ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 15

  1. Imagine you are using AWS Direct Connect with just one connection from your router to the AWS Direct Connect router. If your connection becomes unavailable, communication with the AWS cloud is lost. What is the best method to prevent this from happening?

    • AWS Direct Connect provides neither BGP nor failover.
    • AWS Direct Connect recommends having the same configuration set up in multiple Availability Zones to prevent such a loss of connectivity.
    • AWS Direct Connect recommends that you request and configure two dedicated connections to AWS either using BGP Multipath (Active/Active) connection or the failover (Active/Passive) connection. 
    • AWS Direct Connect has no provision to prevent this situation, but when you design the system it is recommended to request a backup instance to which the traffic can be re-routed.
    Explanation:
    When configuring redundant connections with AWS Direct Connect, and to provide for failover, we recommend that you request and configure two dedicated connections to AWS. There are different configuration choices available when you provision two dedicated connections: you can use either an Active/Active (BGP multipath) configuration or an Active/Passive (failover) configuration for the two dedicated connections.
  2. Which endpoint is considered to be best practice when analyzing data within a Configuration Stream of AWS Config?

    • SNS
    • E-Mail
    • SQS 
    • Kinesis
    Explanation:
    The Simple Queue Service can be subscribed to the AWS Config topic (the Configuration Stream), which gives you a highly available and decoupled environment for the data within your Configuration Streams. Using SQS allows you to create and use your own applications to extract only the information and data that is pertinent to you. There can be vast amounts of data coming into the Configuration Stream, but you might only want to be notified and made aware of changes that may relate to potential security issues. As a result, you may want to pull from the queue only the information that relates to Security Groups, NACLs, IAM Roles, or any other resource type that could affect the security of your environment.
  3. You are the network engineer at your company, and you are noticing QoS issues in the traffic to your instances hosting a VoIP program. You need to inspect the network packets to determine whether it is a programming error or a networking error. How should you do this?

    • Configure a network monitoring program on every instance and stream the logs to an S3 bucket to be parsed. 
    • Use CloudWatch
    • Set up another instance with an ENI added to act as a monitoring interface. Set the port to “promiscuous mode” and sniff the traffic to analyze the packets. Then output this single stream to an S3 bucket to be parsed.
    • Inspect Flow Logs
    Explanation:
    Flow Logs and CloudWatch do not display packet contents. You cannot sniff traffic destined for other instances.
  4. Your company has a highly available Direct Connect solution that utilizes two datacenters. Each data center contains one two-connection LAG and one standard DX connection. How many LOAs will be filled out in total if your company completes an order to add a new connection to each one of the LAGs?

    • 1
    • 11
    • 2
    • 6
    Explanation:
    Four LOAs are required for the first order and two more for the second.
  5. Your boss decides to assign an Elastic IP to a production instance. Once he does this, access to the URL for that website fails. What happened?

    • The original IP address was released back to AWS when the Elastic IP was assigned. 
    • Your boss only needs to restart the Apache service.
    • Your boss should have turned off the server before assigning the IP address.
    • Your boss needs to restart the server.
    Explanation:
    The original IP address was released back to AWS when the Elastic IP was assigned. If you attach an EIP, you lose the address originally assigned to the instance unless you add it to another interface.
  6. You have a data center with a 2-connection LAG. You wish to add 2 more connections; how many LOAs must you complete?

    • 2
    • 1
    • 4
    • 0
    Explanation:
    You must complete a LOA for each new physical connection.
  7. Your VPC has a DX connection that is advertising 99 routes. You have two more prefixes to add: 10.223.1.0/24 and 10.223.2.0/24. You have several locations, so you need to be as exact as possible with your routing.

    How would you do this?

    • Add the prefixes; AWS allows for as many BGP routes as you need but not static.
    • Contact AWS to extend the number of prefixes you are allowed to advertise.
    • Summarize the routes into a 10.223.0.0/22 and advertise that route instead. 
    • Summarize the routes into a 10.223.0.0/12 and advertise that route instead.
    Explanation:
    BGP has a strict 100 prefix limit. 10.223.0.0/12 includes both routes but is not very specific. 10.223.0.0/22 is the proper summarization of both routes.
  8. You have a hybrid environment in which your VPC queries your on-premises DNS server for resources in your environment. The EC2 instances in your VPC are unable to resolve on-premises resources.

    What are two possible reasons for this problem? (Choose two.)

    • Your NACL is blocking UDP port 53 outbound 
    • Your security group is blocking port 53 inbound
    • Your NACL is blocking TCP port 53 outbound. 
    • Your on-premises firewall is blocking port 443
    Explanation:
    DNS requires TCP and UDP port 53.
  9. After setting up an AWS Direct Connect connection, which of the following cannot be done with an AWS Direct Connect Virtual Interface?

    • You can delete a virtual interface; if its connection has no other virtual interfaces, you can delete the connection.
    • You can change the region of your virtual interface.
    • You can create a hosted virtual interface.
    • You can exchange traffic between the two ports in the same region connecting to different Virtual Private Gateways (VGWs) if you have more than one virtual interface.
    Explanation:
    You must create a virtual interface to begin using your AWS Direct Connect connection. You can create a public virtual interface to connect to public resources or a private virtual interface to connect to your VPC. Also, it is possible to configure multiple virtual interfaces on a single AWS Direct Connect connection, and you’ll need one private virtual interface for each VPC to connect to. Each virtual interface needs a VLAN ID, interface IP address, ASN, and BGP key. To use your AWS Direct Connect connection with another AWS account, you can create a hosted virtual interface for that account. These hosted virtual interfaces work the same as standard virtual interfaces and can connect to public resources or a VPC.
  10. In the “start using the AWS Direct Connect steps,” when can you complete the Cross Connect step?

    • After verifying your virtual interface
    • After you have received your Letter of Authorization and Connecting Facility Assignment (LOA-CFA) from AWS
    • 72 hours after submitting your request for AWS Direct Connect Connection
    • Immediately after submitting your request for AWS Direct Connect Connection
    Explanation:
    To complete the steps of “start using the AWS Direct Connect,” after submitting your request for AWS Direct Connect connection, AWS will send you an email within 72 hours with a Letter of Authorization and Connecting Facility Assignment (LOA-CFA). After you have received your LOA-CFA, you need to complete your cross-network connection, also known as a cross connect.
  11. By default, all AWS accounts are limited to ____ EIPs, because public (IPv4) Internet addresses are a scarce public resource.

    • 5
    • 8
    • 6
    • 2
    Explanation:
    An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing. With an EIP, you can mask the failure of an instance by rapidly remapping the address to another instance. By default, all AWS accounts are limited to 5 EIPs, because public (IPv4) Internet addresses are a scarce public resource.
  12. A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH.

    How should the user define the security rule for SSH?

    • The user can connect to an instance in a private subnet using the NAT instance
    • The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
    • Allow Inbound traffic on port 22 from the user’s network
    • Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the internet
    Explanation:
    The user can create subnets as required within a VPC. If the user wants to connect to the VPC from their own data centre, the user can set up a VPN-only (private) subnet that uses VPN access to connect with the data centre. When the user has configured this setup with the wizard, all network connections to the instances in the subnet will come from the data centre. The user has to configure the security group of the private subnet to allow inbound SSH traffic (port 22) from the data centre’s network range.
  13. In Amazon CloudFront, if you need to quickly remove objects from a distribution, you can:

    • delete the objects from cache.
    • invalidate the objects. 
    • remove your Amazon S3 bucket.
    • delete your distribution and recreate it.
    Explanation:
    In Amazon CloudFront, if you need to quickly remove objects from a distribution, you can invalidate them.
  14. Which of the following types of content cannot be served over HTTP or HTTPS in Amazon CloudFront?

    • Apple HTTP Live Streaming
    • Static and dynamic download content
    • Adobe Flash multimedia content 
    • CloudFront RTMP distribution
    Explanation:
    In Amazon CloudFront, you can use web distributions to serve the following content over HTTP or HTTPS: static and dynamic download content (for example, .html, .css, .php, and image files); multimedia content on demand using progressive download and Apple HTTP Live Streaming (HLS); and live events, such as a meeting, conference, or concert, in real time. You can’t serve Adobe Flash multimedia content over HTTP or HTTPS.
  15. You need to create a subnet in a VPC that supports 1000 hosts. You need to be as accurate as possible since you run a very large company. What CIDR should you use?

    • /16
    • /24
    • /7
    • /22
    Explanation:
    /22 supports 1019 hosts since AWS reserves 5 addresses.
  16. You are managing a VPC with 4 AZs. There is a load balancer managing the public accessibility to your servers. You have a secondary ENI with a private IPv4 address on an instance that is serving public web traffic. Your server communicates over private addresses to a database in another subnet. Security is a major concern for your company and whitelisting is in effect.

    You have to bring the web server down for maintenance. What two things should you do? (Choose two.)

    • Reboot the instance.
    • Move the ENI from one server to the other.
    • Associate the new ENI with the database security group. 
    • Configure a secondary ENI on the standby instance.
    Explanation:
    You must configure a secondary ENI on the standby instance with an IP address that can access the data subnet. This may require modification of the security group for the database.
  17. You manage a webserver that serves a webpage on AWS infrastructure. You utilize an Application Load Balancer, CloudFront, S3, and some other AWS services for this site. You are only responsible for the server and you don’t have access to the AWS console or API.

    You need to find out what IPs are accessing your website. What is the best way to achieve this?

    • Ask someone with IAM permissions to view the Flow Logs to give you access.
    • View the access logs. They already show this information.
    • Run “curl http://169.254.169.254/latest/meta-data/access_log”
    • Add “X-Forwarded-For” to the access logs and view the access logs.
    Explanation:
    Adding “X-Forwarded-For” to the access logs and viewing the access logs is the best answer here. IAM permissions could work but are not necessary; the curl command queries instance metadata, not access logs.
  18. You have 3 VPCs that need to be able to pass traffic. In what two ways can you achieve this? (Choose two.)

    • Peer each VPC to every other VPC to create a full mesh peering. 
    • Peer them; VPC peering allows transitive peering as of December 2017.
    • Call AWS to enable transitive peering.
    • Create VPNs between them and adjust the routing tables accordingly.
    Explanation:
    VPN instances can be used to create transitive peering. Full mesh peering is the only way to use peering to allow all VPCs to communicate with all other VPCs. Transitive peering is not possible.
  19. You have a Simple AD deployment, and you wish to use it for your Microsoft Exchange email server. You are having issues finding the AD server. Why might this be?

    • You need to contact AWS to receive a PTR record for your email server.
    • Your firewall is blocking it.
    • Simple AD is not a full Active Directory server and will not work with many MS products. 
    • SSL is not implemented.
    Explanation:
    Simple AD is Samba-based and does not support full Microsoft AD integration.
  20. You have 99 routes in your dynamic BGP propagated route table and you wish to add 2 more: 10.1.0.0 and 10.3.0.0. You cannot modify or remove routes that have already been announced.

    What should you do?

    • Summarize the two routes to combine them into one and advertise it. 
    • Just advertise them; the 100 route limit is a “soft limit” and will be expanded automatically.
    • You cannot add these routes.
    • Call AWS support to increase your route limit.
    Explanation:
    You cannot add these routes. If you try to summarize them, that would create 10.0.0.0/14, which is too broad a prefix to advertise to AWS; AWS requires a minimum of /16. You cannot have the 100 route limit modified in any way. It is a hard 100 route limit.