ANS-C00 : AWS Certified Advanced Networking – Specialty : Part 19
-
A company has a hybrid environment across its on-premises network and the AWS Cloud. The company wants to use Amazon Elastic File System (Amazon EFS) to store and share data between on-premises services that are required to resolve DNS queries through on-premises DNS servers. The company wants to use a custom domain name to connect to Amazon EFS. The company also wants to avoid using the Amazon EFS target IP address.
What should a network engineer do to meet these requirements?
- Create an Amazon Route 53 Resolver outbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 public hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 public hosted zone.
- Create an Amazon Route 53 Resolver inbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 private hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver.
- Create an Amazon Route 53 Resolver outbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 private hosted zone, and add a new CNAME record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 Resolver.
- Create an Amazon Route 53 Resolver inbound endpoint, and configure it for the VPC where Amazon EFS resides. Create a Route 53 private hosted zone, and add a new PTR record with the value of the Amazon EFS DNS name. Configure forwarding rules on the on-premises DNS servers to forward queries for the custom domain host to the Route 53 private hosted zone.
-
A VPC is deployed with a 10.0.0.0/16 CIDR block. The engineering team is reviewing DHCP options, and there is disagreement about the valid DNS addresses available for the VPC.
Which addresses are valid IP addresses provided by Amazon for this subnet? (Choose two.)
- 8.8.8.8
- 10.0.0.2
- 10.1.0.2
- 169.254.169.253
- 169.254.169.254
-
A company uses an Application Load Balancer (ALB) to provide access to a multi-tenant web application for 25 customers. The company creates a unique hostname for each customer to use to access the application. Hostnames use the format customer-name.example.com.
Each customer has a dedicated group of Amazon EC2 instances that run their own version of the web application. When a customer visits customer-name.example.com, the ALB should route the request to the correct group of EC2 instances. The company requires a highly available solution that is easy to maintain.
Which solution meets these requirements at the LOWEST cost?
- Create one ALB for all customers. Create a listener rule that includes an HTTP header condition to match the URL. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.
- Create one ALB for each customer. Configure the listener to route requests to the customer target group. Configure an NGINX proxy server to manage connections to each ALB. Use Amazon Route 53 to create a CNAME record for each customer-name.example.com hostname that points to the NGINX proxy server.
- Create one ALB for all customers. Create a listener rule that includes a Host header condition to match the hostname. Add a forward action to route the request to the customer target group. Use Amazon Route 53 to create an alias record for each customer-name.example.com hostname that points to the ALB.
- Create one ALB for each customer. Configure the listener to route requests to the customer target group. Create an Amazon CloudFront distribution. Add each ALB to the distribution as a custom origin. Use Amazon Route 53 to create an alias for each customer-name.example.com hostname that points to the CloudFront distribution.
-
A company needs to allow its remote users to access company resources in the AWS Cloud. The company has two VPCs that are connected through VPC peering. The remote users must be able to access resources in both VPCs by using secure connections from their laptop computers. The company does not want to implement an access management solution that requires additional costs or effort.
Which solution meets these requirements?
- Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Instruct the users to sign in to the AWS Management Console and navigate to Client VPN to connect to the Client VPN endpoint.
- Deploy an AWS Client VPN endpoint in both VPCs, associate subnets, and define a target network. Add a rule to authorize client access to each target VPC. Update resource security groups in both VPCs to allow traffic from the security groups of each VPC for the subnet associations. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to both Client VPN endpoints at the same time to gain access to the resources.
- Deploy a Network Load Balancer in front of the company resources. Set up security groups that contain the IP addresses of each of the user laptops. Instruct the users to connect to the application securely over TCP.
- Deploy an AWS Client VPN endpoint in one VPC, associate a subnet, and define a target network. Add a rule to authorize client access to the target VPC, and add a rule to authorize client access to the peered VPC. Update resource security groups in both VPCs to allow traffic from the security group for the subnet association. Securely send the users the configuration options, and instruct the users to install Client VPN on their laptops. Instruct the users to connect to the Client VPN endpoint to gain access to the resources.
-
A company is running services in a VPC with a CIDR block of 10.5.0.0/22. End users report that they no longer can provision new resources because some of the subnets in the VPC have run out of IP addresses.
How should a network engineer resolve this issue?
- Add 10.5.2.0/23 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet.
- Add 10.5.4.0/21 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.
- Add 10.5.4.0/22 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses.
- Add 10.5.4.0/22 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet.
-
A company with several VPCs in the us-east-1 Region wants to reduce the cost of its workloads. A network engineer has identified that all traffic bound to Amazon services is flowing through a NAT gateway. Additionally, all the VPCs are peered to a hub VPC for access to common services.
What should the network engineer do to reduce data transfer costs to Amazon Simple Queue Service (Amazon SQS)?
- Disable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain us-east-1.sqs.amazonaws.com. Create a CNAME record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
- Disable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain sqs.us-east-1.amazonaws.com. Create an alias record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
- Enable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain sqs.us-east-1.amazonaws.com. Create a CNAME record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
- Enable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain us-east-1.sqs.amazonaws.com. Create an alias record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
-
A company’s website is hosted on an Amazon EC2 instance. The website delivers dynamic content through Amazon CloudFront to users. After instance maintenance, users receive HTTP 502 (Bad Gateway) errors while attempting to access the website.
What is the MOST likely cause of this issue?
- The security group configuration on the origin is blocking traffic from CloudFront.
- The origin does not support the ciphers or protocols in the SSL/TLS exchange with CloudFront.
- There are resource constraints, and CloudFront cannot route requests to an available edge location.
- The origin does not have enough capacity to support the request rate.
-
A space exploration company owns a series of telescopes that capture a large number of images and data of the night sky. The images and data are processed on an application hosted on AWS Fargate in a target group assigned to an Application Load Balancer (ALB). The application is made available through the address https://space.example.com.
Scientists require another custom-built application hosted on several Amazon EC2 instances within an Auto Scaling group. This application will be made available from the address https://space.example.com/meteor. The company needs a solution that can automatically scale from a small number of requests overnight to a large number of requests for a future meteor shower.
What is the MOST operationally efficient solution that meets these requirements?
- Update the existing target group with the new EC2 instances. Update the application’s ALB by adding a listener rule that redirects /meteor to the newly added EC2 instances.
- Create a new target group. Configure the Auto Scaling group of the EC2 instances to use the target group. Update the ALB by adding a listener rule that redirects /meteor to the new target group.
- Create a Network Load Balancer (NLB). Configure the NLB to listen on two ports. Configure a target group for one port to deliver all IP traffic to the Auto Scaling group to process the custom images. Configure a target group for the second port to deliver all IP traffic to Fargate. Use path-based routing in the ALB to route traffic for the URL prefix /meteor to the first target group. Route all other paths to the second target group.
- Place the ALB behind an Amazon CloudFront distribution. Create a Lambda@Edge function that parses the request URI and adds the path-pattern header with the IP addresses of the EC2 instances to any request for /meteor. Add a listener rule to the ALB that looks for the HTTP header and uses the IP addresses of the EC2 instances to forward the traffic.
-
A company has a VPC in the us-west-1 Region and another VPC in the ap-southeast-2 Region. Network engineers set up an AWS Direct Connect connection from their data center to the us-east-1 Region. They create a private virtual interface (VIF) that references a Direct Connect gateway, which is then connected to virtual private gateways in both VPCs. When the setup is complete, the engineers cannot access resources in us-west-1 from ap-southeast-2.
What should the network engineers do to resolve this issue?
- Add the subnet range for the VPCs in us-west-1 and ap-southeast-2 to the route tables for both VPCs. Add the Direct Connect gateway as a target.
- Configure the Direct Connect gateway to route traffic between the VPCs in ap-southeast-2 and us-west-2.
- Establish a VPC peering connection between the VPCs in ap-southeast-2 and us-west-2. Add the subnet ranges to the routing tables.
- Create static routes in each VPC that point to the destination VPC with the virtual private gateway as the route target.
-
A company has a hybrid architecture with dual AWS Direct Connect connections and applications running in the AWS Cloud and on premises. The company uses its on-premises DNS servers to provide name resolution for its internal domain company.com. The company uses an Amazon Route 53 private hosted zone, aws.company.com, for resolution of AWS resource records.
A new application that runs on Amazon EC2 in the company’s VPC needs to resolve records in the company.com domain and on other AWS resources.
What should the company do to meet these requirements?
- Create a new DHCP options set. Configure the DHCP options set name servers to be the on-premises DNS servers, and configure the domain name to be company.com. Assign the DHCP options set to the VPC with the EC2 instances.
- Create Route 53 Resolver outbound endpoints in each subnet in the VPC. Configure a Route 53 forwarding rule with a rule type of Forward for company.com that points to the on-premises DNS servers. Configure a Route 53 forwarding rule with a rule type of System for aws.company.com.
- Create Route 53 Resolver outbound endpoints in each subnet in the VPC. Configure conditional forwarding rules on the on-premises DNS servers to forward queries for the domain aws.company.com to the Route 53 Resolver endpoints. Modify the DHCP options set to configure instances to resolve hostnames using the on-premises DNS servers.
- Create a private hosted zone for company.com within the AWS account. Create Route 53 Resolver inbound endpoints in each subnet in the VPC. Configure the on-premises DNS servers to send outbound zone transfers for company.com to the Route 53 Resolver endpoints.
-
A company hosts its application, example.com, behind Application Load Balancers in the us-east-1 and eu-west-1 Regions. Users should be routed to the resources geographically nearest to them. Users must not be routed to the application when it is considered unhealthy.
How should a network engineer configure Amazon Route 53 to route clients to example.com?
- Configure latency.example.com to use a weighted routing policy that points to the load balancers, and associate an HTTP health check. Configure failover records for example.com. Point the primary alias record to latency.example.com, and enable the evaluate target health setting. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.
- Configure latency.example.com CNAME latency-based records that point to the load balancers, and associate an HTTP health check. Configure failover records for example.com. Point the primary alias record to latency.example.com, and enable the setting used to evaluate target health. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.
- Configure latency.example.com to use a geoproximity routing policy that points to the load balancers, and associate an HTTP health check. Configure failover records for example.com. Point the primary alias record to latency.example.com, and enable the evaluate target health setting. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.
- Configure latency.example.com alias latency-based records that point to the load balancers, enable the setting used to evaluate target health, and associate an HTTP health check. Configure failover records for example.com. Point the primary CNAME record to latency.example.com, and associate an HTTP health check. Point the secondary record to a static HTML maintenance page hosted in Amazon S3.
-
A gaming company is running an online multiplayer game in multiple AWS Regions. The company needs traffic from its end users to be routed to the Region that is closest to the end users geographically. When maintenance occurs in a Region, traffic must be routed to the next closest Region with no changes to the IP addresses being used as connections by the end users.
Which solution will meet these requirements?
- Create an Amazon CloudFront distribution in front of all the Regions.
- Use an Amazon Route 53 geoproximity routing policy to route traffic to the closest Region.
- Use an Amazon Route 53 geolocation routing policy to route traffic to the closest Region.
- Configure AWS Global Accelerator in front of all the Regions.
-
A company is deploying a critical application on two Amazon EC2 instances in a VPC. Failed client connections to the EC2 instances must be logged according to company policy.
What is the MOST cost-effective solution to meet these requirements?
- Move the EC2 instances to a dedicated VPC. Enable VPC Flow Logs with a filter on the deny action. Publish the flow logs to Amazon CloudWatch Logs.
- Move the EC2 instances to a dedicated VPC subnet. Enable VPC Flow Logs for the subnet with a filter on the reject action. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.
- Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to an Amazon Kinesis Data Firehose stream with a data delivery to an Amazon S3 bucket.
- Enable VPC Flow Logs, filtered for rejected traffic, for the elastic network interfaces associated with the instances. Publish the flow logs to Amazon CloudWatch Logs.
-
A company’s network engineer needs to evaluate and monitor DNS traffic. The company uses Amazon Route 53 as the DNS service for its public hosted zone. All DNS queries must be captured for future analysis.
What should the network engineer do to meet these requirements?
- Use AWS WAF to log information to Amazon CloudWatch Logs about the queries that Route 53 receives.
- Use VPC Flow Logs to log information to Amazon CloudWatch Logs Insights about the queries that Route 53 receives.
- Use Route 53 query logging to log information to Amazon CloudWatch Logs about the queries that Route 53 receives.
- Use AWS CloudTrail to log information to Amazon CloudWatch Logs Insights about the queries that Route 53 receives.
-
A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept to a minimum.
Which design should be recommended?
- Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.
- Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.
- Create a private VIF to the Management VPC, and peer this VPC to all other VPCs; enable source/destination NAT in the Management VPC.
- Create a total of four private VIFs, and enable VPC peering between all VPCs.
-
A company has applications running in a single AWS Region and its on-premises data center in a hybrid mode. The company has a 1 Gbps AWS Direct Connect connection from the data center to AWS that is 65% utilized. The company has an AWS Enterprise Support plan.
The company is planning to deploy a new critical application on AWS that will connect with existing applications running in the data center. The application SLA requires a minimum of 99.9% network uptime between the data center and AWS.
What is the MOST cost-effective way to meet this SLA requirement?
- Create a second virtual interface (VIF) on the existing Direct Connect connection, and terminate this VIF in the existing VPC. Use BGP for load balancing between the VIFs in active/active mode.
- Purchase an additional 1 Gbps Direct Connect connection from AWS in a different cross-connect location terminated in the associated Region. Provision a new virtual interface (VIF) to the existing VPC, and use BGP for load balancing.
- Set up two new hosted Direct Connect connections of 500 Mbps each through an AWS Direct Connect partner. Provision two virtual interfaces (VIFs) to the existing VPC on both Direct Connect connections, and use BGP for load balancing. Terminate the existing 1 Gbps Direct Connect connection.
- Purchase an additional 1 Gbps Direct Connect connection from AWS in the existing cross-connect location. Ask AWS to terminate this new connection in a different router. Provision two virtual interfaces (VIFs) to the same VPC on both Direct Connect connections, and use BGP for load balancing.
-
A company has an AWS Direct Connect connection between its on-premises data center and Amazon VPC. An application running on an Amazon EC2 instance in the VPC needs to access confidential data stored in the on-premises data center with consistent performance. For compliance purposes, data encryption is required.
What should the network engineer do to meet these requirements?
- Configure a public virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
- Configure a private virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
- Configure an internet gateway in the VPC. Set up a software VPN between the customer gateway and an EC2 instance in the VPC.
- Configure an internet gateway in the VPC. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.