-
Which of the following does not configure Amazon CloudFront cache behaviors to forward cookies to an origin for web distributions?
- Origin server
- AWS CLI
- Amazon EMR
- Amazon S3
Explanation:
Amazon S3 and some HTTP servers do not process cookies. Do not configure Amazon CloudFront cache behaviors to forward cookies to an origin that doesn’t process cookies, or you’ll adversely affect cacheability and, consequently, performance.
-
You received reports from clients in another time zone that they experienced an outage of your website several hours before you arrived at work. What two AWS services could prove crucial in figuring out what happened? (Choose two.)
- AWS Support
- CloudTrail
- CloudWatch
- Flow Logs
Explanation:
CloudTrail is for finding out who made a change. This could be a reason for the outage, but you need to see the metrics first. CloudWatch and Flow Logs are the best for this.
-
You wish to access all European regions using your Direct Connect connection. How should you accomplish this?
- Peer VPCs in the different regions and connect DX to one of the regions to communicate with the other.
- Use a DX Gateway.
- Find the prefix list for the other region and add it to your route table.
- One DX connection will connect you to all regions.
Explanation:
The DX Gateway will allow access to multiple regions.
-
You are using the CLI to assign multiple IP addresses to interfaces. The operation fails. What is the most likely reason?
- You cannot assign IP addresses in the CLI.
- You can only assign 5 IP addresses at a time through the CLI.
- One or more of the IP addresses could not be assigned.
- All of the IP addresses could not be assigned.
Explanation:
One or more of the IP addresses could not be assigned. It only takes one failed assignment for the entire operation to fail.
-
You are a network admin of a US company called Webby Widgets that is expanding to Europe. The company has a website that serves dynamic and static content.
You have been instructed to ensure the European clients receive the least latency possible, no matter where in Europe they live, while still allowing the US clients to receive the same user experience and performance they have been accustomed to. You have also been instructed to ensure both countries use the same URL to access the site and keep costs low.
What two things should you do? (Choose two.)
- Deploy three VPCs; one for the US, one for the EU, and one as a central VPC that hosts an Elastic Load Balancer that will distribute traffic between the US and EU VPCs.
- Create two A records: eu.webbywidgets.com that points to the EU resources and us.webbywidgets.com that points to the US resources.
- Use the Traffic Flow policy creator to create the perfect routing policy.
- Create a CloudFront distribution to serve the static content from an S3 bucket.
Explanation:
The Traffic Flow policy creator costs $50/mo. per policy and Elastic Load Balancers cannot distribute traffic between VPCs.
-
You are configuring a CloudFront distribution, and when you try to attach an SSL, you do not see your SSL listed. What is the most likely reason for this?
- You must configure an https record in Route 53 first.
- Sometimes, it won’t show, and you need to retrieve the ARN for the SSL and enter it manually.
- You requested an SSL for the wrong region.
- You didn’t wait 48 hours after approving the SSL.
-
Your company has decided to use AWS WorkSpaces for its hosted desktop solution. Your company has an existing AD of about 57,000 users, and you want to minimize authentication traffic from AWS to your datacenter. Your company has a lot of personnel changes, and it is crucial that these changes are reflected reliably.
What two steps should you take? (Choose two.)
- Deploy Hosted AD in AWS.
- Deploy an AD Connector in AWS.
- Create a DX connection between the datacenter and AWS.
- Create a VPN between the datacenter and AWS.
Explanation:
A VPN is not reliable enough, and an AD Connector will cause too much authentication traffic.
-
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active.
What two configuration changes should you implement? (Choose two.)
- MPLS
- BFD
- AS_PATH Prepending
- BGP
Explanation:
Bidirectional Forwarding Detection will allow for faster failover times. AS_PATH Prepending will allow you to choose the default path. BGP is already implemented, and MPLS does not matter.
-
What number does the binary number 10101000 correspond to?
Explanation:
128 + 0 + 32 + 0 + 8 + 0 + 0 + 0 = 168
-
What number does the binary number 11000000 correspond to?
Explanation:
128 + 64 + 0 + 0 + 0 + 0 + 0 + 0 = 192
-
What value in a packet dictates the priority of the packet in a QoS enabled network?
Explanation:
The Differentiated Services Code Point value, or DSCP, is used to label packets on QoS enabled networks for prioritization.
-
What is the IPv6 subnet CIDR used by a VPC?
Explanation:
A VPC will always use /56 as its CIDR.
-
What is the name of the label applied to packets to allow routers to know where to forward in an MPLS network?
Explanation:
Forwarding Equivalence Class is how routers know where to send packets.
-
What port and protocol is used by DNS?
- 80/TCP
- 22/TCP
- 80/TCP and UDP
- 53/TCP and UDP
Explanation:
DNS uses port 53 and either TCP or UDP depending on what type of DNS message is being sent.
-
Which port range must be allowed through a NACL to ensure all return traffic is successful?
- 1024–65,535
- 22
- 65,000–65,535
- 80–443
Explanation:
1024–65,535 is the full “ephemeral port” range.
-
To allow all traffic to access an instance in “Subnet 1” that uses “Security Group 1”, what two options need to be configured? (Choose two.)
- NACL rule allowing 0.0.0.0/0 to access “Subnet 1”
- Security Group rule in “Security Group 1” that allows 0.0.0.0/0 inbound
- Security Group rule in “Security Group 1” that allows outbound traffic to 0.0.0.0/0
- NACL rule allowing 0.0.0.0/0 to access “Security Group 1”
Explanation:
You must allow traffic through the NACL and through the Security Group to access the instance. If there is no outbound allow rule set up in the NACL, you may need to add one, but an outbound rule for Security Group 1 is not necessary, as security groups are stateful.
-
You have created a custom VPC. What are two things you may need to do in order to SSH directly into your instance? (Choose two.)
- Enable SSH on the instance
- Attach a NAT Gateway
- Enable Public IP addresses
- Attach an Internet Gateway
Explanation:
Public IP addresses are not enabled by default in a custom VPC. An Internet Gateway is also required.
-
Which of these addresses cannot be given to an EC2 instance in your VPC?
- 10.0.0.157
- 10.0.0.3
- 10.0.0.4
- 10.0.0.253
Explanation:
10.0.0.3 is reserved by AWS for future use.
-
Which ports must you allow for HTTP and HTTPS traffic?
- 25/465
- 21/22
- 3389/3306
- 80/443
Explanation:
80 and 443 are the ports for HTTP and HTTPS, respectively.
-
If you have one VPC peered with two VPCs with overlapping CIDRs, which route will be preferred?
- 10.1.0.0/16
- 10.0.0.0/8
- 10.1.1.5/32
- 10.1.1.0/24
Explanation:
10.1.1.5/32. The most specific route is preferred.