ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 14

  1. You have been tasked with migrating your company’s proprietary massively large dataset sorting application to AWS. The application currently runs on 4 highly spec’d servers that are in a cluster arrangement and runs 24×7, with the average CPU utilisation across any 24hr period being approx 85% – the migration of this cluster, once up and running on AWS, is expected to run similarly. The servers shuffle data internally and between themselves. Your company’s financial performance is entirely dependent on the speed at which it can sort your customers’ datasets; that is, the faster a sorted result can be returned, the better your company’s bottom line.

    Of the choices presented below, select the optimal network configuration that will ensure the best financial results for your company.

    • Disable Jumbo Frames to ensure better data throughput between instances
    • Enable Jumbo Frames to ensure better data throughput between instances 
    • Create an autoscaled group of c4.8xlarge instances – with min 1 and max 4 – this will ensure your operational costs are minimal
    • Configure a CloudWatch Alarm to add more CPUs to the instances when average cluster CPU utilisation breaches 85%
    Explanation:
    Answer C does not meet the brief – the question states that the requirement is to run a cluster of 4 servers 24×7 – and that the average CPU utilisation across any 24hr period is 85% – therefore having an ASG with min 1 and max 4 provides no benefit, and if anything scaling down from 4 machines would impact the speed at which sorting results are returned – and therefore this would affect the company’s bottom line. We know that of Answers A and B we need to choose one – Answer B best supports our requirements – to move data faster between servers. Answer D is nonsensical – AWS doesn’t support adding or removing CPUs on running instances.
  2. Which statement is NOT true about accessing a remote AWS region in the US via your AWS Direct Connect connection, which is located in the US?

    • To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.
    • To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session.
    • If you have a public virtual interface and established a BGP session to it, your router learns the routes of the other AWS regions in the US.
    • Any data transfer out of a remote region is billed at the location of your AWS Direct Connect data transfer rate.
    Explanation:
    AWS Direct Connect locations in the United States can access public resources in any US region. You can use a single AWS Direct Connect connection to build multi-region services. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface. To access public resources in a remote region, you must set up a public virtual interface and establish a border gateway protocol (BGP) session. Then your router learns the routes of the other AWS regions in the US. You can then also establish a VPN connection to your VPC in the remote region. Any data transfer out of a remote region is billed at the remote region data transfer rate.
  3. You have a management server that needs to be able to communicate with two subnets. One of these subnets is private. This subnet must remain private and must not pass any traffic back to other subnets.

    How would you configure this?

    • Configure a NACL to allow access from the management server to the private server.
    • Add an ENI to the management server that resides in the subnet of the private server. 
    • You can’t do this without allowing traffic back through the other subnet.
    • Configure a security group rule to allow access from the management server to the private server.
    Explanation:
    Add an ENI to the management server that resides in the subnet of the private server. This will allow the management server to communicate with the private server without having to change security rules.
  4. You need to find the subnet, the security group and the VPC that your instance is associated with. You only have access to the terminal of an instance with an admin role attached.

    What is the first part of the command you would use?

    • aws ec2 describe-network-acl
    • aws ec2 describe-instances
    • aws vpc describe-all
    • aws ec2 describe-security-groups
    Explanation:
    aws ec2 describe-instances returns a significant amount of information about the instances in your account. Apply a filter to see only the information about your instance. describe-security-groups and describe-network-acls would not show you which group is associated with your instance, and aws vpc describe-all doesn’t exist.
  5. You are working with a government agency, and you need to choose an encryption standard for their VPN. Which standard should you choose?

    • Twofish
    • Blowfish
    • TripleDES
    • AES
    Explanation:
    AES is the US Government standard.
  6. You have a hybrid infrastructure, and you need AWS resources to be able to resolve your on-premises DNS names. You have configured a DNS server on an EC2 instance in your 10.1.3.0/24 subnet. This subnet resides on the VPC 10.1.0.0/16. What step should you take to accomplish this?

    • Configure your DNS server to forward queries for the private hosted zone to 10.1.3.2.
    • Configure the DHCP option set in the VPC to point to the EC2 DNS server. 
    • Configure your DNS server to forward queries for the private hosted zone to 10.1.0.2.
    • Disable the source/destination check flag for the DNS instance.
    Explanation:
    Your DNS server will forward queries to your on-premises DNS. You must configure the DHCP option set so the instances will forward queries to your on-premises DNS instead of the VPC DNS.
  7. You have several VPCs that are peered. Each VPC has several routes to different subnets. Over the years, your company has acquired many companies. You find that traffic destined for one VPC ends up going to another.

    What is the best way to remedy this?

    • Move the route table entry for the proper VPC higher in the list.
    • Adjust your routes so the proper VPC has a higher CIDR. 
    • Move the route table entry for the proper VPC lower in the list.
    • Adjust your routes so the proper VPC has a lower CIDR.
    Explanation:
    The more specific route (the one with the higher CIDR prefix length) will always take precedence.
  8. You have set up an S3 endpoint, and you want to restrict some instances from being able to access it. These instances are all in the same subnet, so you cannot simply remove the prefix list from the route table.

    What two approaches can you take to solve this? (Choose two.)

    • Remove any access to the PL in the security group attached to the instances. 
    • Add a rule in the NACL to block the prefix list ID outbound.
    • This is not possible.
    • Modify the endpoint policy.
    Explanation:
    You cannot add a prefix list ID to a NACL.
  9. You want to send a broadcast message to your 10.0.0.0/24 subnet, which one of these addresses should you use?

    • 10.0.0.255
    • 10.0.0.1
    • 10.0.0.2
    • You cannot send a broadcast in an AWS VPC.
    Explanation:
    You cannot send a broadcast in an AWS VPC, but the address is still reserved.
  10. You have two VPCs that require DNS resolution from your on-premises data center. You want to have a DNS server in the cloud, but you don’t want to have multiple DNS servers.

    What two steps should you take? (Choose two.)

    • Peer the VPCs and set up routes between them. 
    • Create a VPN between the two VPCs
    • Configure DHCP option sets in both VPCs to point to the DNS server. 
    • Configure a Route 53 record to forward all DNS requests to the DNS server.
    Explanation:
    Peer the VPCs and configure DHCP option sets. A VPN is not necessary. You cannot create a Route 53 record to forward DNS requests.
  11. Your company has a highly available Direct Connect solution that utilizes two datacenters. Each datacenter was initially configured with one four-connection LAG and one standard DX connection. How many LOA documents have been requested and completed for this configuration?

    • 1
    • 4
    • 2
    • 10
    Explanation:
    Only one LOA document is required for each physical connection. The logical connections in the LAG do not need separate LOAs, but they do have separate pages.
  12. To connect to public AWS products such as Amazon EC2 and Amazon S3 through AWS Direct Connect, which step is NOT required?

    • Provide public IP address (/31) for each Border Gateway Protocol (BGP) session.
    • Allocate a Private IP address to your network in 172.x.x.x range. 
    • Provide the public routes that you will advertise over Border Gateway Protocol (BGP).
    • Provide a public Autonomous System Number (ASN) that you own or a private one to identify your network on the Internet.
    Explanation:
    To connect to public AWS products such as Amazon EC2 and Amazon S3 through AWS Direct Connect, you need to provide the following:
    A public Autonomous System Number (ASN) that you own (preferred) or a private ASN. Public IP addresses (/30) (that is, one for each end of the BGP session) for each BGP session. The public routes that you will advertise over BGP.
  13. True or false: A VPC contains multiple subnets, where each subnet can span multiple Availability Zones.

    • This is true only for US regions.
    • This is false. 
    • This is true.
    • This is true only if requested during the set-up of VPC.
    Explanation:
    A VPC can span several Availability Zones. In contrast, a subnet must reside within a single Availability Zone.
  14. Over which of the following Ethernet standards does AWS Direct Connect link your internal network to an AWS Direct Connect location?

    • Copper backplane cable
    • Twisted pair cable
    • Single mode fiber-optic cable 
    • Shielded balanced copper cable
    Explanation:
    AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit or 10 gigabit Ethernet single mode fiber-optic cable.
  15. Fill in the blanks: One of the basic characteristics of security groups for your VPC is that you ______ .

    • can specify allow rules, but not deny rules 
    • can specify deny rules, but not allow rules
    • can specify allow rules as well as deny rules
    • can neither specify allow rules nor deny rules
    Explanation:
    Security Groups in VPC allow you to specify rules with reference to the protocols and ports through which communications with your instances can be established. One such rule is that you can specify allow rules, but not deny rules.
  16. Which of the following physical layer standards is required for connection to AWS Direct Connect over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic cable?

    • Single mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-ER for 10 gigabit Ethernet
    • Multi mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-ER for 10 gigabit Ethernet
    • Single mode fiber, 1000BASE-LX for 1 gigabit Ethernet, or 10GBASE-LR for 10 gigabit Ethernet 
    • Multi mode fiber, 1000BASE-SX for 1 gigabit Ethernet, or 10GBASE-SR for 10 gigabit Ethernet
    Explanation:
    Connections to AWS Direct Connect require single mode fiber, 1000BASE-LX (1310nm) for 1 gigabit Ethernet, or 10GBASE-LR (1310nm) for 10 gigabit Ethernet.
  17. In AWS Direct Connect, which of the following is true of configuring your router to connect to the AWS Direct Connect router?

    • After creating a virtual interface for your AWS Direct Connect connection, you can download the router configuration file from the available link 
    • After completing the Cross Connect step, the download link for the router configuration will be available
    • After submitting your AWS Direct Connect connection request, you will receive the router configuration details by email within 72 hours
    • In Create a Virtual Interface step, the general configuration of your router would be available for downloading.
    Explanation:
    To use AWS Direct Connect, after you have created a virtual interface for your AWS Direct Connect connection, you can download the router configuration file. This configuration helps your router connect to the AWS Direct Connect router. It is based on the details of the virtual interface you created and on the vendor, platform, and software of your router.
  18. In AWS Direct Connect, to provide for failover, AWS recommends that you request and configure two dedicated connections to AWS. These connections can terminate on one or two routers in your network. You can do this while __________________ with AWS Direct Connect step.

    • creating a Virtual Interface
    • configuring redundant connections 
    • completing the cross-connect
    • verifying your Virtual Interface
    Explanation:
    In AWS Direct Connect, to provide for failover, AWS recommends that you request and configure two dedicated connections to AWS. These connections can terminate on one or two routers in your network. You can do this in the Configure Redundant Connections with AWS Direct Connect step.
  19. To get started using AWS Direct Connect, in which of the following steps do you configure Border Gateway Protocol (BGP)?

    • Complete the Cross Connect
    • Verify your Virtual Interface
    • Create a Virtual Interface 
    • Submit AWS Direct Connect Connection Request
    Explanation:
    In AWS Direct Connect, your network must support Border Gateway Protocol (BGP) and BGP MD5 authentication, and you need to provide a private Autonomous System Number (ASN) to connect to Amazon Virtual Private Cloud (VPC). To connect to public AWS products such as Amazon EC2 and Amazon S3, you will also need to provide a public ASN that you own (preferred) or a private ASN. You configure BGP in the Create a Virtual Interface step.
  20. Does Amazon VPC support multicast or broadcast?

    • Yes, both.
    • It doesn’t support any of them. 
    • Multicast yes, Broadcast no.
    • Both, but only outside Amazon VPC.
    Explanation:
    Amazon VPC supports neither multicast nor broadcast.