Amazon Web Services ANS-C00 AWS Certified Advanced Networking-Specialty Exam Practice Test

Demo: 23 questions
Total 154 questions

AWS Certified Advanced Networking-Specialty Questions and Answers

Question 1

An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed.

What connection option should the organization use to get up and running at minimal cost?

Options:

A.

Use an internet connection.

B.

Set up an AWS VPN connection.

C.

Provision an AWS Direct Connect private virtual interface.

D.

Provision a Direct Connect public virtual interface.

Question 2

A corporate network routing table contains 624 individual RFC 1918 and public IP prefixes. You have two AWS Direct Connect connections. You configure a private virtual interface on both connections to a virtual private gateway. The virtual private gateway is not currently attached to a VPC. Neither BGP session will maintain the Established state on the customer router. The AWS Management Console reports the private virtual interfaces as Down.

What could you do to address the problem so that the AWS Management Console reports the private virtual interface as Available?

Options:

A.

Attach the virtual private gateway to a VPC and enable route propagation.

B.

Filter the public IP prefixes on the corporate network from the private virtual interface.

C.

Change the BGP advertisements from the corporate network to only be a default route.

D.

Attach the second virtual interface to an alternative virtual private gateway.

Question 3

A gaming company is running an online multiplayer game in multiple AWS Regions. The company needs traffic from its end users to be routed to the Region that is closest to the end users geographically. When maintenance occurs in a Region, traffic must be routed to the next closest Region with no changes to the IP addresses being used as connections by the end users.

Which solution will meet these requirements?

Options:

A.

Create an Amazon CloudFront distribution in front of all the Regions

B.

Use an Amazon Route 53 geoproximity routing policy to navigate traffic to the closest Region

C.

Use an Amazon Route 53 geolocation routing policy to navigate traffic to the closest Region

D.

Configure AWS Global Accelerator in front of all the Regions

Question 4

A company has an application running in an Amazon VPC that must be able to communicate with on-premises resources in a data center. Network traffic between AWS and the data center will initially be minimal, but will increase to more than 10 Gbps over the next few months. The company's goal is to launch the application as quickly as possible.

The Network Engineer has been asked to design a hybrid IT connectivity solution.

What should be done to meet these requirements?

Options:

A.

Submit a 1 Gbps AWS Direct Connect connection request, then increase the number of Direct Connect connections, as needed.

B.

Allocate elastic IPs to Amazon EC2 instances for temporary access to on-premises resources, then provision AWS VPN connections between an Amazon VPC and the data center.

C.

Provision an AWS VPN connection between an Amazon VPC and the data center, then submit an AWS Direct Connect connection request. Later, cut over from the VPN connection to one or more Direct Connect connections, as needed.

D.

Provision a 100 Mbps AWS Direct Connect connection between an Amazon VPC and the data center, then submit a Direct Connect connection request. Later, cut over from the hosted connection to one or more Direct Connect connections, as needed.

Question 5

A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The Lambda function also needs to write messages to Amazon SQS. The Lambda function has been configured to run in a subnet in the VPC.

Which of the following actions meet the requirements? (Select two.)

Options:

A.

The Lambda function needs an IAM role to access Amazon SQS

B.

The Lambda function must route through a NAT gateway or NAT instance in another subnet to access the public SQS API.

C.

The Lambda function must be assigned a public IP address to access the public Amazon SQS API.

D.

The ElastiCache server outbound security group rules must be configured to permit the Lambda function’s security group.

E.

The Lambda function must consume auto-assigned public IP addresses but not elastic IP addresses.

Question 6

A team implements a highly available solution using Amazon AppStream 2.0. The AppStream 2.0 fleet needs to communicate with resources both in an existing VPC and on-premises. The VPC is connected to the on-premises environment using an AWS Direct Connect private virtual interface.

What implementation enables on-premises users to connect to AppStream and existing VPC resources?

Options:

A.

Deploy two subnets into the existing VPC. Add a public virtual interface to the Direct Connect connection for users to access the AppStream endpoint

B.

Deploy two subnets into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.

C.

Deploy a new VPC with two subnets. Create a VPC peering connection between the two VPCs for users to access the AppStream endpoint.

D.

Deploy one subnet into the existing VPC. Add a private virtual interface on the Direct Connect connection for users to access the AppStream endpoint.

Question 7

An organization is deploying an application in a VPC that requires SSL mutual authentication with a client-side certificate, as that is the primary method of identifying clients. The Network Engineer has been tasked with defining the mechanism used within AWS to provide the SSL mutual authentication.

Which of the following options meets the organization's requirements?

Options:

A.

Use a Classic Load Balancer and upload the client certificate private keys to it. Perform SSL mutual authentication of the client-side certificate there.

B.

Use a Network Load Balancer with a TCP listener on port 443, and pass the request through for the SSL mutual authentication to be handled by a backend instance.

C.

Use an Application Load Balancer and upload the client certificate private keys to it by using the native server name indication (SNI) features with smart certificate selection to handle multiple calling applications.

D.

Front the application with Amazon API Gateway, and use its client-side SSL mutual authentication feature that uses the backend instances to verify the source of the request.

Question 8

You are configuring a virtual interface for access to your VPC on a newly provisioned 1-Gbps AWS Direct Connect connection. Which two configuration values do you need to provide? (Select two.)

Options:

A.

Public AS number

B.

VLAN ID

C.

IP prefixes to advertise

D.

Direct Connect location

E.

Virtual private gateway

Question 9

A multinational organization has applications deployed in three different AWS regions. These applications must securely communicate with each other by VPN. According to the organization’s security team, the VPN must meet the following requirements:

  • AES 128-bit encryption
  • SHA-1 hashing
  • User access via SSL VPN
  • PFS using DH Group 2
  • Ability to maintain/rotate keys and passwords
  • Certificate-based authentication

Which solution should you recommend so that the organization meets the requirements?

Options:

A.

AWS hardware VPN between the virtual private gateway and customer gateway

B.

A third-party VPN solution deployed from AWS Marketplace

C.

A private MPLS solution from an international carrier

D.

AWS hardware VPN between the virtual private gateways in each region

Question 10

A legacy, on-premises web application cannot be load balanced effectively. There are both planned and unplanned events that cause usage spikes to millions of concurrent users. The existing infrastructure cannot handle the usage spikes. The CIO has mandated that the application be moved to the cloud to avoid further disruptions, with the additional requirement that source IP addresses be unaltered to support network traffic-monitoring needs. Which of the following designs will meet these requirements?

Options:

A.

Use an Auto Scaling group of Amazon EC2 instances behind a Classic Load Balancer.

B.

Use an Auto Scaling group of EC2 instances in a target group behind an Application Load Balancer.

C.

Use an Auto Scaling group of EC2 instances in a target group behind a Classic Load Balancer.

D.

Use an Auto Scaling group of EC2 instances in a target group behind a Network Load Balancer.

Question 11

DNS name resolution must be provided for services in the following four zones:

company.private.

emea.company.private.

apac.company.private.

amer.company.private.

The contents of these zones are not considered sensitive; however, the zones only need to be used by services hosted in these VPCs, one per geographic region. Each VPC should resolve the names in all zones.

How can you use Amazon Route 53 to meet these requirements?

Options:

A.

Create a Route 53 Private Hosted Zone for each of the four zones and associate them with the three VPCs.

B.

Create a single Route 53 Private Hosted Zone for the zone company.private and associate it with the three VPCs.

C.

Create a Route 53 Public Hosted Zone for each of the four zones and configure the VPC DNS Resolver to forward.

D.

Create a single Route 53 Public Hosted Zone for the zone company.private and configure the VPC DNS Resolver to forward.

Question 12

You have a three-tier web application with separate subnets for Web, Applications, and Database tiers. Your CISO suspects your application will be the target of malicious activity. You are tasked with notifying the security team in the event your application is port scanned by external systems.

Which two AWS services could you leverage to build an automated notification system? (Select two.)

Options:

A.

Internet gateway

B.

VPC Flow Logs

C.

AWS CloudTrail

D.

Lambda

E.

AWS Inspector

Question 13

An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF.

What additional configuration is required to enable the applications in VPCs to communicate with each other and access on-premises resources?

Options:

A.

Configure each application VPC with a static route entry pointing the on-premises CIDR block to the software VPN instances.

B.

Configure the central VPC with a static route entry pointing the on-premises CIDR block to local VGWs.

C.

Advertise all application VPC CIDR blocks to on-premises resources via the VGW in the central VPC.

D.

Configure IPSec tunnels from the on-premises router into the software VPN instances with dynamic routing.

Question 14

A Network Engineer needs to be automatically notified when a certain TCP port is accessed on a fleet of Amazon EC2 instances running in an Amazon VPC.

Which of the following is the MOST reliable solution?

Options:

A.

Create an inbound rule in the VPC's network ACL that matches the TCP port. Create an Amazon CloudWatch alarm on the NetworkPackets metric for the ACL that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

B.

Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to notify the Administrator with Amazon SNS each time the TCP port is accessed.

C.

Create VPC Flow Logs that write to Amazon CloudWatch Logs, with a metric filter matching connections on the required port. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

D.

Install intrusion detection software on each Amazon EC2 instance and configure it to use the AWS CLI to publish to a custom Amazon CloudWatch metric each time the TCP port is accessed. Create a CloudWatch alarm on the resulting metric that uses Amazon SNS to notify the Administrator when the metric is greater than zero.

Question 15

A company’s web application is deployed on Amazon EC2 instances behind a public Application Load Balancer. The application flags malicious requests and uses an AWS Lambda function to add the offending IP addresses to the network ACL to block any further request for 24 hours. Recently, the application has been receiving more malicious requests, which causes the network ACL to reach its limit of allowed entries.

Which action should be taken to block more IP addresses, without compromising the existing security requirements?

Options:

A.

Update the AWS Lambda function to remove blocked entries from the network ACL after 2 hours.

B.

Update the AWS Lambda function to block malicious IPs in security groups rather than the network ACL.

C.

Update the AWS Lambda function to block malicious IPs in AWS WAF attached to the Application Load Balancer.

D.

Update the AWS Lambda function to add an additional network ACL to the subnets once the limit for the previous ones has been reached.

Question 16

A company has two redundant AWS Direct Connect connections to a VPC. The VPC is configured using BGP metrics so that one Direct Connect connection is used as the primary traffic path. The company wants the primary Direct Connect connection to fail to the secondary in less than one second.

What should be done to meet this requirement?

Options:

A.

Configure BGP on the company’s router with a keep-alive to 300 ms and the BGP hold timer to 900 ms.

B.

Enable Bidirectional Forwarding Detection (BFD) on the company’s router with a detection minimum interval of 300 ms and a BFD liveness detection multiplier of 3.

C.

Enable Dead Peer Detection (DPD) on the company’s router with a detection minimum interval of 300 ms and a DPD liveliness detection multiplier of 3.

D.

Enable Bidirectional Forwarding Detection (BFD) echo mode on the company’s router and disable sending the Internet Control Message Protocol (ICMP) IP packet requests.

Question 17

The Security department has mandated that all outbound traffic from a VPC toward an on-premises datacenter must go through a security appliance that runs on an Amazon EC2 instance.

Which of the following maximizes network performance on AWS? (Choose two.)

Options:

A.

Support for the enhanced networking drivers

B.

Support for sending traffic over the Direct Connect connection

C.

The instance sizes and families supported by the security appliance

D.

Support for placement groups within the VPC

E.

Security appliance support for multiple elastic network interfaces

Question 18

A company has an AWS Direct Connect connection between its on-premises data center and Amazon VPC. An application running on an Amazon EC2 instance in the VPC needs to access confidential data stored in the on-premises data center with consistent performance. For compliance purposes, data encryption is required.

What should the network engineer do to meet these requirements?

Options:

A.

Configure a public virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

B.

Configure a private virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

C.

Configure an internet gateway in the VPC. Set up a software VPN between the customer gateway and an EC2 instance in the VPC.

D.

Configure an internet gateway in the VPC. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.

Question 19

An organization delivers high-resolution, dynamic web content. Internet users access the content from a variety of platforms, including mobile, tablet, and desktop. Each platform receives a customized experience to account for the differences in viewing modes. A dedicated, automatically scaling fleet of Amazon EC2 instances is used for each platform to serve content based on path-based headers.

Which combination of services will MINIMIZE cost and MAXIMIZE performance? (Select two.)

Options:

A.

Amazon CloudFront with Lambda@Edge

B.

Network Load Balancer

C.

Amazon S3 static websites

D.

Amazon Route 53 with traffic flow policies

E.

Application Load Balancer

Question 20

A company has an application running on Amazon EC2 instances in a VPC. The application must publish custom metrics to Amazon CloudWatch in the same AWS Region. The metrics include proprietary information. All connectivity must be over private IP addresses.

Which solution will meet these requirements?

Options:

A.

Connect to CloudWatch through a NAT gateway

B.

Connect to CloudWatch through a gateway endpoint

C.

Connect to CloudWatch through an internet gateway

D.

Connect to CloudWatch through an interface endpoint

Question 21

A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable: ‘app.example.com’.

Instances within the VPC should always connect to the private IP to minimize data transfer costs.

How should the engineer configure DNS to support these requirements?

Options:

A.

Use Amazon Route 53 to create a geo-based routing entry for the hostname ‘app’ in the DNS zone ‘example.com’.

B.

Create two A record entries for ‘app’ in the DNS zone ‘example.com’ – one for the public IP and one for the private IP.

C.

Use Route 53 to create an ALIAS record to the public DNS name for the instance.

D.

Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.

Question 22

You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:

2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK

2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK

Why are ICMP responses not received by the on-premises system?

Options:

A.

The inbound network access control list is blocking the traffic

B.

The outbound network access control list is blocking the traffic

C.

The inbound security group is blocking the traffic.

D.

The outbound security group is blocking the traffic.

Question 23

A Network Engineer is troubleshooting a network connectivity issue for an instance within a public subnet that cannot connect to the internet. The first step the Engineer takes is to SSH to the instance via a local bastion within the VPC and run an ifconfig command to inspect the IP addresses configured on the instance. The output is as follows:

The Engineer notices that the command output does not contain a public IP address. In the AWS Management Console, the public subnet has a route to the internet gateway. The instance also has a public IP address associated with it.

What should the Engineer do next to troubleshoot this situation?

Options:

A.

Configure the public IP on the interface.

B.

Disable source/destination checking for the instance.

C.

Associate an Elastic IP address to the interface.

D.

Evaluate the security groups and the network access control list.
