New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Amazon Web Services ANS-C00 AWS Certified Advanced Networking-Specialty Exam Practice Test

Demo: 23 questions
Total 154 questions

AWS Certified Advanced Networking-Specialty Questions and Answers

Question 1

You deploy your Internet-facing application is the us-west-2(Oregon) region. To manage this application and upload content from your corporate network, you have a 1–Gbps AWS Direct Connect connection with a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the corporate network.

You need to deploy another identical instance of the application is us-east-1(N Virginia) as soon as possible. You need to use the benefits of Direct Connect. Your design must be the most effective solution regarding cost, performance, and time to deploy.

Which design should you choose?

Options:

A.

Use the inter-region capabilities of Direct Connect to establish a private virtual interface from us-west-2 Direct Connect location to the new VPC in us-east-1.

B.

Deploy an IPsec VPN over your corporate Internet connection to us-east-1 to provide access to the new VPC.

C.

Use the inter-region capabilities of Direct Connect to deploy an IPsec VPN over a public virtual interface to the new VPC in us-east-1.

D.

Use VPC peering to connect the existing VPC in us-west-2 to the new VPC in us-east-1, and then route traffic over Direct Connect and transit the peering connection.

Question 2

A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the Internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable –‘app.example.com’.

Instances within the VPC should always connect to the private IP to minimize data transfer costs.

How should the engineer configure DNS to support these requirements?

Options:

A.

Use Amazon Route 53 to create a geo-based routing entry for the hostname ‘app’ in the DNS zone ‘example.com’.

B.

Create two A record entries for ‘app’ in the DNS zone ‘example.com’ – one for the public IP and one for the private IP.

C.

Use Route 53 to create an ALIAS record to the public DNS name for the instance.

D.

Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.

Question 3

A company uses a single connection to the internet when connecting its on-premises location to AWS. It has selected an AWS Partner Network (APN) Partner to provide a point-to-point circuit for its first-ever 10 Gbps AWS Direct Connect connection.

What steps must be taken to order the cross-connect at the Direct Connect location?

Options:

A.

Obtain the LOA/CFA from the APN Partner when ordering connectivity. Upload it to the AWS Management Console when creating a new Direct Connect connection. AWS will ensure that the cross-connect is installed.

B.

Obtain the LOA/CFA from the AWS Management Console when ordering the Direct Connect connection. Provide it to the APN Partner when ordering connectivity. The Direct Connect partner will ensure that the cross-connect is installed.

C.

Obtain the LOA/CFA each from the AWS Management Console and the APN Partner. Provide both to the Facility Operator of the Direct Connect location. The Facility Operator will ensure that the cross-connect is installed.

D.

Identify the APN Partner in the AWS Management Console when creating the Direct Connect connection. Provide the resulting Connection ID to the APN Partner, who will ensure that the cross-connect is installed.

Question 4

A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept at minimum.

Which design should be recommended?

Options:

A.

Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.

B.

Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.

C.

Create a private VIF to the Management VPC, and peer this VPC to all other VPCs, enable source/destination NAT in the Management VPC.

D.

Create a total of four private VIFs, and enable VPC peering between all VPCs.

Question 5

A company is running services in a VPC with a CIDR block of 10.5.0.0/22 End users report that they no longer can provision new resources because some ot the subnets in theVPC have run out of IP addresses

How should a network engineer resolve this issue?

Options:

A.

Add 10 5.2.0/23 as a second CIDR block to the VPC Create a new subnet with a new CIDR block, and provision new resources in the new subnet

B.

Add 10 5.4.0/21 as a second CIDR block to the VPC Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses

C.

Add 10.5.4.0/22 as a second CIDR block to the VPC. Assign a second network from this CIDR block to the existing subnets that have run out of IP addresses

D.

Add 10.5.4.0/22 as a second CIDR block to the VPC. Create a new subnet with a new CIDR block, and provision new resources in the new subnet

Question 6

Your company’s policy requires that all VPCs peer with a “common services: VPC. This VPC contains a fleet of layer 7 proxies and an Internet gateway. No other VPC is allowed to provision an Internet gateway. You configure a new VPC and peer with the common service VPC as required by policy. You launch an Amazon EC2. Windows instance configured to forward all traffic to the layer 7 proxies in the common services VPC. The application on this server should successfully interact with Amazon S3 using its properly configured AWS Identity and Access Management (IAM) role. However, Amazon S3 is returning 403 errors to the application.

Which step should you take to enable access to Amazon S3?

Options:

A.

Update the S3 bucket policy with the private IP address of the instance.

B.

Exclude 169.254.169.0/24 from the instance’s proxy configuration.

C.

Configure a VPC endpoint for Amazon S3 in the same subnet as the instance.

D.

Update the CORS configuration for Amazon S3 to allow traffic from the proxy.

Question 7

An architecture is being designed to support an Amazon WorkSpaces deployment of 1,000 desktops.

Which architecture will support this deployment while allowing for future expansion?

Options:

A.

A VPC with a /16 CIDR and one /21 subnet

B.

A VPC with a /20 CIDR and two /21 subnets

C.

A VPC with a /16 CIDR and one /22 subnet

D.

A VPC with a /20 CIDR and two /23 subnets

Question 8

You are designing an AWS Direct Connect solution into your VPC. You need to consider requirements for the customer router to terminate the Direct Connect link at the Direct Connect location.

Which three factors that must be supported should you consider when choosing the customer router? (Select three.)

Options:

A.

802.1q trunking

B.

802.1ax or 802.3ad link aggregation

C.

OSPF

D.

BGP

E.

single-mode optical fiber connectivity

F.

1-Gbps copper connectivity

Question 9

A company is connecting to a VPC over an AWS Direct Connect using a private VIF, and a dynamic VPN connection as a backup. The company's Reliability Engineering team has been running failover and resiliency tests on the network and the existing VPC by simulating an outage situation on the Direct Connect connection. During the resiliency tests, traffic failed to switch over to the backup VPN connection.

How can this failure be troubleshot?

Options:

A.

Ensure that Bidirectional Forwarding Detection is enabled on the Direct Connect connection

B.

Confirm that the same routes are being advertised over both the VPN and Direct Connect.

C.

Reconfigure the Direct Connect session from static routes to Border Gateway Protocol (BGP) peering.

D.

Configure a virtual private gateway for the VPN and another virtual private gateway for Direct Connect.

Question 10

Your company maintains an Amazon Route 53 private hosted zone. DNS resolution is restricted to a single, pre-existing VPC. For a new application deployment, you create an additional VPC in the same AWS account. Both this new VPC and your on-premises DNS infrastructure must resolve records in the existing private hosted zone.

Which two activities are required to enable DNS resolution both within the new VPC and from the on-premises infrastructure? (Select two.)

Options:

A.

Update the DHCP options set for the new VPC with the Route 53 nameserver IP addresses.

B.

Update the Route 53 private hosted zone’s VPC associations to include the new VPC.

C.

Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies as forwarders in the on-premises DNS.

D.

Update the on-premises DNS to include forwarders to the Route 53 nameserver IP addresses.

E.

Launch Amazon EC2-based DNS proxies in the new VPC. Specify the proxies in the DHCP options set.

Question 11

A company’s web application is deployed on Amazon EC2 instances behind a public Application Load Balancer. The application flags malicious requests and uses an AWS Lambda function to add the offending IP addresses to the network ACL to block any further request for 24 hours. Recently, the application has been receiving more malicious requests, which causes the network ACL to reach its limit of allowed entries.

Which action should be taken to block more IP addresses, without compromising the existing security requirements?

Options:

A.

Update the AWS Lambda function to remove blocked entries from the network ACL after 2 hours.

B.

Update the AWS Lambda function to block malicious IPs in security groups rather than the network ACL.

C.

Update the AWS Lambda function to block malicious IPs in AWS WAF attached to the Application Load Balancer.

D.

Update the AWS Lambda function to add an additional network ACL to the subnets once the limit for the previous ones has been reached.

Question 12

An IT company wants to securely perform an on-off migration of its on-premises VMs to the AWS Cloud by using AWS Server Migration Service {AWS SMS) For the first phase of the migration, the company must migrate 50 development VMs m batches during non-peak times over the next 7 days The VMs are between 2 GB and 5 GB in size The company has 1 Gbps of available bandwidth over the internet

Which network connectivity option meets these requirements MOST cost-effectively?

Options:

A.

Contact an AWS partner to order a hosted VIF

B.

Use the existing internet connection

C.

Order an AWS Direct Connect connection Provision a public VIF

D.

Create a VPN connection to AWS.

Question 13

An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the ‘Remote’ (receiving) account are already in place.

The template below creates the VPC peering connection in the Originating account. It contains these components:

AWSTemplateFormation Version: 2010-09-09

Parameters:

Originating VCId:

Type: String

RemoteVPCId:

Type: String

RemoteVPCAccountId:

Type: String

Resources:

newVPCPeeringConnection:

Type: ‘AWS::EC2::VPCPeeringConnection’

Properties:

VpcdId: !Ref OriginatingVPCId

PeerVpcId: !Ref RemoteVPCId

PeerOwnerId: !Ref RemoteVPCAccountId

Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Select two.)

Options:

A.

Resources:NewEC2SecurityGroup:Type: AWS::EC2::SecurityGroup

B.

Resources:NetworkInterfaceToRemoteVPC:Type: “AWS::EC2NetworkInterface”

C.

Resources:newEC2Route:Type: AWS::EC2::Route

D.

Resources:VPCGatewayToRemoteVPC:Type: “AWS::EC2::VPCGatewayAttachment”

E.

Resources:newVPCPeeringConnection:Type: ‘AWS::EC2VPCPeeringConnection’PeerRoleArn: !Ref PeerRoleArn

Question 14

Your company operates a single AWS account. A common services VPC is deployed to provide shared services, such as network scanning and compliance tools. Each AWS workload uses its own VPC, and each VPC must peer with the common services VPC. You must choose the most efficient and cost effective approach.

Which approach should be used to automate the required VPC peering?

Options:

A.

AWS CloudTrail integration with Amazon CloudWatch Logs to trigger a Lambda function.

B.

An OpsWorks Chef recipe to execute a command-line peering request.

C.

Cfn-init with AWS CloudFormation to execute a command-line peering request.

D.

An AWS CloudFormation template that includes a peering request.

Question 15

The Security department has mandated that all outbound traffic from a VPC toward an on-premises datacenter must go through a security appliance that runs on an Amazon EC2 instance.

Which of the following maximizes network performance on AWS? (Choose two.)

Options:

A.

Support for the enhanced networking drivers

B.

Support for sending traffic over the Direct Connect connection

C.

The instance sizes and families supported by the security appliance

D.

Support for placement groups within the VPC

E.

Security appliance support for multiple elastic network interfaces

Question 16

A network engineer is managing two AWS Direct Connect connections. Each connection has a public virtual interface configured with a private ASN. The engineer wants to configure active/passive routing between the Direct Connect connections to access Amazon public endpoints. What BGP configuration is required for the on-premises equipment? (Select two.)

Options:

A.

Use Local Pref to control outbound traffic.

B.

Use AS Prepending to control inbound traffic.

C.

Use eBGP multi-hop between loopback interfaces.

D.

Use BGP Communities to control outbound traffic.

E.

Advertise more specific prefixes over one Direct Connect connection.

Question 17

You are building an application in AWS that requires Amazon Elastic MapReduce (Amazon EMR). The application needs to resolve hostnames in your internal, on-premises Active Directory domain. You update your DHCP Options Set in the VPC to point to a pair of Active Directory integrated DNS servers running in your VPC.

Which action is required to support a successful Amazon EMR cluster launch?

Options:

A.

Add a conditional forwarder to the Amazon-provided DNS server.

B.

Enable seamless domain join for the Amazon EMR cluster.

C.

Launch an AD connector for the internal domain.

D.

Configure an Amazon Route 53 private zone for the EMR cluster.

Question 18

A space exploration firm possesses a collection of telescopes that take many photographs and data of the night sky. The pictures and data are processed on an AWS Fargate application that is allocated to a target group by an Application Load Balancer (ALB). The program is accessible at https://space.example.com.

Additionally, scientists demand a custom-built application that is hosted on many Amazon EC2 instances inside an Auto Scaling group. This application will be accessible at the following link: https://space.example.com/meteor. The firm need a system that can grow automatically from a low number of requests overnight to a high volume of demands during a future meteor shower.

What is the MOST OPTIMAL option that satisfies these requirements?

Options:

A.

Update the existing target group with the new EC2 instances. Update the application's ALB by adding a listener rule that redirects /meteor to the newly added EC2 instances.

B.

Create a new target group. Configure the Auto Scaling group of the EC2 instances to use the target group Update the ALB by adding a listener rule that redirects /meteor to the new target group.

C.

Create a Network Load Balancer (NLB). Configure the NLB to listen on two ports. Configure a target group for one port to deliver all IP traffic to the Auto Scaling group to process the custom images. Configure a target group for the second port to deliver all IP traffic to Fargate Use path-based routing in the ALB to route traffic for the URL prefix /meteor to the first target group. Route all other paths to the second target group.

D.

Place the ALB behind an Amazon CloudFront distribution. Create a Lambda@Edge function that parses the request URI and adds the path-pattern header with the IP addresses of the EC2 instances to any request for /meteor. Add a listener rule to the ALB that looks for the HTTP header and uses the IP addresses of the EC2 instances to forward the traffic.

Question 19

A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The Lambda function also needs to write messages to Amazon SQS. The Lambda function has been configured to run in a subnet in the VPC.

Which of the following actions meet the requirements? (Select two.)

Options:

A.

The Lambda function needs an IAM role to access Amazon SQS

B.

The Lambda function must route through a NAT gateway or NAT instance in another subnet to access the public SQS API.

C.

The Lambda function must be assigned a public IP address to access the public Amazon SQS API.

D.

The ElastiCache server outbound security group rules must be configured to permit the Lambda function’s security group.

E.

The Lambda function must consume auto-assigned public IP addresses but not elastic IP addresses.

Question 20

Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2) and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement changes. Which combination of three services provides an alert for changes made outside of AWS CloudFormation? (Select three.)

Options:

A.

AWS Config

B.

AWS Simple Notification Service

C.

AWS CloudWatch metrics

D.

AWS Lambda

E.

AWS CloudFormation

F.

AWS Identify and Access Management

Question 21

You are moving a two-tier application into an Amazon VPC. An Elastic Load Balancing (ELB) load balancer is configured in front of the application tier. The application tier is driven through RESTful interfaces. The data tier uses relational database service (RDS) MySQL. Company policy requires end-to-end encryption of all data in transit. in front

What ELB configuration complies with the corporate encryption policy?

Options:

A.

Configure the ELB load balancer protocol as HTTP. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.

B.

Configure the ELB protocols in TCP mode. Configure the application instances for SSL termination. Configure Amazon RDS for SSL, and use REQUIRE SSL grants.

C.

Configure the ELB load balancer protocol as HTTPS. Offload application instance encryption to the load balancer. Install your SSL certificate on Amazon RDS, and configure SSL.

D.

Configure the ELB protocols in SSL mode. Offload application instance encryption to the load balancer. Install your SSL/TLS certificate on Amazon RDS, and configure SSL.

Question 22

A company has established an AWS Direct Connect connection between its customer gateway at its on-premises data center and a virtual private gateway m the AWS Cloud The BGP routing protocol configuration includes the Autonomous System Number {ASN) of 7224 on the AWS end of the connection and the BGP ASN of 65004 on the company end of the connection

The company's IT administrators report that servers that run at the on-premises data center are not able to communicate with the company's web application that runs on a fleet of Amazon EC2 Instances A network engineer performs initial troubleshooting The network engineer finds that the private VIF is operational and that there is a fully established BGP peering session However, the company still cannot route traffic over the private VIF

Which of the following is a possible cause of this connectivity issue?

Options:

A.

Firewall or ACL rules are blocking TCP pod 179 or are blocking high-numbered ephemeral TCP pons

B.

The provider is advertising 50 prefixes for private VIFs

C.

VPC route tables am lacking prefixes that point to the virtual private gateway to which the private VIF is connected

D.

Peer IP addresses for both sides of the BGP peering session are not configured correctly.

Question 23

DNS name resolution must be provided for services in the following four zones:

company.private.

emea.company.private.

apac.company.private.

amer.company.private.

The contents of these zones is not considered sensitive, however, the zones only need to be used by services hosted in these VPCs, one per geographic region. Each VPC should resolve the names in all zones.

How can you use Amazon route 53 to meet these requirements?

Options:

A.

Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.

B.

Create a single Route 53 Private Hosted Zone for the zone company.private and associate it with the three VPCs.

C.

Create a Route Public Hosted Zone for each of the four zones and configure the VPS DNS Resolver to forward

D.

Create a single Route 53 Public Hosted Zone for the zone company.private and configure the VPS DNS Resolver to forward

Demo: 23 questions
Total 154 questions