An application runs on a fleet of Amazon EC2 instances in a VPC. All instances can reach one another using private IP addresses. The application owner has a new requirement that the domain name received via DHCP should be different for a particular set of instances that are currently in one particular subnet.What changes should be made to meet this requirement while continuing to support the existing application requirements?

Create a new DHCP option set with the different domain name, associate it with the specified subnet, and re-launch the Amazon EC2 instances.

Modify the existing DHCP option set and specify the different domain name for the specified subnet.

Create a new DHCP option set with the different domain name, associate it with the specified subnet, and re-launch the Amazon EC2 instances.

Create a new subnet, configure the DHCP option set with the different domain name, and re-launch the required instances there.

Create a new peered VPC, configure the DHCP option set with the different domain name, and re-launch the required instances there.

Your company has signed up to trial AWS WorkSpaces. You aren't sure you're going to keep it, but you want to try it out to see if it works for your organization of 112 users. You need to deploy it with as little work and up-front expense as possible while still allowing access to your Active Directory for authentication. What two things should you do? (Choose two.)

Create a Direct Connect connection to AWS.

Which two statements about placement groups are correct? (Choose two.)

A placement group can span multiple VPCs.

You cannot merge placement groups.

A placement group can span multiple VPCs.

A placement group can span multiple Availability Zones.

You cannot merge placement groups.

It is best to use the same instance types in a placement group.

How many BGP advertised routes can you have per route table?

As many as you want as long as you contact AWS first.

When configuring Active/Passive HA on VPN tunnels, choose the two best ways to configure this. (Choose two.)

Configure AS_PATH prepending on one of the paths.

Turn off one of the paths until you need it.

Configure MED on one of the tunnels.

Your company is building a new data center. You currently have an on-premises data center that accesses your single VPC via VPN. You need to provide access to your single VPC to your new data center. Since your new data center build is already over budget, you need to keep costs low. How should you accomplish this?

Create a new Customer Gateway and add it to your VPN using a CloudHub infrastructure model.

Add a Private VIF and create a Direct Connect connection.

Create a new Customer Gateway and add it to your VPN using a CloudHub infrastructure model.

Add a Public VIF and create a Direct Connect connection.

Create a new Virtual Gateway and add it to your VPN using a CloudHub infrastructure model.

You are deploying an EC2 instance in a private subnet that requires access to the Internet. One of the requirements for this solution is to restrict access to only particular URLs on a whitelist. In addition to the whitelisted URLs, the instances should be able to access any Amazon S3 bucket in the same region via any URL. Which of the following solutions should you deploy? (Choose two.)

Run Squid proxy on a NAT instance.

Deploy a NAT gateway into your VPC.

Include s3.amazonaws.com in the whitelist.

Run Squid proxy on a NAT instance.

Deploy a NAT gateway into your VPC.

Utilize a security group to restrict access.

Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses. Which step should you take to fix this problem?

Leverage your current configuration management system to update SSL policy on all web servers.

Generate new SSL certificates for all web servers and replace current certificates.

Change the security policy on the ELB to disable vulnerable protocols and ciphers.

Generate new SSL certificates and use ELB to front-end the encrypted traffic for all web servers.

Leverage your current configuration management system to update SSL policy on all web servers.

You are configuring a CloudFront distribution, and when you try to attach an SSL, you do not see your SSL listed. What is the most likely reason for this?

You requested an SSL for the wrong region.

You must configure an https record in Route 53 first.

Sometimes, it won't show, and you need to retrieve the ARN for the SSL and enter it manually.

You requested an SSL for the wrong region.

You didn't wait 48 hours after approving the SSL.

An organization's Security team has a requirement that all data leaving its on-premises data center be encrypted at the network layer and use dedicated connectivity. There is also a requirement to centrally log all traffic flow in Amazon VPC environments. An AWS Direct Connect connection has been ordered to build out this design.What steps should be taken to ensure that connectivity to AWS meets these security requirements? (Choose two.)

Provision a private virtual interface for each VPC connection.

Provision a VPN connection to each VPC over the internet.

Provision a public virtual interface on AWS Direct Connect and set up a VPN to each VPC.

Provision a private virtual interface for each VPC connection.

Enable VPC Flow Logs for each VPC.

Use AWS KMS to encrypt traffic between on-premises and AWS.

Provision a VPN connection to each VPC over the internet.

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?

You forgot to add a return route.

ICMP is not supported over peering connections.

You have to enable Source/Destination check in the VPCs.

You have to configure the peering connection to allow two way traffic.

In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.

http://d111111abcdef8.cloudfront.net/image.jpg

http://d111111abcdef8.cloudfront.net/images/image.jpg

http://d111111abcdef8.dns/images/image.jpg

http://d111111abcdef8.dns/image.jpg

http://d111111abcdef8.cloudfront.net/image.jpg

A multinational organization has applications deployed in three different AWS regions. These applications must securely communicate with each other by VPN. According to the organization's security team, the VPN must meet the following requirements:AES 128-bit encryptionSHA-1 hashingUser access via SSL VPNPFS using DH Group 2Ability to maintain/rotate keys and passwords Certificate-based authentication Which solution should you recommend so that the organization meets the requirements?

AWS hardware VPN between the virtual private gateways in each region

AWS hardware VPN between the virtual private gateway and customer gateway

A third-party VPN solution deployed from AWS Marketplace

A private MPLS solution from an international carrier

AWS hardware VPN between the virtual private gateways in each region

Your company just acquired a new company. You have two VPCs ?one is 172.31.0.0/16 and one is 10.111.0.0/16. The acquired company uses 10.111.0.0/16 for their VPC. Your VPC "A" has a group of 12 servers in the range 10.111.2.101 ?10.111.2.112. Their VPC "B" has 20 servers from 10.111.2.171 ?10.111.2.190. You need to access both VPCs from the 172.31.0.0/16 VPC "C". What is the best way to approach this problem?

From VPC C, create a peering connection and add a route to VPC A's peering connection for 10.111.2.96/27 and a route to VPC B's peering connection for 10.111.2.0/24.

From VPC C, create a peering connection and add a route to VPC A's peering connection for 10.111.2.96/28 and a route to VPC B's peering connection for 10.111.2.0/24.

From VPC C, create a peering connection and adjust the route tables to direct traffic to the individual servers by exact IP address of the servers.

Invest the money and change the CIDR of one of the VPCs since one VPC cannot be peered to two VPCs with the same CIDR block.

A financial services company that has on-premises infrastructure has acquired a startup company that has an API that is deployed in the AWS Cloud. As part of the acquisition, the financial services company has deployed an AWS Direct Connect private VIF to establish IP connectivity between the on-premises data center and the AWS environment.Initial IP connectivity testing and bidirectional DNS resolution testing are successful. However, when business users attempt to connect to the API. a network administrator discovers IP subnet overlap between the financial services company's existing network and the startup company's AWS deployment.A network architect receives the following diagram that summarizes the situation: What is the MOST operationally efficient solution to enable the connectivity?

Deploy a Network Load Balancer (NLB) across the subnets. Configure the API endpoints in a target group that is associated with the NLAdvertise the new subnetIP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the NLB.

Provision additional subnets with a non-overlapping IP range in the VP

Deploy NAT gateways. Configure the virtual private gateway's next hop to be the NAT gateway. Advertise the new subnet IP address ranges through Direct Connect.Configure the on-premises hosts to target the API endpoint through the API servers.

Provision additional subnets with a non-overlapping IP range in the VP

Deploy a Network Load Balancer (NLB) across the subnets. Configure the API endpoints in a target group that is associated with the NLAdvertise the new subnetIP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the NLB.

Provision additional subnets with a non-overlapping IP range in a new VPDeploy a Network Load Balancer (NLB) across the subnets. Configure the API endpoints as targets by IP address in a target group that is associated with the NLB.Peer the two VPCs together, and relocate the virtual private gateway into the new VPAdvertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the NLB.

Provision additional subnets with a non-overlapping IP range in the VPC. Deploy a Network Load Balancer (NLB) across the existing subnets. Configure the API endpoints in a target group that is associated with the NLB. Configure aVPC endpoint service that targets the newly created NLB, and deploy VPC endpoints into the new subnet. Advertise the new subnet IP address ranges through Direct Connect. Configure the on-premises hosts to target the API endpoint through the VPC endpoints.

A company runs its applications on Amazon EC2 instances. A network engineer must deny specific ports for all applications and must allow only approved ports for each application. All outbound traffic from the instances must be allowed. Which solution will meet these requirements?

Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports inbound and denies all portsoutbound. Associate the network ACL with the appropriate subnets.

Create a network ACL for each application to allow the application's approved ports. Associate the network ACL with the appropriate instances. Create a security group that denies the required specific ports. Associate the security groupwith the appropriate subnets.

Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports. Associate the network ACLwith the appropriate subnets.

Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create a network ACL that denies the required specific ports inbound and denies all portsoutbound. Associate the network ACL with the appropriate subnets.

Create a security group for each application to allow the application's approved ports. Associate the security group with the appropriate instances. Create an additional security group that denies the required specific ports. Associate theadditional security group with the appropriate instances.

Your AWS WorkSpaces users are unable to authenticate. What could be one reason for this?

Port 389 is not open to your AD server.

Your AD server is running Windows Server 2016

Port 3389 is not open to your AD server.

Port 389 is not open to your AD server.

Your AD server is running Windows Server 2012 Core Edition.

Your organization requires strict adherence to a change control process for its Amazon Elastic Compute Cloud (EC2) and VPC environments. The organization uses AWS CloudFormation as the AWS service to control and implement changes.Which combination of three services provides an alert for changes made outside of AWS CloudFormation? (Choose three.)

AWS Simple Notification Service

AWS Identify and Access Management

A bank built a new version of its banking application in AWS using containers that connect to an on-premises database over a VPN connection. This application version requires users to also update their client application. The bank plans to deprecate the earlier client version. However, the company wants to keep supporting earlier clients through their onpremises version of the application to serve a small portion of the customers who haven't yet upgraded. What design will allow the company to serve both newer and earlier clients in the MOST efficient way?

Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients tothe on-premises application.

Use an Amazon Route 53 multivalue answer routing policy to route older client traffic to the on-premises application version and the rest of the traffic to the new AWS based version.

Use a Classic Load Balancer for the new application. Route all traffic to the new application by using an Elastic Load Balancing (ELB) load balancer DNS. Define a user-agent-based rule on the backend servers to redirect earlier clients tothe on-premises application.

Use an Application Load Balancer for the new application. Register both the new and earlier applications as separate target groups and use path-based routing to route traffic based on the application version.

Use an Application Load Balancer for the new application. Register both the new and earlier application backends as separate target groups. Use host header-based routing to route traffic based on the application version.

You have two Direct Connect connections and two VPN connections to your network. Site A is VPN 10.1.0.0/24 AS 65000 65000, Site B is VPN 10.1.0.252/30 AS 65000, Site C is DX 10.0.0.0/8 AS 65000 and Site D is DX 10.0.0.0/16 AS 65000 65000 65000. Which site will AWS choose to reach your network?

Site B: VPN 10.0.1.252/30 AS 65000 65000 65000

Site A: VPN 10.0.1.0/24 AS 65000 65000

Site B: VPN 10.0.1.252/30 AS 65000 65000 65000

Fill in the blanks: One of the basic characteristics of security groups for your VPC is that you ______ .

can specify allow rules, but not deny rules

can specify deny rules, but not allow rules

can specify allow rules as well as deny rules

can neither specify allow rules nor deny rules

You are configuring a VPN to AWS for your company. You have configured the VGW and CGW. You have created the VPN.You have also run the necessary commands on your router. You allowed all TCP and UDP traffic between your datacenter and your VPC. The tunnel still doesn't come up. What is the most likely reason?

You haven't added protocol 50 to your firewall.

You forgot to turn on route propagation in the route table.

Your advertised subnet is too large.

You haven't added protocol 50 to your firewall.

An organization with a growing ecommerce presence uses the AWS CloudHSM to offload the SSL/TLS processing of its web server fleet. The company leverages Amazon EC2 Auto Scaling for web servers to handle the growth. What architectural approach is optimal to scale the encryption operation?

Use multiple CloudHSM instances, and load balance them using a Network Load Balancer.

Use multiple CloudHSM instances to the cluster; request to it will automatically load balance.

Enable Auto Scaling on the CloudHSM instance, with similar configuration to the web tier Auto Scaling group.

Use multiple CloudHSM instances, and load balance them using an Application Load Balancer.

A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH?

Allow Inbound traffic on port 22 from the user's network

The user can connect to a instance in a private subnet using the NAT instance

The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP

Allow Inbound traffic on port 22 from the user's network

Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the internet

Which statement about placement groups is incorrect?

If you stop an instance and restart it, it will always return to the same placement group.

A placement group is a logical grouping of instances in a single AZ.

If you stop an instance and restart it, it will always return to the same placement group.

To help ensure capacity in a placement group, deploy all instances at once.

There is no charge for creating a placement group.

A Network Engineer is provisioning a subnet for a load balancer that will sit in front of a fleet of application servers in a private subnet. There is limited IP space left in the VPC CIDR. The application has few users now but is expected to grow quickly to millions of users.What design will use the LEAST amount of IP space, while allowing for this growth?

Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.

Use two /29 subnets for an Application Load Balancer in different Availability Zones.

Use one /29 subnet for the Network Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.

Use two /28 subnets for a Network Load Balancer in different Availability Zones.

Use one /28 subnet for an Application Load Balancer. Add another VPC CIDR to the VPC to allow for future growth.

In Amazon CloudFront, if you need to quickly remove objects from a distribution, you can:

delete your distribution and recreate it.

A company has a hybrid architecture with dual AWS Direct Connect connections and applications running in the AWS Cloud and on premises. The company uses its on-premises DNS servers to provide name resolution for is internal domain company.com. The company uses an Amazon Route 53 private hosted zone, aws.company.com, for resolution of AWS resource records.A new application that runs on Amazon EC2 in the company's VPC needs to resolve records in the company.com domain and on other AWS resources. What should the company do to meet these requirements?

Create Route 53 Resolver outbound endpoints in each subnet in the VPConfigure conditional forwarding rules on the onpremises DNS servers to forward queries for the domain aws.company.com to the Route 53 Resolver endpoints.Modify the DHCP options set to configure instances to resolve hostnames using the on-premises DNS servers.

Create a new DHCP options set. Configure the DHCP options set name servers to be the on-premises DNS servers, and configure the domain name to be company.com. Assign the DHCP options set to the VPC with the EC2 instances.

Create Route 53 Resolver outbound endpoints in each subnet in the VP

Configure a Route 53 forwarding rule with a rule type of Forward for company.com that points to the on-premises DNS servers. Configure a Route 53 forwarding rule with a rule type of System for aws.company.com.

Create Route 53 Resolver outbound endpoints in each subnet in the VPConfigure conditional forwarding rules on the onpremises DNS servers to forward queries for the domain aws.company.com to the Route 53 Resolver endpoints.Modify the DHCP options set to configure instances to resolve hostnames using the on-premises DNS servers.

Create a private hosted zone for company.com within the AWS account. Create Route 53 Resolver inbound endpoints in each subnet in the VPC. Configure the on-premises DNS servers to send outbound zone transfers forcompany.com to the Route 53 Resolver endpoints.

Which of the following statements does not describe Jumbo Frames in an AWS VPC environment?

T2.micro instances do not support Jumbo Frames

For instances that are collocated inside a placement group, jumbo frames help to achieve the maximum network throughput possible

Jumbo Frames are not supported for traffic that exits the Virtual Private Gateway

Jumbo Frames are not supported for traffic that exits the Internet Gateway

T2.micro instances do not support Jumbo Frames

A computing team is evaluating whether to place a high performance computing (HPC) application in AWS. The team is concerned about application performance and wants to know what options are available to increase networking performance.Which of the following changes would increase performance for this application? (Choose two.)

Increase the MTU of the VPC to 9001.

Enable enhanced networking on the instances.

Place the application across many smaller instances to achieve higher total throughput.

Increase the MTU of the VPC to 9001.

Enable an MTU of 9001 in the application's operating system.

Enable enhanced networking on the instances.

Deploy the application in two Availability Zones and insert them in one placement group.

Your company has placement groups in two different availability zones. There is a large project coming up and, although resilience is important, cost and speed are the most important factors. The servers in each placement group need to be able to achieve the highest speed possible. How can this be achieved?

Create AMIs from all of the instances, terminate them, and deploy them all into one placement group.

In the CLI, run the command "aws ec2 set-placement-group 1 " for all of the instances.

Duplicate the VPC, peer the new VPC, create AMIs of the instances, terminate them, and redeploy them in two separate placement groups between the two VPCs.

Peer the two placement groups using AWS PG Peering.

Amazon ANS-C00 Practice Test 1 - Free Online Exam Prep & Questions

Question 1 / 40

You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?

There is no rule in your bucket policy allowing public access.

You have applied your SSL to your Elastic Loadbalancer but not your CDN.

Your S3 Bucket permissions are incorrect.

You are using an SSL from an external CA.

Comment (1)

Amazon ANS-C00 Practice Test 1

Question

Amazon ANS-C00 Practice Tests

Practice Tests