 addresses because they are globally routable) while refusing connections initiated from the internet. -
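Checking the first correct option in practice means finding every ingress rule that admits ::/0. The following is an added example, not code from the page or from AWS: it walks the structure that `aws ec2 describe-security-groups` returns (the `SecurityGroups` list) and composes the matching `revoke-security-group-ingress` calls. The two groups are constructed sample data; the group IDs and CIDRs are invented.

```python
"""Audit security groups for ingress rules reachable from any IPv6 address (::/0).

Only ingress is examined: security groups are stateful, so revoking an inbound
::/0 rule does not affect replies to connections the instance itself opens.
"""


def open_ipv6_ingress(security_groups):
    """Return (group_id, protocol, from_port, to_port) for each rule open to ::/0."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            if any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", [])):
                findings.append((
                    group["GroupId"],
                    perm.get("IpProtocol"),
                    perm.get("FromPort"),   # absent when IpProtocol is -1 (all traffic)
                    perm.get("ToPort"),
                ))
    return findings


def revoke_commands(findings):
    """Compose the CLI calls that remove just the ::/0 source from each flagged rule,
    leaving any IPv4 ranges on the same rule in place."""
    cmds = []
    for group_id, proto, from_port, to_port in findings:
        ports = "" if from_port is None else f",FromPort={from_port},ToPort={to_port}"
        cmds.append(
            f"aws ec2 revoke-security-group-ingress --group-id {group_id} "
            f"--ip-permissions 'IpProtocol={proto}{ports},Ipv6Ranges=[{{CidrIpv6=::/0}}]'"
        )
    return cmds


SAMPLE_GROUPS = [  # constructed sample data in describe-security-groups shape
    {"GroupId": "sg-0a1", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-0b2", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "2001:db8::/32"}]},
    ]},
]

if __name__ == "__main__":
    for cmd in revoke_commands(open_ipv6_ingress(SAMPLE_GROUPS)):
        print(cmd)
```

Note that sg-0b2 is not flagged: its IPv6 source is a specific /32, and the 0.0.0.0/0 IPv4 range is outside this check's scope.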
You have two placement groups in a VPC. What communication speed can be expected between the two placement groups?
- 5Gbps
- 10Gbps
- 20Gbps
- You cannot communicate between two placement groups.
Explanation:
Instances in different placement groups can communicate; the difference is bandwidth. Outside a cluster placement group, each network flow is limited to 5 Gbps, so that is the figure to expect between the two groups, whereas single-flow traffic inside a cluster placement group can reach 10 Gbps. -
You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.1.0.0/24 AS 65000 65000, Site B is VPN 10.1.0.252/30 AS 65000, Site C is DX 10.0.0.0/8 AS 65000 and Site D is DX 10.0.0.0/16 AS 65000 65000 65000. Which site will AWS choose to reach a host in 10.1.0.252/30 on your network?
- Site A: VPN 10.1.0.0/24 AS 65000 65000
- Site B: VPN 10.1.0.252/30 AS 65000
- Site C: DX 10.0.0.0/8 AS 65000
- Site D: DX 10.0.0.0/16 AS 65000 65000 65000
Explanation:
Site B. The most specific prefix always wins, before connection type or AS_PATH is considered: for a destination inside 10.1.0.252/30 the /30 is chosen even though it is a VPN and Direct Connect paths exist. Direct Connect over VPN, then AS_PATH length, then MED are consulted only to break ties between equally specific prefixes. -
You manage a website that uses a load balancer. You are noticing one of the servers is receiving more traffic than the other. What is probably the cause of this?
- An Elastic Load Balancer sends traffic based on server load. One server must be a larger instance.
- You have DNS latency routing set, so it is diverting traffic to a different instance.
- You have sticky sessions configured and there are several power users that happen to be on the other server.
- The server has more connections available.
Explanation:
Sticky sessions keep a client on the same backend for the life of its session, so a few heavy users pinned to one instance skew its share of traffic. Route 53 latency routing resolves the name to the load balancer, not to the individual instances behind it. A load balancer does not weight traffic by instance size or free connection capacity; by default it distributes requests round robin. -
Your website is under attack and a malicious party is stealing large amounts of data. You have default NACL rules. Stopping the attack is the ONLY priority in this case. Which two commands should you use? (Choose two.)
- aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 32768
- aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --egress --rule-number 100
- aws ec2 delete-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 100
- aws ec2 create-network-acl-entry --network-acl-id acl-5fb84d47 --ingress --rule-number 100 --protocol -1 --port-range From=-1,To=-1 --cidr-block 0.0.0.0/0 --rule-action deny
Explanation:
Delete the default allow-all rules (rule number 100, inbound and outbound). The default deny (rule number 32767, shown as *) cannot be deleted or modified, so it is then the only rule left in each direction, and because network ACLs are stateless the outbound deny stops the stolen data leaving as well. The first option names rule 32768, which does not exist (user rules run from 1 to 32766). Creating another rule 100 fails because that number is already in use inbound; a deny that is meant to take effect would have to use a lower number than the existing allow, since rules are evaluated in ascending order. -
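The same reasoning, as an added example that is not from the page or from AWS: given the `Entries` list that `aws ec2 describe-network-acls` returns, the code below plans the lockdown, skips the immutable default deny, and shows why the fourth option's `create-network-acl-entry` would fail. The ACL contents are constructed to match a fresh default network ACL and reuse the page's ID acl-5fb84d47; the error code name is the one EC2 returns for a duplicate rule number.

```python
"""Plan the lockdown of a network ACL that still carries its default allow-all rules."""

DEFAULT_DENY_RULE = 32767   # the "*" rule; AWS refuses to delete or change it


def lockdown_commands(acl_id, entries):
    """Return delete-network-acl-entry commands for every allow rule, inbound first.

    Network ACLs are stateless and evaluated lowest rule number first, so once
    the allow rules are gone only the default deny remains in each direction.
    """
    cmds = []
    for e in sorted(entries, key=lambda e: (e["Egress"], e["RuleNumber"])):
        if e["RuleNumber"] == DEFAULT_DENY_RULE or e["RuleAction"] != "allow":
            continue
        direction = "--egress" if e["Egress"] else "--ingress"
        cmds.append(
            f"aws ec2 delete-network-acl-entry --network-acl-id {acl_id} "
            f"{direction} --rule-number {e['RuleNumber']}"
        )
    return cmds


def rule_number_in_use(entries, rule_number, egress):
    """True when create-network-acl-entry with this number and direction would be
    rejected with NetworkAclEntryAlreadyExists."""
    return any(e["RuleNumber"] == rule_number and e["Egress"] == egress for e in entries)


def remaining_entries(entries):
    """(egress, rule_number, action) for what is left after the allow rules go."""
    return sorted(
        (e["Egress"], e["RuleNumber"], e["RuleAction"])
        for e in entries
        if e["RuleNumber"] == DEFAULT_DENY_RULE or e["RuleAction"] != "allow"
    )


DEFAULT_ACL_ENTRIES = [  # constructed: a VPC default network ACL, in describe-network-acls shape
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for cmd in lockdown_commands("acl-5fb84d47", DEFAULT_ACL_ENTRIES):
        print(cmd)
    print("rule 100 inbound already exists:", rule_number_in_use(DEFAULT_ACL_ENTRIES, 100, False))
```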
You are a holdings company that buys many businesses and must integrate their VPCs into your network. You are constantly encountering networks with similar or overlapping subnets.
What is the best way to manage this?
- BFD
- VRF
- A standby router for the overlapping subnets.
- A strict IP addressing policy that forces new companies to change the IP addresses of their VPCs.
Explanation:
VRF (Virtual Routing and Forwarding) lets a single router hold several independent routing tables, so overlapping address space from acquired companies can be routed in separate instances instead of forcing every acquisition to renumber. -
Your company has a high-availability hybrid solution that uses two Direct Connect connections and a backup VPN connection. For some reason, traffic is preferring the VPN connection instead of the Direct Connect connections. You have prepended a longer AS_PATH on the VPN connection, but AWS still prefers it over the Direct Connect connections.
What might you be able to do to fix this issue?
- Advertise a less specific prefix on the VPN.
- Remove the prepended AS_PATH.
- Reconfigure the VPN as a static VPN instead of dynamic.
- Increase the MED on the VPN.
Explanation:
Prefix length is evaluated before the Direct Connect-over-VPN preference and before AS_PATH, so the only way a VPN route beats a Direct Connect route is if the VPN advertises a more specific prefix. The question does not say so, but it is the only step in the selection process that overrides Direct Connect, so the fix is to advertise the same or a less specific prefix on the VPN. Prepending and MED cannot help, because they are consulted only between equally specific prefixes. -
You work for an international corporation that uses AWS. Due to regulations, you are now required to route the US and China to two different websites. You set up the records and now no other countries can access your site.
Why is this?
- You forgot to set a default geolocation record.
- You probably broke your DNS.
- You must have a geolocation in place for every country.
- Geolocation features are only available in CloudFront.
Explanation:
A default geolocation record is required for queries from locations that match no geolocation rule (and for queries carrying no usable location data); without one, Route 53 returns no answer for those queries, which is why every other country lost access. -
Your company is expanding its cloud infrastructure and moving many of its flat files and static assets to S3. You currently use a VPN to access your compute infrastructure, but you require more reliability for your static files as you are offloading all of your important data to AWS. What is your best course of action while keeping costs low?
- Create a Direct Connect connection using a Private VIF to access both compute and S3 resources.
- Create an S3 endpoint and create a route to the endpoint prefix list for your VPN to allow access to your S3 resources.
- Create two Direct Connect connections. Each connected to a Private VIF to ensure maximum resiliency.
- Create a Direct Connect connection using a Public VIF and route your VPN over the DX connection to your VPN endpoint.
Explanation:
An S3 gateway endpoint serves only traffic originating inside the VPC; it cannot be reached over a VPN from on premises. A Private VIF reaches VPC resources only, not S3's public endpoints, so one or two Private VIFs leave S3 unreachable, and two DX connections also double the cost. A Public VIF reaches AWS public endpoints such as S3 over the dedicated link, and running the existing VPN over that same link to the VPN endpoint's public address keeps the compute traffic encrypted while riding the more reliable circuit. -
Your company currently has a LAG to AWS with two 1Gbps connections. What is the best way to increase throughput on this LAG?
- Add three 1Gbps connections to the LAG.
- Add one 10Gbps connections to the LAG.
- Configure your router to use “jumbo frames” with an MTU of 9001.
- Add two 1Gbps connections to the LAG.
Explanation:
Add two 1Gbps connections. A LAG is limited to four connections and every member must have the same bandwidth, so a 10Gbps link cannot join a LAG of 1Gbps links and three more 1Gbps links would exceed the limit. Jumbo frames (MTU 9001) reduce per-packet overhead but do not add bandwidth to the LAG. -
You have 4 Direct Connect connections from your datacenter. Site A advertises 172.16.0.0/16 AS 65000, Site B advertises 172.16.0.128/25 AS 65000 65000 65000, Site C advertises 172.0.0.0/8 AS 65000 and Site D advertises 172.16.0.0/24 AS 65000. Which site will AWS choose to reach your network?
- Site A: 172.16.0.0/16 AS 65000
- Site B: 172.16.0.128/25 AS 65000 65000 65000
- Site C: 172.0.0.0/8 AS 65000
- Site D: 172.16.0.0/24 AS 65000
Explanation:
Site B: 172.16.0.128/25 AS 65000 65000 65000. The most specific prefix is always the first choice, so for a destination inside 172.16.0.128/25 the /25 wins despite its longer AS_PATH; AS_PATH length is compared only between equally specific prefixes. -
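The four route-selection questions on this page (the active/passive tunnel pair, the two prefix-comparison questions and the VPN-preferred-over-Direct-Connect question) all come down to one ordered comparison. The following is an added example, not code from AWS or from the original page: it models the documented Site-to-Site VPN route priority (longest prefix match, then Direct Connect BGP over VPN static over VPN BGP, then shortest AS_PATH, then lowest MED) and runs the page's own site data through it. The prefixes in the VPN-versus-Direct Connect scenario and the tunnel scenario are constructed, since the page does not give them, and the MED step is simplified (AWS compares MED only when the first AS in the paths also matches).

```python
"""AWS virtual private gateway route selection, modelled in plain Python."""
import ipaddress
from dataclasses import dataclass

# Applied after prefix length; lower rank wins.
SOURCE_RANK = {"dx-bgp": 0, "vpn-static": 1, "vpn-bgp": 2}


@dataclass(frozen=True)
class Advertisement:
    site: str
    prefix: str              # e.g. "10.1.0.252/30"
    source: str              # "dx-bgp", "vpn-static" or "vpn-bgp"
    as_path: tuple = ()      # (65000, 65000) is AS 65000 prepended once
    med: int = 0             # last tie-breaker, lowest wins

    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)


def select_route(destination, advertisements):
    """Return the advertisement AWS would use to reach `destination`, or None."""
    dest = ipaddress.ip_address(destination)
    candidates = [a for a in advertisements if dest in a.network()]
    if not candidates:
        return None
    return min(candidates, key=lambda a: (
        -a.network().prefixlen,      # 1. longest prefix match
        SOURCE_RANK[a.source],       # 2. Direct Connect > VPN static > VPN BGP
        len(a.as_path),              # 3. shortest AS_PATH (prepending lengthens it)
        a.med,                       # 4. lowest MED (simplified, see lead-in)
    ))


def chosen_site(destination, advertisements):
    route = select_route(destination, advertisements)
    return route.site if route else None


# The page's two-VPN, two-DX question.
Q_TWO_VPN_TWO_DX = [
    Advertisement("A", "10.1.0.0/24", "vpn-bgp", (65000, 65000)),
    Advertisement("B", "10.1.0.252/30", "vpn-bgp", (65000,)),
    Advertisement("C", "10.0.0.0/8", "dx-bgp", (65000,)),
    Advertisement("D", "10.0.0.0/16", "dx-bgp", (65000, 65000, 65000)),
]

# The page's four-Direct-Connect question.
Q_FOUR_DX = [
    Advertisement("A", "172.16.0.0/16", "dx-bgp", (65000,)),
    Advertisement("B", "172.16.0.128/25", "dx-bgp", (65000, 65000, 65000)),
    Advertisement("C", "172.0.0.0/8", "dx-bgp", (65000,)),
    Advertisement("D", "172.16.0.0/24", "dx-bgp", (65000,)),
]

# VPN preferred over Direct Connect despite prepending (constructed prefixes):
# before and after the VPN stops advertising a more specific prefix.
VPN_MORE_SPECIFIC = [
    Advertisement("DX", "10.0.0.0/16", "dx-bgp", (65000,)),
    Advertisement("VPN", "10.0.1.0/24", "vpn-bgp", (65000, 65000, 65000)),
]
VPN_SAME_PREFIX = [
    Advertisement("DX", "10.0.0.0/16", "dx-bgp", (65000,)),
    Advertisement("VPN", "10.0.0.0/16", "vpn-bgp", (65000, 65000, 65000)),
]

# Active/passive tunnels of one VPN connection: same prefix, one prepended (constructed).
ACTIVE_PASSIVE_TUNNELS = [
    Advertisement("tunnel-1", "10.0.0.0/16", "vpn-bgp", (65000,)),
    Advertisement("tunnel-2", "10.0.0.0/16", "vpn-bgp", (65000, 65000, 65000)),
]

if __name__ == "__main__":
    print(chosen_site("10.1.0.253", Q_TWO_VPN_TWO_DX))      # B: the /30 wins
    print(chosen_site("172.16.0.200", Q_FOUR_DX))           # B: the /25 wins despite its AS_PATH
    print(chosen_site("10.0.1.9", VPN_MORE_SPECIFIC))       # VPN: prepending cannot beat a longer prefix
    print(chosen_site("10.0.1.9", VPN_SAME_PREFIX))         # DX: now the tie-breakers apply
    print(chosen_site("10.0.5.5", ACTIVE_PASSIVE_TUNNELS))  # tunnel-1 until it withdraws the route
```

Dropping `tunnel-1` from the list (its route withdrawn) moves the answer to `tunnel-2` with no configuration change, which is the failover the first question wants.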
You have a server that serves www, FTP, and mail. You need to access this server using www.yourname.com, ftp.yourname.com, and mail.yourname.com. You want to ensure an IP change results in the least number of other changes.
What is the best solution?
- Create PTR records and point the IP address of the server back to www, ftp, and mail.
- Create an A record pointing to the server’s IP address and create CNAME records for www, ftp, and mail and point those to the A record.
- Create an A record for www, ftp and mail, and point it to the ALIAS of the server.
- Create CNAME records for www, ftp, and mail and point those to the A record already provided to the instance by AWS.
Explanation:
There is no ALIAS record for an EC2 instance. CNAME records pointing to the AWS-provided public DNS name do not help, because that name contains the IP address itself and changes along with it, so all three CNAMEs would need updating. A PTR record maps an IP back to a name for reverse lookups; it does not make www, ftp or mail resolve to the server. Three CNAME records pointing at one A record means only the A record has to change when the IP changes. -
Your company has a DX connection and you just added a new VPC with a new Private VIF for it on your DX link. You copied the settings from the other VPC's VIF to ensure they are the same. Once you connected the new VIF, you began seeing problems with connectivity to both VPCs.
You checked to make sure you didn’t use the same CIDR with each VPC, so what could be the problem?
- You used the same VLAN ID for both connections.
- You overloaded your DX circuit.
- Your MPLS provider does not allow traffic to two VPCs.
- You can only connect one VIF to a DX circuit.
Explanation:
Each virtual interface on a Direct Connect connection needs its own 802.1Q VLAN ID; copying the settings reused the VLAN tag, so the two VIFs collide on the same link. A single DX connection can carry many VIFs, and adding a VIF does not by itself overload the circuit. -
You need to find the public IP address of an instance that you’re logged in to. What command would you use?
- curl ftp://169.254.169.254/latest/meta-data/public-ipv4
- scp localhost/latest/meta-data/public-ipv4
- curl http://127.0.0.1/latest/meta-data/public-ipv4
- curl http://169.254.169.254/latest/meta-data/public-ipv4
Explanation:
curl http://169.254.169.254/latest/meta-data/public-ipv4. The instance metadata service answers only on the link-local address 169.254.169.254 over HTTP; it is not reachable on 127.0.0.1 and does not speak FTP or SCP. On instances configured to require IMDSv2, first obtain a session token with a PUT to http://169.254.169.254/latest/api/token (header X-aws-ec2-metadata-token-ttl-seconds) and send it in the X-aws-ec2-metadata-token header with the GET; requiring IMDSv2 is the usual defence against SSRF-style reads of metadata, because a forwarded GET alone is refused. -
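The token handshake, as an added example that is not from the page or from AWS. The client side performs the real IMDSv2 exchange (PUT /latest/api/token with the TTL header, then GET with the token header); because 169.254.169.254 only exists on an instance, the block also starts a constructed stand-in for the service on loopback so the exchange runs offline, refusing a tokenless GET the way an IMDSv2-only instance does. The IP it returns is constructed, and `base` is a parameter so the client functions can be pointed at http://169.254.169.254 on a real instance.

```python
"""Read public-ipv4 from instance metadata using the IMDSv2 token handshake."""
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_HEADER = "X-aws-ec2-metadata-token"
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"


def get_token(base, ttl=21600):
    """IMDSv2 step 1: PUT a session token request; the TTL header is mandatory."""
    req = urllib.request.Request(f"{base}/latest/api/token", method="PUT",
                                 headers={TTL_HEADER: str(ttl)})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def get_metadata(base, path, token):
    """IMDSv2 step 2: GET a metadata path, presenting the session token."""
    req = urllib.request.Request(f"{base}/latest/meta-data/{path}",
                                 headers={TOKEN_HEADER: token})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read().decode()


def public_ipv4(base):
    return get_metadata(base, "public-ipv4", get_token(base))


def tokenless_get_status(base):
    """HTTP status the service gives a GET that carries no token (an SSRF-style read)."""
    try:
        with urllib.request.urlopen(f"{base}/latest/meta-data/public-ipv4", timeout=2) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code


class FakeImds(BaseHTTPRequestHandler):
    """Constructed stand-in: tokens from PUT, metadata only with a valid token."""
    tokens = set()
    public_ip = "203.0.113.10"      # constructed value

    def log_message(self, *args):   # keep the example quiet
        pass

    def do_PUT(self):
        if self.path == "/latest/api/token" and TTL_HEADER in self.headers:
            token = secrets.token_urlsafe(32)
            self.tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400, "")

    def do_GET(self):
        if self.headers.get(TOKEN_HEADER) not in self.tokens:
            self._reply(401, "")    # tokenless (IMDSv1-style) GET is refused
        elif self.path == "/latest/meta-data/public-ipv4":
            self._reply(200, self.public_ip)
        else:
            self._reply(404, "")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_fake_imds():
    """Start the stand-in on an ephemeral loopback port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), FakeImds)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}", server


if __name__ == "__main__":
    base, server = start_fake_imds()
    print(public_ipv4(base))             # 203.0.113.10 from the stand-in
    print(tokenless_get_status(base))    # 401
    server.shutdown()
```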
You have a hybrid infrastructure and you have configured your own DNS server on an EC2 instance in your 10.1.3.0/24 subnet. This subnet resides on the VPC 10.1.0.0/16. You need your data center to be able to resolve Route 53 queries in your private hosted zone. What do you need to do to accomplish this?
- Disable the source/destination check flag for the DNS instance.
- Configure your DNS server to forward queries for the private hosted zone to 10.1.3.2.
- Configure your DNS server to forward queries for the private hosted zone to 10.1.0.2.
- Configure the VPC DHCP option set in the VPC to point to the EC2 DNS server.
Explanation:
10.1.3.2 is just the third address of that subnet, not a DNS server. The Amazon-provided resolver sits at the VPC CIDR base plus two, 10.1.0.2, and is reachable only from inside the VPC, so on-premises resolvers cannot query it directly; pointing them at the EC2 DNS server and having it forward private-hosted-zone queries to 10.1.0.2 is what makes those names resolve from the data center. The source/destination check is irrelevant because the instance answers queries itself rather than forwarding packets, and a DHCP option set is not needed because the clients being served are on premises, while instances in the VPC already use the Route 53 resolver. -
Your company has signed up to trial AWS WorkSpaces. You aren’t sure you’re going to keep it, but you want to try it out to see if it works for your organization of 112 users. You need to deploy it with as little work and up-front expense as possible while still allowing access to your Active Directory for authentication.
What two things should you do? (Choose two.)
- Create a VPN connection.
- Create an AD connector
- Setup AWS hosted Microsoft AD
- Create a Direct Connect connection to AWS.
Explanation:
A VPN connection and an AD Connector get you running without migrating users, buying Direct Connect circuits and equipment, or paying for a second directory: the AD Connector proxies authentication requests to your existing Active Directory over the VPN. -
You have two autoscaling groups in your VPC. One deploys servers that host the index of your website and another that deploys servers that host the images for your website. What three steps would you take to ensure the right servers are used for the right purpose? (Choose three.)
- Create a path-based routing rule to route traffic destined for “/” to target group 1 and “/*.jpg” to target group 2.
- Create two target groups and associate them with each autoscaling group.
- Configure a Classic Load Balancer
- Configure an Application Load Balancer
Explanation:
Configure an Application Load Balancer, create two target groups (one per Auto Scaling group) and add a path-based listener rule sending “/” to the first and “/*.jpg” to the second. A Classic Load Balancer does not support path-based routing rules or target groups. -
You have two VPCs that you’ve peered. You created a route for VPC A to get to an instance in VPC B. You are unable to ping the instance. You have double checked your security groups and NACLs.
Why might this be?
- You forgot to add a return route.
- ICMP is not supported over peering connections.
- You have to enable Source/Destination check in the VPCs.
- You have to configure the peering connection to allow two way traffic.
Explanation:
Peering routes are not created automatically and are not bidirectional: VPC A's route table sends the echo request to VPC B through the peering connection, but VPC B needs its own route back to VPC A's CIDR for the echo reply. ICMP works across peering, the peering connection itself carries traffic both ways once accepted, and source/destination check is a per-instance setting that plays no part here. -
You want to ensure you have the absolute best transmission rates inside and outside your VPC. You are concerned about the MTU settings. What is the best way to configure your T2 instances to ensure the best compatibility?
- Set all MTU to 1500 as that is the best way to ensure compatibility.
- Leave everything as is.
- Configure two ENIs, one for internal traffic and one for external traffic. Configure the external ENI with an MTU of 1500 and the internal ENI with an MTU of 9001.
- Set all MTU to 9001 as that is the best way to ensure the best speed. The packets will be fragmented if they have to be.
Explanation:
By using two ENIs, you ensure the right MTU is used for each destination: jumbo frames (9001) stay inside the VPC, where they are supported, and internet-bound traffic leaves on the 1500-byte ENI, so packets do not hit the 1500-byte limit at the internet gateway and get fragmented or, with the DF bit set, dropped. Setting everything to 1500 gives up the in-VPC gain, and setting everything to 9001 leaves external traffic relying on path MTU discovery and fragmentation.