ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 12
-
What are two ways to influence the direction of Dynamic VPN traffic over multiple links? (Choose two.)
- AS_PATH Prepending
- BFD
- MED
- Shouting at it
Explanation:
BFD detects failed links but does not create them. Shouting at it just isn’t nice. -
Which of these is not a requirement to set up a DX connection?
- Support for 802.1q VLANs
- BGP MD5 Authentication
- Autonegotiation enabled
- Single mode fiber capability
Explanation:
Autonegotiation must be disabled. -
Which of these is not required when setting up a VIF?
- BGP Key
- VLAN ID
- ASN
- BGP MED
Explanation:
BGP MED is used to steer traffic and not for requesting a VIF. -
Which path will be chosen first?
- 192.168.0.0/16 AS 65000 over Direct Connect
- 192.0.0.0/8 AS 65000 over Direct Connect
- 192.168.1.0/24 AS 65000 65000 65000 over a Dynamic VPN
- 192.168.0.0/16 AS 65000 over a Static VPN
Explanation:
The path selection process always chooses the most specific prefix first. -
What statement about LAGs is incorrect?
- If you create a new connection, you will have to fill out another LOA-CFA.
- You can pool connections with multiple speeds to create one faster speed.
- You will receive 1 LOA-CFA with a page for each connection.
- All connections in the LAG must terminate at the same DX endpoint.
Explanation:
All links must be the same speed for a LAG to be operational. -
Which one of the following options is not true about WorkSpaces?
- WorkSpaces allows integration with Microsoft AD.
- WorkSpaces is great for running Linux applications.
- WorkSpaces is a fully managed, secure desktop computing service.
- WorkSpaces can query on-premises domains for authentication.
-
Which two choices can serve as a directory service for WorkSpaces? (Choose two.)
- Simple AD
- Enhanced AD
- Direct Connection
- AWS Microsoft AD
Explanation:
There is no such thing as “Enhanced AD” and DX is not a directory service. -
Which of these modes is not a configuration mode for a WAF?
- Block
- Allow
- Sleep
- Monitor
Explanation:
There is no sleep mode for a WAF. WAFs are hard workers. -
Which of these metrics cannot help detect a DDoS?
- EC2 CPUUtilization
- ELB SurgeQueueLength
- EMR EMRspersecond
- CloudFront Requests
Explanation:
EMR EMRspersecond doesn’t exist. -
Which service would you use to see who changed your infrastructure?
- Config
- CloudTrail
- Flow Logs
-
Which service would you use to see CPU usage?
- CloudTrail
- Config
- CloudWatch
- None of the above
-
Your on-premises network has an IP address range of 11.11.0.0/16. Only IPs within this network range can be used for inter-server communication. The IP address range 11.11.253.0/24 has been allocated for the cloud.
You need to design a VPC in AWS. The servers within the VPC should be able to communicate with hosts both on the Internet and on-premises through a VPN connection.
What combination of configuration steps meets your needs? (Choose two)
- Set up the VPC with an IP address range of 11.11.253.0/24.
- Set up the VPC with an RFC 1918 private IP address range (e.g., 10.10.10.0/24), and set up a NAT gateway to do translation between 10.10.10.0/24 and 11.11.253.0/24 for all outbound traffic.
- Set up a VPN connection between a VGW and an on-premises router, set the VGW as the default gateway for all traffic, and configure the on-premises router to forward traffic to the Internet.
- Set up a VPN connection between a VGW and an on-premises router, set the VGW as the default gateway for traffic destined to 11.11.0.0/24, and add a VPC subnet route to point the default gateway to an Internet gateway for Internet traffic.
- Set up the VPC with an RFC 1918 private IP address range (e.g., 10.10.10.0/24), and set the VGW to do a source IP translation of all outbound packets to 11.11.0.0/16.
Explanation:
The VPC needs to use a CIDR block in the assigned range (and be non-overlapping with the data center). All traffic not destined for the VPC is routed to the VGW (that route is assumed) and must then be forwarded to the Internet when it arrives on-premises. B and E are wrong because they are not in the assigned range (you can use non-RFC 1918 addresses in a VPC). D is wrong because it directs traffic to the Internet through the Internet gateway. -
You are architecting an HPC solution in AWS. The system consists of a cluster of EC2 instances that require low-latency communications between them.
Which method should you use to set up a cluster to meet these requirements?
- Create a VPC with one subnet in a single Availability Zone. Keep the size of the subnet equal to the number of instances required in the cluster. Launch instances for the cluster in this small subnet to guarantee low-latency network performance.
- Create a placement group. Choose an EC2 instance type compatible with placement groups for the cluster. Launch instances for the cluster in the placement group.
- Launch Amazon EC2 instances with the largest available number of cores and RAM. Attach all instances to an Amazon EBS PIOPS volume. Implement a shared memory system across all instances in the cluster, using this shared EBS volume to minimize latency of communication.
- Choose an EC2 instance type that offers enhanced networking. Attach a 10-Gbps non-blocking elastic network interface to the instances. Configure the elastic network interface to optimize network performance to reduce latency.
Explanation:
Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both. A is incorrect because the size of a subnet has no impact on network performance. C is incorrect because an EBS volume cannot be shared between EC2 instances. D is only half the solution because the enhanced networking affects the network behavior of an EC2 instance but not the network infrastructure between instances. -
Your customer’s internal security teams receive requests to allow Amazon S3 access from inside the corporate network. All external traffic must be explicitly whitelisted through your corporate firewalls.
How can your security team grant this access?
- Obtain the list of IP prefixes from AWS Forum announcements, and use those prefixes in firewall rules.
- Obtain the list of IP prefixes from ip-ranges.json, and use those prefixes in firewall rules.
- Obtain the list of IP prefixes by performing a DNS lookup on Amazon S3 endpoints, and use those prefixes in firewall rules.
- Connect your data center to a VPC via Direct Connect. Create routes that forward traffic from your data center to an S3 private endpoint.
Explanation:
ip-ranges.json contains the latest list of IP addresses used by AWS. AWS no longer posts IP prefixes in Forum announcements. DNS lookups would not provide an exhaustive list of possible IP prefixes. D would require transitive routing, which is not possible. -
Your application server instances reside in the private subnet of your VPC. These instances need to access a Git repository on the Internet. You create a NAT gateway in the public subnet of your VPC. The NAT gateway can reach the Git repository, but instances in the private subnet cannot. You confirm that a default route in the private subnet route table points to the NAT gateway. The security group for your application server instances permits all traffic to the NAT gateway.
What configuration change should you make to ensure that these instances can reach the patch server?
- Assign public IP addresses to the instances and route 0.0.0.0/0 to the Internet gateway.
- Configure an outbound rule on the application server instance security group for the Git repository.
- Configure inbound network access control lists (network ACLs) to allow traffic from the Git repository to the public subnet.
- Configure an inbound rule on the application server instance security group for the Git repository.
Explanation:
The traffic leaves the instance destined for the Git repository; at this point, the security group must allow it through. The route then directs that traffic (based on the IP) to the NAT gateway. A is wrong because it removes the private aspect of the subnet and would have no effect on the blocked traffic anyway. C is wrong because the problem is that outgoing traffic is not getting to the NAT gateway. D is wrong because to allow outgoing traffic to the Git repository requires an outgoing security group rule. -
Considering both the OSI and TCP/IP models, select the statement that is NOT true.
- The TCP/IP Application layer maps to 2 of the OSI Layers
- The top layer in the OSI model is named the Application layer
- The TCP/IP Application layer maps to 3 of the OSI Layers
- The top layer in the TCP/IP model is named the Application layer
Explanation:
The OSI model is a seven-layer model and the TCP/IP model is a four-layer model. The top layer in both models is called the Application layer. The TCP/IP Application layer maps to the top three OSI layers (Application, Presentation, and Session). -
From the following options, select the answer that correctly describes the implementation of the HTTP protocol.
- By definition, HTTP is a connection-less oriented protocol and therefore utilises TCP
- By definition, HTTP is a connection orientated protocol and therefore utilises TCP
- By definition, HTTP is a connection-less oriented protocol and therefore utilises UDP
- By definition, HTTP can be configured to be either connection or connection-less oriented – by specifying the appropriate HTTP header.
Explanation:
HTTP is a connection-oriented protocol and therefore utilizes TCP. -
You have just provisioned a new VPC with a CIDR block of 172.16.12.0/24. The entire CIDR block is fully utilized by subdividing it into 6 subnets, which we will refer to as Subnet1 through Subnet6. The first 2 subnets (Subnet1 and Subnet2) are the same size. The last 4 subnets (Subnet3, Subnet4, Subnet5, Subnet6) are also the same size. Subnet5 is half the size of Subnet2. The address space occupied by the first two subnets is contiguous, as is the address space occupied by the last 4 subnets. Within Subnet3, AWS reserves the address 172.16.12.129 for the VPC router.
Select the correct IP address reserved by AWS for DNS in the Subnet2.
- 172.16.64.1
- 172.16.64.65
- 172.16.12.66
- 172.16.12.64
Explanation:
From the AWS documentation we know that AWS reserves the address x.x.x.1 for the VPC router and x.x.x.2 for DNS within each subnet. This question states that Subnet3 reserves 172.16.12.130 for the VPC router. Given that Subnet3 (the first of the last 4 subnets) starts at 172.16.12.128, it follows that Subnet2 ends at 172.16.12.127. The first 128 addresses are split evenly between Subnet1 and Subnet2: 128/2 = 64 addresses each, or a /26 in CIDR form. Therefore the address reserved by AWS for DNS in Subnet2 must be 172.16.12.66. -
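The subnet layout above can be derived mechanically. The following is an added example (not part of the original question bank) that carves the /24 as the question describes (two equal subnets in the first half, four equal subnets in the second half) and reports the per-subnet addresses AWS reserves; the subnet names and the five-address reservation rule are the only assumptions.

```python
import ipaddress

# Constructed input: the VPC CIDR from the question.
VPC_CIDR = "172.16.12.0/24"

# AWS reserves five addresses in every subnet: the network address,
# .1 (VPC router), .2 (DNS), .3 (future use) and the broadcast address.
RESERVED_OFFSETS = {"network": 0, "router": 1, "dns": 2, "future": 3}


def carve_subnets(vpc_cidr: str) -> dict:
    """Return {name: IPv4Network} for Subnet1..Subnet6 laid out as the question states."""
    vpc = ipaddress.ip_network(vpc_cidr)
    first_half, second_half = vpc.subnets(prefixlen_diff=1)          # two /25 halves
    big = list(first_half.subnets(new_prefix=vpc.prefixlen + 2))     # two equal /26
    small = list(second_half.subnets(new_prefix=vpc.prefixlen + 3))  # four equal /27
    names = [f"Subnet{i}" for i in range(1, 7)]
    return dict(zip(names, big + small))


def reserved_addresses(net: ipaddress.IPv4Network) -> dict:
    """Addresses AWS reserves in a subnet plus the count of usable host addresses."""
    addrs = {k: str(net.network_address + off) for k, off in RESERVED_OFFSETS.items()}
    addrs["broadcast"] = str(net.broadcast_address)
    addrs["usable"] = net.num_addresses - 5
    return addrs


def dns_address(vpc_cidr: str, subnet_name: str) -> str:
    """The x.x.x.2 DNS address of the named subnet."""
    return reserved_addresses(carve_subnets(vpc_cidr)[subnet_name])["dns"]


if __name__ == "__main__":
    for name, net in carve_subnets(VPC_CIDR).items():
        r = reserved_addresses(net)
        print(f"{name}: {net}  router={r['router']}  dns={r['dns']}  usable={r['usable']}")
```

Running it shows Subnet3 starting at 172.16.12.128 with router 172.16.12.129, which matches the hint in the question, and Subnet2's DNS address as 172.16.12.66.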
Select the VPC Peering statement below that is NOT true
- VPC peering supports transitive peering relationships for IPv6 traffic but not IPv4
- VPC peering can be performed between VPCs in different AWS accounts in the same region
- TCP connections can be performed between peered VPCs
- UDP connections can be performed between peered VPCs
Explanation:
VPC peering supports transitive peering relationships for IPv4 and IPv6 traffic -
Select the answer(s) that correctly state how Jumbo Frames work.
- Jumbo Frames assist with application disk storage
- Jumbo Frames can assist with application performance
- Jumbo Frames are supported across Virtual Private Gateway connections
- Jumbo Frames are enabled by increasing the MTU size to 9000 kilobytes
Explanation:
By definition, Jumbo Frames support a 9000 byte MTU, so Answer A is incorrect (the stated unit is kilobytes). Jumbo Frames are a data transmission unit configuration option; they do not change or alter anything related to security, so Answer B is incorrect. Answer C is correct: improved application performance is possible when Jumbo Frames are used in appropriate scenarios. Jumbo Frames are not supported over VPG IPsec VPN connections, so Answer D is incorrect. Answer E is nonsensical: Jumbo Frames are a networking construct and have nothing to do with disk storage.