AWS Certified Advanced Networking Specialty Exam (ANS-C01) Free Questions - Part 6
Question No : 76) A network engineer has configured a private hosted zone using Amazon Route 53. The engineer needs to configure health checks for record sets within the zone that are associated with instances. How can the engineer meet the requirements?
A. Configure a Route 53 health check to a private IP associated with the instances inside the VPC to be checked.
B. Configure a Route 53 health check pointing to an Amazon SNS topic that notifies an Amazon CloudWatch alarm when the Amazon EC2 StatusCheckFailed metric fails.
C. Create a CloudWatch metric that checks the status of the EC2 StatusCheckFailed metric, add an alarm to the metric, and then create a health check that is based on the state of the alarm.
D. Create a CloudWatch alarm for the StatusCheckFailed metric and choose Recover this instance, selecting a threshold value of 1.
Question No : 77) A Lambda function needs to access the private address of an Amazon ElastiCache cluster in a VPC. The Lambda function also needs to write messages to Amazon SQS. The Lambda function has been configured to run in a subnet in the VPC. Which of the following actions meet the requirements? (Select two.)
A. The Lambda function needs an IAM role to access Amazon SQS
B. The Lambda function must route through a NAT gateway or NAT instance in another subnet to access the public SQS API.
C. The Lambda function must be assigned a public IP address to access the public Amazon SQS API.
D. The ElastiCache server outbound security group rules must be configured to permit the Lambda function’s security group.
E. The Lambda function must consume auto-assigned public IP addresses but not elastic IP addresses.
Question No : 78) You need to set up a VPN between AWS VPC and your on-premises network. You create a VPN connection in the AWS Management Console, download the configuration file, and install it on your on-premises router. The tunnel is not coming up because of firewall restrictions on your router. Which two network traffic options should you allow through the firewall? (Select two.)
A. UDP port 500
B. IP protocol 50
C. IP protocol 5
D. TCP port 50
E. TCP port 500
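An added example (not part of the original question set) that turns Question 78 into a check a practitioner can run against an edge firewall's allow list. It models what an AWS Site-to-Site VPN tunnel needs at the customer gateway: IKE on UDP 500, ESP as IP protocol 50 (which has no ports, so a TCP or UDP rule for "50" does nothing), and, as a caveat the question does not mention, UDP 4500 for NAT-T when the customer gateway sits behind NAT. The rule strings use a constructed, simplified grammar rather than any vendor's syntax, and the iptables suggestions assume a Linux-based customer gateway.

```python
"""Check an edge firewall's allow list for the flows an AWS Site-to-Site VPN
tunnel needs before the tunnel can come up.

Added example, not from the original page. The rule strings use a
constructed grammar ('allow <proto> [port]' or 'allow ip <number>'), not
any vendor's syntax.
"""

# IPsec with IKE needs these allowed between the customer gateway's public IP
# and the two AWS tunnel endpoints:
#   IKE/ISAKMP  UDP 500
#   NAT-T       UDP 4500 (IKE and ESP-in-UDP, only when the gateway is behind NAT)
#   ESP         IP protocol 50 (its own IP protocol; it has no ports)
# BGP (TCP 179) runs inside the tunnel, so no outer firewall rule is needed for it.
REQUIRED_FLOWS = {
    "ike":   ("udp", 500),
    "nat-t": ("udp", 4500),
    "esp":   ("esp", None),
}

# IP protocol numbers that show up in rules written as 'allow ip <number>'.
PROTOCOL_NAMES = {6: "tcp", 17: "udp", 50: "esp", 51: "ah"}


def parse_rule(rule):
    """Turn 'allow udp 500', 'allow ip 50' or 'allow esp' into (proto, port).
    port is None for port-less protocols and for 'allow udp' with no port."""
    parts = rule.lower().split()
    if len(parts) < 2 or parts[0] != "allow":
        raise ValueError(f"unsupported rule: {rule!r}")
    proto = parts[1]
    if proto == "ip":
        number = int(parts[2])
        return (PROTOCOL_NAMES.get(number, f"ip{number}"), None)
    if proto in ("tcp", "udp") and len(parts) > 2:
        return (proto, int(parts[2]))
    return (proto, None)


def missing_flows(rules, behind_nat=True):
    """Names of required flows the rule list does not allow, in REQUIRED_FLOWS order."""
    allowed = {parse_rule(r) for r in rules}
    missing = []
    for name, (proto, port) in REQUIRED_FLOWS.items():
        if name == "nat-t" and not behind_nat:
            continue
        # 'allow udp' with no port covers every UDP port.
        if (proto, port) in allowed or (proto, None) in allowed:
            continue
        missing.append(name)
    return missing


# iptables equivalents for a Linux-based customer gateway (assumed platform).
IPTABLES_FIX = {
    "ike":   "iptables -A INPUT -p udp --dport 500 -j ACCEPT",
    "nat-t": "iptables -A INPUT -p udp --dport 4500 -j ACCEPT",
    "esp":   "iptables -A INPUT -p esp -j ACCEPT",
}


def suggest_fixes(rules, behind_nat=True):
    return [IPTABLES_FIX[name] for name in missing_flows(rules, behind_nat)]


# Constructed rule set that mirrors the question's wrong choices: TCP rules
# where ESP is needed, with IKE on UDP 500 already present.
ROUTER_RULES = ["allow tcp 500", "allow tcp 50", "allow udp 500"]

if __name__ == "__main__":
    for line in suggest_fixes(ROUTER_RULES):
        print(line)
```

Running the block against the constructed rule set reports ESP (and NAT-T) as missing; "allow tcp 50" is the classic mistake the question is probing, since protocol 50 is not a TCP port.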
Question No : 79) An organization has ordered a new AWS Direct Connect connection. The AWS Management Console reports that the connection is available and BGP status is up. However, the networking team is not able to reach instances in the VPC by pinging their private IP addresses from the organization's network. What could cause this connectivity issue? (Choose two.)
A. The VGW is not advertising the correct CIDR range back on-premises.
B. The instance security group does not allow ICMP traffic.
C. A public virtual interface must be configured for Amazon EC2 connectivity.
D. The on-premises router is not advertising the correct CIDR range to AWS.
E. There is a misconfiguration of the bi-directional forwarding detection.
Question No : 80) A network engineer is deploying an application on an Amazon EC2 instance. The instance is reachable within the VPC through its private IP address and from the internet using an elastic IP address. Clients are connecting to the instance over the Internet and within the VPC, and the application needs to be identified by a single custom Fully Qualified Domain Name that is publicly resolvable –‘app.example.com’. Instances within the VPC should always connect to the private IP to minimize data transfer costs. How should the engineer configure DNS to support these requirements?
A. Use Amazon Route 53 to create a geo-based routing entry for the hostname ‘app’ in the DNS zone ‘example.com’.
B. Create two A record entries for ‘app’ in the DNS zone ‘example.com’ – one for the public IP and one for the private IP.
C. Use Route 53 to create an ALIAS record to the public DNS name for the instance.
D. Create a CNAME for ‘app’ in the DNS zone ‘example.com’ to the public DNS name for the Amazon EC2 instance.
Question No : 81) A company's developers wrote an AWS Lambda function to modify existing private route tables in response to a security appliance's auto scaling events. The Lambda function will be invoked on lifecycle hooks for an Auto Scaling group and is configured to run in a VPC. The developers are unsure if the following IAM policy provides sufficient permissions to be used as an execution role for this Lambda function.
The developers ask a network engineer to review the permissions. Which set of permissions should the network engineer add to the policy?
A. lambda:ListFunctions, lambda:GetPolicy, and ec2:DeleteRouteTable
B. ec2:AssociateAddress, ec2:ModifyInstanceAttribute, and ec2:AssociateRouteTable
C. ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, and ec2:ReplaceRoute
D. ec2:DescribeLifecycleHooks, ec2:DescribeScalingActivities, and ec2:DescribePolicies
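An added example (not from the original question set) for Question 81. The policy the question refers to is not reproduced on this page, so the block constructs a stand-in policy of its own and checks it against the actions a VPC-attached Lambda function needs: the elastic-network-interface actions the Lambda service requires for any function that runs in a VPC, the CloudWatch Logs actions for function logging, and the route-table actions this particular function calls. The required-action lists and the policy evaluation rules here (explicit Deny beats Allow, wildcard action names, Resource and Condition ignored) are the editor's, not the exam's.

```python
"""Check an IAM execution-role policy against the actions a VPC-attached
Lambda function needs.

Added example, not from the original page. CANDIDATE_POLICY is a
constructed stand-in for the policy the question refers to; the
required-action lists are the editor's."""
import fnmatch
import json

# A function configured to run in a VPC needs these so the Lambda service can
# create and remove the elastic network interfaces it places in the subnets.
VPC_ENI_ACTIONS = [
    "ec2:CreateNetworkInterface",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DeleteNetworkInterface",
]
# Writing function logs to CloudWatch Logs.
LOGGING_ACTIONS = ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"]
# What this particular function does: rewrite routes in existing tables.
ROUTE_ACTIONS = ["ec2:DescribeRouteTables", "ec2:ReplaceRoute"]

# Constructed policy: covers routing and logging but not the ENI actions.
CANDIDATE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeRouteTables", "ec2:ReplaceRoute"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "logs:*",
     "Resource": "arn:aws:logs:*:*:*"}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    # IAM action names are case-insensitive and may use '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def allowed_actions(policy, actions):
    """Subset of `actions` the policy allows. An explicit Deny beats any Allow,
    as in IAM evaluation. Resource and Condition elements are ignored here and
    NotAction statements are rejected; a real review must handle both."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        if "NotAction" in stmt:
            raise ValueError("NotAction statements are not supported by this check")
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in actions:
            if _matches(stmt.get("Action", []), action):
                bucket.add(action)
    return allowed - denied


def missing_actions(policy, required):
    """Required actions the policy does not grant, in the order given."""
    granted = allowed_actions(policy, required)
    return [a for a in required if a not in granted]


def review(policy=CANDIDATE_POLICY):
    """Everything this VPC-attached, route-rewriting function needs but lacks."""
    return missing_actions(policy, VPC_ENI_ACTIONS + LOGGING_ACTIONS + ROUTE_ACTIONS)


if __name__ == "__main__":
    for action in review():
        print("missing:", action)
```

For the constructed policy, review() returns exactly the three ENI actions, which is the gap a network engineer would expect in a policy written without VPC attachment in mind; ec2:ReplaceRoute is what the function needs to change existing routes, whereas ec2:DeleteRouteTable and ec2:AssociateRouteTable would grant far more than modifying routes in place.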
Question No : 82) An organization has created a web application inside a VPC and wants to make it available to 200 client VPCs. The client VPCs are in the same region but are owned by other business units within the organization. What is the best way to meet this requirement, without making the application publicly available?
A. Configure the application as an AWS PrivateLink-powered service, and have the client VPCs connect to the endpoint service by using an interface VPC endpoint.
B. Enable VPC peering between the web application VPC and all client VPCs.
C. Deploy the web application behind an internet-facing Application Load Balancer and control which clients have access by using security groups.
D. Deploy the web application behind an internal Application Load Balancer and control which clients have access by using security groups.
Question No : 83) Changes made to a security group attached to an Application Load Balancer resulted in connectivity issues for a company's production web application. The Network Engineer needs to lock down permissions for the company's AWS account, automate auditing for any changes, and set up notifications. What actions should accomplish this?
A. Configure IAM user policies to lock down permissions for specific users. Enable AWS CloudTrail to identify API calls from users. Use AWS Config to audit any changes, and configure Amazon SNS to send notifications.
B. Configure IAM user policies to lock down permissions for specific users. Enable AWS CloudTrail to identify the API calls from users. Configure AWS CodeCommit to audit any changes in configurations, and configure Amazon SNS to send notifications.
C. Configure IAM user policies to lock down permissions for specific users. Enable AWS CloudTrail to identify the API calls from users. Configure Amazon Macie to use machine learning to identify any configuration changes, and configure Amazon SNS to send notifications.
D. Configure IAM role policies to lock down permissions for specific users. Configure Amazon GuardDuty to audit and monitor configuration changes, and configure Amazon SNS to send notifications.
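An added example (not from the original question set) for Question 83, showing the detection half of the requirement: what an auditing step has to pull out of CloudTrail when a security group attached to a production load balancer is changed. The log records, account ID, user names and security group IDs are constructed, and WATCHED_GROUPS stands in for the groups attached to the production ALB. The record shapes follow CloudTrail's EC2 event format (requestParameters.groupId and the nested ipPermissions.items structure).

```python
"""Detect security-group changes in CloudTrail records and shape them into
alert findings.

Added example, not from the original page. The log records, account ID,
user names and group IDs are constructed; WATCHED_GROUPS stands for the
security groups attached to the production load balancer."""
import json

# Mutating EC2 API calls that change what a security group permits.
SG_MUTATIONS = {
    "AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
    "ModifySecurityGroupRules", "DeleteSecurityGroup",
}
WATCHED_GROUPS = {"sg-0a1b2c3d4e5f60001"}   # assumed ALB security group

# Constructed CloudTrail log file: one ingress change on the ALB group that
# opens SSH to the world, one read-only call, one revoke on another group,
# and one denied delete attempt against the ALB group.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-05-01T10:15:02Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f60001", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-05-01T10:16:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeSecurityGroups", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {}},
    {"eventTime": "2024-05-01T11:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RevokeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/NetOps/bob"},
     "requestParameters": {"groupId": "sg-0f0f0f0f0f0f0f0f0", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2024-05-01T11:30:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DeleteSecurityGroup", "sourceIPAddress": "198.51.100.7",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/carol"},
     "requestParameters": {"groupId": "sg-0a1b2c3d4e5f60001"}},
]})


def sample_records():
    return json.loads(SAMPLE_LOG)["Records"]


def _world_open(params):
    """True if the request carries a rule whose source is 0.0.0.0/0 or ::/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        v4 = perm.get("ipRanges", {}).get("items", [])
        v6 = perm.get("ipv6Ranges", {}).get("items", [])
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in v4):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in v6):
            return True
    return False


def find_sg_changes(records, watched=WATCHED_GROUPS):
    """One finding per mutating security-group call. Failed calls are kept:
    a denied DeleteSecurityGroup on a production group is itself worth an alert."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com" or rec.get("eventName") not in SG_MUTATIONS:
            continue
        params = rec.get("requestParameters") or {}
        group = params.get("groupId")
        findings.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "group": group,
            "actor": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "production": group in watched,
            "world_open": rec["eventName"].startswith("Authorize") and _world_open(params),
            "failed": "errorCode" in rec,
        })
    return findings


def severity(finding):
    if finding["production"] and finding["world_open"]:
        return "critical"
    if finding["production"] or finding["world_open"]:
        return "high"
    return "medium"


def alert_lines(records=None):
    """SNS-ready one-liners, highest severity first."""
    records = sample_records() if records is None else records
    rank = {"critical": 0, "high": 1, "medium": 2}
    found = sorted(find_sg_changes(records), key=lambda f: rank[severity(f)])
    return [f"[{severity(f).upper()}] {f['action']} on {f['group']} by {f['actor']} "
            f"from {f['source_ip']}" + (" (DENIED)" if f["failed"] else "") for f in found]


if __name__ == "__main__":
    print("\n".join(alert_lines()))
```

In a deployed setup this logic would sit behind CloudTrail (via EventBridge or an AWS Config rule) with the resulting lines published to an SNS topic; the read-only DescribeSecurityGroups call is ignored, the denied delete is still reported because the attempt itself matters, and the production-plus-world-open combination is what turns a routine change into a critical alert.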
Question No : 84) A financial services company receives real-time stock quotes in its ingestion VPC. The company plans to perform customer-specific data analysis on the stock quotes in various VPCs. The stock quotes must be distributed simultaneously from Amazon EC2 instances in the ingestion VPC to EC2 instances in the data analysis VPCs. Which set of configuration steps should the company take to meet these requirements?
A. Configure EC2 instances in the ingestion VPC as IP unicast senders. Configure a transit gateway to serve as a unicast router for instances that send traffic destined for the EC2 instances in the data analysis VPCs.
B. Configure VPC peering between the ingestion VPC and the data analysis VPCs. Configure an Application Load Balancer to distribute Virtual Extensible LAN (VXLAN)-encapsulated traffic from the sender EC2 instances to the receiver EC2 instances.
C. Configure EC2 instances in the ingestion VPC as IP multicast senders. Configure a transit gateway to serve as a multicast router for instances that send traffic destined for the EC2 instances in the data analysis VPCs.
D. Configure Amazon Kinesis Data Firehose to capture streaming data from the ingestion VPC and load the data into Amazon S3. Configure the instances in the data analysis VPCs to download the data from Amazon S3 for processing.
Question No : 85) A company with several VPCs in the us-east-1 Region wants to reduce the cost of its workloads. A network engineer has identified that all traffic bound to Amazon services is flowing through a NAT gateway. Additionally, all the VPCs are peered to a hub VPC for access to common services.
A. Disable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain us-east-1.sqs.amazonaws.com. Create a CNAME record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
B. Disable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain sqs.us-east-1.amazonaws.com. Create an alias record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
C. Enable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain sqs.us-east-1.amazonaws.com. Create a CNAME record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
D. Enable the private DNS name for the SQS endpoint. Create an Amazon Route 53 private hosted zone for the domain us-east-1.sqs.amazonaws.com. Create an alias record to the DNS name of the SQS endpoint. Share the private hosted zone with all other VPCs.
Question No : 86) A company wants to enforce a compliance requirement that its Amazon EC2 instances use only on-premises DNS servers for name resolution. Outbound DNS requests to all other name servers must be denied. A network engineer configures the following set of outbound rules for a security group.
The network engineer discovers that the EC2 instances are still able to resolve DNS requests by using Amazon DNS servers inside the VPC. Why is the solution failing to meet the compliance requirements?
A. The security group cannot filter outbound traffic to the Amazon DNS servers
B. The security group must have inbound rules to prevent DNS requests from coming back to EC2 instances.
C. The EC2 instances are using the HTTPS port to send DNS queries to Amazon DNS servers
D. The security group cannot filter outbound traffic to destinations within the same VPC
Question No : 87) A company has established an AWS Direct Connect connection between its customer gateway at its on-premises data center and a virtual private gateway in the AWS Cloud. The BGP routing protocol configuration includes the Autonomous System Number (ASN) of 7224 on the AWS end of the connection and the BGP ASN of 65004 on the company end of the connection. The company's IT administrators report that servers that run at the on-premises data center are not able to communicate with the company's web application that runs on a fleet of Amazon EC2 instances. A network engineer performs initial troubleshooting. The network engineer finds that the private VIF is operational and that there is a fully established BGP peering session. However, the company still cannot route traffic over the private VIF. Which of the following is a possible cause of this connectivity issue?
A. Firewall or ACL rules are blocking TCP port 179 or are blocking high-numbered ephemeral TCP ports.
B. The provider is advertising 50 prefixes for private VIFs.
C. VPC route tables are lacking prefixes that point to the virtual private gateway to which the private VIF is connected.
D. Peer IP addresses for both sides of the BGP peering session are not configured correctly.
Question No : 88) A company has an AWS Direct Connect connection between its on-premises data center and Amazon VPC. An application running on an Amazon EC2 instance in the VPC needs to access confidential data stored in the on-premises data center with consistent performance. For compliance purposes, data encryption is required. What should the network engineer do to meet these requirements?
A. Configure a public virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
B. Configure a private virtual interface on the Direct Connect connection. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
C. Configure an internet gateway in the VPC. Set up a software VPN between the customer gateway and an EC2 instance in the VPC.
D. Configure an internet gateway in the VPC. Set up an AWS Site-to-Site VPN between the customer gateway and the virtual private gateway in the VPC.
Question No : 89) An organization is replacing a tape backup system with a storage gateway. There is currently no connectivity to AWS. Initial testing is needed. What connection option should the organization use to get up and running at minimal cost?
A. Use an internet connection.
B. Set up an AWS VPN connection.
C. Provision an AWS Direct Connect private virtual interface.
D. Provision a Direct Connect public virtual interface.
Question No : 90) A multinational organization has applications deployed in three different AWS regions. These applications must securely communicate with each other by VPN. According to the organization's security team, the VPN must meet the following requirements: AES 128-bit encryption; SHA-1 hashing; user access via SSL VPN; PFS using DH Group 2; ability to maintain/rotate keys and passwords; certificate-based authentication. Which solution should you recommend so that the organization meets the requirements?
A. AWS hardware VPN between the virtual private gateway and customer gateway
B. A third-party VPN solution deployed from AWS Marketplace
C. A private MPLS solution from an international carrier
D. AWS hardware VPN between the virtual private gateways in each region