Amazon ANS-C01 Exam
Amazon AWS Certified Advanced Networking - Specialty
Questions & Answers PDF (Demo Version - Limited Content)
Version: 8.0
https://www.certifiedumps.com/amazon/ans-c01-dumps.html

Question: 1
A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend.
Which solution will meet these requirements?
A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
B. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods.
C. Create a target group. Add the EKS managed node group's Auto Scaling group as a target. Create an
Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group.
D. Create a target group. Add the EKS managed node group's Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group.
Answer: B
Explanation:
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html#target-group-protocol-version
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/deploy-a-grpc-based-application-on-an-amazon-eks-cluster-and-access-it-with-an-application-load-balancer.html

Question: 2
A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user's IP address so that the company can keep accurate logs for security purposes.
Which solution will meet these requirements?
A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets.
B. Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X-Forwarded-For request header with traffic to the targets.
C. Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets.
D. Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets.
Answer: A
Explanation:
An Application Load Balancer (ALB) can be used to route traffic to multiple target groups based on the URL in the request. The ALB can be configured with an HTTPS listener to ensure all traffic uses HTTPS. TLS processing can be offloaded to the ALB, which reduces the load on the web server. Path-based routing rules can be used to route traffic to the correct target group based on the URL in the request. The X-Forwarded-For request header can be included with traffic to the targets, which will allow the web server to know the user's IP address and keep accurate logs for security purposes.
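The X-Forwarded-For detail above is where logs kept "for security purposes" usually go wrong, so here is an added example (this editor's code, not part of the dump or any AWS sample) of how a web server behind the ALB should pick the client address: the ALB appends the address it actually saw to the end of the header, so the rightmost entry is the one to trust, and the header should be honoured only when the TCP peer really is an ALB node. The ALB subnet CIDRs and the request values are constructed assumptions.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed assumption: the subnets that hold the ALB's nodes. Anything else
# that reaches the web server did not come through the ALB.
ALB_SUBNETS = ("10.0.1.0/24", "10.0.2.0/24")


def client_ip_from_xff(xff_header: Optional[str], peer_ip: str,
                       alb_subnets: Iterable[str] = ALB_SUBNETS) -> str:
    """Return the address to log as the client for one request.

    The ALB appends the source address of the connection it received to the
    END of X-Forwarded-For (creating the header if the client sent none), so
    the rightmost entry is the one the ALB vouches for. Anything to its left
    was supplied by the client and can be arbitrary. The header is honoured
    only when the TCP peer is an ALB node; a request that bypassed the ALB is
    logged with its real peer address and its header is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    from_alb = any(peer in ipaddress.ip_network(n) for n in alb_subnets)
    if not from_alb or not xff_header:
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    if not hops:
        return str(peer)
    try:
        return str(ipaddress.ip_address(hops[-1]))   # the entry the ALB added
    except ValueError:
        return str(peer)                             # malformed: keep the peer


def access_log_line(method: str, path: str, xff_header: Optional[str], peer_ip: str) -> str:
    """One access-log line keyed on the trustworthy client address; the raw
    header is kept as well so a forged value is still visible in the log."""
    ip = client_ip_from_xff(xff_header, peer_ip)
    return f'{ip} "{method} {path}" xff="{xff_header or "-"}"'


if __name__ == "__main__":
    # Constructed request 1: the client injected a fake first hop (192.0.2.50);
    # the ALB then appended the address it actually saw (203.0.113.7).
    print(access_log_line("GET", "/login", "192.0.2.50, 203.0.113.7", "10.0.1.25"))
    # Constructed request 2: a direct connection that skipped the ALB and
    # forged the header; the peer address is logged instead.
    print(access_log_line("GET", "/login", "203.0.113.7", "198.51.100.9"))
```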
Question: 3
A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS.
The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint.
Which solution will meet these requirements?
A. Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.
B. Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port.
C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port.
D. Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound
Answer: A
Explanation:
Please read the link below, which describes ELB integration with AWS Global Accelerator (note the last line of the extract): https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc-connections.html "When you add an internal Application Load Balancer or an Amazon EC2 instance endpoint in AWS Global Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you don't need public IP addresses on the load balancer or EC2 instance. You also don't need an associated internet gateway route for the subnet."

Question: 4
A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC.
The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future.
Which solution will meet these requirements in the MOST secure manner?
A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway.
B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account.
C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC.
D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs.
Answer: C
Explanation:
Option C provides a secure and scalable solution using VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink enables private connectivity between VPCs and services without exposing the data to the public internet or using a VPN connection. By creating VPC endpoints in each application VPC, the company can securely access the central shared services VPC without the need for complex network configurations. Furthermore, PrivateLink supports cross-account connectivity, which makes it a scalable solution as more business units consume data from the central shared services VPC in the future.
Question: 5
A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS.
A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same time for about an hour each business day. The company wants to know which business unit is causing the sudden increase in throughput. The network engineer must find out this information and implement a solution to resolve the problem.
Which solution will meet these requirements?
A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
B. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the bandwidth of the existing dedicated connection to 10 Gbps.
C. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the existing dedicated connection to a 5 Gbps hosted connection.
D. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
Answer: A
Explanation:
To meet the requirements of finding out which business unit is causing the sudden increase in throughput and resolving the problem, the network engineer should review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed (Option B). After identifying the VIF that is causing the issue, they can upgrade the bandwidth of the existing dedicated connection to 10 Gbps to resolve the problem (Option B).

Question: 6
A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud.
A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)
A. Deploy the SaaS service endpoint behind a Network Load Balancer.
B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.
C. Deploy the SaaS service endpoint behind an Application Load Balancer.
D. Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.
E. Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the customers. Configure routing on the transit gateway.
Answer: AB
Explanation:
An NLB is used to create the PrivateLink endpoint service, which solves the overlapping IP address issue, with the SaaS service endpoint behind it (the SaaS endpoint could be an ALB). https://aws.amazon.com/about-aws/whats-new/2021/09/application-load-balancer-aws-privatelink-static-ip-addresses-network-load-balancer/

Question: 7
A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet.
The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)
A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
B. Set up AWS WAF on all network components.
C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.
Answer: DEF
Explanation:
To meet the requirements for the healthcare company's workload that is moving to the AWS Cloud, the network engineer should take the following steps:
Use AWS Direct Connect with MACsec support for connectivity to the cloud to ensure that all data to and from the on-premises environment is encrypted in transit (Option D).
Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection to inspect all traffic in the cloud before it is allowed to leave (Option E).
Configure AWS Shield Advanced and ensure that it is configured on all public assets to secure components exposed to the internet against DDoS attacks and provide protection against financial liability for services that scale out during a DDoS event (Option F).
These steps will help ensure that all data is encrypted in transit, all traffic is inspected before leaving the cloud, and components exposed to the internet are secured against DDoS attacks.
Question: 8
A retail company is running its service on AWS. The company's architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway.
The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)
A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
B. Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
C. Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
E. Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
Answer: AD
Explanation:
To investigate the increased usage of a NAT gateway in a VPC architecture with ALBs and backend EC2 instances, a network engineer can use the following options:
Enable VPC flow logs on the NAT gateway's elastic network interface and publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs. (Option A)
Enable VPC flow logs on the NAT gateway's elastic network interface and publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure and use Athena to query and analyze the logs. (Option D)
These options allow for detailed analysis of traffic through the NAT gateway to identify the source of increased usage.

Question: 9
A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6.
A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?
A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.
Answer: C

Question: 10
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to
implement a solution to deliver Network Firewall flow logs to the company's Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?
A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.
B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.
Answer: B
Explanation:
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-analyze-aws-network-firewall-logs-using-amazon-opensearch-service-part-1/
Question: 11
A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configured a VPC DHCP options set in all the VPCs that specifies the custom DNS servers to be used as domain name servers.
Multiple development teams in the company want to use Amazon Elastic File System (Amazon EFS). A development team has created a new EFS file system but cannot mount the file system to one of its Amazon EC2 instances. The network engineer discovers that the EC2 instance cannot resolve the IP address for the EFS mount point fs-33444567d.efs.us-east-1.amazonaws.com. The network engineer needs to implement a solution so that development teams throughout the organization can mount EFS file systems.
Which combination of steps will meet these requirements? (Choose two.)
A. Configure the BIND DNS servers in the central VPC to forward queries for efs.us-east-1.amazonaws.com to the Amazon provided DNS server (169.254.169.253).
B. Create an Amazon Route 53 Resolver outbound endpoint in the central VPC. Update all the VPC DHCP options sets to use AmazonProvidedDNS for name resolution.
C. Create an Amazon Route 53 Resolver inbound endpoint in the central VPC. Update all the VPC DHCP options sets to use the Route 53 Resolver inbound endpoint in the central VPC for name resolution.
D. Create an Amazon Route 53 Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers. Share the rule with the organization by using AWS Resource Access Manager (AWS RAM). Associate the rule with all the VPCs.
E. Create an Amazon Route 53 private hosted zone for the efs.us-east-1.amazonaws.com domain. Associate the private hosted zone with the VPC where the EC2 instance is deployed. Create an A
record for fs-33444567d.efs.us-east-1.amazonaws.com in the private hosted zone. Configure the A record to return the mount target of the EFS mount point.
Answer: BD
Explanation:
Option B suggests using Amazon Route 53 Resolver outbound endpoint, which would replace the existing BIND DNS servers with the AmazonProvidedDNS for name resolution. However, the scenario specifically mentions that the company is using custom DNS servers that run BIND for name resolution in its VPCs, so this solution would not work. Option D suggests creating a Route 53 Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers, which would not address the issue of resolving the EFS mount point. The problem is not with resolving queries for the on-premises domain, but rather with resolving the IP address for the EFS mount point.

Question: 12
An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed.
Which solution will meet these requirements?
A. Create an Application Load Balancer (ALB). Add an HTTPS listener to the ALB. Configure the Auto Scaling group to register instances with the ALB's target group.
B. Create an Amazon CloudFront distribution. Configure the distribution with a custom SSL/TLS certificate. Set the Auto Scaling group as the distribution's origin.
C. Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB's target group.
D. Create a Gateway Load Balancer (GLB). Configure the Auto Scaling group to register instances with the GLB's target group.
Answer: C
Explanation:
To distribute traffic from customers to EC2 instances in an Auto Scaling group and encrypt all traffic at all stages between the customers and the application servers without decryption at intermediate points, the company should create a Network Load Balancer (NLB) with a TCP listener and configure the Auto Scaling group to register instances with the NLB's target group (Option C). This solution allows for end-to-end encryption of traffic without decryption at intermediate points.

Question: 13
A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner.
What should the network engineer do to meet these requirements?
A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.
B. Change the router configurations to summarize the advertised routes.
C. Open a support ticket to increase the quota on advertised routes to the VPC route table.
D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC, and connect the Direct Connect gateway to the transit gateway.
Answer: B
Explanation:
"If you advertise more than 100 routes each for IPv4 and IPv6 over the BGP session, the BGP session will go into an idle state with the BGP session DOWN."
https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html
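To make the summarization in option B concrete, here is an added example (this editor's code, not from the dump or from AWS) that collapses an advertised prefix list under the 100-route limit quoted above and reports which address space the summaries now cover beyond the original prefixes, because an over-broad summary draws traffic for ranges the site does not actually use. The prefix lists are constructed, and the greedy merge order is this example's own choice, not a vendor algorithm.

```python
import ipaddress
from typing import List, Tuple

# Per-address-family limit quoted above from the Direct Connect quotas page.
BGP_ROUTE_QUOTA = 100


def common_supernet(a, b):
    """Smallest single prefix that contains both networks a and b."""
    p = min(a.prefixlen, b.prefixlen)
    while p > 0:
        cand = a.supernet(new_prefix=p)
        if b.subnet_of(cand):
            return cand
        p -= 1
    return a.supernet(new_prefix=0)


def uncovered(supernet, originals) -> list:
    """Ranges inside `supernet` that none of the original prefixes covered."""
    remaining = [supernet]
    for o in originals:
        if not o.subnet_of(supernet):
            continue
        nxt = []
        for r in remaining:
            if o.subnet_of(r):
                nxt.extend(r.address_exclude(o))   # carve o out of r
            elif not r.subnet_of(o):
                nxt.append(r)                      # r is not touched by o
        remaining = nxt                            # (r inside o: fully covered, dropped)
    return list(ipaddress.collapse_addresses(remaining))


def summarize_routes(prefixes: List[str], limit: int = BGP_ROUTE_QUOTA) -> Tuple[List[str], List[str]]:
    """Reduce an advertised prefix list to at most `limit` routes.

    First collapse prefixes that are exact aggregates of one another (lossless).
    If the list is still over the limit, repeatedly merge the pair whose common
    supernet is smallest, i.e. the merge that advertises the least address space
    the site does not actually use. Returns (routes, extra): the summarized
    routes and the ranges they advertise beyond the original prefixes.
    """
    if limit < 1:
        raise ValueError("limit must be at least 1")
    originals = list(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))
    nets = list(originals)
    while len(nets) > limit:
        best = None                                # (supernet, i, j) with the longest prefix
        for i in range(len(nets)):
            for j in range(i + 1, len(nets)):
                s = common_supernet(nets[i], nets[j])
                if best is None or s.prefixlen > best[0].prefixlen:
                    best = (s, i, j)
        s, i, j = best
        kept = [n for k, n in enumerate(nets) if k not in (i, j)]
        nets = list(ipaddress.collapse_addresses(kept + [s]))   # s may absorb others too
    extra = []
    for n in nets:
        extra.extend(uncovered(n, originals))
    return [str(n) for n in nets], [str(e) for e in extra]


if __name__ == "__main__":
    # Constructed input: the first data center's 110 /24s, as in the scenario above.
    site_a = [f"10.{i}.0.0/24" for i in range(110)]
    routes, extra = summarize_routes(site_a)
    print(f"{len(site_a)} prefixes -> {len(routes)} routes; {len(extra)} extra range(s) advertised")
    for e in extra[:5]:
        print("  now advertised but unused:", e)
```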
Question: 14
A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal.
The process to register a new service that runs on AWS requires a manual and complicated change request to the internal DNS. The process involves many teams.
The company wants to update the DNS registration process by giving the service creators access that will allow them to register their DNS records. A network engineer must design a solution that will achieve this goal. The solution must maximize cost-effectiveness and must require the least possible number of configuration changes.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)
A. Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access.
B. Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created.
C. Create an Amazon Route 53 Resolver rule to forward any queries made to onprem.example.internal to the on-premises DNS servers.
D. Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain.
E. Launch two Amazon EC2 instances in the shared AWS account. Install BIND on each instance. Create a DNS conditional forwarder on each BIND server to forward queries for each subdomain under aws.example.internal to the appropriate private hosted zone in each AWS account. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the IP addresses of the BIND servers.
F. Create a private hosted zone in the shared AWS account for each account that runs the service. Configure the private hosted zone to contain aws.example.internal in the domain (account1.aws.example.internal). Associate the private hosted zone with the VPC that runs the service and the shared account VPC.
Answer: ABD
Explanation:
To meet the requirements of updating the DNS registration process while maximizing cost-effectiveness and minimizing configuration changes, the network engineer should take the following steps:
Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created (Option B).
Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain (Option D).
Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access (Option A).
These steps will allow service creators to register their DNS records while keeping costs low and minimizing configuration changes.
Question: 15
A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs.
The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection.
Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones.
What should a network engineer do to resolve this issue?
A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing.
B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.
C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support.
D. Modify the transit gateway by selecting multicast support.
Answer: B
Explanation:
To resolve the issue of intermittent connections for traffic that crosses Availability Zones after configuring routing for traffic inspection between VPCs using a transit gateway and EC2 instances with IDS services in a shared services VPC, a network engineer should modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support (Option B). This will ensure that traffic is routed to the same EC2 instance for stateful inspection and prevent intermittent
Questions & Answers PDF
connections.
A. Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute
and the enableDnsSupport VPC attribute to true.
B. Create a new security group with an entry to allow outbound traffic that uses the TCP protocol on
port 443 to destination 0.0.0.0/0
C. Create a new security group with entries to allow inbound traffic that uses the TCP protocol on
port 443 from the IP prefixes of the private subnets.
D. Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and
com.amazonaws.us-west-2.monitoring. Associate the new security group with the endpoint network
interfaces.
E. Create the following interface VPC endpoint in the VPC: com.amazonaws.us-west-2.cloudwatch.
Associate the new security group with the endpoint network interfaces.
F. Associate the VPC endpoint or endpoints with route tables that the private subnets use.
A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the
us-west-2 Region. After a security audit, the company needs to remove the NAT gateway.
In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A
network engineer must create a solution to ensure that the unified CloudWatch agent continues to
work after the removal of the NAT gateway.
Which combination of steps should the network engineer take to meet these requirements? (Choose
three.)
Page 23
Question: 16
www.certifiedumps.com
Explanation:
Questions & Answers PDF
A. Set up an Amazon CloudFront distribution with origin failover. Create an origin group for each
Region where the solution is deployed.
An international company provides early warning about tsunamis. The company plans to use IoT
devices to monitor sea waves around the world. The data that is collected by the IoT devices must
reach the company’s infrastructure on AWS as quickly as possible. The company is using three
operation centers around the world. Each operation center is connected to AWS through Its own
AWS Direct Connect connection. Each operation center is connected to the internet through at least
two upstream internet service providers.
The company has its own provider-independent (PI) address space. The IoT devices use TCP protocols
for reliable transmission of the data they collect. The IoT devices have both landline and mobile
internet connectivity. The infrastructure and the solution will be deployed in multiple AWS Regions.
The company will use Amazon Route 53 for DNS services.
A network engineer needs to design connectivity between the IoT devices and the services that run
in the AWS Cloud.
Which solution will meet these requirements with the HIGHEST availability?
Page 24
Question: 17
Answer: B, D, F
www.certifiedumps.com
Explanation:
Questions & Answers PDF
https://aws.amazon.com/blogs/iot/automate-global-device-provisioning-with-aws-iot-core-and-
amazon-route-53/
A company is planning a migration of its critical workloads from an on-premises data center to
Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection
from the on-premises data center to a VPC that is attached to a transit gateway. The migration must
occur over encrypted paths between the on-premises data center and the AWS Cloud.
Which solution will meet these requirements while providing the HIGHEST throughput?
B. Set up Route 53 latency-based routing. Add latency alias records. For the latency alias records, set
the value of Evaluate Target Health to Yes.
C. Set up an accelerator in AWS Global Accelerator. Configure Regional endpoint groups and health
checks.
D. Set up Bring Your Own IP (BYOIP) addresses. Use the same PI addresses for each Region where the
solution is deployed.
Page 25
Question: 18
Answer: B
www.certifiedumps.com
Explanation:
Questions & Answers PDF
https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-
direct-connect-connections/
A network engineer must develop an AWS CloudFormation template that can create a virtual private
gateway, a customer gateway, a VPN connection, and static routes in a route table. During testing of
the template, the network engineer notes that the CloudFormation template has encountered an
error and is rolling back.
What should the network engineer do to resolve the error?
A. Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN
connection to the transit gateway as a VPN attachment.
B. Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an
EC2 instance that is running third-party VPN software.
C. Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect
gateway that is associated with the transit gateway.
D. Configure a public VIF on the Direct Connect connection. Configure two AWS Site-to-Site VPN
connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing.
Page 26
Question: 19
Answer: C
www.certifiedumps.com
Explanation:
Questions & Answers PDF
A. Change the order of resource creation in the CloudFormation template.
B. Add the DependsOn attribute to the resource declaration for the virtual private gateway. Specify
the route table entry resource.
C. Add a wait condition in the template to wait for the creation of the virtual private gateway.
D. Add the DependsOn attribute to the resource declaration for the route table entry. Specify the
virtual private gateway resource.
A company operates its IT services through a multi-site hybrid infrastructure. The company
deploys resources on AWS in the us-east-1 Region and in the eu-west-2 Region. The
company also deploys resources in its own data centers that are located in the United States
(US) and in the United Kingdom (UK). In both AWS Regions, the company uses a transit
gateway to connect 15 VPCs to each other. The company has created a transit gateway
peering connection between the two transit gateways. The VPC CIDR blocks do not overlap
with each other or with IP addresses used within the data centers. The VPC CIDR prefixes
can also be aggregated either on a Regional level or for the company's entire AWS
environment.
The data centers are connected to each other by a private WAN connection. IP routing
information is
exchanged dynamically through Interior BGP (iBGP) sessions. The data centers maintain
connectivity
to AWS through one AWS Direct Connect connection in the US and one Direct Connect
connection in
the UK. Each Direct Connect connection is terminated on a Direct Connect gateway and is
associated
Page 27
Question: 20
Answer: D
www.certifiedumps.com
Explanation:
A. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local
Direct Connect connection. Add the company's entire AWS environment aggregate route
to the list of subnets advertised through the local Direct Connect connection.
B. Add the CIDR prefixes from the other Region VPCs and the local VPC CIDR blocks to the
list of
subnets advertised through the local Direct Connect connection. Configure data center
routers to
make routing decisions based on the BGP communities received. C. Add the aggregate IP
prefix for the other Region and the local VPC CIDR blocks to the list of
subnets advertised through the local Direct Connect connection.
D. Add the aggregate IP prefix for the company's entire AWS environment and the local
VPC CIDR
blocks to the list of subnets advertised through the local Direct Connect connection.
E. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local
Direct
Connect connection. Add both Regional aggregate IP prefixes to the list of subnets
advertised
through the Direct Connect connection on both sides of the network. Configure data
center routers
to make routing decisions based on the BGP communities received.
Questions & Answers PDF Page 28
Traffic follows the shortest geographical path from source to destination. For example,
packets from
the UK data center that are targeted to resources in eu-west-2 travel across the local Direct
Connect
connection. In cases of cross-Region data transfers, such as from the UK data center to VPCs
in us-
east-1, the private WAN connection must be used to minimize costs on AWS. A network
engineer has
configured each transit gateway association on the Direct Connect gateway to advertise
VPC-specific
CIDR IP prefixes only from the local Region. The routes toward the other Region must be
learned
through BGP from the routers in the other data center in the original, non-aggregated form.
The company recently experienced a problem with cross-Region data transfers because of
issues with
its private WAN connection. The network engineer needs to modify the routing setup to
prevent
similar interruptions in the future. The solution cannot modify the original traffic routing
goal when
the network is operating normally.
Which modifications will meet these requirements? (Choose two.)
Answer: AD
More Related Content

PDF
Latest AWS ANS-C01 Exam Dumps with Explanations
PDF
MuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLB
PDF
Aws certified advanced networking specialty exam dumps
PPTX
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
PDF
Master the AWS SAP-C02 Exam with P2PCerts’ Verified Study Materials!
PDF
Pass Amazon SAP-C02 in 2025 – Trusted Prep for AWS Success
PDF
Nashik MuleSoft Virtual Meetup#1 - Shared and Dedicated Load Balancer
PPTX
MuleSoft Meetup Vancouver 5th Virtual Event
Latest AWS ANS-C01 Exam Dumps with Explanations
MuleSoft Surat Live Demonstration Virtual Meetup#1 - Anypoint VPC VPN and DLB
Aws certified advanced networking specialty exam dumps
Toronto Virtual Meetup #7 - Anypoint VPC, VPN and DLB Architecture
Master the AWS SAP-C02 Exam with P2PCerts’ Verified Study Materials!
Pass Amazon SAP-C02 in 2025 – Trusted Prep for AWS Success
Nashik MuleSoft Virtual Meetup#1 - Shared and Dedicated Load Balancer
MuleSoft Meetup Vancouver 5th Virtual Event

Similar to Clear Amazon ANS-C01 Exam with Certifiedumps (20)

PDF
AZ-700: Comprehensive Guide to Designing and Implementing Microsoft Azure Net...
PDF
Crack the AZ-700 Exam in 2025: Real Dumps, Networking Tips & Practice Questions
PPTX
CloudHub Load Balancers (SLB & DLB) | MuleSoft Mysore Meetup #21
PDF
Cisco 300-440 ENCC Practice PDF – Sharpen Your Certification Skills
PDF
Amazon AWS SAA-C03 Exam Dumps
PDF
CV0-003 Questions and Answers pdf dumps.pdf
PDF
Building a CI/CD driven infrastructure for managing kubernetes clusters on ba...
PDF
SAA-C03 Exam Dumps for 2025 – Pass Your AWS Associate Exam on First Attempt
PDF
Updated 2025 SAA-C03 Exam Guide – Pass AWS Solutions Architect Associate with...
PDF
SAA-C03 Practice Questions – Prepare Like a Pro for the AWS Exam
PDF
Start Your Cloud Career with the CompTIA CV0-004 Certification in 2025
PDF
CSG Huawei.pdf
PDF
Mastering PAS-C01 Unleash Your Potential with Amazondumps
PDF
"Simple Q&A PDF for CV0-003 Exam Preparation Guide"
PDF
2025 DumpsCafe Amazon Web Services-SOA-C02
DOCX
Updated SAA-C03 Dumps for 2024 Secure Your AWS Certification
PDF
Google cloud certified professional cloud developer practice dumps 2020
PDF
Guide to Network Security Fundamentals 6th Edition Ciampa Test Bank
PDF
PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT
PPTX
Enterprise grade firewall and ssl termination to ac by will stevens
AZ-700: Comprehensive Guide to Designing and Implementing Microsoft Azure Net...
Crack the AZ-700 Exam in 2025: Real Dumps, Networking Tips & Practice Questions
CloudHub Load Balancers (SLB & DLB) | MuleSoft Mysore Meetup #21
Cisco 300-440 ENCC Practice PDF – Sharpen Your Certification Skills
Amazon AWS SAA-C03 Exam Dumps
CV0-003 Questions and Answers pdf dumps.pdf
Building a CI/CD driven infrastructure for managing kubernetes clusters on ba...
SAA-C03 Exam Dumps for 2025 – Pass Your AWS Associate Exam on First Attempt
Updated 2025 SAA-C03 Exam Guide – Pass AWS Solutions Architect Associate with...
SAA-C03 Practice Questions – Prepare Like a Pro for the AWS Exam
Start Your Cloud Career with the CompTIA CV0-004 Certification in 2025
CSG Huawei.pdf
Mastering PAS-C01 Unleash Your Potential with Amazondumps
"Simple Q&A PDF for CV0-003 Exam Preparation Guide"
2025 DumpsCafe Amazon Web Services-SOA-C02
Updated SAA-C03 Dumps for 2024 Secure Your AWS Certification
Google cloud certified professional cloud developer practice dumps 2020
Guide to Network Security Fundamentals 6th Edition Ciampa Test Bank
PLNOG 7: Emil Gągała, Sławomir Janukowicz - carrier grade NAT
Enterprise grade firewall and ssl termination to ac by will stevens
Ad

More from 24servicehub (20)

PDF
Pass AWS AIF-C01 Easily with Certifiedumps Real Practice Dumps
PDF
Get Ready to Pass the Cisco 300-701 SCOR Exam with Confidence in 2025
PDF
Pass Your Cisco 200-301 CCNA Exam in 2025 with Confidence
PDF
Pass ADM-201 Exam in 2025 with Updated Dumps – Certifiedumps
PDF
Pass CCST-Networking Exam in 2025 with Updated Dumps PDF
PDF
Pass the CompTIA Security+ SY0-701 Exam in 2025 with Confidence – Certifiedumps
PDF
Master CISSP in 2025: Practice with Purpose, Pass with Confidence
PDF
Pass the AZ-500 Exam Easily with Certifiedumps Updated Dumps and Practice Tests
PDF
Pass Cisco 350-601 DCCOR Exam with Certifiedumps – Real Dumps for Data Center...
PDF
Clear Cisco 200-901 DEVASC Exam with Certifiedumps – Trusted Dumps for Fast C...
PDF
"Pass Cisco 200-301 CCNA Exam with Certifiedumps – Verified Dumps for Guarant...
PDF
The AZ-104 exam certifies skills in managing Microsoft Azure cloud services, ...
PDF
Microsoft Azure AI Fundamentals: Introduction to AI Concepts and Azure AI Ser...
PDF
AI-102: Designing and Implementing Azure AI Solutions
PDF
Pass Amazon CLF-C02 Exam with Certifiedumps
PDF
Pass Amazon AIF-C01 Exam with Certifiedumps
PDF
Certifiedumps SOA-C02 Exam Dumps – Prepare for AWS Certified SysOps Administr...
PDF
Pass Cisco 200-301 CCNA Exam with Certifiedumps – Latest Dumps Cover Networki...
PDF
Get CompTIA Project+ PK0-005 Certified Quickly with Reliable and Verified Dum...
PDF
Prepare for the PK0-005 Project+ Exam with Certifiedumps: Trusted Dumps, Real...
Pass AWS AIF-C01 Easily with Certifiedumps Real Practice Dumps
Get Ready to Pass the Cisco 300-701 SCOR Exam with Confidence in 2025
Pass Your Cisco 200-301 CCNA Exam in 2025 with Confidence
Pass ADM-201 Exam in 2025 with Updated Dumps – Certifiedumps
Pass CCST-Networking Exam in 2025 with Updated Dumps PDF
Pass the CompTIA Security+ SY0-701 Exam in 2025 with Confidence – Certifiedumps
Master CISSP in 2025: Practice with Purpose, Pass with Confidence
Pass the AZ-500 Exam Easily with Certifiedumps Updated Dumps and Practice Tests
Pass Cisco 350-601 DCCOR Exam with Certifiedumps – Real Dumps for Data Center...
Clear Cisco 200-901 DEVASC Exam with Certifiedumps – Trusted Dumps for Fast C...
"Pass Cisco 200-301 CCNA Exam with Certifiedumps – Verified Dumps for Guarant...
The AZ-104 exam certifies skills in managing Microsoft Azure cloud services, ...
Microsoft Azure AI Fundamentals: Introduction to AI Concepts and Azure AI Ser...
AI-102: Designing and Implementing Azure AI Solutions
Pass Amazon CLF-C02 Exam with Certifiedumps
Pass Amazon AIF-C01 Exam with Certifiedumps
Certifiedumps SOA-C02 Exam Dumps – Prepare for AWS Certified SysOps Administr...
Pass Cisco 200-301 CCNA Exam with Certifiedumps – Latest Dumps Cover Networki...
Get CompTIA Project+ PK0-005 Certified Quickly with Reliable and Verified Dum...
Prepare for the PK0-005 Project+ Exam with Certifiedumps: Trusted Dumps, Real...
Ad

Recently uploaded (20)

PPTX
Week 4 Term 3 Study Techniques revisited.pptx
PDF
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
PDF
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
PDF
Module 4: Burden of Disease Tutorial Slides S2 2025
PDF
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
PPTX
Final Presentation General Medicine 03-08-2024.pptx
PDF
2.FourierTransform-ShortQuestionswithAnswers.pdf
PDF
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
PPTX
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
PDF
O7-L3 Supply Chain Operations - ICLT Program
PDF
01-Introduction-to-Information-Management.pdf
PPTX
Pharma ospi slides which help in ospi learning
PPTX
Cell Structure & Organelles in detailed.
PPTX
Institutional Correction lecture only . . .
PDF
FourierSeries-QuestionsWithAnswers(Part-A).pdf
PPTX
master seminar digital applications in india
PDF
Classroom Observation Tools for Teachers
PPTX
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
PPTX
human mycosis Human fungal infections are called human mycosis..pptx
PPTX
school management -TNTEU- B.Ed., Semester II Unit 1.pptx
Week 4 Term 3 Study Techniques revisited.pptx
Chapter 2 Heredity, Prenatal Development, and Birth.pdf
Physiotherapy_for_Respiratory_and_Cardiac_Problems WEBBER.pdf
Module 4: Burden of Disease Tutorial Slides S2 2025
3rd Neelam Sanjeevareddy Memorial Lecture.pdf
Final Presentation General Medicine 03-08-2024.pptx
2.FourierTransform-ShortQuestionswithAnswers.pdf
Mark Klimek Lecture Notes_240423 revision books _173037.pdf
IMMUNITY IMMUNITY refers to protection against infection, and the immune syst...
O7-L3 Supply Chain Operations - ICLT Program
01-Introduction-to-Information-Management.pdf
Pharma ospi slides which help in ospi learning
Cell Structure & Organelles in detailed.
Institutional Correction lecture only . . .
FourierSeries-QuestionsWithAnswers(Part-A).pdf
master seminar digital applications in india
Classroom Observation Tools for Teachers
BOWEL ELIMINATION FACTORS AFFECTING AND TYPES
human mycosis Human fungal infections are called human mycosis..pptx
school management -TNTEU- B.Ed., Semester II Unit 1.pptx

Clear Amazon ANS-C01 Exam with Certifiedumps

  • 1. Questions & Answers (Demo Version - Limited Content) Amazon ANS-C01 Exam Amazon AWS Certified Advanced Networking - Specialty https://www.certifiedumps.com/amazon/ans-c01-dumps.html Thank you for Downloading ANS-C01 exam PDF Demo Get Full File:
  • 2. Questions & Answers PDF A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) duster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The company needs to use mutual TLS for two-way authentication between the client and the backend. Which solution will meet these requirements? A. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure a Network Load Balancer with a TCP listener on port 443 to forward traffic to the IP addresses of the backend service Pods. B. Install the AWS Load Balancer Controller for Kubernetes. Using that controller, configure an Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the IP addresses of the backend service Pods. C. Create a target group. Add the EKS managed node group's Auto Scaling group as a target Create an Page 2 Version: 8.0 Question: 1 www.certifiedumps.com
  • 3. Explanation: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target- groups.html#target-group-protocol-version https://docs.aws.amazon.com/prescriptive- guidance/latest/patterns/deploy-a-grpc-based-application-on-an-amazon-eks-cluster-and-access-it- with-an-application-load-balancer.html A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes. Which solution will meet these requirements? Questions & Answers PDF Page 3 Application Load Balancer with an HTTPS listener on port 443 to forward traffic to the target group. D. Create a target group. Add the EKS managed node group’s Auto Scaling group as a target. Create a Network Load Balancer with a TLS listener on port 443 to forward traffic to the target group. Question: 2 Answer: B www.certifiedumps.com
  • 4. Explanation: Questions & Answers PDF An Application Load Balancer (ALB) can be used to route traffic to multiple target groups based on the URL in the request. The ALB can be configured with an HTTPS listener to ensure all traffic uses HTTPS. TLS processing can be offloaded to the ALB, which reduces the load on the web server. Path- based routing rules can be used to route traffic to the correct target group based on the URL in the request. The X-Forwarded-For request header can be included with traffic to the targets, which will allow the web server to know the user's IP address and keep accurate logs for security purposes. A. Deploy an Application Load Balancer with an HTTPS listener. Use path-based routing rules to forward the traffic to the correct target group. Include the X-Forwarded-For request header with traffic to the targets. B. Deploy an Application Load Balancer with an HTTPS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Include the X- Forwarded-For request header with traffic to the targets. C. Deploy a Network Load Balancer with a TLS listener. Use path-based routing rules to forward the traffic to the correct target group. Configure client IP address preservation for traffic to the targets. D. Deploy a Network Load Balancer with a TLS listener for each domain. Use host-based routing rules to forward the traffic to the correct target group for each domain. Configure client IP address preservation for traffic to the targets. Page 4 Question: 3 Answer: A www.certifiedumps.com
  • 5. Questions & Answers PDF A. Configure the ALB in a private subnet of the VPC. Attach an internet gateway without adding routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB’s security group to only allow inbound traffic from the internet on the ALB listener port. B. Configure the ALB in a private subnet of the VPC. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the internet on the ALB listener port. C. Configure the ALB in a public subnet of the VPAttach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound traffic from the accelerator's IP addresses on the ALB listener port. D. Configure the ALB in a private subnet of the VPC. Attach an internet gateway. Add routes in the subnet route tables to point to the internet gateway. Configure the accelerator with endpoint groups that include the ALB endpoint. Configure the ALB's security group to only allow inbound A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending machines to the application happens over HTTPS. The company is planning to use an AWS Global Accelerator accelerator and configure static IP addresses of the accelerator in the vending machines for application endpoint access. 
The application must be accessible only through the accelerator and not through a direct connection over the internet to the ALB endpoint. Which solution will meet these requirements? Page 5 www.certifiedumps.com
  • 6. Explanation: Questions & Answers PDF A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units consume data from the central shared services VPC in the future. Which solution will meet these requirements in the MOST secure manner? Please read the below link typically describing ELB integration with AWS Global accelator (and the last line of the extract) - https://docs.aws.amazon.com/global-accelerator/latest/dg/secure-vpc- connections.html "When you add an internal Application Load Balancer or an Amazon EC2 instance endpoint in AWS Global Accelerator, you enable internet traffic to flow directly to and from the endpoint in Virtual Private Clouds (VPCs) by targeting it in a private subnet. The VPC that contains the load balancer or EC2 instance must have an internet gateway attached to it, to indicate that the VPC accepts internet traffic. However, you don't need public IP addresses on the load balancer or EC2 instance. You also don't need an associated internet gateway route for the subnet." Page 6 Question: 4 Answer: A www.certifiedumps.com
  • 7. Explanation: Questions & Answers PDF Option C provides a secure and scalable solution using VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink enables private connectivity between VPCs and services without exposing the data to the public internet or using a VPN connection. By creating VPC endpoints in each application VPC, the company can securely access the central shared services VPC without the need for complex network configurations. Furthermore, PrivateLink supports cross-account connectivity, which makes it a scalable solution as more business units consume data from the central shared services VPC in the future. A. Create a central transit gateway. Create a VPC attachment to each application VPC. Provide full mesh connectivity between all the VPCs by using the transit gateway. B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account. C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPCreate VPC endpoints in each application VPC. D. Create a central transit VPC with a VPN appliance from AWS Marketplace. Create a VPN attachment from each VPC to the transit VPC. Provide full mesh connectivity among all the VPCs. Page 7 Question: 5 Answer: C www.certifiedumps.com
Question: 5
A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS. A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same time for about an hour each business day. The company wants to know which business unit is causing the sudden increase in throughput. The network engineer must find out this information and implement a solution to resolve the problem.
Which solution will meet these requirements?
A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
B. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the bandwidth of the existing dedicated connection to 10 Gbps.
C. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Upgrade the existing dedicated connection to a 5 Gbps hosted connection.
D. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed. Create a new 10 Gbps dedicated connection. Shift traffic from the existing dedicated connection to the new dedicated connection.
Answer: A
Explanation:
VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress are reported per virtual interface, so comparing them across the five private VIFs during the hour of saturation identifies the business unit that is responsible. ConnectionBpsIngress and ConnectionPpsEgress (Options C and D) are reported for the connection as a whole and cannot attribute traffic to a VIF. The port speed of a dedicated connection is fixed when the connection is ordered and cannot be changed in place, so Option B is not achievable; the way to add capacity is to order a new 10 Gbps dedicated connection and shift traffic to it (Option A).

Question: 6
A software-as-a-service (SaaS) provider hosts its solution on Amazon EC2 instances within a VPC in the AWS Cloud. All of the provider's customers also have their environments in the AWS Cloud. A recent design meeting revealed that the customers have IP address overlap with the provider's AWS deployment. The customers have stated that they will not share their internal IP addresses and that they do not want to connect to the provider's SaaS service over the internet.
Which combination of steps is part of a solution that meets these requirements? (Choose two.)
A. Deploy the SaaS service endpoint behind a Network Load Balancer.
B. Configure an endpoint service, and grant the customers permission to create a connection to the endpoint service.
C. Deploy the SaaS service endpoint behind an Application Load Balancer.
D. Configure a VPC peering connection to the customer VPCs. Route traffic through NAT gateways.
E. Deploy an AWS Transit Gateway, and connect the SaaS VPC to it. Share the transit gateway with the customers. Configure routing on the transit gateway.
Answer: AB
Explanation:
Publishing the service as a VPC endpoint service (AWS PrivateLink) fronted by a Network Load Balancer lets each customer create an interface endpoint in its own VPC. PrivateLink connections are unidirectional and exchange no routes, so overlapping address ranges do not matter, the customers never disclose their internal addressing, and traffic stays on the AWS network instead of the internet. The application behind the NLB can itself be an Application Load Balancer, because an ALB can be registered as a target of an NLB, but an ALB on its own (Option C) cannot be published as an endpoint service. VPC peering (Option D) and a shared transit gateway (Option E) both require non-overlapping CIDR blocks.
https://aws.amazon.com/about-aws/whats-new/2021/09/application-load-balancer-aws-privatelink-static-ip-addresses-network-load-balancer/

Question: 7
A network engineer is designing the architecture for a healthcare company's workload that is moving to the AWS Cloud. All data to and from the on-premises environment must be encrypted in transit. All traffic also must be inspected in the cloud before the traffic is allowed to leave the cloud and travel to the on-premises environment or to the internet. The company will expose components of the workload to the internet so that patients can reserve appointments. The architecture must secure these components and protect them against DDoS attacks. The architecture also must provide protection against financial liability for services that scale out during a DDoS event.
Which combination of steps should the network engineer take to meet all these requirements for the workload? (Choose three.)
A. Use Traffic Mirroring to copy all traffic to a fleet of traffic capture appliances.
B. Set up AWS WAF on all network components.
C. Configure an AWS Lambda function to create Deny rules in security groups to block malicious IP addresses.
D. Use AWS Direct Connect with MACsec support for connectivity to the cloud.
E. Use Gateway Load Balancers to insert third-party firewalls for inline traffic inspection.
F. Configure AWS Shield Advanced and ensure that it is configured on all public assets.
Answer: DEF
Explanation:
MACsec on the Direct Connect connection (Option D) encrypts every frame on the link between the on-premises router and AWS, which meets the encryption-in-transit requirement without the throughput limits of an IPsec VPN. Gateway Load Balancers (Option E) insert third-party firewall appliances inline, so all traffic is inspected before it leaves the cloud. AWS Shield Advanced (Option F) protects the public assets against DDoS attacks and includes cost protection, which credits the charges for services such as EC2, Elastic Load Balancing and CloudFront that scale out during an attack. Traffic Mirroring (Option A) only copies packets to out-of-band collectors and blocks nothing. AWS WAF (Option B) attaches only to specific services such as ALB, CloudFront and API Gateway, not to "all network components". Security groups have no deny rules, so Option C cannot be implemented.
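The analysis behind Question 5, as an added example that is not part of the question bank: it builds the per-VIF GetMetricData queries for the AWS/DX namespace (the dimension names ConnectionId and VirtualInterfaceId are the ones documented for these metrics; the connection and VIF IDs are assumed) and runs the attribution over constructed metric samples, showing that the connection-level metrics could not have answered the question because only the per-VIF series can be ranked.

```python
"""Attribute Direct Connect saturation to a virtual interface from per-VIF metrics.

Added example for Question 5; it is not from the question bank. The VIF IDs,
connection ID, time window and metric samples are constructed. With boto3, the
list returned by build_metric_queries() is what you would pass as
MetricDataQueries to cloudwatch.get_metric_data().
"""
from datetime import datetime, timedelta, timezone

LAG_BANDWIDTH_BPS = 4 * 10**9          # 4 x 1 Gbps LAG from the scenario
CONNECTION_ID = "dxcon-example"        # assumed connection ID
VIF_IDS = ["dxvif-bu1", "dxvif-bu2", "dxvif-bu3", "dxvif-bu4", "dxvif-bu5"]


def build_metric_queries(vif_ids, connection_id=CONNECTION_ID, period=300):
    """GetMetricData queries for VirtualInterfaceBpsEgress/Ingress (AWS/DX namespace).

    The per-VIF metrics carry ConnectionId and VirtualInterfaceId dimensions;
    the connection-level ConnectionBps*/ConnectionPps* metrics cannot be
    broken down by VIF, which is why they do not answer the question.
    """
    queries = []
    for i, vif_id in enumerate(vif_ids):
        for direction in ("Egress", "Ingress"):
            queries.append({
                "Id": f"vif{i}_{direction.lower()}",
                "MetricStat": {
                    "Metric": {
                        "Namespace": "AWS/DX",
                        "MetricName": f"VirtualInterfaceBps{direction}",
                        "Dimensions": [
                            {"Name": "ConnectionId", "Value": connection_id},
                            {"Name": "VirtualInterfaceId", "Value": vif_id},
                        ],
                    },
                    "Period": period,
                    "Stat": "Maximum",
                },
                "ReturnData": True,
            })
    return queries


def top_vif(samples, window_start, window_end, link_bps=LAG_BANDWIDTH_BPS):
    """Busiest VIF inside the slowness window.

    samples: {vif_id: [(timestamp, egress_bps, ingress_bps), ...]}
    Returns (vif_id, peak_bps, share_of_link).
    """
    peaks = {}
    for vif_id, points in samples.items():
        in_window = [max(e, i) for ts, e, i in points if window_start <= ts <= window_end]
        if in_window:
            peaks[vif_id] = max(in_window)
    vif_id = max(peaks, key=peaks.get)
    return vif_id, peaks[vif_id], peaks[vif_id] / link_bps


def saturation_timestamps(samples, link_bps=LAG_BANDWIDTH_BPS, threshold=0.9):
    """Timestamps at which all VIFs together reach `threshold` of the link in either direction."""
    totals = {}
    for points in samples.values():
        for ts, egress, ingress in points:
            eg, ing = totals.get(ts, (0, 0))
            totals[ts] = (eg + egress, ing + ingress)
    return sorted(ts for ts, (eg, ing) in totals.items() if max(eg, ing) >= threshold * link_bps)


# Constructed samples: one quiet morning point and two points inside the daily spike.
T_QUIET = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
T_SPIKE = datetime(2024, 3, 4, 14, 0, tzinfo=timezone.utc)
T_SPIKE_END = T_SPIKE + timedelta(minutes=5)
SAMPLES = {v: [(T_QUIET, 2e8, 1e8), (T_SPIKE, 2e8, 1e8), (T_SPIKE_END, 2e8, 1e8)] for v in VIF_IDS}
SAMPLES["dxvif-bu3"] = [(T_QUIET, 2e8, 1e8), (T_SPIKE, 3.2e9, 1e8), (T_SPIKE_END, 3.1e9, 1e8)]


if __name__ == "__main__":
    print("queries:", len(build_metric_queries(VIF_IDS)))
    print("saturated at:", [t.isoformat() for t in saturation_timestamps(SAMPLES)])
    vif, peak, share = top_vif(SAMPLES, T_SPIKE, T_SPIKE_END)
    print(f"busiest VIF {vif}: {peak / 1e9:.1f} Gbps ({share:.0%} of the LAG)")
```

The `Maximum` statistic over 5-minute periods is deliberate: a one-hour spike that averages out over a longer period is exactly the pattern that hides behind `Average`.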
Question: 8
A retail company is running its service on AWS. The company's architecture includes Application Load Balancers (ALBs) in public subnets. The ALB target groups are configured to send traffic to backend Amazon EC2 instances in private subnets. These backend EC2 instances can call externally hosted services over the internet by using a NAT gateway. The company has noticed in its billing that NAT gateway usage has increased significantly. A network engineer needs to find out the source of this increased usage.
Which options can the network engineer use to investigate the traffic through the NAT gateway? (Choose two.)
A. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
B. Enable NAT gateway access logs. Publish the logs to a log group in Amazon CloudWatch Logs. Use CloudWatch Logs Insights to query and analyze the logs.
C. Configure Traffic Mirroring on the NAT gateway's elastic network interface. Send the traffic to an additional EC2 instance. Use tools such as tcpdump and Wireshark to query and analyze the mirrored traffic.
D. Enable VPC flow logs on the NAT gateway's elastic network interface. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
E. Enable NAT gateway access logs. Publish the logs to an Amazon S3 bucket. Create a custom table for the S3 bucket in Amazon Athena to describe the log structure. Use Athena to query and analyze the logs.
Answer: AD
Explanation:
A NAT gateway does not produce access logs of its own (Options B and E), and Traffic Mirroring (Option C) can be enabled only on the network interfaces of supported EC2 instances, not on the managed interface of a NAT gateway. VPC flow logs can be enabled on the NAT gateway's elastic network interface and delivered either to CloudWatch Logs, where CloudWatch Logs Insights can sum bytes by source address (Option A), or to Amazon S3, where an Athena table over the log files allows the same query (Option D). Either destination shows which backend instances and which external destinations account for the increase. Note that the NAT gateway's own private IP address appears as the source address on the translated half of each outbound flow, so usage is attributed to instances from the records whose source address belongs to the private subnets.

Question: 9
A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider's API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for the existing workload that is deployed in a private subnet. The company does not want to permit IPv6 traffic from the public internet and mandates that the company's servers must initiate all IPv6 connectivity. The network engineer turns on IPv6 in the VPC and in the private subnets.
Which solution will meet these requirements?
A. Create an internet gateway and a NAT gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT gateway.
B. Create an internet gateway and a NAT instance in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the NAT instance.
C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway.
D. Create an egress-only internet gateway in the VPC. Configure a security group that denies all inbound traffic. Associate the security group with the egress-only internet gateway.
Answer: C
Explanation:
An egress-only internet gateway is a stateful, IPv6-only gateway: it forwards connections that are initiated from inside the VPC and drops unsolicited inbound IPv6 traffic, which is exactly the required behaviour. The private subnet route tables need a ::/0 route that points to it. IPv6 addresses are globally routable, so there is no address translation to perform; NAT gateways and NAT instances (Options A and B) exist for IPv4 translation and are not how IPv6 hosts are given outbound-only access. Security groups cannot be associated with an egress-only internet gateway, so Option D is not valid.

Question: 10
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company's Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time.
Which solution will meet these requirements?
A. Create an Amazon S3 bucket. Create an AWS Lambda function to load logs into the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster. Enable Amazon Simple Notification Service (Amazon SNS) notifications on the S3 bucket to invoke the Lambda function. Configure flow logs for the firewall. Set the S3 bucket as the destination.
B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis Data Firehose delivery stream as the destination for the Network Firewall flow logs.
C. Configure flow logs for the firewall. Set the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination for the Network Firewall flow logs.
D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination. Configure flow logs for the firewall. Set the Kinesis data stream as the destination for the Network Firewall flow logs.
Answer: B
Explanation:
Network Firewall can send its logs only to an Amazon S3 bucket, a CloudWatch Logs log group, or a Kinesis Data Firehose delivery stream; an OpenSearch domain (Option C) and a Kinesis data stream (Option D) are not valid logging destinations. Kinesis Data Firehose supports OpenSearch Service as a delivery destination natively, so Option B streams the flow logs into the cluster with no custom code and the least delay. Option A would work, but it batches the logs into S3 first and relies on event notifications and a Lambda function to index them, which adds latency and operational overhead.
https://aws.amazon.com/blogs/networking-and-content-delivery/how-to-analyze-aws-network-firewall-logs-using-amazon-opensearch-service-part-1/
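The flow log analysis from Question 8, as an added example that is not part of the question bank: a parser for the default VPC Flow Logs record format run over constructed records from the NAT gateway's interface (the interface ID, VPC CIDR and NAT gateway private address are assumed), attributing bytes to the backend instances and to the external destinations while skipping the translated copies that carry the NAT gateway's own address, which would otherwise double-count every flow. The CloudWatch Logs Insights query for Option A is included as a string and is not executed.

```python
"""Find which backend instances drive NAT gateway usage from VPC flow log records.

Added example for Question 8; it is not from the question bank. The records
below are constructed in the default VPC Flow Logs format (version 2). The
interface ID, VPC CIDR and NAT gateway private address are assumed values.
"""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")          # assumed VPC CIDR
NAT_GATEWAY_IP = ipaddress.ip_address("10.0.0.200")     # assumed NAT gateway private address

# Constructed records captured on the NAT gateway's ENI. Each outbound connection
# appears twice: once from the instance's private address and once, after
# translation, from the NAT gateway's own address (and likewise for the return path).
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 203.0.113.9 44312 443 6 1200 1800000 1709541600 1709541660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.0.200 203.0.113.9 44312 443 6 1200 1800000 1709541600 1709541660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.0.200 443 44312 6 2000 9000000 1709541600 1709541660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.20 443 44312 6 2000 9000000 1709541600 1709541660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.21 198.51.100.7 50234 443 6 40 52000 1709541600 1709541660 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 203.0.113.9 44313 443 6 3000 4200000 1709541660 1709541720 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.5 203.0.113.9 38000 443 6 20 30000 1709541660 1709541720 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.5 203.0.113.9 38001 22 6 3 180 1709541660 1709541720 REJECT OK
"""

# Equivalent CloudWatch Logs Insights query for Option A (not executed here);
# the NAT gateway's own address is excluded for the same double-counting reason.
LOGS_INSIGHTS_QUERY = r"""
fields @timestamp, srcAddr, dstAddr, bytes
| filter interfaceId = "eni-0a1b2c3d4e5f67890" and action = "ACCEPT"
| filter srcAddr like /^10\.0\./ and srcAddr != "10.0.0.200"
| stats sum(bytes) as bytesOut by srcAddr
| sort bytesOut desc
| limit 10
"""


def parse_flow_log(text):
    """Parse default-format records into dicts, converting the numeric fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] == "version":
            continue  # blank lines and the header line that appears in exported files
        rec = dict(zip(FIELDS, parts))
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def _is_instance(addr):
    """Private address inside the VPC that is not the NAT gateway itself."""
    ip = ipaddress.ip_address(addr)
    return ip in VPC_CIDR and ip != NAT_GATEWAY_IP


def _instance_side(rec):
    """(instance_ip, external_ip) for an accepted pre-translation record, else None."""
    if rec["action"] != "ACCEPT":
        return None
    if _is_instance(rec["srcaddr"]) and not _is_instance(rec["dstaddr"]):
        return rec["srcaddr"], rec["dstaddr"]
    if _is_instance(rec["dstaddr"]) and not _is_instance(rec["srcaddr"]):
        return rec["dstaddr"], rec["srcaddr"]
    return None  # translated copy carrying the NAT gateway's address, or intra-VPC


def bytes_by_instance(records):
    """Bytes in both directions attributed to each backend instance."""
    totals = defaultdict(int)
    for rec in records:
        side = _instance_side(rec)
        if side:
            totals[side[0]] += rec["bytes"]
    return dict(totals)


def bytes_by_destination(records):
    """Bytes exchanged with each external address."""
    totals = defaultdict(int)
    for rec in records:
        side = _instance_side(rec)
        if side:
            totals[side[1]] += rec["bytes"]
    return dict(totals)


def top_n(totals, n=5):
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_RECORDS)
    print("top instances:", top_n(bytes_by_instance(recs)))
    print("top destinations:", top_n(bytes_by_destination(recs)))
```

The same grouping expressed in Athena for Option D is a `GROUP BY srcaddr` over the flow log table, with the NAT gateway address excluded in the `WHERE` clause.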
Question: 11
A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configured a VPC DHCP options set in all the VPCs that specifies the custom DNS servers to be used as domain name servers. Multiple development teams in the company want to use Amazon Elastic File System (Amazon EFS). A development team has created a new EFS file system but cannot mount the file system to one of its Amazon EC2 instances. The network engineer discovers that the EC2 instance cannot resolve the IP address for the EFS mount point fs-33444567d.efs.us-east-1.amazonaws.com.
The network engineer needs to implement a solution so that development teams throughout the organization can mount EFS file systems.
Which combination of steps will meet these requirements? (Choose two.)
A. Configure the BIND DNS servers in the central VPC to forward queries for efs.us-east-1.amazonaws.com to the Amazon provided DNS server (169.254.169.253).
B. Create an Amazon Route 53 Resolver outbound endpoint in the central VPC. Update all the VPC DHCP options sets to use AmazonProvidedDNS for name resolution.
C. Create an Amazon Route 53 Resolver inbound endpoint in the central VPC. Update all the VPC DHCP options sets to use the Route 53 Resolver inbound endpoint in the central VPC for name resolution.
D. Create an Amazon Route 53 Resolver rule to forward queries for the on-premises domain to the on-premises DNS servers. Share the rule with the organization by using AWS Resource Access Manager (AWS RAM). Associate the rule with all the VPCs.
E. Create an Amazon Route 53 private hosted zone for the efs.us-east-1.amazonaws.com domain. Associate the private hosted zone with the VPC where the EC2 instance is deployed. Create an A record for fs-33444567d.efs.us-east-1.amazonaws.com in the private hosted zone. Configure the A record to return the mount target of the EFS mount point.
Answer: BD
Explanation:
The Route 53 Resolver (AmazonProvidedDNS) of a VPC resolves an EFS file system's DNS name only for file systems that have a mount target in that VPC, returning the mount target IP address in the client's Availability Zone. The query therefore has to be made from the development team's own VPC through that VPC's Resolver. Forwarding EFS queries from the BIND servers in the central VPC to 169.254.169.253 (Option A) would resolve only file systems with mount targets in the central VPC, and a manually maintained private hosted zone (Option E) would have to be repeated for every file system and every VPC. The fix is to let each VPC use AmazonProvidedDNS by updating the DHCP options sets, and to preserve resolution of the on-premises domain by creating a Resolver outbound endpoint in the central VPC (Option B) with a forwarding rule for the on-premises domain that is shared through AWS RAM and associated with every VPC (Option D). Option C points instances at an inbound endpoint, which exists to accept queries from outside the VPC, and it would still resolve through the central VPC rather than the team's VPC.

Question: 12
An ecommerce company is hosting a web application on Amazon EC2 instances to handle continuously changing customer demand. The EC2 instances are part of an Auto Scaling group. The company wants to implement a solution to distribute traffic from customers to the EC2 instances. The company must encrypt all traffic at all stages between the customers and the application servers. No decryption at intermediate points is allowed.
Which solution will meet these requirements?
A. Create an Application Load Balancer (ALB). Add an HTTPS listener to the ALB. Configure the Auto Scaling group to register instances with the ALB's target group.
B. Create an Amazon CloudFront distribution. Configure the distribution with a custom SSL/TLS certificate. Set the Auto Scaling group as the distribution's origin.
C. Create a Network Load Balancer (NLB). Add a TCP listener to the NLB. Configure the Auto Scaling group to register instances with the NLB's target group.
D. Create a Gateway Load Balancer (GLB). Configure the Auto Scaling group to register instances with the GLB's target group.
Answer: C
Explanation:
A Network Load Balancer with a TCP listener forwards the encrypted byte stream unchanged, so the TLS session is negotiated and terminated on the EC2 instances themselves and no intermediate component holds the private key or sees plaintext. An ALB HTTPS listener (Option A) and a CloudFront distribution (Option B) both terminate TLS, and CloudFront cannot use an Auto Scaling group as an origin. A Gateway Load Balancer (Option D) is for inserting inline network appliances, not for distributing client traffic. Note that an NLB TLS listener would also terminate TLS; only the TCP listener provides passthrough.

Question: 13
A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through a virtual private gateway.
A network engineer receives reports that resources in the VPC are not reachable from various locations in either data center. The network engineer checks the VPC route table and sees that the routes from the first data center location are not being populated into the route table. The network engineer must resolve this issue in the most operationally efficient manner.
What should the network engineer do to meet these requirements?
A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC.
B. Change the router configurations to summarize the advertised routes.
C. Open a support ticket to increase the quota on advertised routes to the VPC route table.
D. Create an AWS Transit Gateway. Attach the transit gateway to the VPC, and connect the Direct Connect gateway to the transit gateway.
Answer: B
Explanation:
"If you advertise more than 100 routes each for IPv4 and IPv6 over the BGP session, the BGP session will go into an idle state with the BGP session DOWN."
https://docs.aws.amazon.com/directconnect/latest/UserGuide/limits.html
The first data center advertises 110 prefixes, which exceeds the 100-route limit for a BGP session on a private virtual interface; that session goes down, so its routes disappear from the VPC route table while the second location's 60 routes remain. The limit is not an adjustable quota (Option C). Replacing the Direct Connect gateway (Option A) or inserting a transit gateway (Option D) does not change the per-session limit and involves far more work. Summarizing the advertised routes on the first location's router (Option B) brings the count under the limit with a single configuration change.
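The route summarization from Question 13, as an added example that is not part of the question bank: two constructed prefix lists (110 and 60 contiguous /24s, standing in for the two data centers) are checked against the 100-route limit quoted above, collapsed into exact summaries that cover the same addresses, and, as the practitioner caveat, tested against an assumed VPC CIDR so that an over-aggressive single supernet that would swallow cloud address space is rejected.

```python
"""Keep a Direct Connect BGP session under the 100-route limit by summarizing prefixes.

Added example for Question 13; it is not from the question bank. The two data
centers' prefix lists are constructed (110 and 60 contiguous /24s); the 100-route
figure is the per-BGP-session limit quoted in the explanation above; the VPC CIDR
that must not be swallowed is assumed.
"""
import ipaddress

DX_ROUTES_PER_BGP_SESSION = 100


def site_prefixes(base, count):
    """Constructed data: the first `count` /24s carved out of `base`."""
    return [str(n) for n in ipaddress.ip_network(base).subnets(new_prefix=24)][:count]


def session_ok(prefixes, limit=DX_ROUTES_PER_BGP_SESSION):
    """True if advertising `prefixes` keeps the BGP session within the limit."""
    return len(prefixes) <= limit


def summarize(prefixes):
    """Exact summarization: merge adjacent prefixes without covering any address not in the input."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def single_supernet(prefixes, forbidden=()):
    """Smallest single prefix covering all inputs, or None if it would also cover a `forbidden` block.

    Over-summarizing is the classic mistake here: a supernet that swallows a VPC
    CIDR or another site's range silently pulls that traffic on-premises.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    if any(cover.overlaps(ipaddress.ip_network(f)) for f in forbidden):
        return None
    return str(cover)


def covers(summary, prefixes):
    """Reachability check: every original prefix must fall inside some summary route."""
    summ = [ipaddress.ip_network(s) for s in summary]
    return all(any(ipaddress.ip_network(p).subnet_of(s) for s in summ) for p in prefixes)


DC1_PREFIXES = site_prefixes("10.10.0.0/16", 110)   # the site whose routes vanished
DC2_PREFIXES = site_prefixes("10.20.0.0/16", 60)
VPC_CIDRS = ["10.100.0.0/16"]                       # assumed VPC range that must not be swallowed


if __name__ == "__main__":
    for name, prefixes in (("DC1", DC1_PREFIXES), ("DC2", DC2_PREFIXES)):
        summary = summarize(prefixes)
        print(f"{name}: {len(prefixes)} routes (ok={session_ok(prefixes)}) -> "
              f"{len(summary)} summary routes {summary}, covers={covers(summary, prefixes)}")
    print("DC1 single supernet:", single_supernet(DC1_PREFIXES, forbidden=VPC_CIDRS))
    print("unsafe supernet:", single_supernet(["10.100.1.0/24", "10.10.0.0/24"], forbidden=VPC_CIDRS))
```

`collapse_addresses` only merges prefixes that are exactly adjacent, which is the safe default for a router configuration; `single_supernet` shows the more aggressive alternative and why it has to be checked against the address plan before it is advertised.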
Question: 14
A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal. The process to register a new service that runs on AWS requires a manual and complicated change request to the internal DNS. The process involves many teams. The company wants to update the DNS registration process by giving the service creators access that will allow them to register their DNS records.
A network engineer must design a solution that will achieve this goal. The solution must maximize cost-effectiveness and must require the least possible number of configuration changes.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)
A. Create a record for each service in its local private hosted zone (serviceA.account1.aws.example.internal). Provide this DNS record to the employees who need access.
B. Create an Amazon Route 53 Resolver inbound endpoint in the shared account VPC. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the inbound endpoint's IP addresses that were created.
C. Create an Amazon Route 53 Resolver rule to forward any queries made to onprem.example.internal to the on-premises DNS servers.
D. Create an Amazon Route 53 private hosted zone named aws.example.internal in the shared AWS account to resolve queries for this domain.
E. Launch two Amazon EC2 instances in the shared AWS account. Install BIND on each instance. Create a DNS conditional forwarder on each BIND server to forward queries for each subdomain under aws.example.internal to the appropriate private hosted zone in each AWS account. Create a conditional forwarder for a domain named aws.example.internal on the on-premises DNS servers. Set the forwarding IP addresses to the IP addresses of the BIND servers.
F. Create a private hosted zone in the shared AWS account for each account that runs the service. Configure the private hosted zone to contain aws.example.internal in the domain (account1.aws.example.internal). Associate the private hosted zone with the VPC that runs the service and the shared account VPC.
Answer: ABF
Explanation:
The goal is to let each service team register its own records without a change request. Giving each service account its own private hosted zone, such as account1.aws.example.internal, associated with both the account's VPC and the shared account VPC (Option F), lets the team create records such as serviceA.account1.aws.example.internal directly in that zone (Option A). A Route 53 Resolver inbound endpoint in the shared account VPC, together with a conditional forwarder for aws.example.internal on the on-premises DNS servers that points at the endpoint's IP addresses (Option B), makes those zones resolvable from the offices with a single on-premises change; because the shared VPC is associated with every account's zone, the Resolver behind the inbound endpoint answers for all of them. A single aws.example.internal zone in the shared account (Option D) would put record registration back under one team's control, the BIND forwarders (Option E) cost more and duplicate what the inbound endpoint already does, and the onprem.example.internal rule (Option C) addresses the opposite direction of resolution.
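The matching rule that both Question 11 and Question 14 rely on, as an added example that is not part of the question bank: Route 53 Resolver forwards a query using the rule whose domain matches the most labels of the query name, private hosted zones are selected the same way, and an on-premises conditional forwarder behaves like the rule table. The code traces where each query is answered in the two designs; the rule sets, zone names, the on-premises domain onprem.example.internal and the endpoint addresses are assumed.

```python
"""Most-specific-match resolution for the DNS designs in Questions 11 and 14.

Added example; it is not from the question bank. Rule sets, private hosted
zone names, the on-premises domain and endpoint addresses are assumed.
"""


def _labels(name):
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def matches(domain, qname):
    """True if qname is `domain` or a name beneath it; '.' matches everything."""
    d, q = _labels(domain), _labels(qname)
    if not d:
        return True
    return len(q) >= len(d) and q[-len(d):] == d


def most_specific(qname, entries):
    """Entry whose 'domain' matches qname with the most labels, or None if nothing matches."""
    best = None
    for entry in entries:
        if matches(entry["domain"], qname) and (
            best is None or len(_labels(entry["domain"])) > len(_labels(best["domain"]))
        ):
            best = entry
    return best


# Question 11 after the fix: every VPC uses AmazonProvidedDNS. The Resolver's
# default "." rule answers AWS names such as EFS mount targets itself; the shared
# forward rule sends only the on-premises domain to the outbound endpoint.
VPC_RESOLVER_RULES = [
    {"domain": ".", "type": "recursive", "target": "Route 53 Resolver (AmazonProvidedDNS)"},
    {"domain": "onprem.example.internal", "type": "forward", "target": "10.50.0.53 via outbound endpoint"},
]

# Question 14: on-premises DNS keeps example.internal locally and conditionally
# forwards aws.example.internal to the Resolver inbound endpoint in the shared VPC.
ONPREM_FORWARDERS = [
    {"domain": "example.internal", "type": "authoritative", "target": "on-premises zone"},
    {"domain": "aws.example.internal", "type": "forward", "target": "inbound endpoint 10.200.1.10, 10.200.2.10"},
]

# Private hosted zones associated with the shared VPC, one per service account.
SHARED_VPC_ZONES = [
    {"domain": "account1.aws.example.internal", "account": "111111111111"},
    {"domain": "account2.aws.example.internal", "account": "222222222222"},
]


def vpc_resolution(qname):
    """Where a query from an instance ends up in the Question 11 design."""
    return most_specific(qname, VPC_RESOLVER_RULES)["target"]


def office_resolution_path(qname):
    """Hops a query from the offices takes in the Question 14 design."""
    hop = most_specific(qname, ONPREM_FORWARDERS)
    if hop is None or hop["type"] != "forward":
        return ["on-premises DNS"]
    zone = most_specific(qname, SHARED_VPC_ZONES)
    path = ["on-premises DNS", "inbound endpoint"]
    path.append(f"private hosted zone {zone['domain']}" if zone else "NXDOMAIN")
    return path


if __name__ == "__main__":
    for q in ("fs-33444567d.efs.us-east-1.amazonaws.com", "db.onprem.example.internal"):
        print(f"{q:45} -> {vpc_resolution(q)}")
    for q in ("servicea.account1.aws.example.internal", "printer.example.internal"):
        print(f"{q:45} -> {' -> '.join(office_resolution_path(q))}")
```

The NXDOMAIN branch is the case to watch when a new account is onboarded: its zone must be associated with the shared VPC (Option F) before the inbound endpoint can answer for it.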
Question: 15
A company has multiple AWS accounts. Each account contains one or more VPCs. A new security guideline requires the inspection of all traffic between VPCs. The company has deployed a transit gateway that provides connectivity between all VPCs. The company also has deployed a shared services VPC with Amazon EC2 instances that include IDS services for stateful inspection. The EC2 instances are deployed across three Availability Zones. The company has set up VPC associations and routing on the transit gateway. The company has migrated a few test VPCs to the new solution for traffic inspection. Soon after the configuration of routing, the company receives reports of intermittent connections for traffic that crosses Availability Zones.
What should a network engineer do to resolve this issue?
A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing.
B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support.
C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support.
D. Modify the transit gateway by selecting multicast support.
Answer: B
Explanation:
With a standard VPC attachment, the transit gateway delivers each packet to the attachment's network interface in the same Availability Zone as the source. The forward and return halves of a flow that crosses Availability Zones can therefore be handed to different IDS instances, and a stateful appliance that never saw the first packet drops the reply, which shows up as intermittent connectivity. Enabling appliance mode on the shared services VPC attachment (Option B) makes the transit gateway pin both directions of a flow to the same Availability Zone, and so to the same appliance, for the life of the flow. "Cross-Availability Zone load balancing" (Option A) is not a transit gateway attachment setting, ECMP (Option C) applies to VPN attachments, and multicast (Option D) is unrelated to the problem.

Question: 16
A company is using a NAT gateway to allow internet connectivity for private subnets in a VPC in the us-west-2 Region. After a security audit, the company needs to remove the NAT gateway. In the private subnets, the company has resources that use the unified Amazon CloudWatch agent. A network engineer must create a solution to ensure that the unified CloudWatch agent continues to work after the removal of the NAT gateway.
Which combination of steps should the network engineer take to meet these requirements? (Choose three.)
A. Validate that private DNS is enabled on the VPC by setting the enableDnsHostnames VPC attribute and the enableDnsSupport VPC attribute to true.
B. Create a new security group with an entry to allow outbound traffic that uses the TCP protocol on port 443 to destination 0.0.0.0/0.
C. Create a new security group with entries to allow inbound traffic that uses the TCP protocol on port 443 from the IP prefixes of the private subnets.
D. Create the following interface VPC endpoints in the VPC: com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring. Associate the new security group with the endpoint network interfaces.
E. Create the following interface VPC endpoint in the VPC: com.amazonaws.us-west-2.cloudwatch. Associate the new security group with the endpoint network interfaces.
F. Associate the VPC endpoint or endpoints with route tables that the private subnets use.
Answer: ACD
Explanation:
The unified CloudWatch agent calls the CloudWatch Logs API (logs.us-west-2.amazonaws.com) and the CloudWatch metrics API (monitoring.us-west-2.amazonaws.com), so the VPC needs interface endpoints for com.amazonaws.us-west-2.logs and com.amazonaws.us-west-2.monitoring (Option D); there is no com.amazonaws.us-west-2.cloudwatch service name (Option E). For the agent to keep using the public service hostnames, private DNS must be enabled on the endpoints, which requires the enableDnsHostnames and enableDnsSupport VPC attributes to be true (Option A). The security group attached to the endpoint network interfaces is evaluated for traffic arriving at the endpoint, so it must allow inbound TCP 443 from the private subnets (Option C); an outbound rule (Option B) does not control what reaches the endpoint interfaces. Interface endpoints are reached through their network interfaces and private DNS; route table associations (Option F) apply only to gateway endpoints for Amazon S3 and DynamoDB.

Question: 17
An international company provides early warning about tsunamis. The company plans to use IoT devices to monitor sea waves around the world. The data that is collected by the IoT devices must reach the company's infrastructure on AWS as quickly as possible. The company is using three operation centers around the world. Each operation center is connected to AWS through its own AWS Direct Connect connection. Each operation center is connected to the internet through at least two upstream internet service providers. The company has its own provider-independent (PI) address space. The IoT devices use TCP protocols for reliable transmission of the data they collect. The IoT devices have both landline and mobile internet connectivity. The infrastructure and the solution will be deployed in multiple AWS Regions. The company will use Amazon Route 53 for DNS services. A network engineer needs to design connectivity between the IoT devices and the services that run in the AWS Cloud.
Which solution will meet these requirements with the HIGHEST availability?
A. Set up an Amazon CloudFront distribution with origin failover. Create an origin group for each Region where the solution is deployed.
B. Set up Route 53 latency-based routing. Add latency alias records. For the latency alias records, set the value of Evaluate Target Health to Yes.
C. Set up an accelerator in AWS Global Accelerator. Configure Regional endpoint groups and health checks.
D. Set up Bring Your Own IP (BYOIP) addresses. Use the same PI addresses for each Region where the solution is deployed.
Answer: B
Explanation:
Latency alias records send each device to the Region with the lowest latency, and with Evaluate Target Health set to Yes Route 53 stops returning a Region whose endpoint is failing its health checks, so devices are directed to the next-closest healthy Region.
https://aws.amazon.com/blogs/iot/automate-global-device-provisioning-with-aws-iot-core-and-amazon-route-53/

Question: 18
A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud.
Which solution will meet these requirements while providing the HIGHEST throughput?
A. Configure a public VIF on the Direct Connect connection. Configure an AWS Site-to-Site VPN connection to the transit gateway as a VPN attachment.
B. Configure a transit VIF on the Direct Connect connection. Configure an IPsec VPN connection to an EC2 instance that is running third-party VPN software.
C. Configure MACsec for the Direct Connect connection. Configure a transit VIF to a Direct Connect gateway that is associated with the transit gateway.
D. Configure a public VIF on the Direct Connect connection. Configure two AWS Site-to-Site VPN connections to the transit gateway. Enable equal-cost multi-path (ECMP) routing.
Answer: C
Explanation:
MACsec encrypts the Direct Connect link itself at line rate, so the full 10 Gbps of the dedicated connection stays usable, and a transit VIF to a Direct Connect gateway that is associated with the transit gateway carries the encrypted traffic into the VPC (Option C). The alternatives tunnel over a public VIF with AWS Site-to-Site VPN (Options A and D), where each tunnel is limited to 1.25 Gbps, or through a third-party VPN instance (Option B), whose throughput is bounded by the instance. Even with ECMP across two VPN connections, Option D stays well below the bandwidth of the connection.
https://aws.amazon.com/blogs/networking-and-content-delivery/adding-macsec-security-to-aws-direct-connect-connections/

Question: 19
A network engineer must develop an AWS CloudFormation template that can create a virtual private gateway, a customer gateway, a VPN connection, and static routes in a route table. During testing of the template, the network engineer notes that the CloudFormation template has encountered an error and is rolling back.
What should the network engineer do to resolve the error?
A. Change the order of resource creation in the CloudFormation template.
B. Add the DependsOn attribute to the resource declaration for the virtual private gateway. Specify the route table entry resource.
C. Add a wait condition in the template to wait for the creation of the virtual private gateway.
D. Add the DependsOn attribute to the resource declaration for the route table entry. Specify the virtual private gateway resource.
Answer: D
Explanation:
CloudFormation creates resources in parallel unless it can infer an order from Ref or Fn::GetAtt references, so a static route that targets the virtual private gateway can be created before the gateway exists, and the stack fails and rolls back. Adding a DependsOn attribute to the route table entry that names the virtual private gateway (Option D) forces CloudFormation to finish creating the gateway first. The dependency is declared on the dependent resource, not the other way round (Option B); the textual order of resources in the template (Option A) has no effect; and a wait condition (Option C) requires an explicit signal and adds complexity for no benefit. In practice the route should also depend on the AWS::EC2::VPCGatewayAttachment, because a route that references a gateway requires the gateway to be attached to the VPC.

Question: 20
A company operates its IT services through a multi-site hybrid infrastructure. The company deploys resources on AWS in the us-east-1 Region and in the eu-west-2 Region. The company also deploys resources in its own data centers that are located in the United States (US) and in the United Kingdom (UK). In both AWS Regions, the company uses a transit gateway to connect 15 VPCs to each other. The company has created a transit gateway peering connection between the two transit gateways. The VPC CIDR blocks do not overlap with each other or with IP addresses used within the data centers. The VPC CIDR prefixes can also be aggregated either on a Regional level or for the company's entire AWS environment. The data centers are connected to each other by a private WAN connection. IP routing information is exchanged dynamically through Interior BGP (iBGP) sessions. The data centers maintain connectivity to AWS through one AWS Direct Connect connection in the US and one Direct Connect connection in the UK. Each Direct Connect connection is terminated on a Direct Connect gateway and is associated
Traffic follows the shortest geographical path from source to destination. For example, packets from the UK data center that are targeted to resources in eu-west-2 travel across the local Direct Connect connection. In cases of cross-Region data transfers, such as from the UK data center to VPCs in us-east-1, the private WAN connection must be used to minimize costs on AWS. A network engineer has configured each transit gateway association on the Direct Connect gateway to advertise VPC-specific CIDR IP prefixes only from the local Region. The routes toward the other Region must be learned through BGP from the routers in the other data center in the original, non-aggregated form.
The company recently experienced a problem with cross-Region data transfers because of issues with its private WAN connection. The network engineer needs to modify the routing setup to prevent similar interruptions in the future. The solution cannot modify the original traffic routing goal when the network is operating normally.
Which modifications will meet these requirements? (Choose two.)
A. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add the company's entire AWS environment aggregate route to the list of subnets advertised through the local Direct Connect connection.
B. Add the CIDR prefixes from the other Region VPCs and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection. Configure data center routers to make routing decisions based on the BGP communities received.
C. Add the aggregate IP prefix for the other Region and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection.
D. Add the aggregate IP prefix for the company's entire AWS environment and the local VPC CIDR blocks to the list of subnets advertised through the local Direct Connect connection.
E. Remove all the VPC CIDR prefixes from the list of subnets advertised through the local Direct Connect connection. Add both Regional aggregate IP prefixes to the list of subnets advertised through the Direct Connect connection on both sides of the network. Configure data center routers to make routing decisions based on the BGP communities received.
Answer: AD
Explanation:
Under normal operation the other Region's VPC prefixes are learned in their specific form over the WAN, so they win the longest-prefix-match comparison against any aggregate advertised over the local Direct Connect connection, and cross-Region traffic keeps using the WAN. When the WAN fails, those specific routes are withdrawn and the aggregate learned over Direct Connect becomes the best, and only, match, so traffic reaches the other Region through the local Direct Connect connection and the transit gateway peering instead of being dropped. Advertising the less specific aggregate alongside the local prefixes therefore adds a backup path without changing the path that is used when the network is healthy.
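The longest-prefix-match behaviour that the Question 20 design depends on, as an added example that is not part of the question bank: a minimal routing table for the UK data center router, with the prefixes, next hops and route sources constructed (us-east-1 VPCs as 10.10.x.0/24, eu-west-2 VPCs as 10.11.x.0/24, 10.10.0.0/15 as the company-wide aggregate). BGP path selection is reduced to longest prefix match, which is enough to show that the aggregate carries cross-Region traffic only after the WAN routes are withdrawn, and that without it the other Region becomes unreachable.

```python
"""Longest-prefix-match model of the Direct Connect / WAN backup design in Question 20.

Added example; it is not from the question bank. Prefixes, next hops and route
sources are constructed. BGP path selection is reduced to longest prefix match.
"""
import ipaddress


class Rib:
    """Minimal routing table of (prefix, next_hop, learned_from) with longest-prefix-match lookup."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, next_hop, learned_from):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, learned_from))

    def withdraw(self, learned_from):
        """Drop every route learned from a peer, as happens when its BGP session fails."""
        self.routes = [r for r in self.routes if r[2] != learned_from]

    def lookup(self, address):
        """(prefix, next_hop, learned_from) of the most specific matching route, or None."""
        ip = ipaddress.ip_address(address)
        candidates = [r for r in self.routes if ip in r[0]]
        if not candidates:
            return None
        net, next_hop, learned_from = max(candidates, key=lambda r: r[0].prefixlen)
        return str(net), next_hop, learned_from


US_EAST_1_VPCS = [f"10.10.{i}.0/24" for i in range(15)]
EU_WEST_2_VPCS = [f"10.11.{i}.0/24" for i in range(15)]
AWS_AGGREGATE = "10.10.0.0/15"   # covers both Regions' VPC ranges


def build_uk_rib(advertise_aggregate):
    """Routing table of the UK data center router.

    Local eu-west-2 prefixes arrive over the UK Direct Connect; us-east-1 prefixes
    arrive in their specific form over the iBGP session across the private WAN.
    With advertise_aggregate=True the UK Direct Connect also advertises the
    company-wide aggregate, which is the change proposed in the answer.
    """
    rib = Rib()
    for prefix in EU_WEST_2_VPCS:
        rib.add(prefix, "dx-uk", "dx-uk")
    for prefix in US_EAST_1_VPCS:
        rib.add(prefix, "wan-to-us-dc", "ibgp-wan")
    if advertise_aggregate:
        rib.add(AWS_AGGREGATE, "dx-uk", "dx-uk")
    return rib


def next_hop_for(address, advertise_aggregate, wan_up):
    """Next hop chosen by the UK router for `address` with the WAN healthy or failed."""
    rib = build_uk_rib(advertise_aggregate)
    if not wan_up:
        rib.withdraw("ibgp-wan")
    hit = rib.lookup(address)
    return None if hit is None else hit[1]


if __name__ == "__main__":
    for aggregate in (False, True):
        for wan_up in (True, False):
            us = next_hop_for("10.10.5.7", aggregate, wan_up)
            eu = next_hop_for("10.11.3.9", aggregate, wan_up)
            print(f"aggregate={aggregate!s:5} wan_up={wan_up!s:5} "
                  f"us-east-1 host -> {us}, eu-west-2 host -> {eu}")
```

The run with `aggregate=False, wan_up=False` reproduces the outage the company experienced: no route at all for the other Region. The same reasoning applies on the US side, which is why the change has to be made on both Direct Connect connections.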