ExamGecko
Login
Home / Amazon / ANS-C00 / List of questions
Ask Question

Amazon ANS-C00 Practice Test - Questions Answers, Page 22

List of questions

Question 211

Report
Export
Collapse

You work for an international corporation that uses AWS. Due to regulations, you are now required to route the US and China to two different websites. You set up the records and now no other countries can access your site. Why is this?

You forgot to set a default geolocation record.
You forgot to set a default geolocation record.
You probably broke your DNS.
You probably broke your DNS.
You must have a geolocation in place for every country.
You must have a geolocation in place for every country.
Geolocation features are only available in CloudFront.
Geolocation features are only available in CloudFront.
Suggested answer: A

Explanation:

Explanation:

A default record is required for traffic that does not match a geolocation criteria to follow.

asked 16/09/2024
Alfredo Alfaro
47 questions

Question 212

Report
Export
Collapse

A network engineer must provide additional safeguards to protect encrypted data at Application Load Balancers (ALBs) through the use of a unique random session key. What should the network engineer do to meet this requirement?

Change the ALB security policy to a policy that supports TLS 1.2 protocol only.
Change the ALB security policy to a policy that supports TLS 1.2 protocol only.
Use AWS Key Management Service (AWS KMS) to encrypt session keys.
Use AWS Key Management Service (AWS KMS) to encrypt session keys.
Associate an AWS WAF web ACL with the ALBs, and create a security rule to enforce forward secrecy (FS).
Associate an AWS WAF web ACL with the ALBs, and create a security rule to enforce forward secrecy (FS).
Change the ALB security policy to a policy that supports forward secrecy (FS).
Change the ALB security policy to a policy that supports forward secrecy (FS).
Suggested answer: D

Explanation:

Explanation:

Reference: https://aws.amazon.com/about-aws/whats-new/2014/02/19/elastic-load-balancing-perfect-forward-secrecy-andmore-new-security-features/

asked 16/09/2024
Cintron, Rigoberto
37 questions

Question 213

Report
Export
Collapse

A company uses an AWS Site-to-Site VPN to connect its corporate network. The company recently added an AWS Direct Connect connection. A network engineer wants all traffic to use the Direct Connect connection, and for the VPN to be used as backup. However, after the Direct Connect connection was added, traffic continued to pass through the VPN connection. What should the network engineer do to route the traffic through the Direct Connect connection?

Add routes to the VPC route tables that specify the Direct Connect connection.
Add routes to the VPC route tables that specify the Direct Connect connection.
Set local preference BGP community tags on the on-premises router.
Set local preference BGP community tags on the on-premises router.
Advertise the same network routes over the Direct Connect connection and VPN connection.
Advertise the same network routes over the Direct Connect connection and VPN connection.
Ensure the Direct Connect connection AS_PATH is longer than the VPN connection AS_PATH.
Ensure the Direct Connect connection AS_PATH is longer than the VPN connection AS_PATH.
Suggested answer: C

Explanation:

Explanation:

If you are advertising the same routes toward the AWS VPC, the Direct Connect path is always being preferred, regardless of AS path prepending. Reference: https://aws.amazon.com/premiumsupport/knowledge-center/configure-vpn-backup-dx/

asked 16/09/2024
Franjo Tomurad
27 questions

Question 214

Report
Export
Collapse

A company recently migrated its Amazon EC2 instances to VPC private subnets to satisfy a security compliance requirement. The EC2 instances now use a NAT gateway for internet access. After the migration, some long-running database queries from private EC2 instances to a publicly accessible third-party database no longer receive responses. The database query logs reveal that the queries successfully completed after 7 minutes but that the client EC2 instances never received the response.

Which configuration change should a network engineer implement to resolve this issue?

Configure the NAT gateway timeout to allow connections for up to 600 seconds
Configure the NAT gateway timeout to allow connections for up to 600 seconds
Enable enhanced networking on the client EC2 instances
Enable enhanced networking on the client EC2 instances
Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds
Enable TCP keepalive on the client EC2 instances with a value of less than 300 seconds
Close idle TCP connections though the NAT gateway
Close idle TCP connections though the NAT gateway
Suggested answer: C
asked 16/09/2024
Meghan Crofford
39 questions

Question 215

Report
Export
Collapse

An insurance company is planning the migration of workloads from its on-premises data center to the AWS Cloud. The company requires end-to-end domain name resolution. Bi-directional DNS resolution between AWS and the existing onpremises environments must be established. The workloads will be migrated into multiple VPCs. The workloads also have dependencies on each other, and not all the workloads will be migrated at the same time. Which solution meets these requirements?

Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VP
Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VP
Define Route 53 Resolver rules to forwardrequests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager.Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
Define Route 53 Resolver rules to forwardrequests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager.Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
Configure a public hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VP
Configure a public hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VP
Define Route 53 Resolver rules to forwardrequests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager.Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
Define Route 53 Resolver rules to forwardrequests for the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager.Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPDefine Route 53 Resolver rules to forward requestsfor the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager.Configure the on-premises DNS servers to forward the cloud domains to the Route 53 outbound endpoints.
Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPDefine Route 53 Resolver rules to forward requestsfor the on-premises domains to the on-premises DNS resolver. Associate the application VPC private hosted zones with the egress VPC, and share the Route 53 Resolver rules with the application accounts by using AWS Resource Access Manager.Configure the on-premises DNS servers to forward the cloud domains to the Route 53 outbound endpoints.
Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forwardrequests for the on-premises domains to the on-premises DNS resolver. Associate the Route 53 outbound rules with the application VPCs, and share the private hosted zones with the application accounts by using AWS Resource Access Manager.Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
Configure a private hosted zone for each application VPC, and create the requisite records. Create a set of Amazon Route 53 Resolver inbound and outbound endpoints in an egress VPC. Define Route 53 Resolver rules to forwardrequests for the on-premises domains to the on-premises DNS resolver. Associate the Route 53 outbound rules with the application VPCs, and share the private hosted zones with the application accounts by using AWS Resource Access Manager.Configure the on-premises DNS servers to forward the cloud domains to the Route 53 inbound endpoints.
Suggested answer: B

Explanation:

Explanation:

Reference: https://d1.awsstatic.com/whitepapers/hybrid-cloud-dns-options-for-vpc.pdf

asked 16/09/2024
Aleksandar Jovasevic
45 questions

Question 216

Report
Export
Collapse

A customer is using ABC Telecom as a network provider. The customer has 10 different offices connected to ABC Telecom's MPLS backbone. The customer is setting up an AWS Direct Connect connection to AWS and has provided the LOA-CFA to ABC Telecom. ABC Telecom has terminated the Direct Connect circuit into their MPLS backbone. To uniquely identify the customer's traffic over the MPLS backbone, the customer must encapsulate all traffic with VLAN tag 100. The customer wants to send traffic to multiple VPCs.

Which two steps should be taken to meet the customer's requirement? (Choose two.)

The customer performs Q-in-Q tunneling, with the AWS-required VLAN tag in the inside and VLAN 100 as the outside tag.
The customer performs Q-in-Q tunneling, with the AWS-required VLAN tag in the inside and VLAN 100 as the outside tag.
Create a support ticket with AWS to request the removal of the outer VLAN tag 100 as the traffic reaches AWS routers.
Create a support ticket with AWS to request the removal of the outer VLAN tag 100 as the traffic reaches AWS routers.
Send the traffic for all VPCs with the same VLAN tag 100 and use BGP to ensure that proper routing takes place to the appropriate VPC.
Send the traffic for all VPCs with the same VLAN tag 100 and use BGP to ensure that proper routing takes place to the appropriate VPC.
ABC Telecom removes the outer tag before sending the packet to AWS.
ABC Telecom removes the outer tag before sending the packet to AWS.
ABC Telecom creates a support ticket with AWS to exchange MPLS labels and include the AWS port as part of their MPLS network.
ABC Telecom creates a support ticket with AWS to exchange MPLS labels and include the AWS port as part of their MPLS network.
Suggested answer: C, E
asked 16/09/2024
David Miller
32 questions

Question 217

Report
Export
Collapse

A company has an application running on Amazon EC2 instances in a private subnet that connects to a third-party service provider's public HTTP endpoint through a NAT gateway. As request rates increase, new connections are starting to fail. At the same time, the ErrorPortAllocation Amazon CloudWatch metric count for the NAT gateway is increasing. Which of the following actions should improve the connectivity issues? (Choose two.)

Allocate additional Elastic IP addresses to the NAT gateway.
Allocate additional Elastic IP addresses to the NAT gateway.
Request that the third-party service provider implement HTTP keepalive.
Request that the third-party service provider implement HTTP keepalive.
Implement TCP keepalive on the client instances.
Implement TCP keepalive on the client instances.
Create additional NAT gateways and update the private subnet route table to introduce the new NAT gateways.
Create additional NAT gateways and update the private subnet route table to introduce the new NAT gateways.
Create additional NAT gateways in the public subnet and split client instances into multiple private subnets, each with a route to a different NAT gateway.
Create additional NAT gateways in the public subnet and split client instances into multiple private subnets, each with a route to a different NAT gateway.
Suggested answer: C, D

Explanation:

Explanation:

Reference: https://aws.amazon.com/premiumsupport/knowledge-center/vpc-resolve-port-allocation-errors/

asked 16/09/2024
Levente Mikofalvi
29 questions

Question 218

Report
Export
Collapse

You have two VPCs that require DNS resolution from your on-premises data center. You want to have a DNS server in the cloud, but you don't want to have multiple DNS servers. What two steps should you take? (Choose two.)

Peer the VPCs and set up routes between them.
Peer the VPCs and set up routes between them.
Create a VPN between the two VPCs
Create a VPN between the two VPCs
Configure DHCP option sets in both VPCs to point to the DNS server.
Configure DHCP option sets in both VPCs to point to the DNS server.
Configure a Route 53 record to forward all DNS requests to the DNS server.
Configure a Route 53 record to forward all DNS requests to the DNS server.
Suggested answer: A, C

Explanation:

Explanation:

Peer the VPCs and configure DHCP option sets. A VPN is not necessary. You cannot create a Route 53 record to forward DNS requests.

asked 16/09/2024
Giulia Alberghi
43 questions

Question 219

Report
Export
Collapse

What are two reasons to have multiple IP addresses or interfaces on one server? (Choose two.)

You can host multiple SSLs
You can host multiple SSLs
Create management networks
Create management networks
Direct Connect connections
Direct Connect connections
Teaming multiple NICs for more throughput
Teaming multiple NICs for more throughput
Suggested answer: A, B

Explanation:

Explanation:

You cannot bind multiple interfaces for faster speeds on AWS

asked 16/09/2024
James Williams
34 questions

Question 220

Report
Export
Collapse

A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of the below mentioned statements helps the user understand detailed monitoring better?

SNS cannot provide data every minute
SNS cannot provide data every minute
There is no need to enable since SNS provides data every minute
There is no need to enable since SNS provides data every minute
SNS will send data every minute after configuration
SNS will send data every minute after configuration
AWS CloudWatch does not support monitoring for SNS
AWS CloudWatch does not support monitoring for SNS
Suggested answer: A

Explanation:

Explanation:

CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. The AWS SNS service sends data every 5 minutes. Thus, it supports only the basic monitoring. The user cannot enable detailed monitoring with SNS.

Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/supported_services.html

asked 16/09/2024
Musaddiq Shorunke
44 questions
Total 414 questions
Go to page: of 42
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?
In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.
Which of these modes is not a configuration mode for a WAF?
Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses. Which step should you take to fix this problem?
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active. What two configuration changes should you implement? (Choose two.)
You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?
Which service would you use to see who changed your infrastructure?
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in uswest-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?
An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF. What additional configuration is required to enable the applications in VPCs to communicate with each other and access onpremises resources?
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location. Which solution will meet this requirement, while minimizing downtime and costs?