ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 13

  1. You are the AWS cloud architect and have been tasked with designing an appropriate subnetting design for your production VPC. Your production VPC requires secure communications back to the corporate private network. Quality of Service (QoS) is very important 24 × 7 for this particular connection, as real-time data is passed continually backwards and forwards between your on-prem bioinformatics enterprise application, and the number crunching servers deployed in the cloud. Any potential latency incurred on this connection will have a direct impact on the company’s ability to attract investors and expansion into new markets.

    Select the correct network configuration that best facilitates your company’s continued growth plans.

    • Provision a Direct Connect connection – between your service provider’s data center and the AWS region that your cloud compute resources exist in. Configure just a Private Virtual Interface. As this is a Direct Connection, a Virtual Private Gateway is not required
    • Configure a site-to-site layer 2 software router using OpenVPN within your VPC and ensure that QoS enabled – this is a secure and cheap option
    • Configure a site-to-site layer 3 software router using OpenVPN within your VPC and ensure that QoS enabled – this is a secure and cheap option
    • Provision a Direct Connect connection – between your existing service provider’s data center and the AWS region that your cloud compute resources exist in. Configure a Virtual Private Gateway and Private Virtual Interface
    Explanation:
    Answers A, B, and C all rely on an Internet connection. An Internet connection cannot guarantee QoS and will be subject to performance fluctuations – therefore they are all incorrect options. The only difference between these options is whether a Virtual Private Gateway is required – the answer is yes and therefore the correct answer is D.
  2. You are your company’s AWS cloud architect. You have created a VPC topology that consists of 3 VPCs. You have a centralised VPC (VPC-Shared) that provides shared services to the remaining 2 departmental dedicated VPCs (VPC-Dept1 and VPC-Dept2). The centralised VPC is VPC peered to both of the departmental VPCs, that is a VPC peering connection exists between VPC-Shared and VPC-Dept1, and a VPC peering connection exists between VPC-Shared and VPC-Dept2.

    Select the correct option from the list below.

    • Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Shared instances as the default peering bi-directional communication flag has been disabled.
    • Instances within VPC-Dept1 can communicate directly with instances in VPC-Shared, as long as the appropriate routes and security groups are in place, and vice versa regardless of who initiates communication 
    • All network communication remains blocked between all VPCs until the respective peering bi-directional communication flags are set to the appropriate setting that allows traffic to flow.
    • Network traffic is possible between VPC-Shared instances and VPC-Dept1 and VPC-Dept2 instances as long as the appropriate routes and security groups are in place, but only for communication that is initiated from VPC1-Shared instances as the default peering bi-directional communication flag has been enabled.
    Explanation:
    Answers A, C and D are incorrect answers as they reference a non-existing setting – there is no such thing as a “default peering bi-directional communication flag”.
  3. In your current role as the corporate network architect – you have decided to replace your existing hardware firewall appliances with a pair of Juniper SRX-Series Services Gateways. You have chosen these as AWS lists these as supportable devices for establishing IPsec connections. With this in mind, select the minimum set of options to ensure that you can establish IPsec connectivity between your on-premises private corporate network and your AWS hosted VPC.

    Select which option is NOT required.

    • Initiate network connections from somewhere within your corporate network, this is required to bring the tunnels UP
    • Deploy a Customer Gateway within your corporate network 
    • Deploy a Customer Gateway within your VPC
    • Deploy a Virtual Private Gateway within your VPC
    Explanation:
    A customer gateway within the corporate network is NOT required. The Customer Gateway (CGW) is a component that you deploy within your VPC that logically represents your VPN physical hardware’s perimeter public IP – therefore Answer C is required. A Virtual Private Gateway (VPG) is the AWS VPN Concentrator end point – and is always a requirement that needs to be deployed in your VPC – therefore it must always be deployed – therefore Answer D is required.
    AWS only supports IPsec in Tunnel mode – therefore Answer A is required.
  4. You need to create a baseline of normal traffic flow in order to implement some security changes to your organization.

    What two items would be best to use? (Choose two.)

    • Wireshark 
    • CloudTrail
    • An IDS
    • CloudWatch
  5. Your company has just deployed IPv6 in a VPC. All of the instances currently use a NAT, but once they configured the instances for IPv6 only, they were unable to access the resources on the instances via IPv6. What is the best option to fix this?

    • Configure the NAT for IPv6.
    • Configure an egress-only internet gateway.
    • Add a route for ::/0 to the NAT.
    • Add an internet gateway.
    Explanation:
    NAT is not compatible with IPv6 and an IGW would allow full access to the instances, which is not good. An egress-only IGW is the best solution.
  6. Your company just acquired a new company. You have two VPCs – one is 172.31.0.0/16 and one is 10.111.0.0/16. The acquired company uses 10.111.0.0/16 for their VPC. Your VPC “A” has a group of 12 servers in the range 10.111.2.101 – 10.111.2.112. Their VPC “B” has 20 servers from 10.111.2.171 – 10.111.2.190. You need to access both VPCs from the 172.31.0.0/16 VPC “C”.

    What is the best way to approach this problem?

    • From VPC C, create a peering connection and add a route to VPC A’s peering connection for 10.111.2.96/27 and a route to VPC B’s peering connection for 10.111.2.0/24. 
    • From VPC C, create a peering connection and add a route to VPC A’s peering connection for 10.111.2.96/28 and a route to VPC B’s peering connection for 10.111.2.0/24.
    • From VPC C, create a peering connection and adjust the route tables to direct traffic to the individual servers by exact IP address of the servers.
    • Invest the money and change the CIDR of one of the VPCs since one VPC cannot be peered to two VPCs with the same CIDR block.
    Explanation:
    You can peer VPCs with the same CIDR block to a third VPC, so changing the CIDR block is not necessary. You can adjust the route tables to point to individual servers, but this would be very inefficient. 10.111.2.96/28 does not provide enough addresses for the AWS required addresses. AWS reserves 5 addresses per subnet and this only allows 11 addresses. 10.111.2.96/27 provides 32 addresses with 27 usable. Since it is a /27, it will take precedence over the /24 and route the traffic destined for these instances correctly.
  7. Due to security requirements, all traffic must be encrypted between your VPC and your on-premises data center. You also want to maintain reliability.

    What two options will allow you to achieve this? (Choose two.)

    • A Direct Connect connection with a Private VIF
    • A VPN connection 
    • A Direct Connect connection with a Hosted VIF
    • A Direct Connect connection with a Public VIF
    Explanation:
    To run VPN over DX, you need to have a public VIF to access the VPN endpoints.
  8. You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a “mixed content” security warning.

    What is most likely the problem?

    • There is no rule in your bucket policy allowing public access.
    • You have applied your SSL to your Elastic Loadbalancer but not your CDN. 
    • Your S3 Bucket permissions are incorrect.
    • You are using an SSL from an external CA.
    Explanation:
    You must apply the SSL to your Elastic Load Balancer and your CDN to encrypt all aspects of your site.
  9. You are a network engineer at a company that just purchased a DX connection. You ensured your equipment met all of the technical requirements, you have verified with your AWS account manager and your colocation provider that everything is connected, and all of your information is correct. For some reason, the link does not operate correctly.

    What could be the problem?

    • The CAT6 cable is frayed.
    • Autonegotiation is enabled. 
    • You are using 802.1q VLANs instead of 802.1w.
    • BFD is disabled.
    Explanation:
    Autonegotiation is enabled. A DX connection uses single-mode fiber, not CAT6; BFD is optional, and 802.1q is the correct standard. Autonegotiation must be disabled for DX to work properly.
  10. You have configured a dynamic VPN between your datacenter and your VPC. Your router says the tunnel is up and BGP is active, but for some reason, you are not seeing your routes propagate.

    What is most likely the issue?

    • You need to configure the firewall for BGP.
    • Your router does not support BFD.
    • You need to obtain a new BGP MD5 key.
    • You forgot to set route propagation to “yes” in the route table.
    Explanation:
    You forgot to set route propagation to “yes” in the route table. If the route table says BGP is active and the tunnel is up, then you do not have a firewall issue. BFD has nothing to do with route propagation. You do not need a BGP MD5 key for VPN.
  11. Your company just deployed a WAF to protect its resources. You need to create a baseline before you start blocking traffic. How will you achieve this?

    • Set the WAF to Monitor mode. 
    • Set the WAF to its defaults and let it do its job.
    • Setup a Lambda function to monitor Flow Logs and analyze the traffic using Elasticsearch.
    • A WAF is default deny and does not allow this. You need to use an IDS instead.
    Explanation:
    Monitor mode is the only good choice.
  12. Your website utilizes EC2, S3, ELB-Classic, and CloudFront. Your manager has shifted focus to security and wants you to ensure the site is as secure as possible. What two items could you recommend? (Choose two.)

    • An NACL that blocks all ports to your subnets.
    • A restricted bucket policy. 
    • A WAF on the load balancer.
    • A WAF on your CloudFront distribution.
    Explanation:
    A WAF on CloudFront and a restricted bucket policy to ensure the only access is from CloudFront. You cannot apply a WAF to a classic load balancer and an NACL that blocks all ports would block access to the load balancer.
  13. You have two public applications on different domains that use two front-end servers and two back-end servers each. You wish to achieve high availability for both applications. What two options should you configure? (Choose two.)

    • Route 53: 2 public zones and 2 private zones. 
    • Route 53: 2 public zones and 1 private zone.
    • 3 load balancers: 2 public and 1 internal.
    • 4 load balancers: 2 public and 2 internal.
    Explanation:
    Route 53: 2 public zones and 2 private zones and 4 load balancers: 2 public and 2 internal. This will allow one domain to be balanced over two application servers which will then have traffic balanced to the two backend servers.
  14. Your company was recently acquired and a Direct Connection connection was extended from your new parent corporation to your AWS VPC using a hosted VIF. What data charges are billed to your account for that connection?

    • You are only responsible for the port hours of the VIF.
    • You are not charged anything.
    • You are responsible for all data transfer out. 
    • You are responsible for all data transfer in.
    Explanation:
    You are only responsible for the data transfer out. The port hours are the responsibility of the owner of the connection.
  15. The IPsec protocol suite is made up of various components covering aspects such as confidentiality, encryption, and integrity.

    Select the correct statement below regarding the correct configuration options for ensuring IPsec confidentiality:

    • The following protocols may be used to configure IPsec confidentiality, DES, 3DES, MD5
    • The following protocols may be used to configure IPsec confidentiality, DES, 3DES, AES 
    • The following protocols may be used to configure IPsec confidentiality, PSK, RSA
    • The following protocols may be used to configure IPsec confidentiality, PSK, MD5
    • The following protocols may be used to configure IPsec confidentiality, PSK, RSA
    Explanation:
    Answer A is incorrect – as MD5 is a hashing protocol (data integrity). Answer C is incorrect – as PSK is short for Pre-Shared Keys (key exchange) – and again MD5 is a hashing protocol (data integrity).
    Answer D is incorrect – as both MD5 and SHA are hashing protocols (data integrity). Answer E is incorrect – as both PSK and RSA are used for key exchanges. This leaves Answer B as the only correct IPsec configuration covering confidentiality. DES, 3DES, and AES are all encryption protocols.
  16. Which of the following statements does not describe Jumbo Frames in an AWS VPC environment?

    • For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible
    • Jumbo Frames are not supported for traffic that exits the Virtual Private Gateway
    • Jumbo Frames are not supported for traffic that exits the Internet Gateway
    • T2.micro instances do not support Jumbo Frames
    Explanation:
    All answers except for Answer D are correct. Answer D is incorrect in that AWS does indeed support Jumbo Frames on all instance types within the T2 family class – including the T2.micro instance type.
  17. Within the TCP/IP model, what is the name of the Packet Data Unit (PDU) used between Transport Layers for communication between sender and receiver?

    • Frames
    • Packets
    • Data
    • Segments
    Explanation:
    Segments is the PDU used between transport layers.
  18. Considering the rules of IPv4 subnetting, how many subnets and hosts per subnet are possible given the following network 192.168.130.130/28? (in this question ignore the fact that AWS reserves 5 IP addresses)

    • 8 subnets and 30 hosts per subnet
    • 16 subnets and 14 hosts per subnet 
    • 32 subnets and 30 hosts per subnet
    • 8 subnets and 14 hosts per subnet
    Explanation:
    16 subnets and 14 hosts per subnet are possible in the CIDR.
  19. An unfortunate situation has just come to your attention. A business critical application with sensitive data running on-prem will run out of storage disk space in 24hrs. This business critical application is dependent on a very large set of routes required for integration with other systems. You make a quick but well informed decision to migrate this application quickly to AWS. You are able to quickly launch a new VPC and within it equivalent infrastructure to re-home the application. In order to complete the replication of application data and ensure the application remains operational beyond the next 24hrs, select the best implementation.

    • Within the new VPC – establish a Direct Connect connection with max 10Gbps port speed for data replication. Establish a 802.1Q VLAN and configure a Virtual Private Gateway and Private Virtual Interface, and ensure Jumbo Frames is enabled.
    • Within the new VPC – deploy a Virtual Private Gateway, Customer Gateway, and establish a new IPsec VPN Connection with BGP dynamic routing 
    • Within the new VPC – deploy a Virtual Private Gateway, Customer Gateway, and establish a new IPsec VPN Connection with static routing, and ensure Jumbo Frames is enabled.
    • Within the new VPC – deploy a software based virtual router (for example a Cisco CSR). Configure with dual ENIs (external and internal), create and attach an EIP to the external ENI, Configure and setup IPsec VPN tunnels, and ensure Jumbo Frames is enabled.
    Explanation:
    Answer A – Let’s start by stating that all possible options are actually workable solutions. The key criteria of the question is to complete the data migration aspects as *quickly* as possible. With this in mind we can immediately rule out Answer A – due to the time it takes to provision and activate a fully functional Direct Connect connection, 72+ hrs. Answer C is the same as Answer D but lacks BGP – therefore we would need to setup the routes manually – more time and effort. Additionally Answer D uses Jumbo Frames – but AWS does not support Jumbo frames over the Virtual Private Gateway – therefore Answer D’s use of Jumbo Frames is negated. Overall Answer B is considered the quickest option.
  20. Convert the following IPv4 address, presented in binary form, into dotted decimal form: 10101100.01111011.00001101.10011101.

    • 172.123.13.157 
    • 173.13.13.157
    • 172.122.13.15
    • 172.124.13.57
    Explanation:
    An IPv4 address in dotted decimal format is constructed using binary arithmetic. In binary arithmetic, each bit within a group represents a power of two. Specifically, the first bit in a group represents 2 to the power of 0, the second bit represents 2 to the power of 1, the third bit represents 2 to the power of 2, and so on. Binary format is simple because each successive bit in a group is exactly twice the value of the previous bit. The first octet is 128 + 32 + 8 + 4 = 172
    The second octet 64 + 32 + 16 + 8 + 2 + 1 = 123
    The third octet 8 + 4 + 1 = 13
    The fourth octet is 128 + 16 + 8 + 4 + 1 = 157
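The CIDR arithmetic behind questions 6, 18 and 20 (smallest block covering a server range, usable addresses once AWS reserves 5 per subnet, longest-prefix-match route selection, subnet and host counts for a /28, and binary-to-dotted-decimal conversion) can be checked with a short script. This is an added example written for this page, not part of the original question bank; it uses only Python's standard `ipaddress` module, and the route targets `pcx-A` / `pcx-B` are constructed placeholder names, not real peering connection IDs.

```python
"""Worked CIDR arithmetic for questions 6, 18 and 20 (added example, not from the page)."""
import ipaddress

# AWS reserves the first four and the last address of every VPC subnet.
AWS_RESERVED_PER_SUBNET = 5


def smallest_covering_block(first: str, last: str) -> ipaddress.IPv4Network:
    """Smallest single CIDR block that contains every address from first to last."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    for prefix in range(32, -1, -1):  # widen the block until the last address fits
        net = ipaddress.ip_network(f"{lo}/{prefix}", strict=False)
        if hi in net:
            return net
    raise ValueError("unreachable: /0 covers everything")


def block_fits(cidr: str, first: str, last: str) -> bool:
    """True if both ends of the server range fall inside the candidate block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return ipaddress.IPv4Address(first) in net and ipaddress.IPv4Address(last) in net


def aws_usable_addresses(cidr: str) -> int:
    """Addresses left for instances after AWS's per-subnet reservation."""
    net = ipaddress.ip_network(cidr, strict=False)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def longest_prefix_match(routes: dict, dst: str) -> str:
    """Route-table lookup: the most specific (longest prefix) matching route wins,
    which is why a /27 entry takes precedence over an overlapping /24 entry."""
    d = ipaddress.IPv4Address(dst)
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "no-route"


def classic_subnetting(cidr: str, base_prefix: int = 24):
    """Question 18 style: the network an address belongs to, how many subnets of that
    size fit in the containing /base_prefix block, and classic hosts per subnet
    (network and broadcast addresses excluded, no AWS reservation)."""
    net = ipaddress.ip_network(cidr, strict=False)
    subnets = 2 ** (net.prefixlen - base_prefix)
    hosts = net.num_addresses - 2
    return str(net), subnets, hosts


def binary_to_dotted(binary: str) -> str:
    """Convert four dot-separated 8-bit groups into dotted decimal notation."""
    octets = binary.split(".")
    if len(octets) != 4 or any(len(o) != 8 or set(o) - {"0", "1"} for o in octets):
        raise ValueError("expected four 8-bit binary octets")
    return ".".join(str(int(o, 2)) for o in octets)


if __name__ == "__main__":
    # Question 6: VPC A's servers 10.111.2.101-.112 and the two candidate blocks.
    print(smallest_covering_block("10.111.2.101", "10.111.2.112"))       # 10.111.2.96/27
    print(block_fits("10.111.2.96/28", "10.111.2.101", "10.111.2.112"))  # False
    print(aws_usable_addresses("10.111.2.96/28"), aws_usable_addresses("10.111.2.96/27"))
    # Constructed route table: placeholder peering targets, not real IDs.
    routes = {"10.111.2.96/27": "pcx-A", "10.111.2.0/24": "pcx-B"}
    print(longest_prefix_match(routes, "10.111.2.105"), longest_prefix_match(routes, "10.111.2.180"))
    # Question 18 and question 20.
    print(classic_subnetting("192.168.130.130/28"))
    print(binary_to_dotted("10101100.01111011.00001101.10011101"))
```

Note that `smallest_covering_block` returns the tightest block for the given range only; a longer server range, or one that straddles a block boundary, would need a wider prefix or several routes, which is exactly the check the route-table entry in question 6 depends on.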