Amazon ANS-C00 Practice Test - Questions Answers, Page 7


Your website utilizes EC2, S3, ELB-Classic, and CloudFront. Your manager has shifted focus to security and wants you to ensure the site is as secure as possible. What two items could you recommend?

(Choose two.)

A. An NACL that blocks all ports to your subnets.
B. A restricted bucket policy.
C. A WAF on the load balancer.
D. A WAF on your CloudFront distribution.

Suggested answer: B, D

Explanation:

Attach AWS WAF to the CloudFront distribution and restrict the bucket policy so that objects can be read only through CloudFront (via an origin access control or origin access identity), not directly from S3. AWS WAF cannot be attached to a Classic Load Balancer (it supports Application Load Balancers), and a network ACL that blocks all ports would also block the load balancer's own traffic to the subnets.
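As an added example (not part of the original question bank), the following Python audits a bucket policy for the "only CloudFront may read" property the explanation describes. It assumes the bucket is fronted by a CloudFront distribution using an origin access control, so each Allow statement should name the cloudfront.amazonaws.com service principal, grant only s3:GetObject, and pin AWS:SourceArn to a distribution ARN; the bucket name and distribution ID in the sample policies are constructed placeholders.

```python
"""Audit an S3 bucket policy for 'only CloudFront can read' (added example).

Assumption: the bucket sits behind a CloudFront distribution that uses an
origin access control, so every Allow statement is expected to name the
cloudfront.amazonaws.com service principal, grant only s3:GetObject, and pin
AWS:SourceArn to the distribution. Bucket name and distribution ARN below
are constructed for the example.
"""
import json
from typing import List

CLOUDFRONT_PRINCIPAL = "cloudfront.amazonaws.com"
READ_ONLY_ACTIONS = {"s3:GetObject"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_doc: str) -> List[str]:
    """Return one finding per way an Allow statement is wider than CloudFront-only read.

    An empty list means every Allow statement is restricted to a single
    CloudFront distribution reading objects."""
    policy = json.loads(policy_doc)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        label = stmt.get("Sid") or f"Statement[{i}]"
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        principal = stmt.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{label}: anonymous principal grants public access")
            continue
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if services != [CLOUDFRONT_PRINCIPAL]:
            findings.append(f"{label}: principal is not the CloudFront service: {principal}")
        extra = set(_as_list(stmt.get("Action"))) - READ_ONLY_ACTIONS
        if extra:
            findings.append(f"{label}: actions beyond object read: {sorted(extra)}")
        source_arns = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("AWS:SourceArn"))
        if not source_arns:
            findings.append(f"{label}: no AWS:SourceArn condition, any distribution could read")
        elif not all(":cloudfront::" in arn and ":distribution/" in arn for arn in source_arns):
            findings.append(f"{label}: AWS:SourceArn is not a CloudFront distribution ARN")
    return findings


# Constructed sample policies (bucket name and distribution ID are placeholders).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontRead",
        "Effect": "Allow",
        "Principal": {"Service": "cloudfront.amazonaws.com"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-site-bucket/*",
        "Condition": {"StringEquals": {
            "AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/EXAMPLEDIST"}},
    }],
})

PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-site-bucket/*"},
        {"Sid": "CloudFrontWide", "Effect": "Allow",
         "Principal": {"Service": "cloudfront.amazonaws.com"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-site-bucket/*"},
    ],
})

if __name__ == "__main__":
    for name, doc in (("restricted", RESTRICTED_POLICY), ("public", PUBLIC_POLICY)):
        print(name, audit_bucket_policy(doc) or "OK")
```

The second sample policy is flagged three times: the anonymous principal, the extra s3:PutObject, and the missing AWS:SourceArn condition that would let any CloudFront distribution in any account read the bucket.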

A network engineer deploys an application in a private subnet in a VPC that connects to many external video feed providers using RTMP over the internet. A NAT gateway has been deployed in a public subnet and is working as expected. From the Amazon EC2 instance, the application is able to connect to all feed providers except one, which hangs when connecting.

Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected. What is causing this issue?

A. The NAT gateway does not support fragmented packets.
B. The internet gateway only supports an MTU of 1500 bytes.
C. An Amazon EC2 instance expects to communicate with an MTU of 9001.
D. The security group on the instances does not allow PMTUD.
Suggested answer: D

You are designing an AWS Direct Connect solution into your VPC. You need to consider requirements for the customer router to terminate the Direct Connect link at the Direct Connect location.

Which three factors that must be supported should you consider when choosing the customer router? (Choose three.)

A. 802.1Q VLAN encapsulation
B. 802.1ax or 802.3ad link aggregation
C. OSPF
D. BGP
E. single-mode optical fiber connectivity
F. 1-Gbps copper connectivity
Suggested answer: A, D, E

An organization has ordered a new AWS Direct Connect connection. The AWS Management Console reports that the connection is available and BGP status is up. However, the networking team is not able to reach instances in the VPC using ping on the organization's private IP address.

What could cause this connectivity issue? (Choose two.)

A. The VGW is not advertising the correct CIDR range back on-premises.
B. The instance security group does not allow ICMP traffic.
C. A public virtual interface must be configured for Amazon EC2 connectivity.
D. The on-premises router is not advertising the correct CIDR range to AWS.
E. There is a misconfiguration of the bi-directional forwarding detection.

Suggested answer: B, D

Explanation:

A public virtual interface only reaches public AWS endpoints; instances on private VPC addresses are reached over a private virtual interface attached to the virtual private gateway, so C describes a misconfiguration rather than a requirement. With the connection and the BGP session up, the remaining causes are a security group that does not allow inbound ICMP (echo requests are dropped even though the route exists) and an on-premises router that is not advertising the on-premises CIDR to AWS, which leaves the VPC with no return route.

You are managing a VPC with 4 AZs. There is a load balancer managing the public accessibility to your servers. You have a secondary ENI with a private IPv4 address on an instance that is serving public web traffic. Your server communicates over private addresses to a database in another subnet. Security is a major concern for your company and whitelisting is in effect. You have to bring the web server down for maintenance, what two things should you do? (Choose two.)

A. Reboot the instance.
B. Move the ENI from one server to the other.
C. Associate the new ENI with the database security group.
D. Configure a secondary ENI on the standby instance.

Suggested answer: C, D

Explanation:

You must configure a secondary ENI on the standby instance with an IP address that can access the data subnet. This may require modification of the security group for the database.

What statement about LAGs is incorrect?

A. If you create a new connection, you will have to fill out another LOA-CFA
B. You can pool connections with multiple speeds to create one faster speed.
C. You will receive 1 LOA-CFA with a page for each connection.
D. All connections in the LAG must terminate at the same DX endpoint.

Suggested answer: B

Explanation:

All connections in a LAG must have the same bandwidth; links of different speeds cannot be aggregated into one faster link. The other statements hold: the connections must terminate on the same AWS Direct Connect endpoint, the LOA-CFA covers each connection in the LAG, and a connection added later needs its own LOA-CFA.

You currently use a single security group assigned to all nodes in a clustered NoSQL database. Only your cluster members in one region must be able to connect to each other. This security group uses a self-referencing rule using the cluster security group's group-id to make it easier to add or remove nodes from the cluster.

You need to make this database comply with out-of-region disaster recovery requirements and ensure that the network traffic between the nodes is encrypted when travelling between regions. How should you enable secure cluster communication while deploying additional cluster members in another AWS region?

A. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group rules that reference each other's security group-id in each region.
B. Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
C. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
D. Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group rules that reference each other's security group-id in each region.

Suggested answer: B

Explanation:

A security group rule can reference a group ID only within the same VPC or over a VPC peering connection in the same region; a rule that references a group ID from another region never matches, which rules out A and D. With public IP addresses (C) the source address seen by the security group is the node's public IP, so CIDR rules built from the remote VPC CIDR would not match either. An IPsec VPN between the regions encrypts the traffic in transit and preserves the private source addresses, so CIDR rules for the remote VPC CIDR are the option that works.
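As an added example (not part of the original question bank), the following Python evaluates inbound security group rules, in the IpPermissions shape that boto3's describe_security_groups returns, against a source. It shows that a group-ID reference matches an in-region cluster member, that a member in another region is admitted only by a CIDR rule for the remote VPC, that a public source address does not match a rule built from the remote VPC CIDR, and (for the NAT gateway question earlier on this page) whether the ICMP Destination Unreachable / Fragmentation Needed message that PMTUD relies on would be accepted. The group IDs, CIDRs and addresses are constructed; the rule that group references never match across regions is the example's own modelling of the documented behaviour.

```python
"""Evaluate VPC security group rules against a source (added example).

Rules use the IpPermissions shape that boto3's describe_security_groups
returns. Assumptions for this example: a UserIdGroupPairs reference only
matches a source in the same region as the group (security group
references work within a VPC or over same-region peering, never across
regions), and the group IDs, CIDRs and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Source:
    """The peer as the security group sees it: source address, region, its groups."""
    ip: str
    region: str
    groups: frozenset = frozenset()


def _protocol_matches(rule: Dict, proto: str, a: int, b: int) -> bool:
    """For tcp/udp a == b == port; for icmp a is the type and b the code (-1 = any)."""
    rp = rule["IpProtocol"]
    if rp == "-1":
        return True
    if rp != proto:
        return False
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    if proto == "icmp":
        return lo in (-1, a) and hi in (-1, b)
    return lo <= a <= hi


def rule_allows(rule: Dict, sg_region: str, src: Source, proto: str, a: int, b: int) -> bool:
    """True if one rule admits the source: by CIDR, or by group reference in the same region."""
    if not _protocol_matches(rule, proto, a, b):
        return False
    ip = ipaddress.ip_address(src.ip)
    if any(ip in ipaddress.ip_network(r["CidrIp"], strict=False) for r in rule.get("IpRanges", [])):
        return True
    if src.region == sg_region:  # group references never match across regions (assumption)
        return any(p["GroupId"] in src.groups for p in rule.get("UserIdGroupPairs", []))
    return False


def allows(rules: List[Dict], sg_region: str, src: Source, proto: str,
           port_or_type: int, code: Optional[int] = None) -> bool:
    """True if any inbound rule admits this source for the protocol and port (or ICMP type/code)."""
    b = port_or_type if code is None else code
    return any(rule_allows(r, sg_region, src, proto, port_or_type, b) for r in rules)


def pmtud_icmp_allowed(rules: List[Dict], sg_region: str, src: Source) -> bool:
    """Path MTU discovery needs inbound ICMP Destination Unreachable (3) / Fragmentation Needed (4)."""
    return allows(rules, sg_region, src, "icmp", 3, 4)


# Constructed scenario: cluster group in us-east-1, DR members in eu-west-1
# reached over an IPsec VPN with private addresses from the remote VPC CIDR.
CLUSTER_SG = "sg-0a1b2c3d4e5f6a7b8"   # us-east-1 cluster group (constructed)
REMOTE_SG = "sg-0f9e8d7c6b5a4f3e2"    # eu-west-1 cluster group (constructed)
CLUSTER_RULES = [
    # self-referencing rule for in-region members
    {"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 7001,
     "UserIdGroupPairs": [{"GroupId": CLUSTER_SG}], "IpRanges": []},
    # CIDR rule for the remote region's VPC
    {"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 7001,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
    # ICMP rule so PMTUD fragmentation-needed messages are not dropped
    {"IpProtocol": "icmp", "FromPort": 3, "ToPort": 4,
     "UserIdGroupPairs": [], "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]
# Referencing the remote region's group ID instead of its CIDR never matches
CROSS_REGION_REF_RULES = [
    {"IpProtocol": "tcp", "FromPort": 7000, "ToPort": 7001,
     "UserIdGroupPairs": [{"GroupId": REMOTE_SG}], "IpRanges": []},
]

LOCAL_NODE = Source("10.0.1.5", "us-east-1", frozenset({CLUSTER_SG}))
REMOTE_NODE = Source("10.1.2.7", "eu-west-1", frozenset({REMOTE_SG}))
REMOTE_VIA_PUBLIC_IP = Source("203.0.113.9", "eu-west-1", frozenset({REMOTE_SG}))
INTERNET_ROUTER = Source("198.51.100.1", "internet")  # any hop that may send frag-needed

if __name__ == "__main__":
    print("local member via self-reference:", allows(CLUSTER_RULES, "us-east-1", LOCAL_NODE, "tcp", 7000))
    print("remote member via VPC CIDR:", allows(CLUSTER_RULES, "us-east-1", REMOTE_NODE, "tcp", 7000))
    print("remote member with public source IP:", allows(CLUSTER_RULES, "us-east-1", REMOTE_VIA_PUBLIC_IP, "tcp", 7000))
    print("remote member via cross-region group ref:", allows(CROSS_REGION_REF_RULES, "us-east-1", REMOTE_NODE, "tcp", 7000))
    print("PMTUD ICMP accepted:", pmtud_icmp_allowed(CLUSTER_RULES, "us-east-1", INTERNET_ROUTER))
```

The ICMP rule is deliberately narrow (type 3, code 4 only) rather than allowing all ICMP; if a network ACL sits in front of the subnet it needs an equivalent inbound allow, since NACLs are stateless and this check models only the security group.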

By default, all AWS accounts are limited to ____ EIPs, because public (IPv4) Internet addresses are a scarce public resource.

A. 5
B. 8
C. 6
D. 2

Suggested answer: A

Explanation:

An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing. With an EIP, you can mask the failure of an instance by rapidly remapping the address to another instance. By default, all AWS accounts are limited to 5 EIPs, because public (IPv4) Internet addresses are a scarce public resource.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Which of these is not specified on an ENI?

A. A primary private IPv4 address
B. A source/destination check flag
C. A MAC address
D. An A record

Suggested answer: D

Explanation:

An A record is not specified on an ENI. This is created in Route 53.

You want to ensure you have the absolute best transmission rates inside and outside your VPC. You are concerned about the MTU settings. What is the best way to configure your T2 instances to ensure the best compatibility?

A. Set all MTU to 1500 as that is the best way to ensure compatibility.
B. Leave everything as is.
C. Configure two ENIs, one for internal traffic and one for external traffic. Configure the external ENI with an MTU of 1500 and the internal ENI with an MTU of 9001.
D. Set all MTU to 9001 as that is the best way to ensure the best speed. The packets will be fragmented if they have to be.

Suggested answer: C

Explanation:

By using two ENIs, you ensure the right MTU goes to the proper destination.
