
Amazon ANS-C00 Practice Test - Questions Answers, Page 35

What are two reasons that could cause an HTTP health check to fail? (Choose two.)

A. Security group blocking port 80 to the instance
B. HTTP server not running
C. No Internet Gateway
D. NACL blocking port 443 to the instance

Suggested answer: A, B

Explanation:

A load balancer does not perform health checks through the internet gateway, so an internet gateway is not necessary, and port 443 is HTTPS, not HTTP.

A department in your company has created a new account that is not part of the organization's consolidated billing family.

The department has also created a VPC for its workload. Access is restricted by network access control lists to the department's on-premises private IP allocation. An AWS Direct Connect private virtual interface for this VPC advertises a default route to the company network. When the department downloads data from an Amazon EC2 instance in its new VPC, what are the associated charges?

A. The company pays Internet Data Out charges.
B. The company pays AWS Direct Connect Data Out charges.
C. The department pays Internet Data Out charges.
D. The department pays AWS Direct Connect Data Out charges.

Suggested answer: D

All IP addresses within a 10.0.0.0/16 VPC are fully utilized with application servers across two Availability Zones. The application servers need to send frequent UDP probes to a single central authentication server on the Internet to confirm that it is running up-to-date packages. The network is designed for application servers to use a single NAT gateway for internal access. Testing reveals that a few of the servers are unable to communicate with the authentication server. What is the reason for this failure?

A. The NAT gateway does not support UDP traffic.
B. The authentication server is not accepting traffic.
C. The NAT gateway cannot allocate more ports.
D. The NAT gateway is launched in a private subnet.

Suggested answer: C

You are deploying a web application in a VPC that requires SSL mutual authentication with a client-side, smartcard-stored certificate. The ELB Classic Load Balancer listener must support mutual authentication between the client and the application.

Which load balancer protocol should you select for this application?

A. HTTP
B. HTTPS
C. SSL
D. TCP

Suggested answer: D

Explanation:

An ELB Classic Load Balancer cannot validate a client-side certificate, so the connection must be passed through as standard TCP on port 443 to let the EC2 instance handle the validation.

A customer has set up multiple VPCs for Dev, Test, Prod, and Management. You need to set up AWS Direct Connect to enable data flow from on-premises to each VPC. The customer has monitoring software running in the Management VPC that collects metrics from the instances in all the other VPCs. Due to budget requirements, data transfer charges should be kept to a minimum. Which design should be recommended?

A. Create a total of four private VIFs, one for each VPC owned by the customer, and route traffic between VPCs using the Direct Connect link.
B. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs.
C. Create a private VIF to the Management VPC, and peer this VPC to all other VPCs; enable source/destination NAT in the Management VPC.
D. Create a total of four private VIFs, and enable VPC peering between all VPCs.

Suggested answer: A

A user has data that is generated randomly based on a certain event. The user wants to upload that data to CloudWatch. Because of this randomness, the event may generate no data for some periods. Which of the options below is recommended in this case?

A. For the period when there is no data, the user should not send the data at all
B. The user must upload the data to CloudWatch as having no data for some period will cause an error at CloudWatch monitoring
C. For the period when there is no data the user should send the value as 0
D. For the period when there is no data the user should send a blank value

Suggested answer: C

Explanation:

AWS CloudWatch supports custom metrics. The user can always capture the custom data and upload it to CloudWatch using the CLI or APIs. When the user data is more random and not generated at regular intervals, there can be a period which has no associated data. The user can either publish the zero (0) value for that period or not publish the data at all. It is recommended that the user publish zero instead of no value to monitor the health of the application. This is helpful in an alarm as well as in the generation of the sample data count.

Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/publishingMetrics.html

Due to security requirements, all traffic must be encrypted between your VPC and your on-premises data center. You also want to maintain reliability. What two options will allow you to achieve this? (Choose two.)

A. A Direct Connect connection with a Private VIF
B. A VPN connection
C. A Direct Connect connection with a Hosted VIF
D. A Direct Connect connection with a Public VIF

Suggested answer: B, D

Explanation:

To run VPN over DX, you need to have a public VIF to access the VPN endpoints.

You are working with a government agency, and you need to choose an encryption standard for their VPN. Which standard should you choose?

A. Twofish
B. Blowfish
C. TripleDES
D. AES

Suggested answer: D

Explanation:

AES is the US Government standard.

In your current role as the corporate network architect, you have decided to replace your existing hardware firewall appliances with a pair of Juniper SRX-Series Services Gateways. You have chosen these because AWS lists them as supportable devices for establishing IPsec connections. With this in mind, select the minimum set of options to ensure that you can establish IPsec connectivity between your on-premises private corporate network and your AWS-hosted VPC.

Select which option is NOT required.

A. Initiate network connections from somewhere within your corporate network, this is required to bring the tunnels UP
B. Deploy a Customer Gateway within your corporate network
C. Deploy a Customer Gateway within your VPC
D. Deploy a Virtual Private Gateway within your VPC

Suggested answer: B

Explanation:

A customer gateway within the corporate network is NOT required. The Customer Gateway (CGW) is a component that you deploy within your VPC that logically represents your VPN physical hardware's perimeter public IP, therefore Answer C is required. A Virtual Private Gateway (VPG) is the AWS VPN concentrator endpoint and is always a requirement that needs to be deployed in your VPC, therefore Answer D is required.

AWS only supports IPsec in Tunnel mode, therefore Answer A is required.

Reference: https://aws.amazon.com/vpc/faqs/

When an AWS Config rule is triggered a JSON object known as an AWS Config Event is created. This object contains a(n) ____ attribute, which is a JSON-formatted set of key/value pairs the receiving AWS Lambda function processes as part of its evaluation logic.

A. inputParameters
B. invokingEvent
C. ruleConfiguration
D. mappingTemplate

Suggested answer: A

Explanation:

The JSON object for an AWS Config event contains a ruleParameters attribute, which is a set of key/value pairs that the AWS Lambda function receiving the event processes as part of its evaluation logic. You define parameters when you use the AWS Config console to create a custom rule. You can also define parameters with the InputParameters attribute in the PutConfigRule AWS Config API request or the put-config-rule AWS CLI command. The JSON code for the parameters is contained within a string, so a function must parse the string with a JSON parser to be able to evaluate its contents.

Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_develop-rules_example-events.html

Total 414 questions