Pass the AWS Exam Easily with Updated ANS-C01 Practice Questions

Prepare effectively for the SPOTO Fortinet AWS ANS-C01 exam with comprehensive exam questions and answers tailored for success. Our test questions cover key topics essential for AWS Certified Advanced Networking - Specialty certification, ensuring thorough preparation and confidence on exam day. Access valuable exam resources and study materials designed to enhance your understanding of network architecture for AWS services, empowering you to excel in the exam. With our professional mock exams, simulate the exam environment to sharpen your skills and identify areas for improvement. Our focus is on helping you pass successfully, equipping you with the knowledge and confidence needed to achieve your certification goals. Don't just aim to pass; aim to excel with SPOTO Fortinet AWS ANS-C01 exam preparation content.

Question #1
A global company runs business applications in the us-east-1 Region inside a VPC. One of the company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN connection to the VPC. The company has configured a transit gateway and has set up peering between the VPC and other VPCs that various departments in the company use. Employees at the London office are experiencing latency issues when they connect to the business applications. What should a network engineer do to reduce th
A. Create a new Site-to-Site VPN connection
B. Modify the existing Site-to-Site VPN connection by setting the transit gateway as the target gateway
C. Create a new transit gateway in the eu-west-2 (London) Region
D. Create a new AWS Global Accelerator standard accelerator that has an endpoint of the Site-to-Site VPN connection
Correct Answer: A

Question #2
A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud. Which solution will meet these requirements while providing the HIGHEST throughput?
A. Configure a public VIF on the Direct Connect connection
B. Configure a transit VIF on the Direct Connect connection
C. Configure MACsec for the Direct Connect connection
D. Configure a public VIF on the Direct Connect connection
Correct Answer: D
Question #3
An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional DNS resolution between AWS and the existing on-premises environments must be established. The workloads will be migrated into multiple VPCs. The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time. Which solution meets these requirements?
A. Configure a private hosted zone for each application VPC, and create the requisite records
B. Configure a public hosted zone for each application VPC, and create the requisite records
C. Configure a private hosted zone for each application VPC, and create the requisite records
D. Configure a private hosted zone for each application VPC, and create the requisite records
Correct Answer: A
Question #4
An international company provides early warning about tsunamis. The company plans to use IoT devices to monitor sea waves around the world. The data that is collected by the IoT devices must reach the company’s infrastructure on AWS as quickly as possible. The company is using three operation centers around the world. Each operation center is connected to AWS through its own AWS Direct Connect connection. Each operation center is connected to the internet through at least two upstream internet service provi
A. Set up an Amazon CloudFront distribution with origin failover
B. Set up Route 53 latency-based routing
C. Set up an accelerator in AWS Global Accelerator
D. Set up Bring Your Own IP (BYOIP) addresses
Correct Answer: C
Question #5
A company's AWS architecture consists of several VPCs. The VPCs include a shared services VPC and several application VPCs. The company has established network connectivity from all VPCs to the on-premises DNS servers. Applications that are deployed in the application VPCs must be able to resolve DNS for internally hosted domains on premises. The applications also must be able to resolve local VPC domain names and domains that are hosted in Amazon Route 53 private hosted zones. What should a network engineer
A. Create a new Route 53 Resolver inbound endpoint in the shared services VPC
B. Create a new Route 53 Resolver outbound endpoint in the shared services VPC
C. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains
D. Create a new Route 53 Resolver inbound endpoint in the shared services VPC
Correct Answer: A
Question #6
A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer. Which architecture will meet these requirements MOST cost-effectively?
A. Deploy a Gateway Load Balancer with the firewall appliances as targets
B. Deploy a Gateway Load Balancer with the firewall appliances as targets
C. Deploy a Network Load Balancer with the firewall appliances as targets
D. Deploy a Network Load Balancer with the firewall appliances as targets
Correct Answer: D
Question #7
A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response. Which configuration ch
A. Configure the NAT gateway timeout to allow connections for up to 600 seconds
B. Enable enhanced networking on the client EC2 instances
C. Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds
D. Close idle TCP connections through the NAT gateway
Correct Answer: C
Question #8
A company is using an AWS Site-to-Site VPN connection from the company's on-premises data center to a virtual private gateway in the AWS Cloud. Because of congestion, the company is experiencing availability and performance issues as traffic travels across the internet before the traffic reaches AWS. A network engineer must reduce these issues for the connection as quickly as possible with minimum administration effort. Which solution will meet these requirements?
A. Edit the existing Site-to-Site VPN connection by enabling acceleration
B. Configure a transit gateway in the same AWS Region as the existing virtual private gateway
C. Create a new accelerated Site-to-Site VPN connection
D. Create a new AWS Direct Connect connection with a private VIF between the on-premises data center and the AWS Cloud
Correct Answer: B
Question #9
A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer. Which architecture will meet these requirements MOST cost-effectively?
A. Deploy a Gateway Load Balancer with the firewall appliances as targets
B. Deploy a Gateway Load Balancer with the firewall appliances as targets
C. Deploy a Network Load Balancer with the firewall appliances as targets
D. Deploy a Network Load Balancer with the firewall appliances as targets
Correct Answer: D
Question #10
A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the
A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443
B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443
C. Create a VPC Reachability Analyzer path on port 443
D. Create a VPC Reachability Analyzer path on port 443
Correct Answer: D
Question #11
A company has an AWS Site-to-Site VPN connection between its existing VPC and on-premises network. The default DHCP options set is associated with the VPC. The company has an application that is running on an Amazon Linux 2 Amazon EC2 instance in the VPC. The application must retrieve an Amazon RDS database secret that is stored in AWS Secrets Manager through a private VPC endpoint. An on-premises application provides internal RESTful API service that can be reached by URL (https://api.example.internal). Tw
A. Create an Amazon DynamoDB table to maintain all IP address ranges and security groups that need to be updated
B. Create a new prefix list
C. Create a new prefix list
D. Create an Amazon S3 bucket to maintain all IP address ranges and security groups that need to be updated
Correct Answer: B
Question #12
A company is creating new features for its ecommerce website. These features will use several microservices that are accessed through different paths. The microservices will run on Amazon Elastic Container Service (Amazon ECS). The company requires the use of HTTPS for all of its public websites. The application requires the customer’s source IP addresses. A network engineer must implement a load balancing strategy that meets these requirements. Which combination of actions should the network engineer take to
A. Create a transit gateway
B. Create an AWS PrivateLink endpoint in every Availability Zone in the ingress VPC
C. Create a VPC peering connection between the ingress VPC and each of the 10 services VPCs
D. Create a transit gateway
Correct Answer: BE
Question #13
A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to the internet. A network engineer notices a large quantity of suspicious network traffic that is traveling from the VPC over the internet to IP addresses that are included on a deny list. The network engineer must implement a solution to determine which AWS resources are generating the suspicious traffic. The solution must minimize cost and administrative overhead. Which solution will meet these requirements?
A. Launch an Amazon EC2 instance in the VPC
B. Use VPC flow logs
C. Use VPC flow logs
D. Configure the VPC to stream the network traffic directly to an Amazon Kinesis data stream
Correct Answer: C
Question #14
A company is deploying a new application on AWS. The application uses dynamic multicasting. The company has five VPCs that are all attached to a transit gateway. Amazon EC2 instances in each VPC need to be able to register dynamically to receive a multicast transmission. How should a network engineer configure the AWS resources to meet these requirements?
A. Create a static source multicast domain within the transit gateway
B. Create a static source multicast domain within the transit gateway
C. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway
D. Create an Internet Group Management Protocol (IGMP) multicast domain within the transit gateway
Correct Answer: C
Question #15
A company has deployed a new web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Enterprise customers from around the world will use the application. Employees of these enterprise customers will connect to the application over HTTPS from office locations. The company must configure firewalls to allow outbound traffic to only approved IP addresses. The employees of the enterprise customers must be able to access the applicat
A. Create a new Network Load Balancer (NLB)
B. Create a new Amazon CloudFront distribution
C. Create a new accelerator in AWS Global Accelerator
D. Create a new Amazon Route 53 hosted zone
Correct Answer: C
Question #16
A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection. What is the MOST scalable way to add VPCs with on-premises connectivity?
A. Provision a new Direct Connect connection to handle the additional VPCs
B. Create virtual private gateways for each VPC that is over the service quota
C. Create a Direct Connect gateway, and add virtual private gateway associations to the VPCs
D. Create a transit gateway, and attach the VPCs
Correct Answer: D
Question #17
A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured. The security team needs
A. Create VPC flow logs in the default format
B. Create VPC flow logs in a custom format
C. Create VPC flow logs in a custom format
D. Create VPC flow logs in a custom format
Correct Answer: D
Question #18
A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic. Which solution will meet th
A. Deploy a Network Load Balancer (NLB) as the traffic mirror target
B. Deploy an Application Load Balancer (ALB) as the traffic mirror target
C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target
D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target
Correct Answer: A
Question #19
A company has expanded its network to the AWS Cloud by using a hybrid architecture with multiple AWS accounts. The company has set up a shared AWS account for the connection to its on-premises data centers and the company offices. The workloads consist of private web-based services for internal use. These services run in different AWS accounts. Office-based employees consume these services by using a DNS name in an on-premises DNS zone that is named example.internal. The process to register a new service tha
A. Modify the transit gateway VPC attachment on the shared services VPC by enabling cross-Availability Zone load balancing
B. Modify the transit gateway VPC attachment on the shared services VPC by enabling appliance mode support
C. Modify the transit gateway by selecting VPN equal-cost multi-path (ECMP) routing support
D. Modify the transit gateway by selecting multicast support
Correct Answer: CEF
Question #20
A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application. Which solution wi
A. Create a VPC peering connection between the web service VPC and the existing production VPC
B. Ask the development team of the web service to redeploy the web service into the production VPC and integrate the systems there
C. Create a VPC endpoint service
D. Create a transit gateway in the existing production environment
Correct Answer: D
Question #21
A company has deployed a new web application on Amazon EC2 instances behind an Application Load Balancer (ALB). The instances are in an Amazon EC2 Auto Scaling group. Enterprise customers from around the world will use the application. Employees of these enterprise customers will connect to the application over HTTPS from office locations. The company must configure firewalls to allow outbound traffic to only approved IP addresses. The employees of the enterprise customers must be able to access the applicat
A. Create a new Network Load Balancer (NLB)
B. Create a new Amazon CloudFront distribution
C. Create a new accelerator in AWS Global Accelerator
D. Create a new Amazon Route 53 hosted zone
Correct Answer: C
Question #22
A company manages resources across VPCs in multiple AWS Regions. The company needs to connect to the resources by using its internal domain name. A network engineer needs to apply the aws.example.com DNS suffix to all resources. What must the network engineer do to meet this requirement?
A. Create an Amazon Route 53 private hosted zone for aws
B. Create one Amazon Route 53 private hosted zone for aws
C. Create one Amazon Route 53 private hosted zone for example
D. Create one Amazon Route 53 private hosted zone for aws
Correct Answer: D
Question #23
A company’s network engineer needs to design a new solution to help troubleshoot and detect network anomalies. The network engineer has configured Traffic Mirroring. However, the mirrored traffic is overwhelming the Amazon EC2 instance that is the traffic mirror target. The EC2 instance hosts tools that the company’s security team uses to analyze the traffic. The network engineer needs to design a highly available solution that can scale to meet the demand of the mirrored traffic. Which solution will meet th
A. Deploy a Network Load Balancer (NLB) as the traffic mirror target
B. Deploy an Application Load Balancer (ALB) as the traffic mirror target
C. Deploy a Gateway Load Balancer (GLB) as the traffic mirror target
D. Deploy an Application Load Balancer (ALB) with an HTTPS listener as the traffic mirror target
Correct Answer: A
Question #24
A company uses AWS Direct Connect to connect its corporate network to multiple VPCs in the same AWS account and the same AWS Region. Each VPC uses its own private VIF and its own virtual LAN on the Direct Connect connection. The company has grown and will soon surpass the limit of VPCs and private VIFs for each connection. What is the MOST scalable way to add VPCs with on-premises connectivity?
A. Provision a new Direct Connect connection to handle the additional VPCs
B. Create virtual private gateways for each VPC that is over the service quota
C. Create a Direct Connect gateway, and add virtual private gateway associations to the VPCs
D. Create a transit gateway, and attach the VPCs
Correct Answer: D
Question #25
A company has created three VPCs: a production VPC, a nonproduction VPC, and a shared services VPC. The production VPC and the nonproduction VPC must each have communication with the shared services VPC. There must be no communication between the production VPC and the nonproduction VPC. A transit gateway is deployed to facilitate communication between VPCs. Which route table configurations on the transit gateway will meet these requirements?
A. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for only the shared services VPC
B. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes for each VPC
C. Configure a route table with all the VPC attachments associated with propagated routes for only the shared services VPC. Create an additional route table with only the shared services VPC attachment associated with propagated routes from the production and nonproduction VPCs
D. Configure a route table with the production and nonproduction VPC attachments associated with propagated routes disabled
Correct Answer: A
Question #26
A company delivers applications over the internet. An Amazon Route 53 public hosted zone is the authoritative DNS service for the company and its internet applications, all of which are offered from the same domain name. A network engineer is working on a new version of one of the applications. All the application's components are hosted in the AWS Cloud. The application has a three-tier design. The front end is delivered through Amazon EC2 instances that are deployed in public subnets with Elastic IP addres
A. Choose a Gateway Load Balancer (GLB) as the type of load balancer for the ECS service
B. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service
C. Choose an Application Load Balancer (ALB) as the type of load balancer for the ECS service
D. Choose a Network Load Balancer (NLB) as the type of load balancer for the ECS service
Correct Answer: BCD
Question #27
A banking company is successfully operating its public mobile banking stack on AWS. The mobile banking stack is deployed in a VPC that includes private subnets and public subnets. The company is using IPv4 networking and has not deployed or supported IPv6 in the environment. The company has decided to adopt a third-party service provider's API and must integrate the API with the existing environment. The service provider’s API requires the use of IPv6. A network engineer must turn on IPv6 connectivity for th
A. Create an internet gateway and a NAT gateway in the VPC
B. Create an internet gateway and a NAT instance in the VPC
C. Create an egress-only internet gateway in the VPC. Add a route to the existing subnet route tables to point IPv6 traffic to the egress-only internet gateway
D. Create an egress-only internet gateway in the VPC
Correct Answer: C
Question #28
A company's network engineer is designing an active-passive connection to AWS from two on-premises data centers. The company has set up AWS Direct Connect connections between the on-premises data centers and AWS. From each location, the company is using a transit VIF that connects to a Direct Connect gateway that is associated with a transit gateway. The network engineer must ensure that traffic from AWS to the data centers is routed first to the primary data center. The traffic should be routed to the failo
A. Set the BGP community tag for all prefixes from the primary data center to 7224:7100
B. Set the BGP community tag for all prefixes from the primary data center to 7224:7300
C. Set the BGP community tag for all prefixes from the primary data center to 7224:9300
D. Set the BGP community tag for all prefixes from the primary data center to 7224:9100
Correct Answer: B
Question #29
A company's development team has created a new product recommendation web service. The web service is hosted in a VPC with a CIDR block of 192.168.224.0/19. The company has deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as the target of a Network Load Balancer (NLB). The company wants to perform testing to determine whether users who receive product recommendations spend more money than users who do not receive product recommendations. The company has a big sales ev
A. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address
B. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address
C. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address
D. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address
Correct Answer: C
Question #30
A company is planning a migration of its critical workloads from an on-premises data center to Amazon EC2 instances. The plan includes a new 10 Gbps AWS Direct Connect dedicated connection from the on-premises data center to a VPC that is attached to a transit gateway. The migration must occur over encrypted paths between the on-premises data center and the AWS Cloud. Which solution will meet these requirements while providing the HIGHEST throughput?
A. Configure a public VIF on the Direct Connect connection
B. Configure a transit VIF on the Direct Connect connection
C. Configure MACsec for the Direct Connect connection
D. Configure a public VIF on the Direct Connect connection
Correct Answer: D
Question #31
A media company is implementing a news website for a global audience. The website uses Amazon CloudFront as its content delivery network. The backend runs on Amazon EC2 Windows instances behind an Application Load Balancer (ALB). The instances are part of an Auto Scaling group. The company's customers access the website by using service.example.com as the CloudFront custom domain name. The CloudFront origin points to an ALB that uses service-alb.example.com as the domain name. The company’s security policy r
A. Enable the new Availability Zone on the NLB
B. Create a new NLB for the instances in the second Availability Zone
C. Enable proxy protocol on the NLB
D. Create a new target group with the instances in both Availability Zones
Correct Answer: BDE
Question #32
A company's AWS architecture consists of several VPCs. The VPCs include a shared services VPC and several application VPCs. The company has established network connectivity from all VPCs to the on-premises DNS servers. Applications that are deployed in the application VPCs must be able to resolve DNS for internally hosted domains on premises. The applications also must be able to resolve local VPC domain names and domains that are hosted in Amazon Route 53 private hosted zones. What should a network engineer
A. Create a new Route 53 Resolver inbound endpoint in the shared services VPC
B. Create a new Route 53 Resolver outbound endpoint in the shared services VPC
C. Create a new Route 53 Resolver outbound endpoint in the shared services VPC. Create forwarding rules for the on-premises hosted domains
D. Create a new Route 53 Resolver inbound endpoint in the shared services VPC
Correct Answer: A
Question #33
A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes. Which solution will meet these requirements?
A. Deploy an Application Load Balancer with an HTTPS listener
B. Deploy an Application Load Balancer with an HTTPS listener for each domain
C. Deploy a Network Load Balancer with a TLS listener
D. Deploy a Network Load Balancer with a TLS listener for each domain
Correct Answer: B
Question #34
A company wants to improve visibility into its AWS environment. The AWS environment consists of multiple VPCs that are connected to a transit gateway. The transit gateway connects to an on-premises data center through an AWS Direct Connect gateway and a pair of redundant Direct Connect connections that use transit VIFs. The company must receive notification each time a new route is advertised to AWS from on premises over Direct Connect. What should a network engineer do to meet these requirements?
A. Enable Amazon CloudWatch metrics on Direct Connect to track the received routes
B. Onboard Transit Gateway Network Manager to Amazon CloudWatch Logs Insights
C. Configure an AWS Lambda function to periodically check the routes on the Direct Connect gateway and to send notifications when routes change
D. Enable Amazon CloudWatch Logs on the transit VIFs to track the received routes
Correct Answer: B
Question #35
A global delivery company is modernizing its fleet management system. The company has several business units. Each business unit designs and maintains applications that are hosted in its own AWS account in separate application VPCs in the same AWS Region. Each business unit's applications are designed to get data from a central shared services VPC. The company wants the network connectivity architecture to provide granular security controls. The architecture also must be able to scale as more business units
A. Create a central transit gateway
B. Create VPC peering connections between the central shared services VPC and each application VPC in each business unit's AWS account
C. Create VPC endpoint services powered by AWS PrivateLink in the central shared services VPC. Create VPC endpoints in each application VPC
D. Create a central transit VPC with a VPN appliance from AWS Marketplace
Correct Answer: C
Question #36
A company is creating new features for its ecommerce website. These features will use several microservices that are accessed through different paths. The microservices will run on Amazon Elastic Container Service (Amazon ECS). The company requires the use of HTTPS for all of its public websites. The application requires the customer’s source IP addresses. A network engineer must implement a load balancing strategy that meets these requirements. Which combination of actions should the network engineer take to
A. Create a transit gateway
B. Create an AWS PrivateLink endpoint in every Availability Zone in the ingress VPC
C. Create a VPC peering connection between the ingress VPC and each of the 10 services VPCs
D. Create a transit gateway
Correct Answer: BE
Question #37
A company is developing an application in which IoT devices will report measurements to the AWS Cloud. The application will have millions of end users. The company observes that the IoT devices cannot support DNS resolution. The company needs to implement an Amazon EC2 Auto Scaling solution so that the IoT devices can connect to an application endpoint without using DNS. Which solution will meet these requirements MOST cost-effectively?
A. Use an Application Load Balancer (ALB)-type target group for a Network Load Balancer (NLB)
B. Use an AWS Global Accelerator accelerator with an Application Load Balancer (ALB) endpoint
C. Use a Network Load Balancer (NLB)
D. Use an AWS Global Accelerator accelerator with a Network Load Balancer (NLB) endpoint
Correct Answer: C
Question #38
A company is using Amazon Route 53 Resolver DNS Firewall in a VPC to block all domains except domains that are on an approved list. The company is concerned that if DNS Firewall is unresponsive, resources in the VPC might be affected if the network cannot resolve any DNS queries. To maintain application service level agreements, the company needs DNS queries to continue to resolve even if Route 53 Resolver does not receive a response from DNS Firewall. Which change should a network engineer implement to meet
A. Update the DNS Firewall VPC configuration to disable fail open for the VPC
B. Update the DNS Firewall VPC configuration to enable fail open for the VPC
C. Create a new DHCP options set with parameter dns_firewall_fail_open=false
D. Create a new DHCP options set with parameter dns_firewall_fail_open=true
View answer
Correct Answer: B
Question #39
A company is planning to use Amazon S3 to archive financial data. The data is currently stored in an on-premises data center. The company uses AWS Direct Connect with a Direct Connect gateway and a transit gateway to connect to the on-premises data center. The data cannot be transported over the public internet and must be encrypted in transit. Which solution will meet these requirements?
A. Create a Direct Connect public VIF
B. Create an IPsec VPN connection over the transit VIF
C. Create a VPC and attach the VPC to the transit gateway
D. Create a Direct Connect public VIF
View answer
Correct Answer: B
Question #40
A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through
A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC
B. Change the router configurations to summarize the advertised routes
C. Open a support ticket to increase the quota on advertised routes to the VPC route table
D. Create an AWS Transit Gateway
View answer
Correct Answer: D
Question #41
A company is building its website on AWS in a single VPC. The VPC has public subnets and private subnets in two Availability Zones. The website has static content such as images. The company is using Amazon S3 to store the content. The company has deployed a fleet of Amazon EC2 instances as web servers in a private subnet. The EC2 instances are in an Auto Scaling group behind an Application Load Balancer. The EC2 instances will serve traffic, and they must pull content from an S3 bucket to render the webpage
A. Create a Direct Connect private VIF
B. Create an AWS Site-to-Site VPN tunnel over the existing public VIF
C. Implement interface VPC endpoints for Amazon S3
D. Implement gateway VPC endpoints for Amazon S3
View answer
Correct Answer: D
Question #42
A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending ma
A. Configure the ALB in a private subnet of the VPC
B. Configure the ALB in a private subnet of the VPC
C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway
D. Configure the ALB in a private subnet of the VPC
View answer
Correct Answer: A
Question #43
A company has deployed an application in a VPC that uses a NAT gateway for outbound traffic to the internet. A network engineer notices a large quantity of suspicious network traffic that is traveling from the VPC over the internet to IP addresses that are included on a deny list. The network engineer must implement a solution to determine which AWS resources are generating the suspicious traffic. The solution must minimize cost and administrative overhead. Which solution will meet these requirements?
A. Launch an Amazon EC2 instance in the VPC
B. Use VPC flow logs
C. Use VPC flow logs
D. Configure the VPC to stream the network traffic directly to an Amazon Kinesis data stream
View answer
Correct Answer: C
Question #44
A company plans to deploy a two-tier web application to a new VPC in a single AWS Region. The company has configured the VPC with an internet gateway and four subnets. Two of the subnets are public and have default routes that point to the internet gateway. Two of the subnets are private and share a route table that does not have a default route. The application will run on a set of Amazon EC2 instances that will be deployed behind an external Application Load Balancer. The EC2 instances must not be directly
A. 1
B. 1
C. 1
D. 1
View answer
Correct Answer: C
Question #45
A company has been using an outdated application layer protocol for communication among applications. The company decides not to use this protocol anymore and must migrate all applications to support a new protocol. The old protocol and the new protocol are TCP-based, but the protocols use different port numbers. After several months of work, the company has migrated dozens of applications that run on Amazon EC2 instances and in containers. The company believes that all the applications have been migrated, b
A. Use Amazon Inspector and its Network Reachability rules package
B. Enable Amazon GuardDuty
C. Configure VPC flow logs to be delivered into an Amazon S3 bucket
D. Inspect all security groups that are assigned to the EC2 instances that host the applications
View answer
Correct Answer: C
Question #46
A global company operates all its non-production environments out of three AWS Regions: eu-west-1, us-east-1, and us-west-1. The company hosts all its production workloads in two on-premises data centers. The company has 60 AWS accounts and each account has two VPCs in each Region. Each VPC has a virtual private gateway where two VPN connections terminate for resilient connectivity to the data centers. The company has 360 VPN tunnels to each data center, resulting in high management overhead. The total VPN
A. Set up an AWS Direct Connect connection from each data center to AWS in each Region
B. Create a single transit gateway with VPN connections from each data center
C. Create a transit gateway in each Region with multiple newly commissioned VPN connections from each data center
D. Peer all the VPCs in each Region to a new VPC in each Region that will function as a centralized transit VPC
View answer
Correct Answer: A
Question #47
A network engineer must develop an AWS CloudFormation template that can create a virtual private gateway, a customer gateway, a VPN connection, and static routes in a route table. During testing of the template, the network engineer notes that the CloudFormation template has encountered an error and is rolling back. What should the network engineer do to resolve the error?
A. Change the order of resource creation in the CloudFormation template
B. Add the DependsOn attribute to the resource declaration for the virtual private gateway
C. Add a wait condition in the template to wait for the creation of the virtual private gateway
D. Add the DependsOn attribute to the resource declaration for the route table entry
View answer
Correct Answer: D
Question #48
A company has hundreds of VPCs on AWS. All the VPCs access the public endpoints of Amazon S3 and AWS Systems Manager through NAT gateways. All the traffic from the VPCs to Amazon S3 and Systems Manager travels through the NAT gateways. The company's network engineer must centralize access to these services and must eliminate the need to use public endpoints. Which solution will meet these requirements with the LEAST operational overhead?
A. Create a central egress VPC that has private NAT gateways
B. Create a central shared services VPC
C. Create a central shared services VPC. In the central shared services VPC, create interface VPC endpoints for Amazon S3 and Systems Manager to access
D. Create a central shared services VPC
View answer
Correct Answer: B
Question #49
A company has deployed a web application on AWS. The web application uses an Application Load Balancer (ALB) across multiple Availability Zones. The targets of the ALB are AWS Lambda functions. The web application also uses Amazon CloudWatch metrics for monitoring. Users report that parts of the web application are not loading properly. A network engineer needs to troubleshoot the problem. The network engineer enables access logging for the ALB. What should the network engineer do next to determine which erro
A. Send the logs to Amazon CloudWatch Logs
B. Configure the Amazon S3 bucket destination
C. Configure the Amazon S3 bucket destination
D. Send the logs to Amazon CloudWatch Logs
View answer
Correct Answer: B
Question #50
A network engineer must develop an AWS CloudFormation template that can create a virtual private gateway, a customer gateway, a VPN connection, and static routes in a route table. During testing of the template, the network engineer notes that the CloudFormation template has encountered an error and is rolling back. What should the network engineer do to resolve the error?
A. Change the order of resource creation in the CloudFormation template
B. Add the DependsOn attribute to the resource declaration for the virtual private gateway
C. Add a wait condition in the template to wait for the creation of the virtual private gateway
D. Add the DependsOn attribute to the resource declaration for the route table entry
View answer
Correct Answer: D
Question #51
A company uses a 4 Gbps AWS Direct Connect dedicated connection with a link aggregation group (LAG) bundle to connect to five VPCs that are deployed in the us-east-1 Region. Each VPC serves a different business unit and uses its own private VIF for connectivity to the on-premises environment. Users are reporting slowness when they access resources that are hosted on AWS. A network engineer finds that there are sudden increases in throughput and that the Direct Connect connection becomes saturated at the same
A. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed
B. Review the Amazon CloudWatch metrics for VirtualInterfaceBpsEgress and VirtualInterfaceBpsIngress to determine which VIF is sending the highest throughput during the period in which slowness is observed
C. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed
D. Review the Amazon CloudWatch metrics for ConnectionBpsIngress and ConnectionPpsEgress to determine which VIF is sending the highest throughput during the period in which slowness is observed
View answer
Correct Answer: A
Question #52
A company's development team has created a new product recommendation web service. The web service is hosted in a VPC with a CIDR block of 192.168.224.0/19. The company has deployed the web service on Amazon EC2 instances and has configured an Auto Scaling group as the target of a Network Load Balancer (NLB). The company wants to perform testing to determine whether users who receive product recommendations spend more money than users who do not receive product recommendations. The company has a big sales ev
A. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address
B. Update the Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address
C. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address
D. Create a Direct Connect transit VIF and configure BGP peering with the AWS assigned IPv6 peering address
View answer
Correct Answer: C
Question #53
A company has deployed an AWS Network Firewall firewall into a VPC. A network engineer needs to implement a solution to deliver Network Firewall flow logs to the company’s Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster in the shortest possible time. Which solution will meet these requirements?
A. Create an Amazon S3 bucket
B. Create an Amazon Kinesis Data Firehose delivery stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination
C. Configure flow logs for the firewall
D. Create an Amazon Kinesis data stream that includes the Amazon OpenSearch Service (Amazon Elasticsearch Service) cluster as the destination
View answer
Correct Answer: B
Question #54
A company uses a 1 Gbps AWS Direct Connect connection to connect its AWS environment to its on-premises data center. The connection provides employees with access to an application VPC that is hosted on AWS. Many remote employees use a company-provided VPN to connect to the data center. These employees are reporting slowness when they access the application during business hours. On-premises users have started to report similar slowness while they are in the office. The company plans to build an additional a
A. Set up a new 1 Gbps Direct Connect dedicated connection to accommodate the additional traffic load from remote employees and the additional application
B. Deploy an AWS Site-to-Site VPN connection to the application VPC
C. Deploy Amazon Workspaces into the application VPC. Instruct the remote employees to connect to Workspaces
D. Replace the existing 1 Gbps Direct Connect connection with two new 2 Gbps Direct Connect hosted connections
View answer
Correct Answer: B
Question #55
A company is using custom DNS servers that run BIND for name resolution in its VPCs. The VPCs are deployed across multiple AWS accounts that are part of the same organization in AWS Organizations. All the VPCs are connected to a transit gateway. The BIND servers are running in a central VPC and are configured to forward all queries for an on-premises DNS domain to DNS servers that are hosted in an on-premises data center. To ensure that all the VPCs use the custom DNS servers, a network engineer has configu
A. Create an Application Load Balancer (ALB)
B. Create an Amazon CloudFront distribution
C. Create a Network Load Balancer (NLB)
D. Create a Gateway Load Balancer (GLB)
View answer
Correct Answer: BE
Question #56
A company is planning to use Amazon S3 to archive financial data. The data is currently stored in an on-premises data center. The company uses AWS Direct Connect with a Direct Connect gateway and a transit gateway to connect to the on-premises data center. The data cannot be transported over the public internet and must be encrypted in transit. Which solution will meet these requirements?
A. Create a Direct Connect public VIF
B. Create an IPsec VPN connection over the transit VIF
C. Create a VPC and attach the VPC to the transit gateway
D. Create a Direct Connect public VIF
View answer
Correct Answer: B
Question #57
An IoT company sells hardware sensor modules that periodically send out temperature, humidity, pressure, and location data through the MQTT messaging protocol. The hardware sensor modules send this data to the company's on-premises MQTT brokers that run on Linux servers behind a load balancer. The hardware sensor modules have been hardcoded with public IP addresses to reach the brokers. The company is growing and is acquiring customers across the world. The existing solution can no longer scale and is introd
A. Place the EC2 instances behind a Network Load Balancer (NLB)
B. Place the EC2 instances behind a Network Load Balancer (NLB)
C. Place the EC2 instances behind an Application Load Balancer (ALB)
D. Place the EC2 instances behind an Amazon CloudFront distribution
View answer
Correct Answer: B
Question #58
A security team is performing an audit of a company's AWS deployment. The security team is concerned that two applications might be accessing resources that should be blocked by network ACLs and security groups. The applications are deployed across two Amazon Elastic Kubernetes Service (Amazon EKS) clusters that use the Amazon VPC Container Network Interface (CNI) plugin for Kubernetes. The clusters are in separate subnets within the same VPC and have a Cluster Autoscaler configured. The security team needs
A. Create VPC flow logs in the default format
B. Create VPC flow logs in a custom format
C. Create VPC flow logs in a custom format
D. Create VPC flow logs in a custom format
View answer
Correct Answer: D
Question #59
A company is deploying third-party firewall appliances for traffic inspection and NAT capabilities in its VPC. The VPC is configured with private subnets and public subnets. The company needs to deploy the firewall appliances behind a load balancer. Which architecture will meet these requirements MOST cost-effectively?
A. Deploy a Gateway Load Balancer with the firewall appliances as targets
B. Deploy a Gateway Load Balancer with the firewall appliances as targets
C. Deploy a Network Load Balancer with the firewall appliances as targets
D. Deploy a Network Load Balancer with the firewall appliances as targets
View answer
Correct Answer: B
Question #60
A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The comp
A. Install the AWS Load Balancer Controller for Kubernetes
B. Install the AWS Load Balancer Controller for Kubernetes
C. Create a target group
D. Create a target group
View answer
Correct Answer: D
Question #61
A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue. A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly upl
A. Place the EC2 instances in a public subnet
B. Place the EC2 instances in a private subnet
C. Place the EC2 instances in a private subnet
D. Place the EC2 instances in a private subnet
View answer
Correct Answer: C
Question #62
A company has an AWS Direct Connect connection between its on-premises data center in the United States (US) and workloads in the us-east-1 Region. The connection uses a transit VIF to connect the data center to a transit gateway in us-east-1. The company is opening a new office in Europe with a new on-premises data center in England. A Direct Connect connection will connect the new data center with some workloads that are running in a single VPC in the eu-west-2 Region. The company needs to connect the US d
A. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF
B. Connect the VPC in eu-west-2 to a new transit gateway
C. Connect the VPC in eu-west-2 to a new transit gateway
D. Connect the VPC in eu-west-2 with the Europe data center by using a Direct Connect gateway and a private VIF
View answer
Correct Answer: B
Question #63
A company has deployed its AWS environment in a single AWS Region. The environment consists of a few hundred application VPCs, a shared services VPC, and a VPN connection to the company’s on-premises environment. A network engineer needs to implement a transit gateway with the following requirements:
- Application VPCs must be isolated from each other.
- Bidirectional communication must be allowed between the application VPCs and the on-premises network.
- Bidirectional communication must be allowed between the a
A. Create a new DHCP options set that specifies the on-premises Windows DNS servers
B. Create an Amazon Route 53 Resolver rule
C. Modify the local host file in the Amazon Linux 2 EC2 instance in the VPC. Map the service domain name (api
D. Modify the local /etc/resolv
View answer
Correct Answer: CE
Question #64
A company is deploying a new application in the AWS Cloud. The company wants a highly available web server that will sit behind an Elastic Load Balancer. The load balancer will route requests to multiple target groups based on the URL in the request. All traffic must use HTTPS. TLS processing must be offloaded to the load balancer. The web server must know the user’s IP address so that the company can keep accurate logs for security purposes. Which solution will meet these requirements?
A. Deploy an Application Load Balancer with an HTTPS listener
B. Deploy an Application Load Balancer with an HTTPS listener for each domain
C. Deploy a Network Load Balancer with a TLS listener
D. Deploy a Network Load Balancer with a TLS listener for each domain
View answer
Correct Answer: B
Question #65
A software company offers a software-as-a-service (SaaS) accounting application that is hosted in the AWS Cloud. The application requires connectivity to the company's on-premises network. The company has two redundant 10 GB AWS Direct Connect connections between AWS and its on-premises network to accommodate the growing demand for the application. The company already has encryption between its on-premises network and the colocation. The company needs to encrypt traffic between AWS and the edge routers in the
A. Deploy a new public VIF with encryption on the existing Direct Connect connections
B. Create a virtual private gateway. Deploy new AWS Site-to-Site VPN connections from on premises to the virtual private gateway. Reroute traffic from the Direct Connect private VIF to the new VPNs
C. Deploy a new pair of 10 GB Direct Connect connections with MACsec
D. Deploy a new pair of 10 GB Direct Connect connections with MACsec
View answer
Correct Answer: C
Question #66
An Australian ecommerce company hosts all of its services in the AWS Cloud and wants to expand its customer base to the United States (US). The company is targeting the western US for the expansion. The company’s existing AWS architecture consists of four AWS accounts with multiple VPCs deployed in the ap-southeast-2 Region. All VPCs are attached to a transit gateway in ap-southeast-2. There are dedicated VPCs for each application service. The company also has VPCs for centralized security features such as p
A. Create VPN attachments between the two transit gateways
B. Peer the transit gateways in each Region
C. Create a VPN server in a VPC in each Region
D. Attach the VPCs in us-west-1 to the transit gateway in ap-southeast-2
View answer
Correct Answer: B
Question #67
A company is deploying an application. The application is implemented in a series of containers in an Amazon Elastic Container Service (Amazon ECS) cluster. The company will use the Fargate launch type for its tasks. The containers will run workloads that require connectivity initiated over an SSL connection. Traffic must be able to flow to the application from other AWS accounts over private connectivity. The application must scale in a manageable way as more consumers use the application. Which solution wi
A. Create a VPC peering connection between the web service VPC and the existing production VPC
B. Ask the development team of the web service to redeploy the web service into the production VPC and integrate the systems there
C. Create a VPC endpoint service
D. Create a transit gateway in the existing production environment
View answer
Correct Answer: D
Question #68
A company has deployed its AWS environment in a single AWS Region. The environment consists of a few hundred application VPCs, a shared services VPC, and a VPN connection to the company’s on-premises environment. A network engineer needs to implement a transit gateway with the following requirements:
- Application VPCs must be isolated from each other.
- Bidirectional communication must be allowed between the application VPCs and the on-premises network.
- Bidirectional communication must be allowed between the a
A. Create a new DHCP options set that specifies the on-premises Windows DNS servers
B. Create an Amazon Route 53 Resolver rule
C. Modify the local host file in the Amazon Linux 2 EC2 instance in the VPC. Map the service domain name (api
D. Modify the local /etc/resolv
View answer
Correct Answer: CE
Question #69
A network engineer is designing a hybrid architecture that uses a 1 Gbps AWS Direct Connect connection between the company's data center and two AWS Regions: us-east-1 and eu-west-1. The VPCs in us-east-1 are connected by a transit gateway and need to access several on-premises databases. According to company policy, only one VPC in eu-west-1 can be connected to one on-premises server. The on-premises network segments the traffic between the databases and the server. How should the network engineer set up th
A. Create one hosted connection
B. Create one hosted connection
C. Create one dedicated connection
D. Create one dedicated connection
View answer
Correct Answer: D
Question #70
A company has a hybrid cloud environment. The company’s data center is connected to the AWS Cloud by an AWS Direct Connect connection. The AWS environment includes VPCs that are connected together in a hub-and-spoke model by a transit gateway. The AWS environment has a transit VIF with a Direct Connect gateway for on-premises connectivity. The company has a hybrid DNS model. The company has configured Amazon Route 53 Resolver endpoints in the hub VPC to allow bidirectional DNS traffic flow. The company is ru
A. Create an Amazon EventBridge (Amazon CloudWatch Events) rule with a custom pattern to monitor the account for changes
B. Create custom metrics from Amazon CloudWatch logs
C. Record the current state of network resources by using AWS Config
D. Record the current state of network resources by using AWS Systems Manager Inventory
View answer
Correct Answer: ADF
Question #71
A company is planning to deploy many software-defined WAN (SD-WAN) sites. The company is using AWS Transit Gateway and has deployed a transit gateway in the required AWS Region. A network engineer needs to deploy the SD-WAN hub virtual appliance into a VPC that is connected to the transit gateway. The solution must support at least 5 Gbps of throughput from the SD-WAN hub virtual appliance to other VPCs that are attached to the transit gateway. Which solution will meet these requirements?
A. Create a new VPC for the SD-WAN hub virtual appliance
B. Assign a new CIDR block to the transit gateway
C. Create a new VPC for the SD-WAN hub virtual appliance
D. Assign a new CIDR block to the transit gateway
View answer
Correct Answer: B
Question #72
A company has two on-premises data center locations. There is a company-managed router at each data center. Each data center has a dedicated AWS Direct Connect connection to a Direct Connect gateway through a private virtual interface. The router for the first location is advertising 110 routes to the Direct Connect gateway by using BGP, and the router for the second location is advertising 60 routes to the Direct Connect gateway by using BGP. The Direct Connect gateway is attached to a company VPC through
A. Remove the Direct Connect gateway, and create a new private virtual interface from each company router to the virtual private gateway of the VPC
B. Change the router configurations to summarize the advertised routes
C. Open a support ticket to increase the quota on advertised routes to the VPC route table
D. Create an AWS Transit Gateway
View answer
Correct Answer: D
Question #73
A global company runs business applications in the us-east-1 Region inside a VPC. One of the company's regional offices in London uses a virtual private gateway for an AWS Site-to-Site VPN connection to the VPC. The company has configured a transit gateway and has set up peering between the VPC and other VPCs that various departments in the company use. Employees at the London office are experiencing latency issues when they connect to the business applications. What should a network engineer do to reduce th
A. Create a new Site-to-Site VPN connection
B. Modify the existing Site-to-Site VPN connection by setting the transit gateway as the target gateway
C. Create a new transit gateway in the eu-west-2 (London) Region
D. Create a new AWS Global Accelerator standard accelerator that has an endpoint of the Site-to-Site VPN connection
View answer
Correct Answer: A
Question #74
A company has deployed a critical application on a fleet of Amazon EC2 instances behind an Application Load Balancer. The application must always be reachable on port 443 from the public internet. The application recently had an outage that resulted from an incorrect change to the EC2 security group. A network engineer needs to automate a way to verify the network connectivity between the public internet and the EC2 instances whenever a change is made to the security group. The solution also must notify the
A. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture REJECT traffic on port 443
B. Enable VPC Flow Logs on the elastic network interface of each EC2 instance to capture all traffic on port 443
C. Create a VPC Reachability Analyzer path on port 443
D. Create a VPC Reachability Analyzer path on port 443
View answer
Correct Answer: D
Question #75
A company is planning to create a service that requires encryption in transit. The traffic must not be decrypted between the client and the backend of the service. The company will implement the service by using the gRPC protocol over TCP port 443. The service will scale up to thousands of simultaneous connections. The backend of the service will be hosted on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster with the Kubernetes Cluster Autoscaler and the Horizontal Pod Autoscaler configured. The comp
A. Install the AWS Load Balancer Controller for Kubernetes
B. Install the AWS Load Balancer Controller for Kubernetes
C. Create a target group
D. Create a target group
View answer
Correct Answer: D
Question #76
A company is hosting an application on Amazon EC2 instances behind a Network Load Balancer (NLB). A solutions architect added EC2 instances in a second Availability Zone to improve the availability of the application. The solutions architect added the instances to the NLB target group. The company's operations team notices that traffic is being routed only to the instances in the first Availability Zone. What is the MOST operationally efficient solution to resolve this issue?
A. Configure the two network interfaces in the launch template
B. Configure the primary network interface in a private subnet in the launch template
C. Create an AWS Lambda function to run as a lifecycle hook of the Auto Scaling group when an instance is launching
D. During creation of the Auto Scaling group, select subnets for the primary network interface
View answer
Correct Answer: A
Question #77
A real estate company is building an internal application so that real estate agents can upload photos and videos of various properties. The application will store these photos and videos in an Amazon S3 bucket as objects and will use Amazon DynamoDB to store corresponding metadata. The S3 bucket will be configured to publish all PUT events for new object uploads to an Amazon Simple Queue Service (Amazon SQS) queue. A compute cluster of Amazon EC2 instances will poll the SQS queue to find out about newly upl
A. Place the EC2 instances in a public subnet
B. Place the EC2 instances in a private subnet
C. Place the EC2 instances in a private subnet
D. Place the EC2 instances in a private subnet
View answer
Correct Answer: C
Question #78
A company has developed an application on AWS that will track inventory levels of vending machines and initiate the restocking process automatically. The company plans to integrate this application with vending machines and deploy the vending machines in several markets around the world. The application resides in a VPC in the us-east-1 Region. The application consists of an Amazon Elastic Container Service (Amazon ECS) cluster behind an Application Load Balancer (ALB). The communication from the vending ma
A. Configure the ALB in a private subnet of the VPC
B. Configure the ALB in a private subnet of the VPC
C. Configure the ALB in a public subnet of the VPC. Attach an internet gateway
D. Configure the ALB in a private subnet of the VPC
View answer
Correct Answer: A
