ExamGecko
Login
Home / Amazon / ANS-C00 / List of questions
Ask Question

Amazon ANS-C00 Practice Test - Questions Answers, Page 7

List of questions

Question 61

Report
Export
Collapse

Your website utilizes EC2, S3, ELB-Classic, and CloudFront. Your manager has shifted focus to security and wants you to ensure the site is as secure as possible. What two items could you recommend?

(Choose two.)

An NACL that blocks all ports to your subnets.
An NACL that blocks all ports to your subnets.
A restricted bucket policy.
A restricted bucket policy.
A WAF on the load balancer.
A WAF on the load balancer.
A WAF on your CloudFront distribution.
A WAF on your CloudFront distribution.
Suggested answer: B, D

Explanation:

Explanation:

A WAF on CloudFront and a restricted bucket policy to ensure the only access is from CloudFront. You cannot apply a WAF to a classic load balancer and an NACL that blocks all ports would block access to the load balancer.

asked 16/09/2024
Michele Valvason
40 questions

Question 62

Report
Export
Collapse

A network engineer deploys an application in a private subnet in a VPC that connects to many external video feed providers using RTMP over the internet. A NAT gateway has been deployed in a public subnet and is working as expected. From the Amazon EC2 instance, the application is able to connect to all feed providers except one, which hangs when connecting.

Manually testing a connection from an Amazon EC2 instance in the public subnet to the problem feed indicates that the feed works as expected. What is causing this issue?

The NAT gateway does not support fragmented packets.
The NAT gateway does not support fragmented packets.
The internet gateway only supports an MTU of 1500 bytes.
The internet gateway only supports an MTU of 1500 bytes.
An Amazon EC2 instance expects to communicate with an MTU of 9001.
An Amazon EC2 instance expects to communicate with an MTU of 9001.
The security group on the instances does not allow PMTUD.
The security group on the instances does not allow PMTUD.
Suggested answer: D
asked 16/09/2024
Elizaveta Kutuzova
54 questions

Question 63

Report
Export
Collapse

You are designing an AWS Direct Connect solution into your VPC. You need to consider requirements for the customer router to terminate the Direct Connect link at the Direct Connect location.

Which three factors that must be supported should you consider when choosing the customer router? (Choose three.)

802.1Q VLAN encapsulation
802.1Q VLAN encapsulation
802.1ax or 802.3ad link aggregation
802.1ax or 802.3ad link aggregation
OSPF
OSPF
BGP
BGP
single-mode optical fiber connectivity
single-mode optical fiber connectivity
1-Gbps copper connectivity
1-Gbps copper connectivity
Suggested answer: A, D, E
asked 16/09/2024
Juan Bueno
40 questions

Question 64

Report
Export
Collapse

An organization has ordered a new AWS Direct Connect connection. The AWS Management Console reports that the connection is available and BGP status is up. However, the networking team is not able to reach instances in the VPC using ping on the organization's private IP address.

What could cause this connectivity issue? (Choose two.)

The VGW is not advertising the correct CIDR range back on-premises.
The VGW is not advertising the correct CIDR range back on-premises.
The instance security group does not allow ICMP traffic.
The instance security group does not allow ICMP traffic.
A public virtual interface must be configured for Amazon EC2 connectivity.
A public virtual interface must be configured for Amazon EC2 connectivity.
The on-premises router is not advertising the correct CIDR range to AWS.
The on-premises router is not advertising the correct CIDR range to AWS.
There is a misconfiguration of the bi-directional forwarding detection.
There is a misconfiguration of the bi-directional forwarding detection.
Suggested answer: C, D
asked 16/09/2024
Eusebio Adrian
33 questions

Question 65

Report
Export
Collapse

You are managing a VPC with 4 AZs. There is a load balancer managing the public accessibility to your servers. You have a secondary ENI with a private IPv4 address on an instance that is serving public web traffic. Your server communicates over private addresses to a database in another subnet. Security is a major concern for your company and whitelisting is in effect. You have to bring the web server down for maintenance, what two things should you do? (Choose two.)

Reboot the instance.
Reboot the instance.
Move the ENI from one server to the other.
Move the ENI from one server to the other.
Associate the new ENI with the database security group.
Associate the new ENI with the database security group.
Configure a secondary ENI on the standby instance.
Configure a secondary ENI on the standby instance.
Suggested answer: C, D

Explanation:

Explanation:

You must configure a secondary ENI on the standby instance with an IP address that can access the data subnet. This may require modification of the security group for the database.

asked 16/09/2024
Bartłomiej Praniuk
24 questions

Question 66

Report
Export
Collapse

What statement about LAGs is incorrect?

If you create a new connection, you will have to fill out another LOA-CF
If you create a new connection, you will have to fill out another LOA-CF
You can pool connections with multiple speeds to create one faster speed.
You can pool connections with multiple speeds to create one faster speed.
You will receive 1 LOA-CFA with a page for each connection.
You will receive 1 LOA-CFA with a page for each connection.
All connections in the LAG must terminate at the same DX endpoint.
All connections in the LAG must terminate at the same DX endpoint.
Suggested answer: B

Explanation:

Explanation:

All links must be the same speed for a LAG to be operational.

asked 16/09/2024
Wilson Geneblazo
33 questions

Question 67

Report
Export
Collapse

You currently use a single security group assigned to all nodes in a clustered NoSQL database. Only your cluster members in one region must be able to connect to each other. This security group uses a self-referencing rule using the cluster security group's group-id to make it easier to add or remove nodes from the cluster.

You need to make this database comply with out-of-region disaster recovery requirements and ensure that the network traffic between the nodes is encrypted when travelling between regions. How should you enable secure cluster communication while deploying additional cluster members in another AWS region?

Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group rules that reference each other's security group-id in each region.
Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group rules that reference each other's security group-id in each region.
Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
Create an IPsec VPN between AWS regions, use private IP addresses to route traffic, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group CIDR-based rules that correspond with the VPC CIDR in the other region.
Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group rules that reference each other's security group-id in each region.
Use public IP addresses and TLS to securely communicate between cluster nodes in each AWS region, and create cluster security group rules that reference each other's security group-id in each region.
Suggested answer: D
asked 16/09/2024
Veronica Puddu
54 questions

Question 68

Report
Export
Collapse

By default, all AWS accounts are limited to ____ EIPs, because public (IPv4) Internet addresses are a scarce public resource.

5
5
8
8
6
6
2
2
Suggested answer: A

Explanation:

Explanation:

An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing. With an EIP, you can mask the failure of an instance by rapidly remapping the address to another instance. By default, all AWS accounts are limited to 5 EIPs, because public (IPv4) Internet addresses are a scarce public resource.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

asked 16/09/2024
Niels de Lange
38 questions

Question 69

Report
Export
Collapse

Which of these is not specified on an ENI?

A primary private IPv4 address
A primary private IPv4 address
A source/destination check flag
A source/destination check flag
A MAC address
A MAC address
An A record
An A record
Suggested answer: D

Explanation:

Explanation:

An A record is not specified on an ENI. This is created in Route 53.

asked 16/09/2024
Balazs Jarmy
48 questions

Question 70

Report
Export
Collapse

You want to ensure you have the absolute best transmission rates inside and outside your VPC. You are concerned about the MTU settings. What is the best way to configure your T2 instances to ensure the best compatibility?

Set all MTU to 1500 as that is the best way to ensure compatibility.
Set all MTU to 1500 as that is the best way to ensure compatibility.
Leave everything as is.
Leave everything as is.
Configure two ENIs, one for internal traffic and one for external traffic. Configure the external ENI with an MTU of 1500 and the internal ENI with an MTU of 9001.
Configure two ENIs, one for internal traffic and one for external traffic. Configure the external ENI with an MTU of 1500 and the internal ENI with an MTU of 9001.
Set all MTU to 9001 as that is the best way to ensure the best speed. The packets will be fragmented if they have to be.
Set all MTU to 9001 as that is the best way to ensure the best speed. The packets will be fragmented if they have to be.
Suggested answer: C

Explanation:

Explanation:

By using two ENIs, you ensure the right MTU goes to the proper destination.

asked 16/09/2024
Elham Alasmari
36 questions
Total 414 questions
Go to page: of 42
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

You have two VPCs that you've peered. You created a route for VPC A to get to an instance in VPC. You are unable to ping the instance. You have double checked your security groups and NACLs. Why might this be?
In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.
Which of these modes is not a configuration mode for a WAF?
Your organization runs a popular e-commerce application deployed on AWS that uses auto scaling in conjunction with an Elastic Load balancing (ELB) service with an HTTPS listener. Your security team reports that an exploitable vulnerability has been discovered in the encryption protocol and cipher that your site uses. Which step should you take to fix this problem?
You are configuring multiple Direct Connect links for your organization and need them to be in an HA Active/Passive configuration with extreme sensitivity to outages in order to encourage very quick failover times. You also need to be able to control which link is active. What two configuration changes should you implement? (Choose two.)
You have deployed a website that utilizes CloudFront, Elastic Loadbalancer, and S3 to serve content. When users access your site, they receive a "mixed content" security warning. What is most likely the problem?
Which service would you use to see who changed your infrastructure?
A company is building a hybrid PCI-DSS compliant application that runs in the us-west-2 Region and on-premises. The application sends access logs from all locations to a single Amazon S3 bucket in uswest-2. To protect this sensitive data, the bucket policy is configured to deny access from public IP addresses. How should an engineer configure the network to meet these requirements?
An organization has multiple applications running in VPCs across multiple AWS accounts. The network engineer has deployed a central VPC with a pair of software VPN instances that run IPSec tunnels with dynamic routing to VGWs of all application VPCs. This central VPC is connected to on-premises resources via a Direct Connect connection using a private VIF. What additional configuration is required to enable the applications in VPCs to communicate with each other and access onpremises resources?
Under increased cybersecurity concerns, a company is deploying a near real-time intrusion detection system (IDS) solution. A system must be put in place as soon as possible. The architecture consists of many AWS accounts, and all results must be delivered to a central location. Which solution will meet this requirement, while minimizing downtime and costs?