
Amazon ANS-C00 Practice Test - Questions Answers, Page 14

Your Amazon Kinesis application receives data streams from thousands of devices. The data is then stored in an on-premises Hadoop cluster. You are concerned about historical data that shows periods of sustained traffic between 1 Gbps and 2 Gbps during peaks. You must ensure that you have secure, fault-tolerant connectivity between Amazon Kinesis and your data center. What should you implement to address these needs?

A. Deploy a single 1-Gbps Direct Connect connection with a VPN backup.
B. Deploy three 1-Gbps Direct Connect connections.
C. Deploy two 1-Gbps Direct Connect connections.
D. Set up an IPsec VPN connection over Direct Connect with two tunnels.

Suggested answer: B

Explanation:

Three connections are required to provide fault tolerance. All of the other options would be unable to handle the peak loads over 1 Gbps without exceeding the available bandwidth.

You ping an Amazon Elastic Compute Cloud (EC2) instance from an on-premises server. VPC Flow Logs record the following:

2 123456789010 eni-1235b8ca 10.123.234.78 172.11.22.33 0 0 1 8 672 1432917027 1432917142 ACCEPT OK

2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917027 1432917082 ACCEPT OK

2 123456789010 eni-1235b8ca 172.11.22.33 10.123.234.78 0 0 1 4 336 1432917094 1432917142 REJECT OK

Why are ICMP responses not received by the on-premises system?

A. The inbound network access control list is blocking the traffic.
B. The outbound network access control list is blocking the traffic.
C. The inbound security group is blocking the traffic.
D. The outbound security group is blocking the traffic.

Suggested answer: B

Explanation:

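The flow log shows an ACCEPT record for the originating ping, which was allowed by both the network ACL and the security group and therefore reached your instance, and a REJECT record for the response ping, which the network ACL denied. Network ACLs are stateless, so the response is evaluated against the outbound rules separately from the request.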

If your network ACL permits outbound ICMP traffic, the flow log displays two ACCEPT records (one for the originating ping and one for the response ping). If your security group denies inbound ICMP traffic, the flow log displays a single REJECT record, because the traffic was not permitted to reach your instance. Reference: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html

Which port range must be allowed through a NACL to ensure all return traffic is successful?

A. 1024 - 65,535
B. 22
C. 65,000 - 65,535
D. 80 - 443

Suggested answer: A

Explanation:

1024 - 65,535 is the full "ephemeral port" range.

A media company that is based in Los Angeles, California, closed all of its on-premises data centers due to rising costs and inconsistent utilization. The company has deployed its video editing applications on Amazon EC2 instances in the AWS Cloud. The company has deployed to the us-west-1 Region and uses the internet for delivery of the applications.

Users are reporting high latency from Los Angeles to us-west-1. The company needs to reduce the latency to the EC2 instances while continuing to use the internet for delivery. Which solution meets these requirements?

A. Order and deploy an AWS Direct Connect private VIF to us-west-1.
B. Enable a Los Angeles-based AWS Local Zone. Continue to run the EC2 instances in us-west-1.
C. Order and deploy an AWS Direct Connect public VIF to us-west-2.
D. Enable a Los Angeles-based AWS Local Zone. Redeploy the EC2 instances in the Local Zone.

Suggested answer: A

Explanation:

There is one private VIF from AWS Direct Connect location 2 to the Direct Connect gateway. Reference: https://docs.aws.amazon.com/directconnect/latest/UserGuide/dc-ug.pdf

You have several Amazon Glacier vaults you would like to monitor. How might you monitor those vaults?

A. Create a custom AWS Config rule.
B. Use an AWS master Config rule.
C. Use an AWS managed Config rule.
D. Create a KMS policy and attach it to your Amazon Glacier vault.

Suggested answer: A

Explanation:

AWS Config does not currently record Amazon Glacier resources; you must create a custom rule if you wish to monitor such a resource.

Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_nodejs.html#creating-custom-rules-for-additional-resource-types

Refer to the image.

You have three VPCs: A, B, and C. VPCs A and C are both peered with VPC B. The IP address ranges are as follows:

VPC A: 10.0.0.0/16
VPC B: 192.168.0.0/16
VPC C: 10.0.0.0/16

Instance i-1 in VPC A has the IP address 10.0.0.10. Instance i-2 in VPC C has the IP address 10.0.0.10. Instances i-3 and i-4 in VPC B have the IP addresses 192.168.1.10 and 192.168.1.20, respectively. i-3 and i-4 are in the subnet 192.168.1.0/24.

i-3 must be able to communicate with i-1.
i-4 must be able to communicate with i-2.
i-3 and i-4 are able to communicate with i-1, but not with i-2.

Which two steps will fix this problem? (Choose two.)

A. Create subnets 192.168.1.0/28 and 192.168.1.16/28. Move i-3 and i-4 to these subnets, respectively.
B. Create subnets 192.168.1.0/27 and 192.168.1.16/27. Move i-3 and i-4 to these subnets, respectively.
C. Change the IP address of i-2 to 10.0.0.100. Assign it an elastic IP address.
D. Create a new route table for VPC B, with unique route entries for destination VPC A and destination VPC C.
E. Create two route tables: one with a route for destination VPC A, and another for destination VPC C.

Suggested answer: A, E

For _______ distributions, CloudFront does not cache cookies in edge caches.

A. AMI
B. Web
C. RTMP
D. Web and RTMP

Suggested answer: C

Explanation:

For RTMP distributions, when Amazon CloudFront requests an object from the origin server, it removes any cookies before forwarding the request to your origin. If your origin returns any cookies along with the object, CloudFront removes them before returning the object to the viewer.

For RTMP distributions, CloudFront does not cache cookies in edge caches.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Cookies.html

An organization will be expanding its current network design. When fully built out, there will be 99 VPCs spread across 11 AWS accounts (9 VPCs per account). There is currently an AWS Direct Connect connection into one account with 9 VPCs, each with a virtual network interface (VIF) per VPC.

Which of the following designs will minimize cost while allowing the organization to expand?

A. Order 10 new Direct Connect connections, one from each of the accounts that will be provisioned. Create private VIFs in each account. Attach one private VIF per VPC.
B. Create a public VIF on the Direct Connect connection. Leverage the public VIF to create a VPN connection to each VPC.
C. Create hosted private VIFs in the existing account. Connect a private VIF to an AWS Direct Connect gateway in each account. Connect the gateway in each account to the VPCs.
D. Create a transit VPC in the existing account that consists of two routers in separate Availability Zones. Connect each VPC to the two routers in the transit VPC by using VPN.

Suggested answer: D

In Amazon CloudFront, while creating a web distribution, which of the following can be used as origin servers?

A. Any combination of AWS Glacier archives and Oracle server
B. Any combination of Amazon DB instances and XML servers
C. Any combination of Amazon S3 buckets and HTTP servers
D. Any combination of Amazon Data Insights and PHP servers

Suggested answer: C

Explanation:

In Amazon CloudFront, while creating a web distribution, you can create one or more Amazon S3 buckets or configure HTTP servers as your origin servers. An origin is the location where you store the original version of your web content. When CloudFront gets a request for your files, it goes to the origin to get the files that it distributes at edge locations. You can use any combination of Amazon S3 buckets and HTTP servers as your origin servers.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-creating.html

You run a well-architected, multi-AZ application in the eu-central-1 (Frankfurt) AWS region. The application is hosted in a VPC and is only accessed from the corporate network. To support large volumes of data transfer and administration of the application, you use a single 10-Gbps AWS Direct Connect connection with multiple private virtual interfaces. As part of a review, you decide to improve the resilience of your connection to AWS and make sure that any additional connectivity does not share the same Direct Connect routers at AWS. You need to provide the best levels of resilience to meet the application's needs.

Which two options should you consider? (Choose two.)

A. Install a second 10-Gbps Direct Connect connection to the same Direct Connection location.
B. Deploy an IPsec VPN over a public virtual interface on a new 10-Gbps Direct Connect connection.
C. Install a second 10-Gbps Direct Connect connection to a Direct Connect location in eu-west-1.
D. Deploy an IPsec VPN over the Internet to the eu-west-1 region for diversity.
E. Install a second 10-Gbps Direct Connect connection to a second Direct Connect location for eu-central-1.

Suggested answer: B, C
Total 414 questions