AWS Certified Advanced Networking - Specialty v1.0 (ANS-C00)

Page:    1 / 8   
Total 110 questions

You have a global corporate network with 153 individual IP prefixes in your internal routing table. You establish a private virtual interface over AWS Direct Connect to a VPC that has an Internet gateway (IGW). All instances in the VPC must be able to route to the Internet via an IGW and route to the global corporate network via the VGW.
How should you configure your on-premises BGP peer to meet these requirements?

  • A. Configure AS-Prepending on your BGP session
  • B. Summarize your prefix announcement to less than 100
  • C. Announce a default route to the VPC over the BGP session
  • D. Enable route propagation on the VPC route table


Answer : D

You are building an application that provides real-time audio and video services to customers on the Internet. The application requires high throughput. To ensure proper audio and video transmission, minimal latency is required.
Which of the following will improve transmission quality?

  • A. Enable enhanced networking
  • B. Select G2 instance types
  • C. Enable jumbo frames
  • D. Use multiple elastic network interfaces


Answer : D

The Payment Card Industry Data Security Standard (PCI DSS) requires merchants that handle credit card data to use strong cryptography. These merchants must also use security protocols to protect sensitive data during transmission over public networks.
You are migrating your PCI DSS application from an on-premises SSL appliance and Apache to a VPC behind Amazon CloudFront.
How should you configure CloudFront to meet this requirement?

  • A. Configure the CloudFront Cache Behavior to require HTTPS and the CloudFront Origin's Protocol Policy to 'Match Viewer'.
  • B. Configure the CloudFront Cache Behavior to allow TCP connections and to forward all requests to the origin without TLS termination at the edge.
  • C. Configure the CloudFront Cache Behavior to require HTTPS and to forward requests to the origin via AWS Direct Connect.
  • D. Configure the CloudFront Cache Behavior to redirect HTTP requests to HTTPS and to forward request to the origin via the Amazon private network.


Answer : C

You deploy your Internet-facing application in the us-west-2 (Oregon) region. To manage this application and upload content from your corporate network, you have a 1-Gbps AWS Direct Connect connection with a private virtual interface via one of the associated Direct Connect locations. In normal operation, you use approximately 300 Mbps of the available bandwidth, which is more than your Internet connection from the corporate network.
You need to deploy another identical instance of the application in us-east-1 (N. Virginia) as soon as possible. You need to use the benefits of Direct Connect. Your design must be the most effective solution regarding cost, performance, and time to deploy.
Which design should you choose?

  • A. Use the inter-region capabilities of Direct Connect to establish a private virtual interface from us-west-2 Direct Connect location to the new VPC in us-east-1.
  • B. Deploy an IPsec VPN over your corporate Internet connection to us-east-1 to provide access to the new VPC.
  • C. Use the inter-region capabilities of Direct Connect to deploy an IPsec VPN over a public virtual interface to the new VPC in us-east-1.
  • D. Use VPC peering to connect the existing VPC in us-west-2 to the new VPC in us-east-1, and then route traffic over Direct Connect and transit the peering connection.


Answer : A

Your company has a 1-Gbps AWS Direct Connect connection to AWS. Your company needs to send traffic from on-premises to a VPC owned by a partner company. The connectivity must have minimal latency at the lowest price.
Which of the following connectivity options should you choose?

  • A. Create a new Direct Connect connection, and set up a new circuit to connect to the partner VPC using a private virtual interface.
  • B. Create a new Direct Connect connection, and leverage the existing circuit to connect to the partner VPC.
  • C. Create a new private virtual interface, and leverage the existing connection to connect to the partner VPC.
  • D. Enable VPC peering and use your VPC as a transitive point to reach the partner VPC.


Answer : D

An organization wants to process sensitive information using the Amazon EMR service. The information is stored in on-premises databases. The output of processing will be encrypted using AWS KMS before it is uploaded to a customer-owned Amazon S3 bucket. The current configuration includes a VPC with public and private subnets, with VPN connectivity to the on-premises network. The security organization does not allow Amazon EC2 instances to run in the public subnet.
What is the MOST simple and secure architecture that will achieve the organization's goal?

  • A. Use the existing VPC and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
  • B. Use the existing VPC and a NAT gateway, and configure Amazon EMR in a private subnet with an Amazon S3 endpoint.
  • C. Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint.
  • D. Create a new VPC without an IGW and configure the VPN and Amazon EMR in a private subnet with an Amazon S3 endpoint and a NAT gateway.


Answer : B

An organization has three AWS accounts, each containing VPCs in the Virginia, Canada, and Sydney regions. The organization wants to determine whether all available Elastic IP addresses (EIPs) in these accounts are attached to Amazon EC2 instances or in-use elastic network interfaces (ENIs) in all of the specified regions for compliance and cost-optimization purposes.
Which of the following meets the requirements with the LEAST management overhead?

  • A. Use an Amazon CloudWatch Events rule to schedule an AWS Lambda function in each account in all three regions to find the unattached and unused EIPs.
  • B. Use a CloudWatch event bus to schedule Lambda functions in each account in all three regions to find the unattached and unused EIPs.
  • C. Add an AWS managed, EIP-attached AWS Config rule in each region in all three accounts to find unattached and unused EIPs.
  • D. Use AWS CloudFormation StackSets to deploy an AWS Config EIP-attached rule in all accounts and regions to find the unattached and unused EIPs.


Answer : C

A Systems Administrator is designing a hybrid DNS solution with split-view. The apex domain "example.com" should be served through name servers across multiple top-level domains (TLDs). The name server for subdomain "dev.example.com" should reside on-premises. The administrator has decided to use Amazon Route 53 to achieve this scenario.
What procedural steps must be taken to implement the solution?

  • A. Use a Route 53 public hosted zone for example.com and a private hosted zone for dev.example.com
  • B. Use a Route 53 public and private hosted zone for example.com and perform subdomain delegation for dev.example.com
  • C. Use a Route 53 public hosted zone for example.com and perform subdomain delegation for dev.example.com
  • D. Use a Route 53 private hosted zone for example.com and perform subdomain delegation for dev.example.com


Answer : A

DNS name resolution must be provided for services in the following four zones:


The contents of these zones are not considered sensitive; however, the zones only need to be used by services hosted in these VPCs, one per geographic region.
Each VPC should resolve the names in all zones.
How can you use Amazon Route 53 to meet these requirements?

  • A. Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.
  • B. Create a single Route 53 Private Hosted Zone for the zone company.private. and associate it with the three VPCs.
  • C. Create a Route 53 Public Hosted Zone for each of the four zones and configure the VPC DNS Resolver to forward
  • D. Create a single Route 53 Public Hosted Zone for the zone company.private. and configure the VPC DNS Resolver to forward


Answer : D

An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed.
What connection option should the organization use to get up and running at minimal cost?

  • A. Use an internet connection.
  • B. Set up an AWS VPN connection.
  • C. Provision an AWS Direct Connect private virtual interface.
  • D. Provision a Direct Connect public virtual interface.


Answer : A

All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that it is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server.

  • A. The NAT gateway does not support UDP traffic.
  • B. The authentication server is not accepting traffic.
  • C. The NAT gateway cannot allocate more ports.
  • D. The NAT gateway is launched in a private subnet.


Answer : C

An organization is using a VPC endpoint for Amazon S3. When the security group rules for a set of instances were initially configured, access was restricted to allow traffic only to the IP addresses of the Amazon S3 API endpoints in the region from the published JSON file. The application was working properly, but now is logging a growing number of timeouts when connecting with Amazon S3. No internet gateway is configured for the VPC.
Which solution will fix the connectivity failures with the LEAST amount of effort?

  • A. Create a Lambda function to update the security group based on AmazonIPSpaceChanged notifications.
  • B. Update the VPC routing to direct Amazon S3 prefix-list traffic to the VPC endpoint using the route table APIs.
  • C. Update the application server's outbound security group to use the prefix-list for Amazon S3 in the same region.
  • D. Create an additional VPC endpoint for Amazon S3 in the same route table to scale the concurrent connections to Amazon.


Answer : C

A bank built a new version of its banking application in AWS using containers that connect to an on-premises database over a VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through the on-premises version of the application to serve the small portion of customers who haven't yet upgraded.
What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

  • A. Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS based version.
  • B. Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients to the on-premises application.
  • C. Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.
  • D. Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use host-header-based routing to route traffic based on the application version.


Answer : B

A company is deploying a non-web application on an AWS load balancer. All targets are servers located on-premises that can be accessed by using AWS Direct Connect. The company wants to ensure that the source IP addresses of clients connecting to the application are passed all the way to the end server.
How can this requirement be achieved?

  • A. Use a Network Load Balancer to automatically preserve the source IP address.
  • B. Use a Network Load Balancer and enable the X-Forwarded-For attribute.
  • C. Use a Network Load Balancer and enable the ProxyProtocol v2 attribute.
  • D. Use an Application Load Balancer to automatically preserve the source IP address in the X-Forwarded-For header.


Answer : D

An AWS CloudFormation template is being used to create a VPC peering connection between two existing operational VPCs, each belonging to a different AWS account. All necessary components in the 'Remote' (receiving) account are already in place.
The template below creates the VPC peering connection in the Originating account. It contains these components:


Which additional AWS CloudFormation components are necessary in the Originating account to create an operational cross-account VPC peering connection with AWS CloudFormation? (Choose two.)
A.

B.

C.

D.

E.



Answer : DE
