ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 18
You are deploying a web application in a VPC that requires SSL mutual authentication with a client-side, smartcard-stored certificate. The ELB Classic Load Balancer listener must support mutual authentication between the client and the application.
Which load balancer protocol should you select for this application?
- HTTP
- HTTPS
- SSL
- TCP
Explanation:
An ELB Classic Load Balancer cannot validate a client-side certificate, so the connection must be passed through as plain TCP on port 443 so that the EC2 instance performs the validation itself.
-
Use ___________ to get more visibility into the health of your AWS Elastic Beanstalk application and take appropriate actions in case of hardware failure or performance degradation.
- Amazon Elastic Beanstalk command line
- Amazon EC2 log files
- Amazon CloudWatch
- Amazon Load balancing
Explanation:
In AWS Elastic Beanstalk, you can use Amazon CloudWatch to get more visibility into the health of your AWS Elastic Beanstalk application and take appropriate actions in case of hardware failure or performance degradation.
-
To directly manage your CloudTrail security layer, you can use ____ for your CloudTrail log files.
- SSE-S3
- SCE-KMS
- SCE-S3
- SSE-KMS
Explanation:
By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.
-
Which of the following statements is true of AWS Elastic Beanstalk?
- AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.
- AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, and both are free of charge.
- AWS Elastic Beanstalk doesn’t use CloudWatch for monitoring and alarms, but you pay extra for any AWS Elastic Beanstalk Alarm you set in the monitoring tool.
- AWS Elastic Beanstalk has its own free-of-charge monitoring tool, and you are not charged for the alarm you set.
Explanation:
AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.
-
Which of the following services is used to send an alert from CloudWatch?
- AWS SNS
- AWS EBS
- AWS SES
- AWS SQS
Explanation:
AWS Auto Scaling and Simple Notification Service (SNS) work in conjunction with CloudWatch. You use Amazon SNS with CloudWatch to send messages when an alarm threshold has been reached.
-
To determine whether a log file was modified, deleted, or unchanged after CloudTrail delivered it, you can use ____.
- trusted signers
- optimistic locking
- integrity validation
- root credentialing
Explanation:
AWS CloudTrail uses log file integrity validation to determine whether a log file was changed or modified after CloudTrail delivered it to an Amazon S3 bucket.
-
An AWS CloudTrail log file provides the identity and source IP address of the API caller, and a time of the API call, request parameters, and ____.
- response elements
- event selectors
- port alarms
- destination buckets
Explanation:
An AWS CloudTrail log file provides the following details:
- Identity of the API caller
- Time of the API call
- Source IP address of the API caller
- Request parameters
- Response elements
-
What does the term “statistics” mean with respect to CloudWatch metrics?
- Time of a metric collection
- Data aggregation over a specific period of time
- Status of a metric
- Unit of a metric
Explanation:
Statistics represent the aggregation of a metric's data values over a specific period of time.
-
You wish to host a mail server on an EC2 instance. What two steps must you take to ensure utmost reliability?
- Create an EIP for the instance.
- Configure the mail service to serve as an open relay.
- Contact AWS to have a Reverse DNS record configured and to help keep your domain from SPAM blacklists.
- Provide open security group access to your instance on ports 25, 3389 and 22.
Explanation:
Using an open relay is bad. Your security group does not require 3389 or 22 to be open.
-
A company is delivering web content from an Amazon EC2 instance in a public subnet with address 2001:db8:1:100::1. Users report they are unable to access the web content. The VPC Flow Logs for the subnet contain the following entries:
2 012345678912 eni-0596e500123456789 2001:db8:2:200::2 2001:db8:1:100::1 0 0 58 234 24336 1551299195 1551299434 ACCEPT OK
2 012345678912 eni-0596e500123456789 2001:db8:1:100::1 2001:db8:2:200::2 0 0 58 234 24336 1551299195 1551299434 REJECT OK
Which action will restore network reachability to the EC2 instance?
- Update the security group associated with eni-0596e500123456789 to permit inbound traffic.
- Update the security group associated with eni-0596e500123456789 to permit outbound traffic.
- Update the network ACL associated with the subnet to permit inbound traffic.
- Update the network ACL associated with the subnet to permit outbound traffic.
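Reading the two flow log records is the whole diagnostic here, so the following added example (not part of the original question set) parses them in the default VPC Flow Log version 2 field order and reports flows on an ENI where one direction was ACCEPTed while the reverse direction was REJECTed. The only input is the two records quoted in the question, embedded as a constructed sample; the function and variable names are the example's own. Because a security group is stateful and automatically permits the replies to a flow it accepted, a rejected reply on the same ENI is the signature of a stateless rule evaluation, which is where a defender should look first.

```python
"""Flag asymmetric ACCEPT/REJECT pairs in VPC Flow Log records.

Added example; the sample records are the two lines quoted in the question,
not a live capture.  Function names are the example's own.
"""
from collections import defaultdict

# Field order of the default VPC Flow Log format (version 2).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# A few IANA protocol numbers, for readable output only.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}

# Constructed sample: the two records from the question above.
SAMPLE_RECORDS = """\
2 012345678912 eni-0596e500123456789 2001:db8:2:200::2 2001:db8:1:100::1 0 0 58 234 24336 1551299195 1551299434 ACCEPT OK
2 012345678912 eni-0596e500123456789 2001:db8:1:100::1 2001:db8:2:200::2 0 0 58 234 24336 1551299195 1551299434 REJECT OK
"""


def parse_record(line):
    """Split one space-separated record into a dict; numeric fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_records(text):
    """Parse every non-blank line of a flow log text blob."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def find_asymmetric_flows(records):
    """Return flows where peer->instance was ACCEPTed on an ENI but the
    instance's replies (instance->peer, same protocol) were REJECTed.

    Security groups are stateful, so they never reject the return leg of a
    flow they accepted; this pattern points at stateless rule evaluation."""
    actions_by_flow = defaultdict(set)
    for rec in records:
        key = (rec["interface_id"], rec["srcaddr"], rec["dstaddr"], rec["protocol"])
        actions_by_flow[key].add(rec["action"])

    findings = []
    for (eni, src, dst, proto), actions in actions_by_flow.items():
        reverse_actions = actions_by_flow.get((eni, dst, src, proto), set())
        if "ACCEPT" in actions and "REJECT" in reverse_actions:
            findings.append({
                "interface_id": eni,
                "peer": src,
                "instance": dst,
                "protocol": PROTOCOL_NAMES.get(proto, str(proto)),
            })
    return findings


if __name__ == "__main__":
    for finding in find_asymmetric_flows(parse_records(SAMPLE_RECORDS)):
        print(f"{finding['interface_id']}: {finding['protocol']} from {finding['peer']} "
              f"to {finding['instance']} accepted, but replies were rejected")
```

The grouping key deliberately ignores ports, because ICMPv6 records carry 0 in both port fields; for TCP or UDP traffic you would add the port pair to the key so that unrelated flows between the same two hosts are not matched against each other.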
-
A company has deployed a production environment in the AWS Cloud. The environment is contained in a VPC and includes a virtual private gateway. The company has established an AWS Direct Connect connection, which includes a private Virtual Interface (VIF), and a VPN connection to the on-premises data center.
For traffic originating in the VPC, what is the order of BGP path selection from MOST preferred to LEAST preferred?
- Direct Connect BGP routes, static routes, longest prefix match, VPN BGP routes.
- Static routes, longest prefix match, Direct Connect BGP routes, VPN BGP routes.
- Longest prefix match, static routes, Direct-Connect BGP routes, VPN BGP routes.
- Longest prefix match, VPN BGP routes, static routes, Direct Connect BGP routes.
-
A company wants to migrate its workloads to the AWS Cloud. The company has two web applications and wants to run them in separate, isolated VPCs. The company needs to use Elastic Load Balancing to distribute requests between application instances.
For security reasons, internet gateways must not be attached to the application VPCs. Inbound HTTP requests to the application must be routed through a centralized VPC, and the application VPCs must not be exposed to any other inbound traffic. The application VPCs cannot be allowed to initiate any outbound connections.
What should a network engineer do to meet these requirements?
- Run the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private DNS names of the ALBs. Configure host-based routing to route application traffic to the corresponding target group through the NLB.
- Run the applications behind private Application Load Balancers (ALBs) in separate VPCs. Create a public Network Load Balancer (NLB) in the centralized VPC. Create target groups for the private IP addresses of the ALBs. Configure host-based routing to route application traffic to the corresponding target group through the NLB.
- Run the applications behind private Network Load Balancers (NLBs) in separate VPCs. Create VPC peering connections between the application VPCs and the centralized VPC. Create a public Application Load Balancer (ALB) in the centralized VPC. Create target groups for the private DNS names of the NLBs. Configure host-based routing to route application traffic between individual applications through the ALB.
- Run the applications behind private Network Load Balancers (NLBs) in separate VPCs. Configure each NLB as an AWS PrivateLink endpoint service with associated VPC endpoints in the centralized VPC. Create target groups that include the private IP addresses of each endpoint. Create a public Application Load Balancer (ALB) in the centralized VPC. Configure host-based routing to route application traffic to the corresponding target group through the ALB.
-
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in us-west-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses.
How should an engineer configure the network to meet these requirements?
- Configure an AWS Direct Connect private virtual interface to the company’s AWS VPC in us-west-2. Create a VPC endpoint and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
- Configure a VPN connection to the company’s AWS VPC in us-west-2 and use BGP to advertise routes for Amazon S3.
- Configure a Direct Connect connection public virtual interface to us-west-2. Leverage an on-premises HTTPS proxy to send traffic to Amazon S3 over a Direct Connect connection.
- Configure a VPN connection to the company’s AWS VPC in us-west-2. Create a NAT gateway and configure the on-premises systems to leverage an HTTPS proxy in the VPC to access Amazon S3.
-
A financial company is designing a secure AWS network architecture to support a hybrid cloud strategy. Systems deployed in the AWS Cloud are mission critical and have strict availability requirements. The company anticipates the need for hundreds of VPCs. Instances will be transient and rely heavily on DNS resolution. The applications must be designed to have Availability Zone isolation and tolerate the loss of an Availability Zone.
What is the MOST reliable way to implement DNS in this scenario?
- Create a new DHCP options set with DNS settings with on-premises DNS servers that traverse an AWS Direct Connect connection.
- Create private hosted zones and share them with each VPC. Use Amazon Route 53 Resolver for hybrid DNS.
- Modify the default DHCP options set with a fleet of proxy DNS servers that are deployed in each VPC.
- Create a fleet of DNS proxy servers in a central VPC. Share the proxy fleet with each VPC using AWS PrivateLink.
-
A company installed an AWS Site-to-Site VPN and configured it to use two tunnels. The company has learned that the VPN connectivity is unstable. During a ping test from the on-premises data center to AWS, a network engineer notices that the first few ICMP replies time out but that subsequent requests are successful. The AWS Management Console shows that the status for both tunnels last changed at the same time the ping responses were successfully received.
Which steps should the network engineer take to resolve the instability? (Choose two.)
- Enable dead peer detection (DPD) on the customer gateway device.
- Change the tunnel configuration to active/standby on the virtual private gateway.
- Use AS PATH prepending on one path to cause all traffic to prefer that tunnel.
- Send ICMP requests to an instance in the VPC every 5 seconds from the on-premises network.
- Use a higher multi-exit discriminator (MED) value on the preferred path to prefer that tunnel.
-
A company wants to use thin clients running virtual desktops to replace 500 desktop computers used by its call center employees. The company is evaluating Amazon WorkSpaces as a solution.
A network engineer who is testing with a thin client is unable to connect to Amazon WorkSpaces. After entering credentials, the network engineer receives the following error:
“An error occurred while launching your WorkSpace. Please try again.”
What should the network engineer do to resolve this issue?
- Update the inbound rules on the network ACL on the subnets used for Amazon WorkSpaces to allow UDP on port 4172 and TCP on port 4172.
- Update the company’s corporate firewall to allow outbound access to UDP on port 4172 and TCP on port 4172. Open inbound ephemeral ports explicitly to allow return communication.
- Update the inbound rules on the security group assigned to Amazon WorkSpaces to allow UDP on port 4172 and TCP on port 4172.
- Update the company’s corporate firewall to allow inbound access to UDP on port 4172 and TCP on port 4172. Open outbound ephemeral ports explicitly to allow return communication.
-
A company has an application running on Amazon EC2 instances in a VPC. The application must publish custom metrics to Amazon CloudWatch in the same AWS Region. The metrics include proprietary information. All connectivity must be over private IP addresses.
Which solution will meet these requirements?
- Connect to CloudWatch through a NAT gateway.
- Connect to CloudWatch through a gateway endpoint.
- Connect to CloudWatch through an internet gateway.
- Connect to CloudWatch through an interface endpoint.
-
A company’s application runs in a VPC and stores sensitive data in Amazon S3. The application’s Amazon EC2 instances are located in a private subnet with a NAT gateway deployed in a public subnet to provide access to Amazon S3. The S3 bucket is located in the same AWS Region as the EC2 instances. The company wants to ensure that this bucket can be accessed only from the VPC where the application resides.
Which changes should a network engineer make to the architecture to meet these requirements?
- Delete the existing S3 bucket and create a new S3 bucket inside the VPC in the private subnet. Configure the S3 security group to allow only the application instances to access the bucket.
- Deploy an S3 VPC endpoint in the VPC where the application resides. Configure an S3 bucket policy with a condition to allow access only from the VPC endpoint.
- Configure an S3 bucket policy, and use an IP address condition to restrict access to the bucket. Allow access only from the VPC CIDR range, and deny all other IP address ranges.
- Create a new IAM role for the EC2 instances that provides access to the S3 bucket, and assign the role to the application instances. Configure an S3 bucket policy to allow access only from the role.
-
A company uses a newly provisioned 1-Gbps AWS Direct Connect connection to configure a virtual interface for access to Amazon S3.
Which configuration values is the network engineer required to provide? (Choose two.)
- Connection speed
- VLAN ID
- IP prefixes to advertise
- Direct Connect location
- Virtual private gateway
-
A company is migrating a legacy storefront web application to the AWS Cloud. The application is complex and will take several months to refactor. A solutions architect recommended an interim solution of using Amazon CloudFront with a custom origin pointing to the SSL endpoint URL for the legacy web application until the replacement is ready and deployed.
The interim solution has worked for several weeks. However, all browser connections recently began showing an HTTP 502 Bad Gateway error with the header “X-Cache: Error from cloudfront.” Monitoring services show that the HTTPS port 443 on the legacy web application is open and responding to requests.
What is the likely cause of the error, and what is the solution?
- The origin access identity is not correct. Edit the CloudFront distribution and update the identity in the origins settings.
- The SSL certificate on the CloudFront distribution has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to replace the SSL certificate in the CloudFront distribution with a new certificate.
- The SSL certificate on the legacy web application server has expired. Use AWS Certificate Manager (ACM) in the us-east-1 Region to create a new SSL certificate. Export the public and private keys, and install the certificate on the legacy web application.
- The SSL certificate on the legacy web application server has expired. Replace the SSL certificate on the web server with one signed by a globally recognized certificate authority (CA). Install the full certificate chain onto the legacy web application server.