AWS ANS-C01 Exam Questions for Effective Preparation | AWS Certified Advanced Networking - Specialty

Aspiring to conquer the AWS Certified Advanced Networking - Specialty (ANS-C01) exam? Look no further than SPOTO's comprehensive exam questions and answers, test questions, and exam preparation materials. Our exhaustive study resources cover the entire exam scope, equipping you with the knowledge to tackle even the most challenging exam questions. Gain an edge with our mock exams that simulate the real testing environment, allowing you to identify strengths and weaknesses. With SPOTO's exam resources at your disposal, you'll be well-prepared to pass successfully on your first attempt. Don't leave your certification journey to chance – leverage our proven study materials and embark on your path to becoming an AWS Networking expert today.

Question #1
A company has an AWS Site-to-Site VPN connection between its existing VPC and on-premises network. The default DHCP options set is associated with the VPC. The company has an application that is running on an Amazon Linux 2 Amazon EC2 instance in the VPC. The application must retrieve an Amazon RDS database secret that is stored in AWS Secrets Manager through a private VPC endpoint. An on-premises application provides internal RESTful API service that can be reached by URL (https://api.example.internal). Tw
A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be updated
B. Create a new prefix list
C. Create a new prefix list
D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be updated
Correct Answer: B
Question #2
A company has a hybrid cloud environment. The company’s data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity. The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is ru
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern to monitor the account for changes
B. Create custom metrics from Amazon CloudWatch logs
C. Record the current state of network resources by using AWS Config
D. Record the current state of network resources by using AWS Systems Manager Inventory
Correct Answer: ADF
Question #3
A company hosts an application on Amazon EC2 instances behind an Application Load Balancer (ALB). The company recently experienced a network security breach. A network engineer must collect and analyze logs that include the client IP address, target IP address, target port, and user agent of each user that accesses the application. What is the MOST operationally efficient solution that meets these requirements?
A. Configure the ALB to store logs in an Amazon S3 bucket
B. Configure the ALB to push logs to Amazon Kinesis Data Streams
C. Configure Amazon Kinesis Data Streams to stream data from the ALB to Amazon OpenSearch Service (Amazon Elasticsearch Service)
D. Configure the ALB to store logs in an Amazon S3 bucket
Correct Answer: D
Question #4
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time. Which solution will meet these requirements?
A. Create an Amazon S3 bucket
B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination
C. Configure flow logs for the firewall
D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination
Correct Answer: B
Question #5
A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes. Which solution will meet these requirements?
A. Deploy an Application Load Balancer with an HTTPS listener
B. Deploy an Application Load Balancer with an HTTPS listener for each domain
C. Deploy a Network Load Balancer with a TLS listener
D. Deploy a Network Load Balancer with a TLS listener for each domain
Correct Answer: A
Question #6
A development team is building a new web application in the AWS Cloud. The main company domain, example.com, is currently hosted in an Amazon Route 53 public hosted zone in one of the company's production AWS accounts. The developers want to test the web application in the company's staging AWS account by using publicly resolvable subdomains under the example.com domain with the ability to create and delete DNS records as needed. Developers have full access to Route 53 hosted zones within the staging account
A. Deploy the EC2 instances in the public subnets
B. Deploy the EC2 instances in the private subnets
C. Deploy the EC2 instances in the private subnets
D. Deploy the EC2 instances in the private subnets
Correct Answer: BE
Question #7
A company is migrating an existing application to a new AWS account. The company will deploy the application in a single AWS Region by using one VPC and multiple Availability Zones. The application will run on Amazon EC2 instances. Each Availability Zone will have several EC2 instances. The EC2 instances will be deployed in private subnets. The company's clients will connect to the application by using a web browser with the HTTPS protocol. Inbound connections must be distributed across the Availability Zone
A. Create a Network Load Balancer
B. Create an Application Load Balancer
C. Create a Network Load Balancer
D. Create an Application Load Balancer
Correct Answer: B
Question #8
A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units
A. Create a central transit gateway
B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account
C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC
D. Create a central transit VPC with a VPN appliance from AWS Marketplace
Correct Answer: C
Question #9
A company's network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set up AWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF that connects to a Direct Connect gateway that is associated with a transit gateway. The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should be routed to the failo
A. Set the BGP community tag for all prefixes from the primary data center to 7224:7100
B. Set the BGP community tag for all prefixes from the primary data center to 7224:7300
C. Set the BGP community tag for all prefixes from the primary data center to 7224:9300
D. Set the BGP community tag for all prefixes from the primary data center to 7224:9100
Correct Answer: B
Question #10
A company manages resources across VPCs in multiple AWS Regions. The company needs to connect to the resources by using its internal domain name. A network engineer needs to apply the aws.example.com DNS suffix to all resources. What must the network engineer do to meet this requirement?
A. Create an Amazon Route 53 private hosted zone for aws
B. Create one Amazon Route 53 private hosted zone for aws
C. Create one Amazon Route 53 private hosted zone for example
D. Create one Amazon Route 53 private hosted zone for aws
Correct Answer: D
Question #11
A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending ma
A. Configure the ALB in a private subnet of the VPC
B. Configure the ALB in a private subnet of the VPC
C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway
D. Configure the ALB in a private subnet of the VPC
Correct Answer: A
Question #13
A company wants to improve visibility into its AWS environment. The AWS environment consists of multiple VPCs that are connected to a transit gateway. The transit gateway connects to an on-premises data center through an AWS Direct Connect gateway and a pair of redundant Direct Connect connections that use transit VIFs. The company must receive notification each time a new route is advertised to AWS from on premises over Direct Connect. What should a network engineer do to meet these requirements?
A. Enable Amazon CloudWatch metrics on Direct Connect to track the received routes
B. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights
C. Configure an AWS Lambda function to periodically check the routes on the Direct Connect gateway and to send notifications when routes change
D. Enable Amazon CloudWatch Logs on the transit VIFs to track the received routes
Correct Answer: B
Question #14
A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway. Which set of steps should the network engineer follow in each AWS account to meet these requirements?
A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs
B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures
C. Set up a Gateway Load Balancer
D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic
Correct Answer: D
Question #15
A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway. Which solution will meet these requirements?
A. Create a new VPC for the SD-WAN hub virtual appliance
B. Assign a new CIDR block to the transit gateway
C. Create a new VPC for the SD-WAN hub virtual appliance
D. Assign a new CIDR block to the transit gateway
Correct Answer: B
Question #16
A company has a global network and is using transit gateways to connect AWS Regions together. The company finds that two Amazon EC2 instances in different Regions are unable to communicate with each other. A network engineer needs to troubleshoot this connectivity issue. What should the network engineer do to meet this requirement?
A. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables and in the VPC route tables
B. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables
C. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables
D. Use VPC Reachability Analyzer to analyze routes in the transit gateway route tables
Correct Answer: C
Question #17
A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached to a transit gateway. Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission. How should a network engineer configure the AWS resources to meet these requirements?
A. Create a static source multicast domain within the transit gateway
B. Create a static source multicast domain within the transit gateway
C. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway
D. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway
Correct Answer: C
Question #18
An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional DNS resolution between AWS and the existing on-premises environments must be established. The workloads will be migrated into multiple VPCs. The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time. Which solution meets these requirements?
A. Configure a private hosted zone for each application VPC, and create the requisite records
B. Configure a public hosted zone for each application VPC, and create the requisite records
C. Configure a private hosted zone for each application VPC, and create the requisite records
D. Configure a private hosted zone for each application VPC, and create the requisite records
Correct Answer: A
Question #19
A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud. The application requires connectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWS and its on-premises network to accommodate the growing demand for the application. The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS and the edge routers in the
A. Deploy a new public VIF with encryption on the existing Direct Connect connections
B. Create a virtual private gateway. Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway. Reroute traffic from the Direct Connect private VIF to the new VPNs
C. Deploy a new pair of 10 GB Direct Connect connections with MACsec
D. Deploy a new pair of 10 GB Direct Connect connections with MACsec
Correct Answer: C
Question #20
A company is building its website on AWS in a single VPC. The VPC has public subnets and private subnets in two Availability Zones. The website has static content such as images. The company is using Amazon S3 to store the content. The company has deployed a fleet of Amazon EC2 instances as web servers in a private subnet. The EC2 instances are in an Auto Scaling group behind an Application Load Balancer. The EC2 instances will serve traffic, and they must pull content from an S3 bucket to render the webpage
A. Create a Direct Connect private VIF
B. Create an AWS Site-to-Site VPN tunnel over the existing public VIF
C. Implement interface VPC endpoints for Amazon S3
D. Implement gateway VPC endpoints for Amazon S3
Correct Answer: D
Question #21
A company is developing an application in which IoT devices will report measurements to the AWS Cloud. The application will have millions of end users. The company observes that the IoT devices cannot support DNS resolution. The company needs to implement an Amazon EC2 Auto Scaling solution so that the IoT devices can connect to an application endpoint without using DNS. Which solution will meet these requirements MOST cost-effectively?
A. Use an Application Load Balancer (ALB)-type target group for a Network Load Balancer (NLB)
B. Use an AWS Global Accelerator accelerator with an Application Load Balancer (ALB) endpoint
C. Use a Network Load Balancer (NLB)
D. Use an AWS Global Accelerator accelerator with a Network Load Balancer (NLB) endpoint
Correct Answer: C
Question #22
A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application. A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups. Which solution will meet these requirements?
A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration
B. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration
C. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration
D. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration
Correct Answer: B
Question #23
A company deploys a new web application on Amazon EC2 instances. The application runs in private subnets in three Availability Zones behind an Application Load Balancer (ALB). Security auditors require encryption of all connections. The company uses Amazon Route 53 for DNS and uses AWS Certificate Manager (ACM) to automate SSL/TLS certificate provisioning. SSL/TLS connections are terminated on the ALB. The company tests the application with a single EC2 instance and does not observe any problems. However, af
A. Modify the ALB listener configuration
B. Replace the ALB with a Network Load Balancer
C. Modify the ALB target group configuration by enabling the stickiness attribute
D. Remove the ALB
Correct Answer: C
Question #24
A global company runs business applications in the us-east-1 Region inside a VPC. One of the company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN connection to the VPC. The company has configured a transit gateway and has set up peering between the VPC and other VPCs that various departments in the company use. Employees at the London office are experiencing latency issues when they connect to the business applications. What should a network engineer do to reduce th
A. Create a new Site-to-Site VPN connection
B. Modify the existing Site-to-Site VPN connection by setting the transit gateway as the target gateway
C. Create a new transit gateway in the eu-west-2 (London) Region
D. Create a new AWS Global Accelerator standard accelerator that has an endpoint of the Site-to-Site VPN connection
Correct Answer: A
Question #25
A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service.example.com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name. The company’s security policy r
A. Enable the new Availability Zone on the NLB
B. Create a new NLB for the instances in the second Availability Zone
C. Enable proxy protocol on the NLB
D. Create a new target group with the instances in both Availability Zones
Correct Answer: BDE
Question #26
A data analytics company has a 100-node high performance computing (HPC) cluster. The HPC cluster is for parallel data processing and is hosted in a VPC in the AWS Cloud. As part of the data processing workflow, the HPC cluster needs to perform several DNS queries to resolve and connect to Amazon RDS databases, Amazon S3 buckets, and on-premises data stores that are accessible through AWS Direct Connect. The HPC cluster can increase in size by five to seven times during the company’s peak event at the end o
A. Scale out the DNS service by adding two additional EC2 instances in the VPC
B. Scale up the existing EC2 instances that the company is using as DNS servers
C. Create Route 53 Resolver outbound endpoints
D. Create Route 53 Resolver inbound endpoints
Correct Answer: C
Question #27
A company delivers applications over the internet. An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name. A network engineer is working on a new version of one of the applications. All the application's components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addres
A. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS service
B. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service
C. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service
D. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service
Correct Answer: BCD
Question #28
An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional DNS resolution between AWS and the existing on-premises environments must be established. The workloads will be migrated into multiple VPCs. The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time. Which solution meets these requirements?
A. Configure a private hosted zone for each application VPC, and create the requisite records
B. Configure a public hosted zone for each application VPC, and create the requisite records
C. Configure a private hosted zone for each application VPC, and create the requisite records
.
Correct Answer: A
Question #29
A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1. The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US d
A. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF
B. Connect the VPC in eu-west-2 to a new transit gateway
C. Connect the VPC in eu-west-2 to a new transit gateway
D. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF
Correct Answer: B
Question #32
A company is migrating its containerized application to AWS. For the architecture the company will have an ingress VPC with a Network Load Balancer (NLB) to distribute the traffic to front-end pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The front end of the application will determine which user is requesting access and will send traffic to 1 of 10 services VPCs. Each services VPC will include an NLB that distributes traffic to the services pods in an EKS cluster. The company is concern
A. The stateful appliances and the transit gateway attachments are deployed in a separate subnet in the shared services VPC
B. Appliance mode is not enabled on the transit gateway attachment to the shared services VPC
C. The stateful appliances and the transit gateway attachments are deployed in the same subnet in the shared services VPC
D. Appliance mode is not enabled on the transit gateway attachment to the application VPCs
Correct Answer: C
Question #34
A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private and share a route table that does not have a default route. The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances must not be directly
A. 1
B. 1
C. 1
D. 1
Correct Answer: C
Question #35
A global company operates all its non-production environments out of three AWS Regions: eu-west-1, us-east-1, and us-west-1. The company hosts all its production workloads in two on-premises data centers. The company has 60 AWS accounts and each account has two VPCs in each Region. Each VPC has a virtual private gateway where two VPN connections terminate for resilient connectivity to the data centers. The company has 360 VPN tunnels to each data center, resulting in high management overhead. The total VPN
A. Set up an AWS Direct Connect connection from each data center to AWS in each Region
B. Create a single transit gateway with VPN connections from each data center
C. Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data center
D. Peer all the VPCs in each Region to a new VPC in each Region that will function as a centralized transit VPC
Correct Answer: A
Question #36
An Australian ecommerce company hosts all of its services in the AWS Cloud and wants to expand its customer base to the United States (US). The company is targeting the western US for the expansion. The company’s existing AWS architecture consists of four AWS accounts with multiple VPCs deployed in the ap-southeast-2 Region. All VPCs are attached to a transit gateway in ap-southeast-2. There are dedicated VPCs for each application service. The company also has VPCs for centralized security features such as p
A. Create VPN attachments between the two transit gateways
B. Peer the transit gateways in each Region
C. Create a VPN server in a VPC in each Region
D. Attach the VPCs in us-west-1 to the transit gateway in ap-southeast-2
Correct Answer: B
Question #37
An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers. The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introd
A. Place the EC2 instances behind a Network Load Balancer (NLB)
B. Place the EC2 instances behind a Network Load Balancer (NLB)
C. Place the EC2 instances behind an Application Load Balancer (ALB)
D. Place the EC2 instances behind an Amazon CloudFront distribution
Correct Answer: B
Question #38
A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east-west (VPC-to-VPC) traffic. Users report that inter-VPC traffic to different Availability Zone
A. In the shared VPC, replace the VPC attachment with a VPN attachment
B. Enable transit gateway appliance mode on the VPC attachment in VPC A and VPC B
C. Enable transit gateway appliance mode on the VPC attachment in the shared VPC
D. In the shared VPC, configure one VPC peering connection to VPC A and another VPC peering connection to VPC B
Correct Answer: D
Question #39
A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal. The process to register a new service tha
A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing
B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support
C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support
D. Modify the transit gateway by selecting multicast support
Correct Answer: CEF
Question #40
A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied. The SQS queue is not receiving messages. Which of the following are possible causes of this problem? (Choose two.)
A. In the shared services account, create an interface endpoint for AWS KMS
B. In the shared services account, create an interface endpoint for AWS KMS
C. In each spoke AWS account, create an interface endpoint for AWS KMS
D. In each spoke AWS account, create an interface endpoint for AWS KMS
Correct Answer: BC
Question #41
A company uses a 1 Gbps AWS Direct Connect connection to connect its AWS environment to its on-premises data center. The connection provides employees with access to an application VPC that is hosted on AWS. Many remote employees use a company-provided VPN to connect to the data center. These employees are reporting slowness when they access the application during business hours. On-premises users have started to report similar slowness while they are in the office. The company plans to build an additional a
A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application
B. Deploy an AWS Site-to-Site VPN connection to the application VPC
C. Deploy Amazon WorkSpaces into the application VPC. Instruct the remote employees to connect to WorkSpaces
D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps Direct Connect hosted connections
Correct Answer: B
Question #42
A company is hosting an application on Amazon EC2 instances behind an Application Load Balancer. The instances are in an Amazon EC2 Auto Scaling group. Because of a recent change to a security group, external users cannot access the application. A network engineer needs to prevent this downtime from happening again. The network engineer must implement a solution that remediates noncompliant changes to security groups. Which solution will meet these requirements?
A. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration
B. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration
C. Configure Amazon GuardDuty to detect inconsistencies between the desired security group configuration and the current security group configuration
D. Configure an AWS Config rule to detect inconsistencies between the desired security group configuration and the current security group configuration
Correct Answer: B
Question #43
A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints. Which solution will meet these requirements with the LEAST operational overhead?
A. Create a central egress VPC that has private NAT gateways
B. Create a central shared services VPC
C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access
D. Create a central shared services VPC
Correct Answer: C
Question #44
A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units
A. Create a central transit gateway
B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account
C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC
D. Create a central transit VPC with a VPN appliance from AWS Marketplace
Correct Answer: C
Question #45
A company is migrating an application from on premises to AWS. The company will host the application on Amazon EC2 instances that are deployed in a single VPC. During the migration period, DNS queries from the EC2 instances must be able to resolve names of on-premises servers. The migration is expected to take 3 months. After the 3-month migration period, the resolution of on-premises servers will no longer be needed. What should a network engineer do to meet these requirements with the LEAST amount of config
A. Set up an AWS Site-to-Site VPN connection between on premises and AWS
B. Set up an AWS Direct Connect connection with a private VIF
C. Set up an AWS Client VPN connection between on premises and AWS
D. Set up an AWS Direct Connect connection with a public VIF
Correct Answer: A
Question #46
A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads. A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time. How should the network engineer conf
A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance
B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway
C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway
D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect
Correct Answer: A
Question #47
A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries. To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall. Which change should a network engineer implement to meet
A. Update the DNS Firewall VPC configuration to disable fail open for the VPC
B. Update the DNS Firewall VPC configuration to enable fail open for the VPC
C. Create a new DHCP options set with parameter dns_firewall_fail_open=false
D. Create a new DHCP options set with parameter dns_firewall_fail_open=true
Correct Answer: B
Question #48
A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints. Which solution will meet these requirements with the LEAST operational overhead?
A. Create a central egress VPC that has private NAT gateways
B. Create a central shared services VPC
C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access
D. Create a central shared services VPC
Correct Answer: C
Question #49
A company has its production VPC (VPC-A) in the eu-west-1 Region in Account 1. VPC-A is attached to a transit gateway (TGW-A) that is connected to an on-premises data center in Dublin, Ireland, by an AWS Direct Connect transit VIF that is configured for an AWS Direct Connect gateway. The company also has a staging VPC (VPC-B) that is attached to another transit gateway (TGW-B) in the eu-west-2 Region in Account 2. A network engineer must implement connectivity between VPC-B and the on-premises data center in
A. Use the ALB to inspect the authorized token inside the GET/POST request payload
B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload
C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload
D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload
Correct Answer: BD
Question #50
A company is migrating an application from on premises to AWS. The company will host the application on Amazon EC2 instances that are deployed in a single VPC. During the migration period, DNS queries from the EC2 instances must be able to resolve names of on-premises servers. The migration is expected to take 3 months. After the 3-month migration period, the resolution of on-premises servers will no longer be needed. What should a network engineer do to meet these requirements with the LEAST amount of config
A. Set up an AWS Site-to-Site VPN connection between on premises and AWS
B. Set up an AWS Direct Connect connection with a private VIF
C. Set up an AWS Client VPN connection between on premises and AWS
D. Set up an AWS Direct Connect connection with a public VIF
Correct Answer: A
Question #51
A company has deployed a software-defined WAN (SD-WAN) solution to interconnect all of its offices. The company is migrating workloads to AWS and needs to extend its SD-WAN solution to support connectivity to these workloads. A network engineer plans to deploy AWS Transit Gateway Connect and two SD-WAN virtual appliances to provide this connectivity. According to company policies, only a single SD-WAN virtual appliance can handle traffic from AWS workloads at a given time. How should the network engineer conf
A. Add a static default route in the transit gateway route table to point to the secondary SD-WAN virtual appliance
B. Configure the BGP community tag 7224:7300 on the primary SD-WAN virtual appliance for BGP routes toward the transit gateway
C. Configure the AS_PATH prepend attribute on the secondary SD-WAN virtual appliance for BGP routes toward the transit gateway
D. Disable equal-cost multi-path (ECMP) routing on the transit gateway for Transit Gateway Connect
Correct Answer: A
Question #52
A company uses a hybrid architecture and has an AWS Direct Connect connection between its on-premises data center and AWS. The company has production applications that run in the on-premises data center. The company also has production applications that run in a VPC. The applications that run in the on-premises data center need to communicate with the applications that run in the VPC. The company is using corp.example.com as the domain name for the on-premises resources and is using an Amazon Route 53 priva
A. Create a VPN connection over the Direct Connect connection by using the on-premises firewall
B. Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances
C. Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed
D. Deploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed
Correct Answer: CEF
Question #53
A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The comp
A. Install the AWS Load Balancer Controller for Kubernetes
B. Install the AWS Load Balancer Controller for Kubernetes
C. Create a target group
D. Create a target group
Correct Answer: D
Question #54
A company uses a hybrid architecture and has an AWS Direct Connect connection between its on-premises data center and AWS. The company has production applications that run in the on-premises data center. The company also has production applications that run in a VPC. The applications that run in the on-premises data center need to communicate with the applications that run in the VPC. The company is using corp.example.com as the domain name for the on-premises resources and is using an Amazon Route 53 priva
A. Create a VPN connection over the Direct Connect connection by using the on-premises firewall
B. Configure the on-premises firewall to filter all requests from the on-premises network to the EC2 instances
C. Deploy a NAT gateway into a private subnet in the VPC where the EC2 instances are deployed
D. Deploy a NAT instance into a private subnet in the VPC where the EC2 instances are deployed
Correct Answer: CEF
Question #55
A company is using an AWS Site-to-Site VPN connection from the company's on-premises data center to a virtual private gateway in the AWS Cloud. Because of congestion, the company is experiencing availability and performance issues as traffic travels across the internet before the traffic reaches AWS. A network engineer must reduce these issues for the connection as quickly as possible with minimum administration effort. Which solution will meet these requirements?
A. Edit the existing Site-to-Site VPN connection by enabling acceleration
B. Configure a transit gateway in the same AWS Region as the existing virtual private gateway
C. Create a new accelerated Site-to-Site VPN connection
D. Create a new AWS Direct Connect connection with a private VIF between the on-premises data center and the AWS Cloud
Correct Answer: B
Question #56
A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement?
A. Change the ALB security policy to a policy that supports TLS 1
B. Use AWS Key Management Service (AWS KMS) to encrypt session keys
C. Associate an AWS WAF web ACL with the ALBs
D. Change the ALB security policy to a policy that supports forward secrecy (FS)
Correct Answer: D
Question #57
A company manages resources across VPCs in multiple AWS Regions. The company needs to connect to the resources by using its internal domain name. A network engineer needs to apply the aws.example.com DNS suffix to all resources. What must the network engineer do to meet this requirement?
A. Create an Amazon Route 53 private hosted zone for aws
B. Create one Amazon Route 53 private hosted zone for aws
C. Create one Amazon Route 53 private hosted zone for example
D. Create one Amazon Route 53 private hosted zone for aws
Correct Answer: D
Question #58
A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group. The company's operations team notices that traffic is being routed only to the instances in the first Availability Zone. What is the MOST operationally efficient solution to resolve this issue?
A. Configure the two network interfaces in the launch template
B. Configure the primary network interface in a private subnet in the launch template
C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching
D. During creation of the Auto Scaling group, select subnets for the primary network interface
Correct Answer: A
Question #59
A company has its production VPC (VPC-A) in the eu-west-1 Region in Account 1. VPC-A is attached to a transit gateway (TGW-A) that is connected to an on-premises data center in Dublin, Ireland, by an AWS Direct Connect transit VIF that is configured for an AWS Direct Connect gateway. The company also has a staging VPC (VPC-B) that is attached to another transit gateway (TGW-B) in the eu-west-2 Region in Account 2. A network engineer must implement connectivity between VPC-B and the on-premises data center in
A. Use the ALB to inspect the authorized token inside the GET/POST request payload
B. Integrate AWS WAF with the ALB to inspect the authorized token inside the GET/POST request payload
C. Use an AWS Lambda@Edge function to inspect the authorized token inside the GET/POST request payload
D. Set up an EC2 instance that has a third-party packet inspection tool to inspect the authorized token inside the GET/POST request payload
Correct Answer: BD
Question #60
An international company provides early warning about tsunamis. The company plans to use IoT devices to monitor sea waves around the world. The data that is collected by the IoT devices must reach the company’s infrastructure on AWS as quickly as possible. The company is using three operation centers around the world. Each operation center is connected to AWS through its own AWS Direct Connect connection. Each operation center is connected to the internet through at least two upstream internet service provi
A. Set up an Amazon CloudFront distribution with origin failover
B. Set up Route 53 latency-based routing
C. Set up an accelerator in AWS Global Accelerator
D. Set up Bring Your Own IP (BYOIP) addresses
Correct Answer: C
Question #61
A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response. Which configuration ch
A. Configure the NAT gateway timeout to allow connections for up to 600 seconds
B. Enable enhanced networking on the client EC2 instances
C. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds
D. Close idle TCP connections through the NAT gateway
Correct Answer: C
Question #62
A company has two AWS accounts: one for Production and one for Connectivity. A network engineer needs to connect the Production account VPC to a transit gateway in the Connectivity account. The feature to auto accept shared attachments is not enabled on the transit gateway. Which set of steps should the network engineer follow in each AWS account to meet these requirements?
A. Use Amazon GuardDuty to analyze traffic patterns by inspecting DNS requests and VPC flow logs
B. Use Amazon GuardDuty to deploy AWS managed decoy systems that are equipped with the most recent malware signatures
C. Set up a Gateway Load Balancer
D. Configure Amazon Inspector to perform deep packet inspection of outgoing traffic
Correct Answer: D
Question #63
A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configu
A. Create an Application Load Balancer (ALB)
B. Create an Amazon CloudFront distribution
C. Create a Network Load Balancer (NLB)
D. Create a Gateway Load Balancer (GLB)
Correct Answer: BE
Question #64
A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company's data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server. How should the network engineer set up th
A. Create one hosted connection
B. Create one hosted connection
C. Create one dedicated connection
D. Create one dedicated connection
Correct Answer: D
Question #65
A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement?
A. Change the ALB security policy to a policy that supports TLS 1
B. Use AWS Key Management Service (AWS KMS) to encrypt session keys
C. Associate an AWS WAF web ACL with the ALBs
D. Change the ALB security policy to a policy that supports forward secrecy (FS)
Correct Answer: D
Question #66
A network engineer has deployed an Amazon EC2 instance in a private subnet in a VPC. The VPC has no public subnet. The EC2 instance hosts application code that sends messages to an Amazon Simple Queue Service (Amazon SQS) queue. The subnet has the default network ACL with no modification applied. The EC2 instance has the default security group with no modification applied. The SQS queue is not receiving messages. Which of the following are possible causes of this problem? (Choose two.)
A. In the shared services account, create an interface endpoint for AWS KMS
B. In the shared services account, create an interface endpoint for AWS KMS
C. In each spoke AWS account, create an interface endpoint for AWS KMS
D. In each spoke AWS account, create an interface endpoint for AWS KMS
Correct Answer: BC
Question #67
A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for th
A. Create an internet gateway and a NAT gateway in the VPC
B. Create an internet gateway and a NAT instance in the VPC
C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway
D. Create an egress-only internet gateway in the VPC
Correct Answer: C
Question #68
A development team is building a new web application in the AWS Cloud. The main company domain, example.com, is currently hosted in an Amazon Route 53 public hosted zone in one of the company's production AWS accounts. The developers want to test the web application in the company's staging AWS account by using publicly resolvable subdomains under the example.com domain with the ability to create and delete DNS records as needed. Developers have full access to Route 53 hosted zones within the staging account
A. Deploy the EC2 instances in the public subnets
B. Deploy the EC2 instances in the private subnets
C. Deploy the EC2 instances in the private subnets
D. Deploy the EC2 instances in the private subnets
Correct Answer: BE
Question #69
A company has deployed a web application on AWS. The web application uses an Application Load Balancer (ALB) across multiple Availability Zones. The targets of the ALB are AWS Lambda functions. The web application also uses Amazon CloudWatch metrics for monitoring. Users report that parts of the web application are not loading properly. A network engineer needs to troubleshoot the problem. The network engineer enables access logging for the ALB. What should the network engineer do next to determine which erro
A. Send the logs to Amazon CloudWatch Logs
B. Configure the Amazon S3 bucket destination
C. Configure the Amazon S3 bucket destination
D. Send the logs to Amazon CloudWatch Logs
Correct Answer: B
Question #70
A company has been using an outdated application layer protocol for communication among applications. The company decides not to use this protocol anymore and must migrate all applications to support a new protocol. The old protocol and the new protocol are TCP-based, but the protocols use different port numbers. After several months of work, the company has migrated dozens of applications that run on Amazon EC2 instances and in containers. The company believes that all the applications have been migrated, b
A. Use Amazon Inspector and its Network Reachability rules package
B. Enable Amazon GuardDuty
C. Configure VPC flow logs to be delivered into an Amazon S3 bucket
D. Inspect all security groups that are assigned to the EC2 instances that host the applications
Correct Answer: C
Question #71
A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS. A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same
A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed
B. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed
C. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed
D. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed
Correct Answer: A
Question #72
A company has stateful security appliances that are deployed to multiple Availability Zones in a centralized shared services VPC. The AWS environment includes a transit gateway that is attached to application VPCs and the shared services VPC. The application VPCs have workloads that are deployed in private subnets across multiple Availability Zones. The stateful appliances in the shared services VPC inspect all east-west (VPC-to-VPC) traffic. Users report that inter-VPC traffic to different Availability Zone
A. In the shared VPC, replace the VPC attachment with a VPN attachment
B. Enable transit gateway appliance mode on the VPC attachment in VPC A and VPC
C. Enable transit gateway appliance mode on the VPC attachment in the shared VPC
D. In the shared VPC, configure one VPC peering connection to VPC A and another VPC peering connection to VPC B
Correct Answer: D
Question #73
A company is migrating its containerized application to AWS. For the architecture, the company will have an ingress VPC with a Network Load Balancer (NLB) to distribute the traffic to front-end pods in an Amazon Elastic Kubernetes Service (Amazon EKS) cluster. The front end of the application will determine which user is requesting access and will send traffic to 1 of 10 services VPCs. Each services VPC will include an NLB that distributes traffic to the services pods in an EKS cluster. The company is concern
A. The stateful appliances and the transit gateway attachments are deployed in a separate subnet in the shared services VPC
B. Appliance mode is not enabled on the transit gateway attachment to the shared services VPC
C. The stateful appliances and the transit gateway attachments are deployed in the same subnet in the shared services VPC
D. Appliance mode is not enabled on the transit gateway attachment to the application VPCs
Correct Answer: C
Question #74
A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs. Which route table configurations on the transit gateway will meet these requirements?
A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VPC
B. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VPC
C. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs
D. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disabled
Correct Answer: A
Question #75
A company has a global network and is using transit gateways to connect AWS Regions together. The company finds that two Amazon EC2 instances in different Regions are unable to communicate with each other. A network engineer needs to troubleshoot this connectivity issue. What should the network engineer do to meet this requirement?
A. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables and in the VPC route tables
B. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables
C. Use AWS Network Manager Route Analyzer to analyze routes in the transit gateway route tables
D. Use VPC Reachability Analyzer to analyze routes in the transit gateway route tables
Correct Answer: C
